ucan

package
Published: Dec 30, 2024 License: Apache-2.0 Imports: 14 Imported by: 0


Constants

const Root = Capability("/")

Variables

// Sentinel errors returned by the capability context and token verification.
// Compare with errors.Is, never by string.
var (
	// ErrNotAuthorized: no token in the context grants the required capability.
	ErrNotAuthorized     = errors.New("not authorized")
	// ErrCapabilityExpired: the token's expiry is before the verification time.
	ErrCapabilityExpired = errors.New("capability expired")
	// ErrBadToken: the token is malformed or its signature/chain does not verify.
	ErrBadToken          = errors.New("bad token")
	// ErrTooBig: a serialized capability blob exceeds the size limit (a
	// defensive bound against untrusted input; the limit itself is not visible here).
	ErrTooBig            = errors.New("capability blob too big")
	// ErrBadContext: the capability context is invalid or cannot be loaded.
	ErrBadContext        = errors.New("bad context")

	// ErrTODO is a placeholder for unimplemented paths. NOTE(review): any
	// code path that can return this should be treated as unfinished, not
	// as a deny/allow decision.
	ErrTODO = errors.New("TODO")
)

Functions

func SaveCapabilityContext

func SaveCapabilityContext(ctx CapabilityContext, wr io.Writer) error

Types

type Action

// Action identifies what a token authorizes. It is serialized as the "act"
// field of DMSToken, so these string values are part of the wire format and
// must not be renamed.
type Action string
const (
	// Invoke: exercise a capability against an audience.
	Invoke    Action = "invoke"
	// Delegate: hand a capability on to another subject.
	Delegate  Action = "delegate"
	// Broadcast: publish to a topic.
	Broadcast Action = "broadcast"
	// Revoke: revoke a previously issued token.
	Revoke    Action = "revoke"
)

type BYOToken

// BYOToken is a placeholder for the standard UCAN envelope used with
// bring-your-own anchors (see Token.UCAN). It currently carries no fields,
// so a Token with only UCAN set conveys no authority.
type BYOToken struct {
}

type BasicCapabilityContext

// BasicCapabilityContext is this package's CapabilityContext implementation
// (presumably what NewCapabilityContext/LoadCapabilityContext return — confirm).
// Its state is unexported; because Start launches a background GC goroutine,
// always pair Start with Stop so the goroutine does not outlive the context.
type BasicCapabilityContext struct {
	// contains filtered or unexported fields
}

func (*BasicCapabilityContext) AddRoots

func (ctx *BasicCapabilityContext) AddRoots(roots []did.DID, require, provide, revoke TokenList) error

func (*BasicCapabilityContext) Consume

func (ctx *BasicCapabilityContext) Consume(origin did.DID, data []byte) error

func (*BasicCapabilityContext) DID

func (ctx *BasicCapabilityContext) DID() did.DID

func (*BasicCapabilityContext) Delegate

func (ctx *BasicCapabilityContext) Delegate(subject, audience did.DID, topics []string, expire, depth uint64, provide []Capability, selfSign SelfSignMode) (TokenList, error)

func (*BasicCapabilityContext) DelegateBroadcast

func (ctx *BasicCapabilityContext) DelegateBroadcast(subject did.DID, topic string, expire uint64, provide []Capability, selfSign SelfSignMode) (TokenList, error)

func (*BasicCapabilityContext) DelegateInvocation

func (ctx *BasicCapabilityContext) DelegateInvocation(target, subject, audience did.DID, expire uint64, provide []Capability, selfSign SelfSignMode) (TokenList, error)

func (*BasicCapabilityContext) Discard

func (ctx *BasicCapabilityContext) Discard(data []byte)

func (*BasicCapabilityContext) Grant

func (ctx *BasicCapabilityContext) Grant(action Action, subject, audience did.DID, topics []string, expire, depth uint64, provide []Capability) (TokenList, error)

func (*BasicCapabilityContext) ListRoots

func (ctx *BasicCapabilityContext) ListRoots() ([]did.DID, TokenList, TokenList, TokenList)

func (*BasicCapabilityContext) Name

func (ctx *BasicCapabilityContext) Name() string

func (*BasicCapabilityContext) Provide

func (ctx *BasicCapabilityContext) Provide(target did.DID, subject crypto.ID, audience crypto.ID, expire uint64, invoke []Capability, provide []Capability) ([]byte, error)

func (*BasicCapabilityContext) ProvideBroadcast

func (ctx *BasicCapabilityContext) ProvideBroadcast(subject crypto.ID, topic string, expire uint64, provide []Capability) ([]byte, error)

func (*BasicCapabilityContext) RemoveRoots

func (ctx *BasicCapabilityContext) RemoveRoots(trust []did.DID, require, provide TokenList)

func (*BasicCapabilityContext) Require

func (ctx *BasicCapabilityContext) Require(anchor did.DID, subject crypto.ID, audience crypto.ID, cap []Capability) error

func (*BasicCapabilityContext) RequireBroadcast

func (ctx *BasicCapabilityContext) RequireBroadcast(anchor did.DID, subject crypto.ID, topic string, require []Capability) error

func (*BasicCapabilityContext) Revoke

func (ctx *BasicCapabilityContext) Revoke(token *Token) (*Token, error)

func (*BasicCapabilityContext) Start

func (ctx *BasicCapabilityContext) Start(gcInterval time.Duration)

func (*BasicCapabilityContext) Stop

func (ctx *BasicCapabilityContext) Stop()

func (*BasicCapabilityContext) Trust

type Capability

type Capability string

func (Capability) Implies

func (c Capability) Implies(other Capability) bool

type CapabilityContext

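type CapabilityContext interface {
	// Name returns the context name.
	Name() string

	// DID returns the context's controlling DID.
	DID() did.DID

	// Trust returns the context's DID trust context (the one Token.Verify
	// checks signatures against).
	Trust() did.TrustContext

	// Consume ingests some or all of the serialized capability tokens in
	// tokens (as produced by Provide/ProvideBroadcast) presented by origin.
	//
	// It returns an error only when NONE of the provided tokens were
	// ingested. A nil error therefore does not mean every token was
	// accepted; callers must not treat it as proof of a capability and
	// should follow up with Require/RequireBroadcast for the capability
	// they actually need.
	Consume(origin did.DID, tokens []byte) error

	// Discard discards previously consumed capability tokens.
	Discard(tokens []byte)

	// Require ensures that at least one of the capabilities in require is
	// delegated from subject to audience with an appropriate anchor.
	//
	// An empty require list means no capabilities are required and is
	// vacuously true: the call succeeds without checking anything. Code
	// enforcing authorization must therefore never pass a list that can be
	// empty under attacker control.
	//
	// This is effectively a RequireAny(); a RequireAll() could be added if
	// ever needed.
	Require(anchor did.DID, subject crypto.ID, audience crypto.ID, require []Capability) error

	// RequireBroadcast ensures that at least one of the capabilities in
	// require is delegated to the subject for the specified broadcast topic,
	// with an appropriate anchor. The same empty-list caveat as Require applies.
	RequireBroadcast(anchor did.DID, subject crypto.ID, topic string, require []Capability) error

	// Provide prepares the serialized capability tokens that prove and
	// delegate authority to a subject for an audience:
	//   - it delegates invocations to the subject, with the given audience
	//     and the invoke capabilities;
	//   - it delegates the delegate capabilities to the target, with the
	//     subject as audience.
	// expire is the expiry deadline given to the issued tokens.
	Provide(target did.DID, subject crypto.ID, audience crypto.ID, expire uint64, invoke []Capability, delegate []Capability) ([]byte, error)

	// ProvideBroadcast prepares the serialized capability tokens that prove
	// authority to broadcast to topic.
	ProvideBroadcast(subject crypto.ID, topic string, expire uint64, broadcast []Capability) ([]byte, error)

	// AddRoots adds trust anchors.
	//
	// trust: DIDs accepted as roots of delegation chains.
	//
	// require: side-chain tokens used as one of the sources of truth when an
	// entity claims to hold certain capabilities.
	//
	// provide: tokens backing the capabilities this context may delegate.
	//
	// revoke: revocation tokens that are honored when verifying chains
	// (presumably those created by Revoke — confirm).
	AddRoots(trust []did.DID, require, provide TokenList, revoke TokenList) error

	// ListRoots lists the current trust anchors: the trusted DIDs and the
	// require, provide and revoke token lists, in that order.
	ListRoots() ([]did.DID, TokenList, TokenList, TokenList)

	// RemoveRoots removes the specified trust anchors. Note that it takes no
	// revoke list: revocations added through AddRoots cannot be withdrawn
	// with this method.
	RemoveRoots(trust []did.DID, require, provide TokenList)

	// Delegate creates the appropriate delegation tokens, anchored in our
	// roots, granting provide to subject for audience. topics scopes the
	// delegation to broadcast topics and depth bounds further re-delegation.
	Delegate(subject, audience did.DID, topics []string, expire, depth uint64, provide []Capability, selfSign SelfSignMode) (TokenList, error)

	// DelegateInvocation creates the appropriate invocation tokens anchored
	// in target.
	DelegateInvocation(target, subject, audience did.DID, expire uint64, provide []Capability, selfSign SelfSignMode) (TokenList, error)

	// DelegateBroadcast creates the appropriate broadcast token anchored in
	// our roots.
	DelegateBroadcast(subject did.DID, topic string, expire uint64, provide []Capability, selfSign SelfSignMode) (TokenList, error)

	// Grant creates the appropriate delegation tokens considering ourselves
	// as the root, i.e. without anchoring in any other trust anchor.
	Grant(action Action, subject, audience did.DID, topics []string, expire, depth uint64, provide []Capability) (TokenList, error)

	// Revoke creates a revocation for the provided token. A token is
	// identified for revocation by (issuer, subject, nonce); see
	// Token.RevocationKey. The revocation only takes effect where it is
	// installed (AddRoots revoke list / RevocationSet passed to Verify).
	Revoke(*Token) (*Token, error)

	// Start starts a token garbage collector goroutine that clears expired
	// tokens every gcInterval.
	Start(gcInterval time.Duration)
	// Stop stops a previously started gc goroutine; callers that Start a
	// context must Stop it to avoid leaking the goroutine.
	Stop()
}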

CapabilityContext exposes the functionality needed to manage capabilities between different contexts. The design is based on UCAN, but this package does not strictly follow the UCAN specification, so its native (DMS) tokens should not be assumed interoperable with standard UCAN implementations.

TODO: explain side-chains

TODO: explain anchor concept

Some concepts:

- Issuer: the one delegating/granting/invoking capabilities; responsible for signing the token.
- Audience: the resource upon which the capabilities can be applied.
- Subject:

  • the receiver, when delegating/granting capabilities
  • the invoker, when invoking capabilities

func LoadCapabilityContext

func LoadCapabilityContext(trust did.TrustContext, rd io.Reader) (CapabilityContext, error)

func LoadCapabilityContextWithName

func LoadCapabilityContextWithName(name string, trust did.TrustContext, rd io.Reader) (CapabilityContext, error)

func NewCapabilityContext

func NewCapabilityContext(trust did.TrustContext, ctxDID did.DID, roots []did.DID, require, provide TokenList, revoke TokenList) (CapabilityContext, error)

func NewCapabilityContextWithName

func NewCapabilityContextWithName(name string, trust did.TrustContext, ctxDID did.DID, roots []did.DID, require, provide TokenList, revoke TokenList) (CapabilityContext, error)

type CapabilityContextView

// CapabilityContextView is the JSON shape of a context's state: its DID,
// trust anchors and the require/provide/revoke token lists (the same
// quadruple returned by ListRoots). Presumably the form written by
// SaveCapabilityContext and read by LoadCapabilityContext — confirm.
//
// Security note: Roots is a plain, unsigned list of trust anchors, so anyone
// who can modify a saved view can change who this context trusts. Persist it
// only where it cannot be tampered with.
type CapabilityContextView struct {
	DID     did.DID   `json:"did"`
	Roots   []did.DID `json:"roots"`
	Require TokenList `json:"require"`
	Provide TokenList `json:"provide"`
	Revoke  TokenList `json:"revoke"`
}

type DMSToken

// DMSToken is this package's native (non-UCAN-spec) capability token.
// The json tags define the wire format; SignatureData presumably covers the
// fields below except Signature — confirm in its implementation.
type DMSToken struct {
	// Action is what the token authorizes (invoke, delegate, broadcast, revoke).
	Action     Action       `json:"act"`
	// Issuer is the DID that created and signed the token.
	Issuer     did.DID      `json:"iss"`
	// Subject is the receiver (delegation) or the invoker (invocation).
	Subject    did.DID      `json:"sub"`
	// Audience is the resource the capabilities apply to.
	Audience   did.DID      `json:"aud"`
	// Topic lists broadcast topics the token is scoped to; omitted when empty.
	Topic      []Capability `json:"topic,omitempty"`
	// Capability lists the capabilities the token carries.
	Capability []Capability `json:"cap"`
	// Nonce makes otherwise identical tokens distinct; together with Issuer
	// and Subject it forms the revocation key (see RevocationKey / Revoke).
	Nonce      []byte       `json:"nonce"`
	// Expire is the expiry deadline compared against the uint64 "now" passed
	// to Token.Verify. The unit (seconds vs. milliseconds) is not fixed here —
	// confirm at the call site and keep it consistent everywhere.
	Expire     uint64       `json:"exp"`
	// Depth presumably bounds further re-delegation (see AnchorDepth);
	// omitted when zero — confirm.
	Depth      uint64       `json:"depth,omitempty"`
	// Chain is presumably the parent token this one is derived from, forming
	// the proof chain back to a trust anchor; nil for tokens that are a root
	// or self-signed — confirm.
	Chain      *Token       `json:"chain,omitempty"`
	// Signature is the issuer's signature over SignatureData(). Because it is
	// omitempty, an unsigned token round-trips through JSON with no "sig"
	// field at all; NOTE(review): Token.Verify must reject a missing or empty
	// signature rather than treating it as "nothing to check" — the check is
	// not visible here, confirm.
	Signature  []byte       `json:"sig,omitempty"`
}

func (*DMSToken) AllowAction

func (t *DMSToken) AllowAction(ot *Token) bool

func (*DMSToken) AllowBroadcast

func (t *DMSToken) AllowBroadcast(subject did.DID, topic Capability, c Capability) bool

func (*DMSToken) AllowDelegation

func (t *DMSToken) AllowDelegation(action Action, issuer, audience did.DID, topics []Capability, expire uint64, c Capability) bool

func (*DMSToken) AllowInvocation

func (t *DMSToken) AllowInvocation(subject, audience did.DID, c Capability) bool

func (*DMSToken) Anchor

func (t *DMSToken) Anchor(anchor did.DID) bool

func (*DMSToken) AnchorDepth

func (t *DMSToken) AnchorDepth(anchor did.DID) (depth uint64, have bool)

func (*DMSToken) Delegate

func (t *DMSToken) Delegate(provider did.Provider, subject, audience did.DID, topics []Capability, expire, depth uint64, c []Capability) (*DMSToken, error)

func (*DMSToken) DelegateBroadcast

func (t *DMSToken) DelegateBroadcast(provider did.Provider, subject did.DID, topic Capability, expire uint64, c []Capability) (*DMSToken, error)

func (*DMSToken) DelegateInvocation

func (t *DMSToken) DelegateInvocation(provider did.Provider, subject, audience did.DID, expire uint64, c []Capability) (*DMSToken, error)

func (*DMSToken) ExpireBefore

func (t *DMSToken) ExpireBefore(deadline uint64) bool

func (*DMSToken) RevocationKey

func (t *DMSToken) RevocationKey() string

func (*DMSToken) Revoked

func (t *DMSToken) Revoked(revoke *RevocationSet) bool

func (*DMSToken) SelfSigned

func (t *DMSToken) SelfSigned(origin did.DID) bool

func (*DMSToken) SignatureData

func (t *DMSToken) SignatureData() ([]byte, error)

func (*DMSToken) Subsumes

func (t *DMSToken) Subsumes(ot *Token) bool

type RevocationSet

// RevocationSet holds revoked tokens keyed by Token.RevocationKey. Revoke
// adds a token, Revoked answers whether a key is revoked, and List returns
// the revoked tokens. It is consulted by Token.Verify / DMSToken.Revoked.
// Whether it is safe for concurrent use is not visible here — confirm before
// sharing it across goroutines.
type RevocationSet struct {
	// contains filtered or unexported fields
}

func (*RevocationSet) List

func (r *RevocationSet) List() []*Token

func (*RevocationSet) Revoke

func (r *RevocationSet) Revoke(t *Token)

func (*RevocationSet) Revoked

func (r *RevocationSet) Revoked(key string) bool

type Saver

// Saver is implemented by values that can serialize themselves to a writer;
// SaveCapabilityContext presumably relies on it to persist a context — confirm.
type Saver interface {
	Save(wr io.Writer) error
}

type SelfSignMode

// SelfSignMode controls whether the Delegate* methods emit a token signed by
// the context itself in addition to, or instead of, tokens anchored in its
// roots. The exact semantics live in the implementation and are not visible
// here — confirm. Values are ordered via iota: No=0 (the zero value and thus
// the default), Also=1, Only=2.
type SelfSignMode int
const (
	// SelfSignNo: do not self-sign; only anchored tokens are produced.
	SelfSignNo SelfSignMode = iota
	// SelfSignAlso: produce a self-signed token alongside the anchored ones.
	SelfSignAlso
	// SelfSignOnly: produce only a self-signed token.
	SelfSignOnly
)

type Token

// Token is the envelope stored in token lists and chains. Presumably exactly
// one of the variants is set — confirm; today only DMS carries any fields,
// so the accessor methods (Issuer, Subject, Verify, ...) are effectively
// backed by DMS.
type Token struct {
	// DMS tokens (this package's native, non-spec-compliant format)
	DMS *DMSToken `json:"dms,omitempty"`
	// UCAN standard (when it is done) envelope for BYO anchors
	UCAN *BYOToken `json:"ucan,omitempty"`
}

func (*Token) Action

func (t *Token) Action() Action

func (*Token) AllowAction

func (t *Token) AllowAction(ot *Token) bool

func (*Token) AllowBroadcast

func (t *Token) AllowBroadcast(subject did.DID, topic Capability, c Capability) bool

func (*Token) AllowDelegation

func (t *Token) AllowDelegation(action Action, issuer, audience did.DID, topics []Capability, expire uint64, c Capability) bool

func (*Token) AllowInvocation

func (t *Token) AllowInvocation(subject, audience did.DID, c Capability) bool

func (*Token) Anchor

func (t *Token) Anchor(anchor did.DID) bool

func (*Token) AnchorDepth

func (t *Token) AnchorDepth(anchor did.DID) (uint64, bool)

func (*Token) Audience

func (t *Token) Audience() did.DID

func (*Token) Capability

func (t *Token) Capability() []Capability

func (*Token) Delegate

func (t *Token) Delegate(provider did.Provider, subject, audience did.DID, topics []Capability, expire, depth uint64, c []Capability) (*Token, error)

func (*Token) DelegateBroadcast

func (t *Token) DelegateBroadcast(provider did.Provider, subject did.DID, topic Capability, expire uint64, c []Capability) (*Token, error)

func (*Token) DelegateInvocation

func (t *Token) DelegateInvocation(provider did.Provider, subject, audience did.DID, expire uint64, c []Capability) (*Token, error)

func (*Token) Expire

func (t *Token) Expire() uint64

func (*Token) ExpireBefore

func (t *Token) ExpireBefore(deadline uint64) bool

func (*Token) Expired

func (t *Token) Expired() bool

func (*Token) Expiry

func (t *Token) Expiry() uint64

func (*Token) Issuer

func (t *Token) Issuer() did.DID

func (*Token) Nonce

func (t *Token) Nonce() []byte

func (*Token) RevocationKey

func (t *Token) RevocationKey() string

func (*Token) SelfSigned

func (t *Token) SelfSigned(origin did.DID) bool

func (*Token) SignatureData

func (t *Token) SignatureData() ([]byte, error)

func (*Token) Size

func (t *Token) Size() int

func (*Token) Subject

func (t *Token) Subject() did.DID

func (*Token) Subsumes

func (t *Token) Subsumes(ot *Token) bool

func (*Token) Topic

func (t *Token) Topic() []Capability

func (*Token) Verify

func (t *Token) Verify(trust did.TrustContext, now uint64, revoke *RevocationSet) error

type TokenList

// TokenList is a JSON-serializable list of tokens, used for the
// require/provide/revoke lists of a context and as the result of the
// Delegate*/Grant methods. A nil or empty list serializes without a "tok" key.
type TokenList struct {
	Tokens []*Token `json:"tok,omitempty"`
}
