diff --git a/attestation-service/attestation-service/src/bin/grpc/mod.rs b/attestation-service/attestation-service/src/bin/grpc/mod.rs index cd22fa7617..2f54805192 100644 --- a/attestation-service/attestation-service/src/bin/grpc/mod.rs +++ b/attestation-service/attestation-service/src/bin/grpc/mod.rs @@ -1,13 +1,15 @@ -use anyhow::{anyhow, Result}; use attestation_service::policy_engine::SetPolicyInput; use attestation_service::HashAlgorithm; -use attestation_service::{config::Config, AttestationService as Service, Tee}; +use attestation_service::{ + config::Config, config::ConfigError, AttestationService as Service, ServiceError, Tee, +}; use base64::engine::general_purpose::URL_SAFE_NO_PAD; use base64::Engine; use log::{debug, info}; use std::net::SocketAddr; use std::path::Path; use std::sync::Arc; +use thiserror::Error; use tokio::sync::RwLock; use tonic::transport::Server; use tonic::{Request, Response, Status}; @@ -40,15 +42,22 @@ fn to_kbs_tee(tee: GrpcTee) -> Tee { } } +#[derive(Error, Debug)] +pub enum GrpcError { + #[error("Read AS config file failed: {0}")] + Config(#[from] ConfigError), + #[error("Creating attestation service failed: {0}")] + Service(#[from] ServiceError), +} + pub struct AttestationServer { attestation_service: Service, } impl AttestationServer { - pub async fn new(config_path: Option) -> Result { + pub async fn new(config_path: Option) -> Result { let config = match config_path { - Some(path) => Config::try_from(Path::new(&path)) - .map_err(|e| anyhow!("Read AS config file failed: {:?}", e))?, + Some(path) => Config::try_from(Path::new(&path))?, None => Config::default(), }; @@ -222,7 +231,7 @@ impl ReferenceValueProviderService for Arc> { } } -pub async fn start(socket: SocketAddr, config_path: Option) -> Result<()> { +pub async fn start(socket: SocketAddr, config_path: Option) -> Result<(), GrpcError> { info!("Listen socket: {}", &socket); let attestation_server = Arc::new(RwLock::new(AttestationServer::new(config_path).await?)); @@ -231,6 +240,7 @@ pub async fn start(socket: SocketAddr, config_path: Option) -> Result<() .add_service(AttestationServiceServer::new(attestation_server.clone())) .add_service(ReferenceValueProviderServiceServer::new(attestation_server)) .serve(socket) - .await?; + .await + .map_err(|e| ServiceError::StartService(e.to_string()))?; Ok(()) } diff --git a/attestation-service/attestation-service/src/bin/restful-as.rs b/attestation-service/attestation-service/src/bin/restful-as.rs index de797f7e8e..d7ba964eb2 100644 --- a/attestation-service/attestation-service/src/bin/restful-as.rs +++ b/attestation-service/attestation-service/src/bin/restful-as.rs @@ -1,8 +1,8 @@ use std::{net::SocketAddr, path::Path, sync::Arc}; use actix_web::{web, App, HttpServer}; -use anyhow::{anyhow, Context, Result}; -use attestation_service::{config::Config, AttestationService}; +use anyhow::Result; +use attestation_service::{config::Config, config::ConfigError, AttestationService, ServiceError}; use clap::{arg, command, Parser}; use log::info; use openssl::{ @@ -10,6 +10,7 @@ use openssl::{ ssl::{SslAcceptor, SslMethod}, }; use strum::{AsRefStr, EnumString}; +use thiserror::Error; use tokio::sync::RwLock; use crate::restful::{attestation, set_policy}; @@ -49,8 +50,22 @@ enum WebApi { Policy, } +#[derive(Error, Debug)] +pub enum RestfulError { + #[error("Creating service failed: {0}: {0}")] + Service(#[from] ServiceError), + #[error("Failed to read AS config file: {0}")] + Config(#[from] ConfigError), + #[error("Openssl errorstack: {0}")] + Openssl(#[from] openssl::error::ErrorStack), + #[error("io error")] + IO(#[from] std::io::Error), + #[error("Failed to start server: {0}")] + StartServer(String), +} + #[actix_web::main] -async fn main() -> Result<()> { +async fn main() -> Result<(), RestfulError> { env_logger::init_from_env(env_logger::Env::new().default_filter_or("info")); let cli = Cli::parse(); @@ -58,8 +73,7 @@ async fn main() -> Result<()> { let config = match cli.config_file { Some(path) => { info!