feat(rust): removed secure channel key exchange and persistency

Author: davide-baldo

implementations/rust/ockam/ockam_api/src/authority_node/authority.rs

@@ -12,8 +12,7 @@ use crate::authenticator::{
 };
 use ockam::identity::utils::now;
 use ockam::identity::{
-    Identifier, Identities, SecureChannelListenerOptions, SecureChannelSqlxDatabase,
-    SecureChannels, TrustEveryonePolicy,
+    Identifier, Identities, SecureChannelListenerOptions, SecureChannels, TrustEveryonePolicy,
 };
 use ockam::tcp::{TcpListenerOptions, TcpTransport};
 use ockam_core::compat::sync::Arc;
@@ -75,14 +74,12 @@ impl Authority {
 
         let members = Arc::new(AuthorityMembersSqlxDatabase::new(database.clone()));
         let tokens = Arc::new(AuthorityEnrollmentTokenSqlxDatabase::new(database.clone()));
-        let secure_channel_repository = Arc::new(SecureChannelSqlxDatabase::new(database.clone()));
 
         Self::bootstrap_repository(members.clone(), configuration).await?;
 
         let identities = Identities::create_with_node(database, node_name).build();
 
-        let secure_channels =
-            SecureChannels::from_identities(identities.clone(), secure_channel_repository);
+        let secure_channels = SecureChannels::from_identities(identities.clone());
 
         let identifier = configuration.identifier();
         info!(identifier=%identifier, "retrieved the authority identifier");

implementations/rust/ockam/ockam_api/src/cli_state/secure_channels.rs

@@ -2,7 +2,7 @@ use std::sync::Arc;
 
 use crate::cli_state::CliState;
 use crate::cli_state::Result;
-use ockam::identity::{Identities, SecureChannelSqlxDatabase, SecureChannels};
+use ockam::identity::{Identities, SecureChannels};
 use ockam_node::Context;
 
 impl CliState {
@@ -17,9 +17,6 @@ impl CliState {
         let identities = Identities::create_with_node(self.database(), node_name)
             .with_vault(vault)
             .build();
-        Ok(SecureChannels::from_identities(
-            identities,
-            Arc::new(SecureChannelSqlxDatabase::new(self.database())),
-        ))
+        Ok(SecureChannels::from_identities(identities))
     }
 }

implementations/rust/ockam/ockam_api/src/cli_state/vaults.rs

@@ -1,7 +1,7 @@
 use colorful::Colorful;
 use ockam::identity::{
-    Identifier, Identities, RemoteCredentialRetrieverInfo, SecureChannelRegistry,
-    SecureChannelSqlxDatabase, SecureChannels, Vault,
+    Identifier, Identities, RemoteCredentialRetrieverInfo, SecureChannelRegistry, SecureChannels,
+    Vault,
 };
 use ockam_core::errcode::{Kind, Origin};
 use ockam_core::{AsyncTryClone, Error};
@@ -398,7 +398,6 @@ impl CliState {
                     let secure_channels = Arc::new(SecureChannels::new(
                         identities,
                         SecureChannelRegistry::default(), //TODO: inherit registry from the node
-                        Arc::new(SecureChannelSqlxDatabase::new(self.database())),
                     ));
 
                     let credential_retriever_creator = credential_retriever_options

implementations/rust/ockam/ockam_api/src/nodes/service.rs

@@ -28,7 +28,6 @@ mod trust;
 mod worker;
 
 pub use manager::*;
-pub use secure_channel::SecureChannelType;
 pub use trust::*;
 pub use worker::*;
 

implementations/rust/ockam/ockam_api/src/nodes/service/manager.rs

@@ -10,7 +10,6 @@ use crate::nodes::registry::Registry;
 use crate::nodes::service::http::HttpServer;
 use crate::nodes::service::{
     CredentialRetrieverCreators, CredentialRetrieverOptions, NodeManagerTrustOptions,
-    SecureChannelType,
 };
 
 use crate::cli_state::journeys::{NODE_NAME, USER_EMAIL, USER_NAME};
@@ -205,7 +204,6 @@ impl NodeManager {
                 None, // Not checking identifiers here in favor of credential check
                 None,
                 ctx,
-                SecureChannelType::KeyExchangeAndMessages,
             )
             .await?;
 

implementations/rust/ockam/ockam_api/src/nodes/service/relay.rs

@@ -21,7 +21,6 @@ use crate::nodes::models::secure_channel::{
 };
 use crate::nodes::registry::RegistryRelayInfo;
 use crate::nodes::service::in_memory_node::InMemoryNode;
-use crate::nodes::service::secure_channel::SecureChannelType;
 use crate::nodes::BackgroundNodeClient;
 use crate::session::replacer::{ReplacerOutcome, ReplacerOutputKind, SessionReplacer};
 use crate::session::session::Session;
@@ -440,7 +439,6 @@ impl SecureChannelsCreation for InMemoryNode {
                 Some(vec![authorized]),
                 credential,
                 timeout,
-                SecureChannelType::KeyExchangeAndMessages,
             )
             .await
             .into_diagnostic()

