packages/secGear
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!227 [sync] PR-226: fix concurrent request error to aa or as

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @houmingyong 
Signed-off-by: @houmingyong
This commit is contained in:
openeuler-ci-bot 2024-11-26 03:22:00 +00:00 committed by Gitee
commit 4648ed96d8
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 275 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

269
0084-fix-concurrent-request-error-to-aa-or-as.patch Normal file
View File

@ -0,0 +1,269 @@
From bc98b41d9cf8fb247d2c9502b775f03935a9f0dc Mon Sep 17 00:00:00 2001
From: houmingyong <houmingyong@huawei.com>
Date: Tue, 3 Sep 2024 10:57:51 +0800
Subject: [PATCH] fix concurrent request error to aa or as
Signed-off-by: houmingyong <houmingyong@huawei.com>
---
.../agent/src/bin/aa-test/main.rs | 34 ++++---------------
.../attestation-agent/agent/src/lib.rs | 13 ++-----
.../attestation-service/service/src/main.rs | 3 --
.../service/src/restapi/mod.rs | 30 ++--------------
.../service/src/session.rs | 3 --
.../verifier/src/itrustee/mod.rs | 4 +--
6 files changed, 14 insertions(+), 73 deletions(-)
diff --git a/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs b/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs
index 89a301bf..48e3e68e 100644
--- a/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs
+++ b/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs
@@ -69,6 +69,7 @@ async fn aa_proc(i: i64) {
});
log::info!("thread {} case2 get evidence, request body: {}", i, request_body);
let attest_endpoint = "http://127.0.0.1:8081/evidence";
+ let client = reqwest::Client::new();
let res = client
.get(attest_endpoint)
.header("Content-Type", "application/json")
@@ -89,38 +90,14 @@ async fn aa_proc(i: i64) {
return;
}
};
- // verify evidence with no challenge
- #[cfg(not(feature = "no_as"))]
- {
- let request_body = json!({
- "challenge": "",
- "evidence": evidence,
- });
- log::info!("thread {} case3 verify evidence with no challenge", i);
- let res = client
- .post(attest_endpoint)
- .header("Content-Type", "application/json")
- .json(&request_body)
- .send()
- .await
- .unwrap();
-
- match res.status() {
- reqwest::StatusCode::OK => {
- let respone = res.text().await.unwrap();
- log::info!("thread {} case3 verify evidence with no challenge success response: {:?}", i, respone);
- }
- status => {
- log::error!("thread {} case3 verify evidence with no challenge failed response: {:?}", i, status);
- }
- }
- }
+ // case3 verify evidence with no challenge
// verify evidence with challenge
let request_body = json!({
"challenge": challenge,
"evidence": evidence,
});
log::info!("thread {} case4 verify evidence with challenge", i);
+ let client = reqwest::Client::new();
let res = client
.post(attest_endpoint)
.header("Content-Type", "application/json")
@@ -148,7 +125,7 @@ async fn aa_proc(i: i64) {
"uuid": String::from("f68fd704-6eb1-4d14-b218-722850eb3ef0"),
});
log::info!("thread {} case5 get token, request body: {}", i, request_body);
-
+ let client = reqwest::Client::new();
let res = client
.get(token_endpoint)
.header("Content-Type", "application/json")
@@ -165,7 +142,7 @@ async fn aa_proc(i: i64) {
respone
}
status => {
- log::error!("thread {} case5 get token failed response: {:?}", i, status);
+ log::error!("thread {} case5 get token failed status: {:?} response: {:?}", i, status, res.text().await.unwrap());
return;
}
};
@@ -176,6 +153,7 @@ async fn aa_proc(i: i64) {
});
log::info!("thread {} case6 verify token", i);
+ let client = reqwest::Client::new();
let res = client
.post(token_endpoint)
.header("Content-Type", "application/json")
