fluencelabs/trust-graph-test
1
0
Fork 0
mirror of https://github.com/fluencelabs/trust-graph-test synced 2025-04-25 13:32:14 +00:00
Code Issues Projects Releases Wiki Activity

wip

Browse Source
This commit is contained in:
Alexey Proshutinskiy 2021-09-14 14:21:26 +03:00
parent db4165e663
commit 02406c6426
6 changed files with 212 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
service/src/results.rs
View File

@ -23,10 +23,12 @@ impl From<Result<(), ServiceError>> for InsertResult {
} }
} }
// TODO: add peer id to result
#[marine] #[marine]
pub struct WeightResult { pub struct WeightResult {
pub success: bool, pub success: bool,
pub weight: Vec<u32>, pub weight: u32,
pub peer_id: String,
pub error: String, pub error: String,
} }
@ -162,24 +164,24 @@ impl From<Result<(), ServiceError>> for VerifyTrustResult {
} }
#[marine] #[marine]
pub struct IssueCertificateResult { pub struct AddTrustResult {
pub success: bool, pub success: bool,
pub error: String, pub error: String,
pub cert: Certificate, pub weight: u32,
} }
impl From<Result<Certificate, ServiceError>> for IssueCertificateResult { impl From<Result<u32, ServiceError>> for AddTrustResult {
fn from(result: Result<Certificate, ServiceError>) -> Self { fn from(result: Result<u32, ServiceError>) -> Self {
match result { match result {
Ok(cert) => IssueCertificateResult { Ok(weight) => AddTrustResult {
success: true, success: true,
error: "".to_string(), error: "".to_string(),
cert, weight,
}, },
Err(e) => IssueCertificateResult { Err(e) => AddTrustResult {
success: false, success: false,
error: format!("{}", e), error: format!("{}", e),
cert: Certificate { chain: vec![] }, weight: u32::default(),
}, },
} }
} }

