ucan

package
Published: Oct 9, 2025 License: Apache-2.0 Imports: 21 Imported by: 1

Documentation

Overview

Package ucan provides a User-Controlled Authorization Networks (UCAN) implementation for decentralized authorization and capability delegation in the Sonr network. It handles JWT-based tokens, cryptographic verification, and resource capabilities.


Index

Constants

// VaultAdminAction is the "can" value that designates vault administration.
// It is the first capability accepted by VaultCapabilitySchema's "can" field
// and is the action CreateVaultAdminCapability and NewVaultAdminToken are
// named after, so tokens carrying it deserve the strictest issuance review.
const VaultAdminAction = "vault/admin"

Constants for vault capability actions

Variables

var (
	// StandardTemplate provides default authorization template.
	// It is a shared *CapabilityTemplate (NewCapabilityTemplate returns a
	// pointer), so a call to AddAllowedActions on it widens the allowed
	// actions for every caller that validates against StandardTemplate.
	// Code that needs a private policy should build its own template.
	StandardTemplate = NewCapabilityTemplate()
)
// VaultCapabilitySchema defines validation specifically for vault capabilities.
// The keys mirror the JSON names used by Attenuation ("can", "with") and
// VaultCapability ("actions", "vault", "cavs"). It validates the map form of
// a capability; presumably ValidateVaultCapability and
// VaultAttenuationConstructor apply it — confirm against their bodies.
var VaultCapabilitySchema = z.Struct(z.Shape{
	// "can" is an allow-list: only the listed vault capability strings pass,
	// so an unknown or misspelled capability is rejected rather than accepted.
	"can": z.String().Required().OneOf(
		[]string{
			VaultAdminAction,
			"vault/read",
			"vault/write",
			"vault/sign",
			"vault/export",
			"vault/import",
			"vault/delete",
		},
		z.Message("Invalid vault capability"),
	),
	// "with" is the resource; ValidateIPFSCID enforces the 'ipfs://CID' form.
	"with": z.String().
		Required().
		TestFunc(ValidateIPFSCID, z.Message("Vault resource must be IPFS CID in format 'ipfs://CID'")),
	// "actions" is optional; when present every element must come from this
	// fixed list (note it has no "admin" entry — admin is expressed via "can").
	"actions": z.Slice(z.String().OneOf(
		[]string{"read", "write", "sign", "export", "import", "delete"},
		z.Message("Invalid vault action"),
	)).Optional(),
	// "vault" only has to be non-empty here; this schema does not check the
	// address format itself.
	"vault": z.String().Required().Min(1, z.Message("Vault address cannot be empty")),
	// "cavs" (caveats) are accepted as opaque strings and are not interpreted
	// by this schema.
	"cavs":  z.Slice(z.String()).Optional(),
})

VaultCapabilitySchema defines validation specifically for vault capabilities

Functions

func CreateHasher

func CreateHasher(hashAlg crypto.Hash) (hash.Hash, error)

CreateHasher creates a hasher for the given crypto.Hash algorithm

func ExtractSignature

func ExtractSignature(tokenString string) ([]byte, error)

ExtractSignature extracts the signature portion of a JWT token

func ExtractUnsignedToken

func ExtractUnsignedToken(tokenString string) (string, error)

ExtractUnsignedToken extracts the portion of a JWT token that the signature covers (header + payload), without the signature itself

func GenerateJWTToken

func GenerateJWTToken(attenuation Attenuation, duration time.Duration) (string, error)

GenerateJWTToken creates a UCAN JWT token with given capability and expiration

func GenerateModuleJWTToken

func GenerateModuleJWTToken(attenuations []Attenuation, issuer, audience string, duration time.Duration) (string, error)

GenerateModuleJWTToken creates a UCAN JWT token with module-specific capabilities

func GetEnclaveDataCID

func GetEnclaveDataCID(token *Token) (string, error)

GetEnclaveDataCID extracts the enclave data CID from vault capabilities

func GetHashAlgorithmForMethod

func GetHashAlgorithmForMethod(method jwt.SigningMethod) (crypto.Hash, error)

GetHashAlgorithmForMethod returns the appropriate hash algorithm for a JWT signing method

func RevokeCapability

func RevokeCapability(attenuation Attenuation) error

RevokeCapability adds a capability to the revocation list

func SupportedSigningMethods

func SupportedSigningMethods() []jwt.SigningMethod

SupportedSigningMethods returns the list of supported JWT signing methods for UCAN

func ValidateEnclaveDataCIDIntegrity

func ValidateEnclaveDataCIDIntegrity(enclaveDataCID string, enclaveData []byte) error

ValidateEnclaveDataCIDIntegrity validates raw enclave data bytes against the expected CID

func ValidateEnclaveDataIntegrity

func ValidateEnclaveDataIntegrity(enclaveData *mpc.EnclaveData, expectedCID string) error

