refactor: identity persistence (#3101)

cmd/cliclient/migrate.go

@@ -32,7 +32,7 @@ func NewMigrateHandler() *MigrateHandler {
 	return &MigrateHandler{}
 }
 
-func (h *MigrateHandler) MigrateSQL(cmd *cobra.Command, args []string) error {
+func (h *MigrateHandler) MigrateSQL(cmd *cobra.Command, args []string, opts ...driver.RegistryOption) error {
 	var d driver.Registry
 	var err error
 
@@ -78,7 +78,7 @@ func (h *MigrateHandler) MigrateSQL(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	err = d.Init(cmd.Context(), &contextx.Default{}, driver.SkipNetworkInit)
+	err = d.Init(cmd.Context(), &contextx.Default{}, append(opts, driver.SkipNetworkInit)...)
 	if err != nil {
 		return errors.Wrap(err, "an error occurred initializing migrations")
 	}

cmd/courier/watch.go

@@ -4,7 +4,7 @@
 package courier
 
 import (
-	cx "context"
+	"context"
 	"net/http"
 
 	"github.com/spf13/cobra"
@@ -22,7 +22,7 @@ import (
 )
 
 func NewWatchCmd(slOpts []servicelocatorx.Option, dOpts []driver.RegistryOption) *cobra.Command {
-	var c = &cobra.Command{
+	c := &cobra.Command{
 		Use:   "watch",
 		Short: "Starts the Ory Kratos message courier",
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -38,7 +38,7 @@ func NewWatchCmd(slOpts []servicelocatorx.Option, dOpts []driver.RegistryOption)
 	return c
 }
 
-func StartCourier(ctx cx.Context, r driver.Registry) error {
+func StartCourier(ctx context.Context, r driver.Registry) error {
 	eg, ctx := errgroup.WithContext(ctx)
 
 	if r.Config().CourierExposeMetricsPort(ctx) != 0 {
@@ -54,7 +54,7 @@ func StartCourier(ctx cx.Context, r driver.Registry) error {
 	return eg.Wait()
 }
 
-func ServeMetrics(ctx cx.Context, r driver.Registry) error {
+func ServeMetrics(ctx context.Context, r driver.Registry) error {
 	c := r.Config()
 	l := r.Logger()
 	n := negroni.New()
@@ -73,39 +73,23 @@ func ServeMetrics(ctx cx.Context, r driver.Registry) error {
 		handler = otelx.NewHandler(handler, "cmd.courier.ServeMetrics", otelhttp.WithTracerProvider(tp))
 	}
 
-	// #nosec G112 - the correct settings are set by graceful.WithDefaults
+	//#nosec G112 -- the correct settings are set by graceful.WithDefaults
 	server := graceful.WithDefaults(&http.Server{
 		Addr:    c.MetricsListenOn(ctx),
 		Handler: handler,
 	})
 
 	l.Printf("Starting the metrics httpd on: %s", server.Addr)
-	if err := graceful.Graceful(func() error {
-		errChan := make(chan error, 1)
-		go func(errChan chan error) {
-			if err := server.ListenAndServe(); err != nil {
-				errChan <- err
-			}
-		}(errChan)
-		select {
-		case err := <-errChan:
-			l.Errorf("Failed to start the metrics httpd: %s\n", err)
-			return err
-		case <-ctx.Done():
-			l.Printf("Shutting down the metrics httpd: context closed: %s\n", ctx.Err())
-			return server.Shutdown(ctx)
-		}
-	}, server.Shutdown); err != nil {
+	if err := graceful.GracefulContext(ctx, server.ListenAndServe, server.Shutdown); err != nil {
 		l.Errorln("Failed to gracefully shutdown metrics httpd")
 		return err
-	} else {
-		l.Println("Metrics httpd was shutdown gracefully")
 	}
+	l.Println("Metrics httpd was shutdown gracefully")
 	return nil
 }
 
