Add more context to ms rules / identity provider callbacks (#204)

* Input group context to mls rules * Input epoch info to identity provider * Fixup * Fixup * Move GroupContext to core, pass it to identity provider * Bump version * Fixup * Give group context to id provider when creating group * save better state * Fix function names, appease clippy * Apply review suggestions --------- Co-authored-by: Marta Mularczyk <mulmarta@amazon.com>
awslabs · Nov 20, 2024 · ad3c6e9 · ad3c6e9
1 parent 9f4d07f
commit ad3c6e9
Show file tree

Hide file tree

Showing 42 changed files with 449 additions and 341 deletions.
diff --git a/mls-rs-core/Cargo.toml b/mls-rs-core/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mls-rs-core"
-version = "0.19.2"
+version = "0.20.0"
 edition = "2021"
 description = "Core components and traits for mls-rs"
 homepage = "https://github.com/awslabs/mls-rs"

diff --git a/mls-rs-core/src/crypto/test_suite.rs b/mls-rs-core/src/crypto/test_suite.rs
@@ -11,7 +11,7 @@ use super::{
     CipherSuiteProvider, CryptoProvider, HpkeCiphertext, HpkeContextS, HpkePublicKey, HpkeSecretKey,
 };
 
-#[cfg(all(not(mls_build_async), not(target_arch = "wasm32"), feature = "std"))]
+#[cfg(all(not(target_arch = "wasm32"), feature = "std"))]
 const PATH: &str = concat!(
     env!("CARGO_MANIFEST_DIR"),
     "/test_data/crypto_provider.json"

diff --git a/mls-rs-core/src/group.rs b/mls-rs-core/src/group.rs
@@ -2,10 +2,12 @@
 // Copyright by contributors to this project.
 // SPDX-License-Identifier: (Apache-2.0 OR MIT)
 
+mod context;
 mod group_state;
 mod proposal_type;
 mod roster;
 
+pub use context::*;
 pub use group_state::*;
 pub use proposal_type::*;
 pub use roster::*;
diff --git a/mls-rs/src/group/context.rs → mls-rs-core/src/group/context.rs b/mls-rs/src/group/context.rs → mls-rs-core/src/group/context.rs
@@ -2,16 +2,46 @@
 // Copyright by contributors to this project.
 // SPDX-License-Identifier: (Apache-2.0 OR MIT)
 
-use alloc::vec;
-use alloc::vec::Vec;
-use core::fmt::{self, Debug};
+use crate::{crypto::CipherSuite, extension::ExtensionList, protocol_version::ProtocolVersion};
+use alloc::{vec, vec::Vec};
+use core::{
+    fmt::{self, Debug},
+    ops::Deref,
+};
 use mls_rs_codec::{MlsDecode, MlsEncode, MlsSize};
 
-use crate::{cipher_suite::CipherSuite, protocol_version::ProtocolVersion, ExtensionList};
+#[derive(Clone, PartialEq, Eq, MlsSize, MlsEncode, MlsDecode)]
+#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
+#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
+pub struct ConfirmedTranscriptHash(
+    #[mls_codec(with = "mls_rs_codec::byte_vec")]
+    #[cfg_attr(feature = "serde", serde(with = "crate::vec_serde"))]
+    Vec<u8>,
+);
+
+impl Debug for ConfirmedTranscriptHash {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        crate::debug::pretty_bytes(&self.0)
+            .named("ConfirmedTranscriptHash")
+            .fmt(f)
+    }
+}
 
-use super::ConfirmedTranscriptHash;
+impl Deref for ConfirmedTranscriptHash {
+    type Target = Vec<u8>;
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
+}
+
+impl From<Vec<u8>> for ConfirmedTranscriptHash {
+    fn from(value: Vec<u8>) -> Self {
+        Self(value)
+    }
+}
 
