wip: removed unneeded nodesClaimNetworkVerify RPC handler

[ci skip]

Author: tegefaulkes

src/nodes/NodeManager.ts

@@ -140,9 +140,16 @@ class NodeManager<Manifest extends AgentClientManifestNodeManager> {
    */
   protected claimNetworkAuthority: Token<ClaimNetworkAuthority> | undefined =
     undefined;
+  /**
+   * If a node has joined a network then it's `ClaimNetworkAccess` is tracked here
+   */
   protected claimNetworkAccess: Token<ClaimNetworkAccess> | undefined =
     undefined;
 
+  /**
+   * These are the level paths for mapping the ClaimNetworkAccess and ClaimNetworkAuthority claims for each network it has joined.
+   * Used to look up and switch between networks as needed.
+   */
   protected nodeManagerDbPath: LevelPath = [this.constructor.name];
   protected nodeManagerClaimNetworkAuthorityPath: LevelPath = [
     ...this.nodeManagerDbPath,
@@ -1963,26 +1970,30 @@ class NodeManager<Manifest extends AgentClientManifestNodeManager> {
         }
         const receivedClaim = readStatus.value;
         // We need to re-construct the token from the message
-        const signedClaim = claimsUtils.parseSignedClaim(
-          receivedClaim.signedTokenEncoded,
-        );
+        const signedClaim =
+          claimNetworkAccessUtils.parseSignedClaimNetworkAccess(
+            receivedClaim.signedTokenEncoded,
+          );
         const fullySignedToken = Token.fromSigned(signedClaim);
         // Check that the signatures are correct
-        const requestingNodePublicKey =
-          keysUtils.publicKeyFromNodeId(requestingNodeId);
-        if (
-          !fullySignedToken.verifyWithPublicKey(
-            this.keyRing.keyPair.publicKey,
-          ) ||
-          !fullySignedToken.verifyWithPublicKey(requestingNodePublicKey)
-        ) {
-          throw new claimsErrors.ErrorDoublySignedClaimVerificationFailed();
+        const networkNodeId = nodesUtils.decodeNodeId(
+          this.claimNetworkAuthority!.payload.iss,
+        );
+        if (networkNodeId == null) {
+          utils.never('failed to decode networkNodeId');
         }
-        // TODO: verify network and authority claim is correct
+
+        claimNetworkAccessUtils.verifyClaimNetworkAccess(
+          networkNodeId,
+          requestingNodeId,
+          this.claimNetworkAuthority!.payload.network,
+          fullySignedToken,
+        );
         // Ending the stream
         return fullySignedToken;
       },
     );
+    // Prevent async promise handling leak
     void claimP.catch(() => {});
     yield {
       signedTokenEncoded: await halfSignedClaimP,
@@ -2040,105 +2051,6 @@ class NodeManager<Manifest extends AgentClientManifestNodeManager> {
     );
   }
 
