refactor: Split out token-fernet driver

Cargo.toml

@@ -3,6 +3,7 @@ members = [
   "crates/api-types",
   "crates/core",
   "crates/keystone",
+  "crates/token-fernet",
   "crates/storage",
   "tests/api",
   "tests/integration",

Dockerfile

@@ -19,6 +19,7 @@ COPY crates/api-types/Cargo.toml /usr/src/keystone/crates/api-types/
 COPY crates/core/Cargo.toml /usr/src/keystone/crates/core/
 COPY crates/keystone/Cargo.toml /usr/src/keystone/crates/keystone/
 COPY crates/storage/Cargo.toml /usr/src/keystone/crates/storage/
+COPY crates/token-fernet/Cargo.toml /usr/src/keystone/crates/token-fernet/
 COPY tests/federation/Cargo.toml /usr/src/keystone/tests/federation/
 COPY tests/integration/Cargo.toml /usr/src/keystone/tests/integration/
 COPY tests/api/Cargo.toml /usr/src/keystone/tests/api/
@@ -30,8 +31,9 @@ RUN mkdir -p keystone/crates/keystone/src/bin && touch keystone/crates/keystone/
   cp keystone/src/main.rs keystone/tests/loadtest/src/main.rs &&\
   mkdir -p keystone/crates/api-types/src && touch keystone/crates/api-types/src/lib.rs &&\
   mkdir -p keystone/crates/core/src && touch keystone/crates/core/src/lib.rs &&\
-  mkdir -p keystone/crates/core/benches && touch keystone/crates/core/benches/fernet_token.rs &&\
-  mkdir -p keystone/crates/storage/src && touch keystone/crates/storage/src/lib.rs
+  mkdir -p keystone/crates/storage/src && touch keystone/crates/storage/src/lib.rs &&\
+  mkdir -p keystone/crates/token-fernet/src && touch keystone/crates/token-fernet/src/lib.rs &&\
+  mkdir -p keystone/crates/token-fernet/benches && touch keystone/crates/token-fernet/benches/fernet_token.rs
 
 # Set the working directory
 WORKDIR /usr/src/keystone
@@ -45,6 +47,7 @@ COPY crates/keystone/ /usr/src/keystone/crates/keystone
 COPY crates/core/ /usr/src/keystone/crates/core
 COPY crates/api-types/ /usr/src/keystone/crates/api-types
 COPY crates/storage/ /usr/src/keystone/crates/storage
+COPY crates/token-fernet/ /usr/src/keystone/crates/token-fernet
 
 ## Touch main.rs to prevent cached release build
 RUN touch crates/keystone/src/lib.rs && touch crates/keystone/src/bin/keystone.rs

crates/core/Cargo.toml

@@ -7,59 +7,40 @@ edition.workspace = true
 license.workspace = true
 homepage.workspace = true
 repository.workspace = true
-autobenches = false
-autobins = false
-
-[[bench]]
-name = "fernet_token"
-harness = false
 
 [dependencies]
 async-trait.workspace = true
-axum = { workspace = true }
+axum.workspace = true
 base64.workspace = true
 bcrypt = { workspace = true, features = ["alloc"] }
-byteorder.workspace = true
-bytes.workspace = true
 chrono.workspace = true
 config = { workspace = true, features = ["async", "ini"] }
 derive_builder.workspace = true
 eyre.workspace = true
-fernet = { workspace = true, features = ["rustcrypto"] }
-futures-util.workspace = true
-itertools.workspace = true
 jsonwebtoken = { version = "10.3", features = ["rust_crypto"] }
 openstack-keystone-api-types = { version = "0.1", path = "../api-types/"}
 mockall = { workspace = true, optional = true }
-nix = { workspace = true, features = ["fs", "user"] }
 rand.workspace = true
 regex.workspace = true
 reqwest = { workspace = true, features = ["json", "http2", "gzip", "deflate"] }
-rmp.workspace = true
 schemars.workspace = true
-scopeguard.workspace = true
 sea-orm.workspace = true
 secrecy = { workspace = true, features = ["serde"] }
 serde.workspace = true
 serde_json.workspace = true
 serde_urlencoded.workspace = true
 tempfile.workspace = true
 thiserror.workspace = true
-tokio = { workspace = true , features = ["fs"]}
+tokio = { workspace = true, features = ["fs"] }
 tracing.workspace = true
 url = { workspace = true, features = ["serde"] }
 url-macro.workspace = true
 uuid = { workspace = true, features = ["v4"] }
 validator = { workspace = true, features = ["derive"] }
 
