refactor(rust): swap vault attach-key for identity create --key-id

build-trust · Oct 6, 2023 · 656f03e · 656f03e
1 parent adcb43d
commit 656f03e
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 80 deletions.
diff --git a/implementations/rust/ockam/ockam_command/src/authority/create.rs b/implementations/rust/ockam/ockam_command/src/authority/create.rs
@@ -288,7 +288,7 @@ async fn start_authority_node(
                 Ok(state) => state.config().identifier(),
                 Err(_) => {
                     debug!("creating default identity");
-                    let cmd = identity::CreateCommand::new("authority".into(), None);
+                    let cmd = identity::CreateCommand::new("authority".into(), None, None);
                     cmd.create_identity(opts.clone()).await?
                 }
             }

diff --git a/implementations/rust/ockam/ockam_command/src/identity/create.rs b/implementations/rust/ockam/ockam_command/src/identity/create.rs
@@ -3,9 +3,11 @@ use crate::util::node_rpc;
 use crate::{docs, fmt_log, fmt_ok, CommandGlobalOpts};
 use clap::Args;
 use colorful::Colorful;
+use miette::miette;
 use ockam::identity::Identifier;
 use ockam::Context;
-use ockam_api::cli_state::traits::StateDirTrait;
+use ockam_api::cli_state::traits::{StateDirTrait, StateItemTrait};
+use ockam_vault::{HandleToSecret, SigningSecretKeyHandle};
 use rand::prelude::random;
 use tokio::sync::Mutex;
 use tokio::try_join;
@@ -26,11 +28,19 @@ pub struct CreateCommand {
     /// Vault name to store the identity key
     #[arg(long, value_name = "VAULT_NAME", global = true)]
     vault: Option<String>,
+
+    /// Key ID to use for the identity creation
+    #[arg(short, long)]
+    key_id: Option<String>,
 }
 
 impl CreateCommand {
-    pub fn new(name: String, vault: Option<String>) -> CreateCommand {
-        CreateCommand { name, vault }
+    pub fn new(name: String, vault: Option<String>, key_id: Option<String>) -> CreateCommand {
+        CreateCommand {
+            name,
+            vault,
+            key_id,
+        }
     }
 
     pub fn run(self, options: CommandGlobalOpts) {
@@ -71,13 +81,34 @@ impl CreateCommand {
 
             let vault = vault_state.get().await?;
 
-            let identity = opts
+            let identities_creation = opts
                 .state
                 .get_identities(vault)
                 .await?
-                .identities_creation()
-                .create_identity()
-                .await?;
+                .identities_creation();
+
+            // Create an identity using the KMS key, if provided.
+            let identity = match &self.key_id {
+                Some(key_id) => {
+                    if !vault_state.config().is_aws() {
+                        Err(miette!(
+                            "Vault {} is not an AWS KMS vault",
+                            self.vault.clone().unwrap_or("default".to_string()),
+                        ))
+                    } else {
+                        let handle = SigningSecretKeyHandle::ECDSASHA256CurveP256(
+                            HandleToSecret::new(key_id.as_bytes().to_vec()),
+                        );
+
+                        Ok(identities_creation
+                            .identity_builder()
+                            .with_existing_key(handle)
+                            .build()
+                            .await?)
+                    }
+                }
+                None => Ok(identities_creation.create_identity().await?),
+            }?;
 
             opts.state
                 .create_identity_state(identity.identifier(), Some(&self.name))

diff --git a/implementations/rust/ockam/ockam_command/src/identity/mod.rs b/implementations/rust/ockam/ockam_command/src/identity/mod.rs
@@ -80,7 +80,7 @@ pub fn get_default_identity_name(cli_state: &CliState) -> String {
 /// Create the default identity
 pub fn create_default_identity(opts: &CommandGlobalOpts) {
     let default = "default";
-    let create_command = CreateCommand::new(default.into(), None);
+    let create_command = CreateCommand::new(default.into(), None, None);
     create_command.run(opts.clone().set_quiet());
 
     // Retrieve the identifier if available

diff --git a/implementations/rust/ockam/ockam_command/src/vault/attach_key.rs b/implementations/rust/ockam/ockam_command/src/vault/attach_key.rs
diff --git a/implementations/rust/ockam/ockam_command/src/vault/mod.rs b/implementations/rust/ockam/ockam_command/src/vault/mod.rs
@@ -1,11 +1,9 @@
-mod attach_key;
 mod create;
 mod default;
 mod delete;
 mod list;
 mod show;
 
-use crate::vault::attach_key::AttachKeyCommand;
 use crate::vault::create::CreateCommand;
 use crate::vault::default::DefaultCommand;
 use crate::vault::delete::DeleteCommand;
@@ -34,7 +32,6 @@ pub struct VaultCommand {
 #[derive(Clone, Debug, Subcommand)]
 pub enum VaultSubcommand {
     Create(CreateCommand),
-    AttachKey(AttachKeyCommand),
     Show(ShowCommand),
     Delete(DeleteCommand),
     List(ListCommand),
@@ -45,7 +42,6 @@ impl VaultCommand {
     pub fn run(self, opts: CommandGlobalOpts) {
         match self.subcommand {
             VaultSubcommand::Create(cmd) => cmd.run(opts),
-            VaultSubcommand::AttachKey(cmd) => cmd.run(opts),
             VaultSubcommand::Show(cmd) => cmd.run(opts),
             VaultSubcommand::List(cmd) => cmd.run(opts),
             VaultSubcommand::Delete(cmd) => cmd.run(opts),