wip: completed cross signed claimNetworkAccess logic

tegefaulkes · tegefaulkes · commit 17e0545a4cd7 · 2025-06-17T15:32:36.000+10:00
diff --git a/src/claims/payloads/claimNetworkAccess.ts b/src/claims/payloads/claimNetworkAccess.ts
@@ -1,13 +1,16 @@
 import type { Claim, SignedClaim } from '../types.js';
 import type { NodeId, NodeIdEncoded } from '../../ids/types.js';
 import type { SignedTokenEncoded } from '../../tokens/types.js';
-import type Token from '../../tokens/Token.js';
+import * as claimNetworkAuthorityUtils from './claimNetworkAuthority.js';
+import Token from '../../tokens/Token.js';
 import * as tokensSchema from '../../tokens/schemas/index.js';
 import * as ids from '../../ids/index.js';
 import * as claimsUtils from '../utils.js';
 import * as tokensUtils from '../../tokens/utils.js';
 import * as validationErrors from '../../validation/errors.js';
 import * as utils from '../../utils/index.js';
+import * as nodesUtils from '../../nodes/utils.js';
+import * as keysUtils from '../../keys/utils/index.js';
 
 /**
  * Asserts that a node is a part of a network
@@ -17,7 +20,7 @@ interface ClaimNetworkAccess extends Claim {
   iss: NodeIdEncoded;
   sub: NodeIdEncoded;
   network: string;
-  signedClaimNetworkAuthorityEncoded?: SignedTokenEncoded;
+  signedClaimNetworkAuthorityEncoded: SignedTokenEncoded;
 }
 
 function assertClaimNetworkAccess(
@@ -87,12 +90,69 @@ function parseSignedClaimNetworkAccess(
 
 function verifyClaimNetworkAccess(
   networkNodeId: NodeId,
-  targetNodeId: NodeId,
+  subjectNodeId: NodeId,
   network: string,
-  token: Token<ClaimNetworkAccess>,
+  tokenClaimNetworkAccess: Token<ClaimNetworkAccess>,
 ): void {
   // TODO: complete
-  console.log(token);
+  //  for the network authority claim.
+  //  1. check network is correct
+  //  2. issuer matches network public key
+  //  3. subject matches the current node
+  //  4. signed both by issuer and subject
+
+  const signedClaim =
+    claimNetworkAuthorityUtils.parseSignedClaimNetworkAuthority(
+      tokenClaimNetworkAccess.payload.signedClaimNetworkAuthorityEncoded,
+    );
+  const claimNetworkAuthority = Token.fromSigned(signedClaim);
+  const issuerNodeId = nodesUtils.decodeNodeId(
+    tokenClaimNetworkAccess.payload.iss,
+  );
+  if (issuerNodeId == null) throw Error('TMP IMP issuerNodeId is null');
+  claimNetworkAuthorityUtils.verifyClaimNetworkAuthority(
+    networkNodeId,
+    issuerNodeId,
+    network,
+    claimNetworkAuthority,
+  );
+  //  For the access claim
+  //  1. issuer is current node
+  //  2. subject is target node
+  //  3. is signed by both the target and issuer
+
+  // Issuer should be the subject of the ClaimNetworkAuthority and signed by it
+  const claimNetworkAuthoritySub = claimNetworkAuthority.payload.sub;
+  const nodeIdIss = tokenClaimNetworkAccess.payload.iss;
+  if (nodeIdIss !== claimNetworkAuthoritySub) {
+    throw Error(
+      'TMP IMP Issuer NodeIdEncoded does not match the expected network id',
+    );
+  }
+  const networkPublicKey = keysUtils.publicKeyFromNodeId(issuerNodeId);
+  if (!tokenClaimNetworkAccess.verifyWithPublicKey(networkPublicKey)) {
+    throw Error('TMP IMP Token was not signed by the issuer node');
+  }
+
+  // Subject should be the target node and signed by it
+  const targetNodeIdEncoded = nodesUtils.encodeNodeId(subjectNodeId);
+  const nodeIdSub = tokenClaimNetworkAccess.payload.sub;
+  if (nodeIdSub !== targetNodeIdEncoded) {
+    throw Error(
+      'TMP IMP Subject NodeIdEncoded does not match the expected subject node',
+    );
+  }
+  const targetPublicKey = keysUtils.publicKeyFromNodeId(subjectNodeId);
+
+  if (!tokenClaimNetworkAccess.verifyWithPublicKey(targetPublicKey)) {
+    throw Error('TMP IMP Token was not signed by the subject node');
+  }
+
+  // Checking if the network name matches
+  const networkName = tokenClaimNetworkAccess.payload.network;
+  if (networkName !== network) {
+    throw Error('TMP IMP Network name does not match the expected network');
+  }
 }
 