ValidateEnclaveDataIntegrity validates enclave data against IPFS CID

func ValidateIPFSCID

func ValidateIPFSCID(value *string, ctx z.Ctx) bool

ValidateIPFSCID validates IPFS CID format for vault resources

func ValidateSecurityConfig

func ValidateSecurityConfig(config *SecurityConfig) error

ValidateSecurityConfig validates that a security configuration is reasonable

func ValidateSignature

func ValidateSignature(tokenString string, verifyKey any) error

ValidateSignature validates the cryptographic signature of a UCAN token

func ValidateVaultCapability

func ValidateVaultCapability(att map[string]any) error

ValidateVaultCapability validates vault-specific capabilities

func ValidateVaultTokenCapability

func ValidateVaultTokenCapability(token *Token, enclaveDataCID, requiredAction string) error

ValidateVaultTokenCapability validates a UCAN token for vault operations

func VerifyEd25519Signature

func VerifyEd25519Signature(
	signingString string,
	signature []byte,
	publicKey ed25519.PublicKey,
) error

VerifyEd25519Signature verifies an Ed25519 signature

func VerifyRSASignature

func VerifyRSASignature(
	signingString string,
	signature []byte,
	publicKey *rsa.PublicKey,
	hashAlg crypto.Hash,
) error

VerifyRSASignature verifies an RSA signature using the specified hash algorithm

Types

type Attenuation

// Attenuation represents a UCAN capability attenuation: a Capability ("can")
// bound to the Resource ("with") it applies to. Both fields are interfaces, so
// decoding one from JSON presumably needs a constructor such as
// VaultAttenuationConstructor rather than a plain json.Unmarshal — confirm.
type Attenuation struct {
	Capability Capability `json:"can"`  // what may be done
	Resource   Resource   `json:"with"` // what it may be done to
}

Attenuation represents a UCAN capability attenuation

func CreateDEXAttenuation

func CreateDEXAttenuation(actions []string, poolPattern string, caveats []string, maxAmount string) Attenuation

CreateDEXAttenuation creates a DEX-specific attenuation

func CreateDIDAttenuation

func CreateDIDAttenuation(actions []string, didPattern string, caveats []string) Attenuation

CreateDIDAttenuation creates a DID-specific attenuation

func CreateDWNAttenuation

func CreateDWNAttenuation(actions []string, recordPattern string, caveats []string) Attenuation

CreateDWNAttenuation creates a DWN-specific attenuation

func CreateMultiAttenuation

func CreateMultiAttenuation(actions []string, resourceURI string) Attenuation

CreateMultiAttenuation creates an attenuation with multiple actions

func CreateServiceAttenuation

func CreateServiceAttenuation(actions []string, serviceID, domain string) Attenuation

CreateServiceAttenuation creates a service-specific attenuation

func CreateSimpleAttenuation

func CreateSimpleAttenuation(action, resourceURI string) Attenuation

CreateSimpleAttenuation creates a basic attenuation

func CreateVaultAttenuation

func CreateVaultAttenuation(actions []string, enclaveDataCID, vaultAddress string) Attenuation

CreateVaultAttenuation creates a vault-specific attenuation

func NewCapability

func NewCapability(issuer, resource string, abilities []string) (Attenuation, error)

NewCapability is a helper that creates a basic capability attenuation for the given issuer, resource, and abilities

func VaultAttenuationConstructor

func VaultAttenuationConstructor(m map[string]any) (Attenuation, error)

VaultAttenuationConstructor creates vault-specific attenuations with enhanced validation

type AttenuationList

type AttenuationList []Attenuation

AttenuationList provides utilities for working with multiple attenuations

func (AttenuationList) CanPerform

func (al AttenuationList) CanPerform(resourceURI string, actions []string) bool

CanPerform checks if the attenuations allow specific actions on a resource

func (AttenuationList) Contains

func (al AttenuationList) Contains(resourceURI string) bool

Contains checks if the list contains attenuations for a specific resource

func (AttenuationList) GetCapabilitiesForResource

func (al AttenuationList) GetCapabilitiesForResource(resourceURI string) []Capability

GetCapabilitiesForResource returns all capabilities for a specific resource

func (AttenuationList) IsSubsetOf

func (al AttenuationList) IsSubsetOf(parent AttenuationList) bool

IsSubsetOf checks if this list is a subset of another list

type Capability

// Capability defines what actions can be performed. Implementations in this
// package include SimpleCapability, MultiCapability, VaultCapability,
// DEXCapability, DIDCapability, DWNCapability and CrossModuleCapability.
type Capability interface {
	// GetActions returns the list of actions this capability grants
	GetActions() []string
	// Grants checks if this capability grants the required abilities
	// (SimpleCapability and MultiCapability document this as all of them).
	Grants(abilities []string) bool
	// Contains checks if this capability contains another capability.
	// NOTE(review): this is presumably the ordering that delegation checks
	// (AttenuationList.IsSubsetOf) build on, so an implementation that
	// answers true too readily lets a delegate exceed its parent — confirm.
	Contains(other Capability) bool
	// String returns a string representation
	String() string
}

Capability defines what actions can be performed

type CapabilityTemplate

// CapabilityTemplate provides validation and construction utilities.
// ValidateAttenuation and ValidateExpiration check inputs against it; the
// Standard*Template constructors return pre-populated instances.
type CapabilityTemplate struct {
	AllowedActions    map[string][]string `json:"allowed_actions"`    // resource_type -> []actions
	DefaultExpiration time.Duration       `json:"default_expiration"` // default token lifetime
	MaxExpiration     time.Duration       `json:"max_expiration"`     // maximum allowed lifetime (presumably the ceiling ValidateExpiration enforces — confirm)
}

