From 683a482d64b0406152c22b788386088afb1e17cf Mon Sep 17 00:00:00 2001
From: Jakob Naucke
Date: Fri, 7 Mar 2025 13:51:57 +0000
Subject: [PATCH] protos: Add CDH GetResourceService

Add service to get arbitrary data from Confidential Data Hub. Taken from https://github.com/confidential-containers/guest-components/tree/main/api-server-rest. Marked as `#[allow(dead_code)]` because planned use is architecture-specific at this time.

Signed-off-by: Jakob Naucke
---
 src/agent/src/cdh.rs | 36 +++++++++++++++++--
 .../protos/confidential_data_hub.proto | 12 +++++++
 2 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/src/agent/src/cdh.rs b/src/agent/src/cdh.rs
index f3be4bc701..07f7347578 100644
--- a/src/agent/src/cdh.rs
+++ b/src/agent/src/cdh.rs
@@ -11,8 +11,12 @@ use crate::AGENT_CONFIG;
 use anyhow::{bail, Context, Result};
 use derivative::Derivative;
 use protocols::{
-    confidential_data_hub, confidential_data_hub_ttrpc_async,
-    confidential_data_hub_ttrpc_async::{SealedSecretServiceClient, SecureMountServiceClient},
+    confidential_data_hub,
+    confidential_data_hub::GetResourceRequest,
+    confidential_data_hub_ttrpc_async,
+    confidential_data_hub_ttrpc_async::{
+        GetResourceServiceClient, SealedSecretServiceClient, SecureMountServiceClient,
+    },
 };
 use std::fs;
 use std::os::unix::fs::symlink;
@@ -39,6 +43,8 @@ pub struct CDHClient {
     sealed_secret_client: SealedSecretServiceClient,
     #[derivative(Debug = "ignore")]
     secure_mount_client: SecureMountServiceClient,
+    #[derivative(Debug = "ignore")]
+    get_resource_client: GetResourceServiceClient,
 }
 
 impl CDHClient {
@@ -47,10 +53,13 @@ impl CDHClient {
         let sealed_secret_client =
             confidential_data_hub_ttrpc_async::SealedSecretServiceClient::new(client.clone());
         let secure_mount_client =
-            confidential_data_hub_ttrpc_async::SecureMountServiceClient::new(client);
+            confidential_data_hub_ttrpc_async::SecureMountServiceClient::new(client.clone());
+        let get_resource_client =
+            confidential_data_hub_ttrpc_async::GetResourceServiceClient::new(client);
         Ok(CDHClient {
             sealed_secret_client,
             secure_mount_client,
+            get_resource_client,
         })
     }
 
@@ -84,6 +93,18 @@ impl CDHClient {
             .await?;
         Ok(())
     }
+
+    pub async fn get_resource(&self, resource_path: &str) -> Result> {
+        let req = GetResourceRequest {
+            ResourcePath: format!("kbs://{}", resource_path),
+            ..Default::default()
+        };
+        let res = self
+            .get_resource_client
+            .get_resource(ttrpc::context::with_timeout(*CDH_API_TIMEOUT), &req)
+            .await?;
+        Ok(res.Resource)
+    }
 }
 
 pub async fn init_cdh_client(cdh_socket_uri: &str) -> Result<()> {
@@ -201,6 +222,15 @@ pub async fn secure_mount(
     Ok(())
 }
 
+#[allow(dead_code)]
+pub async fn get_cdh_resource(resource_path: &str) -> Result> {
+    let cdh_client = CDH_CLIENT
+        .get()
+        .expect("Confidential Data Hub not initialized");
+
+    cdh_client.get_resource(resource_path).await
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
diff --git a/src/libs/protocols/protos/confidential_data_hub.proto b/src/libs/protocols/protos/confidential_data_hub.proto
index 8752925a0c..f639c94c98 100644
--- a/src/libs/protocols/protos/confidential_data_hub.proto
+++ b/src/libs/protocols/protos/confidential_data_hub.proto
@@ -34,4 +34,16 @@ service SealedSecretService {
 
 service SecureMountService {
     rpc SecureMount(SecureMountRequest) returns (SecureMountResponse) {};
+}
+
+message GetResourceRequest {
+    string ResourcePath = 1;
+}
+
+message GetResourceResponse {
+    bytes Resource = 1;
+}
+
+service GetResourceService {
+    rpc GetResource(GetResourceRequest) returns (GetResourceResponse) {};
 }
\ No newline at end of file
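Review bot: `get_resource` prepends `kbs://` unconditionally and has no doc comment, so a caller that passes an already-qualified URI ends up requesting `kbs://kbs://…` and an empty `resource_path` yields the bare scheme, with nothing at this layer stating which form is expected. I would add above the signature `/// Fetches a resource from the Confidential Data Hub. `resource_path` is the path part only; the `kbs://` scheme is prepended here. The returned bytes may be secret material and must not be logged.` and reject malformed input before building the request with `if resource_path.is_empty() || resource_path.contains("://") { bail!("invalid CDH resource path: {resource_path}"); }` (`bail` is already imported in the first hunk of this file). The enclosing `impl CDHClient` starts outside the hunk.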
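Review bot: `get_cdh_resource` uses `.expect("Confidential Data Hub not initialized")` on the global client, so an ordering mistake surfaces as a panic in the agent rather than as the `Result` the signature already promises. If the sibling helpers above this hunk use the same `expect`, keeping it is a consistency call, but `let Some(cdh_client) = CDH_CLIENT.get() else { bail!("Confidential Data Hub not initialized") };` gives callers an error they can report and avoids aborting on a recoverable condition. Because the function is `#[allow(dead_code)]`, no caller exists yet to exercise either path, which is the moment to pick the error-returning form.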