2023-12-29 12:46:10 +00:00
|
|
|
aqua TrustGraphApi declares *
|
|
|
|
|
|
|
|
|
|
export set_root, issue_trust, import_trust
|
|
|
|
|
export add_trust, add_root_trust, verify_trust
|
|
|
|
|
export get_weight, get_weight_from, issue_revocation
|
|
|
|
|
export import_revocation, revoke, get_host_certs_from
|
|
|
|
|
export get_all_certs, get_all_certs_from, get_host_certs
|
|
|
|
|
export insert_cert
|
|
|
|
|
|
2022-02-04 17:00:49 +00:00
|
|
|
import Sig, Peer, PeerId from "@fluencelabs/aqua-lib/builtin.aqua"
|
2022-02-04 15:45:37 +00:00
|
|
|
import "misc.aqua"
|
2021-11-12 13:19:16 +00:00
|
|
|
import "trust-graph.aqua"
|
|
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
alias Error: string
|
2021-11-12 13:19:16 +00:00
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
-- Call context: any node with registered `trust-graph` service
|
|
|
|
|
-- Set `peer_id` as a root
|
|
|
|
|
-- Self-signed trust should be added in next call for correct behaviour
|
|
|
|
|
-- `max_chain_len` specifies maximum chain length after root trust,
|
|
|
|
|
-- if `max_chain_len` is zero there is no trusts except self-signed root trust in certificates for this root
|
|
|
|
|
func set_root(peer_id: PeerId, max_chain_len: u32) -> SetRootResult:
|
|
|
|
|
result <- TrustGraph.set_root(peer_id, max_chain_len)
|
2021-11-12 13:19:16 +00:00
|
|
|
<- result
|
|
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
-- Call context: %init_peer_id%
|
|
|
|
|
-- Create on relay and sign trust on client
|
|
|
|
|
-- If `issuer` is not %init_peer_id%, Sig service with `issuer` peer id as service id should be defined
|
|
|
|
|
-- Errors:
|
|
|
|
|
-- If TrustGraph.get_trust_bytes or TrustGraph.issue_trust fails, (nil, error) is returned.
|
|
|
|
|
func issue_trust(issuer: PeerId, issued_for: PeerId, expires_at_sec: u64) -> ?Trust, ?Error:
|
|
|
|
|
-- after marine-web release this will be done on %init_peer_id%
|
|
|
|
|
on HOST_PEER_ID:
|
|
|
|
|
issued_at_sec <- Peer.timestamp_sec()
|
|
|
|
|
bytes <- TrustGraph.get_trust_bytes(issued_for, expires_at_sec, issued_at_sec)
|
|
|
|
|
|
2023-12-29 12:46:10 +00:00
|
|
|
result: *Trust
|
2022-02-04 15:45:37 +00:00
|
|
|
error: *Error
|
|
|
|
|
if bytes.success:
|
2022-02-05 00:17:07 +00:00
|
|
|
Sig issuer
|
|
|
|
|
sig_res <- Sig.sign(bytes.result)
|
|
|
|
|
|
|
|
|
|
if sig_res.success:
|
|
|
|
|
on HOST_PEER_ID:
|
|
|
|
|
issue_result <- TrustGraph.issue_trust(issued_for, expires_at_sec, issued_at_sec, sig_res.signature!)
|
|
|
|
|
if issue_result.success:
|
|
|
|
|
result <<- issue_result.trust
|
|
|
|
|
else:
|
|
|
|
|
error <<- issue_result.error
|
2022-02-04 15:45:37 +00:00
|
|
|
else:
|
2022-02-05 00:17:07 +00:00
|
|
|
error <<- sig_res.error!
|
2022-02-04 15:45:37 +00:00
|
|
|
else:
|
|
|
|
|
error <<- bytes.error
|
2023-12-29 12:46:10 +00:00
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
<- result, error
|
|
|
|
|
|
|
|
|
|
-- Call context: any node with registered `trust-graph` service
|
|
|
|
|
-- Add trust to TG
|
|
|
|
|
-- Errors:
|
|
|
|
|
-- If TrustGraph.add_trust fails, error is returned.
