refactor(rust): extract a credential refresher from the credential re…

…triever
build-trust · Feb 20, 2024 · 9a8d2f1 · 9a8d2f1
1 parent 1f905be
commit 9a8d2f1
Show file tree

Hide file tree

Showing 40 changed files with 1,060 additions and 1,046 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/examples/rust/get_started/Cargo.toml b/examples/rust/get_started/Cargo.toml
@@ -38,6 +38,7 @@ ockam_api = { path = "../../../implementations/rust/ockam/ockam_api" }
 ockam_core = { path = "../../../implementations/rust/ockam/ockam_core" }
 ockam_multiaddr = { path = "../../../implementations/rust/ockam/ockam_multiaddr" }
 ockam_node = { path = "../../../implementations/rust/ockam/ockam_node" }
+ockam_transport_core = { path = "../../../implementations/rust/ockam/ockam_transport_core" }
 ockam_transport_tcp = { path = "../../../implementations/rust/ockam/ockam_transport_tcp" }
 ockam_transport_udp = { path = "../../../implementations/rust/ockam/ockam_transport_udp" }
 ockam_transport_uds = { path = "../../../implementations/rust/ockam/ockam_transport_uds" }

diff --git a/examples/rust/get_started/examples/06-credentials-exchange-client.rs b/examples/rust/get_started/examples/06-credentials-exchange-client.rs
@@ -73,7 +73,7 @@ async fn main(ctx: Context) -> Result<()> {
             route![server_connection, DefaultAddress::SECURE_CHANNEL_LISTENER],
             SecureChannelOptions::new()
                 .with_authority(issuer.clone())
-                .with_credential(credential)?,
+                .with_credential(credential),
         )
         .await?;
 

diff --git a/examples/rust/get_started/examples/06-credentials-exchange-server.rs b/examples/rust/get_started/examples/06-credentials-exchange-server.rs
@@ -77,7 +77,7 @@ async fn main(ctx: Context) -> Result<()> {
     let tcp_listener_options = TcpListenerOptions::new();
     let sc_listener_options = SecureChannelListenerOptions::new()
         .with_authority(issuer.clone())
-        .with_credential(credential)?
+        .with_credential(credential)
         .as_consumer(&tcp_listener_options.spawner_flow_control_id());
 
     node.flow_controls().add_consumer(

diff --git a/examples/rust/get_started/examples/11-attribute-based-authentication-control-plane.rs b/examples/rust/get_started/examples/11-attribute-based-authentication-control-plane.rs
@@ -1,19 +1,17 @@
-use std::sync::Arc;
-
 use hello_ockam::{create_token, import_project};
 use ockam::abac::AbacAccessControl;
 use ockam::identity::{
-    RemoteCredentialRetrieverCreator, RemoteCredentialRetrieverInfo, SecureChannelListenerOptions,
-    SecureChannelOptions, TrustMultiIdentifiersPolicy,
+    CredentialRetrieverOptions, RemoteCredentialRetrieverInfo, SecureChannelListenerOptions, SecureChannelOptions,
+    TrustMultiIdentifiersPolicy,
 };
 use ockam::remote::RemoteRelayOptions;
 use ockam::{node, Context, Result, TcpOutletOptions, TcpTransportExtension};
 use ockam_api::authenticator::enrollment_tokens::TokenAcceptor;
 use ockam_api::authenticator::one_time_code::OneTimeCode;
 use ockam_api::nodes::NodeManager;
 use ockam_api::{multiaddr_to_route, multiaddr_to_transport_route, DefaultAddress};
-use ockam_core::AsyncTryClone;
 use ockam_multiaddr::MultiAddr;
+use ockam_transport_core::Transport;
 
 /// This node supports a "control" server on which several "edge" devices can connect
 ///
@@ -75,16 +73,12 @@ async fn start_node(ctx: Context, project_information_path: &str, token: OneTime
     let project_authority_route = multiaddr_to_transport_route(&project.authority_route()).unwrap(); // FIXME: Handle error
 
     // Create a credential retriever that will be used to obtain credentials
-    let credential_retriever = Arc::new(RemoteCredentialRetrieverCreator::new(
-        node.context().async_try_clone().await?,
-        Arc::new(tcp.clone()),
-        node.secure_channels(),
-        RemoteCredentialRetrieverInfo::new(
-            project.authority_identifier(),
-            project_authority_route,
-            DefaultAddress::CREDENTIAL_ISSUER.into(),
-        ),
-    ));
+    let credential_retriever_info = RemoteCredentialRetrieverInfo::new(
+        project.authority_identifier(),
+        project_authority_route,
+        DefaultAddress::CREDENTIAL_ISSUER.into(),
+        tcp.transport_type(),
+    );
 
