diff --git a/implementations/rust/ockam/ockam_api/src/cli_state/mod.rs b/implementations/rust/ockam/ockam_api/src/cli_state/mod.rs index 4f19c9c0bf1..121cc44e564 100644 --- a/implementations/rust/ockam/ockam_api/src/cli_state/mod.rs +++ b/implementations/rust/ockam/ockam_api/src/cli_state/mod.rs @@ -4,17 +4,17 @@ use miette::Diagnostic; use rand::random; use thiserror::Error; +use ockam::identity::storage::{PurposeKeysRepository, PurposeKeysSqlxDatabase}; use ockam::identity::{ ChangeHistoryRepository, ChangeHistorySqlxDatabase, Identities, IdentityAttributesRepository, IdentityAttributesSqlxDatabase, }; -use ockam::identity::storage::{PurposeKeysRepository, PurposeKeysSqlxDatabase}; use ockam::SqlxDatabase; use ockam_abac::{PoliciesRepository, PolicySqlxDatabase}; use ockam_core::compat::sync::Arc; use ockam_core::env::get_env_with_default; +use ockam_core::Error; use ockam_node::Executor; -use ockam_vault::storage::{SecretsRepository, SecretsSqlxDatabase}; pub use projects_repository::*; pub use projects_repository_sql::*; pub use spaces_repository::*; @@ -42,9 +42,11 @@ pub mod credentials; pub mod enrollments; pub mod identities; pub mod nodes; +pub mod policies; pub mod projects; pub mod projects_repository; pub mod projects_repository_sql; +pub mod secure_channels; pub mod spaces; pub mod spaces_repository; pub mod spaces_repository_sql; @@ -74,8 +76,8 @@ pub enum CliStateError { #[error("A {resource} named {name} already exists")] #[diagnostic( - code("OCK409"), - help("Please try using a different name or delete the existing {resource}") + code("OCK409"), + help("Please try using a different name or delete the existing {resource}") )] AlreadyExists { resource: String, name: String }, @@ -101,8 +103,8 @@ pub enum CliStateError { #[error("Invalid configuration version '{0}'")] #[diagnostic( - code("OCK500"), - help("Please try running 'ockam reset' to reset your local configuration") + code("OCK500"), + help("Please try running 'ockam reset' to reset your local configuration") )] InvalidVersion(String), } @@ -117,7 +119,7 @@ impl From for ockam_core::Error { fn from(e: CliStateError) -> Self { match e { CliStateError::Ockam(e) => e, - _ => ockam_core::Error::new( + _ => Error::new( ockam_core::errcode::Origin::Application, ockam_core::errcode::Kind::Internal, e, @@ -156,15 +158,11 @@ impl CliState { self.dir.clone() } - pub async fn change_history_repository(&self) -> Result> { + async fn change_history_repository(&self) -> Result> { Ok(Arc::new(ChangeHistorySqlxDatabase::new(self.database()))) } - pub async fn secrets_repository(&self) -> Result> { - Ok(Arc::new(SecretsSqlxDatabase::new(self.database()))) - } - - pub async fn identity_attributes_repository( + async fn identity_attributes_repository( &self, ) -> Result> { Ok(Arc::new(IdentityAttributesSqlxDatabase::new( @@ -172,11 +170,11 @@ impl CliState { ))) } - pub async fn identities_repository(&self) -> Result> { + async fn identities_repository(&self) -> Result> { Ok(Arc::new(IdentitiesSqlxDatabase::new(self.database()))) } - pub async fn purpose_keys_repository(&self) -> Result> { + async fn purpose_keys_repository(&self) -> Result> { Ok(Arc::new(PurposeKeysSqlxDatabase::new(self.database()))) } @@ -192,27 +190,27 @@ impl CliState { Ok(Arc::new(NodesSqlxDatabase::new(self.database()))) } - pub async fn policies_repository(&self) -> Result> { + pub(super) async fn policies_repository(&self) -> Result> { Ok(Arc::new(PolicySqlxDatabase::new(self.database()))) } - pub async fn projects_repository(&self) -> Result> { + async