MarketTakers/arbiter
6
0
Fork 0
Code Issues 27 Pull Requests 2 Packages Projects Releases Wiki Activity

refactor: rename to to better reflect meaning
Some checks failed
ci/woodpecker/push/server-audit Pipeline was successful
Details
ci/woodpecker/push/server-vet Pipeline failed
Details
ci/woodpecker/push/server-lint Pipeline failed
Details
ci/woodpecker/push/server-test Pipeline was successful
Details

Browse Source
This commit is contained in:
Skipper
2026-04-19 13:35:18 +02:00
parent fd25de32a1
commit a1c3ffd2d1
58 changed files with 437 additions and 437 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
server/crates/arbiter-client/src/auth.rs
View File

@@ -26,13 +26,13 @@ use chrono::DateTime;
pub enum AuthError {
#[error("Server sent invalid auth challenge")]
InvalidChallenge,
#[error("Client approval denied by User Agent")]
#[error("Client approval denied by Operator")]
ApprovalDenied,
#[error("Auth challenge was not returned by server")]
MissingAuthChallenge,
#[error("No User Agents online to approve client")]
NoUserAgentsOnline,
#[error("No Operators online to approve client")]
NoOperatorsOnline,
#[error("Signing key storage error")]
Storage(#[from] StorageError),
@@ -44,7 +44,7 @@ pub enum AuthError {
fn map_auth_result(code: i32) -> AuthError {
match AuthResult::try_from(code).unwrap_or(AuthResult::Unspecified) {
AuthResult::ApprovalDenied => AuthError::ApprovalDenied,
AuthResult::NoUserAgentsOnline => AuthError::NoUserAgentsOnline,
AuthResult::NoOperatorsOnline => AuthError::NoOperatorsOnline,
AuthResult::Unspecified
| AuthResult::Success
| AuthResult::InvalidKey

6
server/crates/arbiter-crypto/src/authn/v1.rs
View File

@@ -7,7 +7,7 @@ use ml_dsa::{
use rand::RngExt;
pub static CLIENT_CONTEXT: &[u8] = b"arbiter_client";
pub static USERAGENT_CONTEXT: &[u8] = b"arbiter_user_agent";
pub static OPERATOR_CONTEXT: &[u8] = b"arbiter_operator";
const NONCE_SIZE: usize = 32;
@@ -192,7 +192,7 @@ mod tests {
use crate::authn::AuthChallenge;
use super::{CLIENT_CONTEXT, PublicKey, Signature, SigningKey, USERAGENT_CONTEXT};
use super::{CLIENT_CONTEXT, PublicKey, Signature, SigningKey, OPERATOR_CONTEXT};
#[test]
fn public_key_round_trip_decodes() {
@@ -227,7 +227,7 @@ mod tests {
.expect("signature should be created");
assert!(public_key.verify(&challenge, CLIENT_CONTEXT, &signature));
assert!(!public_key.verify(&challenge, USERAGENT_CONTEXT, &signature));
assert!(!public_key.verify(&challenge, OPERATOR_CONTEXT, &signature));
}
#[test]

2
server/crates/arbiter-proto/build.rs
View File

@@ -10,7 +10,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
.compile_protos(
&[
format!("{}/arbiter.proto", PROTOBUF_DIR),
format!("{}/user_agent.proto", PROTOBUF_DIR),
format!("{}/operator.proto", PROTOBUF_DIR),
format!("{}/client.proto", PROTOBUF_DIR),
format!("{}/evm.proto", PROTOBUF_DIR),
],

16
server/crates/arbiter-proto/src/lib.rs
View File

@@ -12,30 +12,30 @@ pub mod proto {
}
}
pub mod user_agent {
tonic::include_proto!("arbiter.user_agent");
pub mod operator {
tonic::include_proto!("arbiter.operator");
pub mod auth {
tonic::include_proto!("arbiter.user_agent.auth");
tonic::include_proto!("arbiter.operator.auth");
}
pub mod evm {
tonic::include_proto!("arbiter.user_agent.evm");
tonic::include_proto!("arbiter.operator.evm");
}
pub mod sdk_client {
tonic::include_proto!("arbiter.user_agent.sdk_client");
tonic::include_proto!("arbiter.operator.sdk_client");
}
pub mod vault {
tonic::include_proto!("arbiter.user_agent.vault");
tonic::include_proto!("arbiter.operator.vault");
pub mod bootstrap {
tonic::include_proto!("arbiter.user_agent.vault.bootstrap");
tonic::include_proto!("arbiter.operator.vault.bootstrap");
}
pub mod unseal {
tonic::include_proto!("arbiter.user_agent.vault.unseal");
tonic::include_proto!("arbiter.operator.vault.unseal");
}
}
}

4
server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql
View File

@@ -43,13 +43,13 @@ create table if not exists arbiter_settings (
insert into arbiter_settings (id) values (1) on conflict do nothing;
-- ensure singleton row exists
create table if not exists useragent_client (
create table if not exists operator_client (
id integer not null primary key,
public_key blob not null,
created_at integer not null default(unixepoch ('now')),
updated_at integer not null default(unixepoch ('now'))
) STRICT;
create unique index if not exists uniq_useragent_client_public_key on useragent_client (public_key);
create unique index if not exists uniq_operator_client_public_key on operator_client (public_key);
create table if not exists client_metadata (
id integer not null primary key,

2
server/crates/arbiter-server/src/actors/bootstrap.rs
View File

@@ -48,7 +48,7 @@ impl Bootstrapper {
let row_count: i64 = {
let mut conn = db.get().await?;
schema::useragent_client::table
schema::operator_client::table
.count()
.get_result(&mut conn)
.await?

6
server/crates/arbiter-server/src/actors/evm/mod.rs
View File

@@ -134,7 +134,7 @@ impl EvmActor {
#[messages]
impl EvmActor {
#[message]
pub async fn useragent_create_grant(
pub async fn operator_create_grant(
&mut self,
basic: SharedGrantSettings,
grant: SpecificGrant,
@@ -161,7 +161,7 @@ impl EvmActor {
#[message]
#[expect(clippy::unused_async, reason = "reserved for impl")]
pub async fn useragent_delete_grant(&mut self, _grant_id: i32) -> Result<(), Error> {
pub async fn operator_delete_grant(&mut self, _grant_id: i32) -> Result<(), Error> {
// let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
// let vault = self.vault.clone();
@@ -186,7 +186,7 @@ impl EvmActor {
}
#[message]
pub async fn useragent_list_grants(&mut self) -> Result<Vec<Grant<SpecificGrant>>, Error> {
pub async fn operator_list_grants(&mut self) -> Result<Vec<Grant<SpecificGrant>>, Error> {
match self.engine.list_all_grants().await {
Ok(grants) => Ok(grants),
Err(ListError::Database(db_err)) => Err(Error::Database(db_err)),

22
server/crates/arbiter-server/src/actors/flow_coordinator/client_connect_approval.rs
View File

@@ -2,7 +2,7 @@ use crate::{
actors::flow_coordinator::ApprovalError,
peers::{
client::ClientProfile,
user_agent::{UserAgentSession, session::BeginNewClientApproval},
operator::{OperatorSession, session::BeginNewClientApproval},
},
};
@@ -15,12 +15,12 @@ use std::ops::ControlFlow;
pub struct Args {
pub client: ClientProfile,
pub user_agents: Vec<ActorRef<UserAgentSession>>,
pub operators: Vec<ActorRef<OperatorSession>>,
pub reply: ReplySender<Result<bool, ApprovalError>>,
}
pub struct ClientApprovalController {
/// Number of UAs that have not yet responded (approval or denial) or died.
/// Number of operators that have not yet responded (approval or denial) or died.
pending: usize,
/// Number of approvals received so far.
approved: usize,
@@ -42,21 +42,21 @@ impl Actor for ClientApprovalController {
async fn on_start(
Args {
client,
user_agents,
operators,
reply,
}: Self::Args,
actor_ref: ActorRef<Self>,
) -> Result<Self, Self::Error> {
let this = Self {
pending: user_agents.len(),
pending: operators.len(),
approved: 0,
reply: Some(reply),
};
for user_agent in user_agents {
actor_ref.link(&user_agent).await;
for operator in operators {
actor_ref.link(&operator).await;
let _ = user_agent
let _ = operator
.tell(BeginNewClientApproval {
client: client.clone(),
controller: actor_ref.clone(),
@@ -73,10 +73,10 @@ impl Actor for ClientApprovalController {
_: ActorId,
_: ActorStopReason,
) -> Result<ControlFlow<ActorStopReason>, Self::Error> {
// A linked UA died before responding — counts as a non-approval.
// A linked operator died before responding — counts as a non-approval.
self.pending = self.pending.saturating_sub(1);
if self.pending == 0 {
// At least one UA didn't approve: deny.
// At least one operator didn't approve: deny.
self.send_reply(Ok(false));
return Ok(ControlFlow::Break(ActorStopReason::Normal));
}
@@ -99,7 +99,7 @@ impl ClientApprovalController {
self.pending = self.pending.saturating_sub(1);
if self.pending == 0 {
// Every connected UA approved.
// Every connected operator approved.
self.send_reply(Ok(true));
ctx.stop();
}

