feat: Add node identity

acp/identity/identity.go

@@ -73,49 +73,22 @@ func FromPrivateKey(
 		return Identity{}, err
 	}
 
-	var signedToken []byte
-	if !skipTokenGeneration {
-		subject := hex.EncodeToString(publicKey.SerializeCompressed())
-		now := time.Now()
-
-		jwtBuilder := jwt.NewBuilder()
-		jwtBuilder = jwtBuilder.Subject(subject)
-		jwtBuilder = jwtBuilder.Expiration(now.Add(duration))
-		jwtBuilder = jwtBuilder.NotBefore(now)
-		jwtBuilder = jwtBuilder.Issuer(did)
-		jwtBuilder = jwtBuilder.IssuedAt(now)
-
-		if audience.HasValue() {
-			jwtBuilder = jwtBuilder.Audience([]string{audience.Value()})
-		}
-
-		token, err := jwtBuilder.Build()
-		if err != nil {
-			return Identity{}, err
-		}
-
-		if authorizedAccount.HasValue() {
-			err = token.Set(acptypes.AuthorizedAccountClaim, authorizedAccount.Value())
-			if err != nil {
-				return Identity{}, err
-			}
-		}
+	identity := Identity{
+		DID:        did,
+		PrivateKey: privateKey,
+		PublicKey:  publicKey,
+	}
 
-		signedToken, err = jwt.Sign(token, jwt.WithKey(BearerTokenSignatureScheme, privateKey.ToECDSA()))
+	if !skipTokenGeneration {
+		err = identity.UpdateToken(duration, audience, authorizedAccount)
 		if err != nil {
 			return Identity{}, err
 		}
 	}
-
-	return Identity{
-		DID:         did,
-		PrivateKey:  privateKey,
-		PublicKey:   publicKey,
-		BearerToken: string(signedToken),
-	}, nil
+	return identity, nil
 }
 
-// FromToken constructs a new `Indentity` from a bearer token.
+// FromToken constructs a new `Identity` from a bearer token.
 func FromToken(data []byte) (Identity, error) {
 	token, err := jwt.Parse(data, jwt.WithVerify(false))
 	if err != nil {
@@ -163,3 +136,52 @@ func didFromPublicKey(publicKey *secp256k1.PublicKey, producer didProducer) (str
 func (identity Identity) IntoRawIdentity() RawIdentity {
 	return newRawIdentity(identity.PrivateKey, identity.PublicKey, identity.DID)
 }
+
+// UpdateToken updates the `BearerToken` field of the `Identity`.
+//
+//   - duration: The [time.Duration] that this identity is valid for.
+//   - audience: The audience that this identity is valid for.  This is required
+//     by the Defra http client.  For example `github.com/sourcenetwork/defradb`
+//   - authorizedAccount: An account that this identity is authorizing to make
+//     SourceHub calls on behalf of this actor.  This is currently required when
+//     using SourceHub ACP.
+func (identity *Identity) UpdateToken(
+	duration time.Duration,
+	audience immutable.Option[string],
+	authorizedAccount immutable.Option[string],
+) error {
+	var signedToken []byte
+	subject := hex.EncodeToString(identity.PublicKey.SerializeCompressed())
+	now := time.Now()
+
+	jwtBuilder := jwt.NewBuilder()
+	jwtBuilder = jwtBuilder.Subject(subject)
+	jwtBuilder = jwtBuilder.Expiration(now.Add(duration))
+	jwtBuilder = jwtBuilder.NotBefore(now)
+	jwtBuilder = jwtBuilder.Issuer(identity.DID)
+	jwtBuilder = jwtBuilder.IssuedAt(now)
+
+	if audience.HasValue() {
+		jwtBuilder = jwtBuilder.Audience([]string{audience.Value()})
+	}
+
+	token, err := jwtBuilder.Build()
+	if err != nil {
+		return err
+	}
+
+	if authorizedAccount.HasValue() {
+		err = token.Set(acptypes.AuthorizedAccountClaim, authorizedAccount.Value())
+		if err != nil {
+			return err
+		}
+	}
+
+	signedToken, err = jwt.Sign(token, jwt.WithKey(BearerTokenSignatureScheme, identity.PrivateKey.ToECDSA()))
+	if err != nil {
+		return err
+	}
+
+	identity.BearerToken = string(signedToken)
+	return nil
+}

acp/identity/raw_identity.go

@@ -71,21 +71,3 @@ func (r RawIdentity) IntoIdentity() (Identity, error) {
 		DID:        r.DID,
 	}, nil
 }
-
-// IntoIdentity converts a PublicRawIdentity into an Identity.
-func (r PublicRawIdentity) IntoIdentity() (Identity, error) {
-	publicKeyBytes, err := hex.DecodeString(r.PublicKey)
-	if err != nil {
-		return Identity{}, err
-	}
-
-	publicKey, err := secp256k1.ParsePubKey(publicKeyBytes)
-	if err != nil {
-		return Identity{}, err
-	}
-
-	return Identity{
-		PublicKey: publicKey,
-		DID:       r.DID,
-	}, nil
-}

