From 1396619befe713b54680ab89084cced370b4e756 Mon Sep 17 00:00:00 2001 From: chenjiayi Date: Fri, 28 Feb 2025 13:18:25 +0800 Subject: [PATCH] fix some bugs --- ...ted-error-message-if-http-error-happ.patch | 790 ++++++++++++++++++ ...-vendor-if-it-is-not-set-or-is-empty.patch | 42 + ...g-policies-if-any-policy-location-is.patch | 40 + ...vendor-for-resource-policy-if-it-is-.patch | 44 + ...t-error-message-when-modifying-a-non.patch | 81 ++ ...resource-policies-if-illegal-vendor-.patch | 106 +++ secGear.spec | 11 +- 7 files changed, 1113 insertions(+), 1 deletion(-) create mode 100644 0093-fix-raise-formatted-error-message-if-http-error-happ.patch create mode 100644 0094-fix-use-default-vendor-if-it-is-not-set-or-is-empty.patch create mode 100644 0095-fix-abort-binding-policies-if-any-policy-location-is.patch create mode 100644 0096-fix-use-default-vendor-for-resource-policy-if-it-is-.patch create mode 100644 0097-fix-fix-incorrect-error-message-when-modifying-a-non.patch create mode 100644 0098-fix-avoid-clear-resource-policies-if-illegal-vendor-.patch diff --git a/0093-fix-raise-formatted-error-message-if-http-error-happ.patch b/0093-fix-raise-formatted-error-message-if-http-error-happ.patch new file mode 100644 index 0000000..a345f34 --- /dev/null +++ b/0093-fix-raise-formatted-error-message-if-http-error-happ.patch @@ -0,0 +1,790 @@ +From a639aa650a7f0045474ec9c01e8dc9747cc3e3fe Mon Sep 17 00:00:00 2001 +From: chenjiayi +Date: Thu, 27 Feb 2025 20:00:04 +0800 +Subject: [PATCH 1/3] fix: raise formatted error message if http error happens + +--- + .../attestation-client/src/client.rs | 2 +- + .../attestation-client/src/common.rs | 23 ++++ + .../attestation-client/src/error.rs | 22 ++-- + .../attestation-client/src/main.rs | 1 + + .../attestation-client/src/resource/client.rs | 120 ++++-------------- + .../attestation-client/src/resource/mod.rs | 90 ++++++++----- + .../src/resource_policy/client.rs | 107 ++++------------ + .../src/resource_policy/mod.rs | 75 +++++++---- + 8 files changed, 191 insertions(+), 249 deletions(-) + create mode 100644 service/attestation/attestation-client/src/common.rs + +diff --git a/service/attestation/attestation-client/src/client.rs b/service/attestation/attestation-client/src/client.rs +index 2c0f139..1200823 100644 +--- a/service/attestation/attestation-client/src/client.rs ++++ b/service/attestation/attestation-client/src/client.rs +@@ -30,7 +30,7 @@ pub(crate) struct AsClient { + impl AsClient { + pub(crate) fn new(cookie_store: bool, protocal: Protocal) -> Result { + let client = match &protocal { +- Protocal::Http { svr } => Client::builder().cookie_store(cookie_store).build()?, ++ Protocal::Http { svr: _ } => Client::builder().cookie_store(cookie_store).build()?, + }; + + Ok(Self { protocal, client }) +diff --git a/service/attestation/attestation-client/src/common.rs b/service/attestation/attestation-client/src/common.rs +new file mode 100644 +index 0000000..5f8ec98 +--- /dev/null ++++ b/service/attestation/attestation-client/src/common.rs +@@ -0,0 +1,23 @@ ++/* ++* Copyright (c) Huawei Technologies Co., Ltd. 2024. All rights reserved. ++* secGear is licensed under the Mulan PSL v2. ++* You can use this software according to the terms and conditions of the Mulan PSL v2. ++* You may obtain a copy of Mulan PSL v2 at: ++* http://license.coscl.org.cn/MulanPSL2 ++* THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++* IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++* PURPOSE. ++* See the Mulan PSL v2 for more details. ++*/ ++ ++use reqwest::Response; ++ ++pub(crate) async fn response_display(resp: Response) { ++ if !resp.status().is_success() { ++ println!("{:?}", resp); ++ } ++ let txt = resp.text().await.unwrap(); ++ if !txt.is_empty() { ++ println!("{}", txt); ++ } ++} +diff --git a/service/attestation/attestation-client/src/error.rs b/service/attestation/attestation-client/src/error.rs +index 2952de2..3245efa 100644 +--- a/service/attestation/attestation-client/src/error.rs ++++ b/service/attestation/attestation-client/src/error.rs +@@ -1,14 +1,14 @@ + /* +- * Copyright (c) Huawei Technologies Co., Ltd. 2024. All rights reserved. +- * secGear is licensed under the Mulan PSL v2. +- * You can use this software according to the terms and conditions of the Mulan PSL v2. +- * You may obtain a copy of Mulan PSL v2 at: +- * http://license.coscl.org.cn/MulanPSL2 +- * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +- * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +- * PURPOSE. +- * See the Mulan PSL v2 for more