("Using config file {path}"); - Config::try_from(Path::new(&path)) - .map_err(|e| anyhow!("Read AS config file failed: {:?}", e))? + Config::try_from(Path::new(&path))? } None => { info!("No confile path provided, use default one."); @@ -81,18 +95,11 @@ async fn main() -> Result<()> { (Some(prikey), Some(pubkey_cert)) => { let mut builder = SslAcceptor::mozilla_modern(SslMethod::tls())?; - let prikey = tokio::fs::read(prikey) - .await - .context("read HTTPS private key")?; - let prikey = - PKey::private_key_from_pem(&prikey).context("read HTTPS private key from pem")?; - - builder - .set_private_key(&prikey) - .context("set private key failed")?; - builder - .set_certificate_chain_file(pubkey_cert) - .context("set HTTPS public key cert")?; + let prikey = tokio::fs::read(prikey).await?; + let prikey = PKey::private_key_from_pem(&prikey)?; + + builder.set_private_key(&prikey)?; + builder.set_certificate_chain_file(pubkey_cert)?; log::info!("starting HTTPS server at https://{}", cli.socket); server.bind_openssl(cli.socket, builder)?.run() } @@ -104,7 +111,9 @@ async fn main() -> Result<()> { } }; - server.await?; + server + .await + .map_err(|e| RestfulError::StartServer(e.to_string()))?; Ok(()) } diff --git a/attestation-service/attestation-service/src/config.rs b/attestation-service/attestation-service/src/config.rs index 814136ad64..7ae3b676a4 100644 --- a/attestation-service/attestation-service/src/config.rs +++ b/attestation-service/attestation-service/src/config.rs @@ -3,11 +3,11 @@ use crate::{ token::{AttestationTokenBrokerType, AttestationTokenConfig}, }; -use anyhow::{anyhow, Result}; use serde::Deserialize; use std::convert::TryFrom; use std::fs::File; use std::path::{Path, PathBuf}; +use thiserror::Error; /// Environment macro for Attestation Service work dir. const AS_WORK_DIR: &str = "AS_WORK_DIR"; @@ -34,6 +34,14 @@ pub struct Config { pub attestation_token_config: AttestationTokenConfig, } +#[derive(Error, Debug)] +pub enum ConfigError { + #[error("io error")] + IO(#[from] std::io::Error), + #[error("Serde Json Error")] + SerdeJson(#[from] serde_json::Error), +} + impl Default for Config { // Construct a default instance of `Config` fn default() -> Config { @@ -65,12 +73,9 @@ impl TryFrom<&Path> for Config { /// "duration_min": 5 /// } /// } - type Error = anyhow::Error; - fn try_from(config_path: &Path) -> Result { - let file = File::open(config_path) - .map_err(|e| anyhow!("failed to open AS config file {}", e.to_string()))?; - - serde_json::from_reader::(file) - .map_err(|e| anyhow!("failed to parse AS config file {}", e.to_string())) + type Error = ConfigError; + fn try_from(config_path: &Path) -> Result { + let file = File::open(config_path)?; + Ok(serde_json::from_reader::(file)?) } } diff --git a/attestation-service/attestation-service/src/lib.rs b/attestation-service/attestation-service/src/lib.rs index 85370f72b7..2f9affa093 100644 --- a/attestation-service/attestation-service/src/lib.rs +++ b/attestation-service/attestation-service/src/lib.rs @@ -12,17 +12,18 @@ mod utils; use crate::token::AttestationTokenBroker; -use anyhow::{anyhow, Context, Result}; +use anyhow::Result; use config::Config; pub use kbs_types::{Attestation, Tee}; use log::debug; use policy_engine::{PolicyEngine, PolicyEngineType, SetPolicyInput}; -use rvps::RvpsApi; +use rvps::{RvpsApi, RvpsError}; use serde_json::{json, Value}; use serde_variant::to_variant_name; use sha2::{Digest, Sha256, Sha384, Sha512}; use std::{collections::HashMap, str::FromStr}; use strum::{AsRefStr, EnumString}; +use thiserror::Error; use tokio::fs; use verifier::{InitDataHash, ReportData}; @@ -77,6 +78,24 @@ pub enum Data { Structured(Value), } +#[derive(Error, Debug)] +pub enum ServiceError { + #[error("io error: {0}")] + IO(#[from] std::io::Error), + #[error("Parse error:{0}")] + ParseError(#[from] strum::ParseError), + #[error("Policy Engine {0} is not supported")] + UnsupportedPolicyEngine(String), + #[error("Create