chore(rust): move identity_attributes from authority info

examples/rust/get_started/examples/06-credentials-exchange-issuer.rs

@@ -56,6 +56,7 @@ async fn main(ctx: Context) -> Result<()> {
     // distinct for each identifier, but for this example we'll keep things simple.
     let credential_issuer = CredentialIssuerWorker::new(
         members.clone(),
+        node.identities_attributes(),
         node.credentials(),
         &issuer,
         "test".to_string(),

implementations/rust/ockam/ockam_api/src/authenticator/common.rs

@@ -1,6 +1,6 @@
 use crate::authenticator::direct::{OCKAM_ROLE_ATTRIBUTE_ENROLLER_VALUE, OCKAM_ROLE_ATTRIBUTE_KEY};
 use crate::authenticator::AuthorityMembersRepository;
-use ockam::identity::Identifier;
+use ockam::identity::{Identifier, IdentitiesAttributes};
 use ockam_core::Result;
 use std::collections::BTreeMap;
 use std::sync::Arc;
@@ -39,12 +39,11 @@ impl EnrollerAccessControlChecks {
         false
     }
 
-    pub(crate) async fn check_identifier(
+    pub(crate) async fn check_is_member(
         members: Arc<dyn AuthorityMembersRepository>,
         identifier: &Identifier,
-        account_authority: &Option<AccountAuthorityInfo>,
     ) -> Result<EnrollerCheckResult> {
-        let mut r = match members.get_member(identifier).await? {
+        let r = match members.get_member(identifier).await? {
             Some(member) => {
                 let is_enroller = Self::check_bin_attributes_is_enroller(member.attributes());
                 EnrollerCheckResult {
@@ -61,9 +60,20 @@ impl EnrollerAccessControlChecks {
                 is_pre_trusted: false,
             },
         };
+
+        Ok(r)
+    }
+
+    pub(crate) async fn check_identifier(
+        members: Arc<dyn AuthorityMembersRepository>,
+        identities_attributes: Arc<IdentitiesAttributes>,
+        identifier: &Identifier,
+        account_authority: &Option<AccountAuthorityInfo>,
+    ) -> Result<EnrollerCheckResult> {
+        let mut r = Self::check_is_member(members, identifier).await?;
+
         if let Some(info) = account_authority {
-            if let Some(attrs) = info
-                .identities_attributes()
+            if let Some(attrs) = identities_attributes
                 .get_attributes(identifier, info.account_authority())
                 .await?
             {

implementations/rust/ockam/ockam_api/src/authenticator/credential_issuer/credential_issuer.rs

@@ -4,7 +4,7 @@ use crate::authenticator::direct::AccountAuthorityInfo;
 use crate::authenticator::AuthorityMembersRepository;
 use ockam::identity::models::{CredentialAndPurposeKey, CredentialSchemaIdentifier};
 use ockam::identity::utils::AttributesBuilder;
-use ockam::identity::{Attributes, Credentials, Identifier};
+use ockam::identity::{Attributes, Credentials, Identifier, IdentitiesAttributes};
 use ockam_core::compat::sync::Arc;
 use ockam_core::Result;
 
@@ -20,6 +20,7 @@ pub const DEFAULT_CREDENTIAL_VALIDITY: Duration = Duration::from_secs(30 * 24 *
 /// This struct runs as a Worker to issue credentials based on a request/response protocol
 pub struct CredentialIssuer {
     members: Arc<dyn AuthorityMembersRepository>,
+    identities_attributes: Arc<IdentitiesAttributes>,
     credentials: Arc<Credentials>,
     issuer: Identifier,
     subject_attributes: Attributes,
@@ -30,9 +31,11 @@ pub struct CredentialIssuer {
 
 impl CredentialIssuer {
     /// Create a new credentials issuer
+    #[allow(clippy::too_many_arguments)]
     #[instrument(skip_all, fields(issuer = %issuer, project_identifier = project_identifier.clone(), credential_ttl = credential_ttl.map_or("n/a".to_string(), |d| d.as_secs().to_string())))]
     pub fn new(
         members: Arc<dyn AuthorityMembersRepository>,
+        identities_attributes: Arc<IdentitiesAttributes>,
         credentials: Arc<Credentials>,
         issuer: &Identifier,
         project_identifier: String,
@@ -54,6 +57,7 @@ impl CredentialIssuer {
 