83
service/src/service_api.rs
View File

@ -1,11 +1,11 @@
use crate::dto::{Certificate, Trust}; use crate::dto::{Certificate, Trust};
use crate::results::{ use crate::results::{
AddRootResult, AllCertsResult, GetTrustMetadataResult, InsertResult, IssueCertificateResult, AddRootResult, AddTrustResult, AllCertsResult, GetTrustMetadataResult, InsertResult,
IssueTrustResult, VerifyTrustResult, WeightResult, IssueCertificateResult, IssueTrustResult, VerifyTrustResult, WeightResult,
}; };
use crate::service_impl::{ use crate::service_impl::{
add_root_impl, get_all_certs_impl, get_trust_metadata_imp, get_weight_impl, insert_cert_impl, add_root_impl, add_trust_impl, get_all_certs_impl, get_trust_metadata_imp, get_weight_impl,
insert_cert_impl_raw, issue_certificate_with_trust_checked_impl, insert_cert_impl, insert_cert_impl_raw, issue_certificate_with_trust_checked_impl,
issue_root_certificate_checked_impl, issue_trust_impl, verify_trust_impl, issue_root_certificate_checked_impl, issue_trust_impl, verify_trust_impl,
}; };
use marine_rs_sdk::{marine, CallParameters}; use marine_rs_sdk::{marine, CallParameters};
@ -13,19 +13,19 @@ use marine_rs_sdk::{marine, CallParameters};
#[marine] #[marine]
/// add a certificate in string representation to trust graph if it is valid /// add a certificate in string representation to trust graph if it is valid
/// see `trust_graph::Certificate` class for string encoding/decoding /// see `trust_graph::Certificate` class for string encoding/decoding
// TODO change `current_time` to time service // TODO change `timestamp_sec` to time service
fn insert_cert_raw(certificate: String, current_time: u64) -> InsertResult { fn insert_cert_raw(certificate: String, timestamp_sec: u64) -> InsertResult {
insert_cert_impl_raw(certificate, current_time).into() insert_cert_impl_raw(certificate, timestamp_sec).into()
} }
#[marine] #[marine]
/// add a certificate in JSON representation to trust graph if it is valid /// add a certificate in JSON representation to trust graph if it is valid
/// see `dto::Certificate` class for structure /// see `dto::Certificate` class for structure
fn insert_cert(certificate: Certificate, current_time: u64) -> InsertResult { fn insert_cert(certificate: Certificate, timestamp_sec: u64) -> InsertResult {
insert_cert_impl(certificate, current_time).into() insert_cert_impl(certificate, timestamp_sec).into()
} }
// TODO: pass current timestamp, return only valid, delete expired // TODO: pass current timestamp, return only valid, delete expired, return max weight
#[marine] #[marine]
fn get_weight(peer_id: String) -> WeightResult { fn get_weight(peer_id: String) -> WeightResult {
get_weight_impl(peer_id).into() get_weight_impl(peer_id).into()
@ -37,6 +37,8 @@ fn get_all_certs(issued_for: String) -> AllCertsResult {
get_all_certs_impl(issued_for).into() get_all_certs_impl(issued_for).into()
} }
// todo: add trust method
#[marine] #[marine]
/// could add only a host of a trust graph service /// could add only a host of a trust graph service
fn add_root(peer_id: String, weight: u32) -> AddRootResult { fn add_root(peer_id: String, weight: u32) -> AddRootResult {
@ -71,27 +73,52 @@ fn issue_trust(
issue_trust_impl(issued_for_peer_id, expires_at, issued_at, signed_metadata).into() issue_trust_impl(issued_for_peer_id, expires_at, issued_at, signed_metadata).into()
} }
// TODO: use "peer" "timestamp_sec" and check tetraplets
#[marine] #[marine]
fn verify_trust(trust: Trust, issuer_peer_id: String, cur_time: u64) -> VerifyTrustResult { fn verify_trust(trust: Trust, issuer_peer_id: String, timestamp_sec: u64) -> VerifyTrustResult {
verify_trust_impl(trust, issuer_peer_id, cur_time).into() verify_trust_impl(trust, issuer_peer_id, timestamp_sec).into()
} }
#[marine] #[marine]
fn issue_root_certificate_checked( fn add_trust(trust: Trust, issuer_peer_id: String, timestamp_sec: u64) -> AddTrustResult {
root_trust: Trust, add_trust_impl(trust, issuer_peer_id, timestamp_sec).into()
issued_trust: Trust,
cur_time: u64,
) -> IssueCertificateResult {
issue_root_certificate_checked_impl(root_trust, issued_trust, cur_time).into()
} }
#[marine] // service TrustGraph("trust-graph"):
fn issue_certificate_with_trust_checked( // -- returns hash of metadata to sign
cert: Certificate, // get_trust_bytes(issued_for_peer_id: string, expires_at: u64, issued_at: u64) -> GetTrustMetadataResult
trust: Trust, //
issued_by_peer_id: String, // -- issued_by needed to identify signature type (ed25519, rsa or secp256k1)
cur_time: u64, // issue_trust(issued_by_peer_id: string, issued_for_peer_id: string, expires_at: u64, issued_at: u64, signature: []u8) -> IssueTrustResult
) -> IssueCertificateResult { //
issue_certificate_with_trust_checked_impl(cert, trust, issued_by_peer_id, cur_time).into() // -- just verifying signatures, timestamp without inserting into local trust graph
} // verify_trust(issued_by_peer_id: string, trust: Trust, timestamp_sec: u64) -> VerifyTrustResult
//
// -- checks signature, timestamp, try to find place to insert, returns max_weight if succeed
// add_trust(issued_by_peer_id: string, trust: Trust, timestamp_sec: u64) -> AddTrustResult
//
// -- add root trust with given weight
// add_root(peer_id: string, trust: Trust, weight: u32) -> AddRootResult
//
// -- return max weight if found, remove expired
// get_weight(issued_for: string, timestamp_sec: u32) -> WeightResult
//
// -- return all certs, remove expired
// get_all_certs(issued_for: string, timestamp_sec) -> AllCertsResult
//
// -- insert full certificate if possible
// insert_cert(certificate: Certificate, current_time: u64) -> InsertResult
// insert_cert_raw(certificate: string, current_time: u64) -> InsertResult
//
// -- returns hash of metadata to sign
// get_revoke_bytes(revoked_peer_id: string, revoked_at: u64, issued_at: u64) -> GetRevokeMetadataResult
//
// -- revoked_by needed to identify signature type (ed25519, rsa or secp256k1)
// issue_revoke(revoked_by_peer_id: string, revoked_peer_id: string, revoked_at: u64, signature: []u8) -> IssueRevokeResult
//
// -- checks signature, checks timestamp
// revoke(revoke: Revoke, timestamp_sec: u64) -> AddRevokeResult
//
// get_all_revocation(revoked_peer_id: string)
//
// -- TODO
// get_trust

