feat(auth): authenticate automation controller

src/console/console.did

@@ -52,7 +52,7 @@ type AuthenticationConfigInternetIdentity = record {
 };
 type AuthenticationConfigOpenId = record {
   observatory_id : opt principal;
-  providers : vec record { OpenIdProvider; OpenIdProviderConfig };
+  providers : vec record { OpenIdDelegationProvider; OpenIdProviderAuthConfig };
 };
 type AuthenticationError = variant {
   PrepareDelegation : PrepareDelegationError;
@@ -223,7 +223,11 @@ type ListSegmentsArgs = record {
   segment_kind : opt StorableSegmentKind;
 };
 type Memory = variant { Heap; Stable };
-type OpenId = record { provider : OpenIdProvider; data : OpenIdData };
+type OpenId = record { provider : OpenIdDelegationProvider; data : OpenIdData };
+type OpenIdAuthProviderDelegationConfig = record {
+  targets : opt vec principal;
+  max_time_to_live : opt nat64;
+};
 type OpenIdData = record {
   name : opt text;
   locale : opt text;
@@ -233,6 +237,7 @@ type OpenIdData = record {
   given_name : opt text;
   preferred_username : opt text;
 };
+type OpenIdDelegationProvider = variant { GitHub; Google };
 type OpenIdGetDelegationArgs = record {
   jwt : text;
   session_key : blob;
@@ -244,15 +249,10 @@ type OpenIdPrepareDelegationArgs = record {
   session_key : blob;
   salt : blob;
 };
-type OpenIdProvider = variant { GitHub; Google };
-type OpenIdProviderConfig = record {
-  delegation : opt OpenIdProviderDelegationConfig;
+type OpenIdProviderAuthConfig = record {
+  delegation : opt OpenIdAuthProviderDelegationConfig;
   client_id : text;
 };
-type OpenIdProviderDelegationConfig = record {
-  targets : opt vec principal;
-  max_time_to_live : opt nat64;
-};
 type PaymentStatus = variant { Refunded; Acknowledged; Completed };
 type PrepareDelegationError = variant {
   JwtFindProvider : JwtFindProviderError;

src/console/src/accounts/impls.rs

@@ -1,7 +1,7 @@
 use crate::constants::E8S_PER_ICP;
 use crate::types::state::{Account, OpenIdData, Provider};
 use ic_cdk::api::time;
-use junobuild_auth::openid::types::interface::OpenIdCredential;
+use junobuild_auth::openid::delegation::types::interface::OpenIdCredential;
 use junobuild_auth::profile::types::OpenIdProfile;
 use junobuild_shared::types::state::{MissionControlId, UserId};
 

src/console/src/auth/delegation.rs

@@ -4,26 +4,33 @@ use junobuild_auth::delegation::types::{
     GetDelegationError, GetDelegationResult, OpenIdGetDelegationArgs, OpenIdPrepareDelegationArgs,
     PrepareDelegationError, PreparedDelegation,
 };
-use junobuild_auth::openid::types::interface::OpenIdCredential;
-use junobuild_auth::openid::types::provider::OpenIdProvider;
-use junobuild_auth::state::types::config::OpenIdProviders;
+use junobuild_auth::openid::delegation::types::interface::OpenIdCredential;
+use junobuild_auth::openid::delegation::types::provider::OpenIdDelegationProvider;
+use junobuild_auth::state::types::config::OpenIdAuthProviders;
 use junobuild_auth::{delegation, openid};
 
