diff --git a/.gitignore b/.gitignore index 424aa52b2..4c37f911c 100644 --- a/.gitignore +++ b/.gitignore @@ -6,4 +6,5 @@ image-rs/scripts/attestation-agent confidential-data-hub/kms/src/plugins/aliyun/example_credential/ confidential-data-hub/secret/tests/envelope_secret_aliyun_config/ confidential-data-hub/secret/tests/envelope_secret_ehsm_config/ -shell.nix \ No newline at end of file +shell.nix +*.swp diff --git a/Cargo.lock b/Cargo.lock index 4613bc94e..61b4568c1 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -17,6 +17,12 @@ version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" +[[package]] +name = "adler2" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627" + [[package]] name = "aead" version = "0.5.2" @@ -114,15 +120,16 @@ dependencies = [ [[package]] name = "anstream" -version = "0.6.13" +version = "0.6.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d96bd03f33fe50a863e394ee9718a706f988b9079b20c3784fb726e7678b62fb" +checksum = "64e15c1ab1f89faffbf04a634d5e1962e9074f2741eef6d97f3c4e322426d526" dependencies = [ "anstyle", "anstyle-parse", "anstyle-query", - "anstyle-wincon 3.0.2", + "anstyle-wincon 3.0.4", "colorchoice", + "is_terminal_polyfill", "utf8parse", ] @@ -162,9 +169,9 @@ dependencies = [ [[package]] name = "anstyle-wincon" -version = "3.0.2" +version = "3.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1cd54b81ec8d6180e24654d0b371ad22fc3dd083b6ff8ba325b72e00c87660a7" +checksum = "5bf74e1b6e971609db8ca7a9ce79fd5768ab6ae46441c572e46cf596f59e57f8" dependencies = [ "anstyle", "windows-sys 0.52.0", @@ -172,9 +179,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.80" +version = "1.0.86" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5ad32ce52e4161730f7098c077cd2ed6229b5804ccf99e5366be1ab72a98b4e1" +checksum = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da" [[package]] name = "api-server-rest" @@ -185,7 +192,7 @@ dependencies = [ "clap 4.2.7", "form_urlencoded", "hyper 0.14.28", - "protobuf 3.5.0", + "protobuf 3.5.1", "serde_json", "tokio", "ttrpc", @@ -232,13 +239,14 @@ dependencies = [ [[package]] name = "assert_cmd" -version = "2.0.15" +version = "2.0.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc65048dd435533bb1baf2ed9956b9a278fbfdcf90301b39ee117f06c0199d37" +checksum = "dc1835b7f27878de8525dc71410b5a31cdcc5f230aed5ba5df968e09c201b23d" dependencies = [ "anstyle", "bstr", "doc-comment", + "libc", "predicates", "predicates-core", "predicates-tree", @@ -247,9 +255,9 @@ dependencies = [ [[package]] name = "async-compression" -version = "0.4.10" +version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c90a406b4495d129f00461241616194cb8a032c8d1c53c657f0961d5f8e0498" +checksum = "fec134f64e2bc57411226dfc4e52dec859ddfc7e711fc5e07b612584f000e4aa" dependencies = [ "flate2", "futures-core", @@ -257,15 +265,15 @@ dependencies = [ "memchr", "pin-project-lite", "tokio", - "zstd 0.13.1", - "zstd-safe 7.1.0", + "zstd 0.13.2", + "zstd-safe 7.2.1", ] [[package]] name = "async-trait" -version = "0.1.78" +version = "0.1.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "461abc97219de0eaaf81fe3ef974a540158f3d079c2ab200f891f1a2ef201e85" +checksum = "6e0c28dcc82d7c8ead5cb13beb15405b57b8546e93215673ff8ca0349a028107" dependencies = [ "proc-macro2", "quote", @@ -285,16 +293,16 @@ dependencies = [ "anyhow", "async-trait", "attester", - "base64 0.22.0", + "base64 0.22.1", "clap 4.2.7", "config", "const_format", - "env_logger 0.11.3", + "env_logger 0.11.5", "kbs-types", "kbs_protocol", "log", "prost 0.11.9", - "protobuf 3.5.0", + "protobuf 3.5.1", "reqwest 0.12.5", "rstest", "serde", @@ -319,7 +327,7 @@ dependencies = [ "async-trait", "az-snp-vtpm", "az-tdx-vtpm", - "base64 0.22.0", + "base64 0.22.1", "clap 4.2.7", "codicon", "csv-rs", @@ -328,7 +336,7 @@ dependencies = [ "hyper-tls 0.5.0", "kbs-types", "log", - "nix 0.28.0", + "nix 0.29.0", "occlum_dcap", "rstest", "s390_pv", @@ -468,7 +476,7 @@ dependencies = [ "cc", "cfg-if", "libc", - "miniz_oxide", + "miniz_oxide 0.7.2", "object", "rustc-demangle", ] @@ -493,9 +501,9 @@ checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" [[package]] name = "base64" -version = "0.22.0" +version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9475866fec1451be56a3c2400fd081ff546538961565ccb5b7142cbd22bc7a51" +checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" [[package]] name = "base64-serde" @@ -513,7 +521,7 @@ version = "3.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "38e2b6c78c06f7288d5e3c3d683bde35a79531127c83b087e5d0d77c974b4b28" dependencies = [ - "base64 0.22.0", + "base64 0.22.1", ] [[package]] @@ -580,7 +588,7 @@ version = "0.69.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a00dc851838a2120612785d195287475a3ac45514741da670b735818822129a0" dependencies = [ - "bitflags 2.4.2", + "bitflags 2.6.0", "cexpr", "clang-sys", "itertools 0.11.0", @@ -635,9 +643,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "bitflags" -version = "2.4.2" +version = "2.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" +checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "blake2b_simd" @@ -652,9 +660,9 @@ dependencies = [ [[package]] name = "blake3" -version = "1.5.1" +version = "1.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "30cca6d3674597c30ddf2c587bf8d9d65c9a84d2326d941cc79c9842dfe0ef52" +checksum = "e9ec96fe9a81b5e365f9db71fe00edc4fe4ca2cc7dcb7861f0603012a7caa210" dependencies = [ "arrayref", "arrayvec", @@ -822,11 +830,13 @@ dependencies = [ [[package]] name = "cc" -version = "1.0.86" +version = "1.1.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f9fa1897e4325be0d68d48df6aa1a71ac2ed4d27723887e7754192705350730" +checksum = "57b6a275aa2903740dc87da01c62040406b8812552e97129a63ea8850a17c6e6" dependencies = [ + "jobserver", "libc", + "shlex", ] [[package]] @@ -861,9 +871,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "cfg_aliases" -version = "0.1.1" +version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd16c4719339c4530435d38e511904438d07cce7950afa3718a84ac36c10e89e" +checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" [[package]] name = "chrono" @@ -877,7 +887,7 @@ dependencies = [ "num-traits", "serde", "wasm-bindgen", - "windows-targets 0.52.4", + "windows-targets 0.52.6", ] [[package]] @@ -996,11 +1006,11 @@ version = "0.1.0" dependencies = [ "aes-gcm", "anyhow", - "base64 0.22.0", + "base64 0.22.1", "clap 4.2.7", "ctr", "daemonize", - "env_logger 0.11.3", + "env_logger 0.11.5", "futures", "jwt-simple", "log", @@ -1047,17 +1057,19 @@ dependencies = [ "anyhow", "async-trait", "attestation-agent", - "base64 0.22.0", + "base64 0.22.1", "cfg-if", "clap 4.2.7", "config", - "env_logger 0.11.3", + "enc_mesh", + "env_logger 0.11.5", "image", "kms", "lazy_static", "log", + "nix 0.29.0", "prost 0.11.9", - "protobuf 3.5.0", + "protobuf 3.5.1", "rstest", "secret", "serde", @@ -1259,7 +1271,7 @@ version = "0.1.0" dependencies = [ "aes-gcm", "anyhow", - "base64 0.22.0", + "base64 0.22.1", "ctr", "kbs-types", "openssl", @@ -1390,16 +1402,15 @@ dependencies = [ [[package]] name = "curve25519-dalek" -version = "4.1.2" +version = "4.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0a677b8922c94e01bdbb12126b0bc852f00447528dee1782229af9c720c3f348" +checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be" dependencies = [ "cfg-if", "cpufeatures", "curve25519-dalek-derive", "digest 0.10.7", "fiat-crypto", - "platforms", "rustc_version", "subtle", "zeroize", @@ -1437,12 +1448,12 @@ dependencies = [ [[package]] name = "darling" -version = "0.20.8" +version = "0.20.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "54e36fcd13ed84ffdfda6f5be89b31287cbb80c439841fe69e04841435464391" +checksum = "6f63b86c8a8826a49b8c21f08a2d07338eec8d900540f8630dc76284be802989" dependencies = [ - "darling_core 0.20.8", - "darling_macro 0.20.8", + "darling_core 0.20.10", + "darling_macro 0.20.10", ] [[package]] @@ -1461,15 +1472,15 @@ dependencies = [ [[package]] name = "darling_core" -version = "0.20.8" +version = "0.20.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c2cf1c23a687a1feeb728783b993c4e1ad83d99f351801977dd809b48d0a70f" +checksum = "95133861a8032aaea082871032f5815eb9e98cef03fa916ab4500513994df9e5" dependencies = [ "fnv", "ident_case", "proc-macro2", "quote", - "strsim 0.10.0", + "strsim 0.11.1", "syn 2.0.50", ] @@ -1486,11 +1497,11 @@ dependencies = [ [[package]] name = "darling_macro" -version = "0.20.8" +version = "0.20.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a668eda54683121533a393014d8692171709ff57a7d61f187b6e782719f8933f" +checksum = "d336a2a514f6ccccaa3e09b02d41d35330c07ddf03a62165fcec10bb561c7806" dependencies = [ - "darling_core 0.20.8", + "darling_core 0.20.10", "quote", "syn 2.0.50", ] @@ -1525,9 +1536,9 @@ dependencies = [ [[package]] name = "der_derive" -version = "0.7.2" +version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5fe87ce4529967e0ba1dcf8450bab64d97dfd5010a6256187ffe2e43e6f0e049" +checksum = "8034092389675178f570469e6c3b0465d3d30b4505c294a6550db47f3c17ad18" dependencies = [ "proc-macro2", "quote", @@ -1570,7 +1581,7 @@ version = "0.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d48cda787f839151732d396ac69e3473923d54312c070ee21e9effcaa8ca0b1d" dependencies = [ - "darling 0.20.8", + "darling 0.20.10", "proc-macro2", "quote", "syn 2.0.50", @@ -1597,16 +1608,16 @@ dependencies = [ [[package]] name = "devicemapper" -version = "0.34.2" +version = "0.34.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68d15851812d2feb80b0b51ab7d440927e4a900c16d33b154e64a2828e0d7041" +checksum = "59209790c5d189070a52937581950947207e740fadc87f68af14f34d0eb333df" dependencies = [ - "bitflags 2.4.2", + "bitflags 2.6.0", "devicemapper-sys", - "env_logger 0.11.3", - "lazy_static", + "env_logger 0.11.5", "log", - "nix 0.28.0", + "nix 0.29.0", + "once_cell", "rand", "retry", "semver", @@ -1651,9 +1662,9 @@ dependencies = [ [[package]] name = "dircpy" -version = "0.3.16" +version = "0.3.