-#[derive(Clone, PartialEq, MlsSize, MlsEncode, MlsDecode)]
+#[derive(Clone, PartialEq, Eq, MlsSize, MlsEncode, MlsDecode)]
 #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
 #[cfg_attr(
     all(feature = "ffi", not(test)),
@@ -22,13 +52,13 @@ pub struct GroupContext {
     pub protocol_version: ProtocolVersion,
     pub cipher_suite: CipherSuite,
     #[mls_codec(with = "mls_rs_codec::byte_vec")]
-    #[cfg_attr(feature = "serde", serde(with = "mls_rs_core::vec_serde"))]
+    #[cfg_attr(feature = "serde", serde(with = "crate::vec_serde"))]
     pub group_id: Vec<u8>,
     pub epoch: u64,
-    #[cfg_attr(feature = "serde", serde(with = "mls_rs_core::vec_serde"))]
+    #[cfg_attr(feature = "serde", serde(with = "crate::vec_serde"))]
     #[mls_codec(with = "mls_rs_codec::byte_vec")]
-    pub(crate) tree_hash: Vec<u8>,
-    pub(crate) confirmed_transcript_hash: ConfirmedTranscriptHash,
+    pub tree_hash: Vec<u8>,
+    pub confirmed_transcript_hash: ConfirmedTranscriptHash,
     pub extensions: ExtensionList,
 }
 
@@ -37,15 +67,9 @@ impl Debug for GroupContext {
         f.debug_struct("GroupContext")
             .field("protocol_version", &self.protocol_version)
             .field("cipher_suite", &self.cipher_suite)
-            .field(
-                "group_id",
-                &mls_rs_core::debug::pretty_group_id(&self.group_id),
-            )
+            .field("group_id", &crate::debug::pretty_group_id(&self.group_id))
             .field("epoch", &self.epoch)
-            .field(
-                "tree_hash",
-                &mls_rs_core::debug::pretty_bytes(&self.tree_hash),
-            )
+            .field("tree_hash", &crate::debug::pretty_bytes(&self.tree_hash))
             .field("confirmed_transcript_hash", &self.confirmed_transcript_hash)
             .field("extensions", &self.extensions)
             .finish()
@@ -54,20 +78,21 @@ impl Debug for GroupContext {
 
 #[cfg_attr(all(feature = "ffi", not(test)), ::safer_ffi_gen::safer_ffi_gen)]
 impl GroupContext {
-    pub(crate) fn new_group(
+    /// Create a group context for a new MLS group.
+    pub fn new(
         protocol_version: ProtocolVersion,
         cipher_suite: CipherSuite,
         group_id: Vec<u8>,
         tree_hash: Vec<u8>,
         extensions: ExtensionList,
-    ) -> Self {
+    ) -> GroupContext {
         GroupContext {
             protocol_version,
             cipher_suite,
             group_id,
             epoch: 0,
             tree_hash,
-            confirmed_transcript_hash: ConfirmedTranscriptHash::from(vec![]),
+            confirmed_transcript_hash: vec![].into(),
             extensions,
         }
     }

diff --git a/mls-rs-core/src/identity/provider.rs b/mls-rs-core/src/identity/provider.rs
@@ -2,13 +2,37 @@
 // Copyright by contributors to this project.
 // SPDX-License-Identifier: (Apache-2.0 OR MIT)
 
-use crate::{error::IntoAnyError, extension::ExtensionList, time::MlsTime};
+use crate::{error::IntoAnyError, extension::ExtensionList, group::GroupContext, time::MlsTime};
 #[cfg(mls_build_async)]
 use alloc::boxed::Box;
 use alloc::vec::Vec;
 
 use super::{CredentialType, SigningIdentity};
 
+#[derive(Clone, Copy, PartialEq, Eq, Debug)]
+#[cfg_attr(feature = "serde", derive(serde::Serialize,))]
+#[non_exhaustive]
+pub enum MemberValidationContext<'a> {
+    ForCommit {
+        current_context: &'a GroupContext,
+        new_extensions: &'a ExtensionList,
+    },
+    ForNewGroup {
+        current_context: &'a GroupContext,
+    },
+    None,
+}
+
+impl<'a> MemberValidationContext<'a> {
+    pub fn new_extensions(&self) -> Option<&ExtensionList> {
+        match self {
+            Self::ForCommit { new_extensions, .. } => Some(*new_extensions),
+            Self::ForNewGroup { current_context } => Some(&current_context.extensions),
+            Self::None => None,
+        }
+    }
+}
+
 /// Identity system that can be used to validate a
 /// [`SigningIdentity`](mls-rs-core::identity::SigningIdentity)
 #[cfg_attr(not(mls_build_async), maybe_async::must_be_sync)]
@@ -26,7 +50,7 @@ pub trait IdentityProvider: Send + Sync {
         &self,
         signing_identity: &SigningIdentity,
         timestamp: Option<MlsTime>,
-        extensions: Option<&ExtensionList>,
+        context: MemberValidationContext<'_>,
     ) -> Result<(), Self::Error>;
 
