Make sharing of subject keys easier

Paul Hewlett · eccles · commit ab3fe2edb49b · 2022-09-23T15:42:56.000+01:00
Problem:
Sharing of self subject keys is not bidirectional.

Solution:
Add subjects.share() method which efficiently shares self
subjects between 2 archivist instances

Signed-off-by: Paul Hewlett &lt;phewlett76@gmail.com&gt;
diff --git a/archivist/subjects.py b/archivist/subjects.py
@@ -25,14 +25,15 @@
 from base64 import b64decode
 from json import loads as json_loads
 from logging import getLogger
-from typing import Any, Optional
+from typing import Any, Optional, Tuple
 
 # pylint:disable=cyclic-import      # but pylint doesn't understand this feature
 from . import archivist
 
 from .constants import (
-    SUBJECTS_SUBPATH,
     SUBJECTS_LABEL,
+    SUBJECTS_SELF_ID,
+    SUBJECTS_SUBPATH,
 )
 from . import subjects_confirmer
 from .dictmerge import _deepmerge
@@ -91,20 +92,46 @@ def create(
             ),
         )
 
-    def import_subject(self, name: str, subject: Subject) -> Subject:
+    def share(
+        self, name: str, other_name: str, other_archivist: archivist.Archivist
+    ) -> Tuple[Subject, Subject]:
+        """Import the self subjects from the foreign archivist connection
+           from another organization - mutually share.
+
+        Args:
+            name (str): display_name of the foreign self subject in this archivist
+            other_name (str): display_name of the self subject in other archivist
+            other_archivist (Archivist): Archivist object
+
+        Returns:
+            2-tuple of :class:`Subject` instance
+
+        """
+        subject1 = self.import_subject(
+            name, other_archivist.subjects.read(SUBJECTS_SELF_ID)
+        )
+        subject2 = other_archivist.subjects.import_subject(
+            other_name, self.read(SUBJECTS_SELF_ID)
+        )
+        subject1 = self.wait_for_confirmation(subject1["identity"])
+        subject2 = other_archivist.subjects.wait_for_confirmation(subject2["identity"])
+
+        return subject1, subject2
+
+    def import_subject(self, display_name: str, subject: Subject) -> Subject:
         """Create subject from another subject usually
            from another organization.
 
         Args:
-            name (str): of the subject
+            display_name (str): display_name of the subject
             subject (Subject): Subject object
 
         Returns:
             :class:`Subject` instance
 
         """
         return self.create(
-            name,
+            display_name,
             subject["wallet_pub_key"],
             subject["tessera_pub_key"],
         )
@@ -289,6 +316,8 @@ def list(
             iterable that returns :class:`Subject` instances
 
         """
+
+        LOGGER.debug("List '%s'", display_name)
         return (
             Subject(**a)
             for a in self._archivist.list(
diff --git a/functests/execaccess_policies.py b/functests/execaccess_policies.py
@@ -11,7 +11,6 @@
 
 from archivist.archivist import Archivist
 from archivist.constants import ASSET_BEHAVIOURS
-from archivist.constants import SUBJECTS_SELF_ID
 from archivist.proof_mechanism import ProofMechanism
 from archivist.utils import get_auth
 
@@ -296,24 +295,15 @@ def setUp(self):
         self.arch_2 = Archivist(getenv("TEST_ARCHIVIST"), auth_2, verify=False)
 
         # creates reciprocal subjects for arch 1 and arch 2.
-        my_subject_1 = self.arch.subjects.read(SUBJECTS_SELF_ID)
-        my_subject_2 = self.arch_2.subjects.read(SUBJECTS_SELF_ID)
-
         # subject 1 contains details of subject 2 to be shared
-        self.subject_1 = self.arch.subjects.import_subject(
+        self.subject_1, self.subject_2 = self.arch.subjects.share(
             "org2_subject",
-            my_subject_2,
-        )
-
-        # subject 2 contains details of subject 1 to be shared
-        self.subject_2 = self.arch_2.subjects.import_subject(
             "org1_subject",
-            my_subject_1,
+            self.arch_2,
         )
-
-        # check the subjects are confirmed
-        self.arch.subjects.wait_for_confirmation(self.subject_1["identity"])
-        self.arch_2.subjects.wait_for_confirmation(self.subject_2["identity"])
+        print()
+        print("Org1: subject_1", json_dumps(self.subject_1, indent=4))
+        print("Org2: subject_2", json_dumps(self.subject_2, indent=4))
 