details. +- */ ++* Copyright (c) Huawei Technologies Co., Ltd. 2024. All rights reserved. ++* secGear is licensed under the Mulan PSL v2. ++* You can use this software according to the terms and conditions of the Mulan PSL v2. ++* You may obtain a copy of Mulan PSL v2 at: ++* http://license.coscl.org.cn/MulanPSL2 ++* THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++* IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++* PURPOSE. ++* See the Mulan PSL v2 for more details. ++*/ + use thiserror::Error; + + pub type Result = std::result::Result; +@@ -18,6 +18,4 @@ pub type Result = std::result::Result; + pub enum ClientError { + #[error("reqwest error: {0}")] + ReqwestError(#[from] reqwest::Error), +- #[error("Http error {0}: {1}")] +- HttpError(String, http::status::StatusCode), + } +diff --git a/service/attestation/attestation-client/src/main.rs b/service/attestation/attestation-client/src/main.rs +index a779a71..512055e 100644 +--- a/service/attestation/attestation-client/src/main.rs ++++ b/service/attestation/attestation-client/src/main.rs +@@ -17,6 +17,7 @@ mod client; + mod error; + mod resource; + mod resource_policy; ++mod common; + + use crate::resource::ResourceArgs; + use crate::resource_policy::ResourcePolicyArgs; +diff --git a/service/attestation/attestation-client/src/resource/client.rs b/service/attestation/attestation-client/src/resource/client.rs +index e0dcb08..ecb8a7a 100644 +--- a/service/attestation/attestation-client/src/resource/client.rs ++++ b/service/attestation/attestation-client/src/resource/client.rs +@@ -13,12 +13,12 @@ + //! Implement web request for resource to attestation service + + use crate::client::AsClient; +-use crate::error::{ClientError, Result}; ++use crate::error::Result; + use attestation_types::{ + resource::ResourceLocation, + service::{GetResourceOp, SetResourceOp, SetResourceRequest}, + }; +-use reqwest::Client; ++use reqwest::{Client, Response}; + + pub(crate) struct ResourceClient { + client: AsClient, +@@ -37,27 +37,18 @@ impl ResourceClient { + self.client.client() + } + +- pub(crate) async fn vendor_get_resource(&self, vendor: &str) -> Result> { ++ pub(crate) async fn vendor_get_resource(&self, vendor: &str) -> Result { + let payload = GetResourceOp::VendorGet { + vendor: vendor.to_string(), + }; + +- let res = self ++ Ok(self + .client() + .get(self.endpoint()) + .header("Content-Type", "application/json") + .json(&payload) + .send() +- .await?; +- let status = res.status(); +- if status.is_success() { +- Ok(res.json().await?) +- } else { +- Err(ClientError::HttpError( +- format!("failed to get resource: {}", res.text().await?), +- status, +- )) +- } ++ .await?) + } + + pub(crate) async fn vendor_add_resource( +@@ -66,7 +57,7 @@ impl ResourceClient { + path: &str, + content: &str, + policy: &Vec, +- ) -> Result { ++ ) -> Result { + let op = SetResourceOp::Add { + content: content.to_string(), + policy: policy.clone(), +@@ -75,46 +66,32 @@ impl ResourceClient { + op, + resource: ResourceLocation::new(Some(vendor.to_string()), path.to_string()), + }; +- let res = self ++ Ok(self + .client() + .post(self.endpoint()) + .header("Content-Type", "application/json") + .json(&payload) + .send() +- .await?; +- let status = res.status(); +- if status.is_success() { +- Ok(res.text().await?) +- } else { +- Err(ClientError::HttpError( +- format!("failed to add resource: {}", res.text().await?), +- status, +- )) +- } ++ .await?) + } + +- pub(crate) async fn vendor_delete_resource(&self, vendor: &str, path: &str) -> Result { ++ pub(crate) async fn vendor_delete_resource( ++ &self, ++ vendor: &str, ++ path: &str, ++ ) -> Result { + let op = SetResourceOp::Delete; + let payload = SetResourceRequest { + op, + resource: ResourceLocation::new(Some(vendor.to_string()), path.to_string()), + }; +- let res = self ++ Ok(self + .client() + .post(self.endpoint()) + .header("Content-Type", "application/json") + .json(&payload) + .send() +- .await?; +- let status = res.status(); +- if status.is_success() { +- Ok(res.text().await?) +- } else { +- Err(ClientError::HttpError( +- format!("failed to delete resource: {}", res.text().await?), +- status, +- )) +- } ++ .await?) + } + + pub(crate) async fn vendor_modify_resource( +@@ -122,7 +99,7 @@ impl ResourceClient { + vendor: &str, + path: &str, + content: &str, +- ) -> Result { ++ ) -> Result { + let op = SetResourceOp::Modify { + content: content.to_string(), + }; +@@ -130,22 +107,13 @@ impl ResourceClient { + op, + resource: ResourceLocation::new(Some(vendor.to_string()), path.to_string()), + }; +- let res = self ++ Ok(self + .client() + .post(self.endpoint()) + .header("Content-Type", "application/json") + .json(&payload) + .send() +- .await?; +- let status = res.status(); +- if status.is_success() { +- Ok(res.text().await?) +- } else { +- Err(ClientError::HttpError( +- format!