     // 3. create an access control policy checking the value of the "component" attribute of the caller
     let access_control = AbacAccessControl::create(
@@ -106,7 +100,7 @@ async fn start_node(ctx: Context, project_information_path: &str, token: OneTime
 
     let tcp_project_route = multiaddr_to_route(&project.route(), &tcp).await.unwrap(); // FIXME: Handle error
     let project_options = SecureChannelOptions::new()
-        .with_credential_retriever_creator(credential_retriever)?
+        .with_credential_retriever_options(CredentialRetrieverOptions::remote_default(credential_retriever_info))
         .with_authority(project.authority_identifier())
         .with_trust_policy(TrustMultiIdentifiersPolicy::new(vec![project.identifier()]));
 

diff --git a/examples/rust/get_started/examples/11-attribute-based-authentication-edge-plane.rs b/examples/rust/get_started/examples/11-attribute-based-authentication-edge-plane.rs
@@ -1,7 +1,7 @@
 use hello_ockam::{create_token, import_project};
 use ockam::abac::AbacAccessControl;
 use ockam::identity::{
-    identities, RemoteCredentialRetrieverCreator, RemoteCredentialRetrieverInfo, SecureChannelOptions,
+    identities, CredentialRetrieverOptions, RemoteCredentialRetrieverInfo, SecureChannelOptions,
     TrustMultiIdentifiersPolicy,
 };
 use ockam::node;
@@ -10,9 +10,8 @@ use ockam_api::authenticator::enrollment_tokens::TokenAcceptor;
 use ockam_api::authenticator::one_time_code::OneTimeCode;
 use ockam_api::nodes::NodeManager;
 use ockam_api::{multiaddr_to_route, multiaddr_to_transport_route, DefaultAddress};
-use ockam_core::compat::sync::Arc;
-use ockam_core::AsyncTryClone;
 use ockam_multiaddr::MultiAddr;
+use ockam_transport_core::Transport;
 use ockam_transport_tcp::{TcpInletOptions, TcpTransportExtension};
 
 /// This node supports an "edge" server which can connect to a "control" node
@@ -74,17 +73,13 @@ async fn start_node(ctx: Context, project_information_path: &str, token: OneTime
 
     let project_authority_route = multiaddr_to_transport_route(&project.route()).unwrap(); // FIXME: Handle error
 
-    // Create a credential retriever that will be used to obtain credentials
-    let credential_retriever = Arc::new(RemoteCredentialRetrieverCreator::new(
-        node.context().async_try_clone().await?,
-        Arc::new(tcp.clone()),
-        node.secure_channels(),
-        RemoteCredentialRetrieverInfo::new(
-            project.authority_identifier(),
-            project_authority_route,
-            DefaultAddress::CREDENTIAL_ISSUER.into(),
-        ),
-    ));
+    // Information used to access a retriever that will be used to obtain credentials
+    let credential_retriever_info = RemoteCredentialRetrieverInfo::new(
+        project.authority_identifier(),
+        project_authority_route,
+        DefaultAddress::CREDENTIAL_ISSUER.into(),
+        tcp.transport_type(),
+    );
 
     // 3. create an access control policy checking the value of the "component" attribute of the caller
     let access_control = AbacAccessControl::create(
@@ -98,7 +93,7 @@ async fn start_node(ctx: Context, project_information_path: &str, token: OneTime
 
     let tcp_project_route = multiaddr_to_route(&project.route(), &tcp).await.unwrap(); // FIXME: Handle error
     let project_options = SecureChannelOptions::new()
-        .with_credential_retriever_creator(credential_retriever)?
+        .with_credential_retriever_options(CredentialRetrieverOptions::remote_default(credential_retriever_info))
         .with_authority(project.authority_identifier())
         .with_trust_policy(TrustMultiIdentifiersPolicy::new(vec![project.identifier()]));
 

diff --git a/implementations/rust/ockam/ockam_api/src/cli_state/trust.rs b/implementations/rust/ockam/ockam_api/src/cli_state/trust.rs
@@ -1,9 +1,12 @@
-use crate::nodes::service::{NodeManagerCredentialRetrieverOptions, NodeManagerTrustOptions};
+use crate::nodes::service::NodeManagerTrustOptions;
 use crate::{multiaddr_to_transport_route, CliState, DefaultAddress};
-use ockam::identity::{IdentitiesVerification, RemoteCredentialRetrieverInfo};
+use ockam::identity::{
+    CredentialRetrieverOptions, IdentitiesVerification, RemoteCredentialRetrieverInfo,
+};
 use ockam_core::errcode::{Kind, Origin};
 use ockam_core::{Error, Result};
 use ockam_multiaddr::MultiAddr;
+use ockam_transport_tcp::TCP;
 use ockam_vault::SoftwareVaultForVerifyingSignatures;
 
 impl CliState {
@@ -71,10 +74,11 @@ impl CliState {
                     authority_identifier.clone(),
                     authority_route,
                     DefaultAddress::CREDENTIAL_ISSUER.into(),
+                    TCP,
                 );
 
                 let trust_options = NodeManagerTrustOptions::new(
-                    NodeManagerCredentialRetrieverOptions::Remote(info),
+                    CredentialRetrieverOptions::remote_default(info),
                     Some(authority_identifier.clone()),
                 );
 
