CDH/KMS/kbs: read parameters from env
Related to confidential-containers#413. KBS client will also read parameters from env,
including:

- KBC_NAME: The KBC name, i.e. `cc_kbc`, `offline_fs_kbc` or
`online_sev_kbc`
- KBS_URL: The URL of the KBS
- KBS_PUBLICKEY_CERT: The public key cert of KBS

Signed-off-by: Xynnn007 <[email protected]>
Xynnn007 committed Jan 20, 2024
1 parent d6414a1 commit 4407301
Showing 6 changed files with 28 additions and 17 deletions.
1 change: 0 additions & 1 deletion Cargo.lock


1 change: 0 additions & 1 deletion confidential-data-hub/kms/Cargo.toml
Expand Up @@ -8,7 +8,6 @@ edition = "2021"
[dependencies]
anyhow.workspace = true
async-trait.workspace = true
attestation_agent = { path = "../../attestation-agent/lib", default-features = false }
base64.workspace = true
bincode = { workspace = true, optional = true }
chrono = { workspace = true, optional = true }
4 changes: 0 additions & 4 deletions confidential-data-hub/kms/src/error.rs
Expand Up @@ -3,7 +3,6 @@
// SPDX-License-Identifier: Apache-2.0
//

use attestation_agent::aa_kbc_params;
use thiserror::Error;

pub type Result<T> = std::result::Result<T, Error>;
Expand All @@ -23,7 +22,4 @@ pub enum Error {

#[error("Unsupported provider: {0}")]
UnsupportedProvider(String),

#[error("aa_kbc_params error")]
AaKbcParamsError(#[from] aa_kbc_params::ParamError),
}
23 changes: 20 additions & 3 deletions confidential-data-hub/kms/src/plugins/kbs/cc_kbc.rs
Expand Up @@ -3,12 +3,15 @@
// SPDX-License-Identifier: Apache-2.0
//

use std::env;

use async_trait::async_trait;
use kbs_protocol::{
client::KbsClient as KbsProtocolClient,
token_provider::{AATokenProvider, TokenProvider},
KbsClientCapabilities, ResourceUri,
};
use log::{info, warn};

use crate::{Error, Result};

Expand All @@ -23,12 +26,26 @@ impl CcKbc {
let token_provider = AATokenProvider::new()
.await
.map_err(|e| Error::KbsClientError(format!("create AA token provider failed: {e}")))?;

let client = kbs_protocol::KbsClientBuilder::with_token_provider(
Box::new(token_provider),
kbs_host_url,
)
.build()
.map_err(|e| Error::KbsClientError(format!("create kbs client failed: {e}")))?;
);

let client = match env::var("KBS_PUBLICKEY_CERT") {
Ok(cert_pem) => {
info!("Use KBS public key cert");
client.add_kbs_cert(&cert_pem)
}
Err(e) => {
warn!("KBS_PUBLICKEY_CERT get failed: {e:?}. Use no KBS public key certs.");
client
}
};

let client = client
.build()
.map_err(|e| Error::KbsClientError(format!("create kbs client failed: {e}")))?;
Ok(Self { client })
}
}
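Review bot: The `Err(e)` arm of the `KBS_PUBLICKEY_CERT` lookup treats every `env::VarError` as "not configured", so a value that is set but not valid Unicode (`VarError::NotUnicode`) only logs a warning and the client is built without the cert, silently dropping a trust anchor the operator did configure. Only `VarError::NotPresent` should take the warn-and-continue path; the other variant should fail `CcKbc::new` with a `KbsClientError`. A short comment above the lookup naming which component is expected to supply `KBS_PUBLICKEY_CERT` to the CDH process would also help, since whatever sets that variable decides which KBS the client trusts, and the hunk does not show where it is sourced. `CcKbc::new` begins outside the hunk, and whether `add_kbs_cert` takes `&str` or `String` is not visible here.
```rust
        let client = match env::var("KBS_PUBLICKEY_CERT") {
            // … unchanged: Ok(cert_pem) arm …
            Err(env::VarError::NotPresent) => {
                warn!("KBS_PUBLICKEY_CERT not set in env. Use no KBS public key certs.");
                client
            }
            Err(e) => {
                return Err(Error::KbsClientError(format!(
                    "KBS_PUBLICKEY_CERT is set but not valid unicode: {e}"
                )))
            }
        };
```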
14 changes: 8 additions & 6 deletions confidential-data-hub/kms/src/plugins/kbs/mod.rs
Expand Up @@ -16,9 +16,9 @@ mod offline_fs;
use std::sync::Arc;

use async_trait::async_trait;
use attestation_agent::aa_kbc_params;
use lazy_static::lazy_static;
pub use resource_uri::ResourceUri;
use std::env;
use tokio::sync::Mutex;

use crate::{Annotations, Error, Getter, Result};
Expand All @@ -33,17 +33,19 @@ enum RealClient {

impl RealClient {
async fn new() -> Result<Self> {
let params = aa_kbc_params::get_params().await?;
let kbc = env::var("KBC_NAME")
.map_err(|_| Error::KbsClientError("KBC_NAME not set in env".to_string()))?;
let _kbs_url = env::var("KBS_URL")
.map_err(|_| Error::KbsClientError("KBS_URL not set in env".to_string()))?;

let c = match params.kbc() {
let c = match &kbc[..] {
#[cfg(feature = "kbs")]
"cc_kbc" => RealClient::Cc(cc_kbc::CcKbc::new(params.uri()).await?),
"cc_kbc" => RealClient::Cc(cc_kbc::CcKbc::new(&_kbs_url).await?),
#[cfg(feature = "sev")]
"online_sev_kbc" => RealClient::Sev(sev::OnlineSevKbc::new(params.uri()).await?),
"online_sev_kbc" => RealClient::Sev(sev::OnlineSevKbc::new(&_kbs_url).await?),
"offline_fs_kbc" => RealClient::OfflineFs(offline_fs::OfflineFsKbc::new().await?),
others => return Err(Error::KbsClientError(format!("unknown kbc name {others}, only support `cc_kbc`(feature `kbs`), `online_sev_kbc` (feature `sev`) and `offline_fs_kbc`."))),
};

Ok(c)
}
}
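Review bot: `KBS_URL` is read unconditionally at the top of `RealClient::new`, so `KBC_NAME=offline_fs_kbc` now fails with "KBS_URL not set in env" even though the `offline_fs_kbc` arm never uses the URL; the leading underscore on `_kbs_url` (presumably there to silence unused-variable warnings when the `kbs` and `sev` features are off) is a symptom of the same thing. Unless every deployment is expected to set `KBS_URL` regardless of KBC, reading it lazily inside the arms that need it removes both the failure and the underscore. `&kbc[..]` also reads more naturally as `kbc.as_str()`, and in the first hunk the new `use std::env;` sits among the crate imports rather than next to `use std::sync::Arc;` — `use std::{env, sync::Arc};` keeps the std group together.
```rust
/// KBS_URL is only needed by the KBCs that talk to a remote KBS, so it is
/// read inside the match arms that use it rather than up front.
fn kbs_url_from_env() -> Result<String> {
    env::var("KBS_URL").map_err(|_| Error::KbsClientError("KBS_URL not set in env".to_string()))
}

impl RealClient {
    async fn new() -> Result<Self> {
        let kbc = env::var("KBC_NAME")
            .map_err(|_| Error::KbsClientError("KBC_NAME not set in env".to_string()))?;

        let c = match kbc.as_str() {
            #[cfg(feature = "kbs")]
            "cc_kbc" => RealClient::Cc(cc_kbc::CcKbc::new(&kbs_url_from_env()?).await?),
            #[cfg(feature = "sev")]
            "online_sev_kbc" => RealClient::Sev(sev::OnlineSevKbc::new(&kbs_url_from_env()?).await?),
            // … unchanged: offline_fs_kbc arm and unknown-kbc error arm …
        };

        Ok(c)
    }
}
```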
2 changes: 0 additions & 2 deletions confidential-data-hub/kms/src/plugins/mod.rs
Expand Up @@ -9,8 +9,6 @@ use strum::{AsRefStr, EnumString};

use crate::{Decrypter, Error, Getter, ProviderSettings, Result};

const _IN_GUEST_DEFAULT_KEY_PATH: &str = "/run/confidential-containers/cdh/kms-credential";

#[cfg(feature = "aliyun")]
pub mod aliyun;

