agent:config: Support secure_storage_integrity option for trusted storage

Enabling secure storage integrity for trusted storage makes initialization
take longer, so it is NOT enabled by default; this config option allows users
to enable it if they want stricter security.

Fixes: #8142

Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
Co-authored-by: Wang, Arron <arron.wang@intel.com>
ChengyuZhu6 2024-07-10 20:54:11 +08:00
parent 775f6bdc5c
commit 94347e2537


@ -31,6 +31,7 @@ const GUEST_COMPONENTS_REST_API_OPTION: &str = "agent.guest_components_rest_api"
const GUEST_COMPONENTS_PROCS_OPTION: &str = "agent.guest_components_procs";
#[cfg(feature = "guest-pull")]
const IMAGE_REGISTRY_AUTH_OPTION: &str = "agent.image_registry_auth";
const SECURE_STORAGE_INTEGRITY_OPTION: &str = "agent.secure_storage_integrity";
// Configure the proxy settings for HTTPS requests in the guest,
// to solve the problem of not being able to access the specified image in some cases.
@ -110,6 +111,7 @@ pub struct AgentConfig {
pub guest_components_procs: GuestComponentsProcs,
#[cfg(feature = "guest-pull")]
pub image_registry_auth: String,
pub secure_storage_integrity: bool,
}
#[derive(Debug, Deserialize)]
@ -131,6 +133,7 @@ pub struct AgentConfigBuilder {
pub guest_components_procs: Option<GuestComponentsProcs>,
#[cfg(feature = "guest-pull")]
pub image_registry_auth: Option<String>,
pub secure_storage_integrity: Option<bool>,
}
macro_rules! config_override {
@ -198,6 +201,7 @@ impl Default for AgentConfig {
guest_components_procs: GuestComponentsProcs::default(),
#[cfg(feature = "guest-pull")]
image_registry_auth: String::from(""),
secure_storage_integrity: false,
}
}
}
@ -237,7 +241,7 @@ impl FromStr for AgentConfig {
config_override!(agent_config_builder, agent_config, guest_components_procs);
#[cfg(feature = "guest-pull")]
config_override!(agent_config_builder, agent_config, image_registry_auth);
config_override!(agent_config_builder, agent_config, secure_storage_integrity);
Ok(agent_config)
}
}
@ -359,6 +363,12 @@ impl AgentConfig {
config.image_registry_auth,
get_string_value
);
parse_cmdline_param!(
param,
SECURE_STORAGE_INTEGRITY_OPTION,
config.secure_storage_integrity,
get_bool_value
);
}
config.override_config_from_envs();
@ -586,6 +596,7 @@ mod tests {
guest_components_procs: GuestComponentsProcs,
#[cfg(feature = "guest-pull")]
image_registry_auth: &'a str,
secure_storage_integrity: bool,
}
impl Default for TestData<'_> {
@ -607,6 +618,7 @@ mod tests {
guest_components_procs: GuestComponentsProcs::default(),
#[cfg(feature = "guest-pull")]
image_registry_auth: "",
secure_storage_integrity: false,
}
}
}
@ -1050,6 +1062,31 @@ mod tests {
image_registry_auth: "kbs:///default/credentials/test",
..Default::default()
},
TestData {
contents: "",
secure_storage_integrity: false,
..Default::default()
},
TestData {
contents: "agent.secure_storage_integrity=true",
secure_storage_integrity: true,
..Default::default()
},
TestData {
contents: "agent.secure_storage_integrity=false",
secure_storage_integrity: false,
..Default::default()
},
TestData {
contents: "agent.secure_storage_integrity=1",
secure_storage_integrity: true,
..Default::default()
},
TestData {
contents: "agent.secure_storage_integrity=0",
secure_storage_integrity: false,
..Default::default()
},
];
let dir = tempdir().expect("failed to create tmpdir");
@ -1111,6 +1148,11 @@ mod tests {
);
#[cfg(feature = "guest-pull")]
assert_eq!(d.image_registry_auth, config.image_registry_auth, "{}", msg);
assert_eq!(
d.secure_storage_integrity, config.secure_storage_integrity,
"{}",
msg
);
for v in vars_to_unset {
env::remove_var(v);
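Review bot: The new `secure_storage_integrity` field on `AgentConfig` and the `SECURE_STORAGE_INTEGRITY_OPTION` constant carry no comment, although the `false` default in `impl Default for AgentConfig` is a deliberate security/performance trade-off that only the commit message explains. I would add `/// Enable integrity protection for trusted storage. Off by default because it lengthens storage initialization.` above the field so the weaker default is visible to anyone reading the config. The added test cases cover `true`, `false`, `1` and `0` but no malformed value such as `agent.secure_storage_integrity=yes`; how `get_bool_value` treats that is not visible here, and for an integrity switch a silent fall-back to `false` would be worth pinning with a test. The option is also read through `parse_cmdline_param!`, so where the command line is supplied by a party outside the guest's trust boundary it is worth confirming that the value is covered by measurement. All enclosing items start and end outside the hunks shown.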