diff --git a/confidential-data-hub/hub/protos/api.proto b/confidential-data-hub/hub/protos/api.proto index 8a8ddaf26..f8a4f9aef 100644 --- a/confidential-data-hub/hub/protos/api.proto +++ b/confidential-data-hub/hub/protos/api.proto @@ -39,6 +39,14 @@ message SecureMountResponse { string mount_path = 1; } +message GetPublicKeyRequest { + string KeyId = 1; +} + +message GetPublicKeyResponse { + bytes PublicKeyPem = 1; +} + service SealedSecretService { rpc UnsealSecret(UnsealSecretInput) returns (UnsealSecretOutput) {}; } @@ -54,3 +62,7 @@ service KeyProviderService { service SecureMountService { rpc SecureMount(SecureMountRequest) returns (SecureMountResponse) {}; } + +service GetPublicKeyService { + rpc GetPublicKey(GetPublicKeyRequest) returns (GetPublicKeyResponse) {}; +} diff --git a/confidential-data-hub/hub/src/api.rs b/confidential-data-hub/hub/src/api.rs index 880db037e..b9248ae41 100644 --- a/confidential-data-hub/hub/src/api.rs +++ b/confidential-data-hub/hub/src/api.rs @@ -29,4 +29,7 @@ pub trait DataHub { async fn get_resource(&self, uri: String) -> Result>; async fn secure_mount(&self, storage: Storage) -> Result; + + /// Get the public key due to the `key_id`. + async fn get_public_key(&self, key_id: &str) -> Result>; } diff --git a/confidential-data-hub/hub/src/bin/confidential-data-hub/api.rs b/confidential-data-hub/hub/src/bin/confidential-data-hub/api.rs index 302ac804e..bf12f12cb 100644 --- a/confidential-data-hub/hub/src/bin/confidential-data-hub/api.rs +++ b/confidential-data-hub/hub/src/bin/confidential-data-hub/api.rs @@ -1,4 +1,4 @@ -// This file is generated by rust-protobuf 3.2.0. Do not edit +// This file is generated by rust-protobuf 3.3.0. Do not edit // .proto file is parsed by pure // @generated @@ -23,10 +23,10 @@ /// Generated files are compatible only with the same version /// of protobuf runtime. -const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_2_0; +const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_3_0; -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:api.UnsealSecretInput) +#[derive(PartialEq,Clone,Default,Debug)] pub struct UnsealSecretInput { // message fields // @@protoc_insertion_point(field:api.UnsealSecretInput.secret) @@ -147,8 +147,8 @@ impl ::protobuf::reflect::ProtobufValue for UnsealSecretInput { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:api.UnsealSecretOutput) +#[derive(PartialEq,Clone,Default,Debug)] pub struct UnsealSecretOutput { // message fields // @@protoc_insertion_point(field:api.UnsealSecretOutput.plaintext) @@ -269,8 +269,8 @@ impl ::protobuf::reflect::ProtobufValue for UnsealSecretOutput { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:api.GetResourceRequest) +#[derive(PartialEq,Clone,Default,Debug)] pub struct GetResourceRequest { // message fields // @@protoc_insertion_point(field:api.GetResourceRequest.ResourcePath) @@ -391,8 +391,8 @@ impl ::protobuf::reflect::ProtobufValue for GetResourceRequest { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:api.GetResourceResponse) +#[derive(PartialEq,Clone,Default,Debug)] pub struct GetResourceResponse { // message fields // @@protoc_insertion_point(field:api.GetResourceResponse.Resource) @@ -513,8 +513,8 @@ impl ::protobuf::reflect::ProtobufValue for GetResourceResponse { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:api.KeyProviderKeyWrapProtocolInput) +#[derive(PartialEq,Clone,Default,Debug)] pub struct KeyProviderKeyWrapProtocolInput { // message fields // @@protoc_insertion_point(field:api.KeyProviderKeyWrapProtocolInput.KeyProviderKeyWrapProtocolInput) @@ -635,8 +635,8 @@ impl ::protobuf::reflect::ProtobufValue for KeyProviderKeyWrapProtocolInput { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:api.KeyProviderKeyWrapProtocolOutput) +#[derive(PartialEq,Clone,Default,Debug)] pub struct KeyProviderKeyWrapProtocolOutput { // message fields // @@protoc_insertion_point(field:api.KeyProviderKeyWrapProtocolOutput.KeyProviderKeyWrapProtocolOutput) @@ -757,8 +757,8 @@ impl ::protobuf::reflect::ProtobufValue for KeyProviderKeyWrapProtocolOutput { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:api.SecureMountRequest) +#[derive(PartialEq,Clone,Default,Debug)] pub struct SecureMountRequest { // message fields // @@protoc_insertion_point(field:api.SecureMountRequest.driver) @@ -969,8 +969,8 @@ impl ::protobuf::reflect::ProtobufValue for SecureMountRequest { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:api.SecureMountResponse) +#[derive(PartialEq,Clone,Default,Debug)] pub struct SecureMountResponse { // message fields // @@protoc_insertion_point(field:api.SecureMountResponse.mount_path) @@ -1091,6 +1091,250 @@ impl ::protobuf::reflect::ProtobufValue for SecureMountResponse { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } +// @@protoc_insertion_point(message:api.GetPublicKeyRequest) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct GetPublicKeyRequest { + // message fields + // @@protoc_insertion_point(field:api.GetPublicKeyRequest.KeyId) + pub KeyId: ::std::string::String, + // special fields + // @@protoc_insertion_point(special_field:api.GetPublicKeyRequest.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a GetPublicKeyRequest { + fn default() -> &'a GetPublicKeyRequest { + ::default_instance() + } +} + +impl GetPublicKeyRequest { + pub fn new() -> GetPublicKeyRequest { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "KeyId", + |m: &GetPublicKeyRequest| { &m.KeyId }, + |m: &mut GetPublicKeyRequest| { &mut m.KeyId }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "GetPublicKeyRequest", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for GetPublicKeyRequest { + const NAME: &'static str = "GetPublicKeyRequest"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.KeyId = is.read_string()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.KeyId.is_empty() { + my_size += ::protobuf::rt::string_size(1, &self.KeyId); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.KeyId.is_empty() { + os.write_string(1, &self.KeyId)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> GetPublicKeyRequest { + GetPublicKeyRequest::new() + } + + fn clear(&mut self) { + self.KeyId.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static GetPublicKeyRequest { + static instance: GetPublicKeyRequest = GetPublicKeyRequest { + KeyId: ::std::string::String::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for GetPublicKeyRequest { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("GetPublicKeyRequest").unwrap()).clone() + } +} + +impl ::std::fmt::Display for GetPublicKeyRequest { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for GetPublicKeyRequest { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +// @@protoc_insertion_point(message:api.GetPublicKeyResponse) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct GetPublicKeyResponse { + // message fields + // @@protoc_insertion_point(field:api.GetPublicKeyResponse.PublicKeyPem) + pub PublicKeyPem: ::std::vec::Vec, + // special fields + // @@protoc_insertion_point(special_field:api.GetPublicKeyResponse.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a GetPublicKeyResponse { + fn default() -> &'a GetPublicKeyResponse { + ::default_instance() + } +} + +impl GetPublicKeyResponse { + pub fn new() -> GetPublicKeyResponse { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "PublicKeyPem", + |m: &GetPublicKeyResponse| { &m.PublicKeyPem }, + |m: &mut GetPublicKeyResponse| { &mut m.PublicKeyPem }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "GetPublicKeyResponse", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for GetPublicKeyResponse { + const NAME: &'static str = "GetPublicKeyResponse"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.PublicKeyPem = is.read_bytes()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.PublicKeyPem.is_empty() { + my_size += ::protobuf::rt::bytes_size(1, &self.PublicKeyPem); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.PublicKeyPem.is_empty() { + os.write_bytes(1, &self.PublicKeyPem)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> GetPublicKeyResponse { + GetPublicKeyResponse::new() + } + + fn clear(&mut self) { + self.PublicKeyPem.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static GetPublicKeyResponse { + static instance: GetPublicKeyResponse = GetPublicKeyResponse { + PublicKeyPem: ::std::vec::Vec::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for GetPublicKeyResponse { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("GetPublicKeyResponse").unwrap()).clone() + } +} + +impl ::std::fmt::Display for GetPublicKeyResponse { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for GetPublicKeyResponse { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + static file_descriptor_proto_data: &'static [u8] = b"\ \n\tapi.proto\x12\x03api\"+\n\x11UnsealSecretInput\x12\x16\n\x06secret\ \x18\x01\x20\x01(\x0cR\x06secret\"2\n\x12UnsealSecretOutput\x12\x1c\n\tp\ @@ -1107,13 +1351,17 @@ static file_descriptor_proto_data: &'static [u8] = b"\ \x04\x20\x01(\tR\x06fstype\x12\x18\n\x07options\x18\x05\x20\x03(\tR\x07o\ ptions\x12\x1f\n\x0bmount_point\x18\x06\x20\x01(\tR\nmountPoint\"4\n\x13\ SecureMountResponse\x12\x1d\n\nmount_path\x18\x01\x20\x01(\tR\tmountPath\ - 2V\n\x13SealedSecretService\x12?