From bd524d0f3a2597607f0877b9d9ffa7bc21f2d839 Mon Sep 17 00:00:00 2001 
From: Oleksandr Deundiak 
Date: Wed, 27 Mar 2024 14:48:58 +0100 
Subject: [PATCH] chore(rust): move identity_attributes from authority info 
--- 
.../06-credentials-exchange-issuer.rs | 1 + 
.../ockam_api/src/authenticator/common.rs | 22 ++++++++++++++----- 
.../credential_issuer/credential_issuer.rs | 10 ++++++--- 
.../credential_issuer_worker.rs | 7 +++++- 
.../direct/direct_authenticator.rs | 16 +++++++------- 
.../direct/direct_authenticator_worker.rs | 9 ++++++-- 
.../enrollment_tokens/acceptor.rs | 3 +-- 
.../authenticator/enrollment_tokens/issuer.rs | 6 ++++- 
.../enrollment_tokens/issuer_worker.rs | 10 +++++++-- 
.../ockam_api/src/authority_node/authority.rs | 11 ++++++---- 
.../ockam_api/tests/credential_issuer.rs | 1 + 
11 files changed, 67 insertions(+), 29 deletions(-) 
diff --git a/examples/rust/get_started/examples/06-credentials-exchange-issuer.rs b/examples/rust/get_started/examples/06-credentials-exchange-issuer.rs 
index 16bf6ff234c..90373135218 100644 
--- a/examples/rust/get_started/examples/06-credentials-exchange-issuer.rs 
+++ b/examples/rust/get_started/examples/06-credentials-exchange-issuer.rs 
@@ -56,6 +56,7 @@ async fn main(ctx: Context) -> Result<()> {
 // distinct for each identifier, but for this example we'll keep things simple.
 let credential_issuer = CredentialIssuerWorker::new(
 members.clone(), 
+ node.identities_attributes(),
 node.credentials(),
 &issuer,
 "test".to_string(), 
diff --git a/implementations/rust/ockam/ockam_api/src/authenticator/common.rs b/implementations/rust/ockam/ockam_api/src/authenticator/common.rs 
index 2a1465d7158..b4d14aaa7f3 100644 
--- a/implementations/rust/ockam/ockam_api/src/authenticator/common.rs 
+++ b/implementations/rust/ockam/ockam_api/src/authenticator/common.rs 
@@ -1,6 +1,6 @@
 use crate::authenticator::direct::{OCKAM_ROLE_ATTRIBUTE_ENROLLER_VALUE, OCKAM_ROLE_ATTRIBUTE_KEY};
 use crate::authenticator::AuthorityMembersRepository; 
-use ockam::identity::Identifier; 
+use ockam::identity::{Identifier, IdentitiesAttributes};
 use ockam_core::Result;
 use std::collections::BTreeMap;
 use std::sync::Arc; 
@@ -39,12 +39,11 @@ impl EnrollerAccessControlChecks {
 false
 } 
- pub(crate) async fn check_identifier( 
+ pub(crate) async fn check_is_member(
 members: Arc,
 identifier: &Identifier, 
- account_authority: &Option,
 ) -> Result { 
- let mut r = match members.get_member(identifier).await? { 
+ let r = match members.get_member(identifier).await? {
 Some(member) => {
 let is_enroller = Self::check_bin_attributes_is_enroller(member.attributes());
 EnrollerCheckResult { 
@@ -61,9 +60,20 @@ impl EnrollerAccessControlChecks {
 is_pre_trusted: false,
 },
 }; 
+ 
+ Ok(r) 
+ } 
+ 
+ pub(crate) async fn check_identifier( 
+ members: Arc, 
+ identities_attributes: Arc, 
+ identifier: &Identifier, 
+ account_authority: &Option, 
+ ) -> Result { 
+ let mut r = Self::check_is_member(members, identifier).await?; 
+
 if let Some(info) = account_authority { 
- if let Some(attrs) = info 
- .identities_attributes() 
+ if let Some(attrs) = identities_attributes
 .get_attributes(identifier, info.account_authority())
 .await?
 { 
diff --git a/implementations/rust/ockam/ockam_api/src/authenticator/credential_issuer/credential_issuer.rs b/implementations/rust/ockam/ockam_api/src/authenticator/credential_issuer/credential_issuer.rs 
index 9207fcde045..288c99aa22b 100644 
--- a/implementations/rust/ockam/ockam_api/src/authenticator/credential_issuer/credential_issuer.rs 
+++ b/implementations/rust/ockam/ockam_api/src/authenticator/credential_issuer/credential_issuer.rs 
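Review bot: In the new `check_identifier` (third hunk) the attribute store and the account authority arrive as two unrelated arguments, so nothing in the signature ties `identities_attributes` to the authority named by `info.account_authority()`; with a store that never saw that authority's attestations, `get_attributes` yields `None` and the caller silently falls through as a plain member, which is fail-closed but easy to misconfigure now that every constructor is handed the store separately. Neither new `pub(crate)` function carries a doc comment. I would add above `check_is_member` the line `/// Looks up identifier in members and reports whether it is a member and, from its stored attributes, whether it holds the enroller role.`, and above `check_identifier` a two-line comment stating that it extends that check by reading attributes attested by the configured account authority from identities_attributes, which must be the store those attestations were recorded in. The body of `check_identifier` continues past the end of the hunk.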
@@ -4,7 +4,7 @@ use crate::authenticator::direct::AccountAuthorityInfo;
 use crate::authenticator::AuthorityMembersRepository;
 use ockam::identity::models::{CredentialAndPurposeKey, CredentialSchemaIdentifier};
 use ockam::identity::utils::AttributesBuilder; 
-use ockam::identity::{Attributes, Credentials, Identifier}; 
+use ockam::identity::{Attributes, Credentials, Identifier, IdentitiesAttributes};
 use ockam_core::compat::sync::Arc;
 use ockam_core::Result; 
@@ -20,6 +20,7 @@ pub const DEFAULT_CREDENTIAL_VALIDITY: Duration = Duration::from_secs(30 * 24 *
 /// This struct runs as a Worker to issue credentials based on a request/response protocol
 pub struct CredentialIssuer {
 members: Arc, 
+ identities_attributes: Arc,
 credentials: Arc,
 issuer: Identifier,
 subject_attributes: Attributes, 
@@ -30,9 +31,11 @@ pub struct CredentialIssuer {
 impl CredentialIssuer {
 /// Create a new credentials issuer 
+ #[allow(clippy::too_many_arguments)]
 #[instrument(skip_all, fields(issuer = %issuer, project_identifier = project_identifier.clone(), credential_ttl = credential_ttl.map_or("n/a".to_string(), |d| d.as_secs().to_string())))]
 pub fn new(
 members: Arc, 
+ identities_attributes: Arc,
 credentials: Arc,
 issuer: &Identifier,
 project_identifier: String, 
@@ -54,6 +57,7 @@ impl CredentialIssuer {
 Self {
 members, 
+ identities_attributes,
 credentials,
 issuer: issuer.clone(),
 subject_attributes, 
@@ -69,8 +73,8 @@ impl CredentialIssuer {
 ) -> Result> {
 // Check if it has a valid project admin credential
 if let Some(info) = self.account_authority.as_ref() { 
- if let Some(attrs) = info 
- .identities_attributes() 
+ if let Some(attrs) = self 
+ .identities_attributes
 .get_attributes(subject, info.account_authority())
 .await?
 { 
diff --git a/implementations/rust/ockam/ockam_api/src/authenticator/credential_issuer/credential_issuer_worker.rs b/implementations/rust/ockam/ockam_api/src/authenticator/credential_issuer/credential_issuer_worker.rs 
index 93a6122f2d5..61a8d5ad33b 100644 
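Review bot: The `#[allow(clippy::too_many_arguments)]` placed above `CredentialIssuer::new` in the third hunk (and again above `CredentialIssuerWorker::new` in credential_issuer_worker.rs) suppresses the lint without saying why the extra handle is added as yet another positional argument instead of grouping the repository and store handles. A one-line justification next to the attribute, e.g. `// Positional to stay in step with CredentialIssuerWorker::new, which forwards these arguments unchanged`, keeps the suppression reviewable; bundling `members`, `identities_attributes` and `credentials` into a small struct would remove the need for it. The `new` function and the admin-check function in the last hunk both continue outside the shown lines.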
--- a/implementations/rust/ockam/ockam_api/src/authenticator/credential_issuer/credential_issuer_worker.rs 
+++ b/implementations/rust/ockam/ockam_api/src/authenticator/credential_issuer/credential_issuer_worker.rs 
@@ -5,7 +5,9 @@ use tracing::trace;
 use crate::authenticator::credential_issuer::CredentialIssuer;
 use crate::authenticator::direct::AccountAuthorityInfo;
 use crate::authenticator::AuthorityMembersRepository; 
-use ockam::identity::{Credentials, Identifier, IdentitySecureChannelLocalInfo}; 
+use ockam::identity::{ 
+ Credentials, Identifier, IdentitiesAttributes, IdentitySecureChannelLocalInfo, 
+};
 use ockam_core::api::{Method, RequestHeader, Response};
 use ockam_core::compat::boxed::Box;
 use ockam_core::compat::sync::Arc; 
@@ -20,8 +22,10 @@ pub struct CredentialIssuerWorker {
 impl CredentialIssuerWorker {
 /// Create a new credentials issuer 
+ #[allow(clippy::too_many_arguments)]
 pub fn new(
 members: Arc, 
+ identities_attributes: Arc,
 credentials: Arc,
 issuer: &Identifier,
 project_identifier: String, 
@@ -32,6 +36,7 @@ impl CredentialIssuerWorker {
 Self {
 credential_issuer: CredentialIssuer::new(
 members, 
+ identities_attributes,
 credentials,
 issuer,
 project_identifier, 
diff --git a/implementations/rust/ockam/ockam_api/src/authenticator/direct/direct_authenticator.rs b/implementations/rust/ockam/ockam_api/src/authenticator/direct/direct_authenticator.rs 
index ebccf265fbd..4db0bf173d0 100644 
--- a/implementations/rust/ockam/ockam_api/src/authenticator/direct/direct_authenticator.rs 
+++ b/implementations/rust/ockam/ockam_api/src/authenticator/direct/direct_authenticator.rs 
@@ -1,10 +1,9 @@
 use either::Either; 
-use ockam::identity::IdentitiesAttributes;
 use std::collections::{BTreeMap, HashMap};
 use ockam::identity::utils::now; 
-use ockam::identity::AttributesEntry;
 use ockam::identity::Identifier; 
+use ockam::identity::{AttributesEntry, IdentitiesAttributes};
 use ockam_core::compat::sync::Arc;
 use ockam_core::Result; 
@@ -24,11 +23,11 @@ pub type DirectAuthenticatorResult = Either;
 pub struct DirectAuthenticator {
 members: Arc, 
+ identities_attributes: Arc,
 account_authority: Option,
 }
 #[derive(Clone)]
 pub struct AccountAuthorityInfo { 
- identities_attributes: Arc,
 account_authority: Identifier,
 project_identifier: String,
 enforce_admin_checks: bool, 
@@ -36,22 +35,17 @@ pub struct AccountAuthorityInfo {
 impl AccountAuthorityInfo {
 pub fn new( 
- identities_attributes: Arc,
 account_authority: Identifier,
 project_identifier: String,
 enforce_admin_checks: bool,
 ) -> Self {
 Self { 
- identities_attributes,
 account_authority,
 project_identifier,
 enforce_admin_checks,
 }
 } 
- pub fn identities_attributes(&self) -> Arc { 
- self.identities_attributes.clone() 
- }
 pub fn account_authority(&self) -> &Identifier {
 &self.account_authority
 } 
@@ -66,10 +60,12 @@ impl AccountAuthorityInfo {
 impl DirectAuthenticator {
 pub fn new(
 members: Arc, 
+ identities_attributes: Arc,
 account_authority: Option,
 ) -> Self {
 Self {
 members, 
+ identities_attributes,
 account_authority,
 }
 } 
@@ -83,6 +79,7 @@ impl DirectAuthenticator {
 ) -> Result> {
 let check = EnrollerAccessControlChecks::check_identifier(
 self.members.clone(), 
+ self.identities_attributes.clone(),
 enroller,
 &self.account_authority,
 ) 
@@ -143,6 +140,7 @@ impl DirectAuthenticator {
 ) -> Result>> {
 let check = EnrollerAccessControlChecks::check_identifier(
 self.members.clone(), 
+ self.identities_attributes.clone(),
 enroller,
 &self.account_authority,
 ) 
@@ -179,6 +177,7 @@ impl DirectAuthenticator {
 ) -> Result> {
 let check_enroller = EnrollerAccessControlChecks::check_identifier(
 self.members.clone(), 
+ self.identities_attributes.clone(),
 enroller,
 &self.account_authority,
 ) 
@@ -196,6 +195,7 @@ impl DirectAuthenticator {
 let check_member = EnrollerAccessControlChecks::check_identifier(
 self.members.clone(), 
+ self.identities_attributes.clone(),
 identifier,
 &self.account_authority,
 ) 
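Review bot: The second hunk drops a parameter from `AccountAuthorityInfo::new` and deletes `pub fn identities_attributes`, and the third adds a parameter to `DirectAuthenticator::new`, all `pub` items on `pub` types, so this is a breaking change to ockam_api's public surface rather than the chore the subject line announces; the example and test updates in this patch show the fallout, and a changelog line or a `BREAKING` trailer is missing. Separately, the last four hunks repeat the same five-line `check_identifier` call, each cloning `self.members` and `self.identities_attributes` and borrowing `self.account_authority`; a private helper on `DirectAuthenticator` keeps the argument order in one place, and each site becomes `let check = self.check(enroller).await?;` (assuming the `.await?` that follows the closing paren outside the hunk). The helper below assumes `check_identifier` returns `Result<EnrollerCheckResult>`, which the stripped generics in this rendering do not show. All four calling functions start and end outside their hunks.

```rust
impl DirectAuthenticator {
    // … unchanged: new(...) …

    /// Runs the enroller access checks for `identifier` against this
    /// authenticator's members, attribute store and account authority.
    async fn check(&self, identifier: &Identifier) -> Result<EnrollerCheckResult> {
        EnrollerAccessControlChecks::check_identifier(
            self.members.clone(),
            self.identities_attributes.clone(),
            identifier,
            &self.account_authority,
        )
        .await
    }

    // … unchanged: the four callers, each now `let check = self.check(enroller).await?;` …
```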
diff --git a/implementations/rust/ockam/ockam_api/src/authenticator/direct/direct_authenticator_worker.rs b/implementations/rust/ockam/ockam_api/src/authenticator/direct/direct_authenticator_worker.rs 
index e943c81c070..0af9d0bdda1 100644 
--- a/implementations/rust/ockam/ockam_api/src/authenticator/direct/direct_authenticator_worker.rs 
+++ b/implementations/rust/ockam/ockam_api/src/authenticator/direct/direct_authenticator_worker.rs 
@@ -2,7 +2,7 @@ use either::Either;
 use minicbor::Decoder;
 use tracing::trace; 
-use ockam::identity::{Identifier, IdentitySecureChannelLocalInfo}; 
+use ockam::identity::{Identifier, IdentitiesAttributes, IdentitySecureChannelLocalInfo};
 use ockam_core::api::{Method, RequestHeader, Response};
 use ockam_core::compat::sync::Arc;
 use ockam_core::{Result, Routed, Worker}; 
@@ -21,10 +21,15 @@ pub struct DirectAuthenticatorWorker {
 impl DirectAuthenticatorWorker {
 pub fn new(
 members: Arc, 
+ identities_attributes: Arc,
 account_authority: Option,
 ) -> Self {
 Self { 
- authenticator: DirectAuthenticator::new(members, account_authority), 
+ authenticator: DirectAuthenticator::new( 
+ members, 
+ identities_attributes, 
+ account_authority, 
+ ),
 }
 }
 } 
diff --git a/implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/acceptor.rs b/implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/acceptor.rs 
index 604b278de3f..82f375517af 100644 
--- a/implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/acceptor.rs 
+++ b/implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/acceptor.rs 
@@ -34,8 +34,7 @@ impl EnrollmentTokenAcceptor {
 from: &Identifier,
 ) -> Result> {
 let check = 
- EnrollerAccessControlChecks::check_identifier(self.members.clone(), from, &None) 
- .await?; 
+ EnrollerAccessControlChecks::check_is_member(self.members.clone(), from).await?;
 // Not allow updating existing members
 if check.is_member { 
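Review bot: In the acceptor.rs hunk the switch from `check_identifier(self.members.clone(), from, &None)` to `check_is_member(self.members.clone(), from)` preserves behaviour, since the `None` account authority skipped the attribute lookup in the old code, but the explicit `&None` was the only visible hint that the acceptor deliberately ignores the account authority, and `EnrollmentTokenAcceptor` is the one authenticator in this patch that is not handed an `IdentitiesAttributes` store. A comment above the call keeps that intent from looking like an oversight the next time someone threads the store through, e.g. `// Membership only: accepting a token never consults the account authority's attributes.`. The enclosing function starts before the hunk and continues after it, so whether `check.is_enroller` is consulted further down cannot be seen here.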
diff --git a/implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/issuer.rs b/implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/issuer.rs 
index 4e6ef366ea7..273cc3bbb67 100644 
--- a/implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/issuer.rs 
+++ b/implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/issuer.rs 
@@ -4,7 +4,7 @@ use rand::Rng;
 use std::collections::BTreeMap;
 use ockam::identity::utils::now; 
-use ockam::identity::Identifier; 
+use ockam::identity::{Identifier, IdentitiesAttributes};
 use ockam_core::compat::sync::Arc;
 use ockam_core::compat::time::Duration;
 use ockam_core::Result; 
@@ -25,6 +25,7 @@ pub type EnrollmentTokenIssuerResult = Either;
 pub struct EnrollmentTokenIssuer {
 pub(super) tokens: Arc,
 pub(super) members: Arc, 
+ pub(super) identities_attributes: Arc,
 pub(super) account_authority: Option,
 } 
@@ -32,11 +33,13 @@ impl EnrollmentTokenIssuer {
 pub fn new(
 tokens: Arc,
 members: Arc, 
+ identities_attributes: Arc,
 account_authority: Option,
 ) -> Self {
 Self {
 tokens,
 members, 
+ identities_attributes,
 account_authority,
 }
 } 
@@ -51,6 +54,7 @@ impl EnrollmentTokenIssuer {
 ) -> Result> {
 let check = EnrollerAccessControlChecks::check_identifier(
 self.members.clone(), 
+ self.identities_attributes.clone(),
 enroller,
 &self.account_authority,
 ) 
diff --git a/implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/issuer_worker.rs b/implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/issuer_worker.rs 
index 62b636be832..aa8ed44bae2 100644 
--- a/implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/issuer_worker.rs 
+++ b/implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/issuer_worker.rs 
@@ -2,7 +2,7 @@ use either::Either;
 use minicbor::Decoder;
 use tracing::trace; 
-use ockam::identity::IdentitySecureChannelLocalInfo; 
+use ockam::identity::{IdentitiesAttributes, IdentitySecureChannelLocalInfo};
 use ockam_core::api::{Method, RequestHeader, Response};
 use ockam_core::compat::sync::Arc;
 use ockam_core::compat::time::Duration; 
@@ -22,10 +22,16 @@ impl EnrollmentTokenIssuerWorker {
 pub fn new(
 tokens: Arc,
 members: Arc, 
+ identities_attributes: Arc,
 account_authority: Option,
 ) -> Self {
 Self { 
- issuer: EnrollmentTokenIssuer::new(tokens, members, account_authority), 
+ issuer: EnrollmentTokenIssuer::new( 
+ tokens, 
+ members, 
+ identities_attributes, 
+ account_authority, 
+ ),
 }
 }
 } 
diff --git a/implementations/rust/ockam/ockam_api/src/authority_node/authority.rs b/implementations/rust/ockam/ockam_api/src/authority_node/authority.rs 
index 689c72c6910..a1129386cc2 100644 
--- a/implementations/rust/ockam/ockam_api/src/authority_node/authority.rs 
+++ b/implementations/rust/ockam/ockam_api/src/authority_node/authority.rs 
@@ -74,7 +74,6 @@ impl Authority {
 let identities = Identities::create(database).build(); 
- let identity_attrs = identities.identities_attributes().clone();
 let secure_channels = SecureChannels::from_identities(identities.clone());
 let identifier = configuration.identifier(); 
@@ -87,7 +86,6 @@ impl Authority {
 .import_from_change_history(None, change_history)
 .await?;
 Some(AccountAuthorityInfo::new( 
- identity_attrs,
 acc_authority_identifier,
 configuration.project_identifier(),
 configuration.enforce_admin_checks, 
@@ -158,8 +156,11 @@ impl Authority {
 return Ok(());
 } 
- let direct = 
- DirectAuthenticatorWorker::new(self.members.clone(), self.account_authority.clone()); 
+ let direct = DirectAuthenticatorWorker::new( 
+ self.members.clone(), 
+ self.secure_channels.identities().identities_attributes(), 
+ self.account_authority.clone(), 
+ );
 let name = configuration.authenticator_name();
 ctx.flow_controls() 
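Review bot: In the authority.rs `@@ -158` hunk (and the `@@ -185` and `@@ -226` hunks that follow) each worker now calls `self.secure_channels.identities().identities_attributes()` at its own construction site, where the old `@@ -74` code captured one `identity_attrs` from `identities` and passed it along once. The store handed out this way appears to come from the same `identities` value that `SecureChannels::from_identities` was built from, which is what makes the admin check in `check_identifier` read the attributes the authority's own channels record; that reasoning lives nowhere in the code, so the first site deserves a comment such as `// Hand every authenticator the secure channels' own attribute store so admin checks see the attributes those channels recorded.`. If the three sites sit in one method, which the hunk headers do not reveal, the call should also be hoisted into a single local. The enclosing method starts and ends outside the hunk.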
@@ -185,6 +186,7 @@ impl Authority {
 let issuer = EnrollmentTokenIssuerWorker::new(
 self.tokens.clone(),
 self.members.clone(), 
+ self.secure_channels.identities().identities_attributes(),
 self.account_authority.clone(),
 );
 let acceptor = 
@@ -226,6 +228,7 @@ impl Authority {
 // create and start a credential issuer worker
 let issuer = CredentialIssuerWorker::new(
 self.members.clone(), 
+ self.secure_channels.identities().identities_attributes(),
 self.secure_channels.identities().credentials(),
 &self.identifier,
 configuration.project_identifier(), 
diff --git a/implementations/rust/ockam/ockam_api/tests/credential_issuer.rs b/implementations/rust/ockam/ockam_api/tests/credential_issuer.rs 
index c3ae36ce838..a771f302a40 100644 
--- a/implementations/rust/ockam/ockam_api/tests/credential_issuer.rs 
+++ b/implementations/rust/ockam/ockam_api/tests/credential_issuer.rs 
@@ -68,6 +68,7 @@ async fn credential(ctx: &mut Context) -> Result<()> {
 .add_consumer(auth_worker_addr.clone(), &sc_flow_control_id);
 let auth = CredentialIssuerWorker::new(
 members, 
+ identities.identities_attributes(),
 identities.credentials(),
 &auth_identifier,
 "test".to_string(),