From 435930496f40963194de6d09b7e85f1ed4e33701 Mon Sep 17 00:00:00 2001
From: Claudio Carvalho
Date: Sat, 19 Oct 2024 04:33:08 +0000
Subject: [PATCH] Work-In-Progress: kbs-client: Extend get-resource to support other plugins
This is just a hack to be able to test the nebula_ca plugin.
$ cd kbs && make cli ATTESTER=snp-attester && make install-cli
$ docker compose up
$ kbs-client config --auth-private-key kbs/config/private.key set-resource-policy --policy-file kbs/sample_policies/allow_all.rego
$ kbs-client get-resource --plugin-name "nebula_ca" --resource-path "credential?ip[ip]=10.9.8.2&ip[netbits]=21&name=podA"
Currently, the last command is failing reporting Error: request unauthorized and in the trustee log: ERROR kbs::error] TokenVerifierError(TokenVerificationFailed { source: Cannot verify token since trusted JWK Set is empty }) I did not get to the bottom of the problem yet, but I think I may need the PR #524 as well
---
 Cargo.toml | 2 +-
 tools/kbs-client/src/lib.rs | 39 ++++++++++++++++++++++++++----------
 tools/kbs-client/src/main.rs | 22 +++++++++++++++-----
 3 files changed, 46 insertions(+), 17 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 6afdd26b5..4aaee3bdd 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -29,7 +29,7 @@ config = "0.13.3"
 env_logger = "0.10.0"
 hex = "0.4.3"
 jwt-simple = "0.11"
-kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", tag="v0.10.0", default-features = false }
+kbs_protocol = { git = "https://github.com/cclaudio/guest-components.git", rev="f89d45154d15995c26b7f65af61dd96e94f9cba2", default-features = false }
 kbs-types = "0.7.0"
 kms = { git = "https://github.com/confidential-containers/guest-components.git", tag="v0.10.0", default-features = false }
 jsonwebtoken = { version = "9", default-features = false }
diff --git a/tools/kbs-client/src/lib.rs b/tools/kbs-client/src/lib.rs
index 664527927..35a99c9c6 100644
--- a/tools/kbs-client/src/lib.rs
+++ b/tools/kbs-client/src/lib.rs
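Review bot: The `kbs_protocol` line now resolves from a personal fork (`cclaudio/guest-components`) while `kms` two lines below still comes from upstream `confidential-containers/guest-components` at tag v0.10.0, so two checkouts of the same workspace end up in the dependency graph and the fork becomes part of the trusted supply chain of an attestation client. Pinning a full commit hash is the correct way to reference a fork, but this must not be merged as is; once the guest-components change this depends on (presumably the `get_plugin_resource` API used in lib.rs) lands upstream, point both entries at the same upstream tag again, e.g. `kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", tag="v0.10.0", default-features = false }`. Until then, a comment above the line such as `# TEMPORARY: fork carrying get_plugin_resource; switch back to upstream before merge` makes the intent visible to anyone auditing Cargo.toml.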
@@ -45,13 +45,15 @@ pub async fn attestation(
 /// Get secret resources with attestation results token
 /// Input parameters:
 /// - url: KBS server root URL.
-/// - path: Resource path, format must be `//`, e.g. `alice/key/example`.
+/// - plugin_name: Plugin name.
+/// - path: Resource path.
 /// - tee_key_pem: TEE private key file path (PEM format). This key must consistent with the public key in `token` claims.
 /// - token: Attestation Results Token file path.
 /// - kbs_root_certs_pem: Custom HTTPS root certificate of KBS server. It can be left blank.
 pub async fn get_resource_with_token(
     url: &str,
-    path: &str,
+    plugin_name: &str,
+    resource_path: &str,
     tee_key_pem: String,
     token: String,
     kbs_root_certs_pem: Vec,
@@ -66,10 +68,17 @@ pub async fn get_resource_with_token(
     }
     let mut client = client_builder.build()?;
 
-    let resource_kbs_uri = format!("kbs:///{path}");
-    let resource_bytes = client
-        .get_resource(serde_json::from_str(&format!("\"{resource_kbs_uri}\""))?)
-        .await?;
+    let resource_bytes = if plugin_name == "resource" {
+        let resource_kbs_uri = format!("kbs:///{resource_path}");
+        client
+            .get_resource(serde_json::from_str(&format!("\"{resource_kbs_uri}\""))?)
+            .await?
+    } else {
+        client
+            .get_plugin_resource(plugin_name.to_owned(), resource_path.to_owned())
+            .await?
+    };
+
     Ok(resource_bytes)
 }
 
@@ -81,7 +90,8 @@ pub async fn get_resource_with_token(
 /// - kbs_root_certs_pem: Custom HTTPS root certificate of KBS server. It can be left blank.
 pub async fn get_resource_with_attestation(
     url: &str,
-    path: &str,
+    plugin_name: &str,
+    resource_path: &str,
     tee_key_pem: Option,
     kbs_root_certs_pem: Vec,
 ) -> Result> {
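Review bot: The added doc line `/// - path: Resource path.` in the `get_resource_with_token` header documents a parameter that no longer exists; the signature below it now takes `resource_path`, and the rewrite also drops the format hint the removed line carried without saying how the two new parameters interact (the body in the next hunk branches on `plugin_name == "resource"`). I would replace the two added doc lines with `/// - plugin_name: KBS plugin to query; "resource" selects the built-in resource plugin and routes the path as a kbs:/// URI.` and `/// - resource_path: Path (or query string) handed to the plugin; for "resource" it is the three-segment repository/type/tag form, e.g. alice/key/example.` The body of `get_resource_with_token` continues past the end of this hunk.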
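Review bot: The routing in `get_resource_with_token` compares `plugin_name` against the bare literal `"resource"` and keeps building a JSON string literal by hand with `serde_json::from_str(&format!("\"{resource_kbs_uri}\""))`, so a `resource_path` containing `"` or `\` yields a confusing JSON parse error instead of a clear URI error; the same two lines are copied verbatim into `get_resource_with_attestation` later in this file, so the two will drift. I would name the literal once and go through a JSON value rather than a hand-quoted string: `const RESOURCE_PLUGIN: &str = "resource";`, `let resource_bytes = if plugin_name == RESOURCE_PLUGIN {` and `.get_resource(serde_json::from_value(serde_json::Value::String(format!("kbs:///{resource_path}")))?)`. For every other plugin, `resource_path` (including any query string the caller typed) is forwarded as-is to `get_plugin_resource`, which is acceptable for a CLI client only as long as the server-side plugin validates it; a one-line comment stating that the client performs no validation of `resource_path` would keep a future maintainer from assuming otherwise.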
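Review bot: The `get_resource_with_attestation` signature gains `plugin_name` and `resource_path`, but this hunk touches none of the function's parameter docs; the hunk's first context line is already `/// - kbs_root_certs_pem`, so the lines above it (outside this view) presumably still describe a `path` parameter that no longer exists, unlike the sibling `get_resource_with_token`, whose docs were updated earlier in this file. Add the two doc lines for `plugin_name` and `resource_path` here with the same wording used for the sibling, so both public entry points document the `"resource"` special case identically. The function body continues past the end of this hunk.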
@@ -96,10 +106,17 @@ pub async fn get_resource_with_attestation(
     }
     let mut client = client_builder.build()?;
 
-    let resource_kbs_uri = format!("kbs:///{path}");
-    let resource_bytes = client
-        .get_resource(serde_json::from_str(&format!("\"{resource_kbs_uri}\""))?)
-        .await?;
+    let resource_bytes = if plugin_name == "resource" {
+        let resource_kbs_uri = format!("kbs:///{resource_path}");
+        client
+            .get_resource(serde_json::from_str(&format!("\"{resource_kbs_uri}\""))?)
+            .await?
+    } else {
+        client
+            .get_plugin_resource(plugin_name.to_owned(), resource_path.to_owned())
+            .await?
+    };
+
     Ok(resource_bytes)
 }
 
diff --git a/tools/kbs-client/src/main.rs b/tools/kbs-client/src/main.rs
index 178db4a44..3c664d607 100644
--- a/tools/kbs-client/src/main.rs
+++ b/tools/kbs-client/src/main.rs
@@ -35,10 +35,19 @@ enum Commands {
     /// Get confidential resource
     #[clap(arg_required_else_help = true)]
     GetResource {
-        /// KBS Resource path, e.g my_repo/resource_type/123abc
+        /// KBS plugin name, e.g:
+        ///     resource
+        ///     nebula_ca
+        #[clap(long, value_parser)]
+        plugin_name: String,
+
+        /// KBS plugin resource path, e.g:
+        ///     nebula_ca: credential?ip=10.9.8.1&netbits=21
+        ///     resource: my_repo/resource_type/123abc
+        ///
         /// Document: https://github.com/confidential-containers/attestation-agent/blob/main/docs/KBS_URI.md
         #[clap(long, value_parser)]
-        path: String,
+        resource_path: String,
 
         /// Custom TEE private Key (RSA) file path (PEM format)
         /// Used to protect the Respond Payload
@@ -139,7 +148,8 @@ async fn main() -> Result<()> {
             println!("{token}");
         }
         Commands::GetResource {
-            path,
+            plugin_name,
+            resource_path,
             tee_key_file,
             attestation_token,
         } => {
@@ -158,7 +168,8 @@ async fn main() -> Result<()> {
             }
             let resource_bytes = kbs_client::get_resource_with_token(
                 &cli.url,
-                &path,
+                &plugin_name,
+                &resource_path,
                 tee_key.unwrap(),
                 token.unwrap(),
                 kbs_cert.clone(),
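Review bot: The `if plugin_name == "resource"` block in `get_resource_with_attestation` is a line-for-line copy of the one added to `get_resource_with_token` earlier in this file, including the `"resource"` literal and the hand-built `"\"{resource_kbs_uri}\""` JSON string, so any fix to one (for example rejecting a path with a `"` in it) will silently miss the other. Hoist the routing into one private helper that takes the built client, `plugin_name` and `resource_path` and returns the bytes, and have both public functions call it; at minimum share a single `const RESOURCE_PLUGIN: &str = "resource";` so the special-case name is defined once. The function's opening lines are outside this hunk.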
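Review bot: `--plugin-name` is added as a required flag with no default, and `--path` is renamed to `--resource-path`, so every existing `kbs-client get-resource --path ...` invocation now fails to parse; giving the plugin a default of the built-in one, `#[clap(long, default_value = "resource", value_parser)]`, and keeping the old name reachable with `#[clap(long, alias = "path", value_parser)]` on `resource_path` would make this backward compatible. The indented example lines under `e.g:` will be reflowed by clap unless the field is marked `verbatim_doc_comment`, and the `Document:` link that follows them describes only the `kbs:///` URI format, which applies to the `resource` plugin, not to `nebula_ca`; say so in the help text. The `nebula_ca` example here (`credential?ip=10.9.8.1&netbits=21`) also differs from the form used in the commit message (`ip[ip]=...&ip[netbits]=...&name=...`), so one of the two is presumably stale.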
@@ -168,7 +179,8 @@ async fn main() -> Result<()> {
         } else {
             let resource_bytes = kbs_client::get_resource_with_attestation(
                 &cli.url,
-                &path,
+                &plugin_name,
+                &resource_path,
                 tee_key,
                 kbs_cert.clone(),
             )