diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock index 0b320adb25..8a9630d3f7 100644 --- a/src/agent/Cargo.lock +++ b/src/agent/Cargo.lock @@ -23,6 +23,42 @@ version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "aae1277d39aeec15cb388266ecc24b11c80469deae6067e17a1a7aa9e5c1f234" +[[package]] +name = "aead" +version = "0.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b613b8e1e3cf911a086f53f03bf286f52fd7a7258e4fa606f0ef220d39d8877" +dependencies = [ + "generic-array", +] + +[[package]] +name = "aes" +version = "0.7.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9e8b47f52ea9bae42228d07ec09eb676433d7c4ed1ebdf0f1d1c29ed446f1ab8" +dependencies = [ + "cfg-if 1.0.0", + "cipher", + "cpufeatures", + "ctr", + "opaque-debug", +] + +[[package]] +name = "aes-gcm" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "df5f85a83a7d8b0442b6aa7b504b8212c1733da07b98aae43d4bc21b2cb3cdf6" +dependencies = [ + "aead", + "aes", + "cipher", + "ctr", + "ghash", + "subtle", +] + [[package]] name = "aho-corasick" version = "0.7.18" @@ -64,6 +100,27 @@ dependencies = [ "syn 1.0.72", ] +[[package]] +name = "async-stream" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "171374e7e3b2504e0e5236e3b59260560f9fe94bfe9ac39ba5e4e929c5590625" +dependencies = [ + "async-stream-impl", + "futures-core", +] + +[[package]] +name = "async-stream-impl" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "648ed8c8d2ce5409ccd57453d9d1b214b342a0d69376a6feda1fd6cae3299308" +dependencies = [ + "proc-macro2 1.0.26", + "quote 1.0.9", + "syn 1.0.72", +] + [[package]] name = "async-trait" version = "0.1.50" @@ -96,6 +153,31 @@ dependencies = [ "rustc-demangle", ] +[[package]] +name = "base64" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b25d992356d2eb0ed82172f5248873db5560c4721f564b13cb5193bda5e668e" +dependencies = [ + "byteorder", +] + +[[package]] +name = "base64" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "904dfeac50f3cdaba28fc6f57fdcddb75f49ed61346676a78c4ffe55877802fd" + +[[package]] +name = "base64-serde" +version = "0.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2e964e3e0a930303c7c0bdb28ebf691dd98d9eee4b8b68019d2c995710b58a18" +dependencies = [ + "base64 0.13.0", + "serde", +] + [[package]] name = "bincode" version = "1.3.3" @@ -111,6 +193,15 @@ version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693" +[[package]] +name = "block-buffer" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4" +dependencies = [ + "generic-array", +] + [[package]] name = "bumpalo" version = "3.6.1" @@ -208,10 +299,44 @@ dependencies = [ "libc", "num-integer", "num-traits", - "time", + "time 0.1.43", "winapi", ] +[[package]] +name = "cipher" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7ee52072ec15386f770805afd189a01c8841be8696bed250fa2f13c4c0d6dfb7" +dependencies = [ + "generic-array", +] + +[[package]] +name = "core-foundation" +version = "0.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6888e10551bb93e424d8df1d07f1a8b4fceb0001a3a4b048bfc47554946f47b3" +dependencies = [ + "core-foundation-sys", + "libc", +] + +[[package]] +name = "core-foundation-sys" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5827cebf4670468b8772dd191856768aedcb1b0278a04f989f7766351917b9dc" + +[[package]] +name = "cpufeatures" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "95059428f66df56b63431fdb4e1947ed2190586af5c5a8a8b71122bdf5a7f469" +dependencies = [ + "libc", +] + [[package]] name = "crc32fast" version = "1.2.1" @@ -242,6 +367,25 @@ dependencies = [ "lazy_static", ] +[[package]] +name = "crypto-mac" +version = "0.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b1d1a86f49236c215f271d40892d5fc950490551400b02ef360692c29815c714" +dependencies = [ + "generic-array", + "subtle", +] + +[[package]] +name = "ctr" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "049bb91fb4aaf0e3c7efa6cd5ef877dbbbd15b39dad06d9948de4ec8a75761ea" +dependencies = [ + "cipher", +] + [[package]] name = "derive-new" version = "0.5.9" @@ -253,12 +397,30 @@ dependencies = [ "syn 1.0.72", ] +[[package]] +name = "digest" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066" +dependencies = [ + "generic-array", +] + [[package]] name = "either" version = "1.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457" +[[package]] +name = "encoding_rs" +version = "0.8.29" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a74ea89a0a1b98f6332de42c95baff457ada66d1cb4030f9ff151b2041a1c746" +dependencies = [ + "cfg-if 1.0.0", +] + [[package]] name = "errno" version = "0.2.7" @@ -295,12 +457,55 @@ version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "86d4de0081402f5e88cdac65c8dcdcc73118c1a7a465e2a05f0da05843a8ea33" +[[package]] +name = "fixedbitset" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "398ea4fabe40b9b0d885340a2a991a44c8a645624075ad966d21f88688e2b69e" + +[[package]] +name = "flate2" +version = "1.0.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e6988e897c1c9c485f43b47a529cef42fde0547f9d8d41a7062518f1d8fc53f" +dependencies = [ + "cfg-if 1.0.0", + "crc32fast", + "libc", + "miniz_oxide", +] + [[package]] name = "fnv" version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + +[[package]] +name = "form_urlencoded" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5fc25a87fa4fd2094bffb06925852034d90a17f0d1e05197d4956d3555752191" +dependencies = [ + "matches", + "percent-encoding 2.1.0", +] + [[package]] name = "futures" version = "0.3.15" @@ -401,6 +606,16 @@ version = "0.3.55" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2" +[[package]] +name = "generic-array" +version = "0.14.