fluencelabs/trust-graph-test
1
0
Fork 0
mirror of https://github.com/fluencelabs/trust-graph-test synced 2025-04-25 08:22:30 +00:00
Code Issues Projects Releases Wiki Activity

service: expose revoke api

Browse Source
This commit is contained in:
Alexey Proshutinskiy 2021-09-27 16:04:59 +03:00
parent 0978b2520d
commit 201f65571c
7 changed files with 256 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
aqua/trust-graph.aqua
View File

@ -24,6 +24,11 @@ data AllCertsResult:
certificates: []Certificate certificates: []Certificate
error: string error: string
data GetRevokeBytesResult:
success: bool
error: string
result: []u8
data GetTrustBytesResult: data GetTrustBytesResult:
success: bool success: bool
error: string error: string
@ -33,11 +38,27 @@ data InsertResult:
success: bool success: bool
error: string error: string
data Revoke:
revoked_peer_id: string
revoked_at: u64
signature: string
sig_type: string
revoked_by: string
data IssueRevocationResult:
success: bool
error: string
revoke: Revoke
data IssueTrustResult: data IssueTrustResult:
success: bool success: bool
error: string error: string
trust: Trust trust: Trust
data RevokeResult:
success: bool
error: string
data VerifyTrustResult: data VerifyTrustResult:
success: bool success: bool
error: string error: string
@ -52,9 +73,12 @@ service TrustGraph("trust-graph"):
add_root(peer_id: string, weight_factor: u32) -> AddRootResult add_root(peer_id: string, weight_factor: u32) -> AddRootResult
add_trust(trust: Trust, issuer_peer_id: string, timestamp_sec: u64) -> AddTrustResult add_trust(trust: Trust, issuer_peer_id: string, timestamp_sec: u64) -> AddTrustResult
get_all_certs(issued_for: string, timestamp_sec: u64) -> AllCertsResult get_all_certs(issued_for: string, timestamp_sec: u64) -> AllCertsResult
get_revoke_bytes(revoked_peer_id: string, revoked_at: u64) -> GetRevokeBytesResult
get_trust_bytes(issued_for_peer_id: string, expires_at_sec: u64, issued_at_sec: u64) -> GetTrustBytesResult get_trust_bytes(issued_for_peer_id: string, expires_at_sec: u64, issued_at_sec: u64) -> GetTrustBytesResult
get_weight(peer_id: string, timestamp_sec: u64) -> WeightResult get_weight(peer_id: string, timestamp_sec: u64) -> WeightResult
insert_cert(certificate: Certificate, timestamp_sec: u64) -> InsertResult insert_cert(certificate: Certificate, timestamp_sec: u64) -> InsertResult
insert_cert_raw(certificate: string, timestamp_sec: u64) -> InsertResult insert_cert_raw(certificate: string, timestamp_sec: u64) -> InsertResult
issue_revocation(revoked_peer_id: string, revoked_by_peer_id: string, revoked_at_sec: u64, signature_bytes: []u8) -> IssueRevocationResult
issue_trust(issued_for_peer_id: string, expires_at_sec: u64, issued_at_sec: u64, trust_bytes: []u8) -> IssueTrustResult issue_trust(issued_for_peer_id: string, expires_at_sec: u64, issued_at_sec: u64, trust_bytes: []u8) -> IssueTrustResult
revoke(revoke: Revoke, timestamp_sec: u64) -> RevokeResult
verify_trust(trust: Trust, issuer_peer_id: string, timestamp_sec: u64) -> VerifyTrustResult verify_trust(trust: Trust, issuer_peer_id: string, timestamp_sec: u64) -> VerifyTrustResult

