feat: EntityID polymorphism

Cargo.toml

@@ -100,7 +100,6 @@ tracing-subscriber = { version = "0.3", default-features = false, features = [
     "fmt",
     "ansi",
 ] }
-unsigned-varint = "0.8"
 uuid = "1"
 webpki-roots = "0.26"
 x509-parser = "0.16"
@@ -137,8 +136,8 @@ rust-version = "1.83"
 publish = false
 
 [workspace.dependencies]
-authly-common = { git = "https://github.com/protojour/authly-lib.git" }
-authly-client = { git = "https://github.com/protojour/authly-lib.git" }
+authly-common = { git = "https://github.com/protojour/authly-lib.git", branch = "entity-id-polymorphism" }
+authly-client = { git = "https://github.com/protojour/authly-lib.git", branch = "entity-id-polymorphism" }
 hiqlite = { git = "https://github.com/sebadob/hiqlite.git", default-features = false, features = [
     "auto-heal",
     "listen_notify_local",

benches/authly_benches.rs

@@ -4,7 +4,7 @@ use authly::{
     session::{Session, SessionToken},
     test_support::TestCtx,
 };
-use authly_common::id::{AttrId, Eid};
+use authly_common::id::{AttrId, PersonaId};
 use criterion::{criterion_group, criterion_main, Criterion};
 use fnv::FnvHashSet;
 use time::{Duration, OffsetDateTime};
@@ -13,7 +13,7 @@ pub fn authly_benchmark(c: &mut Criterion) {
     let ctx = TestCtx::new().lite_instance();
     let session = Session {
         token: SessionToken::new_random(),
-        eid: Eid::random(),
+        eid: PersonaId::random().upcast(),
         expires_at: OffsetDateTime::now_utc() + Duration::days(42),
     };
     let user_attributes = FnvHashSet::from_iter([AttrId::random(), AttrId::random()]);

crates/authly-testservice/src/main.rs

@@ -1,7 +1,7 @@
 use std::env;
 use std::sync::Arc;
 
-use authly_common::id::Eid;
+use authly_common::id::ServiceId;
 use authly_common::mtls_server::PeerServiceEntity;
 use axum::http::StatusCode;
 use axum::response::IntoResponse;
@@ -303,7 +303,7 @@ fn render_nav_tab_list(selected: usize, ctx: &HtmlCtx) -> Markup {
 
 struct HtmlCtx {
     client: Option<authly_client::Client>,
-    peer_service_entity: Option<Eid>,
+    peer_service_entity: Option<ServiceId>,
     access_token: Option<Arc<authly_client::AccessToken>>,
     prefix: String,
 }

examples/demo/0_rudiments.toml

@@ -9,7 +9,7 @@ SERVER_CERT_ROTATION_RATE = "3m"
 # The gateway is responsible for opening up the public aspects of Authly
 # to the world outside the cluster:
 [[service-entity]]
-eid = "e.3c2f40b3f47a4d9b9129b1e7c15fbc04"
+eid = "s.3c2f40b3f47a4d9b9129b1e7c15fbc04"
 label = "arx"
 attributes = ["authly:role:authenticate", "authly:role:get_access_token"]
 kubernetes-account = { name = "arx", namespace = "authly-test" }

examples/demo/1_testusers.toml

@@ -2,7 +2,7 @@
 id = "d783648f-e6ac-4492-87f7-43d5e5805d60"
 
 [[entity]]
-eid = "e.0fbcd73e1a884424a1615c3c3fdeebec"
+eid = "p.0fbcd73e1a884424a1615c3c3fdeebec"
 label = "me"
 email = ["[email protected]"]
 username = "testuser"
@@ -11,11 +11,11 @@ password-hash = [
 ]
 
 [[entity]]
-eid = "e.81dc1da0fa644142bad35043a9c3b025"
+eid = "g.81dc1da0fa644142bad35043a9c3b025"
 label = "us"
 
 [[entity]]
-eid = "e.96bf83f88cbf455fa356553f7fca1b9e"
+eid = "p.96bf83f88cbf455fa356553f7fca1b9e"
 label = "you"
 
 [[members]]

examples/demo/2_testservice.toml

@@ -2,7 +2,7 @@
 id = "bc9ce588-50c3-47d1-94c1-f88b21eaf299"
 
 [[service-entity]]
-eid = "e.f3e799137c034e1eb4cd3e4f65705932"
+eid = "s.f3e799137c034e1eb4cd3e4f65705932"
 label = "testservice"
 attributes = ["authly:role:authenticate", "authly:role:get_access_token"]
 kubernetes-account = { name = "testservice", namespace = "authly-test" }
@@ -13,11 +13,11 @@ label = "role"
 attributes = ["ui/user", "ui/admin"]
 
 [[entity-attribute-assignment]]
-entity = "e.0fbcd73e1a884424a1615c3c3fdeebec"
+entity = "p.0fbcd73e1a884424a1615c3c3fdeebec"
 attributes = ["testservice:role:ui/user"]
 
