From 56c846e1fd7277857b4a29f59640a4df0ed7b697 Mon Sep 17 00:00:00 2001 From: ghe0 Date: Fri, 28 Mar 2025 17:17:12 +0200 Subject: [PATCH] added support for self signed TLS certificates --- Cargo.lock | 4 ++++ Cargo.toml | 2 +- scripts/install_daemon.sh | 1 + src/config.rs | 2 +- src/global.rs | 3 +++ src/grpc.rs | 28 ++++++++++++++++++++++++---- src/main.rs | 4 ++-- 7 files changed, 36 insertions(+), 8 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index bc3ab7d..666c767 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1495,7 +1495,9 @@ version = "0.23.20" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5065c3f250cbd332cd894be57c40fa52387247659b14a2d6041d121547903b1b" dependencies = [ + "log", "once_cell", + "ring", "rustls-pki-types", "rustls-webpki", "subtle", @@ -1916,8 +1918,10 @@ dependencies = [ "percent-encoding", "pin-project", "prost", + "rustls-pemfile", "socket2", "tokio", + "tokio-rustls", "tokio-stream", "tower 0.4.13", "tower-layer", diff --git a/Cargo.toml b/Cargo.toml index a23603f..0fcab8c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -19,7 +19,7 @@ prost-types = "0.13.4" rand = "0.8.5" tokio = { version = "1.42.0", features = ["macros", "rt-multi-thread"] } tokio-stream = "0.1.17" -tonic = "0.12" +tonic = { version = "0.12", features = ["tls"] } serde_json = "1.0.135" bs58 = "0.5.1" chrono = "0.4.39" diff --git a/scripts/install_daemon.sh b/scripts/install_daemon.sh index a028240..68a48b2 100755 --- a/scripts/install_daemon.sh +++ b/scripts/install_daemon.sh 
@@ -15,6 +15,7 @@ chmod +x /usr/local/bin/detee-snp-daemon wget -O /usr/local/bin/detee/start_qemu_vm.sh https://registry.detee.ltd/daemon/start_qemu_vm.sh chmod +x /usr/local/bin/detee/start_qemu_vm.sh wget -O /etc/systemd/system/detee-snp-daemon.service https://registry.detee.ltd/daemon/detee-snp-daemon.service +wget -O /etc/detee/root_ca.pem https://registry.detee.ltd/root_ca.pem echo "Take a look at /etc/detee/daemon/sample_config.yaml" echo "Modify config based on your setup and save it to /etc/detee/daemon/config.yaml" diff --git a/src/config.rs b/src/config.rs index 17cf5da..a47e01d 100644 --- a/src/config.rs +++ b/src/config.rs @@ -45,7 +45,7 @@ pub enum InterfaceType { #[derive(Deserialize, Debug)] pub struct Config { pub owner_wallet: String, - pub brain_url: String, + pub network: String, pub max_cores_per_vm: usize, pub max_vcpu_reservation: usize, pub max_mem_reservation_mb: usize, diff --git a/src/global.rs b/src/global.rs index bec2b0e..0892e75 100644 --- a/src/global.rs +++ b/src/global.rs @@ -5,6 +5,9 @@ use log::{info, warn}; use sha2::{Digest, Sha256}; use std::{fs::File, io::Read, io::Write}; +pub(crate) const DETEE_ROOT_CA: &str = "/etc/detee/root_ca.pem"; +pub(crate) const BRAIN_STAGING: (&str, &str) = ("https://159.65.58.38:31337", "staging-brain"); +pub(crate) const BRAIN_TESTING: (&str, &str) = ("https://164.92.249.180:31337", "testing-brain"); pub(crate) const VM_BOOT_DIR: &str = "/var/lib/detee/boot/"; pub(crate) const USED_RESOURCES: &str = "/etc/detee/daemon/used_resources.yaml"; pub(crate) const VM_CONFIG_DIR: &str = "/etc/detee/daemon/vms/"; diff --git a/src/grpc.rs b/src/grpc.rs index 2b1d18d..1d00ee5 100644 --- a/src/grpc.rs +++ b/src/grpc.rs 
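Review bot: The root CA that the daemon will trust for every brain connection is fetched by the new `wget -O /etc/detee/root_ca.pem https://registry.detee.ltd/root_ca.pem` line and never verified, so the whole trust chain rests on the registry's public TLS at install time, and a failed download leaves a zero-byte file that the daemon only notices later as an opaque TLS error (unless the script runs under `set -e`, which is outside this hunk). Pin the expected digest in the script and abort on mismatch, e.g. `echo "<sha256>  /etc/detee/root_ca.pem" | sha256sum -c - || { echo "root_ca.pem digest mismatch"; exit 1; }`, with the digest published out of band; alternatively embed the CA in the daemon binary so the on-disk file is not a trust anchor at all. Also confirm the file ends up root-owned and not writable by the daemon's service user, since anything that can replace it can impersonate the brain.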
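Review bot: `BRAIN_STAGING` and `BRAIN_TESTING` are bare `(&str, &str)` tuples with no doc comment, so the meaning of the second element, which `grpc.rs` passes to `ClientTlsConfig::domain_name` as the name the brain's certificate must carry, is only discoverable by reading the call site. Document them where they are defined, e.g. `/// (brain gRPC endpoint, DNS name expected in the SAN of the brain's TLS certificate; the endpoint is a bare IP so the name cannot be derived from the URL)`, or replace the tuple with a small named struct. Note also that the `network` keys the daemon accepts (`staging`, `testnet`) match neither the constant names (`STAGING`, `TESTING`) nor the SAN values (`staging-brain`, `testing-brain`); a comment listing the accepted config values next to these constants would avoid confusion. With `brain_url` removed from the config, a brain at any other address is no longer reachable without a rebuild, which may be intended but is worth stating in the commit message.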
@@ -10,16 +10,36 @@ use tokio::{ task::JoinSet, }; use tokio_stream::{wrappers::ReceiverStream, StreamExt}; -use tonic::transport::Channel; +use tonic::transport::{Certificate, Channel, ClientTlsConfig}; pub mod snp_proto { pub use detee_shared::vm_proto::*; } +async fn client(network: &str) -> Result> { + let (brain_url, brain_san) = match network { + "staging" => BRAIN_STAGING, + "testnet" => BRAIN_TESTING, + _ => { + return Err(anyhow::anyhow!( + "The only networks currently supported are staging and testnet." + )) + } + }; + let pem = std::fs::read_to_string(DETEE_ROOT_CA)?; + let ca = Certificate::from_pem(pem); + + let tls = ClientTlsConfig::new().ca_certificate(ca).domain_name(brain_san); + + let channel = Channel::from_shared(brain_url.to_string())?.tls_config(tls)?.connect().await?; + + Ok(BrainVmDaemonClient::new(channel)) +} + pub async fn register_node(config: &crate::config::Config) -> Result> { use tonic::metadata::AsciiMetadataValue; use tonic::Request; - let mut client = BrainVmDaemonClient::connect(config.brain_url.clone()).await?; + let mut client = client(&config.network).await?; debug!("Starting node registration..."); let ip_info = IP_INFO.clone(); let req = RegisterVmNodeReq { @@ -109,14 +129,14 @@ async fn send_messages( pub struct ConnectionData { pub contracts: Vec, - pub brain_url: String, + pub network: String, pub brain_msg_tx: Sender, pub daemon_msg_rx: Receiver, pub daemon_msg_tx: Sender, } pub async fn connect_and_run(cd: ConnectionData) -> Result<()> { - let client = BrainVmDaemonClient::connect(cd.brain_url).await?; + let client = client(&cd.network).await?; let mut streaming_tasks = JoinSet::new(); streaming_tasks.spawn(receive_messages(client.clone(), cd.contracts.clone(), cd.brain_msg_tx)); diff --git a/src/main.rs b/src/main.rs index 2780093..1019b13 100644 --- a/src/main.rs +++ b/src/main.rs 
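Review bot: In the new `client()` the `std::fs::read_to_string(DETEE_ROOT_CA)?` line propagates a bare I/O error, and `Certificate::from_pem` does not parse the PEM, so an absent, empty or garbage `/etc/detee/root_ca.pem` is reported either as an unlabeled "No such file" or only later as a TLS handshake failure at `connect()`. Since `anyhow` is already used in this function, attach the path: `let pem = std::fs::read_to_string(DETEE_ROOT_CA).with_context(|| format!("reading brain root CA from {DETEE_ROOT_CA}"))?;` (`anyhow::Context` may need importing; the `use` block starts outside this hunk). The `.domain_name(brain_san)` call also deserves a why-comment, because the URL is a bare IP and a reader may mistake the SAN override for a hostname-check bypass; something like `// The brain is reached by IP, but its certificate carries a DNS SAN; tell rustls which name to verify instead of disabling hostname verification.` The stringly-typed `match network` with a catch-all error would be better as an enum deserialized from `Config.network`, so an unsupported value is rejected at config load rather than at first connect.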
@@ -251,7 +251,7 @@ async fn main() { let (daemon_msg_tx, daemon_msg_rx) = tokio::sync::mpsc::channel(6); let mut vm_handler = VMHandler::new(brain_msg_rx, daemon_msg_tx.clone()); - let brain_url = vm_handler.config.brain_url.clone(); + let network = vm_handler.config.network.clone(); info!("Registering with the brain and getting back VM Contracts (if they exist)."); let mut contracts: Vec = Vec::new(); @@ -270,7 +270,7 @@ async fn main() { info!("Connecting to brain..."); if let Err(e) = grpc::connect_and_run(grpc::ConnectionData { contracts, - brain_url, + network, brain_msg_tx, daemon_msg_rx, daemon_msg_tx,