("failed to modify resource: {}", res.text().await?), +- status, +- )) +- } ++ .await?) + } + + pub(crate) async fn vendor_bind_resource( +@@ -153,7 +121,7 @@ impl ResourceClient { + vendor: &str, + path: &str, + policy: &Vec, +- ) -> Result { ++ ) -> Result { + let op = SetResourceOp::Bind { + policy: policy.clone(), + }; +@@ -161,22 +129,13 @@ impl ResourceClient { + op, + resource: ResourceLocation::new(Some(vendor.to_string()), path.to_string()), + }; +- let res = self ++ Ok(self + .client() + .post(self.endpoint()) + .header("Content-Type", "application/json") + .json(&payload) + .send() +- .await?; +- let status = res.status(); +- if status.is_success() { +- Ok(res.text().await?) +- } else { +- Err(ClientError::HttpError( +- format!("failed to bind resource: {}", res.text().await?), +- status, +- )) +- } ++ .await?) + } + + pub(crate) async fn vendor_unbind_resource( +@@ -184,7 +143,7 @@ impl ResourceClient { + vendor: &str, + path: &str, + policy: &Vec, +- ) -> Result { ++ ) -> Result { + let op = SetResourceOp::Unbind { + policy: policy.clone(), + }; +@@ -192,43 +151,12 @@ impl ResourceClient { + op, + resource: ResourceLocation::new(Some(vendor.to_string()), path.to_string()), + }; +- let res = self ++ Ok(self + .client() + .post(self.endpoint()) + .header("Content-Type", "application/json") + .json(&payload) + .send() +- .await?; +- let status = res.status(); +- if status.is_success() { +- Ok(res.text().await?) +- } else { +- Err(ClientError::HttpError( +- format!("failed to unbind resource: {}", res.text().await?), +- status, +- )) +- } ++ .await?) + } + } +- +-// async fn get_challenge() { +-// let challenge_endpoint = format!("{}/challenge", self.config.svr_url); +-// let client = self.create_client(self.config.protocal.clone(), true)?; +-// let res = client +-// .get(challenge_endpoint) +-// .header("Content-Type", "application/json") +-// .header("content-length", 0) +-// .send() +-// .await?; +-// let challenge = match res.status() { +-// reqwest::StatusCode::OK => { +-// let respone: String = res.json().await.unwrap(); +-// log::debug!("get challenge success, AS Response: {:?}", respone); +-// respone +-// } +-// status => { +-// log::error!("get challenge Failed, AS Response: {:?}", status); +-// bail!("get challenge Failed") +-// } +-// }; +-// } +diff --git a/service/attestation/attestation-client/src/resource/mod.rs b/service/attestation/attestation-client/src/resource/mod.rs +index d198ef4..35c1c5a 100644 +--- a/service/attestation/attestation-client/src/resource/mod.rs ++++ b/service/attestation/attestation-client/src/resource/mod.rs +@@ -17,6 +17,7 @@ pub(crate) mod client; + + use self::client::ResourceClient; + use crate::client::AsClient; ++use crate::common::response_display; + use clap::{Args, Subcommand}; + + #[derive(Debug, Args)] +@@ -61,69 +62,88 @@ pub(crate) enum ResourceCommand { + + impl ResourceArgs { + pub(crate) fn process(&self, base_client: AsClient) { +- self.command.dispatch(base_client); ++ let runtime = tokio::runtime::Runtime::new().unwrap(); ++ runtime.block_on(self.command.dispatch(base_client)); + } + } + + impl ResourceCommand { +- fn dispatch(&self, base_client: AsClient) { ++ async fn dispatch(&self, base_client: AsClient) { + let client = ResourceClient::new(base_client); +- let runtime = tokio::runtime::Runtime::new().unwrap(); + + match self { +- ResourceCommand::Get { vendor } => { +- let ret = runtime +- .block_on(client.vendor_get_resource(vendor)) +- .unwrap(); +- println!("{:?}", ret); +- } ++ ResourceCommand::Get { vendor } => match client.vendor_get_resource(vendor).await { ++ Ok(ret) => { ++ response_display(ret).await; ++ } ++ Err(e) => { ++ println!("{:?}", e); ++ } ++ }, + ResourceCommand::Add { + vendor, + path, + content, + policy, + } => { +- let ret = runtime +- .block_on(client.vendor_add_resource(vendor, path, content, policy)) +- .unwrap(); +- println!("{:?}", ret); ++ match client ++ .vendor_add_resource(vendor, path, content, policy) ++ .await ++ { ++ Ok(ret) => { ++ response_display(ret).await; ++ } ++ Err(e) => { ++ println!("{:?}", e); ++ } ++ } + } + ResourceCommand::Delete { vendor, path } => { +- let ret = runtime +- .block_on(client.vendor_delete_resource(vendor, path)) +- .unwrap(); +- println!("{:?