84
service/src/dto.rs
View File

@ -1,14 +1,14 @@
use marine_rs_sdk::marine; use crate::dto::DtoConversionError::PeerIdDecodeError;
use fluence_keypair::error::DecodingError; use fluence_keypair::error::DecodingError;
use fluence_keypair::{Signature}; use fluence_keypair::public_key::peer_id_to_fluence_pk;
use fluence_keypair::signature::RawSignature;
use fluence_keypair::Signature;
use libp2p_core::PeerId;
use marine_rs_sdk::marine;
use std::convert::TryFrom; use std::convert::TryFrom;
use std::str::FromStr;
use std::time::Duration; use std::time::Duration;
use thiserror::Error as ThisError; use thiserror::Error as ThisError;
use libp2p_core::PeerId;
use fluence_keypair::public_key::peer_id_to_fluence_pk;
use std::str::FromStr;
use fluence_keypair::signature::RawSignature;
use crate::dto::DtoConversionError::PeerIdDecodeError;
#[derive(ThisError, Debug)] #[derive(ThisError, Debug)]
pub enum DtoConversionError { pub enum DtoConversionError {
@ -73,11 +73,15 @@ impl TryFrom<Trust> for trust_graph::Trust {
type Error = DtoConversionError; type Error = DtoConversionError;
fn try_from(t: Trust) -> Result<Self, Self::Error> { fn try_from(t: Trust) -> Result<Self, Self::Error> {
let issued_for = peer_id_to_fluence_pk(PeerId::from_str(&t.issued_for) let issued_for = peer_id_to_fluence_pk(
.map_err(|e| PeerIdDecodeError(format!("{:?}", e)))?) PeerId::from_str(&t.issued_for).map_err(|e| PeerIdDecodeError(format!("{:?}", e)))?,
)
.map_err(|e| DtoConversionError::PeerIdDecodeError(e.to_string()))?; .map_err(|e| DtoConversionError::PeerIdDecodeError(e.to_string()))?;
let signature = bs58::decode(&t.signature).into_vec()?; let signature = bs58::decode(&t.signature).into_vec()?;
let signature = Signature::from_raw_signature(RawSignature { bytes: signature, sig_type: t.sig_type })?; let signature = Signature::from_raw_signature(RawSignature {
bytes: signature,
sig_type: t.sig_type,
})?;
let expires_at = Duration::from_secs(t.expires_at); let expires_at = Duration::from_secs(t.expires_at);
let issued_at = Duration::from_secs(t.issued_at); let issued_at = Duration::from_secs(t.issued_at);
return Ok(trust_graph::Trust { return Ok(trust_graph::Trust {
@ -105,3 +109,63 @@ impl From<trust_graph::Trust> for Trust {
}; };
} }
} }
#[marine]
#[derive(Default)]
pub struct Revoke {
/// who is revoked
pub revoked_peer_id: String,
/// date when revocation was created
pub revoked_at: u64,
/// Signature of a previous trust in a chain.
/// Signature is self-signed if it is a root trust, base58
pub signature: String,
pub sig_type: String,
/// the issuer of this revocation, base58 peer id
pub revoked_by: String,
}
impl TryFrom<Revoke> for trust_graph::Revoke {
type Error = DtoConversionError;
fn try_from(r: Revoke) -> Result<Self, Self::Error> {
let revoked_pk = peer_id_to_fluence_pk(
PeerId::from_str(&r.revoked_peer_id)
.map_err(|e| PeerIdDecodeError(format!("{:?}", e)))?,
)
.map_err(|e| DtoConversionError::PeerIdDecodeError(e.to_string()))?;
let revoked_by_pk = peer_id_to_fluence_pk(
PeerId::from_str(&r.revoked_by).map_err(|e| PeerIdDecodeError(format!("{:?}", e)))?,
)
.map_err(|e| DtoConversionError::PeerIdDecodeError(e.to_string()))?;
let signature = bs58::decode(&r.signature).into_vec()?;
let signature = Signature::from_raw_signature(RawSignature {
bytes: signature,
sig_type: r.sig_type,
})?;
let revoked_at = Duration::from_secs(r.revoked_at);
return Ok(trust_graph::Revoke {
pk: revoked_pk,
revoked_at,
revoked_by: revoked_by_pk,
signature,
});
}
}
impl From<trust_graph::Revoke> for Revoke {
fn from(r: trust_graph::Revoke) -> Self {
let revoked_by = r.revoked_by.to_peer_id().to_base58();
let revoked_peer_id = r.pk.to_peer_id().to_base58();
let raw_signature = r.signature.get_raw_signature();
let signature = bs58::encode(raw_signature.bytes).into_string();
let revoked_at = r.revoked_at.as_secs();
return Revoke {
revoked_peer_id,
revoked_at,
signature,
sig_type: raw_signature.sig_type,
revoked_by,
};
}
}

71
service/src/results.rs
View File

@ -1,4 +1,4 @@
use crate::dto::{Certificate, Trust}; use crate::dto::{Certificate, Revoke, Trust};
use crate::service_impl::ServiceError; use crate::service_impl::ServiceError;
use marine_rs_sdk::marine; use marine_rs_sdk::marine;
@ -187,3 +187,72 @@ impl From<Result<u32, ServiceError>> for AddTrustResult {
} }
} }
} }
#[marine]
pub struct GetRevokeBytesResult {
pub success: bool,
pub error: String,
pub result: Vec<u8>,
}
impl From<Result<Vec<u8>, ServiceError>> for GetRevokeBytesResult {
fn from(result: Result<Vec<u8>, ServiceError>) -> Self {
match result {
Ok(res) => GetRevokeBytesResult {
success: true,
error: "".to_string(),
result: res,
},
Err(e) => GetRevokeBytesResult {
success: false,
error: format!("{}", e),
result: vec![],
},
}
}
}
#[marine]
pub struct IssueRevocationResult {
pub success: bool,
pub error: String,
pub revoke: Revoke,
}
impl From<Result<Revoke, ServiceError>> for IssueRevocationResult {
fn from(result: Result<Revoke, ServiceError>) -> Self {
match result {
Ok(revoke) => IssueRevocationResult {
success: true,
error: "".to_string(),
revoke,
},
Err(e) => IssueRevocationResult {
success: false,
error: format!("{}", e),
revoke: Revoke::default(),
},
}
}
}
#[marine]
pub struct RevokeResult {
pub success: bool,
pub error: String,
}
impl From<Result<(), ServiceError>> for RevokeResult {
fn from(result: Result<(), ServiceError>) -> Self {
match result {
Ok(()) => RevokeResult {
success: true,
error: "".to_string(),
},
Err(e) => RevokeResult {
success: false,
error: format!("{}", e),
},
}
}
}