83
service/src/service_impl.rs
View File

@ -1,15 +1,37 @@
use crate::dto::{Certificate, DtoConversionError, Trust}; use crate::dto::{Certificate, DtoConversionError, Trust};
use crate::service_impl::ServiceError::InvalidTimestampTetraplet;
use crate::storage_impl::get_data; use crate::storage_impl::get_data;
use fluence_keypair::error::DecodingError; use fluence_keypair::error::DecodingError;
use fluence_keypair::public_key::peer_id_to_fluence_pk; use fluence_keypair::public_key::peer_id_to_fluence_pk;
use fluence_keypair::{PublicKey, Signature}; use fluence_keypair::{PublicKey, Signature};
use libp2p_core::PeerId; use libp2p_core::PeerId;
use marine_rs_sdk::CallParameters;
use std::convert::{Into, TryInto}; use std::convert::{Into, TryInto};
use std::str::FromStr; use std::str::FromStr;
use std::time::Duration; use std::time::Duration;
use thiserror::Error as ThisError; use thiserror::Error as ThisError;
use trust_graph::{current_time, CertificateError, TrustError, TrustGraphError}; use trust_graph::{current_time, CertificateError, TrustError, TrustGraphError};
pub static TRUSTED_TIMESTAMP_SERVICE_ID: &str = "peer";
pub static TRUSTED_TIMESTAMP_FUNCTION_NAME: &str = "timestamp_sec";
/// Check timestamps are generated on the current host with builtin ("peer" "timestamp_sec")
pub(crate) fn check_timestamp_tetraplets(
call_parameters: &CallParameters,
arg_number: usize,
) -> Result<(), ServiceError> {
let tetraplets = call_parameters
.tetraplets
.get(arg_number)
.ok_or(InvalidTimestampTetraplet)?;
let tetraplet = tetraplets.get(0).wrap_err(error_msg)?;
(tetraplet.service_id == TRUSTED_TIMESTAMP_SERVICE_ID
&& tetraplet.function_name == TRUSTED_TIMESTAMP_FUNCTION_NAME
&& tetraplet.peer_pk == call_parameters.host_id)
.then(|| ())
.ok_or(InvalidTimestampTetraplet)
}
#[derive(ThisError, Debug)] #[derive(ThisError, Debug)]
pub enum ServiceError { pub enum ServiceError {
#[error("peer id parse error: {0}")] #[error("peer id parse error: {0}")]
@ -46,6 +68,8 @@ pub enum ServiceError {
#[source] #[source]
TrustError, TrustError,
), ),
#[error("you should use host peer.timestamp_sec to pass timestamp")]
InvalidTimestampTetraplet,
} }
fn parse_peer_id(peer_id: String) -> Result<PeerId, ServiceError> { fn parse_peer_id(peer_id: String) -> Result<PeerId, ServiceError> {
@ -65,17 +89,17 @@ pub fn get_weight_impl(peer_id: String) -> Result<Option<u32>, ServiceError> {
Ok(weight) Ok(weight)
} }
fn add_cert(certificate: trust_graph::Certificate, duration: u64) -> Result<(), ServiceError> { fn add_cert(certificate: trust_graph::Certificate, timestamp_sec: u64) -> Result<(), ServiceError> {
let duration = Duration::from_millis(duration); let timestamp_sec = Duration::from_secs(timestamp_sec);
let mut tg = get_data().lock(); let mut tg = get_data().lock();
tg.add(certificate, duration)?; tg.add(certificate, timestamp_sec)?;