         Self {
             members,
+            identities_attributes,
             credentials,
             issuer: issuer.clone(),
             subject_attributes,
@@ -69,8 +73,8 @@ impl CredentialIssuer {
     ) -> Result<Option<CredentialAndPurposeKey>> {
         // Check if it has a valid project admin credential
         if let Some(info) = self.account_authority.as_ref() {
-            if let Some(attrs) = info
-                .identities_attributes()
+            if let Some(attrs) = self
+                .identities_attributes
                 .get_attributes(subject, info.account_authority())
                 .await?
             {

implementations/rust/ockam/ockam_api/src/authenticator/credential_issuer/credential_issuer_worker.rs

@@ -5,7 +5,9 @@ use tracing::trace;
 use crate::authenticator::credential_issuer::CredentialIssuer;
 use crate::authenticator::direct::AccountAuthorityInfo;
 use crate::authenticator::AuthorityMembersRepository;
-use ockam::identity::{Credentials, Identifier, IdentitySecureChannelLocalInfo};
+use ockam::identity::{
+    Credentials, Identifier, IdentitiesAttributes, IdentitySecureChannelLocalInfo,
+};
 use ockam_core::api::{Method, RequestHeader, Response};
 use ockam_core::compat::boxed::Box;
 use ockam_core::compat::sync::Arc;
@@ -20,8 +22,10 @@ pub struct CredentialIssuerWorker {
 
 impl CredentialIssuerWorker {
     /// Create a new credentials issuer
+    #[allow(clippy::too_many_arguments)]
     pub fn new(
         members: Arc<dyn AuthorityMembersRepository>,
+        identities_attributes: Arc<IdentitiesAttributes>,
         credentials: Arc<Credentials>,
         issuer: &Identifier,
         project_identifier: String,
@@ -32,6 +36,7 @@ impl CredentialIssuerWorker {
         Self {
             credential_issuer: CredentialIssuer::new(
                 members,
+                identities_attributes,
                 credentials,
                 issuer,
                 project_identifier,

implementations/rust/ockam/ockam_api/src/authenticator/direct/direct_authenticator.rs

@@ -1,10 +1,9 @@
 use either::Either;
-use ockam::identity::IdentitiesAttributes;
 use std::collections::{BTreeMap, HashMap};
 
 use ockam::identity::utils::now;
-use ockam::identity::AttributesEntry;
 use ockam::identity::Identifier;
+use ockam::identity::{AttributesEntry, IdentitiesAttributes};
 use ockam_core::compat::sync::Arc;
 use ockam_core::Result;
 
@@ -24,34 +23,29 @@ pub type DirectAuthenticatorResult<T> = Either<T, DirectAuthenticatorError>;
 
 pub struct DirectAuthenticator {
     members: Arc<dyn AuthorityMembersRepository>,
+    identities_attributes: Arc<IdentitiesAttributes>,
     account_authority: Option<AccountAuthorityInfo>,
 }
 #[derive(Clone)]
 pub struct AccountAuthorityInfo {
-    identities_attributes: Arc<IdentitiesAttributes>,
     account_authority: Identifier,
     project_identifier: String,
     enforce_admin_checks: bool,
 }
 
 impl AccountAuthorityInfo {
     pub fn new(
-        identities_attributes: Arc<IdentitiesAttributes>,
         account_authority: Identifier,
         project_identifier: String,
         enforce_admin_checks: bool,
     ) -> Self {
         Self {
-            identities_attributes,
             account_authority,
             project_identifier,
             enforce_admin_checks,
         }
     }
 
