feat: get_jwks method for controllers

ilbertt · Apr 12, 2024 · 7707046 · 7707046
1 parent 2bbdfd1
commit 7707046
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 3 deletions.
diff --git a/src/ic_backend/ic_backend.did b/src/ic_backend/ic_backend.did
@@ -51,4 +51,5 @@ service : {
     "authenticated" : () -> (AuthenticatedResponse) query;
     "sync_jwks" : () -> ();
     "set_jwks" : (Auth0JWKS) -> ();
+    "get_jwks" : () -> (opt Auth0JWKS) query;
 };
diff --git a/src/ic_backend/src/lib.rs b/src/ic_backend/src/lib.rs
@@ -159,6 +159,18 @@ fn set_jwks(jwks: Auth0JWKSet) {
     state::store_jwks(jwks)
 }
 
+#[query]
+// used in tests
+fn get_jwks() -> Option<Auth0JWKSet> {
+    let caller = caller();
+
+    if !is_controller(&caller) {
+        trap("caller is not a controller");
+    }
+
+    state::jwks(|jwks| jwks.clone())
+}
+
 // In the following, we register a custom getrandom implementation because
 // otherwise getrandom (which is a dependency of some packages) fails to compile.
 // This is necessary because getrandom by default fails to compile for the

diff --git a/src/ic_backend/tests/common/canister.rs b/src/ic_backend/tests/common/canister.rs
@@ -56,3 +56,7 @@ pub fn sync_jwks(env: &TestEnv, sender: Principal) -> Result<(), CallError> {
 pub fn set_jwks(env: &TestEnv, sender: Principal, jwks: Auth0JWKSet) -> Result<(), CallError> {
     update_candid_as(env.pic(), env.canister_id(), sender, "set_jwks", (jwks,)).map(|(res,)| res)
 }
+
+pub fn get_jwks(env: &TestEnv, sender: Principal) -> Result<Option<Auth0JWKSet>, CallError> {
+    query_candid_as(env.pic(), env.canister_id(), sender, "get_jwks", ()).map(|(res,)| res)
+}
diff --git a/src/ic_backend/tests/controller_only.rs b/src/ic_backend/tests/controller_only.rs
@@ -1,7 +1,7 @@
 mod common;
 
 use common::{
-    canister::{extract_trap_message, set_jwks, sync_jwks},
+    canister::{extract_trap_message, get_jwks, set_jwks, sync_jwks},
     identity::generate_random_identity,
     test_env,
 };
@@ -34,9 +34,31 @@ fn test_set_jwks_controller_only() {
 fn test_set_jwks_once() {
     let env = test_env::create_test_env();
 
-    set_jwks(&env, env.controller(), Auth0JWKSet { keys: vec![] }).unwrap();
+    // initially, the canister doesn't have the jwks
+    let canister_jwks = get_jwks(&env, env.controller()).unwrap();
+    assert!(canister_jwks.is_none());
 
-    let res = set_jwks(&env, env.controller(), Auth0JWKSet { keys: vec![] }).unwrap_err();
+    // set dummy jwks
+    let jwks = Auth0JWKSet { keys: vec![] };
+    set_jwks(&env, env.controller(), jwks.clone()).unwrap();
+
+    // now the canister has the jwks
+    let canister_jwks = get_jwks(&env, env.controller()).unwrap().unwrap();
+    assert_eq!(canister_jwks, jwks);
+
+    // try to set the jwks again
+    let res = set_jwks(&env, env.controller(), jwks).unwrap_err();
     assert!(extract_trap_message(res)
         .contains("JWKS already set. Call sync_jwks to fetch the JWKS from the auth provider"));
 }
+
+#[test]
+fn test_get_jwks_controller_only() {
+    let env = test_env::create_test_env();
+
+    let sender = generate_random_identity().sender().unwrap();
+
+    let res = get_jwks(&env, sender).unwrap_err();
+
+    assert!(extract_trap_message(res).contains("caller is not a controller"));
+}