}", ret); ++ match client.vendor_delete_resource(vendor, path).await { ++ Ok(ret) => { ++ response_display(ret).await; ++ } ++ Err(e) => { ++ println!("{:?}", e); ++ } ++ } + } + ResourceCommand::Modify { + vendor, + path, + content, +- } => { +- let ret = runtime +- .block_on(client.vendor_modify_resource(vendor, path, content)) +- .unwrap(); +- println!("{:?}", ret); +- } ++ } => match client.vendor_modify_resource(vendor, path, content).await { ++ Ok(ret) => { ++ response_display(ret).await; ++ } ++ Err(rsp) => { ++ println!("{:?}", rsp); ++ } ++ }, + ResourceCommand::BindPolicy { + vendor, + path, + policy, +- } => { +- let ret = runtime +- .block_on(client.vendor_bind_resource(vendor, path, policy)) +- .unwrap(); +- println!("{:?}", ret); +- } ++ } => match client.vendor_bind_resource(vendor, path, policy).await { ++ Ok(ret) => { ++ response_display(ret).await; ++ } ++ Err(rsp) => { ++ println!("{:?}", rsp); ++ } ++ }, + ResourceCommand::UnbindPolicy { + vendor, + path, + policy, +- } => { +- let ret = runtime +- .block_on(client.vendor_unbind_resource(vendor, path, policy)) +- .unwrap(); +- println!("{:?}", ret); +- } ++ } => match client.vendor_unbind_resource(vendor, path, policy).await { ++ Ok(ret) => { ++ response_display(ret).await; ++ } ++ Err(rsp) => { ++ println!("{:?}", rsp); ++ } ++ }, + } + } + } +diff --git a/service/attestation/attestation-client/src/resource_policy/client.rs b/service/attestation/attestation-client/src/resource_policy/client.rs +index 582a6bd..08b75c1 100644 +--- a/service/attestation/attestation-client/src/resource_policy/client.rs ++++ b/service/attestation/attestation-client/src/resource_policy/client.rs +@@ -14,12 +14,12 @@ + //! + + use crate::client::AsClient; +-use crate::error::{ClientError, Result}; ++use crate::error::Result; + use attestation_types::{ + resource::policy::PolicyLocation, + service::{GetResourcePolicyOp, SetResourcePolicyOp}, + }; +-use reqwest::Client; ++use reqwest::{Client, Response}; + + pub(crate) struct ResourcePolicyClient { + client: AsClient, +@@ -38,7 +38,7 @@ impl ResourcePolicyClient { + self.client.client() + } + +- pub(crate) async fn vendor_get_one(&self, vendor: &str, id: &str) -> Result { ++ pub(crate) async fn vendor_get_one(&self, vendor: &str, id: &str) -> Result { + let payload = GetResourcePolicyOp::GetOne { + policy: PolicyLocation { + vendor: Some(vendor.to_string()), +@@ -46,70 +46,44 @@ impl ResourcePolicyClient { + }, + }; + +- let res = self ++ Ok(self + .client() + .get(self.endpoint()) + .header("Content-Type", "application/json") + .json(&payload) + .send() +- .await?; +- let status = res.status(); +- if status.is_success() { +- Ok(res.text().await?) +- } else { +- Err(ClientError::HttpError( +- format!("failed to get resource policy: {}", res.text().await?), +- status, +- )) +- } ++ .await?) + } +- pub(crate) async fn vendor_get_all(&self) -> Result> { ++ pub(crate) async fn vendor_get_all(&self) -> Result { + let payload = GetResourcePolicyOp::GetAll; + +- let res = self ++ Ok(self + .client() + .get(self.endpoint()) + .header("Content-Type", "application/json") + .json(&payload) + .send() +- .await?; +- let status = res.status(); +- if status.is_success() { +- Ok(res.json().await?) +- } else { +- Err(ClientError::HttpError( +- format!("failed to get all resource policy: {}", res.text().await?), +- status, +- )) +- } ++ .await?) + } +- pub(crate) async fn vendor_get_all_in_vendor(&self, vendor: &str) -> Result> { ++ pub(crate) async fn vendor_get_all_in_vendor(&self, vendor: &str) -> Result { + let payload = GetResourcePolicyOp::GetAllInVendor { + vendor: vendor.to_string(), + }; + +- let res = self ++ Ok(self + .client() + .get(self.endpoint()) + .header("Content-Type", "application/json") + .json(&payload) + .send() +- .await?; +- let status = res.status(); +- if status.is_success() { +- Ok(res.json().await?) +- } else { +- Err(ClientError::HttpError( +- format!( +- "failed to get all resource policy in vendor {}: {}", +- vendor, +- res.text().await? +- ), +- status, +- )) +- } ++ .await?) + } +- pub(crate) async fn vendor_add(&self, vendor: &str, id: &str, content: &str) -> Result { ++ pub(crate) async fn vendor_add( ++ &self, ++ vendor: &str, ++ id: &str, ++ content: &str, ++ ) -> Result { + let payload = SetResourcePolicyOp::Add { + policy: PolicyLocation { + vendor: Some(vendor.to_string()), +@@ -118,24 +92,15 @@ impl ResourcePolicyClient { + content: content.to_string(), + }; + +- let res = self ++ Ok(self + .client() + .post(self.endpoint()) + .header("Content-Type", "application/json") + .json(&payload) + .send() +- .await?; +- let status = res.status(); +- if status.is_success() { +- Ok(res.text().await?) +- } else { +- Err(ClientError::HttpError( +- format!