 [[entity-attribute-assignment]]
-entity = "e.96bf83f88cbf455fa356553f7fca1b9e"
+entity = "p.96bf83f88cbf455fa356553f7fca1b9e"
 attributes = ["testservice:role:ui/admin"]
 
 [[resource-property]]

examples/ultradb/0_ultradb.toml

@@ -5,19 +5,19 @@ id = "18d70399-0e89-46b8-81ce-a6a16e5db7cc"
 # The gateway is responsible for opening up the public aspects of Authly
 # to the world outside the cluster:
 [[service-entity]]
-eid = "e.3c2f40b3f47a4d9b9129b1e7c15fbc04"
+eid = "s.3c2f40b3f47a4d9b9129b1e7c15fbc04"
 label = "arx"
 attributes = ["authly:role:authenticate", "authly:role:get_access_token"]
 kubernetes-account = { name = "arx", namespace = "memoriam-test" }
 
 [[service-entity]]
-eid = "e.ec29ba1d23cb43f89b7c73db6f177a1d"
+eid = "s.ec29ba1d23cb43f89b7c73db6f177a1d"
 label = "ultradb"
 attributes = []
 kubernetes-account = { name = "domaindb", namespace = "dbtest" }
 
 [[service-entity]]
-eid = "e.a1c6134658dd4120823fdc42bb2f42ad"
+eid = "s.a1c6134658dd4120823fdc42bb2f42ad"
 label = "ultradb_gui"
 
 [[entity-property]]

examples/ultradb/1_pants_domain.toml

@@ -6,7 +6,7 @@ label = "pants"
 
 # expose the pants domain to the "ultradb" service
 [[service-domain]]
-service = "e.ec29ba1d23cb43f89b7c73db6f177a1d"
+service = "s.ec29ba1d23cb43f89b7c73db6f177a1d"
 domain = "pants"
 
 [[resource-property]]

lib/authly-db/src/param.rs

@@ -1,4 +1,6 @@
-use authly_common::id::{kind::IdKind, AnyId, Id128, Id128DynamicArrayConv};
+use authly_common::id::{
+    kind::IdKind, subset::IdKindSubset, DynamicId, Id128, Id128DynamicArrayConv,
+};
 
 pub trait AsParam: Sized {
     fn as_param(&self) -> hiqlite::Param;
@@ -10,7 +12,7 @@ impl<K: IdKind> AsParam for Id128<K> {
     }
 }
 
-impl AsParam for AnyId {
+impl<KS: IdKindSubset> AsParam for DynamicId<KS> {
     fn as_param(&self) -> hiqlite::Param {
         hiqlite::Param::Blob(self.to_array_dynamic().to_vec())
     }

src/access_control.rs

@@ -1,4 +1,4 @@
-use authly_common::id::{AttrId, Eid};
+use authly_common::id::{AttrId, ServiceId};
 use authly_db::DbError;
 use fnv::FnvHashSet;
 
@@ -10,7 +10,7 @@ pub enum SvcAccessControlError {
 }
 
 pub struct AuthorizedPeerService {
-    pub eid: Eid,
+    pub eid: ServiceId,
 
     #[expect(unused)]
     pub attributes: FnvHashSet<AttrId>,
@@ -64,10 +64,10 @@ impl<T: AuthlyRole> VerifyAuthlyRole for T {
 /// This currently does not use policies, it only checks whether the service is assigned the required attribute.
 pub async fn authorize_peer_service(
     deps: &impl GetDb,
-    svc_eid: Eid,
+    svc_eid: ServiceId,
     required_authly_roles: &[BuiltinAttr],
 ) -> Result<AuthorizedPeerService, SvcAccessControlError> {
-    let attributes = entity_db::list_entity_attrs(deps.get_db(), svc_eid)
+    let attributes = entity_db::list_entity_attrs(deps.get_db(), svc_eid.upcast())
         .await
         .map_err(SvcAccessControlError::Db)?;
 

src/audit.rs

@@ -1,5 +1,5 @@
-use authly_common::id::Eid;
+use authly_common::id::EntityId;
 
 /// The response Actor behind some action
 #[derive(Clone, Copy)]
-pub struct Actor(pub Eid);
+pub struct Actor(pub EntityId);

src/authority_mandate/submission.rs

@@ -1,6 +1,6 @@
 use anyhow::anyhow;
 use authly_common::{
-    id::{Eid, Id128DynamicArrayConv},
+    id::{Id128DynamicArrayConv, ServiceId},
     proto::mandate_submission::{self as proto},
 };
 use rcgen::CertificateParams;
@@ -40,11 +40,11 @@ pub struct Authly {
     pub code: UrlSafeBase64,
 
     /// The entity ID handed by the authority to the mandate
-    pub mandate_entity_id: Eid,
+    pub mandate_entity_id: ServiceId,
 }
 
 pub struct CertifiedMandate {
-    pub mandate_eid: Eid,
+    pub mandate_eid: ServiceId,
     pub mandate_identity: AuthlyCert,
     pub mandate_local_ca: AuthlyCert,
 }
@@ -98,6 +98,6 @@ impl TryFrom<(proto::AuthlyCertificate, AuthlyCertKind)> for AuthlyCert {
     }
 }
 
