pr_fixes

.github/workflows/release.yml

@@ -141,7 +141,7 @@ jobs:
         with:
           workflow: update_service
           repo: fluencelabs/node-distro
-          ref: 'main'
+          ref: 'tg-hl-api'
           token: ${{ secrets.PERSONAL_TOKEN }}
           inputs: '{
             "name": "trust-graph",

README.md

@@ -62,5 +62,26 @@ func my_function(peer_id: string) -> u32:
    import { Fluence, KeyPair } from "@fluencelabs/fluence";
    import { krasnodar, Node } from "@fluencelabs/fluence-network-environment";
    ```
-3. Add root and issue root trust.
+3. Create client (specify keypair if you are node owner
-4. For now, trusts/revocations can only be signed by client's private key.
+[link](https://github.com/fluencelabs/node-distro/blob/main/fluence/Config.default.toml#L9))
+
+   ```typescript
+   await Fluence.start({ connectTo: relay /*, KeyPair: builtins_keypair*/});
+   ```
+4. Add root and issue root trust.
+   ```typescript
+   let peer_id = Fluence.getStatus().peerId;
+   let relay = Fluence.getStatus().relayPeerId;
+   assert(peer_id !== null);
+   assert(relay !== null);
+   let max_chain_len = 2;
+   let far_future = tg.timestamp_sec() + 9999999999;
+   let error = await tg.add_root_trust(relay, peer_id, max_chain_len, far_future);
+   assert(error == null)
+   ```
+5. For now, trusts/revocations can only be signed with the client's private key.
+   Keypair specification will be available soon.
+   ```typescript
+   // issue signed trust
+   let error = await tg.issue_trust(relay, peer_id, issued_for_peer_id, expires_at_sec);
+   ```

admin/index.ts

@@ -49,7 +49,6 @@ async function main(environment: Node[]) {
         Fluence.getStatus().peerId,
         Fluence.getStatus().relayPeerId
     );
-
     let root_sk_b58 = fs.readFileSync("./root_secret_key.ed25519").toString();
     let issuer_sk_b58 = fs.readFileSync("./issuer_secret_key.ed25519").toString();
     let example_sk_b58 = fs.readFileSync("../example_secret_key.ed25519").toString();
@@ -70,7 +69,7 @@ async function main(environment: Node[]) {
     common_chain.push(await issue_trust_helper(node, root_kp, root_kp.Libp2pPeerId.toB58String(), issuer_kp.Libp2pPeerId.toB58String(), expires_at, cur_time));
     // from root to example
     let trust = await issue_trust_helper(node, root_kp, root_kp.Libp2pPeerId.toB58String(), example_kp.Libp2pPeerId.toB58String(), expires_at, cur_time);
-    let cert = {chain: [...common_chain, trust]};
+    let cert = {chain: [common_chain[0], trust]};
     certificates.push(cert);
 
     for (let i = 0; i < krasnodar.length; i++)  {

aqua/misc.aqua

@@ -5,4 +5,4 @@ service TrustOp("op"):
   array_length(a: []Trust) -> u32
 
 service BoolOp("op"):
-  array_length(a: []bool) -> u32
+  array_length(a: []bool) -> u32

aqua/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fluencelabs/trust-graph",
-  "version": "0.2.1",
+  "version": "0.2.2",
   "description": "Aqua Trust Graph API library",
   "files": [
     "*.aqua"

aqua/trust-graph-api.aqua

@@ -1,27 +1,37 @@
 import "trust-graph.aqua"
 import "misc.aqua"
-import "@fluencelabs/aqua-lib/builtin.aqua"
+import Sig, Peer from "@fluencelabs/aqua-lib/builtin.aqua"
+
+alias PeerId: string
+alias Error: string
 
 -- Set peer_id as a root to TG instance on current node
 -- Self-signed trust should be added in next call for correct behaviour
 -- `max_chain_len` specifies maximum chain length after root trust,
 -- if `max_chain_len` is zero there is no trusts except self-signed root trust in certificates for this root
-func add_root(peer_id: string, max_chain_len: u32) -> AddRootResult:
+func set_root(peer_id: PeerId, max_chain_len: u32) -> SetRootResult:
-    weight_factor <- TrustGraph.get_weight_factor(max_chain_len)
+    result <- TrustGraph.set_root(peer_id, max_chain_len)
-    result <- TrustGraph.add_root(peer_id, weight_factor)
     <- result
 
--- Create and sign trust with %init_peer_id%'s private key
+-- Create and sign trust
-func issue_trust(issued_for_peer_id: string, expires_at_sec: u64) -> ?Trust, ?string:
+-- If `issuer` is not %init_peer_id%, Sig service with `issuer` peer id as service id should be defined
-    issued_at_sec <- Peer.timestamp_sec()
+func issue_trust(issuer: PeerId, issued_for: PeerId, expires_at_sec: u64) -> ?Trust, ?Error:
-    bytes <- TrustGraph.get_trust_bytes(issued_for_peer_id, expires_at_sec, issued_at_sec)
+    on HOST_PEER_ID:
+        issued_at_sec <- Peer.timestamp_sec()
+        bytes <- TrustGraph.get_trust_bytes(issued_for, expires_at_sec, issued_at_sec)
 
     result: ?Trust
     error: ?string
     if bytes.success:
-        on %init_peer_id% via HOST_PEER_ID:
+        if issuer != %init_peer_id%:
-            signature <- Sig.sign(bytes.result)
+            Sig issuer
-        issue_result <- TrustGraph.issue_trust(issued_for_peer_id, expires_at_sec, issued_at_sec, signature)
+        else:
+            Sig "sig"
+
+        signature <- Sig.sign(bytes.result)
+
+        on HOST_PEER_ID:
+            issue_result <- TrustGraph.issue_trust(issued_for, expires_at_sec, issued_at_sec, signature)
         if issue_result.success:
             result <<- issue_result.trust
         else:
@@ -30,75 +40,88 @@ func issue_trust(issued_for_peer_id: string, expires_at_sec: u64) -> ?Trust, ?st
         error <<- bytes.error
     <- result, error
 
