cdh: move kms crate to cdh module

the kms crate is used exclusively by cdh, so we don't
need to maintain it as individua crate, which helps
with naming conflicts and reduces build complexity.

Signed-off-by: Magnus Kulke <[email protected]>

.github/workflows/cdh_basic.yml

@@ -67,13 +67,13 @@ jobs:
 
       - name: Run cargo test
         run: |
-          sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p kms -p confidential-data-hub
+          sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p confidential-data-hub
 
       - name: Run cargo fmt check
         run: |
-          sudo -E PATH=$PATH -s cargo fmt -p kms -p confidential-data-hub -- --check
+          sudo -E PATH=$PATH -s cargo fmt -p confidential-data-hub -- --check
 
       - name: Run rust lint check
         run: |
           # We are getting error in generated code due to derive_partial_eq_without_eq check, so ignore it for now
-          sudo -E PATH=$PATH -s cargo clippy -p kms -p confidential-data-hub -- -D warnings -A clippy::derive-partial-eq-without-eq 
+          sudo -E PATH=$PATH -s cargo clippy -p confidential-data-hub -- -D warnings -A clippy::derive-partial-eq-without-eq 

Cargo.toml

@@ -11,7 +11,6 @@ members = [
     "attestation-agent/deps/sev",
     "attestation-agent/coco_keyprovider",
     "confidential-data-hub/hub",
-    "confidential-data-hub/kms",
     "image-rs",
     "ocicrypt-rs",
 ]

confidential-data-hub/hub/Cargo.toml

@@ -34,34 +34,48 @@ required-features = ["cli"]
 [dependencies]
 anyhow = { workspace = true, optional = true }
 async-trait.workspace = true
-attestation-agent = { path = "../../attestation-agent/attestation-agent", default-features = false, optional = true }
+attestation-agent = { path = "../../attestation-agent/attestation-agent", default-features = false }
 base64.workspace = true
+bincode = { workspace = true, optional = true }
 cfg-if = { workspace = true, optional = true }
+chrono = { workspace = true, optional = true }
 clap = { workspace = true, features = [ "derive" ], optional = true }
 config = { workspace = true, optional = true }
+const_format.workspace = true
 crypto.path = "../../attestation-agent/deps/crypto"
+ehsm_client = {git = "https://github.com/intel/ehsm", rev = "3454cac66b968a593c3edc43410c0b52416bbd3e", optional = true }
 env_logger = { workspace = true, optional = true }
+hex = { workspace = true, optional = true }
 image-rs = { path = "../../image-rs", default-features = false, features = ["kata-cc-rustls-tls"] }
-kms = { path = "../kms", default-features = false }
+kbs_protocol = { path = "../../attestation-agent/kbs_protocol", default-features = false, features = ["passport", "aa_token", "openssl"], optional = true }
 lazy_static.workspace = true
 log.workspace = true
+p12 = { version = "0.6.3", optional = true }
 prost = { workspace = true, optional = true }
 protobuf = { workspace = true, optional = true }
 rand.workspace = true
+reqwest = { workspace = true, optional = true }
 resource_uri.path = "../../attestation-agent/deps/resource_uri"
+ring = "0.17"
 serde = { workspace = true, optional = true }
 serde_json.workspace = true
+sev = { path = "../../attestation-agent/deps/sev", optional = true }
+sha2 = { workspace = true, optional = true }
 strum = { workspace = true, features = ["derive"] }
 tempfile = { workspace = true, optional = true }
 thiserror.workspace = true
 tokio = { workspace = true, features = [ "fs", "macros", "io-util", "process", "rt-multi-thread", "sync" ] }
+toml.workspace = true
 tonic = { workspace = true, optional = true }
 ttrpc = { workspace = true, features = ["async"], optional = true }
+url = { workspace = true, optional = true }
+uuid = { workspace = true, features = ["serde", "v4"], optional = true }
+yasna = { version = "0.5.2", optional = true }
 zeroize.workspace = true
 
 [build-dependencies]
 anyhow.workspace = true
-tonic-build = { workspace = true, optional = true }
+tonic-build.workspace = true
 ttrpc-codegen = { workspace = true, optional = true }
 
 [dev-dependencies]
@@ -77,21 +91,21 @@ tokio = { workspace = true, features = ["rt", "macros" ] }
 default = ["aliyun", "kbs", "bin", "ttrpc", "grpc", "cli"]
 
 # support aliyun stacks (KMS, ..)
-aliyun = ["tempfile"]
+aliyun = ["chrono", "hex", "p12", "prost", "reqwest/rustls-tls", "sha2", "tempfile", "tonic", "url", "yasna"]
 
 # support coco-KBS to provide confidential resources
-kbs = ["kms/kbs"]
+kbs = ["kbs_protocol"]
 
 # support sev to provide confidential resources
-sev = ["kms/sev"]
+sev = ["bincode", "dep:sev", "prost", "tonic", "uuid"]
 
