From 2f628a347cea5baec8c0ec9c0d70900b3333cee9 Mon Sep 17 00:00:00 2001 From: houmingyong Date: Tue, 10 Sep 2024 19:07:25 +0800 Subject: [PATCH] add error type for api --- 0086-add-error-type-for-api.patch | 680 ++++++++++++++++++++++++++++++ secGear.spec | 6 +- 2 files changed, 685 insertions(+), 1 deletion(-) create mode 100644 0086-add-error-type-for-api.patch diff --git a/0086-add-error-type-for-api.patch b/0086-add-error-type-for-api.patch new file mode 100644 index 0000000..a429559 --- /dev/null +++ b/0086-add-error-type-for-api.patch @@ -0,0 +1,680 @@ +From fae0b444629f5cd20a544d5513870d9435f72ef0 Mon Sep 17 00:00:00 2001 +From: xuraoqing +Date: Mon, 9 Sep 2024 19:23:48 +0800 +Subject: [PATCH] add error type for api + +Signed-off-by: houmingyong +--- + .../agent/src/bin/aa-test/main.rs | 1 + + .../attestation-agent/agent/src/lib.rs | 24 +++++++-- + .../agent/src/restapi/mod.rs | 31 +++++++----- + .../attestation-agent/agent/src/result/mod.rs | 8 +++ + .../attestation-agent/token/Cargo.toml | 3 +- + .../attestation-agent/token/src/lib.rs | 49 +++++++++---------- + .../policy/src/policy_engine.rs | 3 ++ + .../attestation-service/reference/Cargo.toml | 3 +- + .../reference/src/reference/mod.rs | 39 ++++----------- + .../reference/src/store/mod.rs | 9 ++++ + .../attestation-service/service/src/lib.rs | 9 ++-- + .../service/src/restapi/mod.rs | 25 +++------- + .../service/src/result/mod.rs | 20 ++++++++ + .../attestation-service/token/Cargo.toml | 3 +- + .../attestation-service/token/src/lib.rs | 33 +++++++++---- + 15 files changed, 153 insertions(+), 107 deletions(-) + +diff --git a/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs b/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs +index 48e3e68e..4867a234 100644 +--- a/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs ++++ b/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs +@@ -169,6 +169,7 @@ async fn aa_proc(i: i64) { + } + status => { + log::error!("thread {} case6 verify token failed response: {:?}", i, status); ++ log::error!("thread case6 verify token failed response:{}", res.text().await.unwrap()); + } + } + } +diff --git a/service/attestation/attestation-agent/agent/src/lib.rs b/service/attestation/attestation-agent/agent/src/lib.rs +index f6e03c6c..f1c4510b 100644 +--- a/service/attestation/attestation-agent/agent/src/lib.rs ++++ b/service/attestation/attestation-agent/agent/src/lib.rs +@@ -22,6 +22,7 @@ use async_trait::async_trait; + use std::fs::File; + use std::path::Path; + use rand::RngCore; ++use thiserror; + + use attester::{Attester, AttesterAPIs}; + use token_verifier::{TokenVerifyConfig, TokenVerifier, TokenRawData}; +@@ -30,6 +31,22 @@ pub mod result; + use result::Error; + pub type TeeClaim = serde_json::Value; + ++#[derive(Debug, thiserror::Error)] ++pub enum AgentError { ++ #[error("challenge error: {0}")] ++ ChallengeError(String), ++ #[error("get evidence error: {0}")] ++ DecodeError(String), ++ #[error("get evidence error: {0}")] ++ GetEvidenceError(String), ++ #[error("verify evidence error: {0}")] ++ VerifyEvidenceError(String), ++ #[error("get token error: {0}")] ++ GetTokenError(String), ++ #[error("verify token error: {0}")] ++ VerifyTokenError(String), ++} ++ + #[cfg(feature = "no_as")] + use verifier::{Verifier, VerifierAPIs}; + +@@ -136,11 +153,8 @@ impl AttestationAgentAPIs for AttestationAgent { + + async fn verify_token(&self, token: String) -> Result { + let verifier = TokenVerifier::new(self.config.token_cfg.clone())?; +- let result = verifier.verify(&token); +- match result { +- Ok(raw_token) => Ok(raw_token as AsTokenClaim), +- Err(e) => bail!