diff --git a/service/attestation/attestation-agent/agent/src/lib.rs b/service/attestation/attestation-agent/agent/src/lib.rs
index c4d913b6..393914d6 100644
--- a/service/attestation/attestation-agent/agent/src/lib.rs
+++ b/service/attestation/attestation-agent/agent/src/lib.rs
@@ -171,7 +171,6 @@ impl TryFrom<&Path> for AAConfig {
#[derive(Debug)]
pub struct AttestationAgent {
config: AAConfig,
- client: reqwest::Client,
}
#[allow(dead_code)]
@@ -187,14 +186,8 @@ impl AttestationAgent {
AAConfig::default()
}
};
- let client = reqwest::ClientBuilder::new()
- .cookie_store(true)
- .user_agent("attestation-agent-client")
- .build()
- .map_err(|e| result::Error::AttestationAgentError(format!("build http client {e}")))?;
Ok(AttestationAgent {
config,
- client,
})
}
@@ -211,7 +204,7 @@ impl AttestationAgent {
});
let attest_endpoint = format!("{}/attestation", self.config.svr_url);
- let res = self.client
+ let res = reqwest::Client::new()
.post(attest_endpoint)
.header("Content-Type", "application/json")
.json(&request_body)
@@ -256,7 +249,7 @@ impl AttestationAgent {
}
async fn get_challenge_from_as(&self) -> Result<String> {
let challenge_endpoint = format!("{}/challenge", self.config.svr_url);
- let res = self.client
+ let res = reqwest::Client::new()
.get(challenge_endpoint)
.header("Content-Type", "application/json")
.header("content-length", 0)
@@ -265,7 +258,7 @@ impl AttestationAgent {
.await?;
let challenge = match res.status() {
reqwest::StatusCode::OK => {
- let respone = res.json().await.unwrap();
+ let respone = res.text().await?;
log::debug!("get challenge success, AS Response: {:?}", respone);
respone
}
diff --git a/service/attestation/attestation-service/service/src/main.rs b/service/attestation/attestation-service/service/src/main.rs
index 1ccb1521..3ced10b9 100644
--- a/service/attestation/attestation-service/service/src/main.rs
+++ b/service/attestation/attestation-service/service/src/main.rs
@@ -15,7 +15,6 @@ use attestation_service::AttestationService;
mod restapi;
use restapi::{get_challenge, attestation, reference, get_policy, set_policy};
mod session;
-use session::SessionMap;
use anyhow::Result;
use env_logger;
@@ -55,13 +54,11 @@ async fn main() -> Result<()> {
let cli = Cli::parse();
let server:AttestationService = AttestationService::new(Some(cli.config)).unwrap();
- let session_map = web::Data::new(SessionMap::new());
let service = web::Data::new(Arc::new(RwLock::new(server)));
HttpServer::new(move || {
App::new()
.app_data(web::Data::clone(&service))
- .app_data(web::Data::clone(&session_map))
.service(get_challenge)
.service(attestation)
.service(reference)
diff --git a/service/attestation/attestation-service/service/src/restapi/mod.rs b/service/attestation/attestation-service/service/src/restapi/mod.rs
index ab2ccbfd..291b8657 100644
--- a/service/attestation/attestation-service/service/src/restapi/mod.rs
+++ b/service/attestation/attestation-service/service/src/restapi/mod.rs
@@ -10,8 +10,7 @@
* See the Mulan PSL v2 for more details.
*/
use attestation_service::AttestationService;
-use attestation_service::result::{Result, Error};
-use crate::session::{Session, SessionMap};
+use attestation_service::result::{Result};
use actix_web::{ post, get, web, HttpResponse, HttpRequest};
use serde::{Deserialize, Serialize};
@@ -26,20 +25,12 @@ pub struct ChallengeRequest {}
#[get("/challenge")]
pub async fn get_challenge(
- map: web::Data<SessionMap>,
service: web::Data<Arc<RwLock<AttestationService>>>,
) -> Result<HttpResponse> {
log::debug!("challenge request");
let challenge = service.read().await.generate_challenge().await;
