Scille
diff --git a/‎libparsec/crates/client/src/async_enrollment/accept.rs‎
Lines changed: 237 additions & 0 deletions b/‎libparsec/crates/client/src/async_enrollment/accept.rs‎
Lines changed: 237 additions & 0 deletions
diff --git a/‎libparsec/crates/client/src/async_enrollment/info.rs‎
Lines changed: 94 additions & 0 deletions b/‎libparsec/crates/client/src/async_enrollment/info.rs‎
Lines changed: 94 additions & 0 deletions
@@ -0,0 +1,237 @@
+// Parsec Cloud (https://parsec.cloud) Copyright (c) BUSL-1.1 2016-present Scille SAS
+
+use libparsec_client_connection::{AuthenticatedCmds, ConnectionError};
+use libparsec_types::prelude::*;
+
+use crate::{
+    greater_timestamp, utils::create_user_and_device_certificates, EventBus,
+    EventTooMuchDriftWithServerClock, GreaterTimestampOffset,
+};
+
+#[derive(Debug, thiserror::Error)]
+pub enum AsyncEnrollmentAcceptError {
+    #[error("Cannot communicate with the server: {0}")]
+    Offline(#[from] ConnectionError),
+
+    #[error("Author not allowed")]
+    AuthorNotAllowed,
+    #[error("Enrollment not found")]
+    EnrollmentNotFound,
+    #[error("Enrollment no longer available (either already accepted or rejected)")]
+    EnrollmentNoLongerAvailable,
+    #[error("Submitter has provided an invalid request: {0}")]
+    BadSubmitPayload(#[from] AsyncEnrollmentVerifySubmitPayloadError),
+    #[error("Active users limit reached")]
+    ActiveUsersLimitReached,
+    #[error("Human handle (i.e. email address) already taken")]
+    HumanHandleAlreadyTaken,
+    #[error("Our clock ({client_timestamp}) and the server's one ({server_timestamp}) are too far apart")]
+    TimestampOutOfBallpark {
+        server_timestamp: DateTime,
+        client_timestamp: DateTime,
+        ballpark_client_early_offset: f64,
+        ballpark_client_late_offset: f64,
+    },
+    #[error(transparent)]
+    Internal(#[from] anyhow::Error),
+}
+
+pub trait AsyncEnrollmentAcceptIdentityStrategy {
+    fn verify_submit_payload(
+        &self,
+        payload: &[u8],
+        payload_signature: libparsec_client_connection::protocol::authenticated_cmds::latest::async_enrollment_list::SubmitPayloadSignature,
+    ) -> Result<AsyncEnrollmentSubmitPayload, AsyncEnrollmentVerifySubmitPayloadError> {
+        let submit_payload = AsyncEnrollmentSubmitPayload::load(payload)
+            .map_err(|_| AsyncEnrollmentVerifySubmitPayloadError::BadPayload)?;
+        self._verify_submit_payload(payload, payload_signature)?;
+        Ok(submit_payload)
+    }
+    fn _verify_submit_payload(
+        &self,
+        payload: &[u8],
+        payload_signature: libparsec_client_connection::protocol::authenticated_cmds::latest::async_enrollment_list::SubmitPayloadSignature,
+    ) -> Result<AsyncEnrollmentSubmitPayload, AsyncEnrollmentVerifySubmitPayloadError>;
+    fn sign_accept_payload(&self, payload: &[u8]) -> libparsec_client_connection::protocol::authenticated_cmds::latest::async_enrollment_accept::AcceptPayloadSignature;
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum AsyncEnrollmentVerifySubmitPayloadError {
+    #[error("Invalid payload serialization")]
+    BadPayload,
+    /// The signature couldn't be verified
+    #[error("Invalid payload signature")]
+    BadSignature,
+    /// The signature is valid, but it has been done by someone unrelated to
+    /// the requested email present in the payload.
+    #[error("Requested email in the payload doesn't match the signature author's identity")]
+    BadRequestedEmail,
+}
+
+pub async fn async_enrollment_accept(
+    cmds: &AuthenticatedCmds,
+    event_bus: &EventBus,
+    author: &LocalDevice,
+    enrollment_id: AsyncEnrollmentID,
+    profile: UserProfile,
+    identity_strategy: &dyn AsyncEnrollmentAcceptIdentityStrategy,
+) -> Result<(), AsyncEnrollmentAcceptError> {
+    // 1) Get back the enrollment submit payload from the server
+
+    let enrollment = {
+        let enrollments = {
+            use libparsec_client_connection::protocol::authenticated_cmds::latest::async_enrollment_list::{Req, Rep};
+
+            let rep = cmds.send(Req).await?;
+            match rep {
+                Rep::Ok { enrollments } => enrollments,
+                Rep::AuthorNotAllowed => return Err(AsyncEnrollmentAcceptError::AuthorNotAllowed),
+                bad_rep @ Rep::UnknownStatus { .. } => {
+                    return Err(anyhow::anyhow!("Unexpected server response: {:?}", bad_rep).into())
+                }
+            }
+        };
+        enrollments
+            .into_iter()
+            .find(|e| e.enrollment_id == enrollment_id)
+            .ok_or(AsyncEnrollmentAcceptError::EnrollmentNotFound)?
