Merge pull request #3 from gobengo/ucanto-230-access-claim-delegate

test access-claim and access/delegate invocation creation/authorizati…

package.json

@@ -23,6 +23,7 @@
     "@ucanto/interface": "^4.0.3",
     "@ucanto/principal": "^4.0.3",
     "@ucanto/transport": "^4.0.3",
+    "@web3-storage/capabilities": "^2.3.0",
     "@web3-storage/upload-client": "^5.3.0"
   }
 }

src/w3protocol.test.ts

@@ -5,13 +5,15 @@ import * as ed25519 from '@ucanto/principal/ed25519';
 import { BlobLike } from '@web3-storage/upload-client/types';
 import * as stream from 'node:stream/web'
 import Ucanto from '@ucanto/interface';
+import * as validator from '@ucanto/validator';
 import * as UCAN from '@ipld/dag-ucan'
 import type * as UploadClientTypes from '@web3-storage/upload-client/types'
 import * as HTTP from '@ucanto/transport/http'
 import * as CAR from '@ucanto/transport/car'
 import * as CBOR from '@ucanto/transport/cbor'
 import * as ucanto from '@ucanto/core'
 import * as Client from '@ucanto/client'
+import { Access } from '@web3-storage/capabilities';
 
 test('can list items in a space', {}, async t => {
   const space = await ed25519.generate();
@@ -167,6 +169,7 @@ test('can delegate space/info for a space', {}, async (t) => {
 })
 
 // skipped for now while we know it doesn't work
+// (it gets an ambiguous Error because the space isnt registered)
 test('w3protocol-test can upload file', { skip: true }, async (t) => {
   const space = await ed25519.generate();
   const alice = await ed25519.generate();
@@ -230,3 +233,105 @@ function createHttpConnection<S extends Record<string,any>>(audience: Ucanto.UCA
     })
   })
 }
+
+test('can create access/claim invocations', async () => {
+  const issuer = await ed25519.generate();
+  const audience = await ed25519.generate();
+  const invocation = await Access.claim.invoke({
+    issuer,
+    audience,
+    with: issuer.did(),
+  }).delegate()
+  assert.ok(invocation.cid, 'invocation.cid is truthy')
+
+
+  const authorization = await validator.access(invocation, {
+    capability: Access.claim,
+    principal: ed25519.Verifier,
+    authority: audience,
+  })
+  assert.notDeepEqual(authorization.error, true, 'access did not result in error')
+})
+
+test('can create access/delegate invocations', async () => {
+  const issuer = await ed25519.generate();
+  const audience = await ed25519.generate();
+  const delegation = await createSampleDelegation();
+  const invocation = await Access.delegate.invoke({
+    issuer,
+    audience,
+    with: issuer.did(),
+    nb: {
+      delegations: {
+        shouldBeACid: delegation.cid
+      }
+    },
+    proofs: [delegation]
+  }).delegate()
+  assert.ok(invocation.cid, 'invocation.cid is truthy')
+
+  const authorization = await validator.access(invocation, {
+    capability: Access.delegate,
+    principal: ed25519.Verifier,
+    authority: audience,
+  })
+  assert.notDeepEqual(authorization.error, true, 'access did not result in error')
+})
+
+async function createSampleDelegation() {
+  return ucanto.delegate({
+    issuer: await ed25519.generate(),
+    audience: await ed25519.generate(),
+    capabilities: [
+      {
+        can: 'test/*',
+        with: 'urn:*'
+      }
+    ]
+  })
+}
+
+function w3s() {
+  const production = createHttpConnection(
+    'did:web:web3.storage' as const,
+    new URL('https://access.web3.storage'),
+  )
+  const staging = createHttpConnection(
+    'did:web:staging.web3.storage' as const,
+    new URL('https://w3access-staging.protocol-labs.workers.dev'),
+  )
+  return {
+    staging,
+    ...production,
+  }
+}
+
+test('can invoke access/delegate', async () => {
+  const w3 = w3s().staging;
+  const issuer = await ed25519.generate();
+  const delegation = await createSampleDelegation();
+  const delegate = await Access.delegate.invoke({
+      issuer,
+      audience: w3.id,
+      with: issuer.did(),
+      nb: {
+        delegations: {
+          shouldBeACid: delegation.cid
+        }
+      },
+      proofs: [delegation]
+    }).delegate()
+  const [result] = await w3.execute(delegate);
+  warnIfError(result)
+  assert.ok(result.error)
+  // this is 'good'. The only reason it's an error is the space hasn't been 'registered'
+  // via email confirmation
+  assert.deepEqual('name' in result && result.name, 'InsufficientStorage', 'access/delegate result is InsufficientStorage')
+  // assert.notDeepEqual(result.error, true, 'access/delegate result is not an error')
+})
+
+function warnIfError(result: Ucanto.Result<unknown, { error: true }>) {
+  if ('error' in result) {
+    console.warn('error result', result)
+  }
+}