From bf677875ab272c37081648f59018f9eaaac0beee Mon Sep 17 00:00:00 2001 From: Noor Date: Sat, 29 Mar 2025 21:09:31 +0530 Subject: [PATCH 1/4] wip fixing: remove TLS configuration from gRPC client setup --- Cargo.lock | 2 -- Cargo.toml | 3 ++- src/general/grpc.rs | 38 ++++++++++++++++++++++++++++++++++---- src/sgx/grpc_brain.rs | 5 ++++- src/sgx/grpc_dtpm.rs | 14 ++++++++++++-- src/snp/grpc.rs | 5 ++++- 6 files changed, 56 insertions(+), 11 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e3fb603..a13f5d3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3585,10 +3585,8 @@ dependencies = [ "percent-encoding", "pin-project", "prost", - "rustls-pemfile", "socket2", "tokio", - "tokio-rustls", "tokio-stream", "tower 0.4.13", "tower-layer", diff --git a/Cargo.toml b/Cargo.toml index 69592f9..ff8a9ca 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -19,7 +19,8 @@ serde_yaml = "0.9.34" tabled = "0.17.0" tokio-stream = "0.1.17" tokio = { version = "1.42.0", features = ["macros", "rt-multi-thread"] } -tonic = { version = "0.12", features = ["tls"] } +# tonic = { version = "0.12", features = ["tls"] } +tonic = { version = "0.12" } thiserror = "2.0.9" bs58 = "0.5.1" chrono = "0.4.39" diff --git a/src/general/grpc.rs b/src/general/grpc.rs index 0db1ba3..4b52343 100644 --- a/src/general/grpc.rs +++ b/src/general/grpc.rs @@ -3,8 +3,10 @@ use crate::snp::grpc::proto::VmContract; use crate::utils::sign_request; use detee_shared::general_proto::ReportNodeReq; use log::{debug, info, warn}; +use rustls::pki_types::pem::PemObject; use tokio_stream::StreamExt; -use tonic::transport::{Certificate, Channel, ClientTlsConfig}; +// use tonic::transport::{Certificate, Channel, ClientTlsConfig}; +use tonic::transport::Channel; pub mod proto { pub use detee_shared::common_proto::*; 
@@ -36,9 +38,34 @@ pub enum Error { async fn client() -> Result, Error> { let (brain_url, brain_san) = Config::get_brain_info(); + + use hyper_rustls::HttpsConnectorBuilder; + use rustls::pki_types::CertificateDer; + use rustls::{ClientConfig, RootCertStore}; + + let mut detee_root_ca_store = RootCertStore::empty(); + detee_root_ca_store + .add(CertificateDer::from_pem_file(Config::get_root_ca_path()?).unwrap()) + .unwrap(); + + let client_tls_config = + ClientConfig::builder().with_root_certificates(detee_root_ca_store).with_no_client_auth(); + let connector = HttpsConnectorBuilder::new() + .with_tls_config(client_tls_config) + .https_only() + .enable_http2() + .build(); + + // let channel = Channel::from_shared(brain_url.to_string()) + // .map_err(|_| Error::CorruptedBrainUrl)? + // .connect_with_connector(connector) + // .await + // .unwrap(); + Ok(BrainGeneralCliClient::new( Channel::from_shared(brain_url.to_string()) .map_err(|_| Error::CorruptedBrainUrl)? + /* .tls_config( ClientTlsConfig::new() .ca_certificate(Certificate::from_pem(std::fs::read_to_string( @@ -46,8 +73,10 @@ async fn client() -> Result, Error> { )?)) .domain_name(brain_san), )? - .connect() - .await?, + */ + .connect_with_connector(connector) + .await + .unwrap(), )) } @@ -162,7 +191,8 @@ pub async fn admin_list_accounts() -> Result, Error> { pub async fn admin_list_contracts() -> Result, Error> { let mut contracts = Vec::new(); - let mut grpc_stream = client().await?.list_all_vm_contracts(sign_request(Empty {})?).await?.into_inner(); + let mut grpc_stream = + client().await?.list_all_vm_contracts(sign_request(Empty {})?).await?.into_inner(); while let Some(stream_update) = grpc_stream.next().await { match stream_update { Ok(contract) => { diff --git a/src/sgx/grpc_brain.rs b/src/sgx/grpc_brain.rs index 6ae6a31..3ec90ba 100644 --- a/src/sgx/grpc_brain.rs +++ b/src/sgx/grpc_brain.rs 
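Review bot: The HttpsConnectorBuilder in client() is built without a server-name resolver, so the TLS name check now uses whatever host is in brain_url instead of the `brain_san` that the now commented-out `.domain_name(brain_san)` pinned, and `brain_san` appears to be left as an unused binding. The three `.unwrap()` calls (after `from_pem_file`, after `add`, and after the `connect_with_connector(...).await` at the end of the next hunk) turn a missing or malformed root CA file or a failed handshake into a panic where the function already returns `Result<_, Error>`; `CertificateDer::from_pem_file(...)?` and a `map_err` on the others keep the error path intact. Patch 2 of this series moves this code into `Config::get_brain_channel` and restores the name pinning with `FixedServerNameResolver`, but the `.add(...).unwrap()` survives there. client() continues into the following hunk.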
@@ -5,7 +5,8 @@ use detee_shared::app_proto::{ }; use detee_shared::sgx::types::brain::AppDeployConfig; use tokio_stream::StreamExt; -use tonic::transport::{Certificate, Channel, ClientTlsConfig}; +// use tonic::transport::{Certificate, Channel, ClientTlsConfig}; +use tonic::transport::Channel; use crate::config::Config; use crate::sgx::utils::calculate_nanolp_for_app; @@ -70,6 +71,7 @@ async fn client() -> Result> { Ok(BrainAppCliClient::new( Channel::from_shared(brain_url.to_string()) .map_err(|_| Error::CorruptedBrainUrl)? + /* .tls_config( ClientTlsConfig::new() .ca_certificate(Certificate::from_pem(std::fs::read_to_string( @@ -77,6 +79,7 @@ async fn client() -> Result> { )?)) .domain_name(brain_san), )? + */ .connect() .await?, )) diff --git a/src/sgx/grpc_dtpm.rs b/src/sgx/grpc_dtpm.rs index 6930279..f200e7e 100644 --- a/src/sgx/grpc_dtpm.rs +++ b/src/sgx/grpc_dtpm.rs @@ -63,7 +63,11 @@ pub async fn connect_dtpm_grpc_client( .enable_http2() .build(); - let channel = Endpoint::from_shared(hratls_uri)?.connect_with_connector(connector).await?; + let channel = Endpoint::from_shared(hratls_uri)? + // .tls_config(client_tls_config.into())? + .connect_with_connector(connector) + .await + .unwrap(); Ok(DtpmConfigManagerClient::new(channel)) } @@ -74,7 +78,13 @@ pub async fn attest_and_send_config(loaded_config: DtpmConfig, uuid: &str) -> Re log::trace!("Decoded the configuration... {:?}", req_data); - let (hratls_uri, mr_enclave) = hratls_url_and_mr_enclave_from_app_id(uuid).await; + // let (hratls_uri, mr_enclave) = hratls_url_and_mr_enclave_from_app_id(uuid).await; + // let (hratls_uri, mr_enclave) = hratls_url_and_mr_enclave_from_app_id(uuid).await; + // dbg!(&hratls_uri, mr_enclave); + + let hratls_uri = "https://212.95.45.139:33950".to_string(); + let mr_enclave = None; + log::info!("hratls uri: {}\nmr_enclave: {:?}", &hratls_uri, &mr_enclave); let client = connect_dtpm_grpc_client(hratls_uri, mr_enclave).await?; 
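Review bot: Wrapping `.tls_config(...)` in `/* */` while keeping `.connect()` leaves client() with no TLS configuration at all in this commit, and the same edit is made to src/snp/grpc.rs in this patch; with the `tls` feature also dropped from tonic in Cargo.toml, the channel either talks to the brain without the root-CA and SAN checks the disabled block enforced or fails outright on the https brain_url — in both cases the brain connection is unprotected until patch 2 routes these clients through `Config::get_brain_channel`. If the series lands as separate commits, this intermediate state should not be one of them (squash with patch 2, or keep the original TLS path until the replacement is ready). `brain_san` from `get_brain_info()` is also left unused here. client() begins before this hunk.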
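Review bot: attest_and_send_config replaces the `hratls_url_and_mr_enclave_from_app_id(uuid)` lookup with a hard-coded `hratls_uri` (a literal public IP and port) and `mr_enclave = None`, which drops the expected enclave measurement from the dTPM connection and appears to leave the `uuid` argument unused; this is debugging scaffolding that patch 2 reverts, and it should not be part of a mergeable commit. The `.unwrap()` added after `connect_with_connector` in connect_dtpm_grpc_client likewise turns a handshake failure into a panic in a function that already returns a Result (patch 3 restores `?`). Both functions start outside their hunks.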
diff --git a/src/snp/grpc.rs b/src/snp/grpc.rs index b07a4ec..f0a9e35 100644 --- a/src/snp/grpc.rs +++ b/src/snp/grpc.rs @@ -13,7 +13,8 @@ use proto::{ use tokio_stream::StreamExt; use tonic::metadata::errors::InvalidMetadataValue; use tonic::metadata::AsciiMetadataValue; -use tonic::transport::{Certificate, Channel, ClientTlsConfig}; +// use tonic::transport::{Certificate, Channel, ClientTlsConfig}; +use tonic::transport::Channel; use tonic::Request; lazy_static! { @@ -88,6 +89,7 @@ async fn client() -> Result, Error> { Ok(BrainVmCliClient::new( Channel::from_shared(brain_url.to_string()) .map_err(|_| Error::CorruptedBrainUrl)? + /* .tls_config( ClientTlsConfig::new() .ca_certificate(Certificate::from_pem(std::fs::read_to_string( @@ -95,6 +97,7 @@ async fn client() -> Result, Error> { )?)) .domain_name(brain_san), )? + */ .connect() .await?, )) -- 2.43.0 From 27519ef8232a697ac7893cc615c5eaea87be146d Mon Sep 17 00:00:00 2001 From: ghe0 Date: Sat, 29 Mar 2025 19:15:16 +0200 Subject: [PATCH 2/4] add brain channel creation for tonic --- src/config.rs | 44 +++++++++++++++++++++++++++++++++++++++++++ src/general/grpc.rs | 44 +------------------------------------------ src/sgx/grpc_brain.rs | 17 +---------------- src/sgx/grpc_dtpm.rs | 7 +------ src/snp/grpc.rs | 17 +---------------- 5 files changed, 48 insertions(+), 81 deletions(-) diff --git a/src/config.rs b/src/config.rs index b5d990e..43d51d3 100644 --- a/src/config.rs +++ b/src/config.rs @@ -83,6 +83,10 @@ pub enum Error { SshKeyNoDefined, #[error{"RSA Error: {0}"}] RSAError(#[from] openssl::error::ErrorStack), + #[error{"Internal CLI error: {0}"}] + InternalError(String), + #[error(transparent)] + BrainConnection(#[from] tonic::transport::Error), } impl Config { 
@@ -310,6 +314,46 @@ impl Config { } } + pub async fn get_brain_channel() -> Result { + let (brain_url, brain_san) = Self::get_brain_info(); + + use hyper_rustls::HttpsConnectorBuilder; + use rustls::pki_types::pem::PemObject; + use rustls::pki_types::CertificateDer; + use rustls::{ClientConfig, RootCertStore}; + + let mut detee_root_ca_store = RootCertStore::empty(); + detee_root_ca_store + .add(CertificateDer::from_pem_file(Config::get_root_ca_path()?).map_err(|e| { + Error::InternalError(format!("Could not parse PEM certificate: {e}")) + })?) + .unwrap(); + + let client_tls_config = ClientConfig::builder() + .with_root_certificates(detee_root_ca_store) + .with_no_client_auth(); + let connector = HttpsConnectorBuilder::new() + .with_tls_config(client_tls_config) + .https_only() + .with_server_name_resolver(hyper_rustls::FixedServerNameResolver::new( + brain_san.clone().try_into().map_err(|e| { + Error::InternalError(format!( + "Could not parse {brain_san} into domain resolver: {e}" + )) + })?, + )) + .enable_http2() + .build(); + Ok(tonic::transport::Channel::from_shared(brain_url.to_string()) + .map_err(|e| { + Error::InternalError(format!( + "Could not parse {brain_san} into domain resolver: {e}" + )) + })? + .connect_with_connector(connector) + .await?) + } + pub fn set_network(mut network: &str) { if network != "staging" { log::error!( diff --git a/src/general/grpc.rs b/src/general/grpc.rs index 4b52343..18b39fb 100644 --- a/src/general/grpc.rs +++ b/src/general/grpc.rs @@ -3,9 +3,7 @@ use crate::snp::grpc::proto::VmContract; use crate::utils::sign_request; use detee_shared::general_proto::ReportNodeReq; use log::{debug, info, warn}; -use rustls::pki_types::pem::PemObject; use tokio_stream::StreamExt; -// use tonic::transport::{Certificate, Channel, ClientTlsConfig}; use tonic::transport::Channel; pub mod proto { 
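Review bot: The `map_err` on `Channel::from_shared(brain_url.to_string())` reuses the resolver's message, `Could not parse {brain_san} into domain resolver`, although what failed is parsing `brain_url` as a URI; use something like `Error::InternalError(format!("Could not parse brain URL {brain_url}: {e}"))`. The `.unwrap()` on `detee_root_ca_store.add(...)` is the one remaining panic path in get_brain_channel: a root CA file that parses as PEM but is rejected by the trust store aborts the CLI instead of returning `Error`, and `.map_err(|e| Error::InternalError(format!("Could not add root CA to trust store: {e}")))?` keeps it on the Result path like the PEM read above it. The four `use` items sit after the first `let`; moving them to the top of the function body (or to the module imports) reads better. Pinning the server name to `brain_san` with `FixedServerNameResolver` together with `https_only()` does restore what the removed `.domain_name(brain_san)` provided.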
@@ -37,47 +35,7 @@ pub enum Error { } async fn client() -> Result, Error> { - let (brain_url, brain_san) = Config::get_brain_info(); - - use hyper_rustls::HttpsConnectorBuilder; - use rustls::pki_types::CertificateDer; - use rustls::{ClientConfig, RootCertStore}; - - let mut detee_root_ca_store = RootCertStore::empty(); - detee_root_ca_store - .add(CertificateDer::from_pem_file(Config::get_root_ca_path()?).unwrap()) - .unwrap(); - - let client_tls_config = - ClientConfig::builder().with_root_certificates(detee_root_ca_store).with_no_client_auth(); - let connector = HttpsConnectorBuilder::new() - .with_tls_config(client_tls_config) - .https_only() - .enable_http2() - .build(); - - // let channel = Channel::from_shared(brain_url.to_string()) - // .map_err(|_| Error::CorruptedBrainUrl)? - // .connect_with_connector(connector) - // .await - // .unwrap(); - - Ok(BrainGeneralCliClient::new( - Channel::from_shared(brain_url.to_string()) - .map_err(|_| Error::CorruptedBrainUrl)? - /* - .tls_config( - ClientTlsConfig::new() - .ca_certificate(Certificate::from_pem(std::fs::read_to_string( - Config::get_root_ca_path()?, - )?)) - .domain_name(brain_san), - )? - */ - .connect_with_connector(connector) - .await - .unwrap(), - )) + Ok(BrainGeneralCliClient::new(Config::get_brain_channel().await?)) } pub async fn get_balance(account: &str) -> Result { diff --git a/src/sgx/grpc_brain.rs b/src/sgx/grpc_brain.rs index 3ec90ba..8a80677 100644 --- a/src/sgx/grpc_brain.rs +++ b/src/sgx/grpc_brain.rs 
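Review bot: With client() reduced to `Config::get_brain_channel().await?`, the `Error::CorruptedBrainUrl` mapping removed here — and in the matching hunks of src/sgx/grpc_brain.rs and src/snp/grpc.rs — was the only visible producer of that variant, so it may now be dead in all three error enums and worth removing, since its role is taken by `config::Error::InternalError`. The `?` also relies on a `From<crate::config::Error>` impl for each local `Error`; the earlier `Config::get_root_ca_path()?` inside these functions suggests it exists, but it is not visible in this diff.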
@@ -67,22 +67,7 @@ impl crate::HumanOutput for AppContract { } async fn client() -> Result> { - let (brain_url, brain_san) = Config::get_brain_info(); - Ok(BrainAppCliClient::new( - Channel::from_shared(brain_url.to_string()) - .map_err(|_| Error::CorruptedBrainUrl)? - /* - .tls_config( - ClientTlsConfig::new() - .ca_certificate(Certificate::from_pem(std::fs::read_to_string( - Config::get_root_ca_path()?, - )?)) - .domain_name(brain_san), - )? - */ - .connect() - .await?, - )) + Ok(BrainAppCliClient::new(Config::get_brain_channel().await?)) } pub async fn new_app(app_deploy_config: AppDeployConfig) -> Result { diff --git a/src/sgx/grpc_dtpm.rs b/src/sgx/grpc_dtpm.rs index f200e7e..c2a5674 100644 --- a/src/sgx/grpc_dtpm.rs +++ b/src/sgx/grpc_dtpm.rs @@ -78,12 +78,7 @@ pub async fn attest_and_send_config(loaded_config: DtpmConfig, uuid: &str) -> Re log::trace!("Decoded the configuration... {:?}", req_data); - // let (hratls_uri, mr_enclave) = hratls_url_and_mr_enclave_from_app_id(uuid).await; - // let (hratls_uri, mr_enclave) = hratls_url_and_mr_enclave_from_app_id(uuid).await; - // dbg!(&hratls_uri, mr_enclave); - - let hratls_uri = "https://212.95.45.139:33950".to_string(); - let mr_enclave = None; + let (hratls_uri, mr_enclave) = hratls_url_and_mr_enclave_from_app_id(uuid).await; log::info!("hratls uri: {}\nmr_enclave: {:?}", &hratls_uri, &mr_enclave); diff --git a/src/snp/grpc.rs b/src/snp/grpc.rs index f0a9e35..a9eda82 100644 --- a/src/snp/grpc.rs +++ b/src/snp/grpc.rs 
@@ -85,22 +85,7 @@ impl crate::HumanOutput for VmNodeListResp { } async fn client() -> Result, Error> { - let (brain_url, brain_san) = Config::get_brain_info(); - Ok(BrainVmCliClient::new( - Channel::from_shared(brain_url.to_string()) - .map_err(|_| Error::CorruptedBrainUrl)? - /* - .tls_config( - ClientTlsConfig::new() - .ca_certificate(Certificate::from_pem(std::fs::read_to_string( - Config::get_root_ca_path()?, - )?)) - .domain_name(brain_san), - )? - */ - .connect() - .await?, - )) + Ok(BrainVmCliClient::new(Config::get_brain_channel().await?)) } fn sign_request(req: T) -> Result, Error> { -- 2.43.0 From c56843b3fdcc8866a09f8431ca207244b25290f2 Mon Sep 17 00:00:00 2001 From: ghe0 Date: Sat, 29 Mar 2025 20:01:59 +0200 Subject: [PATCH 3/4] small modifications --- src/sgx/grpc_dtpm.rs | 7 +------ src/sgx/mod.rs | 2 +- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/src/sgx/grpc_dtpm.rs b/src/sgx/grpc_dtpm.rs index c2a5674..6930279 100644 --- a/src/sgx/grpc_dtpm.rs +++ b/src/sgx/grpc_dtpm.rs @@ -63,11 +63,7 @@ pub async fn connect_dtpm_grpc_client( .enable_http2() .build(); - let channel = Endpoint::from_shared(hratls_uri)? - // .tls_config(client_tls_config.into())? - .connect_with_connector(connector) - .await - .unwrap(); + let channel = Endpoint::from_shared(hratls_uri)?.connect_with_connector(connector).await?; Ok(DtpmConfigManagerClient::new(channel)) } @@ -79,7 +75,6 @@ pub async fn attest_and_send_config(loaded_config: DtpmConfig, uuid: &str) -> Re log::trace!("Decoded the configuration... {:?}", req_data); let (hratls_uri, mr_enclave) = hratls_url_and_mr_enclave_from_app_id(uuid).await; - log::info!("hratls uri: {}\nmr_enclave: {:?}", &hratls_uri, &mr_enclave); let client = connect_dtpm_grpc_client(hratls_uri, mr_enclave).await?; diff --git a/src/sgx/mod.rs b/src/sgx/mod.rs index 80c9662..4169e28 100644 --- a/src/sgx/mod.rs +++ b/src/sgx/mod.rs 
@@ -186,7 +186,7 @@ pub struct AppDeployResponse { impl crate::HumanOutput for AppDeployResponse { fn human_cli_print(&self) { - println!("App deployd with UUID: {}, App Name: {}", self.uuid, self.name); + println!("The application got deployed under the UUID: {}", self.uuid); } } -- 2.43.0 From 82fd32a896f07dd6f42d63f7b1956c5a5bda7cd2 Mon Sep 17 00:00:00 2001 From: ghe0 Date: Sat, 29 Mar 2025 20:08:01 +0200 Subject: [PATCH 4/4] remove comments --- Cargo.toml | 1 - src/sgx/grpc_brain.rs | 1 - src/snp/grpc.rs | 1 - 3 files changed, 3 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index ff8a9ca..5fe3ceb 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -19,7 +19,6 @@ serde_yaml = "0.9.34" tabled = "0.17.0" tokio-stream = "0.1.17" tokio = { version = "1.42.0", features = ["macros", "rt-multi-thread"] } -# tonic = { version = "0.12", features = ["tls"] } tonic = { version = "0.12" } thiserror = "2.0.9" bs58 = "0.5.1" diff --git a/src/sgx/grpc_brain.rs b/src/sgx/grpc_brain.rs index 8a80677..dd92e18 100644 --- a/src/sgx/grpc_brain.rs +++ b/src/sgx/grpc_brain.rs @@ -5,7 +5,6 @@ use detee_shared::app_proto::{ }; use detee_shared::sgx::types::brain::AppDeployConfig; use tokio_stream::StreamExt; -// use tonic::transport::{Certificate, Channel, ClientTlsConfig}; use tonic::transport::Channel; use crate::config::Config; diff --git a/src/snp/grpc.rs b/src/snp/grpc.rs index a9eda82..81e7ec0 100644 --- a/src/snp/grpc.rs +++ b/src/snp/grpc.rs @@ -13,7 +13,6 @@ use proto::{ use tokio_stream::StreamExt; use tonic::metadata::errors::InvalidMetadataValue; use tonic::metadata::AsciiMetadataValue; -// use tonic::transport::{Certificate, Channel, ClientTlsConfig}; use tonic::transport::Channel; use tonic::Request; -- 2.43.0