aqua TrustGraphApi declares * export set_root, issue_trust, import_trust export add_trust, add_root_trust, verify_trust export get_weight, get_weight_from, issue_revocation export import_revocation, revoke, get_host_certs_from export get_all_certs, get_all_certs_from, get_host_certs export insert_cert import Sig, Peer, PeerId from "@fluencelabs/aqua-lib/builtin.aqua" import "misc.aqua" import "trust-graph.aqua" alias Error: string -- Call context: any node with registered `trust-graph` service -- Set `peer_id` as a root -- Self-signed trust should be added in next call for correct behaviour -- `max_chain_len` specifies maximum chain length after root trust, -- if `max_chain_len` is zero there is no trusts except self-signed root trust in certificates for this root func set_root(peer_id: PeerId, max_chain_len: u32) -> SetRootResult: result <- TrustGraph.set_root(peer_id, max_chain_len) <- result -- Call context: %init_peer_id% -- Create on relay and sign trust on client -- If `issuer` is not %init_peer_id%, Sig service with `issuer` peer id as service id should be defined -- Errors: -- If TrustGraph.get_trust_bytes or TrustGraph.issue_trust fails, (nil, error) is returned. func issue_trust(issuer: PeerId, issued_for: PeerId, expires_at_sec: u64) -> ?Trust, ?Error: -- after marine-web release this will be done on %init_peer_id% on HOST_PEER_ID: issued_at_sec <- Peer.timestamp_sec() bytes <- TrustGraph.get_trust_bytes(issued_for, expires_at_sec, issued_at_sec) result: *Trust error: *Error if bytes.success: Sig issuer sig_res <- Sig.sign(bytes.result) if sig_res.success: on HOST_PEER_ID: issue_result <- TrustGraph.issue_trust(issued_for, expires_at_sec, issued_at_sec, sig_res.signature!) if issue_result.success: result <<- issue_result.trust else: error <<- issue_result.error else: error <<- sig_res.error! else: error <<- bytes.error <- result, error -- Call context: any node with registered `trust-graph` service -- Add trust to TG -- Errors: -- If TrustGraph.add_trust fails, error is returned. func import_trust(trust: Trust, issuer: PeerId) -> ?Error: error: *Error timestamp_sec <- Peer.timestamp_sec() add_result <- TrustGraph.add_trust(trust, issuer, timestamp_sec) if !add_result.success: error <<- add_result.error <- error -- Call context: %init_peer_id% -- Issue trust and add to TG instance on `node` -- If `issuer` is not %init_peer_id%, Sig service with `issuer` peer id as service id should be defined -- Errors: -- If issue_trust or import_trust fails, error is returned. func add_trust(node: PeerId, issuer: PeerId, issued_for: PeerId, expires_at_sec: u64) -> ?Error: trust, issue_error <- issue_trust(issuer, issued_for, expires_at_sec) error: *Error if issue_error != nil: error <<- issue_error! else: on node: import_error <- import_trust(trust!, issuer) append_error(error, import_error) <- error -- Call context: %init_peer_id% -- Set `peer_id` as a root and add self-signed trust to TG instance on `node` -- If `peer_id` is not %init_peer_id%, Sig service with `peer_id` as service id should be defined -- Errors: -- If issue_trust, import_trust or set_root fails, error is returned. func add_root_trust(node: PeerId, peer_id: PeerId, max_chain_len: u32, expires_at_sec: u64) -> ?Error: trust, issue_error <- issue_trust(peer_id, peer_id, expires_at_sec) error: *Error if issue_error != nil: error <<- issue_error! else: on node: set_root_result <- set_root(peer_id, max_chain_len) if set_root_result.success: import_error <- import_trust(trust!, peer_id) append_error(error, import_error) else: error <<- set_root_result.error <- error -- Call context: any node with registered `trust-graph` service -- Check signature and expiration time of trust func verify_trust(trust: Trust, issuer: PeerId) -> VerifyTrustResult: timestamp_sec <- Peer.timestamp_sec() result <- TrustGraph.verify_trust(trust, issuer, timestamp_sec) <- result -- Call context: any node with registered `trust-graph` service -- Get the maximum weight of trust for `peer_id` -- Trust has weight if there is at least 