|
|
|
|
|
func import_trust(trust: Trust, issuer: PeerId) -> ?Error:
|
|
|
|
|
error: *Error
|
|
|
|
|
timestamp_sec <- Peer.timestamp_sec()
|
|
|
|
|
add_result <- TrustGraph.add_trust(trust, issuer, timestamp_sec)
|
2023-12-29 12:46:10 +00:00
|
|
|
if !add_result.success:
|
2022-02-04 15:45:37 +00:00
|
|
|
error <<- add_result.error
|
2023-12-29 12:46:10 +00:00
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
<- error
|
|
|
|
|
|
|
|
|
|
-- Call context: %init_peer_id%
|
|
|
|
|
-- Issue trust and add to TG instance on `node`
|
|
|
|
|
-- If `issuer` is not %init_peer_id%, Sig service with `issuer` peer id as service id should be defined
|
|
|
|
|
-- Errors:
|
|
|
|
|
-- If issue_trust or import_trust fails, error is returned.
|
|
|
|
|
func add_trust(node: PeerId, issuer: PeerId, issued_for: PeerId, expires_at_sec: u64) -> ?Error:
|
|
|
|
|
trust, issue_error <- issue_trust(issuer, issued_for, expires_at_sec)
|
|
|
|
|
|
|
|
|
|
error: *Error
|
|
|
|
|
if issue_error != nil:
|
|
|
|
|
error <<- issue_error!
|
|
|
|
|
else:
|
|
|
|
|
on node:
|
|
|
|
|
import_error <- import_trust(trust!, issuer)
|
|
|
|
|
append_error(error, import_error)
|
2023-12-29 12:46:10 +00:00
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
<- error
|
|
|
|
|
|
|
|
|
|
-- Call context: %init_peer_id%
|
|
|
|
|
-- Set `peer_id` as a root and add self-signed trust to TG instance on `node`
|
|
|
|
|
-- If `peer_id` is not %init_peer_id%, Sig service with `peer_id` as service id should be defined
|
|
|
|
|
-- Errors:
|
|
|
|
|
-- If issue_trust, import_trust or set_root fails, error is returned.
|
|
|
|
|
func add_root_trust(node: PeerId, peer_id: PeerId, max_chain_len: u32, expires_at_sec: u64) -> ?Error:
|
|
|
|
|
trust, issue_error <- issue_trust(peer_id, peer_id, expires_at_sec)
|
|
|
|
|
|
|
|
|
|
error: *Error
|
|
|
|
|
if issue_error != nil:
|
|
|
|
|
error <<- issue_error!
|
|
|
|
|
else:
|
|
|
|
|
on node:
|
|
|
|
|
set_root_result <- set_root(peer_id, max_chain_len)
|
|
|
|
|
if set_root_result.success:
|
|
|
|
|
import_error <- import_trust(trust!, peer_id)
|
|
|
|
|
append_error(error, import_error)
|
|
|
|
|
else:
|
|
|
|
|
error <<- set_root_result.error
|
|
|
|
|
|
|
|
|
|
<- error
|
|
|
|
|
|
|
|
|
|
-- Call context: any node with registered `trust-graph` service
|
|
|
|
|
-- Check signature and expiration time of trust
|
|
|
|
|
func verify_trust(trust: Trust, issuer: PeerId) -> VerifyTrustResult:
|
|
|
|
|
timestamp_sec <- Peer.timestamp_sec()
|
|
|
|
|
result <- TrustGraph.verify_trust(trust, issuer, timestamp_sec)
|
2023-12-29 12:46:10 +00:00
|
|
|
|
2021-11-12 13:19:16 +00:00
|
|
|
<- result
|
|
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
-- Call context: any node with registered `trust-graph` service
|
|
|
|
|
-- Get the maximum weight of trust for `peer_id`
|
|
|
|
|
-- Trust has weight if there is at least 1 trust chain from one of the roots
|
|
|
|
|
func get_weight(peer_id: PeerId) -> WeightResult:
|
|
|
|
|
timestamp_sec <- Peer.timestamp_sec()
|
|
|
|
|
result <- TrustGraph.get_weight(peer_id, timestamp_sec)
|
2023-12-29 12:46:10 +00:00
|
|
|
|
2021-11-12 13:19:16 +00:00
