Work-In-Progress: kbs-client: Extend get-resource to support other pl…

…ugins

This is just a hack to be able to test the nebula_ca plugin.

$ cd kbs && make cli ATTESTER=snp-attester && make install-cli
$ docker compose up

$ kbs-client config --auth-private-key kbs/config/private.key set-resource-policy --policy-file  kbs/sample_policies/allow_all.rego
$ kbs-client get-resource --plugin-name "nebula_ca" --resource-path "credential?ip[ip]=10.9.8.2&ip[netbits]=21&name=podA"

Currently, the last command is failing reporting
Error: request unauthorized

and in the trustee log:
ERROR kbs::error] TokenVerifierError(TokenVerificationFailed { source: Cannot verify token since trusted JWK Set is empty })

I did not get to the bottom of the problem yet, but I think I may need
the PR confidential-containers#524 as well

Cargo.toml

@@ -29,7 +29,7 @@ config = "0.13.3"
 env_logger = "0.10.0"
 hex = "0.4.3"
 jwt-simple = "0.11"
-kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", tag="v0.10.0", default-features = false }
+kbs_protocol = { git = "https://github.com/cclaudio/guest-components.git", rev="f89d45154d15995c26b7f65af61dd96e94f9cba2", default-features = false }
 kbs-types = "0.7.0"
 kms = { git = "https://github.com/confidential-containers/guest-components.git", tag="v0.10.0", default-features = false }
 jsonwebtoken = { version = "9", default-features = false }

tools/kbs-client/src/lib.rs

@@ -45,13 +45,15 @@ pub async fn attestation(
 /// Get secret resources with attestation results token
 /// Input parameters:
 /// - url: KBS server root URL.
-/// - path: Resource path, format must be `<top>/<middle>/<tail>`, e.g. `alice/key/example`.
+/// - plugin_name: Plugin name.
+/// - path: Resource path.
 /// - tee_key_pem: TEE private key file path (PEM format). This key must consistent with the public key in `token` claims.
 /// - token: Attestation Results Token file path.
 /// - kbs_root_certs_pem: Custom HTTPS root certificate of KBS server. It can be left blank.
 pub async fn get_resource_with_token(
     url: &str,
-    path: &str,
+    plugin_name: &str,
+    resource_path: &str,
     tee_key_pem: String,
     token: String,
     kbs_root_certs_pem: Vec<String>,
@@ -66,10 +68,17 @@ pub async fn get_resource_with_token(
     }
     let mut client = client_builder.build()?;
 
-    let resource_kbs_uri = format!("kbs:///{path}");
-    let resource_bytes = client
-        .get_resource(serde_json::from_str(&format!("\"{resource_kbs_uri}\""))?)
-        .await?;
+    let resource_bytes = if plugin_name == "resource" {
+        let resource_kbs_uri = format!("kbs:///{resource_path}");
+        client
+            .get_resource(serde_json::from_str(&format!("\"{resource_kbs_uri}\""))?)
+            .await?
+    } else {
+        client
+            .get_plugin_resource(plugin_name.to_owned(), resource_path.to_owned())
+            .await?
+    };
+
     Ok(resource_bytes)
 }
 
@@ -81,7 +90,8 @@ pub async fn get_resource_with_token(
 /// - kbs_root_certs_pem: Custom HTTPS root certificate of KBS server. It can be left blank.
 pub async fn get_resource_with_attestation(
     url: &str,
-    path: &str,
+    plugin_name: &str,
+    resource_path: &str,
     tee_key_pem: Option<String>,
     kbs_root_certs_pem: Vec<String>,
 ) -> Result<Vec<u8>> {
@@ -96,10 +106,17 @@ pub async fn get_resource_with_attestation(
     }
     let mut client = client_builder.build()?;
 
-    let resource_kbs_uri = format!("kbs:///{path}");
-    let resource_bytes = client
-        .get_resource(serde_json::from_str(&format!("\"{resource_kbs_uri}\""))?)
-        .await?;
+    let resource_bytes = if plugin_name == "resource" {
+        let resource_kbs_uri = format!("kbs:///{resource_path}");
+        client
+            .get_resource(serde_json::from_str(&format!("\"{resource_kbs_uri}\""))?)
+            .await?
+    } else {
+        client
+            .get_plugin_resource(plugin_name.to_owned(), resource_path.to_owned())
+            .await?
+    };
+
     Ok(resource_bytes)
 }
 

tools/kbs-client/src/main.rs

@@ -35,10 +35,19 @@ enum Commands {
     /// Get confidential resource
     #[clap(arg_required_else_help = true)]
     GetResource {
-        /// KBS Resource path, e.g my_repo/resource_type/123abc
+        /// KBS plugin name, e.g:
+        /// resource
+        /// nebula_ca
+        #[clap(long, value_parser)]
+        plugin_name: String,
+
+        /// KBS plugin resource path, e.g:
+        /// nebula_ca:   credential?ip=10.9.8.1&netbits=21
+        /// resource:    my_repo/resource_type/123abc
+        ///
         /// Document: https://github.com/confidential-containers/attestation-agent/blob/main/docs/KBS_URI.md
         #[clap(long, value_parser)]
-        path: String,
+        resource_path: String,
 
         /// Custom TEE private Key (RSA) file path (PEM format)
         /// Used to protect the Respond Payload
@@ -139,7 +148,8 @@ async fn main() -> Result<()> {
             println!("{token}");
         }
         Commands::GetResource {
-            path,
+            plugin_name,
+            resource_path,
             tee_key_file,
             attestation_token,
         } => {
@@ -158,7 +168,8 @@ async fn main() -> Result<()> {
                 }
                 let resource_bytes = kbs_client::get_resource_with_token(
                     &cli.url,
-                    &path,
+                    &plugin_name,
+                    &resource_path,
                     tee_key.unwrap(),
                     token.unwrap(),
                     kbs_cert.clone(),
@@ -168,7 +179,8 @@ async fn main() -> Result<()> {
             } else {
                 let resource_bytes = kbs_client::get_resource_with_attestation(
                     &cli.url,
-                    &path,
+                    &plugin_name,
+                    &resource_path,
                     tee_key,
                     kbs_cert.clone(),
                 )