ockam_api 0.93.0

Ockam's request-response API
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199

use sqlx::*;
use std::path::PathBuf;
use std::sync::Arc;

use crate::cli_state::{NamedVault, UseAwsKms, VaultType, VaultsRepository};
use ockam::{FromSqlxError, SqlxDatabase, ToVoid};
use ockam_core::async_trait;
use ockam_core::Result;
use ockam_node::database::AutoRetry;
use ockam_node::database::{Boolean, Nullable};

#[derive(Clone)]
pub struct VaultsSqlxDatabase {
    database: SqlxDatabase,
}

impl VaultsSqlxDatabase {
    pub fn new(database: SqlxDatabase) -> Self {
        debug!("create a repository for vaults");
        Self { database }
    }

    /// Create a repository
    pub fn make_repository(database: SqlxDatabase) -> Arc<dyn VaultsRepository> {
        if database.needs_retry() {
            Arc::new(AutoRetry::new(Self::new(database)))
        } else {
            Arc::new(Self::new(database))
        }
    }

    /// Create a new in-memory database
    pub async fn create() -> Result<Self> {
        Ok(Self::new(SqlxDatabase::in_memory("vaults").await?))
    }
}

#[async_trait]
impl VaultsRepository for VaultsSqlxDatabase {
    async fn store_vault(&self, name: &str, vault_type: VaultType) -> Result<NamedVault> {
        let mut transaction = self.database.begin().await.into_core()?;

        let query1 =
            query_scalar("SELECT EXISTS(SELECT 1 FROM vault WHERE is_default = $1)").bind(true);
        let default_exists: Boolean = query1.fetch_one(&mut *transaction).await.into_core()?;
        let default_exists = default_exists.to_bool();

        let query = query(
            r#"
        INSERT INTO
            vault (name, path, is_default, is_kms)
            VALUES ($1, $2, $3, $4)
            ON CONFLICT (name)
            DO UPDATE SET path = $2, is_default = $3, is_kms = $4"#,
        )
        .bind(name)
        .bind(vault_type.path().map(|p| p.to_string_lossy().to_string()))
        .bind(!default_exists)
        .bind(vault_type.use_aws_kms());
        query.execute(&mut *transaction).await.void()?;

        transaction.commit().await.void()?;
        Ok(NamedVault::new(name, vault_type, !default_exists))
    }

    async fn update_vault(&self, name: &str, vault_type: VaultType) -> Result<()> {
        let query = query("UPDATE vault SET path = $1, is_kms = $2 WHERE name = $3")
            .bind(vault_type.path().map(|p| p.to_string_lossy().to_string()))
            .bind(vault_type.use_aws_kms())
            .bind(name);
        query.execute(&*self.database.pool).await.void()
    }

    async fn delete_named_vault(&self, name: &str) -> Result<()> {
        let query = query("DELETE FROM vault WHERE name = $1").bind(name);
        query.execute(&*self.database.pool).await.void()
    }

    async fn get_database_vault(&self) -> Result<Option<NamedVault>> {
        let query = query_as("SELECT name, path, is_default, is_kms FROM vault WHERE path is NULL");
        let row: Option<VaultRow> = query
            .fetch_optional(&*self.database.pool)
            .await
            .into_core()?;
        row.map(|r| r.named_vault()).transpose()
    }

    async fn get_named_vault(&self, name: &str) -> Result<Option<NamedVault>> {
        let query =
            query_as("SELECT name, path, is_default, is_kms FROM vault WHERE name = $1").bind(name);
        let row: Option<VaultRow> = query
            .fetch_optional(&*self.database.pool)
            .await
            .into_core()?;
        row.map(|r| r.named_vault()).transpose()
    }

    async fn get_named_vaults(&self) -> Result<Vec<NamedVault>> {
        let query = query_as("SELECT name, path, is_default, is_kms FROM vault");
        let rows: Vec<VaultRow> = query.fetch_all(&*self.database.pool).await.into_core()?;
        rows.iter().map(|r| r.named_vault()).collect()
    }
}

// Database serialization / deserialization

#[derive(FromRow)]
pub(crate) struct VaultRow {
    name: String,
    path: Nullable<String>,
    is_default: Boolean,
    is_kms: Boolean,
}

impl VaultRow {
    pub(crate) fn named_vault(&self) -> Result<NamedVault> {
        Ok(NamedVault::new(
            &self.name,
            self.vault_type(),
            self.is_default(),
        ))
    }

    pub(crate) fn vault_type(&self) -> VaultType {
        match self.path.to_option() {
            None => VaultType::database(UseAwsKms::from(self.is_kms.to_bool())),
            Some(p) => VaultType::local_file(
                PathBuf::from(p).as_path(),
                UseAwsKms::from(self.is_kms.to_bool()),
            ),
        }
    }

    pub(crate) fn is_default(&self) -> bool {
        self.is_default.to_bool()
    }
}

#[cfg(test)]
mod test {
    use super::*;
    use ockam_node::database::with_dbs;
    use std::sync::Arc;

    #[tokio::test]
    async fn test_repository() -> Result<()> {
        with_dbs(|db| async move {
            let repository: Arc<dyn VaultsRepository> = Arc::new(VaultsSqlxDatabase::new(db));

            // A vault can be defined with a path and stored under a specific name
            let vault_type = VaultType::local_file("path", UseAwsKms::No);
            let named_vault1 = repository.store_vault("vault1", vault_type.clone()).await?;
            let expected = NamedVault::new("vault1", vault_type.clone(), true);
            assert_eq!(named_vault1, expected);

            // The vault can then be retrieved with its name
            let result = repository.get_named_vault("vault1").await?;
            assert_eq!(result, Some(named_vault1.clone()));

            // Another vault can be created.
            // It is not the default vault
            let vault_type = VaultType::local_file("path2", UseAwsKms::No);
            let named_vault2 = repository.store_vault("vault2", vault_type.clone()).await?;
            let expected = NamedVault::new("vault2", vault_type.clone(), false);
            // it is not the default vault
            assert_eq!(named_vault2, expected);

            // The first vault can be set at another path
            let vault_type = VaultType::local_file("path2", UseAwsKms::No);
            repository
                .update_vault("vault1", vault_type.clone())
                .await?;
            let result = repository.get_named_vault("vault1").await?;
            assert_eq!(result, Some(NamedVault::new("vault1", vault_type, true)));

            // The first vault can be deleted
            repository.delete_named_vault("vault1").await?;
            let result = repository.get_named_vault("vault1").await?;
            assert_eq!(result, None);
            Ok(())
        })
        .await
    }

    #[tokio::test]
    async fn test_store_kms_vault() -> Result<()> {
        with_dbs(|db| async move {
            let repository: Arc<dyn VaultsRepository> = Arc::new(VaultsSqlxDatabase::new(db));

            // It is possible to create a vault storing its signing keys in an AWS KMS
            let vault_type = VaultType::database(UseAwsKms::Yes);
            let kms = repository.store_vault("kms", vault_type.clone()).await?;
            let expected = NamedVault::new("kms", vault_type, true);
            assert_eq!(kms, expected);
            Ok(())
        })
        .await
    }
}