-func Watch(ctx cx.Context, r driver.Registry) error {
-	ctx, cancel := cx.WithCancel(ctx)
+func Watch(ctx context.Context, r driver.Registry) error {
+	ctx, cancel := context.WithCancel(ctx)
 
 	r.Logger().Println("Courier worker started.")
 	if err := graceful.Graceful(func() error {
@@ -115,7 +99,7 @@ func Watch(ctx cx.Context, r driver.Registry) error {
 		}
 
 		return c.Work(ctx)
-	}, func(_ cx.Context) error {
+	}, func(_ context.Context) error {
 		cancel()
 		return nil
 	}); err != nil {

cmd/daemon/serve.go

@@ -120,15 +120,15 @@ func ServePublic(r driver.Registry, cmd *cobra.Command, args []string, slOpts *s
 		handler = otelx.TraceHandler(handler, otelhttp.WithTracerProvider(tracer.Provider()))
 	}
 
-	// #nosec G112 - the correct settings are set by graceful.WithDefaults
+	//#nosec G112 -- the correct settings are set by graceful.WithDefaults
 	server := graceful.WithDefaults(&http.Server{
 		Handler:   handler,
 		TLSConfig: &tls.Config{GetCertificate: certs, MinVersion: tls.VersionTLS12},
 	})
 	addr := c.PublicListenOn(ctx)
 
 	l.Printf("Starting the public httpd on: %s", addr)
-	if err := graceful.Graceful(func() error {
+	if err := graceful.GracefulContext(ctx, func() error {
 		listener, err := networkx.MakeListener(addr, c.PublicSocketPermission(ctx))
 		if err != nil {
 			return err
@@ -191,7 +191,7 @@ func ServeAdmin(r driver.Registry, cmd *cobra.Command, args []string, slOpts *se
 		)
 	}
 
-	// #nosec G112 - the correct settings are set by graceful.WithDefaults
+	//#nosec G112 -- the correct settings are set by graceful.WithDefaults
 	server := graceful.WithDefaults(&http.Server{
 		Handler:   handler,
 		TLSConfig: &tls.Config{GetCertificate: certs, MinVersion: tls.VersionTLS12},
@@ -200,7 +200,7 @@ func ServeAdmin(r driver.Registry, cmd *cobra.Command, args []string, slOpts *se
 	addr := c.AdminListenOn(ctx)
 
 	l.Printf("Starting the admin httpd on: %s", addr)
-	if err := graceful.Graceful(func() error {
+	if err := graceful.GracefulContext(ctx, func() error {
 		listener, err := networkx.MakeListener(addr, c.AdminSocketPermission(ctx))
 		if err != nil {
 			return err

cmd/hashers/argon2/loadtest.go

@@ -188,7 +188,7 @@ func runLoadTest(cmd *cobra.Command, conf *argon2Config, reqPerMin int) (*result
 		eg.Go(func(i int) func() error {
 			return func() error {
 				// wait randomly before starting, max. sample time
-				// #nosec G404 - just a timeout to collect statistical data
+				//#nosec G404 -- just a timeout to collect statistical data
 				t := time.Duration(rand.Intn(int(sampleTime)))
 				timer := time.NewTimer(t)
 				defer timer.Stop()

cmd/jsonnet/format.go

@@ -47,7 +47,7 @@ Use -w or --write to write output back to files instead of stdout.
 					cmdx.Must(err, `JSONNet file "%s" could not be formatted: %s`, file, err)
 
 					if shouldWrite {
-						err := os.WriteFile(file, []byte(output), 0644) // #nosec
+						err := os.WriteFile(file, []byte(output), 0644) //#nosec
 						cmdx.Must(err, `Could not write to file "%s" because: %s`, file, err)
 					} else {
 						fmt.Println(output)

cmd/migrate/sql.go

@@ -7,11 +7,12 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/ory/kratos/cmd/cliclient"
+	"github.com/ory/kratos/driver"
 	"github.com/ory/x/configx"
 )
 
