@interop/zcap 10.1.0 → 11.0.1

package/dist/CapabilityInvocation.d.ts

@@ -0,0 +1,151 @@
+import { CapabilityProofPurpose, type CapabilityDelegationConstructor } from './CapabilityProofPurpose.js';
+import type { IProofDescription } from '@interop/jsonld-signatures';
+import type { IDelegatedZcap, IZcap } from '@interop/data-integrity-core/zcap';
+import type { CapabilityInvocationOptions, CapabilityMeta, CapabilityValidateResult, ValidateOptions } from './types.js';
+/**
+ * The proof purpose for *invoking* an authorization capability (zcap).
+ *
+ * Instantiated in one of two mutually exclusive modes:
+ * - **Create-proof mode** — pass `{capability, capabilityAction,
+ *   invocationTarget}`.
+ * - **Verify-proof mode** — pass `{expectedAction, expectedTarget,
+ *   expectedRootCapability, suite, ...}`.
+ *
+ * Passing parameters from both modes together throws.
+ */
+export declare class CapabilityInvocation extends CapabilityProofPurpose {
+    capability?: string | IDelegatedZcap;
+    capabilityAction?: string;
+    invocationTarget?: string;
+    expectedAction?: string;
+    expectedTarget?: string | string[];
+    /**
+     * @param options - The options.
+     * @param options.capability - The capability to add/reference in a created
+     *   proof. A root zcap MUST be passed as its ID string; a delegated zcap must
+     *   be passed as the full object.
+     * @param options.capabilityAction - The capability action that is to be added
+     *   to a proof.
+     * @param options.invocationTarget - The invocation target to use; this is
+     *   required and can be used to attenuate the capability's invocation target
+     *   if the verifier supports target attenuation.
+     * @param options.allowTargetAttenuation - Allow the invocationTarget of a
+     *   delegation chain to be increasingly restrictive based on a hierarchical
+     *   RESTful URL structure.
+     * @param options.controller - The description of the controller, if it is not
+     *   to be dereferenced via a `documentLoader`.
+     * @param options.date - Used during proof verification as the expected date
+     *   for the creation of the proof (within a maximum timestamp delta) and for
+     *   checking to see if a capability has expired; if not passed the current
+     *   date will be used.
+     * @param options.expectedAction - The capability action that is expected when
+     *   validating a proof.
+     * @param options.expectedRootCapability - The expected root capability for
+     *   the delegation chain (a single root capability ID string, or an array of
+     *   acceptable root capability ID strings).
+     * @param options.expectedTarget - The target(s) we expect a capability to
+     *   apply to (absolute URI, or array of URIs).
+     * @param options.inspectCapabilityChain - An async function that can be used
+     *   to check for revocations related to any of verified capabilities.
+     * @param options.maxChainLength - The maximum length of the capability
+     *   delegation chain.
+     * @param options.maxClockSkew - A maximum number of seconds that clocks may
+     *   be skewed when checking capability expiration date-times against `date`
+     *   and when comparing invocation proof creation time against delegation
+     *   proof creation time.
+     * @param options.maxDelegationTtl - The maximum milliseconds to live for a
+     *   delegated zcap as measured by the time difference between `expires` and
+     *   `created` on the delegation proof.
+     * @param options.maxTimestampDelta - A maximum number of seconds that
+     *   "created" date on the capability invocation proof can deviate from
+     *   `date`, defaults to `Infinity`.
+     * @param options.suite - The jsonld-signature suite(s) to use to verify the
+     *   capability chain. Required only in verify-proof mode; unused (and
+     *   omitted) when creating an invocation proof.
+     */
+    constructor({ capability, capabilityAction, invocationTarget, allowTargetAttenuation, controller, date, expectedAction, expectedRootCapability, expectedTarget, inspectCapabilityChain, maxChainLength, maxClockSkew, maxDelegationTtl, maxTimestampDelta, suite }?: CapabilityInvocationOptions);
+    /**
+     * Adds the capability invocation terms (`capability`, `invocationTarget`,
+     * `capabilityAction`, `proofPurpose`) to a proof being created. Used in
+     * create-proof mode.
+     *
+     * @param proof - The proof under construction.
+     *
+     * @returns Resolves to the updated proof.
+     */
+    update(proof: IProofDescription): Promise<IProofDescription>;
+    /**
+     * Determines whether the given proof matches this proof purpose, i.e., it has
+     * the zcap context, references a capability, and its `capabilityAction` and
+     * `invocationTarget` match `expectedAction` and `expectedTarget`. Used in
+     * verify-proof mode.
+     *
+     * @param proof - The proof to test.
+     * @param options - The options.
+     * @param options.document - The document the proof is attached to.
+     * @param options.documentLoader - A configured document loader.
+     *
+     * @returns Resolves to `true` if the proof matches.
