ockam_api 0.93.0

Ockam's request-response API
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102

use either::Either;
use ockam::identity::utils::now;
use ockam::identity::Identifier;
use ockam_core::compat::sync::Arc;
use ockam_core::Result;

use crate::authenticator::common::EnrollerAccessControlChecks;
use crate::authenticator::one_time_code::OneTimeCode;
use crate::authenticator::{
    AuthorityEnrollmentTokenRepository, AuthorityMember, AuthorityMembersRepository,
};

pub struct EnrollmentTokenAcceptorError(pub String);

pub type EnrollmentTokenAcceptorResult<T> = Either<T, EnrollmentTokenAcceptorError>;

pub struct EnrollmentTokenAcceptor {
    authority: Identifier,
    pub(super) tokens: Arc<dyn AuthorityEnrollmentTokenRepository>,
    pub(super) members: Arc<dyn AuthorityMembersRepository>,
}

impl EnrollmentTokenAcceptor {
    pub fn new(
        authority: &Identifier,
        tokens: Arc<dyn AuthorityEnrollmentTokenRepository>,
        members: Arc<dyn AuthorityMembersRepository>,
    ) -> Self {
        Self {
            authority: authority.clone(),
            tokens,
            members,
        }
    }

    #[instrument(skip_all, fields(from = %from))]
    pub async fn accept_token(
        &mut self,
        otc: OneTimeCode,
        from: &Identifier,
    ) -> Result<EnrollmentTokenAcceptorResult<()>> {
        let check = EnrollerAccessControlChecks::check_is_member(
            &self.authority,
            self.members.clone(),
            from,
        )
        .await?;

        // Not allow updating existing members
        if check.is_member {
            warn!("{} is already a member", from);
            return Ok(Either::Right(EnrollmentTokenAcceptorError(
                "Already a member".to_string(),
            )));
        }

        let token = match self.tokens.use_token(otc, now()?).await {
            Ok(Some(token)) => token,
            Ok(None) => {
                warn!("Unknown enrollment token received from {}", from);
                return Ok(Either::Right(EnrollmentTokenAcceptorError(
                    "Unknown enrollment token".to_string(),
                )));
            }
            Err(err) => {
                warn!(
                    "Error using an enrollment token received from {}. Error: {}",
                    from, err
                );
                return Ok(Either::Right(EnrollmentTokenAcceptorError(format!(
                    "Error using the enrollment token: {err:?}"
                ))));
            }
        };

        let reference = token.reference();
        let attrs = token
            .attrs
            .iter()
            .map(|(k, v)| (k.as_bytes().to_vec(), v.as_bytes().to_vec()))
            .collect();

        let member = AuthorityMember::new(from.clone(), attrs, token.issued_by, now()?, false);

        if let Err(err) = self.members.add_member(&self.authority, member).await {
            warn!(
                "Error adding member {} using enrollment token: {}",
                from, err
            );
            return Ok(Either::Right(EnrollmentTokenAcceptorError(
                "Error adding member using enrollment token".to_string(),
            )));
        }

        info!(
            "Successfully accepted an enrollment token from {}. Reference: {}",
            from, reference
        );

        Ok(Either::Left(()))
    }
}