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "29259db751c34980bfc44100875890c507f585323453b91936960ab1104272ca" +checksum = "a88521b0517f5f9d51d11925d8ab4523497dcf947073fa3231a311b63941131c" dependencies = [ "jwalk", "log", @@ -1857,11 +1868,33 @@ dependencies = [ [[package]] name = "ena" -version = "0.14.2" +version = "0.14.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c533630cf40e9caa44bd91aadc88a75d75a4c3a12b4cfde353cbed41daa1e1f1" +checksum = "3d248bdd43ce613d87415282f69b9bb99d947d290b10962dd6c56233312c2ad5" +dependencies = [ + "log", +] + +[[package]] +name = "enc_mesh" +version = "0.1.0" dependencies = [ + "anyhow", + "async-trait", + "base64 0.22.1", + "kms", "log", + "nix 0.29.0", + "rand", + "rstest", + "secret", + "serde", + "serde_json", + "serde_yml", + "strum", + "tempfile", + "thiserror", + "tokio", ] [[package]] @@ -1895,9 +1928,9 @@ dependencies = [ [[package]] name = "env_filter" -version = "0.1.0" +version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a009aa4810eb158359dda09d0c87378e4bbb89b5a801f016885a4707ba24f7ea" +checksum = "4f2c92ceda6ceec50f43169f9ee8424fe2db276791afde7b2cd8bc084cb376ab" dependencies = [ "log", "regex", @@ -1918,11 +1951,11 @@ dependencies = [ [[package]] name = "env_logger" -version = "0.11.3" +version = "0.11.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38b35839ba51819680ba087cd351788c9a3c476841207e0b8cee0b04722343b9" +checksum = "e13fa619b91fb2381732789fc5de83b45675e882f66623b7d8cb4f643017018d" dependencies = [ - "anstream 0.6.13", + "anstream 0.6.15", "anstyle", "env_filter", "humantime", @@ -1984,9 +2017,9 @@ dependencies = [ [[package]] name = "fiat-crypto" -version = "0.2.8" +version = "0.2.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38793c55593b33412e3ae40c2c9781ffaa6f438f6f8c10f24e71846fbd7ae01e" +checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d" [[package]] name = "filetime" @@ -2014,19 +2047,19 @@ checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80" [[package]] name = "flagset" -version = "0.4.5" +version = "0.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cdeb3aa5e95cf9aabc17f060cfa0ced7b83f042390760ca53bf09df9968acaa1" +checksum = "b3ea1ec5f8307826a5b71094dd91fc04d4ae75d5709b20ad351c7fb4815c86ec" [[package]] name = "flate2" -version = "1.0.31" +version = "1.0.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f211bbe8e69bbd0cfdea405084f128ae8b4aaa6b0b522fc8f2b009084797920" +checksum = "324a1be68054ef05ad64b861cc9eaf1d623d2d8cb25b4bf2cb9cdd902b4bf253" dependencies = [ "crc32fast", "libz-sys", - "miniz_oxide", + "miniz_oxide 0.8.0", ] [[package]] @@ -2184,9 +2217,9 @@ checksum = "38d84fa142264698cdce1a9f9172cf383a0c82de1bddcf3092901442c4097004" [[package]] name = "futures-timer" -version = "3.0.2" +version = "3.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e64b03909df88034c26dc1547e8970b91f98bdb65165d6a4e9110d94263dbb2c" +checksum = "f288b0a4f20f9a56b5d1da57e2227c661b7b16168e2f72365f57b63326e29b24" [[package]] name = "futures-util" @@ -2264,7 +2297,7 @@ version = "0.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b903b73e45dc0c6c596f2d37eccece7c1c8bb6e4407b001096387c63d0d93724" dependencies = [ - "bitflags 2.4.2", + "bitflags 2.6.0", "libc", "libgit2-sys", "log", @@ -2290,9 +2323,9 @@ dependencies = [ [[package]] name = "h2" -version = "0.3.24" +version = "0.3.26" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bb2c4422095b67ee78da96fbb51a4cc413b3b25883c7717ff7ca1ab31022c9c9" +checksum = "81fe527a889e1532da5c525686d96d4c2e74cdd345badf8dfef9f6b39dd5f5e8" dependencies = [ "bytes", "fnv", @@ -2300,7 +2333,7 @@ dependencies = [ "futures-sink", "futures-util", "http 0.2.12", - "indexmap 2.2.3", + "indexmap 2.5.0", "slab", "tokio", "tokio-util", @@ -2319,7 +2352,7 @@ dependencies = [ "futures-core", "futures-sink", "http 1.1.0", - "indexmap 2.2.3", + "indexmap 2.5.0", "slab", "tokio", "tokio-util", @@ -2543,7 +2576,7 @@ dependencies = [ "futures-channel", "futures-core", "futures-util", - "h2 0.3.24", + "h2 0.3.26", "http 0.2.12", "http-body 0.4.6", "httparse", @@ -2720,7 +2753,7 @@ version = "0.1.0" dependencies = [ "anyhow", "assert-json-diff", - "base64 0.22.0", + "base64 0.22.1", "crypto", "kms", "resource_uri", @@ -2737,7 +2770,7 @@ dependencies = [ "anyhow", "async-compression", "async-trait", - "base64 0.22.0", + "base64 0.22.1", "cfg-if", "devicemapper", "dircpy", @@ -2752,14 +2785,14 @@ dependencies = [ "lazy_static", "log", "loopdev", - "nix 0.28.0", + "nix 0.29.0", "nydus-api", "nydus-service", "oci-client", "oci-spec", "ocicrypt-rs", "prost 0.11.9", - "protobuf 3.5.0", + "protobuf 3.5.1", "reqwest 0.12.5", "resource_uri", "ring", @@ -2798,9 +2831,9 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.2.3" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "233cf39063f058ea2caae4091bf4a3ef70a653afbc026f5c4a4135d114e3c177" +checksum = "68b900aa2f7301e21c36462b170ee99994de34dff39a4a6a528e80e7376d07e5" dependencies = [ "equivalent", "hashbrown 0.14.3", @@ -2856,6 +2889,12 @@ version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "06d198e9919d9822d5f7083ba8530e04de87841eaf21ead9af8f2304efd57c89" +[[package]] +name = "is_terminal_polyfill" +version = "1.70.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf" + [[package]] name = "itertools" version = "0.10.5" @@ -2876,9 +2915,9 @@ dependencies = [ [[package]] name = "itoa" -version = "1.0.10" +version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c" +checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" [[package]] name = "jni" @@ -2902,14 +2941,23 @@ version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130" +[[package]] +name = "jobserver" +version = "0.1.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0" +dependencies = [ + "libc", +] + [[package]] name = "josekit" -version = "0.8.6" +version = "0.8.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0953340cf63354cec4a385f1fbcb3f409a5823778cae236078892f6030ed4565" +checksum = "54b85e2125819afc4fd2ae57416207e792c7e12797858e5db2a6c6f24a166829" dependencies = [ "anyhow", - "base64 0.21.7", + "base64 0.22.1", "flate2", "once_cell", "openssl", @@ -2943,9 +2991,9 @@ dependencies = [ [[package]] name = "json-syntax" -version = "0.12.3" +version = "0.12.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bbe45447363747ecc18deb478f945df8482edafbae21e51bdc73eab76883c6a5" +checksum = "044a68aba3f96d712f492b72be25e10f96201eaaca3207a7d6e68d6d5105fda9" dependencies = [ "decoded-char", "hashbrown 0.12.3", @@ -3059,7 +3107,7 @@ version = "0.1.0" dependencies = [ "anyhow", "async-trait", - "base64 0.22.0", + "base64 0.22.1", "bincode", "crypto", "foreign-types 0.5.0", @@ -3097,12 +3145,12 @@ dependencies = [ "anyhow", "async-trait", "attester", - "base64 0.22.0", + "base64 0.22.1", "crypto", "jwt-simple", "kbs-types", "log", - "protobuf 3.5.0", + "protobuf 3.5.1", "reqwest 0.12.5", "resource_uri", "rstest", @@ -3127,7 +3175,7 @@ dependencies = [ "anyhow", "async-trait", "attestation-agent", - "base64 0.22.0", + "base64 0.22.1", "bincode", "chrono", "const_format", @@ -3207,11 +3255,11 @@ dependencies = [ [[package]] name = "lazy_static" -version = "1.4.0" +version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" +checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" dependencies = [ - "spin 0.5.2", + "spin", ] [[package]] @@ -3318,7 +3366,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c2a198fb6b0eada2a8df47933734e6d35d350665a33a3593d7164fa52c75c19" dependencies = [ "cfg-if", - "windows-targets 0.52.4", + "windows-targets 0.52.6", ] [[package]] @@ -3333,16 +3381,22 @@ version = "0.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "85c833ca1e66078851dba29046874e38f08b2c883700aa29a03ddd3b23814ee8" dependencies = [ - "bitflags 2.4.2", + "bitflags 2.6.0", "libc", "redox_syscall 0.4.1", ] +[[package]] +name = "libyml" +version = "0.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "64804cc6a5042d4f05379909ba25b503ec04e2c082151d62122d5dcaa274b961" + [[package]] name = "libz-sys" -version = "1.1.16" +version = "1.1.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e143b5e666b2695d28f6bca6497720813f699c9602dd7f5cac91008b8ada7f9" +checksum = "d2d16453e800a8cf6dd2fc3eb4bc99b786a9b90c663b8559a5b1a041bf89e472" dependencies = [ "cc", "cmake", @@ -3409,9 +3463,9 @@ dependencies = [ [[package]] name = "lz4" -version = "1.24.0" +version = "1.26.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7e9e2dd86df36ce760a60f6ff6ad526f7ba1f14ba0356f8254fb6905e6494df1" +checksum = "958b4caa893816eea05507c20cfe47574a43d9a697138a7872990bba8a0ece68" dependencies = [ "libc", "lz4-sys", @@ -3419,9 +3473,9 @@ dependencies = [ [[package]] name = "lz4-sys" -version = "1.9.4" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "57d27b317e207b10f69f5e75494119e391a96f48861ae870d1da6edac98ca900" +checksum = "109de74d5d2353660401699a4174a4ff23fcc649caf553df71933c7fb45ad868" dependencies = [ "cc", "libc", @@ -3455,9 +3509,9 @@ dependencies = [ [[package]] name = "memchr" -version = "2.7.2" +version = "2.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c8640c5d730cb13ebd907d8d04b52f55ac9a2eec55b440c8892f40d56c76c1d" +checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" [[package]] name = "memoffset" @@ -3488,9 +3542,9 @@ dependencies = [ [[package]] name = "memsec" -version = "0.6.3" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fa0916b001582d253822171bd23f4a0229d32b9507fae236f5da8cad515ba7c" +checksum = "c797b9d6bb23aab2fc369c65f871be49214f5c759af65bde26ffaaa2b646b492" [[package]] name = "mime" @@ -3513,6 +3567,15 @@ dependencies = [ "adler", ] +[[package]] +name = "miniz_oxide" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e2d80299ef12ff69b16a84bb182e3b9df68b5a91574d3d4fa6e41b65deec4df1" +dependencies = [ + "adler2", +] + [[package]] name = "mio" version = "0.8.11" @@ -3600,14 +3663,15 @@ dependencies = [ [[package]] name = "nix" -version = "0.28.0" +version = "0.29.