38
service/src/service_api.rs
View File

@ -1,11 +1,13 @@
use crate::dto::{Certificate, Trust}; use crate::dto::{Certificate, Revoke, Trust};
use crate::results::{ use crate::results::{
AddRootResult, AddTrustResult, AllCertsResult, GetTrustBytesResult, InsertResult, AddRootResult, AddTrustResult, AllCertsResult, GetRevokeBytesResult, GetTrustBytesResult,
IssueTrustResult, VerifyTrustResult, WeightResult, InsertResult, IssueRevocationResult, IssueTrustResult, RevokeResult, VerifyTrustResult,
WeightResult,
}; };
use crate::service_impl::{ use crate::service_impl::{
add_root_impl, add_trust_impl, get_all_certs_impl, get_trust_bytes_imp, get_weight_impl, add_root_impl, add_trust_impl, get_all_certs_impl, get_revoke_bytes_impl, get_trust_bytes_imp,
insert_cert_impl, insert_cert_impl_raw, issue_trust_impl, verify_trust_impl, get_weight_impl, insert_cert_impl, insert_cert_impl_raw, issue_revocation_impl,
issue_trust_impl, revoke_impl, verify_trust_impl,
}; };
use marine_rs_sdk::{marine, CallParameters}; use marine_rs_sdk::{marine, CallParameters};
@ -85,3 +87,29 @@ fn verify_trust(trust: Trust, issuer_peer_id: String, timestamp_sec: u64) -> Ver
fn add_trust(trust: Trust, issuer_peer_id: String, timestamp_sec: u64) -> AddTrustResult { fn add_trust(trust: Trust, issuer_peer_id: String, timestamp_sec: u64) -> AddTrustResult {
add_trust_impl(trust, issuer_peer_id, timestamp_sec).into() add_trust_impl(trust, issuer_peer_id, timestamp_sec).into()
} }
#[marine]
fn get_revoke_bytes(revoked_peer_id: String, revoked_at: u64) -> GetRevokeBytesResult {
get_revoke_bytes_impl(revoked_peer_id, revoked_at).into()
}
#[marine]
fn issue_revocation(
revoked_peer_id: String,
revoked_by_peer_id: String,
revoked_at_sec: u64,
signature_bytes: Vec<u8>,
) -> IssueRevocationResult {
issue_revocation_impl(
revoked_peer_id,
revoked_by_peer_id,
revoked_at_sec,
signature_bytes,
)
.into()
}
#[marine]
fn revoke(revoke: Revoke, timestamp_sec: u64) -> RevokeResult {
revoke_impl(revoke, timestamp_sec).into()
}

41
service/src/service_impl.rs
View File

@ -1,4 +1,4 @@
use crate::dto::{Certificate, DtoConversionError, Trust}; use crate::dto::{Certificate, DtoConversionError, Revoke, Trust};
use crate::service_impl::ServiceError::InvalidTimestampTetraplet; use crate::service_impl::ServiceError::InvalidTimestampTetraplet;
use crate::storage_impl::get_data; use crate::storage_impl::get_data;
use fluence_keypair::error::DecodingError; use fluence_keypair::error::DecodingError;
@ -7,6 +7,7 @@ use fluence_keypair::{PublicKey, Signature};
use libp2p_core::PeerId; use libp2p_core::PeerId;
use marine_rs_sdk::CallParameters; use marine_rs_sdk::CallParameters;
use std::convert::{Into, TryInto}; use std::convert::{Into, TryInto};
use std::iter::Rev;
use std::str::FromStr; use std::str::FromStr;
use std::time::Duration; use std::time::Duration;
use thiserror::Error as ThisError; use thiserror::Error as ThisError;
@ -199,3 +200,41 @@ pub fn add_trust_impl(
) )
.map_err(ServiceError::TGError) .map_err(ServiceError::TGError)
} }
pub fn get_revoke_bytes_impl(
revoked_peer_id: String,
revoked_at: u64,
) -> Result<Vec<u8>, ServiceError> {
let public_key = extract_public_key(revoked_peer_id)?;
Ok(trust_graph::Revoke::signature_bytes(
&public_key,
Duration::from_secs(revoked_at),
))
}
pub fn issue_revocation_impl(
revoked_peer_id: String,
revoked_by_peer_id: String,
revoked_at_sec: u64,
signature_bytes: Vec<u8>,
) -> Result<Revoke, ServiceError> {
let revoked_pk = extract_public_key(revoked_peer_id)?;
let revoked_by_pk = extract_public_key(revoked_by_peer_id)?;
let revoked_at = Duration::from_secs(revoked_at_sec);
let signature = Signature::from_bytes_with_public_key(&revoked_by_pk, signature_bytes);
Ok(trust_graph::Revoke::new(revoked_pk, revoked_by_pk, revoked_at, signature).into())
}
pub fn revoke_impl(revoke: Revoke, timestamp_sec: u64) -> Result<(), ServiceError> {
check_timestamp_tetraplets(&marine_rs_sdk::get_call_parameters(), 1)?;
// TODO: use error for revoke, not trust
if revoke.revoked_at > timestamp_sec {
return Err(ServiceError::InvalidTrustTimestamp);
}
let mut tg = get_data().lock();
tg.revoke(revoke.try_into()?).map_err(ServiceError::TGError)
}