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "501466ecc8a30d1d3b7fc9229b122b2ce8ed6e9d9223f1138d4babb253e51817" +dependencies = [ + "typenum", + "version_check 0.9.3", +] + [[package]] name = "getrandom" version = "0.2.2" @@ -412,12 +627,47 @@ dependencies = [ "wasi", ] +[[package]] +name = "ghash" +version = "0.4.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1583cc1656d7839fd3732b80cf4f38850336cdb9b8ded1cd399ca62958de3c99" +dependencies = [ + "opaque-debug", + "polyval", +] + [[package]] name = "gimli" version = "0.25.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f0a01e0497841a3b2db4f8afa483cce65f7e96a3498bd6c541734792aeac8fe7" +[[package]] +name = "h2" +version = "0.3.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7fd819562fcebdac5afc5c113c3ec36f902840b70fd4fc458799c8ce4607ae55" +dependencies = [ + "bytes 1.0.1", + "fnv", + "futures-core", + "futures-sink", + "futures-util", + "http 0.2.5", + "indexmap", + "slab", + "tokio", + "tokio-util", + "tracing", +] + +[[package]] +name = "hashbrown" +version = "0.11.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ab5ef0d4909ef3724cc8cce6ccc8572c5c817592e9285f5464f8e86f8bd3726e" + [[package]] name = "heck" version = "0.3.3" @@ -442,6 +692,160 @@ version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" +[[package]] +name = "hmac" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2a2a2320eb7ec0ebe8da8f744d7812d9fc4cb4d09344ac01898dbcb6a20ae69b" +dependencies = [ + "crypto-mac", + "digest", +] + +[[package]] +name = "http" +version = "0.1.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d6ccf5ede3a895d8856620237b2f02972c1bbc78d2965ad7fe8838d4a0ed41f0" +dependencies = [ + "bytes 0.4.12", + "fnv", + "itoa", +] + +[[package]] +name = "http" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1323096b05d41827dadeaee54c9981958c0f94e670bc94ed80037d1a7b8b186b" +dependencies = [ + "bytes 1.0.1", + "fnv", + "itoa", +] + +[[package]] +name = "http-body" +version = "0.4.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ff4f84919677303da5f147645dbea6b1881f368d03ac84e1dc09031ebd7b2c6" +dependencies = [ + "bytes 1.0.1", + "http 0.2.5", + "pin-project-lite", +] + +[[package]] +name = "httparse" +version = "1.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "acd94fdbe1d4ff688b67b04eee2e17bd50995534a61539e45adfefb45e5e5503" + +[[package]] +name = "httpdate" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c4a1e36c821dbe04574f602848a19f742f4fb3c98d40449f11bcad18d6b17421" + +[[package]] +name = "hyper" +version = "0.14.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "436ec0091e4f20e655156a30a0df3770fe2900aa301e548e08446ec794b6953c" +dependencies = [ + "bytes 1.0.1", + "futures-channel", + "futures-core", + "futures-util", + "h2", + "http 0.2.5", + "http-body", + "httparse", + "httpdate", + "itoa", + "pin-project-lite", + "socket2", + "tokio", + "tower-service", + "tracing", + "want", +] + +[[package]] +name = "hyper-timeout" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbb958482e8c7be4bc3cf272a766a2b0bf1a6755e7a6ae777f017a31d11b13b1" +dependencies = [ + "hyper", + "pin-project-lite", + "tokio", + "tokio-io-timeout", +] + +[[package]] +name = "hyper-tls" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905" +dependencies = [ + "bytes 1.0.1", + "hyper", + "native-tls", + "tokio", + "tokio-native-tls", +] + +[[package]] +name = "hyperx" +version = "0.13.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e4a94cbc2c6f63028e5736ca4e811ae36d3990059c384cbe68298c66728a9776" +dependencies = [ + "base64 0.10.1", + "bytes 0.4.12", + "http 0.1.21", + "httparse", + "language-tags", + "log", + "mime", + "percent-encoding 1.0.1", + "time 0.1.43", + "unicase 2.6.0", +] + +[[package]] +name = "idna" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "38f09e0f0b1fb55fdee1f17470ad800da77af5186a1a76c026b679358b7e844e" +dependencies = [ + "matches", + "unicode-bidi", + "unicode-normalization", +] + +[[package]] +name = "idna" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "418a0a6fab821475f634efe3ccc45c013f742efe03d853e8d3355d5cb850ecf8" +dependencies = [ + "matches", + "unicode-bidi", + "unicode-normalization", +] + +[[package]] +name = "indexmap" +version = "1.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bc633605454125dec4b66843673f01c7df2b89479b32e0ed634e43a91cff62a5" +dependencies = [ + "autocfg", + "hashbrown", +] + [[package]] name = "inotify" version = "0.9.3" @@ -482,6 +886,12 @@ dependencies = [ "libc", ] +[[package]] +name = "ipnet" +version = "2.