Crate ockam

End-to-end encrypted, mutually authenticated, secure communication.

A hands-on guide 👉.

Data, within modern distributed applications, are rarely exchanged over a single point-to-point transport connection. Application messages routinely flow over complex, multi-hop, multi-protocol routes — across data centers, through queues and caches, via gateways and brokers — before reaching their end destination.

Transport layer security protocols are unable to protect application messages because their protection is constrained by the length and duration of the underlying transport connection.

Ockam makes it simple for our applications to guarantee end-to-end integrity, authenticity, and confidentiality of data. We no longer have to implicitly depend on the defenses of every machine or application within the same, usually porous, network boundary. Our application’s messages don’t have to be vulnerable at every point, along their journey, where a transport connection terminates.

Instead, our application can have a strikingly smaller vulnerability surface and easily make granular authorization decisions about all incoming information and commands.

Features

• End-to-end encrypted, mutually authenticated secure channels.
• Multi-hop, multi-transport, application layer routing.
• Key establishment, rotation, and revocation - for fleets, at scale.
• Lightweight, Concurrent, Stateful Workers that enable simple APIs.
• Attribute-based Access Control - credentials with selective disclosure.
• Add-ons for a variety of operating environments, transport protocols, and cryptographic hardware.

Documentation

Tutorials, examples and reference guides are available at docs.ockam.io.

Re-exports

• pub use ockam_abac as abac;
• pub use ockam_identity as identity;
• pub use node::*;

Modules

• access_control
  Access Control
• application_migration_set
  This module defines the migrations to apply to the application database
• compat
  Compatibility adapter, mostly for no_std use.
• debugger
  Debugger
• errcode
  A module to export the error code in a meaningful way
• flow_control
  Flow Controls
• migration_20231231100000_node_name_identity_attributes
  This migration adds a node name column to the identity attributes table
• migration_20240111100001_add_authority_tables
  This migration moves attributes from identity_attributes to the authority_member table for authority nodes
• migration_20240111100002_delete_trust_context
  This migration updates policies to not rely on trust_context_id, also introduces node_name and replicates policy for each existing node
• migration_20240212100000_split_policies
  This migration moves policies attached to resource types from table “resource_policy” to “resource_type_policy”
• migration_20240313100000_remove_orphan_resources
  This migration removes orphan resources
• node
  List of all top-level services
• node_migration_set
  This module defines the migrations to apply to the appliaction database
• remote
  RemoteRelay allows registering node within a Cloud Node with dynamic or static alias, which allows other nodes forward messages to local workers on this node using that alias.
• vault
  Types and traits relating to ockam vaults.
• workers
  A collection of utility workers for various use cases.

Macros

• route
  Creates a new Route from a comma-delimited list of Addresses.

Structs

• Address
  A generic address type.
• Any
  A passthrough marker message type.
• Context
  Context contains Node state and references to the runtime.
• DelayedEvent
  Allow to send message to destination address periodically after some delay Only one scheduled heartbeat allowed at a time Dropping this handle cancels scheduled heartbeat
• Error
  The type of errors returned by Ockam functions.
• Executor
  Underlying Ockam node executor
• LocalMessage
  A message type that is routed locally within a single node.
• Mailbox
  A Mailbox controls the dispatch of incoming messages for a particular Address Note that Worker, Processor and Context may have multiple Mailboxes (with different addresses), but they always have exactly one mpsc receiver (message queue)
• Mailboxes
  A collection of Mailboxes for a specific Worker, Processor or Context
• MessageReceiveOptions
  Full set of options to send_and_receive_extended function
• MessageSendReceiveOptions
  Full set of options to send_and_receive_extended function
• Migrator
  Migrator is responsible for running Sql and Rust migrations side by side in the correct order, checking for conflicts, duplicates; making sure each migration runs only once
• NodeBuilder
  Start a node with a custom setup configuration
• ProtocolId
  A user-defined protocol identifier.
• RelayService
  Alias worker to register remote workers under local names.
• RelayServiceOptions
  Trust Options for a Forwarding Service
• Route
  A full route to a peer.
• Routed
  A message wrapper that provides message route information.
• SqlxDatabase
  The SqlxDatabase struct is used to create a database:
• TcpConnectionOptions
  Trust Options for a TCP connection
• TcpInletOptions
  Trust Options for an Inlet
• TcpListenerOptions
  Trust Options for a TCP listener
• TcpOutletOptions
  Trust Options for an Outlet
• TcpTransport
  High level management interface for TCP transports
• TransportMessage
  A generic transport message type.
• WorkerBuilder
  Start a Worker with a custom configuration

Enums

• OckamError
  An enumeration of different error types emitted by this library.
• SqlxType
  This enum represents the set of types that we currently support in our database Since we support only Sqlite at the moment, those types are close to what is supported by Sqlite: https://www.sqlite.org/datatype3.html

Traits

• AsyncTryClone
  Clone trait for async structs.
• FromSqlxError
  This trait provides some syntax for transforming sqlx errors into ockam errors
• Message
  A user defined message that can be serialised and deserialized.
• MigrationSet
  This trait runs migrations on a given database
• Processor
  Defines an interface for Ockam Workers that need to continuously perform background operations.
• RustMigration
  Individual rust migration
• TcpTransportExtension
  This trait adds a create_tcp_transport method to any struct returning a Context. This is the case for an ockam::Node, so you can write node.create_tcp_transport()
• ToSqlxType
  This trait can be implemented by any type that can be converted to a database type Typically an Identifier (to a Text), a TimestampInSeconds (to an Integer) etc…
• ToVoid
  This trait provides some syntax to shorten queries execution returning ()
• Worker
  Defines the core interface shared by all Ockam Workers.

Functions

• allow
  Produces Ok(true) to avoid an ambiguous reading from using the unadorned value in auth code.
• deny
  Produces Ok(false) to avoid an ambiguous reading from using the unadorned value in auth code.

Type Aliases

• Encoded
  Alias of the type used for encoded data.
• Result

Attribute Macros

• node
  Marks an async function to be run in an ockam node.
• processor
  Mark an Ockam Processor implementation.
• test
  Marks an async test function to be run in an ockam node.
• worker
  Mark an Ockam Worker implementation.

Derive Macros

• AsyncTryClone
  Implements the AsyncTryClone trait for a type.
• Message
  Implements the Message trait for a type.