-fn read_id(bytes: &[u8]) -> anyhow::Result<Eid> {
-    Eid::try_from_bytes_dynamic(bytes).ok_or_else(|| anyhow!("invalid ID"))
+fn read_id(bytes: &[u8]) -> anyhow::Result<ServiceId> {
+    ServiceId::try_from_bytes_dynamic(bytes).ok_or_else(|| anyhow!("invalid ID"))
 }

src/authority_mandate/submission/authority.rs

@@ -1,6 +1,6 @@
 //! Submission, authority side
 
-use authly_common::id::Eid;
+use authly_common::id::ServiceId;
 use rand::{rngs::OsRng, Rng};
 use rcgen::{CertificateSigningRequestParams, DnValue, PublicKeyData};
 use tracing::warn;
@@ -52,7 +52,7 @@ pub async fn authority_generate_submission_token(
     let expiration = now + SUBMISSION_CODE_EXPIRATION;
 
     // Assign new Entity ID to mandate
-    let mandate_entity_id = Eid::random();
+    let mandate_entity_id = ServiceId::random();
 
     let claims = SubmissionClaims {
         iat: now.unix_timestamp(),

src/authority_mandate/submission/mandate.rs

@@ -3,7 +3,7 @@
 use std::{borrow::Cow, sync::Arc};
 
 use authly_common::{
-    id::Eid,
+    id::ServiceId,
     proto::mandate_submission::{
         self as proto, authly_mandate_submission_client::AuthlyMandateSubmissionClient,
     },
@@ -133,7 +133,7 @@ pub fn mandate_decode_submission_token(
 
 pub fn mandate_identity_signing_request(
     deps: &dyn GetInstance,
-    mandate_eid: Eid,
+    mandate_eid: ServiceId,
 ) -> anyhow::Result<CertificateSigningRequest> {
     let common_name = mandate_eid.to_string();
     let params = {

src/bus/service_events.rs

@@ -5,7 +5,7 @@ use std::{
     time::Duration,
 };
 
-use authly_common::id::Eid;
+use authly_common::id::ServiceId;
 use fnv::FnvHashMap;
 use tokio_util::sync::CancellationToken;
 use tracing::{error, info};
@@ -20,7 +20,7 @@ pub struct ServiceMessageConnection {
     pub addr: SocketAddr,
 }
 
-type SenderMap = FnvHashMap<Eid, Vec<ServiceMessageConnection>>;
+type SenderMap = FnvHashMap<ServiceId, Vec<ServiceMessageConnection>>;
 
 #[derive(Clone)]
 pub struct ServiceEventDispatcher {
@@ -36,7 +36,7 @@ impl ServiceEventDispatcher {
         }
     }
 
-    pub fn subscribe(&self, svc_eid: Eid, connection: ServiceMessageConnection) {
+    pub fn subscribe(&self, svc_eid: ServiceId, connection: ServiceMessageConnection) {
         self.clone()
             .spawn_watcher(svc_eid, connection.sender.clone());
 
@@ -54,7 +54,7 @@ impl ServiceEventDispatcher {
     }
 
     /// Broadcast to a single service (all connections)
-    pub fn broadcast(&self, svc_eid: Eid, msg: ServiceMessage) {
+    pub fn broadcast(&self, svc_eid: ServiceId, msg: ServiceMessage) {
         let mut slow_connections: Vec<ServiceMessageConnection> = vec![];
 
         {
@@ -101,7 +101,7 @@ impl ServiceEventDispatcher {
     }
 
     /// Collect connection statistics for each connected service
-    pub fn statistics(&self) -> BTreeMap<Eid, usize> {
+    pub fn statistics(&self) -> BTreeMap<ServiceId, usize> {
         let map = self.map.read().unwrap();
         let mut stats = BTreeMap::default();
 
@@ -113,7 +113,7 @@ impl ServiceEventDispatcher {
     }
 
     /// Spawn a watcher that calls `gc` when the sender's channel has been closed
-    fn spawn_watcher(self, svc_eid: Eid, sender: MsgSender) {
+    fn spawn_watcher(self, svc_eid: ServiceId, sender: MsgSender) {
         let sender = sender.clone();
 
         tokio::spawn(async move {
@@ -127,7 +127,7 @@ impl ServiceEventDispatcher {
     }
 
     // Remove senders associated with closed channels
-    fn gc(&self, svc_eid: Eid) {
+    fn gc(&self, svc_eid: ServiceId) {
         let mut map = self.map.write().unwrap();
         let Some(connections) = map.get_mut(&svc_eid) else {
             return;
@@ -147,7 +147,7 @@ impl ServiceEventDispatcher {
         }
     }
 
-    fn forget(&self, svc_eid: Eid, sender: &MsgSender) {
+    fn forget(&self, svc_eid: ServiceId, sender: &MsgSender) {
         let mut map = self.map.write().unwrap();
         let Some(connections) = map.get_mut(&svc_eid) else {
             return;