\n\x0cUnsealSecret\x12\x16.api.UnsealSec\ - retInput\x1a\x17.api.UnsealSecretOutput2V\n\x12GetResourceService\x12@\n\ - \x0bGetResource\x12\x17.api.GetResourceRequest\x1a\x18.api.GetResourceRe\ - sponse2n\n\x12KeyProviderService\x12X\n\tUnWrapKey\x12$.api.KeyProviderK\ - eyWrapProtocolInput\x1a%.api.KeyProviderKeyWrapProtocolOutput2V\n\x12Sec\ - ureMountService\x12@\n\x0bSecureMount\x12\x17.api.SecureMountRequest\x1a\ - \x18.api.SecureMountResponseb\x06proto3\ + \"+\n\x13GetPublicKeyRequest\x12\x14\n\x05KeyId\x18\x01\x20\x01(\tR\x05K\ + eyId\":\n\x14GetPublicKeyResponse\x12\"\n\x0cPublicKeyPem\x18\x01\x20\ + \x01(\x0cR\x0cPublicKeyPem2V\n\x13SealedSecretService\x12?\n\x0cUnsealSe\ + cret\x12\x16.api.UnsealSecretInput\x1a\x17.api.UnsealSecretOutput2V\n\ + \x12GetResourceService\x12@\n\x0bGetResource\x12\x17.api.GetResourceRequ\ + est\x1a\x18.api.GetResourceResponse2n\n\x12KeyProviderService\x12X\n\tUn\ + WrapKey\x12$.api.KeyProviderKeyWrapProtocolInput\x1a%.api.KeyProviderKey\ + WrapProtocolOutput2V\n\x12SecureMountService\x12@\n\x0bSecureMount\x12\ + \x17.api.SecureMountRequest\x1a\x18.api.SecureMountResponse2Z\n\x13GetPu\ + blicKeyService\x12C\n\x0cGetPublicKey\x12\x18.api.GetPublicKeyRequest\ + \x1a\x19.api.GetPublicKeyResponseb\x06proto3\ "; /// `FileDescriptorProto` object which was a source for this generated file @@ -1131,7 +1379,7 @@ pub fn file_descriptor() -> &'static ::protobuf::reflect::FileDescriptor { file_descriptor.get(|| { let generated_file_descriptor = generated_file_descriptor_lazy.get(|| { let mut deps = ::std::vec::Vec::with_capacity(0); - let mut messages = ::std::vec::Vec::with_capacity(8); + let mut messages = ::std::vec::Vec::with_capacity(10); messages.push(UnsealSecretInput::generated_message_descriptor_data()); messages.push(UnsealSecretOutput::generated_message_descriptor_data()); messages.push(GetResourceRequest::generated_message_descriptor_data()); @@ -1140,6 +1388,8 @@ pub fn file_descriptor() -> &'static ::protobuf::reflect::FileDescriptor { messages.push(KeyProviderKeyWrapProtocolOutput::generated_message_descriptor_data()); messages.push(SecureMountRequest::generated_message_descriptor_data()); messages.push(SecureMountResponse::generated_message_descriptor_data()); + messages.push(GetPublicKeyRequest::generated_message_descriptor_data()); + messages.push(GetPublicKeyResponse::generated_message_descriptor_data()); let mut enums = ::std::vec::Vec::with_capacity(0); ::protobuf::reflect::GeneratedFileDescriptor::new_generated( file_descriptor_proto(), diff --git a/confidential-data-hub/hub/src/bin/confidential-data-hub/api_ttrpc.rs b/confidential-data-hub/hub/src/bin/confidential-data-hub/api_ttrpc.rs index 47b16b330..d1d82d843 100644 --- a/confidential-data-hub/hub/src/bin/confidential-data-hub/api_ttrpc.rs +++ b/confidential-data-hub/hub/src/bin/confidential-data-hub/api_ttrpc.rs @@ -1,12 +1,9 @@ -// This file is generated by ttrpc-compiler 0.6.1. Do not edit +// This file is generated by ttrpc-compiler 0.6.2. Do not edit // @generated -// https://github.com/Manishearth/rust-clippy/issues/702 +#![cfg_attr(rustfmt, rustfmt_skip)] #![allow(unknown_lints)] #![allow(clipto_camel_casepy)] - -#![cfg_attr(rustfmt, rustfmt_skip)] - #![allow(box_pointers)] #![allow(dead_code)] #![allow(missing_docs)] @@ -17,6 +14,7 @@ #![allow(unsafe_code)] #![allow(unused_imports)] #![allow(unused_results)] +#![allow(clippy::all)] use protobuf::{CodedInputStream, CodedOutputStream, Message}; use std::collections::HashMap; use std::sync::Arc; @@ -213,3 +211,51 @@ pub fn create_secure_mount_service(service: Arc Self { + GetPublicKeyServiceClient { + client, + } + } + + pub async fn get_public_key(&self, ctx: ttrpc::context::Context, req: &super::api::GetPublicKeyRequest) -> ::ttrpc::Result { + let mut cres = super::api::GetPublicKeyResponse::new(); + ::ttrpc::async_client_request!(self, ctx, req, "api.GetPublicKeyService", "GetPublicKey", cres); + } +} + +struct GetPublicKeyMethod { + service: Arc>, +} + +#[async_trait] +impl ::ttrpc::r#async::MethodHandler for GetPublicKeyMethod { + async fn handler(&self, ctx: ::ttrpc::r#async::TtrpcContext, req: ::ttrpc::Request) -> ::ttrpc::Result<::ttrpc::Response> { + ::ttrpc::async_request_handler!(self, ctx, req, api, GetPublicKeyRequest, get_public_key); + } +} + +#[async_trait] +pub trait GetPublicKeyService: Sync { + async fn get_public_key(&self, _ctx: &::ttrpc::r#async::TtrpcContext, _: super::api::GetPublicKeyRequest) -> ::ttrpc::Result { + Err(::ttrpc::Error::RpcStatus(::ttrpc::get_status(::ttrpc::Code::NOT_FOUND, "/api.GetPublicKeyService/GetPublicKey is not supported".to_string()))) + } +} + +pub fn create_get_public_key_service(service: Arc>) -> HashMap { + let mut ret = HashMap::new(); + let mut methods = HashMap::new(); + let streams = HashMap::new(); + + methods.insert("GetPublicKey".to_string(), + Box::new(GetPublicKeyMethod{service: service.clone()}) as Box); + + ret.insert("api.GetPublicKeyService".to_string(), ::ttrpc::r#async::Service{ methods, streams }); + ret +} diff --git a/confidential-data-hub/hub/src/bin/confidential-data-hub/main.rs b/confidential-data-hub/hub/src/bin/confidential-data-hub/main.rs index 6455b98b1..d9985029a 100644 --- a/confidential-data-hub/hub/src/bin/confidential-data-hub/main.rs +++ b/confidential-data-hub/hub/src/bin/confidential-data-hub/main.rs @@ -7,8 +7,8 @@ use std::{path::Path, sync::Arc}; use anyhow::{Context, Result}; use api_ttrpc::{ - create_get_resource_service, create_key_provider_service, create_sealed_secret_service, - create_secure_mount_service, + create_get_public_key_service, create_get_resource_service, create_key_provider_service, + create_sealed_secret_service, create_secure_mount_service, }; use clap::Parser; use log::info; @@ -60,13 +60,16 @@ async fn main() -> Result<()> { let get_resource_service = ttrpc_service!(create_get_resource_service); let key_provider_service = ttrpc_service!(create_key_provider_service); let secure_mount_service = ttrpc_service!(create_secure_mount_service); + let get_publickey_service = ttrpc_service!(create_get_public_key_service); + let mut server = TtrpcServer::new() .bind(&cli.socket) .context("cannot bind cdh ttrpc service")? .register_service(sealed_secret_service) .register_service(get_resource_service) .register_service(secure_mount_service) - .register_service(key_provider_service); + .register_service(key_provider_service) + .register_service(get_publickey_service); server.start().await?; diff --git a/confidential-data-hub/hub/src/bin/confidential-data-hub/server/mod.rs b/confidential-data-hub/hub/src/bin/confidential-data-hub/server/mod.rs index 501f0850f..75c3c090f 100644 --- a/confidential-data-hub/hub/src/bin/confidential-data-hub/server/mod.rs +++ b/confidential-data-hub/hub/src/bin/confidential-data-hub/server/mod.rs @@ -16,11 +16,14 @@ use ttrpc::{asynchronous::TtrpcContext, Code, Error, Status}; use crate::{ api::{ - GetResourceRequest, GetResourceResponse, KeyProviderKeyWrapProtocolInput, - KeyProviderKeyWrapProtocolOutput, SecureMountRequest, SecureMountResponse, - UnsealSecretInput, UnsealSecretOutput, + GetPublicKeyRequest, GetPublicKeyResponse, GetResourceRequest, GetResourceResponse, + KeyProviderKeyWrapProtocolInput, KeyProviderKeyWrapProtocolOutput, SecureMountRequest, + SecureMountResponse, UnsealSecretInput, UnsealSecretOutput, + }, + api_ttrpc::{ + GetPublicKeyService, GetResourceService, KeyProviderService, SealedSecretService, + SecureMountService, }, - api_ttrpc::{GetResourceService, KeyProviderService, SealedSecretService, SecureMountService}, server::message::{KeyProviderInput, KeyUnwrapOutput, KeyUnwrapResults}, }; @@ -182,6 +185,32 @@ impl SecureMountService for Server { let mut reply = SecureMountResponse::new(); reply.mount_path = resource; debug!("send back the resource"); + + Ok(reply) + } +} + +#[async_trait] +impl GetPublicKeyService for Server { + async fn get_public_key( + &self, + _ctx: &TtrpcContext, + req: GetPublicKeyRequest, + ) -> ::ttrpc::Result { + debug!("get new GetPublicKey request"); + let reader = HUB.read().await; + let reader = reader.as_ref().expect("must be initialized"); + let pubkey_pem = reader.get_public_key(&req.KeyId).await.map_err(|e| { + let mut status = Status::new(); + status.set_code(Code::INTERNAL); + status.set_message(format!