Ok(()) Ok(())
} }
pub fn insert_cert_impl_raw(certificate: String, duration: u64) -> Result<(), ServiceError> { pub fn insert_cert_impl_raw(certificate: String, timestamp_sec: u64) -> Result<(), ServiceError> {
let certificate = trust_graph::Certificate::from_str(&certificate)?; let certificate = trust_graph::Certificate::from_str(&certificate)?;
add_cert(certificate, duration)?; add_cert(certificate, timestamp_sec)?;
Ok(()) Ok(())
} }
@ -93,10 +117,10 @@ pub fn get_all_certs_impl(issued_for: String) -> Result<Vec<Certificate>, Servic
Ok(certs.into_iter().map(|c| c.into()).collect()) Ok(certs.into_iter().map(|c| c.into()).collect())
} }
pub fn insert_cert_impl(certificate: Certificate, duration: u64) -> Result<(), ServiceError> { pub fn insert_cert_impl(certificate: Certificate, timestamp_sec: u64) -> Result<(), ServiceError> {
let certificate: trust_graph::Certificate = certificate.try_into()?; let certificate: trust_graph::Certificate = certificate.try_into()?;
add_cert(certificate, duration)?; add_cert(certificate, timestamp_sec)?;
Ok(()) Ok(())
} }
@ -138,45 +162,32 @@ pub fn issue_trust_impl(
pub fn verify_trust_impl( pub fn verify_trust_impl(
trust: Trust, trust: Trust,
issuer_peer_id: String, issuer_peer_id: String,
cur_time: u64, timestamp_sec: u64,
) -> Result<(), ServiceError> { ) -> Result<(), ServiceError> {
check_timestamp_tetraplets(&marine_rs_sdk::get_call_parameters(), 2)?;
let public_key = extract_public_key(issuer_peer_id)?; let public_key = extract_public_key(issuer_peer_id)?;
trust_graph::Trust::verify( trust_graph::Trust::verify(
&trust.try_into()?, &trust.try_into()?,
&public_key, &public_key,
Duration::from_secs(cur_time), Duration::from_secs(timestamp_sec),
)?; )?;
Ok(()) Ok(())
} }
pub fn issue_root_certificate_checked_impl( pub fn add_trust_impl(
root_trust: Trust,
issued_trust: Trust,
cur_time: u64,
) -> Result<Certificate, ServiceError> {
trust_graph::Certificate::new_from_root_trust(
root_trust.try_into()?,
issued_trust.try_into()?,
Duration::from_secs(cur_time),
)
.map(|c| c.into())
.map_err(ServiceError::CertError)
}
pub fn issue_certificate_with_trust_checked_impl(
cert: Certificate,
trust: Trust, trust: Trust,
issued_by: String, issuer_peer_id: String,
cur_time: u64, timestamp_sec: u64,
) -> Result<Certificate, ServiceError> { ) -> Result<(), ServiceError> {
let public_key = extract_public_key(issued_by)?; let public_key = extract_public_key(issuer_peer_id)?;
trust_graph::Certificate::issue_with_trust( check_timestamp_tetraplets(&marine_rs_sdk::get_call_parameters(), 2)?;
public_key, let mut tg = get_data().lock();
tg.add_trust(
trust.try_into()?, trust.try_into()?,
&cert.try_into()?, public_key,
Duration::from_secs(cur_time), Duration::from_secs(timestamp_sec),
) )?;
.map(|c| c.into())
.map_err(ServiceError::CertError) Ok(())
} }