fn projects_repository(&self) -> Result> { Ok(Arc::new(ProjectsSqlxDatabase::new(self.database()))) } - pub async fn spaces_repository(&self) -> Result> { + async fn spaces_repository(&self) -> Result> { Ok(Arc::new(SpacesSqlxDatabase::new(self.database()))) } - pub async fn users_repository(&self) -> Result> { + async fn users_repository(&self) -> Result> { Ok(Arc::new(UsersSqlxDatabase::new(self.database()))) } - pub async fn credentials_repository(&self) -> Result> { + async fn credentials_repository(&self) -> Result> { Ok(Arc::new(CredentialsSqlxDatabase::new(self.database()))) } - pub async fn trust_contexts_repository(&self) -> Result> { + async fn trust_contexts_repository(&self) -> Result> { Ok(Arc::new(TrustContextsSqlxDatabase::new(self.database()))) } diff --git a/implementations/rust/ockam/ockam_api/src/cli_state/secure_channels.rs b/implementations/rust/ockam/ockam_api/src/cli_state/secure_channels.rs index a6440f843c9..70cdac72438 100644 --- a/implementations/rust/ockam/ockam_api/src/cli_state/secure_channels.rs +++ b/implementations/rust/ockam/ockam_api/src/cli_state/secure_channels.rs @@ -1,8 +1,7 @@ use std::sync::Arc; use ockam::identity::{ - ChangeHistoryRepository, IdentityAttributesRepository, SecureChannelRegistry, SecureChannels, - Vault, + ChangeHistoryRepository, IdentityAttributesRepository, SecureChannels, Vault, }; use crate::bootstrapped_identities_store::{ @@ -46,20 +45,4 @@ impl CliState { .build(); Ok(secure_channels) } - - /// Build a SecureChannels struct for a specific vault if one is specified - /// and reuse the secure_channel_registry - pub(crate) async fn build_secure_channels( - &self, - vault_name: &str, - secure_channel_registry: SecureChannelRegistry, - ) -> Result> { - let vault = self.get_vault_by_name(vault_name).await?; - Ok(SecureChannels::builder() - .with_vault(vault) - .with_change_history_repository(self.change_history_repository().await?) - .with_secure_channels_registry(secure_channel_registry) - .with_purpose_keys_repository(self.purpose_keys_repository().await?) - .build()) - } } diff --git a/implementations/rust/ockam/ockam_api/src/nodes/service.rs b/implementations/rust/ockam/ockam_api/src/nodes/service.rs index e87e46a8e66..5b4667c5a58 100644 --- a/implementations/rust/ockam/ockam_api/src/nodes/service.rs +++ b/implementations/rust/ockam/ockam_api/src/nodes/service.rs @@ -11,15 +11,14 @@ use minicbor::{Decoder, Encode}; use ockam::identity::models::CredentialAndPurposeKey; use ockam::identity::TrustContext; -use ockam::identity::Vault; -use ockam::identity::{ChangeHistoryRepository, Credentials, CredentialsServer, Identities}; +use ockam::identity::{Credentials, CredentialsServer, Identities}; use ockam::identity::{CredentialsServerModule, IdentityAttributesRepository}; use ockam::identity::{Identifier, SecureChannels}; use ockam::{ Address, Context, RelayService, RelayServiceOptions, Result, Routed, TcpTransport, Worker, }; use ockam_abac::expr::{eq, ident, str}; -use ockam_abac::{Action, Env, Expr, PoliciesRepository, PolicyAccessControl, Resource}; +use ockam_abac::{Action, Env, Expr, Resource}; use ockam_core::api::{Method, RequestHeader, Response}; use ockam_core::compat::{string::String, sync::Arc}; use ockam_core::flow_control::FlowControlId; @@ -27,7 +26,6 @@ use ockam_core::AllowAll; use ockam_core::IncomingAccessControl; use ockam_multiaddr::MultiAddr; -use crate::bootstrapped_identities_store::BootstrapedIdentityAttributesStore; use crate::bootstrapped_identities_store::PreTrustedIdentities; use