     def _create_asset(self, label, arch, uuid):
         asset_data = deepcopy(REQUEST_EXISTS_ATTACHMENTS)
diff --git a/notebooks/Share_Asset.ipynb b/notebooks/Share_Asset.ipynb
@@ -111,17 +111,13 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "def import_subject(acme, weyland):\n",
-    "    \"\"\"Add subjects record for weyland in acme's environment\"\"\"\n",
-    "    subject = acme.subjects.import_subject(\n",
-    "        \"weyland\",\n",
-    "        weyland.subjects.read(SUBJECTS_SELF_ID),\n",
-    "    )\n",
-    "\n",
-    "    # must wait for confirmation\n",
-    "    acme.subjects.wait_for_confirmation(subject[\"identity\"])\n",
-    "\n",
-    "    return subject\n"
+    "def share_subjects(name1, arch1, name2, arch2):\n",
+    "    \"\"\"Share subjects between 2 organizations\"\"\"\n",
+    "    return arch1.subjects.share(\n",
+    "        name1,\n",
+    "        name2,\n",
+    "        arch2,\n",
+    "    )"
    ]
   },
   {
@@ -227,8 +223,9 @@
    "source": [
     "# set a subject for weyland in acme's environment. The identity will be used as a\n",
     "# filter in the access permissions of the access_policy.\n",
-    "weyland_subject_on_acme = import_subject(acme, weyland)\n",
-    "print(\"weyland_subject\", json_dumps(weyland_subject_on_acme, indent=4))"
+    "weyland_subject_on_acme, acme_subject_on_weyland = share_subjects(\"weyland on acme\", acme, \"acme_on_weyland\", weyland)\n",
+    "print(\"weyland_subject on acme\", json_dumps(weyland_subject_on_acme, indent=4))\n",
+    "print(\"acme_subject on acme\", json_dumps(acme_subject_on_weyland, indent=4))"
    ]
   },
   {
@@ -306,14 +303,6 @@
     "weyland_asset = weyland.assets.read(acme_asset[\"identity\"])\n",
     "print(\"asset read from weyland\", json_dumps(weyland_asset, indent=4))"
    ]
-  },
-  {
-   "cell_type": "code",
-   "execution_count": null,
-   "id": "2486fd97",
-   "metadata": {},
-   "outputs": [],
-   "source": []
   }
  ],
  "metadata": {
diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -7,7 +7,7 @@ coverage[toml]~=6.4
 pip-audit~=2.4
 pycodestyle~=2.9
 pylint~=2.14
-pyright~=1.1.265
+pyright~=1.1.271
 
 # uploading to pypi
 build~=0.8
diff --git a/unittests/testsubjects.py b/unittests/testsubjects.py
@@ -2,6 +2,7 @@
 Test subjects
 """
 
+from os import environ
 from unittest import TestCase, mock
 
 from archivist.archivist import Archivist
@@ -13,15 +14,19 @@
     SUBJECTS_LABEL,
 )
 from archivist.errors import ArchivistBadRequestError, ArchivistUnconfirmedError
+from archivist.logger import set_logger
 
 from .mock_response import MockResponse
 
+if "TEST_DEBUG" in environ and environ["TEST_DEBUG"]:
+    set_logger(environ["TEST_DEBUG"])
 
 # pylint: disable=missing-docstring
 # pylint: disable=protected-access
 # pylint: disable=unused-variable
 
 DISPLAY_NAME = "Subject display name"
+DISPLAY_NAME2 = "Subject display name2"
 WALLET_PUB_KEY = [
     (
         "04c1173bf7844bf1c607b79c18db091b9558ffe581bf132b8cf3b37657230fa321a088"
@@ -47,6 +52,7 @@
 )
 
 IDENTITY = f"{SUBJECTS_LABEL}/xxxxxxxx"
+IDENTITY2 = f"{SUBJECTS_LABEL}/yyyyyyyy"
 SUBPATH = f"{SUBJECTS_SUBPATH}/{SUBJECTS_LABEL}"
 
