build-trust · adrianbenavides · Feb 27, 2025 · Feb 26, 2025
@@ -1,91 +1,91 @@
-/// INTRODUCTION
-///
-/// This example shows how to use attribute-based credential in order to have
-/// several devices connecting to a server, via the Ockam Orchestrator.
-///
-/// The corresponding example using the command-line can be found here: https://docs.ockam.io/use-cases/apply-fine-grained-permissions-with-attribute-based-access-control-abac.
-///
-/// You first need to:
-///
-///  - create a project with `ockam enroll`
-///  - export the project information with `ockam project information > project.json`
-///
-/// Then you can start:
-///
-///  - a local Python webserver: `python3 -m http.server --bind 127.0.0.1 5000`
-///  - the control node in `11-attribute-based-authentication-control-plane.rs`
-///  - the edge node in `11-attribute-based-authentication-edge-plane.rs`
-///
-/// This will set up a TCP outlet on the control node, connected to the Python webserver
-/// and a TCP inlet on the edge node which can be used to send HTTP requests (at 127.0.0.1:7000).
-///
-/// Then if you execute `curl --fail --head --max-time 10 127.0.0.1:7000` you should get back
-/// a successful response like:
-///
-/// HTTP/1.0 200 OK
-/// Server: SimpleHTTP/0.6 Python/3.9.6
-/// Date: Tue, 07 Feb 2023 15:05:59 GMT
-/// Content-type: text/html; charset=utf-8
-/// Content-Length: 870
-///
-/// and observe that a successful connection has been made on the Python webserver:
-///
-/// ± python3 -m http.server --bind 127.0.0.1 5000                                                                                                                                                                                                                                                                                                                                                                                      default
-///  Serving HTTP on 127.0.0.1 port 5000 (http://127.0.0.1:5000/) ...
-///  127.0.0.1 - - [06/Feb/2023 15:52:20] "HEAD / HTTP/1.1" 200 -
-///
-/// TOPOLOGY
-///
-/// The network we establish between the control node, the edge node and the Orchestrator is the following
-///
-///       get credential         +-------------------------------------+
-///       via secure channel     |                                     | Inlet <-- 127.0.0.1:7000
-///              +---------------+              Edge node              | connected to "outlet"
-///              |               |                                     | via secure channel
-///              |               +-------------------------------------+
-///              |                   |                           |
-///              |                   |                           | create secure channel to control
-///              |                   |                           | via the relay
-///              v                   v                           |
-///      +--------------+        +-------------------------------+-------+
-///      | Authority    |        |                               |       |
-///      |              |        |             Orchestrator      |       |
-///      |              |        |                               |       |
-///      +--------------+        +---------------------- forwarder ------+
-///              ^                  ^                    to control
-///              |                  |                   ^        |
-///              |                  |            create |        |
-///              |                  |                   |        v
-///              |                  |                   |     "untrusted"  secure channel
-///              |               +---------------------------------------+ listener
-///              |               |                                       |
-///              +---------------|              Control node             | "outlet" --> 127.0.0.1:5000
-///       get credential         |                                       |
-///       via secure channel     +---------------------------------------+
-///
-///
-///   - we create initially some secure channels to the Authority in order to retrieve credential
-///     based on a one-time token generated with `ockam project ticket --attribute component=<name of node>`
-///
-///   - then the control node creates a relay on the Orchestrator in order to accept TCP traffic without
-///     having to open a port to the internet. It also starts a channel listener ("untrusted", accept all incoming requests for now)
-///
-///   - on its side the edge node starts a secure channel via relay (named "forward_to_control_plane1"), to the "untrusted" listener
-///     with the secure channel address it creates an Inlet which will direct TCP traffic via the secure channel to get to the
-///     control node and then to the "outlet" worker to reach the Python webserver
-///
-///   - the outlet is configured to only receive messages from the edge node by checking its authenticated attributes
-///   - the inlet is configured to only receive messages from the control node by checking its authenticated attributes
-///
-/// IMPLEMENTATION
-///
-/// The code for this example can be found in:
-///
-///  - examples/11-attribute-based-authentication-control-plane.rs: for the control node
-///  - examples/11-attribute-based-authentication-edge-plane.rs: for the edge node
-///  - src/project.rs: read the content of the project.json file
-///  - src/token.rs: generate a one-time token using the ockam command line