crate::cli_state::trust_contexts_repository_sql::NamedTrustContext; use crate::cli_state::CliState; @@ -96,7 +94,6 @@ pub struct NodeManager { pub(crate) secure_channels: Arc, trust_context: Option, pub(crate) registry: Registry, - policies_repository: Arc, pub(crate) medic_handle: MedicHandle, } @@ -140,10 +137,6 @@ impl NodeManager { Arc::new(CredentialsServerModule::new(self.credentials())) } - pub(super) fn secure_channels_vault(&self) -> Vault { - self.secure_channels.identities().vault() - } - pub fn tcp_transport(&self) -> &TcpTransport { &self.tcp_transport } @@ -246,7 +239,7 @@ impl NodeManager { // Check if a policy exists for (resource, action) and if not, then // create or use a default entry: - if self.policies_repository.get_policy(r, a).await?.is_none() { + if self.cli_state.get_policy(r, a).await?.is_none() { let fallback = match custom_default { Some(e) => e.clone(), None => eq([ @@ -254,21 +247,11 @@ impl NodeManager { ident("subject.trust_context_id"), ]), }; - self.policies_repository.set_policy(r, a, &fallback).await? + self.cli_state.set_policy(r, a, &fallback).await?; } - let policies = self.policies_repository.clone(); - debug!( - "set a policy access control for resource '{}' and action '{}'", - &r, &a - ); - - Ok(Arc::new(PolicyAccessControl::new( - policies, - self.identity_attributes_repository(), - r.clone(), - a.clone(), - env, - ))) + let policy_access_control = + self.cli_state.make_policy_access_control(r, a, env).await?; + Ok(Arc::new(policy_access_control)) } else { debug!( "no policy access control set for resource '{}' and action: '{}'", @@ -371,35 +354,12 @@ impl NodeManager { debug!("create the identity repository"); let cli_state = general_options.cli_state; - let change_history_repository: Arc = - cli_state.change_history_repository().await?; - let identity_attributes_repository: Arc = - cli_state.identity_attributes_repository().await?; - let policies_repository: Arc = - cli_state.policies_repository().await?; - - //TODO: fix this. Either don't require it to be a bootstrappedidentitystore (and use the - //trait instead), or pass it from the general_options always. - let vault: Vault = cli_state.get_node_vault(&general_options.node_name).await?; - let identity_attributes_repository: Arc = - Arc::new(match general_options.pre_trusted_identities { - None => BootstrapedIdentityAttributesStore::new( - Arc::new(PreTrustedIdentities::new_from_string("{}")?), - identity_attributes_repository.clone(), - ), - Some(f) => BootstrapedIdentityAttributesStore::new( - Arc::new(f), - identity_attributes_repository.clone(), - ), - }); - - debug!("create the secure channels service"); - let secure_channels = SecureChannels::builder() - .with_vault(vault) - .with_change_history_repository(change_history_repository.clone()) - .with_identity_attributes_repository(identity_attributes_repository.clone()) - .with_purpose_keys_repository(cli_state.purpose_keys_repository().await?) - .build(); + let secure_channels = cli_state + .secure_channels( + &general_options.node_name, + general_options.pre_trusted_identities, + ) + .await?; debug!