+     */
+    match(proof: IProofDescription, { document, documentLoader }: ValidateOptions): Promise<boolean>;
+    /** @returns The `CapabilityDelegation` class. */
+    _getCapabilityDelegationClass(): CapabilityDelegationConstructor;
+    /**
+     * Resolves the invoked (tail) capability from the invocation proof.
+     *
+     * @param options - The options.
+     * @param options.proof - The capability invocation proof; its `capability` is
+     *   the invoked capability (a root zcap ID string or a delegated zcap
+     *   object).
+     *
+     * @returns The invoked capability.
+     */
+    _getTailCapability({ proof }: {
+        document?: object;
+        proof: IProofDescription;
+    }): {
+        capability: string | IZcap;
+    };
+    /**
+     * Runs invocation-specific checks before chain verification: that
+     * `capabilityAction` is allowed and matches `expectedAction`, that the
+     * proof's `invocationTarget` matches the capability target (honoring target
+     * attenuation) and an `expectedTarget`, and that a delegated capability is
+     * not invoked before its delegation proof's `created` date.
+     *
+     * @param options - The options.
+     * @param options.dereferencedChain - The dereferenced chain (root to tail).
+     * @param options.proof - The capability invocation proof.
+     *
+     * @returns Resolves with an empty `capabilityChainMeta` (the tail's
+     *   delegation proof is verified later by `_verifyCapabilityChain`).
+     */
+    _runChecksBeforeChainVerification({ dereferencedChain, proof }: {
+        dereferencedChain: IZcap[];
+        proof: IProofDescription;
+        validateOptions: ValidateOptions;
+    }): Promise<{
+        capabilityChainMeta: CapabilityMeta[];
+    }>;
+    /**
+     * Runs invocation-specific checks after chain verification: that the invoking
+     * verification method (or its controller) is the capability controller, that
+     * a delegated capability has not expired, and the base proof validation. Sets
+     * `result.invoker` to the proof controller.
+     *
+     * @param options - The options.
+     * @param options.dereferencedChain - The dereferenced chain (root to tail).
+     * @param options.proof - The capability invocation proof.
+     * @param options.validateOptions - The validation options passed through from
+     *   `jsigs` (including `verificationMethod`).
+     *
+     * @returns Resolves to the proof validation result with an added `invoker`.
+     */
+    _runChecksAfterChainVerification({ dereferencedChain, proof, validateOptions }: {
+        capabilityChainMeta: CapabilityMeta[];
+        dereferencedChain: IZcap[];
+        proof: IProofDescription;
+        validateOptions: ValidateOptions;
+    }): Promise<CapabilityValidateResult>;
+}
+//# sourceMappingURL=CapabilityInvocation.d.ts.map

package/dist/CapabilityInvocation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CapabilityInvocation.d.ts","sourceRoot":"","sources":["../src/CapabilityInvocation.ts"],"names":[],"mappings":"AAKA,OAAO,EACL,sBAAsB,EACtB,KAAK,+BAA+B,EACrC,MAAM,6BAA6B,CAAA;AACpC,OAAO,KAAK,EACV,iBAAiB,EAElB,MAAM,4BAA4B,CAAA;AACnC,OAAO,KAAK,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,mCAAmC,CAAA;AAC9E,OAAO,KAAK,EACV,2BAA2B,EAC3B,cAAc,EACd,wBAAwB,EACxB,eAAe,EAChB,MAAM,YAAY,CAAA;AAEnB;;;;;;;;;;GAUG;AACH,qBAAa,oBAAqB,SAAQ,sBAAsB;IAC9D,UAAU,CAAC,EAAE,MAAM,GAAG,cAAc,CAAA;IACpC,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAA;IAElC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2CG;gBACS,EAEV,UAAU,EACV,gBAAgB,EAChB,gBAAgB,EAEhB,sBAAsB,EACtB,UAAU,EACV,IAAI,EACJ,cAAc,EACd,sBAAsB,EACtB,cAAc,EACd,sBAAsB,EACtB,cAAc,EACd,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,KAAK,EACN,GAAE,2BAAgC;IA+FnC;;;;;;;;OAQG;IACG,MAAM,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IASlE;;;;;;;;;;;;OAYG;IACG,KAAK,CACT,KAAK,EAAE,iBAAiB,EACxB,EAAE,QAAQ,EAAE,cAAc,EAAE,EAAE,eAAe,GAC5C,OAAO,CAAC,OAAO,CAAC;IAiCnB,iDAAiD;IACjD,6BAA6B,IAAI,+BAA+B;IAIhE;;;;;;;;;OASG;IACH,kBAAkB,CAAC,EACjB,KAAK,EACN,EAAE;QACD,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,KAAK,EAAE,iBAAiB,CAAA;KACzB,GAAG;QAAE,UAAU,EAAE,MAAM,GAAG,KAAK,CAAA;KAAE;IAIlC;;;;;;;;;;;;;OAaG;IACG,iCAAiC,CAAC,EACtC,iBAAiB,EACjB,KAAK,EACN,EAAE;QACD,iBAAiB,EAAE,KAAK,EAAE,CAAA;QAC1B,KAAK,EAAE,iBAAiB,CAAA;QACxB,eAAe,EAAE,eAAe,CAAA;KACjC,GAAG,OAAO,CAAC;QAAE,mBAAmB,EAAE,cAAc,EAAE,CAAA;KAAE,CAAC;IAyGtD;;;;;;;;;;;;;OAaG;IACG,gCAAgC,CAAC,EACrC,iBAAiB,EACjB,KAAK,EACL,eAAe,EAChB,EAAE;QACD,mBAAmB,EAAE,cAAc,EAAE,CAAA;QACrC,iBAAiB,EAAE,KAAK,EAAE,CAAA;QAC1B,KAAK,EAAE,iBAAiB,CAAA;QACxB,eAAe,EAAE,eAAe,CAAA;KACjC,GAAG,OAAO,CAAC,wBAAwB,CAAC;CAsDtC"}

package/dist/CapabilityInvocation.js

@@ -0,0 +1,365 @@
+/*!