20
server/crates/arbiter-server/src/actors/flow_coordinator/mod.rs
View File

@@ -1,7 +1,7 @@
use crate::{
actors::{
flow_coordinator::client_connect_approval::ClientApprovalController,
useragent_registry::{GetConnected, UserAgentRegistry},
operator_registry::{GetConnected, OperatorRegistry},
},
peers::client::{ClientProfile, session::ClientSession},
};
@@ -20,14 +20,14 @@ pub mod client_connect_approval;
pub struct FlowCoordinator {
pub clients: HashMap<ActorId, ActorRef<ClientSession>>,
useragent_registry: ActorRef<UserAgentRegistry>,
operator_registry: ActorRef<OperatorRegistry>,
}
impl FlowCoordinator {
pub fn new(useragent_registry: ActorRef<UserAgentRegistry>) -> Self {
pub fn new(operator_registry: ActorRef<OperatorRegistry>) -> Self {
Self {
clients: HashMap::default(),
useragent_registry,
operator_registry,
}
}
}
@@ -66,8 +66,8 @@ impl Actor for FlowCoordinator {
#[derive(Debug, thiserror::Error, Clone, PartialEq, Eq, Hash)]
pub enum ApprovalError {
#[error("No user agents connected")]
NoUserAgentsConnected,
#[error("No operators connected")]
NoOperatorsConnected,
}
#[messages]
@@ -93,19 +93,19 @@ impl FlowCoordinator {
unreachable!("Expected `request_client_approval` to have callback channel");
};
let Ok(refs) = self.useragent_registry.ask(GetConnected).await else {
reply_sender.send(Err(ApprovalError::NoUserAgentsConnected));
let Ok(refs) = self.operator_registry.ask(GetConnected).await else {
reply_sender.send(Err(ApprovalError::NoOperatorsConnected));
return reply;
};
if refs.is_empty() {
reply_sender.send(Err(ApprovalError::NoUserAgentsConnected));
reply_sender.send(Err(ApprovalError::NoOperatorsConnected));
return reply;
}
ClientApprovalController::spawn(client_connect_approval::Args {
client,
user_agents: refs,
operators: refs,
reply: reply_sender,
});

12
server/crates/arbiter-server/src/actors/mod.rs
View File

@@ -1,7 +1,7 @@
use crate::{
actors::{
bootstrap::Bootstrapper, evm::EvmActor, flow_coordinator::FlowCoordinator,
useragent_registry::UserAgentRegistry, vault::Vault,
operator_registry::OperatorRegistry, vault::Vault,
},
db,
};
@@ -13,7 +13,7 @@ use thiserror::Error;
pub mod bootstrap;
pub mod evm;
pub mod flow_coordinator;
pub mod useragent_registry;
pub mod operator_registry;
pub mod vault;
#[derive(Error, Debug)]
@@ -31,7 +31,7 @@ pub struct GlobalActors {
pub vault: ActorRef<Vault>,
pub bootstrapper: ActorRef<Bootstrapper>,
pub flow_coordinator: ActorRef<FlowCoordinator>,
pub useragent_registry: ActorRef<UserAgentRegistry>,
pub operator_registry: ActorRef<OperatorRegistry>,
pub evm: ActorRef<EvmActor>,
pub events: ActorRef<MessageBus>,
}
@@ -44,15 +44,15 @@ impl GlobalActors {
pub async fn spawn(db: db::DatabasePool) -> Result<Self, SpawnError> {
let message_bus = Self::spawn_message_bus();
let key_holder = Vault::spawn(Vault::new(db.clone(), message_bus.clone()).await?);
let useragent_registry = UserAgentRegistry::spawn(UserAgentRegistry::default());
let operator_registry = OperatorRegistry::spawn(OperatorRegistry::default());
Ok(Self {
bootstrapper: Bootstrapper::spawn(Bootstrapper::new(&db).await?),
evm: EvmActor::spawn(EvmActor::new(key_holder.clone(), db)),
vault: key_holder,
flow_coordinator: FlowCoordinator::spawn(FlowCoordinator::new(
useragent_registry.clone(),
operator_registry.clone(),
)),
useragent_registry,
operator_registry,
events: message_bus,
})
}

22
server/crates/arbiter-server/src/actors/useragent_registry.rs → server/crates/arbiter-server/src/actors/operator_registry.rs
View File

@@ -1,4 +1,4 @@
use crate::peers::user_agent::UserAgentSession;
use crate::peers::operator::OperatorSession;
use kameo::{
Actor,
@@ -11,11 +11,11 @@ use std::{collections::HashMap, ops::ControlFlow};
use tracing::info;
#[derive(Default)]
pub struct UserAgentRegistry {
connected: HashMap<ActorId, ActorRef<UserAgentSession>>,
pub struct OperatorRegistry {
connected: HashMap<ActorId, ActorRef<OperatorSession>>,
}
impl Actor for UserAgentRegistry {
impl Actor for OperatorRegistry {
type Args = Self;
type Error = Infallible;
@@ -33,8 +33,8 @@ impl Actor for UserAgentRegistry {
if self.connected.remove(&id).is_some() {
info!(
?id,
actor = "UserAgentRegistry",
event = "useragent.disconnected"
actor = "OperatorRegistry",
event = "operator.disconnected"
);
}
Ok(ControlFlow::Continue(()))
@@ -42,20 +42,20 @@ impl Actor for UserAgentRegistry {
}
#[messages]
impl UserAgentRegistry {
impl OperatorRegistry {
#[message(ctx)]
pub async fn connect_useragent(
pub async fn connect_operator(
&mut self,
actor: ActorRef<UserAgentSession>,
actor: ActorRef<OperatorSession>,
ctx: &mut Context<Self, ()>,
) {
info!(id = %actor.id(), actor = "UserAgentRegistry", event = "useragent.connected");
info!(id = %actor.id(), actor = "OperatorRegistry", event = "operator.connected");
ctx.actor_ref().link(&actor).await;
self.connected.insert(actor.id(), actor);
}
#[message]
pub fn get_connected(&self) -> Vec<ActorRef<UserAgentSession>> {
pub fn get_connected(&self) -> Vec<ActorRef<OperatorSession>> {
self.connected.values().cloned().collect()
}
}

4
server/crates/arbiter-server/src/db/models.rs
View File

@@ -248,8 +248,8 @@ pub struct ProgramClient {
}
#[derive(Queryable, Debug)]
#[diesel(table_name = schema::useragent_client, check_for_backend(Sqlite))]
pub struct UseragentClient {
#[diesel(table_name = schema::operator_client, check_for_backend(Sqlite))]
pub struct OperatorClient {
pub id: i32,
pub public_key: Vec<u8>,
pub created_at: SqliteTimestamp,

4
server/crates/arbiter-server/src/db/schema.rs
View File

@@ -186,7 +186,7 @@ diesel::table! {
}
diesel::table! {
useragent_client (id) {
operator_client (id) {
id -> Integer,
public_key -> Binary,
created_at -> Integer,
@@ -233,5 +233,5 @@ diesel::allow_tables_to_appear_in_same_query!(
program_client,
root_key_history,
tls_history,
useragent_client,
operator_client,
);

4
server/crates/arbiter-server/src/grpc/client/auth.rs
View File

@@ -176,8 +176,8 @@ impl Convert for auth::Error {
InvalidChallengeSolution => ProtoAuthResult::InvalidSignature,
ApproveError(auth::ApproveError::Denied) => ProtoAuthResult::ApprovalDenied,
ApproveError(auth::ApproveError::Upstream(
crate::actors::flow_coordinator::ApprovalError::NoUserAgentsConnected,
)) => ProtoAuthResult::NoUserAgentsOnline,
crate::actors::flow_coordinator::ApprovalError::NoOperatorsConnected,
)) => ProtoAuthResult::NoOperatorsOnline,
ApproveError(auth::ApproveError::Internal)
| DatabasePoolUnavailable
| DatabaseOperationFailed