-    pub fn identities_attributes(&self) -> Arc<IdentitiesAttributes> {
-        self.identities_attributes.clone()
-    }
     pub fn account_authority(&self) -> &Identifier {
         &self.account_authority
     }
@@ -66,10 +60,12 @@ impl AccountAuthorityInfo {
 impl DirectAuthenticator {
     pub fn new(
         members: Arc<dyn AuthorityMembersRepository>,
+        identities_attributes: Arc<IdentitiesAttributes>,
         account_authority: Option<AccountAuthorityInfo>,
     ) -> Self {
         Self {
             members,
+            identities_attributes,
             account_authority,
         }
     }
@@ -83,6 +79,7 @@ impl DirectAuthenticator {
     ) -> Result<DirectAuthenticatorResult<()>> {
         let check = EnrollerAccessControlChecks::check_identifier(
             self.members.clone(),
+            self.identities_attributes.clone(),
             enroller,
             &self.account_authority,
         )
@@ -143,6 +140,7 @@ impl DirectAuthenticator {
     ) -> Result<DirectAuthenticatorResult<HashMap<Identifier, AttributesEntry>>> {
         let check = EnrollerAccessControlChecks::check_identifier(
             self.members.clone(),
+            self.identities_attributes.clone(),
             enroller,
             &self.account_authority,
         )
@@ -179,6 +177,7 @@ impl DirectAuthenticator {
     ) -> Result<DirectAuthenticatorResult<()>> {
         let check_enroller = EnrollerAccessControlChecks::check_identifier(
             self.members.clone(),
+            self.identities_attributes.clone(),
             enroller,
             &self.account_authority,
         )
@@ -196,6 +195,7 @@ impl DirectAuthenticator {
 
         let check_member = EnrollerAccessControlChecks::check_identifier(
             self.members.clone(),
+            self.identities_attributes.clone(),
             identifier,
             &self.account_authority,
         )

implementations/rust/ockam/ockam_api/src/authenticator/direct/direct_authenticator_worker.rs

@@ -2,7 +2,7 @@ use either::Either;
 use minicbor::Decoder;
 use tracing::trace;
 
-use ockam::identity::{Identifier, IdentitySecureChannelLocalInfo};
+use ockam::identity::{Identifier, IdentitiesAttributes, IdentitySecureChannelLocalInfo};
 use ockam_core::api::{Method, RequestHeader, Response};
 use ockam_core::compat::sync::Arc;
 use ockam_core::{Result, Routed, Worker};
@@ -21,10 +21,15 @@ pub struct DirectAuthenticatorWorker {
 impl DirectAuthenticatorWorker {
     pub fn new(
         members: Arc<dyn AuthorityMembersRepository>,
+        identities_attributes: Arc<IdentitiesAttributes>,
         account_authority: Option<AccountAuthorityInfo>,
     ) -> Self {
         Self {
-            authenticator: DirectAuthenticator::new(members, account_authority),
+            authenticator: DirectAuthenticator::new(
+                members,
+                identities_attributes,
+                account_authority,
+            ),
         }
     }
 }

implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/acceptor.rs

@@ -34,8 +34,7 @@ impl EnrollmentTokenAcceptor {
         from: &Identifier,
     ) -> Result<EnrollmentTokenAcceptorResult<()>> {
         let check =
-            EnrollerAccessControlChecks::check_identifier(self.members.clone(), from, &None)
-                .await?;
+            EnrollerAccessControlChecks::check_is_member(self.members.clone(), from).await?;
 
         // Not allow updating existing members
         if check.is_member {

implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/issuer.rs

@@ -4,7 +4,7 @@ use rand::Rng;
 use std::collections::BTreeMap;
 
 use ockam::identity::utils::now;
-use ockam::identity::Identifier;
+use ockam::identity::{Identifier, IdentitiesAttributes};
 use ockam_core::compat::sync::Arc;
 use ockam_core::compat::time::Duration;
 use ockam_core::Result;
@@ -25,18 +25,21 @@ pub type EnrollmentTokenIssuerResult<T> = Either<T, EnrollmentTokenIssuerError>;
 pub struct EnrollmentTokenIssuer {
     pub(super) tokens: Arc<dyn AuthorityEnrollmentTokenRepository>,
     pub(super) members: Arc<dyn AuthorityMembersRepository>,
+    pub(super) identities_attributes: Arc<IdentitiesAttributes>,
     pub(super) account_authority: Option<AccountAuthorityInfo>,
 }
 