+ * Copyright (c) 2018-2024 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as utils from './utils.js';
+import { CapabilityDelegation } from './CapabilityDelegation.js';
+import { CapabilityProofPurpose } from './CapabilityProofPurpose.js';
+/**
+ * The proof purpose for *invoking* an authorization capability (zcap).
+ *
+ * Instantiated in one of two mutually exclusive modes:
+ * - **Create-proof mode** — pass `{capability, capabilityAction,
+ *   invocationTarget}`.
+ * - **Verify-proof mode** — pass `{expectedAction, expectedTarget,
+ *   expectedRootCapability, suite, ...}`.
+ *
+ * Passing parameters from both modes together throws.
+ */
+export class CapabilityInvocation extends CapabilityProofPurpose {
+    capability;
+    capabilityAction;
+    invocationTarget;
+    expectedAction;
+    expectedTarget;
+    /**
+     * @param options - The options.
+     * @param options.capability - The capability to add/reference in a created
+     *   proof. A root zcap MUST be passed as its ID string; a delegated zcap must
+     *   be passed as the full object.
+     * @param options.capabilityAction - The capability action that is to be added
+     *   to a proof.
+     * @param options.invocationTarget - The invocation target to use; this is
+     *   required and can be used to attenuate the capability's invocation target
+     *   if the verifier supports target attenuation.
+     * @param options.allowTargetAttenuation - Allow the invocationTarget of a
+     *   delegation chain to be increasingly restrictive based on a hierarchical
+     *   RESTful URL structure.
+     * @param options.controller - The description of the controller, if it is not
+     *   to be dereferenced via a `documentLoader`.
+     * @param options.date - Used during proof verification as the expected date
+     *   for the creation of the proof (within a maximum timestamp delta) and for
+     *   checking to see if a capability has expired; if not passed the current
+     *   date will be used.
+     * @param options.expectedAction - The capability action that is expected when
+     *   validating a proof.
+     * @param options.expectedRootCapability - The expected root capability for
+     *   the delegation chain (a single root capability ID string, or an array of
+     *   acceptable root capability ID strings).
+     * @param options.expectedTarget - The target(s) we expect a capability to
+     *   apply to (absolute URI, or array of URIs).
+     * @param options.inspectCapabilityChain - An async function that can be used
+     *   to check for revocations related to any of verified capabilities.
+     * @param options.maxChainLength - The maximum length of the capability
+     *   delegation chain.
+     * @param options.maxClockSkew - A maximum number of seconds that clocks may
+     *   be skewed when checking capability expiration date-times against `date`
+     *   and when comparing invocation proof creation time against delegation
+     *   proof creation time.
+     * @param options.maxDelegationTtl - The maximum milliseconds to live for a
+     *   delegated zcap as measured by the time difference between `expires` and
+     *   `created` on the delegation proof.
+     * @param options.maxTimestampDelta - A maximum number of seconds that
+     *   "created" date on the capability invocation proof can deviate from
+     *   `date`, defaults to `Infinity`.
+     * @param options.suite - The jsonld-signature suite(s) to use to verify the
+     *   capability chain. Required only in verify-proof mode; unused (and
+     *   omitted) when creating an invocation proof.
+     */
+    constructor({ 
+    // proof creation params
+    capability, capabilityAction, invocationTarget, 
+    // proof verification params
+    allowTargetAttenuation, controller, date, expectedAction, expectedRootCapability, expectedTarget, inspectCapabilityChain, maxChainLength, maxClockSkew, maxDelegationTtl, maxTimestampDelta, suite } = {}) {
+        // parameters used to create a proof
+        const hasCreateProofParams = capability || capabilityAction || invocationTarget;
+        // params used to verify a proof
+        const hasVerifyProofParams = controller ||
+            date ||
+            expectedAction ||
+            expectedRootCapability ||
+            expectedTarget ||
+            inspectCapabilityChain ||
+            suite;
+        if (hasCreateProofParams && hasVerifyProofParams) {
+            // cannot provide both create and verify params
+            throw new Error('Parameters for both creating and verifying a proof must not be ' +
+                'provided together.');
+        }
+        super({
+            allowTargetAttenuation,
+            controller,
+            date,
+            expectedRootCapability,
+            inspectCapabilityChain,
+            maxChainLength,
+            maxClockSkew,
+            maxDelegationTtl,
+            maxTimestampDelta,
+            suite,
+            term: 'capabilityInvocation'
+        });
+        // validate `CapabilityInvocation` specific params, the base class will
+        // have already handled validating common ones...
