Async enrollment client implementation #11889

touilleMan · 2025-12-09T15:55:20Z

No description provided.

AureliaDolo

There are a few places with todos left, will they b tackled in this PR or later ?

AureliaDolo · 2025-12-19T16:04:33Z

libparsec/crates/client/src/invite/async_enrollment/list.rs

+                    SubmitPayloadSignature::PKI { .. } => {
+                        // TODO: use `libparsec_platform_pki` to obtain info on
+                        // the X509 root certificate from the submitter X509 certificate
+                        todo!()


link issue ?

AureliaDolo · 2026-01-05T09:11:14Z

libparsec/crates/client/src/invite/async_enrollment/accept.rs

+    // PKI-related errors
+    #[error("Invalid X509 trustchain (server doesn't recognize the root certificate)")]
+    InvalidX509Trustchain,
+    // TODO: add other PKI-related errors


AureliaDolo · 2026-01-05T09:15:49Z

libparsec/crates/client/src/invite/async_enrollment/submit.rs

+    // PKI-related errors
+    #[error("Invalid X509 trustchain (server doesn't recognize the root certificate)")]
+    InvalidX509Trustchain,
+    // TODO: add other PKI-related errors


AureliaDolo · 2026-01-05T09:16:32Z

libparsec/crates/client/src/invite/async_enrollment/submitter_finalize.rs

+    // PKI-related errors
+    #[error("Invalid X509 trustchain (server doesn't recognize the root certificate)")]
+    InvalidX509Trustchain,
+    // TODO: add other PKI-related errors


AureliaDolo · 2026-01-05T09:22:16Z

libparsec/crates/client/src/invite/async_enrollment/submitter_forget.rs

+
+pub type SubmitterForgetAsyncEnrollmentError = libparsec_platform_device_loader::RemoveDeviceError;
+
+pub async fn submitter_forget_async_enrollment(


Maybe add a note in the RFC about the forget operation, even if it's only local.

(maybe it would be worth adding a forget server cmd to clean it up as soon as we may know that an enrollment is no longer usable, (maybe not caring about the success of the remote part of the operation)

Maybe add a note in the RFC about the forget operation, even if it's only local.

done 👍

maybe it would be worth adding a forget server cmd to clean it up as soon as we may know that an enrollment is no longer usable, (maybe not caring about the success of the remote part of the operation

I'd rather not do that since it increases complexity (more APIs, more corner cases given we have to deal with offline errors) and cover only a niche case.
Instead let just wait for end-user feedback before adding more feature to the async enrollment.

AureliaDolo · 2026-01-05T09:25:18Z

libparsec/src/device.rs

                        libparsec_client_connection::ProxyConfig::default(),
                    )?;

+                    // TODO: Add `openbao_transit_mount_path` to `DeviceAccessStrategy::OpenBao`


this is implemented in the next PR #11963

AureliaDolo · 2026-01-05T09:25:24Z

libparsec/src/device.rs

                    openbao_auth_token,
                } => {
                    let client = libparsec_client_connection::build_client()?;
+                    // TODO: Add `openbao_transit_mount_path` to `DeviceAccessStrategy::OpenBao`


this is implemented in the next PR #11963

AureliaDolo · 2026-01-05T13:34:09Z

libparsec/crates/platform_device_loader/src/native/mod.rs

Could you move the changes in platform_device_loader to another pr ? It would be easier for #11954 🙏

At least the kind that are changing existing functions.

It would be easier for #11954 🙏

I don't see the gain here: this PR is supposed to be merged ASAP, so its changes will end up on master before any PR from 11954 is ready (I see only #12022 that is currently in draft state)

#12022 😿

Note I've moved platform_device_loader's changes unrelated to openbao in there own commit

AureliaDolo · 2026-01-07T15:45:53Z

docs/rfcs/1023-async-enrollment.md

+> So instead Alice is only expected to remove the enrollment info from her machine's filesystem
+> (hence there is no longer an enrollment pending from her point of view), and an admin
+> should manually cancel the enrollment (but accepting it by mistake is not an issue either,
+> since Alice no longer knows about here user & device secret keys).


Suggested change

> since Alice no longer knows about here user & device secret keys).

> since Alice no longer knows about her user & device secret keys).

AureliaDolo · 2026-01-07T16:01:24Z

docs/rfcs/1023-async-enrollment.md

+> (as we consider this rather unusual).
+> So instead Alice is only expected to remove the enrollment info from her machine's filesystem
+> (hence there is no longer an enrollment pending from her point of view), and an admin
+> should manually cancel the enrollment (but accepting it by mistake is not an issue either,


Wouldn't that create a user for Alice and then if Alice eventually wants to join the organization there will be a phantom Alice to revoke first ?