--- Issue trust and add to TG instance on current node
-func add_trust(issued_for_peer_id: string, expires_at_sec: u64) -> ?string:
-    trust, issue_error <- issue_trust(issued_for_peer_id, expires_at_sec)
-
-    error: ?string
-    if trust == nil:
-        error <<- issue_error!
-    else:
-        timestamp_sec <- Peer.timestamp_sec()
-        add_result <- TrustGraph.add_trust(trust!, %init_peer_id%, timestamp_sec)
-        if add_result.success != true:
-            error <<- add_result.error
-
-    <- error
-
 -- Add trust to TG instance on current node
-func import_trust(trust: Trust) -> ?string:
+func import_trust(trust: Trust, issuer: PeerId) -> ?Error:
     error: ?string
     timestamp_sec <- Peer.timestamp_sec()
-    add_result <- TrustGraph.add_trust(trust, %init_peer_id%, timestamp_sec)
+    add_result <- TrustGraph.add_trust(trust, issuer, timestamp_sec)
     if add_result.success != true:
         error <<- add_result.error
-
     <- error
 
--- Set %init_peer_id% as a root and add self-signed trust to TG instance on current node
+-- Issue trust and add to TG instance on `node`
-func add_root_trust(max_chain_len: u32, expires_at_sec: u64) -> ?string:
+-- If `issuer` is not %init_peer_id%, Sig service with `issuer` peer id as service id should be defined
-    add_root_result <- add_root(%init_peer_id%, max_chain_len)
+func add_trust(node: PeerId, issuer: PeerId, issued_for: PeerId, expires_at_sec: u64) -> ?Error:
-    error: *?string
+    trust, issue_error <- issue_trust(issuer, issued_for, expires_at_sec)
-    if add_root_result.success:
+
-        error <- add_trust(%init_peer_id%, expires_at_sec)
+    error: *?Error
+    if trust == nil:
+        error <<- issue_error
     else:
-        -- converting string to ?string
+        on node:
-        tmp: *string
+            error <- import_trust(trust!, issuer)
-        tmp <<- add_root_result.error
+
-        error <<- tmp
+    <- error!
+
+-- Set `peer_id` as a root and add self-signed trust to TG instance on `node`
+-- If `peer_id` is not %init_peer_id%, Sig service with `peer_id` as service id should be defined
+func add_root_trust(node: PeerId, peer_id: PeerId, max_chain_len: u32, expires_at_sec: u64) -> ?Error:
+    trust, issue_error <- issue_trust(peer_id, peer_id, expires_at_sec)
+
+    error: *?Error
+    if trust == nil:
+        error <<- issue_error
+    else:
+        on node:
+            set_root_result <- set_root(peer_id, max_chain_len)
+            if set_root_result.success:
+                error <- import_trust(trust!, peer_id)
+            else:
+                -- converting string to ?string
+                tmp: *string
+                tmp <<- set_root_result.error
+                error <<- tmp
 
     <- error!
 
 -- Check signature and expiration time of trust
-func verify_trust(trust: Trust, issuer_peer_id: string) -> VerifyTrustResult:
+func verify_trust(trust: Trust, issuer: PeerId) -> VerifyTrustResult:
     timestamp_sec <- Peer.timestamp_sec()
-    result <- TrustGraph.verify_trust(trust, issuer_peer_id, timestamp_sec)
+    result <- TrustGraph.verify_trust(trust, issuer, timestamp_sec)
     <- result
 
 -- Get the maximum weight of trust for one peer id
 -- Trust has weight if there is at least 1 trust chain from one of the roots
-func get_weight(peer_id: string) -> WeightResult:
+func get_weight(peer_id: PeerId) -> WeightResult:
     timestamp_sec <- Peer.timestamp_sec()
     result <- TrustGraph.get_weight(peer_id, timestamp_sec)
     <- result
 
 -- Get maximum weight of trust among all chains which contain trust from `issuer`
-func get_weight_from(peer_id: string, issuer: string) -> WeightResult:
+func get_weight_from(peer_id: PeerId, issuer: PeerId) -> WeightResult:
     timestamp_sec <- Peer.timestamp_sec()
     result <- TrustGraph.get_weight_from(peer_id, issuer, timestamp_sec)
     <- result
 
 -- Create revocation signed by %init_peer_id%
-func issue_revocation(revoked_peer_id: string) -> ?Revocation, ?string:
+-- If `revoked_by` is not %init_peer_id%, Sig service with `revoked_by` peer id as service id should be defined
-    issued_at_sec <- Peer.timestamp_sec()
+func issue_revocation(revoked_by: PeerId, revoked: PeerId) -> ?Revocation, ?Error:
-    bytes <- TrustGraph.get_revocation_bytes(revoked_peer_id, issued_at_sec)
+    on HOST_PEER_ID:
+        issued_at_sec <- Peer.timestamp_sec()
+        bytes <- TrustGraph.get_revocation_bytes(revoked, issued_at_sec)
 
     result: ?Revocation
     error: ?string
     if bytes.success:
-        on %init_peer_id% via HOST_PEER_ID:
+        if revoked_by != %init_peer_id%:
-            signature <- Sig.sign(bytes.result)
+            Sig revoked_by
-        issue_result <- TrustGraph.issue_revocation(revoked_peer_id, %init_peer_id%, issued_at_sec, signature)
+        else:
+            Sig "sig"
+
+        signature <- Sig.sign(bytes.result)
+
+        on HOST_PEER_ID:
+            issue_result <- TrustGraph.issue_revocation(revoked_by, revoked, issued_at_sec, signature)
         if issue_result.success:
             result <<- issue_result.revocation
         else:
@@ -107,24 +130,8 @@ func issue_revocation(revoked_peer_id: string) -> ?Revocation, ?string:
         error <<- bytes.error
     <- result, error
 
