diff --git a/.github/workflows/cdh_basic.yml b/.github/workflows/cdh_basic.yml index 33a2e82a0..713ce9302 100644 --- a/.github/workflows/cdh_basic.yml +++ b/.github/workflows/cdh_basic.yml @@ -67,13 +67,13 @@ jobs: - name: Run cargo test run: | - sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p kms -p confidential-data-hub -p secret + sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p kms -p confidential-data-hub - name: Run cargo fmt check run: | - sudo -E PATH=$PATH -s cargo fmt -p kms -p confidential-data-hub -p secret -- --check + sudo -E PATH=$PATH -s cargo fmt -p kms -p confidential-data-hub -- --check - name: Run rust lint check run: | # We are getting error in generated code due to derive_partial_eq_without_eq check, so ignore it for now - sudo -E PATH=$PATH -s cargo clippy -p kms -p confidential-data-hub -p secret -- -D warnings -A clippy::derive-partial-eq-without-eq + sudo -E PATH=$PATH -s cargo clippy -p kms -p confidential-data-hub -- -D warnings -A clippy::derive-partial-eq-without-eq diff --git a/Cargo.lock b/Cargo.lock index 48c902eac..1cb1058f7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1085,6 +1085,7 @@ name = "confidential-data-hub" version = "0.1.0" dependencies = [ "anyhow", + "assert-json-diff", "assert_cmd", "async-trait", "attestation-agent", @@ -1101,13 +1102,13 @@ dependencies = [ "nix 0.29.0", "prost 0.13.3", "protobuf 3.5.1", + "rand", "resource_uri", "rstest", - "secret", "serde", "serde_json", "serial_test", - "storage", + "strum", "tempfile", "thiserror 2.0.3", "tokio", @@ -1115,6 +1116,7 @@ dependencies = [ "tonic-build", "ttrpc", "ttrpc-codegen", + "zeroize", ] [[package]] 
@@ -5574,29 +5576,6 @@ dependencies = [ "zeroize", ] -[[package]] -name = "secret" -version = "0.1.0" -dependencies = [ - "anyhow", - "assert-json-diff", - "assert_cmd", - "async-trait", - "base64 0.22.1", - "clap 4.2.7", - "crypto", - "kms", - "rand", - "rstest", - "serde", - "serde_json", - "strum", - "tempfile", - "thiserror 2.0.3", - "tokio", - "zeroize", -] - [[package]] name = "security-framework" version = "2.9.2" @@ -6112,26 +6091,6 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f" -[[package]] -name = "storage" -version = "0.1.0" -dependencies = [ - "anyhow", - "async-trait", - "base64 0.22.1", - "kms", - "log", - "rand", - "rstest", - "secret", - "serde", - "serde_json", - "strum", - "tempfile", - "thiserror 2.0.3", - "tokio", -] - [[package]] name = "string_cache" version = "0.8.7" diff --git a/Cargo.toml b/Cargo.toml index 95c5eda5c..4bec4e106 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -12,8 +12,6 @@ members = [ "attestation-agent/coco_keyprovider", "confidential-data-hub/hub", "confidential-data-hub/kms", - "confidential-data-hub/secret", - "confidential-data-hub/storage", "image-rs", "ocicrypt-rs", ] diff --git a/README.md b/README.md index 8c53655c2..7e707f61f 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ CoCo Keyprovider. Used to encrypt the container images. ## Tools -[secret-cli](confidential-data-hub/secret) +[secret-cli](confidential-data-hub/hub/src/bin/secret_cli.rs) Utility for sealing and unsealing sealed secrets [CDH Client](confidential-data-hub/hub/src/bin) diff --git a/api-server-rest/openapi/api.json b/api-server-rest/openapi/api.json index dd0caf465..0d2f3c3f8 100644 --- a/api-server-rest/openapi/api.json +++ b/api-server-rest/openapi/api.json 
@@ -1,5 +1,5 @@ { - "openapi": "3.0.3", + "openapi": "3.1.0", "info": { "title": "CoCo Restful API", "description": "HTTP based API for CoCo containers to get resource/evidence/token from confidential-data-hub and attestation-agent.", @@ -20,9 +20,7 @@ "paths": { "/aa/evidence": { "get": { - "tags": [ - "crate" - ], + "tags": [], "operationId": "_evidence", "parameters": [ { @@ -67,9 +65,7 @@ }, "/aa/token": { "get": { - "tags": [ - "crate" - ], + "tags": [], "operationId": "_token", "parameters": [ { @@ -114,9 +110,7 @@ }, "/cdh/resource/{repository}/{type}/{tag}": { "get": { - "tags": [ - "crate" - ], + "tags": [], "operationId": "_resource", "responses": { "200": { @@ -144,5 +138,6 @@ } } } - } + }, + "components": {} } \ No newline at end of file diff --git a/confidential-data-hub/docs/SEALED_SECRET.md b/confidential-data-hub/docs/SEALED_SECRET.md index 4793140f1..33351d423 100644 --- a/confidential-data-hub/docs/SEALED_SECRET.md +++ b/confidential-data-hub/docs/SEALED_SECRET.md @@ -10,8 +10,11 @@ in conjunction with an attestation. The Confidential Data Hub provides an API for unsealing secrets inside of a confidential guest. -There is also a [secret cli](../secret/src/bin) tool that can be used to generate sealed -secrets. +You can also use the secret cli tool to generate a sealed secret: + +```bash +cargo run -p confidential-data-hub --bin secret +``` ## Kubernetes Secrets @@ -173,7 +176,6 @@ Start with a sealed secret such as } } ``` -You can use the [secret cli](../secret/src/bin) tool to generate a sealed secret. Encode the payload in BASE64URL ``` diff --git a/confidential-data-hub/docs/SECURE_STORAGE.md b/confidential-data-hub/docs/SECURE_STORAGE.md index 83826f365..e9439ffab 100644 --- a/confidential-data-hub/docs/SECURE_STORAGE.md +++ b/confidential-data-hub/docs/SECURE_STORAGE.md 
@@ -17,7 +17,7 @@ We reuse [direct block device assigned volume feature](https://github.com/kata-c [Aliyun OSS](https://www.alibabacloud.com/product/object-storage-service) is an object storage service provided by Alibaba Cloud (Aliyun). -The [plugin](../storage/src/volume_type/aliyun) provides two different modes for secure mount. +The [plugin](../hub/src/storage/volume_type/aliyun) provides two different modes for secure mount. Confidential Data Hub's `secure_mount()` [API](../hub/protos/api.proto) will help to instrument this. @@ -65,7 +65,7 @@ For more details, please refer to [the guide](use-cases/secure-mount-with-aliyun ### Block Device -The [plugin](../storage/src/volume_type/blockdevice) provides ways to encrypt a block device and mount it to a specific mount point. Currently only support LUKS in [cryptsetup](https://gitlab.com/cryptsetup/cryptsetup/) for block device encryption. +The [plugin](../hub/src/storage/volume_type/blockdevice) provides ways to encrypt a block device and mount it to a specific mount point. Currently only support LUKS in [cryptsetup](https://gitlab.com/cryptsetup/cryptsetup/) for block device encryption. #### LUKS Encryption diff --git a/confidential-data-hub/docs/use-cases/secure-mount-with-block-device.md b/confidential-data-hub/docs/use-cases/secure-mount-with-block-device.md index ac626da08..5d48a993b 100644 --- a/confidential-data-hub/docs/use-cases/secure-mount-with-block-device.md +++ b/confidential-data-hub/docs/use-cases/secure-mount-with-block-device.md @@ -30,7 +30,7 @@ Follow the instructions in the [CDH README](../../README.md#confidential-data-hu 2. Install `luks-encrypt-storage` -Install [luks-encrypt-storage](../../storage/scripts/luks-encrypt-storage) into `/usr/local/bin` +Install [luks-encrypt-storage](../../hub/src/storage/scripts/luks-encrypt-storage) into `/usr/local/bin` 3. Run CDH ```shell 
@@ -74,4 +74,4 @@ $ lsblk |grep "encrypted_disk" # Expected output:
└─encrypted_disk_OEyEj_dif 253:1 0 968.6M 0 crypt
└─encrypted_disk_OEyEj 253:2 0 968.6M 0 crypt /mnt/test-path
-```
\ No newline at end of file
+```
diff --git a/confidential-data-hub/hub/Cargo.toml b/confidential-data-hub/hub/Cargo.toml
index 43457b5bf..57fe37199 100644
--- a/confidential-data-hub/hub/Cargo.toml
+++ b/confidential-data-hub/hub/Cargo.toml
@@ -26,6 +26,11 @@ required-features = ["bin", "grpc"]
name = "cdh-oneshot"
required-features = ["bin"]
+[[bin]]
+name = "secret"
+path = "src/bin/secret_cli.rs"
+required-features = ["cli"]
+
[dependencies]
anyhow = { workspace = true, optional = true }
async-trait.workspace = true
@@ -43,42 +48,50 @@ log.workspace = true
prost = { workspace = true, optional = true }
protobuf = { workspace = true, optional = true }
resource_uri.path = "../../attestation-agent/deps/resource_uri"
-secret.path = "../secret"
-storage.path = "../storage"
+rand.workspace = true
serde = { workspace = true, optional = true }
serde_json.workspace = true
+strum = { workspace = true, features = ["derive"] }
+tempfile = { workspace = true, optional = true }
thiserror.workspace = true
-tokio = { workspace = true, features = [ "rt-multi-thread", "macros", "sync" ] }
+tokio = { workspace = true, features = [ "fs", "macros", "io-util", "process", "rt-multi-thread", "sync" ] }
tonic = { workspace = true, optional = true }
ttrpc = { workspace = true, features = ["async"], optional = true }
+zeroize.workspace = true
[build-dependencies]
+anyhow.workspace = true
tonic-build = { workspace = true, optional = true }
ttrpc-codegen = { workspace = true, optional = true }
[dev-dependencies]
assert_cmd.workspace = true
+assert-json-diff.workspace = true
nix.workspace = true
rstest.workspace = true
serial_test.workspace = true
tempfile.workspace = true
+tokio = { workspace = true, features = ["rt", "macros" ] }
[features]
-default = ["kbs", "bin", "ttrpc", "grpc"]
+default = ["aliyun", "kbs", "bin", "ttrpc", "grpc", "cli"]
# support aliyun stacks (KMS, ..)
-aliyun = ["secret/aliyun"]
+aliyun = ["tempfile"]
# support coco-KBS to provide confidential resources
-kbs = ["kms/kbs", "secret/kbs"]
+kbs = ["kms/kbs"]
# support sev to provide confidential resources
-sev = ["kms/sev", "secret/sev"]
+sev = ["kms/sev"]
# support eHSM stacks (KMS, ...)
-ehsm = ["secret/ehsm"]
+ehsm = []
# Binary RPC type
bin = [ "anyhow", "attestation-agent", "cfg-if", "clap", "config", "env_logger", "serde" ]
ttrpc = ["dep:ttrpc", "protobuf", "ttrpc-codegen", "tokio/signal"]
grpc = ["prost", "tonic", "tonic-build", "tokio/signal"]
+
+# for secret_cli
+cli = ["clap/derive", "tokio/rt-multi-thread", "tokio/sync", "tokio/macros"]
diff --git a/confidential-data-hub/hub/src/api.rs b/confidential-data-hub/hub/src/api.rs
index 37f941443..77bf9d56c 100644
--- a/confidential-data-hub/hub/src/api.rs
+++ b/confidential-data-hub/hub/src/api.rs
@@ -5,8 +5,8 @@ use async_trait::async_trait;
+use crate::storage::volume_type::Storage;
use crate::Result;
-use storage::volume_type::Storage;
/// The APIs of the DataHub. See
/// for
diff --git a/confidential-data-hub/hub/src/bin/cdh-oneshot.rs b/confidential-data-hub/hub/src/bin/cdh-oneshot.rs
index 58216b905..c1e1f9888 100644
--- a/confidential-data-hub/hub/src/bin/cdh-oneshot.rs
+++ b/confidential-data-hub/hub/src/bin/cdh-oneshot.rs
@@ -9,9 +9,8 @@ use base64::{engine::general_purpose::STANDARD, Engine};
use clap::{Args, Parser, Subcommand};
-use confidential_data_hub::{hub::Hub, CdhConfig, DataHub};
+use confidential_data_hub::{hub::Hub, storage::volume_type::Storage, CdhConfig, DataHub};
use log::warn;
-use storage::volume_type::Storage;
#[derive(Parser)]
#[command(name = "cdh_oneshot")]
diff --git a/confidential-data-hub/hub/src/bin/grpc-cdh-tool.rs b/confidential-data-hub/hub/src/bin/grpc-cdh-tool.rs
index 3d877876c..6b51efea0 100644
--- a/confidential-data-hub/hub/src/bin/grpc-cdh-tool.rs
+++ b/confidential-data-hub/hub/src/bin/grpc-cdh-tool.rs
@@ -16,7 +16,7 @@ use api::{
};
use base64::{engine::general_purpose::STANDARD, Engine};
use clap::{Args, Parser, Subcommand};
-use storage::volume_type::Storage;
+use confidential_data_hub::storage::volume_type::Storage;
mod api {
tonic::include_proto!("api");
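Review bot: The new `aliyun = ["tempfile"]` and `ehsm = []` definitions drop the `kms` plugin features that the removed `secret` crate used to forward (`aliyun = ["kms/aliyun"]`, `ehsm = ["kms/ehsm"]` in the deleted `confidential-data-hub/secret/Cargo.toml` later in this diff), while `secret_cli.rs` still imports `kms::plugins::aliyun::AliyunKmsClient` and `kms::plugins::ehsm::EhsmKmsClient` under those same cfgs. Unless the `kms` dependency line, which is outside this hunk, already enables them, a build with `--features ehsm` will not resolve that path, and the `aliyun` case may only pass CI because `--features kbs,aliyun,sev,bin` is applied to every selected package there. I would write `aliyun = ["kms/aliyun", "tempfile"]` and `ehsm = ["kms/ehsm"]`, matching how `kbs` and `sev` keep their `kms/...` entries. The old storage crate's `aliyun` feature also enabled `tokio/time`, which does not appear in the unified `tokio` feature list; if the aliyun volume code uses `tokio::time`, it now compiles only through feature unification from other dependencies.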
diff --git a/confidential-data-hub/hub/src/bin/grpc_server/mod.rs b/confidential-data-hub/hub/src/bin/grpc_server/mod.rs
index 24b7fb1ea..497607e43 100644
--- a/confidential-data-hub/hub/src/bin/grpc_server/mod.rs
+++ b/confidential-data-hub/hub/src/bin/grpc_server/mod.rs
@@ -5,10 +5,12 @@ use anyhow::*;
-use confidential_data_hub::{hub::Hub, DataHub};
+use confidential_data_hub::{
+ storage::volume_type::Storage,
+ {hub::Hub, DataHub},
+};
use log::{debug, error};
use std::{error::Error as _, net::SocketAddr, sync::Arc};
-use storage::volume_type::Storage;
use tonic::{transport::Server, Request, Response, Status};
use crate::{
diff --git a/confidential-data-hub/secret/src/bin/secret_cli.rs b/confidential-data-hub/hub/src/bin/secret_cli.rs
similarity index 98%
rename from confidential-data-hub/secret/src/bin/secret_cli.rs
rename to confidential-data-hub/hub/src/bin/secret_cli.rs
index f50b8bd8e..52e1c3aac 100644
--- a/confidential-data-hub/secret/src/bin/secret_cli.rs
+++ b/confidential-data-hub/hub/src/bin/secret_cli.rs
@@ -7,6 +7,10 @@ use std::{env, path::Path};
use base64::{engine::general_purpose::STANDARD, Engine};
use clap::{command, Args, Parser, Subcommand};
+use confidential_data_hub::secret::{
+ layout::{envelope::EnvelopeSecret, vault::VaultSecret},
+ Secret, SecretContent, VERSION,
+};
use crypto::WrapType;
#[cfg(feature = "aliyun")]
use kms::plugins::aliyun::AliyunKmsClient;
@@ -14,8 +18,6 @@ use kms::plugins::aliyun::AliyunKmsClient;
use kms::plugins::ehsm::EhsmKmsClient;
use kms::{Encrypter, ProviderSettings};
use rand::Rng;
-use secret::secret::layout::{envelope::EnvelopeSecret, vault::VaultSecret};
-use secret::secret::{Secret, SecretContent, VERSION};
#[cfg(feature = "ehsm")]
use serde_json::Value;
use tokio::{fs, io::AsyncWriteExt};
diff --git a/confidential-data-hub/hub/src/bin/ttrpc-cdh-tool.rs b/confidential-data-hub/hub/src/bin/ttrpc-cdh-tool.rs
index 6a7a67103..da72e2fce 100644
--- a/confidential-data-hub/hub/src/bin/ttrpc-cdh-tool.rs
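Review bot: The rewritten import in `grpc_server/mod.rs` nests an anonymous group, `{hub::Hub, DataHub},`, inside the outer use list; the inner braces add nothing and read like a paste artifact. A flat list says the same thing: `use confidential_data_hub::{hub::Hub, storage::volume_type::Storage, DataHub};`. The `ttrpc_server/mod.rs` hunk on the next line has the same shape with `{hub::Hub, CdhConfig, DataHub},` and would flatten the same way, and `cdh-oneshot.rs` in this very commit already uses the flat form, so the three files would then match.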
+++ b/confidential-data-hub/hub/src/bin/ttrpc-cdh-tool.rs
@@ -9,6 +9,7 @@ use base64::{engine::general_purpose::STANDARD, Engine};
use clap::{Args, Parser, Subcommand};
+use confidential_data_hub::storage::volume_type::Storage;
use protos::{
api::*,
api_ttrpc::{
@@ -18,7 +19,6 @@ use protos::{
keyprovider::*,
keyprovider_ttrpc::KeyProviderServiceClient,
};
-use storage::volume_type::Storage;
use ttrpc::context;
mod protos;
diff --git a/confidential-data-hub/hub/src/bin/ttrpc_server/mod.rs b/confidential-data-hub/hub/src/bin/ttrpc_server/mod.rs
index 448c49323..671912061 100644
--- a/confidential-data-hub/hub/src/bin/ttrpc_server/mod.rs
+++ b/confidential-data-hub/hub/src/bin/ttrpc_server/mod.rs
@@ -7,9 +7,11 @@ use std::error::Error as _;
use anyhow::Result;
use async_trait::async_trait;
-use confidential_data_hub::{hub::Hub, CdhConfig, DataHub};
+use confidential_data_hub::{
+ storage::volume_type::Storage,
+ {hub::Hub, CdhConfig, DataHub},
+};
use log::{debug, error};
-use storage::volume_type::Storage;
use ttrpc::{asynchronous::TtrpcContext, Code, Error, Status};
use crate::{
diff --git a/confidential-data-hub/hub/src/error.rs b/confidential-data-hub/hub/src/error.rs
index fee920e33..8b31eaff2 100644
--- a/confidential-data-hub/hub/src/error.rs
+++ b/confidential-data-hub/hub/src/error.rs
@@ -3,7 +3,7 @@ // SPDX-License-Identifier: Apache-2.0 //
-use crate::image;
+use crate::{image, secret, storage};
use thiserror::Error;
pub type Result = std::result::Result;
diff --git a/confidential-data-hub/hub/src/hub.rs b/confidential-data-hub/hub/src/hub.rs
index 18fc42b08..a850703e7 100644
--- a/confidential-data-hub/hub/src/hub.rs
+++ b/confidential-data-hub/hub/src/hub.rs
@@ -9,12 +9,13 @@ use async_trait::async_trait;
use image_rs::{builder::ClientBuilder, config::ImageConfig, image::ImageClient};
use kms::{Annotations, ProviderSettings};
use log::{debug, info};
-use storage::volume_type::Storage;
use tokio::sync::{Mutex, OnceCell};
-use crate::{image, CdhConfig, DataHub, Error, Result};
+use crate::storage::volume_type::Storage;
+use crate::{image, secret, CdhConfig, DataHub, Error, Result};
pub struct Hub {
+ #[allow(dead_code)]
pub(crate) credentials: HashMap,
image_client: OnceCell>,
config: CdhConfig,
diff --git a/confidential-data-hub/hub/src/lib.rs b/confidential-data-hub/hub/src/lib.rs
index 468abeff0..0118fb138 100644
--- a/confidential-data-hub/hub/src/lib.rs
+++ b/confidential-data-hub/hub/src/lib.rs
@@ -17,3 +17,5 @@ pub mod config;
pub use config::*;
pub mod image;
+pub mod secret;
+pub mod storage;
diff --git a/confidential-data-hub/secret/src/error.rs b/confidential-data-hub/hub/src/secret/error.rs
similarity index 100%
rename from confidential-data-hub/secret/src/error.rs
rename to confidential-data-hub/hub/src/secret/error.rs
diff --git a/confidential-data-hub/secret/src/secret/layout/envelope.rs b/confidential-data-hub/hub/src/secret/layout/envelope.rs
similarity index 100%
rename from confidential-data-hub/secret/src/secret/layout/envelope.rs
rename to confidential-data-hub/hub/src/secret/layout/envelope.rs
diff --git a/confidential-data-hub/secret/src/secret/layout/mod.rs b/confidential-data-hub/hub/src/secret/layout/mod.rs
similarity index 100%
rename from confidential-data-hub/secret/src/secret/layout/mod.rs
rename to confidential-data-hub/hub/src/secret/layout/mod.rs
diff --git a/confidential-data-hub/secret/src/secret/layout/vault.rs b/confidential-data-hub/hub/src/secret/layout/vault.rs
similarity index 97%
rename from confidential-data-hub/secret/src/secret/layout/vault.rs
rename to confidential-data-hub/hub/src/secret/layout/vault.rs
index 2b9d6962b..24bc60adc 100644
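Review bot: The `#[allow(dead_code)]` added to `Hub::credentials` carries no comment saying why a `pub(crate)` field the struct still holds is never read, so the next reader cannot tell a deliberate suppression from a forgotten wiring-up. If the map is meant to be consumed by the secret or storage code that now lives in this crate, a short note such as `#[allow(dead_code)] // TODO(<owner>): not read yet, see <tracking issue>` with the real reference filled in would record that; if nothing will ever read it, removing the field is cleaner than silencing the lint. The constructor that fills the field is outside this hunk, so I cannot see what depends on it.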
--- a/confidential-data-hub/secret/src/secret/layout/vault.rs
+++ b/confidential-data-hub/hub/src/secret/layout/vault.rs
@@ -3,11 +3,11 @@ // SPDX-License-Identifier: Apache-2.0 //
-use kms::ProviderSettings;
use serde::{Deserialize, Serialize};
use thiserror::Error;
pub use kms::Annotations;
+pub use kms::ProviderSettings;
pub type Result = std::result::Result;
diff --git a/confidential-data-hub/secret/src/secret/mod.rs b/confidential-data-hub/hub/src/secret/mod.rs
similarity index 87%
rename from confidential-data-hub/secret/src/secret/mod.rs
rename to confidential-data-hub/hub/src/secret/mod.rs
index f1ad97cb4..e17ef0dbc 100644
--- a/confidential-data-hub/secret/src/secret/mod.rs
+++ b/confidential-data-hub/hub/src/secret/mod.rs
@@ -3,6 +3,7 @@ // SPDX-License-Identifier: Apache-2.0 //
+pub mod error;
pub mod layout;
use base64::{engine::general_purpose::URL_SAFE_NO_PAD as b64, Engine};
@@ -10,7 +11,7 @@ use serde::{Deserialize, Serialize};
use self::layout::{envelope::EnvelopeSecret, vault::VaultSecret};
-use crate::{Result, SecretError};
+pub use error::{Result, SecretError};
#[derive(Serialize, Deserialize, PartialEq, Debug)]
#[serde(tag = "type", rename_all = "lowercase")]
@@ -29,6 +30,14 @@ pub struct Secret {
pub const VERSION: &str = "0.1.0";
+pub async fn unseal_secret(secret: &[u8]) -> Result> {
+ let secret_string = String::from_utf8(secret.to_vec())
+ .map_err(|_| SecretError::ParseFailed("Secret string must be UTF-8"))?;
+
+ let secret = Secret::from_signed_base64_string(secret_string)?;
+ secret.unseal().await
+}
+
impl Secret {
pub async fn unseal(&self) -> Result> {
if self.version != VERSION {
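Review bot: `unseal_secret` lands in `secret/mod.rs` without the doc comment it carried in the deleted `secret/src/lib.rs`, and it is now a public function of the `confidential_data_hub` crate, so the input format should be restored above it: `/// The input sealed secret is in the following format` followed by `` /// `sealed`.`JWS header`.`JWS body (secret content)`.`signature` ``. A second line, `/// Returns `SecretError::ParseFailed` when the bytes are not valid UTF-8; parsing and unsealing errors are propagated as-is.`, would state what the body visibly does. The `vault.rs` hunk above only turns the `ProviderSettings` import into a re-export and needs nothing further.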
@@ -81,15 +90,15 @@ mod tests {
use crypto::WrapType;
use rstest::rstest;
- use crate::{
- secret::layout::{envelope::EnvelopeSecret, vault::VaultSecret},
- Annotations, ProviderSettings,
+ use crate::secret::layout::{
+ envelope::EnvelopeSecret,
+ vault::{Annotations, ProviderSettings, VaultSecret},
};
use super::{Secret, SecretContent};
#[rstest]
- #[case(include_str!("../../tests/envelope-1.json"), Secret {
+ #[case(include_str!("./tests/envelope-1.json"), Secret {
version: "0.1.0".into(),
r#type: SecretContent::Envelope(EnvelopeSecret {
provider: "aliyun".into(),
@@ -102,7 +111,7 @@ mod tests {
annotations: Annotations::default(),
}),
})]
- #[case(include_str!("../../tests/vault-1.json"), Secret {
+ #[case(include_str!("./tests/vault-1.json"), Secret {
version: "0.1.0".into(),
r#type: SecretContent::Vault(VaultSecret {
provider: "aliyun".into(),
@@ -111,7 +120,7 @@ mod tests {
name: "xxx".into(),
}),
})]
- #[case(include_str!("../../tests/vault-2.json"), Secret {
+ #[case(include_str!("./tests/vault-2.json"), Secret {
version: "0.1.0".into(),
r#type: SecretContent::Vault(VaultSecret {
provider: "kbs".into(),
diff --git a/confidential-data-hub/secret/tests/envelope-1.json b/confidential-data-hub/hub/src/secret/tests/envelope-1.json
similarity index 100%
rename from confidential-data-hub/secret/tests/envelope-1.json
rename to confidential-data-hub/hub/src/secret/tests/envelope-1.json
diff --git a/confidential-data-hub/secret/tests/envelope_secret_aliyun_config_sample/PrivateKmsCA_kst-bjj6____.pem b/confidential-data-hub/hub/src/secret/tests/envelope_secret_aliyun_config_sample/PrivateKmsCA_kst-bjj6____.pem
similarity index 100%
rename from confidential-data-hub/secret/tests/envelope_secret_aliyun_config_sample/PrivateKmsCA_kst-bjj6____.pem
rename to confidential-data-hub/hub/src/secret/tests/envelope_secret_aliyun_config_sample/PrivateKmsCA_kst-bjj6____.pem
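Review bot: The `include_str!` paths now point at `src/secret/tests/`, and the same commit moves `secret/tests/test_hsm_secrets.rs` into that directory (rename entry on the following line). Under the old `secret` crate that file was an auto-discovered integration test; under `hub/src/secret/tests/` it is just a `.rs` file that cargo neither compiles nor runs unless something declares it as a module, and no `mod` line for it appears anywhere in this diff, so it silently stops being a test. Either keep it under `confidential-data-hub/hub/tests/` so it stays an integration test, or pull it in with `#[cfg(test)] mod test_hsm_secrets;` from a `tests/mod.rs` and fix its `use` paths for the new crate. The JSON fixtures moved alongside it are only read through `include_str!` inside `mod tests`, so their new location is fine.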
diff --git a/confidential-data-hub/secret/tests/envelope_secret_aliyun_config_sample/clientKey_KAAP.2bc4____.json b/confidential-data-hub/hub/src/secret/tests/envelope_secret_aliyun_config_sample/clientKey_KAAP.2bc4____.json
similarity index 100%
rename from confidential-data-hub/secret/tests/envelope_secret_aliyun_config_sample/clientKey_KAAP.2bc4____.json
rename to confidential-data-hub/hub/src/secret/tests/envelope_secret_aliyun_config_sample/clientKey_KAAP.2bc4____.json
diff --git a/confidential-data-hub/secret/tests/envelope_secret_aliyun_config_sample/password_KAAP.2bc4____.json b/confidential-data-hub/hub/src/secret/tests/envelope_secret_aliyun_config_sample/password_KAAP.2bc4____.json
similarity index 100%
rename from confidential-data-hub/secret/tests/envelope_secret_aliyun_config_sample/password_KAAP.2bc4____.json
rename to confidential-data-hub/hub/src/secret/tests/envelope_secret_aliyun_config_sample/password_KAAP.2bc4____.json
diff --git a/confidential-data-hub/secret/tests/envelope_secret_ehsm_config_sample/credential_16f3____.json b/confidential-data-hub/hub/src/secret/tests/envelope_secret_ehsm_config_sample/credential_16f3____.json
similarity index 100%
rename from confidential-data-hub/secret/tests/envelope_secret_ehsm_config_sample/credential_16f3____.json
rename to confidential-data-hub/hub/src/secret/tests/envelope_secret_ehsm_config_sample/credential_16f3____.json
diff --git a/confidential-data-hub/secret/tests/test_hsm_secrets.rs b/confidential-data-hub/hub/src/secret/tests/test_hsm_secrets.rs
similarity index 100%
rename from confidential-data-hub/secret/tests/test_hsm_secrets.rs
rename to confidential-data-hub/hub/src/secret/tests/test_hsm_secrets.rs
diff --git a/confidential-data-hub/secret/tests/vault-1.json b/confidential-data-hub/hub/src/secret/tests/vault-1.json
similarity index 100%
rename from confidential-data-hub/secret/tests/vault-1.json
rename to confidential-data-hub/hub/src/secret/tests/vault-1.json
diff --git a/confidential-data-hub/hub/src/secret/tests/vault-12json b/confidential-data-hub/hub/src/secret/tests/vault-12json
new file mode 100644
index 000000000..e69de29bb
diff --git a/confidential-data-hub/secret/tests/vault-2.json b/confidential-data-hub/hub/src/secret/tests/vault-2.json
similarity index 100%
rename from confidential-data-hub/secret/tests/vault-2.json
rename to confidential-data-hub/hub/src/secret/tests/vault-2.json
diff --git a/confidential-data-hub/storage/src/error.rs b/confidential-data-hub/hub/src/storage/error.rs
similarity index 96%
rename from confidential-data-hub/storage/src/error.rs
rename to confidential-data-hub/hub/src/storage/error.rs
index 6693b4375..ef57cc3f1 100644
--- a/confidential-data-hub/storage/src/error.rs
+++ b/confidential-data-hub/hub/src/storage/error.rs
@@ -5,7 +5,7 @@ use thiserror::Error;
-use crate::volume_type;
+use super::volume_type;
pub type Result = std::result::Result;
diff --git a/confidential-data-hub/storage/src/lib.rs b/confidential-data-hub/hub/src/storage/mod.rs
similarity index 99%
rename from confidential-data-hub/storage/src/lib.rs
rename to confidential-data-hub/hub/src/storage/mod.rs
index 391985321..964deed03 100644
--- a/confidential-data-hub/storage/src/lib.rs
+++ b/confidential-data-hub/hub/src/storage/mod.rs
@@ -4,6 +4,5 @@ //
pub mod error;
-pub mod volume_type;
-
pub use error::*;
+pub mod volume_type;
diff --git a/confidential-data-hub/storage/scripts/luks-encrypt-storage b/confidential-data-hub/hub/src/storage/scripts/luks-encrypt-storage
similarity index 100%
rename from confidential-data-hub/storage/scripts/luks-encrypt-storage
rename to confidential-data-hub/hub/src/storage/scripts/luks-encrypt-storage
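Review bot: The new file `confidential-data-hub/hub/src/secret/tests/vault-12json` is empty (its blob id `e69de29bb` is the empty object) and its name is one character away from `vault-2.json`, which this commit moves into the same directory; nothing in the diff references it, so it looks like an accidental addition from a mistyped rename. It should be dropped from the commit rather than shipped as a stray fixture. The `storage/mod.rs` hunk on this line only reorders `pub mod volume_type;` below the `pub use error::*;` re-export and is fine as is.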
diff --git a/confidential-data-hub/storage/src/volume_type/aliyun/error.rs b/confidential-data-hub/hub/src/storage/volume_type/aliyun/error.rs
similarity index 100%
rename from confidential-data-hub/storage/src/volume_type/aliyun/error.rs
rename to confidential-data-hub/hub/src/storage/volume_type/aliyun/error.rs
diff --git a/confidential-data-hub/storage/src/volume_type/aliyun/mod.rs b/confidential-data-hub/hub/src/storage/volume_type/aliyun/mod.rs
similarity index 99%
rename from confidential-data-hub/storage/src/volume_type/aliyun/mod.rs
rename to confidential-data-hub/hub/src/storage/volume_type/aliyun/mod.rs
index e4b44547b..fd04229fb 100644
--- a/confidential-data-hub/storage/src/volume_type/aliyun/mod.rs
+++ b/confidential-data-hub/hub/src/storage/volume_type/aliyun/mod.rs
@@ -19,6 +19,7 @@ use tokio::{
process::Command,
};
+use crate::secret;
use error::{AliyunError, Result};
use super::SecureMount;
diff --git a/confidential-data-hub/storage/src/volume_type/blockdevice/error.rs b/confidential-data-hub/hub/src/storage/volume_type/blockdevice/error.rs
similarity index 100%
rename from confidential-data-hub/storage/src/volume_type/blockdevice/error.rs
rename to confidential-data-hub/hub/src/storage/volume_type/blockdevice/error.rs
diff --git a/confidential-data-hub/storage/src/volume_type/blockdevice/luks/mod.rs b/confidential-data-hub/hub/src/storage/volume_type/blockdevice/luks/mod.rs
similarity index 100%
rename from confidential-data-hub/storage/src/volume_type/blockdevice/luks/mod.rs
rename to confidential-data-hub/hub/src/storage/volume_type/blockdevice/luks/mod.rs
diff --git a/confidential-data-hub/storage/src/volume_type/blockdevice/mod.rs b/confidential-data-hub/hub/src/storage/volume_type/blockdevice/mod.rs
similarity index 99%
rename from confidential-data-hub/storage/src/volume_type/blockdevice/mod.rs
rename to confidential-data-hub/hub/src/storage/volume_type/blockdevice/mod.rs
index c8f14ccb0..27e76fd44 100644
--- a/confidential-data-hub/storage/src/volume_type/blockdevice/mod.rs
+++ b/confidential-data-hub/hub/src/storage/volume_type/blockdevice/mod.rs
@@ -6,6 +6,7 @@ pub mod error;
pub mod luks;
use super::SecureMount;
+use crate::secret;
use async_trait::async_trait;
use error::{BlockDeviceError, Result};
use kms::{Annotations, ProviderSettings};
diff --git a/confidential-data-hub/storage/src/volume_type/mod.rs b/confidential-data-hub/hub/src/storage/volume_type/mod.rs
similarity index 98%
rename from confidential-data-hub/storage/src/volume_type/mod.rs
rename to confidential-data-hub/hub/src/storage/volume_type/mod.rs
index 76f27dc28..dc1e7a241 100644
--- a/confidential-data-hub/storage/src/volume_type/mod.rs
+++ b/confidential-data-hub/hub/src/storage/volume_type/mod.rs
@@ -8,7 +8,7 @@ pub mod aliyun;
pub mod blockdevice;
use std::{collections::HashMap, str::FromStr};
-use crate::Result;
+use super::error::Result;
use async_trait::async_trait;
diff --git a/confidential-data-hub/secret/Cargo.toml b/confidential-data-hub/secret/Cargo.toml
deleted file mode 100644
index a0db9ad3a..000000000
--- a/confidential-data-hub/secret/Cargo.toml
+++ /dev/null
@@ -1,41 +0,0 @@
-[package]
-name = "secret"
-version = "0.1.0"
-authors = ["The Confidential Container Authors"]
-edition = "2021"
-
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
-[[bin]]
-name = "secret_cli"
-required-features = [ "cli" ]
-
-[dependencies]
-anyhow.workspace = true
-async-trait.workspace = true
-base64.workspace = true
-clap = { workspace = true, optional = true }
-crypto.path = "../../attestation-agent/deps/crypto"
-kms = { path = "../kms", default-features = false }
-rand = { workspace = true, optional = true }
-serde = "1"
-serde_json = "1"
-strum = { workspace =ient true, features = ["derive"] }
-thiserror.workspace = true
-tokio = { workspace = true, features = ["io-util"], optional = true }
-zeroize.workspace = true
-
-[dev-dependencies]
-assert_cmd = "2.0"
-assert-json-diff.workspace = true
-rstest.workspace = true
-tempfile.workspace = true
-
-[features]
-default = [ "cli" ]
-cli = ["clap/derive", "rand", "tokio/rt-multi-thread", "tokio/sync", "tokio/macros"]
-
-aliyun = ["kms/aliyun"]
-kbs = ["kms/kbs"]
-sev = ["kms/sev"]
-ehsm = ["kms/ehsm"]
diff --git a/confidential-data-hub/secret/src/lib.rs b/confidential-data-hub/secret/src/lib.rs
deleted file mode 100644
index 65896afec..000000000
--- a/confidential-data-hub/secret/src/lib.rs
+++ /dev/null
@@ -1,22 +0,0 @@
-// Copyright (c) 2023 Alibaba Cloud
-//
-// SPDX-License-Identifier: Apache-2.0
-//
-
-pub mod error;
-pub mod secret;
-
-use crate::secret::Secret;
-
-pub use error::*;
-pub use kms::{Annotations, ProviderSettings};
-
-/// The input sealed secret is in the following format
-/// `sealed`.`JWS header`.`JWS body (secret content)`.`signature`
-pub async fn unseal_secret(secret: &[u8]) -> Result> {
- let secret_string = String::from_utf8(secret.to_vec())
- .map_err(|_| SecretError::ParseFailed("Secret string must be UTF-8"))?;
-
- let secret = Secret::from_signed_base64_string(secret_string)?;
- secret.unseal().await
-}
diff --git a/confidential-data-hub/storage/Cargo.toml b/confidential-data-hub/storage/Cargo.toml
deleted file mode 100644
index 1289f7aef..000000000
--- a/confidential-data-hub/storage/Cargo.toml
+++ /dev/null
@@ -1,32 +0,0 @@
-[package]
-name = "storage"
-version = "0.1.0"
-edition = "2021"
-
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
-[dependencies]
-anyhow.workspace = true
-async-trait.workspace = true
-base64.workspace = true
-log.workspace = true
-kms = { path = "../kms", features = ["kbs"] }
-rand = { workspace = true, optional = true }
-secret = { path = "../secret" }
-serde.workspace = true
-serde_json.workspace = true
-strum = { workspace = true, features = ["derive"] }
-tempfile = { workspace = true, optional = true }
-thiserror.workspace = true
-tokio = { workspace = true, optional = true }
-
-[dev-dependencies]
-rstest.workspace = true
-tokio = { workspace = true, features = ["rt", "macros" ] }
-
-[build-dependencies]
-anyhow.workspace = true
-
-[features]
-default = ["aliyun"]
-aliyun = [ "rand", "tempfile", "tokio/fs", "tokio/process", "tokio/io-util", "tokio/time" ]