1 trust chain from one of the roots func get_weight(peer_id: PeerId) -> WeightResult: timestamp_sec <- Peer.timestamp_sec() result <- TrustGraph.get_weight(peer_id, timestamp_sec) <- result -- Call context: any node with registered `trust-graph` service -- Get maximum weight of trust for `peer_id` among all chains which contain trust from `issuer` func get_weight_from(peer_id: PeerId, issuer: PeerId) -> WeightResult: timestamp_sec <- Peer.timestamp_sec() result <- TrustGraph.get_weight_from(peer_id, issuer, timestamp_sec) <- result -- Call context: %init_peer_id% -- Create revocation signed by %init_peer_id% -- If `revoked_by` is not %init_peer_id%, Sig service with `revoked_by` peer id as service id should be defined -- Errors: -- If TrustGraph.get_revocation_bytes or TrustGraph.issue_revocation fails, (nil, error) is returned. func issue_revocation(revoked_by: PeerId, revoked: PeerId) -> ?Revocation, ?Error: -- after marine-web release this will be done on %init_peer_id% on HOST_PEER_ID: issued_at_sec <- Peer.timestamp_sec() bytes <- TrustGraph.get_revocation_bytes(revoked, issued_at_sec) result: *Revocation error: *Error if bytes.success: Sig revoked_by sig_res <- Sig.sign(bytes.result) if sig_res.success: on HOST_PEER_ID: issue_result <- TrustGraph.issue_revocation(revoked_by, revoked, issued_at_sec, sig_res.signature!) if issue_result.success: result <<- issue_result.revocation else: error <<- issue_result.error else: error <<- sig_res.error! else: error <<- bytes.error <- result, error -- Call context: any node with registered `trust-graph` service -- Import revocation to TG -- Errors: -- If TrustGraph.revoke fails, error is returned. func import_revocation(revocation: Revocation) -> ?Error: error: *Error timestamp_sec <- Peer.timestamp_sec() add_result <- TrustGraph.revoke(revocation, timestamp_sec) if !add_result.success: error <<- add_result.error <- error -- Call context: %init_peer_id% -- Revoke all certificates on `node` TG instance -- which contain path from %init_peer_id% to `revoked_peer_id` -- If `revoked_by` is not %init_peer_id%, Sig service with `revoked_by` peer id as service id should be defined -- Errors: -- if issue_revocation or import_revocation fails, error is returned. func revoke(node: PeerId, revoked_by: PeerId, revoked: PeerId) -> ?Error: revocation, issue_error <- issue_revocation(revoked_by, revoked) error: *Error if revocation == nil: error <<- issue_error! else: on node: import_error <- import_revocation(revocation!) append_error(error, import_error) <- error -- Call context: any node with registered `trust-graph` service -- Return all certificates issued for current node which contains trust from `issuer` func get_host_certs_from(issuer: PeerId) -> AllCertsResult: timestamp_sec <- Peer.timestamp_sec() result <- TrustGraph.get_host_certs_from(issuer, timestamp_sec) <- result -- Call context: any node with registered `trust-graph` service -- Return all certificates issued for given peer id func get_all_certs(issued_for: PeerId) -> AllCertsResult: timestamp_sec <- Peer.timestamp_sec() result <- TrustGraph.get_all_certs(issued_for, timestamp_sec) <- result -- Call context: any node with registered `trust-graph` service -- Return all certificates issued for given peer id which contains trust from `issuer` func get_all_certs_from(issued_for: PeerId, issuer: PeerId) -> AllCertsResult: timestamp_sec <- Peer.timestamp_sec() result <- TrustGraph.get_all_certs_from(issued_for, issuer, timestamp_sec) <- result -- Call context: any node with registered `trust-graph` service -- Return all certificates issued for current node func get_host_certs() -> AllCertsResult: timestamp_sec <- Peer.timestamp_sec() result <- TrustGraph.get_host_certs(timestamp_sec) <- result -- Call context: any node with registered `trust-graph` service -- Insert certificate to TG instance on current node func insert_cert(certificate: Certificate) -> InsertResult: timestamp_sec <- Peer.timestamp_sec() result <- TrustGraph.insert_cert(certificate, timestamp_sec) <- result