 RESPONSE = {
@@ -56,6 +62,14 @@
     "wallet_address": WALLET_ADDRESSES,
     "tessera_pub_key": TESSERA_PUB_KEY,
 }
+# response when getting from second archivist when sharing
+RESPONSE2 = {
+    "identity": IDENTITY2,
+    "display_name": DISPLAY_NAME2,
+    "wallet_pub_key": WALLET_PUB_KEY,
+    "wallet_address": WALLET_ADDRESSES,
+    "tessera_pub_key": TESSERA_PUB_KEY,
+}
 RESPONSE_WITH_PENDING = {
     **RESPONSE,
     "confirmation_status": "PENDING",
@@ -64,11 +78,20 @@
     **RESPONSE,
     "confirmation_status": "CONFIRMED",
 }
+RESPONSE2_WITH_CONFIRMATION = {
+    **RESPONSE2,
+    "confirmation_status": "CONFIRMED",
+}
 REQUEST = {
     "display_name": DISPLAY_NAME,
     "wallet_pub_key": WALLET_PUB_KEY,
     "tessera_pub_key": TESSERA_PUB_KEY,
 }
+REQUEST2 = {
+    "display_name": DISPLAY_NAME2,
+    "wallet_pub_key": WALLET_PUB_KEY,
+    "tessera_pub_key": TESSERA_PUB_KEY,
+}
 UPDATE = {"display_name": DISPLAY_NAME}
 
 
@@ -81,6 +104,7 @@ class TestSubjects(TestCase):
 
     def setUp(self):
         self.arch = Archivist("url", "authauthauth", max_time=1)
+        self.arch2 = Archivist("url", "authauthauth", max_time=1)
 
     def test_subjects_str(self):
         """
@@ -125,6 +149,72 @@ def test_subjects_create(self):
                 msg="CREATE method called incorrectly",
             )
 
+    def test_subjects_share(self):
+        """
+        Test subject share
+        """
+        with mock.patch.object(
+            self.arch.session, "post"
+        ) as mock_post1, mock.patch.object(
+            self.arch.session, "get"
+        ) as mock_get1, mock.patch.object(
+            self.arch2.session, "post"
+        ) as mock_post2, mock.patch.object(
+            self.arch2.session, "get"
+        ) as mock_get2:
+            mock_post1.return_value = MockResponse(200, **RESPONSE_WITH_CONFIRMATION)
+            mock_get1.return_value = MockResponse(200, **RESPONSE_WITH_CONFIRMATION)
+            mock_post2.return_value = MockResponse(200, **RESPONSE2_WITH_CONFIRMATION)
+            mock_get2.return_value = MockResponse(200, **RESPONSE2_WITH_CONFIRMATION)
+
+            subject1, subject2 = self.arch.subjects.share(
+                DISPLAY_NAME, DISPLAY_NAME2, self.arch2
+            )
+            args, kwargs = mock_post1.call_args
+            self.assertEqual(
+                args,
+                (f"url/{ROOT}/{SUBPATH}",),
+                msg="CREATE method args called incorrectly",
+            )
+            self.assertEqual(
+                kwargs,
+                {
+                    "json": REQUEST,
+                    "headers": {
+                        "authorization": "Bearer authauthauth",
+                    },
+                    "verify": True,
+                },
+                msg="CREATE method kwargs called incorrectly",
+            )
+            self.assertEqual(
+                subject1,
+                RESPONSE_WITH_CONFIRMATION,
+                msg="CREATE method called incorrectly",
+            )
+            args, kwargs = mock_post2.call_args
+            self.assertEqual(
+                args,
+                (f"url/{ROOT}/{SUBPATH}",),
+                msg="CREATE method args called incorrectly",
+            )
+            self.assertEqual(
+                kwargs,
+                {
+                    "json": REQUEST2,
+                    "headers": {
+                        "authorization": "Bearer authauthauth",
+                    },
+                    "verify": True,
+                },
+                msg="CREATE method kwargs called incorrectly",
+            )
+            self.assertEqual(
+                subject2,
+                RESPONSE2_WITH_CONFIRMATION,
+                msg="CREATE method called incorrectly",
+            )
+
     def test_subjects_import_subject(self):
         """
         Test subject import_subject
