update credential API to include sessions

This change updates the credential API to include sessions as just another
credential type. It adds the ApiToken type and enables revocation of
credentials. Updates were also made to the Identity API which now includes a
list of new credentials added to an Identity.

This change also migrates off the hacky ENV configuration paradigm and includes
a new config.toml file specified by the SECD_CONFIG_PATH env var. No default is
currently provided.

Clippy updates and code cleanup.

1 files changed, 18 insertions, 84 deletions

diff --git a/crates/secd/src/client/store/sql_db.rs b/crates/secd/src/client/store/sql_db.rs
index 3e72fe8..7b3a68e 100644
--- a/crates/secd/src/client/store/sql_db.rs
+++ b/crates/secd/src/client/store/sql_db.rs
@@ -1,7 +1,7 @@
 use super::{Store, StoreError, StoreType};
 use crate::{
-    Address, AddressType, AddressValidation, AddressValidationMethod, Credential, CredentialId,
-    CredentialType, Identity, IdentityId, Session,
+    util::ErrorContext, Address, AddressType, AddressValidation, AddressValidationMethod,
+    Credential, CredentialId, CredentialType, Identity, IdentityId,
 };
 use email_address::EmailAddress;
 use lazy_static::lazy_static;
@@ -26,8 +26,6 @@ const WRITE_CREDENTIAL: &str = "write_credential";
 const FIND_CREDENTIAL: &str = "find_credential";
 const WRITE_IDENTITY: &str = "write_identity";
 const FIND_IDENTITY: &str = "find_identity";
-const WRITE_SESSION: &str = "write_session";
-const FIND_SESSION: &str = "find_session";
 
 const ERR_MSG_MIGRATION_FAILED: &str = "Failed to apply secd migrations to a sql db. File a bug at https://www.github.com/branchcontrol/secdiam";
 
@@ -59,14 +57,6 @@ lazy_static! {
                 include_str!("../../../store/sqlite/sql/find_identity.sql"),
             ),
             (
-                WRITE_SESSION,
-                include_str!("../../../store/sqlite/sql/write_session.sql"),
-            ),
-            (
-                FIND_SESSION,
-                include_str!("../../../store/sqlite/sql/find_session.sql"),
-            ),
-            (
                 WRITE_CREDENTIAL,
                 include_str!("../../../store/sqlite/sql/write_credential.sql"),
             ),
@@ -105,14 +95,6 @@ lazy_static! {
                 include_str!("../../../store/pg/sql/find_identity.sql"),
             ),
             (
-                WRITE_SESSION,
-                include_str!("../../../store/pg/sql/write_session.sql"),
-            ),
-            (
-                FIND_SESSION,
-                include_str!("../../../store/pg/sql/find_session.sql"),
-            ),
-            (
                 WRITE_CREDENTIAL,
                 include_str!("../../../store/pg/sql/write_credential.sql"),
             ),
@@ -145,7 +127,7 @@ impl<T> SqlxResultExt<T> for Result<T, sqlx::Error> {
                 return Err(StoreError::IdempotentCheckAlreadyExists);
             }
         }
-        self.map_err(|e| StoreError::SqlClientError(e))
+        self.map_err(StoreError::SqlClientError)
     }
 }
 
@@ -169,7 +151,7 @@ impl Store for PgClient {
 }
 
 impl PgClient {
-    pub async fn new(pool: sqlx::Pool<Postgres>) -> Arc<dyn Store + Send + Sync + 'static> {
+    pub async fn new_ref(pool: sqlx::Pool<Postgres>) -> Arc<dyn Store + Send + Sync + 'static> {
         sqlx::migrate!("store/pg/migrations", "secd")
             .run(&pool)
             .await
@@ -196,7 +178,7 @@ impl Store for SqliteClient {
 }
 