+        // use negative conditional to cover case where neither create nor
+        // verify params were provided and default to proof creation case to
+        // avoid creating bad proofs
+        if (!hasVerifyProofParams) {
+            if (typeof capability === 'object') {
+                // root capabilities MUST be passed as strings
+                if (!(capability && capability.parentCapability)) {
+                    throw new Error('"capability" must be a string if it is a root capability.');
+                }
+            }
+            else if (typeof capability !== 'string') {
+                throw new TypeError('"capability" must be a string or object.');
+            }
+            if (typeof capabilityAction !== 'string') {
+                throw new TypeError('"capabilityAction" must be a string.');
+            }
+            if (!(typeof invocationTarget === 'string' && invocationTarget.includes(':'))) {
+                throw new TypeError('"invocationTarget" must be a string that expresses an absolute URI.');
+            }
+            this.capability = capability;
+            this.capabilityAction = capabilityAction;
+            this.invocationTarget = invocationTarget;
+        }
+        else {
+            if (typeof expectedAction !== 'string') {
+                throw new TypeError('"expectedAction" must be a string.');
+            }
+            if (!(typeof expectedTarget === 'string' || Array.isArray(expectedTarget))) {
+                throw new TypeError('"expectedTarget" must be a string or array.');
+            }
+            // expected target values must be absolute URIs
+            const expectedTargets = Array.isArray(expectedTarget)
+                ? expectedTarget
+                : [expectedTarget];
+            for (const et of expectedTargets) {
+                if (!(typeof et === 'string' && et.includes(':'))) {
+                    throw new Error('"expectedTargets" values must be absolute URI strings.');
+                }
+            }
+            this.expectedTarget = expectedTarget;
+            this.expectedAction = expectedAction;
+        }
+    }
+    /**
+     * Adds the capability invocation terms (`capability`, `invocationTarget`,
+     * `capabilityAction`, `proofPurpose`) to a proof being created. Used in
+     * create-proof mode.
+     *
+     * @param proof - The proof under construction.
+     *
+     * @returns Resolves to the updated proof.
+     */
+    async update(proof) {
+        const { capability, capabilityAction, invocationTarget } = this;
+        proof.proofPurpose = this.term;
+        proof.capability = capability;
+        proof.invocationTarget = invocationTarget;
+        proof.capabilityAction = capabilityAction;
+        return proof;
+    }
+    /**
+     * Determines whether the given proof matches this proof purpose, i.e., it has
+     * the zcap context, references a capability, and its `capabilityAction` and
+     * `invocationTarget` match `expectedAction` and `expectedTarget`. Used in
+     * verify-proof mode.
+     *
+     * @param proof - The proof to test.
+     * @param options - The options.
+     * @param options.document - The document the proof is attached to.
+     * @param options.documentLoader - A configured document loader.
+     *
+     * @returns Resolves to `true` if the proof matches.
+     */
+    async match(proof, { document, documentLoader }) {
+        const { expectedAction, expectedTarget } = this;
+        try {
+            // check the `proof` context before using its terms
+            utils.checkProofContext({ proof });
+        }
+        catch {
+            // context does not match, so proof does not match
+            return false;
+        }
+        if (!proof.capability) {
+            // capability not in the proof, not a match
+            return false;
+        }
+        // ensure basic purpose and expected action match the proof
+        if (!((await super.match(proof, { document, documentLoader })) &&
+            expectedAction === proof.capabilityAction)) {
+            return false;
+        }
+        // ensure the proof's declared invocation target matches an expected one
+        if (Array.isArray(expectedTarget)) {
+            return expectedTarget.includes(proof.invocationTarget);
+        }
+        return expectedTarget === proof.invocationTarget;
+    }
+    /** @returns The `CapabilityDelegation` class. */
+    _getCapabilityDelegationClass() {
+        return CapabilityDelegation;
+    }
+    /**
+     * Resolves the invoked (tail) capability from the invocation proof.
+     *
+     * @param options - The options.
+     * @param options.proof - The capability invocation proof; its `capability` is
+     *   the invoked capability (a root zcap ID string or a delegated zcap
+     *   object).
+     *
+     * @returns The invoked capability.
