Add get_account_delegation functionality

src/frontend/src/lib/generated/internet_identity_idl.js

@@ -215,9 +215,10 @@ export const idlFactory = ({ IDL }) => {
     'signature' : IDL.Vec(IDL.Nat8),
     'delegation' : Delegation,
   });
-  const GetDelegationResponse = IDL.Variant({
-    'no_such_delegation' : IDL.Null,
-    'signed_delegation' : SignedDelegation,
+  const AccountDelegationError = IDL.Variant({
+    'NoSuchDelegation' : IDL.Null,
+    'InternalCanisterError' : IDL.Text,
+    'Unauthorized' : IDL.Principal,
   });
   const GetAccountsError = IDL.Variant({
     'InternalCanisterError' : IDL.Text,
@@ -263,6 +264,10 @@ export const idlFactory = ({ IDL }) => {
     'openid_credentials' : IDL.Opt(IDL.Vec(OpenIdCredential)),
     'device_registration' : IDL.Opt(DeviceRegistrationInfo),
   });
+  const GetDelegationResponse = IDL.Variant({
+    'no_such_delegation' : IDL.Null,
+    'signed_delegation' : SignedDelegation,
+  });
   const GetIdAliasRequest = IDL.Record({
     'rp_id_alias_jwt' : IDL.Text,
     'issuer' : FrontendHostname,
@@ -391,10 +396,6 @@ export const idlFactory = ({ IDL }) => {
     'user_key' : UserKey,
     'timestamp' : Timestamp,
   });
-  const AccountDelegationError = IDL.Variant({
-    'InternalCanisterError' : IDL.Text,
-    'Unauthorized' : IDL.Principal,
-  });
   const PrepareIdAliasRequest = IDL.Record({
     'issuer' : FrontendHostname,
     'relying_party' : FrontendHostname,
@@ -544,8 +545,19 @@ export const idlFactory = ({ IDL }) => {
     'exit_device_registration_mode' : IDL.Func([UserNumber], [], []),
     'fetch_entries' : IDL.Func([], [IDL.Vec(BufferedArchiveEntry)], []),
     'get_account_delegation' : IDL.Func(
-        [UserNumber, FrontendHostname, AccountNumber, SessionKey, Timestamp],
-        [GetDelegationResponse],
+        [
+          UserNumber,
+          FrontendHostname,
+          IDL.Opt(AccountNumber),
+          SessionKey,
+          Timestamp,
+        ],
+        [
+          IDL.Variant({
+            'Ok' : SignedDelegation,
+            'Err' : AccountDelegationError,
+          }),
+        ],
         ['query'],
       ),
     'get_accounts' : IDL.Func(

src/frontend/src/lib/generated/internet_identity_types.d.ts

@@ -2,7 +2,8 @@ import type { Principal } from '@dfinity/principal';
 import type { ActorMethod } from '@dfinity/agent';
 import type { IDL } from '@dfinity/candid';
 
-export type AccountDelegationError = { 'InternalCanisterError' : string } |
+export type AccountDelegationError = { 'NoSuchDelegation' : null } |
+  { 'InternalCanisterError' : string } |
   { 'Unauthorized' : Principal };
 export interface AccountInfo {
   'name' : [] | [string],
@@ -444,8 +445,9 @@ export interface _SERVICE {
   'exit_device_registration_mode' : ActorMethod<[UserNumber], undefined>,
   'fetch_entries' : ActorMethod<[], Array<BufferedArchiveEntry>>,
   'get_account_delegation' : ActorMethod<
-    [UserNumber, FrontendHostname, AccountNumber, SessionKey, Timestamp],
-    GetDelegationResponse
+    [UserNumber, FrontendHostname, [] | [AccountNumber], SessionKey, Timestamp],
+    { 'Ok' : SignedDelegation } |
+      { 'Err' : AccountDelegationError }
   >,
   'get_accounts' : ActorMethod<
     [UserNumber, FrontendHostname],

src/internet_identity/internet_identity.did

@@ -574,6 +574,7 @@ type UpdateAccountError = variant {
 type AccountDelegationError = variant {
     InternalCanisterError : text;
     Unauthorized : principal;
+    NoSuchDelegation;
 };
 
 type PrepareAccountDelegation = record {
@@ -888,8 +889,8 @@ service : (opt InternetIdentityInit) -> {
     get_account_delegation : (
         anchor_number : UserNumber,
         origin : FrontendHostname,
-        account_number : AccountNumber, // Null is unreserved default account
+        account_number : opt AccountNumber, // Null is unreserved default account
         session_key : SessionKey,
         expiration : Timestamp
-    ) -> (GetDelegationResponse) query;
+    ) -> (variant { Ok : SignedDelegation; Err : AccountDelegationError }) query;
 };

src/internet_identity/src/account_management.rs

@@ -14,10 +14,13 @@ use crate::{
     },
     update_root_hash,
 };
+use ic_canister_sig_creation::{
+    delegation_signature_msg, signature_map::CanisterSigInputs, DELEGATION_SIG_DOMAIN,
+};
 use ic_cdk::{api::time, caller};
 use internet_identity_interface::internet_identity::types::{
-    AccountNumber, AccountUpdate, AnchorNumber, CreateAccountError, FrontendHostname, SessionKey,
-    UpdateAccountError,
+    AccountNumber, AccountUpdate, AnchorNumber, CreateAccountError, Delegation, FrontendHostname,
+    SessionKey, SignedDelegation, Timestamp, UpdateAccountError,
 };
 use serde_bytes::ByteBuf;
 
