Open mrinalwadhwa opened 2 years ago
Hello -- Do you envision the CLI to be something along the lines of ockam identity rotate --node n1 --key key-label? Other ideas:
ockam node ...
ockam rotate ...
@noyez Thank you for looking into this!! I was thinking of something like this:
ockam identity rotate --node n1 --key key-label
Hello -- I've been looking at this issue and I have a few questions.
ockam identity show --full output? Or is the only observable effect in the default_value.json file?
Identity struct. I think I can piece that together by getting the IdentityChangeHistory, and the Vault from the ~/.config/ockam-cli/default_vault.json. But there appear to be two different ways to create the Identity struct.
Identity::new( )
IdentityBuilder::build( )
Is one preferred over the other? It seems that IdentityBuilder::build() does a lot more, then eventually calls Identity::new().
Thanks for any input and clarifications!
Hey @noyez. You don't need to create a new Identity, we want to be able to rotate a key inside an already existing Identity instance. That instance can be found in NodeManager struct. New key will be automatically added to the Vault. But Identity itself should be resaved to the NodeConfig. Do not hesitate to ask more questions if you need.
Hey @noyez. You don't need to create a new Identity, we want to be able to rotate a key inside an already existing Identity instance.
Got it. I was hoping my code path was loading the existing identity and not creating a new one, but it probably was creating a new one.
That instance can be found in NodeManager struct. New key will be automatically added to the Vault. But Identity itself should be resaved to the NodeConfig.
Please correct me if I'm wrong in my understanding. There is a NodeManager and that gets paired with NodeManagerWorker and for those structs to be useful, they need to be "started". However, in order to start NodeManager, it gets consumed by NodeManagerWorker, and that gets consumed by start_worker. So once NodeManager and NodeManagerWorker are started they appear to be inaccessible since they are consumed. (I'm using start_embeded_node() as a basis for my assumptions.)
So to access the data from NodeManager should I be getting it from the node service somehow or with the messaging API?
Note that when I try creating a stand-alone NodeManager (i.e. w/o "starting" it) and calling rotate_key() on the identity, it hangs here https://github.com/build-trust/ockam/blob/develop/implementations/rust/ockam/ockam_identity/src/identity.rs#L149 when waiting on the await part of the change_history member. That experience coupled with the start_embeded_node function pushed me to the conclusion that the NodeManager and NodeManagerWorker needed to be "started". But I can't figure out how to access the NodeManager once it has been "started".
Please advise, thanks!
@noyez yes, NodeManagerWorker is a worker, it's running asynchronously in the background. In this case you don't need to access its internal state from the outside, because rotate command should be handled by the NodeManagerWorker itself. Please explore how Identity create command is handled as an example: Request from the CLI is sent here, that request is handled here
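The pattern described in the comment above, as an added example that is not part of the thread and is not Ockam's code: state is moved into a background worker, and a rotate request reaches it as a message rather than through direct access. It uses std threads and channels in place of Ockam workers; Identity, Request, start_worker, rotate and show are hypothetical names, and the key history is a constructed stand-in.

```rust
use std::sync::mpsc::{channel, Sender};
use std::thread;
// Hypothetical stand-in for an identity: a history of (label, generation).
struct Identity { history: Vec<(String, u32)> }
// Requests a CLI-like caller can send; each carries a channel for the reply.
enum Request {
    Show(Sender<Vec<(String, u32)>>),
    RotateKey { label: String, reply: Sender<Result<u32, String>> },
}

// The worker thread takes ownership of the identity; callers keep only the sender.
fn start_worker(mut identity: Identity) -> Sender<Request> {
    let (tx, rx) = channel::<Request>();
    thread::spawn(move || {
        for req in rx {
            match req {
                Request::Show(reply) => { let _ = reply.send(identity.history.clone()); }
                Request::RotateKey { label, reply } => {
                    // Rotation applies only to a label that already exists.
                    let current = identity.history.iter()
                        .filter(|(l, _)| *l == label).map(|(_, g)| *g).max();
                    let result = match current {
                        Some(g) => { identity.history.push((label, g + 1)); Ok(g + 1) }
                        None => Err(format!("no key labelled {}", label)),
                    };
                    let _ = reply.send(result);
                }
            }
        }
    });
    tx
}

// Caller side: send the request, then block until the worker answers.
fn rotate(node: &Sender<Request>, label: &str) -> Result<u32, String> {
    let (reply, rx) = channel();
    let req = Request::RotateKey { label: label.to_string(), reply };
    node.send(req).map_err(|e| e.to_string())?;
    rx.recv().map_err(|e| e.to_string())?
}
fn show(node: &Sender<Request>) -> Vec<(String, u32)> {
    let (reply, rx) = channel();
    node.send(Request::Show(reply)).expect("worker stopped");
    rx.recv().expect("worker stopped")
}

fn main() {
    let node = start_worker(Identity { history: vec![("OCKAM_RK".to_string(), 0)] });
    println!("{:?} {:?}", rotate(&node, "OCKAM_RK"), show(&node));
}
```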
@SanjoDeundiak ooooooh, of course! thank you! 🤦 Your last comment resonated and really helped me comprehend the interactions, and now it seems so simple.
I have a PR Draft (https://github.com/build-trust/ockam/pull/3841). It is marked as a Draft because I'm observing errors when rotating a key only after identity show commands are run. For example, if I spin up a fresh node, then rotate keys, it works. But if I spin up a fresh node and ask for ockam identity show --node n1, then rotate key, I get an error. I'm not sure it's related to the PR, but it's worth mentioning. I added a test in the command.bats file specifically for this error since it probably shouldn't be failing so it is worth testing, so in my PR that test will fail.
Just a brief look at the flow and what works and what errors:
ockam identity rotate-keys --label OCKAM_RK --node n1 # works
ockam message send hello --to /node/n1/service/uppercase
ockam identity rotate-keys --label OCKAM_RK --node n1 # works
ockam node list
ockam identity rotate-keys --label OCKAM_RK --node n1 # works
ockam identity show --node n1
ockam identity rotate-keys --label OCKAM_RK --node n1 # fails (and any rotate-key command thereafter fails)
Below is a more detailed log of what's happening:
@noyez are you still working on this one? if not I would like to help :)
New PR for this issue: https://github.com/build-trust/ockam/pull/4876. Previous bug mentioned above appears to be fixed, although I have not done extensive testing.
Currently
The following will create an identity
The code for it is
Desired
It is possible to rotate identity keys https://github.com/build-trust/ockam/blob/develop/implementations/rust/ockam/ockam_identity/src/identity.rs#L181
We want to support this as a command.
We love helping new contributors! ❤️ If you have questions or need help as you explore, please join us on Discord. If you're looking for other issues to contribute to, please check out our good first issues.