("verify token failed {:?}", e), +- } ++ let result = verifier.verify(&token)?; ++ Ok(result) + } + } + +diff --git a/service/attestation/attestation-agent/agent/src/restapi/mod.rs b/service/attestation/attestation-agent/agent/src/restapi/mod.rs +index 490242aa..0570060b 100644 +--- a/service/attestation/attestation-agent/agent/src/restapi/mod.rs ++++ b/service/attestation/attestation-agent/agent/src/restapi/mod.rs +@@ -9,7 +9,7 @@ + * PURPOSE. + * See the Mulan PSL v2 for more details. + */ +-use attestation_agent::{AttestationAgent, AttestationAgentAPIs, TokenRequest}; ++use attestation_agent::{AttestationAgent, AttestationAgentAPIs, TokenRequest, AgentError}; + use attestation_agent::result::Result; + + use actix_web::{ post, get, web, HttpResponse}; +@@ -18,7 +18,6 @@ use serde::{Deserialize, Serialize}; + use std::sync::Arc; + use tokio::sync::RwLock; + use log; +-use base64_url; + + #[derive(Deserialize, Serialize, Debug)] + struct GetChallengeRequest {} +@@ -30,7 +29,8 @@ pub async fn get_challenge( + ) -> Result { + //let request = request.0; + log::debug!("get challenge request"); +- let challenge = agent.read().await.get_challenge().await?; ++ let challenge = agent.read().await.get_challenge().await ++ .map_err(|err| AgentError::ChallengeError(err.to_string()))?; + + Ok(HttpResponse::Ok().body(challenge)) + } +@@ -49,7 +49,8 @@ pub async fn get_evidence( + ) -> Result { + let request = request.0; + log::debug!("get evidence request: {:?}", request); +- let challenge = base64_url::decode(&request.challenge).expect("base64 decode challenge"); ++ let challenge = base64_url::decode(&request.challenge) ++ .map_err(|err|AgentError::DecodeError(err.to_string()))?; + let uuid = request.uuid; + let ima = request.ima; + let input = EvidenceRequest { +@@ -57,7 +58,8 @@ pub async fn get_evidence( + challenge: challenge, + ima: ima, + }; +- let evidence = agent.read().await.get_evidence(input).await?; ++ let evidence = agent.read().await.get_evidence(input).await ++ .map_err(|err|AgentError::GetEvidenceError(err.to_string()))?; + + + Ok(HttpResponse::Ok().body(evidence)) +@@ -76,11 +78,13 @@ pub async fn verify_evidence( + ) -> Result { + let request = request.0; + log::debug!("verify evidence request: {:?}", request); +- let challenge = base64_url::decode(&request.challenge).expect("base64 decode challenge"); ++ let challenge = base64_url::decode(&"request.challenge".to_string()) ++ .map_err(|err|AgentError::DecodeError(err.to_string()))?; + let evidence = request.evidence; + let policy_id = request.policy_id; + +- let claim = agent.read().await.verify_evidence(&challenge, evidence.as_bytes(), policy_id).await?; ++ let claim = agent.read().await.verify_evidence(&challenge, evidence.as_bytes(), policy_id).await ++ .map_err(|err|AgentError::VerifyEvidenceError(err.to_string()))?; + let string_claim = serde_json::to_string(&claim)?; + + Ok(HttpResponse::Ok().body(string_claim)) +@@ -101,7 +105,8 @@ pub async fn get_token( + ) -> Result { + let request = request.0; + log::debug!("get token request: {:?}", request); +- let challenge = base64_url::decode(&request.challenge).expect("base64 decode challenge"); ++ let challenge = base64_url::decode(&request.challenge) ++ .map_err(|err|AgentError::DecodeError(err.to_string()))?; + let uuid = request.uuid; + let ima = request.ima; + let policy_id = request.policy_id; +@@ -115,8 +120,8 @@ pub async fn get_token( + policy_id: policy_id, + }; + +- let token = agent.read().await.get_token(input).await?; +- ++ let token = agent.read().await.get_token(input).await ++ .map_err(|err|AgentError::GetTokenError(err.to_string()))?; + + Ok(HttpResponse::Ok().body(token)) + } +@@ -133,8 +138,10 @@ pub async fn verify_token( + let request = request.0; + log::debug!