     /// Determine if `signing_identity` is valid for an external sender in

diff --git a/mls-rs-crypto-awslc/Cargo.toml b/mls-rs-crypto-awslc/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mls-rs-crypto-awslc"
-version = "0.12.1"
+version = "0.13.0"
 edition = "2021"
 description = "AWS-LC based CryptoProvider for mls-rs"
 homepage = "https://github.com/awslabs/mls-rs"
@@ -17,18 +17,18 @@ default = ["non-fips"]
 aws-lc-rs = { version = "=1.10.0", default-features = false, features = ["alloc"] }
 aws-lc-sys = { version = "0.22.0", optional = true }
 aws-lc-fips-sys = { version = "0.12.0", optional = true }
-mls-rs-core = { path = "../mls-rs-core", version = "0.19.0" }
-mls-rs-crypto-hpke = { path = "../mls-rs-crypto-hpke", version = "0.10.0" }
-mls-rs-crypto-traits = { path = "../mls-rs-crypto-traits", version = "0.11.0" }
-mls-rs-identity-x509 = { path = "../mls-rs-identity-x509", version = "0.12.0" }
+mls-rs-core = { path = "../mls-rs-core", version = "0.20.0" }
+mls-rs-crypto-hpke = { path = "../mls-rs-crypto-hpke", version = "0.11.0" }
+mls-rs-crypto-traits = { path = "../mls-rs-crypto-traits", version = "0.12.0" }
+mls-rs-identity-x509 = { path = "../mls-rs-identity-x509", version = "0.13.0" }
 thiserror = "1.0.40"
 zeroize = { version = "1", features = ["zeroize_derive"] }
 maybe-async = "0.2.10"
 
 [dev-dependencies]
 assert_matches = "1.5.0"
-mls-rs-core = { path = "../mls-rs-core", version = "0.19.0", features = ["test_suite"] }
-mls-rs-crypto-hpke = { path = "../mls-rs-crypto-hpke", version = "0.10.0", features = ["test_utils"] }
+mls-rs-core = { path = "../mls-rs-core", version = "0.20.0", features = ["test_suite"] }
+mls-rs-crypto-hpke = { path = "../mls-rs-crypto-hpke", version = "0.11.0", features = ["test_utils"] }
 futures-test = "0.3.25"
 
 [target.'cfg(mls_build_async)'.dependencies]

diff --git a/mls-rs-crypto-cryptokit/Cargo.toml b/mls-rs-crypto-cryptokit/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mls-rs-crypto-cryptokit"
-version = "0.1.0"
+version = "0.2.0"
 edition = "2021"
 description = "CryptoKit based CryptoProvider for mls-rs"
 homepage = "https://github.com/awslabs/mls-rs"
@@ -20,12 +20,12 @@ serde_json = "1.0"
 [dev-dependencies]
 hex-literal = "0.4.1"
 assert_matches = "1.5.0"
-mls-rs-core = { path = "../mls-rs-core", version = "0.19.0", features = ["test_suite"] }
+mls-rs-core = { path = "../mls-rs-core", version = "0.20.0", features = ["test_suite"] }
 
 [dependencies]
 maybe-async = "0.2.10"
-mls-rs-core = { path = "../mls-rs-core", default-features = false, version = "0.19.0" }
-mls-rs-crypto-traits = { path = "../mls-rs-crypto-traits", default-features = false, version = "0.11.0" }
+mls-rs-core = { path = "../mls-rs-core", default-features = false, version = "0.20.0" }
+mls-rs-crypto-traits = { path = "../mls-rs-crypto-traits", default-features = false, version = "0.12.0" }
 thiserror = { version = "1.0.63", optional = true }
 zeroize = { version = "1", default-features = false, features = ["alloc", "zeroize_derive"] }
 

diff --git a/mls-rs-crypto-hpke/Cargo.toml b/mls-rs-crypto-hpke/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mls-rs-crypto-hpke"
-version = "0.10.0"
+version = "0.11.0"
 edition = "2021"
 description = "HPKE implementation based on mls-rs-crypto-traits used by mls-rs"
 homepage = "https://github.com/awslabs/mls-rs"
@@ -15,8 +15,8 @@ std = ["mls-rs-core/std", "mls-rs-crypto-traits/std", "dep:thiserror", "zeroize/
 test_utils = ["mls-rs-core/test_suite"]
 