 export {
diff --git a/src/claims/payloads/claimNetworkAuthority.ts b/src/claims/payloads/claimNetworkAuthority.ts
@@ -3,7 +3,6 @@ import type { NodeId, NodeIdEncoded } from '../../ids/types.js';
 import type Token from '../../tokens/Token.js';
 import * as ids from '../../ids/index.js';
 import * as claimsUtils from '../utils.js';
-import * as tokensUtils from '../../tokens/utils.js';
 import * as validationErrors from '../../validation/errors.js';
 import * as utils from '../../utils/index.js';
 import * as nodesUtils from '../../nodes/utils.js';
@@ -66,7 +65,7 @@ function parseClaimNetworkAuthority(
 function parseSignedClaimNetworkAuthority(
   signedClaimNetworkNodeEncoded: unknown,
 ): SignedClaim<ClaimNetworkAuthority> {
-  const signedClaim = tokensUtils.parseSignedToken(
+  const signedClaim = claimsUtils.parseSignedClaim(
     signedClaimNetworkNodeEncoded,
   );
   assertClaimNetworkAuthority(signedClaim.payload);
diff --git a/src/nodes/NodeManager.ts b/src/nodes/NodeManager.ts
@@ -1586,12 +1586,11 @@ class NodeManager<Manifest extends AgentClientManifestNodeManager> {
       );
     }
 
-    // TODO: Steps:
-    //  1. validate claimNetworkAuthority
-    //  2. construct claim
-    //  3. In the signing hook make a call to the target node and hand it over for signing.
-    //  4. validate returned claim and return it in signing hook.
-    //  5. return new claim and id.
+    // 1. validate claimNetworkAuthority
+    // 2. construct claim
+    // 3. In the signing hook make a call to the target node and hand it over for signing.
+    // 4. validate returned claim and return it in signing hook.
+    // 5. return new claim and id.
 
     // Validating that the ClaimNetworkAuthority is correct.
     const networkNodeId = nodesUtils.decodeNodeId(
@@ -1608,11 +1607,12 @@ class NodeManager<Manifest extends AgentClientManifestNodeManager> {
     const encodedNetworkAuthority = claimsUtils.generateSignedClaim(
       claimNetworkAuthority.toSigned(),
     );
+    const subjectNodeId = this.keyRing.getNodeId();
     const [claimId, signedClaim] = await this.sigchain.addClaim(
       {
         typ: 'ClaimNetworkAccess',
         iss: nodesUtils.encodeNodeId(targetNodeId),
-        sub: nodesUtils.encodeNodeId(this.keyRing.getNodeId()),
+        sub: nodesUtils.encodeNodeId(subjectNodeId),
         network,
         signedClaimNetworkAuthorityEncoded: encodedNetworkAuthority,
       },
@@ -1627,7 +1627,7 @@ class NodeManager<Manifest extends AgentClientManifestNodeManager> {
           const stream = await client.methods.nodesClaimNetworkSign();
           const writer = stream.writable.getWriter();
           const reader = stream.readable.getReader();
-          let fullySignedToken: Token<Claim>;
+          let fullySignedToken: Token<ClaimNetworkAccess>;
           try {
             await writer.write({
               signedTokenEncoded: halfSignedClaimEncoded,
@@ -1639,41 +1639,41 @@ class NodeManager<Manifest extends AgentClientManifestNodeManager> {
             }
             const receivedClaim = readStatus.value;
             // We need to re-construct the token from the message
-            const signedClaim = claimsUtils.parseSignedClaim(
-              receivedClaim.signedTokenEncoded,
+            const recivedClaimNetworkAccess =
+              claimNetworkAccessUtils.parseSignedClaimNetworkAccess(
+                receivedClaim.signedTokenEncoded,
+              );
+            fullySignedToken = Token.fromSigned(recivedClaimNetworkAccess);
+            claimNetworkAccessUtils.verifyClaimNetworkAccess(
+              networkNodeId,
+              subjectNodeId,
+              network,
+              fullySignedToken,
             );
-            fullySignedToken = Token.fromSigned(signedClaim);
-            // Check that the signatures are correct
-            const targetNodePublicKey =
-              keysUtils.publicKeyFromNodeId(targetNodeId);
-            if (
-              !fullySignedToken.verifyWithPublicKey(
-                this.keyRing.keyPair.publicKey,
-              ) ||
-              !fullySignedToken.verifyWithPublicKey(targetNodePublicKey)
-            ) {
-              throw new claimsErrors.ErrorDoublySignedClaimVerificationFailed();
-            }
-
-            // TODO: Verify the claim's network authority is correct.
 