implementations/rust/ockam/ockam_api/src/nodes/service/secure_channel.rs

@@ -1,13 +1,13 @@
 use std::time::Duration;
 
 use ockam::identity::models::CredentialAndPurposeKey;
+use ockam::identity::TrustEveryonePolicy;
 use ockam::identity::Vault;
 use ockam::identity::{
     Identifier, Identities, SecureChannelListenerOptions, SecureChannelOptions, SecureChannels,
     TrustMultiIdentifiersPolicy,
 };
 use ockam::identity::{SecureChannel, SecureChannelListener};
-use ockam::identity::{SecureChannelSqlxDatabase, TrustEveryonePolicy};
 use ockam::{Address, Result, Route};
 use ockam_core::api::{Error, Response};
 use ockam_core::compat::sync::Arc;
@@ -29,12 +29,6 @@ use crate::nodes::registry::SecureChannelInfo;
 use crate::nodes::service::default_address::DefaultAddress;
 use crate::nodes::{NodeManager, NodeManagerWorker};
 
-#[derive(PartialOrd, PartialEq, Debug)]
-pub enum SecureChannelType {
-    KeyExchangeAndMessages,
-    KeyExchangeOnly,
-}
-
 /// SECURE CHANNELS
 impl NodeManagerWorker {
     pub async fn list_secure_channels(&self) -> Result<Response<Vec<String>>, Response<Error>> {
@@ -64,7 +58,6 @@ impl NodeManagerWorker {
                 authorized_identifiers,
                 credential,
                 timeout,
-                SecureChannelType::KeyExchangeAndMessages,
             )
             .await
             .map(|secure_channel| {
@@ -124,13 +117,7 @@ impl NodeManagerWorker {
 
         let response = self
             .node_manager
-            .create_secure_channel_listener(
-                addr,
-                authorized_identifiers,
-                identity_name,
-                ctx,
-                SecureChannelType::KeyExchangeAndMessages,
-            )
+            .create_secure_channel_listener(addr, authorized_identifiers, identity_name, ctx)
             .await
             .map(|_| Response::ok())?;
         Ok(response)
@@ -177,7 +164,6 @@ impl NodeManager {
         authorized_identifiers: Option<Vec<Identifier>>,
         credential: Option<CredentialAndPurposeKey>,
         timeout: Option<Duration>,
-        secure_channel_type: SecureChannelType,
     ) -> Result<SecureChannel> {
         let identifier = self.get_identifier_by_name(identity_name.clone()).await?;
 
@@ -192,7 +178,6 @@ impl NodeManager {
                 authorized_identifiers,
                 credential,
                 timeout,
-                secure_channel_type,
             )
             .await?;
 
@@ -209,7 +194,6 @@ impl NodeManager {
         authorized_identifiers: Option<Vec<Identifier>>,
         credential: Option<CredentialAndPurposeKey>,
         timeout: Option<Duration>,
-        secure_channel_type: SecureChannelType,
     ) -> Result<SecureChannel> {
         debug!(%sc_route, "Creating secure channel");
         let options = SecureChannelOptions::new();
@@ -240,13 +224,6 @@ impl NodeManager {
             None => options.with_trust_policy(TrustEveryonePolicy),
         };
 
-        let options = if secure_channel_type == SecureChannelType::KeyExchangeOnly {
-            // TODO: Should key exchange channels be persisted automatically?
-            options.key_exchange_only().persist()?
-        } else {
-            options
-        };
-
         let sc = self
             .secure_channels
             .create_secure_channel(ctx, identifier, sc_route.clone(), options)
@@ -303,35 +280,12 @@ impl NodeManager {
 
 /// SECURE CHANNEL LISTENERS
 impl NodeManager {
-    //TODO: remove everything about key exchange service from secure channel
-    #[allow(dead_code)]
-    pub(crate) async fn start_key_exchanger_service(
-        &self,
-        context: &Context,
-        address: Address,
-    ) -> Result<SecureChannelListener> {
-        // skip creation if it already exists
-        if let Some(listener) = self.registry.secure_channel_listeners.get(&address).await {
-            return Ok(listener);
-        }
-
-        self.create_secure_channel_listener(
-            address.clone(),
-            None,
-            None,
-            context,
-            SecureChannelType::KeyExchangeOnly,
-        )
-        .await
-    }
-
     pub async fn create_secure_channel_listener(
         &self,
         address: Address,
         authorized_identifiers: Option<Vec<Identifier>>,
         identity_name: Option<String>,
         ctx: &Context,
-        secure_channel_type: SecureChannelType,
     ) -> Result<SecureChannelListener> {
         debug!(
             "Handling request to create a new secure channel listener: {}",
@@ -381,13 +335,6 @@ impl NodeManager {
             }
         };
 