--- Revoke all certificates on current node's TG instance
--- which contain path from %init_peer_id% to `revoked_peer_id`
-func revoke(revoked_peer_id: string) -> ?string:
-    revocation, issue_error <- issue_revocation(revoked_peer_id)
-
-    error: ?string
-    if revocation == nil:
-        error <<- issue_error!
-    else:
-        timestamp_sec <- Peer.timestamp_sec()
-        revoke_result <- TrustGraph.revoke(revocation!, timestamp_sec)
-        if revoke_result.success != true:
-            error <<- revoke_result.error
-
-    <- error
-
 -- Import revocation to current node's TG instance
-func import_revocation(revocation: Revocation) -> ?string:
+func import_revocation(revocation: Revocation) -> ?Error:
     error: ?string
     timestamp_sec <- Peer.timestamp_sec()
     add_result <- TrustGraph.revoke(revocation, timestamp_sec)
@@ -133,20 +140,37 @@ func import_revocation(revocation: Revocation) -> ?string:
 
     <- error
 
+-- Revoke all certificates on `node` TG instance
+-- which contain path from %init_peer_id% to `revoked_peer_id`
+-- If `revoked_by` is not %init_peer_id%, Sig service with `revoked_by` peer id as service id should be defined
+func revoke(node: PeerId, revoked_by: PeerId, revoked: PeerId) -> ?Error:
+    revocation, issue_error <- issue_revocation(revoked_by, revoked)
+
+    error: *?string
+    if revocation == nil:
+        error <<- issue_error
+    else:
+        on node:
+           error <- import_revocation(revocation!)
+
+    <- error!
+
+
+
 -- Return all certificates issued for current node which contains trust from `issuer`
-func get_host_certs_from(issuer: string) -> AllCertsResult:
+func get_host_certs_from(issuer: PeerId) -> AllCertsResult:
     timestamp_sec <- Peer.timestamp_sec()
     result <- TrustGraph.get_host_certs_from(issuer, timestamp_sec)
     <- result
 
 -- Return all certificates issued for given peer id
-func get_all_certs(issued_for: string) -> AllCertsResult:
+func get_all_certs(issued_for: PeerId) -> AllCertsResult:
     timestamp_sec <- Peer.timestamp_sec()
     result <- TrustGraph.get_all_certs(issued_for, timestamp_sec)
     <- result
 
 -- Return all certificates issued for given peer id which contains trust from `issuer`
-func get_all_certs_from(issued_for: string, issuer: string) -> AllCertsResult:
+func get_all_certs_from(issued_for: PeerId, issuer: PeerId) -> AllCertsResult:
     timestamp_sec <- Peer.timestamp_sec()
     result <- TrustGraph.get_all_certs_from(issued_for, issuer, timestamp_sec)
     <- result
@@ -165,7 +189,7 @@ func insert_cert(certificate: Certificate) -> InsertResult:
 
 -- returns `true` if current node is identified as official Fluence Labs peer
 -- returns `false` otherwise
-func isFluencePeer() -> ?bool, ?string:
+func isFluencePeer() -> ?bool, ?Error:
     certs_result <- get_host_certs_from("12D3KooWM45u7AQxsb4MuQJNYT3NWHHMLU7JTbBV66RTfF3KSzdR")
     result: ?bool
     error: ?string

aqua/trust-graph.aqua

@@ -1,9 +1,5 @@
 module TrustGraph declares *
 
-data AddRootResult:
-  success: bool
-  error: string
-
 data AddTrustResult:
   success: bool
   error: string
@@ -24,6 +20,18 @@ data AllCertsResult:
   certificates: []Certificate
   error: string
 
+data Revocation:
+  revoked_peer_id: string
+  revoked_at: u64
+  signature: string
+  sig_type: string
+  revoked_by: string
+
+data ExportRevocationsResult:
+  success: bool
+  revocations: []Revocation
+  error: string
+
 data GetRevokeBytesResult:
   success: bool
   error: string
@@ -38,13 +46,6 @@ data InsertResult:
   success: bool
   error: string
 
-data Revocation:
-  revoked_peer_id: string
-  revoked_at: u64
-  signature: string
-  sig_type: string
-  revoked_by: string
-
 data IssueRevocationResult:
   success: bool
   error: string
@@ -59,6 +60,10 @@ data RevokeResult:
   success: bool
   error: string
 
