kbs: switch to Regorus for resource policy

Switch from Go-based policy engine to rust-based Regorus Switch from Anyhow to thiserror for resource policy Add several unit tests and test policies Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
confidential-containers · Apr 16, 2024 · 3d0b11d · 3d0b11d
1 parent 47d7a23
commit 3d0b11d
Show file tree

Hide file tree

Showing 16 changed files with 484 additions and 105 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -34,6 +34,7 @@ kbs-types = "0.5.3"
 jsonwebtoken = { version = "9", default-features = false }
 log = "0.4.17"
 prost = "0.11.0"
+regorus = { version = "0.1.2", default-features = false, features = ["regex", "base64", "time"] }
 rstest = "0.18.1"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0.89"

diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile
@@ -6,7 +6,8 @@ RUN apt-get update && \
     apt-get install -y --no-install-recommends \
     curl \
     gpg \
-    gnupg-agent
+    gnupg-agent \
+    git
 
 RUN curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \
     gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \

diff --git a/kbs/docker/Dockerfile.coco-as-grpc b/kbs/docker/Dockerfile.coco-as-grpc
@@ -3,7 +3,7 @@ FROM rust:latest as builder
 WORKDIR /usr/src/kbs
 COPY . .
 
-RUN apt-get update && apt install -y protobuf-compiler wget
+RUN apt-get update && apt install -y protobuf-compiler wget git
 
 RUN wget https://go.dev/dl/go1.20.1.linux-amd64.tar.gz
 RUN tar -C /usr/local -xzf go1.20.1.linux-amd64.tar.gz

diff --git a/kbs/docker/Dockerfile.intel-trust-authority b/kbs/docker/Dockerfile.intel-trust-authority
@@ -3,7 +3,7 @@ FROM rust:latest as builder
 WORKDIR /usr/src/kbs
 COPY . .
 
-RUN apt-get update && apt install -y wget
+RUN apt-get update && apt install -y wget git
 
 RUN wget https://go.dev/dl/go1.20.1.linux-amd64.tar.gz
 RUN tar -C /usr/local -xzf go1.20.1.linux-amd64.tar.gz

diff --git a/kbs/sample_policies/README.md b/kbs/sample_policies/README.md
@@ -1,7 +1,9 @@
 This directory contains sample policy files to configure the policy engine
 of the KBS. You can use these files to write your own policies.
 
+There are also several example policies used [for testing](../test/data). 
+
 | File | Description |
 | ---  | ---         |
 |[allow_all.rego](./allow_all.rego)|Equivalent to turning off the policy engine. Release resources unconditionally|
-|[deny_all.rego](./deny_all.rego)|Deny all resources release|
+|[deny_all.rego](./deny_all.rego)|Deny all resources release|
diff --git a/kbs/src/api/Cargo.toml b/kbs/src/api/Cargo.toml
@@ -40,6 +40,7 @@ log.workspace = true
 mobc = { version = "0.8.3", optional = true }
 prost = { version = "0.11", optional = true }
 rand = "0.8.5"
+regorus.workspace = true
 reqwest = { version = "0.11", features = ["json"], optional = true }
 rsa = { version = "0.9.2", optional = true, features = ["sha2"] }
 rustls = { version = "0.20.8", optional = true }

diff --git a/kbs/src/api/src/http/resource.rs b/kbs/src/api/src/http/resource.rs
@@ -108,7 +108,7 @@ pub(crate) async fn get_resource(
             resource_description.resource_type,
             resource_description.resource_tag
         );
-        let (resource_allowed, _extra_policy_output) = policy_engine
+        let resource_allowed = policy_engine
             .0
             .lock()
             .await