Yes exactly, I've added a word about this 👍

touilleMan force-pushed the async-enrollment-server branch from cbcf4ae to 9b8670b Compare December 10, 2025 09:34

touilleMan force-pushed the async-enrollment-client branch from c54e031 to 83a885a Compare December 10, 2025 09:34

touilleMan force-pushed the async-enrollment-server branch from 9b8670b to f368186 Compare December 10, 2025 11:48

touilleMan force-pushed the async-enrollment-client branch from 83a885a to 860068f Compare December 10, 2025 11:48

touilleMan force-pushed the async-enrollment-server branch from f368186 to ef0b1d1 Compare December 10, 2025 12:19

touilleMan force-pushed the async-enrollment-client branch from 860068f to 3c706b7 Compare December 10, 2025 12:19

touilleMan force-pushed the async-enrollment-server branch from ef0b1d1 to 18b27cb Compare December 10, 2025 15:05

touilleMan force-pushed the async-enrollment-client branch 2 times, most recently from 1278012 to a58c868 Compare December 10, 2025 16:24

touilleMan force-pushed the async-enrollment-server branch from 18b27cb to e8b6106 Compare December 10, 2025 21:43

touilleMan force-pushed the async-enrollment-client branch from a58c868 to 4549912 Compare December 10, 2025 21:43

touilleMan force-pushed the async-enrollment-server branch from e8b6106 to e7e3f87 Compare December 12, 2025 16:25

touilleMan force-pushed the async-enrollment-client branch from 4549912 to cdaa7c1 Compare December 12, 2025 16:26

touilleMan force-pushed the async-enrollment-server branch from e7e3f87 to cef2c16 Compare December 14, 2025 20:19

touilleMan force-pushed the async-enrollment-client branch from cdaa7c1 to 1140e87 Compare December 14, 2025 20:19

touilleMan force-pushed the async-enrollment-server branch from cef2c16 to 094cb42 Compare December 16, 2025 08:18

touilleMan force-pushed the async-enrollment-client branch from 1140e87 to 746fbe7 Compare December 16, 2025 08:18

touilleMan force-pushed the async-enrollment-server branch from 094cb42 to 3ace11f Compare December 16, 2025 11:35

touilleMan force-pushed the async-enrollment-client branch from 746fbe7 to 1fb8f2e Compare December 16, 2025 11:35

touilleMan force-pushed the async-enrollment-server branch from 3ace11f to 6ff3a33 Compare December 16, 2025 13:53

touilleMan force-pushed the async-enrollment-client branch from 1fb8f2e to bb9ca8f Compare December 16, 2025 13:53

Base automatically changed from async-enrollment-server to async-enrollment-schemas December 16, 2025 14:30

Base automatically changed from async-enrollment-schemas to rfc-local-device-smartcard December 16, 2025 14:31

touilleMan force-pushed the rfc-local-device-smartcard branch 4 times, most recently from 01f12ca to 5a53419 Compare December 16, 2025 17:08

Base automatically changed from rfc-local-device-smartcard to master December 17, 2025 07:32

touilleMan force-pushed the async-enrollment-client branch from bb9ca8f to ad4207a Compare December 18, 2025 20:57

touilleMan marked this pull request as ready for review December 18, 2025 21:00

touilleMan requested review from a team as code owners December 18, 2025 21:00

touilleMan force-pushed the async-enrollment-client branch 3 times, most recently from bdd6080 to 0b8b208 Compare December 18, 2025 21:35

AureliaDolo reviewed Jan 5, 2026

View reviewed changes

touilleMan force-pushed the async-enrollment-client branch from 0b8b208 to d6a46dd Compare January 5, 2026 09:58

AureliaDolo reviewed Jan 5, 2026

View reviewed changes

touilleMan linked an issue Jan 7, 2026 that may be closed by this pull request

Async enrollment: client-side implementation #12025

Open

touilleMan force-pushed the async-enrollment-client branch 2 times, most recently from c4f670b to 4dfcd83 Compare January 7, 2026 15:26

touilleMan requested a review from AureliaDolo January 7, 2026 15:27

touilleMan force-pushed the async-enrollment-client branch 2 times, most recently from 03113be to eb4ee54 Compare January 7, 2026 15:29

AureliaDolo reviewed Jan 7, 2026

View reviewed changes

touilleMan added 7 commits January 8, 2026 09:47

Document enrollment cancellation in RFC 1023

403469c

Minor fixes in libparsec_platform_device_loader

18787bb

Add async enrollement pending support in platform_device_loader

f8cad54

Add sign support to libparsec_openbao

d4e6f7e

libparsec_client implementation for async enrollment

6b7fea1

Implement async enrollment support in libparsec bindings

4dba37b

Re-generate electron&web bindings

98fe18a

touilleMan force-pushed the async-enrollment-client branch from eb4ee54 to 98fe18a Compare January 8, 2026 08:50

touilleMan requested a review from AureliaDolo January 8, 2026 08:50

touilleMan mentioned this pull request Jan 8, 2026

Move web wrapper to the new platform_filesystem crate without error_set. #12022

Merged

AureliaDolo approved these changes Jan 8, 2026

View reviewed changes


		pub type SubmitterForgetAsyncEnrollmentError = libparsec_platform_device_loader::RemoveDeviceError;

		pub async fn submitter_forget_async_enrollment(

	> since Alice no longer knows about here user & device secret keys).
	> since Alice no longer knows about her user & device secret keys).

Async enrollment client implementation #11889

Are you sure you want to change the base?

Async enrollment client implementation #11889

Uh oh!

Conversation

touilleMan commented Dec 9, 2025

Uh oh!

AureliaDolo left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants