From 42bfebe70800ae6091f44d867b89da81a59c38a5 Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Wed, 20 Nov 2024 10:08:49 +0100 Subject: [PATCH] cdh: move storage and secret crates to cdh modules the storage and secret crates are used exclusively by cdh, so we don't need to maintain those as individual crates, which helps with naming conflicts and reduces build complexity. the storage crate has a dep on the secret crate, so we have to cover them in a single change. 
Signed-off-by: Magnus Kulke --- .github/workflows/cdh_basic.yml | 6 +-- Cargo.lock | 49 ++----------------- Cargo.toml | 2 - README.md | 2 +- api-server-rest/openapi/api.json | 17 +++---- confidential-data-hub/docs/SEALED_SECRET.md | 8 +-- confidential-data-hub/docs/SECURE_STORAGE.md | 4 +- .../secure-mount-with-block-device.md | 4 +- confidential-data-hub/hub/Cargo.toml | 29 ++++++++--- confidential-data-hub/hub/src/api.rs | 2 +- .../hub/src/bin/cdh-oneshot.rs | 3 +- .../hub/src/bin/grpc-cdh-tool.rs | 2 +- .../hub/src/bin/grpc_server/mod.rs | 6 ++- .../{secret => hub}/src/bin/secret_cli.rs | 6 ++- .../hub/src/bin/ttrpc-cdh-tool.rs | 2 +- .../hub/src/bin/ttrpc_server/mod.rs | 6 ++- confidential-data-hub/hub/src/error.rs | 2 +- confidential-data-hub/hub/src/hub.rs | 5 +- confidential-data-hub/hub/src/lib.rs | 2 + .../{secret/src => hub/src/secret}/error.rs | 0 .../src/secret/layout/envelope.rs | 0 .../{secret => hub}/src/secret/layout/mod.rs | 0 .../src/secret/layout/vault.rs | 2 +- .../{secret => hub}/src/secret/mod.rs | 23 ++++++--- .../src}/secret/tests/envelope-1.json | 0 .../PrivateKmsCA_kst-bjj6____.pem | 0 .../clientKey_KAAP.2bc4____.json | 0 .../password_KAAP.2bc4____.json | 0 .../credential_16f3____.json | 0 .../src}/secret/tests/test_hsm_secrets.rs | 0 .../{ => hub/src}/secret/tests/vault-1.json | 0 .../hub/src/secret/tests/vault-12json | 0 .../{ => hub/src}/secret/tests/vault-2.json | 0 .../{storage/src => hub/src/storage}/error.rs | 2 +- .../src/lib.rs => hub/src/storage/mod.rs} | 3 +- .../src}/storage/scripts/luks-encrypt-storage | 0 .../src/storage}/volume_type/aliyun/error.rs | 0 .../src/storage}/volume_type/aliyun/mod.rs | 1 + .../storage}/volume_type/blockdevice/error.rs | 0 .../volume_type/blockdevice/luks/mod.rs | 0 .../storage}/volume_type/blockdevice/mod.rs | 1 + .../src/storage}/volume_type/mod.rs | 2 +- confidential-data-hub/secret/Cargo.toml | 41 ---------------- confidential-data-hub/secret/src/lib.rs | 22 --------- 
confidential-data-hub/storage/Cargo.toml | 32 ------------ 45 files changed, 88 insertions(+), 198 deletions(-) rename confidential-data-hub/{secret => hub}/src/bin/secret_cli.rs (98%) rename confidential-data-hub/{secret/src => hub/src/secret}/error.rs (100%) rename confidential-data-hub/{secret => hub}/src/secret/layout/envelope.rs (100%) rename confidential-data-hub/{secret => hub}/src/secret/layout/mod.rs (100%) rename confidential-data-hub/{secret => hub}/src/secret/layout/vault.rs (97%) rename confidential-data-hub/{secret => hub}/src/secret/mod.rs (87%) rename confidential-data-hub/{ => hub/src}/secret/tests/envelope-1.json (100%) rename confidential-data-hub/{ => hub/src}/secret/tests/envelope_secret_aliyun_config_sample/PrivateKmsCA_kst-bjj6____.pem (100%) rename confidential-data-hub/{ => hub/src}/secret/tests/envelope_secret_aliyun_config_sample/clientKey_KAAP.2bc4____.json (100%) rename confidential-data-hub/{ => hub/src}/secret/tests/envelope_secret_aliyun_config_sample/password_KAAP.2bc4____.json (100%) rename confidential-data-hub/{ => hub/src}/secret/tests/envelope_secret_ehsm_config_sample/credential_16f3____.json (100%) rename confidential-data-hub/{ => hub/src}/secret/tests/test_hsm_secrets.rs (100%) rename confidential-data-hub/{ => hub/src}/secret/tests/vault-1.json (100%) create mode 100644 confidential-data-hub/hub/src/secret/tests/vault-12json rename confidential-data-hub/{ => hub/src}/secret/tests/vault-2.json (100%) rename confidential-data-hub/{storage/src => hub/src/storage}/error.rs (96%) rename confidential-data-hub/{storage/src/lib.rs => hub/src/storage/mod.rs} (99%) rename confidential-data-hub/{ => hub/src}/storage/scripts/luks-encrypt-storage (100%) rename confidential-data-hub/{storage/src => hub/src/storage}/volume_type/aliyun/error.rs (100%) rename confidential-data-hub/{storage/src => hub/src/storage}/volume_type/aliyun/mod.rs (99%) rename confidential-data-hub/{storage/src => hub/src/storage}/volume_type/blockdevice/error.rs 
(100%) rename confidential-data-hub/{storage/src => hub/src/storage}/volume_type/blockdevice/luks/mod.rs (100%) rename confidential-data-hub/{storage/src => hub/src/storage}/volume_type/blockdevice/mod.rs (99%) rename confidential-data-hub/{storage/src => hub/src/storage}/volume_type/mod.rs (98%) delete mode 100644 confidential-data-hub/secret/Cargo.toml delete mode 100644 confidential-data-hub/secret/src/lib.rs delete mode 100644 confidential-data-hub/storage/Cargo.toml diff --git a/.github/workflows/cdh_basic.yml b/.github/workflows/cdh_basic.yml index 33a2e82a0..713ce9302 100644 --- a/.github/workflows/cdh_basic.yml +++ b/.github/workflows/cdh_basic.yml @@ -67,13 +67,13 @@ jobs: - name: Run cargo test run: | - sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p kms -p confidential-data-hub -p secret + sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p kms -p confidential-data-hub - name: Run cargo fmt check run: | - sudo -E PATH=$PATH -s cargo fmt -p kms -p confidential-data-hub -p secret -- --check + sudo -E PATH=$PATH -s cargo fmt -p kms -p confidential-data-hub -- --check - name: Run rust lint check run: | # We are getting error in generated code due to derive_partial_eq_without_eq check, so ignore it for now - sudo -E PATH=$PATH -s cargo clippy -p kms -p confidential-data-hub -p secret -- -D warnings -A clippy::derive-partial-eq-without-eq + sudo -E PATH=$PATH -s cargo clippy -p kms -p confidential-data-hub -- -D warnings -A clippy::derive-partial-eq-without-eq diff --git a/Cargo.lock b/Cargo.lock index 48c902eac..1cb1058f7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1085,6 +1085,7 @@ name = "confidential-data-hub" version = "0.1.0" dependencies = [ "anyhow", + "assert-json-diff", "assert_cmd", "async-trait", "attestation-agent", 
@@ -1101,13 +1102,13 @@ dependencies = [ "nix 0.29.0", "prost 0.13.3", "protobuf 3.5.1", + "rand", "resource_uri", "rstest", - "secret", "serde", "serde_json", "serial_test", - "storage", + "strum", "tempfile", "thiserror 2.0.3", "tokio", @@ -1115,6 +1116,7 @@ dependencies = [ "tonic-build", "ttrpc", "ttrpc-codegen", + "zeroize", ] [[package]] @@ -5574,29 +5576,6 @@ dependencies = [ "zeroize", ] -[[package]] -name = "secret" -version = "0.1.0" -dependencies = [ - "anyhow", - "assert-json-diff", - "assert_cmd", - "async-trait", - "base64 0.22.1", - "clap 4.2.7", - "crypto", - "kms", - "rand", - "rstest", - "serde", - "serde_json", - "strum", - "tempfile", - "thiserror 2.0.3", - "tokio", - "zeroize", -] - [[package]] name = "security-framework" version = "2.9.2" @@ -6112,26 +6091,6 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f" -[[package]] -name = "storage" -version = "0.1.0" -dependencies = [ - "anyhow", - "async-trait", - "base64 0.22.1", - "kms", - "log", - "rand", - "rstest", - "secret", - "serde", - "serde_json", - "strum", - "tempfile", - "thiserror 2.0.3", - "tokio", -] - [[package]] name = "string_cache" version = "0.8.7" diff --git a/Cargo.toml b/Cargo.toml index 95c5eda5c..4bec4e106 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -12,8 +12,6 @@ members = [ "attestation-agent/coco_keyprovider", "confidential-data-hub/hub", "confidential-data-hub/kms", - "confidential-data-hub/secret", - "confidential-data-hub/storage", "image-rs", "ocicrypt-rs", ] diff --git a/README.md b/README.md index 8c53655c2..7e707f61f 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ CoCo Keyprovider. Used to encrypt the container images. ## Tools -[secret-cli](confidential-data-hub/secret) +[secret-cli](confidential-data-hub/hub/src/bin/secret_cli.rs) Utility for sealing and unsealing sealed secrets [CDH Client](confidential-data-hub/hub/src/bin) 
diff --git a/api-server-rest/openapi/api.json b/api-server-rest/openapi/api.json index dd0caf465..0d2f3c3f8 100644 --- a/api-server-rest/openapi/api.json +++ b/api-server-rest/openapi/api.json @@ -1,5 +1,5 @@ { - "openapi": "3.0.3", + "openapi": "3.1.0", "info": { "title": "CoCo Restful API", "description": "HTTP based API for CoCo containers to get resource/evidence/token from confidential-data-hub and attestation-agent.", @@ -20,9 +20,7 @@ "paths": { "/aa/evidence": { "get": { - "tags": [ - "crate" - ], + "tags": [], "operationId": "_evidence", "parameters": [ { @@ -67,9 +65,7 @@ }, "/aa/token": { "get": { - "tags": [ - "crate" - ], + "tags": [], "operationId": "_token", "parameters": [ { @@ -114,9 +110,7 @@ }, "/cdh/resource/{repository}/{type}/{tag}": { "get": { - "tags": [ - "crate" - ], + "tags": [], "operationId": "_resource", "responses": { "200": { @@ -144,5 +138,6 @@ } } } - } + }, + "components": {} } \ No newline at end of file diff --git a/confidential-data-hub/docs/SEALED_SECRET.md b/confidential-data-hub/docs/SEALED_SECRET.md index 4793140f1..33351d423 100644 --- a/confidential-data-hub/docs/SEALED_SECRET.md +++ b/confidential-data-hub/docs/SEALED_SECRET.md @@ -10,8 +10,11 @@ in conjunction with an attestation. The Confidential Data Hub provides an API for unsealing secrets inside of a confidential guest. -There is also a [secret cli](../secret/src/bin) tool that can be used to generate sealed -secrets. +You can also use the secret cli tool to generate a sealed secret: + +```bash +cargo run -p confidential-data-hub --bin secret +``` ## Kubernetes Secrets @@ -173,7 +176,6 @@ Start with a sealed secret such as } } ``` -You can use the [secret cli](../secret/src/bin) tool to generate a sealed secret. Encode the payload in BASE64URL ``` diff --git a/confidential-data-hub/docs/SECURE_STORAGE.md b/confidential-data-hub/docs/SECURE_STORAGE.md index 83826f365..e9439ffab 100644 --- a/confidential-data-hub/docs/SECURE_STORAGE.md 
+++ b/confidential-data-hub/docs/SECURE_STORAGE.md @@ -17,7 +17,7 @@ We reuse [direct block device assigned volume feature](https://github.com/kata-c [Aliyun OSS](https://www.alibabacloud.com/product/object-storage-service) is an object storage service provided by Alibaba Cloud (Aliyun). -The [plugin](../storage/src/volume_type/aliyun) provides two different modes for secure mount. +The [plugin](../hub/src/storage/volume_type/aliyun) provides two different modes for secure mount. Confidential Data Hub's `secure_mount()` [API](../hub/protos/api.proto) will help to instrument this. @@ -65,7 +65,7 @@ For more details, please refer to [the guide](use-cases/secure-mount-with-aliyun ### Block Device -The [plugin](../storage/src/volume_type/blockdevice) provides ways to encrypt a block device and mount it to a specific mount point. Currently only support LUKS in [cryptsetup](https://gitlab.com/cryptsetup/cryptsetup/) for block device encryption. +The [plugin](../hub/src/storage/volume_type/blockdevice) provides ways to encrypt a block device and mount it to a specific mount point. Currently only support LUKS in [cryptsetup](https://gitlab.com/cryptsetup/cryptsetup/) for block device encryption. #### LUKS Encryption diff --git a/confidential-data-hub/docs/use-cases/secure-mount-with-block-device.md b/confidential-data-hub/docs/use-cases/secure-mount-with-block-device.md index ac626da08..5d48a993b 100644 --- a/confidential-data-hub/docs/use-cases/secure-mount-with-block-device.md +++ b/confidential-data-hub/docs/use-cases/secure-mount-with-block-device.md @@ -30,7 +30,7 @@ Follow the instructions in the [CDH README](../../README.md#confidential-data-hu 2. Install `luks-encrypt-storage` -Install [luks-encrypt-storage](../../storage/scripts/luks-encrypt-storage) into `/usr/local/bin` +Install [luks-encrypt-storage](../../hub/src/storage/scripts/luks-encrypt-storage) into `/usr/local/bin` 3. Run CDH ```shell 
@@ -74,4 +74,4 @@ $ lsblk |grep "encrypted_disk" # Expected output: └─encrypted_disk_OEyEj_dif 253:1 0 968.6M 0 crypt └─encrypted_disk_OEyEj 253:2 0 968.6M 0 crypt /mnt/test-path -``` \ No newline at end of file +``` diff --git a/confidential-data-hub/hub/Cargo.toml b/confidential-data-hub/hub/Cargo.toml index 43457b5bf..57fe37199 100644 --- a/confidential-data-hub/hub/Cargo.toml +++ b/confidential-data-hub/hub/Cargo.toml @@ -26,6 +26,11 @@ required-features = ["bin", "grpc"] name = "cdh-oneshot" required-features = ["bin"] +[[bin]] +name = "secret" +path = "src/bin/secret_cli.rs" +required-features = ["cli"] + [dependencies] anyhow = { workspace = true, optional = true } async-trait.workspace = true 
@@ -43,42 +48,50 @@ log.workspace = true
 prost = { workspace = true, optional = true }
 protobuf = { workspace = true, optional = true }
 resource_uri.path = "../../attestation-agent/deps/resource_uri"
-secret.path = "../secret"
-storage.path = "../storage"
+rand.workspace = true
 serde = { workspace = true, optional = true }
 serde_json.workspace = true
+strum = { workspace = true, features = ["derive"] }
+tempfile = { workspace = true, optional = true }
 thiserror.workspace = true
-tokio = { workspace = true, features = [ "rt-multi-thread", "macros", "sync" ] }
+tokio = { workspace = true, features = [ "fs", "macros", "io-util", "process", "rt-multi-thread", "sync" ] }
 tonic = { workspace = true, optional = true }
 ttrpc = { workspace = true, features = ["async"], optional = true }
+zeroize.workspace = true
 [build-dependencies]
+anyhow.workspace = true
 tonic-build = { workspace = true, optional = true }
 ttrpc-codegen = { workspace = true, optional = true }
 [dev-dependencies]
 assert_cmd.workspace = true
+assert-json-diff.workspace = true
 nix.workspace = true
 rstest.workspace = true
 serial_test.workspace = true
 tempfile.workspace = true
+tokio = { workspace = true, features = ["rt", "macros" ] }
 [features]
-default = ["kbs", "bin", "ttrpc", "grpc"]
+default = ["aliyun", "kbs", "bin", "ttrpc", "grpc", "cli"]
 # support aliyun stacks (KMS, ..)
-aliyun = ["secret/aliyun"]
+aliyun = ["tempfile"]
 # support coco-KBS to provide confidential resources
-kbs = ["kms/kbs", "secret/kbs"]
+kbs = ["kms/kbs"]
 # support sev to provide confidential resources
-sev = ["kms/sev", "secret/sev"]
+sev = ["kms/sev"]
 # support eHSM stacks (KMS, ...)
-ehsm = ["secret/ehsm"]
+ehsm = []
 # Binary RPC type
 bin = [ "anyhow", "attestation-agent", "cfg-if", "clap", "config", "env_logger", "serde" ]
 ttrpc = ["dep:ttrpc", "protobuf", "ttrpc-codegen", "tokio/signal"]
 grpc = ["prost", "tonic", "tonic-build", "tokio/signal"]
+ + # for secret_cli cli = ["clap/derive", "tokio/rt-multi-thread", "tokio/sync", "tokio/macros"]
diff --git a/confidential-data-hub/hub/src/api.rs b/confidential-data-hub/hub/src/api.rs
index 37f941443..77bf9d56c 100644
--- a/confidential-data-hub/hub/src/api.rs
+++ b/confidential-data-hub/hub/src/api.rs
@@ -5,8 +5,8 @@ use async_trait::async_trait;
+use crate::storage::volume_type::Storage;
 use crate::Result;
-use storage::volume_type::Storage;
 /// The APIs of the DataHub. See
 /// for
diff --git a/confidential-data-hub/hub/src/bin/cdh-oneshot.rs b/confidential-data-hub/hub/src/bin/cdh-oneshot.rs
index 58216b905..c1e1f9888 100644
--- a/confidential-data-hub/hub/src/bin/cdh-oneshot.rs
+++ b/confidential-data-hub/hub/src/bin/cdh-oneshot.rs
@@ -9,9 +9,8 @@ use base64::{engine::general_purpose::STANDARD, Engine};
 use clap::{Args, Parser, Subcommand};
-use confidential_data_hub::{hub::Hub, CdhConfig, DataHub};
+use confidential_data_hub::{hub::Hub, storage::volume_type::Storage, CdhConfig, DataHub};
 use log::warn;
-use storage::volume_type::Storage;
 #[derive(Parser)]
 #[command(name = "cdh_oneshot")]
diff --git a/confidential-data-hub/hub/src/bin/grpc-cdh-tool.rs b/confidential-data-hub/hub/src/bin/grpc-cdh-tool.rs
index 3d877876c..6b51efea0 100644
--- a/confidential-data-hub/hub/src/bin/grpc-cdh-tool.rs
+++ b/confidential-data-hub/hub/src/bin/grpc-cdh-tool.rs
@@ -16,7 +16,7 @@ use api::{
 };
 use base64::{engine::general_purpose::STANDARD, Engine};
 use clap::{Args, Parser, Subcommand};
-use storage::volume_type::Storage;
+use confidential_data_hub::storage::volume_type::Storage;
 mod api {
 tonic::include_proto!("api");
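Review bot: `aliyun = ["tempfile"]` and `ehsm = []` in the `[features]` table no longer reach the kms crate, whereas before this change `aliyun = ["secret/aliyun"]` and `ehsm = ["secret/ehsm"]` enabled `kms/aliyun` and `kms/ehsm` through the now-deleted secret crate. `src/bin/secret_cli.rs` still imports `kms::plugins::aliyun::AliyunKmsClient` and `kms::plugins::ehsm::EhsmKmsClient` under those cfg flags, so a standalone build with `--features aliyun` or `--features ehsm` presumably fails unless the hub's `kms` dependency line, which is outside this hunk, already enables them; CI's combined `cargo test --features kbs,aliyun,sev,bin -p kms -p confidential-data-hub` can hide this through feature unification. Suggested: `aliyun = ["kms/aliyun", "tempfile"]` and `ehsm = ["kms/ehsm"]`. The deleted storage crate's `aliyun` feature also enabled `tokio/time`, which the new `tokio` feature list does not carry over; worth checking that the aliyun mount code does not depend on it.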
diff --git a/confidential-data-hub/hub/src/bin/grpc_server/mod.rs b/confidential-data-hub/hub/src/bin/grpc_server/mod.rs
index 24b7fb1ea..497607e43 100644
--- a/confidential-data-hub/hub/src/bin/grpc_server/mod.rs
+++ b/confidential-data-hub/hub/src/bin/grpc_server/mod.rs
@@ -5,10 +5,12 @@ use anyhow::*;
-use confidential_data_hub::{hub::Hub, DataHub};
+use confidential_data_hub::{
+ storage::volume_type::Storage,
+ {hub::Hub, DataHub},
+};
 use log::{debug, error};
 use std::{error::Error as _, net::SocketAddr, sync::Arc};
-use storage::volume_type::Storage;
 use tonic::{transport::Server, Request, Response, Status};
 use crate::{
diff --git a/confidential-data-hub/secret/src/bin/secret_cli.rs b/confidential-data-hub/hub/src/bin/secret_cli.rs
similarity index 98%
rename from confidential-data-hub/secret/src/bin/secret_cli.rs
rename to confidential-data-hub/hub/src/bin/secret_cli.rs
index f50b8bd8e..52e1c3aac 100644
--- a/confidential-data-hub/secret/src/bin/secret_cli.rs
+++ b/confidential-data-hub/hub/src/bin/secret_cli.rs
@@ -7,6 +7,10 @@ use std::{env, path::Path};
 use base64::{engine::general_purpose::STANDARD, Engine};
 use clap::{command, Args, Parser, Subcommand};
+use confidential_data_hub::secret::{
+ layout::{envelope::EnvelopeSecret, vault::VaultSecret},
+ Secret, SecretContent, VERSION,
+};
 use crypto::WrapType;
 #[cfg(feature = "aliyun")]
 use kms::plugins::aliyun::AliyunKmsClient;
@@ -14,8 +18,6 @@ use kms::plugins::aliyun::AliyunKmsClient;
 use kms::plugins::ehsm::EhsmKmsClient;
 use kms::{Encrypter, ProviderSettings};
 use rand::Rng;
-use secret::secret::layout::{envelope::EnvelopeSecret, vault::VaultSecret};
-use secret::secret::{Secret, SecretContent, VERSION};
 #[cfg(feature = "ehsm")]
 use serde_json::Value;
 use tokio::{fs, io::AsyncWriteExt};
diff --git a/confidential-data-hub/hub/src/bin/ttrpc-cdh-tool.rs b/confidential-data-hub/hub/src/bin/ttrpc-cdh-tool.rs
index 6a7a67103..da72e2fce 100644
--- a/confidential-data-hub/hub/src/bin/ttrpc-cdh-tool.rs
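Review bot: The new `use confidential_data_hub::{ … }` in grpc_server/mod.rs nests an anonymous group, `{hub::Hub, DataHub}`, inside the outer use tree, which reads as a leftover of the mechanical edit rather than a deliberate grouping; ttrpc_server/mod.rs gets the same shape with `{hub::Hub, CdhConfig, DataHub}`. The flat form is the conventional one: `use confidential_data_hub::{hub::Hub, storage::volume_type::Storage, DataHub};` here and `use confidential_data_hub::{hub::Hub, storage::volume_type::Storage, CdhConfig, DataHub};` in the ttrpc server, matching how cdh-oneshot.rs already spells it in this commit.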
+++ b/confidential-data-hub/hub/src/bin/ttrpc-cdh-tool.rs
@@ -9,6 +9,7 @@ use base64::{engine::general_purpose::STANDARD, Engine};
 use clap::{Args, Parser, Subcommand};
+use confidential_data_hub::storage::volume_type::Storage;
 use protos::{
 api::*,
 api_ttrpc::{
@@ -18,7 +19,6 @@ use protos::{
 keyprovider::*,
 keyprovider_ttrpc::KeyProviderServiceClient,
 };
-use storage::volume_type::Storage;
 use ttrpc::context;
 mod protos;
diff --git a/confidential-data-hub/hub/src/bin/ttrpc_server/mod.rs b/confidential-data-hub/hub/src/bin/ttrpc_server/mod.rs
index 448c49323..671912061 100644
--- a/confidential-data-hub/hub/src/bin/ttrpc_server/mod.rs
+++ b/confidential-data-hub/hub/src/bin/ttrpc_server/mod.rs
@@ -7,9 +7,11 @@ use std::error::Error as _;
 use anyhow::Result;
 use async_trait::async_trait;
-use confidential_data_hub::{hub::Hub, CdhConfig, DataHub};
+use confidential_data_hub::{
+ storage::volume_type::Storage,
+ {hub::Hub, CdhConfig, DataHub},
+};
 use log::{debug, error};
-use storage::volume_type::Storage;
 use ttrpc::{asynchronous::TtrpcContext, Code, Error, Status};
 use crate::{
diff --git a/confidential-data-hub/hub/src/error.rs b/confidential-data-hub/hub/src/error.rs
index fee920e33..8b31eaff2 100644
--- a/confidential-data-hub/hub/src/error.rs
+++ b/confidential-data-hub/hub/src/error.rs
@@ -3,7 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //
-use crate::image;
+use crate::{image, secret, storage};
 use thiserror::Error;
 pub type Result = std::result::Result;
diff --git a/confidential-data-hub/hub/src/hub.rs b/confidential-data-hub/hub/src/hub.rs
index 18fc42b08..a850703e7 100644
--- a/confidential-data-hub/hub/src/hub.rs
+++ b/confidential-data-hub/hub/src/hub.rs
@@ -9,12 +9,13 @@ use async_trait::async_trait;
 use image_rs::{builder::ClientBuilder, config::ImageConfig, image::ImageClient};
 use kms::{Annotations, ProviderSettings};
 use log::{debug, info};
-use storage::volume_type::Storage;
 use tokio::sync::{Mutex, OnceCell};
-use crate::{image, CdhConfig, DataHub, Error, Result};
+use crate::storage::volume_type::Storage;
+use crate::{image, secret, CdhConfig, DataHub, Error, Result};
 pub struct Hub {
+ #[allow(dead_code)]
 pub(crate) credentials: HashMap,
 image_client: OnceCell>,
 config: CdhConfig,
diff --git a/confidential-data-hub/hub/src/lib.rs b/confidential-data-hub/hub/src/lib.rs
index 468abeff0..0118fb138 100644
--- a/confidential-data-hub/hub/src/lib.rs
+++ b/confidential-data-hub/hub/src/lib.rs
@@ -17,3 +17,5 @@ pub mod config;
 pub use config::*;
 pub mod image;
+pub mod secret;
+pub mod storage;
diff --git a/confidential-data-hub/secret/src/error.rs b/confidential-data-hub/hub/src/secret/error.rs
similarity index 100%
rename from confidential-data-hub/secret/src/error.rs
rename to confidential-data-hub/hub/src/secret/error.rs
diff --git a/confidential-data-hub/secret/src/secret/layout/envelope.rs b/confidential-data-hub/hub/src/secret/layout/envelope.rs
similarity index 100%
rename from confidential-data-hub/secret/src/secret/layout/envelope.rs
rename to confidential-data-hub/hub/src/secret/layout/envelope.rs
diff --git a/confidential-data-hub/secret/src/secret/layout/mod.rs b/confidential-data-hub/hub/src/secret/layout/mod.rs
similarity index 100%
rename from confidential-data-hub/secret/src/secret/layout/mod.rs
rename to confidential-data-hub/hub/src/secret/layout/mod.rs
diff --git a/confidential-data-hub/secret/src/secret/layout/vault.rs b/confidential-data-hub/hub/src/secret/layout/vault.rs
similarity index 97%
rename from confidential-data-hub/secret/src/secret/layout/vault.rs
rename to confidential-data-hub/hub/src/secret/layout/vault.rs
index 2b9d6962b..24bc60adc 100644
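Review bot: `#[allow(dead_code)]` is put on `Hub::credentials` without saying why a `pub(crate)` field became unread, so the next reader cannot tell whether this is a lint workaround for the module move or a field that lost its last use. A one-line justification next to the attribute, e.g. `// TODO(review): credentials is never read after the secret/storage move — confirm, then consume it or remove the field`, or removing the field if nothing else reads it, would be better than a bare allow. The `Hub` struct and the rest of hub.rs continue outside this hunk, so any remaining uses of `credentials` are not visible here.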
--- a/confidential-data-hub/secret/src/secret/layout/vault.rs
+++ b/confidential-data-hub/hub/src/secret/layout/vault.rs
@@ -3,11 +3,11 @@
 // SPDX-License-Identifier: Apache-2.0
 //
-use kms::ProviderSettings;
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
 pub use kms::Annotations;
+pub use kms::ProviderSettings;
 pub type Result = std::result::Result;
diff --git a/confidential-data-hub/secret/src/secret/mod.rs b/confidential-data-hub/hub/src/secret/mod.rs
similarity index 87%
rename from confidential-data-hub/secret/src/secret/mod.rs
rename to confidential-data-hub/hub/src/secret/mod.rs
index f1ad97cb4..e17ef0dbc 100644
--- a/confidential-data-hub/secret/src/secret/mod.rs
+++ b/confidential-data-hub/hub/src/secret/mod.rs
@@ -3,6 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //
+pub mod error;
 pub mod layout;
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD as b64, Engine};
@@ -10,7 +11,7 @@ use serde::{Deserialize, Serialize};
 use self::layout::{envelope::EnvelopeSecret, vault::VaultSecret};
-use crate::{Result, SecretError};
+pub use error::{Result, SecretError};
 #[derive(Serialize, Deserialize, PartialEq, Debug)]
 #[serde(tag = "type", rename_all = "lowercase")]
@@ -29,6 +30,14 @@ pub struct Secret {
 pub const VERSION: &str = "0.1.0";
+pub async fn unseal_secret(secret: &[u8]) -> Result> {
+ let secret_string = String::from_utf8(secret.to_vec())
+ .map_err(|_| SecretError::ParseFailed("Secret string must be UTF-8"))?;
+
+ let secret = Secret::from_signed_base64_string(secret_string)?;
+ secret.unseal().await
+}
+
 impl Secret {
 pub async fn unseal(&self) -> Result> {
 if self.version != VERSION {
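Review bot: `unseal_secret` arrives in secret/mod.rs without the doc comment it had in the deleted secret/src/lib.rs, and since it stays `pub` (now reachable as `confidential_data_hub::secret::unseal_secret`) the input contract should travel with it. Restore the two `///` lines from lib.rs, which spell out the expected `sealed`.`JWS header`.`JWS body (secret content)`.`signature` layout, directly above `pub async fn unseal_secret`. The `impl Secret` block that follows continues past the end of the hunk.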
@@ -81,15 +90,15 @@ mod tests {
 use crypto::WrapType;
 use rstest::rstest;
- use crate::{
- secret::layout::{envelope::EnvelopeSecret, vault::VaultSecret},
- Annotations, ProviderSettings,
+ use crate::secret::layout::{
+ envelope::EnvelopeSecret,
+ vault::{Annotations, ProviderSettings, VaultSecret},
 };
 use super::{Secret, SecretContent};
 #[rstest]
- #[case(include_str!("../../tests/envelope-1.json"), Secret {
+ #[case(include_str!("./tests/envelope-1.json"), Secret {
 version: "0.1.0".into(),
 r#type: SecretContent::Envelope(EnvelopeSecret {
 provider: "aliyun".into(),
@@ -102,7 +111,7 @@ mod tests {
 annotations: Annotations::default(),
 }),
 })]
- #[case(include_str!("../../tests/vault-1.json"), Secret {
+ #[case(include_str!("./tests/vault-1.json"), Secret {
 version: "0.1.0".into(),
 r#type: SecretContent::Vault(VaultSecret {
 provider: "aliyun".into(),
@@ -111,7 +120,7 @@ mod tests {
 name: "xxx".into(),
 }),
 })]
- #[case(include_str!("../../tests/vault-2.json"), Secret {
+ #[case(include_str!("./tests/vault-2.json"), Secret {
 version: "0.1.0".into(),
 r#type: SecretContent::Vault(VaultSecret {
 provider: "kbs".into(),
diff --git a/confidential-data-hub/secret/tests/envelope-1.json b/confidential-data-hub/hub/src/secret/tests/envelope-1.json
similarity index 100%
rename from confidential-data-hub/secret/tests/envelope-1.json
rename to confidential-data-hub/hub/src/secret/tests/envelope-1.json
diff --git a/confidential-data-hub/secret/tests/envelope_secret_aliyun_config_sample/PrivateKmsCA_kst-bjj6____.pem b/confidential-data-hub/hub/src/secret/tests/envelope_secret_aliyun_config_sample/PrivateKmsCA_kst-bjj6____.pem
similarity index 100%
rename from confidential-data-hub/secret/tests/envelope_secret_aliyun_config_sample/PrivateKmsCA_kst-bjj6____.pem
rename to confidential-data-hub/hub/src/secret/tests/envelope_secret_aliyun_config_sample/PrivateKmsCA_kst-bjj6____.pem
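Review bot: `tests/test_hsm_secrets.rs` is renamed from `secret/tests/`, where Cargo compiled it automatically as an integration test, to `hub/src/secret/tests/`, and nothing in this diff declares it as a module, so unless this `mod tests` block or code outside the diff adds `mod test_hsm_secrets;` (or a `#[path]` attribute) the file is no longer built and CI's `cargo test` passes without it. Declaring it inside this inline `mod tests { … }` would resolve to `secret/tests/test_hsm_secrets.rs`, but the file's imports presumably still use the old `secret::` crate paths and would need updating; moving it to `hub/tests/` instead keeps it an integration test. The JSON fixtures are unaffected, since they are reached through `include_str!("./tests/…")` here.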
diff --git a/confidential-data-hub/secret/tests/envelope_secret_aliyun_config_sample/clientKey_KAAP.2bc4____.json b/confidential-data-hub/hub/src/secret/tests/envelope_secret_aliyun_config_sample/clientKey_KAAP.2bc4____.json
similarity index 100%
rename from confidential-data-hub/secret/tests/envelope_secret_aliyun_config_sample/clientKey_KAAP.2bc4____.json
rename to confidential-data-hub/hub/src/secret/tests/envelope_secret_aliyun_config_sample/clientKey_KAAP.2bc4____.json
diff --git a/confidential-data-hub/secret/tests/envelope_secret_aliyun_config_sample/password_KAAP.2bc4____.json b/confidential-data-hub/hub/src/secret/tests/envelope_secret_aliyun_config_sample/password_KAAP.2bc4____.json
similarity index 100%
rename from confidential-data-hub/secret/tests/envelope_secret_aliyun_config_sample/password_KAAP.2bc4____.json
rename to confidential-data-hub/hub/src/secret/tests/envelope_secret_aliyun_config_sample/password_KAAP.2bc4____.json
diff --git a/confidential-data-hub/secret/tests/envelope_secret_ehsm_config_sample/credential_16f3____.json b/confidential-data-hub/hub/src/secret/tests/envelope_secret_ehsm_config_sample/credential_16f3____.json
similarity index 100%
rename from confidential-data-hub/secret/tests/envelope_secret_ehsm_config_sample/credential_16f3____.json
rename to confidential-data-hub/hub/src/secret/tests/envelope_secret_ehsm_config_sample/credential_16f3____.json
diff --git a/confidential-data-hub/secret/tests/test_hsm_secrets.rs b/confidential-data-hub/hub/src/secret/tests/test_hsm_secrets.rs
similarity index 100%
rename from confidential-data-hub/secret/tests/test_hsm_secrets.rs
rename to confidential-data-hub/hub/src/secret/tests/test_hsm_secrets.rs
diff --git a/confidential-data-hub/secret/tests/vault-1.json b/confidential-data-hub/hub/src/secret/tests/vault-1.json
similarity index 100%
rename from confidential-data-hub/secret/tests/vault-1.json
rename to confidential-data-hub/hub/src/secret/tests/vault-1.json
diff --git a/confidential-data-hub/hub/src/secret/tests/vault-12json b/confidential-data-hub/hub/src/secret/tests/vault-12json
new file mode 100644
index 000000000..e69de29bb
diff --git a/confidential-data-hub/secret/tests/vault-2.json b/confidential-data-hub/hub/src/secret/tests/vault-2.json
similarity index 100%
rename from confidential-data-hub/secret/tests/vault-2.json
rename to confidential-data-hub/hub/src/secret/tests/vault-2.json
diff --git a/confidential-data-hub/storage/src/error.rs b/confidential-data-hub/hub/src/storage/error.rs
similarity index 96%
rename from confidential-data-hub/storage/src/error.rs
rename to confidential-data-hub/hub/src/storage/error.rs
index 6693b4375..ef57cc3f1 100644
--- a/confidential-data-hub/storage/src/error.rs
+++ b/confidential-data-hub/hub/src/storage/error.rs
@@ -5,7 +5,7 @@ use thiserror::Error;
-use crate::volume_type;
+use super::volume_type;
 pub type Result = std::result::Result;
diff --git a/confidential-data-hub/storage/src/lib.rs b/confidential-data-hub/hub/src/storage/mod.rs
similarity index 99%
rename from confidential-data-hub/storage/src/lib.rs
rename to confidential-data-hub/hub/src/storage/mod.rs
index 391985321..964deed03 100644
--- a/confidential-data-hub/storage/src/lib.rs
+++ b/confidential-data-hub/hub/src/storage/mod.rs
@@ -4,6 +4,5 @@
 //
 pub mod error;
-pub mod volume_type;
-
 pub use error::*;
+pub mod volume_type;
diff --git a/confidential-data-hub/storage/scripts/luks-encrypt-storage b/confidential-data-hub/hub/src/storage/scripts/luks-encrypt-storage
similarity index 100%
rename from confidential-data-hub/storage/scripts/luks-encrypt-storage
rename to confidential-data-hub/hub/src/storage/scripts/luks-encrypt-storage
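Review bot: The added file `confidential-data-hub/hub/src/secret/tests/vault-12json` is empty (blob `e69de29bb`) and its name looks like a mistyped `vault-1.json`, which is renamed properly right after it; nothing in the diff references it. It should be dropped from the commit rather than land as a stray fixture.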
diff --git a/confidential-data-hub/storage/src/volume_type/aliyun/error.rs b/confidential-data-hub/hub/src/storage/volume_type/aliyun/error.rs
similarity index 100%
rename from confidential-data-hub/storage/src/volume_type/aliyun/error.rs
rename to confidential-data-hub/hub/src/storage/volume_type/aliyun/error.rs
diff --git a/confidential-data-hub/storage/src/volume_type/aliyun/mod.rs b/confidential-data-hub/hub/src/storage/volume_type/aliyun/mod.rs
similarity index 99%
rename from confidential-data-hub/storage/src/volume_type/aliyun/mod.rs
rename to confidential-data-hub/hub/src/storage/volume_type/aliyun/mod.rs
index e4b44547b..fd04229fb 100644
--- a/confidential-data-hub/storage/src/volume_type/aliyun/mod.rs
+++ b/confidential-data-hub/hub/src/storage/volume_type/aliyun/mod.rs
@@ -19,6 +19,7 @@ use tokio::{
 process::Command,
 };
+use crate::secret;
 use error::{AliyunError, Result};
 use super::SecureMount;
diff --git a/confidential-data-hub/storage/src/volume_type/blockdevice/error.rs b/confidential-data-hub/hub/src/storage/volume_type/blockdevice/error.rs
similarity index 100%
rename from confidential-data-hub/storage/src/volume_type/blockdevice/error.rs
rename to confidential-data-hub/hub/src/storage/volume_type/blockdevice/error.rs
diff --git a/confidential-data-hub/storage/src/volume_type/blockdevice/luks/mod.rs b/confidential-data-hub/hub/src/storage/volume_type/blockdevice/luks/mod.rs
similarity index 100%
rename from confidential-data-hub/storage/src/volume_type/blockdevice/luks/mod.rs
rename to confidential-data-hub/hub/src/storage/volume_type/blockdevice/luks/mod.rs
diff --git a/confidential-data-hub/storage/src/volume_type/blockdevice/mod.rs b/confidential-data-hub/hub/src/storage/volume_type/blockdevice/mod.rs
similarity index 99%
rename from confidential-data-hub/storage/src/volume_type/blockdevice/mod.rs
rename to confidential-data-hub/hub/src/storage/volume_type/blockdevice/mod.rs
index c8f14ccb0..27e76fd44 100644
--- a/confidential-data-hub/storage/src/volume_type/blockdevice/mod.rs
+++ b/confidential-data-hub/hub/src/storage/volume_type/blockdevice/mod.rs
@@ -6,6 +6,7 @@ pub mod error;
 pub mod luks;
 use super::SecureMount;
+use crate::secret;
 use async_trait::async_trait;
 use error::{BlockDeviceError, Result};
 use kms::{Annotations, ProviderSettings};
diff --git a/confidential-data-hub/storage/src/volume_type/mod.rs b/confidential-data-hub/hub/src/storage/volume_type/mod.rs
similarity index 98%
rename from confidential-data-hub/storage/src/volume_type/mod.rs
rename to confidential-data-hub/hub/src/storage/volume_type/mod.rs
index 76f27dc28..dc1e7a241 100644
--- a/confidential-data-hub/storage/src/volume_type/mod.rs
+++ b/confidential-data-hub/hub/src/storage/volume_type/mod.rs
@@ -8,7 +8,7 @@ pub mod aliyun;
 pub mod blockdevice;
 use std::{collections::HashMap, str::FromStr};
-use crate::Result;
+use super::error::Result;
 use async_trait::async_trait;
diff --git a/confidential-data-hub/secret/Cargo.toml b/confidential-data-hub/secret/Cargo.toml
deleted file mode 100644
index a0db9ad3a..000000000
--- a/confidential-data-hub/secret/Cargo.toml
+++ /dev/null
@@ -1,41 +0,0 @@
-[package]
-name = "secret"
-version = "0.1.0"
-authors = ["The Confidential Container Authors"]
-edition = "2021"
-
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
-[[bin]]
-name = "secret_cli"
-required-features = [ "cli" ]
-
-[dependencies]
-anyhow.workspace = true
-async-trait.workspace = true
-base64.workspace = true
-clap = { workspace = true, optional = true }
-crypto.path = "../../attestation-agent/deps/crypto"
-kms = { path = "../kms", default-features = false }
-rand = { workspace = true, optional = true }
-serde = "1"
-serde_json = "1"
-strum = { workspace = true, features = ["derive"] }
-thiserror.workspace = true
-tokio = { workspace = true, features = ["io-util"], optional = true }
-zeroize.workspace = true
-
-[dev-dependencies]
-assert_cmd = "2.0"
-assert-json-diff.workspace = true
-rstest.workspace = true
-tempfile.workspace = true
-
-[features]
-default = [ "cli" ]
-cli = ["clap/derive", "rand", "tokio/rt-multi-thread", "tokio/sync", "tokio/macros"]
-
-aliyun = ["kms/aliyun"]
-kbs = ["kms/kbs"]
-sev = ["kms/sev"]
-ehsm = ["kms/ehsm"]
diff --git a/confidential-data-hub/secret/src/lib.rs b/confidential-data-hub/secret/src/lib.rs
deleted file mode 100644
index 65896afec..000000000
--- a/confidential-data-hub/secret/src/lib.rs
+++ /dev/null
@@ -1,22 +0,0 @@
-// Copyright (c) 2023 Alibaba Cloud
-//
-// SPDX-License-Identifier: Apache-2.0
-//
-
-pub mod error;
-pub mod secret;
-
-use crate::secret::Secret;
-
-pub use error::*;
-pub use kms::{Annotations, ProviderSettings};
-
-/// The input sealed secret is in the following format
-/// `sealed`.`JWS header`.`JWS body (secret content)`.`signature`
-pub async fn unseal_secret(secret: &[u8]) -> Result> {
- let secret_string = String::from_utf8(secret.to_vec())
- .map_err(|_| SecretError::ParseFailed("Secret string must be UTF-8"))?;
-
- let secret = Secret::from_signed_base64_string(secret_string)?;
- secret.unseal().await
-}
diff --git a/confidential-data-hub/storage/Cargo.toml b/confidential-data-hub/storage/Cargo.toml
deleted file mode 100644
index 1289f7aef..000000000
--- a/confidential-data-hub/storage/Cargo.toml
+++ /dev/null
@@ -1,32 +0,0 @@
-[package]
-name = "storage"
-version = "0.1.0"
-edition = "2021"
-
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
-[dependencies]
-anyhow.workspace = true
-async-trait.workspace = true
-base64.workspace = true
-log.workspace = true
-kms = { path = "../kms", features = ["kbs"] }
-rand = { workspace = true, optional = true }
-secret = { path = "../secret" }
-serde.workspace = true
-serde_json.workspace = true
-strum = { workspace = true, features = ["derive"] }
-tempfile = { workspace = true, optional = true }
-thiserror.workspace = true
-tokio = { workspace = true, optional = true }
-
-[dev-dependencies]
-rstest.workspace = true
-tokio = { workspace = true, features = ["rt", "macros" ] }
-
-[build-dependencies]
-anyhow.workspace = true
-
-[features]
-default = ["aliyun"]
-aliyun = [ "rand", "tempfile", "tokio/fs", "tokio/process", "tokio/io-util", "tokio/time" ]