class AuthorizationGraph extends AuthorizationCheck with NamedLogging
Stores a set of namespace delegations, tracks dependencies and determines which keys are authorized to sign on behalf of a namespace.
Namespace delegations are a bit tricky as there can be an arbitrary number of delegations between the namespace key and the key that will be used for authorizations. Think of it as a certificate chain where we get a series of certificates and we need to figure out a path from one certificate to the root certificate.
NOTE: this class is not thread-safe
Properties of the graph:
- Each node corresponds to a target key
- The node with key fingerprint of the namespace is the root node
- The edges between nodes are namespace delegations. If key A signs a namespace delegation with target key B, then key A authorizes key B to act on the namespace. In this case, the edge is outgoing from node A and incoming into node B.
- The graph may have cycles. The implementation does not get confused by this.
Computation task: The graph maintains a set of nodes that are connected to the root node. Those correspond to the keys that are authorized to sign on behalf of the namespace.
Limitation: clients need to ensure that the namespace delegations added have valid signatures. If delegations with invalid signatures are added, authorization will break.
- Alphabetic
- By Inheritance
- AuthorizationGraph
- NamedLogging
- AuthorizationCheck
- AnyRef
- Any
- Hide All
- Show All
- Public
- Protected
Instance Constructors
- new AuthorizationGraph(namespace: Namespace, extraDebugInfo: Boolean, loggerFactory: NamedLoggerFactory)
- extraDebugInfo
whether to log the authorization graph at debug level on every recomputation
Value Members
- final def !=(arg0: Any): Boolean
- Definition Classes
- AnyRef → Any
- final def ##: Int
- Definition Classes
- AnyRef → Any
- final def ==(arg0: Any): Boolean
- Definition Classes
- AnyRef → Any
- final def asInstanceOf[T0]: T0
- Definition Classes
- Any
- def authorizedDelegations(): Map[Namespace, Seq[(AuthorizedNamespaceDelegation, Int)]]
Per namespace (required for decentralized namespaces), a list of namespace delegations that have a gapless chain to the root certificate together with the length of the chain to the root certificate for each namespace delegation.
Per namespace (required for decentralized namespaces), a list of namespace delegations that have a gapless chain to the root certificate together with the length of the chain to the root certificate for each namespace delegation.
- Definition Classes
- AuthorizationGraph → AuthorizationCheck
- def clone(): AnyRef
- Attributes
- protected[lang]
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.CloneNotSupportedException]) @IntrinsicCandidate() @native()
- final def eq(arg0: AnyRef): Boolean
- Definition Classes
- AnyRef
- def equals(arg0: AnyRef): Boolean
- Definition Classes
- AnyRef → Any
- implicit def errorLoggingContext(implicit traceContext: TraceContext): ErrorLoggingContext
- Attributes
- protected
- Definition Classes
- NamedLogging
- def existsAuthorizedKeyIn(authKeys: Set[Fingerprint], mappingToAuthorize: Code): Boolean
Determines if a subset of the given keys is authorized to sign a given mapping type on behalf of the (possibly decentralized) namespace.
Determines if a subset of the given keys is authorized to sign a given mapping type on behalf of the (possibly decentralized) namespace.
- mappingToAuthorize
the Code of the mapping that needs to be authorized.
- Definition Classes
- AuthorizationGraph → AuthorizationCheck
- final def getClass(): Class[_ <: AnyRef]
- Definition Classes
- AnyRef → Any
- Annotations
- @IntrinsicCandidate() @native()
- def hashCode(): Int
- Definition Classes
- AnyRef → Any
- Annotations
- @IntrinsicCandidate() @native()
- final def isInstanceOf[T0]: Boolean
- Definition Classes
- Any
- def keysSupportingAuthorization(authKeys: Set[Fingerprint], mappingToAuthorize: Code): Set[SigningPublicKey]
Returns those keys that are useful for signing on behalf of the (possibly decentralized) namespace.
Returns those keys that are useful for signing on behalf of the (possibly decentralized) namespace. Only keys with fingerprint in
authKeyswill be returned. The returned keys are not necessarily sufficient to authorize a transaction on behalf of the namespace; in case of a decentralized namespace, additional signatures may be required. Only returns keys that are permitted to sign the provided mapping type.- Definition Classes
- AuthorizationGraph → AuthorizationCheck
- def logger: TracedLogger
- Attributes
- protected
- Definition Classes
- NamedLogging
- val loggerFactory: NamedLoggerFactory
- Attributes
- protected
- Definition Classes
- AuthorizationGraph → NamedLogging
- implicit def namedLoggingContext(implicit traceContext: TraceContext): NamedLoggingContext
- Attributes
- protected
- Definition Classes
- NamedLogging
- val namespace: Namespace
- final def ne(arg0: AnyRef): Boolean
- Definition Classes
- AnyRef
- def noTracingLogger: Logger
- Attributes
- protected
- Definition Classes
- NamedLogging
- def nodes: Set[Fingerprint]
- final def notify(): Unit
- Definition Classes
- AnyRef
- Annotations
- @IntrinsicCandidate() @native()
- final def notifyAll(): Unit
- Definition Classes
- AnyRef
- Annotations
- @IntrinsicCandidate() @native()
- def recompute()(implicit traceContext: TraceContext): Unit
Recompute the authorization graph starting from the root certificate: We start at the root certificate and follow outgoing authorizations for all delegations that can sign NamespaceDelegations.
Recompute the authorization graph starting from the root certificate: We start at the root certificate and follow outgoing authorizations for all delegations that can sign NamespaceDelegations. As a result, every key that doesn't end up in the cache is not connected to the root certificate and therefore useless.
- Attributes
- protected
- def remove(item: AuthorizedNamespaceDelegation)(implicit traceContext: TraceContext): Unit
Remove all mappings with the same target key from this graph.
Remove all mappings with the same target key from this graph.
- Exceptions thrown
java.lang.IllegalArgumentExceptionifitemdoes not refer tonamespaceor the operation is not REMOVE.
- def replace(items: Seq[AuthorizedNamespaceDelegation])(implicit traceContext: TraceContext): Unit
Add the mappings in
itemsto this graph and remove any existing mappings with the same target fingerprint.Add the mappings in
itemsto this graph and remove any existing mappings with the same target fingerprint. If an unauthorized namespace delegation is added to the graph, the graph will contain nodes that are not connected to the root. The target key of the unauthorized delegation will still be considered unauthorized.- Exceptions thrown
java.lang.IllegalArgumentExceptionifitemdoes not refer tonamespaceor the operation is not REPLACE.
- def replace(item: AuthorizedNamespaceDelegation)(implicit traceContext: TraceContext): Unit
- def report()(implicit traceContext: TraceContext): Unit
- final def synchronized[T0](arg0: => T0): T0
- Definition Classes
- AnyRef
- def toString(): String
- Definition Classes
- AuthorizationGraph → AnyRef → Any
- final def wait(arg0: Long, arg1: Int): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.InterruptedException])
- final def wait(arg0: Long): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.InterruptedException]) @native()
- final def wait(): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.InterruptedException])