("[CDH] [ERROR]: Get Public Key failed: {e}")); + Error::RpcStatus(status) + })?; + + let mut reply = GetPublicKeyResponse::new(); + reply.PublicKeyPem = pubkey_pem; + + debug!("send back the public key in PEM encoding"); Ok(reply) } } diff --git a/confidential-data-hub/hub/src/error.rs b/confidential-data-hub/hub/src/error.rs index 07abc2bf2..f806a9e01 100644 --- a/confidential-data-hub/hub/src/error.rs +++ b/confidential-data-hub/hub/src/error.rs @@ -9,6 +9,9 @@ pub type Result = std::result::Result; #[derive(Error, Debug)] pub enum Error { + #[error("get public key failed: {0}")] + GetPublicKey(String), + #[error("get resource failed: {0}")] GetResource(String), diff --git a/confidential-data-hub/hub/src/hub.rs b/confidential-data-hub/hub/src/hub.rs index a6e95f2d1..cd59a8d57 100644 --- a/confidential-data-hub/hub/src/hub.rs +++ b/confidential-data-hub/hub/src/hub.rs @@ -82,4 +82,11 @@ impl DataHub for Hub { .map_err(|e| Error::SecureMount(e.to_string()))?; Ok(res) } + + async fn get_public_key(&self, key_id: &str) -> Result> { + let pubkey = kms::get_public_key(key_id) + .await + .map_err(|e| Error::GetPublicKey(e.to_string()))?; + Ok(pubkey) + } } diff --git a/confidential-data-hub/kms/src/api.rs b/confidential-data-hub/kms/src/api.rs index d0c9c6e9e..eda923473 100644 --- a/confidential-data-hub/kms/src/api.rs +++ b/confidential-data-hub/kms/src/api.rs @@ -77,3 +77,9 @@ pub trait Getter: Send + Sync { /// `annotations`. async fn get_secret(&mut self, name: &str, annotations: &Annotations) -> Result>; } + +#[async_trait] +pub trait PubkeyProvider: Send + Sync { + /// Get public key from the KMS due to the given key id. + async fn get_public_key(&mut self, key_id: &str) -> Result>; +} diff --git a/confidential-data-hub/kms/src/error.rs b/confidential-data-hub/kms/src/error.rs index 980d352bb..7741e1adc 100644 --- a/confidential-data-hub/kms/src/error.rs +++ b/confidential-data-hub/kms/src/error.rs @@ -22,4 +22,9 @@ pub enum Error { #[error("Unsupported provider: {0}")] UnsupportedProvider(String), + + #[error( + "Unsupported public key id: {0}. should be, e.g. `kbs:///example/key/1` or `aliyun://xxx`" + )] + UnsupportedPublicKeyId(String), } diff --git a/confidential-data-hub/kms/src/lib.rs b/confidential-data-hub/kms/src/lib.rs index ca9f7cbd0..f1049b708 100644 --- a/confidential-data-hub/kms/src/lib.rs +++ b/confidential-data-hub/kms/src/lib.rs @@ -10,4 +10,4 @@ pub mod error; pub use error::*; pub mod plugins; -pub use plugins::{new_decryptor, new_getter}; +pub use plugins::{get_public_key, new_decryptor, new_getter}; diff --git a/confidential-data-hub/kms/src/plugins/aliyun/client.rs b/confidential-data-hub/kms/src/plugins/aliyun/client.rs index 28c8d2e70..7c80d8c10 100644 --- a/confidential-data-hub/kms/src/plugins/aliyun/client.rs +++ b/confidential-data-hub/kms/src/plugins/aliyun/client.rs @@ -18,9 +18,11 @@ use serde_json::Value; use sha2::{Digest, Sha256}; use tokio::fs; -use crate::plugins::aliyun::client::dkms_api::{DecryptRequest, EncryptRequest}; +use crate::plugins::aliyun::client::dkms_api::{ + DecryptRequest, EncryptRequest, GetPublicKeyRequest, +}; use crate::plugins::_IN_GUEST_DEFAULT_KEY_PATH; -use crate::{Annotations, Decrypter, Encrypter, ProviderSettings}; +use crate::{Annotations, Decrypter, Encrypter, ProviderSettings, PubkeyProvider}; use crate::{Error, Result}; use super::annotations::{AliAnnotations, AliProviderSettings}; @@ -223,6 +225,40 @@ impl Decrypter for AliyunKmsClient { } } +#[async_trait] +impl PubkeyProvider for AliyunKmsClient { + /// a typical key id of aliyun KMS is like + /// `key-shh65012xxxmpi4oxtxxx` + async fn get_public_key(&mut self, key_id: &str) -> Result> { + let get_public_key_request = GetPublicKeyRequest { + key_id: key_id.into(), + }; + let mut body = Vec::new(); + get_public_key_request.encode(&mut body).map_err(|e| { + Error::AliyunKmsError(format!( + "encode get public key request using protobuf failed: {e}" + )) + })?; + let headers = self.build_headers("GetPublicKey", &body).map_err(|e| { + Error::AliyunKmsError(format!( + "build get public key request http header failed: {e}" + )) + })?; + + let res = self + .do_request(body, headers) + .await + .map_err(|e| Error::AliyunKmsError(format!("do request to kms server failed: {e}")))?; + + let decrypt_response = dkms_api::GetPublicKeyResponse::decode(&res[..]).map_err(|e| { + Error::AliyunKmsError(format!( + "decode decrypt response using protobuf failed: {e}" + )) + })?; + Ok(decrypt_response.public_key.into()) + } +} + impl AliyunKmsClient { const API_VERSION: &'static str = "dkms-gcs-0.2"; const SIGNATURE_METHOD: &'static str = "RSA_PKCS1_SHA_256"; diff --git a/confidential-data-hub/kms/src/plugins/aliyun/protobuf/dkms_api.proto b/confidential-data-hub/kms/src/plugins/aliyun/protobuf/dkms_api.proto index 6a731ac80..d25fea924 100644 --- a/confidential-data-hub/kms/src/plugins/aliyun/protobuf/dkms_api.proto +++ b/confidential-data-hub/kms/src/plugins/aliyun/protobuf/dkms_api.proto @@ -37,6 +37,16 @@ message DecryptResponse { string PaddingMode = 5; } +message GetPublicKeyRequest { + string KeyId = 1; +} + +message GetPublicKeyResponse { + string KeyId = 1; + string PublicKey = 2; + string RequestId = 3; +} + message Error { int32 StatusCode = 1; string ErrorCode = 2; diff --git a/confidential-data-hub/kms/src/plugins/kbs/mod.rs b/confidential-data-hub/kms/src/plugins/kbs/mod.rs index 3c7c5e9ec..a1ad7ef56 100644 --- a/confidential-data-hub/kms/src/plugins/kbs/mod.rs +++ b/confidential-data-hub/kms/src/plugins/kbs/mod.rs @@ -23,7 +23,7 @@ use std::fs; use std::path::Path; use tokio::sync::Mutex; -use crate::{Annotations, Error, Getter, Result}; +use crate::{Annotations, Error, Getter, PubkeyProvider, Result}; const PEER_POD_CONFIG_PATH: &str = "/run/peerpod/daemon.json"; @@ -100,6 +100,13 @@ impl Getter for KbcClient { } } +#[async_trait] +impl PubkeyProvider for KbcClient { + async fn get_public_key(&mut self, key_id: &str) -> Result> { + self.get_secret(key_id, &Annotations::new()).await + } +} + impl KbcClient { pub async fn new() -> Result { let client = KBS_CLIENT.clone(); diff --git a/confidential-data-hub/kms/src/plugins/mod.rs b/confidential-data-hub/kms/src/plugins/mod.rs index a014433e1..346df74d9 100644 --- a/confidential-data-hub/kms/src/plugins/mod.rs +++ b/confidential-data-hub/kms/src/plugins/mod.rs @@ -5,7 +5,7 @@ use strum::{AsRefStr, EnumString}; -use crate::{Decrypter, Error, Getter, ProviderSettings, Result}; +use crate::{Decrypter, Error, Getter, ProviderSettings, PubkeyProvider, Result}; const _IN_GUEST_DEFAULT_KEY_PATH: &str = "/run/confidential-containers/cdh/kms-credential"; @@ -66,3 +66,43 @@ pub async fn new_getter( VaultProvider::Kbs => Ok(Box::new(kbs::KbcClient::new().await?) as Box), } } + +#[derive(AsRefStr, EnumString)] +pub enum PublicKeyProvider { + #[cfg(feature = "kbs")] + #[strum(ascii_case_insensitive)] + Kbs, + #[cfg(feature = "aliyun")] + #[strum(ascii_case_insensitive)] + Aliyun, +} + +/// Create a new [`PubkeyProvider`] by given provider name +async fn new_public_key_provider(provider_name: &str) -> Result> { + let provider = PublicKeyProvider::try_from(provider_name) + .map_err(|_| Error::UnsupportedProvider(provider_name.to_string()))?; + match provider { + #[cfg(feature = "kbs")] + PublicKeyProvider::Kbs => { + Ok(Box::new(kbs::KbcClient::new().await?) as Box) + } + #[cfg(feature = "aliyun")] + PublicKeyProvider::Aliyun => Ok(Box::new( + aliyun::AliyunKmsClient::from_provider_settings(&ProviderSettings::default()).await?, + ) as Box), + } +} + +/// Get the public key due to the given `key_id`. +/// For example `key_id`: +/// +/// - KBS: `kbs:///default/key/1` +/// - Aliyun KMS: `aliyun://key-shh65012626mpi4oxxxxx` +pub async fn get_public_key(key_id: &str) -> Result> { + let (provider, keyid) = key_id + .split_once("://") + .ok_or(Error::UnsupportedPublicKeyId(key_id.to_string()))?; + let mut provider = new_public_key_provider(provider).await?; + let pubkey = provider.get_public_key(keyid).await?; + Ok(pubkey) +} diff --git a/image-rs/Cargo.toml b/image-rs/Cargo.toml index 7e06aef7e..5ad9635e8 100644 --- a/image-rs/Cargo.toml +++ b/image-rs/Cargo.toml @@ -93,6 +93,15 @@ encryption = ["ocicrypt-rs/block-cipher"] encryption-ring = ["ocicrypt-rs/block-cipher-ring", "encryption"] encryption-openssl = ["ocicrypt-rs/block-cipher-openssl", "encryption"] +# Get needed image verification keys from Confidential Data Hub +# This is a workaround feature. Because currently to decrypt image, AA will +# be connected. This feature controls if the public key to verify signature +# is got from Confidential Data Hub. +# The final goal is both image decryption and public key is handled by CDH. +# At that time this feature should be depreciated. This work relies on moving +# all non-attestation features of AA to CDH. +confidential-data-hub = ["dep:ttrpc", "dep:protobuf"] + keywrap-cmd = ["ocicrypt-rs/keywrap-keyprovider-cmd"] keywrap-grpc = ["ocicrypt-rs/keywrap-keyprovider-grpc", "prost", "tonic", "tonic-build"] keywrap-native = ["ocicrypt-rs/keywrap-keyprovider-native", "attestation_agent"] diff --git a/image-rs/build.rs b/image-rs/build.rs index 2d4bfcac1..0060e588c 100644 --- a/image-rs/build.rs +++ b/image-rs/build.rs @@ -10,18 +10,33 @@ fn main() -> Result<()> { tonic_build::compile_protos("./protos/getresource.proto").context("tonic build")?; #[cfg(feature = "ttrpc-codegen")] - ttrpc_codegen::Codegen::new() - .out_dir("./src/resource/kbs/ttrpc_proto") - .input("./protos/getresource.proto") - .include("./protos") - .rust_protobuf() - .customize(ttrpc_codegen::Customize { - async_all: true, - ..Default::default() - }) - .rust_protobuf_customize(ttrpc_codegen::ProtobufCustomize::default().gen_mod_rs(false)) - .run() - .context("ttrpc build")?; + { + ttrpc_codegen::Codegen::new() + .out_dir("./src/resource/kbs/ttrpc_proto") + .input("./protos/getresource.proto") + .include("./protos") + .rust_protobuf() + .customize(ttrpc_codegen::Customize { + async_all: true, + ..Default::default() + }) + .rust_protobuf_customize(ttrpc_codegen::ProtobufCustomize::default().gen_mod_rs(false)) + .run() + .context("ttrpc build")?; + #[cfg(all(feature = "signature-cosign", feature = "confidential-data-hub"))] + ttrpc_codegen::Codegen::new() + .out_dir("./src/signature/mechanism/cosign") + .input("../confidential-data-hub/hub/protos/api.proto") + .include("../confidential-data-hub/hub/protos") + .rust_protobuf() + .customize(ttrpc_codegen::Customize { + async_all: true, + ..Default::default() + }) + .rust_protobuf_customize(ttrpc_codegen::ProtobufCustomize::default().gen_mod_rs(false)) + .run() + .context("ttrpc build")?; + } Ok(()) } diff --git a/image-rs/src/resource/kbs/ttrpc_proto/getresource.rs b/image-rs/src/resource/kbs/ttrpc_proto/getresource.rs index d655b2c8b..cadeb6eee 100644 --- a/image-rs/src/resource/kbs/ttrpc_proto/getresource.rs +++ b/image-rs/src/resource/kbs/ttrpc_proto/getresource.rs @@ -1,4 +1,4 @@ -// This file is generated by rust-protobuf 3.2.0. Do not edit +// This file is generated by rust-protobuf 3.3.0. Do not edit // .proto file is parsed by pure // @generated @@ -23,10 +23,10 @@ /// Generated files are compatible only with the same version /// of protobuf runtime. -const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_2_0; +const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_3_0; -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:getresource.GetResourceRequest) +#[derive(PartialEq,Clone,Default,Debug)] pub struct GetResourceRequest { // message fields // @@protoc_insertion_point(field:getresource.GetResourceRequest.ResourcePath) @@ -183,8 +183,8 @@ impl ::protobuf::reflect::ProtobufValue for GetResourceRequest { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:getresource.GetResourceResponse) +#[derive(PartialEq,Clone,Default,Debug)] pub struct GetResourceResponse { // message fields // @@protoc_insertion_point(field:getresource.GetResourceResponse.Resource) diff --git a/image-rs/src/resource/kbs/ttrpc_proto/getresource_ttrpc.rs b/image-rs/src/resource/kbs/ttrpc_proto/getresource_ttrpc.rs index 8f0c6bd9d..40c5e226a 100644 --- a/image-rs/src/resource/kbs/ttrpc_proto/getresource_ttrpc.rs +++ b/image-rs/src/resource/kbs/ttrpc_proto/getresource_ttrpc.rs @@ -1,12 +1,9 @@ -// This file is generated by ttrpc-compiler 0.6.1. Do not edit +// This file is generated by ttrpc-compiler 0.6.2. Do not edit // @generated -// https://github.com/Manishearth/rust-clippy/issues/702 +#![cfg_attr(rustfmt, rustfmt_skip)] #![allow(unknown_lints)] #![allow(clipto_camel_casepy)] - -#![cfg_attr(rustfmt, rustfmt_skip)] - #![allow(box_pointers)] #![allow(dead_code)] #![allow(missing_docs)] @@ -17,6 +14,7 @@ #![allow(unsafe_code)] #![allow(unused_imports)] #![allow(unused_results)] +#![allow(clippy::all)] use protobuf::{CodedInputStream, CodedOutputStream, Message}; use std::collections::HashMap; use std::sync::Arc; diff --git a/image-rs/src/signature/mechanism/cosign/api.rs b/image-rs/src/signature/mechanism/cosign/api.rs new file mode 100644 index 000000000..bf12f12cb --- /dev/null +++ b/image-rs/src/signature/mechanism/cosign/api.rs @@ -0,0 +1,1403 @@ +// This file is generated by rust-protobuf 3.3.0. Do not edit +// .proto file is parsed by pure +// @generated + +// https://github.com/rust-lang/rust-clippy/issues/702 +#![allow(unknown_lints)] +#![allow(clippy::all)] + +#![allow(unused_attributes)] +#![cfg_attr(rustfmt, rustfmt::skip)] + +#![allow(box_pointers)] +#![allow(dead_code)] +#![allow(missing_docs)] +#![allow(non_camel_case_types)] +#![allow(non_snake_case)] +#![allow(non_upper_case_globals)] +#![allow(trivial_casts)] +#![allow(unused_results)] +#![allow(unused_mut)] + +//! Generated file from `api.proto` + +/// Generated files are compatible only with the same version +/// of protobuf runtime. +const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_3_0; + +// @@protoc_insertion_point(message:api.UnsealSecretInput) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct UnsealSecretInput { + // message fields + // @@protoc_insertion_point(field:api.UnsealSecretInput.secret) + pub secret: ::std::vec::Vec, + // special fields + // @@protoc_insertion_point(special_field:api.UnsealSecretInput.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a UnsealSecretInput { + fn default() -> &'a UnsealSecretInput { + ::default_instance() + } +} + +impl UnsealSecretInput { + pub fn new() -> UnsealSecretInput { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "secret", + |m: &UnsealSecretInput| { &m.secret }, + |m: &mut UnsealSecretInput| { &mut m.secret }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "UnsealSecretInput", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for UnsealSecretInput { + const NAME: &'static str = "UnsealSecretInput"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.secret = is.read_bytes()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.secret.is_empty() { + my_size += ::protobuf::rt::bytes_size(1, &self.secret); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.secret.is_empty() { + os.write_bytes(1, &self.secret)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> UnsealSecretInput { + UnsealSecretInput::new() + } + + fn clear(&mut self) { + self.secret.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static UnsealSecretInput { + static instance: UnsealSecretInput = UnsealSecretInput { + secret: ::std::vec::Vec::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for UnsealSecretInput { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("UnsealSecretInput").unwrap()).clone() + } +} + +impl ::std::fmt::Display for UnsealSecretInput { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for UnsealSecretInput { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +// @@protoc_insertion_point(message:api.UnsealSecretOutput) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct UnsealSecretOutput { + // message fields + // @@protoc_insertion_point(field:api.UnsealSecretOutput.plaintext) + pub plaintext: ::std::vec::Vec, + // special fields + // @@protoc_insertion_point(special_field:api.UnsealSecretOutput.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a UnsealSecretOutput { + fn default() -> &'a UnsealSecretOutput { + ::default_instance() + } +} + +impl UnsealSecretOutput { + pub fn new() -> UnsealSecretOutput { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "plaintext", + |m: &UnsealSecretOutput| { &m.plaintext }, + |m: &mut UnsealSecretOutput| { &mut m.plaintext }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "UnsealSecretOutput", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for UnsealSecretOutput { + const NAME: &'static str = "UnsealSecretOutput"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.plaintext = is.read_bytes()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.plaintext.is_empty() { + my_size += ::protobuf::rt::bytes_size(1, &self.plaintext); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.plaintext.is_empty() { + os.write_bytes(1, &self.plaintext)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> UnsealSecretOutput { + UnsealSecretOutput::new() + } + + fn clear(&mut self) { + self.plaintext.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static UnsealSecretOutput { + static instance: UnsealSecretOutput = UnsealSecretOutput { + plaintext: ::std::vec::Vec::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for UnsealSecretOutput { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("UnsealSecretOutput").unwrap()).clone() + } +} + +impl ::std::fmt::Display for UnsealSecretOutput { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for UnsealSecretOutput { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +// @@protoc_insertion_point(message:api.GetResourceRequest) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct GetResourceRequest { + // message fields + // @@protoc_insertion_point(field:api.GetResourceRequest.ResourcePath) + pub ResourcePath: ::std::string::String, + // special fields + // @@protoc_insertion_point(special_field:api.GetResourceRequest.