Merge pull request #633 from fitzthum/rvps-config-rework

Improve RVPS storage config

attestation-service/config.json

@@ -2,10 +2,12 @@
     "work_dir": "/var/lib/attestation-service/",
     "rvps_config": {
         "type": "BuiltIn",
-        "store_type": "LocalFs"
+        "storage": {
+            "type": "LocalFs"
+	}
     },
     "attestation_token_broker": {
         "type": "Simple",
         "duration_min": 5
     }
-}
+}

attestation-service/docs/config.md

@@ -74,10 +74,9 @@ If `type` is set to `BuiltIn`, the following extra properties can be set
 
 | Property       | Type                    | Description                                                           | Required | Default  |
 |----------------|-------------------------|-----------------------------------------------------------------------|----------|----------|
-| `store_type`   | String                  | The underlying storage type of RVPS. (`LocalFs` or `LocalJson`)       | No       | `LocalFs`|
-| `store_config` | JSON Map                | The optional configurations to the underlying storage.                | No       | Null     |
+| `storage`   | ReferenceValueStorageConfig | Configuration of storage for reference values (`LocalFs` or `LocalJson`)       | No       | `LocalFs`|
 
-Different `store_type` will have different `store_config` items.
+`ReferenceValueStorageConfig` can contain either a `LocalFs` configuration or a `LocalJson` configuration.
 
 For `LocalFs`, the following properties can be set
 
@@ -110,8 +109,8 @@ Running with a built-in RVPS:
     "policy_engine": "opa",
     "rvps_config": {
         "type": "BuiltIn",
-        "store_type": "LocalFs",
-        "store_config": {
+        "storage": {
+            "type": "LocalFs"
             "file_path": "/var/lib/attestation-service/reference-values"
         }
     },

attestation-service/src/config.rs

@@ -58,9 +58,10 @@ impl TryFrom<&Path> for Config {
     ///        "work_dir": "/var/lib/attestation-service/",
     ///        "policy_engine": "opa",
     ///        "rvps_config": {
-    ///            "store_type": "LocalFs",
+    ///            "storage": {
+    ///                "type": "LocalFs"
+    ///            }
     ///            "store_config": {},
-    ///            "remote_addr": ""
     ///        },
     ///        "attestation_token_broker": {
     ///            "type": "Ear",
@@ -76,24 +77,22 @@ impl TryFrom<&Path> for Config {
 
 #[cfg(test)]
 mod tests {
-    use std::path::PathBuf;
-
     use rstest::rstest;
-    use serde_json::json;
+    use std::path::PathBuf;
 
     use super::Config;
     use crate::rvps::RvpsCrateConfig;
     use crate::{
         rvps::RvpsConfig,
         token::{ear_broker, simple, AttestationTokenConfig},
     };
+    use reference_value_provider_service::storage::{local_fs, ReferenceValueStorageConfig};
 
     #[rstest]
     #[case("./tests/configs/example1.json", Config {
         work_dir: PathBuf::from("/var/lib/attestation-service/"),
         rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
-            store_type: "LocalFs".into(),
-            store_config: json!({}),
+            storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()),
         }),
         attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration {
             duration_min: 5,
@@ -105,8 +104,7 @@ mod tests {
     #[case("./tests/configs/example2.json", Config {
         work_dir: PathBuf::from("/var/lib/attestation-service/"),
         rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
-            store_type: "LocalFs".into(),
-            store_config: json!({}),
+            storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()),
         }),
         attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration {
             duration_min: 5,
@@ -122,8 +120,7 @@ mod tests {
     #[case("./tests/configs/example3.json", Config {
         work_dir: PathBuf::from("/var/lib/attestation-service/"),
         rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
-            store_type: "LocalFs".into(),
-            store_config: json!({}),
+            storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()),
         }),
         attestation_token_broker: AttestationTokenConfig::Ear(ear_broker::Configuration {
             duration_min: 5,
@@ -138,8 +135,7 @@ mod tests {
     #[case("./tests/configs/example4.json", Config {
         work_dir: PathBuf::from("/var/lib/attestation-service/"),
         rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
-            store_type: "LocalFs".into(),
-            store_config: json!({}),
+            storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()),
         }),
         attestation_token_broker: AttestationTokenConfig::Ear(ear_broker::Configuration {
             duration_min: 5,

attestation-service/tests/configs/example1.json

@@ -2,8 +2,9 @@
     "work_dir": "/var/lib/attestation-service/",
     "rvps_config": {
 	"type": "BuiltIn",
-        "store_type": "LocalFs",
-        "remote_addr": ""
+	"storage": {
+            "type": "LocalFs"
+	}
     },
     "attestation_token_broker": {
         "type": "Simple",