("failed to add resource policy: {}", res.text().await?), +- status, +- )) +- } ++ .await?) + } +- pub(crate) async fn vendor_delete(&self, vendor: &str, id: &str) -> Result { ++ pub(crate) async fn vendor_delete(&self, vendor: &str, id: &str) -> Result { + let payload = SetResourcePolicyOp::Delete { + policy: PolicyLocation { + vendor: Some(vendor.to_string()), +@@ -143,48 +108,26 @@ impl ResourcePolicyClient { + }, + }; + +- let res = self ++ Ok(self + .client() + .post(self.endpoint()) + .header("Content-Type", "application/json") + .json(&payload) + .send() +- .await?; +- let status = res.status(); +- if status.is_success() { +- Ok(res.text().await?) +- } else { +- Err(ClientError::HttpError( +- format!("failed to delete resource policy: {}", res.text().await?), +- status, +- )) +- } ++ .await?) + } + +- pub(crate) async fn vendor_clear_all(&self, vendor: &str) -> Result { ++ pub(crate) async fn vendor_clear_all(&self, vendor: &str) -> Result { + let payload = SetResourcePolicyOp::ClearAll { + vendor: vendor.to_string(), + }; + +- let res = self ++ Ok(self + .client() + .post(self.endpoint()) + .header("Content-Type", "application/json") + .json(&payload) + .send() +- .await?; +- let status = res.status(); +- if status.is_success() { +- Ok(res.text().await?) +- } else { +- Err(ClientError::HttpError( +- format!( +- "failed to clear resource policy in vendor {}: {}", +- vendor, +- res.text().await? +- ), +- status, +- )) +- } ++ .await?) + } + } +diff --git a/service/attestation/attestation-client/src/resource_policy/mod.rs b/service/attestation/attestation-client/src/resource_policy/mod.rs +index 4879412..d8afb6b 100644 +--- a/service/attestation/attestation-client/src/resource_policy/mod.rs ++++ b/service/attestation/attestation-client/src/resource_policy/mod.rs +@@ -17,6 +17,7 @@ pub(crate) mod client; + + use self::client::ResourcePolicyClient; + use crate::client::AsClient; ++use crate::common::response_display; + use clap::{Args, Subcommand}; + + #[derive(Debug, Args)] +@@ -53,47 +54,75 @@ pub(crate) enum ResourcePolicyCommand { + + impl ResourcePolicyArgs { + pub(crate) fn process(&self, base_client: AsClient) { +- self.command.dispatch(base_client); ++ let runtime = tokio::runtime::Runtime::new().unwrap(); ++ runtime.block_on(self.command.dispatch(base_client)); + } + } + + impl ResourcePolicyCommand { +- fn dispatch(&self, base_client: AsClient) { ++ async fn dispatch(&self, base_client: AsClient) { + let client = ResourcePolicyClient::new(base_client); +- let runtime = tokio::runtime::Runtime::new().unwrap(); + + match self { + ResourcePolicyCommand::GetOne { vendor, id } => { +- let ret = runtime.block_on(client.vendor_get_one(vendor, id)).unwrap(); +- println!("{}", ret); +- } +- ResourcePolicyCommand::GetAll => { +- let ret = runtime.block_on(client.vendor_get_all()).unwrap(); +- println!("{}", serde_json::json!(ret).to_string()); ++ match client.vendor_get_one(vendor, id).await { ++ Ok(ret) => { ++ response_display(ret).await; ++ } ++ Err(e) => { ++ println!("{:?}", e); ++ } ++ } + } ++ ResourcePolicyCommand::GetAll => match client.vendor_get_all().await { ++ Ok(ret) => { ++ response_display(ret).await; ++ } ++ Err(rsp) => { ++ println!("{:?}", rsp); ++ } ++ }, + ResourcePolicyCommand::GetAllInVendor { vendor } => { +- let ret = runtime +- .block_on(client.vendor_get_all_in_vendor(vendor)) +- .unwrap(); +- println!("{}", serde_json::json!(ret).to_string()); ++ match client.vendor_get_all_in_vendor(vendor).await { ++ Ok(ret) => { ++ response_display(ret).await; ++ } ++ Err(e) => { ++ println!("{:?}", e); ++ } ++ } + } + ResourcePolicyCommand::Add { + vendor, + id, + content, +- } => { +- let ret = runtime +- .block_on(client.vendor_add(vendor, id, content)) +- .unwrap(); +- println!("{}", ret); +- } ++ } => match client.vendor_add(vendor, id, content).await { ++ Ok(ret) => { ++ response_display(ret).await; ++ } ++ Err(rsp) => { ++ println!("{:?}", rsp); ++ } ++ }, + ResourcePolicyCommand::Delete { vendor, id } => { +- let ret = runtime.block_on(client.vendor_delete(vendor, id)).unwrap(); +- println!("{}", ret); ++ match client.vendor_delete(vendor, id).await { ++ Ok(ret) => { ++ response_display(ret).await; ++ } ++ Err(e) => { ++ println!("{:?}", e); ++ } ++ } + } + ResourcePolicyCommand::ClearAll { vendor } => { +- let ret = runtime.block_on(client.vendor_clear_all(vendor)).unwrap(); +- println!