20
server/crates/arbiter-server/src/grpc/mod.rs
View File

@@ -1,8 +1,8 @@
use crate::peers::{client::ClientConnection, user_agent::UserAgentConnection};
use crate::peers::{client::ClientConnection, operator::OperatorConnection};
use arbiter_proto::{
proto::{
client::{ClientRequest, ClientResponse},
user_agent::{UserAgentRequest, UserAgentResponse},
operator::{OperatorRequest, OperatorResponse},
},
transport::grpc::GrpcBi,
};
@@ -14,7 +14,7 @@ use tracing::info;
mod request_tracker;
pub mod client;
pub mod user_agent;
pub mod operator;
mod common;
@@ -33,7 +33,7 @@ pub trait TryConvert {
#[async_trait]
impl arbiter_proto::proto::arbiter_service_server::ArbiterService for super::Server {
type UserAgentStream = ReceiverStream<Result<UserAgentResponse, Status>>;
type OperatorStream = ReceiverStream<Result<OperatorResponse, Status>>;
type ClientStream = ReceiverStream<Result<ClientResponse, Status>>;
#[tracing::instrument(level = "debug", skip(self))]
@@ -52,23 +52,23 @@ impl arbiter_proto::proto::arbiter_service_server::ArbiterService for super::Ser
}
#[tracing::instrument(level = "debug", skip(self))]
async fn user_agent(
async fn operator(
&self,
request: Request<tonic::Streaming<UserAgentRequest>>,
) -> Result<Response<Self::UserAgentStream>, Status> {
request: Request<tonic::Streaming<OperatorRequest>>,
) -> Result<Response<Self::OperatorStream>, Status> {
let req_stream = request.into_inner();
let (bi, rx) = GrpcBi::from_bi_stream(req_stream);
tokio::spawn(user_agent::start(
UserAgentConnection {
tokio::spawn(operator::start(
OperatorConnection {
db: self.context.db.clone(),
actors: self.context.actors.clone(),
},
bi,
));
info!(event = "connection established", "grpc.user_agent");
info!(event = "connection established", "grpc.operator");
Ok(Response::new(rx))
}

52
server/crates/arbiter-server/src/grpc/user_agent.rs → server/crates/arbiter-server/src/grpc/operator.rs
View File

@@ -1,12 +1,12 @@
use crate::{
grpc::request_tracker::RequestTracker,
peers::user_agent::{OutOfBand, UserAgentConnection, UserAgentSession},
peers::operator::{OutOfBand, OperatorConnection, OperatorSession},
};
use arbiter_proto::{
proto::user_agent::{
UserAgentRequest, UserAgentResponse,
user_agent_request::Payload as UserAgentRequestPayload,
user_agent_response::Payload as UserAgentResponsePayload,
proto::operator::{
OperatorRequest, OperatorResponse,
operator_request::Payload as OperatorRequestPayload,
operator_response::Payload as OperatorResponsePayload,
},
transport::{Error as TransportError, Receiver, Sender, grpc::GrpcBi},
};
@@ -38,8 +38,8 @@ impl Sender<OutOfBand> for OutOfBandAdapter {
}
async fn dispatch_loop(
mut bi: GrpcBi<UserAgentRequest, UserAgentResponse>,
actor: ActorRef<UserAgentSession>,
mut bi: GrpcBi<OperatorRequest, OperatorResponse>,
actor: ActorRef<OperatorSession>,
mut receiver: mpsc::Receiver<OutOfBand>,
mut request_tracker: RequestTracker,
) {
@@ -53,7 +53,7 @@ async fn dispatch_loop(
let payload = sdk_client::out_of_band_payload(oob);
if bi.send(Ok(UserAgentResponse { id: None, payload: Some(payload) })).await.is_err() {
if bi.send(Ok(OperatorResponse { id: None, payload: Some(payload) })).await.is_err() {
return;
}
}
@@ -64,7 +64,7 @@ async fn dispatch_loop(
let conn = match message {
Ok(conn) => conn,
Err(err) => {
warn!(error = ?err, "Failed to receive user agent request");
warn!(error = ?err, "Failed to receive operator request");
return;
}
};
@@ -78,13 +78,13 @@ async fn dispatch_loop(
};
let Some(payload) = conn.payload else {
let _ = bi.send(Err(Status::invalid_argument("Missing user-agent request payload"))).await;
let _ = bi.send(Err(Status::invalid_argument("Missing operator request payload"))).await;
return;
};
match dispatch_inner(&actor, payload).await {
Ok(Some(response)) => {
if bi.send(Ok(UserAgentResponse {
if bi.send(Ok(OperatorResponse {
id: Some(request_id),
payload: Some(response),
})).await.is_err() {
@@ -93,7 +93,7 @@ async fn dispatch_loop(
}
Ok(None) => {}
Err(status) => {
error!(?status, "Failed to process user agent request");
error!(?status, "Failed to process operator request");
let _ = bi.send(Err(status)).await;
return;
}
@@ -104,23 +104,23 @@ async fn dispatch_loop(
}
async fn dispatch_inner(
actor: &ActorRef<UserAgentSession>,
payload: UserAgentRequestPayload,
) -> Result<Option<UserAgentResponsePayload>, Status> {
actor: &ActorRef<OperatorSession>,
payload: OperatorRequestPayload,
) -> Result<Option<OperatorResponsePayload>, Status> {
match payload {
UserAgentRequestPayload::Vault(req) => vault::dispatch(actor, req).await,
UserAgentRequestPayload::Evm(req) => evm::dispatch(actor, req).await,
UserAgentRequestPayload::SdkClient(req) => sdk_client::dispatch(actor, req).await,
UserAgentRequestPayload::Auth(..) => {
warn!("Unsupported post-auth user agent auth request");
Err(Status::invalid_argument("Unsupported user-agent request"))
OperatorRequestPayload::Vault(req) => vault::dispatch(actor, req).await,
OperatorRequestPayload::Evm(req) => evm::dispatch(actor, req).await,
OperatorRequestPayload::SdkClient(req) => sdk_client::dispatch(actor, req).await,
OperatorRequestPayload::Auth(..) => {
warn!("Unsupported post-auth operator auth request");
Err(Status::invalid_argument("Unsupported operator request"))
}
}
}
pub async fn start(
mut conn: UserAgentConnection,
mut bi: GrpcBi<UserAgentRequest, UserAgentResponse>,
mut conn: OperatorConnection,
mut bi: GrpcBi<OperatorRequest, OperatorResponse>,
) {
let mut request_tracker = RequestTracker::default();
@@ -129,16 +129,16 @@ pub async fn start(
let actor = {
let transport = auth::AuthTransportAdapter::new(&mut bi, &mut request_tracker);
match crate::peers::user_agent::start(&mut conn, transport, Box::new(oob_adapter)).await {
match crate::peers::operator::start(&mut conn, transport, Box::new(oob_adapter)).await {
Ok(actor) => actor,
Err(e) => {
warn!(error = ?e, "User agent connection failed");
warn!(error = ?e, "Operator connection failed");
return;
}
}
};
info!("User agent session established");
info!("Operator session established");
dispatch_loop(bi, actor.clone(), oob_receiver, request_tracker).await;
actor.kill();

38
server/crates/arbiter-server/src/grpc/user_agent/auth.rs → server/crates/arbiter-server/src/grpc/operator/auth.rs
View File