+     */
+    _getTailCapability({ proof }) {
+        return { capability: proof.capability };
+    }
+    /**
+     * Runs invocation-specific checks before chain verification: that
+     * `capabilityAction` is allowed and matches `expectedAction`, that the
+     * proof's `invocationTarget` matches the capability target (honoring target
+     * attenuation) and an `expectedTarget`, and that a delegated capability is
+     * not invoked before its delegation proof's `created` date.
+     *
+     * @param options - The options.
+     * @param options.dereferencedChain - The dereferenced chain (root to tail).
+     * @param options.proof - The capability invocation proof.
+     *
+     * @returns Resolves with an empty `capabilityChainMeta` (the tail's
+     *   delegation proof is verified later by `_verifyCapabilityChain`).
+     */
+    async _runChecksBeforeChainVerification({ dereferencedChain, proof }) {
+        const { allowTargetAttenuation, expectedAction, expectedTarget } = this;
+        /* 1. Ensure that `capabilityAction` is an allowed action and that
+        it matches `expectedAction`. Note that if it doesn't match and `match`
+        was called to gate calling `validate`, then this code will not execute.
+        However, if `validate` is called directly, this check MUST run here.
+    
+        If the capability restricts the actions via `allowedAction` then
+        `capabilityAction` must be in its set. */
+        const capability = dereferencedChain[dereferencedChain.length - 1];
+        const capabilityAction = proof.capabilityAction;
+        const allowedActions = utils.getAllowedActions({ capability });
+        if (allowedActions.length > 0 &&
+            !allowedActions.includes(capabilityAction)) {
+            throw new Error(`Capability action "${capabilityAction}" is not allowed by the ` +
+                'capability; allowed actions are: ' +
+                allowedActions.map(x => `"${x}"`).join(', '));
+        }
+        if (capabilityAction !== expectedAction) {
+            throw new Error(`Capability action "${capabilityAction}" does not match the ` +
+                `expected action of "${expectedAction}".`);
+        }
+        /* 2. Ensure `expectedTarget` is as expected. The invocation target
+        will also be checked to ensure it hasn't changed from previous zcaps
+        in the chain (unless attenuation is permitted) later. */
+        /* 3. Verify the invocation target in the proof is as expected. The
+        `invocationTarget` specified in the capability invocation proof must
+        match exactly (or follow acceptable target attenuation rules) the
+        `invocationTarget` specified in the invoked capability. */
+        const capabilityTarget = utils.getTarget({ capability });
+        const { invocationTarget } = proof;
+        if (!(typeof invocationTarget === 'string' && invocationTarget.includes(':'))) {
+            throw new TypeError(`Invocation target (${invocationTarget}) must be a string that ` +
+                'expresses an absolute URI.');
+        }
+        if (!utils.isValidTarget({
+            invocationTarget,
+            baseInvocationTarget: capabilityTarget,
+            allowTargetAttenuation
+        })) {
+            throw new Error(`Invocation target (${invocationTarget}) does not match ` +
+                `capability target (${capabilityTarget}).`);
+        }
+        /* 4. Verify the invocation target is an expected target. Prior to this
+        step we ensured that the invocation target used matched th capability
+        that was invoked, but this check ensures that the invocation target used
+        matches the endpoint (the `expectedTarget`) where the capability was
+        actually invoked. */
+        if (!((Array.isArray(expectedTarget) &&
+            expectedTarget.includes(invocationTarget)) ||
+            (typeof expectedTarget === 'string' &&
+                invocationTarget === expectedTarget))) {
+            throw new Error(`Expected target (${String(expectedTarget)}) does not match ` +
+                `invocation target (${invocationTarget}).`);
+        }
+        /* 5. If capability is delegated (not root), then ensure the capability
+        invocation proof `created` date is not before the capability delegation
+        proof creation date. */
+        if ('parentCapability' in capability) {
+            const invoked = Date.parse(proof.created);
+            const [delegationProof] = utils.getDelegationProofs({ capability });
+            const delegated = Date.parse(delegationProof.created);
+            const { maxClockSkew = 300 } = this;
+            // use `utils.compareTime` to allow for clock drift from the machine
+            // that created the delegation proof and the machine that created
+            // the invocation proof
+            if (utils.compareTime({ t1: invoked, t2: delegated, maxClockSkew }) < 0) {
+                throw new Error('A delegated capability must not be invoked before the "created" ' +
+                    'date in its delegation proof.');
+            }
+        }
+        // return no capability delegation verify results yet; the tail's
+        // capability delegation proof must be verified via
+        // `_verifyCapabilityChain`
+        return { capabilityChainMeta: [] };
+    }
+    /**
+     * Runs invocation-specific checks after chain verification: that the invoking
+     * verification method (or its controller) is the capability controller, that
+     * a delegated capability has not expired, and the base proof validation. Sets
+     * `result.invoker` to the proof controller.
+     *
+     * @param options - The options.
+     * @param options.dereferencedChain - The dereferenced chain (root to tail).
+     * @param options.proof - The capability invocation proof.
+     * @param options.validateOptions - The validation options passed through from
+     *   `jsigs` (including `verificationMethod`).