("{}", ret); ++ match client.vendor_clear_all(vendor).await { ++ Ok(ret) => { ++ response_display(ret).await; ++ } ++ Err(e) => { ++ println!("{:?}", e); ++ } ++ } + } + } + } +-- +2.46.0 + diff --git a/0094-fix-use-default-vendor-if-it-is-not-set-or-is-empty.patch b/0094-fix-use-default-vendor-if-it-is-not-set-or-is-empty.patch new file mode 100644 index 0000000..0f21a99 --- /dev/null +++ b/0094-fix-use-default-vendor-if-it-is-not-set-or-is-empty.patch @@ -0,0 +1,42 @@ +From 28d4f96fa92f342a32b4f7e145db964291a111a4 Mon Sep 17 00:00:00 2001 +From: chenjiayi +Date: Mon, 3 Mar 2025 21:23:43 +0800 +Subject: [PATCH 2/3] fix: use default vendor if it is not set or is empty + +--- + .../attestation-types/src/resource/mod.rs | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/service/attestation/attestation-types/src/resource/mod.rs b/service/attestation/attestation-types/src/resource/mod.rs +index 037c086..f5c7fa8 100644 +--- a/service/attestation/attestation-types/src/resource/mod.rs ++++ b/service/attestation/attestation-types/src/resource/mod.rs +@@ -50,14 +50,17 @@ impl std::convert::TryFrom for PathBuf { + + impl Display for ResourceLocation { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { +- write!( +- f, +- "{}/{}", +- self.vendor +- .clone() +- .unwrap_or(DEFAULT_VENDOR_BASE.to_string()), +- self.path, +- ) ++ let vendor = self ++ .vendor ++ .clone() ++ .unwrap_or(DEFAULT_VENDOR_BASE.to_string()); ++ let v = if vendor.is_empty() { ++ DEFAULT_VENDOR_BASE.to_string() ++ } else { ++ vendor ++ }; ++ ++ write!(f, "{}/{}", v, self.path,) + } + } + +-- +2.46.0 + diff --git a/0095-fix-abort-binding-policies-if-any-policy-location-is.patch b/0095-fix-abort-binding-policies-if-any-policy-location-is.patch new file mode 100644 index 0000000..5494eda --- /dev/null +++ b/0095-fix-abort-binding-policies-if-any-policy-location-is.patch @@ -0,0 +1,40 @@ +From 6aa683bcbb5a04a79d2784bac2edc3cc1ad0e1b5 Mon Sep 17 00:00:00 2001 +From: chenjiayi +Date: Mon, 3 Mar 2025 21:46:14 +0800 +Subject: [PATCH 3/3] fix: abort binding policies if any policy location is + illegal + +--- + .../src/resource/admin/simple.rs | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/service/attestation/attestation-types/src/resource/admin/simple.rs b/service/attestation/attestation-types/src/resource/admin/simple.rs +index bf2b5dd..641d903 100644 +--- a/service/attestation/attestation-types/src/resource/admin/simple.rs ++++ b/service/attestation/attestation-types/src/resource/admin/simple.rs +@@ -118,15 +118,14 @@ impl ResourceAdminInterface for SimpleResourceAdmin { + async fn bind_policy(&self, location: ResourceLocation, policy: Vec) -> Result<()> { + let mut legal_policy: Vec = vec![]; + for p in policy.iter() { +- if let Ok(p) = p.parse::() { +- if !location.check_policy_legal(&p) { +- return Err(ResourceError::UnmatchedPolicyResource( +- location.to_string(), +- p.to_string(), +- )); +- } +- legal_policy.push(p); ++ let p = p.parse::()?; ++ if !location.check_policy_legal(&p) { ++ return Err(ResourceError::UnmatchedPolicyResource( ++ location.to_string(), ++ p.to_string(), ++ )); + } ++ legal_policy.push(p); + } + self.storage_engine + .lock() +-- +2.46.0 + diff --git a/0096-fix-use-default-vendor-for-resource-policy-if-it-is-.patch b/0096-fix-use-default-vendor-for-resource-policy-if-it-is-.patch new file mode 100644 index 0000000..b5a4dab --- /dev/null +++ b/0096-fix-use-default-vendor-for-resource-policy-if-it-is-.patch @@ -0,0 +1,44 @@ +From 59f5903023a97bacae25abf2e097156bbd9a3225 Mon Sep 17 00:00:00 2001 +From: chenjiayi +Date: Mon, 3 Mar 2025 21:23:43 +0800 +Subject: [PATCH 1/3] fix: use default vendor for resource policy if it is not + set or is empty + +--- + .../src/resource/policy/mod.rs | 20 +++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/service/attestation/attestation-types/src/resource/policy/mod.rs b/service/attestation/attestation-types/src/resource/policy/mod.rs +index d7ae01d..6ad05dd 100644 +--- a/service/attestation/attestation-types/src/resource/policy/mod.rs ++++ b/service/attestation/attestation-types/src/resource/policy/mod.rs +@@ -64,14 +64,18 @@ impl std::convert::TryFrom<&PolicyLocation> for PathBuf { + + impl Display for PolicyLocation { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { +- write!( +- f, +- "{}/{}", +- self.vendor +- .clone() +- .unwrap_or(DEFAULT_VENDOR_BASE.to_string()), +- self.id, +- ) ++ let vendor = self ++ .vendor ++ .clone() ++ .unwrap_or(DEFAULT_VENDOR_BASE.to_string()); ++ ++ let v = if vendor.is_empty() { ++ DEFAULT_VENDOR_BASE.to_string() ++ } else { ++ vendor ++ }; ++ ++ write!