@@ -1,16 +1,16 @@
use crate::{grpc::request_tracker::RequestTracker, peers::user_agent::auth};
use crate::{grpc::request_tracker::RequestTracker, peers::operator::auth};
use arbiter_crypto::authn;
use arbiter_proto::{
proto::user_agent::{
UserAgentRequest, UserAgentResponse,
proto::operator::{
OperatorRequest, OperatorResponse,
auth::{
self as proto_auth, AuthChallenge as ProtoAuthChallenge,
AuthChallengeRequest as ProtoAuthChallengeRequest,
AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
request::Payload as AuthRequestPayload, response::Payload as AuthResponsePayload,
},
user_agent_request::Payload as UserAgentRequestPayload,
user_agent_response::Payload as UserAgentResponsePayload,
operator_request::Payload as OperatorRequestPayload,
operator_response::Payload as OperatorResponsePayload,
},
transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi},
};
@@ -20,13 +20,13 @@ use tonic::Status;
use tracing::warn;
pub(super) struct AuthTransportAdapter<'a> {
pub(super) bi: &'a mut GrpcBi<UserAgentRequest, UserAgentResponse>,
pub(super) bi: &'a mut GrpcBi<OperatorRequest, OperatorResponse>,
pub(super) request_tracker: &'a mut RequestTracker,
}
impl<'a> AuthTransportAdapter<'a> {
pub(super) const fn new(
bi: &'a mut GrpcBi<UserAgentRequest, UserAgentResponse>,
bi: &'a mut GrpcBi<OperatorRequest, OperatorResponse>,
request_tracker: &'a mut RequestTracker,
) -> Self {
Self {
@@ -35,7 +35,7 @@ impl<'a> AuthTransportAdapter<'a> {
}
}
pub(super) const fn bi_mut(&mut self) -> &mut GrpcBi<UserAgentRequest, UserAgentResponse> {
pub(super) const fn bi_mut(&mut self) -> &mut GrpcBi<OperatorRequest, OperatorResponse> {
self.bi
}
@@ -45,21 +45,21 @@ impl<'a> AuthTransportAdapter<'a> {
pub(super) async fn send_response_payload(
&mut self,
payload: UserAgentResponsePayload,
payload: OperatorResponsePayload,
) -> Result<(), TransportError> {
self.bi
.send(Ok(UserAgentResponse {
.send(Ok(OperatorResponse {
id: Some(self.request_tracker.current_request_id()),
payload: Some(payload),
}))
.await
}
async fn send_user_agent_response(
async fn send_operator_response(
&mut self,
payload: AuthResponsePayload,
) -> Result<(), TransportError> {
self.send_response_payload(UserAgentResponsePayload::Auth(proto_auth::Response {
self.send_response_payload(OperatorResponsePayload::Auth(proto_auth::Response {
payload: Some(payload),
}))
.await
@@ -107,7 +107,7 @@ impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
}
};
self.send_user_agent_response(payload).await
self.send_operator_response(payload).await
}
}
@@ -117,7 +117,7 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
let request = match self.bi.recv().await? {
Ok(request) => request,
Err(error) => {
warn!(error = ?error, "Failed to receive user agent auth request");
warn!(error = ?error, "Failed to receive operator auth request");
return None;
}
};
@@ -133,16 +133,16 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
let Some(payload) = request.payload else {
warn!(
event = "received request with empty payload",
"grpc.useragent.auth_adapter"
"grpc.operator.auth_adapter"
);
return None;
};
let UserAgentRequestPayload::Auth(auth_request) = payload else {
let OperatorRequestPayload::Auth(auth_request) = payload else {
let _ = self
.bi
.send(Err(Status::invalid_argument(
"Unsupported user-agent auth request",
"Unsupported operator auth request",
)))
.await;
return None;
@@ -151,7 +151,7 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
let Some(payload) = auth_request.payload else {
warn!(
event = "received auth request with empty payload",
"grpc.useragent.auth_adapter"
"grpc.operator.auth_adapter"
);
return None;
};
@@ -164,7 +164,7 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
let Ok(pubkey) = authn::PublicKey::try_from(pubkey.as_slice()) else {
warn!(
event = "received request with invalid public key",
"grpc.useragent.auth_adapter"
"grpc.operator.auth_adapter"
);
return None;
};

40
server/crates/arbiter-server/src/grpc/user_agent/evm.rs → server/crates/arbiter-server/src/grpc/operator/evm.rs
View File

@@ -3,8 +3,8 @@ use crate::{
Convert, TryConvert,
common::inbound::{RawEvmAddress, RawEvmTransaction},
},
peers::user_agent::{
UserAgentSession,
peers::operator::{
OperatorSession,
session::handlers::{
GrantMutationError, HandleEvmWalletCreate, HandleEvmWalletList, HandleGrantCreate,
HandleGrantDelete, HandleGrantList, HandleSignTransaction,
@@ -24,12 +24,12 @@ use arbiter_proto::proto::{
wallet_create_response::Result as WalletCreateResult,
wallet_list_response::Result as WalletListResult,
},
user_agent::{
operator::{
evm::{
self as proto_evm, SignTransactionRequest as ProtoSignTransactionRequest,
request::Payload as EvmRequestPayload, response::Payload as EvmResponsePayload,
},
user_agent_response::Payload as UserAgentResponsePayload,
operator_response::Payload as OperatorResponsePayload,
},
};
@@ -37,16 +37,16 @@ use kameo::actor::ActorRef;
use tonic::Status;
use tracing::warn;
const fn wrap_evm_response(payload: EvmResponsePayload) -> UserAgentResponsePayload {
UserAgentResponsePayload::Evm(proto_evm::Response {
const fn wrap_evm_response(payload: EvmResponsePayload) -> OperatorResponsePayload {
OperatorResponsePayload::Evm(proto_evm::Response {
payload: Some(payload),
})
}
pub(super) async fn dispatch(
actor: &ActorRef<UserAgentSession>,
actor: &ActorRef<OperatorSession>,
req: proto_evm::Request,
) -> Result<Option<UserAgentResponsePayload>, Status> {
) -> Result<Option<OperatorResponsePayload>, Status> {
let Some(payload) = req.payload else {
return Err(Status::invalid_argument("Missing EVM request payload"));
};
@@ -62,8 +62,8 @@ pub(super) async fn dispatch(
}
async fn handle_wallet_create(
actor: &ActorRef<UserAgentSession>,
) -> Result<Option<UserAgentResponsePayload>, Status> {
actor: &ActorRef<OperatorSession>,
) -> Result<Option<OperatorResponsePayload>, Status> {
let result = match actor.ask(HandleEvmWalletCreate {}).await {
Ok((wallet_id, address)) => WalletCreateResult::Wallet(WalletEntry {
id: wallet_id,
@@ -82,8 +82,8 @@ async fn handle_wallet_create(
}
async fn handle_wallet_list(
actor: &ActorRef<UserAgentSession>,
) -> Result<Option<UserAgentResponsePayload>, Status> {
actor: &ActorRef<OperatorSession>,
) -> Result<Option<OperatorResponsePayload>, Status> {
let result = match actor.ask(HandleEvmWalletList {}).await {
Ok(wallets) => WalletListResult::Wallets(WalletList {
wallets: wallets
@@ -107,8 +107,8 @@ async fn handle_wallet_list(
}
async fn handle_grant_list(
actor: &ActorRef<UserAgentSession>,
) -> Result<Option<UserAgentResponsePayload>, Status> {
actor: &ActorRef<OperatorSession>,
) -> Result<Option<OperatorResponsePayload>, Status> {
let result = match actor.ask(HandleGrantList {}).await {
Ok(grants) => EvmGrantListResult::Grants(EvmGrantList {
grants: grants
@@ -134,9 +134,9 @@ async fn handle_grant_list(
}
async fn handle_grant_create(
actor: &ActorRef<UserAgentSession>,
actor: &ActorRef<OperatorSession>,
req: EvmGrantCreateRequest,
) -> Result<Option<UserAgentResponsePayload>, Status> {
) -> Result<Option<OperatorResponsePayload>, Status> {
let basic = req
.shared
.ok_or_else(|| Status::invalid_argument("Missing shared grant settings"))?
@@ -164,9 +164,9 @@ async fn handle_grant_create(
}
async fn handle_grant_delete(
actor: &ActorRef<UserAgentSession>,
actor: &ActorRef<OperatorSession>,
req: EvmGrantDeleteRequest,
) -> Result<Option<UserAgentResponsePayload>, Status> {
) -> Result<Option<OperatorResponsePayload>, Status> {
let result = match actor
.ask(HandleGrantDelete {
grant_id: req.grant_id,
@@ -190,9 +190,9 @@ async fn handle_grant_delete(
}
async fn handle_sign_transaction(
actor: &ActorRef<UserAgentSession>,
actor: &ActorRef<OperatorSession>,
req: ProtoSignTransactionRequest,
) -> Result<Option<UserAgentResponsePayload>, Status> {
) -> Result<Option<OperatorResponsePayload>, Status> {
let request = req
.request
.ok_or_else(|| Status::invalid_argument("Missing sign transaction request"))?;

2
server/crates/arbiter-server/src/grpc/user_agent/inbound.rs → server/crates/arbiter-server/src/grpc/operator/inbound.rs
View File

@@ -14,7 +14,7 @@ use arbiter_proto::{
TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
specific_grant::Grant as ProtoSpecificGrantType,
},
proto::user_agent::sdk_client::{WalletAccess, WalletAccessEntry as SdkClientWalletAccess},
proto::operator::sdk_client::{WalletAccess, WalletAccessEntry as SdkClientWalletAccess},
};
use alloy::primitives::{Address, U256};

2
server/crates/arbiter-server/src/grpc/user_agent/outbound.rs → server/crates/arbiter-server/src/grpc/operator/outbound.rs
View File

@@ -10,7 +10,7 @@ use arbiter_proto::proto::{
TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
specific_grant::Grant as ProtoSpecificGrantType,
},
user_agent::sdk_client::{WalletAccess, WalletAccessEntry as ProtoSdkClientWalletAccess},
operator::sdk_client::{WalletAccess, WalletAccessEntry as ProtoSdkClientWalletAccess},
};
use chrono::{DateTime, Utc};

38
server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs → server/crates/arbiter-server/src/grpc/operator/sdk_client.rs
View File