attestation-service/tests/configs/example2.json

@@ -2,8 +2,9 @@
     "work_dir": "/var/lib/attestation-service/",
     "rvps_config": {
 	"type": "BuiltIn",
-        "store_type": "LocalFs",
-        "remote_addr": ""
+	"storage": {
+            "type": "LocalFs"
+	}
     },
     "attestation_token_broker": {
         "type": "Simple",

attestation-service/tests/configs/example3.json

@@ -2,8 +2,9 @@
     "work_dir": "/var/lib/attestation-service/",
     "rvps_config": {
 	"type": "BuiltIn",
-        "store_type": "LocalFs",
-        "remote_addr": ""
+	"storage": {
+            "type": "LocalFs"
+	}
     },
     "attestation_token_broker": {
         "type": "Ear",

attestation-service/tests/configs/example4.json

@@ -2,8 +2,9 @@
     "work_dir": "/var/lib/attestation-service/",
     "rvps_config": {
 	"type": "BuiltIn",
-        "store_type": "LocalFs",
-        "remote_addr": ""
+	"storage": {
+            "type": "LocalFs"
+	}
     },
     "attestation_token_broker": {
         "type": "Ear",

deps/verifier/src/se/README.md

@@ -103,17 +103,19 @@ insecure_http = true
 [attestation_token]
 insecure_key = true
 
-[as_config]
+[attestation_service]
 work_dir = "/opt/confidential-containers/attestation-service"
 policy_engine = "opa"
 
-[as_config.attestation_token_broker]
+[attestation_service.attestation_token_broker]
 type = "Ear"
 duration_min = 5
 
