diff --git a/.github/workflows/cdh_basic.yml b/.github/workflows/cdh_basic.yml
index 713ce9302..12c1ff37e 100644
--- a/.github/workflows/cdh_basic.yml
+++ b/.github/workflows/cdh_basic.yml
@@ -67,13 +67,13 @@ jobs:
 - name: Run cargo test
 run: |
- sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p kms -p confidential-data-hub
+ sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p confidential-data-hub
 - name: Run cargo fmt check
 run: |
- sudo -E PATH=$PATH -s cargo fmt -p kms -p confidential-data-hub -- --check
+ sudo -E PATH=$PATH -s cargo fmt -p confidential-data-hub -- --check
 - name: Run rust lint check
 run: |
 # We are getting error in generated code due to derive_partial_eq_without_eq check, so ignore it for now
- sudo -E PATH=$PATH -s cargo clippy -p kms -p confidential-data-hub -- -D warnings -A clippy::derive-partial-eq-without-eq
+ sudo -E PATH=$PATH -s cargo clippy -p confidential-data-hub -- -D warnings -A clippy::derive-partial-eq-without-eq
diff --git a/Cargo.lock b/Cargo.lock
index 1cb1058f7..8a8a3d462 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1090,32 +1090,46 @@ dependencies = [
 "async-trait",
 "attestation-agent",
 "base64 0.22.1",
+ "bincode",
 "cfg-if",
+ "chrono",
 "clap 4.2.7",
 "config",
+ "const_format",
 "crypto",
+ "ehsm_client",
 "env_logger 0.11.5",
+ "hex",
 "image-rs",
- "kms",
+ "kbs_protocol",
 "lazy_static",
 "log",
 "nix 0.29.0",
+ "p12",
 "prost 0.13.3",
 "protobuf 3.5.1",
 "rand",
+ "reqwest 0.12.9",
 "resource_uri",
+ "ring",
 "rstest",
 "serde",
 "serde_json",
 "serial_test",
+ "sev 0.1.0",
+ "sha2 0.10.8",
 "strum",
 "tempfile",
 "thiserror 2.0.3",
 "tokio",
+ "toml 0.8.19",
 "tonic",
 "tonic-build",
 "ttrpc",
 "ttrpc-codegen",
+ "url",
+ "uuid",
+ "yasna 0.5.2",
 "zeroize",
 ]
@@ -3302,46 +3316,6 @@ dependencies = [
 "zeroize",
 ]
-[[package]]
-name = "kms"
-version = "0.1.0"
-dependencies = [
- "anyhow",
- "async-trait",
- "attestation-agent",
- "base64 0.22.1",
- "bincode",
- "chrono",
- "const_format",
- "crypto",
- "ehsm_client",
- "hex",
- "kbs_protocol",
- "lazy_static",
- "log",
- "p12",
- "prost 0.13.3",
- "rand",
- "reqwest 0.12.9",
- "resource_uri",
- "ring",
- "rstest",
- "serde",
- "serde_json",
- "sev 0.1.0",
- "sha2 0.10.8",
- "strum",
- "thiserror 2.0.3",
- "tokio",
- "toml 0.8.19",
- "tonic",
- "tonic-build",
- "url",
- "uuid",
- "yasna 0.5.2",
- "zeroize",
-]
-
 [[package]]
 name = "krata-tokio-tar"
 version = "0.4.2"
diff --git a/Cargo.toml b/Cargo.toml
index 4bec4e106..8f7e0563e 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -11,7 +11,6 @@ members = [
 "attestation-agent/deps/sev",
 "attestation-agent/coco_keyprovider",
 "confidential-data-hub/hub",
- "confidential-data-hub/kms",
 "image-rs",
 "ocicrypt-rs",
 ]
diff --git a/confidential-data-hub/hub/Cargo.toml b/confidential-data-hub/hub/Cargo.toml
index 025e26918..89edc7f62 100644
--- a/confidential-data-hub/hub/Cargo.toml
+++ b/confidential-data-hub/hub/Cargo.toml
@@ -34,34 +34,48 @@ required-features = ["cli"]
 [dependencies]
 anyhow = { workspace = true, optional = true }
 async-trait.workspace = true
-attestation-agent = { path = "../../attestation-agent/attestation-agent", default-features = false, optional = true }
+attestation-agent = { path = "../../attestation-agent/attestation-agent", default-features = false }
 base64.workspace = true
+bincode = { workspace = true, optional = true }
 cfg-if = { workspace = true, optional = true }
+chrono = { workspace = true, optional = true }
 clap = { workspace = true, features = [ "derive" ], optional = true }
 config = { workspace = true, optional = true }
+const_format.workspace = true
 crypto.path = "../../attestation-agent/deps/crypto"
+ehsm_client = {git = "https://github.com/intel/ehsm", rev = "3454cac66b968a593c3edc43410c0b52416bbd3e", optional = true }
 env_logger = { workspace = true, optional = true }
+hex = { workspace = true, optional = true }
 image-rs = { path = "../../image-rs", default-features = false, features = ["kata-cc-rustls-tls"] }
-kms = { path = "../kms", default-features = false }
+kbs_protocol = { path = "../../attestation-agent/kbs_protocol", default-features = false, features = ["passport", "aa_token", "openssl"], optional = true }
 lazy_static.workspace = true
 log.workspace = true
+p12 = { version = "0.6.3", optional = true }
 prost = { workspace = true, optional = true }
 protobuf = { workspace = true, optional = true }
 rand.workspace = true
+reqwest = { workspace = true, optional = true }
 resource_uri.path = "../../attestation-agent/deps/resource_uri"
+ring = "0.17"
 serde = { workspace = true, optional = true }
 serde_json.workspace = true
+sev = { path = "../../attestation-agent/deps/sev", optional = true }
+sha2 = { workspace = true, optional = true }
 strum = { workspace = true, features = ["derive"] }
 tempfile = { workspace = true, optional = true }
 thiserror.workspace = true
 tokio = { workspace = true, features = [ "fs", "macros", "io-util", "process", "rt-multi-thread", "sync" ] }
+toml.workspace = true
 tonic = { workspace = true, optional = true }
 ttrpc = { workspace = true, features = ["async"], optional = true }
+url = { workspace = true, optional = true }
+uuid = { workspace = true, features = ["serde", "v4"], optional = true }
+yasna = { version = "0.5.2", optional = true }
 zeroize.workspace = true
 [build-dependencies]
 anyhow.workspace = true
-tonic-build = { workspace = true, optional = true }
+tonic-build.workspace = true
 ttrpc-codegen = { workspace = true, optional = true }
 [dev-dependencies]
@@ -77,21 +91,21 @@ tokio = { workspace = true, features = ["rt", "macros" ] }
 default = ["aliyun", "kbs", "bin", "ttrpc", "grpc", "cli"]
 # support aliyun stacks (KMS, ..)
-aliyun = ["tempfile"]
+aliyun = ["chrono", "hex", "p12", "prost", "reqwest/rustls-tls", "sha2", "tempfile", "tonic", "url", "yasna"]
 # support coco-KBS to provide confidential resources
-kbs = ["kms/kbs"]
+kbs = ["kbs_protocol"]
 # support sev to provide confidential resources
-sev = ["kms/sev"]
+sev = ["bincode", "dep:sev", "prost", "tonic", "uuid"]
 # support eHSM stacks (KMS, ...)
-ehsm = []
+ehsm = ["ehsm_client"]
 # Binary RPC type
-bin = [ "anyhow", "attestation-agent", "cfg-if", "clap", "config", "env_logger", "serde" ]
+bin = [ "anyhow", "cfg-if", "clap", "config", "env_logger", "serde" ]
 ttrpc = ["dep:ttrpc", "protobuf", "ttrpc-codegen", "tokio/signal"]
-grpc = ["prost", "tonic", "tonic-build", "tokio/signal"]
+grpc = ["prost", "tonic", "tokio/signal"]
 # for secret_cli
 cli = ["clap/derive", "tokio/rt-multi-thread", "tokio/sync", "tokio/macros"]
diff --git a/confidential-data-hub/hub/build.rs b/confidential-data-hub/hub/build.rs
index a87a5612a..b989a3843 100644
--- a/confidential-data-hub/hub/build.rs
+++ b/confidential-data-hub/hub/build.rs
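Review bot: `attestation-agent` turns from an optional, `bin`-gated dependency into an unconditional one on the `+attestation-agent = { path = "../../attestation-agent/attestation-agent", default-features = false }` line, so every consumer of the library now compiles it even under `--no-default-features`. The removed `kms` crate also listed it unconditionally, so this may be deliberate; if it is only needed by the kbs plugin that moved in, `optional = true` plus an entry in the `kbs` feature list would keep the non-kbs build leaner. Separately, `ring = "0.17"`, `p12 = { version = "0.6.3", ... }` and `yasna = { version = "0.5.2", ... }` carry literal versions while every sibling entry uses `workspace = true`; if the workspace table does not define them yet, moving them there keeps one version policy for the tree.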
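Review bot: `kbs = ["kbs_protocol"]` and `ehsm = ["ehsm_client"]` enable their optional dependencies through the implicit per-dependency features, whereas `sev = [..., "dep:sev", ...]` and `ttrpc = ["dep:ttrpc", ...]` in the same hunk use the explicit form; `kbs = ["dep:kbs_protocol"]` and `ehsm = ["dep:ehsm_client"]` would make the style uniform and stop `kbs_protocol`/`ehsm_client` from being selectable as public features of their own. Also, `serde` stays `optional = true` and is listed only under `bin`, yet the moved kms modules import it unconditionally (`use serde::Deserialize;` in the ecs_ram_role and sts_token clients); existing hub modules already did the same, so this is presumably masked by the default feature set, but a `cargo check --no-default-features --features kbs` job would confirm the non-default combinations still build.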
@@ -4,6 +4,19 @@
 //
 fn main() {
+ #[cfg(feature = "aliyun")]
+ tonic_build::compile_protos(
+ "./src/kms/plugins/aliyun/client/client_key_client/protobuf/dkms_api.proto",
+ )
+ .expect("Generate aliyun protocol code failed.");
+
+ #[cfg(feature = "sev")]
+ tonic_build::configure()
+ .build_server(true)
+ .out_dir("./src/kms/plugins/kbs/sev")
+ .compile_protos(&["./src/kms/plugins/kbs/sev/protos/getsecret.proto"], &[""])
+ .expect("Generate sev protocol code failed.");
+
 #[cfg(feature = "grpc")]
 {
 tonic_build::configure()
diff --git a/confidential-data-hub/hub/src/auth/kbs.rs b/confidential-data-hub/hub/src/auth/kbs.rs
index 32d2c0410..4eee1d711 100644
--- a/confidential-data-hub/hub/src/auth/kbs.rs
+++ b/confidential-data-hub/hub/src/auth/kbs.rs
@@ -8,10 +8,10 @@ use std::path::PathBuf;
-use kms::{plugins::kbs::KbcClient, Annotations, Getter};
 use log::debug;
 use tokio::fs;
+use crate::kms::{plugins::kbs::KbcClient, Annotations, Getter};
 use crate::{hub::Hub, Error, Result};
 /// This directory is used to store all the kbs resources get by CDH's init
diff --git a/confidential-data-hub/hub/src/bin/secret_cli.rs b/confidential-data-hub/hub/src/bin/secret_cli.rs
index 52e1c3aac..6aee93cf6 100644
--- a/confidential-data-hub/hub/src/bin/secret_cli.rs
+++ b/confidential-data-hub/hub/src/bin/secret_cli.rs
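Review bot: The new `sev` block writes its generated code into the source tree via `.out_dir("./src/kms/plugins/kbs/sev")`, while the `aliyun` block a few lines above leaves its output in `OUT_DIR`, and nothing in the hunk says why the two differ. The workflow's clippy allowance for "generated code" suggests the in-tree output is intentional, so a one-line comment above the sev block such as `// sev stubs are generated into src/ on purpose (the module is checked in) — keep in sync with the .proto` (adjusted to the real reason) would spare the next reader the question. The `.expect(...)` messages are fine for a build script. `main` continues past the end of the hunk.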
@@ -7,16 +7,17 @@ use std::{env, path::Path};
 use base64::{engine::general_purpose::STANDARD, Engine};
 use clap::{command, Args, Parser, Subcommand};
+#[cfg(feature = "aliyun")]
+use confidential_data_hub::kms::plugins::aliyun::AliyunKmsClient;
+#[cfg(feature = "ehsm")]
+use confidential_data_hub::kms::plugins::ehsm::EhsmKmsClient;
+use confidential_data_hub::kms::{Encrypter, ProviderSettings};
 use confidential_data_hub::secret::{
 layout::{envelope::EnvelopeSecret, vault::VaultSecret},
 Secret, SecretContent, VERSION,
 };
+
 use crypto::WrapType;
-#[cfg(feature = "aliyun")]
-use kms::plugins::aliyun::AliyunKmsClient;
-#[cfg(feature = "ehsm")]
-use kms::plugins::ehsm::EhsmKmsClient;
-use kms::{Encrypter, ProviderSettings};
 use rand::Rng;
 #[cfg(feature = "ehsm")]
 use serde_json::Value;
diff --git a/confidential-data-hub/hub/src/error.rs b/confidential-data-hub/hub/src/error.rs
index 8b31eaff2..f8b0f8f68 100644
--- a/confidential-data-hub/hub/src/error.rs
+++ b/confidential-data-hub/hub/src/error.rs
@@ -3,7 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //
-use crate::{image, secret, storage};
+use crate::{image, kms, secret, storage};
 use thiserror::Error;
 pub type Result = std::result::Result;
diff --git a/confidential-data-hub/hub/src/hub.rs b/confidential-data-hub/hub/src/hub.rs
index a850703e7..871874140 100644
--- a/confidential-data-hub/hub/src/hub.rs
+++ b/confidential-data-hub/hub/src/hub.rs
@@ -7,10 +7,11 @@ use std::{collections::HashMap, path::Path};
 use async_trait::async_trait;
 use image_rs::{builder::ClientBuilder, config::ImageConfig, image::ImageClient};
-use kms::{Annotations, ProviderSettings};
 use log::{debug, info};
 use tokio::sync::{Mutex, OnceCell};
+use crate::kms;
+use crate::kms::{Annotations, ProviderSettings};
 use crate::storage::volume_type::Storage;
 use crate::{image, secret, CdhConfig, DataHub, Error, Result};
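Review bot: The added empty `+` line between the `confidential_data_hub::secret::{ ... };` import and `use crypto::WrapType;` splits what was a single external-crate import group into two, and rustfmt sorts each blank-separated group on its own, so the remaining imports are no longer ordered as one block. Dropping that blank line restores the grouping the file had before the move; the surrounding import list continues outside the hunk.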
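Review bot: `use crate::kms;` immediately followed by `use crate::kms::{Annotations, ProviderSettings};` can be one statement, `use crate::kms::{self, Annotations, ProviderSettings};`, which reads more clearly and is the shape rustfmt's module-level import granularity produces. The same two-line split appears in image/annotation_packet/v2.rs, secret/layout/envelope.rs (where only the `pub use` line needs to stay separate) and storage/volume_type/blockdevice/mod.rs, and the aliyun client_key_client and client `mod.rs` hunks keep separate `use crate::kms::{...}` / `use crate::kms::{Error, Result};` lines that the ecs_ram_role_client hunk already merges into one. Settling on a single form across the commit is a small consistency win.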
diff --git a/confidential-data-hub/hub/src/image/annotation_packet/v1.rs b/confidential-data-hub/hub/src/image/annotation_packet/v1.rs
index 4af2f30cd..8670c26d5 100644
--- a/confidential-data-hub/hub/src/image/annotation_packet/v1.rs
+++ b/confidential-data-hub/hub/src/image/annotation_packet/v1.rs
@@ -7,6 +7,7 @@ use resource_uri::ResourceUri;
 use serde::{Deserialize, Serialize};
 use crate::image::{Error, Result};
+use crate::kms;
 /// `AnnotationPacket` is what a encrypted image layer's
 /// `org.opencontainers.image.enc.keys.provider.attestation-agent`
diff --git a/confidential-data-hub/hub/src/image/annotation_packet/v2.rs b/confidential-data-hub/hub/src/image/annotation_packet/v2.rs
index f745c0f15..12b66aad5 100644
--- a/confidential-data-hub/hub/src/image/annotation_packet/v2.rs
+++ b/confidential-data-hub/hub/src/image/annotation_packet/v2.rs
@@ -8,11 +8,12 @@ use anyhow::anyhow;
 use base64::{engine::general_purpose::STANDARD, Engine};
-use kms::{plugins::VaultProvider, Annotations, ProviderSettings};
 use serde::{Deserialize, Serialize};
 use serde_json::Map;
 use crate::image::{Error, Result};
+use crate::kms;
+use crate::kms::{plugins::VaultProvider, Annotations, ProviderSettings};
 pub const DEFAULT_VERSION: &str = "0.1.0";
diff --git a/confidential-data-hub/hub/src/image/error.rs b/confidential-data-hub/hub/src/image/error.rs
index 557be45f9..af6e3e8b2 100644
--- a/confidential-data-hub/hub/src/image/error.rs
+++ b/confidential-data-hub/hub/src/image/error.rs
@@ -5,6 +5,8 @@ use thiserror::Error;
+use crate::kms;
+
 pub type Result = std::result::Result;
 #[derive(Error, Debug)]
diff --git a/confidential-data-hub/kms/src/api.rs b/confidential-data-hub/hub/src/kms/api.rs
similarity index 99%
rename from confidential-data-hub/kms/src/api.rs
rename to confidential-data-hub/hub/src/kms/api.rs
index fec9f08cc..4a807f460 100644
--- a/confidential-data-hub/kms/src/api.rs
+++ b/confidential-data-hub/hub/src/kms/api.rs
@@ -29,7 +29,7 @@
 //! - `Decrypter` and `Getter` are used in-guest, while `Encrypter` and `Setter`
 //! are used userside. They do not need to be implemented by a same object.
-use crate::Result;
+use crate::kms::Result;
 use async_trait::async_trait;
 use serde_json::{Map, Value};
diff --git a/confidential-data-hub/kms/src/error.rs b/confidential-data-hub/hub/src/kms/error.rs
similarity index 100%
rename from confidential-data-hub/kms/src/error.rs
rename to confidential-data-hub/hub/src/kms/error.rs
diff --git a/confidential-data-hub/kms/src/lib.rs b/confidential-data-hub/hub/src/kms/mod.rs
similarity index 100%
rename from confidential-data-hub/kms/src/lib.rs
rename to confidential-data-hub/hub/src/kms/mod.rs
diff --git a/confidential-data-hub/kms/src/plugins/aliyun/annotations.rs b/confidential-data-hub/hub/src/kms/plugins/aliyun/annotations.rs
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/aliyun/annotations.rs
rename to confidential-data-hub/hub/src/kms/plugins/aliyun/annotations.rs
diff --git a/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/config.rs b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/config.rs
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/config.rs
rename to confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/config.rs
diff --git a/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/credential.rs b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/credential.rs
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/credential.rs
rename to confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/credential.rs
diff --git a/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem
rename to confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem
diff --git a/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/example_credential/clientKey_KAAP.f4c8____.json b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/clientKey_KAAP.f4c8____.json
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/example_credential/clientKey_KAAP.f4c8____.json
rename to confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/clientKey_KAAP.f4c8____.json
diff --git a/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/example_credential/password_KAAP.f4c8____.json b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/password_KAAP.f4c8____.json
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/example_credential/password_KAAP.f4c8____.json
rename to confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/password_KAAP.f4c8____.json
diff --git a/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/mod.rs b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/mod.rs
similarity index 99%
rename from confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/mod.rs
rename to confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/mod.rs
index c86db6e7f..aead70dab 100644
--- a/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/mod.rs
+++ b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/mod.rs
@@ -19,8 +19,8 @@ use tokio::fs;
 mod config;
 mod credential;
-use crate::{Annotations, Decrypter, Encrypter, ProviderSettings};
-use crate::{Error, Result};
+use crate::kms::{Annotations, Decrypter, Encrypter, ProviderSettings};
+use crate::kms::{Error, Result};
 use super::super::annotations::*;
 use super::ALIYUN_IN_GUEST_DEFAULT_KEY_PATH;
diff --git a/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/protobuf/dkms_api.proto b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/protobuf/dkms_api.proto
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/protobuf/dkms_api.proto
rename to confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/protobuf/dkms_api.proto
diff --git a/confidential-data-hub/kms/src/plugins/aliyun/client/ecs_ram_role_client/example_credential/ecsRamRole.json b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/ecs_ram_role_client/example_credential/ecsRamRole.json
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/aliyun/client/ecs_ram_role_client/example_credential/ecsRamRole.json
rename to confidential-data-hub/hub/src/kms/plugins/aliyun/client/ecs_ram_role_client/example_credential/ecsRamRole.json
diff --git a/confidential-data-hub/kms/src/plugins/aliyun/client/ecs_ram_role_client/mod.rs b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/ecs_ram_role_client/mod.rs
similarity index 98%
rename from confidential-data-hub/kms/src/plugins/aliyun/client/ecs_ram_role_client/mod.rs
rename to confidential-data-hub/hub/src/kms/plugins/aliyun/client/ecs_ram_role_client/mod.rs
index 376ffb6b0..322602d7a 100644
--- a/confidential-data-hub/kms/src/plugins/aliyun/client/ecs_ram_role_client/mod.rs
+++ b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/ecs_ram_role_client/mod.rs
@@ -11,8 +11,7 @@ use serde::Deserialize;
 use serde_json::Value;
 use tokio::fs;
-use crate::{Annotations, ProviderSettings};
-use crate::{Error, Result};
+use crate::kms::{Annotations, Error, ProviderSettings, Result};
 use super::sts_token_client::credential::StsCredential;
 use super::{sts_token_client::StsTokenClient, ALIYUN_IN_GUEST_DEFAULT_KEY_PATH};
diff --git a/confidential-data-hub/kms/src/plugins/aliyun/client/mod.rs b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/mod.rs
similarity index 98%
rename from confidential-data-hub/kms/src/plugins/aliyun/client/mod.rs
rename to confidential-data-hub/hub/src/kms/plugins/aliyun/client/mod.rs
index 419f456f1..bccce95d4 100644
--- a/confidential-data-hub/kms/src/plugins/aliyun/client/mod.rs
+++ b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/mod.rs
@@ -12,9 +12,9 @@ mod client_key_client;
 mod ecs_ram_role_client;
 mod sts_token_client;
-use crate::plugins::_IN_GUEST_DEFAULT_KEY_PATH;
-use crate::{Annotations, Decrypter, Encrypter, Getter, ProviderSettings};
-use crate::{Error, Result};
+use crate::kms::plugins::_IN_GUEST_DEFAULT_KEY_PATH;
+use crate::kms::{Annotations, Decrypter, Encrypter, Getter, ProviderSettings};
+use crate::kms::{Error, Result};
 use client_key_client::ClientKeyClient;
 use ecs_ram_role_client::EcsRamRoleClient;
diff --git a/confidential-data-hub/kms/src/plugins/aliyun/client/sts_token_client/credential.rs b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/sts_token_client/credential.rs
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/aliyun/client/sts_token_client/credential.rs
rename to confidential-data-hub/hub/src/kms/plugins/aliyun/client/sts_token_client/credential.rs
diff --git a/confidential-data-hub/kms/src/plugins/aliyun/client/sts_token_client/mod.rs b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/sts_token_client/mod.rs
similarity index 99%
rename from confidential-data-hub/kms/src/plugins/aliyun/client/sts_token_client/mod.rs
rename to confidential-data-hub/hub/src/kms/plugins/aliyun/client/sts_token_client/mod.rs
index 0216aa613..7ff595a00 100644
--- a/confidential-data-hub/kms/src/plugins/aliyun/client/sts_token_client/mod.rs
+++ b/confidential-data-hub/hub/src/kms/plugins/aliyun/client/sts_token_client/mod.rs
@@ -20,7 +20,7 @@ use serde::Deserialize;
 use serde_json::Value;
 use tokio::fs;
-use crate::{
+use crate::kms::{
 error::{Error, Result},
 plugins::aliyun::annotations::AliSecretAnnotations,
 Annotations, ProviderSettings,
diff --git a/confidential-data-hub/kms/src/plugins/aliyun/mod.rs b/confidential-data-hub/hub/src/kms/plugins/aliyun/mod.rs
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/aliyun/mod.rs
rename to confidential-data-hub/hub/src/kms/plugins/aliyun/mod.rs
diff --git a/confidential-data-hub/kms/src/plugins/ehsm/README.md b/confidential-data-hub/hub/src/kms/plugins/ehsm/README.md
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/ehsm/README.md
rename to confidential-data-hub/hub/src/kms/plugins/ehsm/README.md
diff --git a/confidential-data-hub/kms/src/plugins/ehsm/annotations.rs b/confidential-data-hub/hub/src/kms/plugins/ehsm/annotations.rs
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/ehsm/annotations.rs
rename to confidential-data-hub/hub/src/kms/plugins/ehsm/annotations.rs
diff --git a/confidential-data-hub/kms/src/plugins/ehsm/client.rs b/confidential-data-hub/hub/src/kms/plugins/ehsm/client.rs
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/ehsm/client.rs
rename to confidential-data-hub/hub/src/kms/plugins/ehsm/client.rs
diff --git a/confidential-data-hub/kms/src/plugins/ehsm/credential.rs b/confidential-data-hub/hub/src/kms/plugins/ehsm/credential.rs
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/ehsm/credential.rs
rename to confidential-data-hub/hub/src/kms/plugins/ehsm/credential.rs
diff --git a/confidential-data-hub/kms/src/plugins/ehsm/example_credential/credential.4eb1____.json b/confidential-data-hub/hub/src/kms/plugins/ehsm/example_credential/credential.4eb1____.json
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/ehsm/example_credential/credential.4eb1____.json
rename to confidential-data-hub/hub/src/kms/plugins/ehsm/example_credential/credential.4eb1____.json
diff --git a/confidential-data-hub/kms/src/plugins/ehsm/mod.rs b/confidential-data-hub/hub/src/kms/plugins/ehsm/mod.rs
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/ehsm/mod.rs
rename to confidential-data-hub/hub/src/kms/plugins/ehsm/mod.rs
diff --git a/confidential-data-hub/kms/src/plugins/kbs/cc_kbc.rs b/confidential-data-hub/hub/src/kms/plugins/kbs/cc_kbc.rs
similarity index 98%
rename from confidential-data-hub/kms/src/plugins/kbs/cc_kbc.rs
rename to confidential-data-hub/hub/src/kms/plugins/kbs/cc_kbc.rs
index 222edd03f..2e8e77052 100644
--- a/confidential-data-hub/kms/src/plugins/kbs/cc_kbc.rs
+++ b/confidential-data-hub/hub/src/kms/plugins/kbs/cc_kbc.rs
@@ -13,7 +13,7 @@ use kbs_protocol::{
 };
 use log::{info, warn};
-use crate::{Error, Result};
+use super::{Error, Result};
 use super::Kbc;
diff --git a/confidential-data-hub/kms/src/plugins/kbs/mod.rs b/confidential-data-hub/hub/src/kms/plugins/kbs/mod.rs
similarity index 98%
rename from confidential-data-hub/kms/src/plugins/kbs/mod.rs
rename to confidential-data-hub/hub/src/kms/plugins/kbs/mod.rs
index d3d0c17c1..f3c816350 100644
--- a/confidential-data-hub/kms/src/plugins/kbs/mod.rs
+++ b/confidential-data-hub/hub/src/kms/plugins/kbs/mod.rs
@@ -21,7 +21,7 @@ use lazy_static::lazy_static;
 pub use resource_uri::ResourceUri;
 use tokio::sync::Mutex;
-use crate::{Annotations, Error, Getter, Result};
+use crate::kms::{Annotations, Error, Getter, Result};
 enum RealClient {
 #[cfg(feature = "kbs")]
diff --git a/confidential-data-hub/kms/src/plugins/kbs/offline_fs.rs b/confidential-data-hub/hub/src/kms/plugins/kbs/offline_fs.rs
similarity index 96%
rename from confidential-data-hub/kms/src/plugins/kbs/offline_fs.rs
rename to confidential-data-hub/hub/src/kms/plugins/kbs/offline_fs.rs
index 6e7907908..e0d5316dc 100644
--- a/confidential-data-hub/kms/src/plugins/kbs/offline_fs.rs
+++ b/confidential-data-hub/hub/src/kms/plugins/kbs/offline_fs.rs
@@ -12,9 +12,8 @@ use log::warn;
 use resource_uri::ResourceUri;
 use tokio::fs;
-use crate::{Error, Result};
-
 use super::Kbc;
+use super::{Error, Result};
 const KEYS_PATH: &str = "/etc/aa-offline_fs_kbc-keys.json";
 const RESOURCES_PATH: &str = "/etc/aa-offline_fs_kbc-resources.json";
@@ -82,7 +81,7 @@ mod tests {
 use resource_uri::ResourceUri;
 use rstest::rstest;
- use crate::plugins::kbs::{offline_fs::OfflineFsKbc, Kbc};
+ use crate::kms::plugins::kbs::{offline_fs::OfflineFsKbc, Kbc};
 #[rstest]
 #[tokio::test]
diff --git a/confidential-data-hub/kms/src/plugins/kbs/sev/client.rs b/confidential-data-hub/hub/src/kms/plugins/kbs/sev/client.rs
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/kbs/sev/client.rs
rename to confidential-data-hub/hub/src/kms/plugins/kbs/sev/client.rs
diff --git a/confidential-data-hub/kms/src/plugins/kbs/sev/keybroker.rs b/confidential-data-hub/hub/src/kms/plugins/kbs/sev/keybroker.rs
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/kbs/sev/keybroker.rs
rename to confidential-data-hub/hub/src/kms/plugins/kbs/sev/keybroker.rs
diff --git a/confidential-data-hub/kms/src/plugins/kbs/sev/mod.rs b/confidential-data-hub/hub/src/kms/plugins/kbs/sev/mod.rs
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/kbs/sev/mod.rs
rename to confidential-data-hub/hub/src/kms/plugins/kbs/sev/mod.rs
diff --git a/confidential-data-hub/kms/src/plugins/kbs/sev/protos/getsecret.proto b/confidential-data-hub/hub/src/kms/plugins/kbs/sev/protos/getsecret.proto
similarity index 100%
rename from confidential-data-hub/kms/src/plugins/kbs/sev/protos/getsecret.proto
rename to confidential-data-hub/hub/src/kms/plugins/kbs/sev/protos/getsecret.proto
diff --git a/confidential-data-hub/kms/src/plugins/mod.rs b/confidential-data-hub/hub/src/kms/plugins/mod.rs
similarity index 97%
rename from confidential-data-hub/kms/src/plugins/mod.rs
rename to confidential-data-hub/hub/src/kms/plugins/mod.rs
index 280f59070..5f65badfb 100644
--- a/confidential-data-hub/kms/src/plugins/mod.rs
+++ b/confidential-data-hub/hub/src/kms/plugins/mod.rs
@@ -7,7 +7,7 @@ use std::str::FromStr;
 use strum::{AsRefStr, EnumString};
-use crate::{Decrypter, Error, Getter, ProviderSettings, Result};
+use super::{Decrypter, Error, Getter, ProviderSettings, Result};
 const _IN_GUEST_DEFAULT_KEY_PATH: &str = "/run/confidential-containers/cdh/kms-credential";
diff --git a/confidential-data-hub/hub/src/lib.rs b/confidential-data-hub/hub/src/lib.rs
index 0118fb138..62e829856 100644
--- a/confidential-data-hub/hub/src/lib.rs
+++ b/confidential-data-hub/hub/src/lib.rs
@@ -17,5 +17,6 @@ pub mod config;
 pub use config::*;
 pub mod image;
+pub mod kms;
 pub mod secret;
 pub mod storage;
diff --git a/confidential-data-hub/hub/src/secret/layout/envelope.rs b/confidential-data-hub/hub/src/secret/layout/envelope.rs
index 945fb4a17..0996aae58 100644
--- a/confidential-data-hub/hub/src/secret/layout/envelope.rs
+++ b/confidential-data-hub/hub/src/secret/layout/envelope.rs
@@ -3,15 +3,16 @@
 // SPDX-License-Identifier: Apache-2.0
 //
-pub use kms::Annotations;
-
 use base64::{engine::general_purpose::STANDARD, Engine};
 use crypto::WrapType;
-use kms::ProviderSettings;
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
 use zeroize::Zeroizing;
+use crate::kms;
+pub use crate::kms::Annotations;
+use crate::kms::ProviderSettings;
+
 pub type Result = std::result::Result;
 #[derive(Error, Debug)]
diff --git a/confidential-data-hub/hub/src/secret/layout/vault.rs b/confidential-data-hub/hub/src/secret/layout/vault.rs
index 24bc60adc..40e10fb60 100644
--- a/confidential-data-hub/hub/src/secret/layout/vault.rs
+++ b/confidential-data-hub/hub/src/secret/layout/vault.rs
@@ -6,8 +6,8 @@ use serde::{Deserialize, Serialize};
 use thiserror::Error;
-pub use kms::Annotations;
-pub use kms::ProviderSettings;
+use crate::kms;
+pub use crate::kms::{Annotations, ProviderSettings};
 pub type Result = std::result::Result;
diff --git a/confidential-data-hub/hub/src/storage/volume_type/blockdevice/mod.rs b/confidential-data-hub/hub/src/storage/volume_type/blockdevice/mod.rs
index 27e76fd44..f2203f793 100644
--- a/confidential-data-hub/hub/src/storage/volume_type/blockdevice/mod.rs
+++ b/confidential-data-hub/hub/src/storage/volume_type/blockdevice/mod.rs
@@ -6,15 +6,17 @@ pub mod error;
 pub mod luks;
 use super::SecureMount;
-use crate::secret;
 use async_trait::async_trait;
 use error::{BlockDeviceError, Result};
-use kms::{Annotations, ProviderSettings};
 use log::{debug, error};
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use strum::{Display, EnumString};
+use crate::kms;
+use crate::kms::{Annotations, ProviderSettings};
+use crate::secret;
+
 #[derive(EnumString, Serialize, Deserialize, Display, Debug, PartialEq, Eq)]
 pub enum BlockDeviceEncryptType {
 #[strum(serialize = "luks")]
diff --git a/confidential-data-hub/kms/Cargo.toml b/confidential-data-hub/kms/Cargo.toml
deleted file mode 100644
index 9f23e370c..000000000
--- a/confidential-data-hub/kms/Cargo.toml
+++ /dev/null
@@ -1,56 +0,0 @@
-[package]
-name = "kms"
-version = "0.1.0"
-authors = ["The Confidential Container Authors"]
-publish = false
-edition = "2021"
-
-[dependencies]
-anyhow.workspace = true
-async-trait.workspace = true
-attestation-agent = { path = "../../attestation-agent/attestation-agent", default-features = false }
-base64.workspace = true
-bincode = { workspace = true, optional = true }
-chrono = { workspace = true, optional = true }
-const_format.workspace = true
-crypto = { path = "../../attestation-agent/deps/crypto", optional = true }
-ehsm_client = {git = "https://github.com/intel/ehsm", rev = "3454cac66b968a593c3edc43410c0b52416bbd3e", optional = true }
-hex = { workspace = true, optional = true }
-kbs_protocol = { path = "../../attestation-agent/kbs_protocol", default-features = false, features = ["passport", "aa_token", "openssl"], optional = true }
-lazy_static.workspace = true
-log.workspace = true
-p12 = { version = "0.6.3", optional = true }
-prost = { workspace = true, optional = true }
-rand = { workspace = true, optional = true }
-reqwest = { workspace = true, optional = true }
-resource_uri = { path = "../../attestation-agent/deps/resource_uri" }
-ring = "0.17"
-sha2 = { workspace = true, optional = true }
-serde.workspace = true
-serde_json.workspace = true
-sev = { path = "../../attestation-agent/deps/sev", optional = true }
-strum.workspace = true
-thiserror.workspace = true
-tokio = { workspace = true, features = ["fs"] }
-toml.workspace = true
-tonic = { workspace = true, optional = true }
-url = { workspace = true, optional = true }
-uuid = { workspace = true, features = ["serde", "v4"], optional = true }
-yasna = { version = "0.5.2", optional = true }
-zeroize = { workspace = true, optional = true }
-
-[dev-dependencies]
-rstest.workspace = true
-tokio = { workspace = true, features = ["rt", "macros" ] }
-
-[build-dependencies]
-anyhow.workspace = true
-tonic-build.workspace = true
-
-[features]
-default = ["aliyun", "kbs"]
-
-aliyun = ["chrono", "hex", "p12", "prost", "rand", "reqwest/rustls-tls", "sha2", "tonic", "url", "yasna"]
-kbs = ["kbs_protocol"]
-ehsm = ["ehsm_client"]
-sev = ["bincode", "crypto", "dep:sev", "prost", "tonic", "uuid", "zeroize"]
diff --git a/confidential-data-hub/kms/build.rs b/confidential-data-hub/kms/build.rs
deleted file mode 100644
index 2ad98883c..000000000
--- a/confidential-data-hub/kms/build.rs
+++ /dev/null
@@ -1,20 +0,0 @@
-#![allow(missing_docs)]
-
-// extern crate tonic_build;
-
-use anyhow::*;
-
-fn main() -> Result<()> {
- #[cfg(feature = "aliyun")]
- tonic_build::compile_protos(
- "./src/plugins/aliyun/client/client_key_client/protobuf/dkms_api.proto",
- )?;
-
- #[cfg(feature = "sev")]
- tonic_build::configure()
- .build_server(true)
- .out_dir("./src/plugins/kbs/sev")
- .compile_protos(&["./src/plugins/kbs/sev/protos/getsecret.proto"], &[""])?;
-
- Ok(())
-}