 // migrateSqlCmd represents the sql command
-func NewMigrateSQLCmd() *cobra.Command {
+func NewMigrateSQLCmd(opts ...driver.RegistryOption) *cobra.Command {
 	c := &cobra.Command{
 		Use:   "sql <database-url>",
 		Short: "Create SQL schemas and apply migration plans",
@@ -29,7 +30,7 @@ You can read in the database URL using the -e flag, for example:
 Before running this command on an existing database, create a back up!
 `,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return cliclient.NewMigrateHandler().MigrateSQL(cmd, args)
+			return cliclient.NewMigrateHandler().MigrateSQL(cmd, args, opts...)
 		},
 	}
 

courier/smtp.go

@@ -82,13 +82,13 @@ func newSMTP(ctx context.Context, deps Dependencies) (*smtpClient, error) {
 		// Enforcing StartTLS by default for security best practices (config review, etc.)
 		skipStartTLS, _ := strconv.ParseBool(uri.Query().Get("disable_starttls"))
 		if !skipStartTLS {
-			// #nosec G402 This is ok (and required!) because it is configurable and disabled by default.
+			//#nosec G402 -- This is ok (and required!) because it is configurable and disabled by default.
 			dialer.TLSConfig = &tls.Config{InsecureSkipVerify: sslSkipVerify, Certificates: tlsCertificates, ServerName: serverName}
 			// Enforcing StartTLS
 			dialer.StartTLSPolicy = gomail.MandatoryStartTLS
 		}
 	case "smtps":
-		// #nosec G402 This is ok (and required!) because it is configurable and disabled by default.
+		//#nosec G402 -- This is ok (and required!) because it is configurable and disabled by default.
 		dialer.TLSConfig = &tls.Config{InsecureSkipVerify: sslSkipVerify, Certificates: tlsCertificates, ServerName: serverName}
 		dialer.SSL = true
 	}

driver/registry_default.go

@@ -517,8 +517,7 @@ func (m *RegistryDefault) ContinuityCookieManager(ctx context.Context) sessions.
 
 func (m *RegistryDefault) Tracer(ctx context.Context) *otelx.Tracer {
 	if m.trc == nil {
-		m.Logger().WithError(errors.WithStack(errors.New(""))).Warn("No tracer setup in RegistryDefault")
-		return otelx.NewNoop(m.l, m.Config().Tracing(ctx)) // should never happen
+		return otelx.NewNoop(m.l, m.Config().Tracing(ctx))
 	}
 	return m.trc
 }

go.mod

@@ -61,6 +61,7 @@ require (
 	github.com/jteeuwen/go-bindata v3.0.7+incompatible
 	github.com/julienschmidt/httprouter v1.3.0
 	github.com/knadh/koanf v1.4.4
+	github.com/laher/mergefs v0.1.2-0.20230223191438-d16611b2f4e7
 	github.com/luna-duclos/instrumentedsql v1.1.3
 	github.com/mattn/goveralls v0.0.7
 	github.com/mikefarah/yq/v4 v4.19.1
@@ -70,7 +71,7 @@ require (
 	github.com/ory/client-go v0.2.0-alpha.60
 	github.com/ory/dockertest/v3 v3.9.1
 	github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe
-	github.com/ory/graceful v0.1.3
+	github.com/ory/graceful v0.1.4-0.20230301144740-e222150c51d0
 	github.com/ory/herodot v0.9.13
 	github.com/ory/hydra-client-go/v2 v2.0.3
 	github.com/ory/jsonschema/v3 v3.0.7
@@ -87,7 +88,7 @@ require (
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
 	github.com/sqs/goreturns v0.0.0-20181028201513-538ac6014518
-	github.com/stretchr/testify v1.8.1
+	github.com/stretchr/testify v1.8.2
 	github.com/tidwall/gjson v1.14.3
 	github.com/tidwall/sjson v1.2.5
 	github.com/urfave/negroni v1.0.0