 [dev-dependencies]
-base64urlsafedata.workspace = true
-criterion = { workspace = true, features = ["async_tokio"] }
 httpmock = { version = "0.8", features = ["http2"] }
 mockall.workspace = true
-rstest.workspace = true
-sea-orm = { workspace = true, features = ["mock" ]}
-tempfile.workspace = true
 tracing-test = { workspace = true, features = ["no-env-filter"] }
 url.workspace = true
 

crates/core/src/tests.rs

@@ -20,7 +20,7 @@ use crate::keystone::{Service, ServiceState};
 use crate::policy::MockPolicy;
 use crate::provider::{Provider, ProviderBuilder};
 
-pub(crate) mod token;
+//pub(crate) mod token;
 
 pub fn get_mocked_state(
     config: Option<Config>,

crates/core/src/token/backend.rs

@@ -18,9 +18,6 @@ use crate::token::{TokenProviderError, types::*};
 
 use crate::keystone::ServiceState;
 
-pub mod fernet;
-pub use fernet::*;
-
 /// Token Provider backend interface.
 #[cfg_attr(test, mockall::automock)]
 pub trait TokenBackend: Send + Sync {

crates/core/src/token/error.rs

@@ -13,14 +13,13 @@
 // SPDX-License-Identifier: Apache-2.0
 //! Token provider errors.
 
-use std::num::TryFromIntError;
-
 use thiserror::Error;
 
 use crate::error::BuilderError;
 
 /// Token provider error.
 #[derive(Error, Debug)]
+#[non_exhaustive]
 pub enum TokenProviderError {
     /// Actor has no roles on the target scope.
     #[error("actor has no roles on scope")]
@@ -54,32 +53,24 @@ pub enum TokenProviderError {
         source: crate::assignment::error::AssignmentProviderError,
     },
 
-    /// AuditID must be urlsafe base64 encoded value.
-    #[error("audit_id must be urlsafe base64 encoded value")]
-    AuditIdWrongFormat,
-
     /// Authentication error.
     #[error(transparent)]
     Authentication(#[from] crate::auth::AuthenticationError),
 
-    /// Base64 Decode error.
-    #[error("b64 decryption error")]
-    Base64Decode(#[from] base64::DecodeError),
-
     /// Conflict.
     #[error("{message}")]
     Conflict { message: String, context: String },
 
-    ///// Database error.
-    //#[error(transparent)]
-    //Database(#[from] DatabaseError),
     /// The domain is disabled.
     #[error("domain is disabled")]
     DomainDisabled(String),
 
     /// Driver error.
-    #[error("backend driver error: {0}")]
-    Driver(String),
+    #[error("backend driver error: {source}")]
+    Driver {
+        #[source]
+        source: Box<dyn std::error::Error + Send + Sync + 'static>,
+    },
 
     /// Expired token.
     #[error("token expired")]
@@ -93,64 +84,10 @@ pub enum TokenProviderError {
     #[error("federated payload must contain idp_id and protocol_id")]
     FederatedPayloadMissingData,
 
-    /// Fernet Decryption.
-    #[error("fernet decryption error")]
-    FernetDecryption(#[from] fernet::DecryptionError),
-
-    /// Missing fernet keys.
-    #[error("no usable fernet keys has been found")]
-    FernetKeysMissing,
-
-    /// Fernet key read error.
-    #[error("fernet key read error: {}", source)]
-    FernetKeyRead {
-        /// The source of the error.
-        source: std::io::Error,
-        /// Key file name.
-        path: std::path::PathBuf,
-    },
-
     /// Identity provider error.
     #[error(transparent)]
     IdentityProvider(#[from] crate::identity::error::IdentityProviderError),
 
-    /// Invalid token data.
-    #[error("invalid token error")]
-    InvalidToken,
-
-    /// Unsupported token version.
-    #[error("token version {0} is not supported")]
-    InvalidTokenType(u8),
-
-    /// Unsupported token uuid.
-    #[error("token uuid is not supported")]
-    InvalidTokenUuid,
-
-    /// Unsupported token uuid coding.
-    #[error("token uuid coding {0:?} is not supported")]
-    InvalidTokenUuidMarker(rmp::Marker),
-
-    /// IO error.
-    #[error("io error: {}", source)]
-    Io {
-        /// The source of the error.
-        #[from]
-        source: std::io::Error,
-    },
-
-    /// Nix errno.
-    #[error("unix error {source} while {context}")]
-    NixErrno {
-        /// Context.
-        context: String,
-        /// The source of the error.
-        source: nix::errno::Errno,
-    },
-
-    /// tempfile persisting error.
-    #[error(transparent)]
-    Persist(#[from] tempfile::PersistError),
-
     /// The project is disabled.
     #[error("project disabled")]
     ProjectDisabled(String),
@@ -167,14 +104,6 @@ pub enum TokenProviderError {
     #[error(transparent)]
     RevokeProvider(#[from] crate::revoke::error::RevokeProviderError),
 
-    /// MSGPack Encryption.
-    #[error("rmp value encoding error")]
-    RmpEncode(String),
-
-    /// MSGPack Decryption.
-    #[error("rmp value error")]
-    RmpValueRead(#[from] rmp::decode::ValueReadError),
-
     /// Role provider error.
     #[error(transparent)]
     RoleProvider {
@@ -195,15 +124,6 @@ pub enum TokenProviderError {
     #[error("subject information missing")]
     SubjectMissing,
 
-    /// Fernet payload timestamp overflow error.
-    #[error("fernet payload timestamp overflow ({value}): {}", source)]
-    TokenTimestampOverflow {
-        /// Token timestamp.
-        value: u64,
-        /// The source of the error.
-        source: std::num::TryFromIntError,
-    },
-
     /// Token restriction not found error.
     #[error("token restriction {0} not found")]
     TokenRestrictionNotFound(String),
@@ -220,14 +140,6 @@ pub enum TokenProviderError {
     #[error("trustee domain disabled")]
     TrustorDomainDisabled,
 
-    /// Integer conversion error.
-    #[error("int parse")]
-    TryFromIntError(#[from] TryFromIntError),
-
-    /// Unsupported authentication methods in token payload.
-    #[error("unsupported authentication methods {0} in token payload")]
-    UnsupportedAuthMethods(String),
-
     /// Unsupported token restriction driver.
     #[error("driver `{0}` is not supported for the token provider")]
     UnsupportedDriver(String),

crates/core/src/token/service.rs

@@ -66,14 +66,14 @@ impl TokenService {
         plugin_manager: &P,
     ) -> Result<Self, TokenProviderError> {
         let backend_driver = plugin_manager
-            .get_token_backend(&config.token.provider.to_string())?
+            .get_token_backend(config.token.provider.to_string())?
             .clone();
         let tr_backend_driver = plugin_manager
             .get_token_restriction_backend(&config.token_restriction.driver)?
             .clone();
         Ok(Self {
             config: config.clone(),
-            backend_driver: backend_driver,
+            backend_driver,
             tr_backend_driver,
         })
     }
@@ -1045,7 +1045,7 @@ mod tests {
     fn get_provider(config: &Config, token_mock: Option<MockTokenBackend>) -> TokenService {
         TokenService {
             config: config.clone(),
-            backend_driver: Arc::new(token_mock.unwrap_or(MockTokenBackend::default())),
+            backend_driver: Arc::new(token_mock.unwrap_or_default()),
             tr_backend_driver: Arc::new(MockTokenRestrictionBackend::default()),
         }
     }

crates/core/src/token/types.rs

@@ -114,7 +114,7 @@ impl Token {
     ///
     /// An internal method (available only within the module) to set the
     /// `issued_at` into the token payload.
-    pub(super) fn set_issued_at(&mut self, issued_at: DateTime<Utc>) -> &mut Self {
+    pub fn set_issued_at(&mut self, issued_at: DateTime<Utc>) -> &mut Self {
         match self {
             Self::ApplicationCredential(x) => x.issued_at = issued_at,
             Self::DomainScope(x) => x.issued_at = issued_at,