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab2156c4fce2f8df6c499cc1c763e4394b7482525bf2a9701c9d79d215f519e4" +checksum = "71e2746dc3a24dd78b3cfcb7be93368c6de9963d30f43a6a73998a9cf4b17b46" dependencies = [ - "bitflags 2.4.2", + "bitflags 2.6.0", "cfg-if", "cfg_aliases", "libc", + "memoffset 0.9.0", ] [[package]] @@ -3838,11 +3902,13 @@ checksum = "7891e71393cd1f227313c9379a26a584ff3d7e6e7159e988851f0934c993f0f8" [[package]] name = "objc2-foundation" -version = "0.2.0" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cfaefe14254871ea16c7d88968c0ff14ba554712a20d76421eec52f0a7fb8904" +checksum = "0ee638a5da3799329310ad4cfa62fbf045d5f56e3ef5ba4149e7452dcf89d5a8" dependencies = [ + "bitflags 2.6.0", "block2", + "libc", "objc2", ] @@ -3867,9 +3933,9 @@ dependencies = [ [[package]] name = "oci-client" -version = "0.12.0" +version = "0.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce611137700c3ec179993d5357dddde194bd706690b361f2f6b9235d4e29830e" +checksum = "0f5098b86f972ac3484f7c9011bbbbd64aaa7e21d10d2c1a91fefb4ad0ba2ad9" dependencies = [ "bytes", "chrono", @@ -3917,12 +3983,14 @@ dependencies = [ [[package]] name = "oci-spec" -version = "0.6.7" +version = "0.6.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bdf88ddc01cc6bccbe1044adb6a29057333f523deadcb4953c011a73158cfa5e" +checksum = "3f5a3fe998d50101ae009351fec56d88a69f4ed182e11000e711068c2f5abf72" dependencies = [ "derive_builder", "getset", + "once_cell", + "regex", "serde", "serde_json", "strum", @@ -3938,7 +4006,7 @@ dependencies = [ "aes-gcm", "anyhow", "async-trait", - "base64 0.22.0", + "base64 0.22.1", "base64-serde", "cfg-if", "crypto", @@ -3950,7 +4018,7 @@ dependencies = [ "openssl", "pin-project-lite", "prost 0.11.9", - "protobuf 3.5.0", + "protobuf 3.5.1", "resource_uri", "ring", "serde", @@ -4002,7 +4070,7 @@ version = "0.10.66" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1" dependencies = [ - "bitflags 2.4.2", + "bitflags 2.6.0", "cfg-if", "foreign-types 0.3.2", "libc", @@ -4107,6 +4175,20 @@ dependencies = [ "sha2 0.10.8", ] +[[package]] +name = "p521" +version = "0.13.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0fc9e2161f1f215afdfce23677034ae137bbd45016a880c2eb3ba8eb95f085b2" +dependencies = [ + "base16ct", + "ecdsa", + "elliptic-curve", + "primeorder", + "rand_core", + "sha2 0.10.8", +] + [[package]] name = "parking_lot" version = "0.12.1" @@ -4169,7 +4251,7 @@ version = "3.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8e459365e590736a54c3fa561947c84837534b8e9af6fc5bf781307e82658fae" dependencies = [ - "base64 0.22.0", + "base64 0.22.1", "serde", ] @@ -4190,9 +4272,9 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" [[package]] name = "pest" -version = "2.7.10" +version = "2.7.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "560131c633294438da9f7c4b08189194b20946c8274c6b9e38881a7874dc8ee8" +checksum = "cd53dff83f26735fdc1ca837098ccf133605d794cdae66acfc2bfac3ec809d95" dependencies = [ "memchr", "thiserror", @@ -4201,9 +4283,9 @@ dependencies = [ [[package]] name = "pest_derive" -version = "2.7.10" +version = "2.7.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26293c9193fbca7b1a3bf9b79dc1e388e927e6cacaa78b4a3ab705a1d3d41459" +checksum = "2a548d2beca6773b1c244554d36fcf8548a8a58e74156968211567250e48e49a" dependencies = [ "pest", "pest_generator", @@ -4211,9 +4293,9 @@ dependencies = [ [[package]] name = "pest_generator" -version = "2.7.10" +version = "2.7.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3ec22af7d3fb470a85dd2ca96b7c577a1eb4ef6f1683a9fe9a8c16e136c04687" +checksum = "3c93a82e8d145725dcbaf44e5ea887c8a869efdcc28706df2d08c69e17077183" dependencies = [ "pest", "pest_meta", @@ -4224,9 +4306,9 @@ dependencies = [ [[package]] name = "pest_meta" -version = "2.7.10" +version = "2.7.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7a240022f37c361ec1878d646fc5b7d7c4d28d5946e1a80ad5a7a4f4ca0bdcd" +checksum = "a941429fea7e08bedec25e4f6785b6ffaacc6b755da98df5ef3e7dcf4a124c4f" dependencies = [ "once_cell", "pest", @@ -4250,7 +4332,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e1d3afd2628e69da2be385eb6f2fd57c8ac7977ceeff6dc166ff1657b0e386a9" dependencies = [ "fixedbitset 0.4.2", - "indexmap 2.2.3", + "indexmap 2.5.0", ] [[package]] @@ -4373,12 +4455,6 @@ version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d231b230927b5e4ad203db57bbcbee2802f6bce620b1e4a9024a07d94e2907ec" -[[package]] -name = "platforms" -version = "3.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "db23d408679286588f4d4644f965003d056e3dd5abcaaa938116871d7ce2fee7" - [[package]] name = "poly1305" version = "0.8.0" @@ -4433,15 +4509,15 @@ dependencies = [ [[package]] name = "predicates-core" -version = "1.0.6" +version = "1.0.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b794032607612e7abeb4db69adb4e33590fa6cf1149e95fd7cb00e634b92f174" +checksum = "ae8177bee8e75d6846599c6b9ff679ed51e882816914eec639944d7c9aa11931" [[package]] name = "predicates-tree" -version = "1.0.9" +version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "368ba315fb8c5052ab692e68a0eefec6ec57b23a36959c14496f0b0df2c0cecf" +checksum = "41b740d195ed3166cd147c8047ec98db0e22ec019eb8eeb76d343b795304fb13" dependencies = [ "predicates-core", "termtree", @@ -4612,9 +4688,9 @@ checksum = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94" [[package]] name = "protobuf" -version = "3.5.0" +version = "3.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df67496db1a89596beaced1579212e9b7c53c22dca1d9745de00ead76573d514" +checksum = "0bcc343da15609eaecd65f8aa76df8dc4209d325131d8219358c0aaaebab0bf6" dependencies = [ "once_cell", "protobuf-support", @@ -4632,13 +4708,13 @@ dependencies = [ [[package]] name = "protobuf-codegen" -version = "3.5.0" +version = "3.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eab09155fad2d39333d3796f67845d43e29b266eea74f7bc93f153f707f126dc" +checksum = "c4d0cde5642ea4df842b13eb9f59ea6fafa26dcb43e3e1ee49120e9757556189" dependencies = [ "anyhow", "once_cell", - "protobuf 3.5.0", + "protobuf 3.5.1", "protobuf-parse", "regex", "tempfile", @@ -4647,14 +4723,14 @@ dependencies = [ [[package]] name = "protobuf-parse" -version = "3.5.0" +version = "3.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a16027030d4ec33e423385f73bb559821827e9ec18c50e7874e4d6de5a4e96f" +checksum = "1b0e9b447d099ae2c4993c0cbb03c7a9d6c937b17f2d56cfc0b1550e6fcfdb76" dependencies = [ "anyhow", - "indexmap 2.2.3", + "indexmap 2.5.0", "log", - "protobuf 3.5.0", + "protobuf 3.5.1", "protobuf-support", "tempfile", "thiserror", @@ -4663,9 +4739,9 @@ dependencies = [ [[package]] name = "protobuf-support" -version = "3.5.0" +version = "3.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70e2d30ab1878b2e72d1e2fc23ff5517799c9929e2cf81a8516f9f4dcf2b9cf3" +checksum = "f0766e3675a627c327e4b3964582594b0e8741305d628a98a5de75a1d15f99b9" dependencies = [ "thiserror", ] @@ -4833,9 +4909,9 @@ dependencies = [ [[package]] name = "regex" -version = "1.10.4" +version = "1.10.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c117dbdfde9c8308975b6a18d71f3f385c89461f7b3fb054288ecf2a2058ba4c" +checksum = "4219d74c6b67a3654a9fbebc4b419e22126d13d2f3c4a07ee0cb61ff79a79619" dependencies = [ "aho-corasick", "memchr", @@ -4871,7 +4947,7 @@ dependencies = [ "encoding_rs", "futures-core", "futures-util", - "h2 0.3.24", + "h2 0.3.26", "http 0.2.12", "http-body 0.4.6", "hyper 0.14.28", @@ -4906,7 +4982,7 @@ version = "0.12.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c7d6d2a27d57148378eb5e111173f4276ad26340ecc5c49a4a2152167a2d6a37" dependencies = [ - "base64 0.22.0", + "base64 0.22.1", "bytes", "cookie", "cookie_store", @@ -4989,7 +5065,7 @@ dependencies = [ "cfg-if", "getrandom", "libc", - "spin 0.9.8", + "spin", "untrusted", "windows-sys 0.52.0", ] @@ -5063,18 +5139,18 @@ dependencies = [ [[package]] name = "rust-fsm" -version = "0.6.1" +version = "0.6.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "021d7de715253e45ad24a2fbb0725a0f7f271fd8d3163b130bd65ce2816a860d" +checksum = "496dfc1e9384e6e6f53e1f0386825724d86c5b47a7f37ddcad84600744064144" dependencies = [ "rust-fsm-dsl", ] [[package]] name = "rust-fsm-dsl" -version = "0.6.1" +version = "0.6.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a66b1273014079e4cf2b04aad1f3a2849e26e9a106f0411be2b1c15c23a791a" +checksum = "a3967e3a7a0ff2cb3d652b971ddb7bb1404e4525f5074b2aa27a0ca723855109" dependencies = [ "quote", "syn 1.0.109", @@ -5123,7 +5199,7 @@ version = "0.38.31" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6ea3e1a662af26cd7a3ba09c0297a31af215563ecf42817c98df621387f4e949" dependencies = [ - "bitflags 2.4.2", + "bitflags 2.6.0", "errno 0.3.8", "libc", "linux-raw-sys", @@ -5159,7 +5235,7 @@ version = "2.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "29993a25686778eb88d4189742cd713c9bce943bc54251a33509dc63cbacf73d" dependencies = [ - "base64 0.22.0", + "base64 0.22.1", "rustls-pki-types", ] @@ -5188,9 +5264,9 @@ checksum = "7ffc183a10b4478d04cbbbfc96d0873219d962dd5accaff2ffbd4ceb7df837f4" [[package]] name = "ryu" -version = "1.0.17" +version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e86697c916019a8588c99b5fac3cead74ec0b4b819707a682fd4d23fa0ce1ba1" +checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f" [[package]] name = "ryu-js" @@ -5250,9 +5326,9 @@ dependencies = [ [[package]] name = "scc" -version = "2.1.6" +version = "2.1.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "05ccfb12511cdb770157ace92d7dda771e498445b78f9886e8cdbc5140a4eced" +checksum = "aeb7ac86243095b70a7920639507b71d51a63390d1ba26c4f60a552fbb914a37" dependencies = [ "sdd", ] @@ -5312,9 +5388,9 @@ dependencies = [ [[package]] name = "sdd" -version = "2.1.0" +version = "3.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "177258b64c0faaa9ffd3c65cd3262c2bc7e2588dbbd9c1641d0346145c1bbda8" +checksum = "0495e4577c672de8254beb68d01a9b62d0e8a13c099edecdbedccce3223cd29f" [[package]] name = "sec1" @@ -5338,7 +5414,7 @@ dependencies = [ "assert-json-diff", "assert_cmd", "async-trait", - "base64 0.22.0", + "base64 0.22.1", "clap 4.2.7", "crypto", "kms", @@ -5384,14 +5460,14 @@ checksum = "92d43fe69e652f3df9bdc2b85b2854a0825b86e4fb76bc44d945137d053639ca" [[package]] name = "sequoia-openpgp" -version = "1.20.0" +version = "1.