CapabilityTemplate provides validation and construction utilities

func EnhancedServiceTemplate

func EnhancedServiceTemplate() *CapabilityTemplate

EnhancedServiceTemplate returns enhanced service template with delegation support

func NewCapabilityTemplate

func NewCapabilityTemplate() *CapabilityTemplate

NewCapabilityTemplate creates a new capability template

func StandardDEXTemplate

func StandardDEXTemplate() *CapabilityTemplate

StandardDEXTemplate returns a standard template for DEX operations

func StandardDIDTemplate

func StandardDIDTemplate() *CapabilityTemplate

StandardDIDTemplate returns a standard template for DID operations

func StandardDWNTemplate

func StandardDWNTemplate() *CapabilityTemplate

StandardDWNTemplate returns a standard template for DWN operations

func StandardServiceTemplate

func StandardServiceTemplate() *CapabilityTemplate

StandardServiceTemplate returns a standard template for service operations

func StandardVaultTemplate

func StandardVaultTemplate() *CapabilityTemplate

StandardVaultTemplate returns a standard template for vault operations

func (*CapabilityTemplate) AddAllowedActions

func (ct *CapabilityTemplate) AddAllowedActions(resourceType string, actions []string)

AddAllowedActions adds allowed actions for a resource type

func (*CapabilityTemplate) GetDefaultExpirationTime

func (ct *CapabilityTemplate) GetDefaultExpirationTime() int64

GetDefaultExpirationTime returns the default expiration timestamp

func (*CapabilityTemplate) ValidateAttenuation

func (ct *CapabilityTemplate) ValidateAttenuation(att Attenuation) error

ValidateAttenuation validates an attenuation against the template

func (*CapabilityTemplate) ValidateExpiration

func (ct *CapabilityTemplate) ValidateExpiration(expiresAt int64) error

ValidateExpiration validates token expiration time

type CrossModuleCapability

// CrossModuleCapability allows composing capabilities across modules.
// GetActions aggregates the actions of every entry in Modules.
type CrossModuleCapability struct {
	Modules map[string]Capability `json:"modules"` // presumably keyed by module name — confirm against callers
}

CrossModuleCapability allows composing capabilities across modules

func (*CrossModuleCapability) Contains

func (c *CrossModuleCapability) Contains(other Capability) bool

Contains checks if this cross-module capability contains another

func (*CrossModuleCapability) GetActions

func (c *CrossModuleCapability) GetActions() []string

GetActions returns all actions across all modules

func (*CrossModuleCapability) Grants

func (c *CrossModuleCapability) Grants(abilities []string) bool

Grants checks if required abilities are granted across modules

func (*CrossModuleCapability) String

func (c *CrossModuleCapability) String() string

String returns string representation

type DEXCapability

// DEXCapability implements Capability for DEX module operations.
// Created by CreateDEXAttenuation.
type DEXCapability struct {
	Action    string            `json:"action"`               // single action; presumably used when Actions is empty — confirm
	Actions   []string          `json:"actions,omitempty"`    // additional actions
	Caveats   []string          `json:"caveats,omitempty"`    // opaque caveat strings
	MaxAmount string            `json:"max_amount,omitempty"` // For swap limits
	Metadata  map[string]string `json:"metadata,omitempty"`   // free-form key/value data
}

DEXCapability implements Capability for DEX module operations

func (*DEXCapability) Contains

func (c *DEXCapability) Contains(other Capability) bool

Contains checks if this capability contains another capability

func (*DEXCapability) GetActions

func (c *DEXCapability) GetActions() []string

GetActions returns the actions this DEX capability grants

func (*DEXCapability) Grants

func (c *DEXCapability) Grants(abilities []string) bool

Grants checks if this capability grants the required abilities

func (*DEXCapability) String

func (c *DEXCapability) String() string

String returns string representation

type DEXResource

// DEXResource represents DEX-specific resources. The embedded SimpleResource
// supplies the Resource interface methods.
type DEXResource struct {
	SimpleResource
	PoolID    string            `json:"pool_id,omitempty"`
	AssetPair string            `json:"asset_pair,omitempty"`
	OrderID   string            `json:"order_id,omitempty"`
	Metadata  map[string]string `json:"metadata,omitempty"`
}

DEXResource represents DEX-specific resources

type DIDCapability

// DIDCapability implements Capability for DID module operations.
// Created by CreateDIDAttenuation.
type DIDCapability struct {
	Action   string            `json:"action"`            // single action; presumably used when Actions is empty — confirm
	Actions  []string          `json:"actions,omitempty"` // additional actions
	Caveats  []string          `json:"caveats,omitempty"` // opaque caveat strings
	Metadata map[string]string `json:"metadata,omitempty"`
}