rvps failed.")] + Rvps(#[from] RvpsError), + #[error("Set Policy failed {0}")] + SetPolicyFailed(String), + #[error("Starting service failed: {0}")] + StartService(String), + #[error("token broker error: {0}")] + TokenBroker(String), +} + pub struct AttestationService { _config: Config, policy_engine: Box, @@ -86,26 +105,21 @@ pub struct AttestationService { impl AttestationService { /// Create a new Attestation Service instance. - pub async fn new(config: Config) -> Result { + pub async fn new(config: Config) -> Result { if !config.work_dir.as_path().exists() { - fs::create_dir_all(&config.work_dir) - .await - .context("Create AS work dir failed: {:?}")?; + fs::create_dir_all(&config.work_dir).await?; } - let policy_engine = PolicyEngineType::from_str(&config.policy_engine) - .map_err(|_| anyhow!("Policy Engine {} is not supported", &config.policy_engine))? - .to_policy_engine(config.work_dir.as_path())?; + let policy_engine = PolicyEngineType::from_str(&config.policy_engine)? + .to_policy_engine(config.work_dir.as_path()) + .map_err(|e| ServiceError::UnsupportedPolicyEngine(e.to_string()))?; - let rvps = config - .rvps_config - .to_rvps() - .await - .context("create rvps failed.")?; + let rvps = config.rvps_config.to_rvps().await?; let token_broker = config .attestation_token_broker - .to_token_broker(config.attestation_token_config.clone())?; + .to_token_broker(config.attestation_token_config.clone()) + .map_err(|e| ServiceError::TokenBroker(e.to_string()))?; Ok(Self { _config: config, @@ -116,11 +130,13 @@ impl AttestationService { } /// Set Attestation Verification Policy. - pub async fn set_policy(&mut self, input: SetPolicyInput) -> Result<()> { + pub async fn set_policy(&mut self, input: SetPolicyInput) -> Result<(), ServiceError> { self.policy_engine .set_policy(input) .await - .map_err(|e| anyhow!("Cannot Set Policy: {:?}", e)) + .map_err(|e| ServiceError::SetPolicyFailed(e.to_string()))?; + + Ok(()) } /// Evaluate Attestation Evidence. @@ -153,15 +169,14 @@ impl AttestationService { let verifier = verifier::to_verifier(&tee)?; let (report_data, runtime_data_claims) = - parse_data(runtime_data, &runtime_data_hash_algorithm).context("parse runtime data")?; + parse_data(runtime_data, &runtime_data_hash_algorithm)?; let report_data = match &report_data { Some(data) => ReportData::Value(data), None => ReportData::NotProvided, }; - let (init_data, init_data_claims) = - parse_data(init_data, &init_data_hash_algorithm).context("parse init data")?; + let (init_data, init_data_claims) = parse_data(init_data, &init_data_hash_algorithm)?; let init_data_hash = match &init_data { Some(data) => InitDataHash::Value(data), @@ -170,23 +185,18 @@ impl AttestationService { let claims_from_tee_evidence = verifier .evaluate(&evidence, &report_data, &init_data_hash) - .await - .map_err(|e| anyhow!("Verifier evaluate failed: {e:?}"))?; + .await?; let flattened_claims = flatten_claims(tee, &claims_from_tee_evidence)?; let tcb_json = serde_json::to_string(&flattened_claims)?; - let reference_data_map = self - .get_reference_data(flattened_claims.keys()) - .await - .map_err(|e| anyhow!("Generate reference data failed: {:?}", e))?; + let reference_data_map = self.get_reference_data(flattened_claims.keys()).await?; let evaluation_report = self .policy_engine .evaluate(reference_data_map.clone(), tcb_json, policy_ids.clone()) - .await - .map_err(|e| anyhow!