protos: Add CDH GetResourceService

Add service to get arbitrary data from Confidential Data Hub. Taken from https://github.com/confidential-containers/guest-components/tree/main/api-server-rest. Marked as `#[allow(dead_code)]` because planned use is architecture-specific at this time. Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2025-08-19 08:28:19 +00:00 · 2025-03-07 13:51:57 +00:00 · 2025-03-07 13:51:57 +00:00 · 683a482d64
commit 683a482d64
parent f6a1c6d0e0
2 changed files with 45 additions and 3 deletions
--- a/src/agent/src/cdh.rs
+++ b/src/agent/src/cdh.rs
@ -11,8 +11,12 @@ use crate::AGENT_CONFIG;
 use anyhow::{bail, Context, Result};
 use derivative::Derivative;
 use protocols::{
-    confidential_data_hub, confidential_data_hub_ttrpc_async,
-    confidential_data_hub_ttrpc_async::{SealedSecretServiceClient, SecureMountServiceClient},
+    confidential_data_hub,
+    confidential_data_hub::GetResourceRequest,
+    confidential_data_hub_ttrpc_async,
+    confidential_data_hub_ttrpc_async::{
+        GetResourceServiceClient, SealedSecretServiceClient, SecureMountServiceClient,
+    },
 };
 use std::fs;
 use std::os::unix::fs::symlink;
@ -39,6 +43,8 @@ pub struct CDHClient {
    sealed_secret_client: SealedSecretServiceClient,
    #[derivative(Debug = "ignore")]
    secure_mount_client: SecureMountServiceClient,
+    #[derivative(Debug = "ignore")]
+    get_resource_client: GetResourceServiceClient,
 }

 impl CDHClient {
@ -47,10 +53,13 @@ impl CDHClient {
        let sealed_secret_client =
            confidential_data_hub_ttrpc_async::SealedSecretServiceClient::new(client.clone());
        let secure_mount_client =
-            confidential_data_hub_ttrpc_async::SecureMountServiceClient::new(client);
+            confidential_data_hub_ttrpc_async::SecureMountServiceClient::new(client.clone());
+        let get_resource_client =
+            confidential_data_hub_ttrpc_async::GetResourceServiceClient::new(client);
        Ok(CDHClient {
            sealed_secret_client,
            secure_mount_client,
+            get_resource_client,
        })
    }

@ -84,6 +93,18 @@ impl CDHClient {
            .await?;
        Ok(())
    }
+
+    pub async fn get_resource(&self, resource_path: &str) -> Result<Vec<u8>> {
+        let req = GetResourceRequest {
+            ResourcePath: format!("kbs://{}", resource_path),
+            ..Default::default()
+        };
+        let res = self
+            .get_resource_client
+            .get_resource(ttrpc::context::with_timeout(*CDH_API_TIMEOUT), &req)
+            .await?;
+        Ok(res.Resource)
+    }
 }

 pub async fn init_cdh_client(cdh_socket_uri: &str) -> Result<()> {
@ -201,6 +222,15 @@ pub async fn secure_mount(
    Ok(())
 }

+#[allow(dead_code)]
+pub async fn get_cdh_resource(resource_path: &str) -> Result<Vec<u8>> {
+    let cdh_client = CDH_CLIENT
+        .get()
+        .expect("Confidential Data Hub not initialized");
+
+    cdh_client.get_resource(resource_path).await
+}
+
 #[cfg(test)]
 mod tests {
    use super::*;
--- a/src/libs/protocols/protos/confidential_data_hub.proto
+++ b/src/libs/protocols/protos/confidential_data_hub.proto
@ -34,4 +34,16 @@ service SealedSecretService {

 service SecureMountService {
    rpc SecureMount(SecureMountRequest) returns (SecureMountResponse) {};
+}
+
+message GetResourceRequest {
+    string ResourcePath = 1;
+}
+
+message GetResourceResponse {
+    bytes Resource = 1;
+}
+
+service GetResourceService {
+    rpc GetResource(GetResourceRequest) returns (GetResourceResponse) {};
 }