53
service/trust-graph.aqua
View File

@ -40,19 +40,54 @@ data VerifyTrustResult:
success: bool success: bool
error: string error: string
data AddTrustResult:
success: bool
error: string
weight: u32
peer_id: u32
data WeightResult: data WeightResult:
success: bool success: bool
weight: []u32 weight: u32
peer_id: string
error: string error: string
service TrustGraph("trust-graph"): service TrustGraph("trust-graph"):
add_root(peer_id: string, weight: u32) -> AddRootResult -- returns hash of metadata to sign
get_all_certs(issued_for: string) -> AllCertsResult get_trust_bytes(issued_for_peer_id: string, expires_at: u64, issued_at: u64) -> GetTrustMetadataResult
get_trust_metadata(issued_for_peer_id: string, expires_at: u64, issued_at: u64) -> GetTrustMetadataResult
get_weight(peer_id: string) -> WeightResult -- issued_by needed to identify signature type (ed25519, rsa or secp256k1)
issue_trust(issued_by_peer_id: string, issued_for_peer_id: string, expires_at: u64, issued_at: u64, signature: []u8) -> IssueTrustResult
-- just verifying signatures, timestamp without inserting into local trust graph
verify_trust(issued_by_peer_id: string, trust: Trust, timestamp_sec: u64) -> VerifyTrustResult
-- checks signature, timestamp, try to find place to insert, returns max_weight if succeed
add_trust(issued_by_peer_id: string, trust: Trust, timestamp_sec: u64) -> AddTrustResult
-- add root trust with given weight
add_root(peer_id: string, trust: Trust, weight: u32) -> AddRootResult
-- return max weight if found, remove expired
get_weight(issued_for: string, timestamp_sec: u32) -> WeightResult
-- return all certs, remove expired
get_all_certs(issued_for: string, timestamp_sec) -> AllCertsResult
-- insert full certificate if possible
insert_cert(certificate: Certificate, current_time: u64) -> InsertResult insert_cert(certificate: Certificate, current_time: u64) -> InsertResult
insert_cert_raw(certificate: string, current_time: u64) -> InsertResult insert_cert_raw(certificate: string, current_time: u64) -> InsertResult
issue_certificate_with_trust_checked(cert: Certificate, trust: Trust, issued_by_peer_id: string, cur_time: u64) -> IssueCertificateResult
issue_root_certificate_checked(root_trust: Trust, issued_trust: Trust, cur_time: u64) -> IssueCertificateResult -- returns hash of metadata to sign
issue_trust(issued_for_peer_id: string, expires_at: u64, issued_at: u64, signed_metadata: []u8) -> IssueTrustResult get_revoke_bytes(revoked_peer_id: string, revoked_at: u64, issued_at: u64) -> GetRevokeMetadataResult
verify_trust(trust: Trust, issuer_peer_id: string, cur_time: u64) -> VerifyTrustResult
-- revoked_by needed to identify signature type (ed25519, rsa or secp256k1)
issue_revoke(revoked_by_peer_id: string, revoked_peer_id: string, revoked_at: u64, signature: []u8) -> IssueRevokeResult
-- checks signature, checks timestamp
revoke(revoke: Revoke, timestamp_sec: u64) -> AddRevokeResult
get_all_revocation(revoked_peer_id: string)
-- TODO
get_trust