-pub type OpenIdPrepareDelegationResult =
-    Result<(PreparedDelegation, OpenIdProvider, OpenIdCredential), PrepareDelegationError>;
+pub type OpenIdPrepareDelegationResult = Result<
+    (
+        PreparedDelegation,
+        OpenIdDelegationProvider,
+        OpenIdCredential,
+    ),
+    PrepareDelegationError,
+>;
 
 pub async fn openid_prepare_delegation(
     args: &OpenIdPrepareDelegationArgs,
-    providers: &OpenIdProviders,
+    providers: &OpenIdAuthProviders,
 ) -> OpenIdPrepareDelegationResult {
-    let (credential, provider) = match openid::verify_openid_credentials_with_jwks_renewal(
-        &args.jwt, &args.salt, providers, &AuthHeap,
-    )
-    .await
-    {
-        Ok(value) => value,
-        Err(err) => return Err(PrepareDelegationError::from(err)),
-    };
+    let (credential, provider) =
+        match openid::delegation::verify_openid_credentials_with_jwks_renewal(
+            &args.jwt, &args.salt, providers, &AuthHeap,
+        )
+        .await
+        {
+            Ok(value) => value,
+            Err(err) => return Err(PrepareDelegationError::from(err)),
+        };
 
     let result = delegation::openid_prepare_delegation(
         &args.session_key,
@@ -38,14 +45,15 @@ pub async fn openid_prepare_delegation(
 
 pub fn openid_get_delegation(
     args: &OpenIdGetDelegationArgs,
-    providers: &OpenIdProviders,
+    providers: &OpenIdAuthProviders,
 ) -> GetDelegationResult {
-    let (credential, provider) = match openid::verify_openid_credentials_with_cached_jwks(
-        &args.jwt, &args.salt, providers, &AuthHeap,
-    ) {
-        Ok(value) => value,
-        Err(err) => return Err(GetDelegationError::from(err)),
-    };
+    let (credential, provider) =
+        match openid::delegation::verify_openid_credentials_with_cached_jwks(
+            &args.jwt, &args.salt, providers, &AuthHeap,
+        ) {
+            Ok(value) => value,
+            Err(err) => return Err(GetDelegationError::from(err)),
+        };
 
     delegation::openid_get_delegation(
         &args.session_key,

src/console/src/auth/register.rs

@@ -3,12 +3,12 @@ use crate::types::state::OpenId;
 use crate::types::state::{Account, OpenIdData, Provider};
 use candid::Principal;
 use junobuild_auth::delegation::types::UserKey;
-use junobuild_auth::openid::types::interface::OpenIdCredential;
-use junobuild_auth::openid::types::provider::OpenIdProvider;
+use junobuild_auth::openid::delegation::types::interface::OpenIdCredential;
+use junobuild_auth::openid::delegation::types::provider::OpenIdDelegationProvider;
 
 pub async fn register_account(
     public_key: &UserKey,
-    provider: &OpenIdProvider,
+    provider: &OpenIdDelegationProvider,
     credential: &OpenIdCredential,
 ) -> Result<Account, String> {
     let user_id = Principal::self_authenticating(public_key);

src/console/src/lib.rs

@@ -17,6 +17,7 @@ mod rates;
 mod segments;
 mod store;
 mod types;
+mod upgrade;
 
 use crate::types::interface::AuthenticationArgs;
 use crate::types::interface::AuthenticationResult;

src/console/src/memory/lifecycle.rs

@@ -4,6 +4,7 @@ use crate::fees::init_factory_fees;
 use crate::memory::manager::{get_memory_upgrades, init_stable_state, STATE};
 use crate::rates::init::init_factory_rates;
 use crate::types::state::{HeapState, ReleasesMetadata, State};
+use crate::upgrade::types::upgrade::UpgradeState;
 use ciborium::{from_reader, into_writer};
 use ic_cdk_macros::{init, post_upgrade, pre_upgrade};
 use junobuild_shared::ic::api::caller;
@@ -50,9 +51,12 @@ fn post_upgrade() {
     let memory = get_memory_upgrades();
     let state_bytes = read_post_upgrade(&memory);
 
-    let state: State = from_reader(&*state_bytes)
+    // TODO: remove once stable memory introduced on mainnet
+    let upgrade_state: UpgradeState = from_reader(&*state_bytes)
         .expect("Failed to decode the state of the console in post_upgrade hook.");
 
