go/ucan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: go:cont-naming
Branches Tags
go:main go:attestation go:selfsigned go:gh-pages go:fork/alanshaw/ash/feat/invocation-test-vectors go:cont-naming go:proof-check go:v1 go:flacky-test go:match-tracing go:fix/meta-optional-in-delegation go:v1-policy-utf8-tokenizer go:v1-fix-policy-match-any go:policy-filtering go:feat/delegation/examples go:v1-policy-subset-selection go:feat/reorganize-packages go:feat/calculate-cid go:envelope go:v1-fix-policy-examples-test go:invocation go:v1.0.0-rc.1 go:b5/make-apache-mit-license
go:v1.1.0 go:v1.0.1 go:v1.0.0 go:v1.0.0-preview go:v0.7.0
...
pull from: go:proof-check
Branches Tags
go:main go:attestation go:selfsigned go:gh-pages go:fork/alanshaw/ash/feat/invocation-test-vectors go:cont-naming go:proof-check go:v1 go:flacky-test go:match-tracing go:fix/meta-optional-in-delegation go:v1-policy-utf8-tokenizer go:v1-fix-policy-match-any go:policy-filtering go:feat/delegation/examples go:v1-policy-subset-selection go:feat/reorganize-packages go:feat/calculate-cid go:envelope go:v1-fix-policy-examples-test go:invocation go:v1.0.0-rc.1 go:b5/make-apache-mit-license
go:v1.1.0 go:v1.0.1 go:v1.0.0 go:v1.0.0-preview go:v0.7.0

1 Commits
cont-namin ... proof-chec

Author SHA1 Message Date
Michael Muré
fb97653529 WIP 2025-01-06 14:24:56 +01:00
2 changed files with 23 additions and 4 deletions
Expand all files Collapse all files

19
token/delegation/delegation.go
View File

@@ -172,6 +172,25 @@ func (t *Token) IsValidAt(ti time.Time) bool {
return true
}
// Covers indicate if this token has the power to allow the given sub-delegation.
// This function only verifies the principals alignment
func (t *Token) Covers(subDelegation *Token) bool {
// The Subject of each delegation must equal the invocation's Subject (or Audience if defined). - 4f
if t.Subject() != sub {
return fmt.Errorf("%w: delegation %s, expected %s, got %s", ErrWrongSub, dlgCid, sub, dlg.Subject())
}
// The Issuer of each delegation must be the Audience in the next one. - 4d
if t.Audience() != subDelegation.Issuer() {
return fmt.Errorf("%w: delegation %s, expected %s, got %s", ErrBrokenChain, dlgCid, iss, dlg.Audience())
}
// The command of each delegation must "allow" the one before it. - 4g
if !dlg.Command().Covers(cmd) {
return fmt.Errorf("%w: delegation %s, %s doesn't cover %s", ErrCommandNotCovered, dlgCid, dlg.Command(), cmd)
}
}
func (t *Token) String() string {
var res strings.Builder

8
token/invocation/proof.go
View File

@@ -37,9 +37,9 @@ import (
// 4. When the proof chain is being validated (verifyProofs below):
// a. There must be at least one delegation in the proof chain.
// b. All referenced delegations must be available.
// c. The first proof must be issued to the Invoker (audience DID).
// d. The Issuer of each delegation must be the Audience in the next one.
// e. The last token must be a root delegation.
// c. The first proof must be issued to the Invoker.
// d. The Issuer of each delegation must be the Audience in the parent delegation.
// e. The chain must terminate with a root delegation.
// f. The Subject of each delegation must equal the invocation's Subject (or Audience if defined)
// g. The command of each delegation must "allow" the one before it.
//
@@ -72,7 +72,7 @@ func (t *Token) verifyProofs(delegations []*delegation.Token) error {
return fmt.Errorf("%w: delegation %s, expected %s, got %s", ErrWrongSub, dlgCid, sub, dlg.Subject())
}
// The first proof must be issued to the Invoker (audience DID). - 4c
// The first proof must be issued to the Invoker. - 4c
// The Issuer of each delegation must be the Audience in the next one. - 4d
if dlg.Audience() != iss {
return fmt.Errorf("%w: delegation %s, expected %s, got %s", ErrBrokenChain, dlgCid, iss, dlg.Audience())