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "68f2d64f2edebec4ce84ad108148e67e1064789bee435edc5b60ad398714a3a9" + [[package]] name = "ipnetwork" version = "0.17.0" @@ -500,12 +910,38 @@ dependencies = [ "either", ] +[[package]] +name = "itertools" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "69ddb889f9d0d08a67338271fa9b62996bc788c7796a5c18cf057420aaed5eaf" +dependencies = [ + "either", +] + [[package]] name = "itoa" version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dd25036021b0de88a0aff6b850051563c6516d0bf53f8638938edbb9de732736" +[[package]] +name = "josekit" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "16e84ea7acc05b40e2fe6fa02a54b3731323c77e6015c36749f0b10c4dbbc32f" +dependencies = [ + "anyhow", + "base64 0.13.0", + "flate2", + "once_cell", + "openssl", + "regex", + "serde_json", + "thiserror", + "time 0.3.5", +] + [[package]] name = "js-sys" version = "0.3.51" @@ -534,6 +970,9 @@ dependencies = [ "netlink-sys", "nix 0.21.0", "oci", + "oci-distribution", + "ocicrypt-rs", + "openssl", "opentelemetry", "procfs", "prometheus", @@ -547,6 +986,7 @@ dependencies = [ "serde", "serde_json", "serial_test", + "sha2", "slog", "slog-scope", "slog-stdlog", @@ -562,6 +1002,12 @@ dependencies = [ "vsock-exporter", ] +[[package]] +name = "language-tags" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a91d884b6667cd606bb5a69aa0c99ba811a115fc68915e7056ec08a46e93199a" + [[package]] name = "lazy_static" version = "1.4.0" @@ -570,9 +1016,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" [[package]] name = "libc" -version = "0.2.96" +version = "0.2.108" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5600b4e6efc5421841a2138a6b082e07fe12f9aaa12783d50e5d13325b26b4fc" +checksum = "8521a1b57e76b1ec69af7599e75e38e7b7fad6610f037db8c79b127201b5d119" [[package]] name = "libflate" @@ -650,6 +1096,12 @@ dependencies = [ "regex-automata", ] +[[package]] +name = "matches" +version = "0.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a3e378b66a060d48947b590737b30a1be76706c8dd7b8ba0f2fe3989c68a853f" + [[package]] name = "memchr" version = "2.4.0" @@ -665,6 +1117,12 @@ dependencies = [ "autocfg", ] +[[package]] +name = "mime" +version = "0.3.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2a60c7ce501c71e03a9c9c0d35b861413ae925bd979cc7a4e30d060069aaac8d" + [[package]] name = "miniz_oxide" version = "0.4.4" @@ -703,6 +1161,30 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2eb04b9f127583ed176e163fb9ec6f3e793b87e21deedd5734a69386a18a0151" +[[package]] +name = "multimap" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e5ce46fe64a9d73be07dcbe690a38ce1b293be448fd8ce1e6c1b8062c9f72c6a" + +[[package]] +name = "native-tls" +version = "0.2.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "48ba9f7719b5a0f42f338907614285fb5fd70e53858141f69898a1fb7203b24d" +dependencies = [ + "lazy_static", + "libc", + "log", + "openssl", + "openssl-probe", + "openssl-sys", + "schannel", + "security-framework", + "security-framework-sys", + "tempfile", +] + [[package]] name = "netlink-packet-core" version = "0.2.4" @@ -888,12 +1370,108 @@ dependencies = [ "serde_json", ] +[[package]] +name = "oci-distribution" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c9f50cb73141efc685844c84c98c361429c3a7db550d8d9888af037d93358a7" +dependencies = [ + "anyhow", + "futures-util", + "hyperx", + "lazy_static", + "regex", + "reqwest", + "serde", + "serde_json", + "sha2", + "tokio", + "tracing", + "www-authenticate", +] + +[[package]] +name = "ocicrypt-rs" +version = "0.1.0" +source = "git+https://github.com/containers/ocicrypt-rs#9af596112a64326828416806e049cf0e0ffc9320" +dependencies = [ + "aes", + "aes-gcm", + "anyhow", + "base64 0.13.0", + "base64-serde", + "ctr", + "hmac", + "josekit", + "lazy_static", + "oci-distribution", + "prost 0.9.0", + "prost-types 0.9.0", + "rand", + "serde", + "serde_derive", + "serde_json", + "sha2", + "tokio", + "tonic", + "tonic-build", +] + [[package]] name = "once_cell" version = "1.7.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "af8b08b04175473088b46763e51ee54da5f9a164bc162f615b91bc179dbf15a3" +[[package]] +name = "opaque-debug" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5" + +[[package]] +name = "openssl" +version = "0.10.38" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c7ae222234c30df141154f159066c5093ff73b63204dcda7121eb082fc56a95" +dependencies = [ + "bitflags", + "cfg-if 1.0.0", + "foreign-types", + "libc", + "once_cell", + "openssl-sys", +] + +[[package]] +name = "openssl-probe" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "28988d872ab76095a6e6ac88d99b54fd267702734fd7ffe610ca27f533ddb95a" + +[[package]] +name = "openssl-src" +version = "300.0.2+3.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "14a760a11390b1a5daf72074d4f6ff1a6e772534ae191f999f57e9ee8146d1fb" +dependencies = [ + "cc", +] + +[[package]] +name = "openssl-sys" +version = "0.9.71" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7df13d165e607909b363a4757a6f133f8a818a74e9d3a98d09c6128e15fa4c73" +dependencies = [ + "autocfg", + "cc", + "libc", + "openssl-src", + "pkg-config", + "vcpkg", +] + [[package]] name = "opentelemetry" version = "0.14.0" @@ -905,7 +1483,7 @@ dependencies = [ "futures", "js-sys", "lazy_static", - "percent-encoding", + "percent-encoding 2.1.0", "pin-project", "rand", "serde", @@ -964,6 +1542,12 @@ dependencies = [ "lazy_static", ] +[[package]] +name = "percent-encoding" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "31010dd2e1ac33d5b46a5b413495239882813e0369f8ed8a5e266f173602f831" + [[package]] name = "percent-encoding" version = "2.1.0" @@ -976,7 +1560,17 @@ version = "0.4.13" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c3659d1ee90221741f65dd128d9998311b0e40c5d3c23a62445938214abce4f" dependencies = [ - "fixedbitset", + "fixedbitset 0.1.9", +] + +[[package]] +name = "petgraph" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4a13a2fa9d0b63e5f22328828741e523766fff0ee9e779316902290dff3f824f" +dependencies = [ + "fixedbitset 0.4.0", + "indexmap", ] [[package]] @@ -1017,6 +1611,18 @@ version = "0.3.19" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3831453b3449ceb48b6d9c7ad7c96d5ea673e9b470a1dc578c2ce6521230884c" +[[package]] +name = "polyval" +version = "0.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8419d2b623c7c0896ff2d5d96e2cb4ede590fed28fcc34934f4c33c036e620a1" +dependencies = [ + "cfg-if 1.0.0", + "cpufeatures", + "opaque-debug", + "universal-hash", +] + [[package]] name = "ppv-lite86" version = "0.2.10" @@ -1092,7 +1698,17 @@ checksum = "96d14b1c185652833d24aaad41c5832b0be5616a590227c1fbff57c616754b23" dependencies = [ "byteorder", "bytes 0.4.12", - "prost-derive", + "prost-derive 0.5.0", +] + +[[package]] +name = "prost" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "444879275cb4fd84958b1a1d5420d15e6fcf7c235fe47f053c9c2a80aceb6001" +dependencies = [ + "bytes 1.0.1", + "prost-derive 0.9.0", ] [[package]] @@ -1103,14 +1719,34 @@ checksum = "eb788126ea840817128183f8f603dce02cb7aea25c2a0b764359d8e20010702e" dependencies = [ "bytes 0.4.12", "heck", - "itertools", + "itertools 0.8.2", "log", - "multimap", - "petgraph", - "prost", - "prost-types", + "multimap 0.4.0", + "petgraph 0.4.13", + "prost 0.5.0", + "prost-types 0.5.0", "tempfile", - "which", + "which 2.0.1", +] + +[[package]] +name = "prost-build" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "62941722fb675d463659e49c4f3fe1fe792ff24fe5bbaa9c08cd3b98a1c354f5" +dependencies = [ + "bytes 1.0.1", + "heck", + "itertools 0.10.1", + "lazy_static", + "log", + "multimap 0.8.3", + "petgraph 0.6.0", + "prost 0.9.0", + "prost-types 0.9.0", + "regex", + "tempfile", + "which 4.2.2", ] [[package]] @@ -1120,12 +1756,25 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5e7dc378b94ac374644181a2247cebf59a6ec1c88b49ac77f3a94b86b79d0e11" dependencies = [ "failure", - "itertools", + "itertools 0.8.2", "proc-macro2 0.4.30", "quote 0.6.13", "syn 0.15.44", ] +[[package]] +name = "prost-derive" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f9cc1a3263e07e0bf68e96268f37665207b49560d98739662cdfaae215c720fe" +dependencies = [ + "anyhow", + "itertools 0.10.1", + "proc-macro2 1.0.26", + "quote 1.0.9", + "syn 1.0.72", +] + [[package]] name = "prost-types" version = "0.5.0" @@ -1133,7 +1782,17 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1de482a366941c8d56d19b650fac09ca08508f2a696119ee7513ad590c8bac6f" dependencies = [ "bytes 0.4.12", - "prost", + "prost 0.5.0", +] + +[[package]] +name = "prost-types" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "534b7a0e836e3c482d2693070f982e39e7611da9695d4d1f5a4b186b51faef0a" +dependencies = [ + "bytes 1.0.1", + "prost 0.9.0", ] [[package]] @@ -1280,6 +1939,41 @@ dependencies = [ "winapi", ] +[[package]] +name = "reqwest" +version = "0.11.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "66d2927ca2f685faf0fc620ac4834690d29e7abb153add10f5812eef20b5e280" +dependencies = [ + "base64 0.13.0", + "bytes 1.0.1", + "encoding_rs", + "futures-core", + "futures-util", + "http 0.2.5", + "http-body", + "hyper", + "hyper-tls", + "ipnet", + "js-sys", + "lazy_static", + "log", + "mime", + "native-tls", + "percent-encoding 2.1.0", + "pin-project-lite", + "serde", + "serde_json", + "serde_urlencoded", + "tokio", + "tokio-native-tls", + "url 2.2.2", + "wasm-bindgen", + "wasm-bindgen-futures", + "web-sys", + "winreg", +] + [[package]] name = "rle-decode-fast" version = "1.0.1" @@ -1365,12 +2059,45 @@ dependencies = [ "regex", ] +[[package]] +name = "schannel" +version = "0.1.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8f05ba609c234e60bee0d547fe94a4c7e9da733d1c962cf6e59efa4cd9c8bc75" +dependencies = [ + "lazy_static", + "winapi", +] + [[package]] name = "scopeguard" version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" +[[package]] +name = "security-framework" +version = "2.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "23a2ac85147a3a11d77ecf1bc7166ec0b92febfa4461c37944e180f319ece467" +dependencies = [ + "bitflags", + "core-foundation", + "core-foundation-sys", + "libc", + "security-framework-sys", +] + +[[package]] +name = "security-framework-sys" +version = "2.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a9dd14d83160b528b7bfd66439110573efcfbe281b17fc2ca9f39f550d619c7e" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "serde" version = "1.0.130" @@ -1397,6 +2124,19 @@ version = "1.0.68" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0f690853975602e1bfe1ccbf50504d67174e3bcf340f23b5ea9992e0587a52d8" dependencies = [ + "indexmap", + "itoa", + "ryu", + "serde", +] + +[[package]] +name = "serde_urlencoded" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "edfa57a7f8d9c1d260a549e7224100f6c43d43f9103e06dd8b4095a9b2b43ce9" +dependencies = [ + "form_urlencoded", "itoa", "ryu", "serde", @@ -1424,6 +2164,19 @@ dependencies = [ "syn 1.0.72", ] +[[package]] +name = "sha2" +version = "0.9.