 # support eHSM stacks (KMS, ...)
-ehsm = []
+ehsm = ["ehsm_client"]
 
 # Binary RPC type
-bin = [ "anyhow", "attestation-agent", "cfg-if", "clap", "config", "env_logger", "serde" ]
+bin = [ "anyhow", "cfg-if", "clap", "config", "env_logger", "serde" ]
 ttrpc = ["dep:ttrpc", "protobuf", "ttrpc-codegen", "tokio/signal"]
-grpc = ["prost", "tonic", "tonic-build", "tokio/signal"]
+grpc = ["prost", "tonic", "tokio/signal"]
 
 # for secret_cli
 cli = ["clap/derive", "tokio/rt-multi-thread", "tokio/sync", "tokio/macros"]

confidential-data-hub/hub/build.rs

@@ -4,6 +4,19 @@
 //
 
 fn main() {
+    #[cfg(feature = "aliyun")]
+    tonic_build::compile_protos(
+        "./src/kms/plugins/aliyun/client/client_key_client/protobuf/dkms_api.proto",
+    )
+    .expect("Generate aliyun protocol code failed.");
+
+    #[cfg(feature = "sev")]
+    tonic_build::configure()
+        .build_server(true)
+        .out_dir("./src/kms/plugins/kbs/sev")
+        .compile_protos(&["./src/kms/plugins/kbs/sev/protos/getsecret.proto"], &[""])
+        .expect("Generate sev protocol code failed.");
+
     #[cfg(feature = "grpc")]
     {
         tonic_build::configure()

confidential-data-hub/hub/src/auth/kbs.rs

@@ -8,10 +8,10 @@
 
 use std::path::PathBuf;
 
-use kms::{plugins::kbs::KbcClient, Annotations, Getter};
 use log::debug;
 use tokio::fs;
 
+use crate::kms::{plugins::kbs::KbcClient, Annotations, Getter};
 use crate::{hub::Hub, Error, Result};
 
 /// This directory is used to store all the kbs resources get by CDH's init

confidential-data-hub/hub/src/bin/secret_cli.rs

@@ -7,16 +7,17 @@ use std::{env, path::Path};
 
 use base64::{engine::general_purpose::STANDARD, Engine};
 use clap::{command, Args, Parser, Subcommand};
+#[cfg(feature = "aliyun")]
+use confidential_data_hub::kms::plugins::aliyun::AliyunKmsClient;
+#[cfg(feature = "ehsm")]
+use confidential_data_hub::kms::plugins::ehsm::EhsmKmsClient;
+use confidential_data_hub::kms::{Encrypter, ProviderSettings};
 use confidential_data_hub::secret::{
     layout::{envelope::EnvelopeSecret, vault::VaultSecret},
     Secret, SecretContent, VERSION,
 };
+
 use crypto::WrapType;
-#[cfg(feature = "aliyun")]
-use kms::plugins::aliyun::AliyunKmsClient;
-#[cfg(feature = "ehsm")]
-use kms::plugins::ehsm::EhsmKmsClient;
-use kms::{Encrypter, ProviderSettings};
 use rand::Rng;
 #[cfg(feature = "ehsm")]
 use serde_json::Value;

confidential-data-hub/hub/src/error.rs

@@ -3,7 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
-use crate::{image, secret, storage};
+use crate::{image, kms, secret, storage};
 use thiserror::Error;
 
 pub type Result<T> = std::result::Result<T, Error>;

confidential-data-hub/hub/src/hub.rs

@@ -7,10 +7,11 @@ use std::{collections::HashMap, path::Path};
 
 use async_trait::async_trait;
 use image_rs::{builder::ClientBuilder, config::ImageConfig, image::ImageClient};
-use kms::{Annotations, ProviderSettings};
 use log::{debug, info};
 use tokio::sync::{Mutex, OnceCell};
 
+use crate::kms;
+use crate::kms::{Annotations, ProviderSettings};
 use crate::storage::volume_type::Storage;
 use crate::{image, secret, CdhConfig, DataHub, Error, Result};
 

confidential-data-hub/hub/src/image/annotation_packet/v1.rs

@@ -7,6 +7,7 @@ use resource_uri::ResourceUri;
 use serde::{Deserialize, Serialize};
 
 use crate::image::{Error, Result};
+use crate::kms;
 
 /// `AnnotationPacket` is what a encrypted image layer's
 /// `org.opencontainers.image.enc.keys.provider.attestation-agent`

confidential-data-hub/hub/src/image/annotation_packet/v2.rs

@@ -8,11 +8,12 @@
 
 use anyhow::anyhow;
 use base64::{engine::general_purpose::STANDARD, Engine};
-use kms::{plugins::VaultProvider, Annotations, ProviderSettings};
 use serde::{Deserialize, Serialize};
 use serde_json::Map;
 
 use crate::image::{Error, Result};
+use crate::kms;
+use crate::kms::{plugins::VaultProvider, Annotations, ProviderSettings};
 
 pub const DEFAULT_VERSION: &str = "0.1.0";
 

confidential-data-hub/hub/src/image/error.rs

@@ -5,6 +5,8 @@
 
 use thiserror::Error;
 
+use crate::kms;
+
 pub type Result<T> = std::result::Result<T, Error>;
 
 #[derive(Error, Debug)]

confidential-data-hub/kms/src/api.rs → confidential-data-hub/hub/src/kms/api.rs

@@ -29,7 +29,7 @@
 //! - `Decrypter` and `Getter` are used in-guest, while `Encrypter` and `Setter`
 //!   are used userside. They do not need to be implemented by a same object.
 
