KBS | Refactoring the codebase / update config file format / bring in plugin mechanism #514
base: main
Commits on Sep 27, 2024
-
KBS: refactor attestation module
This refactoring combines all RCAR (attestation) related code into one module. This would help with better modularization and error handling.
Signed-off-by: Xynnn007 <[email protected]>
Commit ff2e518
-
KBS: combine CoCo Token and Jwk Token verifier
Actually, the ITA token and CoCo Token are both JWTs. They both need a JWK to verify the JWT. The difference is the way to gather the JWK. This commit combines the two pieces of logic, and adds two ways to get the JWK:
1. From the configured JwkSet when launching KBS
2. From the JWT's Header's jwk field.
The two ways will check the jwk endorsement in different ways. The first way is to configure the trusted JwkSet from the config. The second way is to configure the trusted CA in config, then get the public key cert chain from the Jwk's x5c field. Both ways are also supported in this patch.
Rust does not provide a mature crate to verify cert chain, thus openssl is used in this patch. We also abandon the rustls and openssl features of KBS because openssl is used by default. Then we use openssl by default to make the code base simpler.
Signed-off-by: Xynnn007 <[email protected]>
Commit 542f64c
Commits on Sep 28, 2024
-
KBS: refactor policy engine module
This commit does some refactoring of the policy engine module, including:
1. Change ResourcePolicyError to PolicyEngineError. This is because in the future, different client plugins would share the same policy engine, thus the new name will match better.
2. Add a new `set_policy` API for PolicyEngine. This API will handle SetPolicyInput format requests rather than the plaintext of the policy. This would help to integrate into the KBS server.
The plugin mechanism is enabled by default, thus we delete the `opa` and `policy` features. By default integrate the `regorus` crate for policy.
Signed-off-by: Xynnn007 <[email protected]>
Commit a271f53
-
This module brings all admin authentication logic together. Currently it allows using a public key to verify the admin access.
Signed-off-by: Xynnn007 <[email protected]>
Commit 4d89589
-
The resource module brings all resource storage logic together and thus helps modularization. Also, it changes both `read_secret_resource` and `write_secret_resource` to Fn rather than FnMut. This leaves the synchronization handling to concrete underlying plugins, thus promoting performance because we can avoid a global Mutex.
Signed-off-by: Xynnn007 <[email protected]>
Commit a6cf383
-
The Plugins module could provide a plugin way for developers to extend the ability of KBS client APIs. This also provides a Sample implementation as an example.
Signed-off-by: Xynnn007 <[email protected]>
Commit 9f08369
-
This is mostly a refactoring patch for KBS. It brings API serving into one function, and will perform different sub-functions depending on the requested plugin name. This also changes all configuration codes to have a default value.
This patch would have some compatibility issues as it changes the old configuration format. The old configuration format is not well classified. This patch tidies the configuration items.
Signed-off-by: Xynnn007 <[email protected]>
Commit 1d2af16
-
KBS: fix CI and example configurations
This patch fixes example configurations of KBS inside this codebase. Also, it fixes the CI test.
Signed-off-by: Xynnn007 <[email protected]>
Commit 8e83068
-
AS: reorder the dep in lexicographic order
Signed-off-by: Xynnn007 <[email protected]>
Commit 823cc81
-
KBS: change default feature to all backend AS and resource
Now the KBS could be built with support for all backend ASes and enable one of them at runtime according to the configuration file.
Signed-off-by: Xynnn007 <[email protected]>
Commit 82f4118
-
KBS: move all admin APIs under /kbs/v0/admin
Signed-off-by: Xynnn007 <[email protected]>
Commit db46ea2
Commits on Oct 8, 2024
-
Commit bc176e4
-
KBS: abandon admin API and make resource a plugin
Signed-off-by: Xynnn007 <[email protected]>
Commit c058c6a