 [dependencies]
-mls-rs-core = { path = "../mls-rs-core", default-features = false, version = "0.19.0" }
-mls-rs-crypto-traits = { path = "../mls-rs-crypto-traits", default-features = false, version = "0.11.0" }
+mls-rs-core = { path = "../mls-rs-core", default-features = false, version = "0.20.0" }
+mls-rs-crypto-traits = { path = "../mls-rs-crypto-traits", default-features = false, version = "0.12.0" }
 thiserror = { version = "1.0.40", optional = true }
 zeroize = { version = "1", default-features = false, features = ["alloc", "zeroize_derive"] }
 cfg-if = "^1"
@@ -28,7 +28,7 @@ serde_json = { version = "^1.0" }
 assert_matches = "1.5.0"
 mockall = "0.12"
 hex = { version = "^0.4.3", features = ["serde"] }
-mls-rs-crypto-traits = { path = "../mls-rs-crypto-traits", features = ["mock"], version = "0.11.0" }
+mls-rs-crypto-traits = { path = "../mls-rs-crypto-traits", features = ["mock"], version = "0.12.0" }
 
 [target.'cfg(target_arch = "wasm32")'.dev-dependencies]
 wasm-bindgen-test = { version = "0.3.26", default-features = false }

diff --git a/mls-rs-crypto-openssl/Cargo.toml b/mls-rs-crypto-openssl/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mls-rs-crypto-openssl"
-version = "0.10.0"
+version = "0.11.0"
 edition = "2021"
 description = "OpenSSL based CryptoProvider for mls-rs"
 homepage = "https://github.com/awslabs/mls-rs"
@@ -14,10 +14,10 @@ default = ["x509"]
 
 [dependencies]
 openssl = { version = "0.10.40" }
-mls-rs-core = { path = "../mls-rs-core", version = "0.19.0" }
-mls-rs-identity-x509 = { path = "../mls-rs-identity-x509", optional = true, version = "0.12.0" }
-mls-rs-crypto-hpke = { path = "../mls-rs-crypto-hpke", version = "0.10.0" }
-mls-rs-crypto-traits = { path = "../mls-rs-crypto-traits", version = "0.11.0" }
+mls-rs-core = { path = "../mls-rs-core", version = "0.20.0" }
+mls-rs-identity-x509 = { path = "../mls-rs-identity-x509", optional = true, version = "0.13.0" }
+mls-rs-crypto-hpke = { path = "../mls-rs-crypto-hpke", version = "0.11.0" }
+mls-rs-crypto-traits = { path = "../mls-rs-crypto-traits", version = "0.12.0" }
 thiserror = "1.0.40"
 zeroize = { version = "1", features = ["zeroize_derive"] }
 maybe-async = "0.2.10"
@@ -27,8 +27,8 @@ hex = { version = "^0.4.3", features = ["serde"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = { version = "^1.0" }
 assert_matches = "1.5.0"
-mls-rs-core = { path = "../mls-rs-core", version = "0.19.0", features = ["test_suite"] }
-mls-rs-crypto-hpke = { path = "../mls-rs-crypto-hpke", version = "0.10.0", features = ["test_utils"] }
+mls-rs-core = { path = "../mls-rs-core", version = "0.20.0", features = ["test_suite"] }
+mls-rs-crypto-hpke = { path = "../mls-rs-crypto-hpke", version = "0.11.0", features = ["test_utils"] }
 
 [target.'cfg(mls_build_async)'.dependencies]
 async-trait = "0.1.74"

diff --git a/mls-rs-crypto-rustcrypto/Cargo.toml b/mls-rs-crypto-rustcrypto/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mls-rs-crypto-rustcrypto"
-version = "0.11.1"
+version = "0.12.0"
 edition = "2021"
 description = "RustCrypto based CryptoProvider for mls-rs"
 homepage = "https://github.com/awslabs/mls-rs"
@@ -29,9 +29,9 @@ std = [
 ]
 