go.sum

@@ -913,6 +913,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/go-gypsy v1.0.0/go.mod h1:chkXM0zjdpXOiqkCW1XcCHDfjfk14PH2KKkQWxfJUcU=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/laher/mergefs v0.1.2-0.20230223191438-d16611b2f4e7 h1:PDeBswTUsSIT4QSrzLvlqKlGrANYa7TrXUwdBN9myU8=
+github.com/laher/mergefs v0.1.2-0.20230223191438-d16611b2f4e7/go.mod h1:FSY1hYy94on4Tz60waRMGdO1awwS23BacqJlqf9lJ9Q=
 github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y=
 github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
 github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag=
@@ -945,6 +947,8 @@ github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJ
 github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE=
 github.com/markbates/pkger v0.17.1 h1:/MKEtWqtc0mZvu9OinB9UzVN9iYCwLWuyUv4Bw+PCno=
 github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
+github.com/matryer/is v1.4.0 h1:sosSmIWwkYITGrxZ25ULNDeKiMNzFSr4V/eqBQP0PeE=
+github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -1093,8 +1097,8 @@ github.com/ory/dockertest/v3 v3.9.1/go.mod h1:42Ir9hmvaAPm0Mgibk6mBPi7SFvTXxEcnz
 github.com/ory/go-acc v0.2.6/go.mod h1:4Kb/UnPcT8qRAk3IAxta+hvVapdxTLWtrr7bFLlEgpw=
 github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe h1:rvu4obdvqR0fkSIJ8IfgzKOWwZ5kOT2UNfLq81Qk7rc=
 github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe/go.mod h1:z4n3u6as84LbV4YmgjHhnwtccQqzf4cZlSk9f1FhygI=
-github.com/ory/graceful v0.1.3 h1:FaeXcHZh168WzS+bqruqWEw/HgXWLdNv2nJ+fbhxbhc=
-github.com/ory/graceful v0.1.3/go.mod h1:4zFz687IAF7oNHHiB586U4iL+/4aV09o/PYLE34t2bA=
+github.com/ory/graceful v0.1.4-0.20230301144740-e222150c51d0 h1:VMUeLRfQD14fOMvhpYZIIT4vtAqxYh+f3KnSqCeJ13o=
+github.com/ory/graceful v0.1.4-0.20230301144740-e222150c51d0/go.mod h1:hg2iCy+LCWOXahBZ+NQa4dk8J2govyQD79rrqrgMyY8=
 github.com/ory/herodot v0.9.13 h1:cN/Z4eOkErl/9W7hDIDLb79IO/bfsH+8yscBjRpB4IU=
 github.com/ory/herodot v0.9.13/go.mod h1:IWDs9kSvFQqw/cQ8zi5ksyYvITiUU4dI7glUrhZcJYo=
 github.com/ory/hydra-client-go/v2 v2.0.3 h1:jIx968J9RBnjRuaQ21QMLCwZoa28FPvzYWAQ+88XVLw=
@@ -1342,8 +1346,9 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
 github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=

hash/hash_comparator.go

@@ -7,8 +7,8 @@ import (
 	"context"
 	"crypto/aes"
 	"crypto/cipher"
-	"crypto/md5"  // #nosec G501
-	"crypto/sha1" // #nosec G505 - compatibility for imported passwords
+	"crypto/md5"  //#nosec G501 -- compatibility for imported passwords
+	"crypto/sha1" //#nosec G505 -- compatibility for imported passwords
 	"crypto/sha256"
 	"crypto/sha512"
 	"crypto/subtle"
@@ -220,7 +220,7 @@ func CompareMD5(_ context.Context, password []byte, hash []byte) error {
 		r := strings.NewReplacer("{SALT}", string(salt), "{PASSWORD}", string(password))
 		arg = []byte(r.Replace(string(pf)))
 	}
-	// #nosec G401
+	//#nosec G401 -- compatibility for imported passwords
 	otherHash := md5.Sum(arg)
 
 	// Check that the contents of the hashed passwords are identical. Note
@@ -412,7 +412,7 @@ func compareSHAHelper(hasher string, raw []byte, hash []byte) error {
 
 	switch hasher {
 	case "sha1":
-		sum := sha1.Sum(raw) // #nosec G401 - compatibility for imported passwords
+		sum := sha1.Sum(raw) //#nosec G401 -- compatibility for imported passwords
 		sha = sum[:]
 	case "sha256":
 		sum := sha256.Sum256(raw)

hash/hasher_pbkdf2.go

@@ -7,7 +7,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/rand"
-	"crypto/sha1" // #nosec G505 - compatibility for imported passwords
+	"crypto/sha1" //#nosec G505 -- compatibility for imported passwords
 	"crypto/sha256"
 	"crypto/sha512"
 	"encoding/base64"

identity/identity.go

@@ -137,7 +137,7 @@ func (i *Identity) AfterEagerFind(tx *pop.Connection) error {
 		return err
 	}
 
-	if err := i.validate(); err != nil {
+	if err := i.Validate(); err != nil {
 		return err
 	}
 