7
service/src/tests.rs
View File

@ -44,11 +44,8 @@ mod tests {
macro_rules! issue_trust { macro_rules! issue_trust {
($trust_graph:expr, $issuer_kp:expr, $issued_peer_id: expr, $expires_at:expr, $issued_at: expr) => {{ ($trust_graph:expr, $issuer_kp:expr, $issued_peer_id: expr, $expires_at:expr, $issued_at: expr) => {{
let trust_metadata_result = $trust_graph.get_trust_metadata( let trust_metadata_result =
$issued_peer_id.to_base58(), $trust_graph.get_trust_bytes($issued_peer_id.to_base58(), $expires_at, $issued_at);
$expires_at,
$issued_at,
);
assert_result!(trust_metadata_result); assert_result!(trust_metadata_result);
let metadata = trust_metadata_result.result; let metadata = trust_metadata_result.result;

22
src/revoke.rs
View File

@ -19,6 +19,7 @@ use fluence_keypair::key_pair::KeyPair;
use fluence_keypair::public_key::PublicKey; use fluence_keypair::public_key::PublicKey;
use fluence_keypair::signature::Signature; use fluence_keypair::signature::Signature;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use sha2::Digest;
use std::time::Duration; use std::time::Duration;
use thiserror::Error as ThisError; use thiserror::Error as ThisError;
@ -28,7 +29,7 @@ pub enum RevokeError {
IncorrectSignature( IncorrectSignature(
#[from] #[from]
#[source] #[source]
fluence_keypair::error::SigningError fluence_keypair::error::SigningError,
), ),
} }
@ -43,12 +44,12 @@ pub struct Revoke {
/// the issuer of this revocation /// the issuer of this revocation
pub revoked_by: PublicKey, pub revoked_by: PublicKey,
/// proof of this revocation /// proof of this revocation
signature: Signature, pub signature: Signature,
} }
impl Revoke { impl Revoke {
#[allow(dead_code)] #[allow(dead_code)]
fn new( pub fn new(
pk: PublicKey, pk: PublicKey,
revoked_by: PublicKey, revoked_by: PublicKey,
revoked_at: Duration, revoked_at: Duration,
@ -71,14 +72,14 @@ impl Revoke {
Revoke::new(to_revoke, revoker.public(), revoked_at, signature) Revoke::new(to_revoke, revoker.public(), revoked_at, signature)
} }
fn signature_bytes(pk: &PublicKey, revoked_at: Duration) -> Vec<u8> { pub fn signature_bytes(pk: &PublicKey, revoked_at: Duration) -> Vec<u8> {
let mut msg = Vec::new(); let mut metadata = Vec::new();
let pk_bytes = &pk.encode(); let pk_bytes = &pk.encode();
msg.push(pk_bytes.len() as u8); metadata.push(pk_bytes.len() as u8);
msg.extend(pk_bytes); metadata.extend(pk_bytes);
msg.extend_from_slice(&(revoked_at.as_secs() as u64).to_le_bytes()); metadata.extend_from_slice(&(revoked_at.as_secs() as u64).to_le_bytes());
msg sha2::Sha256::digest(&metadata).to_vec()
} }
/// Verifies that revocation is cryptographically correct. /// Verifies that revocation is cryptographically correct.
@ -87,7 +88,8 @@ impl Revoke {
revoke revoke
.revoked_by .revoked_by
.verify(msg.as_slice(), &revoke.signature).map_err(IncorrectSignature) .verify(msg.as_slice(), &revoke.signature)
.map_err(IncorrectSignature)
} }
} }