refactor(rust): extract identity as an entity #4542
@mrinalwadhwa we can plug in vaults and transports with this PR. You also wrote "async executor". How is it possible at the moment since the
implementations/rust/ockam/ockam_identity/src/secure_channels/secure_channels.rs
I didn't go through the whole PR due to its size, but the structure overall looks good to me. We can merge and discuss later
to be able to compile rust doc examples to build a node
## Introduction

This PR aims at simplifying the current handling of identities to provide:

- a better notion of `Identity`: at the moment an `Identity` is not only a set of key changes representing a specific actor in the system but also a set of services shared by all the actors (to persist keys, sign them, store attributes etc.). As a result a redundant notion of `PublicIdentity` had to be introduced. Moreover it is not even possible to simply `clone` an `Identity` since it contains a `Context`
- a more consistent and navigable API for the available services which can be used to
Since the notion of `Identity` is tied to most of the library, this PR is necessarily touching many files. The following sections describe the main changes.

## The `ockam_identity` crate

The top-level folders in the `ockam_identity` crate are organized around "entity" (singular) and "entities" (plural, services for 'entity') modules:

- `credential`: `CredentialData`, `Credential`
- `credentials`: `Credentials` service
- `identity`: `Identity`, `IdentityChangeHistory`, `IdentityIdentifier`
- `identities`: `Identities`, `IdentitiesCreation` services
- `secure_channel`: `TrustOptions`, `Addresses` etc.
- `secure_channels`: `SecureChannels` services

### Data types

The main changes are:

- `Identity` is now just a set of key changes and an identifier, no more services, no more `Context`
- `PublicIdentity` (and corresponding functions) has been removed
- `CredentialBuilder` had to have some modifications to incorporate the issuer (it was implicit before when doing `identity.issue_credential`)

### Node Services

- `Identities` is a set of services to manage identities
  - `IdentitiesCreation` to create / import identities
  - `IdentitiesKeys` to manage identities keys
  - `Credentials` to manage attributes and credentials
  - `CredentialsServer` to start a worker serving credentials
- The `Identities` services are backed by
  - `IdentitiesVault` to store keys and provide cryptographic information
  - `IdentitiesRepository` to persist identities data (attributes etc.). It has 4 interfaces
    - `IdentityAttributesWriter` to persist the attributes of an identity
    - `IdentityAttributesReader` to retrieve the attributes of an identity
    - `IdentitiesWriter` to persist a known identity
    - `IdentitiesReader` to get a persisted known identity
- `SecureChannels` is a set of services used to create secure channels
  - `Identities` services (so it uses the same underlying vault)
  - `SecureChannelsRegistry`

Note on vaults: strictly speaking there is one less vault interface needed to manage identities (no need for `SymmetricVault`). However introducing a distinction between `IdentitiesVault` and `SecureChannelsVault` led to more difficulties than necessary for no obvious modularity gain.

Additional note: the `Context` which was stored before inside `Identity` is now explicitly passed as an argument when running operations requiring it, for example to create a secure channel. This makes that part slightly more verbose but it also dispenses with the creation of a full `Context` when doing simple identity operations like storing attributes.

### Builders

`Identities` and `SecureChannels` can be created using a builder pattern. For example

In the user guide examples a `Services` struct is available, and gives access to all the required services to create identities, secure channels, access credentials etc. (see the modified examples). This leaves the room open for other types of services (projects, spaces?). It also opens the possibility to encapsulate the creation of transports in the future (`services.create_tcp_transport().await?`) but I haven't explored that yet.
## The `ockam_api` crate

### NodeManager

The `NodeManager` now has

- `Identity`
- credential
- `SecureChannels` services (all sub-services like `identities_creation` can be directly accessed via `NodeManager::self`)

The independent `Vault` and `AttributesStorage` have been removed since they are now implementation details of `SecureChannels`. The `NodeManager` uses a `SecureChannels` builder.

### NodeIdentities

A `NodeIdentities` struct has been introduced to help implement the `IdentitiesService` endpoint, where a default vault is used unless a vault name is specified. I suspect that there could be better/more refactorings there.

## The `ockam_command` crate

On the `ockam_command` side we are mostly adapting to the changes in `ockam_api`. One thing to notice is that it is less frequent to require a `Context` to run operations.

## Examples

At the top-level, since we separate an `Identity` from various capabilities (creation, secure channels), we need to change the user-facing API. The proposal is to do the following:

In the code above:

- we instantiate a default set of `ockam` services as a `node`. The default implementations of all services store data in memory but there is also a `node::builder()` to configure exactly how we want implementations to behave
- we obtain various capabilities: create identities, or start secure channels from the `services` variable. One advantage of this approach is that it makes the top level API discoverable in an IDE by simply asking the IDE to propose completions
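The entity/service split described in the Node Services, Builders and Examples sections, as an added standalone Rust illustration that is not ockam_identity code: every type, method and the identifier derivation here is a hypothetical stand-in. It shows `Identity` as plain, cloneable data whose identifier depends only on its key change history, persistence behind a repository trait, and a builder that defaults to an in-memory backend unless another one is plugged in.

```rust
// Added illustration, not ockam_identity code: every name here is hypothetical.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
/// One key change in an identity's history (hypothetical shape).
#[derive(Clone, Debug, PartialEq, Hash)]
pub struct KeyChange { pub public_key: Vec<u8> }
/// The entity: identifier + change history, no services, no Context, so plain clonable data.
#[derive(Clone, Debug, PartialEq)]
pub struct Identity { pub identifier: String, pub change_history: Vec<KeyChange> }
impl Identity {
    /// Stand-in: the identifier is derived from the whole change history (DefaultHasher is not cryptographic).
    pub fn from_history(change_history: Vec<KeyChange>) -> Self {
        let mut h = DefaultHasher::new();
        change_history.hash(&mut h);
        Identity { identifier: format!("I{:016x}", h.finish()), change_history }
    }
}
/// Persistence is a service interface (the PR's IdentitiesWriter/IdentitiesReader split).
pub trait IdentitiesRepository {
    fn put_identity(&mut self, identity: &Identity);
    fn get_identity(&self, identifier: &str) -> Option<Identity>;
}
/// Default backend: in memory, like the PR's default service implementations.
#[derive(Default)] pub struct InMemoryRepository { stored: Vec<Identity> }
impl IdentitiesRepository for InMemoryRepository {
    fn put_identity(&mut self, identity: &Identity) { self.stored.push(identity.clone()) }
    fn get_identity(&self, identifier: &str) -> Option<Identity> {
        self.stored.iter().find(|i| i.identifier == identifier).cloned()
    }
}
/// Creation service: persists every identity it creates through the repository.
pub struct IdentitiesCreation { repository: Box<dyn IdentitiesRepository> }
impl IdentitiesCreation {
    pub fn create_identity(&mut self, initial_key: Vec<u8>) -> Identity {
        let identity = Identity::from_history(vec![KeyChange { public_key: initial_key }]);
        self.repository.put_identity(&identity);
        identity
    }
    pub fn get_identity(&self, id: &str) -> Option<Identity> { self.repository.get_identity(id) }
}
/// Builder: uses the in-memory repository unless another backend is plugged in.
#[derive(Default)] pub struct IdentitiesBuilder { repository: Option<Box<dyn IdentitiesRepository>> }
impl IdentitiesBuilder {
    pub fn with_repository(mut self, r: Box<dyn IdentitiesRepository>) -> Self { self.repository = Some(r); self }
    pub fn build(self) -> IdentitiesCreation {
        let repository = self.repository
            .unwrap_or_else(|| Box::new(InMemoryRepository::default()) as Box<dyn IdentitiesRepository>);
        IdentitiesCreation { repository }
    }
}
```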
## TO BE DONE

- The `CHANGELOG` files for each crate have not been updated with all the changes yet.
- Examples in the documentation also need to be updated.