Add .well-known record and host param

Author: adamspofford-dfinity

Cargo.lock

@@ -5,6 +5,7 @@ use ic_agent::{Identity as _, export::Principal, identity::BasicIdentity};
 use icp::{context::Context, fs::read_to_string, identity::key, prelude::*};
 use snafu::{ResultExt, Snafu};
 use tracing::{info, warn};
+use url::Url;
 
 use crate::{commands::identity::StorageMode, operations::ii_poll};
 
@@ -14,6 +15,10 @@ pub(crate) struct IiArgs {
     /// Name for the linked identity
     name: String,
 
+    /// Host of the II login frontend (e.g. https://example.icp0.io)
+    #[arg(long, default_value = ii_poll::DEFAULT_HOST)]
+    host: Url,
+
     /// Where to store the session private key
     #[arg(long, value_enum, default_value_t)]
     storage: StorageMode,
@@ -51,13 +56,14 @@ pub(crate) async fn exec(ctx: &Context, args: &IiArgs) -> Result<(), IiError> {
     let basic = BasicIdentity::from_raw_key(&secret_key.serialize_raw());
     let der_public_key = basic.public_key().expect("ed25519 always has a public key");
 
-    let chain = ii_poll::poll_for_delegation(&der_public_key)
+    let chain = ii_poll::poll_for_delegation(&args.host, &der_public_key)
         .await
         .context(PollSnafu)?;
 
     let from_key = hex::decode(&chain.public_key).context(DecodeFromKeySnafu)?;
     let ii_principal = Principal::self_authenticating(&from_key);
 
+    let host = args.host.clone();
     ctx.dirs
         .identity()?
         .with_write(async |dirs| {
@@ -68,6 +74,7 @@ pub(crate) async fn exec(ctx: &Context, args: &IiArgs) -> Result<(), IiError> {
                 &chain,
                 ii_principal,
                 create_format,
+                host,
             )
         })
         .await?

crates/icp-cli/src/commands/identity/link/ii.rs

@@ -20,7 +20,7 @@ pub(crate) struct LoginArgs {
 }
 
 pub(crate) async fn exec(ctx: &Context, args: &LoginArgs) -> Result<(), LoginError> {
-    let (algorithm, storage) = ctx
+    let (algorithm, storage, host) = ctx
         .dirs
         .identity()?
         .with_read(async |dirs| {
@@ -31,8 +31,11 @@ pub(crate) async fn exec(ctx: &Context, args: &LoginArgs) -> Result<(), LoginErr
                 .context(IdentityNotFoundSnafu { name: &args.name })?;
             match spec {
                 IdentitySpec::InternetIdentity {
-                    algorithm, storage, ..
-                } => Ok((algorithm.clone(), storage.clone())),
+                    algorithm,
+                    storage,
+                    host,
+                    ..
+                } => Ok((algorithm.clone(), storage.clone(), host.clone())),
                 _ => NotIiSnafu { name: &args.name }.fail(),
             }
         })
@@ -52,7 +55,7 @@ pub(crate) async fn exec(ctx: &Context, args: &LoginArgs) -> Result<(), LoginErr
         .await?
         .context(LoadSessionKeySnafu)?;
 
-    let chain = ii_poll::poll_for_delegation(&der_public_key)
+    let chain = ii_poll::poll_for_delegation(&host, &der_public_key)
         .await
         .context(PollSnafu)?;
 

crates/icp-cli/src/commands/identity/login.rs

@@ -14,8 +14,8 @@ use snafu::{ResultExt, Snafu};
 use tokio::{net::TcpListener, sync::oneshot};
 use url::Url;
 
-/// The hosted II login frontend for the dev account canister.
-const CLI_LOGIN_BASE: &str = "https://ut7yr-7iaaa-aaaag-ak7ca-cai.icp0.io/cli-login";
+/// Fallback host. Dummy value until we get a real domain. A staging instance can be found at ut7yr-7iaaa-aaaag-ak7ca-caia.ic0.app
+pub(crate) const DEFAULT_HOST: &str = "https://not.a.domain";
 
 #[derive(Debug, Snafu)]
 pub(crate) enum IiPollError {
@@ -25,18 +25,53 @@ pub(crate) enum IiPollError {
     #[snafu(display("failed to run local callback server"))]
     ServeServer { source: std::io::Error },
 
+    #[snafu(display("failed to fetch `{url}`"))]
+    FetchDiscovery { url: String, source: reqwest::Error },
+
+    #[snafu(display("failed to read discovery response from `{url}`"))]
+    ReadDiscovery { url: String, source: reqwest::Error },
+
+    #[snafu(display(
+        "`{url}` returned an empty login path — the response must be a single non-empty line"
+    ))]
+    EmptyLoginPath { url: String },
+
     #[snafu(display("interrupted"))]
     Interrupted,
 }
 