DIDCapability implements Capability for DID module operations

func (*DIDCapability) Contains

func (c *DIDCapability) Contains(other Capability) bool

Contains checks if this capability contains another capability

func (*DIDCapability) GetActions

func (c *DIDCapability) GetActions() []string

GetActions returns the actions this DID capability grants

func (*DIDCapability) Grants

func (c *DIDCapability) Grants(abilities []string) bool

Grants checks if this capability grants the required abilities

func (*DIDCapability) String

func (c *DIDCapability) String() string

String returns string representation

type DIDResolver

// DIDResolver resolves DID keys to public keys for signature verification.
// NewVerifier takes one; the key it returns is what token signatures are
// checked against, so a resolver must only return keys it can vouch for.
type DIDResolver interface {
	ResolveDIDKey(ctx context.Context, did string) (keys.DID, error)
}

DIDResolver resolves DID keys to public keys for signature verification

type DIDResource

// DIDResource represents DID-specific resources. The embedded SimpleResource
// supplies the Resource interface methods.
type DIDResource struct {
	SimpleResource
	DIDMethod  string            `json:"did_method,omitempty"`
	DIDSubject string            `json:"did_subject,omitempty"`
	Metadata   map[string]string `json:"metadata,omitempty"`
}

DIDResource represents DID-specific resources

type DWNCapability

// DWNCapability implements Capability for DWN module operations.
// Created by CreateDWNAttenuation.
type DWNCapability struct {
	Action   string            `json:"action"`            // single action; presumably used when Actions is empty — confirm
	Actions  []string          `json:"actions,omitempty"` // additional actions
	Caveats  []string          `json:"caveats,omitempty"` // opaque caveat strings
	Metadata map[string]string `json:"metadata,omitempty"`
}

DWNCapability implements Capability for DWN module operations

func (*DWNCapability) Contains

func (c *DWNCapability) Contains(other Capability) bool

Contains checks if this capability contains another capability

func (*DWNCapability) GetActions

func (c *DWNCapability) GetActions() []string

GetActions returns the actions this DWN capability grants

func (*DWNCapability) Grants

func (c *DWNCapability) Grants(abilities []string) bool

Grants checks if this capability grants the required abilities

func (*DWNCapability) String

func (c *DWNCapability) String() string

String returns string representation

type DWNResource

// DWNResource represents DWN-specific resources. The embedded SimpleResource
// supplies the Resource interface methods.
type DWNResource struct {
	SimpleResource
	RecordType string            `json:"record_type,omitempty"`
	Protocol   string            `json:"protocol,omitempty"`
	Owner      string            `json:"owner,omitempty"`
	Metadata   map[string]string `json:"metadata,omitempty"`
}

DWNResource represents DWN-specific resources

type Fact

// Fact represents arbitrary facts in UCAN tokens. Data is kept as raw JSON
// and is not parsed or validated by this type.
type Fact struct {
	Data json.RawMessage `json:"data"`
}

Fact represents arbitrary facts in UCAN tokens

type GaslessCapability

// GaslessCapability wraps other capabilities with gasless transaction support.
// The Capability interface methods are promoted from the embedded field, so
// the field must be set: calling them on a zero GaslessCapability panics on
// a nil interface.
type GaslessCapability struct {
	Capability
	AllowGasless bool   `json:"allow_gasless"`       // see SupportsGasless
	GasLimit     uint64 `json:"gas_limit,omitempty"` // see GetGasLimit; 0 is omitted from JSON
}

GaslessCapability wraps other capabilities with gasless transaction support

func (*GaslessCapability) GetGasLimit

func (c *GaslessCapability) GetGasLimit() uint64

GetGasLimit returns the gas limit for gasless transactions

func (*GaslessCapability) SupportsGasless

func (c *GaslessCapability) SupportsGasless() bool

SupportsGasless returns whether this capability supports gasless transactions

type KeyValidator

// KeyValidator provides validation for cryptographic keys (Ed25519 and RSA
// public keys); it carries no state, so NewKeyValidator is a convenience.
type KeyValidator struct{}

KeyValidator provides validation for cryptographic keys

func NewKeyValidator

func NewKeyValidator() *KeyValidator

NewKeyValidator creates a new key validator

func (*KeyValidator) ValidateEd25519PublicKey

func (kv *KeyValidator) ValidateEd25519PublicKey(key ed25519.PublicKey) error

ValidateEd25519PublicKey validates an Ed25519 public key for UCAN usage

func (*KeyValidator) ValidateRSAPublicKey

func (kv *KeyValidator) ValidateRSAPublicKey(key *rsa.PublicKey) error

ValidateRSAPublicKey validates an RSA public key for UCAN usage

type KeyshareSource

// KeyshareSource provides MPC-based UCAN token creation and validation.
// NewMPCKeyshareSource builds one from an mpc.Enclave.
type KeyshareSource interface {
	Address() string
	Issuer() string
	ChainCode() ([]byte, error)
	OriginToken() (*Token, error)
	// SignData and VerifyData operate on raw bytes; the caller decides what
	// is signed, so pass only data whose encoding is unambiguous.
	SignData(data []byte) ([]byte, error)
	VerifyData(data []byte, sig []byte) (bool, error)
	Enclave() mpc.Enclave