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "06f82708c8568218b8544b4abbba1f6483067dca0a946a54991c1d3f424dcade" +checksum = "13261ee216b44d932ef93b2d4a75d45199bef77864bcc5b77ecfc7bc0ecb02d6" dependencies = [ "aes", "aes-gcm", "anyhow", - "base64 0.22.0", + "base64 0.22.1", "block-padding", "blowfish", "buffered-reader", @@ -5423,6 +5499,8 @@ dependencies = [ "num-bigint-dig", "once_cell", "p256", + "p384", + "p521", "rand", "rand_core", "regex", @@ -5440,9 +5518,9 @@ dependencies = [ [[package]] name = "serde" -version = "1.0.205" +version = "1.0.209" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e33aedb1a7135da52b7c21791455563facbbcc43d0f0f66165b42c21b3dfb150" +checksum = "99fce0ffe7310761ca6bf9faf5115afbc19688edd00171d81b1bb1b116c63e09" dependencies = [ "serde_derive", ] @@ -5467,9 +5545,9 @@ dependencies = [ [[package]] name = "serde_derive" -version = "1.0.205" +version = "1.0.209" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "692d6f5ac90220161d6774db30c662202721e64aed9058d2c394f451261420c1" +checksum = "a5831b979fd7b5439637af1752d535ff49f4860c0f341d1baeb6faf0f4242170" dependencies = [ "proc-macro2", "quote", @@ -5482,7 +5560,7 @@ version = "1.0.122" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "784b6203951c57ff748476b126ccb5e8e2959a5c19e5c617ab1956be3dbc68da" dependencies = [ - "indexmap 2.2.3", + "indexmap 2.5.0", "itoa", "memchr", "ryu", @@ -5550,13 +5628,30 @@ version = "0.9.34+deprecated" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47" dependencies = [ - "indexmap 2.2.3", + "indexmap 2.5.0", "itoa", "ryu", "serde", "unsafe-libyaml", ] +[[package]] +name = "serde_yml" +version = "0.0.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "48e76bab63c3fd98d27c17f9cbce177f64a91f5e69ac04cafe04e1bb25d1dc3c" +dependencies = [ + "indexmap 2.5.0", + "itoa", + "libyml", + "log", + "memchr", + "ryu", + "serde", + "serde_json", + "tempfile", +] + [[package]] name = "serial_test" version = "3.1.1" @@ -5709,7 +5804,7 @@ version = "0.9.0" source = "git+https://github.com/sigstore/sigstore-rs.git?rev=1b6ccf0f64d173350ec5515bd69ab48a26a9c0a3#1b6ccf0f64d173350ec5515bd69ab48a26a9c0a3" dependencies = [ "async-trait", - "base64 0.22.0", + "base64 0.22.1", "cfg-if", "chrono", "const-oid", @@ -5812,12 +5907,6 @@ dependencies = [ "windows-sys 0.48.0", ] -[[package]] -name = "spin" -version = "0.5.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" - [[package]] name = "spin" version = "0.9.8" @@ -5852,7 +5941,7 @@ version = "0.1.0" dependencies = [ "anyhow", "async-trait", - "base64 0.22.0", + "base64 0.22.1", "kms", "log", "rand", @@ -5891,6 +5980,12 @@ version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" +[[package]] +name = "strsim" +version = "0.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" + [[package]] name = "strum" version = "0.26.3" @@ -6022,14 +6117,15 @@ dependencies = [ [[package]] name = "tempfile" -version = "3.10.0" +version = "3.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a365e8cd18e44762ef95d87f284f4b5cd04107fec2ff3052bd6a3e6069669e67" +checksum = "04cbcdd0c794ebb0d4cf35e88edd2f7d2c4c3e9a5a6dab322839b321c6a87a64" dependencies = [ "cfg-if", "fastrand", + "once_cell", "rustix", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] @@ -6333,7 +6429,7 @@ version = "0.22.20" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "583c44c02ad26b0c3f3066fe629275e50627026c51ac2e595cca4c230ce1ce1d" dependencies = [ - "indexmap 2.2.3", + "indexmap 2.5.0", "serde", "serde_spanned", "toml_datetime", @@ -6352,7 +6448,7 @@ dependencies = [ "bytes", "futures-core", "futures-util", - "h2 0.3.24", + "h2 0.3.26", "http 0.2.12", "http-body 0.4.6", "hyper 0.14.28", @@ -6497,8 +6593,8 @@ dependencies = [ "libc", "log", "nix 0.26.4", - "protobuf 3.5.0", - "protobuf-codegen 3.5.0", + "protobuf 3.5.1", + "protobuf-codegen 3.5.1", "thiserror", "tokio", "tokio-vsock", @@ -6512,7 +6608,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94d7f7631d7a9ebed715a47cd4cb6072cbc7ae1d4ec01598971bbec0024340c2" dependencies = [ "protobuf 2.28.0", - "protobuf-codegen 3.5.0", + "protobuf-codegen 3.5.1", "protobuf-support", "ttrpc-compiler", ] @@ -6695,7 +6791,7 @@ version = "3.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d82b1bc5417102a73e8464c686eef947bdfb99fcdfc0a4f228e81afa9526470a" dependencies = [ - "indexmap 2.2.3", + "indexmap 2.5.0", "serde", "serde_json", "utoipa-gen", @@ -6980,7 +7076,7 @@ version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9" dependencies = [ - "windows-targets 0.52.4", + "windows-targets 0.52.6", ] [[package]] @@ -7007,7 +7103,16 @@ version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" dependencies = [ - "windows-targets 0.52.4", + "windows-targets 0.52.6", +] + +[[package]] +name = "windows-sys" +version = "0.59.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b" +dependencies = [ + "windows-targets 0.52.6", ] [[package]] @@ -7042,17 +7147,18 @@ dependencies = [ [[package]] name = "windows-targets" -version = "0.52.4" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7dd37b7e5ab9018759f893a1952c9420d060016fc19a472b4bb20d1bdd694d1b" +checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973" dependencies = [ - "windows_aarch64_gnullvm 0.52.4", - "windows_aarch64_msvc 0.52.4", - "windows_i686_gnu 0.52.4", - "windows_i686_msvc 0.52.4", - "windows_x86_64_gnu 0.52.4", - "windows_x86_64_gnullvm 0.52.4", - "windows_x86_64_msvc 0.52.4", + "windows_aarch64_gnullvm 0.52.6", + "windows_aarch64_msvc 0.52.6", + "windows_i686_gnu 0.52.6", + "windows_i686_gnullvm", + "windows_i686_msvc 0.52.6", + "windows_x86_64_gnu 0.52.6", + "windows_x86_64_gnullvm 0.52.6", + "windows_x86_64_msvc 0.52.6", ] [[package]] @@ -7069,9 +7175,9 @@ checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" [[package]] name = "windows_aarch64_gnullvm" -version = "0.52.4" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bcf46cf4c365c6f2d1cc93ce535f2c8b244591df96ceee75d8e83deb70a9cac9" +checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" [[package]] name = "windows_aarch64_msvc" @@ -7087,9 +7193,9 @@ checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" [[package]] name = "windows_aarch64_msvc" -version = "0.52.4" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da9f259dd3bcf6990b55bffd094c4f7235817ba4ceebde8e6d11cd0c5633b675" +checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" [[package]] name = "windows_i686_gnu" @@ -7105,9 +7211,15 @@ checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" [[package]] name = "windows_i686_gnu" -version = "0.52.4" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b474d8268f99e0995f25b9f095bc7434632601028cf86590aea5c8a5cb7801d3" +checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b" + +[[package]] +name = "windows_i686_gnullvm" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" [[package]] name = "windows_i686_msvc" @@ -7123,9 +7235,9 @@ checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" [[package]] name = "windows_i686_msvc" -version = "0.52.4" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1515e9a29e5bed743cb4415a9ecf5dfca648ce85ee42e15873c3cd8610ff8e02" +checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" [[package]] name = "windows_x86_64_gnu" @@ -7141,9 +7253,9 @@ checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" [[package]] name = "windows_x86_64_gnu" -version = "0.52.4" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5eee091590e89cc02ad514ffe3ead9eb6b660aedca2183455434b93546371a03" +checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" [[package]] name = "windows_x86_64_gnullvm" @@ -7159,9 +7271,9 @@ checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" [[package]] name = "windows_x86_64_gnullvm" -version = "0.52.4" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "77ca79f2451b49fa9e2af39f0747fe999fcda4f5e241b2898624dca97a1f2177" +checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" [[package]] name = "windows_x86_64_msvc" @@ -7177,9 +7289,9 @@ checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" [[package]] name = "windows_x86_64_msvc" -version = "0.52.4" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32b752e52a2da0ddfbdbcc6fceadfeede4c939ed16d13e648833a61dfb611ed8" +checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" [[package]] name = "winnow" @@ -7248,9 +7360,9 @@ dependencies = [ [[package]] name = "xxhash-rust" -version = "0.8.10" +version = "0.8.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "927da81e25be1e1a2901d59b81b37dd2efd1fc9c9345a55007f09bf5a2d3ee03" +checksum = "63658493314859b4dfdf3fb8c1defd61587839def09582db50b8a4e93afca6bb" [[package]] name = "yaml-rust" @@ -7337,11 +7449,11 @@ dependencies = [ [[package]] name = "zstd" -version = "0.13.1" +version = "0.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d789b1514203a1120ad2429eae43a7bd32b90976a7bb8a05f7ec02fa88cc23a" +checksum = "fcf2b778a664581e31e389454a7072dab1647606d44f7feea22cd5abb9c9f3f9" dependencies = [ - "zstd-safe 7.1.0", + "zstd-safe 7.2.1", ] [[package]] @@ -7366,18 +7478,18 @@ dependencies = [ [[package]] name = "zstd-safe" -version = "7.1.0" +version = "7.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1cd99b45c6bc03a018c8b8a86025678c87e55526064e38f9df301989dce7ec0a" +checksum = "54a3ab4db68cea366acc5c897c7b4d4d1b8994a9cd6e6f841f8964566a419059" dependencies = [ "zstd-sys", ] [[package]] name = "zstd-sys" -version = "2.0.10+zstd.1.5.6" +version = "2.0.13+zstd.1.