-  public async handleVerifyClaimNetwork(
-    requestingNodeId: NodeId,
-    input: AgentRPCRequestParams<AgentClaimMessage>,
-    tran?: DBTransaction,
-  ): Promise<AgentRPCResponseResult<{ success: true }>> {
-    if (tran == null) {
-      return this.db.withTransactionF((tran) =>
-        this.handleVerifyClaimNetwork(requestingNodeId, input, tran),
-      );
-    }
-    const signedClaim = claimsUtils.parseSignedClaim(input.signedTokenEncoded);
-    const token = Token.fromSigned(signedClaim);
-    claimNetworkAccessUtils.assertClaimNetworkAccess(token.payload);
-    // Verify if the token is signed
-    if (
-      !token.verifyWithPublicKey(
-        keysUtils.publicKeyFromNodeId(requestingNodeId),
-      ) ||
-      !token.verifyWithPublicKey(
-        keysUtils.publicKeyFromNodeId(
-          nodesUtils.decodeNodeId(token.payload.iss)!,
-        ),
-      )
-    ) {
-      throw new claimsErrors.ErrorDoublySignedClaimVerificationFailed();
-    }
-    if (
-      token.payload.network === 'testnet.polykey.com' ||
-      token.payload.network === 'mainnet.polykey.com'
-    ) {
-      return { success: true };
-    }
-    if (token.payload.signedClaimNetworkAuthorityEncoded == null) {
-      throw new claimsErrors.ErrorDoublySignedClaimVerificationFailed();
-    }
-    const authorityToken = Token.fromEncoded(
-      token.payload.signedClaimNetworkAuthorityEncoded,
-    );
-    // Verify if the token is signed
-    if (
-      token.payload.iss !== authorityToken.payload.sub ||
-      !authorityToken.verifyWithPublicKey(
-        keysUtils.publicKeyFromNodeId(
-          nodesUtils.decodeNodeId(authorityToken.payload.sub)!,
-        ),
-      ) ||
-      !authorityToken.verifyWithPublicKey(
-        keysUtils.publicKeyFromNodeId(
-          nodesUtils.decodeNodeId(authorityToken.payload.iss)!,
-        ),
-      )
-    ) {
-      throw new claimsErrors.ErrorDoublySignedClaimVerificationFailed();
-    }
-
-    let success = false;
-    for await (const [_, claim] of this.sigchain.getSignedClaims({})) {
-      try {
-        claimNetworkAccessUtils.assertClaimNetworkAccess(claim.payload);
-      } catch {
-        // FIXME: check error type.
-        continue;
-      }
-      if (claim.payload.signedClaimNetworkAuthorityEncoded == null) {
-        throw new claimsErrors.ErrorDoublySignedClaimVerificationFailed();
-      }
-      const tokenNetworkAuthority = Token.fromEncoded(
-        claim.payload.signedClaimNetworkAuthorityEncoded,
-      );
-      try {
-        claimNetworkAuthorityUtils.assertClaimNetworkAuthority(
-          tokenNetworkAuthority.payload,
-        );
-      } catch {
-        // FIXME: check error type.
-        continue;
-      }
-      // No need to check if local claims are correctly signed by a Network Authority.
-      if (
-        authorityToken.verifyWithPublicKey(
-          keysUtils.publicKeyFromNodeId(
-            nodesUtils.decodeNodeId(claim.payload.iss)!,
-          ),
-        )
-      ) {
-        success = true;
-        break;
-      }
-    }
-
-    if (!success) {
-      throw new nodesErrors.ErrorNodeClaimNetworkVerificationFailed();
-    }
-
-    return {
-      success: true,
-    };
-  }
-
   /**
    * Adds a node to the node graph. This assumes that you have already authenticated the node
    * Updates the node if the node already exists

src/nodes/agent/callers/index.ts

@@ -8,7 +8,6 @@ import nodesConnectionSignalFinal from './nodesConnectionSignalFinal.js';
 import nodesConnectionSignalInitial from './nodesConnectionSignalInitial.js';
 import nodesCrossSignClaim from './nodesCrossSignClaim.js';
 import nodesClaimNetworkSign from './nodesClaimNetworkSign.js';
-import nodesClaimNetworkVerify from './nodesClaimNetworkVerify.js';
 import notificationsSend from './notificationsSend.js';
 import vaultsGitInfoGet from './vaultsGitInfoGet.js';
 import vaultsGitPackGet from './vaultsGitPackGet.js';
@@ -27,7 +26,6 @@ const manifestClientNodeManager = {
   nodesClaimNetworkAuthorityGet,
   nodesClaimsGet,
   nodesClaimNetworkSign,
-  nodesClaimNetworkVerify,
   nodesClosestActiveConnectionsGet,
   nodesClosestLocalNodesGet,
   nodesCrossSignClaim,
@@ -64,7 +62,6 @@ export {
   nodesConnectionSignalInitial,
   nodesCrossSignClaim,
   nodesClaimNetworkSign,
-  nodesClaimNetworkVerify,
   notificationsSend,
   vaultsGitInfoGet,
   vaultsGitPackGet,

src/nodes/agent/callers/nodesClaimNetworkVerify.ts

@@ -81,6 +81,8 @@ const claimNetworkAuthorityArb = (
           {
             iss,
             sub,
+            network: fc.webUrl(),
+            isPrivate: fc.boolean(),
           },
           { noNullPrototype: true },
         )
@@ -119,6 +121,7 @@ const claimNetworkAccessArb = (
             sub,
             network,
             signedClaimNetworkAuthorityEncoded,
+            isPrivate: fc.boolean(),
           },
           { noNullPrototype: true },
         )