+data SetRootResult:
+  success: bool
+  error: string
+
 data VerifyTrustResult:
   success: bool
   error: string
@@ -70,8 +75,8 @@ data WeightResult:
   error: string
 
 service TrustGraph("trust-graph"):
-  add_root(peer_id: string, weight_factor: u32) -> AddRootResult
   add_trust(trust: Trust, issuer_peer_id: string, timestamp_sec: u64) -> AddTrustResult
+  export_revocations(issued_for: string) -> ExportRevocationsResult
   get_all_certs(issued_for: string, timestamp_sec: u64) -> AllCertsResult
   get_all_certs_from(issued_for: string, issuer: string, timestamp_sec: u64) -> AllCertsResult
   get_host_certs(timestamp_sec: u64) -> AllCertsResult
@@ -79,11 +84,11 @@ service TrustGraph("trust-graph"):
   get_revocation_bytes(revoked_peer_id: string, revoked_at: u64) -> GetRevokeBytesResult
   get_trust_bytes(issued_for_peer_id: string, expires_at_sec: u64, issued_at_sec: u64) -> GetTrustBytesResult
   get_weight(peer_id: string, timestamp_sec: u64) -> WeightResult
-  get_weight_factor(max_chain_len: u32) -> u32
   get_weight_from(peer_id: string, issuer: string, timestamp_sec: u64) -> WeightResult
   insert_cert(certificate: Certificate, timestamp_sec: u64) -> InsertResult
   insert_cert_raw(certificate: string, timestamp_sec: u64) -> InsertResult
-  issue_revocation(revoked_peer_id: string, revoked_by_peer_id: string, revoked_at_sec: u64, signature_bytes: []u8) -> IssueRevocationResult
+  issue_revocation(revoked_by_peer_id: string, revoked_peer_id: string, revoked_at_sec: u64, signature_bytes: []u8) -> IssueRevocationResult
   issue_trust(issued_for_peer_id: string, expires_at_sec: u64, issued_at_sec: u64, trust_bytes: []u8) -> IssueTrustResult
   revoke(revoke: Revocation, timestamp_sec: u64) -> RevokeResult
+  set_root(peer_id: string, max_chain_len: u32) -> SetRootResult
   verify_trust(trust: Trust, issuer_peer_id: string, timestamp_sec: u64) -> VerifyTrustResult

builtin-package/on_start.air

@@ -1,9 +1,6 @@
 (seq
     (seq
-        (seq
+        (call relay ("trust-graph" "set_root") ["12D3KooWNbZKaPWRZ8wgjGvrxdJFz9Fq5uVwkR6ERV1f74HhPdyB" 5] add_root_res)
-            (call relay ("trust-graph" "get_weight_factor") [5] weight_factor)
-            (call relay ("trust-graph" "add_root") ["12D3KooWNbZKaPWRZ8wgjGvrxdJFz9Fq5uVwkR6ERV1f74HhPdyB" weight_factor] add_root_res)
-        )
         (xor
             (match add_root_res.$.success! true
                 (null)

example/aqua/computation.aqua

@@ -19,9 +19,9 @@ func trusted_computation(node: string) -> ?u64:
         certs_result <- get_all_certs_from(node, %init_peer_id%)
         if certs_result.success:
             len <- CertOp.array_length(certs_result.certificates)
-    -- if there is any certificate node is trusted and computation is possible
+        -- if there is any certificate node is trusted and computation is possible
-    if len != 0:
+        if len != 0:
-        on node:
+            on node:
-            result <- TrustedComputation.identity(5)
+                result <- TrustedComputation.identity(5)
 
     <- result

example/aqua/export.aqua

@@ -1,24 +1,13 @@
-use add_root_trust, add_trust, revoke from "@fluencelabs/trust-graph/trust-graph-api.aqua" as TrustGraph
+import add_root_trust, add_trust, revoke from "@fluencelabs/trust-graph/trust-graph-api.aqua"
 export add_root_trust, add_trust, revoke
 import Peer from "@fluencelabs/aqua-lib/builtin.aqua"
 
--- here we define wrappers with `on` for export functions used in script
+alias PeerId: string
-func add_root_trust(node: string, max_chain_len: u32, expires_at_sec: u64) -> ?string:
-    on node:
-        error <- TrustGraph.add_root_trust(max_chain_len, expires_at_sec)
-    <- error
-
-func add_trust(node: string, issued_for_peer_id: string, expires_at_sec: u64) -> ?string:
-    on node:
-        error <- TrustGraph.add_trust(issued_for_peer_id, expires_at_sec)
-    <- error
-
-func revoke(node: string, revoked_peer_id: string) -> ?string:
-    on node:
-        error <- TrustGraph.revoke(revoked_peer_id)
-    <- error
 
 func timestamp_sec() -> u64:
     on HOST_PEER_ID:
         result <- Peer.timestamp_sec()
     <- result
+
+service Sig:
+    sign(msg: []u8) -> []u8

example/index.ts

@@ -19,7 +19,7 @@ import * as tg from "./generated/export";
 import {Fluence, FluencePeer, KeyPair} from "@fluencelabs/fluence";
 import {krasnodar, Node, testNet, stage} from "@fluencelabs/fluence-network-environment";
 import assert from "assert";
-import {add_root_trust} from "./generated/export";
+import {add_root_trust, registerSig} from "./generated/export";
 const bs58 = require('bs58');
 
 let local: Node[] = [
@@ -40,21 +40,22 @@ let local: Node[] = [
     },
 ];
 
-async function revoke_all(relay: string) {
+async function revoke_all(relay: string, revoked_by: string) {
     for (var node of local) {
-        let error = await tg.revoke(relay, node.peerId);
+        let error = await tg.revoke(relay, revoked_by, node.peerId);
+        console.log(error)
         assert(error == null);
     }
 }
-async function add_root(relay: string) {
+async function add_root(relay: string, peer_id: string) {
     let current_time = await tg.timestamp_sec();
     let far_future = current_time + 9999999;
-    let error = await tg.add_root_trust(relay, 2, far_future);
+    let error = await tg.add_root_trust(relay, peer_id, 2, far_future);
     assert(error == null);
 }
 