@@ -1,8 +1,8 @@
use crate::{
db::models::NewEvmWalletAccess,
grpc::Convert,
peers::user_agent::{
OutOfBand, UserAgentSession,
peers::operator::{
OutOfBand, OperatorSession,
session::handlers::{
HandleGrantEvmWalletAccess, HandleListWalletAccess, HandleNewClientApprove,
HandleRevokeEvmWalletAccess, HandleSdkClientList,
@@ -12,7 +12,7 @@ use crate::{
use arbiter_crypto::authn;
use arbiter_proto::proto::{
shared::ClientInfo as ProtoClientMetadata,
user_agent::{
operator::{
sdk_client::{
self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
ConnectionRequest as ProtoSdkClientConnectionRequest,
@@ -24,7 +24,7 @@ use arbiter_proto::proto::{
request::Payload as SdkClientRequestPayload,
response::Payload as SdkClientResponsePayload,
},
user_agent_response::Payload as UserAgentResponsePayload,
operator_response::Payload as OperatorResponsePayload,
},
};
@@ -32,13 +32,13 @@ use kameo::actor::ActorRef;
use tonic::Status;
use tracing::{info, warn};
const fn wrap_sdk_client_response(payload: SdkClientResponsePayload) -> UserAgentResponsePayload {
UserAgentResponsePayload::SdkClient(proto_sdk_client::Response {
const fn wrap_sdk_client_response(payload: SdkClientResponsePayload) -> OperatorResponsePayload {
OperatorResponsePayload::SdkClient(proto_sdk_client::Response {
payload: Some(payload),
})
}
pub(super) fn out_of_band_payload(oob: OutOfBand) -> UserAgentResponsePayload {
pub(super) fn out_of_band_payload(oob: OutOfBand) -> OperatorResponsePayload {
match oob {
OutOfBand::ClientConnectionRequest { profile } => wrap_sdk_client_response(
SdkClientResponsePayload::ConnectionRequest(ProtoSdkClientConnectionRequest {
@@ -59,9 +59,9 @@ pub(super) fn out_of_band_payload(oob: OutOfBand) -> UserAgentResponsePayload {
}
pub(super) async fn dispatch(
actor: &ActorRef<UserAgentSession>,
actor: &ActorRef<OperatorSession>,
req: proto_sdk_client::Request,
) -> Result<Option<UserAgentResponsePayload>, Status> {
) -> Result<Option<OperatorResponsePayload>, Status> {
let Some(payload) = req.payload else {
return Err(Status::invalid_argument(
"Missing SDK client request payload",
@@ -87,9 +87,9 @@ pub(super) async fn dispatch(
}
async fn handle_connection_response(
actor: &ActorRef<UserAgentSession>,
actor: &ActorRef<OperatorSession>,
resp: ProtoSdkClientConnectionResponse,
) -> Result<Option<UserAgentResponsePayload>, Status> {
) -> Result<Option<OperatorResponsePayload>, Status> {
let pubkey = authn::PublicKey::try_from(resp.pubkey.as_slice())
.map_err(|()| Status::invalid_argument("Invalid ML-DSA public key"))?;
@@ -108,8 +108,8 @@ async fn handle_connection_response(
}
async fn handle_list(
actor: &ActorRef<UserAgentSession>,
) -> Result<Option<UserAgentResponsePayload>, Status> {
actor: &ActorRef<OperatorSession>,
) -> Result<Option<OperatorResponsePayload>, Status> {
let result = match actor.ask(HandleSdkClientList {}).await {
Ok(clients) => ProtoSdkClientListResult::Clients(ProtoSdkClientList {
clients: clients
@@ -144,9 +144,9 @@ async fn handle_list(
}
async fn handle_grant_wallet_access(
actor: &ActorRef<UserAgentSession>,
actor: &ActorRef<OperatorSession>,
req: ProtoSdkClientGrantWalletAccess,
) -> Result<Option<UserAgentResponsePayload>, Status> {
) -> Result<Option<OperatorResponsePayload>, Status> {
let entries: Vec<NewEvmWalletAccess> = req.accesses.into_iter().map(Convert::convert).collect();
match actor.ask(HandleGrantEvmWalletAccess { entries }).await {
Ok(()) => {
@@ -161,9 +161,9 @@ async fn handle_grant_wallet_access(
}
async fn handle_revoke_wallet_access(
actor: &ActorRef<UserAgentSession>,
actor: &ActorRef<OperatorSession>,
req: ProtoSdkClientRevokeWalletAccess,
) -> Result<Option<UserAgentResponsePayload>, Status> {
) -> Result<Option<OperatorResponsePayload>, Status> {
match actor
.ask(HandleRevokeEvmWalletAccess {
entries: req.accesses,
@@ -182,8 +182,8 @@ async fn handle_revoke_wallet_access(
}
async fn handle_list_wallet_access(
actor: &ActorRef<UserAgentSession>,
) -> Result<Option<UserAgentResponsePayload>, Status> {
actor: &ActorRef<OperatorSession>,
) -> Result<Option<OperatorResponsePayload>, Status> {
match actor.ask(HandleListWalletAccess {}).await {
Ok(accesses) => Ok(Some(wrap_sdk_client_response(
SdkClientResponsePayload::ListWalletAccess(ListWalletAccessResponse {

18
server/crates/arbiter-server/src/grpc/user_agent/vault.rs → server/crates/arbiter-server/src/grpc/operator/vault.rs
View File

@@ -1,11 +1,11 @@
use crate::{
actors::vault::VaultState,
peers::user_agent::{UserAgentSession, session::handlers::HandleQueryVaultState},
peers::operator::{OperatorSession, session::handlers::HandleQueryVaultState},
};
use arbiter_proto::{
proto::shared::VaultState as ProtoVaultState,
proto::user_agent::{
user_agent_response::Payload as UserAgentResponsePayload,
proto::operator::{
operator_response::Payload as OperatorResponsePayload,
vault::{
self as proto_vault, request::Payload as VaultRequestPayload,
response::Payload as VaultResponsePayload,
@@ -17,16 +17,16 @@ use kameo::actor::ActorRef;
use tonic::Status;
use tracing::warn;
const fn wrap_vault_response(payload: VaultResponsePayload) -> UserAgentResponsePayload {
UserAgentResponsePayload::Vault(proto_vault::Response {
const fn wrap_vault_response(payload: VaultResponsePayload) -> OperatorResponsePayload {
OperatorResponsePayload::Vault(proto_vault::Response {
payload: Some(payload),
})
}
pub(super) async fn dispatch(
actor: &ActorRef<UserAgentSession>,
actor: &ActorRef<OperatorSession>,
req: proto_vault::Request,
) -> Result<Option<UserAgentResponsePayload>, Status> {
) -> Result<Option<OperatorResponsePayload>, Status> {
let Some(payload) = req.payload else {
return Err(Status::invalid_argument("Missing vault request payload"));
};
@@ -42,8 +42,8 @@ pub(super) async fn dispatch(
}
async fn handle_query_vault_state(
actor: &ActorRef<UserAgentSession>,
) -> Result<Option<UserAgentResponsePayload>, Status> {
actor: &ActorRef<OperatorSession>,
) -> Result<Option<OperatorResponsePayload>, Status> {
let state = match actor.ask(HandleQueryVaultState {}).await {
Ok(VaultState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
Ok(VaultState::Sealed) => ProtoVaultState::Sealed,

4
server/crates/arbiter-server/src/grpc/user_agent/vault_gate.rs → server/crates/arbiter-server/src/grpc/operator/vault_gate.rs
View File

@@ -1,7 +1,7 @@
use super::auth::AuthTransportAdapter;
use crate::{
grpc::TryConvert,
peers::user_agent::vault_gate::{self as vault_gate},
peers::operator::vault_gate::{self as vault_gate},
};
use arbiter_proto::transport::{Bi, Error as TransportError, Receiver, Sender};
@@ -20,7 +20,7 @@ impl Receiver<vault_gate::Inbound> for AuthTransportAdapter<'_> {
Err(error) => {
warn!(
?error,
"Failed to receive user agent request during vault gate"
"Failed to receive operator request during vault gate"
);
return None;
}

8
server/crates/arbiter-server/src/grpc/user_agent/vault_gate/inbound.rs → server/crates/arbiter-server/src/grpc/operator/vault_gate/inbound.rs
View File

@@ -1,11 +1,11 @@
use crate::{
grpc::{Convert, TryConvert},
peers::user_agent::vault_gate::{
peers::operator::vault_gate::{
self as vault_gate, HandleBootstrapEncryptedKey, HandleHandshake, HandleUnsealEncryptedKey,
},
};
use arbiter_proto::proto::user_agent::{
user_agent_request::Payload as UserAgentRequestPayload,
use arbiter_proto::proto::operator::{
operator_request::Payload as OperatorRequestPayload,
vault::{
self as proto_vault,
bootstrap::{self as proto_bootstrap},
@@ -16,7 +16,7 @@ use arbiter_proto::proto::user_agent::{
use tonic::Status;
impl TryConvert for UserAgentRequestPayload {
impl TryConvert for OperatorRequestPayload {
type Output = vault_gate::Inbound;
type Error = Status;

