alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f19e7675ac85ce7bec5606ac7098e5a144a82aac
alknet/tasks/core/config-identity-provider-into-handler.md
glm-5.1 a7f0dcdeb9 tasks: decompose Phase 1 core modifications into 12 atomic implementation tasks 
Phase 1 of the integration plan modifies alknet-core to support the
architectural changes from Phase 0 ADRs and specs. Decomposed into
dependency-ordered tasks across config split, identity, forwarding
policy, OperationEnv, interface abstraction, and NAPI reload API.

Critical path: config-split → identity → forwarding → wire-into-handler
→ interface-trait → ssh-interface-extraction → review.

Two highest-risk tasks (interface-trait-definition, ssh-interface-extraction)
are split from §1.8 per the integration plan's note that it may need
sub-phases. OperationEnv is split into types and runtime per Phase 1
local-dispatch-only constraint.
2026-06-07 13:29:58 +00:00

52 lines
2.5 KiB
Markdown
Raw Blame History

---
id: core/config-identity-provider-into-handler
name: Wire IdentityProvider and ForwardingPolicy into ServerHandler
status: pending
depends_on:
- core/forwarding-policy
scope: narrow
risk: low
impact: component
level: implementation
---
## Description
Wire the `IdentityProvider` and `ForwardingPolicy` into `ServerHandler` and the server accept loop. This is the integration task that connects the config split, identity trait, and forwarding policy to the actual runtime behavior.
**Key changes**:
- `Server::run()` (or `serve()`) constructs `ConfigIdentityProvider` from `ArcSwap<DynamicConfig>` and passes it to `ServerHandler`
- `ServerHandler` holds `Arc<dyn IdentityProvider>` instead of `Arc<ServerAuthConfig>`
- `auth_publickey()` calls `identity_provider.resolve_from_fingerprint()` and stores the resulting `Identity` on the session
- `channel_open_direct_tcpip()` evaluates `ForwardingPolicy::check()` using the session's `Identity`
- `ConfigReloadHandle` is threaded through from `Server::run()` so callers can reload `DynamicConfig`
- The `ServerHandler::new()` API takes `IdentityProvider` + `DynamicConfig` instead of `ServerAuthConfig`
**This is a wiring/integration task** — the pieces exist from tasks 1.1-1.3, this connects them.
## Acceptance Criteria
- [ ] `ServerHandler` holds `Arc<dyn IdentityProvider>` and `Arc<ArcSwap<DynamicConfig>>` instead of `Arc<ServerAuthConfig>`
- [ ] `auth_publickey()` delegates to `IdentityProvider::resolve_from_fingerprint()` and stores `Identity` on the session
- [ ] `channel_open_direct_tcpip()` evaluates `ForwardingPolicy::check()` before proxying; logs rejection with principal and target
- [ ] `ServeOptions` produces `(StaticConfig, DynamicConfig)` at startup
- [ ] `ConfigReloadHandle` returned from `Server::run()` for external reload
- [ ] `ConfigIdentityProvider` constructed at startup from initial `DynamicConfig`
- [ ] All existing integration tests pass
- [ ] New integration test: reload DynamicConfig → new auth keys take effect on next connection
- [ ] New integration test: ForwardingPolicy deny rule blocks channel open
## References
- docs/architecture/identity.md — IdentityProvider wiring into ServerHandler
- docs/architecture/configuration.md — ConfigReloadHandle, ConfigIdentityProvider
- crates/alknet-core/src/server/handler.rs — current handler to be refactored
- crates/alknet-core/src/server/serve.rs — ServeOptions and Server::run()
## Notes
> To be filled by implementation agent
## Summary
> To be filled on completion
Reference in New Issue View Git Blame Copy Permalink