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c253a4914af5bafc8fa8c86ee400827e83cf6ec01195ec1f1ed8441bf00d65aa" +checksum = "38ff0f21cfee8f97d94cef41359e0c89aa6113028ab0291aa8ca0038995a95aa" dependencies = [ "cc", "pkg-config", diff --git a/Cargo.toml b/Cargo.toml index 4b8ac4c93..0dc4689b5 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -24,8 +24,9 @@ aes = "0.8.3" aes-gcm = "0.10.2" anyhow = "1.0" assert-json-diff = "2.0" +assert_cmd = "2" async-trait = "0.1.78" -base64 = "0.22.0" +base64 = "0.22.1" base64-serde = "0.7" bincode = "1.3.3" cfg-if = "1.0.0" @@ -34,17 +35,17 @@ clap = "~4.2.7" config = "0.13.4" const_format = "0.2.30" ctr = "0.9.2" -env_logger = "0.11.3" +env_logger = "0.11.5" hex = "0.4.3" hmac = "0.12.1" jwt-simple = { version = "0.12", default-features = false, features = ["pure-rust"] } kbs-types = "0.7.0" -lazy_static = "1.4.0" +lazy_static = "1.5.0" log = "0.4.22" -nix = "0.28" +nix = "0.29" openssl = "0.10" prost = "0.11" -protobuf = "3.5.0" +protobuf = "3.5.1" rand = "0.8.5" reqwest = { version = "0.12", default-features = false } resource_uri = { path = "attestation-agent/deps/resource_uri" } @@ -54,10 +55,11 @@ rstest = "0.17" serde = { version = "1.0", features = ["derive"] } serde_with = { version = "1.11.0", features = ["base64"] } serde_json = "1.0" +serde_yml = "0.0.11" serial_test = "3" sha2 = "0.10.7" strum = { version = "0.26", features = ["derive"] } -tempfile = "3.2" +tempfile = "3.12" testcontainers = "0.14" thiserror = "1.0" tokio = "1.39" diff --git a/api-server-rest/src/ttrpc_proto/attestation_agent.rs b/api-server-rest/src/ttrpc_proto/attestation_agent.rs index 1538eb7d6..b1c66c9d8 100644 --- a/api-server-rest/src/ttrpc_proto/attestation_agent.rs +++ b/api-server-rest/src/ttrpc_proto/attestation_agent.rs @@ -1,4 +1,4 @@ -// This file is generated by rust-protobuf 3.5.0. Do not edit +// This file is generated by rust-protobuf 3.5.1. Do not edit // .proto file is parsed by pure // @generated @@ -9,7 +9,6 @@ #![allow(unused_attributes)] #![cfg_attr(rustfmt, rustfmt::skip)] -#![allow(box_pointers)] #![allow(dead_code)] #![allow(missing_docs)] #![allow(non_camel_case_types)] @@ -23,7 +22,7 @@ /// Generated files are compatible only with the same version /// of protobuf runtime. -const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_5_0; +const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_5_1; // @@protoc_insertion_point(message:attestation_agent.GetEvidenceRequest) #[derive(PartialEq,Clone,Default,Debug)] diff --git a/api-server-rest/src/ttrpc_proto/confidential_data_hub.rs b/api-server-rest/src/ttrpc_proto/confidential_data_hub.rs index 39a4b9f91..0902e6217 100644 --- a/api-server-rest/src/ttrpc_proto/confidential_data_hub.rs +++ b/api-server-rest/src/ttrpc_proto/confidential_data_hub.rs @@ -1,4 +1,4 @@ -// This file is generated by rust-protobuf 3.5.0. Do not edit +// This file is generated by rust-protobuf 3.5.1. Do not edit // .proto file is parsed by pure // @generated @@ -9,7 +9,6 @@ #![allow(unused_attributes)] #![cfg_attr(rustfmt, rustfmt::skip)] -#![allow(box_pointers)] #![allow(dead_code)] #![allow(missing_docs)] #![allow(non_camel_case_types)] @@ -23,7 +22,7 @@ /// Generated files are compatible only with the same version /// of protobuf runtime. -const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_5_0; +const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_5_1; // @@protoc_insertion_point(message:api.GetResourceRequest) #[derive(PartialEq,Clone,Default,Debug)] diff --git a/attestation-agent/attestation-agent/src/bin/ttrpc-aa/ttrpc_protocol/attestation_agent.rs b/attestation-agent/attestation-agent/src/bin/ttrpc-aa/ttrpc_protocol/attestation_agent.rs index 69634d962..4b6cfcac1 100644 --- a/attestation-agent/attestation-agent/src/bin/ttrpc-aa/ttrpc_protocol/attestation_agent.rs +++ b/attestation-agent/attestation-agent/src/bin/ttrpc-aa/ttrpc_protocol/attestation_agent.rs @@ -1,4 +1,4 @@ -// This file is generated by rust-protobuf 3.5.0. Do not edit +// This file is generated by rust-protobuf 3.5.1. Do not edit // .proto file is parsed by pure // @generated @@ -9,7 +9,6 @@ #![allow(unused_attributes)] #![cfg_attr(rustfmt, rustfmt::skip)] -#![allow(box_pointers)] #![allow(dead_code)] #![allow(missing_docs)] #![allow(non_camel_case_types)] @@ -23,7 +22,7 @@ /// Generated files are compatible only with the same version /// of protobuf runtime. -const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_5_0; +const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_5_1; // @@protoc_insertion_point(message:attestation_agent.GetEvidenceRequest) #[derive(PartialEq,Clone,Default,Debug)] diff --git a/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent.rs b/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent.rs index 69634d962..4b6cfcac1 100644 --- a/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent.rs +++ b/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent.rs @@ -1,4 +1,4 @@ -// This file is generated by rust-protobuf 3.5.0. Do not edit +// This file is generated by rust-protobuf 3.5.1. Do not edit // .proto file is parsed by pure // @generated @@ -9,7 +9,6 @@ #![allow(unused_attributes)] #![cfg_attr(rustfmt, rustfmt::skip)] -#![allow(box_pointers)] #![allow(dead_code)] #![allow(missing_docs)] #![allow(non_camel_case_types)] @@ -23,7 +22,7 @@ /// Generated files are compatible only with the same version /// of protobuf runtime. -const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_5_0; +const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_5_1; // @@protoc_insertion_point(message:attestation_agent.GetEvidenceRequest) #[derive(PartialEq,Clone,Default,Debug)] diff --git a/confidential-data-hub/Makefile b/confidential-data-hub/Makefile index 35af0fd8e..60a421dbf 100644 --- a/confidential-data-hub/Makefile +++ b/confidential-data-hub/Makefile @@ -18,7 +18,7 @@ SOURCE_ARCH := $(shell uname -m) RPC ?= ttrpc ARCH ?= $(shell uname -m) DEBUG ?= -LIBC ?= gnu +LIBC ?= musl RESOURCE_PROVIDER ?= kbs,sev KMS_PROVIDER ?= aliyun,ehsm DESTDIR ?= $(PREFIX)/bin @@ -97,8 +97,9 @@ ifneq ($(RUSTFLAGS_ARGS),) endif build: - cd hub && $(RUST_FLAGS) cargo build $(release) --no-default-features --features "$(features)" $(binary) $(LIBC_FLAG) - mv $(TARGET_DIR)/$(binary_name) $(TARGET) + #cd hub && $(RUST_FLAGS) cargo build $(release) --no-default-features --features "$(features)" $(binary) $(LIBC_FLAG) + cd hub && $(RUST_FLAGS) CARGO_LOG=cargo::core::compiler::fingerprint=info cargo build $(release) --no-default-features --features "$(features)" $(binary) $(LIBC_FLAG) + mv $(TARGET_DIR)/$(binary_name) $(TARGET) || true TARGET := $(TARGET_DIR)/$(BIN_NAME) diff --git a/confidential-data-hub/README.md b/confidential-data-hub/README.md index 5b1d02bc6..195f915a5 100644 --- a/confidential-data-hub/README.md +++ b/confidential-data-hub/README.md @@ -94,7 +94,7 @@ run the following to build ```shell git clone https://github.com/confidential-containers/guest-components cd guest-components/confidential-data-hub/hub -cargo build --bin ttrpc-cdh-tool --features bin,ttrpc +cargo build --bin ttrpc-cdh-tool --no-default-features --features bin,ttrpc ``` Install @@ -108,10 +108,10 @@ run the following to build ```shell git clone https://github.com/confidential-containers/guest-components cd guest-components/confidential-data-hub/hub -cargo build --bin grpc-cdh-tool --features bin,grpc +cargo build --bin grpc-cdh-tool --no-default-features --features bin,grpc ``` Install ```shell install -D -m0755 ../../target/x86_64-unknown-linux-gnu/release/grpc-cdh-tool /usr/local/bin/grpc-cdh-tool -``` \ No newline at end of file +``` diff --git a/confidential-data-hub/enc-mesh/Cargo.toml b/confidential-data-hub/enc-mesh/Cargo.toml new file mode 100644 index 000000000..11d9dd892 --- /dev/null +++ b/confidential-data-hub/enc-mesh/Cargo.toml @@ -0,0 +1,32 @@ +[package] +name = "enc_mesh" +version = "0.1.0" +edition = "2021" + +[dependencies] +anyhow.workspace = true +async-trait.workspace = true +base64.workspace = true +log.workspace = true +rand = { workspace = true, optional = true } +secret = { path = "../secret" } +serde.workspace = true +serde_json.workspace = true +strum = { workspace = true, features = ["derive"] } +tempfile = { workspace = true, optional = true } +thiserror.workspace = true +tokio = { workspace = true, optional = true } +nix = { workspace = true, features = ["net"] } +kms = { path = "../kms", default-features = false } +serde_yml.workspace = true + +[dev-dependencies] +rstest.workspace = true +tokio = { workspace = true, features = ["rt", "macros" ] } + +[build-dependencies] +anyhow.workspace = true + +[features] +default = [] +enc-mesh = [] diff --git a/confidential-data-hub/enc-mesh/src/enc_mesh/mod.rs b/confidential-data-hub/enc-mesh/src/enc_mesh/mod.rs new file mode 100644 index 000000000..8340c18e9 --- /dev/null +++ b/confidential-data-hub/enc-mesh/src/enc_mesh/mod.rs @@ -0,0 +1,5 @@ +// +// SPDX-License-Identifier: Apache-2.0 +// + +pub mod nebula; diff --git a/confidential-data-hub/enc-mesh/src/enc_mesh/nebula.rs b/confidential-data-hub/enc-mesh/src/enc_mesh/nebula.rs new file mode 100644 index 000000000..5eae862b5 --- /dev/null +++ b/confidential-data-hub/enc-mesh/src/enc_mesh/nebula.rs @@ -0,0 +1,226 @@ +// +// SPDX-License-Identifier: Apache-2.0 +// + +use std::{str::FromStr}; + +use serde::{Serialize, Deserialize}; +use serde_json::Value; + +use std::process::Command; + +use kms::{Annotations, ProviderSettings}; +use std::fs; + +use nix::ifaddrs::getifaddrs; +use nix::sys::socket::{SockaddrStorage, SockaddrLike, AddressFamily}; +use std::net::{Ipv4Addr}; + +use serde_yml; + +use crate::{Result, EncMeshError}; + + +pub struct NebulaMesh; + +// FIXME This should be a shared struct, if possible, with trustee's nebula +// plugin. It's that plugin's custom protocol. +#[derive(Debug, Serialize, Deserialize)] +pub struct NebulaPluginResponse { + pub node_crt: Vec, + pub node_key: Vec, + pub ca_crt: Vec, +} + + +const CA_CERT_PATH: &str = "/tmp/nebula/ca.crt"; +const POD_CERT_PATH: &str = "/tmp/nebula/pod.crt"; +const POD_KEY_PATH: &str = "/tmp/nebula/pod.key"; + +// FIXME the LIGHTHOUSE_CONFIG_PATH and the WORKER_CONFIG_TEMPLATE_PATH are +// determined at image/rootfs build time. Those values must be consistent +// with whatever is here. +const LIGHTHOUSE_CONFIG_PATH: &str = "/opt/enc-mesh/lighthouse-config.yaml"; +const WORKER_CONFIG_TEMPLATE_PATH: &str = "/opt/enc-mesh/config.yaml"; +const WORKER_CONFIG_PATH: &str = "/tmp/nebula/config.yaml"; + +// FIXME These should be configurable +const LIGHTHOUSE_IP: Ipv4Addr = Ipv4Addr::new(192, 168, 100, 100); +const LIGHTHOUSE_MASK: Ipv4Addr = Ipv4Addr::new(255, 255, 255, 0); + + +impl NebulaMesh { + + /// Set up a nebula mesh. The general approach is as follows: + /// - Calculate what the mesh IP will be for this worker. + /// - Ask trustee for its nebula credentials + /// - Start the nebula daemon. + pub async fn set_up(&self, + pod_name: String, + lighthouse_pub_ip: String) -> Result<()> { + let is_lighthouse: bool = lighthouse_pub_ip.is_empty(); + let mut mesh_ip = LIGHTHOUSE_IP; + if !is_lighthouse { + mesh_ip = self.generate_mesh_ip()?; + } + + // FIXME: kbs hard-coded to localhost is wrong. This should be based on + // ResourceUri? Where does it come from? + let prefix_len: u32 = self.netmask_to_prefix_len(LIGHTHOUSE_MASK); + let neb_cred_uri: String = format!