@@ -378,7 +378,7 @@ func (i WithCredentialsMetadataAndAdminMetadataInJSON) MarshalJSON() ([]byte, er
 	return json.Marshal(localIdentity(i))
 }
 
-func (i *Identity) validate() error {
+func (i *Identity) Validate() error {
 	expected := i.NID
 	if expected == uuid.Nil {
 		return errors.WithStack(herodot.ErrInternalServerError.WithReason("Received empty nid."))

identity/identity_test.go

@@ -267,7 +267,7 @@ func TestValidateNID(t *testing.T) {
 		},
 	} {
 		t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
-			err := tc.i.validate()
+			err := tc.i.Validate()
 			if tc.expectedErr {
 				require.Error(t, err)
 			} else {

identity/pool.go

@@ -77,5 +77,8 @@ type (
 
 		// HydrateIdentityAssociations hydrates the associations of an identity.
 		HydrateIdentityAssociations(ctx context.Context, i *Identity, expandables Expandables) error
+
+		// InjectTraitsSchemaURL sets the identity's traits JSON schema URL from the schema's ID.
+		InjectTraitsSchemaURL(ctx context.Context, i *Identity) error
 	}
 )

identity/test/pool.go

@@ -41,9 +41,7 @@ import (
 	"github.com/ory/kratos/x"
 )
 
-func TestPool(ctx context.Context, conf *config.Config, p interface {
-	persistence.Persister
-}, m *identity.Manager) func(t *testing.T) {
+func TestPool(ctx context.Context, conf *config.Config, p persistence.Persister, m *identity.Manager) func(t *testing.T) {
 	return func(t *testing.T) {
 		exampleServerURL := urlx.ParseOrPanic("http://example.com")
 		conf.MustSet(ctx, config.ViperKeyPublicBaseURL, exampleServerURL.String())
@@ -134,7 +132,6 @@ func TestPool(ctx context.Context, conf *config.Config, p interface {
 					assert.Empty(t, actual.RecoveryAddresses)
 					assert.Empty(t, actual.VerifiableAddresses)
 
-					require.Len(t, actual.InternalCredentials, 2)
 					require.Len(t, actual.Credentials, 2)
 
 					assertx.EqualAsJSONExcept(t, expected.Credentials[identity.CredentialsTypePassword], actual.Credentials[identity.CredentialsTypePassword], []string{"updated_at", "created_at"})
@@ -181,7 +178,6 @@ func TestPool(ctx context.Context, conf *config.Config, p interface {
 			t.Run("expand=everything", func(t *testing.T) {
 				runner(t, identity.ExpandEverything, func(t *testing.T, actual *identity.Identity) {
 
-					require.Len(t, actual.InternalCredentials, 2)
 					require.Len(t, actual.Credentials, 2)
 
 					assertx.EqualAsJSONExcept(t, expected.Credentials[identity.CredentialsTypePassword], actual.Credentials[identity.CredentialsTypePassword], []string{"updated_at", "created_at"})
@@ -199,7 +195,6 @@ func TestPool(ctx context.Context, conf *config.Config, p interface {
 				runner(t, identity.ExpandNothing, func(t *testing.T, actual *identity.Identity) {
 					require.NoError(t, p.HydrateIdentityAssociations(ctx, actual, identity.ExpandEverything))
 
-					require.Len(t, actual.InternalCredentials, 2)
 					require.Len(t, actual.Credentials, 2)
 
 					assertx.EqualAsJSONExcept(t, expected.Credentials[identity.CredentialsTypePassword], actual.Credentials[identity.CredentialsTypePassword], []string{"updated_at", "created_at"})

internal/registrationhelpers/helpers.go

@@ -275,7 +275,7 @@ func AssertRegistrationRespectsValidation(t *testing.T, reg *driver.RegistryDefa
 	})
 }
 
-func AssertCommonErrorCases(t *testing.T, reg *driver.RegistryDefault, flows []string) {
+func AssertCommonErrorCases(t *testing.T, flows []string) {
 	ctx := context.Background()
 	conf, reg := internal.NewFastRegistryWithMocks(t)
 	testhelpers.SetDefaultIdentitySchemaFromRaw(conf, basicSchema)