feat(rust): create 3 separate credential retriever types

examples/rust/get_started/examples/11-attribute-based-authentication-control-plane.rs

@@ -84,6 +84,7 @@ async fn start_node(ctx: Context, project_information_path: &str, token: OneTime
             project_authority_route,
             DefaultAddress::CREDENTIAL_ISSUER.into(),
         ),
+        "test".to_string(), // FIXME LATER CRED
     ));
 
     // 3. create an access control policy checking the value of the "component" attribute of the caller

examples/rust/get_started/examples/11-attribute-based-authentication-edge-plane.rs

@@ -84,6 +84,7 @@ async fn start_node(ctx: Context, project_information_path: &str, token: OneTime
             project_authority_route,
             DefaultAddress::CREDENTIAL_ISSUER.into(),
         ),
+        "test".to_string(), // FIXME LATER CRED
     ));
 
     // 3. create an access control policy checking the value of the "component" attribute of the caller

implementations/rust/ockam/ockam_api/src/cli_state/trust.rs

@@ -1,4 +1,5 @@
 use crate::nodes::service::{NodeManagerCredentialRetrieverOptions, NodeManagerTrustOptions};
+use crate::nodes::NodeManager;
 use crate::{multiaddr_to_transport_route, CliState, DefaultAddress};
 use ockam::identity::{IdentitiesVerification, RemoteCredentialRetrieverInfo};
 use ockam_core::errcode::{Kind, Origin};
@@ -35,15 +36,15 @@ impl CliState {
             ));
         }
 
-        if authority_route.is_some() && expect_cached_credential {
-            return Err(Error::new(
-                Origin::Api,
-                Kind::NotFound,
-                "Authority address was provided but expect_cached_credential is true",
-            ));
-        }
-
         if let Some(authority_identity) = authority_identity {
+            if expect_cached_credential {
+                return Err(Error::new(
+                    Origin::Api,
+                    Kind::NotFound,
+                    "Authority address was provided but expect_cached_credential is true",
+                ));
+            }
+
             let identities_verification = IdentitiesVerification::new(
                 self.change_history_repository(),
                 SoftwareVaultForVerifyingSignatures::create(),
@@ -74,8 +75,13 @@ impl CliState {
                 );
 
                 let trust_options = NodeManagerTrustOptions::new(
-                    NodeManagerCredentialRetrieverOptions::Remote(info),
+                    NodeManagerCredentialRetrieverOptions::Remote {
+                        info,
+                        project_id: "unknown".to_string(),
+                    },
+                    NodeManagerCredentialRetrieverOptions::None,
                     Some(authority_identifier.clone()),
+                    NodeManagerCredentialRetrieverOptions::None,
                 );
 
                 info!(
@@ -86,8 +92,13 @@ impl CliState {
                 trust_options
             } else if expect_cached_credential {
                 let trust_options = NodeManagerTrustOptions::new(
-                    NodeManagerCredentialRetrieverOptions::CacheOnly(authority_identifier.clone()),
+                    NodeManagerCredentialRetrieverOptions::CacheOnly {
+                        issuer: authority_identifier.clone(),
+                        project_id: "unknown".to_string(),
+                    },
+                    NodeManagerCredentialRetrieverOptions::None,
                     Some(authority_identifier.clone()),
+                    NodeManagerCredentialRetrieverOptions::None,
                 );
 
                 info!(
@@ -98,8 +109,10 @@ impl CliState {
                 trust_options
             } else {
                 let trust_options = NodeManagerTrustOptions::new(
+                    NodeManagerCredentialRetrieverOptions::None,
                     NodeManagerCredentialRetrieverOptions::None,
                     Some(authority_identifier.clone()),
+                    NodeManagerCredentialRetrieverOptions::None,
                 );
 