-        let options = if secure_channel_type == SecureChannelType::KeyExchangeOnly {
-            // TODO: Should key exchange channels be persisted automatically?
-            options.key_exchange_only().persist()?
-        } else {
-            options
-        };
-
         let listener = secure_channels
             .create_secure_channel_listener(ctx, &identifier, address.clone(), options)
             .await?;
@@ -399,27 +346,25 @@ impl NodeManager {
             .insert(address.clone(), listener.clone())
             .await;
 
-        if secure_channel_type == SecureChannelType::KeyExchangeAndMessages {
-            // TODO: Clean
-            // Add Echoer as a consumer by default
-            ctx.flow_controls()
-                .add_consumer(DefaultAddress::ECHO_SERVICE, listener.flow_control_id());
-
-            // TODO: PUNCTURE Make optional?
-            ctx.flow_controls().add_consumer(
-                DefaultAddress::UDP_PUNCTURE_NEGOTIATION_LISTENER,
-                listener.flow_control_id(),
-            );
-
-            // Add ourselves to allow tunneling
-            ctx.flow_controls()
-                .add_consumer(address, listener.flow_control_id());
-
-            ctx.flow_controls().add_consumer(
-                DefaultAddress::UPPERCASE_SERVICE,
-                listener.flow_control_id(),
-            );
-        }
+        // TODO: Clean
+        // Add Echoer as a consumer by default
+        ctx.flow_controls()
+            .add_consumer(DefaultAddress::ECHO_SERVICE, listener.flow_control_id());
+
+        // TODO: PUNCTURE Make optional?
+        ctx.flow_controls().add_consumer(
+            DefaultAddress::UDP_PUNCTURE_NEGOTIATION_LISTENER,
+            listener.flow_control_id(),
+        );
+
+        // Add ourselves to allow tunneling
+        ctx.flow_controls()
+            .add_consumer(address, listener.flow_control_id());
+
+        ctx.flow_controls().add_consumer(
+            DefaultAddress::UPPERCASE_SERVICE,
+            listener.flow_control_id(),
+        );
 
         Ok(listener)
     }
@@ -477,7 +422,6 @@ impl NodeManager {
         Ok(Arc::new(SecureChannels::new(
             identities,
             self.secure_channels.secure_channel_registry(),
-            Arc::new(SecureChannelSqlxDatabase::new(self.cli_state.database())),
         )))
     }
 }

implementations/rust/ockam/ockam_api/src/nodes/service/tcp_inlets/session_replacer.rs

@@ -20,7 +20,6 @@ use ockam_transport_tcp::TcpInlet;
 
 use crate::error::ApiError;
 use crate::nodes::connection::Connection;
-use crate::nodes::service::SecureChannelType;
 use crate::nodes::NodeManager;
 use crate::session::replacer::{
     AdditionalSessionReplacer, CurrentInletStatus, ReplacerOutcome, ReplacerOutputKind,
@@ -356,7 +355,6 @@ impl AdditionalSessionReplacer for InletSessionReplacer {
                 None,
                 // TODO: Have a dedicated timeout
                 Some(Duration::from_secs(10)),
-                SecureChannelType::KeyExchangeAndMessages,
             )
             .await?;
         let additional_sc = self.additional_secure_channel.insert(additional_sc);

implementations/rust/ockam/ockam_api/tests/credential_issuer.rs

@@ -1,7 +1,7 @@
 use minicbor::bytes::ByteSlice;
+use ockam::identity::identities;
 use ockam::identity::models::CredentialAndPurposeKey;
 use ockam::identity::utils::now;
-use ockam::identity::{identities, SecureChannelSqlxDatabase};
 use ockam::identity::{
     Identities, SecureChannelListenerOptions, SecureChannelOptions, SecureChannels,
 };
@@ -55,10 +55,7 @@ async fn credential(ctx: &mut Context) -> Result<()> {
         .with_purpose_keys_repository(identities.purpose_keys_repository())
         .with_cached_credential_repository(identities.cached_credentials_repository())
         .build();
-    let secure_channels = SecureChannels::from_identities(
-        identities.clone(),
-        Arc::new(SecureChannelSqlxDatabase::create().await?),
-    );
+    let secure_channels = SecureChannels::from_identities(identities.clone());
     let identities_verification = identities.identities_verification();
 
     // Create the CredentialIssuer:

implementations/rust/ockam/ockam_api/tests/latency.rs

@@ -1,6 +1,5 @@
 #![recursion_limit = "256"]
 
-use ockam_api::nodes::service::SecureChannelType;
 use std::sync::Arc;
 use std::time::{Duration, Instant};
 
@@ -48,7 +47,6 @@ pub fn measure_message_latency_two_nodes() -> ockam_core::Result<()> {
                     None,
                     None,
                     None,
-                    SecureChannelType::KeyExchangeAndMessages,
                 )
                 .await
                 .unwrap();