-async function add_new_trust_checked(relay: string, issued_for_peer_id: string, expires_at_sec: number) {
+async function add_new_trust_checked(relay: string, issuer: string, issued_for_peer_id: string, expires_at_sec: number) {
-    let error = await tg.add_trust(relay, issued_for_peer_id, expires_at_sec);
+    let error = await tg.add_trust(relay, issuer, issued_for_peer_id, expires_at_sec);
     if (error !== null) {
         console.error("%s", error);
     } else {
@@ -62,8 +63,8 @@ async function add_new_trust_checked(relay: string, issued_for_peer_id: string,
     }
 }
 
-async function revoke_checked(relay: string, revoked_peer_id: string) {
+async function revoke_checked(relay: string, revoked_by: string, revoked_peer_id: string) {
-    let error = await tg.revoke(relay, revoked_peer_id);
+    let error = await tg.revoke(relay, revoked_by, revoked_peer_id);
     if (error !== null) {
         console.log("%s", error);
     } else {
@@ -95,17 +96,19 @@ async function main() {
         Fluence.getStatus().peerId,
         Fluence.getStatus().relayPeerId
     );
+    let local_peer_id = Fluence.getStatus().peerId;
+    assert(local_peer_id !== null);
 
     let current_time = await tg.timestamp_sec();
     let far_future = current_time + 9999999;
 
     // clear all trusts from our peer id on relay
-    await revoke_all(relay.peerId);
+    await revoke_all(relay.peerId, local_peer_id);
     // wait to be sure that last revocation will be older than future trusts at least on 1 second (because timestamp in secs)
     await new Promise(f => setTimeout(f, 1000));
 
     // set our peer id as root to our relay
-    await add_root(relay.peerId);
+    await add_root(relay.peerId, local_peer_id);
 
     let nodeA = local[0].peerId
     let nodeB = local[1].peerId
@@ -117,7 +120,7 @@ async function main() {
     await exec_trusted_computation(nodeC); // fail
 
     console.log("🌀 Issue trust to nodeB: %s", nodeB);
-    await add_new_trust_checked(relay.peerId, nodeB, far_future);
+    await add_new_trust_checked(relay.peerId, local_peer_id, nodeB, far_future);
 
     await exec_trusted_computation(nodeA); // fail
     await exec_trusted_computation(nodeB); // success
@@ -125,7 +128,7 @@ async function main() {
 
     await new Promise(f => setTimeout(f, 1000));
     console.log("🚫 Revoke trust to nodeB");
-    await revoke_checked(relay.peerId, nodeB);
+    await revoke_checked(relay.peerId, local_peer_id, nodeB);
 
     await exec_trusted_computation(nodeA); // fail
     await exec_trusted_computation(nodeB); // fail

example_secret_key.ed25519

@@ -0,0 +1 @@
+E5ay3731i4HN8XjJozouV92RDMGAn3qSnb9dKSnujiWv

service/src/results.rs

@@ -60,9 +60,9 @@ pub struct AllCertsResult {
 impl From<Result<Vec<Certificate>, ServiceError>> for AllCertsResult {
     fn from(result: Result<Vec<Certificate>, ServiceError>) -> Self {
         match result {
-            Ok(certs) => AllCertsResult {
+            Ok(certificates) => AllCertsResult {
                 success: true,
-                certificates: certs,
+                certificates,
                 error: "".to_string(),
             },
             Err(e) => AllCertsResult {
@@ -75,19 +75,19 @@ impl From<Result<Vec<Certificate>, ServiceError>> for AllCertsResult {
 }
 
 #[marine]
-pub struct AddRootResult {
+pub struct SetRootResult {
     pub success: bool,
     pub error: String,
 }
 
-impl From<Result<(), ServiceError>> for AddRootResult {
+impl From<Result<(), ServiceError>> for SetRootResult {
     fn from(result: Result<(), ServiceError>) -> Self {
         match result {
-            Ok(()) => AddRootResult {
+            Ok(()) => SetRootResult {
                 success: true,
                 error: "".to_string(),
             },
-            Err(e) => AddRootResult {
+            Err(e) => SetRootResult {
                 success: false,
                 error: format!("{}", e),
             },
@@ -256,3 +256,27 @@ impl From<Result<(), ServiceError>> for RevokeResult {
         }
     }
 }
+
+#[marine]
+pub struct ExportRevocationsResult {
+    pub success: bool,
+    pub revocations: Vec<Revocation>,
+    pub error: String,
+}
+
+impl From<Result<Vec<Revocation>, ServiceError>> for ExportRevocationsResult {
+    fn from(result: Result<Vec<Revocation>, ServiceError>) -> Self {
+        match result {
+            Ok(revocations) => ExportRevocationsResult {
+                success: true,
+                revocations,
+                error: "".to_string(),
+            },
+            Err(e) => ExportRevocationsResult {
+                success: false,
+                revocations: vec![],
+                error: format!("{}", e),
+            },
+        }
+    }
+}

service/src/service_api.rs

@@ -2,9 +2,9 @@ use crate::dto::{Certificate, Revocation, Trust};
 use crate::error::ServiceError;
 use crate::misc::{check_timestamp_tetraplets, extract_public_key, with_tg, wrapped_try};
 use crate::results::{
-    AddRootResult, AddTrustResult, AllCertsResult, GetRevokeBytesResult, GetTrustBytesResult,
+    AddTrustResult, AllCertsResult, ExportRevocationsResult, GetRevokeBytesResult,
-    InsertResult, IssueRevocationResult, IssueTrustResult, RevokeResult, VerifyTrustResult,
+    GetTrustBytesResult, InsertResult, IssueRevocationResult, IssueTrustResult, RevokeResult,
-    WeightResult,
+    SetRootResult, VerifyTrustResult, WeightResult,
 };
 use crate::storage_impl::SQLiteStorage;
 use fluence_keypair::Signature;
@@ -12,27 +12,22 @@ use marine_rs_sdk::{get_call_parameters, marine, CallParameters};
 use std::convert::{TryFrom, TryInto};
 use std::str::FromStr;
 use std::time::Duration;
-use trust_graph::{TrustGraph, MAX_WEIGHT_FACTOR};
+use trust_graph::TrustGraph;
 