("verify token request: {:?}", request); + +- let claim = agent.read().await.verify_token(request.token).await?; +- let string_claim = serde_json::to_string(&claim)?; ++ let claim = agent.read().await.verify_token(request.token).await ++ .map_err(|err|AgentError::VerifyTokenError(err.to_string()))?; ++ let string_claim = serde_json::to_string(&claim) ++ .map_err(|err|AgentError::VerifyTokenError(err.to_string()))?; + + Ok(HttpResponse::Ok().body(string_claim)) + } +\ No newline at end of file +diff --git a/service/attestation/attestation-agent/agent/src/result/mod.rs b/service/attestation/attestation-agent/agent/src/result/mod.rs +index f06f064b..a33be0cb 100644 +--- a/service/attestation/attestation-agent/agent/src/result/mod.rs ++++ b/service/attestation/attestation-agent/agent/src/result/mod.rs +@@ -11,6 +11,8 @@ + */ + use actix_web::{body::BoxBody, HttpResponse, ResponseError}; + ++use crate::AgentError; ++ + pub type Result = std::result::Result; + + /// libdevice error +@@ -30,6 +32,12 @@ pub enum Error { + source: actix_web::error::Error, + }, + ++ #[error("Agent error: {source:?}")] ++ Agent { ++ #[from] ++ source: AgentError, ++ }, ++ + #[error("Deserialize error: {source:?}")] + Deserialize { + #[from] +diff --git a/service/attestation/attestation-agent/token/Cargo.toml b/service/attestation/attestation-agent/token/Cargo.toml +index aa5cafcf..916f2a2e 100644 +--- a/service/attestation/attestation-agent/token/Cargo.toml ++++ b/service/attestation/attestation-agent/token/Cargo.toml +@@ -10,4 +10,5 @@ jsonwebtoken.workspace = true + serde.workspace = true + serde_json.workspace = true + anyhow.workspace = true +-attestation-types.workspace = true +\ No newline at end of file ++attestation-types.workspace = true ++thiserror.workspace = true +\ No newline at end of file +diff --git a/service/attestation/attestation-agent/token/src/lib.rs b/service/attestation/attestation-agent/token/src/lib.rs +index 50a7a7a0..37aab9eb 100644 +--- a/service/attestation/attestation-agent/token/src/lib.rs ++++ b/service/attestation/attestation-agent/token/src/lib.rs +@@ -9,12 +9,23 @@ + * PURPOSE. + * See the Mulan PSL v2 for more details. + */ +-use anyhow::{Result, bail}; + use std::path::Path; + use serde::{Deserialize, Serialize}; + use jsonwebtoken::{decode, decode_header, Algorithm, DecodingKey, Validation }; + use attestation_types::Claims; + ++#[derive(thiserror::Error, Debug)] ++pub enum VerifyError { ++ #[error("parse fail:{0:?}")] ++ CommError(#[from] jsonwebtoken::errors::Error), ++ #[error("unknown algorithm:{0}")] ++ UnknownAlg(String), ++ #[error("certificate not exist:{0}")] ++ CertNotExist(String), ++ #[error("serialize fail:{0}")] ++ SerializeFail(#[from] serde_json::error::Error), ++} ++ + #[derive(Clone, Debug, Serialize, Deserialize)] + pub struct TokenVerifyConfig { + pub cert: String, // Attestation Service cert to verify jwt token signature +@@ -52,7 +63,7 @@ pub struct TokenRawData { + } + + impl TokenVerifier { +- pub fn new(config: TokenVerifyConfig) -> Result { ++ pub fn new(config: TokenVerifyConfig) -> Result { + Ok(TokenVerifier { config }) + } + fn support_rs(alg: &Algorithm) -> bool +@@ -72,43 +83,29 @@ impl TokenVerifier { + pub fn verify( + &self, + token: &String +- ) -> Result { +- let header = match decode_header(&token) { +- Ok(h) => h, +- Err(e) => bail!("decode jwt header error {:?}", e), +- }; ++ ) -> Result { ++ let header = decode_header(&token)?; + let alg: Algorithm = header.alg; + + if !Self::support_rs(&alg) && !Self::support_ps(&alg) { +- bail!