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b69f9a4c9740d74c5baa3fd2e547f9525fa8088a8a958e0ca2409a514e33f5fa" +dependencies = [ + "block-buffer", + "cfg-if 1.0.0", + "cpufeatures", + "digest", + "opaque-debug", +] + [[package]] name = "sharded-slab" version = "0.1.1" @@ -1512,12 +2265,28 @@ version = "1.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fe0f37c9e8f3c5a4a66ad655a93c74daac4ad00c441533bf5c6e7990bb42604e" +[[package]] +name = "socket2" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5dc90fe6c7be1a323296982db1836d1ea9e47b6839496dde9a541bc496df3516" +dependencies = [ + "libc", + "winapi", +] + [[package]] name = "spin" version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" +[[package]] +name = "subtle" +version = "2.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601" + [[package]] name = "syn" version = "0.15.44" @@ -1600,10 +2369,34 @@ dependencies = [ ] [[package]] -name = "tokio" -version = "1.8.1" +name = "time" +version = "0.3.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "98c8b05dc14c75ea83d63dd391100353789f5f24b8b3866542a5e85c8be8e985" +checksum = "41effe7cfa8af36f439fac33861b66b049edc6f9a32331e2312660529c1c24ad" +dependencies = [ + "libc", +] + +[[package]] +name = "tinyvec" +version = "1.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2c1c1d5a42b6245520c249549ec267180beaffcc0615401ac8e31853d4b6d8d2" +dependencies = [ + "tinyvec_macros", +] + +[[package]] +name = "tinyvec_macros" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c" + +[[package]] +name = "tokio" +version = "1.14.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "70e992e41e0d2fb9f755b37446f20900f64446ef54874f40a60c78f021ac6144" dependencies = [ "autocfg", "bytes 1.0.1", @@ -1620,16 +2413,36 @@ dependencies = [ ] [[package]] -name = "tokio-macros" -version = "1.2.0" +name = "tokio-io-timeout" +version = "1.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c49e3df43841dafb86046472506755d8501c5615673955f6aa17181125d13c37" +checksum = "90c49f106be240de154571dd31fbe48acb10ba6c6dd6f6517ad603abffa42de9" +dependencies = [ + "pin-project-lite", + "tokio", +] + +[[package]] +name = "tokio-macros" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c9efc1aba077437943f7515666aa2b882dfabfbfdf89c819ea75a8d6e9eaba5e" dependencies = [ "proc-macro2 1.0.26", "quote 1.0.9", "syn 1.0.72", ] +[[package]] +name = "tokio-native-tls" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f7d995660bd2b7f8c1568414c1126076c13fbb725c40112dc0120b78eb9b717b" +dependencies = [ + "native-tls", + "tokio", +] + [[package]] name = "tokio-stream" version = "0.1.6" @@ -1677,6 +2490,81 @@ dependencies = [ "serde", ] +[[package]] +name = "tonic" +version = "0.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "24203b79cf2d68909da91178db3026e77054effba0c5d93deb870d3ca7b35afa" +dependencies = [ + "async-stream", + "async-trait", + "base64 0.13.0", + "bytes 1.0.1", + "futures-core", + "futures-util", + "h2", + "http 0.2.5", + "http-body", + "hyper", + "hyper-timeout", + "percent-encoding 2.1.0", + "pin-project", + "prost 0.9.0", + "prost-derive 0.9.0", + "tokio", + "tokio-stream", + "tokio-util", + "tower", + "tower-layer", + "tower-service", + "tracing", + "tracing-futures", +] + +[[package]] +name = "tonic-build" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "88358bb1dcfeb62dcce85c63006cafb964b7be481d522b7e09589d4d1e718d2a" +dependencies = [ + "proc-macro2 1.0.26", + "prost-build 0.9.0", + "quote 1.0.9", + "syn 1.0.72", +] + +[[package]] +name = "tower" +version = "0.4.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f60422bc7fefa2f3ec70359b8ff1caff59d785877eb70595904605bcc412470f" +dependencies = [ + "futures-core", + "futures-util", + "indexmap", + "pin-project", + "rand", + "slab", + "tokio", + "tokio-stream", + "tokio-util", + "tower-layer", + "tower-service", + "tracing", +] + +[[package]] +name = "tower-layer" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "343bc9466d3fe6b0f960ef45960509f84480bf4fd96f92901afe7ff3df9d3a62" + +[[package]] +name = "tower-service" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "360dfd1d6d30e05fda32ace2c8c70e9c0a9da713275777f5a4dbb8a1893930c6" + [[package]] name = "tracing" version = "0.1.26" @@ -1684,6 +2572,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "09adeb8c97449311ccd28a427f96fb563e7fd31aabf994189879d9da2394b89d" dependencies = [ "cfg-if 1.0.0", + "log", "pin-project-lite", "tracing-attributes", "tracing-core", @@ -1709,6 +2598,16 @@ dependencies = [ "lazy_static", ] +[[package]] +name = "tracing-futures" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "97d095ae15e245a057c8e8451bab9b3ee1e1f68e9ba2b4fbc18d0ac5237835f2" +dependencies = [ + "pin-project", + "tracing", +] + [[package]] name = "tracing-log" version = "0.1.2" @@ -1765,6 +2664,12 @@ dependencies = [ "tracing-serde", ] +[[package]] +name = "try-lock" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "59547bce71d9c38b83d9c0e92b6066c4253371f15005def0c30d9657f50c7642" + [[package]] name = "ttrpc" version = "0.5.1" @@ -1803,14 +2708,53 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8c2f2ce8c9a6e9422d0714bc8058b705d503fc9d028e69fae2236050c4721d75" dependencies = [ "derive-new", - "prost", - "prost-build", - "prost-types", + "prost 0.5.0", + "prost-build 0.5.0", + "prost-types 0.5.0", "protobuf", "protobuf-codegen", "tempfile", ] +[[package]] +name = "typenum" +version = "1.14.