164 lines
4.7 KiB
Go
164 lines
4.7 KiB
Go
package exectx_test
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/INFURA/go-ethlibs/jsonrpc"
|
|
"github.com/ipfs/go-cid"
|
|
"github.com/stretchr/testify/require"
|
|
"github.com/ucan-wg/go-ucan/did/didtest"
|
|
"github.com/ucan-wg/go-ucan/pkg/command"
|
|
"github.com/ucan-wg/go-ucan/pkg/container"
|
|
"github.com/ucan-wg/go-ucan/pkg/policy"
|
|
"github.com/ucan-wg/go-ucan/pkg/policy/literal"
|
|
"github.com/ucan-wg/go-ucan/token/delegation"
|
|
"github.com/ucan-wg/go-ucan/token/invocation"
|
|
|
|
"github.com/INFURA/go-ucan-toolkit/server/exectx"
|
|
)
|
|
|
|
func ExampleContext() {
|
|
// let's use some pre-made DID+privkey.
|
|
// use go-ucan/did to generate or parse them.
|
|
service := didtest.PersonaAlice
|
|
user := didtest.PersonaBob
|
|
|
|
// DELEGATION: the service gives some power to the user, in the form of a root UCAN token.
|
|
// The command defines the shape of the arguments on which the policies operate, it is specific to that service.
|
|
// Policies define what the user can do.
|
|
|
|
cmd := command.New("foo")
|
|
pol := policy.MustConstruct(
|
|
// some basic HTTP constraints
|
|
policy.Equal(".http.method", literal.String("GET")),
|
|
policy.Like(".http.path", "/foo/*"),
|
|
// some JsonRpc constraints
|
|
policy.Or(
|
|
policy.Like(".jsonrpc.method", "eth_*"),
|
|
policy.Equal(".jsonrpc.method", literal.String("debug_traceCall")),
|
|
),
|
|
)
|
|
|
|
dlg, _ := delegation.Root(service.DID(), user.DID(), cmd, pol,
|
|
delegation.WithExpirationIn(24*time.Hour),
|
|
)
|
|
dlgBytes, dlgCid, _ := dlg.ToSealed(service.PrivKey())
|
|
|
|
// INVOCATION: the user leverages the delegation (power) to make a request.
|
|
|
|
inv, _ := invocation.New(user.DID(), cmd, service.DID(), []cid.Cid{dlgCid},
|
|
invocation.WithExpirationIn(10*time.Minute),
|
|
invocation.WithArgument("myarg", "hello"), // we can specify invocation parameters
|
|
)
|
|
invBytes, _, _ := inv.ToSealed(user.PrivKey())
|
|
|
|
// PACKAGING: no obligation for the transport, but the user needs to give the service the invocation
|
|
// and all the proof delegations. We can use a container for that.
|
|
cont := container.NewWriter()
|
|
cont.AddSealed(dlgBytes)
|
|
cont.AddSealed(invBytes)
|
|
contBytes, _ := cont.ToBase64StdPadding()
|
|
|
|
// MAKING A REQUEST: we pass the container in the Bearer HTTP header
|
|
|
|
jrpc := jsonrpc.NewRequest()
|
|
jrpc.Method = "eth_call"
|
|
jrpc.Params = jsonrpc.MustParams("0x599784", true)
|
|
jrpcBytes, _ := jrpc.MarshalJSON()
|
|
req, _ := http.NewRequest(http.MethodGet, "/foo/bar", bytes.NewReader(jrpcBytes))
|
|
req.Header.Set("Authorization", "Bearer "+string(contBytes))
|
|
|
|
// SERVER: Auth middleware
|
|
// - decode the container
|
|
// - create the context
|
|
|
|
authMw := func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
// Note: we obviously want something more robust, this is an example
|
|
// Note: if an error occur, we'll want to return an HTTP 401 Unauthorized
|
|
data := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
|
|
cont, _ := container.FromString(data)
|
|
ucanCtx, _ := exectx.FromContainer(cont)
|
|
|
|
// insert into the go context
|
|
req = req.WithContext(exectx.AddUcanCtxToContext(req.Context(), ucanCtx))
|
|
|
|
next.ServeHTTP(w, req)
|
|
})
|
|
}
|
|
|
|
// SERVER: http checks
|
|
|
|
httpMw := func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
ucanCtx, _ := exectx.FromContext(req.Context())
|
|
|
|
err := ucanCtx.VerifyHttp(r)
|
|
if err != nil {
|
|
// This will print something like:
|
|
// `the following UCAN policy is not satisfied: ["==", ".http.path", "/foo"]`
|
|
http.Error(w, err.Error(), http.StatusUnauthorized)
|
|
return
|
|
}
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
// SERVER: JsonRpc checks
|
|
|
|
jsonrpcMw := func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
ucanCtx, _ := exectx.FromContext(req.Context())
|
|
|
|
var jrpc jsonrpc.Request
|
|
_ = json.NewDecoder(r.Body).Decode(&jrpc)
|
|
|
|
err := ucanCtx.VerifyJsonRpc(&jrpc)
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusUnauthorized)
|
|
return
|
|
}
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
// SERVER: final handler
|
|
|
|
handler := func(w http.ResponseWriter, r *http.Request) {
|
|
ucanCtx, _ := exectx.FromContext(req.Context())
|
|
|
|
if err := ucanCtx.ExecutionAllowed(); err != nil {
|
|
http.Error(w, err.Error(), http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
_, _ = fmt.Fprintln(w, "Success!")
|
|
}
|
|
|
|
// Ready to go!
|
|
_ = http.ListenAndServe("", authMw(httpMw(jsonrpcMw(http.HandlerFunc(handler)))))
|
|
}
|
|
|
|
func TestGoCtx(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
ucanCtx, ok := exectx.FromContext(ctx)
|
|
require.False(t, ok)
|
|
require.Nil(t, ucanCtx)
|
|
|
|
expected := &exectx.UcanCtx{}
|
|
|
|
ctx = exectx.AddUcanCtxToContext(ctx, expected)
|
|
|
|
got, ok := exectx.FromContext(ctx)
|
|
require.True(t, ok)
|
|
require.Equal(t, expected, got)
|
|
}
|