	// UCAN token creation methods
	NewOriginToken(
		audienceDID string,
		att []Attenuation,
		fct []Fact,
		notBefore, expires time.Time,
	) (*Token, error)
	// NewAttenuatedToken derives a token from parent; presumably att must be
	// contained by parent's attenuations — confirm in the implementation.
	NewAttenuatedToken(
		parent *Token,
		audienceDID string,
		att []Attenuation,
		fct []Fact,
		nbf, exp time.Time,
	) (*Token, error)
}

KeyshareSource provides MPC-based UCAN token creation and validation

func NewMPCKeyshareSource

func NewMPCKeyshareSource(enclave mpc.Enclave) (KeyshareSource, error)

NewMPCKeyshareSource creates a new MPC-based keyshare source from an enclave

type MPCCapabilityBuilder

type MPCCapabilityBuilder struct {
	// contains filtered or unexported fields
}

MPCCapabilityBuilder helps build MPC-specific capabilities

func NewMPCCapabilityBuilder

func NewMPCCapabilityBuilder(enclave mpc.Enclave) (*MPCCapabilityBuilder, error)

NewMPCCapabilityBuilder creates a new MPC capability builder

func (*MPCCapabilityBuilder) CreateCustomCapability

func (b *MPCCapabilityBuilder) CreateCustomCapability(
	actions []string,
	vaultAddress, enclaveDataCID string,
) Attenuation

CreateCustomCapability creates a custom capability with specified actions

func (*MPCCapabilityBuilder) CreateVaultAdminCapability

func (b *MPCCapabilityBuilder) CreateVaultAdminCapability(
	vaultAddress, enclaveDataCID string,
) Attenuation

CreateVaultAdminCapability creates admin-level vault capabilities

func (*MPCCapabilityBuilder) CreateVaultReadOnlyCapability

func (b *MPCCapabilityBuilder) CreateVaultReadOnlyCapability(
	vaultAddress, enclaveDataCID string,
) Attenuation

CreateVaultReadOnlyCapability creates read-only vault capabilities

func (*MPCCapabilityBuilder) CreateVaultSigningCapability

func (b *MPCCapabilityBuilder) CreateVaultSigningCapability(
	vaultAddress, enclaveDataCID string,
) Attenuation

CreateVaultSigningCapability creates signing-specific vault capabilities

type MPCDIDResolver

type MPCDIDResolver struct {
	// contains filtered or unexported fields
}

MPCDIDResolver resolves DIDs with special handling for MPC-derived DIDs

func NewMPCDIDResolver

func NewMPCDIDResolver(enclave mpc.Enclave, fallback DIDResolver) *MPCDIDResolver

NewMPCDIDResolver creates a new MPC DID resolver

func (*MPCDIDResolver) ResolveDIDKey

func (r *MPCDIDResolver) ResolveDIDKey(ctx context.Context, didStr string) (keys.DID, error)

ResolveDIDKey resolves DID keys with MPC enclave support

type MPCSigningMethod

type MPCSigningMethod struct {
	Name string
	// contains filtered or unexported fields
}

MPCSigningMethod implements JWT signing using MPC enclaves

func NewMPCSigningMethod

func NewMPCSigningMethod(name string, enclave mpc.Enclave) *MPCSigningMethod

NewMPCSigningMethod creates a new MPC-based JWT signing method

func (*MPCSigningMethod) Alg

func (m *MPCSigningMethod) Alg() string

Alg returns the signing method algorithm name

func (*MPCSigningMethod) Sign

func (m *MPCSigningMethod) Sign(signingString string, key any) ([]byte, error)

Sign signs a JWT string using the MPC enclave

func (*MPCSigningMethod) Verify

func (m *MPCSigningMethod) Verify(signingString string, signature []byte, key any) error

Verify verifies a JWT signature using the MPC enclave

type MPCTokenBuilder

type MPCTokenBuilder struct {
	// contains filtered or unexported fields
}

MPCTokenBuilder creates UCAN tokens using MPC signing

func NewMPCTokenBuilder

func NewMPCTokenBuilder(enclave mpc.Enclave) (*MPCTokenBuilder, error)

NewMPCTokenBuilder creates a new MPC-based UCAN token builder

func (*MPCTokenBuilder) CreateDelegatedToken

func (b *MPCTokenBuilder) CreateDelegatedToken(
	parent *Token,
	audienceDID string,
	attenuations []Attenuation,
	facts []Fact,
	notBefore, expiresAt time.Time,
) (*Token, error)

CreateDelegatedToken creates a delegated UCAN token using MPC signing

func (*MPCTokenBuilder) CreateOriginToken

func (b *MPCTokenBuilder) CreateOriginToken(
	audienceDID string,
	attenuations []Attenuation,
	facts []Fact,
	notBefore, expiresAt time.Time,
) (*Token, error)

CreateOriginToken creates a new origin UCAN token using MPC signing

func (*MPCTokenBuilder) CreateVaultCapabilityToken

func (b *MPCTokenBuilder) CreateVaultCapabilityToken(
	audienceDID string,
	vaultAddress string,
	enclaveDataCID string,
	actions []string,
	expiresAt time.Time,
) (*Token, error)