(f, "{}/{}", v, self.id,) + } + } + +-- +2.46.0 + diff --git a/0097-fix-fix-incorrect-error-message-when-modifying-a-non.patch b/0097-fix-fix-incorrect-error-message-when-modifying-a-non.patch new file mode 100644 index 0000000..29a2b47 --- /dev/null +++ b/0097-fix-fix-incorrect-error-message-when-modifying-a-non.patch @@ -0,0 +1,81 @@ +From 5d920a9902e66565c92e7a62b025fdceb5a1647d Mon Sep 17 00:00:00 2001 +From: chenjiayi +Date: Tue, 4 Mar 2025 10:36:29 +0800 +Subject: [PATCH 2/3] fix: fix incorrect error message when modifying a + non-existing resource + +--- + .../service/src/restapi/resource/storage.rs | 4 +--- + service/attestation/attestation-types/src/resource/error.rs | 6 +++--- + service/attestation/attestation-types/src/resource/mod.rs | 2 +- + .../attestation-types/src/resource/storage/simple.rs | 2 +- + 4 files changed, 6 insertions(+), 8 deletions(-) + +diff --git a/service/attestation/attestation-service/service/src/restapi/resource/storage.rs b/service/attestation/attestation-service/service/src/restapi/resource/storage.rs +index 7b90cda..18fcfab 100644 +--- a/service/attestation/attestation-service/service/src/restapi/resource/storage.rs ++++ b/service/attestation/attestation-service/service/src/restapi/resource/storage.rs +@@ -108,9 +108,7 @@ async fn tee_get_resource( + } + Err(e) => { + log::debug!("{}", e); +- Err(result::AsError::Resource( +- attestation_types::resource::error::ResourceError::LoadPolicy(e), +- )) ++ Err(result::AsError::Other(e)) + } + } + } +diff --git a/service/attestation/attestation-types/src/resource/error.rs b/service/attestation/attestation-types/src/resource/error.rs +index 296aae8..8061730 100644 +--- a/service/attestation/attestation-types/src/resource/error.rs ++++ b/service/attestation/attestation-types/src/resource/error.rs +@@ -20,8 +20,8 @@ pub enum ResourceError { + NotImplemented, + #[error("Policy is missing.")] + PolicyMissing, +- #[error("Failed to load policy: {0}")] +- LoadPolicy(#[from] anyhow::Error), ++ #[error("{0}")] ++ Other(#[from] anyhow::Error), + #[error("Resource error: {0}")] + ResourceError(#[from] std::io::Error), + #[error("Illegal resource path: {0}")] +@@ -35,7 +35,7 @@ pub enum ResourceError { + #[error("Unmatched vendor between resource {0} and policy {1}")] + UnmatchedPolicyResource(String, String), + #[error("Convert error: {0}")] +- IoError(#[from] core::convert::Infallible), ++ ConvertError(#[from] core::convert::Infallible), + #[error("Strip Prefix fail: {0}")] + StripPrefix(#[from] StripPrefixError), + #[error("Illegal policy suffix: {0}")] +diff --git a/service/attestation/attestation-types/src/resource/mod.rs b/service/attestation/attestation-types/src/resource/mod.rs +index f5c7fa8..66007d6 100644 +--- a/service/attestation/attestation-types/src/resource/mod.rs ++++ b/service/attestation/attestation-types/src/resource/mod.rs +@@ -136,7 +136,7 @@ impl Resource { + pub(crate) async fn read_from_file(path: PathBuf) -> Result { + let content = tokio::fs::read(path) + .await +- .context("failed to add resource")?; ++ .context("failed to read resource")?; + Ok(serde_json::from_str( + &String::from_utf8(content).context("from utf8 error")?, + )?) +diff --git a/service/attestation/attestation-types/src/resource/storage/simple.rs b/service/attestation/attestation-types/src/resource/storage/simple.rs +index dad24e0..7ac9fdf 100644 +--- a/service/attestation/attestation-types/src/resource/storage/simple.rs ++++ b/service/attestation/attestation-types/src/resource/storage/simple.rs +@@ -105,7 +105,7 @@ impl StorageOp for SimpleStorage { + } + tokio::fs::write(regularized, serde_json::to_string(&resource)?) + .await +- .context("failed to add resource")?; ++ .context("failed to store resource")?; + Ok(()) + } + +-- +2.46.0 + diff --git a/0098-fix-avoid-clear-resource-policies-if-illegal-vendor-.patch b/0098-fix-avoid-clear-resource-policies-if-illegal-vendor-.patch new file mode 100644 index 0000000..18255f9 --- /dev/null +++ b/0098-fix-avoid-clear-resource-policies-if-illegal-vendor-.patch @@ -0,0 +1,106 @@ +From dbe45fa419ff70f3f0077efd6359a1cc253f2bfc Mon Sep 17 00:00:00 2001 +From: chenjiayi +Date: Tue, 4 Mar 2025 15:27:24 +0800 +Subject: [PATCH 3/3] fix: avoid clear resource policies if illegal vendor is + given + +--- + .../attestation-types/src/resource/error.rs | 2 ++ + .../src/resource/policy/opa/mod.rs | 33 +++++++++++++++---- + 2 files changed, 29 insertions(+), 6 deletions(-) + +diff --git