26
server/crates/arbiter-server/src/grpc/user_agent/vault_gate/outbound.rs → server/crates/arbiter-server/src/grpc/operator/vault_gate/outbound.rs
View File

@@ -1,12 +1,12 @@
use crate::{
actors::vault::VaultState,
grpc::{Convert, TryConvert},
peers::user_agent::vault_gate::{self as vault_gate},
peers::operator::vault_gate::{self as vault_gate},
};
use arbiter_proto::proto::{
shared::VaultState as ProtoVaultState,
user_agent::{
user_agent_response::Payload as UserAgentResponsePayload,
operator::{
operator_response::Payload as OperatorResponsePayload,
vault::{
self as proto_vault,
bootstrap::{self as proto_bootstrap, BootstrapResult as ProtoBootstrapResult},
@@ -22,28 +22,28 @@ use arbiter_proto::proto::{
use tonic::Status;
use tracing::warn;
const fn wrap_vault_response(payload: VaultResponsePayload) -> UserAgentResponsePayload {
UserAgentResponsePayload::Vault(proto_vault::Response {
const fn wrap_vault_response(payload: VaultResponsePayload) -> OperatorResponsePayload {
OperatorResponsePayload::Vault(proto_vault::Response {
payload: Some(payload),
})
}
const fn wrap_unseal_response(payload: UnsealResponsePayload) -> UserAgentResponsePayload {
const fn wrap_unseal_response(payload: UnsealResponsePayload) -> OperatorResponsePayload {
wrap_vault_response(VaultResponsePayload::Unseal(proto_unseal::Response {
payload: Some(payload),
}))
}
fn wrap_bootstrap_response(result: ProtoBootstrapResult) -> UserAgentResponsePayload {
fn wrap_bootstrap_response(result: ProtoBootstrapResult) -> OperatorResponsePayload {
wrap_vault_response(VaultResponsePayload::Bootstrap(proto_bootstrap::Response {
result: result.into(),
}))
}
impl Convert for VaultState {
type Output = UserAgentResponsePayload;
type Output = OperatorResponsePayload;
fn convert(self) -> UserAgentResponsePayload {
fn convert(self) -> OperatorResponsePayload {
let proto_state = match self {
Self::Unbootstrapped => ProtoVaultState::Unbootstrapped,
Self::Sealed => ProtoVaultState::Sealed,
@@ -54,9 +54,9 @@ impl Convert for VaultState {
}
impl Convert for vault_gate::HandshakeResponse {
type Output = UserAgentResponsePayload;
type Output = OperatorResponsePayload;
fn convert(self) -> UserAgentResponsePayload {
fn convert(self) -> OperatorResponsePayload {
wrap_unseal_response(UnsealResponsePayload::Start(
proto_unseal::UnsealStartResponse {
server_pubkey: self.server_pubkey.as_bytes().to_vec(),
@@ -66,10 +66,10 @@ impl Convert for vault_gate::HandshakeResponse {
}
impl TryConvert for vault_gate::Outbound {
type Output = UserAgentResponsePayload;
type Output = OperatorResponsePayload;
type Error = Status;
fn try_convert(self) -> Result<UserAgentResponsePayload, Status> {
fn try_convert(self) -> Result<OperatorResponsePayload, Status> {
match self {
Self::HandleVaultState(result) => result
.map_err(|err| {

2
server/crates/arbiter-server/src/peers/client/auth.rs
View File

@@ -54,7 +54,7 @@ impl From<diesel::result::Error> for Error {
pub enum ApproveError {
#[error("Internal error")]
Internal,
#[error("Client connection denied by user agents")]
#[error("Client connection denied by operators")]
Denied,
#[error("Upstream error: {0}")]
Upstream(flow_coordinator::ApprovalError),

2
server/crates/arbiter-server/src/peers/mod.rs
View File

@@ -1,2 +1,2 @@
pub mod client;
pub mod user_agent;
pub mod operator;

4
server/crates/arbiter-server/src/peers/user_agent/auth/mod.rs → server/crates/arbiter-server/src/peers/operator/auth/mod.rs
View File

@@ -1,4 +1,4 @@
use super::{Credentials, UserAgentConnection};
use super::{Credentials, OperatorConnection};
use arbiter_crypto::authn::{self, AuthChallenge};
use arbiter_proto::transport::Bi;
@@ -69,7 +69,7 @@ fn parse_auth_event(payload: Inbound) -> AuthEvents {
}
pub async fn authenticate<T>(
props: &mut UserAgentConnection,
props: &mut OperatorConnection,
transport: &mut T,
) -> Result<Credentials, Error>
where

26
server/crates/arbiter-server/src/peers/user_agent/auth/state.rs → server/crates/arbiter-server/src/peers/operator/auth/state.rs
View File

@@ -1,13 +1,13 @@
use super::{
super::{Credentials, UserAgentConnection},
super::{Credentials, OperatorConnection},
Error,
};
use crate::{
actors::bootstrap::ConsumeToken,
db::{DatabasePool, schema::useragent_client},
peers::user_agent::auth::Outbound,
db::{DatabasePool, schema::operator_client},
peers::operator::auth::Outbound,
};
use arbiter_crypto::authn::{self, AuthChallenge, USERAGENT_CONTEXT};
use arbiter_crypto::authn::{self, AuthChallenge, OPERATOR_CONTEXT};
use arbiter_proto::transport::Bi;
use diesel::{ExpressionMethods as _, OptionalExtension as _, QueryDsl};
@@ -44,9 +44,9 @@ async fn get_client_id(db: &DatabasePool, pubkey: &authn::PublicKey) -> Result<O
Error::internal("Database unavailable")
})?;
useragent_client::table
.filter(useragent_client::public_key.eq(pubkey.to_bytes()))
.select(useragent_client::id)
operator_client::table
.filter(operator_client::public_key.eq(pubkey.to_bytes()))
.select(operator_client::id)
.first::<i32>(&mut conn)
.await
.optional()
@@ -63,9 +63,9 @@ async fn register_key(db: &DatabasePool, pubkey: &authn::PublicKey) -> Result<i3
Error::internal("Database unavailable")
})?;
let id: i32 = diesel::insert_into(useragent_client::table)
.values((useragent_client::public_key.eq(pubkey_bytes),))
.returning(useragent_client::id)
let id: i32 = diesel::insert_into(operator_client::table)
.values((operator_client::public_key.eq(pubkey_bytes),))
.returning(operator_client::id)
.get_result(&mut conn)
.await
.map_err(|e| {
@@ -77,12 +77,12 @@ async fn register_key(db: &DatabasePool, pubkey: &authn::PublicKey) -> Result<i3
}
pub(super) struct AuthContext<'a, T: ?Sized> {
pub(super) conn: &'a mut UserAgentConnection,
pub(super) conn: &'a mut OperatorConnection,
pub(super) transport: &'a mut T,
}
impl<'a, T: ?Sized> AuthContext<'a, T> {
pub(super) const fn new(conn: &'a mut UserAgentConnection, transport: &'a mut T) -> Self {
pub(super) const fn new(conn: &'a mut OperatorConnection, transport: &'a mut T) -> Self {
Self { conn, transport }
}
}
@@ -143,7 +143,7 @@ where
Error::InvalidChallengeSolution
})?;
let valid = pubkey.verify(challenge, USERAGENT_CONTEXT, &signature);
let valid = pubkey.verify(challenge, OPERATOR_CONTEXT, &signature);
if !valid {
self.transport

18
server/crates/arbiter-server/src/peers/user_agent/mod.rs → server/crates/arbiter-server/src/peers/operator/mod.rs
View File

@@ -17,7 +17,7 @@ use tokio::sync::oneshot;
use tracing::{error, warn};
pub use auth::authenticate;
pub use session::UserAgentSession;
pub use session::OperatorSession;
pub mod auth;
pub mod session;
@@ -30,10 +30,10 @@ pub struct Credentials {
}
impl Integrable for Credentials {
const KIND: &'static str = "useragent_credentials";
const KIND: &'static str = "operator_credentials";
}
// Messages, sent by user agent to connection client without having a request
// Messages, sent by operator to connection client without having a request
#[derive(Debug)]
pub enum OutOfBand {
ClientConnectionRequest { profile: ClientProfile },
@@ -41,12 +41,12 @@ pub enum OutOfBand {
}
#[derive(Clone)]
pub struct UserAgentConnection {
pub struct OperatorConnection {
pub(crate) db: DatabasePool,
pub(crate) actors: GlobalActors,
}
impl UserAgentConnection {
impl OperatorConnection {
pub const fn new(db: DatabasePool, actors: GlobalActors) -> Self {
Self { db, actors }
}
@@ -106,7 +106,7 @@ async fn should_run_gate(vault: &ActorRef<Vault>) -> Result<bool, Error> {
}
async fn run_vault_gate<T>(
props: &UserAgentConnection,
props: &OperatorConnection,
transport: &mut T,
auth_creds: Credentials,
) -> Result<(), Error>
@@ -160,10 +160,10 @@ where
}
pub async fn start<T>(
props: &mut UserAgentConnection,
props: &mut OperatorConnection,
mut transport: T,
oob_sender: Box<dyn Sender<OutOfBand>>,
) -> Result<ActorRef<UserAgentSession>, Error>
) -> Result<ActorRef<OperatorSession>, Error>
where
T: Bi<auth::Inbound, Result<auth::Outbound, auth::Error>> + Send,
T: Bi<vault_gate::Inbound, Result<vault_gate::Outbound, vault_gate::Error>> + Send,
@@ -178,7 +178,7 @@ where
// checking the integrity
verify_integrity(&props.db, &props.actors.vault, &creds).await?;
Ok(UserAgentSession::spawn(UserAgentSession::new(
Ok(OperatorSession::spawn(OperatorSession::new(
props.clone(),
oob_sender,
)))