-use crate::Result;
+use crate::kms::Result;
 
 use async_trait::async_trait;
 use serde_json::{Map, Value};

confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/mod.rs → confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/mod.rs

@@ -19,8 +19,8 @@ use tokio::fs;
 mod config;
 mod credential;
 
-use crate::{Annotations, Decrypter, Encrypter, ProviderSettings};
-use crate::{Error, Result};
+use crate::kms::{Annotations, Decrypter, Encrypter, ProviderSettings};
+use crate::kms::{Error, Result};
 
 use super::super::annotations::*;
 use super::ALIYUN_IN_GUEST_DEFAULT_KEY_PATH;

confidential-data-hub/kms/src/plugins/aliyun/client/ecs_ram_role_client/mod.rs → confidential-data-hub/hub/src/kms/plugins/aliyun/client/ecs_ram_role_client/mod.rs

@@ -11,8 +11,7 @@ use serde::Deserialize;
 use serde_json::Value;
 use tokio::fs;
 
-use crate::{Annotations, ProviderSettings};
-use crate::{Error, Result};
+use crate::kms::{Annotations, Error, ProviderSettings, Result};
 
 use super::sts_token_client::credential::StsCredential;
 use super::{sts_token_client::StsTokenClient, ALIYUN_IN_GUEST_DEFAULT_KEY_PATH};

confidential-data-hub/kms/src/plugins/aliyun/client/mod.rs → confidential-data-hub/hub/src/kms/plugins/aliyun/client/mod.rs

@@ -12,9 +12,9 @@ mod client_key_client;
 mod ecs_ram_role_client;
 mod sts_token_client;
 
-use crate::plugins::_IN_GUEST_DEFAULT_KEY_PATH;
-use crate::{Annotations, Decrypter, Encrypter, Getter, ProviderSettings};
-use crate::{Error, Result};
+use crate::kms::plugins::_IN_GUEST_DEFAULT_KEY_PATH;
+use crate::kms::{Annotations, Decrypter, Encrypter, Getter, ProviderSettings};
+use crate::kms::{Error, Result};
 
 use client_key_client::ClientKeyClient;
 use ecs_ram_role_client::EcsRamRoleClient;

confidential-data-hub/kms/src/plugins/aliyun/client/sts_token_client/mod.rs → confidential-data-hub/hub/src/kms/plugins/aliyun/client/sts_token_client/mod.rs

@@ -20,7 +20,7 @@ use serde::Deserialize;
 use serde_json::Value;
 use tokio::fs;
 
-use crate::{
+use crate::kms::{
     error::{Error, Result},
     plugins::aliyun::annotations::AliSecretAnnotations,
     Annotations, ProviderSettings,

confidential-data-hub/kms/src/plugins/kbs/cc_kbc.rs → confidential-data-hub/hub/src/kms/plugins/kbs/cc_kbc.rs

@@ -13,7 +13,7 @@ use kbs_protocol::{
 };
 use log::{info, warn};
 
-use crate::{Error, Result};
+use super::{Error, Result};
 
 use super::Kbc;
 

confidential-data-hub/kms/src/plugins/kbs/mod.rs → confidential-data-hub/hub/src/kms/plugins/kbs/mod.rs

@@ -21,7 +21,7 @@ use lazy_static::lazy_static;
 pub use resource_uri::ResourceUri;
 use tokio::sync::Mutex;
 
-use crate::{Annotations, Error, Getter, Result};
+use crate::kms::{Annotations, Error, Getter, Result};
 
 enum RealClient {
     #[cfg(feature = "kbs")]

confidential-data-hub/kms/src/plugins/kbs/offline_fs.rs → confidential-data-hub/hub/src/kms/plugins/kbs/offline_fs.rs

@@ -12,9 +12,8 @@ use log::warn;
 use resource_uri::ResourceUri;
 use tokio::fs;
 
-use crate::{Error, Result};
-
 use super::Kbc;
+use super::{Error, Result};
 
 const KEYS_PATH: &str = "/etc/aa-offline_fs_kbc-keys.json";
 const RESOURCES_PATH: &str = "/etc/aa-offline_fs_kbc-resources.json";
@@ -82,7 +81,7 @@ mod tests {
     use resource_uri::ResourceUri;
     use rstest::rstest;
 
-    use crate::plugins::kbs::{offline_fs::OfflineFsKbc, Kbc};
+    use crate::kms::plugins::kbs::{offline_fs::OfflineFsKbc, Kbc};
 
     #[rstest]
     #[tokio::test]