("unknown algrithm {:?}", alg); ++ return Err(VerifyError::UnknownAlg(format!("unknown algrithm {:?}", alg))); + } + if !Path::new(&self.config.cert).exists() { +- bail!("token verfify failed, {:?} cert not exist", self.config.cert); ++ return Err(VerifyError::CertNotExist(format!("{:?} not exist", self.config.cert))); + } + let cert = std::fs::read(&self.config.cert).unwrap(); + + /* 使用配置的公钥 */ +- let key_value: DecodingKey = match DecodingKey::from_rsa_pem(&cert) +- { +- Ok(key) => key, +- Err(e) => bail!("get key from pem error {:?}", e), +- }; ++ let key_value: DecodingKey = DecodingKey::from_rsa_pem(&cert)?; + + let mut validation = Validation::new(alg); + validation.set_issuer(&[self.config.iss.clone()]); + validation.validate_exp = true; + +- let data = decode::(&token, &key_value, &validation); +- match data { +- Ok(d) => { +- let header = d.header.clone(); +- let claims = d.claims.clone(); +- Ok(TokenRawData { +- header: serde_json::to_string(&header).unwrap(), +- claim: serde_json::to_string(&claims).unwrap(), +- }) +- } +- Err(e) => bail!("verfiy jwt failed {:?}", e), +- } ++ let data = decode::(&token, &key_value, &validation)?; ++ Ok(TokenRawData { ++ header: serde_json::to_string(&data.header)?, ++ claim: serde_json::to_string(&data.claims)?, ++ }) + } + } +diff --git a/service/attestation/attestation-service/policy/src/policy_engine.rs b/service/attestation/attestation-service/policy/src/policy_engine.rs +index a03a8cc8..7a8508ef 100644 +--- a/service/attestation/attestation-service/policy/src/policy_engine.rs ++++ b/service/attestation/attestation-service/policy/src/policy_engine.rs +@@ -10,6 +10,7 @@ + * See the Mulan PSL v2 for more details. + */ + use std::{collections::HashMap, fmt::Display}; ++ + #[derive(Debug)] + pub enum PolicyEngineError { + InvalidPolicy(String), +@@ -50,6 +51,8 @@ impl Display for PolicyEngineError { + } + } + ++impl std::error::Error for PolicyEngineError {} ++ + pub trait PolicyEngine { + fn evaluate( + &self, +diff --git a/service/attestation/attestation-service/reference/Cargo.toml b/service/attestation/attestation-service/reference/Cargo.toml +index b36991e7..fb0a4bbb 100644 +--- a/service/attestation/attestation-service/reference/Cargo.toml ++++ b/service/attestation/attestation-service/reference/Cargo.toml +@@ -13,4 +13,5 @@ base64.workspace = true + sled.workspace = true + openssl.workspace = true + hex.workspace = true +-lazy_static.workspace = true +\ No newline at end of file ++lazy_static.workspace = true ++thiserror.workspace = true +\ No newline at end of file +diff --git a/service/attestation/attestation-service/reference/src/reference/mod.rs b/service/attestation/attestation-service/reference/src/reference/mod.rs +index bf56c854..6ec43714 100644 +--- a/service/attestation/attestation-service/reference/src/reference/mod.rs ++++ b/service/attestation/attestation-service/reference/src/reference/mod.rs +@@ -15,6 +15,7 @@ use crate::store::{KvError, KvStore}; + use openssl::sha::sha256; + use serde::{Deserialize, Serialize}; + use serde_json::{json, Value}; ++use thiserror::{self, Error}; + + pub struct ReferenceOps { + store: Box, +@@ -40,16 +41,12 @@ pub struct Ref { + pub value: Value, + } + +-#[derive(Debug, PartialEq)] ++#[derive(Error, Debug, PartialEq)] + pub enum RefOpError { ++ #[error("reference operation error {0}")] + Err(String), +-} +-impl From for RefOpError { +- fn from(value: KvError) -> Self { +- match value { +- KvError::Err(v) => RefOpError::Err(v), +- } +- } ++ #[error("reference store error: {0:?