-///
+//! INTRODUCTION
+//!
+//! This example shows how to use attribute-based credential in order to have
+//! several devices connecting to a server, via the Ockam Orchestrator.
+//!
+//! The corresponding example using the command-line can be found here: https://docs.ockam.io/use-cases/apply-fine-grained-permissions-with-attribute-based-access-control-abac.
+//!
+//! You first need to:
+//!
+//!  - create a project with `ockam enroll`
+//!  - export the project information with `ockam project information > project.json`
+//!
+//! Then you can start:
+//!
+//!  - a local Python webserver: `python3 -m http.server --bind 127.0.0.1 5000`
+//!  - the control node in `11-attribute-based-authentication-control-plane.rs`
+//!  - the edge node in `11-attribute-based-authentication-edge-plane.rs`
+//!
+//! This will set up a TCP outlet on the control node, connected to the Python webserver
+//! and a TCP inlet on the edge node which can be used to send HTTP requests (at 127.0.0.1:7000).
+//!
+//! Then if you execute `curl --fail --head --max-time 10 127.0.0.1:7000` you should get back
+//! a successful response like:
+//!
+//! HTTP/1.0 200 OK
+//! Server: SimpleHTTP/0.6 Python/3.9.6
+//! Date: Tue, 07 Feb 2023 15:05:59 GMT
+//! Content-type: text/html; charset=utf-8
+//! Content-Length: 870
+//!
+//! and observe that a successful connection has been made on the Python webserver:
+//!
+//! ± python3 -m http.server --bind 127.0.0.1 5000                                                                                                                                                                                                                                                                                                                                                                                      default
+//!  Serving HTTP on 127.0.0.1 port 5000 (http://127.0.0.1:5000/) ...
+//!  127.0.0.1 - - [06/Feb/2023 15:52:20] "HEAD / HTTP/1.1" 200 -
+//!
+//! TOPOLOGY
+//!
+//! The network we establish between the control node, the edge node and the Orchestrator is the following
+//!
+//!       get credential         +-------------------------------------+
+//!       via secure channel     |                                     | Inlet <-- 127.0.0.1:7000
+//!              +---------------+              Edge node              | connected to "outlet"
+//!              |               |                                     | via secure channel
+//!              |               +-------------------------------------+
+//!              |                   |                           |
+//!              |                   |                           | create secure channel to control
+//!              |                   |                           | via the relay
+//!              v                   v                           |
+//!      +--------------+        +-------------------------------+-------+
+//!      | Authority    |        |                               |       |
+//!      |              |        |             Orchestrator      |       |
+//!      |              |        |                               |       |
+//!      +--------------+        +---------------------- forwarder ------+
+//!              ^                  ^                    to control
+//!              |                  |                   ^        |
+//!              |                  |            create |        |
+//!              |                  |                   |        v
+//!              |                  |                   |     "untrusted"  secure channel
+//!              |               +---------------------------------------+ listener
+//!              |               |                                       |
+//!              +---------------|              Control node             | "outlet" --> 127.0.0.1:5000
+//!       get credential         |                                       |
+//!       via secure channel     +---------------------------------------+
+//!
+//!
+//!   - we create initially some secure channels to the Authority in order to retrieve credential
+//!     based on a one-time token generated with `ockam project ticket --attribute component=<name of node>`
+//!
+//!   - then the control node creates a relay on the Orchestrator in order to accept TCP traffic without
+//!     having to open a port to the internet. It also starts a channel listener ("untrusted", accept all incoming requests for now)
+//!
+//!   - on its side the edge node starts a secure channel via relay (named "forward_to_control_plane1"), to the "untrusted" listener
+//!     with the secure channel address it creates an Inlet which will direct TCP traffic via the secure channel to get to the
+//!     control node and then to the "outlet" worker to reach the Python webserver
+//!
+//!   - the outlet is configured to only receive messages from the edge node by checking its authenticated attributes
+//!   - the inlet is configured to only receive messages from the control node by checking its authenticated attributes
+//!
+//! IMPLEMENTATION
+//!
+//! The code for this example can be found in:
+//!
+//!  - examples/11-attribute-based-authentication-control-plane.rs: for the control node
+//!  - examples/11-attribute-based-authentication-edge-plane.rs: for the edge node
+//!  - src/project.rs: read the content of the project.json file
+//!  - src/token.rs: generate a one-time token using the ockam command line
+//!
 