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a GetResourceRequest { + fn default() -> &'a GetResourceRequest { + ::default_instance() + } +} + +impl GetResourceRequest { + pub fn new() -> GetResourceRequest { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "ResourcePath", + |m: &GetResourceRequest| { &m.ResourcePath }, + |m: &mut GetResourceRequest| { &mut m.ResourcePath }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "GetResourceRequest", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for GetResourceRequest { + const NAME: &'static str = "GetResourceRequest"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.ResourcePath = is.read_string()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.ResourcePath.is_empty() { + my_size += ::protobuf::rt::string_size(1, &self.ResourcePath); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.ResourcePath.is_empty() { + os.write_string(1, &self.ResourcePath)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> GetResourceRequest { + GetResourceRequest::new() + } + + fn clear(&mut self) { + self.ResourcePath.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static GetResourceRequest { + static instance: GetResourceRequest = GetResourceRequest { + ResourcePath: ::std::string::String::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for GetResourceRequest { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("GetResourceRequest").unwrap()).clone() + } +} + +impl ::std::fmt::Display for GetResourceRequest { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for GetResourceRequest { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +// @@protoc_insertion_point(message:api.GetResourceResponse) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct GetResourceResponse { + // message fields + // @@protoc_insertion_point(field:api.GetResourceResponse.Resource) + pub Resource: ::std::vec::Vec, + // special fields + // @@protoc_insertion_point(special_field:api.GetResourceResponse.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a GetResourceResponse { + fn default() -> &'a GetResourceResponse { + ::default_instance() + } +} + +impl GetResourceResponse { + pub fn new() -> GetResourceResponse { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "Resource", + |m: &GetResourceResponse| { &m.Resource }, + |m: &mut GetResourceResponse| { &mut m.Resource }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "GetResourceResponse", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for GetResourceResponse { + const NAME: &'static str = "GetResourceResponse"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.Resource = is.read_bytes()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.Resource.is_empty() { + my_size += ::protobuf::rt::bytes_size(1, &self.Resource); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.Resource.is_empty() { + os.write_bytes(1, &self.Resource)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> GetResourceResponse { + GetResourceResponse::new() + } + + fn clear(&mut self) { + self.Resource.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static GetResourceResponse { + static instance: GetResourceResponse = GetResourceResponse { + Resource: ::std::vec::Vec::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for GetResourceResponse { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("GetResourceResponse").unwrap()).clone() + } +} + +impl ::std::fmt::Display for GetResourceResponse { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for GetResourceResponse { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +// @@protoc_insertion_point(message:api.KeyProviderKeyWrapProtocolInput) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct KeyProviderKeyWrapProtocolInput { + // message fields + // @@protoc_insertion_point(field:api.KeyProviderKeyWrapProtocolInput.KeyProviderKeyWrapProtocolInput) + pub KeyProviderKeyWrapProtocolInput: ::std::vec::Vec, + // special fields + // @@protoc_insertion_point(special_field:api.KeyProviderKeyWrapProtocolInput.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a KeyProviderKeyWrapProtocolInput { + fn default() -> &'a KeyProviderKeyWrapProtocolInput { + ::default_instance() + } +} + +impl KeyProviderKeyWrapProtocolInput { + pub fn new() -> KeyProviderKeyWrapProtocolInput { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "KeyProviderKeyWrapProtocolInput", + |m: &KeyProviderKeyWrapProtocolInput| { &m.KeyProviderKeyWrapProtocolInput }, + |m: &mut KeyProviderKeyWrapProtocolInput| { &mut m.KeyProviderKeyWrapProtocolInput }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "KeyProviderKeyWrapProtocolInput", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for KeyProviderKeyWrapProtocolInput { + const NAME: &'static str = "KeyProviderKeyWrapProtocolInput"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.KeyProviderKeyWrapProtocolInput = is.read_bytes()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.KeyProviderKeyWrapProtocolInput.is_empty() { + my_size += ::protobuf::rt::bytes_size(1, &self.KeyProviderKeyWrapProtocolInput); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.KeyProviderKeyWrapProtocolInput.is_empty() { + os.write_bytes(1, &self.KeyProviderKeyWrapProtocolInput)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> KeyProviderKeyWrapProtocolInput { + KeyProviderKeyWrapProtocolInput::new() + } + + fn clear(&mut self) { + self.KeyProviderKeyWrapProtocolInput.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static KeyProviderKeyWrapProtocolInput { + static instance: KeyProviderKeyWrapProtocolInput = KeyProviderKeyWrapProtocolInput { + KeyProviderKeyWrapProtocolInput: ::std::vec::Vec::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for KeyProviderKeyWrapProtocolInput { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("KeyProviderKeyWrapProtocolInput").unwrap()).clone() + } +} + +impl ::std::fmt::Display for KeyProviderKeyWrapProtocolInput { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for KeyProviderKeyWrapProtocolInput { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +// @@protoc_insertion_point(message:api.KeyProviderKeyWrapProtocolOutput) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct KeyProviderKeyWrapProtocolOutput { + // message fields + // @@protoc_insertion_point(field:api.KeyProviderKeyWrapProtocolOutput.KeyProviderKeyWrapProtocolOutput) + pub KeyProviderKeyWrapProtocolOutput: ::std::vec::Vec, + // special fields + // @@protoc_insertion_point(special_field:api.KeyProviderKeyWrapProtocolOutput.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a KeyProviderKeyWrapProtocolOutput { + fn default() -> &'a KeyProviderKeyWrapProtocolOutput { + ::default_instance() + } +} + +impl KeyProviderKeyWrapProtocolOutput { + pub fn new() -> KeyProviderKeyWrapProtocolOutput { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "KeyProviderKeyWrapProtocolOutput", + |m: &KeyProviderKeyWrapProtocolOutput| { &m.KeyProviderKeyWrapProtocolOutput }, + |m: &mut KeyProviderKeyWrapProtocolOutput| { &mut m.KeyProviderKeyWrapProtocolOutput }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "KeyProviderKeyWrapProtocolOutput", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for KeyProviderKeyWrapProtocolOutput { + const NAME: &'static str = "KeyProviderKeyWrapProtocolOutput"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.KeyProviderKeyWrapProtocolOutput = is.read_bytes()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.KeyProviderKeyWrapProtocolOutput.is_empty() { + my_size += ::protobuf::rt::bytes_size(1, &self.KeyProviderKeyWrapProtocolOutput); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.KeyProviderKeyWrapProtocolOutput.is_empty() { + os.write_bytes(1, &self.KeyProviderKeyWrapProtocolOutput)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> KeyProviderKeyWrapProtocolOutput { + KeyProviderKeyWrapProtocolOutput::new() + } + + fn clear(&mut self) { + self.KeyProviderKeyWrapProtocolOutput.