66
src/trust_graph.rs
View File

@ -68,6 +68,8 @@ pub enum TrustGraphError {
#[source] #[source]
RevokeError, RevokeError,
), ),
#[error("Path to {0} not found")]
AddTrustError(String),
} }
impl<T: StorageError + 'static> From<T> for TrustGraphError { impl<T: StorageError + 'static> From<T> for TrustGraphError {
@ -92,7 +94,11 @@ where
} }
/// Insert new root weight /// Insert new root weight
pub fn add_root_weight(&mut self, pk: PublicKey, weight: Weight) -> Result<(), TrustGraphError> { pub fn add_root_weight(
&mut self,
pk: PublicKey,
weight: Weight,
) -> Result<(), TrustGraphError> {
Ok(self.storage.add_root_weight(pk.into(), weight)?) Ok(self.storage.add_root_weight(pk.into(), weight)?)
} }
@ -101,7 +107,35 @@ where
Ok(self.storage.get(&pk.into())?) Ok(self.storage.get(&pk.into())?)
} }
// TODO: remove cur_time from api, leave it for tests only pub fn add_trust<T, P>(
&mut self,
trust: T,
issued_by: P,
cur_time: Duration,
) -> Result<(), TrustGraphError>
where
T: Borrow<Trust>,
P: Borrow<PublicKey>,
{
Trust::verify(trust, issued_by.borrow(), cur_time)?;
let _parent_trust_node =
self.get(issued_by.clone().borrow())?
.ok_or(TrustGraphError::AddTrustError(
issued_by.borrow().to_peer_id().to_base58(),
))?;
let pk = trust.issued_for.clone().into();
let auth = Auth {
trust: trust.clone(),
issued_by,
};
self.storage
.update_auth(&pk, auth, &root_trust.issued_for, cur_time)
}
/// Certificate is a chain of trusts, add this chain to graph /// Certificate is a chain of trusts, add this chain to graph
pub fn add<C>(&mut self, cert: C, cur_time: Duration) -> Result<(), TrustGraphError> pub fn add<C>(&mut self, cert: C, cur_time: Duration) -> Result<(), TrustGraphError>
where where
@ -123,13 +157,13 @@ where
// Insert new TrustNode for this root_pk if there wasn't one // Insert new TrustNode for this root_pk if there wasn't one
if self.storage.get(&root_pk)?.is_none() { if self.storage.get(&root_pk)?.is_none() {
let mut trust_node = TrustNode::new(root_trust.issued_for.clone(), cur_time);
let root_auth = Auth { let root_auth = Auth {
trust: root_trust.clone(), trust: root_trust.clone(),
issued_by: root_trust.issued_for.clone(), issued_by: root_trust.issued_for.clone(),
}; };
trust_node.update_auth(root_auth);
self.storage.insert(root_pk, trust_node)?; self.storage
.update_auth(&root_pk, root_auth, &root_trust.issued_for, cur_time)?;
} }
// Insert remaining trusts to the graph // Insert remaining trusts to the graph
@ -188,7 +222,7 @@ where
return Ok(None); return Ok(None);
} }
let mut weight = std::u32::MAX; let mut weight = u32::MAX;
for cert in certs { for cert in certs {
let c = cert.borrow(); let c = cert.borrow();
@ -376,13 +410,15 @@ mod tests {
let root_kp = KeyPair::generate_ed25519(); let root_kp = KeyPair::generate_ed25519();
let second_kp = KeyPair::generate_ed25519(); let second_kp = KeyPair::generate_ed25519();
let mut cert = let mut cert = Certificate::issue_root(&root_kp, second_kp.public(), expires_at, issued_at);
Certificate::issue_root(&root_kp, second_kp.public(), expires_at, issued_at);
let mut key_pairs = vec![root_kp, second_kp]; let mut key_pairs = vec![root_kp, second_kp];
for idx in 2..len { for idx in 2..len {
let kp = keys.get(&idx).unwrap_or(&KeyPair::generate_ed25519()).clone(); let kp = keys
.get(&idx)
.unwrap_or(&KeyPair::generate_ed25519())
.clone();
let previous_kp = &key_pairs[idx - 1]; let previous_kp = &key_pairs[idx - 1];
cert = Certificate::issue( cert = Certificate::issue(
&previous_kp, &previous_kp,
@ -591,9 +627,15 @@ mod tests {
let st = InMemoryStorage::new(); let st = InMemoryStorage::new();
let mut graph = TrustGraph::new(st); let mut graph = TrustGraph::new(st);
// add first and last trusts as roots // add first and last trusts as roots
graph.add_root_weight(cert.chain[0].clone().issued_for.into(), 1).unwrap(); graph
graph.add_root_weight(cert.chain[3].clone().issued_for.into(), 1).unwrap(); .add_root_weight(cert.chain[0].clone().issued_for.into(), 1)
graph.add_root_weight(cert.chain[5].clone().issued_for.into(), 1).unwrap(); .unwrap();
graph
.add_root_weight(cert.chain[3].clone().issued_for.into(), 1)
.unwrap();
graph
.add_root_weight(cert.chain[5].clone().issued_for.into(), 1)
.unwrap();
graph.add(cert.clone(), current_time()).unwrap(); graph.add(cert.clone(), current_time()).unwrap();

3
src/trust_graph_storage.rs
View File

@ -118,8 +118,7 @@ impl Storage for InMemoryStorage {
None => { None => {
let mut trust_node = TrustNode::new(issued_for.clone(), cur_time); let mut trust_node = TrustNode::new(issued_for.clone(), cur_time);
trust_node.update_auth(auth); trust_node.update_auth(auth);
self.nodes.insert(pk.clone(), trust_node); self.insert(pk.clone(), trust_node)
Ok(())
} }
} }
} }