("kbs://127.0.0.1:8080/plugin/\ + nebula/credential\ + ?ip[ip]={}\ + &ip[netbits]={}\ + &name={}", + mesh_ip, prefix_len, pod_name).to_owned(); + + let client = kms::new_getter("kbs", ProviderSettings::default()) + .await + .map_err(|e| EncMeshError::KbsClient{ source: e })?; + let response = client + .get_secret(&neb_cred_uri, &Annotations::default()) + .await + .map_err(|e| EncMeshError::GetSecret{ source: e })?; + let response: NebulaPluginResponse = serde_json::from_slice(&response)?; + + fs::create_dir("/tmp/nebula")?; + fs::write(CA_CERT_PATH, response.ca_crt)?; + fs::write(POD_CERT_PATH, response.node_crt)?; + fs::write(POD_KEY_PATH, response.node_key)?; + + let mut which_config = LIGHTHOUSE_CONFIG_PATH; + if !is_lighthouse { + which_config = WORKER_CONFIG_PATH; + let content = std::fs::read_to_string(WORKER_CONFIG_TEMPLATE_PATH)?; + let mut rule_file = serde_yml::from_str::(&content)?; + // FIXME ? should the 4242 port be hard-coded + let static_host_map_str = format!("\"{}\": [\"{}:4242\"]", + LIGHTHOUSE_IP, lighthouse_pub_ip); + let static_host_map = serde_yml::from_str::(&static_host_map_str)?; + + // FIXME these are Option<>s + *rule_file.get_mut("static_host_map").unwrap() = static_host_map.into(); + rule_file.get_mut("lighthouse").unwrap().get_mut("hosts").unwrap()[0] + = format!("{}", LIGHTHOUSE_IP).into(); + + let fp = std::fs::File::create(which_config).expect("error creating file"); + serde_yml::to_writer(fp, &rule_file)?; + } + + Command::new("/opt/enc-mesh/nebula") + .arg("-config") + .arg(which_config) + .spawn() + .expect("nebula command failed to start"); + + Ok(()) + } + + + /// Read /proc/net/route to get the default gateway's interface, + /// e.g. "eth0". + /// TODO This is brittle. Is there a reason to not use procfs::net here? + fn get_iface_of_default_gateway(&self) -> Result { + let binding = fs::read_to_string("/proc/net/route")?; + let s: Vec<&str> = binding.split("\n").collect(); + let mut iface: &str = ""; + for part in s { + let tokens: Vec<&str> = part.split_whitespace().collect(); + iface = tokens[0]; + let destination: &str = tokens[1]; + let mask: &str = tokens[7]; + // FIXME ? Should mask also be checked? + if destination == "00000000" { + break; + } + } + Ok(iface.to_string()) + } + + + /// Get the IP address and netmask for some iface. This relies on the nix + /// library's getifaddrs support. + fn get_ip_and_mask(&self, iface: &String) -> Result<(Ipv4Addr, Ipv4Addr)> { + let addrs = getifaddrs().map_err(|e| EncMeshError::IfaceDetails(format!( + "getifaddrs returned error: {}", e)))?; + for ifaddr in addrs { + if ifaddr.interface_name == *iface { + let Some(address) = ifaddr.address else { continue }; + let Some(netmask) = ifaddr.netmask else { continue }; + if let Some(AddressFamily::Inet) = address.family() { // ipv4 + println!("interface {} address {} netmask {}", + ifaddr.interface_name, address, netmask); + let Some(address) = address.as_sockaddr_in() else { continue }; + let Some(netmask) = netmask.as_sockaddr_in() else { continue }; + return Ok((address.ip(), netmask.ip())); + } + } + } + return Err(EncMeshError::IfaceDetails(format!("Unable to find address \ + and mask for {}", iface))); + } + + + /// Convert a netmask to its prefix length (e.g. convert 255.255.255.0 to 24) + fn netmask_to_prefix_len(&self, netmask: Ipv4Addr) -> u32 { + netmask.octets().iter().fold(0, |count, oct| count + oct.count_ones()) + } + + + /// Form the IP address that this worker will have in the mesh. This is done + /// by combining the upper bits of the (known, predetermined) lighthouse IP + /// with the lower bits of the (dynamic) k8s-assigned IP of the worker's + /// default interface. + /// TODO It is an error for the k8s netmask to be smaller than the mesh (i.e. + /// for the addressable range to be larger than the mesh's). This could + /// cause IP assignment collisions for the mesh, even when using a benign + /// k8s. + /// TODO Similar: Need to handle collisions in the case of a malicious k8s. + /// Or, at least, document behavior (e.g. DoS). + /// TODO Do not collide on the lighthouse IP address. + fn generate_mesh_ip(&self) -> Result { + let iface: String = self.get_iface_of_default_gateway()?; + let (iface_ip, iface_mask) = self.get_ip_and_mask(&iface)?; + if iface_mask != LIGHTHOUSE_MASK { + return Err(EncMeshError::NetmaskMismatch(format!("worker netmask \ + ({}) and lighthouse netmask ({}) do \ + not match", iface_mask, LIGHTHOUSE_MASK))); + } + let mesh_ip = (LIGHTHOUSE_IP & LIGHTHOUSE_MASK) + | (iface_ip & !LIGHTHOUSE_MASK); + Ok(mesh_ip) + } + +} + + + + + + +#[cfg(test)] +mod tests { + use super::*; + use rstest::rstest; + use nix::sys::socket::SockaddrIn; + + use nix::libc::in_addr; + + #[rstest] + #[case(255, 255, 255, 255, 32)] + #[case(255, 255, 255, 0, 24)] + #[case( 0, 0, 0, 0, 0)] + #[case(255, 255, 254, 0, 23)] + #[case(255, 255, 255, 8, 25)] + fn test_netmask_to_prefix_len(#[case] a: u8, + #[case] b: u8, + #[case] c: u8, + #[case] d: u8, + #[case] prefix_len: u32) { + let ip: Ipv4Addr = Ipv4Addr::new(a, b, c, d); + let nm: NebulaMesh = NebulaMesh {}; + let rv: u32 = nm.netmask_to_prefix_len(ip); + assert_eq!(rv, prefix_len); + } + +} diff --git a/confidential-data-hub/enc-mesh/src/error.rs b/confidential-data-hub/enc-mesh/src/error.rs new file mode 100644 index 000000000..b9d37ec2e --- /dev/null +++ b/confidential-data-hub/enc-mesh/src/error.rs @@ -0,0 +1,47 @@ +// +// SPDX-License-Identifier: Apache-2.0 +// + +use thiserror::Error; + +pub type Result = std::result::Result; + +#[derive(Error, Debug)] +pub enum EncMeshError { + + #[error("Encrypted mesh setup failed: {0}")] + Setup(String), + + #[error("Mesh netmask (user-configured) and worker netmask (assigned by \ + the control plane) should match: {0}")] + NetmaskMismatch(String), + + #[error("Unable to get iface details: {0}")] + IfaceDetails(String), + + + #[error("KBS client initialization failed")] + KbsClient { + #[source] + source: kms::Error, + }, + + #[error("Get secret failed")] + GetSecret { + #[source] + source: kms::Error, + }, + + #[error("Failed to parse KBS response")] + ResponseParse(#[from] serde_json::Error), + + #[error("Error while handling yaml data")] + SerdeYmlFail(#[from] serde_yml::Error), + + #[error("I/O error")] + IoError(#[from] std::io::Error), + + #[error("Error parsing Ipv4Addr")] + AddrParseFail(#[from] std::net::AddrParseError), + +} diff --git a/confidential-data-hub/enc-mesh/src/lib.rs b/confidential-data-hub/enc-mesh/src/lib.rs new file mode 100644 index 000000000..24ab8dd4f --- /dev/null +++ b/confidential-data-hub/enc-mesh/src/lib.rs @@ -0,0 +1,25 @@ +// +// SPDX-License-Identifier: Apache-2.0 +// + +pub mod error; +pub mod enc_mesh; +pub use error::*; +use log::info; +use crate::enc_mesh::nebula::NebulaMesh; + + +pub async fn set_up(pod_name: String, + lighthouse_pub_ip: String) -> Result<()> { + #[cfg(feature = "enc-mesh")] + { + let nm: NebulaMesh = NebulaMesh {}; + nm.set_up(pod_name, lighthouse_pub_ip).await?; + Ok(()) + } + #[cfg(not(feature = "enc-mesh"))] + { + info!("encrypted mesh not supported "); + Ok(()) + } +} diff --git a/confidential-data-hub/hub/Cargo.toml b/confidential-data-hub/hub/Cargo.toml index 8a91ad1af..e0607de20 100644 --- a/confidential-data-hub/hub/Cargo.toml +++ b/confidential-data-hub/hub/Cargo.toml @@ -35,10 +35,12 @@ image = { path = "../image", default-features = false } kms = { path = "../kms", default-features = false } lazy_static.workspace = true log.workspace = true +nix = { workspace = true, features = ["net"] } prost = { workspace = true, optional = true } protobuf = { workspace = true, optional = true } secret.path = "../secret" storage.path = "../storage" +enc_mesh.path = "../enc-mesh" serde = { workspace = true, optional = true } serde_json.workspace = true thiserror.workspace = true @@ -73,3 +75,6 @@ ehsm = ["image/ehsm", "secret/ehsm"] bin = [ "anyhow", "attestation-agent", "cfg-if", "clap", "config", "env_logger", "serde" ] ttrpc = ["dep:ttrpc", "protobuf", "ttrpc-codegen", "tokio/signal"] grpc = ["prost", "tonic", "tonic-build", "tokio/signal"] + +# support encrypted mesh +enc-mesh = [] diff --git a/confidential-data-hub/hub/build.rs b/confidential-data-hub/hub/build.rs index 7e8404875..6fac730ba 100644 --- a/confidential-data-hub/hub/build.rs +++ b/confidential-data-hub/hub/build.rs @@ -8,7 +8,7 @@ fn main() { { tonic_build::configure() .build_server(true) - .protoc_arg("--experimental_allow_proto3_optional") + //.protoc_arg("--experimental_allow_proto3_optional") .compile( &["./protos/api.proto", "./protos/keyprovider.proto"], &["./protos"], diff --git a/confidential-data-hub/hub/protos/api.proto b/confidential-data-hub/hub/protos/api.proto