 [dependencies]
-mls-rs-core = { path = "../mls-rs-core", default-features = false, version = "0.19.0" }
-mls-rs-crypto-hpke = { path = "../mls-rs-crypto-hpke", default-features = false, version = "0.10.0" }
-mls-rs-crypto-traits = { path = "../mls-rs-crypto-traits", default-features = false, version = "0.11.0" }
+mls-rs-core = { path = "../mls-rs-core", default-features = false, version = "0.20.0" }
+mls-rs-crypto-hpke = { path = "../mls-rs-crypto-hpke", default-features = false, version = "0.11.0" }
+mls-rs-crypto-traits = { path = "../mls-rs-crypto-traits", default-features = false, version = "0.12.0" }
 
 thiserror = { version = "1.0.40", optional = true }
 zeroize = { version = "1", default-features = false, features = ["alloc", "zeroize_derive"] }
@@ -59,7 +59,7 @@ ed25519-dalek = { version = "2", default-features = false, features = ["alloc",
 sec1 = { version = "0.7", default-features = false, features = ["alloc"] }
 
 # X509 feature
-mls-rs-identity-x509 = { path = "../mls-rs-identity-x509", optional = true, version = "0.12.0" }
+mls-rs-identity-x509 = { path = "../mls-rs-identity-x509", optional = true, version = "0.13.0" }
 x509-cert = { version = "0.2", optional = true, features = ["std"] }
 spki = { version = "0.7", optional = true, features = ["std", "alloc"] }
 const-oid = { version = "0.9", optional = true, features = ["std"] }
@@ -70,8 +70,8 @@ hex = { version = "^0.4.3", features = ["serde"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = { version = "^1.0" }
 assert_matches = "1.5.0"
-mls-rs-core = { path = "../mls-rs-core", version = "0.19.0", features = ["test_suite"] }
-mls-rs-crypto-hpke = { path = "../mls-rs-crypto-hpke", default-features = false, version = "0.10.0", features = ["test_utils"] }
+mls-rs-core = { path = "../mls-rs-core", version = "0.20.0", features = ["test_suite"] }
+mls-rs-crypto-hpke = { path = "../mls-rs-crypto-hpke", default-features = false, version = "0.11.0", features = ["test_utils"] }
 
 [target.'cfg(mls_build_async)'.dependencies]
 async-trait = "0.1.74"

diff --git a/mls-rs-crypto-traits/Cargo.toml b/mls-rs-crypto-traits/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mls-rs-crypto-traits"
-version = "0.11.0"
+version = "0.12.0"
 edition = "2021"
 description = "Crypto traits required to create a CryptoProvider for mls-rs"
 homepage = "https://github.com/awslabs/mls-rs"
@@ -14,7 +14,7 @@ std = ["mls-rs-core/std"]
 default = ["std"]
 
 [dependencies]
-mls-rs-core = { path = "../mls-rs-core", version = "0.19.0", default-features = false }
+mls-rs-core = { path = "../mls-rs-core", version = "0.20.0", default-features = false }
 mockall = { version = "^0.11", optional = true }
 maybe-async = "0.2.10"
 

diff --git a/mls-rs-crypto-webcrypto/Cargo.toml b/mls-rs-crypto-webcrypto/Cargo.toml
@@ -9,9 +9,9 @@ keywords = ["mls", "mls-rs"]
 license = "Apache-2.0 OR MIT"
 
 [dependencies]
-mls-rs-core = { path = "../mls-rs-core", default-features = false, features = ["std"], version = "0.19.0" }
-mls-rs-crypto-hpke = { path = "../mls-rs-crypto-hpke", default-features = false, features = ["std"], version = "0.10.0" }
-mls-rs-crypto-traits = { path = "../mls-rs-crypto-traits", default-features = false, features = ["std"], version = "0.11.0" }
+mls-rs-core = { path = "../mls-rs-core", default-features = false, features = ["std"], version = "0.20.0" }
+mls-rs-crypto-hpke = { path = "../mls-rs-crypto-hpke", default-features = false, features = ["std"], version = "0.11.0" }
+mls-rs-crypto-traits = { path = "../mls-rs-crypto-traits", default-features = false, features = ["std"], version = "0.12.0" }
 thiserror = "1.0.40"
 zeroize = { version = "1", features = ["zeroize_derive"] }
 maybe-async = "0.2.10"
@@ -26,7 +26,7 @@ web-sys = { version = "0.3.64", features = ["Window", "CryptoKey", "CryptoKeyPai
 const-oid = { version = "0.9", features = ["db"] }
 
 [dev-dependencies]
-mls-rs-core = { path = "../mls-rs-core", version = "0.19.0", features = ["test_suite"] }
+mls-rs-core = { path = "../mls-rs-core", version = "0.20.0", features = ["test_suite"] }
 wasm-bindgen-test = { version = "0.3.26", default-features = false }
 futures-test = "0.3.25"
 serde_json = "^1.0"