("start the medic"); let medic_handle = MedicHandle::start_medic(ctx).await?; @@ -429,7 +389,6 @@ impl NodeManager { secure_channels, trust_context, registry: Default::default(), - policies_repository, medic_handle, }; diff --git a/implementations/rust/ockam/ockam_api/src/nodes/service/node_services.rs b/implementations/rust/ockam/ockam_api/src/nodes/service/node_services.rs index ff236e5a229..fd9c87c88ae 100644 --- a/implementations/rust/ockam/ockam_api/src/nodes/service/node_services.rs +++ b/implementations/rust/ockam/ockam_api/src/nodes/service/node_services.rs @@ -532,13 +532,14 @@ impl NodeManagerWorker { // if we are using the project we need to allow safe communication based on the // project identifier self.node_manager - .policies_repository + .cli_state .set_policy( &resources::INLET, &actions::HANDLE_MESSAGE, &eq([ident("subject.identifier"), str(project_identifier)]), ) - .await?; + .await + .map_err(ockam_core::Error::from)? } } diff --git a/implementations/rust/ockam/ockam_api/src/nodes/service/policy.rs b/implementations/rust/ockam/ockam_api/src/nodes/service/policy.rs index a2d233af56f..c0140f35733 100644 --- a/implementations/rust/ockam/ockam_api/src/nodes/service/policy.rs +++ b/implementations/rust/ockam/ockam_api/src/nodes/service/policy.rs @@ -23,9 +23,10 @@ impl NodeManager { let p: Policy = dec.decode()?; let r = Resource::new(resource); let a = Action::new(action); - self.policies_repository + self.cli_state .set_policy(&r, &a, p.expression()) - .await?; + .await + .map_err(ockam_core::Error::from)?; Ok(Response::ok(req)) } @@ -37,7 +38,7 @@ impl NodeManager { ) -> Result, Response>> { let r = Resource::new(resource); let a = Action::new(action); - if let Some(e) = self.policies_repository.get_policy(&r, &a).await? { + if let Some(e) = self.cli_state.get_policy(&r, &a).await? { Ok(Either::Right(Response::ok(req).body(Policy::new(e)))) } else { Ok(Either::Left(Response::not_found(req, "policy not found"))) @@ -51,9 +52,10 @@ impl NodeManager { ) -> Result, Response> { let r = Resource::new(res); let p = self - .policies_repository + .cli_state .get_policies_by_resource(&r) - .await?; + .await + .map_err(ockam_core::Error::from)?; let p = p.into_iter().map(|(a, e)| Expression::new(a, e)).collect(); Ok(Response::ok(req).body(PolicyList::new(p))) } @@ -66,7 +68,10 @@ impl NodeManager { ) -> Result, Response> { let r = Resource::new(res); let a = Action::new(act); - self.policies_repository.delete_policy(&r, &a).await?; + self.cli_state + .delete_policy(&r, &a) + .await + .map_err(ockam_core::Error::from)?; Ok(Response::ok(req)) } } diff --git a/implementations/rust/ockam/ockam_api/src/nodes/service/secure_channel.rs b/implementations/rust/ockam/ockam_api/src/nodes/service/secure_channel.rs index 667f9c89dd4..92b91657e95 100644 --- a/implementations/rust/ockam/ockam_api/src/nodes/service/secure_channel.rs +++ b/implementations/rust/ockam/ockam_api/src/nodes/service/secure_channel.rs @@ -506,13 +506,18 @@ impl NodeManager { return Ok(self.secure_channels.clone()); } let vault = self.get_secure_channels_vault(vault_name.clone()).await?; - let identity_repository = self.cli_state.change_history_repository().await?; let registry = self.secure_channels.secure_channel_registry(); Ok(SecureChannels::builder() .with_vault(vault) - .with_change_history_repository(identity_repository) + .with_change_history_repository( + self.secure_channels + .identities() + .change_history_repository(), + ) + .with_purpose_keys_repository( + self.secure_channels.identities().purpose_keys_repository(), + ) .with_secure_channels_registry(registry) - .with_purpose_keys_repository(self.cli_state.purpose_keys_repository().await?) .build()) } @@ -521,7 +526,7 @@ impl NodeManager { let existing_vault = self.cli_state.get_vault_by_name(&vault_name).await?; Ok(existing_vault) } else { - Ok(self.secure_channels_vault()) + Ok(self.secure_channels.vault()) } } }