+    let state: State = upgrade_state.into();
+
     STATE.with(|s| *s.borrow_mut() = state);
 
     defer_init_certified_assets();

src/console/src/types.rs

@@ -4,7 +4,7 @@ pub mod state {
     use candid::CandidType;
     use ic_ledger_types::{BlockIndex, Tokens};
     use ic_stable_structures::StableBTreeMap;
-    use junobuild_auth::openid::types::provider::OpenIdProvider;
+    use junobuild_auth::openid::delegation::types::provider::OpenIdDelegationProvider;
     use junobuild_auth::state::types::state::AuthenticationHeapState;
     use junobuild_cdn::proposals::{ProposalsStable, SegmentDeploymentVersion};
     use junobuild_cdn::storage::{ProposalAssetsStable, ProposalContentChunksStable};
@@ -83,7 +83,7 @@ pub mod state {
 
     #[derive(CandidType, Serialize, Deserialize, Clone)]
     pub struct OpenId {
-        pub provider: OpenIdProvider,
+        pub provider: OpenIdDelegationProvider,
         pub data: OpenIdData,
     }
 

src/console/src/upgrade/impls.rs

@@ -0,0 +1,56 @@
+use crate::types::state::{HeapState, State};
+use crate::upgrade::types::upgrade::{
+    UpgradeAuthenticationHeapState, UpgradeHeapState, UpgradeOpenIdProvider, UpgradeState,
+};
+use junobuild_auth::openid::types::provider::OpenIdProvider;
+use junobuild_auth::state::types::state::{AuthenticationHeapState, OpenIdState};
+
+impl From<UpgradeState> for State {
+    fn from(upgrade: UpgradeState) -> Self {
+        State {
+            stable: upgrade.stable,
+            heap: upgrade.heap.into(),
+        }
+    }
+}
+
+impl From<UpgradeHeapState> for HeapState {
+    fn from(upgrade: UpgradeHeapState) -> Self {
+        HeapState {
+            authentication: upgrade.authentication.map(|auth| auth.into()),
+            controllers: upgrade.controllers,
+            mission_controls: upgrade.mission_controls,
+            payments: upgrade.payments,
+            invitation_codes: upgrade.invitation_codes,
+            factory_fees: upgrade.factory_fees,
+            factory_rates: upgrade.factory_rates,
+            storage: upgrade.storage,
+            releases_metadata: upgrade.releases_metadata,
+        }
+    }
+}
+
+impl From<UpgradeAuthenticationHeapState> for AuthenticationHeapState {
+    fn from(upgrade: UpgradeAuthenticationHeapState) -> Self {
+        AuthenticationHeapState {
+            config: upgrade.config,
+            salt: upgrade.salt,
+            openid: upgrade.openid.map(|openid_state| OpenIdState {
+                certificates: openid_state
+                    .certificates
+                    .into_iter()
+                    .map(|(provider, cert)| (provider.into(), cert))
+                    .collect(),
+            }),
+        }
+    }
+}
+
+impl From<UpgradeOpenIdProvider> for OpenIdProvider {
+    fn from(old: UpgradeOpenIdProvider) -> Self {
+        match old {
+            UpgradeOpenIdProvider::Google => OpenIdProvider::Google,
+            UpgradeOpenIdProvider::GitHub => OpenIdProvider::GitHubProxy,
+        }
+    }
+}

src/console/src/upgrade/mod.rs

@@ -0,0 +1,2 @@
+mod impls;
+pub mod types;