22
server/crates/arbiter-server/src/peers/user_agent/session/handlers.rs → server/crates/arbiter-server/src/peers/operator/session/handlers.rs
View File

@@ -1,8 +1,8 @@
use super::{Error, UserAgentSession};
use super::{Error, OperatorSession};
use crate::{
actors::evm::{
ClientSignTransaction, Generate, ListWallets, SignTransactionError as EvmSignError,
UseragentCreateGrant, UseragentListGrants,
OperatorCreateGrant, OperatorListGrants,
},
actors::flow_coordinator::client_connect_approval::ClientApprovalAnswer,
actors::vault::VaultState,
@@ -36,7 +36,7 @@ pub enum GrantMutationError {
}
#[messages]
impl UserAgentSession {
impl OperatorSession {
#[message]
pub(crate) async fn handle_query_vault_state(&mut self) -> Result<VaultState, Error> {
use crate::actors::vault::GetState;
@@ -44,7 +44,7 @@ impl UserAgentSession {
let vault_state = match self.props.actors.vault.ask(GetState {}).await {
Ok(state) => state,
Err(err) => {
error!(?err, actor = "useragent", "vault.query.failed");
error!(?err, actor = "operator", "vault.query.failed");
return Err(Error::internal("Vault is in broken state"));
}
};
@@ -54,7 +54,7 @@ impl UserAgentSession {
}
#[messages]
impl UserAgentSession {
impl OperatorSession {
#[message]
pub(crate) async fn handle_evm_wallet_create(&mut self) -> Result<(i32, Address), Error> {
match self.props.actors.evm.ask(Generate {}).await {
@@ -82,10 +82,10 @@ impl UserAgentSession {
}
#[messages]
impl UserAgentSession {
impl OperatorSession {
#[message]
pub(crate) async fn handle_grant_list(&mut self) -> Result<Vec<Grant<SpecificGrant>>, Error> {
match self.props.actors.evm.ask(UseragentListGrants {}).await {
match self.props.actors.evm.ask(OperatorListGrants {}).await {
Ok(grants) => Ok(grants),
Err(err) => {
error!(?err, "EVM grant list failed");
@@ -104,7 +104,7 @@ impl UserAgentSession {
.props
.actors
.evm
.ask(UseragentCreateGrant { basic, grant })
.ask(OperatorCreateGrant { basic, grant })
.await
{
Ok(grant_id) => Ok(grant_id),
@@ -121,7 +121,7 @@ impl UserAgentSession {
// .props
// .actors
// .evm
// .ask(UseragentDeleteGrant { grant_id })
// .ask(OperatorDeleteGrant { grant_id })
// .await
// {
// Ok(()) => Ok(()),
@@ -157,7 +157,7 @@ impl UserAgentSession {
Err(SignTransactionError::Vet(vet_error))
}
Err(err) => {
error!(?err, "EVM sign transaction failed in user-agent session");
error!(?err, "EVM sign transaction failed in operator session");
Err(SignTransactionError::Internal)
}
}
@@ -226,7 +226,7 @@ impl UserAgentSession {
}
#[messages]
impl UserAgentSession {
impl OperatorSession {
#[message(ctx)]
pub(crate) async fn handle_new_client_approve(
&mut self,

28
server/crates/arbiter-server/src/peers/user_agent/session/mod.rs → server/crates/arbiter-server/src/peers/operator/session/mod.rs
View File

@@ -1,8 +1,8 @@
use super::{OutOfBand, UserAgentConnection};
use super::{OutOfBand, OperatorConnection};
use crate::{
actors::{
flow_coordinator::client_connect_approval::ClientApprovalController,
useragent_registry::ConnectUseragent,
operator_registry::ConnectOperator,
},
peers::client::ClientProfile,
};
@@ -49,8 +49,8 @@ pub struct PendingClientApproval {
controller: ActorRef<ClientApprovalController>,
}
pub struct UserAgentSession {
props: UserAgentConnection,
pub struct OperatorSession {
props: OperatorConnection,
sender: Box<dyn Sender<OutOfBand>>,
pending_client_approvals: HashMap<Vec<u8>, PendingClientApproval>,
@@ -58,8 +58,8 @@ pub struct UserAgentSession {
pub mod handlers;
impl UserAgentSession {
pub(crate) fn new(props: UserAgentConnection, sender: Box<dyn Sender<OutOfBand>>) -> Self {
impl OperatorSession {
pub(crate) fn new(props: OperatorConnection, sender: Box<dyn Sender<OutOfBand>>) -> Self {
Self {
props,
sender,
@@ -69,7 +69,7 @@ impl UserAgentSession {
}
#[messages]
impl UserAgentSession {
impl OperatorSession {
#[message]
pub async fn begin_new_client_approval(
&mut self,
@@ -85,7 +85,7 @@ impl UserAgentSession {
{
error!(
?e,
actor = "user_agent",
actor = "operator",
event = "failed to announce new client connection"
);
return;
@@ -101,7 +101,7 @@ impl UserAgentSession {
}
}
impl Actor for UserAgentSession {
impl Actor for OperatorSession {
type Args = Self;
type Error = Error;
@@ -109,17 +109,17 @@ impl Actor for UserAgentSession {
async fn on_start(args: Self::Args, this: ActorRef<Self>) -> Result<Self, Self::Error> {
args.props
.actors
.useragent_registry
.ask(ConnectUseragent {
.operator_registry
.ask(ConnectOperator {
actor: this.clone(),
})
.await
.map_err(|err| {
error!(
?err,
"Failed to register user agent connection with user agent registry"
"Failed to register operator connection with operator registry"
);
Error::internal("Failed to register user agent connection with user agent registry")
Error::internal("Failed to register operator connection with operator registry")
})?;
Ok(args)
}
@@ -149,7 +149,7 @@ impl Actor for UserAgentSession {
{
error!(
?e,
actor = "user_agent",
actor = "operator",
event = "failed to announce client connection cancellation"
);
}

0
server/crates/arbiter-server/src/peers/user_agent/vault_gate/mod.rs → server/crates/arbiter-server/src/peers/operator/vault_gate/mod.rs
View File

0
server/crates/arbiter-server/src/peers/user_agent/vault_gate/state.rs → server/crates/arbiter-server/src/peers/operator/vault_gate/state.rs
View File

8
server/crates/arbiter-server/tests/client/auth.rs
View File

@@ -79,22 +79,22 @@ fn sign_client_challenge(key: &SigningKey<MlDsa87>, challenge: &AuthChallenge) -
.into()
}
async fn insert_bootstrap_sentinel_useragent(db: &db::DatabasePool) {
async fn insert_bootstrap_sentinel_operator(db: &db::DatabasePool) {
let mut conn = db.get().await.unwrap();
let sentinel_key = verifying_key(&MlDsa87::key_gen(&mut rand::rng()))
.encode()
.0
.to_vec();
insert_into(schema::useragent_client::table)
.values((schema::useragent_client::public_key.eq(sentinel_key),))
insert_into(schema::operator_client::table)
.values((schema::operator_client::public_key.eq(sentinel_key),))
.execute(&mut conn)
.await
.unwrap();
}
async fn spawn_test_actors(db: &db::DatabasePool) -> GlobalActors {
insert_bootstrap_sentinel_useragent(db).await;
insert_bootstrap_sentinel_operator(db).await;
let actors = GlobalActors::spawn(db.clone()).await.unwrap();
actors

6
server/crates/arbiter-server/tests/operator.rs Normal file
View File

@@ -0,0 +1,6 @@
mod common;
#[path = "operator/auth.rs"]
mod auth;
#[path = "operator/unseal.rs"]
mod unseal;

58
server/crates/arbiter-server/tests/user_agent/auth.rs → server/crates/arbiter-server/tests/operator/auth.rs
View File