-/// Starts a local HTTP server to receive the delegation callback from the II
-/// frontend, prints the login URL for the user to open, and returns the
-/// delegation chain once the frontend POSTs it back.
+/// Discovers the login path from `{host}/.well-known/ic-cli-login`, then opens
+/// a local HTTP server, builds the login URL, and returns the delegation chain
+/// once the frontend POSTs it back.
 pub(crate) async fn poll_for_delegation(
+    host: &Url,
     der_public_key: &[u8],
 ) -> Result<DelegationChain, IiPollError> {
     let key_b64 = URL_SAFE_NO_PAD.encode(der_public_key);
 
+    // Discover the login path.
+    let discovery_url = host
+        .join("/.well-known/ic-cli-login")
+        .expect("joining an absolute path is infallible");
+    let discovery_url_str = discovery_url.to_string();
+    let login_path = reqwest::get(discovery_url)
+        .await
+        .context(FetchDiscoverySnafu {
+            url: &discovery_url_str,
+        })?
+        .text()
+        .await
+        .context(ReadDiscoverySnafu {
+            url: &discovery_url_str,
+        })?;
+    let login_path = login_path.trim();
+    if login_path.is_empty() {
+        return EmptyLoginPathSnafu {
+            url: discovery_url_str,
+        }
+        .fail();
+    }
+
     // Bind on a random port before opening the browser so the callback URL is known.
     let listener = TcpListener::bind("127.0.0.1:0")
         .await
@@ -54,11 +89,11 @@ pub(crate) async fn poll_for_delegation(
             .append_pair("callback", &callback_url);
         scratch.query().expect("just set").to_owned()
     };
-    let mut login_url = Url::parse(CLI_LOGIN_BASE).expect("valid constant");
+    let mut login_url = host.join(login_path).expect("login_path is a valid path");
     login_url.set_fragment(Some(&fragment));
 
     eprintln!();
-    eprintln!("  Press Enter to open {}", {
+    eprintln!("  Press Enter to log in at {}", {
         let mut display = login_url.clone();
         display.set_fragment(None);
         display

crates/icp-cli/src/operations/ii_poll.rs

@@ -6,7 +6,8 @@ use std::{
 use ic_agent::{
     Identity,
     identity::{
-        AnonymousIdentity, BasicIdentity, DelegatedIdentity, Prime256v1Identity, Secp256k1Identity,
+        AnonymousIdentity, BasicIdentity, DelegatedIdentity, DelegationError, Prime256v1Identity,
+        Secp256k1Identity,
     },
 };
 use ic_ed25519::PrivateKeyFormat;
@@ -21,6 +22,7 @@ use rand::Rng;
 use scrypt::Params;
 use sec1::{der::Decode, pem::PemLabel};
 use snafu::{OptionExt, ResultExt, Snafu, ensure};
+use url::Url;
 use zeroize::Zeroizing;
 
 use crate::{
@@ -113,6 +115,12 @@ pub enum LoadIdentityError {
         source: delegation::LoadError,
     },
 
+    #[snafu(display("failed to validate delegation chain loaded from `{path}`"))]
+    ValidateDelegationChain {
+        path: PathBuf,
+        source: DelegationError,
+    },
+
     #[snafu(display(
         "delegation for identity `{name}` has expired or will expire within 5 minutes; \
          run `icp identity login {name}` to re-authenticate"
@@ -398,10 +406,8 @@ fn load_ii_identity(
         }
     };
 
-    // Use new_unchecked because the root of the II delegation chain uses
-    // canister signatures (OID 1.3.6.1.4.1.56387.1.2) which DelegatedIdentity::new
-    // cannot verify client-side. The replica validates the chain on each request.
-    let delegated = DelegatedIdentity::new_unchecked(from_key, inner, signed_delegations);
+    let delegated = DelegatedIdentity::new(from_key, inner, signed_delegations)
+        .context(ValidateDelegationChainSnafu { path: &chain_path })?;
 
     Ok(Arc::new(delegated))
 }
@@ -1112,6 +1118,7 @@ pub fn link_ii_identity(
     chain: &delegation::DelegationChain,
     principal: ic_agent::export::Principal,
     create_format: CreateFormat,
+    host: Url,
 ) -> Result<(), LinkIiIdentityError> {
     let mut identity_list = IdentityList::load_from(dirs.read())?;
     ensure!(
@@ -1186,6 +1193,7 @@ pub fn link_ii_identity(
         algorithm,
         principal,
         storage: ii_storage,
+        host,
     };
     identity_list.identities.insert(name.to_string(), spec);
     identity_list.write_to(dirs)?;

crates/icp/src/identity/key.rs

@@ -4,6 +4,7 @@ use ic_agent::export::Principal;
 use serde::{Deserialize, Serialize};
 use snafu::{Snafu, ensure};
 use strum::{Display, EnumString};
+use url::Url;
 
 use crate::{
     fs::{
@@ -134,6 +135,9 @@ pub enum IdentitySpec {
         /// (`Principal::self_authenticating(from_key)`), not the session key.
         principal: Principal,
         storage: IiKeyStorage,
+        /// The host used for II login, stored so `icp identity login` can
+        /// re-authenticate without requiring `--host` again.
+        host: Url,
     },
 }