src/console/src/upgrade/types.rs

@@ -0,0 +1,58 @@
+pub mod upgrade {
+    use crate::memory::manager::init_stable_state;
+    use crate::types::state::{
+        Accounts, FactoryFees, FactoryRates, IcpPayments, InvitationCodes, ReleasesMetadata,
+        StableState,
+    };
+    use candid::{CandidType, Deserialize};
+    use junobuild_auth::state::types::config::AuthenticationConfig;
+    use junobuild_auth::state::types::state::{OpenIdCachedCertificate, Salt};
+    use junobuild_shared::types::state::Controllers;
+    use junobuild_storage::types::state::StorageHeapState;
+    use serde::Serialize;
+    use std::collections::HashMap;
+
+    #[derive(Serialize, Deserialize)]
+    pub struct UpgradeState {
+        // Direct stable state: State that is uses stable memory directly as its store. No need for pre/post upgrade hooks.
+        #[serde(skip, default = "init_stable_state")]
+        pub stable: StableState,
+
+        pub heap: UpgradeHeapState,
+    }
+
+    #[derive(Default, CandidType, Serialize, Deserialize, Clone)]
+    pub struct UpgradeHeapState {
+        #[deprecated(note = "Deprecated. Use stable memory instead.")]
+        pub mission_controls: Accounts,
+        #[deprecated(note = "Deprecated. Use stable memory instead.")]
+        pub payments: IcpPayments,
+        pub invitation_codes: InvitationCodes,
+        pub controllers: Controllers,
+        pub factory_fees: Option<FactoryFees>,
+        pub factory_rates: Option<FactoryRates>,
+        pub storage: StorageHeapState,
+        pub authentication: Option<UpgradeAuthenticationHeapState>,
+        pub releases_metadata: ReleasesMetadata,
+    }
+
+    #[derive(Default, CandidType, Serialize, Deserialize, Clone)]
+    pub struct UpgradeAuthenticationHeapState {
+        pub config: AuthenticationConfig,
+        pub salt: Option<Salt>,
+        pub openid: Option<UpgradeOpenIdState>,
+    }
+
+    #[derive(Default, CandidType, Serialize, Deserialize, Clone)]
+    pub struct UpgradeOpenIdState {
+        pub certificates: HashMap<UpgradeOpenIdProvider, OpenIdCachedCertificate>,
+    }
+
+    #[derive(
+        CandidType, Serialize, Deserialize, Clone, Hash, PartialEq, Eq, PartialOrd, Ord, Debug,
+    )]
+    pub enum UpgradeOpenIdProvider {
+        Google,
+        GitHub,
+    }
+}

src/declarations/console/console.did.d.ts

@@ -69,7 +69,7 @@ export interface AuthenticationConfigInternetIdentity {
 }
 export interface AuthenticationConfigOpenId {
 	observatory_id: [] | [Principal];
-	providers: Array<[OpenIdProvider, OpenIdProviderConfig]>;
+	providers: Array<[OpenIdDelegationProvider, OpenIdProviderAuthConfig]>;
 }
 export type AuthenticationError =
 	| {
@@ -277,9 +277,13 @@ export interface ListSegmentsArgs {
 }
 export type Memory = { Heap: null } | { Stable: null };
 export interface OpenId {
-	provider: OpenIdProvider;
+	provider: OpenIdDelegationProvider;
 	data: OpenIdData;
 }
+export interface OpenIdAuthProviderDelegationConfig {
+	targets: [] | [Array<Principal>];
+	max_time_to_live: [] | [bigint];
+}
 export interface OpenIdData {
 	name: [] | [string];
 	locale: [] | [string];
@@ -289,6 +293,7 @@ export interface OpenIdData {
 	given_name: [] | [string];
 	preferred_username: [] | [string];
 }
+export type OpenIdDelegationProvider = { GitHub: null } | { Google: null };
 export interface OpenIdGetDelegationArgs {
 	jwt: string;
 	session_key: Uint8Array;
@@ -300,15 +305,10 @@ export interface OpenIdPrepareDelegationArgs {
 	session_key: Uint8Array;
 	salt: Uint8Array;
 }
-export type OpenIdProvider = { GitHub: null } | { Google: null };
-export interface OpenIdProviderConfig {
-	delegation: [] | [OpenIdProviderDelegationConfig];
+export interface OpenIdProviderAuthConfig {
+	delegation: [] | [OpenIdAuthProviderDelegationConfig];
 	client_id: string;
 }
-export interface OpenIdProviderDelegationConfig {
-	targets: [] | [Array<Principal>];
-	max_time_to_live: [] | [bigint];
-}
 export type PaymentStatus = { Refunded: null } | { Acknowledged: null } | { Completed: null };
 export type PrepareDelegationError =
 	| {