@@ -145,6 +148,45 @@ pub async fn prepare_account_delegation(
     })
 }
 
+pub fn get_account_delegation(
+    anchor_number: AnchorNumber,
+    origin: &FrontendHostname,
+    account_number: Option<AccountNumber>,
+    session_key: SessionKey,
+    expiration: Timestamp,
+) -> Result<SignedDelegation, AccountDelegationError> {
+    check_frontend_length(origin);
+
+    storage_borrow(|storage| {
+        let account = storage
+            .read_account(ReadAccountParams {
+                account_number,
+                anchor_number,
+                origin,
+            })
+            .ok_or(AccountDelegationError::Unauthorized(caller()))?;
+
+        state::assets_and_signatures(|certified_assets, sigs| {
+            let inputs = CanisterSigInputs {
+                domain: DELEGATION_SIG_DOMAIN,
+                seed: &account.calculate_seed(),
+                message: &delegation_signature_msg(&session_key, expiration, None),
+            };
+            match sigs.get_signature_as_cbor(&inputs, Some(certified_assets.root_hash())) {
+                Ok(signature) => Ok(SignedDelegation {
+                    delegation: Delegation {
+                        pubkey: session_key,
+                        expiration,
+                        targets: None,
+                    },
+                    signature: ByteBuf::from(signature),
+                }),
+                Err(_) => Err(AccountDelegationError::NoSuchDelegation),
+            }
+        })
+    })
+}
+
 #[test]
 fn should_create_account_for_origin() {
     use crate::state::{storage_borrow_mut, storage_replace};

src/internet_identity/src/delegation.rs

@@ -11,7 +11,6 @@ use ic_canister_sig_creation::{
 use ic_cdk::{id, trap};
 use ic_certification::Hash;
 use internet_identity_interface::internet_identity::types::*;
-use serde_bytes::ByteBuf;
 use sha2::{Digest, Sha256};
 use std::net::IpAddr;
 
@@ -65,34 +64,6 @@ fn is_dev_frontend(frontend: &FrontendHostname) -> bool {
     false
 }
 
-pub fn get_delegation(
-    anchor_number: AnchorNumber,
-    frontend: FrontendHostname,
-    session_key: SessionKey,
-    expiration: Timestamp,
-) -> GetDelegationResponse {
-    check_frontend_length(&frontend);
-
-    state::assets_and_signatures(|certified_assets, sigs| {
-        let inputs = CanisterSigInputs {
-            domain: DELEGATION_SIG_DOMAIN,
-            seed: &calculate_anchor_seed(anchor_number, &frontend),
-            message: &delegation_signature_msg(&session_key, expiration, None),
-        };
-        match sigs.get_signature_as_cbor(&inputs, Some(certified_assets.root_hash())) {
-            Ok(signature) => GetDelegationResponse::SignedDelegation(SignedDelegation {
-                delegation: Delegation {
-                    pubkey: session_key,
-                    expiration,
-                    targets: None,
-                },
-                signature: ByteBuf::from(signature),
-            }),
-            Err(_) => GetDelegationResponse::NoSuchDelegation,
-        }
-    })
-}
-
 pub fn get_principal(anchor_number: AnchorNumber, frontend: FrontendHostname) -> Principal {
     check_frontend_length(&frontend);
 

src/internet_identity/src/main.rs

@@ -305,7 +305,15 @@ fn get_delegation(
     let Ok(_) = check_authorization(anchor_number) else {
         trap(&format!("{} could not be authenticated.", caller()));
     };
-    delegation::get_delegation(anchor_number, frontend, session_key, expiration)
+    account_management::get_account_delegation(
+        anchor_number,
+        &frontend,
+        None,
+        session_key,
+        expiration,
+    )
+    .map(GetDelegationResponse::SignedDelegation)
+    .unwrap_or(GetDelegationResponse::NoSuchDelegation)
 }
 
 #[query]
@@ -385,13 +393,22 @@ async fn prepare_account_delegation(
 
 #[query]
 fn get_account_delegation(
-    _anchor_number: AnchorNumber,
-    _origin: FrontendHostname,
-    _account_number: AccountNumber,
-    _session_key: SessionKey,
-    _expiration: Timestamp,
-) -> GetDelegationResponse {
-    GetDelegationResponse::NoSuchDelegation
+    anchor_number: AnchorNumber,
+    origin: FrontendHostname,
+    account_number: Option<AccountNumber>,
+    session_key: SessionKey,
+    expiration: Timestamp,
+) -> Result<SignedDelegation, AccountDelegationError> {
+    match check_authorization(anchor_number) {
+        Ok(_) => account_management::get_account_delegation(
+            anchor_number,
+            &origin,
+            account_number,
+            session_key,
+            expiration,
+        ),
+        Err(err) => Err(err.into()),
+    }
 }
 
 #[query]

src/internet_identity/src/storage/account.rs

@@ -1,6 +1,9 @@
 use candid::{CandidType, Principal};
 
-use crate::{authz_utils::IdentityUpdateError, delegation};
+use crate::{
+    authz_utils::{AuthorizationError, IdentityUpdateError},
+    delegation,
+};
 use ic_cdk::trap;
 use ic_certification::Hash;
 use internet_identity_interface::internet_identity::types::{
@@ -166,6 +169,13 @@ impl Account {
 pub enum AccountDelegationError {
     Unauthorized(Principal),
     InternalCanisterError(String),
+    NoSuchDelegation,
+}
+
+impl From<AuthorizationError> for AccountDelegationError {
+    fn from(err: AuthorizationError) -> Self {
+        AccountDelegationError::Unauthorized(err.principal)
+    }
 }
 
 impl From<IdentityUpdateError> for AccountDelegationError {