+     *
+     * @returns Resolves to the proof validation result with an added `invoker`.
+     */
+    async _runChecksAfterChainVerification({ dereferencedChain, proof, validateOptions }) {
+        /* Verify the controller of the capability. The zcap controller must
+        match the invoking verification method (or its controller). */
+        const capability = dereferencedChain[dereferencedChain.length - 1];
+        const { verificationMethod } = validateOptions;
+        if (!utils.isController({
+            capability,
+            verificationMethod: verificationMethod
+        })) {
+            throw utils.createDetailedError('The capability controller does not match the verification method ' +
+                '(or its controller) used to invoke.', { capability, verificationMethod });
+        }
+        // if capability is delegated, verify that it has not expired
+        if ('parentCapability' in capability) {
+            // verify expiration dates
+            // expires date has been previously validated, so just parse it
+            const currentCapabilityExpirationTime = Date.parse(capability.expires);
+            // use `utils.compareTime` to allow for allow for clock drift because
+            // we are comparing against `currentDate`
+            const { date, maxClockSkew = 300 } = this;
+            const currentDate = (date && new Date(date)) || new Date();
+            if (utils.compareTime({
+                t1: currentDate.getTime(),
+                t2: currentCapabilityExpirationTime,
+                maxClockSkew
+            }) > 0) {
+                throw new Error('The invoked capability has expired.');
+            }
+        }
+        // run base level validation checks
+        const result = await this._runBaseProofValidation({
+            proof,
+            validateOptions
+        });
+        if (!result.valid) {
+            throw result.error;
+        }
+        // the controller of the verification method from the proof is the
+        // invoker of the capability
+        result.invoker = result.controller;
+        return result;
+    }
+}
+//# sourceMappingURL=CapabilityInvocation.js.map

package/dist/CapabilityInvocation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"CapabilityInvocation.js","sourceRoot":"","sources":["../src/CapabilityInvocation.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,KAAK,KAAK,MAAM,YAAY,CAAA;AACnC,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAA;AAChE,OAAO,EACL,sBAAsB,EAEvB,MAAM,6BAA6B,CAAA;AAapC;;;;;;;;;;GAUG;AACH,MAAM,OAAO,oBAAqB,SAAQ,sBAAsB;IAC9D,UAAU,CAA0B;IACpC,gBAAgB,CAAS;IACzB,gBAAgB,CAAS;IACzB,cAAc,CAAS;IACvB,cAAc,CAAoB;IAElC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2CG;IACH,YAAY;IACV,wBAAwB;IACxB,UAAU,EACV,gBAAgB,EAChB,gBAAgB;IAChB,4BAA4B;IAC5B,sBAAsB,EACtB,UAAU,EACV,IAAI,EACJ,cAAc,EACd,sBAAsB,EACtB,cAAc,EACd,sBAAsB,EACtB,cAAc,EACd,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,KAAK,KAC0B,EAAE;QACjC,oCAAoC;QACpC,MAAM,oBAAoB,GACxB,UAAU,IAAI,gBAAgB,IAAI,gBAAgB,CAAA;QACpD,gCAAgC;QAChC,MAAM,oBAAoB,GACxB,UAAU;YACV,IAAI;YACJ,cAAc;YACd,sBAAsB;YACtB,cAAc;YACd,sBAAsB;YACtB,KAAK,CAAA;QAEP,IAAI,oBAAoB,IAAI,oBAAoB,EAAE,CAAC;YACjD,+CAA+C;YAC/C,MAAM,IAAI,KAAK,CACb,iEAAiE;gBAC/D,oBAAoB,CACvB,CAAA;QACH,CAAC;QAED,KAAK,CAAC;YACJ,sBAAsB;YACtB,UAAU;YACV,IAAI;YACJ,sBAAsB;YACtB,sBAAsB;YACtB,cAAc;YACd,YAAY;YACZ,gBAAgB;YAChB,iBAAiB;YACjB,KAAK;YACL,IAAI,EAAE,sBAAsB;SAC7B,CAAC,CAAA;QAEF,uEAAuE;QACvE,iDAAiD;QAEjD,kEAAkE;QAClE,oEAAoE;QACpE,4BAA4B;QAC5B,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;gBACnC,8CAA8C;gBAC9C,IAAI,CAAC,CAAC,UAAU,IAAI,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;oBACjD,MAAM,IAAI,KAAK,CACb,2DAA2D,CAC5D,CAAA;gBACH,CAAC;YACH,CAAC;iBAAM,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;gBAC1C,MAAM,IAAI,SAAS,CAAC,0CAA0C,CAAC,CAAA;YACjE,CAAC;YACD,IAAI,OAAO,gBAAgB,KAAK,QAAQ,EAAE,CAAC;gBACzC,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAA;YAC7D,CAAC;YACD,IACE,CAAC,CACC,OAAO,gBAAgB,KAAK,QAAQ,IAAI,gBAAgB,CAAC,QAAQ,CAAC,GAAG,CAAC,CACvE,EACD,CAAC;gBACD,MAAM,IAAI,SAAS,CACjB,qEAAqE,CACtE,CAAA;YACH,CAAC;YAED,IAAI,CAAC,UAAU,GAAG,UAAU,CAAA;YAC5B,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CAAA;YACxC,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CAAA;QAC1C,CAAC;aAAM,CAAC;YACN,IAAI,OAAO,cAAc,KAAK,QAAQ,EAAE,CAAC;gBACvC,MAAM,IAAI,SAAS,CAAC,oCAAoC,CAAC,CAAA;YAC3D,CAAC;YACD,IACE,CAAC,CAAC,OAAO,cAAc,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,EACtE,CAAC;gBACD,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAA;YACpE,CAAC;YACD,+CAA+C;YAC/C,MAAM,eAAe,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC;gBACnD,CAAC,CAAC,cAAc;gBAChB,CAAC,CAAC,CAAC,cAAc,CAAC,CAAA;YACpB,KAAK,MAAM,EAAE,IAAI,eAAe,EAAE,CAAC;gBACjC,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;oBAClD,MAAM,IAAI,KAAK,CACb,wDAAwD,CACzD,CAAA;gBACH,CAAC;YACH,CAAC;YAED,IAAI,CAAC,cAAc,GAAG,cAAc,CAAA;YACpC,IAAI,CAAC,cAAc,GAAG,cAAc,CAAA;QACtC,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,MAAM,CAAC,KAAwB;QACnC,MAAM,EAAE,UAAU,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,GAAG,IAAI,CAAA;QAC/D,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,IAAI,CAAA;QAC9B,KAAK,CAAC,UAAU,GAAG,UAAU,CAAA;QAC7B,KAAK,CAAC,gBAAgB,GAAG,gBAAgB,CAAA;QACzC,KAAK,CAAC,gBAAgB,GAAG,gBAAgB,CAAA;QACzC,OAAO,KAAK,CAAA;IACd,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,KAAK,CACT,KAAwB,EACxB,EAAE,QAAQ,EAAE,cAAc,EAAmB;QAE7C,MAAM,EAAE,cAAc,EAAE,cAAc,EAAE,GAAG,IAAI,CAAA;QAE/C,IAAI,CAAC;YACH,mDAAmD;YACnD,KAAK,CAAC,iBAAiB,CAAC,EAAE,KAAK,EAAE,CAAC,CAAA;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,kDAAkD;YAClD,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YACtB,2CAA2C;YAC3C,OAAO,KAAK,CAAA;QACd,CAAC;QAED,2DAA2D;QAC3D,IACE,CAAC,CACC,CAAC,MAAM,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAC,CAAC;YACxD,cAAc,KAAK,KAAK,CAAC,gBAAgB,CAC1C,EACD,CAAC;YACD,OAAO,KAAK,CAAA;QACd,CAAC;QAED,wEAAwE;QACxE,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAClC,OAAO,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,gBAA0B,CAAC,CAAA;QAClE,CAAC;QACD,OAAO,cAAc,KAAK,KAAK,CAAC,gBAAgB,CAAA;IAClD,CAAC;IAED,iDAAiD;IACjD,6BAA6B;QAC3B,OAAO,oBAAoB,CAAA;IAC7B,CAAC;IAED;;;;;;;;;OASG;IACH,kBAAkB,CAAC,EACjB,KAAK,EAIN;QACC,OAAO,EAAE,UAAU,EAAE,KAAK,CAAC,UAA4B,EAAE,CAAA;IAC3D,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,KAAK,CAAC,iCAAiC,CAAC,EACtC,iBAAiB,EACjB,KAAK,EAKN;QACC,MAAM,EAAE,sBAAsB,EAAE,cAAc,EAAE,cAAc,EAAE,GAAG,IAAI,CAAA;QAEvE;;;;;;iDAMyC;QACzC,MAAM,UAAU,GAAG,iBAAiB,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC,CAAE,CAAA;QACnE,MAAM,gBAAgB,GAAG,KAAK,CAAC,gBAA0B,CAAA;QACzD,MAAM,cAAc,GAAG,