@@ -86,7 +90,7 @@ impl CliState {
                 trust_options
             } else if expect_cached_credential {
                 let trust_options = NodeManagerTrustOptions::new(
-                    NodeManagerCredentialRetrieverOptions::CacheOnly(authority_identifier.clone()),
+                    CredentialRetrieverOptions::CacheOnly(authority_identifier.clone()),
                     Some(authority_identifier.clone()),
                 );
 
@@ -98,7 +102,7 @@ impl CliState {
                 trust_options
             } else {
                 let trust_options = NodeManagerTrustOptions::new(
-                    NodeManagerCredentialRetrieverOptions::None,
+                    CredentialRetrieverOptions::None,
                     Some(authority_identifier.clone()),
                 );
 
@@ -123,7 +127,7 @@ impl CliState {
             None => {
                 info!("TrustOptions configured: No Authority. No Credentials");
                 return Ok(NodeManagerTrustOptions::new(
-                    NodeManagerCredentialRetrieverOptions::None,
+                    CredentialRetrieverOptions::None,
                     None,
                 ));
             }
@@ -141,10 +145,11 @@ impl CliState {
             authority_identifier.clone(),
             authority_route,
             DefaultAddress::CREDENTIAL_ISSUER.into(),
+            TCP,
         );
 
         let trust_options = NodeManagerTrustOptions::new(
-            NodeManagerCredentialRetrieverOptions::Remote(info),
+            CredentialRetrieverOptions::remote_default(info),
             Some(authority_identifier.clone()),
         );
 

diff --git a/implementations/rust/ockam/ockam_api/src/cloud/secure_clients.rs b/implementations/rust/ockam/ockam_api/src/cloud/secure_clients.rs
@@ -3,7 +3,7 @@ use std::str::FromStr;
 use std::time::Duration;
 
 use ockam::identity::{
-    CredentialRetrieverCreator, Identifier, SecureChannels, SecureClient, DEFAULT_TIMEOUT,
+    CredentialRetrieverOptions, Identifier, SecureChannels, SecureClient, DEFAULT_TIMEOUT,
 };
 use ockam_core::compat::sync::Arc;
 use ockam_core::env::{get_env, get_env_with_default, FromString};
@@ -85,15 +85,15 @@ impl NodeManager {
         caller_identifier: &Identifier,
         credentials_enabled: CredentialsEnabled,
     ) -> Result<ProjectNodeClient> {
-        let credential_retriever_creator = match credentials_enabled {
-            CredentialsEnabled::On => self.credential_retriever_creator.clone(),
-            CredentialsEnabled::Off => None,
+        let credential_retriever_options = match credentials_enabled {
+            CredentialsEnabled::On => self.credential_retriever_options(),
+            CredentialsEnabled::Off => CredentialRetrieverOptions::None,
         };
 
         NodeManager::project_node_client(
             &self.tcp_transport,
             self.secure_channels.clone(),
-            credential_retriever_creator,
+            credential_retriever_options,
             project_identifier,
             project_multiaddr,
             caller_identifier,
@@ -131,7 +131,7 @@ impl NodeManager {
         Ok(ControllerClient {
             secure_client: SecureClient::new(
                 secure_channels,
-                None,
+                CredentialRetrieverOptions::None,
                 Arc::new(tcp_transport.clone()),
                 controller_route,
                 &controller_identifier,
@@ -159,7 +159,7 @@ impl NodeManager {
         Ok(AuthorityNodeClient {
             secure_client: SecureClient::new(
                 secure_channels,
-                None,
+                CredentialRetrieverOptions::None,
                 Arc::new(tcp_transport.clone()),
                 authority_route,
                 authority_identifier,
@@ -174,7 +174,7 @@ impl NodeManager {
     pub async fn project_node_client(
         tcp_transport: &TcpTransport,
         secure_channels: Arc<SecureChannels>,
-        credential_retriever_creator: Option<Arc<dyn CredentialRetrieverCreator>>,
+        credential_retriever_options: CredentialRetrieverOptions,
         project_identifier: &Identifier,
         project_multiaddr: &MultiAddr,
         caller_identifier: &Identifier,
@@ -188,7 +188,7 @@ impl NodeManager {
         Ok(ProjectNodeClient {
             secure_client: SecureClient::new(
                 secure_channels,
-                credential_retriever_creator,
+                credential_retriever_options,
                 Arc::new(tcp_transport.clone()),
                 project_route,
                 project_identifier,
@@ -215,7 +215,7 @@ impl NodeManager {
         Ok(GenericSecureClient {
             secure_client: SecureClient::new(
                 secure_channels,
-                None,
+                CredentialRetrieverOptions::None,
                 Arc::new(tcp_transport.clone()),
                 route,
                 identifier,

diff --git a/implementations/rust/ockam/ockam_api/src/lib.rs b/implementations/rust/ockam/ockam_api/src/lib.rs
@@ -47,6 +47,7 @@ mod util;
 pub use cli_state::*;
 pub use influxdb_token_lease::*;
 pub use nodes::service::default_address::*;
+pub use nodes::service::*;
 pub use session::sessions::ConnectionStatus;
 pub use util::*;
 pub use version::*;