- let timeout = service.read().await.config.token_cfg.valid_duration;
- let session = Session::new(challenge, timeout.try_into().unwrap());
- let response = HttpResponse::Ok()
- .cookie(session.cookie())
- .json(session.challenge.clone());
- map.insert(session);
-
- Ok(response)
+ Ok(HttpResponse::Ok().body(challenge))
}
#[derive(Deserialize, Serialize, Debug)]
@@ -52,26 +43,11 @@ pub struct AttestationRequest {
#[post("/attestation")]
pub async fn attestation(
request: web::Json<AttestationRequest>,
- http_req: HttpRequest,
- map: web::Data<SessionMap>,
service: web::Data<Arc<RwLock<AttestationService>>>,
) -> Result<HttpResponse> {
log::debug!("attestation request is coming");
let request = request.0;
- let mut challenge = request.challenge;
- if challenge == "" {
- let cookie = http_req.cookie("oeas-session-id").ok_or(Error::CookieMissing)?;
- let session = map
- .session_map
- .get_async(cookie.value())
- .await
- .ok_or(Error::CookieNotFound)?;
- if session.is_expired() {
- return Err(Error::SessionExpired);
- }
- log::debug!("session challenge:{}", session.challenge);
- challenge = session.challenge.clone();
- }
+ let challenge = request.challenge;
let nonce = base64_url::decode(&challenge).expect("base64 decode nonce");
let evidence = base64_url::decode(&request.evidence).expect("base64 decode evidence");
diff --git a/service/attestation/attestation-service/service/src/session.rs b/service/attestation/attestation-service/service/src/session.rs
index 5f191a77..2aee35a3 100644
--- a/service/attestation/attestation-service/service/src/session.rs
+++ b/service/attestation/attestation-service/service/src/session.rs
@@ -52,7 +52,4 @@ impl SessionMap {
pub fn insert(&self, session: Session) {
let _ = self.session_map.insert(session.id.clone(), session);
}
- pub fn delete(&self, session: Session) {
- let _ = self.session_map.remove(&session.id);
- }
}
\ No newline at end of file
diff --git a/service/attestation/attestation-service/verifier/src/itrustee/mod.rs b/service/attestation/attestation-service/verifier/src/itrustee/mod.rs
index 67c857ac..8ce4d24b 100644
--- a/service/attestation/attestation-service/verifier/src/itrustee/mod.rs
+++ b/service/attestation/attestation-service/verifier/src/itrustee/mod.rs
@@ -42,8 +42,8 @@ fn evalute_wrapper(user_data: &[u8], evidence: &[u8]) -> Result<TeeClaim> {
size: in_data.len() as ::std::os::raw::c_uint,
buf: in_data.as_mut_ptr() as *mut ::std::os::raw::c_uchar,
};
- log::info!("input nonce:{:?}", nonce);
- let policy: std::os::raw::c_int = 1;
+
+ let policy: std::os::raw::c_int = 1; // 1: verify ta_imag; 2: verfiy ta_mem; 3: verify ta_img and ta_mem hash;
if !Path::new(ITRUSTEE_REF_VALUE_FILE).exists() {
log::error!("itrustee verify report {} not exists", ITRUSTEE_REF_VALUE_FILE);
bail!("itrustee verify report {} not exists", ITRUSTEE_REF_VALUE_FILE);
--
2.46.0

7
secGear.spec
View File

@ -1,6 +1,6 @@
Name: secGear
Version: 0.1.0
Release: 47
Release: 48
Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features
@ -93,6 +93,8 @@ Patch79: 0080-add-attestation-service.patch
Patch80: 0081-modify-default-agent-config.patch
Patch81: 0082-optimize-ima-verify.patch
Patch82: 0083-optimize-log-level.patch
Patch83: 0084-fix-concurrent-request-error-to-aa-or-as.patch
BuildRequires: gcc python automake autoconf libtool
BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel
@ -289,6 +291,9 @@ popd
systemctl restart rsyslog
%changelog
* Tue Nov 26 2024 houmingyong<houmingyong@huawei.com> - 0.1.0-48
- fix concurrent request error to aa or as
* Fri Nov 8 2024 houmingyong<houmingyong@huawei.com> - 0.1.0-47
- remove attestation-agent and attestation-service from devel