index 3d084146e..c7b906419 100644 --- a/confidential-data-hub/hub/protos/api.proto +++ b/confidential-data-hub/hub/protos/api.proto @@ -33,6 +33,15 @@ message SecureMountResponse { string mount_path = 1; } +message SetUpEncryptedMeshRequest { + string pod_name = 1; + string lighthouse_pub_ip = 2; +} + +message SetUpEncryptedMeshResponse { + int32 return_code = 1; +} + service SealedSecretService { rpc UnsealSecret(UnsealSecretInput) returns (UnsealSecretOutput) {}; } @@ -44,3 +53,7 @@ service GetResourceService { service SecureMountService { rpc SecureMount(SecureMountRequest) returns (SecureMountResponse) {}; } + +service EncryptedMeshService { + rpc SetUpEncryptedMesh(SetUpEncryptedMeshRequest) returns (SetUpEncryptedMeshResponse) {}; +} diff --git a/confidential-data-hub/hub/src/api.rs b/confidential-data-hub/hub/src/api.rs index 880db037e..c18ba1907 100644 --- a/confidential-data-hub/hub/src/api.rs +++ b/confidential-data-hub/hub/src/api.rs @@ -29,4 +29,10 @@ pub trait DataHub { async fn get_resource(&self, uri: String) -> Result>; async fn secure_mount(&self, storage: Storage) -> Result; + + async fn set_up_encrypted_mesh( + &self, + pod_name: String, + lighthouse_pub_ip: String, + ) -> Result>; } diff --git a/confidential-data-hub/hub/src/bin/protos/api.rs b/confidential-data-hub/hub/src/bin/protos/api.rs index ce08349a8..790777fef 100644 --- a/confidential-data-hub/hub/src/bin/protos/api.rs +++ b/confidential-data-hub/hub/src/bin/protos/api.rs @@ -1,4 +1,4 @@ -// This file is generated by rust-protobuf 3.5.0. Do not edit +// This file is generated by rust-protobuf 3.5.1. Do not edit // .proto file is parsed by pure // @generated @@ -9,7 +9,6 @@ #![allow(unused_attributes)] #![cfg_attr(rustfmt, rustfmt::skip)] -#![allow(box_pointers)] #![allow(dead_code)] #![allow(missing_docs)] #![allow(non_camel_case_types)] @@ -23,7 +22,7 @@ /// Generated files are compatible only with the same version /// of protobuf runtime. -const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_5_0; +const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_5_1; // @@protoc_insertion_point(message:api.UnsealSecretInput) #[derive(PartialEq,Clone,Default,Debug)] @@ -826,6 +825,268 @@ impl ::protobuf::reflect::ProtobufValue for SecureMountResponse { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } +// @@protoc_insertion_point(message:api.SetUpEncryptedMeshRequest) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct SetUpEncryptedMeshRequest { + // message fields + // @@protoc_insertion_point(field:api.SetUpEncryptedMeshRequest.pod_name) + pub pod_name: ::std::string::String, + // @@protoc_insertion_point(field:api.SetUpEncryptedMeshRequest.lighthouse_pub_ip) + pub lighthouse_pub_ip: ::std::string::String, + // special fields + // @@protoc_insertion_point(special_field:api.SetUpEncryptedMeshRequest.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a SetUpEncryptedMeshRequest { + fn default() -> &'a SetUpEncryptedMeshRequest { + ::default_instance() + } +} + +impl SetUpEncryptedMeshRequest { + pub fn new() -> SetUpEncryptedMeshRequest { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(2); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "pod_name", + |m: &SetUpEncryptedMeshRequest| { &m.pod_name }, + |m: &mut SetUpEncryptedMeshRequest| { &mut m.pod_name }, + )); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "lighthouse_pub_ip", + |m: &SetUpEncryptedMeshRequest| { &m.lighthouse_pub_ip }, + |m: &mut SetUpEncryptedMeshRequest| { &mut m.lighthouse_pub_ip }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "SetUpEncryptedMeshRequest", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for SetUpEncryptedMeshRequest { + const NAME: &'static str = "SetUpEncryptedMeshRequest"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.pod_name = is.read_string()?; + }, + 18 => { + self.lighthouse_pub_ip = is.read_string()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.pod_name.is_empty() { + my_size += ::protobuf::rt::string_size(1, &self.pod_name); + } + if !self.lighthouse_pub_ip.is_empty() { + my_size += ::protobuf::rt::string_size(2, &self.lighthouse_pub_ip); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.pod_name.is_empty() { + os.write_string(1, &self.pod_name)?; + } + if !self.lighthouse_pub_ip.is_empty() { + os.write_string(2, &self.lighthouse_pub_ip)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> SetUpEncryptedMeshRequest { + SetUpEncryptedMeshRequest::new() + } + + fn clear(&mut self) { + self.pod_name.clear(); + self.lighthouse_pub_ip.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static SetUpEncryptedMeshRequest { + static instance: SetUpEncryptedMeshRequest = SetUpEncryptedMeshRequest { + pod_name: ::std::string::String::new(), + lighthouse_pub_ip: ::std::string::String::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for SetUpEncryptedMeshRequest { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("SetUpEncryptedMeshRequest").unwrap()).clone() + } +} + +impl ::std::fmt::Display for SetUpEncryptedMeshRequest { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for SetUpEncryptedMeshRequest { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +// @@protoc_insertion_point(message:api.SetUpEncryptedMeshResponse) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct SetUpEncryptedMeshResponse { + // message fields + // @@protoc_insertion_point(field:api.SetUpEncryptedMeshResponse.return_code) + pub return_code: i32, + // special fields + // @@protoc_insertion_point(special_field:api.SetUpEncryptedMeshResponse.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a SetUpEncryptedMeshResponse { + fn default() -> &'a SetUpEncryptedMeshResponse { + ::default_instance() + } +} + +impl SetUpEncryptedMeshResponse { + pub fn new() -> SetUpEncryptedMeshResponse { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "return_code", + |m: &SetUpEncryptedMeshResponse| { &m.return_code }, + |m: &mut SetUpEncryptedMeshResponse| { &mut m.return_code }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "SetUpEncryptedMeshResponse", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for SetUpEncryptedMeshResponse { + const NAME: &'static str = "SetUpEncryptedMeshResponse"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 8 => { + self.return_code = is.read_int32()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if self.return_code != 0 { + my_size += ::protobuf::rt::int32_size(1, self.return_code); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if self.return_code != 0 { + os.write_int32(1, self.return_code)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> SetUpEncryptedMeshResponse { + SetUpEncryptedMeshResponse::new() + } + + fn clear(&mut self) { + self.return_code = 0; + self.special_fields.clear(); + } + + fn default_instance() -> &'static SetUpEncryptedMeshResponse { + static instance: SetUpEncryptedMeshResponse = SetUpEncryptedMeshResponse { + return_code: 0, + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for SetUpEncryptedMeshResponse { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("SetUpEncryptedMeshResponse").unwrap()).clone() + } +} + +impl ::std::fmt::Display for SetUpEncryptedMeshResponse { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for SetUpEncryptedMeshResponse { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + static file_descriptor_proto_data: &'static [u8] = b"\ \n\tapi.proto\x12\x03api\"+\n\x11UnsealSecretInput\x12\x16\n\x06secret\ \x18\x01\x20\x01(\x0cR\x06secret\"2\n\x12UnsealSecretOutput\x12\x1c\n\tp\ @@ -838,14 +1099,19 @@ static file_descriptor_proto_data: &'static [u8] = b"\ (\tR\x05flags\x12\x1f\n\x0bmount_point\x18\x04\x20\x01(\tR\nmountPoint\ \x1a:\n\x0cOptionsEntry\x12\x10\n\x03key\x18\x01\x20\x01(\tR\x03key\x12\ \x14\n\x05value\x18\x02\x20\x01(\tR\x05value:\x028\x01\"4\n\x13SecureMou\ - ntResponse\x12\x1d\n\nmount_path\x18\x01\x20\x01(\tR\tmountPath2V\n\x13S\ - ealedSecretService\x12?\n\x0cUnsealSecret\x12\x16.api.UnsealSecretInput\ - \x1a\x17.api.UnsealSecretOutput2V\n\x12GetResourceService\x12@\n\x0bGetR\ - esource\x12\x17.api.GetResourceRequest\x1a\x18.api.GetResourceResponse2V\ - \n\x12SecureMountService\x12@\n\x0bSecureMount\x12\x17.api.SecureMountRe\ - quest\x1a\x18.api.SecureMountResponseBaZ_github.com/confidential-contain\ - ers/guest-components/confidential-data-hub/golang/pkg/api/cdhapib\x06pro\ - to3\ + ntResponse\x12\x1d\n\nmount_path\x18\x01\x20\x01(\tR\tmountPath\"b\n\x19\ + SetUpEncryptedMeshRequest\x12\x19\n\x08pod_name\x18\x01\x20\x01(\tR\x07p\ + odName\x12*\n\x11lighthouse_pub_ip\x18\x02\x20\x01(\tR\x0flighthousePubI\ + p\"=\n\x1aSetUpEncryptedMeshResponse\x12\x1f\n\x0breturn_code\x18\x01\ + \x20\x01(\x05R\nreturnCode2V\n\x13SealedSecretService\x12?\n\x0cUnsealSe\ + cret\x12\x16.api.UnsealSecretInput\x1a\x17.api.UnsealSecretOutput2V\n\ + \x12GetResourceService\x12@\n\x0bGetResource\x12\x17.api.GetResourceRequ\ + est\x1a\x18.api.GetResourceResponse2V\n\x12SecureMountService\x12@\n\x0b\ + SecureMount\x12\x17.api.SecureMountRequest\x1a\x18.api.SecureMountRespon\ + se2m\n\x14EncryptedMeshService\x12U\n\x12SetUpEncryptedMesh\x12\x1e.api.