 impl SqliteClient {
-    pub async fn new(pool: sqlx::Pool<Sqlite>) -> Arc<dyn Store + Send + Sync + 'static> {
+    pub async fn new_ref(pool: sqlx::Pool<Sqlite>) -> Arc<dyn Store + Send + Sync + 'static> {
         sqlx::migrate!("store/sqlite/migrations", "secd")
             .run(&pool)
             .await
@@ -436,7 +418,6 @@ where
         id: Option<&Uuid>,
         address_value: Option<&str>,
         address_is_validated: Option<bool>,
-        session_token_hash: &Option<Vec<u8>>,
     ) -> Result<Vec<Identity>, StoreError> {
         let sqls = get_sqls(&self.sqls_root, FIND_IDENTITY);
         let rs = sqlx::query_as::<
@@ -452,7 +433,6 @@ where
         .bind(id)
         .bind(address_value)
         .bind(address_is_validated)
-        .bind(session_token_hash)
         .fetch_all(&self.pool)
         .await
         .extend_err()?;
@@ -462,7 +442,8 @@ where
             res.push(Identity {
                 id,
                 address_validations: vec![],
-                credentials: vec![],
+                credentials: self.find_credential(None, Some(id), None).await?,
+                new_credentials: vec![],
                 rules: vec![],
                 metadata,
                 created_at,
@@ -473,57 +454,12 @@ where
         Ok(res)
     }
 
-    pub async fn write_session(&self, s: &Session, token_hash: &[u8]) -> Result<(), StoreError> {
-        let sqls = get_sqls(&self.sqls_root, WRITE_SESSION);
-        sqlx::query(&sqls[0])
-            .bind(s.identity_id)
-            .bind(token_hash)
-            .bind(s.created_at)
-            .bind(s.expired_at)
-            .bind(s.revoked_at)
-            .execute(&self.pool)
-            .await
-            .extend_err()?;
-
-        Ok(())
-    }
-
-    pub async fn find_session(
-        &self,
-        token: Vec<u8>,
-        identity_id: Option<&Uuid>,
-    ) -> Result<Vec<Session>, StoreError> {
-        let sqls = get_sqls(&self.sqls_root, FIND_SESSION);
-        let rs =
-            sqlx::query_as::<_, (Uuid, OffsetDateTime, OffsetDateTime, Option<OffsetDateTime>)>(
-                &sqls[0],
-            )
-            .bind(token)
-            .bind(identity_id)
-            .bind(OffsetDateTime::now_utc())
-            .bind(OffsetDateTime::now_utc())
-            .fetch_all(&self.pool)
-            .await
-            .extend_err()?;
-
-        let mut res = vec![];
-        for (identity_id, created_at, expired_at, revoked_at) in rs.into_iter() {
-            res.push(Session {
-                identity_id,
-                token: vec![],
-                created_at,
-                expired_at,
-                revoked_at,
-            });
-        }
-        Ok(res)
-    }
-
     pub async fn write_credential(&self, c: &Credential) -> Result<(), StoreError> {
         let sqls = get_sqls(&self.sqls_root, WRITE_CREDENTIAL);
         let partial_key = match &c.t {
-            crate::CredentialType::Passphrase { key, value: _ } => Some(key.clone()),
-            _ => None,
+            CredentialType::Passphrase { key, .. } => Some(key.clone()),
+            CredentialType::ApiToken { public, .. } => Some(public.clone()),
+            CredentialType::Session { key, .. } => Some(key.clone()),
         };
 
         sqlx::query(&sqls[0])
@@ -545,17 +481,13 @@ where
         id: Option<Uuid>,
         identity_id: Option<Uuid>,
         t: Option<&CredentialType>,
-        restrict_by_key: bool,
     ) -> Result<Vec<Credential>, StoreError> {
         let sqls = get_sqls(&self.sqls_root, FIND_CREDENTIAL);
-        let key = restrict_by_key
-            .then(|| {
-                t.map(|i| match i {
-                    CredentialType::Passphrase { key, value: _ } => key.clone(),
-                    _ => todo!(),
-                })
-            })
-            .flatten();
+        let key = t.map(|i| match i {
+            CredentialType::Passphrase { key, .. } => key.clone(),
+            CredentialType::ApiToken { public, .. } => public.clone(),
+            CredentialType::Session { key, .. } => key.clone(),
+        });
 
         let rs = sqlx::query_as::<
             _,
@@ -578,7 +510,9 @@ where
 
         let mut res = vec![];
         for (id, identity_id, data, created_at, revoked_at, deleted_at) in rs.into_iter() {
-            let t: CredentialType = serde_json::from_str(&data)?;
+            let t: CredentialType =
+                serde_json::from_str(&data).ctx("error while deserializing credential_type")?;
+
             res.push(Credential {
                 id,
                 identity_id,