+    };
+
+    // 2) Validate the submit payload & the requested email vs identity consistency
+
+    let submit_payload = identity_strategy.verify_submit_payload(
+        &enrollment.submit_payload,
+        enrollment.submit_payload_signature,
+    )?;
+
+    // 3) The submit payload is all good, now we can actually enroll the user
+
+    let mut timestamp = author.time_provider.now();
+    loop {
+        let (
+            submitter_user_certificate,
+            submitter_redacted_user_certificate,
+            submitter_device_certificate,
+            submitter_redacted_device_certificate,
+            accept_payload,
+        ) = create_certificates_and_accept_payload(
+            author,
+            submit_payload.requested_device_label.clone(),
+            submit_payload.requested_human_handle.clone(),
+            profile,
+            submit_payload.public_key.clone(),
+            submit_payload.verify_key.clone(),
+            timestamp,
+        );
+        let accept_payload_signature = identity_strategy.sign_accept_payload(&accept_payload);
+
+        {
+            use libparsec_client_connection::protocol::authenticated_cmds::latest::async_enrollment_accept::{Req, Rep};
+
+            let rep = cmds
+                .send(Req {
+                    enrollment_id,
+                    submitter_user_certificate,
+                    submitter_device_certificate,
+                    submitter_redacted_user_certificate,
+                    submitter_redacted_device_certificate,
+                    accept_payload,
+                    accept_payload_signature,
+                })
+                .await?;
+            return match rep {
+                Rep::Ok => Ok(()),
+                Rep::RequireGreaterTimestamp {
+                    strictly_greater_than,
+                } => {
+                    timestamp = greater_timestamp(
+                        &author.time_provider,
+                        GreaterTimestampOffset::User,
+                        strictly_greater_than,
+                    );
+                    continue;
+                }
+                Rep::AuthorNotAllowed => Err(AsyncEnrollmentAcceptError::AuthorNotAllowed),
+                Rep::EnrollmentNotFound => Err(AsyncEnrollmentAcceptError::EnrollmentNotFound),
+                Rep::EnrollmentNoLongerAvailable => Err(AsyncEnrollmentAcceptError::EnrollmentNoLongerAvailable),
+                Rep::ActiveUsersLimitReached => Err(AsyncEnrollmentAcceptError::ActiveUsersLimitReached),
+                Rep::HumanHandleAlreadyTaken => Err(AsyncEnrollmentAcceptError::HumanHandleAlreadyTaken),
+                Rep::TimestampOutOfBallpark {
+                    server_timestamp,
+                    client_timestamp,
+                    ballpark_client_early_offset,
+                    ballpark_client_late_offset,
+                } => {
+                    let event = EventTooMuchDriftWithServerClock {
+                        server_timestamp,
+                        ballpark_client_early_offset,
+                        ballpark_client_late_offset,
+                        client_timestamp,
+                    };
+                    event_bus.send(&event);
+
+                    Err(AsyncEnrollmentAcceptError::TimestampOutOfBallpark {
+                        server_timestamp,
+                        client_timestamp,
+                        ballpark_client_early_offset,
+                        ballpark_client_late_offset,
+                    })
+                }
+                bad_rep @ (
+                    Rep::UserAlreadyExists  // User & device IDs have just been randomly generated
+                    | Rep::InvalidCertificate
+                    | Rep::InvalidAcceptPayload
+                    | Rep::InvalidAcceptPayloadSignature
+                    | Rep::UnknownStatus { .. }
+                ) => {
+                    return Err(anyhow::anyhow!("Unexpected server response: {:?}", bad_rep).into())
+                }
+            };
+        }
+    }
+}
+
+fn create_certificates_and_accept_payload(
+    author: &LocalDevice,
+    device_label: DeviceLabel,
+    human_handle: HumanHandle,
+    profile: UserProfile,
+    public_key: PublicKey,
+    verify_key: VerifyKey,
+    timestamp: DateTime,
+) -> (Bytes, Bytes, Bytes, Bytes, Bytes) {
+    let (
+        user_id,
+        device_id,
+        user_certificate_bytes,