cli/node_identity_assign.go

@@ -62,6 +62,19 @@ Example to assign an identity to the node:
 			if err != nil {
 				return err
 			}
+
+			if !cfg.GetBool("keyring.disabled") {
+				kr, err := openKeyring(cmd)
+				if err != nil {
+					return err
+				}
+
+				err = kr.Set(nodeIdentityKeyName, data)
+				if err != nil {
+					return err
+				}
+			}
+
 			return db.AssignNodeIdentity(cmd.Context(), identity)
 		},
 	}

http/handler_store.go

@@ -20,7 +20,6 @@ import (
 	"github.com/getkin/kin-openapi/openapi3"
 	"github.com/sourcenetwork/immutable"
 
-	"github.com/sourcenetwork/defradb/acp/identity"
 	"github.com/sourcenetwork/defradb/client"
 )
 
@@ -354,23 +353,6 @@ func (s *storeHandler) GetNodeIdentity(rw http.ResponseWriter, req *http.Request
 	responseJSON(rw, http.StatusOK, identity)
 }
 
-func (s *storeHandler) AssignNodeIdentity(rw http.ResponseWriter, req *http.Request) {
-	db := req.Context().Value(dbContextKey).(client.DB)
-
-	ident := identity.FromContext(req.Context())
-
-	if !ident.HasValue() {
-		responseJSON(rw, http.StatusBadRequest, errorResponse{ErrMissingIdentity})
-		return
-	}
-
-	err := db.AssignNodeIdentity(req.Context(), ident.Value())
-	if err != nil {
-		responseJSON(rw, http.StatusBadRequest, errorResponse{err})
-		return
-	}
-}
-
 func (h *storeHandler) bindRoutes(router *Router) {
 	successResponse := &openapi3.ResponseRef{
 		Ref: "#/components/responses/success",
@@ -672,14 +654,6 @@ func (h *storeHandler) bindRoutes(router *Router) {
 	nodeIdentity.AddResponse(200, identityResponse)
 	nodeIdentity.Responses.Set("400", errorResponse)
 
-	assignNodeIdentity := openapi3.NewOperation()
-	assignNodeIdentity.OperationID = "assign_node_identity"
-	assignNodeIdentity.Description = "Assign node's identity"
-	assignNodeIdentity.Tags = []string{"node", "identity"}
-	assignNodeIdentity.Responses = openapi3.NewResponses()
-	assignNodeIdentity.Responses.Set("200", successResponse)
-	assignNodeIdentity.Responses.Set("400", errorResponse)
-
 	router.AddRoute("/backup/export", http.MethodPost, backupExport, h.BasicExport)
 	router.AddRoute("/backup/import", http.MethodPost, backupImport, h.BasicImport)
 	router.AddRoute("/collections", http.MethodGet, collectionDescribe, h.GetCollection)
@@ -695,5 +669,4 @@ func (h *storeHandler) bindRoutes(router *Router) {
 	router.AddRoute("/schema/default", http.MethodPost, setActiveSchemaVersion, h.SetActiveSchemaVersion)
 	router.AddRoute("/lens", http.MethodPost, setMigration, h.SetMigration)
 	router.AddRoute("/node/identity", http.MethodGet, nodeIdentity, h.GetNodeIdentity)
-	router.AddRoute("/node/identity", http.MethodPost, assignNodeIdentity, h.AssignNodeIdentity)
 }

tests/clients/http/wrapper.go

@@ -288,5 +288,5 @@ func (w *Wrapper) GetNodeIdentity(ctx context.Context) (immutable.Option[identit
 }
 
 func (w *Wrapper) AssignNodeIdentity(ctx context.Context, ident identity.Identity) error {
-	return w.client.AssignNodeIdentity(ctx, ident)
+	return w.node.DB.AssignNodeIdentity(ctx, ident)
 }

tests/integration/node/identity_test.go

@@ -8,7 +8,7 @@
 // by the Apache License, Version 2.0, included in the file
 // licenses/APL.txt.
 
-package encryption
+package node
 
 import (
 	"testing"

tests/integration/utils.go

@@ -167,15 +167,15 @@ func ExecuteTestCase(
 	skipIfViewCacheTypeUnsupported(t, testCase.SupportedViewTypes)
 
 	var clients []ClientType
-	//if httpClient {
-	clients = append(clients, HTTPClientType)
-	//}
-	//if goClient {
-	clients = append(clients, GoClientType)
-	//}
-	//if cliClient {
-	clients = append(clients, CLIClientType)
-	//}
+	if httpClient {
+		clients = append(clients, HTTPClientType)
+	}
+	if goClient {
+		clients = append(clients, GoClientType)
+	}
+	if cliClient {
+		clients = append(clients, CLIClientType)
+	}
 
 	var databases []DatabaseType
 	if badgerInMemory {