From 1dc4e684d4cb6ba46cc24ddd2f9afe0969633583 Mon Sep 17 00:00:00 2001
From: Xynnn007
Date: Fri, 29 Mar 2024 12:47:40 +0800
Subject: [PATCH] image-rs: get rid of checking `decrypt_config` parameter
The high level API of image-rs is `pull_image()`. There is one parameter named `decrypt_config` passed to the api, and the parameter is to specify the orignal kbc parameter, e.g. provider:attestation-agent:offline_fs_kbc:null
However, different parts of the parameter is now specified
- `attestation-agent`: the key to look up keyprovider is embedded inside the encrypted image layer annotation.
- `offline_fs_kbc:null`: so-called AA_KBC_PARAMS, is defined in CDH if Kata-CC is used, so in this case, we do not to ensure the parameter is given as it will not be used.
This is why we get rid of this parameter checking in this commit.
In enclave-cc scenarios, the `decrypt_config` is still used, and we will check the parameter in concrete `ocicrypt-rs`'s `native` key provider plugin.
Signed-off-by: Xynnn007
---
 image-rs/src/decrypt.rs | 14 +++++++-----
 image-rs/src/pull.rs | 36 +++++++++++++-----------------
 image-rs/tests/common/mod.rs | 3 ++-
 image-rs/tests/image_decryption.rs | 4 ++--
 4 files changed, 27 insertions(+), 30 deletions(-)
diff --git a/image-rs/src/decrypt.rs b/image-rs/src/decrypt.rs
index d64f40f37..33d14d90d 100644
--- a/image-rs/src/decrypt.rs
+++ b/image-rs/src/decrypt.rs
@@ -93,16 +93,18 @@ mod encryption {
 pub fn get_decrypt_key(
 &self,
 descriptor: &OciDescriptor,
- decrypt_config: &str,
+ decrypt_config: &Option<&str>,
 ) -> Result> {
 if !self.is_encrypted() {
 bail!("unencrypted media type: {}", self.media_type);
 }
 
- if decrypt_config.is_empty() {
- bail!("decrypt_config is empty");
- }
- let cc = create_decrypt_config(vec![decrypt_config.to_string()], vec![])?;
+ let keys = match decrypt_config {
+ Some(decrypt_config) => vec![decrypt_config.to_string()],
+ None => Vec::new(),
+ };
+
+ let cc = create_decrypt_config(keys, vec![])?;
 if let Some(decrypt_config) = cc.decrypt_config {
 decrypt_layer_key_opts_data(&decrypt_config, descriptor.annotations.as_ref())
 } else {
@@ -359,7 +361,7 @@ impl Decryptor {
 pub fn get_decrypt_key(
 &self,
 _descriptor: &OciDescriptor,
- _decrypt_config: &str,
+ _decrypt_config: Option<&str>,
 ) -> Result> {
 bail!(
 "no support of encryption, can't handle '{}'",
diff --git a/image-rs/src/pull.rs b/image-rs/src/pull.rs
index efc8b818e..ad3bc26b3 100644
--- a/image-rs/src/pull.rs
+++ b/image-rs/src/pull.rs
@@ -18,8 +18,6 @@ use crate::image::LayerMeta;
 use crate::meta_store::MetaStore;
 use crate::stream::stream_processing;
 
-const ERR_NO_DECRYPT_CFG: &str = "decrypt_config is None";
-
 /// The PullClient connects to remote OCI registry, pulls the container image,
 /// and save the image layers under data_dir and return the layer meta info.
 pub struct PullClient<'a> {
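Review bot: The two `get_decrypt_key` signatures in decrypt.rs no longer agree: the encryption-enabled version in this hunk takes `decrypt_config: &Option<&str>` while the stub in the next hunk takes `Option<&str>`, and the single call site in pull.rs (`.get_decrypt_key(&layer, decrypt_config)`) can satisfy only one of them, so whichever feature configuration CI does not build will presumably fail to compile. Since `Option<&str>` is `Copy`, taking it by value in both places is the cheaper and idiomatic form (clippy's `ref_option` lint flags `&Option<T>` parameters); a caller that holds a `&Option<&str>` just passes `*decrypt_config`. That also collapses the `match` to `let keys: Vec<String> = decrypt_config.into_iter().map(str::to_string).collect();`. Because the removed `is_empty()` check was the last explicit guard, a comment above `let keys` should record why `None` is now accepted, e.g. `// None is valid: in the CDH/keyprovider flow the provider name comes from the layer annotation and the KBC params from CDH, so an empty key list is forwarded and a missing key is reported by ocicrypt-rs.` The function's `else` branch continues outside the hunk.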
@@ -145,25 +143,21 @@ impl<'a> PullClient<'a> {
 
 let decryptor = Decryptor::from_media_type(&layer.media_type);
 if decryptor.is_encrypted() {
- if let Some(dc) = decrypt_config {
- let decrypt_key = decryptor
- .get_decrypt_key(&layer, dc)
- .map_err(|e| anyhow!("failed to get decrypt key {}", e.to_string()))?;
- let plaintext_layer = decryptor
- .async_get_plaintext_layer(layer_reader, &layer, &decrypt_key)
- .map_err(|e| anyhow!("failed to async_get_plaintext_layer: {:?}", e))?;
- layer_meta.uncompressed_digest = self
- .async_decompress_unpack_layer(
- plaintext_layer,
- &diff_id,
- &decryptor.media_type,
- &destination,
- )
- .await?;
- layer_meta.encrypted = true;
- } else {
- bail!(ERR_NO_DECRYPT_CFG);
- }
+ let decrypt_key = decryptor
+ .get_decrypt_key(&layer, decrypt_config)
+ .map_err(|e| anyhow!("failed to get decrypt key {}", e.to_string()))?;
+ let plaintext_layer = decryptor
+ .async_get_plaintext_layer(layer_reader, &layer, &decrypt_key)
+ .map_err(|e| anyhow!("failed to async_get_plaintext_layer: {:?}", e))?;
+ layer_meta.uncompressed_digest = self
+ .async_decompress_unpack_layer(
+ plaintext_layer,
+ &diff_id,
+ &decryptor.media_type,
+ &destination,
+ )
+ .await?;
+ layer_meta.encrypted = true;
 } else {
 layer_meta.uncompressed_digest = self
 .async_decompress_unpack_layer(
diff --git a/image-rs/tests/common/mod.rs b/image-rs/tests/common/mod.rs
index 14a9e663d..bda0dd640 100644
--- a/image-rs/tests/common/mod.rs
+++ b/image-rs/tests/common/mod.rs
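Review bot: With the `if let Some(dc)` guard gone, an encrypted layer pulled with `decrypt_config == None` no longer fails fast with the specific "decrypt_config is None" message; the failure now surfaces from `get_decrypt_key` as `failed to get decrypt key …` carrying whatever ocicrypt-rs reports, which is harder to diagnose in the enclave-cc deployments the commit message says still rely on the parameter. A comment above `let decrypt_key` would stop the next reader from re-adding the guard: `// decrypt_config may legitimately be None: with the CDH keyprovider flow the key id is read from the layer annotation and the KBC params come from CDH, so a missing key is reported by ocicrypt-rs rather than here.` Since the error no longer names the cause, including the layer in it helps triage, e.g. `anyhow!("failed to get decrypt key for layer {}: {}", layer.media_type, e)`, or a field such as the descriptor digest if `OciDescriptor` exposes one (not visible here). The enclosing method starts and ends outside the hunk.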
@@ -16,7 +16,7 @@ const SIGNATURE_SCRIPT: &str = "scripts/install_test_signatures.sh";
 const OFFLINE_FS_KBC_RESOURCE_SCRIPT: &str = "scripts/install_offline_fs_kbc_files.sh";
 
 /// Attestation Agent Key Provider Parameter
-pub const AA_PARAMETER: &str = "provider:attestation-agent:offline_fs_kbc::null";
+pub const AA_PARAMETER: &str = "offline_fs_kbc::null";
 
 /// Attestation Agent Offline Filesystem KBC resources file for general tests that use images stored in the quay.io registry
 pub const OFFLINE_FS_KBC_RESOURCES_FILE: &str = "aa-offline_fs_kbc-resources.json";
@@ -97,6 +97,7 @@ pub async fn start_confidential_data_hub() -> Result {
 cfg_if::cfg_if! {
 if #[cfg(feature = "keywrap-ttrpc")] {
 let mut cdh = Command::new(cdh_path)
+ .env("AA_KBC_PARAM", AA_PARAMETER)
 .kill_on_drop(true)
 .spawn()
 .expect("Failed to start confidential-data-hub");
diff --git a/image-rs/tests/image_decryption.rs b/image-rs/tests/image_decryption.rs
index 743ae6df7..f5f82fba2 100644
--- a/image-rs/tests/image_decryption.rs
+++ b/image-rs/tests/image_decryption.rs
@@ -71,13 +71,13 @@ async fn test_decrypt_layers(#[case] image: &str) {
 let mut image_client = ImageClient::new(work_dir.path().to_path_buf());
 if cfg!(feature = "snapshot-overlayfs") {
 image_client
- .pull_image(image, bundle_dir.path(), &None, &Some(common::AA_PARAMETER))
+ .pull_image(image, bundle_dir.path(), &None, &None)
 .await
 .expect("failed to download image");
 common::umount_bundle(&bundle_dir);
 } else {
 image_client
- .pull_image(image, bundle_dir.path(), &None, &Some(common::AA_PARAMETER))
+ .pull_image(image, bundle_dir.path(), &None, &None)
 .await
 .unwrap_err();
 }
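Review bot: The doc comment on `AA_PARAMETER` still says `/// Attestation Agent Key Provider Parameter`, but the value is no longer the `provider:attestation-agent:…` ocicrypt key-provider string; it is now only the KBC half that the next hunk exports to CDH through an environment variable, so the comment misdescribes what the constant is for. Suggest replacing it with `/// KBC parameters (`<kbc>::<params>`) exported to CDH as AA_KBC_PARAM; the ocicrypt key-provider prefix is no longer needed because the provider name is read from the layer annotation.` Note also that the code uses a double colon (`offline_fs_kbc::null`) while the commit message writes `offline_fs_kbc:null`; the code form is presumably the one CDH parses, which is worth stating in the comment so nobody "fixes" it.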
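Review bot: The environment variable set on the spawned CDH is `AA_KBC_PARAM`, whereas the commit message refers to `AA_KBC_PARAMS`; please confirm the exact name CDH reads, because with a mismatch CDH would silently start with its default KBC and the decryption test would fail, or pass against an unintended backend, without anything pointing at this line. The `.env(...)` is added only inside the `keywrap-ttrpc` arm of the `cfg_if!`; if any other arm of that block (outside the hunk) also spawns CDH it presumably needs the same variable. A short comment on the added line, e.g. `// CDH reads its KBC parameters from the environment now that the key-provider string no longer carries them`, would tie the two hunks together. `start_confidential_data_hub` continues past the end of the hunk.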
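Review bot: Both cases now pass `&None`, so nothing in this test exercises the `Some(decrypt_config)` arm of `get_decrypt_key` that the commit message says enclave-cc still depends on; a regression in that arm, or in the `native` key-provider check the commit defers to, would go unnoticed. Consider keeping one variant that passes a `&Some(...)` value (with whatever string the native provider now expects), or adding a unit test in decrypt.rs that asserts the `Some` arm forwards exactly one key to `create_decrypt_config`. `test_decrypt_layers` closes outside the hunk.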