}")] ++ StoreErr(#[from] KvError) + } + + impl ReferenceOps { +@@ -68,36 +65,20 @@ impl ReferenceOps { + fn register_reference(&mut self, reference: &Ref) -> Result<(), RefOpError> { + // generate reference key + let key = Self::generate_reference_key(reference); +- match self.store.write( ++ self.store.write( + &key, + serde_json::to_string(&reference) + .unwrap() + .as_bytes() + .as_ref(), +- ) { +- Ok(_) => { +- return Ok(()); +- } +- Err(err) => match err { +- KvError::Err(err) => { +- return Err(RefOpError::Err(err)); +- } +- }, +- } ++ )?; ++ Ok(()) + } + + fn unregister_reference(&mut self, reference: &Ref) -> Result<(), RefOpError> { + let key = Self::generate_reference_key(reference); +- match self.store.delete(&key) { +- Ok(_) => { +- return Ok(()); +- } +- Err(err) => match err { +- KvError::Err(err) => { +- return Err(RefOpError::Err(err)); +- } +- }, +- } ++ self.store.delete(&key)?; ++ Ok(()) + } + + fn query_reference(&mut self, reference: &Ref) -> Option> { +diff --git a/service/attestation/attestation-service/reference/src/store/mod.rs b/service/attestation/attestation-service/reference/src/store/mod.rs +index c8c82607..c9597f6a 100644 +--- a/service/attestation/attestation-service/reference/src/store/mod.rs ++++ b/service/attestation/attestation-service/reference/src/store/mod.rs +@@ -9,9 +9,18 @@ + * PURPOSE. + * See the Mulan PSL v2 for more details. + */ ++#[derive(Debug, PartialEq)] + pub enum KvError { + Err(String), + } ++impl std::fmt::Display for KvError { ++ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { ++ match self { ++ KvError::Err(msg) => write!(f, "kv store error:{}", msg) ++ } ++ } ++} ++impl std::error::Error for KvError {} + pub trait KvStore { + fn write(&mut self, key: &str, value: &[u8]) -> Result<(), KvError>; + fn read(&mut self, key: &str) -> Option>; +diff --git a/service/attestation/attestation-service/service/src/lib.rs b/service/attestation/attestation-service/service/src/lib.rs +index 3ec73d3d..31e6305d 100644 +--- a/service/attestation/attestation-service/service/src/lib.rs ++++ b/service/attestation/attestation-service/service/src/lib.rs +@@ -134,7 +134,7 @@ impl AttestationService { + Ok(eval) => { + for id in eval.keys() { + let val = Value::from_str(&eval[id].clone())?; +- let refs = match val.as_object().ok_or(Err(anyhow!(""))) { ++ let refs = match val.as_object().ok_or(Err(anyhow!("json value to map fail"))) { + Err(err) => { return Err(err.unwrap()); } + Ok(ret) => { ret } + }; +@@ -165,7 +165,7 @@ impl AttestationService { + // demo get signer, todo default signer + let signer = TokenSigner::new(self.config.token_cfg.clone())?; + +- signer.sign(&evl_report) ++ Ok(signer.sign(&evl_report)?) + } + + pub async fn generate_challenge(&self) -> String { +@@ -174,7 +174,6 @@ impl AttestationService { + base64_url::encode(&nonce) + } + +- // todo pub fun set policy + pub async fn set_policy(&self, + id: &String, + policy: &String, +@@ -185,7 +184,7 @@ impl AttestationService { + .set_policy(id, policy) + .await + } +- // todo pub fun get policy ++ + pub async fn get_policy(&self, + policy_dir: &String, + ) -> Result { +@@ -203,7 +202,7 @@ impl AttestationService { + Err(err) => Err(err) + } + } +- // todo pub fun import reference value ++ + pub async fn register_reference(&self, + ref_set: &String + ) -> Result<(), RefOpError> { +diff --git a/service/attestation/attestation-service/service/src/restapi/mod.rs b/service/attestation/attestation-service/service/src/restapi/mod.rs +index a7e6012b..f49d1755 100644 +--- a/service/attestation/attestation-service/service/src/restapi/mod.rs ++++ b/service/attestation/attestation-service/service/src/restapi/mod.rs +@@ -77,8 +77,8 @@ pub async fn attestation( + } + } + +- let nonce = base64_url::decode(&challenge).expect("base64 decode nonce"); +- let evidence = base64_url::decode(&request.evidence).expect("base64 decode evidence"); ++ let nonce = base64_url::decode(&challenge)?; ++ let evidence = base64_url::decode(&request.evidence)?; + let ids = request.policy_id; + let token = service.read().await.evaluate(&nonce, &evidence, &ids).await?; + +@@ -97,10 +97,8 @@ pub async fn reference( + ) -> Result { + let request = request.0; + log::debug!