alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
916ed91b79cd11edcbd9cf26fc021ec49eeb2e0e
alknet/tasks/core/config-identity-provider-into-handler.md

2.5 KiB
Raw Blame History

id, name, status, depends_on, scope, risk, impact, level
id name status depends_on scope risk impact level
core/config-identity-provider-into-handler Wire IdentityProvider and ForwardingPolicy into ServerHandler completed
core/forwarding-policy
narrow low component implementation

Description

Wire the IdentityProvider and ForwardingPolicy into ServerHandler and the server accept loop. This is the integration task that connects the config split, identity trait, and forwarding policy to the actual runtime behavior.

Key changes:

  • Server::run() (or serve()) constructs ConfigIdentityProvider from ArcSwap<DynamicConfig> and passes it to ServerHandler
  • ServerHandler holds Arc<dyn IdentityProvider> instead of Arc<ServerAuthConfig>
  • auth_publickey() calls identity_provider.resolve_from_fingerprint() and stores the resulting Identity on the session
  • channel_open_direct_tcpip() evaluates ForwardingPolicy::check() using the session's Identity
  • ConfigReloadHandle is threaded through from Server::run() so callers can reload DynamicConfig
  • The ServerHandler::new() API takes IdentityProvider + DynamicConfig instead of ServerAuthConfig

This is a wiring/integration task — the pieces exist from tasks 1.1-1.3, this connects them.

Acceptance Criteria

  • ServerHandler holds Arc<dyn IdentityProvider> and Arc<ArcSwap<DynamicConfig>> instead of Arc<ServerAuthConfig>
  • auth_publickey() delegates to IdentityProvider::resolve_from_fingerprint() and stores Identity on the session
  • channel_open_direct_tcpip() evaluates ForwardingPolicy::check() before proxying; logs rejection with principal and target
  • ServeOptions produces (StaticConfig, DynamicConfig) at startup
  • ConfigReloadHandle returned from Server::run() for external reload
  • ConfigIdentityProvider constructed at startup from initial DynamicConfig
  • All existing integration tests pass
  • New integration test: reload DynamicConfig → new auth keys take effect on next connection
  • New integration test: ForwardingPolicy deny rule blocks channel open

References

  • docs/architecture/identity.md — IdentityProvider wiring into ServerHandler
  • docs/architecture/configuration.md — ConfigReloadHandle, ConfigIdentityProvider
  • crates/alknet-core/src/server/handler.rs — current handler to be refactored
  • crates/alknet-core/src/server/serve.rs — ServeOptions and Server::run()

Notes

To be filled by implementation agent

Summary

To be filled on completion

Reference in New Issue View Git Blame Copy Permalink