CreateVaultCapabilityToken creates a vault-specific UCAN token

func (*MPCTokenBuilder) GetAddress

func (b *MPCTokenBuilder) GetAddress() string

GetAddress returns the address derived from the enclave

func (*MPCTokenBuilder) GetIssuerDID

func (b *MPCTokenBuilder) GetIssuerDID() string

GetIssuerDID returns the issuer DID derived from the enclave

type MPCTokenValidator

type MPCTokenValidator struct {
	*MPCVerifier
	// contains filtered or unexported fields
}

MPCTokenValidator provides comprehensive UCAN token validation with MPC support

func NewMPCTokenValidator

func NewMPCTokenValidator(enclave mpc.Enclave, enableEnclaveValidation bool) *MPCTokenValidator

NewMPCTokenValidator creates a comprehensive UCAN token validator with MPC support

func (*MPCTokenValidator) ValidateTokenForResource

func (v *MPCTokenValidator) ValidateTokenForResource(
	ctx context.Context,
	tokenString string,
	resourceURI string,
	requiredAbilities []string,
) (*Token, error)

ValidateTokenForResource validates token capabilities for a specific resource

func (*MPCTokenValidator) ValidateTokenForVaultOperation

func (v *MPCTokenValidator) ValidateTokenForVaultOperation(
	ctx context.Context,
	tokenString string,
	enclaveDataCID string,
	requiredAction string,
	vaultAddress string,
) (*Token, error)

ValidateTokenForVaultOperation performs comprehensive validation for vault operations

type MPCVerifier

type MPCVerifier struct {
	*Verifier
	// contains filtered or unexported fields
}

MPCVerifier provides UCAN verification with MPC support

func NewMPCVerifier

func NewMPCVerifier(enclave mpc.Enclave) *MPCVerifier

NewMPCVerifier creates a UCAN verifier with MPC support

func (*MPCVerifier) VerifyMPCToken

func (v *MPCVerifier) VerifyMPCToken(ctx context.Context, tokenString string) (*Token, error)

VerifyMPCToken verifies a UCAN token that may be signed with MPC

type MultiCapability

// MultiCapability implements Capability for multiple actions.
// Created by CreateMultiAttenuation; Grants requires all requested abilities.
type MultiCapability struct {
	Actions []string `json:"actions"`
}

MultiCapability implements Capability for multiple actions

func (*MultiCapability) Contains

func (c *MultiCapability) Contains(other Capability) bool

Contains checks if this capability contains another capability

func (*MultiCapability) GetActions

func (c *MultiCapability) GetActions() []string

GetActions returns all actions

func (*MultiCapability) Grants

func (c *MultiCapability) Grants(abilities []string) bool

Grants checks if the capability grants all required abilities

func (*MultiCapability) String

func (c *MultiCapability) String() string

String returns string representation

type Proof

// Proof represents a UCAN delegation proof (either a JWT or a CID); it is
// carried in Token.Proofs ("prf") and walked by Verifier.VerifyDelegationChain.
type Proof string

Proof represents a UCAN delegation proof (either a JWT or a CID)

type Resource

// Resource defines what resource the capability applies to.
// SimpleResource is the base implementation; the *Resource structs embed it.
type Resource interface {
	// GetScheme returns the resource scheme (e.g., "https", "ipfs")
	GetScheme() string
	// GetValue returns the resource value/path
	GetValue() string
	// GetURI returns the full URI string
	GetURI() string
	// Matches checks if this resource matches another resource.
	// NOTE(review): this decides whether a capability reaches a resource, so
	// any wildcard/pattern matching an implementation adds widens access.
	Matches(other Resource) bool
}

Resource defines what resource the capability applies to

type SecurityConfig

// SecurityConfig contains security configuration for UCAN validation.
// Obtain one from DefaultSecurityConfig or RestrictiveSecurityConfig and
// check a custom one with ValidateSecurityConfig.
type SecurityConfig struct {
	AllowedSigningMethods []jwt.SigningMethod // allow-list of signing algorithms a token may use
	MinRSAKeySize         int                 // RSA key size bounds (presumably bits, checked by KeyValidator.ValidateRSAPublicKey — confirm)
	MaxRSAKeySize         int
	RequireSecureAlgs     bool // semantics not visible here; see ValidateSecurityConfig
}

SecurityConfig contains security configuration for UCAN validation

func DefaultSecurityConfig

func DefaultSecurityConfig() *SecurityConfig

DefaultSecurityConfig returns a secure default configuration

func RestrictiveSecurityConfig

func RestrictiveSecurityConfig() *SecurityConfig

RestrictiveSecurityConfig returns a more restrictive configuration

type ServiceResource

// ServiceResource represents service-specific resources. The embedded
// SimpleResource supplies the Resource interface methods; SupportsDelegate
// adds delegation support.
type ServiceResource struct {
	SimpleResource
	ServiceID string            `json:"service_id"`
	Domain    string            `json:"domain"`
	Metadata  map[string]string `json:"metadata,omitempty"`
}