\ + SetUpEncryptedMeshRequest\x1a\x1f.api.SetUpEncryptedMeshResponseBaZ_gith\ + ub.com/confidential-containers/guest-components/confidential-data-hub/go\ + lang/pkg/api/cdhapib\x06proto3\ "; /// `FileDescriptorProto` object which was a source for this generated file @@ -863,13 +1129,15 @@ pub fn file_descriptor() -> &'static ::protobuf::reflect::FileDescriptor { file_descriptor.get(|| { let generated_file_descriptor = generated_file_descriptor_lazy.get(|| { let mut deps = ::std::vec::Vec::with_capacity(0); - let mut messages = ::std::vec::Vec::with_capacity(6); + let mut messages = ::std::vec::Vec::with_capacity(8); messages.push(UnsealSecretInput::generated_message_descriptor_data()); messages.push(UnsealSecretOutput::generated_message_descriptor_data()); messages.push(GetResourceRequest::generated_message_descriptor_data()); messages.push(GetResourceResponse::generated_message_descriptor_data()); messages.push(SecureMountRequest::generated_message_descriptor_data()); messages.push(SecureMountResponse::generated_message_descriptor_data()); + messages.push(SetUpEncryptedMeshRequest::generated_message_descriptor_data()); + messages.push(SetUpEncryptedMeshResponse::generated_message_descriptor_data()); let mut enums = ::std::vec::Vec::with_capacity(0); ::protobuf::reflect::GeneratedFileDescriptor::new_generated( file_descriptor_proto(), diff --git a/confidential-data-hub/hub/src/bin/protos/api_ttrpc.rs b/confidential-data-hub/hub/src/bin/protos/api_ttrpc.rs index 971ce04e5..557d911aa 100644 --- a/confidential-data-hub/hub/src/bin/protos/api_ttrpc.rs +++ b/confidential-data-hub/hub/src/bin/protos/api_ttrpc.rs @@ -163,3 +163,51 @@ pub fn create_secure_mount_service(service: Arc Self { + EncryptedMeshServiceClient { + client, + } + } + + pub async fn set_up_encrypted_mesh(&self, ctx: ttrpc::context::Context, req: &super::api::SetUpEncryptedMeshRequest) -> ::ttrpc::Result { + let mut cres = super::api::SetUpEncryptedMeshResponse::new(); + ::ttrpc::async_client_request!(self, ctx, req, "api.EncryptedMeshService", "SetUpEncryptedMesh", cres); + } +} + +struct SetUpEncryptedMeshMethod { + service: Arc>, +} + +#[async_trait] +impl ::ttrpc::r#async::MethodHandler for SetUpEncryptedMeshMethod { + async fn handler(&self, ctx: ::ttrpc::r#async::TtrpcContext, req: ::ttrpc::Request) -> ::ttrpc::Result<::ttrpc::Response> { + ::ttrpc::async_request_handler!(self, ctx, req, api, SetUpEncryptedMeshRequest, set_up_encrypted_mesh); + } +} + +#[async_trait] +pub trait EncryptedMeshService: Sync { + async fn set_up_encrypted_mesh(&self, _ctx: &::ttrpc::r#async::TtrpcContext, _: super::api::SetUpEncryptedMeshRequest) -> ::ttrpc::Result { + Err(::ttrpc::Error::RpcStatus(::ttrpc::get_status(::ttrpc::Code::NOT_FOUND, "/api.EncryptedMeshService/SetUpEncryptedMesh is not supported".to_string()))) + } +} + +pub fn create_encrypted_mesh_service(service: Arc>) -> HashMap { + let mut ret = HashMap::new(); + let mut methods = HashMap::new(); + let streams = HashMap::new(); + + methods.insert("SetUpEncryptedMesh".to_string(), + Box::new(SetUpEncryptedMeshMethod{service: service.clone()}) as Box); + + ret.insert("api.EncryptedMeshService".to_string(), ::ttrpc::r#async::Service{ methods, streams }); + ret +} diff --git a/confidential-data-hub/hub/src/bin/protos/keyprovider.rs b/confidential-data-hub/hub/src/bin/protos/keyprovider.rs index c1e719871..a5e5c412c 100644 --- a/confidential-data-hub/hub/src/bin/protos/keyprovider.rs +++ b/confidential-data-hub/hub/src/bin/protos/keyprovider.rs @@ -1,4 +1,4 @@ -// This file is generated by rust-protobuf 3.5.0. Do not edit +// This file is generated by rust-protobuf 3.5.1. Do not edit // .proto file is parsed by pure // @generated @@ -9,7 +9,6 @@ #![allow(unused_attributes)] #![cfg_attr(rustfmt, rustfmt::skip)] -#![allow(box_pointers)] #![allow(dead_code)] #![allow(missing_docs)] #![allow(non_camel_case_types)] @@ -23,7 +22,7 @@ /// Generated files are compatible only with the same version /// of protobuf runtime. -const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_5_0; +const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_5_1; // @@protoc_insertion_point(message:keyprovider.KeyProviderKeyWrapProtocolInput) #[derive(PartialEq,Clone,Default,Debug)] diff --git a/confidential-data-hub/hub/src/bin/ttrpc-cdh-tool.rs b/confidential-data-hub/hub/src/bin/ttrpc-cdh-tool.rs index 5921ba97b..417a561af 100644 --- a/confidential-data-hub/hub/src/bin/ttrpc-cdh-tool.rs +++ b/confidential-data-hub/hub/src/bin/ttrpc-cdh-tool.rs @@ -11,7 +11,10 @@ use base64::{engine::general_purpose::STANDARD, Engine}; use clap::{Args, Parser, Subcommand}; use protos::{ api::*, - api_ttrpc::{GetResourceServiceClient, SealedSecretServiceClient, SecureMountServiceClient}, + api_ttrpc::{ + EncryptedMeshServiceClient, GetResourceServiceClient, SealedSecretServiceClient, + SecureMountServiceClient, + }, keyprovider::*, keyprovider_ttrpc::KeyProviderServiceClient, }; @@ -53,6 +56,9 @@ enum Operation { /// Secure mount SecureMount(SecureMountArgs), + + /// Set up an encrypted mesh + SetUpEncryptedMesh(SetUpEncryptedMeshArgs), } #[derive(Args)] @@ -87,6 +93,16 @@ struct SecureMountArgs { storage_path: String, } +#[derive(Debug, Args)] +#[command(author, version, about, long_about = None)] +struct SetUpEncryptedMeshArgs { + /// FIXME some arg to set up the encrypted mesh + #[arg(short, long)] + pod_name: String, + #[arg(short, long)] + lighthouse_pub_ip: String, +} + #[tokio::main] async fn main() { let args = Cli::parse(); @@ -154,5 +170,17 @@ async fn main() { .expect("request to CDH"); println!("mount path: {}", res.mount_path); } + Operation::SetUpEncryptedMesh(arg) => { + let client = EncryptedMeshServiceClient::new(inner); + let req = SetUpEncryptedMeshRequest { + pod_name: arg.pod_name, + lighthouse_pub_ip: arg.lighthouse_pub_ip, + ..Default::default() + }; + let res = client + .set_up_encrypted_mesh(context::with_timeout(args.timeout * NANO_PER_SECOND), &req) + .await + .expect("request to CDH"); + } } } diff --git a/confidential-data-hub/hub/src/bin/ttrpc-cdh.rs b/confidential-data-hub/hub/src/bin/ttrpc-cdh.rs index 073b711aa..0a34c780d 100644 --- a/confidential-data-hub/hub/src/bin/ttrpc-cdh.rs +++ b/confidential-data-hub/hub/src/bin/ttrpc-cdh.rs @@ -10,7 +10,8 @@ use clap::Parser; use log::info; use protos::{ api_ttrpc::{ - create_get_resource_service, create_sealed_secret_service, create_secure_mount_service, + create_encrypted_mesh_service, create_get_resource_service, create_sealed_secret_service, + create_secure_mount_service, }, keyprovider_ttrpc::create_key_provider_service, }; @@ -76,6 +77,7 @@ async fn main() -> Result<()> { let get_resource_service = ttrpc_service!(create_get_resource_service, &credentials); let key_provider_service = ttrpc_service!(create_key_provider_service, &credentials); let secure_mount_service = ttrpc_service!(create_secure_mount_service, &credentials); + let encrypted_mesh_service = ttrpc_service!(create_encrypted_mesh_service, &credentials); let mut server = TtrpcServer::new() .bind(&config.socket) @@ -83,7 +85,8 @@ async fn main() -> Result<()> { .register_service(sealed_secret_service) .register_service(get_resource_service) .register_service(secure_mount_service) - .register_service(key_provider_service); + .register_service(key_provider_service) + .register_service(encrypted_mesh_service); info!( "[ttRPC] Confidential Data Hub starts to listen to request: {}", diff --git a/confidential-data-hub/hub/src/bin/ttrpc_server/mod.rs b/confidential-data-hub/hub/src/bin/ttrpc_server/mod.rs index aff8ffcd9..20a159e79 100644 --- a/confidential-data-hub/hub/src/bin/ttrpc_server/mod.rs +++ b/confidential-data-hub/hub/src/bin/ttrpc_server/mod.rs @@ -20,9 +20,12 @@ use crate::{ protos::{ api::{ GetResourceRequest, GetResourceResponse, SecureMountRequest, SecureMountResponse, - UnsealSecretInput, UnsealSecretOutput, + SetUpEncryptedMeshRequest, SetUpEncryptedMeshResponse, UnsealSecretInput, + UnsealSecretOutput, + }, + api_ttrpc::{ + EncryptedMeshService, GetResourceService, SealedSecretService, SecureMountService, }, - api_ttrpc::{GetResourceService, SealedSecretService, SecureMountService}, keyprovider::{KeyProviderKeyWrapProtocolInput, KeyProviderKeyWrapProtocolOutput}, keyprovider_ttrpc::KeyProviderService, }, @@ -194,3 +197,31 @@ impl SecureMountService for Server { Ok(reply) } } + +#[async_trait] +impl EncryptedMeshService for Server { + async fn set_up_encrypted_mesh( + &self, + _ctx: &TtrpcContext, + req: SetUpEncryptedMeshRequest, + ) -> ::ttrpc::Result { + debug!("[ttRPC CDH] Set up encrypted mesh request"); + let reader = HUB.read().await; + let reader = reader.as_ref().expect("must be initialized"); + let _resource = reader + .set_up_encrypted_mesh(req.pod_name, req.lighthouse_pub_ip) + .await + .map_err(|e| { + let detailed_error = format_error!(e); + error!("[ttRPC CDH] Set Up Encrypted Mesh:\n{detailed_error}"); + let mut status = Status::new(); + status.set_code(Code::INTERNAL); + status.set_message("[CDH] [ERROR]: set up encryptd mesh failed".to_string()); + Error::RpcStatus(status) + })?; + + let reply = SetUpEncryptedMeshResponse::new(); + debug!("[ttRPC CDH] setup encrypted mesh succeeded."); + Ok(reply) + } +} diff --git a/confidential-data-hub/hub/src/error.rs b/confidential-data-hub/hub/src/error.rs index 7d64a1c02..48c48d5fe 100644 --- a/confidential-data-hub/hub/src/error.rs +++ b/confidential-data-hub/hub/src/error.rs @@ -32,4 +32,7 @@ pub enum Error { #[error("secure mount failed")] SecureMount(#[from] storage::Error), + + #[error("set up encrypted mesh failed")] + EncMeshSetup(#[from] enc_mesh::EncMeshError), } diff --git a/confidential-data-hub/hub/src/hub.rs b/confidential-data-hub/hub/src/hub.rs index 2fe1fa508..0bdaa96d5 100644 --- a/confidential-data-hub/hub/src/hub.rs +++ b/confidential-data-hub/hub/src/hub.rs @@ -62,4 +62,16 @@ impl DataHub for Hub { let res = storage.mount().await?; Ok(res) } + + async fn set_up_encrypted_mesh( + &self, + pod_name: String, + lighthouse_pub_ip: String, + ) -> Result> { + info!("set up encrypted mesh called"); + enc_mesh::set_up(pod_name, lighthouse_pub_ip).await?; + // FIXME remove return value for this interface if we don't need + // anything here. + Ok(Vec::::new()) + } } diff --git a/confidential-data-hub/kms/src/plugins/kbs/mod.rs b/confidential-data-hub/kms/src/plugins/kbs/mod.rs index bb09aa813..6e9c50047 100644 --- a/confidential-data-hub/kms/src/plugins/kbs/mod.rs +++ b/confidential-data-hub/kms/src/plugins/kbs/mod.rs @@ -18,6 +18,7 @@ use std::{env, sync::Arc}; use async_trait::async_trait; use attestation_agent::config::aa_kbc_params::AaKbcParams; use lazy_static::lazy_static; +use log::info; pub use resource_uri::ResourceUri; use tokio::sync::Mutex;