|
|
|
<- result
|
|
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
-- Call context: any node with registered `trust-graph` service
|
|
|
|
|
-- Get maximum weight of trust for `peer_id` among all chains which contain trust from `issuer`
|
|
|
|
|
func get_weight_from(peer_id: PeerId, issuer: PeerId) -> WeightResult:
|
|
|
|
|
timestamp_sec <- Peer.timestamp_sec()
|
|
|
|
|
result <- TrustGraph.get_weight_from(peer_id, issuer, timestamp_sec)
|
2023-12-29 12:46:10 +00:00
|
|
|
|
2021-11-12 13:19:16 +00:00
|
|
|
<- result
|
|
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
-- Call context: %init_peer_id%
|
|
|
|
|
-- Create revocation signed by %init_peer_id%
|
|
|
|
|
-- If `revoked_by` is not %init_peer_id%, Sig service with `revoked_by` peer id as service id should be defined
|
|
|
|
|
-- Errors:
|
|
|
|
|
-- If TrustGraph.get_revocation_bytes or TrustGraph.issue_revocation fails, (nil, error) is returned.
|
|
|
|
|
func issue_revocation(revoked_by: PeerId, revoked: PeerId) -> ?Revocation, ?Error:
|
|
|
|
|
-- after marine-web release this will be done on %init_peer_id%
|
|
|
|
|
on HOST_PEER_ID:
|
|
|
|
|
issued_at_sec <- Peer.timestamp_sec()
|
|
|
|
|
bytes <- TrustGraph.get_revocation_bytes(revoked, issued_at_sec)
|
|
|
|
|
|
2023-12-29 12:46:10 +00:00
|
|
|
result: *Revocation
|
2022-02-04 15:45:37 +00:00
|
|
|
error: *Error
|
|
|
|
|
if bytes.success:
|
2022-02-05 00:17:07 +00:00
|
|
|
Sig revoked_by
|
2022-02-04 15:45:37 +00:00
|
|
|
|
2022-02-05 00:17:07 +00:00
|
|
|
sig_res <- Sig.sign(bytes.result)
|
2021-11-12 13:19:16 +00:00
|
|
|
|
2022-02-05 00:17:07 +00:00
|
|
|
if sig_res.success:
|
|
|
|
|
on HOST_PEER_ID:
|
|
|
|
|
issue_result <- TrustGraph.issue_revocation(revoked_by, revoked, issued_at_sec, sig_res.signature!)
|
|
|
|
|
if issue_result.success:
|
|
|
|
|
result <<- issue_result.revocation
|
|
|
|
|
else:
|
|
|
|
|
error <<- issue_result.error
|
2022-02-04 15:45:37 +00:00
|
|
|
else:
|
2022-02-05 00:17:07 +00:00
|
|
|
error <<- sig_res.error!
|
2022-02-04 15:45:37 +00:00
|
|
|
else:
|
|
|
|
|
error <<- bytes.error
|
2023-12-29 12:46:10 +00:00
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
<- result, error
|
|
|
|
|
|
|
|
|
|
-- Call context: any node with registered `trust-graph` service
|
|
|
|
|
-- Import revocation to TG
|
|
|
|
|
-- Errors:
|
|
|
|
|
-- If TrustGraph.revoke fails, error is returned.
|
|
|
|
|
func import_revocation(revocation: Revocation) -> ?Error:
|
|
|
|
|
error: *Error
|
|
|
|
|
timestamp_sec <- Peer.timestamp_sec()
|
|
|
|
|
add_result <- TrustGraph.revoke(revocation, timestamp_sec)
|
2023-12-29 12:46:10 +00:00
|
|
|
if !add_result.success:
|
2022-02-04 15:45:37 +00:00
|
|
|
error <<- add_result.error
|
|
|
|
|
|
|
|
|
|
<- error
|
|
|
|
|
|
|
|
|
|
-- Call context: %init_peer_id%
|
|
|
|
|
-- Revoke all certificates on `node` TG instance
|
|
|
|
|
-- which contain path from %init_peer_id% to `revoked_peer_id`
|
|
|
|
|
-- If `revoked_by` is not %init_peer_id%, Sig service with `revoked_by` peer id as service id should be defined
|
|
|
|
|
-- Errors:
|
|
|
|
|
-- if issue_revocation or import_revocation fails, error is returned.
