KBS | Refactoring the codebase / update config file format / bring in plugin mechanism #514

Open
wants to merge 13 commits into
base: main
4 changes: 3 additions & 1 deletion attestation-service/src/config.rs
Expand Up @@ -10,7 +10,7 @@ use thiserror::Error;
const AS_WORK_DIR: &str = "AS_WORK_DIR";
const DEFAULT_WORK_DIR: &str = "/opt/confidential-containers/attestation-service";

#[derive(Clone, Debug, Deserialize)]
#[derive(Clone, Debug, Deserialize, PartialEq)]
pub struct Config {
/// The location for Attestation Service to store data.
pub work_dir: PathBuf,
Expand All @@ -19,6 +19,7 @@ pub struct Config {
pub policy_engine: String,

/// Configurations for RVPS.
#[serde(default)]
pub rvps_config: RvpsConfig,

/// The Attestation Result Token Broker type.
Expand All @@ -28,6 +29,7 @@ pub struct Config {
pub attestation_token_broker: AttestationTokenBrokerType,

/// The Attestation Result Token Broker Config
#[serde(default)]
pub attestation_token_config: AttestationTokenConfig,
}

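Review bot: `#[serde(default)]` on `attestation_token_config` makes a missing or mistyped `attestation_token_config` section deserialize silently into the field-level defaults (`duration_min` = DEFAULT_TOKEN_TIMEOUT, `issuer_name` = COCO_AS_ISSUER_NAME, `signer` = None), which presumably means the broker signs tokens with a key it generates itself rather than the operator's configured signer; that fallback is security-relevant and should be stated on the field, e.g. `/// Optional; when omitted the built-in defaults apply (no configured signer).` The same attribute requires `AttestationTokenConfig: Default` and `RvpsConfig: Default`, and the derive lines visible in token/mod.rs and rvps/mod.rs do not include `Default`, so either a manual `impl Default` exists outside these hunks or this does not compile — worth confirming. The `Config` struct continues outside the hunk.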
6 changes: 3 additions & 3 deletions attestation-service/src/lib.rs
Expand Up @@ -6,9 +6,9 @@

pub mod config;
pub mod policy_engine;
mod rvps;
mod token;
mod utils;
pub mod rvps;
pub mod token;
pub mod utils;

use crate::token::AttestationTokenBroker;

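Review bot: `pub mod rvps`, `pub mod token` and `pub mod utils` turn crate-internal modules into public API without any module-level documentation; a one-line `//!` doc at the top of each now-public module saying what it exposes and who is expected to depend on it would help consumers, and `pub(crate)` is enough for anything only this crate itself needs. Whether a downstream crate needs all three is not visible in this hunk.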
6 changes: 4 additions & 2 deletions attestation-service/src/rvps/mod.rs
Expand Up @@ -5,7 +5,9 @@

use anyhow::Result;
use log::{info, warn};
use reference_value_provider_service::config::{Config as RvpsCrateConfig, DEFAULT_STORAGE_TYPE};
pub use reference_value_provider_service::config::{
Config as RvpsCrateConfig, DEFAULT_STORAGE_TYPE,
};
use serde::Deserialize;
use serde_json::{json, Value};
use thiserror::Error;
Expand Down Expand Up @@ -38,7 +40,7 @@ fn default_store_config() -> Value {
json!({})
}

#[derive(Deserialize, Clone, Debug)]
#[derive(Deserialize, Clone, Debug, PartialEq)]
pub struct RvpsConfig {
/// Address of remote RVPS. If this field is given, a remote RVPS will be connected to.
/// If this field is not given, a built-in RVPS will be used.
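Review bot: The `pub use` of `RvpsCrateConfig` and `DEFAULT_STORAGE_TYPE` makes the `reference_value_provider_service` crate's config type part of this crate's public API, so any breaking change to that type now surfaces to this crate's consumers; a short doc comment on the re-export, e.g. `/// Re-exported so callers can build a built-in RVPS config without depending on the RVPS crate directly.`, records that the coupling is intentional. `RvpsConfig` is defined past the end of the hunk.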
15 changes: 10 additions & 5 deletions attestation-service/src/token/mod.rs
Expand Up @@ -6,12 +6,12 @@
use anyhow::*;
use serde::Deserialize;
use serde_json::Value;
use simple::COCO_AS_ISSUER_NAME;
use strum::{Display, EnumString};

mod simple;

const DEFAULT_TOKEN_TIMEOUT: i64 = 5;
pub const COCO_AS_ISSUER_NAME: &str = "CoCo-Attestation-Service";
pub const DEFAULT_TOKEN_TIMEOUT: i64 = 5;

pub trait AttestationTokenBroker {
/// Issue an signed attestation token with custom claims.
Expand All @@ -23,7 +23,7 @@ pub trait AttestationTokenBroker {
fn pubkey_jwks(&self) -> Result<String>;
}

#[derive(Deserialize, Debug, Clone, EnumString, Display)]
#[derive(Deserialize, Debug, Clone, EnumString, Display, PartialEq)]
pub enum AttestationTokenBrokerType {
Simple,
}
Expand All @@ -42,9 +42,10 @@ impl AttestationTokenBrokerType {
}
}

#[derive(Deserialize, Debug, Clone)]
#[derive(Deserialize, Debug, Clone, PartialEq)]
pub struct AttestationTokenConfig {
/// The Attestation Result Token duration time(in minute)
#[serde(default = "default_duration_min")]
pub duration_min: i64,

#[serde(default = "default_issuer_name")]
Expand All @@ -53,11 +54,15 @@ pub struct AttestationTokenConfig {
pub signer: Option<TokenSignerConfig>,
}

fn default_duration_min() -> i64 {
DEFAULT_TOKEN_TIMEOUT
}

fn default_issuer_name() -> String {
COCO_AS_ISSUER_NAME.to_string()
}

#[derive(Deserialize, Debug, Clone)]
#[derive(Deserialize, Debug, Clone, PartialEq)]
pub struct TokenSignerConfig {
pub key_path: String,
pub cert_url: Option<String>,
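Review bot: `DEFAULT_TOKEN_TIMEOUT` and `COCO_AS_ISSUER_NAME` become `pub` without doc comments, and the timeout's unit is only discoverable from the `duration_min` field doc; add `/// Default attestation token lifetime, in minutes.` and `/// Default "iss" claim for tokens issued by this service.` above them. The new `#[serde(default = "default_duration_min")]` means a config that omits `duration_min` now yields a 5-minute token instead of a deserialization error, and because the field is `i64` a zero or negative lifetime is still accepted — if that is not intended, a deserialize-time range check would catch it. The `AttestationTokenConfig` struct definition spans beyond the visible hunk lines.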
3 changes: 1 addition & 2 deletions attestation-service/src/token/simple.rs
Expand Up @@ -18,7 +18,6 @@ use serde_json::{json, Value};

use crate::token::{AttestationTokenBroker, AttestationTokenConfig};

pub const COCO_AS_ISSUER_NAME: &str = "CoCo-Attestation-Service";
const RSA_KEY_BITS: u32 = 2048;
const SIMPLE_TOKEN_ALG: &str = "RS384";

Expand Down Expand Up @@ -92,6 +91,7 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker {
let header_value = json!({
"typ": "JWT",
"alg": SIMPLE_TOKEN_ALG,
"jwk": serde_json::from_str::<Value>(&self.pubkey_jwks()?)?["keys"][0].clone(),
});
let header_string = serde_json::to_string(&header_value)?;
let header_b64 = URL_SAFE_NO_PAD.encode(header_string.as_bytes());
Expand All @@ -109,7 +109,6 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker {
"iss": self.config.issuer_name.clone(),
"iat": now.unix_timestamp(),
"jti": id,
"jwk": serde_json::from_str::<Value>(&self.pubkey_jwks()?)?["keys"][0].clone(),
"nbf": now.unix_timestamp(),
"exp": exp.unix_timestamp(),
})
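Review bot: Moving `jwk` into the JOSE header embeds the signing public key in the token itself, and a verifier that uses the header's `jwk` as the key to check the signature is trusting a self-asserted key; the key must still be matched against a trusted set (the `pubkey_jwks` output or the configured `cert_url`) before the signature means anything, and a comment at the header construction should say so, e.g. `// "jwk" is advisory: verifiers must match it against a trusted key set, never verify with it directly.` Also, `serde_json::from_str::<Value>(&self.pubkey_jwks()?)?["keys"][0]` evaluates to `Value::Null` rather than an error when the JWKS has no `keys` array, so a malformed JWKS silently produces a header with `"jwk": null`; and the JWKS string is re-parsed on every token issued. The enclosing method of the `AttestationTokenBroker` impl starts and ends outside the hunk.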