("Policy Engine evaluation failed: {e}"))?; + .await?; let policies: Vec<_> = evaluation_report .into_iter() @@ -252,8 +262,7 @@ fn parse_data( Data::Raw(raw) => Ok((Some(raw), Value::Null)), Data::Structured(structured) => { // by default serde_json will enforence the alphabet order for keys - let hash_materials = - serde_json::to_vec(&structured).context("parse JSON structured data")?; + let hash_materials = serde_json::to_vec(&structured)?; let digest = hash_algorithm.accumulate_hash(hash_materials); Ok((Some(digest), structured)) } diff --git a/attestation-service/attestation-service/src/rvps/builtin.rs b/attestation-service/attestation-service/src/rvps/builtin.rs index 49fca776e9..0dc7577030 100644 --- a/attestation-service/attestation-service/src/rvps/builtin.rs +++ b/attestation-service/attestation-service/src/rvps/builtin.rs @@ -1,3 +1,4 @@ +use crate::rvps::RvpsError; use anyhow::*; use async_trait::async_trait; use reference_value_provider_service::Core; @@ -9,16 +10,21 @@ pub struct Rvps { } impl Rvps { - pub fn new(store_type: &str) -> Result { - let core = Core::new(store_type)?; - Ok(Self { core }) + pub fn new(store_type: &str) -> Result { + Core::new(store_type) + .map(|core| Self::from_core(core)) + .map_err(|error| RvpsError::CreateRvps(error.to_string())) + } + + fn from_core(core: Core) -> Self { + Self { core } } } #[async_trait] impl RvpsApi for Rvps { async fn verify_and_extract(&mut self, message: &str) -> Result<()> { - self.core.verify_and_extract(message).await + Ok(self.core.verify_and_extract(message).await?) } async fn get_digests(&self, name: &str) -> Result> { diff --git a/attestation-service/attestation-service/src/rvps/grpc.rs b/attestation-service/attestation-service/src/rvps/grpc.rs index e749884825..1595b7a6ac 100644 --- a/attestation-service/attestation-service/src/rvps/grpc.rs +++ b/attestation-service/attestation-service/src/rvps/grpc.rs @@ -1,4 +1,5 @@ -use anyhow::*; +use crate::rvps::RvpsError; +use anyhow::Result; use tokio::sync::Mutex; use self::rvps_api::{ @@ -17,7 +18,7 @@ pub struct Agent { } impl Agent { - pub async fn new(addr: &str) -> Result { + pub async fn new(addr: &str) -> Result { Ok(Self { client: Mutex::new( ReferenceValueProviderServiceClient::connect(addr.to_string()).await?, @@ -25,7 +26,6 @@ impl Agent { }) } } - #[async_trait::async_trait] impl RvpsApi for Agent { async fn verify_and_extract(&mut self, message: &str) -> Result<()> { @@ -37,8 +37,7 @@ impl RvpsApi for Agent { .lock() .await .register_reference_value(req) - .await - .context("register failed")?; + .await?; Ok(()) } diff --git a/attestation-service/attestation-service/src/rvps/mod.rs b/attestation-service/attestation-service/src/rvps/mod.rs index f826ab12ef..a2b535d983 100644 --- a/attestation-service/attestation-service/src/rvps/mod.rs +++ b/attestation-service/attestation-service/src/rvps/mod.rs @@ -3,9 +3,10 @@ // SPDX-License-Identifier: Apache-2.0 // -use anyhow::*; +use anyhow::Result; use log::{info, warn}; use serde::Deserialize; +use thiserror::Error; /// The interfaces of Reference Value Provider Service /// * `verify_and_extract` is responsible for verify a message and @@ -55,10 +56,24 @@ impl Default for RvpsConfig { } } +#[derive(Error, Debug)] +pub enum RvpsError { + #[error("Failed creating rvps service: {0}")] + CreateRvps(String), + #[error("feature `rvps-grpc` or `rvps-builtin` should be enabled")] + FeatureNotEnabled, + #[error("Serde Json Error")] + SerdeJson(#[from] serde_json::Error), + #[error("Returned status: {0}")] + Status(#[from] tonic::Status), + #[error("tonic transport error: {0}")] + TonicTransport(#[from] tonic::transport::Error), +} + impl RvpsConfig { /// If remote addr is specified and the feature `rvps-grpc` is enabled when /// built, will try to connect the remote rvps. Or, will use a built-in rvps. - pub async fn to_rvps(&self) -> Result> { + pub async fn to_rvps(&self) -> Result, RvpsError> { cfg_if::cfg_if! { if #[cfg(feature = "rvps-grpc")] { if !self.remote_addr.is_empty() { @@ -70,7 +85,7 @@ impl RvpsConfig { warn!("No RVPS address provided and will launch a built-in rvps"); Ok(Box::new(builtin::Rvps::new(&self.store_type)?) as Box) } else { - Err(anyhow!("either feature `rvps-grpc` or `rvps-builtin` should be enabled.")) + return RvpsError::FeatureNotEnabled; } } } @@ -78,7 +93,7 @@ impl RvpsConfig { info!("launch a built-in RVPS."); Ok(Box::new(builtin::Rvps::new(&self.store_type)) as Box) } else { - Err(anyhow!("either feature `rvps-grpc` or `rvps-builtin` should be enabled.")) + return RvpsError::FeatureNotEnabled; } } }