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static KeyProviderKeyWrapProtocolOutput { + static instance: KeyProviderKeyWrapProtocolOutput = KeyProviderKeyWrapProtocolOutput { + KeyProviderKeyWrapProtocolOutput: ::std::vec::Vec::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for KeyProviderKeyWrapProtocolOutput { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("KeyProviderKeyWrapProtocolOutput").unwrap()).clone() + } +} + +impl ::std::fmt::Display for KeyProviderKeyWrapProtocolOutput { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for KeyProviderKeyWrapProtocolOutput { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +// @@protoc_insertion_point(message:api.SecureMountRequest) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct SecureMountRequest { + // message fields + // @@protoc_insertion_point(field:api.SecureMountRequest.driver) + pub driver: ::std::string::String, + // @@protoc_insertion_point(field:api.SecureMountRequest.driver_options) + pub driver_options: ::std::vec::Vec<::std::string::String>, + // @@protoc_insertion_point(field:api.SecureMountRequest.source) + pub source: ::std::string::String, + // @@protoc_insertion_point(field:api.SecureMountRequest.fstype) + pub fstype: ::std::string::String, + // @@protoc_insertion_point(field:api.SecureMountRequest.options) + pub options: ::std::vec::Vec<::std::string::String>, + // @@protoc_insertion_point(field:api.SecureMountRequest.mount_point) + pub mount_point: ::std::string::String, + // special fields + // @@protoc_insertion_point(special_field:api.SecureMountRequest.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a SecureMountRequest { + fn default() -> &'a SecureMountRequest { + ::default_instance() + } +} + +impl SecureMountRequest { + pub fn new() -> SecureMountRequest { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(6); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "driver", + |m: &SecureMountRequest| { &m.driver }, + |m: &mut SecureMountRequest| { &mut m.driver }, + )); + fields.push(::protobuf::reflect::rt::v2::make_vec_simpler_accessor::<_, _>( + "driver_options", + |m: &SecureMountRequest| { &m.driver_options }, + |m: &mut SecureMountRequest| { &mut m.driver_options }, + )); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "source", + |m: &SecureMountRequest| { &m.source }, + |m: &mut SecureMountRequest| { &mut m.source }, + )); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "fstype", + |m: &SecureMountRequest| { &m.fstype }, + |m: &mut SecureMountRequest| { &mut m.fstype }, + )); + fields.push(::protobuf::reflect::rt::v2::make_vec_simpler_accessor::<_, _>( + "options", + |m: &SecureMountRequest| { &m.options }, + |m: &mut SecureMountRequest| { &mut m.options }, + )); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "mount_point", + |m: &SecureMountRequest| { &m.mount_point }, + |m: &mut SecureMountRequest| { &mut m.mount_point }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "SecureMountRequest", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for SecureMountRequest { + const NAME: &'static str = "SecureMountRequest"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.driver = is.read_string()?; + }, + 18 => { + self.driver_options.push(is.read_string()?); + }, + 26 => { + self.source = is.read_string()?; + }, + 34 => { + self.fstype = is.read_string()?; + }, + 42 => { + self.options.push(is.read_string()?); + }, + 50 => { + self.mount_point = is.read_string()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.driver.is_empty() { + my_size += ::protobuf::rt::string_size(1, &self.driver); + } + for value in &self.driver_options { + my_size += ::protobuf::rt::string_size(2, &value); + }; + if !self.source.is_empty() { + my_size += ::protobuf::rt::string_size(3, &self.source); + } + if !self.fstype.is_empty() { + my_size += ::protobuf::rt::string_size(4, &self.fstype); + } + for value in &self.options { + my_size += ::protobuf::rt::string_size(5, &value); + }; + if !self.mount_point.is_empty() { + my_size += ::protobuf::rt::string_size(6, &self.mount_point); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.driver.is_empty() { + os.write_string(1, &self.driver)?; + } + for v in &self.driver_options { + os.write_string(2, &v)?; + }; + if !self.source.is_empty() { + os.write_string(3, &self.source)?; + } + if !self.fstype.is_empty() { + os.write_string(4, &self.fstype)?; + } + for v in &self.options { + os.write_string(5, &v)?; + }; + if !self.mount_point.is_empty() { + os.write_string(6, &self.mount_point)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> SecureMountRequest { + SecureMountRequest::new() + } + + fn clear(&mut self) { + self.driver.clear(); + self.driver_options.clear(); + self.source.clear(); + self.fstype.clear(); + self.options.clear(); + self.mount_point.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static SecureMountRequest { + static instance: SecureMountRequest = SecureMountRequest { + driver: ::std::string::String::new(), + driver_options: ::std::vec::Vec::new(), + source: ::std::string::String::new(), + fstype: ::std::string::String::new(), + options: ::std::vec::Vec::new(), + mount_point: ::std::string::String::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for SecureMountRequest { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("SecureMountRequest").unwrap()).clone() + } +} + +impl ::std::fmt::Display for SecureMountRequest { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for SecureMountRequest { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +// @@protoc_insertion_point(message:api.SecureMountResponse) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct SecureMountResponse { + // message fields + // @@protoc_insertion_point(field:api.SecureMountResponse.mount_path) + pub mount_path: ::std::string::String, + // special fields + // @@protoc_insertion_point(special_field:api.SecureMountResponse.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a SecureMountResponse { + fn default() -> &'a SecureMountResponse { + ::default_instance() + } +} + +impl SecureMountResponse { + pub fn new() -> SecureMountResponse { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "mount_path", + |m: &SecureMountResponse| { &m.mount_path }, + |m: &mut SecureMountResponse| { &mut m.mount_path }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "SecureMountResponse", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for SecureMountResponse { + const NAME: &'static str = "SecureMountResponse"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.mount_path = is.read_string()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.mount_path.is_empty() { + my_size += ::protobuf::rt::string_size(1, &self.mount_path); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.mount_path.is_empty() { + os.write_string(1, &self.mount_path)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> SecureMountResponse { + SecureMountResponse::new() + } + + fn clear(&mut self) { + self.mount_path.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static SecureMountResponse { + static instance: SecureMountResponse = SecureMountResponse { + mount_path: ::std::string::String::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for SecureMountResponse { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("SecureMountResponse").unwrap()).clone() + } +} + +impl ::std::fmt::Display for SecureMountResponse { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for SecureMountResponse { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +// @@protoc_insertion_point(message:api.GetPublicKeyRequest) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct GetPublicKeyRequest { + // message fields + // @@protoc_insertion_point(field:api.GetPublicKeyRequest.KeyId) + pub KeyId: ::std::string::String, + // special fields + // @@protoc_insertion_point(special_field:api.GetPublicKeyRequest.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a GetPublicKeyRequest { + fn default() -> &'a GetPublicKeyRequest { + ::default_instance() + } +} + +impl GetPublicKeyRequest { + pub fn new() -> GetPublicKeyRequest { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "KeyId", + |m: &GetPublicKeyRequest| { &m.KeyId }, + |m: &mut GetPublicKeyRequest| { &mut m.KeyId }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "GetPublicKeyRequest", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for GetPublicKeyRequest { + const NAME: &'static str = "GetPublicKeyRequest"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.KeyId = is.read_string()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.KeyId.is_empty() { + my_size += ::protobuf::rt::string_size(1, &self.KeyId); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.KeyId.is_empty() { + os.write_string(1, &self.KeyId)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> GetPublicKeyRequest { + GetPublicKeyRequest::new() + } + + fn clear(&mut self) { + self.KeyId.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static GetPublicKeyRequest { + static instance: GetPublicKeyRequest = GetPublicKeyRequest { + KeyId: ::std::string::String::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for GetPublicKeyRequest { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("GetPublicKeyRequest").unwrap()).clone() + } +} + +impl ::std::fmt::Display for GetPublicKeyRequest { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for GetPublicKeyRequest { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +// @@protoc_insertion_point(message:api.GetPublicKeyResponse) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct GetPublicKeyResponse { + // message fields + // @@protoc_insertion_point(field:api.GetPublicKeyResponse.PublicKeyPem) + pub PublicKeyPem: ::std::vec::Vec, + // special fields + // @@protoc_insertion_point(special_field:api.GetPublicKeyResponse.