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b63708a265f51345575b27fe43f9500ad611579e764c79edbc2037b1121959ec" + +[[package]] +name = "unicase" +version = "1.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7f4765f83163b74f957c797ad9253caf97f103fb064d3999aea9568d09fc8a33" +dependencies = [ + "version_check 0.1.5", +] + +[[package]] +name = "unicase" +version = "2.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "50f37be617794602aabbeee0be4f259dc1778fabe05e2d67ee8f79326d5cb4f6" +dependencies = [ + "version_check 0.9.3", +] + +[[package]] +name = "unicode-bidi" +version = "0.3.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a01404663e3db436ed2746d9fefef640d868edae3cceb81c3b8d5732fda678f" + +[[package]] +name = "unicode-normalization" +version = "0.1.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d54590932941a9e9266f0832deed84ebe1bf2e4c9e4a3554d393d18f5e854bf9" +dependencies = [ + "tinyvec", +] + [[package]] name = "unicode-segmentation" version = "1.8.0" @@ -1829,6 +2773,57 @@ version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3" +[[package]] +name = "universal-hash" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9f214e8f697e925001e66ec2c6e37a4ef93f0f78c2eed7814394e10c62025b05" +dependencies = [ + "generic-array", + "subtle", +] + +[[package]] +name = "url" +version = "1.7.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dd4e7c0d531266369519a4aa4f399d748bd37043b00bde1e4ff1f60a120b355a" +dependencies = [ + "idna 0.1.5", + "matches", + "percent-encoding 1.0.1", +] + +[[package]] +name = "url" +version = "2.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a507c383b2d33b5fc35d1861e77e6b383d158b2da5e14fe51b83dfedf6fd578c" +dependencies = [ + "form_urlencoded", + "idna 0.2.3", + "matches", + "percent-encoding 2.1.0", +] + +[[package]] +name = "vcpkg" +version = "0.2.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" + +[[package]] +name = "version_check" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "914b1a6776c4c929a602fafd8bc742e06365d4bcbe48c30f9cca5824f70dc9dd" + +[[package]] +name = "version_check" +version = "0.9.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5fecdca9a5291cc2b8dcf7dc02453fee791a280f3743cb0905f8822ae463b3fe" + [[package]] name = "void" version = "1.0.2" @@ -1862,6 +2857,16 @@ dependencies = [ "tokio-vsock", ] +[[package]] +name = "want" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ce8a968cb1cd110d136ff8b819a556d6fb6d919363c61534f6860c7eb172ba0" +dependencies = [ + "log", + "try-lock", +] + [[package]] name = "wasi" version = "0.10.2+wasi-snapshot-preview1" @@ -1893,6 +2898,18 @@ dependencies = [ "wasm-bindgen-shared", ] +[[package]] +name = "wasm-bindgen-futures" +version = "0.4.24" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5fba7978c679d53ce2d0ac80c8c175840feb849a161664365d1287b41f2e67f1" +dependencies = [ + "cfg-if 1.0.0", + "js-sys", + "wasm-bindgen", + "web-sys", +] + [[package]] name = "wasm-bindgen-macro" version = "0.2.74" @@ -1922,6 +2939,16 @@ version = "0.2.74" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d7cff876b8f18eed75a66cf49b65e7f967cb354a7aa16003fb55dbfd25b44b4f" +[[package]] +name = "web-sys" +version = "0.3.51" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e828417b379f3df7111d3a2a9e5753706cae29c41f7c4029ee9fd77f3e09e582" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + [[package]] name = "which" version = "2.0.1" @@ -1932,6 +2959,17 @@ dependencies = [ "libc", ] +[[package]] +name = "which" +version = "4.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ea187a8ef279bc014ec368c27a920da2024d2a711109bfbe3440585d5cf27ad9" +dependencies = [ + "either", + "lazy_static", + "libc", +] + [[package]] name = "winapi" version = "0.3.9" @@ -1953,3 +2991,23 @@ name = "winapi-x86_64-pc-windows-gnu" version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" + +[[package]] +name = "winreg" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0120db82e8a1e0b9fb3345a539c478767c0048d842860994d96113d5b667bd69" +dependencies = [ + "winapi", +] + +[[package]] +name = "www-authenticate" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8c62efb8259cda4e4c732287397701237b78daa4c43edcf3e613c8503a6c07dd" +dependencies = [ + "hyperx", + "unicase 1.4.2", + "url 1.7.2", +] diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml index a6ba05dd5d..4dbb4b07eb 100644 --- a/src/agent/Cargo.toml +++ b/src/agent/Cargo.toml @@ -61,6 +61,13 @@ vsock-exporter = { path = "vsock-exporter" } serde = { version = "1.0.129", features = ["derive"] } toml = "0.5.8" +# Image pull/decrypt +oci-distribution = "0.7.0" +ocicrypt-rs = { git = "https://github.com/containers/ocicrypt-rs" } +sha2 = "0.9.8" +# "vendored" feature for openssl is required by musl build +openssl = { version = "0.10.38", features = ["vendored"] } + [dev-dependencies] tempfile = "3.1.0" diff --git a/src/agent/src/image_rpc.rs b/src/agent/src/image_rpc.rs index 84c943cb39..f140f9dc5c 100644 --- a/src/agent/src/image_rpc.rs +++ b/src/agent/src/image_rpc.rs @@ -3,9 +3,9 @@ // SPDX-License-Identifier: Apache-2.0 // +use std::env; use std::fs; -use std::io::Write; -use std::path::Path; +use std::path::{Path, PathBuf}; use std::process::{Command, ExitStatus}; use std::sync::atomic::{AtomicBool, Ordering}; use std::sync::Arc; @@ -13,6 +13,8 @@ use std::sync::Arc; use anyhow::{anyhow, ensure, Result}; use async_trait::async_trait; use protocols::image; +use std::convert::TryFrom; +use std::fs::File; use tokio::sync::Mutex; use ttrpc::{self, error::get_rpc_status as ttrpc_error}; @@ -20,12 +22,33 @@ use crate::rpc::{verify_cid, CONTAINER_BASE}; use crate::sandbox::Sandbox; use crate::AGENT_CONFIG; +use oci_distribution::client::{ImageData, ImageLayer}; +use oci_distribution::manifest::{OciDescriptor, OciManifest}; +use oci_distribution::{manifest, secrets::RegistryAuth, Client, Reference}; +use ocicrypt_rs::config::CryptoConfig; +use ocicrypt_rs::encryption::decrypt_layer; +use ocicrypt_rs::helpers::create_decrypt_config; +use ocicrypt_rs::spec::{ + MEDIA_TYPE_LAYER_ENC, MEDIA_TYPE_LAYER_GZIP_ENC, MEDIA_TYPE_LAYER_NON_DISTRIBUTABLE_ENC, + MEDIA_TYPE_LAYER_NON_DISTRIBUTABLE_GZIP_ENC, +}; +use serde::Serialize; +use sha2::{Digest, Sha256}; +use std::collections::HashMap; +use std::io::{Read, Write}; + const SKOPEO_PATH: &str = "/usr/bin/skopeo"; const UMOCI_PATH: &str = "/usr/local/bin/umoci"; const IMAGE_OCI: &str = "image_oci"; const AA_PATH: &str = "/usr/local/bin/attestation-agent"; const AA_PORT: &str = "127.0.0.1:50000"; const OCICRYPT_CONFIG_PATH: &str = "/tmp/ocicrypt_config.json"; +const OCI_ANNOTATION_REF_NAME: &str = "org.opencontainers.image.ref.name"; +const OCI_IMAGE_MANIFEST_NAME: &str = "application/vnd.oci.image.manifest.v1+json"; +const OCI_LAYOUT: &str = r#"{"imageLayoutVersion": "1.0.0"}"#; +const IMAGE_DOCKER_LAYER_FOREIGN_GZIP_MEDIA_TYPE: &str = + "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip"; +const DIGEST_SHA256: &str = "sha256"; // Convenience macro to obtain the scope logger macro_rules! sl { @@ -34,6 +57,13 @@ macro_rules! sl { }; } +#[derive(Serialize, Debug, Default, Clone)] +#[serde(rename_all = "camelCase")] +pub struct IndexDescriptor { + pub schema_version: u8, + pub manifests: Vec, +} + pub struct ImageService { sandbox: Arc>, attestation_agent_started: AtomicBool, @@ -47,6 +77,214 @@ impl ImageService { } } + fn build_oci_path(cid: &str) -> PathBuf { + let mut oci_path = PathBuf::from("/tmp"); + oci_path.push(cid); + oci_path.push(IMAGE_OCI); + oci_path + } + + fn decrypt_layer_data( + layer: &ImageLayer, + layer_digest: &str, + image_manifest: &mut OciManifest, + crypto_config: &CryptoConfig, + oci_blob_path: &Path, + ) -> Result<()> { + if let Some(decrypt_config) = &crypto_config.decrypt_config { + for layer_desc in image_manifest.layers.iter_mut() { + if layer_desc.digest.as_str() == layer_digest { + let (layer_decryptor, _dec_digest) = + decrypt_layer(decrypt_config, layer.data.as_slice(), layer_desc, false)?; + let mut plaintxt_data: Vec = Vec::new(); + let mut decryptor = + layer_decryptor.ok_or_else(|| anyhow!("Missing layer decryptor"))?; + + decryptor.read_to_end(&mut plaintxt_data)?; + let layer_name = format!("{:x}", Sha256::digest(&plaintxt_data)); + let mut out_file = File::create(oci_blob_path.join(&layer_name))?; + out_file.write_all(&plaintxt_data)?; + layer_desc.media_type = manifest::IMAGE_LAYER_GZIP_MEDIA_TYPE.to_string(); + + layer_desc.digest = format!("{}:{}", DIGEST_SHA256, layer_name); + } + } + } else { + return Err(anyhow!("No decrypt config available")); + } + + Ok(()) + } + + fn handle_layer_data( + image_data: &ImageData, + image_manifest: &mut OciManifest, + crypto_config: &CryptoConfig, + oci_blob_path: &Path, + ) -> Result<()> { + for layer in image_data.layers.iter() { + let layer_digest = layer.clone().sha256_digest(); + + if layer.media_type == MEDIA_TYPE_LAYER_GZIP_ENC + || layer.media_type == MEDIA_TYPE_LAYER_ENC + { + Self::decrypt_layer_data( + layer, + &layer_digest, + image_manifest, + crypto_config, + oci_blob_path, + )?; + } else if let Some(layer_name) = + layer_digest.strip_prefix(format!("{}:", DIGEST_SHA256).as_str()) + { + let mut out_file = File::create(oci_blob_path.join(&layer_name))?; + out_file.write_all(&layer.data)?; + } else { + error!( + sl!(), + "layer digest algo not supported:: {:?}", layer_digest + ); + } + } + + Ok(()) + } + + #[tokio::main] + async fn download_image( + image: &str, + auth: &RegistryAuth, + ) -> anyhow::Result<(OciManifest, String, ImageData)> { + let reference = Reference::try_from(image)?; + let mut client = Client::default(); + let (image_manifest, _image_digest, image_config) = + client.pull_manifest_and_config(&reference, auth).await?; + + // TODO: Get the value from config + let max_attempt = 2; + let attempt_interval = 1; + for i in 1..max_attempt { + match client + .pull( + &reference, + auth, + vec![ + manifest::IMAGE_DOCKER_LAYER_GZIP_MEDIA_TYPE, + manifest::IMAGE_LAYER_GZIP_MEDIA_TYPE, + MEDIA_TYPE_LAYER_GZIP_ENC, + MEDIA_TYPE_LAYER_ENC, + MEDIA_TYPE_LAYER_NON_DISTRIBUTABLE_ENC, + MEDIA_TYPE_LAYER_NON_DISTRIBUTABLE_GZIP_ENC, + ], + ) + .await + { + Ok(data) => return Ok((image_manifest, image_config, data)), + Err(e) => { + info!( + sl!(), + "Got error on pull call attempt #{}. Will retry in {}s: {:?