+        redacted_user_certificate_bytes,
+        device_certificate_bytes,
+        redacted_device_certificate_bytes,
+    ) = create_user_and_device_certificates(
+        author,
+        device_label.clone(),
+        human_handle.clone(),
+        profile,
+        public_key,
+        verify_key,
+        timestamp,
+    );
+
+    let accept_payload = AsyncEnrollmentAcceptPayload {
+        user_id,
+        device_id,
+        device_label,
+        human_handle,
+        profile,
+        root_verify_key: author.root_verify_key().clone(),
+    };
+    let accept_payload_bytes = accept_payload.dump().into();
+
+    (
+        user_certificate_bytes,
+        redacted_user_certificate_bytes,
+        device_certificate_bytes,
+        redacted_device_certificate_bytes,
+        accept_payload_bytes,
+    )
+}
@@ -0,0 +1,94 @@
+// Parsec Cloud (https://parsec.cloud) Copyright (c) BUSL-1.1 2016-present Scille SAS
+
+use libparsec_client_connection::{AnonymousCmds, ConnectionError};
+use libparsec_types::prelude::*;
+
+#[derive(Debug, thiserror::Error)]
+pub enum AsyncEnrollmentInfoError {
+    #[error("Cannot communicate with the server: {0}")]
+    Offline(#[from] ConnectionError),
+    #[error("Enrollment not found")]
+    EnrollmentNotFound,
+    #[error(transparent)]
+    Internal(#[from] anyhow::Error),
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum AsyncEnrollmentVerifyAcceptPayloadError {
+    #[error("Invalid payload serialization")]
+    BadPayload,
+    /// The signature couldn't be verified
+    #[error("Invalid payload signature")]
+    BadSignature,
+}
+
+pub trait AsyncEnrollmentInfoIdentityStrategy {
+    fn verify_accept_payload(
+        &self,
+        payload: &[u8],
+        payload_signature: libparsec_client_connection::protocol::anonymous_cmds::latest::async_enrollment_info::AcceptPayloadSignature,
+    ) -> Result<AsyncEnrollmentSubmitPayload, AsyncEnrollmentVerifyAcceptPayloadError> {
+        let submit_payload = AsyncEnrollmentSubmitPayload::load(payload)
+            .map_err(|_| AsyncEnrollmentVerifyAcceptPayloadError::BadPayload)?;
+        self._verify_accept_payload(payload, payload_signature)?;
+        Ok(submit_payload)
+    }
+    fn _verify_accept_payload(
+        &self,
+        payload: &[u8],
+        payload_signature: libparsec_client_connection::protocol::anonymous_cmds::latest::async_enrollment_info::AcceptPayloadSignature,
+    ) -> Result<AsyncEnrollmentSubmitPayload, AsyncEnrollmentVerifyAcceptPayloadError>;
+}
+
+pub async fn async_enrollment_info(
+    cmds: &AnonymousCmds,
+    enrollment_id: AsyncEnrollmentID,
+) -> Result<(AsyncEnrollmentID, DateTime), AsyncEnrollmentInfoError> {
+    let _status = {
+        use libparsec_client_connection::protocol::anonymous_cmds::latest::async_enrollment_info::{Req, Rep};
+
+        let req = Req { enrollment_id };
+        let rep = cmds.send(req).await?;
+        match rep {
+            Rep::Ok(status) => status,
+            Rep::EnrollmentNotFound => return Err(AsyncEnrollmentInfoError::EnrollmentNotFound),
+            bad_rep @ Rep::UnknownStatus { .. } => {
+                return Err(anyhow::anyhow!("Unexpected server response: {:?}", bad_rep).into())
+            }
+        }
+    };
+
+    todo!()
+
+    // {
+    //     use libparsec_protocol::anonymous_cmds::v5::async_enrollment_info::InfoStatus;
+    //     match status {
+    //         InfoStatus::Submitted { submitted_on } => Ok(Info::Submitted { submitted_on }),
+    //         InfoStatus::Rejected {
+    //             rejected_on,
+    //             submitted_on,
+    //         } => Ok(Info::Rejected {
+    //             rejected_on,
+    //             submitted_on,
+    //         }),
+    //         InfoStatus::Cancelled {
+    //             cancelled_on,
+    //             submitted_on,
+    //         } => Ok(Info::Cancelled {
+    //             cancelled_on,
+    //             submitted_on,
+    //         }),
+    //         InfoStatus::Accepted {
+    //             accepted_on,
+    //             accept_payload,
+    //             accept_payload_signature,
+    //             submitted_on,
+    //         } => Ok(Info::Accepted {
+    //             accepted_on,
+    //             accept_payload,
+    //             accept_payload_signature,
+    //             submitted_on,
+    //         }),
+    //     }
+    // }
+}