("reference request: {:?}", request); +- match service.read().await.register_reference(&request.refs).await { +- Ok(_) => Ok(HttpResponse::Ok().body("set reference success")), +- Err(_err) => Ok(HttpResponse::Ok().body("set reference fail")), +- } ++ service.read().await.register_reference(&request.refs).await?; ++ Ok(HttpResponse::Ok().body("set reference success")) + } + + #[derive(Deserialize, Serialize, Debug)] +@@ -120,13 +118,8 @@ pub async fn set_policy( + let policy_id = request.id.clone(); + let policy = request.policy.clone(); + let dir:String = String::from(DEFAULT_POLICY_DIR); +- match service.read().await.set_policy(&policy_id, &policy, &dir).await { +- Ok(_) => Ok(HttpResponse::Ok().body("set policy success")), +- Err(err) => { +- log::debug!("set policy error: {:?}", err); +- Ok(HttpResponse::Ok().body("set policy fail")) +- } +- } ++ service.read().await.set_policy(&policy_id, &policy, &dir).await?; ++ Ok(HttpResponse::Ok().body("set policy success")) + } + + #[get("/policy")] +@@ -136,8 +129,6 @@ pub async fn get_policy( + ) -> Result { + log::debug!("get policy request: {:?}", request); + let dir:String = String::from(DEFAULT_POLICY_DIR); +- match service.read().await.get_policy(&dir).await { +- Ok(ret) => Ok(HttpResponse::Ok().body(ret)), +- Err(_err) => Ok(HttpResponse::Ok().body("get policy fail")), +- } ++ let ret = service.read().await.get_policy(&dir).await?; ++ Ok(HttpResponse::Ok().body(ret)) + } +diff --git a/service/attestation/attestation-service/service/src/result/mod.rs b/service/attestation/attestation-service/service/src/result/mod.rs +index fcb1c123..7261d19b 100644 +--- a/service/attestation/attestation-service/service/src/result/mod.rs ++++ b/service/attestation/attestation-service/service/src/result/mod.rs +@@ -22,6 +22,26 @@ pub enum Error { + #[from] + source: std::io::Error, + }, ++ #[error("attestation error: {source:?}")] ++ DecodeError { ++ #[from] ++ source: base64::DecodeError, ++ }, ++ #[error("Policy Engine error: {source:?}")] ++ PolicyEngine { ++ #[from] ++ source: policy::policy_engine::PolicyEngineError, ++ }, ++ #[error("Reference error: {source:?}")] ++ Reference { ++ #[from] ++ source: reference::reference::RefOpError, ++ }, ++ #[error("Sign error: {source:?}")] ++ Sign { ++ #[from] ++ source: token_signer::SignError, ++ }, + + #[error("Web error: {source:?}")] + Web { +diff --git a/service/attestation/attestation-service/token/Cargo.toml b/service/attestation/attestation-service/token/Cargo.toml +index c4b885c0..029008a1 100644 +--- a/service/attestation/attestation-service/token/Cargo.toml ++++ b/service/attestation/attestation-service/token/Cargo.toml +@@ -10,4 +10,5 @@ jsonwebtoken.workspace = true + serde.workspace = true + serde_json.workspace = true + anyhow.workspace = true +-attestation-types.workspace = true +\ No newline at end of file ++attestation-types.workspace = true ++thiserror.workspace = true +\ No newline at end of file +diff --git a/service/attestation/attestation-service/token/src/lib.rs b/service/attestation/attestation-service/token/src/lib.rs +index ed41a4ec..3ee785e5 100644 +--- a/service/attestation/attestation-service/token/src/lib.rs ++++ b/service/attestation/attestation-service/token/src/lib.rs +@@ -9,7 +9,7 @@ + * PURPOSE. + * See the Mulan PSL v2 for more details. + */ +-use anyhow::{Result, bail}; ++use anyhow::{Result}; + use jsonwebtoken::{encode, get_current_timestamp, + Algorithm, EncodingKey, Header, + }; +@@ -17,7 +17,21 @@ use std::path::Path; + use serde::{Deserialize, Serialize}; + use serde_json::Value; + use attestation_types::{EvlResult, Claims}; ++use thiserror; + ++#[derive(thiserror::Error, Debug)] ++pub enum SignError { ++ #[error("get unix time fail:{0:?}")] ++ ToUnixTimeFail(#[from] std::num::TryFromIntError), ++ #[error("unsupport algorith:{0}")] ++ UnsupportAlg(String), ++ #[error("key not exist:{0}")] ++ KeyNotExist(String), ++ #[error("key content read fail:{0}")] ++ ReadKeyFail(String), ++ #[error("sign fail:{0:?}")] ++ SignFail(#[from] jsonwebtoken::errors::Error) ++} + + #[derive(Debug, Clone, Serialize, Deserialize)] + pub struct TokenSignConfig { +@@ -79,36 +93,35 @@ impl TokenSigner { + } + return false; + } +- pub fn sign(&self, report: &EvlReport) -> Result { ++ pub fn sign(&self, report: &EvlReport) -> Result { + let alg: Algorithm = self.config.alg; + let mut header = Header::new(alg); + header.typ = Some("JWT".to_string()); + let unix_time = get_current_timestamp(); + let claims: Claims = Claims { + iss: self.config.iss.clone(), +- iat: usize::try_from(unix_time).expect("unix time to usize error"), +- nbf: usize::try_from(unix_time).expect("unix time to usize error"), +- exp: usize::try_from(unix_time).expect("unix time to usize error") +- + self.config.valid_duration, ++ iat: usize::try_from(unix_time)?, ++ nbf: usize::try_from(unix_time)?, ++ exp: usize::try_from(unix_time)? + self.config.valid_duration, + evaluation_reports: report.result.clone(), + tee: report.tee.clone(), + tcb_status: report.tcb_status.clone(), + }; + if !Self::support_rs(&alg) && !Self::support_ps(&alg) { +- bail!("unknown algrithm {:?}", alg); ++ return Err(SignError::UnsupportAlg(format!("unknown algrithm {:?}", alg))); + } + if !Path::new(&self.config.key).exists() { +- bail!("token verfify failed, {:?} cert not exist", self.config.key); ++ return Err(SignError::UnsupportAlg(format!("token verfify failed, {:?} cert not exist", self.config.key))); + } + let key = std::fs::read(&self.config.key).unwrap(); + let key_value: EncodingKey = match EncodingKey::from_rsa_pem(&key) { + Ok(val) => val, +- _ => bail!("get key from input error"), ++ _ => {return Err(SignError::ReadKeyFail(format!("get key from input error")));} + }; + + let token = match encode(&header, &claims, &key_value) { + Ok(val) => val, +- Err(e) => bail!("sign jwt token error {:?}", e), ++ Err(e) => {return Err(SignError::SignFail(e));} + }; + Ok(token) + } +-- +2.46.0 + diff --git a/secGear.spec b/secGear.spec index 1e90c98..4d4806a 100644 --- a/secGear.spec +++ b/secGear.spec @@ -1,6 +1,6 @@ Name: secGear Version: 0.1.0 -Release: 56 +Release: 57 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features Group: OS Security @@ -94,6 +94,7 @@ Patch81: 0082-optimize-ima-verify.patch Patch82: 0083-optimize-log-level.patch Patch83: 0084-fix-concurrent-request-error-to-aa-or-as.patch Patch84: 0085-fix-multi-thread-request-as-generate-challenge-and-v.patch +Patch85: 0086-add-error-type-for-api.patch BuildRequires: gcc python automake autoconf libtool @@ -294,6 +295,9 @@ popd systemctl restart rsyslog %changelog +* Tue Sep 10 2024 houmingyong - 0.1.0-57 +- add error type for api + * Fri Sep 06 2024 houmingyong - 0.1.0-56 - fix multi-thread request error -- Gitee