}", + attempt_interval, + i, + e + ); + tokio::time::sleep(tokio::time::Duration::from_secs(attempt_interval)).await; + } + } + } + + Err(anyhow!("Failed to download image data")) + } + + fn pull_image_with_oci_distribution( + image: &str, + cid: &str, + source_creds: &Option, + aa_kbc_params: &str, + ) -> Result<()> { + let oci_path = Self::build_oci_path(cid); + fs::create_dir_all(&oci_path)?; + + let mut auth = RegistryAuth::Anonymous; + if let Some(source_creds) = source_creds { + if let Some((username, password)) = source_creds.split_once(':') { + auth = RegistryAuth::Basic(username.to_string(), password.to_string()); + } else { + return Err(anyhow!("Invalid authentication info ({:?})", source_creds)); + } + } + + let (mut image_manifest, image_config, image_data) = Self::download_image(image, &auth)?; + + // Prepare OCI layout storage for umoci + image_manifest.config.media_type = manifest::IMAGE_CONFIG_MEDIA_TYPE.to_string(); + // TODO: support other digest algo like sha512 + let oci_blob_path = oci_path.join(format!("blobs/{}", DIGEST_SHA256)); + fs::create_dir_all(&oci_blob_path)?; + + if let Some(config_name) = &image_manifest + .config + .digest + .strip_prefix(format!("{}:", DIGEST_SHA256).as_str()) + { + let mut out_file = File::create(oci_blob_path.join(config_name))?; + out_file.write_all(image_config.as_bytes())?; + } + + let mut cc = CryptoConfig::default(); + + if !aa_kbc_params.is_empty() { + let decrypt_config = format!("provider:attestation-agent:{}", aa_kbc_params); + cc = create_decrypt_config(vec![decrypt_config], vec![])?; + } + + // Covert docker layer media type to OCI type + for layer_desc in image_manifest.layers.iter_mut() { + if layer_desc.media_type == manifest::IMAGE_DOCKER_LAYER_GZIP_MEDIA_TYPE + || layer_desc.media_type == IMAGE_DOCKER_LAYER_FOREIGN_GZIP_MEDIA_TYPE + { + layer_desc.media_type = manifest::IMAGE_LAYER_GZIP_MEDIA_TYPE.to_string(); + } + } + + Self::handle_layer_data(&image_data, &mut image_manifest, &cc, &oci_blob_path)?; + + let manifest_json = serde_json::to_string(&image_manifest)?; + let manifest_digest = format!("{:x}", Sha256::digest(manifest_json.as_bytes())); + + let mut out_file = File::create(oci_blob_path.join(manifest_digest))?; + out_file.write_all(manifest_json.as_bytes())?; + + let mut annotations = HashMap::new(); + annotations.insert(OCI_ANNOTATION_REF_NAME.to_string(), "latest".to_string()); + + let manifest_descriptor = OciDescriptor { + media_type: OCI_IMAGE_MANIFEST_NAME.to_string(), + digest: format!( + "{}:{:x}", + DIGEST_SHA256, + Sha256::digest(manifest_json.as_bytes()) + ), + size: manifest_json.len() as i64, + annotations: Some(annotations), + ..Default::default() + }; + + let index_descriptor = IndexDescriptor { + schema_version: image_manifest.schema_version, + manifests: vec![manifest_descriptor], + }; + + let mut out_file = File::create(format!("{}/index.json", oci_path.to_string_lossy()))?; + out_file.write_all(serde_json::to_string(&index_descriptor)?.as_bytes())?; + + let mut out_file = File::create(format!("{}/oci-layout", oci_path.to_string_lossy()))?; + out_file.write_all(OCI_LAYOUT.as_bytes())?; + + Ok(()) + } + fn pull_image_from_registry( image: &str, cid: &str, @@ -62,8 +300,6 @@ impl ImageService { fs::create_dir_all(&oci_path)?; - info!(sl!(), "Attempting to pull image {}...", &source_image); - let mut pull_command = Command::new(SKOPEO_PATH); pull_command .arg("copy") @@ -166,6 +402,8 @@ impl ImageService { } async fn pull_image(&self, req: &image::PullImageRequest) -> Result { + env::set_var("OCICRYPT_KEYPROVIDER_CONFIG", OCICRYPT_CONFIG_PATH); + let image = req.get_image(); let mut cid = req.get_container_id(); @@ -196,12 +434,30 @@ impl ImageService { let source_creds = (!req.get_source_creds().is_empty()).then(|| req.get_source_creds()); - // Read the policy path from the agent config - let config_policy_path = &AGENT_CONFIG.read().await.container_policy_path; - let policy_path = (!config_policy_path.is_empty()).then(|| config_policy_path); - info!(sl!(), "Using container policy_path: {:?}...", &policy_path); + if Path::new(SKOPEO_PATH).exists() { + // Read the policy path from the agent config + let config_policy_path = &AGENT_CONFIG.read().await.container_policy_path; + let policy_path = (!config_policy_path.is_empty()).then(|| config_policy_path); + + Self::pull_image_from_registry(image, cid, &source_creds, &policy_path, aa_kbc_params)?; + } else { + let image = image.to_string(); + let cid = cid.to_string(); + let source_creds = + (!req.get_source_creds().is_empty()).then(|| req.get_source_creds().to_string()); + let aa_kbc_params = aa_kbc_params.to_string(); + + // ocicrypt-rs keyprovider module will create a new runtime to talk with + // attestation agent, to avoid startup a runtime within a runtime, we + // spawn a new thread here. + tokio::task::spawn_blocking(move || { + Self::pull_image_with_oci_distribution(&image, &cid, &source_creds, &aa_kbc_params) + .map_err(|err| warn!(sl!(), "pull image failed: {:?}", err)) + .ok(); + }) + .await?; + } - Self::pull_image_from_registry(image, cid, &source_creds, &policy_path, aa_kbc_params)?; Self::unpack_image(cid)?; let mut sandbox = self.sandbox.lock().await;