// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// Copyright by contributors to this project.
// SPDX-License-Identifier: (Apache-2.0 OR MIT)

use crate::{error::IntoAnyError, extension::ExtensionList, time::MlsTime};
// `Box` is only brought into scope for the async build; presumably the
// `maybe_async` expansion of the `async fn` trait methods below needs it,
// while the sync build has no use for it.
#[cfg(mls_build_async)]
use alloc::boxed::Box;
use alloc::vec::Vec;

use super::{CredentialType, SigningIdentity};

/// Identity system that can be used to validate a
/// [`SigningIdentity`](mls-rs-core::identity::SigningIdentity)
///
/// An implementation answers three kinds of questions on behalf of the
/// application: whether a signing identity is acceptable in a given role
/// ([`Self::validate_member`], [`Self::validate_external_sender`]), which
/// application-level identifier it maps to ([`Self::identity`]), and whether
/// one identity may replace another during an external commit
/// ([`Self::valid_successor`]).
///
/// The two `maybe_async` attributes select, at build time, whether the
/// `async fn` declarations stay asynchronous (`mls_build_async` set,
/// `must_be_async`) or are rewritten to synchronous functions
/// (`must_be_sync`). The `Send + Sync` supertraits are required in both
/// builds.
#[cfg_attr(not(mls_build_async), maybe_async::must_be_sync)]
#[cfg_attr(mls_build_async, maybe_async::must_be_async)]
pub trait IdentityProvider: Send + Sync {
    /// Error type that this provider returns on internal failure.
    ///
    /// Because the validation methods return `Result<(), Self::Error>`, this
    /// type is also the only channel for reporting that a
    /// `SigningIdentity` was rejected.
    type Error: IntoAnyError;

    /// Determine if `signing_identity` is valid for a group member.
    ///
    /// A `timestamp` value can optionally be supplied to aid with validation
    /// of a [`Credential`](mls-rs-core::identity::Credential) that requires
    /// time based context. For example, X.509 certificates can become expired.
    ///
    /// # Errors
    ///
    /// `Ok(())` is the only "accepted" outcome; both a rejected identity and
    /// an internal failure are reported as `Err(Self::Error)`.
    ///
    /// NOTE(review): when `timestamp` is `None`, a provider that relies on
    /// time-based checks (such as certificate expiry) has to choose between
    /// rejecting the identity and skipping that check — confirm which each
    /// implementation does. `extensions` is presumably the group context
    /// extension list and is `None` when the caller has no group context;
    /// verify against the call sites.
    async fn validate_member(
        &self,
        signing_identity: &SigningIdentity,
        timestamp: Option<MlsTime>,
        extensions: Option<&ExtensionList>,
    ) -> Result<(), Self::Error>;

    /// Determine if `signing_identity` is valid for an external sender in
    /// the ExternalSendersExtension stored in the group context.
    ///
    /// A `timestamp` value can optionally be supplied to aid with validation
    /// of a [`Credential`](mls-rs-core::identity::Credential) that requires
    /// time based context. For example, X.509 certificates can become expired.
    ///
    /// # Errors
    ///
    /// As with [`Self::validate_member`], rejection and internal failure are
    /// both reported as `Err(Self::Error)`.
    ///
    /// NOTE(review): an external sender is validated in a different role than
    /// a member, so the policy here need not match `validate_member`; the
    /// same considerations for a `None` `timestamp` apply.
    async fn validate_external_sender(
        &self,
        signing_identity: &SigningIdentity,
        timestamp: Option<MlsTime>,
        extensions: Option<&ExtensionList>,
    ) -> Result<(), Self::Error>;

    /// A unique identifier for `signing_identity`.
    ///
    /// The MLS protocol requires that each member of a group has a unique
    /// set of identifiers according to the application.
    ///
    /// Returns the application-defined identifier as raw bytes.
    ///
    /// NOTE(review): the bytes are presumably compared verbatim to enforce
    /// uniqueness, so two identities this provider accepts should never map
    /// to the same output — worth confirming for a provider that derives the
    /// identifier from a user-supplied credential field rather than from
    /// something bound to the signature key.
    ///
    /// # Errors
    ///
    /// `Err(Self::Error)` on internal failure.
    async fn identity(
        &self,
        signing_identity: &SigningIdentity,
        extensions: &ExtensionList,
    ) -> Result<Vec<u8>, Self::Error>;

    /// Determines if `successor` can remove `predecessor` as part of an external commit.
    ///
    /// The MLS protocol allows for removal of an existing member when adding a
    /// new member via external commit. This function determines if a removal
    /// should be allowed by providing the target member to be removed as
    /// `predecessor` and the new member as `successor`.
    ///
    /// Returns `Ok(true)` to permit the removal and `Ok(false)` to deny it;
    /// `Err(Self::Error)` signals an internal failure rather than a policy
    /// decision.
    ///
    /// NOTE(review): a provider that unconditionally returns `true` lets any
    /// accepted external joiner evict any existing member. A stricter policy
    /// would, for instance, require both identities to resolve to the same
    /// [`Self::identity`] — confirm what the implementation in use does.
    async fn valid_successor(
        &self,
        predecessor: &SigningIdentity,
        successor: &SigningIdentity,
        extensions: &ExtensionList,
    ) -> Result<bool, Self::Error>;

    /// Credential types that are supported by this provider.
    ///
    /// Declared as a plain `fn` rather than `async fn`; assuming the
    /// `maybe_async` attributes leave non-`async` declarations alone, it is
    /// synchronous in both builds — confirm against the attribute's
    /// behaviour. Presumably the returned list is what the library advertises
    /// to other members as supported credential types; verify against the
    /// caller.
    fn supported_types(&self) -> Vec<CredentialType>;
}