validate

NUC validation.

class InvocationRequirement(audience: Did)[source]

Bases: object

Require an invocation.

audience: Did

__eq__(other): Return self==value.

__repr__(): Return repr(self).

class DelegationRequirement(audience: Did)[source]

Bases: object

Require a delegation.

audience: Did

__eq__(other): Return self==value.

__repr__(): Return repr(self).

class ValidationParameters(max_chain_length: int, max_policy_width: int, max_policy_depth: int, token_requirements: InvocationRequirement | DelegationRequirement | None)[source]

Bases: object

Parameters used during token validation.

max_chain_length: int

max_policy_width: int

max_policy_depth: int

token_requirements: InvocationRequirement | DelegationRequirement | None

static default() → ValidationParameters[source]: Build the default validation parameters.

__eq__(other): Return self==value.

__repr__(): Return repr(self).

class NucTokenValidator(root_issuers: List[Did])[source]

Bases: object

A validator for NUC tokens.

Example

from nuc.validate import NucTokenValidator
from nuc.token import NucToken

token = NucToken.parse(
    {
        "iss": "did:nil:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
        "aud": "did:nil:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
        "sub": "did:nil:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
        "cmd": "/nil/db/read",
        "pol": [["==", ".foo", 42]],
        "nonce": "beef",
    }
)

validator = NucTokenValidator([])
validator.validate(token)

validate(envelope: NucTokenEnvelope, context: SelectorContext, parameters: ValidationParameters = ValidationParameters.default()) → None[source]

Validate a NUC token using the given parameters.

This will raise an exception if validation fails.

Parameters:

envelope – The token to be validated.
parameters – The validation parameters.

class ValidationKind(value, names=_not_given, *values, module=None, qualname=None, type=None, start=1, boundary=None)[source]

Bases: Enum

The kind of validation that failed.

CHAIN_TOO_LONG = 'token chain is too long'

COMMAND_NOT_ATTENUATED = 'command is not an attenuation'

DIFFERENT_SUBJECTS = 'different subjects in chain'

INVALID_AUDIENCE = 'invalid audience'

INVALID_SIGNATURES = 'invalid signatures'

ISSUER_AUDIENCE_MISMATCH = 'issuer/audience mismatch'

MISSING_PROOF = 'proof is missing'

NEED_DELEGATION = 'token must be a delegation'

NEED_INVOCATION = 'token must be an invocation'

NOT_BEFORE_BACKWARDS = '`not before` cannot move backwards'

NOT_BEFORE_NOT_MET = '`not before` date not met'

POLICY_NOT_MET = 'policy not met'

POLICY_TOO_DEEP = 'policy is too deep'

POLICY_TOO_WIDE = 'policy is too wide'

PROOFS_MUST_BE_DELEGATIONS = 'proofs must be delegations'

ROOT_KEY_SIGNATURE_MISSING = 'root NUC is not signed by root keypair'

SUBJECT_NOT_IN_CHAIN = 'subject not in chain'

TOKEN_EXPIRED = 'token is expired'

TOO_MANY_PROOFS = 'up to one `prf` in a token is allowed'

UNCHAINED_PROOFS = 'extra proofs not part of chain provided'

exception ValidationException(kind: ValidationKind)[source]

Bases: Exception

Token validation failed.

class PolicyTreeProperties(max_depth: int, max_policy_width: int)[source]

Bases: object

The properties of a policy tree.

max_depth: int

max_policy_width: int

static from_policy(root_policy: Policy) → PolicyTreeProperties[source]: Construct a policy tree properties object from a policy.

__eq__(other): Return self==value.

__repr__(): Return repr(self).