 impl EnrollmentTokenIssuer {
     pub fn new(
         tokens: Arc<dyn AuthorityEnrollmentTokenRepository>,
         members: Arc<dyn AuthorityMembersRepository>,
+        identities_attributes: Arc<IdentitiesAttributes>,
         account_authority: Option<AccountAuthorityInfo>,
     ) -> Self {
         Self {
             tokens,
             members,
+            identities_attributes,
             account_authority,
         }
     }
@@ -51,6 +54,7 @@ impl EnrollmentTokenIssuer {
     ) -> Result<EnrollmentTokenIssuerResult<OneTimeCode>> {
         let check = EnrollerAccessControlChecks::check_identifier(
             self.members.clone(),
+            self.identities_attributes.clone(),
             enroller,
             &self.account_authority,
         )

implementations/rust/ockam/ockam_api/src/authenticator/enrollment_tokens/issuer_worker.rs

@@ -2,7 +2,7 @@ use either::Either;
 use minicbor::Decoder;
 use tracing::trace;
 
-use ockam::identity::IdentitySecureChannelLocalInfo;
+use ockam::identity::{IdentitiesAttributes, IdentitySecureChannelLocalInfo};
 use ockam_core::api::{Method, RequestHeader, Response};
 use ockam_core::compat::sync::Arc;
 use ockam_core::compat::time::Duration;
@@ -22,10 +22,16 @@ impl EnrollmentTokenIssuerWorker {
     pub fn new(
         tokens: Arc<dyn AuthorityEnrollmentTokenRepository>,
         members: Arc<dyn AuthorityMembersRepository>,
+        identities_attributes: Arc<IdentitiesAttributes>,
         account_authority: Option<AccountAuthorityInfo>,
     ) -> Self {
         Self {
-            issuer: EnrollmentTokenIssuer::new(tokens, members, account_authority),
+            issuer: EnrollmentTokenIssuer::new(
+                tokens,
+                members,
+                identities_attributes,
+                account_authority,
+            ),
         }
     }
 }

implementations/rust/ockam/ockam_api/src/authority_node/authority.rs

@@ -74,7 +74,6 @@ impl Authority {
 
         let identities = Identities::create(database).build();
 
-        let identity_attrs = identities.identities_attributes().clone();
         let secure_channels = SecureChannels::from_identities(identities.clone());
 
         let identifier = configuration.identifier();
@@ -87,7 +86,6 @@ impl Authority {
                     .import_from_change_history(None, change_history)
                     .await?;
                 Some(AccountAuthorityInfo::new(
-                    identity_attrs,
                     acc_authority_identifier,
                     configuration.project_identifier(),
                     configuration.enforce_admin_checks,
@@ -158,8 +156,11 @@ impl Authority {
             return Ok(());
         }
 
-        let direct =
-            DirectAuthenticatorWorker::new(self.members.clone(), self.account_authority.clone());
+        let direct = DirectAuthenticatorWorker::new(
+            self.members.clone(),
+            self.secure_channels.identities().identities_attributes(),
+            self.account_authority.clone(),
+        );
 
         let name = configuration.authenticator_name();
         ctx.flow_controls()
@@ -185,6 +186,7 @@ impl Authority {
         let issuer = EnrollmentTokenIssuerWorker::new(
             self.tokens.clone(),
             self.members.clone(),
+            self.secure_channels.identities().identities_attributes(),
             self.account_authority.clone(),
         );
         let acceptor =
@@ -226,6 +228,7 @@ impl Authority {
         // create and start a credential issuer worker
         let issuer = CredentialIssuerWorker::new(
             self.members.clone(),
+            self.secure_channels.identities().identities_attributes(),
             self.secure_channels.identities().credentials(),
             &self.identifier,
             configuration.project_identifier(),

implementations/rust/ockam/ockam_api/tests/credential_issuer.rs

@@ -68,6 +68,7 @@ async fn credential(ctx: &mut Context) -> Result<()> {
         .add_consumer(auth_worker_addr.clone(), &sc_flow_control_id);
     let auth = CredentialIssuerWorker::new(
         members,
+        identities.identities_attributes(),
         identities.credentials(),
         &auth_identifier,
         "test".to_string(),