diff --git a/toolkit/client/client.go b/toolkit/client/client.go index d783605..f9cca09 100644 --- a/toolkit/client/client.go +++ b/toolkit/client/client.go @@ -60,18 +60,18 @@ func (c *Client) PrepareInvoke(ctx context.Context, cmd command.Command, subject return nil, err } - invSealed, invCid, err := inv.ToSealed(c.privKey) + invSealed, _, err := inv.ToSealed(c.privKey) if err != nil { return nil, err } cont := container.NewWriter() - cont.AddSealed(invCid, invSealed) + cont.AddSealed(invSealed) for bundle, err := range c.pool.GetBundles(proof) { if err != nil { return nil, err } - cont.AddSealed(bundle.Cid, bundle.Sealed) + cont.AddSealed(bundle.Sealed) } return cont, nil diff --git a/toolkit/client/proof.go b/toolkit/client/proof.go index 019a0be..fa6c701 100644 --- a/toolkit/client/proof.go +++ b/toolkit/client/proof.go @@ -14,6 +14,8 @@ import ( // - issuer: the DID of the client, also the issuer of the invocation token // - cmd: the command to execute // - subject: the DID of the resource to operate on, also the subject (or audience if defined) of the invocation token +// The returned delegation chain is ordered starting from the leaf (the one matching the invocation) to the root +// (the one given by the service). // Note: you can read it as "(issuer) wants to do (cmd) on (subject)". // Note: the returned delegation(s) don't have to match exactly the parameters, as long as they allow them. // Note: the implemented algorithm won't perform well with a large number of delegations. diff --git a/toolkit/client/requester.go b/toolkit/client/requester.go index 8420a49..9cb3855 100644 --- a/toolkit/client/requester.go +++ b/toolkit/client/requester.go 
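Review bot: The loop `for bundle, err := range c.pool.GetBundles(proof)` now appends the bundles in whatever order the pool yields them, while the DelegationRequester contract documented in this same commit says the chain MUST run leaf to root; nothing in PrepareInvoke checks or records that, so a misordered pool would only surface as a server-side rejection, or be silently accepted if the reader walks the container by position rather than by proof CID (the reader is not visible here). I would add a comment at the loop, `// bundles are appended leaf-to-root as yielded by the pool (see DelegationRequester); the server must resolve proofs by CID, not by container position`, and ideally assert that the first bundle's CID matches the invocation's proof head. Separately, `invSealed, _, err := inv.ToSealed(c.privKey)` now discards the invocation CID; if callers need it to correlate receipts or audit logs with this request, consider exposing it, since AddSealed presumably recomputes it internally and it is otherwise lost. PrepareInvoke's body starts before the hunk (`proof` is built there).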
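Review bot: The added sentence describes the root as "the one given by the service", which blurs who issued it; "given by" could equally be read as "returned by the service API", whereas what distinguishes the root is presumably that its issuer is the resource owner, i.e. the `subject` DID described two lines above. I would write `// (the root being the delegation issued by the subject DID itself, typically the service)`, hedged because the issuer rule is not visible in this hunk. The function this comment documents begins after the hunk.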
@@ -16,6 +16,8 @@ type DelegationRequester interface { // - cmd: the command to execute // - audience: the DID of the client, also the issuer of the invocation token // - subject: the DID of the resource to operate on, also the subject (or audience if defined) of the invocation token + // The returned delegations MUST be ordered starting from the leaf (the one matching the invocation) to the root + // (the one given by the service). // Note: you can read it as "(audience) wants to do (cmd) on (subject)". // Note: the returned delegation(s) don't have to match exactly the parameters, as long as they allow them. RequestDelegation(ctx context.Context, audience did.DID, cmd command.Command, subject did.DID) (iter.Seq2[*delegation.Bundle, error], error) diff --git a/toolkit/server/exectx/ucanctx.go b/toolkit/server/exectx/ucanctx.go index 6f87e55..1f6a622 100644 --- a/toolkit/server/exectx/ucanctx.go +++ b/toolkit/server/exectx/ucanctx.go @@ -38,6 +38,9 @@ type UcanCtx struct { infura *extargs.InfuraExtArgs } +// FromContainer prepare a UcanCtx from a UCAN container, for further evaluation in a server pipeline. +// It is expected that the container holds a single invocation and the matching delegations. If not, +// an error is returned. func FromContainer(cont container.Reader) (*UcanCtx, error) { inv, err := cont.GetInvocation() if err != nil { @@ -95,7 +98,7 @@ func (ctn UcanCtx) Policies() policy.Policy { } // Meta returns all the meta values from the delegations. -// They are accumulated from the root delegation to the leaf delegation, with no overwrite. +// They are accumulated from the root delegation to the leaf delegation, with no overwriting. func (ctn UcanCtx) Meta() meta.ReadOnly { return ctn.meta.ReadOnly() } diff --git a/toolkit/server/exectx/ucanctx_test.go b/toolkit/server/exectx/ucanctx_test.go index d891fdd..29f3186 100644 --- a/toolkit/server/exectx/ucanctx_test.go +++ b/toolkit/server/exectx/ucanctx_test.go 
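Review bot: The MUST added to RequestDelegation is a contract on third-party DelegationRequester implementations that nothing on the consumer side visibly verifies, so a violation would be a silent misbehaviour rather than an error. Because the resulting container is what the server authorises on, the doc should state the consequence, e.g. `// Callers do not reorder; a chain that is not leaf-to-root fails server-side validation.`, or the client should validate the chain before packaging (first bundle's audience equals `audience`, and each bundle's issuer equals the next bundle's audience). Whether the server pipeline depends on container order or resolves proofs by CID is not visible here; if it resolves by CID, say so and downgrade MUST to SHOULD.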
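Review bot: The new doc on FromContainer promises an error when the container does not hold exactly one invocation, but the visible line `inv, err := cont.GetInvocation()` does not show whether GetInvocation rejects a second invocation or simply returns the first; since the container arrives straight from a client-controlled Bearer token (per the example test), silently ignoring extra invocations would make the comment overstate the check. Confirm GetInvocation's behaviour and either make the doc precise, `// Returns an error if the container holds zero or more than one invocation.`, or add the count check here. `FromContainer prepare` should also read `prepares`. The function body continues past the hunk.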
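Review bot: "With no overwriting" leaves the collision rule implicit on Meta: given accumulation from root to leaf, a key set by the root keeps its value and a delegate further down cannot override it, which is the security-relevant property because it stops a downstream delegate from loosening a constraint recorded higher in the chain. Spell it out, e.g. `// On key collision the value closest to the root wins; a delegate cannot override meta set by its delegator.` The accumulation loop is outside this hunk, so confirm that is the implemented precedence before documenting it.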
@@ -57,13 +57,13 @@ func ExampleContext() { invocation.WithExpirationIn(10*time.Minute), invocation.WithArgument("myarg", "hello"), // we can specify invocation parameters ) - invBytes, invCid, _ := inv.ToSealed(user.PrivKey()) + invBytes, _, _ := inv.ToSealed(user.PrivKey()) // PACKAGING: no obligation for the transport, but the user needs to give the service the invocation // and all the proof delegations. We can use a container for that. cont := container.NewWriter() - cont.AddSealed(dlgCid, dlgBytes) - cont.AddSealed(invCid, invBytes) + cont.AddSealed(dlgBytes) + cont.AddSealed(invBytes) contBytes, _ := cont.ToBase64StdPadding() // MAKING A REQUEST: we pass the container in the Bearer HTTP header diff --git a/toolkit/server/extargs/http_test.go b/toolkit/server/extargs/http_test.go index 8ea454a..401bd3a 100644 --- a/toolkit/server/extargs/http_test.go +++ b/toolkit/server/extargs/http_test.go @@ -107,15 +107,15 @@ func TestHttp(t *testing.T) { // we don't test the args hash here emptyArgs := args.New().ReadOnly() - extArgs := NewHttpExtArgs(pol, emptyArgs, r) + ctx := NewHttpExtArgs(pol, emptyArgs, r) - _, err := extArgs.Args() + _, err := ctx.Args() require.NoError(t, err) if tc.expected { - require.NoError(t, extArgs.Verify()) + require.NoError(t, ctx.Verify()) } else { - require.Error(t, extArgs.Verify()) + require.Error(t, ctx.Verify()) } } @@ -173,12 +173,12 @@ func TestHttpHash(t *testing.T) { err := invArgs.Add(HttpArgsKey, tc.hash) require.NoError(t, err) - extArgs := NewHttpExtArgs(pol, invArgs.ReadOnly(), req) + ctx := NewHttpExtArgs(pol, invArgs.ReadOnly(), req) if tc.expected { - require.NoError(t, extArgs.Verify()) + require.NoError(t, ctx.Verify()) } else { - require.Error(t, extArgs.Verify()) + require.Error(t, ctx.Verify()) } }) } diff --git a/toolkit/server/extargs/jsonrpc_test.go b/toolkit/server/extargs/jsonrpc_test.go index 80a444d..1346f1d 100644 --- a/toolkit/server/extargs/jsonrpc_test.go +++ b/toolkit/server/extargs/jsonrpc_test.go 
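Review bot: The example packages the delegation before the invocation (`cont.AddSealed(dlgBytes)` then `cont.AddSealed(invBytes)`) whereas Client.PrepareInvoke in this same commit adds the invocation first; both are correct only if the container reader locates the invocation and its proofs by CID rather than by position. As this is the reference example for integrators, state that next to the calls, `// order of AddSealed calls does not matter: the reader resolves the invocation and its proof chain by CID`, or mirror PrepareInvoke's order so the two do not drift apart. I cannot see the reader here, so verify which it is before documenting it. The example continues outside the hunk.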
@@ -97,15 +97,15 @@ func TestJsonRpc(t *testing.T) { // we don't test the args hash here emptyArgs := args.New().ReadOnly() - extArgs := NewJsonRpcExtArgs(tc.pol, emptyArgs, tc.req) + ctx := NewJsonRpcExtArgs(tc.pol, emptyArgs, tc.req) - _, err := extArgs.Args() + _, err := ctx.Args() require.NoError(t, err) if tc.expected { - require.NoError(t, extArgs.Verify()) + require.NoError(t, ctx.Verify()) } else { - require.Error(t, extArgs.Verify()) + require.Error(t, ctx.Verify()) } }) } @@ -152,12 +152,12 @@ func TestJsonRpcHash(t *testing.T) { err := invArgs.Add(JsonRpcArgsKey, tc.hash) require.NoError(t, err) - extArgs := NewJsonRpcExtArgs(pol, invArgs.ReadOnly(), req) + ctx := NewJsonRpcExtArgs(pol, invArgs.ReadOnly(), req) if tc.expected { - require.NoError(t, extArgs.Verify()) + require.NoError(t, ctx.Verify()) } else { - require.Error(t, extArgs.Verify()) + require.Error(t, ctx.Verify()) } }) }