 #[marine]
-fn get_weight_factor(max_chain_len: u32) -> u32 {
+/// could set only a owner of a trust graph service
-    MAX_WEIGHT_FACTOR.checked_sub(max_chain_len).unwrap_or(0u32)
+fn set_root(peer_id: String, max_chain_len: u32) -> SetRootResult {
-}
-
-#[marine]
-/// could add only a owner of a trust graph service
-fn add_root(peer_id: String, weight_factor: u32) -> AddRootResult {
     let call_parameters: CallParameters = marine_rs_sdk::get_call_parameters();
     let init_peer_id = call_parameters.init_peer_id;
     if call_parameters.service_creator_peer_id == init_peer_id {
         with_tg(|tg| {
             let public_key = extract_public_key(peer_id)?;
-            tg.add_root_weight_factor(public_key, weight_factor)?;
+            tg.set_root(public_key, max_chain_len)?;
             Ok(())
         })
         .into()
     } else {
-        return AddRootResult {
+        return SetRootResult {
             success: false,
             error: ServiceError::NotOwner.to_string(),
         };
@@ -221,12 +216,11 @@ fn add_trust(trust: Trust, issuer_peer_id: String, timestamp_sec: u64) -> AddTru
             return Err(ServiceError::InvalidTimestamp("trust".to_string()));
         }
 
-        tg.add_trust(
+        Ok(tg.add_trust(
             &trust.try_into()?,
             public_key,
             Duration::from_secs(timestamp_sec),
-        )
+        )?)
-        .map_err(ServiceError::TGError)
     })
     .into()
 }
@@ -245,8 +239,8 @@ fn get_revocation_bytes(revoked_peer_id: String, revoked_at: u64) -> GetRevokeBy
 
 #[marine]
 fn issue_revocation(
-    revoked_peer_id: String,
     revoked_by_peer_id: String,
+    revoked_peer_id: String,
     revoked_at_sec: u64,
     signature_bytes: Vec<u8>,
 ) -> IssueRevocationResult {
@@ -256,7 +250,7 @@ fn issue_revocation(
 
         let revoked_at = Duration::from_secs(revoked_at_sec);
         let signature = Signature::from_bytes(revoked_by_pk.get_key_format(), signature_bytes);
-        Ok(trust_graph::Revocation::new(revoked_pk, revoked_by_pk, revoked_at, signature).into())
+        Ok(trust_graph::Revocation::new(revoked_by_pk, revoked_pk, revoked_at, signature).into())
     })
     .into()
 }
@@ -270,7 +264,20 @@ fn revoke(revoke: Revocation, timestamp_sec: u64) -> RevokeResult {
             return Err(ServiceError::InvalidTimestamp("revoke".to_string()));
         }
 
-        tg.revoke(revoke.try_into()?).map_err(ServiceError::TGError)
+        Ok(tg.revoke(revoke.try_into()?)?)
+    })
+    .into()
+}
+
+#[marine]
+fn export_revocations(issued_for: String) -> ExportRevocationsResult {
+    with_tg(|tg| {
+        let issued_for_pk = extract_public_key(issued_for)?;
+        Ok(tg
+            .get_revocations(issued_for_pk)?
+            .into_iter()
+            .map(|r| r.into())
+            .collect())
     })
     .into()
 }

service/src/storage_impl.rs

@@ -293,7 +293,7 @@ impl Storage for SQLiteStorage {
         }
     }
 
-    fn add_root_weight_factor(
+    fn set_root_weight_factor(
         &mut self,
         pk: PK,
         weight_factor: WeightFactor,

service/src/tests.rs

@@ -87,8 +87,8 @@ mod service_tests {
         cp
     }
 
-    fn add_root_peer_id(trust_graph: &mut ServiceInterface, peer_id: PeerId, weight_factor: u32) {
+    fn set_root_peer_id(trust_graph: &mut ServiceInterface, peer_id: PeerId, max_chain_len: u32) {
-        let result = trust_graph.add_root(peer_id.to_base58(), weight_factor);
+        let result = trust_graph.set_root(peer_id.to_base58(), max_chain_len);
         assert!(result.success, "{}", result.error);
     }
 
