github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-22 17:59:31 +00:00
Code Issues Projects Releases Wiki Activity

Merge 5041123c68 into 9379a18c8a

Browse Source
This commit is contained in:
Jiyeon Park 2025-08-12 11:32:46 +08:00 committed by GitHub
commit 83bb9e7447
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 46 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
src/agent/src/confidential_data_hub/mod.rs
View File

@ -22,6 +22,8 @@ use protocols::{
}; };
use safe_path::scoped_join; use safe_path::scoped_join;
use std::fs; use std::fs;
use std::fs::File;
use std::io::{self, Read};
use std::path::Path; use std::path::Path;
use std::{os::unix::fs::symlink, path::PathBuf}; use std::{os::unix::fs::symlink, path::PathBuf};
use tokio::sync::OnceCell; use tokio::sync::OnceCell;
@ -235,8 +237,8 @@ pub async fn unseal_file(path: &str) -> Result<()> {
} }
let secret_name = entry.file_name(); let secret_name = entry.file_name();
let contents = fs::read_to_string(&target_path)?; if content_starts_with_prefix(&target_path, SEALED_SECRET_PREFIX).await? {
if contents.starts_with(SEALED_SECRET_PREFIX) { let contents = fs::read_to_string(&target_path)?;
// Get the directory name of the sealed secret file // Get the directory name of the sealed secret file
let dir_name = target_path let dir_name = target_path
.parent() .parent()
@ -262,6 +264,17 @@ pub async fn unseal_file(path: &str) -> Result<()> {
Ok(()) Ok(())
} }
pub async fn content_starts_with_prefix(path: &Path, prefix: &str) -> io::Result<bool> {
let mut file = File::open(path)?;
let mut buffer = vec![0u8; prefix.len()];
match file.read_exact(&mut buffer) {
Ok(()) => Ok(buffer == prefix.as_bytes()),
Err(ref e) if e.kind() == io::ErrorKind::UnexpectedEof => Ok(false),
Err(e) => Err(e),
}
}
pub async fn secure_mount( pub async fn secure_mount(
volume_type: &str, volume_type: &str,
options: &std::collections::HashMap<String, String>, options: &std::collections::HashMap<String, String>,
@ -294,7 +307,7 @@ mod tests {
use std::fs::File; use std::fs::File;
use std::io::{Read, Write}; use std::io::{Read, Write};
use std::sync::Arc; use std::sync::Arc;
use tempfile::tempdir; use tempfile::{tempdir, NamedTempFile};
use test_utils::skip_if_not_root; use test_utils::skip_if_not_root;
use tokio::signal::unix::{signal, SignalKind}; use tokio::signal::unix::{signal, SignalKind};
struct TestService; struct TestService;
@ -416,4 +429,34 @@ mod tests {
rt.shutdown_background(); rt.shutdown_background();
std::thread::sleep(std::time::Duration::from_secs(2)); std::thread::sleep(std::time::Duration::from_secs(2));
} }
#[tokio::test]
fn test_content_starts_with_prefix() {
// Normal case: content matches the prefix
let mut f = NamedTempFile::new().unwrap();
write!(f, "sealed.hello_world").unwrap();
assert!(content_starts_with_prefix(f.path(), "sealed.")
.await
.unwrap());
// Does not match the prefix
let mut f2 = NamedTempFile::new().unwrap();
write!(f2, "notsealed.hello_world").unwrap();
assert!(!content_starts_with_prefix(f2.path(), "sealed.")
.await
.unwrap());
// File length < prefix.len()
let mut f3 = NamedTempFile::new().unwrap();
write!(f3, "seal").unwrap();
assert!(!content_starts_with_prefix(f3.path(), "sealed.")
.await
.unwrap());
// Empty file
let f4 = NamedTempFile::new().unwrap();
assert!(!content_starts_with_prefix(f4.path(), "sealed.")
.await
.unwrap());
}
} }