-[as_config.rvps_config]
+[attestation_service.rvps_config]
 type = "BuiltIn"
-store_type = "LocalFs"
+
+[attestation_service.rvps_config]
+type = "LocalFs"
 ```
 
 - Launch the KBS program

docker-compose.yml

@@ -52,6 +52,11 @@ services:
     volumes:
       - ./kbs/data/reference-values:/opt/confidential-containers/attestation-service/reference_values:rw
       - ./kbs/config/rvps.json:/etc/rvps.json:rw
+    command: [
+      "rvps",
+      "--address",
+      "0.0.0.0:50003"
+    ]
 
   keyprovider:
     image: ghcr.io/confidential-containers/coco-keyprovider:latest

kbs/Cargo.toml

@@ -82,9 +82,11 @@ attestation-service = { path = "../attestation-service", default-features = fals
     "se-verifier",
 ], optional = true }
 
+
 [dev-dependencies]
 tempfile.workspace = true
 rstest.workspace = true
+reference-value-provider-service.path = "../rvps"
 
 [build-dependencies]
 tonic-build = { workspace = true, optional = true }

kbs/config/kbs-config.toml

@@ -15,7 +15,6 @@ duration_min = 5
 
 [attestation_service.rvps_config]
 type = "BuiltIn"
-store_type = "LocalFs"
 
 [policy_engine]
 policy_path = "/opa/confidential-containers/kbs/policy.rego"

kbs/config/kubernetes/base/kbs-config.toml

@@ -20,7 +20,6 @@ key_path = "/kbs/as-private-key.pem"
 
 [attestation_service.rvps_config]
 type = "BuiltIn"
-store_type = "LocalFs"
 
 [admin]
 auth_public_key = "/kbs/kbs.pem"

kbs/config/rvps.json

@@ -1,7 +1,6 @@
 {
-    "address": "0.0.0.0:50003",
-    "store_type": "LocalFs",
-    "store_config": {
-        "file_path": "/opt/confidential-containers/attestation-service/reference_values"
+    "storage": {
+	"type":"LocalFs",
+	"file_path": "/opt/confidential-containers/attestation-service/reference_values"
     }
-}
+}

kbs/docs/config.md

@@ -143,10 +143,9 @@ If `type` is set to `BuiltIn`, the following extra properties can be set
 
 | Property       | Type                    | Description                                                           | Required | Default  |
 |----------------|-------------------------|-----------------------------------------------------------------------|----------|----------|
-| `store_type`   | String                  | The underlying storage type of RVPS. (`LocalFs` or `LocalJson`)       | No       | `LocalFs`|
-| `store_config` | JSON Map                | The optional configurations to the underlying storage.                | No       | Null     |
+| `storage`   | ReferenceValueStorageConfig | Configuration of the storage for reference values (`LocalFs` or `LocalJson`) | No       | `LocalFs`|
 
-Different `store_type` will have different `store_config` items.
+A `ReferenceValueStorageConfig` can either be of type `LocalFs` or `LocalJson`
 
 For `LocalFs`, the following properties can be set
 
@@ -276,7 +275,9 @@ policy_engine = "opa"
 
     [attestation_service.rvps_config]
     type = "BuiltIn"
-    store_type = "LocalFs"
+
+    [attestation_service.rvps_config.storage]
+    type = "LocalFs"
 
 [[plugins]]
 name = "resource"

kbs/docs/self-signed-https.md

@@ -88,7 +88,9 @@ policy_engine = "opa"
 
     [attestation_service.rvps_config]
     type = "BuiltIn"
-    store_type = "LocalFs"
+
+    [attestation_service.rvps_config.storage]
+    type = "LocalFs"
 
 [[plugins]]
 name = "resource"

kbs/src/config.rs

@@ -124,8 +124,9 @@ mod tests {
         token::{simple, AttestationTokenConfig, COCO_AS_ISSUER_NAME, DEFAULT_TOKEN_DURATION},
     };
 
+    use reference_value_provider_service::storage::{local_fs, ReferenceValueStorageConfig};
+
     use rstest::rstest;
-    use serde_json::json;
 
     #[rstest]
     #[case("test_data/configs/coco-as-grpc-1.toml",         KbsConfig {
@@ -293,9 +294,10 @@ mod tests {
                 crate::attestation::config::AttestationServiceConfig::CoCoASBuiltIn(
                     attestation_service::config::Config {
                         work_dir: "/opt/confidential-containers/attestation-service".into(),
-                        rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
-                            store_type: "LocalFs".into(),
-                            store_config: json!({}),
+                        rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig{
+                            storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config{
+                                file_path: "/opt/confidential-containers/attestation-service/reference_values".into(),
+                            }),
                         }),
                         attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration{
                             duration_min: 5,
@@ -423,10 +425,7 @@ mod tests {
                 crate::attestation::config::AttestationServiceConfig::CoCoASBuiltIn(
                     attestation_service::config::Config {
                         work_dir: "/opt/confidential-containers/attestation-service".into(),
-                        rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
-                            store_type: "LocalFs".into(),
-                            ..Default::default()
-                        }),
+                        rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig::default()),
                         attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration {
                             duration_min: 5,
                             policy_dir: "/opt/confidential-containers/attestation-service/simple-policies".into(),

kbs/test/config/kbs.toml

@@ -22,7 +22,6 @@ cert_path = "./work/token-cert-chain.pem"
 
 [attestation_service.rvps_config]
 type = "BuiltIn"
-store_type = "LocalFs"
 
 [policy_engine]
 policy_path = "./work/kbs-policy.rego"

kbs/test_data/configs/coco-as-builtin-2.toml

@@ -17,7 +17,9 @@ duration_min = 5
 
 [attestation_service.rvps_config]
 type = "BuiltIn"
-store_type = "LocalFs"
+
+[attestation_service.rvps_config.storage]
+type = "LocalFs"
 
 [admin]
 auth_public_key = "/kbs/kbs.pem"

kbs/test_data/configs/coco-as-builtin-3.toml

@@ -16,7 +16,9 @@ policy_dir = "/opt/confidential-containers/attestation-service/simple-policies"
 
 [attestation_service.rvps_config]
 type = "BuiltIn"
-store_type = "LocalFs"
+
+[attestation_service.rvps_config.storage]
+type = "LocalFs"
 
 [policy_engine]
 policy_path = "/opa/confidential-containers/kbs/policy.rego"

rvps/README.md

@@ -77,22 +77,20 @@ cd .. && docker build -t rvps -f rvps/docker/Dockerfile .
 
 Run
 ```bash
-docker run -d -p 50003:50003 rvps
+docker run -d -p 50003:50003 rvps --address 0.0.0.0:50003
 ```
 
 ### Configuration file
 
 RVPS can be launched with a specified configuration file by `-c` flag. A configuration file looks lile
 ```json
 {
-    "address": "0.0.0.0:50003",
-    "store_type": "LocalFs",
-    "store_config": {
+    "storage": {
+	"type": "LocalFs",
         "file_path": "/opt/confidential-containers/attestation-service/reference_values"
     }
 }
 ```
-- `address`: socket listening to requests.
 - `store_type`: backend storage type to store reference values. Currently `LocalFs` and `LocalJson` are supported.
 - `store_config`: optional extra parameters for different kinds of `store_type`. This is also a JSON map object. The concrete content is different due to different `store_type`.
 
@@ -126,7 +124,7 @@ A client tool helps to perform as a client to rvps. It can
 Run RVPS in docker or the following commands
 ```bash
 RVPS_ADDR=127.0.0.1:50003
-rvps --socket $RVPS_ADDR
+rvps --address $RVPS_ADDR
 ```
 
 Edit an test message in [sample format](./src/extractors/extractor_modules/sample/README.md)