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a GetPublicKeyResponse { + fn default() -> &'a GetPublicKeyResponse { + ::default_instance() + } +} + +impl GetPublicKeyResponse { + pub fn new() -> GetPublicKeyResponse { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "PublicKeyPem", + |m: &GetPublicKeyResponse| { &m.PublicKeyPem }, + |m: &mut GetPublicKeyResponse| { &mut m.PublicKeyPem }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "GetPublicKeyResponse", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for GetPublicKeyResponse { + const NAME: &'static str = "GetPublicKeyResponse"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.PublicKeyPem = is.read_bytes()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.PublicKeyPem.is_empty() { + my_size += ::protobuf::rt::bytes_size(1, &self.PublicKeyPem); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.PublicKeyPem.is_empty() { + os.write_bytes(1, &self.PublicKeyPem)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> GetPublicKeyResponse { + GetPublicKeyResponse::new() + } + + fn clear(&mut self) { + self.PublicKeyPem.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static GetPublicKeyResponse { + static instance: GetPublicKeyResponse = GetPublicKeyResponse { + PublicKeyPem: ::std::vec::Vec::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for GetPublicKeyResponse { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("GetPublicKeyResponse").unwrap()).clone() + } +} + +impl ::std::fmt::Display for GetPublicKeyResponse { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for GetPublicKeyResponse { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +static file_descriptor_proto_data: &'static [u8] = b"\ + \n\tapi.proto\x12\x03api\"+\n\x11UnsealSecretInput\x12\x16\n\x06secret\ + \x18\x01\x20\x01(\x0cR\x06secret\"2\n\x12UnsealSecretOutput\x12\x1c\n\tp\ + laintext\x18\x01\x20\x01(\x0cR\tplaintext\"8\n\x12GetResourceRequest\x12\ + \"\n\x0cResourcePath\x18\x01\x20\x01(\tR\x0cResourcePath\"1\n\x13GetReso\ + urceResponse\x12\x1a\n\x08Resource\x18\x01\x20\x01(\x0cR\x08Resource\"k\ + \n\x1fKeyProviderKeyWrapProtocolInput\x12H\n\x1fKeyProviderKeyWrapProtoc\ + olInput\x18\x01\x20\x01(\x0cR\x1fKeyProviderKeyWrapProtocolInput\"n\n\ + \x20KeyProviderKeyWrapProtocolOutput\x12J\n\x20KeyProviderKeyWrapProtoco\ + lOutput\x18\x01\x20\x01(\x0cR\x20KeyProviderKeyWrapProtocolOutput\"\xbe\ + \x01\n\x12SecureMountRequest\x12\x16\n\x06driver\x18\x01\x20\x01(\tR\x06\ + driver\x12%\n\x0edriver_options\x18\x02\x20\x03(\tR\rdriverOptions\x12\ + \x16\n\x06source\x18\x03\x20\x01(\tR\x06source\x12\x16\n\x06fstype\x18\ + \x04\x20\x01(\tR\x06fstype\x12\x18\n\x07options\x18\x05\x20\x03(\tR\x07o\ + ptions\x12\x1f\n\x0bmount_point\x18\x06\x20\x01(\tR\nmountPoint\"4\n\x13\ + SecureMountResponse\x12\x1d\n\nmount_path\x18\x01\x20\x01(\tR\tmountPath\ + \"+\n\x13GetPublicKeyRequest\x12\x14\n\x05KeyId\x18\x01\x20\x01(\tR\x05K\ + eyId\":\n\x14GetPublicKeyResponse\x12\"\n\x0cPublicKeyPem\x18\x01\x20\ + \x01(\x0cR\x0cPublicKeyPem2V\n\x13SealedSecretService\x12?\n\x0cUnsealSe\ + cret\x12\x16.api.UnsealSecretInput\x1a\x17.api.UnsealSecretOutput2V\n\ + \x12GetResourceService\x12@\n\x0bGetResource\x12\x17.api.GetResourceRequ\ + est\x1a\x18.api.GetResourceResponse2n\n\x12KeyProviderService\x12X\n\tUn\ + WrapKey\x12$.api.KeyProviderKeyWrapProtocolInput\x1a%.api.KeyProviderKey\ + WrapProtocolOutput2V\n\x12SecureMountService\x12@\n\x0bSecureMount\x12\ + \x17.api.SecureMountRequest\x1a\x18.api.SecureMountResponse2Z\n\x13GetPu\ + blicKeyService\x12C\n\x0cGetPublicKey\x12\x18.api.GetPublicKeyRequest\ + \x1a\x19.api.GetPublicKeyResponseb\x06proto3\ +"; + +/// `FileDescriptorProto` object which was a source for this generated file +fn file_descriptor_proto() -> &'static ::protobuf::descriptor::FileDescriptorProto { + static file_descriptor_proto_lazy: ::protobuf::rt::Lazy<::protobuf::descriptor::FileDescriptorProto> = ::protobuf::rt::Lazy::new(); + file_descriptor_proto_lazy.get(|| { + ::protobuf::Message::parse_from_bytes(file_descriptor_proto_data).unwrap() + }) +} + +/// `FileDescriptor` object which allows dynamic access to files +pub fn file_descriptor() -> &'static ::protobuf::reflect::FileDescriptor { + static generated_file_descriptor_lazy: ::protobuf::rt::Lazy<::protobuf::reflect::GeneratedFileDescriptor> = ::protobuf::rt::Lazy::new(); + static file_descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::FileDescriptor> = ::protobuf::rt::Lazy::new(); + file_descriptor.get(|| { + let generated_file_descriptor = generated_file_descriptor_lazy.get(|| { + let mut deps = ::std::vec::Vec::with_capacity(0); + let mut messages = ::std::vec::Vec::with_capacity(10); + messages.push(UnsealSecretInput::generated_message_descriptor_data()); + messages.push(UnsealSecretOutput::generated_message_descriptor_data()); + messages.push(GetResourceRequest::generated_message_descriptor_data()); + messages.push(GetResourceResponse::generated_message_descriptor_data()); + messages.push(KeyProviderKeyWrapProtocolInput::generated_message_descriptor_data()); + messages.push(KeyProviderKeyWrapProtocolOutput::generated_message_descriptor_data()); + messages.push(SecureMountRequest::generated_message_descriptor_data()); + messages.push(SecureMountResponse::generated_message_descriptor_data()); + messages.push(GetPublicKeyRequest::generated_message_descriptor_data()); + messages.push(GetPublicKeyResponse::generated_message_descriptor_data()); + let mut enums = ::std::vec::Vec::with_capacity(0); + ::protobuf::reflect::GeneratedFileDescriptor::new_generated( + file_descriptor_proto(), + deps, + messages, + enums, + ) + }); + ::protobuf::reflect::FileDescriptor::new_generated_2(generated_file_descriptor) + }) +} diff --git a/image-rs/src/signature/mechanism/cosign/api_ttrpc.rs b/image-rs/src/signature/mechanism/cosign/api_ttrpc.rs new file mode 100644 index 000000000..ec3b1e7dd --- /dev/null +++ b/image-rs/src/signature/mechanism/cosign/api_ttrpc.rs @@ -0,0 +1,261 @@ +// This file is generated by ttrpc-compiler 0.6.2. Do not edit +// @generated + +#![cfg_attr(rustfmt, rustfmt_skip)] +#![allow(unknown_lints)] +#![allow(clipto_camel_casepy)] +#![allow(box_pointers)] +#![allow(dead_code)] +#![allow(missing_docs)] +#![allow(non_camel_case_types)] +#![allow(non_snake_case)] +#![allow(non_upper_case_globals)] +#![allow(trivial_casts)] +#![allow(unsafe_code)] +#![allow(unused_imports)] +#![allow(unused_results)] +#![allow(clippy::all)] +use protobuf::{CodedInputStream, CodedOutputStream, Message}; +use std::collections::HashMap; +use std::sync::Arc; +use async_trait::async_trait; + +#[derive(Clone)] +pub struct SealedSecretServiceClient { + client: ::ttrpc::r#async::Client, +} + +impl SealedSecretServiceClient { + pub fn new(client: ::ttrpc::r#async::Client) -> Self { + SealedSecretServiceClient { + client: client, + } + } + + pub async fn unseal_secret(&self, ctx: ttrpc::context::Context, req: &super::api::UnsealSecretInput) -> ::ttrpc::Result { + let mut cres = super::api::UnsealSecretOutput::new(); + ::ttrpc::async_client_request!(self, ctx, req, "api.SealedSecretService", "UnsealSecret", cres); + } +} + +struct UnsealSecretMethod { + service: Arc>, +} + +#[async_trait] +impl ::ttrpc::r#async::MethodHandler for UnsealSecretMethod { + async fn handler(&self, ctx: ::ttrpc::r#async::TtrpcContext, req: ::ttrpc::Request) -> ::ttrpc::Result<::ttrpc::Response> { + ::ttrpc::async_request_handler!(self, ctx, req, api, UnsealSecretInput, unseal_secret); + } +} + +#[async_trait] +pub trait SealedSecretService: Sync { + async fn unseal_secret(&self, _ctx: &::ttrpc::r#async::TtrpcContext, _: super::api::UnsealSecretInput) -> ::ttrpc::Result { + Err(::ttrpc::Error::RpcStatus(::ttrpc::get_status(::ttrpc::Code::NOT_FOUND, "/api.SealedSecretService/UnsealSecret is not supported".to_string()))) + } +} + +pub fn create_sealed_secret_service(service: Arc>) -> HashMap { + let mut ret = HashMap::new(); + let mut methods = HashMap::new(); + let streams = HashMap::new(); + + methods.insert("UnsealSecret".to_string(), + Box::new(UnsealSecretMethod{service: service.clone()}) as Box); + + ret.insert("api.SealedSecretService".to_string(), ::ttrpc::r#async::Service{ methods, streams }); + ret +} + +#[derive(Clone)] +pub struct GetResourceServiceClient { + client: ::ttrpc::r#async::Client, +} + +impl GetResourceServiceClient { + pub fn new(client: ::ttrpc::r#async::Client) -> Self { + GetResourceServiceClient { + client: client, + } + } + + pub async fn get_resource(&self, ctx: ttrpc::context::Context, req: &super::api::GetResourceRequest) -> ::ttrpc::Result { + let mut cres = super::api::GetResourceResponse::new(); + ::ttrpc::async_client_request!