From 004166e4a14d12ccc79c569bee1d3c85c9234717 Mon Sep 17 00:00:00 2001
From: Adrian Benavides
Date: Tue, 7 Nov 2023 15:47:40 +0100
Subject: [PATCH] fix(rust): setup authority node properly to enroll to project with enrollment ticket

---
 .../ockam/ockam_api/src/enroll/enrollment.rs | 8 +--
 .../ockam_api/src/nodes/service/portals.rs | 1 +
 .../ockam_app_lib/src/invitations/commands.rs | 61 +++++++------------
 3 files changed, 28 insertions(+), 42 deletions(-)

diff --git a/implementations/rust/ockam/ockam_api/src/enroll/enrollment.rs b/implementations/rust/ockam/ockam_api/src/enroll/enrollment.rs
index 3ff9283de83..f4c6e79b9d9 100644
--- a/implementations/rust/ockam/ockam_api/src/enroll/enrollment.rs
+++ b/implementations/rust/ockam/ockam_api/src/enroll/enrollment.rs
@@ -75,7 +75,7 @@ impl Enrollment for SecureClient {
         token: OidcToken,
     ) -> miette::Result {
         let req = Request::post("v0/enroll").body(AuthenticateOidcToken::new(token));
-        trace!(target: TARGET, "executing auth0 flow");
+        debug!(target: TARGET, "executing auth0 flow");
         let reply = self
             .tell(ctx, "auth0_authenticator", req)
             .await
@@ -94,7 +94,7 @@ impl Enrollment for SecureClient {
         token: OidcToken,
     ) -> miette::Result<()> {
         let req = Request::post("v0/enroll").body(AuthenticateOidcToken::new(token));
-        trace!(target: TARGET, "executing auth0 flow");
+        debug!(target: TARGET, "executing auth0 flow");
         self.tell(ctx, DefaultAddress::OKTA_IDENTITY_PROVIDER, req)
             .await
             .into_diagnostic()?
@@ -104,7 +104,7 @@ impl Enrollment for SecureClient {
 
     async fn present_token(&self, ctx: &Context, token: &OneTimeCode) -> miette::Result<()> {
         let req = Request::post("/").body(token);
-        trace!(target: TARGET, "present a token");
+        debug!(target: TARGET, "present a token");
         self.tell(ctx, DefaultAddress::ENROLLMENT_TOKEN_ACCEPTOR, req)
             .await
             .into_diagnostic()?
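Review bot: The `debug!` added in the @@ -94 hunk keeps the message "executing auth0 flow" although the call right below it targets `DefaultAddress::OKTA_IDENTITY_PROVIDER`, so the text appears to be copied from the auth0 variant in @@ -75 and will mislabel Okta enrollments now that they are emitted at debug level; `debug!(target: TARGET, "executing okta flow");` would match the call. Moving these four lines from trace to debug means they show up at default verbosity far more often, so it is worth keeping them free of the `token` values that are in scope on each of these paths, as they are now. The enclosing methods begin and end outside each hunk.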
@@ -114,7 +114,7 @@ impl Enrollment for SecureClient {
 
     async fn issue_credential(&self, ctx: &Context) -> miette::Result {
         let req = Request::post("/");
-        trace!(target: TARGET, "getting a credential");
+        debug!(target: TARGET, "getting a credential");
         self.ask(ctx, DefaultAddress::CREDENTIAL_ISSUER, req)
             .await
             .into_diagnostic()?
diff --git a/implementations/rust/ockam/ockam_api/src/nodes/service/portals.rs b/implementations/rust/ockam/ockam_api/src/nodes/service/portals.rs
index 2de7a17bc63..98155b8449e 100644
--- a/implementations/rust/ockam/ockam_api/src/nodes/service/portals.rs
+++ b/implementations/rust/ockam/ockam_api/src/nodes/service/portals.rs
@@ -744,6 +744,7 @@ impl Inlets for BackgroundNode {
         authorized_identifier: &Option,
         wait_for_outlet_timeout: Duration,
     ) -> miette::Result> {
+        debug!(%listen_addr, %outlet_addr, "Creating TCP inlet");
         self.add_policy_to_project(ctx, "tcp-inlet").await?;
         let request = {
             let via_project = outlet_addr.matches(0, &[Project::CODE.into()]);
diff --git a/implementations/rust/ockam/ockam_app_lib/src/invitations/commands.rs b/implementations/rust/ockam/ockam_app_lib/src/invitations/commands.rs
index 57efce15932..9a48a1c1467 100644
--- a/implementations/rust/ockam/ockam_app_lib/src/invitations/commands.rs
+++ b/implementations/rust/ockam/ockam_app_lib/src/invitations/commands.rs
@@ -2,7 +2,6 @@ use miette::IntoDiagnostic;
 use std::collections::HashMap;
 use std::net::SocketAddr;
 use std::str::FromStr;
-use std::sync::Arc;
 use std::time::Duration;
 use tracing::{debug, info, trace, warn};
 
@@ -21,7 +20,6 @@ use ockam_api::nodes::BackgroundNode;
 use ockam_api::ConnectionStatus;
 use ockam_multiaddr::MultiAddr;
 
-use crate::background_node::BackgroundNodeClient;
 use crate::invitations::state::{Inlet, ReceivedInvitationStatus};
 use crate::shared_service::relay::create::relay_name_from_identifier;
 use crate::state::{AppState, PROJECT_NAME};
@@ -318,7 +316,6 @@ impl AppState {
         }
 
         let cli_state = self.state().await;
-        let background_node_client = self.background_node_client().await;
         for invitation in invitations.accepted.invitations {
             match InletDataFromInvitation::new(
                 &cli_state,
@@ -327,13 +324,7 @@ impl AppState {
             ) {
                 Ok(inlet_data) => match inlet_data {
                     Some(inlet_data) => {
-                        let result = self
-                            .refresh_inlet(
-                                cli_state.clone(),
-                                background_node_client.clone(),
-                                inlet_data,
-                            )
-                            .await;
+                        let result = self.refresh_inlet(inlet_data).await;
                         {
                             // we want to reduce the scope of the guard as much as possible
                             let mut guard = invitations_arc.write().await;
@@ -373,36 +364,35 @@ impl AppState {
 
     async fn refresh_inlet(
         &self,
-        cli_state: CliState,
-        background_node_client: Arc,
         mut inlet_data: InletDataFromInvitation,
     ) -> crate::Result> {
         let inlet_node_name = &inlet_data.local_node_name;
         debug!(node = %inlet_node_name, "Checking node status");
 
         if !inlet_data.enabled {
-            debug!(node = %inlet_node_name, "TCP inlet is disabled by the user, just deleting the node");
-            self.delete_background_node(inlet_node_name).await?;
+            debug!(node = %inlet_node_name, "TCP inlet is disabled by the user, deleting the node");
+            let _ = self.delete_background_node(inlet_node_name).await;
             // we want to keep the entry to store the attribute `enabled = false`
             return Inlet::new(inlet_data).map(Some);
         }
 
+        self.background_node_client()
+            .await
+            .nodes()
+            .create(inlet_node_name)
+            .await?;
+
         let mut inlet_node = self.background_node(inlet_node_name).await?;
         inlet_node.set_timeout(Duration::from_secs(5));
 
-        // if disabled it'll be deleted
-        if let Ok(node) = cli_state.nodes.get(inlet_node_name) {
-            if node.is_running() {
-                debug!(node = %inlet_node_name, "Node already running");
-                if let Ok(inlet) = inlet_node
-                    .show_inlet(&self.context(), &inlet_data.service_name)
-                    .await?
-                    .success()
-                {
-                    if inlet.status == ConnectionStatus::Up {
-                        inlet_data.socket_addr = Some(inlet.bind_addr.parse()?);
-                        return Inlet::new(inlet_data).map(Some);
-                    }
-                }
+        if let Ok(inlet) = inlet_node
+            .show_inlet(&self.context(), &inlet_data.service_name)
+            .await?
+            .success()
+        {
+            if inlet.status == ConnectionStatus::Up {
+                debug!(node = %inlet_node_name, alias = %inlet.alias, "TCP inlet is already up");
+                inlet_data.socket_addr = Some(inlet.bind_addr.parse()?);
+                return Inlet::new(inlet_data).map(Some);
             }
         }
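Review bot: `let _ = self.delete_background_node(inlet_node_name).await;` in refresh_inlet discards the deletion error, so a node whose inlet the user disabled can stay running while the function returns the `enabled = false` entry as if it had been torn down, and nothing in the logs records the mismatch. Keeping the best-effort behaviour but surfacing the failure is a three-line change: `if let Err(e) = self.delete_background_node(inlet_node_name).await {` / `    warn!(node = %inlet_node_name, %e, "Failed to delete background node for disabled inlet");` / `}` — `warn` is already imported in this file. The added `.nodes().create(inlet_node_name).await?` now runs on every refresh before the inlet status is checked, where the removed code first asked `cli_state.nodes` whether the node was running; if `create` can fail for a node that already exists, every refresh of a healthy inlet would fail, so a comment stating that create is expected to be idempotent, or an existence check, would make the intent checkable. refresh_inlet continues past the end of the hunk.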
@@ -413,9 +403,7 @@ impl AppState {
             return Ok(None);
         }
 
-        let socket_addr = self
-            .create_inlet(background_node_client.clone(), inlet_node, &inlet_data)
-            .await?;
+        let socket_addr = self.create_inlet(inlet_node, &inlet_data).await?;
         inlet_data.socket_addr = Some(socket_addr);
 
         Inlet::new(inlet_data).map(Some)
@@ -425,7 +413,6 @@ impl AppState {
     /// Returns the inlet SocketAddr
     async fn create_inlet(
         &self,
-        background_node_client: Arc,
         inlet_node: BackgroundNode,
         inlet_data: &InletDataFromInvitation,
     ) -> crate::Result {
@@ -447,6 +434,7 @@ impl AppState {
             None => get_free_address()?,
         };
         if let Some(enrollment_ticket_hex) = enrollment_ticket_hex {
+            debug!(node = %local_node_name, "Enrolling node with enrollment ticket");
             let enrollment_ticket = EnrollmentTicket::try_from(enrollment_ticket_hex.as_ref())?;
             let project_authority = {
                 let project_lookup = enrollment_ticket
@@ -455,7 +443,7 @@ impl AppState {
                 let project = Project::from(project_lookup);
                 let cli_state = self.state().await;
                 // Store project and trust context to CLI state if they don't exist.
-                if let Err(e) = cli_state.projects.create(&project.name, project.clone()) {
+                if let Err(e) = cli_state.projects.overwrite(&project.name, project.clone()) {
                     match e {
                         CliStateError::AlreadyExists { .. } => {}
                         _ => {
@@ -465,7 +453,7 @@ impl AppState {
                 }
                 if let Err(e) = cli_state
                     .trust_contexts
-                    .create(local_node_name, project.clone().try_into()?)
+                    .overwrite(local_node_name, project.clone().try_into()?)
                 {
                     match e {
                         CliStateError::AlreadyExists { .. } => {}
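Review bot: In the @@ -455 hunk the call changes from `create` to `overwrite` while the comment above it still says "Store project and trust context to CLI state if they don't exist." and the `CliStateError::AlreadyExists { .. } => {}` arm is kept; the same applies to the `trust_contexts.overwrite` call in @@ -465. With overwrite semantics the stored project and the trust context for `local_node_name` are now replaced by whatever the enrollment ticket carries, so the comment should state that, e.g. `// Overwrite the stored project and trust context with the ones derived from the enrollment ticket, so a stale entry cannot win.`, and the AlreadyExists arm looks unreachable unless `overwrite` can still return it — worth confirming and removing if not. Replacing a node's trust context from ticket-derived data is the purpose of the commit, but it is a trust decision and deserves its own log line naming the project, next to the `debug!` added in @@ -447. create_inlet begins and ends outside these hunks.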
@@ -487,15 +475,12 @@ impl AppState {
                 )
                 .await
                 .into_diagnostic()?;
+                debug!(node = %local_node_name, "Presenting enrollment ticket to authority node");
                 authority_node
                     .present_token(&self.context(), &enrollment_ticket.one_time_code)
                     .await?;
                 authority_node.issue_credential(&self.context()).await?;
             }
-            background_node_client
-                .nodes()
-                .create(local_node_name)
-                .await?;
             // give time for the node to spawn up
             tokio::time::sleep(Duration::from_millis(250)).await;