@@ -97,9 +97,9 @@ mod service_tests {
         issuer_kp: &KeyPair,
         issued_at_sec: u64,
         expires_at_sec: u64,
-        weight_factor: u32,
+        max_chain_len: u32,
     ) -> Trust {
-        let result = trust_graph.add_root(issuer_kp.get_peer_id().to_base58(), weight_factor);
+        let result = trust_graph.set_root(issuer_kp.get_peer_id().to_base58(), max_chain_len);
         assert!(result.success, "{}", result.error);
         add_trust(
             trust_graph,
@@ -206,8 +206,8 @@ mod service_tests {
 
         let revoke_bytes = issuer_kp.sign(&result.result).unwrap().to_vec().to_vec();
         let issue_result = trust_graph.issue_revocation(
-            revoked_peer_id.to_base58(),
             issuer_kp.get_peer_id().to_base58(),
+            revoked_peer_id.to_base58(),
             revoked_at_sec,
             revoke_bytes,
         );
@@ -325,7 +325,7 @@ mod service_tests {
         };
 
         let some_peer_id = KeyPair::generate_ed25519().get_peer_id();
-        let result = trust_graph.add_root_cp(some_peer_id.to_base58(), 0, cp);
+        let result = trust_graph.set_root_cp(some_peer_id.to_base58(), 0, cp);
         assert!(!result.success);
         assert_eq!(result.error, ServiceError::NotOwner.to_string());
     }
@@ -343,7 +343,7 @@ mod service_tests {
         };
 
         let some_peer_id = KeyPair::generate_ed25519().get_peer_id();
-        let result = trust_graph.add_root_cp(some_peer_id.to_base58(), 0, cp);
+        let result = trust_graph.set_root_cp(some_peer_id.to_base58(), 0, cp);
         assert!(result.success, "{}", result.error);
     }
 
@@ -357,7 +357,7 @@ mod service_tests {
         let expires_at_sec = 9999u64;
         let issued_at_sec = 0u64;
 
-        add_root_peer_id(&mut trust_graph, root_kp.get_peer_id(), 4u32);
+        set_root_peer_id(&mut trust_graph, root_kp.get_peer_id(), 4u32);
 
         let result =
             trust_graph.get_trust_bytes(root_peer_id.to_base58(), expires_at_sec, issued_at_sec);
@@ -408,7 +408,7 @@ mod service_tests {
             &root_kp,
             cur_time,
             root_expired_time - 1,
-            4,
+            10,
         );
 
         let trust_kp = KeyPair::generate_ed25519();
@@ -447,7 +447,7 @@ mod service_tests {
 
         let peerA_kp = KeyPair::generate_ed25519();
         let mut cur_time = 100u64;
-        add_root_with_trust(&mut trust_graph, &peerA_kp, cur_time, cur_time + 9999, 4u32);
+        add_root_with_trust(&mut trust_graph, &peerA_kp, cur_time, cur_time + 9999, 10);
 
         let peerB_kp = KeyPair::generate_ed25519();
         add_trust(
@@ -490,7 +490,7 @@ mod service_tests {
         let mut cur_time = current_time();
 
         let root_peer_id = key_pairs[0].get_peer_id();
-        add_root_peer_id(&mut trust_graph, root_peer_id, 2);
+        set_root_peer_id(&mut trust_graph, root_peer_id, 10);
         add_trusts(&mut trust_graph, &trusts, cur_time);
 
         let target_peer_id = key_pairs[4].get_peer_id();
@@ -536,7 +536,7 @@ mod service_tests {
         let cur_time = current_time();
 
         let root_peer_id = key_pairs[0].get_peer_id();
-        add_root_peer_id(&mut trust_graph, root_peer_id, 2);
+        set_root_peer_id(&mut trust_graph, root_peer_id, 10);
         add_trusts(&mut trust_graph, &trusts, cur_time);
 
         let issued_by = key_pairs.last().unwrap().get_peer_id();
@@ -577,7 +577,7 @@ mod service_tests {
         let cur_time = current_time();
 
         let root1_peer_id = key_pairs[0].get_peer_id();
-        add_root_peer_id(&mut trust_graph, root1_peer_id, 2);
+        set_root_peer_id(&mut trust_graph, root1_peer_id, 10);
         add_trusts(&mut trust_graph, &trusts, cur_time);
 
         let issued_by = key_pairs.last().unwrap().get_peer_id();
@@ -620,7 +620,7 @@ mod service_tests {
 
         let cur_time = current_time();
         let root_peer_id = key_pairs[0].get_peer_id();
-        add_root_peer_id(&mut trust_graph, root_peer_id, 1);
+        set_root_peer_id(&mut trust_graph, root_peer_id, 10);
 
         for auth in trusts.iter() {
             add_trust_checked(&mut trust_graph, auth.trust.clone(), auth.issuer, cur_time);
@@ -649,9 +649,9 @@ mod service_tests {
         let far_future = cur_time + 9999;
 
         // add first and last trusts as roots
-        add_root_peer_id(&mut trust_graph, kps[0].get_peer_id(), 0);
+        set_root_peer_id(&mut trust_graph, kps[0].get_peer_id(), 10);
         add_trusts(&mut trust_graph, &trusts, cur_time);
-        add_root_with_trust(&mut trust_graph, &kps[5], cur_time, far_future, 0);
+        add_root_with_trust(&mut trust_graph, &kps[5], cur_time, far_future, 10);
 
         let certs = get_all_certs(&mut trust_graph, kps[5].get_peer_id(), cur_time);
         // first with self-signed last trust, second - without
@@ -667,7 +667,7 @@ mod service_tests {
 
         let root_kp = KeyPair::generate_ed25519();
         let cur_time = 100u64;
-        add_root_with_trust(&mut trust_graph, &root_kp, cur_time, cur_time + 999, 4u32);
+        add_root_with_trust(&mut trust_graph, &root_kp, cur_time, cur_time + 999, 10);
 
         let trust_kp = KeyPair::generate_ed25519();
         add_trust(
@@ -712,7 +712,7 @@ mod service_tests {
 