@@ -1,6 +1,6 @@
use super::common::ChannelTransport;
use arbiter_crypto::{
authn::{self, AuthChallenge, USERAGENT_CONTEXT},
authn::{self, AuthChallenge, OPERATOR_CONTEXT},
safecell::{SafeCell, SafeCellHandle as _},
};
use arbiter_proto::transport::{Error as TransportError, Receiver, Sender};
@@ -8,7 +8,7 @@ use arbiter_server::{
actors::{GlobalActors, bootstrap::GetToken, vault::Bootstrap},
crypto::integrity,
db::{self, schema},
peers::user_agent::{self, Credentials, UserAgentConnection, auth, vault_gate},
peers::operator::{self, Credentials, OperatorConnection, auth, vault_gate},
};
use async_trait::async_trait;
@@ -21,13 +21,13 @@ fn verifying_key(key: &SigningKey<MlDsa87>) -> VerifyingKey<MlDsa87> {
<SigningKey<MlDsa87> as Keypair>::verifying_key(key)
}
fn sign_useragent_challenge(
fn sign_operator_challenge(
key: &SigningKey<MlDsa87>,
challenge: &AuthChallenge,
) -> authn::Signature {
let challenge = challenge.format();
key.signing_key()
.sign_deterministic(&challenge, USERAGENT_CONTEXT)
.sign_deterministic(&challenge, OPERATOR_CONTEXT)
.unwrap()
.into()
}
@@ -41,8 +41,8 @@ fn tamper_challenge(challenge: &AuthChallenge) -> AuthChallenge {
struct NullOobSender;
#[async_trait]
impl Sender<user_agent::OutOfBand> for NullOobSender {
async fn send(&mut self, _item: user_agent::OutOfBand) -> Result<(), TransportError> {
impl Sender<operator::OutOfBand> for NullOobSender {
async fn send(&mut self, _item: operator::OutOfBand) -> Result<(), TransportError> {
Ok(())
}
}
@@ -166,7 +166,7 @@ pub async fn bootstrap_token_auth() {
let (mut server_transport, mut test_transport) = ChannelTransport::new();
let db_for_task = db.clone();
let task = tokio::spawn(async move {
let mut props = UserAgentConnection::new(db_for_task, actors);
let mut props = OperatorConnection::new(db_for_task, actors);
auth::authenticate(&mut props, &mut server_transport).await
});
@@ -188,7 +188,7 @@ pub async fn bootstrap_token_auth() {
other => panic!("Expected AuthChallenge, got {other:?}"),
};
let signature = sign_useragent_challenge(&new_key, &challenge);
let signature = sign_operator_challenge(&new_key, &challenge);
test_transport
.send(auth::Inbound::AuthChallengeSolution {
@@ -206,8 +206,8 @@ pub async fn bootstrap_token_auth() {
task.await.unwrap().unwrap();
let mut conn = db.get().await.unwrap();
let stored_pubkey: Vec<u8> = schema::useragent_client::table
.select(schema::useragent_client::public_key)
let stored_pubkey: Vec<u8> = schema::operator_client::table
.select(schema::operator_client::public_key)
.first::<Vec<u8>>(&mut conn)
.await
.unwrap();
@@ -223,7 +223,7 @@ pub async fn bootstrap_invalid_token_auth() {
let (mut server_transport, mut test_transport) = ChannelTransport::new();
let db_for_task = db.clone();
let task = tokio::spawn(async move {
let mut props = UserAgentConnection::new(db_for_task, actors);
let mut props = OperatorConnection::new(db_for_task, actors);
auth::authenticate(&mut props, &mut server_transport).await
});
@@ -245,7 +245,7 @@ pub async fn bootstrap_invalid_token_auth() {
other => panic!("Expected AuthChallenge, got {other:?}"),
};
let signature = sign_useragent_challenge(&new_key, &challenge);
let signature = sign_operator_challenge(&new_key, &challenge);
test_transport
.send(auth::Inbound::AuthChallengeSolution {
signature: signature.to_bytes(),
@@ -259,7 +259,7 @@ pub async fn bootstrap_invalid_token_auth() {
));
let mut conn = db.get().await.unwrap();
let count: i64 = schema::useragent_client::table
let count: i64 = schema::operator_client::table
.count()
.get_result::<i64>(&mut conn)
.await
@@ -285,9 +285,9 @@ pub async fn challenge_auth() {
{
let mut conn = db.get().await.unwrap();
let id: i32 = insert_into(schema::useragent_client::table)
.values((schema::useragent_client::public_key.eq(pubkey_bytes.clone()),))
.returning(schema::useragent_client::id)
let id: i32 = insert_into(schema::operator_client::table)
.values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
.returning(schema::operator_client::id)
.get_result(&mut conn)
.await
.unwrap();
@@ -307,7 +307,7 @@ pub async fn challenge_auth() {
let (mut server_transport, mut test_transport) = ChannelTransport::new();
let db_for_task = db.clone();
let task = tokio::spawn(async move {
let mut props = UserAgentConnection::new(db_for_task, actors);
let mut props = OperatorConnection::new(db_for_task, actors);
auth::authenticate(&mut props, &mut server_transport).await
});
@@ -331,7 +331,7 @@ pub async fn challenge_auth() {
Err(err) => panic!("Expected Ok response, got Err({err:?})"),
};
let signature = sign_useragent_challenge(&new_key, &challenge);
let signature = sign_operator_challenge(&new_key, &challenge);
test_transport
.send(auth::Inbound::AuthChallengeSolution {
@@ -371,8 +371,8 @@ pub async fn challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
{
let mut conn = db.get().await.unwrap();
insert_into(schema::useragent_client::table)
.values((schema::useragent_client::public_key.eq(pubkey_bytes.clone()),))
insert_into(schema::operator_client::table)
.values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
.execute(&mut conn)
.await
.unwrap();
@@ -381,8 +381,8 @@ pub async fn challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
let (server_transport, mut test_transport) = start_transport_pair();
let db_for_task = db.clone();
let task = tokio::spawn(async move {
let mut props = UserAgentConnection::new(db_for_task, actors);
user_agent::start(&mut props, server_transport, Box::new(NullOobSender)).await
let mut props = OperatorConnection::new(db_for_task, actors);
operator::start(&mut props, server_transport, Box::new(NullOobSender)).await
});
test_transport
@@ -405,7 +405,7 @@ pub async fn challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
Err(err) => panic!("Expected Ok response, got Err({err:?})"),
};
let signature = sign_useragent_challenge(&new_key, &challenge);
let signature = sign_operator_challenge(&new_key, &challenge);
test_transport
.send(auth::Inbound::AuthChallengeSolution {
@@ -422,7 +422,7 @@ pub async fn challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
assert!(matches!(
task.await.unwrap(),
Err(user_agent::Error::Internal(_))
Err(operator::Error::Internal(_))
));
}
@@ -444,9 +444,9 @@ pub async fn challenge_auth_rejects_invalid_signature() {
{
let mut conn = db.get().await.unwrap();
let id: i32 = insert_into(schema::useragent_client::table)
.values((schema::useragent_client::public_key.eq(pubkey_bytes.clone()),))
.returning(schema::useragent_client::id)
let id: i32 = insert_into(schema::operator_client::table)
.values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
.returning(schema::operator_client::id)
.get_result(&mut conn)
.await
.unwrap();
@@ -466,7 +466,7 @@ pub async fn challenge_auth_rejects_invalid_signature() {
let (mut server_transport, mut test_transport) = ChannelTransport::new();
let db_for_task = db.clone();
let task = tokio::spawn(async move {
let mut props = UserAgentConnection::new(db_for_task, actors);
let mut props = OperatorConnection::new(db_for_task, actors);
auth::authenticate(&mut props, &mut server_transport).await
});
@@ -490,7 +490,7 @@ pub async fn challenge_auth_rejects_invalid_signature() {
Err(err) => panic!("Expected Ok response, got Err({err:?})"),
};
let signature = sign_useragent_challenge(&new_key, &tamper_challenge(&challenge));
let signature = sign_operator_challenge(&new_key, &tamper_challenge(&challenge));
test_transport
.send(auth::Inbound::AuthChallengeSolution {

2
server/crates/arbiter-server/tests/user_agent/unseal.rs → server/crates/arbiter-server/tests/operator/unseal.rs
View File

@@ -8,7 +8,7 @@ use arbiter_server::{
vault::{Bootstrap, Seal},
},
db,
peers::user_agent::{
peers::operator::{
Credentials,
vault_gate::{
Error as VaultGateError, HandleHandshake, HandleUnsealEncryptedKey, VaultGate,

6
server/crates/arbiter-server/tests/user_agent.rs
View File

@@ -1,6 +0,0 @@
mod common;
#[path = "user_agent/auth.rs"]
mod auth;
#[path = "user_agent/unseal.rs"]
mod unseal;