(self, ctx, req, "api.GetResourceService", "GetResource", cres); + } +} + +struct GetResourceMethod { + service: Arc>, +} + +#[async_trait] +impl ::ttrpc::r#async::MethodHandler for GetResourceMethod { + async fn handler(&self, ctx: ::ttrpc::r#async::TtrpcContext, req: ::ttrpc::Request) -> ::ttrpc::Result<::ttrpc::Response> { + ::ttrpc::async_request_handler!(self, ctx, req, api, GetResourceRequest, get_resource); + } +} + +#[async_trait] +pub trait GetResourceService: Sync { + async fn get_resource(&self, _ctx: &::ttrpc::r#async::TtrpcContext, _: super::api::GetResourceRequest) -> ::ttrpc::Result { + Err(::ttrpc::Error::RpcStatus(::ttrpc::get_status(::ttrpc::Code::NOT_FOUND, "/api.GetResourceService/GetResource is not supported".to_string()))) + } +} + +pub fn create_get_resource_service(service: Arc>) -> HashMap { + let mut ret = HashMap::new(); + let mut methods = HashMap::new(); + let streams = HashMap::new(); + + methods.insert("GetResource".to_string(), + Box::new(GetResourceMethod{service: service.clone()}) as Box); + + ret.insert("api.GetResourceService".to_string(), ::ttrpc::r#async::Service{ methods, streams }); + ret +} + +#[derive(Clone)] +pub struct KeyProviderServiceClient { + client: ::ttrpc::r#async::Client, +} + +impl KeyProviderServiceClient { + pub fn new(client: ::ttrpc::r#async::Client) -> Self { + KeyProviderServiceClient { + client: client, + } + } + + pub async fn un_wrap_key(&self, ctx: ttrpc::context::Context, req: &super::api::KeyProviderKeyWrapProtocolInput) -> ::ttrpc::Result { + let mut cres = super::api::KeyProviderKeyWrapProtocolOutput::new(); + ::ttrpc::async_client_request!(self, ctx, req, "api.KeyProviderService", "UnWrapKey", cres); + } +} + +struct UnWrapKeyMethod { + service: Arc>, +} + +#[async_trait] +impl ::ttrpc::r#async::MethodHandler for UnWrapKeyMethod { + async fn handler(&self, ctx: ::ttrpc::r#async::TtrpcContext, req: ::ttrpc::Request) -> ::ttrpc::Result<::ttrpc::Response> { + ::ttrpc::async_request_handler!(self, ctx, req, api, KeyProviderKeyWrapProtocolInput, un_wrap_key); + } +} + +#[async_trait] +pub trait KeyProviderService: Sync { + async fn un_wrap_key(&self, _ctx: &::ttrpc::r#async::TtrpcContext, _: super::api::KeyProviderKeyWrapProtocolInput) -> ::ttrpc::Result { + Err(::ttrpc::Error::RpcStatus(::ttrpc::get_status(::ttrpc::Code::NOT_FOUND, "/api.KeyProviderService/UnWrapKey is not supported".to_string()))) + } +} + +pub fn create_key_provider_service(service: Arc>) -> HashMap { + let mut ret = HashMap::new(); + let mut methods = HashMap::new(); + let streams = HashMap::new(); + + methods.insert("UnWrapKey".to_string(), + Box::new(UnWrapKeyMethod{service: service.clone()}) as Box); + + ret.insert("api.KeyProviderService".to_string(), ::ttrpc::r#async::Service{ methods, streams }); + ret +} + +#[derive(Clone)] +pub struct SecureMountServiceClient { + client: ::ttrpc::r#async::Client, +} + +impl SecureMountServiceClient { + pub fn new(client: ::ttrpc::r#async::Client) -> Self { + SecureMountServiceClient { + client: client, + } + } + + pub async fn secure_mount(&self, ctx: ttrpc::context::Context, req: &super::api::SecureMountRequest) -> ::ttrpc::Result { + let mut cres = super::api::SecureMountResponse::new(); + ::ttrpc::async_client_request!(self, ctx, req, "api.SecureMountService", "SecureMount", cres); + } +} + +struct SecureMountMethod { + service: Arc>, +} + +#[async_trait] +impl ::ttrpc::r#async::MethodHandler for SecureMountMethod { + async fn handler(&self, ctx: ::ttrpc::r#async::TtrpcContext, req: ::ttrpc::Request) -> ::ttrpc::Result<::ttrpc::Response> { + ::ttrpc::async_request_handler!(self, ctx, req, api, SecureMountRequest, secure_mount); + } +} + +#[async_trait] +pub trait SecureMountService: Sync { + async fn secure_mount(&self, _ctx: &::ttrpc::r#async::TtrpcContext, _: super::api::SecureMountRequest) -> ::ttrpc::Result { + Err(::ttrpc::Error::RpcStatus(::ttrpc::get_status(::ttrpc::Code::NOT_FOUND, "/api.SecureMountService/SecureMount is not supported".to_string()))) + } +} + +pub fn create_secure_mount_service(service: Arc>) -> HashMap { + let mut ret = HashMap::new(); + let mut methods = HashMap::new(); + let streams = HashMap::new(); + + methods.insert("SecureMount".to_string(), + Box::new(SecureMountMethod{service: service.clone()}) as Box); + + ret.insert("api.SecureMountService".to_string(), ::ttrpc::r#async::Service{ methods, streams }); + ret +} + +#[derive(Clone)] +pub struct GetPublicKeyServiceClient { + client: ::ttrpc::r#async::Client, +} + +impl GetPublicKeyServiceClient { + pub fn new(client: ::ttrpc::r#async::Client) -> Self { + GetPublicKeyServiceClient { + client: client, + } + } + + pub async fn get_public_key(&self, ctx: ttrpc::context::Context, req: &super::api::GetPublicKeyRequest) -> ::ttrpc::Result { + let mut cres = super::api::GetPublicKeyResponse::new(); + ::ttrpc::async_client_request!(self, ctx, req, "api.GetPublicKeyService", "GetPublicKey", cres); + } +} + +struct GetPublicKeyMethod { + service: Arc>, +} + +#[async_trait] +impl ::ttrpc::r#async::MethodHandler for GetPublicKeyMethod { + async fn handler(&self, ctx: ::ttrpc::r#async::TtrpcContext, req: ::ttrpc::Request) -> ::ttrpc::Result<::ttrpc::Response> { + ::ttrpc::async_request_handler!(self, ctx, req, api, GetPublicKeyRequest, get_public_key); + } +} + +#[async_trait] +pub trait GetPublicKeyService: Sync { + async fn get_public_key(&self, _ctx: &::ttrpc::r#async::TtrpcContext, _: super::api::GetPublicKeyRequest) -> ::ttrpc::Result { + Err(::ttrpc::Error::RpcStatus(::ttrpc::get_status(::ttrpc::Code::NOT_FOUND, "/api.GetPublicKeyService/GetPublicKey is not supported".to_string()))) + } +} + +pub fn create_get_public_key_service(service: Arc>) -> HashMap { + let mut ret = HashMap::new(); + let mut methods = HashMap::new(); + let streams = HashMap::new(); + + methods.insert("GetPublicKey".to_string(), + Box::new(GetPublicKeyMethod{service: service.clone()}) as Box); + + ret.insert("api.GetPublicKeyService".to_string(), ::ttrpc::r#async::Service{ methods, streams }); + ret +} diff --git a/image-rs/src/signature/mechanism/cosign/mod.rs b/image-rs/src/signature/mechanism/cosign/mod.rs index e919758e5..e974b0d5a 100644 --- a/image-rs/src/signature/mechanism/cosign/mod.rs +++ b/image-rs/src/signature/mechanism/cosign/mod.rs @@ -5,6 +5,15 @@ //! Cosign verification +#[cfg(all(feature = "signature-cosign", feature = "confidential-data-hub"))] +mod api; + +#[cfg(all(feature = "signature-cosign", feature = "confidential-data-hub"))] +mod api_ttrpc; + +#[cfg(feature = "signature-cosign")] +mod public_key; + use anyhow::{anyhow, bail, Result}; use async_trait::async_trait; use oci_distribution::secrets::RegistryAuth; @@ -23,7 +32,6 @@ use sigstore::{ use std::str::FromStr; use super::SignScheme; -use crate::resource; use crate::signature::{ image::Image, mechanism::Paths, payload::simple_signing::SigPayload, policy::ref_match::PolicyReqMatchType, @@ -130,7 +138,7 @@ impl CosignParameters { // Get the pubkey let key = match (&self.key_data, &self.key_path) { (None, None) => bail!("Neither keyPath nor keyData is specified."), - (None, Some(key_path)) => resource::get_resource(key_path).await?, + (None, Some(key_path)) => public_key::get_public_key(key_path).await?, (Some(key_data), None) => key_data.as_bytes().to_vec(), (Some(_), Some(_)) => bail!("Both keyPath and keyData are specified."), }; diff --git a/image-rs/src/signature/mechanism/cosign/public_key.rs b/image-rs/src/signature/mechanism/cosign/public_key.rs new file mode 100644 index 000000000..60d6c13dc --- /dev/null +++ b/image-rs/src/signature/mechanism/cosign/public_key.rs @@ -0,0 +1,32 @@ +// Copyright (c) 2023 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +use anyhow::Result; + +pub(super) async fn get_public_key(keyid: &str) -> Result> { + #[cfg(feature = "confidential-data-hub")] + { + use super::{api::GetPublicKeyRequest, api_ttrpc::GetPublicKeyServiceClient}; + const CONFIDENTIAL_DATA_HUB_SOCKET: &str = "unix:///run/confidential-containers/cdh.sock"; + const TTRPC_TIMEOUT: i64 = 50 * 1000 * 1000 * 1000; + + let inner = ttrpc::asynchronous::Client::connect(CONFIDENTIAL_DATA_HUB_SOCKET)?; + let client = GetPublicKeyServiceClient::new(inner); + + let req = GetPublicKeyRequest { + KeyId: keyid.to_string(), + ..Default::default() + }; + let res = client + .get_public_key(ttrpc::context::with_timeout(TTRPC_TIMEOUT), &req) + .await?; + Ok(res.PublicKeyPem) + } + + #[cfg(not(feature = "confidential-data-hub"))] + { + crate::resource::get_resource(keyid).await + } +}