         let root_kp = KeyPair::generate_ed25519();
         let mut cur_time = 100u64;
-        add_root_with_trust(&mut trust_graph, &root_kp, cur_time, cur_time + 999, 4u32);
+        add_root_with_trust(&mut trust_graph, &root_kp, cur_time, cur_time + 999, 10);
 
         let trust_kp = KeyPair::generate_ed25519();
         let expires_at_sec = cur_time + 10;
@@ -752,10 +752,10 @@ mod service_tests {
         let root2_kp = KeyPair::generate_ed25519();
         let cur_time = 100;
         let far_future = cur_time + 99999;
-        // root with bigger weight (smaller weight factor)
+        // root with bigger weight (bigger max_chain_len)
-        add_root_with_trust(&mut trust_graph, &root1_kp, cur_time, far_future, 0u32);
+        add_root_with_trust(&mut trust_graph, &root1_kp, cur_time, far_future, 10);
         // opposite
-        add_root_with_trust(&mut trust_graph, &root2_kp, cur_time, far_future, 5u32);
+        add_root_with_trust(&mut trust_graph, &root2_kp, cur_time, far_future, 5);
 
         // issue trust from root2 to any other peer_id
         let issued_by_root2_peer_id = KeyPair::generate_ed25519().get_peer_id();
@@ -832,7 +832,7 @@ mod service_tests {
 
         let cur_time = current_time();
         let root_peer_id = key_pairs[0].get_peer_id();
-        add_root_peer_id(&mut trust_graph, root_peer_id, 1);
+        set_root_peer_id(&mut trust_graph, root_peer_id, 10);
 
         for auth in trusts.iter() {
             add_trust_checked(&mut trust_graph, auth.trust.clone(), auth.issuer, cur_time);
@@ -862,7 +862,7 @@ mod service_tests {
 
         let cur_time = current_time();
         let root_peer_id = key_pairs[0].get_peer_id();
-        add_root_peer_id(&mut trust_graph, root_peer_id, 1);
+        set_root_peer_id(&mut trust_graph, root_peer_id, 10);
 
         for auth in trusts.iter() {
             add_trust_checked(&mut trust_graph, auth.trust.clone(), auth.issuer, cur_time);

src/revoke.rs

@@ -50,8 +50,8 @@ pub struct Revocation {
 impl Revocation {
     #[allow(dead_code)]
     pub fn new(
-        pk: PublicKey,
         revoked_by: PublicKey,
+        pk: PublicKey,
         revoked_at: Duration,
         signature: Signature,
     ) -> Self {
@@ -69,7 +69,7 @@ impl Revocation {
         let msg = Revocation::signature_bytes(&to_revoke, revoked_at);
         let signature = revoker.sign(&msg).unwrap();
 
-        Revocation::new(to_revoke, revoker.public(), revoked_at, signature)
+        Revocation::new(revoker.public(), to_revoke, revoked_at, signature)
     }
 
     pub fn signature_bytes(pk: &PublicKey, revoked_at: Duration) -> Vec<u8> {
@@ -120,8 +120,8 @@ mod tests {
 
         let duration2 = Duration::new(95, 0);
         let corrupted_revoke = Revocation::new(
-            to_revoke.public(),
             revoker.public(),
+            to_revoke.public(),
             duration2,
             revoke.signature,
         );

src/trust_graph.rs

@@ -94,6 +94,10 @@ impl From<TrustGraphError> for String {
     }
 }
 
+fn get_weight_factor(max_chain_len: u32) -> u32 {
+    MAX_WEIGHT_FACTOR.checked_sub(max_chain_len).unwrap_or(0u32)
+}
+
 pub fn get_weight_from_factor(wf: WeightFactor) -> u32 {
     2u32.pow(MAX_WEIGHT_FACTOR.saturating_sub(wf))
 }
@@ -107,12 +111,10 @@ where
     }
 
     /// Insert new root weight
-    pub fn add_root_weight_factor(
+    pub fn set_root(&mut self, pk: PublicKey, max_chain_len: u32) -> Result<(), TrustGraphError> {
-        &mut self,
+        Ok(self
-        pk: PublicKey,
+            .storage
-        weight: WeightFactor,
+            .set_root_weight_factor(pk.into(), get_weight_factor(max_chain_len))?)
-    ) -> Result<(), TrustGraphError> {
-        Ok(self.storage.add_root_weight_factor(pk.into(), weight)?)
     }
 
     pub fn add_trust<T, P>(
@@ -388,4 +390,11 @@ where
 
         Ok(self.storage.revoke(revocation)?)
     }
+
+    pub fn get_revocations<P>(&self, issued_for: P) -> Result<Vec<Revocation>, TrustGraphError>
+    where
+        P: Borrow<PublicKey>,
+    {
+        Ok(self.storage.get_revocations(issued_for.borrow().as_ref())?)
+    }
 }

src/trust_graph_storage.rs

@@ -22,7 +22,11 @@ pub trait Storage {
     fn insert(&mut self, node: TrustRelation) -> Result<(), Self::Error>;
 
     fn get_root_weight_factor(&self, pk: &PK) -> Result<Option<WeightFactor>, Self::Error>;
-    fn add_root_weight_factor(&mut self, pk: PK, weight: WeightFactor) -> Result<(), Self::Error>;
+    fn set_root_weight_factor(
+        &mut self,
+        pk: PK,
+        weight_factor: WeightFactor,
+    ) -> Result<(), Self::Error>;
     fn root_keys(&self) -> Result<Vec<PK>, Self::Error>;
     fn revoke(&mut self, revocation: Revocation) -> Result<(), Self::Error>;
     fn update_auth(&mut self, auth: Auth, cur_time: Duration) -> Result<(), Self::Error>;