a/service/attestation/attestation-types/src/resource/error.rs b/service/attestation/attestation-types/src/resource/error.rs +index 8061730..1ce2cbe 100644 +--- a/service/attestation/attestation-types/src/resource/error.rs ++++ b/service/attestation/attestation-types/src/resource/error.rs +@@ -26,6 +26,8 @@ pub enum ResourceError { + ResourceError(#[from] std::io::Error), + #[error("Illegal resource path: {0}")] + IllegalResource(String), ++ #[error("Illegal vendor: {0}")] ++ IllegalVendor(String), + #[error("Invalid resource content: {0}")] + ResourceFromUtf8(#[from] std::string::FromUtf8Error), + #[error("Serde deserialize failure: {0}")] +diff --git a/service/attestation/attestation-types/src/resource/policy/opa/mod.rs b/service/attestation/attestation-types/src/resource/policy/opa/mod.rs +index ad159f5..8e2486a 100644 +--- a/service/attestation/attestation-types/src/resource/policy/opa/mod.rs ++++ b/service/attestation/attestation-types/src/resource/policy/opa/mod.rs +@@ -33,6 +33,27 @@ impl OpenPolicyAgent { + OpenPolicyAgent { base } + } + ++ pub(crate) fn regular(&self, vendor: &str) -> Result { ++ if !Self::check_vendor_legal(vendor) { ++ return Err(ResourceError::IllegalVendor(vendor.to_string())); ++ } ++ ++ let v = if vendor.is_empty() { ++ DEFAULT_VENDOR_BASE ++ } else { ++ vendor ++ }; ++ ++ Ok(self.base.join(v)) ++ } ++ ++ pub(crate) fn check_vendor_legal(vendor: &str) -> bool { ++ if vendor.contains('.') { ++ return false; ++ } ++ true ++ } ++ + pub fn default() -> Self { + Self::new(PathBuf::from(DEFAULT_RESOURCE_POLICY_DIR)) + } +@@ -136,13 +157,13 @@ impl PolicyEngine for OpenPolicyAgent { + } + + async fn get_policy(&self, path: PolicyLocation) -> Result { +- let p = self.base.join(format!("{}", path)); ++ let p = self.regular(&format!("{}", path))?; + let raw = tokio::fs::read(p).await?; + Ok(String::from_utf8(raw)?) + } + + async fn add_policy(&self, path: PolicyLocation, policy: &str) -> Result<()> { +- let p = self.base.join(format!("{}", path)); ++ let p = self.regular(&format!("{}", path))?; + if let Some(parent) = p.parent() { + if let Err(e) = tokio::fs::create_dir_all(parent).await { + log::warn!( +@@ -157,7 +178,7 @@ impl PolicyEngine for OpenPolicyAgent { + } + + async fn delete_policy(&self, path: PolicyLocation) -> Result<()> { +- let p = self.base.join(format!("{}", path)); ++ let p = self.regular(&format!("{}", path))?; + tokio::fs::remove_file(p).await?; + Ok(()) + } +@@ -200,7 +221,7 @@ impl PolicyEngine for OpenPolicyAgent { + } + + async fn get_all_policy_in_vendor(&self, vendor: &str) -> Result> { +- let vendor_dir = self.base.join(&vendor); ++ let vendor_dir = self.regular(vendor)?; + let mut dir = tokio::fs::read_dir(vendor_dir).await?; + let mut ret: Vec = vec![]; + while let Some(d) = dir.next_entry().await? { +@@ -264,10 +285,10 @@ impl PolicyEngine for OpenPolicyAgent { + } + + async fn clear_all_policy_in_vendor(&self, vendor: &str) -> Result<()> { +- let vendor_dir = self.base.join(&vendor); ++ let vendor_dir = self.regular(vendor)?; + let md = tokio::fs::metadata(&vendor_dir) + .await +- .context("invalid vendor")?; ++ .context("fetching metadata failed")?; + if md.is_dir() { + tokio::fs::remove_dir_all(vendor_dir).await?; + } +-- +2.46.0 + diff --git a/secGear.spec b/secGear.spec index ebfc376..2c5f3bb 100644 --- a/secGear.spec +++ b/secGear.spec @@ -1,6 +1,6 @@ Name: secGear Version: 0.1.0 -Release: 55 +Release: 56 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features @@ -102,6 +102,12 @@ Patch88: 0089-features-support-resource-maitainance.patch Patch89: 0090-add-ra_tls-support.patch Patch90: 0091-fix-allow-bind-unbind-and-clear-resource-policy-when.patch Patch91: 0092-fix-use-etc-as-the-base-directory-for-resource-stora.patch +Patch92: 0093-fix-raise-formatted-error-message-if-http-error-happ.patch +Patch93: 0094-fix-use-default-vendor-if-it-is-not-set-or-is-empty.patch +Patch94: 0095-fix-abort-binding-policies-if-any-policy-location-is.patch +Patch95: 0096-fix-use-default-vendor-for-resource-policy-if-it-is-.patch +Patch96: 0097-fix-fix-incorrect-error-message-when-modifying-a-non.patch +Patch97: 0098-fix-avoid-clear-resource-policies-if-illegal-vendor-.patch BuildRequires: gcc python automake autoconf libtool BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel @@ -342,6 +348,9 @@ popd systemctl restart rsyslog %changelog +* Tue Mar 4 2025 chenjiayi - 0.1.0-56 +- fix several bugs. + * Wed Feb 19 2025 chenjiayi - 0.1.0-55 - fix bugs on resource policy binding, unbindg, etc. Also install - default resource policy. -- Gitee