 /// unused main function
 fn main() {}
@@ -670,7 +670,7 @@ mod tests {
         test_parse_error(&mut "a=\"\"", "the value can't be empty");
     }
 
-    /// HELPERS
+    // HELPERS
 
     /// Test the parsing of a name
     fn test_parse_name(input: &str) {

@@ -610,7 +610,7 @@ mod tests {
         test_failure("a or b", &format!("The first identifier of the expression: `a or b` must be an operation. The available operations are: {}", OPERATORS.join(", ")));
     }
 
-    /// HELPERS
+    // HELPERS
     fn test_failure(s: &str, expected_message: &str) {
         match parse(s) {
             Err(e) => assert!(e.to_string().contains(expected_message)),

@@ -205,7 +205,7 @@ mod test {
         Ok(())
     }
 
-    /// HELPERS
+    // HELPERS
     async fn resource_policy_repository() -> Result<Arc<dyn ResourcePoliciesRepository>> {
         Ok(Arc::new(ResourcePolicySqlxDatabase::create().await?))
     }

@@ -170,7 +170,7 @@ mod test {
         Ok(())
     }
 
-    /// HELPERS
+    // HELPERS
     async fn create_repository() -> Result<Arc<dyn ResourcesRepository>> {
         Ok(Arc::new(ResourcesSqlxDatabase::create().await?))
     }

@@ -245,7 +245,7 @@ mod test {
         Ok(())
     }
 
-    /// HELPERS
+    // HELPERS
     async fn create_repository() -> Result<Arc<dyn ResourceTypePoliciesRepository>> {
         Ok(Arc::new(ResourceTypePolicySqlxDatabase::create().await?))
     }

@@ -523,7 +523,7 @@ pub mod tests {
         result.unwrap()
     }
 
-    /// HELPERS
+    // HELPERS
 
     /// Create an Authority configuration with:
     ///

@@ -448,7 +448,7 @@ mod tests {
         .await
     }
 
-    /// HELPERS
+    // HELPERS
     fn list_file_names(dir: &Path) -> Vec<String> {
         fs::read_dir(dir)
             .unwrap()

@@ -255,7 +255,7 @@ mod tests {
         assert_eq!(now_as_string(datetime("2024-03-31T12:00:00Z")), "240330");
     }
 
-    /// HELPERS
+    // HELPERS
     fn datetime(s: &str) -> DateTime<Utc> {
         Utc.from_utc_datetime(&DateTime::parse_from_rfc3339(s).unwrap().naive_utc())
     }

@@ -1,7 +1,7 @@
 use opentelemetry::Key;
 use std::fmt::{Display, Formatter};
 
-/// List of attribute keys for journey event creation
+// List of attribute keys for journey event creation
 
 pub const TCP_OUTLET_AT: &Key = &Key::from_static_str("app.tcp_outlet.at");
 pub const TCP_OUTLET_FROM: &Key = &Key::from_static_str("app.tcp_outlet.from");

@@ -226,7 +226,7 @@ mod tests {
         Ok(())
     }
 
-    /// HELPERS
+    // HELPERS
     async fn create_identity(db: SqlxDatabase, name: &str) -> Result<Identity> {
         let identities = identities().await?;
         let identifier = identities.identities_creation().create_identity().await?;

@@ -432,7 +432,7 @@ mod tests {
         .await
     }
 
-    /// HELPERS
+    // HELPERS
     async fn create_identity() -> Result<Identifier> {
         let identities = identities().await?;
         identities.identities_creation().create_identity().await

@@ -393,7 +393,7 @@ mod test {
         .await
     }
 
-    /// HELPERS
+    // HELPERS
     async fn create_identity() -> Result<Identifier> {
         let identities = identities().await?;
         identities.identities_creation().create_identity().await

@@ -755,7 +755,7 @@ mod test {
         .await
     }
 
-    /// HELPERS
+    // HELPERS
     fn create_project(
         id: &str,
         name: &str,

@@ -442,7 +442,7 @@ mod test {
     use std::net::SocketAddr;
     use tokio::net::TcpStream;
 
-    async fn send_http_request<'a, S: Serialize + Send, D: DeserializeOwned + Send>(
+    async fn send_http_request<S: Serialize + Send, D: DeserializeOwned + Send>(
         request: Request<S>,
     ) -> Response<D> {
         let host = request.uri().host().expect("uri has no host");

