pub struct Identity { /* private fields */ }
Caller-owned identity bundle: one ed25519 keypair + one token cache.
See the module docs for generation / persistence / issuance semantics.
Implementations
impl Identity
pub fn generate() -> Self
Generate a fresh ed25519 identity.
Use once at first-run; persist the returned bytes via
Self::to_bytes and reload with Self::from_bytes on
subsequent runs. Every call to generate() produces a new
entity id — don’t call it on every startup unless you actually
want a fresh identity (you almost never do).
pub fn to_bytes(&self) -> [u8; 32]
Serialize the identity as its 32-byte seed. Token cache entries
are runtime-only and not serialized — reinstall any long-lived
grants via Self::install_token after reloading.
pub fn from_bytes(bytes: &[u8]) -> Result<Self, TokenError>
Load a previously-serialized identity. Expects exactly 32
bytes — the ed25519 seed — otherwise returns
TokenError::InvalidFormat.
pub fn origin_hash(&self) -> u64
Derived 64-bit hash used in packet headers (OriginStamp).
pub fn sign(&self, message: &[u8]) -> [u8; 64]
Sign arbitrary bytes. Typically used by the transport to sign
CapabilityAnnouncements; exposed here so callers can sign
their own out-of-band messages with the same identity.
pub fn issue_token(
    &self,
    subject: EntityId,
    scope: TokenScope,
    channel: &ChannelName,
    ttl: Duration,
    delegation_depth: u8,
) -> PermissionToken
Issue a scoped permission token to subject.
Short TTLs + periodic re-issuance is the designed v1 answer to
revocation — a PermissionToken has no CRL lookup. Pick
TTLs that match how long you’d tolerate a compromised token
being valid.
delegation_depth = 0 disallows re-delegation (subject cannot
mint further tokens from this one).
ttl == Duration::ZERO is soft-clamped to 1 second (the
minimum non-born-expired TTL), and a ttl longer than
MAX_TOKEN_TTL_SECS is soft-clamped down to that ceiling.
Both keep this infallible surface non-panicking: try_issue
rejects an over-long TTL with TokenError::TtlTooLong, which
the .expect() in the function body would otherwise turn into a
process abort. In debug builds a debug_assert! fires so either misuse
surfaces in tests; in release the SDK keeps a non-panicking
surface for callers that may receive an out-of-range value from
upstream configuration. Callers that need to reject these at
the boundary should use Self::try_issue_token, which returns
TokenError::ZeroTtl / TokenError::TtlTooLong.
pub fn try_issue_token(
    &self,
    subject: EntityId,
    scope: TokenScope,
    channel: &ChannelName,
    ttl: Duration,
    delegation_depth: u8,
) -> Result<PermissionToken, TokenError>
Fallible variant of Self::issue_token.
Returns TokenError::ZeroTtl when ttl == Duration::ZERO. Pre-fix this minted a born-expired token
— every receiver rejected it as Expired and the issuer
learned about the misuse only by reading log lines on the
receiver side.
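The two TTL behaviours described for issue_token and try_issue_token, as an added stand-alone model (not the SDK's own code): the release-build soft clamp beside the fallible check, plus a hypothetical ttl_from_config helper that rejects out-of-range values at the configuration boundary. MAX_TOKEN_TTL_SECS is set to a placeholder value, TtlError is a local stand-in for the TokenError variants, and the debug_assert! is left out.

```rust
use std::time::Duration;

// Placeholder ceiling: the page names MAX_TOKEN_TTL_SECS but not its value.
const MAX_TOKEN_TTL_SECS: u64 = 3600;

// Local stand-in for the two TTL-related TokenError variants named on the page.
#[derive(Debug, PartialEq)]
enum TtlError {
    ZeroTtl,
    TtlTooLong,
}

/// Soft clamp as described for issue_token in release builds: never fails.
/// Sub-second TTLs are not covered by the page; this model passes them through.
fn soft_clamp_ttl(ttl: Duration) -> Duration {
    let max = Duration::from_secs(MAX_TOKEN_TTL_SECS);
    if ttl.is_zero() {
        Duration::from_secs(1)
    } else if ttl > max {
        max
    } else {
        ttl
    }
}

/// Fallible check as described for try_issue_token: out-of-range is an error.
fn checked_ttl(ttl: Duration) -> Result<Duration, TtlError> {
    if ttl.is_zero() {
        Err(TtlError::ZeroTtl)
    } else if ttl > Duration::from_secs(MAX_TOKEN_TTL_SECS) {
        Err(TtlError::TtlTooLong)
    } else {
        Ok(ttl)
    }
}

/// Hypothetical boundary helper: parse a TTL in seconds from upstream config and
/// fail closed, so a bad value is reported instead of being clamped silently.
fn ttl_from_config(raw: &str) -> Result<Duration, String> {
    let secs: u64 = raw.trim().parse().map_err(|e| format!("ttl {raw:?}: {e}"))?;
    checked_ttl(Duration::from_secs(secs)).map_err(|e| format!("ttl {raw:?}: {e:?}"))
}

fn main() {
    // Constructed sample config values: in range, zero, over the ceiling, malformed.
    for raw in ["300", "0", "86400", "5m"] {
        let clamped = raw.parse::<u64>().map(|s| soft_clamp_ttl(Duration::from_secs(s)));
        println!("{raw:>6}: clamped={clamped:?} checked={:?}", ttl_from_config(raw));
    }
}
```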
pub fn install_token(&self, token: PermissionToken) -> Result<(), TokenError>
Install a token received from another issuer — typically a
delegated subscribe / publish grant. The signature is verified
on insert; an invalid token returns
TokenError::InvalidSignature.
pub fn lookup_token(
    &self,
    subject: &EntityId,
    channel: &ChannelName,
) -> Option<PermissionToken>
Look up a cached token by (subject, channel). Sub-microsecond
(DashMap-backed). Returns None if no exact-channel token is
cached; the transport’s wildcard fallback is handled separately
by TokenCache::check.
pub fn keypair(&self) -> &Arc<EntityKeypair>
Shared reference to the underlying keypair. Used by the mesh
builder to hand the keypair to MeshNode::new; most callers
don’t need this directly.
pub fn token_cache(&self) -> &Arc<TokenCache>
Shared reference to the underlying token cache. Used by the transport to check subscribe authorizations; most callers don’t need this directly.