             // Next stage is to process the claim for the other node
             const readStatus2 = await reader.read();
             if (readStatus2.done) {
               throw new claimsErrors.ErrorEmptyStream();
             }
             const receivedClaimRemote = readStatus2.value;
+
             // We need to re-construct the token from the message
-            const signedClaimRemote = claimsUtils.parseSignedClaim(
-              receivedClaimRemote.signedTokenEncoded,
-            );
+            const signedClaimRemote =
+              claimNetworkAccessUtils.parseSignedClaimNetworkAccess(
+                receivedClaimRemote.signedTokenEncoded,
+              );
             // This is a singly signed claim,
             // we want to verify it before signing and sending back
             const signedTokenRemote = Token.fromSigned(signedClaimRemote);
-            if (!signedTokenRemote.verifyWithPublicKey(targetNodePublicKey)) {
-              throw new claimsErrors.ErrorSinglySignedClaimVerificationFailed();
-            }
             signedTokenRemote.signWithPrivateKey(this.keyRing.keyPair);
+            // Verify everything is correct
+            claimNetworkAccessUtils.verifyClaimNetworkAccess(
+              networkNodeId,
+              subjectNodeId,
+              network,
+              signedTokenRemote,
+            );
             // 4. X <- responds with double signing the X signed claim <- Y
             const agentClaimedMessageRemote = claimsUtils.generateSignedClaim(
               signedTokenRemote.toSigned(),
@@ -1692,14 +1692,14 @@ class NodeManager<Manifest extends AgentClientManifestNodeManager> {
             throw e;
           }
           return fullySignedToken;
-          throw Error('TMP IMP not implemented.');
         });
       },
       tran,
     );
     return [claimId, signedClaim as SignedClaim<ClaimNetworkAccess>];
   }
 
+  // TODO: This needs to check the ACL to see if we should actually help create the claim.
   public async *handleClaimNetwork(
     requestingNodeId: NodeId,
     input: AsyncIterableIterator<AgentRPCRequestParams<AgentClaimMessage>>,
@@ -1756,7 +1756,7 @@ class NodeManager<Manifest extends AgentClientManifestNodeManager> {
       utils.promise<SignedTokenEncoded>();
     const claimP = this.sigchain.addClaim(
       {
-        typ: 'claimNetworkAccess',
+        typ: 'ClaimNetworkAccess',
         iss: nodesUtils.encodeNodeId(this.keyRing.getNodeId()),
         sub: nodesUtils.encodeNodeId(requestingNodeId),
         network: this.claimNetworkAuthority.payload.network,
diff --git a/tests/nodes/NodeManager.test.ts b/tests/nodes/NodeManager.test.ts
@@ -993,7 +993,10 @@ describe(`${NodeManager.name}`, () => {
       expect(await nodeGraphPeer.nodesTotal()).toBe(0);
     });
 
-    test('creating a claimNetworkAccess token', async () => {
+    // TODO tests
+    //  1. claiming a network should fail if issuer doesn't have a valid claimNetworkAuthority
+    //  2. Claming a network should fail if issuer doesn't allow the requesting node access.
+    test('creating a claimNetworkAccess token and verifying it', async () => {
       const nodeIdTarget = keyRingPeer.getNodeId();
       await nodeGraph.setNodeContactAddressData(
         nodeIdTarget,
@@ -1030,24 +1033,19 @@ describe(`${NodeManager.name}`, () => {
             return claim;
           },
         );
-      try {
-        const result = await nodeManager.claimNetwork(
-          nodeIdTarget,
-          network,
-          Token.fromSigned(claimNetworkAuthority),
-        );
-        const [, signedClaim] = result;
-        const token = Token.fromSigned(signedClaim);
-        claimNetworkAccessUtils.verifyClaimNetworkAccess(
-          networkNodeId,
-          keyRingPeer.getNodeId(),
-          network,
-          token,
-        );
-      } catch (e) {
-        console.error(e);
-        throw e;
-      }
+      const result = await nodeManager.claimNetwork(
+        nodeIdTarget,
+        network,
+        Token.fromSigned(claimNetworkAuthority),
+      );
+      const [, signedClaim] = result;
+      const token = Token.fromSigned(signedClaim);
+      claimNetworkAccessUtils.verifyClaimNetworkAccess(
+        networkNodeId,
+        keyRing.getNodeId(),
+        network,
+        token,
+      );
     });
   });
   describe('with 1 peer and mdns', () => {