ServiceResource represents service-specific resources

func (*ServiceResource) SupportsDelegate

func (r *ServiceResource) SupportsDelegate() bool

SupportsDelegate reports whether this service resource supports delegation

type SignatureInfo

// SignatureInfo contains information about a token's signature, as produced
// by ExtractSignatureInfo.
type SignatureInfo struct {
	Algorithm     string
	KeyType       string
	SigningString string // header + payload the signature covers
	Signature     []byte
	Valid         bool // presumably the verification outcome against verifyKey — confirm in ExtractSignatureInfo
}

SignatureInfo contains information about a token's signature

func ExtractSignatureInfo

func ExtractSignatureInfo(tokenString string, verifyKey any) (*SignatureInfo, error)

ExtractSignatureInfo extracts signature information from a JWT token

type SigningValidator

type SigningValidator struct {
	// contains filtered or unexported fields
}

SigningValidator provides cryptographic validation for UCAN tokens

func NewSigningValidator

func NewSigningValidator() *SigningValidator

NewSigningValidator creates a new signing validator with default allowed methods

func NewSigningValidatorWithMethods

func NewSigningValidatorWithMethods(methods []jwt.SigningMethod) *SigningValidator

NewSigningValidatorWithMethods creates a validator with specific allowed methods

func (*SigningValidator) ValidateSigningMethod

func (sv *SigningValidator) ValidateSigningMethod(method jwt.SigningMethod) error

ValidateSigningMethod reports whether the given signing method is in the validator's allowed set

func (*SigningValidator) ValidateTokenSignature

func (sv *SigningValidator) ValidateTokenSignature(
	tokenString string,
	keyFunc jwt.Keyfunc,
) (*jwt.Token, error)

ValidateTokenSignature validates the cryptographic signature of a token

type SimpleCapability

// SimpleCapability implements Capability for single actions.
// Created by CreateSimpleAttenuation.
type SimpleCapability struct {
	Action string `json:"action"`
}

SimpleCapability implements Capability for single actions

func (*SimpleCapability) Contains

func (c *SimpleCapability) Contains(other Capability) bool

Contains checks if this capability contains another capability

func (*SimpleCapability) GetActions

func (c *SimpleCapability) GetActions() []string

GetActions returns the single action

func (*SimpleCapability) Grants

func (c *SimpleCapability) Grants(abilities []string) bool

Grants checks if the capability grants all required abilities

func (*SimpleCapability) String

func (c *SimpleCapability) String() string

String returns string representation

type SimpleResource

// SimpleResource implements Resource for basic URI resources. The methods
// use pointer receivers, so *SimpleResource (not SimpleResource) satisfies
// Resource.
type SimpleResource struct {
	Scheme string `json:"scheme"` // returned by GetScheme
	Value  string `json:"value"`  // returned by GetValue
	URI    string `json:"uri"`    // full URI returned by GetURI
}

SimpleResource implements Resource for basic URI resources

func (*SimpleResource) GetScheme

func (r *SimpleResource) GetScheme() string

GetScheme returns the resource scheme

func (*SimpleResource) GetURI

func (r *SimpleResource) GetURI() string

GetURI returns the full URI

func (*SimpleResource) GetValue

func (r *SimpleResource) GetValue() string

GetValue returns the resource value

func (*SimpleResource) Matches

func (r *SimpleResource) Matches(other Resource) bool

Matches reports whether this resource is equivalent to other

type StringDIDResolver

// StringDIDResolver implements DIDResolver for did:key strings, deriving the
// public key from the DID itself with no network lookup.
type StringDIDResolver struct{}

StringDIDResolver implements DIDResolver for did:key strings

func (StringDIDResolver) ResolveDIDKey

func (StringDIDResolver) ResolveDIDKey(ctx context.Context, didStr string) (keys.DID, error)

ResolveDIDKey extracts a public key from a did:key string

type Token

// Token represents a UCAN JWT token with parsed claims. Field tags follow the
// UCAN claim names. NOTE(review): holding a Token does not by itself prove the
// signature was checked; obtain tokens from VerifyJWTToken / Verifier.VerifyToken
// rather than decoding claims directly.
type Token struct {
	Raw          string        `json:"raw"`           // original encoded JWT string
	Issuer       string        `json:"iss"`           // issuer DID
	Audience     string        `json:"aud"`           // audience DID
	ExpiresAt    int64         `json:"exp,omitempty"` // expiry; 0 is omitted (presumably Unix seconds as in JWT — confirm)
	NotBefore    int64         `json:"nbf,omitempty"` // not-before; 0 is omitted
	Attenuations []Attenuation `json:"att"`           // capabilities the token grants
	Proofs       []Proof       `json:"prf,omitempty"` // delegation proofs (parent JWTs or CIDs)
	Facts        []Fact        `json:"fct,omitempty"` // arbitrary facts
}

Token represents a UCAN JWT token with parsed claims

func NewVaultAdminToken

func NewVaultAdminToken(
	builder TokenBuilderInterface,
	vaultOwnerDID string,
	vaultAddress string,
	enclaveDataCID string,
	exp time.Time,
) (*Token, error)

NewVaultAdminToken creates a new UCAN token with vault admin capabilities

func VerifyJWTToken

func VerifyJWTToken(tokenString string) (*Token, error)