KAAK,CAAC,iBAAiB,CAAC,EAAE,UAAU,EAAE,CAAC,CAAA;QAC9D,IACE,cAAc,CAAC,MAAM,GAAG,CAAC;YACzB,CAAC,cAAc,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAC1C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,sBAAsB,gBAAgB,0BAA0B;gBAC9D,mCAAmC;gBACnC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAC/C,CAAA;QACH,CAAC;QACD,IAAI,gBAAgB,KAAK,cAAc,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CACb,sBAAsB,gBAAgB,uBAAuB;gBAC3D,uBAAuB,cAAc,IAAI,CAC5C,CAAA;QACH,CAAC;QAED;;gEAEwD;QAExD;;;kEAG0D;QAC1D,MAAM,gBAAgB,GAAG,KAAK,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,CAAC,CAAA;QACxD,MAAM,EAAE,gBAAgB,EAAE,GAAG,KAAK,CAAA;QAClC,IACE,CAAC,CAAC,OAAO,gBAAgB,KAAK,QAAQ,IAAI,gBAAgB,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EACzE,CAAC;YACD,MAAM,IAAI,SAAS,CACjB,sBAAsB,gBAAgB,0BAA0B;gBAC9D,4BAA4B,CAC/B,CAAA;QACH,CAAC;QACD,IACE,CAAC,KAAK,CAAC,aAAa,CAAC;YACnB,gBAAgB;YAChB,oBAAoB,EAAE,gBAAgB;YACtC,sBAAsB;SACvB,CAAC,EACF,CAAC;YACD,MAAM,IAAI,KAAK,CACb,sBAAsB,gBAAgB,mBAAmB;gBACvD,sBAAsB,gBAAgB,IAAI,CAC7C,CAAA;QACH,CAAC;QAED;;;;4BAIoB;QACpB,IACE,CAAC,CACC,CAAC,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC;YAC5B,cAAc,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;YAC5C,CAAC,OAAO,cAAc,KAAK,QAAQ;gBACjC,gBAAgB,KAAK,cAAc,CAAC,CACvC,EACD,CAAC;YACD,MAAM,IAAI,KAAK,CACb,oBAAoB,MAAM,CAAC,cAAc,CAAC,mBAAmB;gBAC3D,sBAAsB,gBAAgB,IAAI,CAC7C,CAAA;QACH,CAAC;QAED;;+BAEuB;QACvB,IAAI,kBAAkB,IAAI,UAAU,EAAE,CAAC;YACrC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAQ,CAAC,CAAA;YAC1C,MAAM,CAAC,eAAe,CAAC,GAAG,KAAK,CAAC,mBAAmB,CAAC,EAAE,UAAU,EAAE,CAAC,CAAA;YACnE,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,eAAgB,CAAC,OAAO,CAAC,CAAA;YACtD,MAAM,EAAE,YAAY,GAAG,GAAG,EAAE,GAAG,IAAI,CAAA;YACnC,oEAAoE;YACpE,iEAAiE;YACjE,uBAAuB;YACvB,IAAI,KAAK,CAAC,WAAW,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxE,MAAM,IAAI,KAAK,CACb,kEAAkE;oBAChE,+BAA+B,CAClC,CAAA;YACH,CAAC;QACH,CAAC;QAED,iEAAiE;QACjE,mDAAmD;QACnD,2BAA2B;QAC3B,OAAO,EAAE,mBAAmB,EAAE,EAAE,EAAE,CAAA;IACpC,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,KAAK,CAAC,gCAAgC,CAAC,EACrC,iBAAiB,EACjB,KAAK,EACL,eAAe,EAMhB;QACC;sEAC8D;QAC9D,MAAM,UAAU,GAAG,iBAAiB,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC,CAAE,CAAA;QACnE,MAAM,EAAE,kBAAkB,EAAE,GAAG,eAAe,CAAA;QAC9C,IACE,CAAC,KAAK,CAAC,YAAY,CAAC;YAClB,UAAU;YACV,kBAAkB,EAAE,kBAAyC;SAC9D,CAAC,EACF,CAAC;YACD,MAAM,KAAK,CAAC,mBAAmB,CAC7B,mEAAmE;gBACjE,qCAAqC,EACvC,EAAE,UAAU,EAAE,kBAAkB,EAAE,CACnC,CAAA;QACH,CAAC;QAED,6DAA6D;QAC7D,IAAI,kBAAkB,IAAI,UAAU,EAAE,CAAC;YACrC,0BAA0B;YAC1B,+DAA+D;YAC/D,MAAM,+BAA+B,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,CAAA;YAEtE,qEAAqE;YACrE,yCAAyC;YACzC,MAAM,EAAE,IAAI,EAAE,YAAY,GAAG,GAAG,EAAE,GAAG,IAAI,CAAA;YACzC,MAAM,WAAW,GAAG,CAAC,IAAI,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,EAAE,CAAA;YAC1D,IACE,KAAK,CAAC,WAAW,CAAC;gBAChB,EAAE,EAAE,WAAW,CAAC,OAAO,EAAE;gBACzB,EAAE,EAAE,+BAA+B;gBACnC,YAAY;aACb,CAAC,GAAG,CAAC,EACN,CAAC;gBACD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;YACxD,CAAC;QACH,CAAC;QAED,mCAAmC;QACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC;YAChD,KAAK;YACL,eAAe;SAChB,CAAC,CAAA;QACF,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,MAAM,CAAC,KAAK,CAAA;QACpB,CAAC;QAED,kEAAkE;QAClE,4BAA4B;QAC5B,MAAM,CAAC,OAAO,GAAG,MAAM,CAAC,UAAU,CAAA;QAElC,OAAO,MAAM,CAAA;IACf,CAAC;CACF"}