@@ -1,9 +1,9 @@
 use crate::logs::LogFormat;
 use std::time::Duration;
 
-///
-/// LOGGING
-///
+//
+// LOGGING
+//
 
 /// Log format for files. See LogFormat for other values
 pub(crate) const DEFAULT_LOG_FORMAT: LogFormat = LogFormat::Default;
@@ -18,9 +18,9 @@ pub(crate) const DEFAULT_LOG_MAX_FILES: u64 = 60;
 pub(crate) const DEFAULT_OPENTELEMETRY_ENDPOINT: &str =
     "https://otelcoll.orchestrator.ockam.io:443";
 
-///
-/// TRACING
-///
+//
+// TRACING
+//
 
 /// Timeout for trying to access the Telemetry collector endpoint when running a command
 /// It is quite high but experimentation shows that sometimes there's quite some lag even if the endpoint is available

@@ -1,16 +1,16 @@
-///
-/// LOGGING CONFIGURATION
-///
+//
+// LOGGING CONFIGURATION
+//
 
 /// Decides if logs should be created. Accepted values, see FromString<bool>. For example; true, false, 1, 0
 pub(crate) const OCKAM_LOGGING: &str = "OCKAM_LOGGING";
 
 /// Required log level. Accepted values, see LevelVar. For example: trace, debug, info, warn, error
 pub(crate) const OCKAM_LOG_LEVEL: &str = "OCKAM_LOG_LEVEL";
 
-///
-/// LOG FILE CONFIGURATION
-///
+//
+//LOG FILE CONFIGURATION
+//
 
 /// Max size of a log file before it is rotated, in Mb
 pub(crate) const OCKAM_LOG_MAX_SIZE_MB: &str = "OCKAM_LOG_MAX_SIZE_MB";
@@ -24,9 +24,9 @@ pub(crate) const OCKAM_LOG_FORMAT: &str = "OCKAM_LOG_FORMAT";
 /// Filter for log messages based on crate names. Accepted values: 'all' or 'comma-separated strings'. For example: ockam_core,ockam_api
 pub(crate) const OCKAM_LOG_CRATES_FILTER: &str = "OCKAM_LOG_CRATES_FILTER";
 
-///
-/// TRACING CONFIGURATION
-///
+//
+// TRACING CONFIGURATION
+//
 
 /// Decides if spans and log records should be created and exported. Accepted values, see BooleanVar. For example; true, false, 1, 0
 pub(crate) const OCKAM_TELEMETRY_EXPORT: &str = "OCKAM_TELEMETRY_EXPORT";
@@ -58,9 +58,9 @@ pub const OCKAM_DEVELOPER: &str = "OCKAM_DEVELOPER";
 /// If this variable is true, print statements will debug the setting of the OpenTelemetry export
 pub(crate) const OCKAM_OPENTELEMETRY_EXPORT_DEBUG: &str = "OCKAM_OPENTELEMETRY_EXPORT_DEBUG";
 
-///
-/// TELEMETRY COLLECTOR ENDPOINT CONFIGURATION
-///
+//
+// TELEMETRY COLLECTOR ENDPOINT CONFIGURATION
+//
 
 /// URL for the OpenTelemetry collector. Accepted values, see UrlVar. For example: http://127.0.0.1:4317
 pub(crate) const OCKAM_OPENTELEMETRY_ENDPOINT: &str = "OCKAM_OPENTELEMETRY_ENDPOINT";
@@ -75,9 +75,9 @@ pub(crate) const OCKAM_FOREGROUND_TELEMETRY_ENDPOINT_CONNECTION_TIMEOUT: &str =
 pub(crate) const OCKAM_BACKGROUND_TELEMETRY_ENDPOINT_CONNECTION_TIMEOUT: &str =
     "OCKAM_BACKGROUND_TELEMETRY_ENDPOINT_CONNECTION_TIMEOUT";
 
-///
-/// TELEMETRY COLLECTOR EXPORT CONFIGURATION
-///
+//
+// TELEMETRY COLLECTOR EXPORT CONFIGURATION
+//
 
 /// Timeout for trying to export spans to the endpoint.
 /// Accepted values, see DurationVar. For example: 500ms