6 changes: 4 additions & 2 deletions kbs/src/api_server.rs
Expand Up @@ -269,7 +269,7 @@ pub(crate) async fn api(
// Plugin calls need to be authorized by the admin auth
core.admin_auth.validate_auth(&request)?;
let response = plugin
.handle(&body, query, additional_path, request.method())
.handle(&body, query, additional_path, request.method(), None)
.await
.map_err(|e| Error::PluginInternalError { source: e })?;
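Review bot: The admin-authorized call passes a bare `None` for the new argument, which is the same value an attested request receives when the `init_data_claims` pointer lookup finds nothing, so a plugin cannot tell an admin call from a guest that supplied no init data. Add a short comment at this call site saying admin requests carry no attestation token, and state in the `ClientPlugin::handle` docs that `None` covers both cases, or use a dedicated type if plugins need to distinguish them.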

Expand All @@ -282,6 +282,8 @@ pub(crate) async fn api(
.map_err(|_| Error::TokenNotFound)?;

let claims = core.token_verifier.verify(token).await?;
let init_data = claims
.pointer("/submods/cpu0/ear.veraison.annotated-evidence/init_data_claims");
Comment on lines +285 to +286
Contributor

Since it's just a subset of the token claims, any reason why we shouldn't make the full token available instead?

Member Author

Yeah good point. There's a little bit of a tradeoff here. Giving plugin authors the full plugin could make the interface more powerful but it makes things more complicated for plugin authors. I couldn't think of a use case for a plugin using the whole token so I thought this would be a little more convenient. wdyt?


let claim_str = serde_json::to_string(&claims)?;
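Review bot: The JSON pointer in `claims.pointer(...)` hard-codes both the `cpu0` submodule name and the `ear.veraison.annotated-evidence` layout, and a miss is silently turned into `None`. A token with a different submodule key or claim layout would reach the plugin looking exactly like a guest that provided no init data. Suggest moving the path into a named constant with a comment on the token format it assumes, and logging (or rejecting) when the token verifies but the expected parent object is absent.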

Expand All @@ -299,7 +301,7 @@ pub(crate) async fn api(
KBS_POLICY_APPROVALS.inc();

let response = plugin
.handle(&body, query, additional_path, request.method())
.handle(&body, query, additional_path, request.method(), init_data)
.await
.map_err(|e| Error::PluginInternalError { source: e })?;
if plugin
1 change: 1 addition & 0 deletions kbs/src/plugins/implementations/nebula_ca.rs
Expand Up @@ -399,6 +399,7 @@ impl ClientPlugin for NebulaCaPlugin {
query: &str,
path: &str,
method: &Method,
_init_data: Option<&serde_json::Value>,
) -> Result<Vec<u8>> {
let sub_path = path
.strip_prefix('/')
1 change: 1 addition & 0 deletions kbs/src/plugins/implementations/pkcs11.rs
Expand Up @@ -77,6 +77,7 @@ impl ClientPlugin for Pkcs11Backend {
_query: &str,
path: &str,
method: &Method,
_init_data: Option<&serde_json::Value>,
) -> Result<Vec<u8>> {
let desc = path
.strip_prefix('/')
1 change: 1 addition & 0 deletions kbs/src/plugins/implementations/resource/mod.rs
Expand Up @@ -26,6 +26,7 @@ impl ClientPlugin for ResourceStorage {
_query: &str,
path: &str,
method: &Method,
_init_data: Option<&serde_json::Value>,
) -> Result<Vec<u8>> {
let resource_desc = path
.strip_prefix('/')
1 change: 1 addition & 0 deletions kbs/src/plugins/implementations/sample.rs
Expand Up @@ -35,6 +35,7 @@ impl ClientPlugin for Sample {
_query: &str,
_path: &str,
_method: &Method,
_init_data: Option<&serde_json::Value>,
) -> Result<Vec<u8>> {
Ok("sample plugin response".as_bytes().to_vec())
}
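Review bot: `_init_data` is ignored here, as it is in the nebula_ca, pkcs11 and resource implementations, so nothing in this change consumes the new argument. Since this is the sample plugin, consider having it read `init_data` (for example, reporting whether it was present) so plugin authors have a reference for the intended use and the new path gets exercised.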
29 changes: 26 additions & 3 deletions kbs/src/plugins/plugin_manager.rs
Expand Up @@ -20,9 +20,31 @@ type ClientPluginInstance = Arc<dyn ClientPlugin>;

#[async_trait::async_trait]
pub trait ClientPlugin: Send + Sync {
/// This function is the entry to a client plugin. The function
/// marks `&self` rather than `&mut self`, because it will leave
/// state and synchronization issues down to the concrete plugin.
/// Plugins fulfill requests using this function
/// and following REST semantics.
///
/// A request is provided to the plugin in parts.
/// The @path is the base of the request and usually represents
/// some object that the plugin will provide.
///
/// The @query is a query string passed in addition to the path
/// that can represent additional parameters not expressed
/// in the path.
///
/// The request @method can be GET or POST. GET requests are typically
/// used from inside the guest to retrieve a resource.
/// POST requests are usually made by admins configuring a resource.
/// The @body of the request is also provided, but this should only
/// be used with POST requests.
///
/// The @init_data field provides measured guest configuration
/// if it is provided by the guest and validated by the
/// attestation agent.
///
///
/// The handle function takes `&self` rather than `&mut self`,
/// because individual plugin backends are expected to
/// implement their own synchronization logic.
///
/// TODO: change body from Vec slice into Reader to apply for large
/// body stream.
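Review bot: The `init_data` paragraph says the value is "validated by the attestation agent", but in api_server.rs it is read from the claims returned by `core.token_verifier.verify(token)`; name the component whose verification a plugin is actually relying on, and say what shape of JSON value to expect. Style points: the `@path`, `@query`, `@method` and `@body` markers are not rustdoc syntax and will render literally, so backticked parameter names would read better, and there are two consecutive empty `///` lines before the `&self` paragraph.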
Expand All @@ -32,6 +54,7 @@ pub trait ClientPlugin: Send + Sync {
query: &str,
path: &str,
method: &Method,
init_data: Option<&serde_json::Value>,
) -> Result<Vec<u8>>;

/// Whether the concrete request needs to validate the admin auth.
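Review bot: `handle` now takes five positional parameters, and adding this one required touching every implementation of the trait. Given the open question in the thread about exposing the full token, consider grouping the per-request inputs into a small context struct so later additions do not change the signature again.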