                 info!(
@@ -123,8 +136,10 @@ impl CliState {
             None => {
                 info!("TrustOptions configured: No Authority. No Credentials");
                 return Ok(NodeManagerTrustOptions::new(
+                    NodeManagerCredentialRetrieverOptions::None,
                     NodeManagerCredentialRetrieverOptions::None,
                     None,
+                    NodeManagerCredentialRetrieverOptions::None,
                 ));
             }
         };
@@ -137,15 +152,43 @@ impl CliState {
                 Kind::NotFound,
                 format!("Invalid authority route: {}", &authority_multiaddr),
             ))?;
-        let info = RemoteCredentialRetrieverInfo::new(
-            authority_identifier.clone(),
-            authority_route,
-            DefaultAddress::CREDENTIAL_ISSUER.into(),
-        );
+
+        let project_id = project.project_id().to_string();
+        let project_member_retriever = NodeManagerCredentialRetrieverOptions::Remote {
+            info: RemoteCredentialRetrieverInfo::new(
+                authority_identifier.clone(),
+                authority_route,
+                DefaultAddress::CREDENTIAL_ISSUER.into(),
+            ),
+            project_id: project_id.clone(),
+        };
+
+        let controller_identifier = NodeManager::load_controller_identifier()?;
+        let contoller_transport_route = NodeManager::controller_route().await?;
+
+        let project_admin_retriever = NodeManagerCredentialRetrieverOptions::Remote {
+            info: RemoteCredentialRetrieverInfo::new(
+                controller_identifier.clone(),
+                contoller_transport_route.clone(),
+                DefaultAddress::CREDENTIAL_ISSUER.into(), // FIXME CRED
+            ),
+            project_id: project_id.clone(),
+        };
+
+        let account_admin_retriever = NodeManagerCredentialRetrieverOptions::Remote {
+            info: RemoteCredentialRetrieverInfo::new(
+                controller_identifier.clone(),
+                contoller_transport_route,
+                DefaultAddress::CREDENTIAL_ISSUER.into(), // FIXME CRED
+            ),
+            project_id: project_id.clone(),
+        };
 
         let trust_options = NodeManagerTrustOptions::new(
-            NodeManagerCredentialRetrieverOptions::Remote(info),
+            project_member_retriever,
+            project_admin_retriever,
             Some(authority_identifier.clone()),
+            account_admin_retriever,
         );
 
         info!(

implementations/rust/ockam/ockam_api/src/cloud/secure_clients.rs

@@ -83,10 +83,10 @@ impl NodeManager {
         project_identifier: &Identifier,
         project_multiaddr: &MultiAddr,
         caller_identifier: &Identifier,
-        credentials_enabled: CredentialsEnabled,
+        credentials_enabled: CredentialsEnabled, // FIXME: Choose as a member or as an admin
     ) -> Result<ProjectNodeClient> {
         let credential_retriever_creator = match credentials_enabled {
-            CredentialsEnabled::On => self.credential_retriever_creator.clone(),
+            CredentialsEnabled::On => self.credential_retriever_creators.project_member.clone(),
             CredentialsEnabled::Off => None,
         };
 
@@ -243,7 +243,7 @@ impl NodeManager {
         get_env_with_default::<MultiAddr>(OCKAM_CONTROLLER_ADDR, default_addr).unwrap()
     }
 
-    async fn controller_route() -> Result<Route> {
+    pub async fn controller_route() -> Result<Route> {
         let multiaddr = Self::controller_multiaddr();
         multiaddr_to_transport_route(&multiaddr).ok_or_else(|| {
             ApiError::core(format!(

implementations/rust/ockam/ockam_api/src/nodes/mod.rs

@@ -7,7 +7,7 @@ pub use service::background_node_client::*;
 pub use service::in_memory_node::*;
 pub use service::policy::*;
 /// The main node-manager service running on remote nodes
-pub use service::{IdentityOverride, NodeManager, NodeManagerWorker};
+pub use service::{NodeManager, NodeManagerWorker};
 
 /// A const address to bind and send messages to
 pub const NODEMANAGER_ADDR: &str = "_internal.nodemanager";