VerifyJWTToken validates and parses a UCAN JWT token

func VerifyModuleJWTToken

func VerifyModuleJWTToken(tokenString string, expectedIssuer, expectedAudience string) (*Token, error)

VerifyModuleJWTToken validates and parses a UCAN JWT token with module-specific capabilities

type TokenBuilder

// TokenBuilder implements token builder functionality (see
// TokenBuilderInterface). Capability is the attenuation it builds with.
type TokenBuilder struct {
	Capability Attenuation
}

TokenBuilder implements token builder functionality

func (*TokenBuilder) CreateDelegatedToken

func (tb *TokenBuilder) CreateDelegatedToken(
	parentToken *Token,
	issuer string,
	capabilities []Attenuation,
	facts []Fact,
	start, expiry time.Time,
) (*Token, error)

CreateDelegatedToken creates a delegated token

func (*TokenBuilder) CreateOriginToken

func (tb *TokenBuilder) CreateOriginToken(
	issuer string,
	capabilities []Attenuation,
	facts []Fact,
	start, expiry time.Time,
) (*Token, error)

CreateOriginToken creates a new origin token

type TokenBuilderInterface

// TokenBuilderInterface defines token building methods; TokenBuilder
// implements it and NewVaultAdminToken accepts any implementation.
type TokenBuilderInterface interface {
	// CreateOriginToken creates a root token with no parent.
	CreateOriginToken(
		issuer string,
		capabilities []Attenuation,
		facts []Fact,
		start, expiry time.Time,
	) (*Token, error)
	// CreateDelegatedToken creates a token derived from parentToken;
	// presumably capabilities must be contained by the parent's — confirm.
	CreateDelegatedToken(
		parentToken *Token,
		issuer string,
		capabilities []Attenuation,
		facts []Fact,
		start, expiry time.Time,
	) (*Token, error)
}

TokenBuilderInterface defines token building methods

type VaultCapability

// VaultCapability implements Capability for vault-specific operations with
// support for admin permissions, actions, and enclave data management.
// The JSON keys line up with VaultCapabilitySchema ("can", "actions",
// "vault", "cavs").
type VaultCapability struct {
	Action         string            `json:"can"`                        // e.g. VaultAdminAction ("vault/admin") or another "vault/*" value
	Actions        []string          `json:"actions,omitempty"`          // finer-grained actions
	VaultAddress   string            `json:"vault,omitempty"`
	Caveats        []string          `json:"cavs,omitempty"`             // opaque caveat strings
	EnclaveDataCID string            `json:"enclave_data_cid,omitempty"` // read by GetEnclaveDataCID
	Metadata       map[string]string `json:"metadata,omitempty"`
}

VaultCapability implements Capability for vault-specific operations with support for admin permissions, actions, and enclave data management.

func (*VaultCapability) Contains

func (c *VaultCapability) Contains(other Capability) bool

Contains checks if this capability contains another capability

func (*VaultCapability) GetActions

func (c *VaultCapability) GetActions() []string

GetActions returns the actions this vault capability grants

func (*VaultCapability) Grants

func (c *VaultCapability) Grants(abilities []string) bool

Grants checks if this capability grants the required abilities

func (*VaultCapability) String

func (c *VaultCapability) String() string

String returns string representation

type VaultResource

// VaultResource represents vault-specific resources with metadata. The
// embedded SimpleResource supplies the Resource interface methods.
type VaultResource struct {
	SimpleResource
	VaultAddress   string            `json:"vault_address,omitempty"`
	EnclaveDataCID string            `json:"enclave_data_cid,omitempty"`
	Metadata       map[string]string `json:"metadata,omitempty"`
}

VaultResource represents vault-specific resources with metadata

type VaultResourceExt

// VaultResourceExt represents an extended IPFS-based vault resource. It
// duplicates VaultResource's address/CID fields without omitempty and
// exists as a separate type to avoid redeclaring VaultResource.
type VaultResourceExt struct {
	SimpleResource
	VaultAddress   string `json:"vault_address"`
	EnclaveDataCID string `json:"enclave_data_cid"`
}

VaultResourceExt represents an extended IPFS-based vault resource; it is a separate type so that VaultResource is not redeclared

type Verifier

type Verifier struct {
	// contains filtered or unexported fields
}

Verifier provides UCAN token verification and validation functionality

func NewVerifier

func NewVerifier(didResolver DIDResolver) *Verifier

NewVerifier creates a new UCAN token verifier

func (*Verifier) VerifyCapability

func (v *Verifier) VerifyCapability(
	ctx context.Context,
	tokenString string,
	resource string,
	abilities []string,
) (*Token, error)

VerifyCapability validates that a UCAN token grants specific capabilities

func (*Verifier) VerifyDelegationChain

func (v *Verifier) VerifyDelegationChain(ctx context.Context, tokenString string) error

VerifyDelegationChain validates the complete delegation chain of a UCAN token

func (*Verifier) VerifyToken

func (v *Verifier) VerifyToken(ctx context.Context, tokenString string) (*Token, error)

VerifyToken parses and verifies a UCAN JWT token