|
|
|
|
|
func revoke(node: PeerId, revoked_by: PeerId, revoked: PeerId) -> ?Error:
|
|
|
|
|
revocation, issue_error <- issue_revocation(revoked_by, revoked)
|
|
|
|
|
|
|
|
|
|
error: *Error
|
|
|
|
|
if revocation == nil:
|
|
|
|
|
error <<- issue_error!
|
|
|
|
|
else:
|
|
|
|
|
on node:
|
|
|
|
|
import_error <- import_revocation(revocation!)
|
|
|
|
|
append_error(error, import_error)
|
2023-12-29 12:46:10 +00:00
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
<- error
|
|
|
|
|
|
|
|
|
|
-- Call context: any node with registered `trust-graph` service
|
|
|
|
|
-- Return all certificates issued for current node which contains trust from `issuer`
|
|
|
|
|
func get_host_certs_from(issuer: PeerId) -> AllCertsResult:
|
2021-12-06 17:17:45 +00:00
|
|
|
timestamp_sec <- Peer.timestamp_sec()
|
|
|
|
|
result <- TrustGraph.get_host_certs_from(issuer, timestamp_sec)
|
2023-12-29 12:46:10 +00:00
|
|
|
|
2021-11-12 13:19:16 +00:00
|
|
|
<- result
|
|
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
-- Call context: any node with registered `trust-graph` service
|
|
|
|
|
-- Return all certificates issued for given peer id
|
|
|
|
|
func get_all_certs(issued_for: PeerId) -> AllCertsResult:
|
|
|
|
|
timestamp_sec <- Peer.timestamp_sec()
|
|
|
|
|
result <- TrustGraph.get_all_certs(issued_for, timestamp_sec)
|
2023-12-29 12:46:10 +00:00
|
|
|
|
2021-11-12 13:19:16 +00:00
|
|
|
<- result
|
|
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
-- Call context: any node with registered `trust-graph` service
|
|
|
|
|
-- Return all certificates issued for given peer id which contains trust from `issuer`
|
|
|
|
|
func get_all_certs_from(issued_for: PeerId, issuer: PeerId) -> AllCertsResult:
|
|
|
|
|
timestamp_sec <- Peer.timestamp_sec()
|
|
|
|
|
result <- TrustGraph.get_all_certs_from(issued_for, issuer, timestamp_sec)
|
2023-12-29 12:46:10 +00:00
|
|
|
|
2021-11-12 13:19:16 +00:00
|
|
|
<- result
|
|
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
-- Call context: any node with registered `trust-graph` service
|
|
|
|
|
-- Return all certificates issued for current node
|
|
|
|
|
func get_host_certs() -> AllCertsResult:
|
|
|
|
|
timestamp_sec <- Peer.timestamp_sec()
|
|
|
|
|
result <- TrustGraph.get_host_certs(timestamp_sec)
|
2023-12-29 12:46:10 +00:00
|
|
|
|
2021-11-12 13:19:16 +00:00
|
|
|
<- result
|
|
|
|
|
|
2022-02-04 15:45:37 +00:00
|
|
|
-- Call context: any node with registered `trust-graph` service
|
|
|
|
|
-- Insert certificate to TG instance on current node
|
|
|
|
|
func insert_cert(certificate: Certificate) -> InsertResult:
|
|
|
|
|
timestamp_sec <- Peer.timestamp_sec()
|
|
|
|
|
result <- TrustGraph.insert_cert(certificate, timestamp_sec)
|
2023-12-29 12:46:10 +00:00
|
|
|
|
2021-11-12 13:19:16 +00:00
|
|
|
<- result
|
