Skip to content

Commit

Permalink
CDH: delete RwLock for gRPC version
Browse files Browse the repository at this point in the history 
The pull_image API of CDH is marked as Fn not FnMut thus we do not need
a RwLock to protect the synchronization. Also, fixes a bug that CDH does
not support image pull gRPC.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
  • Loading branch information
@Xynnn007
Xynnn007 committed Sep 27, 2024
1 parent 387e3cb commit 95521ea
Showing 1 changed file with 35 additions and 31 deletions.
66 changes: 35 additions & 31 deletions confidential-data-hub/hub/src/bin/grpc_server/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ use confidential_data_hub::{hub::Hub, DataHub};
use log::{debug, error};
use std::{error::Error as _, net::SocketAddr, sync::Arc};
use storage::volume_type::Storage;
use tokio::sync::RwLock;
use tonic::{transport::Server, Request, Response, Status};

use crate::{
Expand All @@ -18,7 +17,7 @@ use crate::{
};
use api::{
get_resource_service_server::{GetResourceService, GetResourceServiceServer},
image_pull_service_server::ImagePullService,
image_pull_service_server::{ImagePullService, ImagePullServiceServer},
key_provider_service_server::{KeyProviderService, KeyProviderServiceServer},
sealed_secret_service_server::{SealedSecretService, SealedSecretServiceServer},
secure_mount_service_server::{SecureMountService, SecureMountServiceServer},
Expand All @@ -33,7 +32,7 @@ mod api {
}

pub struct Cdh {
inner: RwLock<Hub>,
inner: Hub,
}

#[tonic::async_trait]
Expand All @@ -45,13 +44,15 @@ impl SealedSecretService for Arc<Cdh> {
debug!("[gRPC CDH] get new UnsealSecret request");
let request = request.into_inner();

let cdh = self.inner.read().await;

let plaintext = cdh.unseal_secret(request.secret).await.map_err(|e| {
let detailed_error = format_error!(e);
error!("[gRPC CDH] Call CDH to unseal secret failed:\n{detailed_error}");
Status::internal(format!("[ERROR] CDH unseal secret failed: {}", e))
})?;
let plaintext = self
.inner
.unseal_secret(request.secret)
.await
.map_err(|e| {
let detailed_error = format_error!(e);
error!("[gRPC CDH] Call CDH to unseal secret failed:\n{detailed_error}");
Status::internal(format!("[ERROR] CDH unseal secret failed: {}", e))
})?;

debug!("[gRPC CDH] Unseal secret successfully!");

Expand All @@ -70,13 +71,15 @@ impl GetResourceService for Arc<Cdh> {
debug!("[gRPC CDH] get new GetResource request");
let request = request.into_inner();

let cdh = self.inner.read().await;

let resource = cdh.get_resource(request.resource_path).await.map_err(|e| {
let detailed_error = format_error!(e);
error!("[gRPC CDH] Call CDH to get resource failed:\n{detailed_error}");
Status::internal(format!("[ERROR] CDH get resource failed: {}", e))
})?;
let resource = self
.inner
.get_resource(request.resource_path)
.await
.map_err(|e| {
let detailed_error = format_error!(e);
error!("[gRPC CDH] Call CDH to get resource failed:\n{detailed_error}");
Status::internal(format!("[ERROR] CDH get resource failed: {}", e))
})?;

debug!("[gRPC CDH] Get resource successfully!");

Expand All @@ -95,14 +98,13 @@ impl SecureMountService for Arc<Cdh> {
debug!("[gRPC CDH] get new SecureMount request");
let request = request.into_inner();

let cdh = self.inner.read().await;
let storage = Storage {
volume_type: request.volume_type,
options: request.options,
flags: request.flags,
mount_point: request.mount_point,
};
let mount_path = cdh.secure_mount(storage).await.map_err(|e| {
let mount_path = self.inner.secure_mount(storage).await.map_err(|e| {
let detailed_error = format_error!(e);
error!("[gRPC CDH] Call CDH to secure mount failed:\n{detailed_error}");
Status::internal(format!("[ERROR] CDH secure mount failed: {}", e))
Expand All @@ -125,9 +127,8 @@ impl ImagePullService for Arc<Cdh> {
debug!("[gRPC CDH] get new ImagePull request");
let request = request.into_inner();

let cdh = self.inner.read().await;

let manifest_digest = cdh
let manifest_digest = self
.inner
.pull_image(&request.image_url, &request.bundle_path)
.await
.map_err(|e| {
Expand Down Expand Up @@ -160,8 +161,6 @@ impl KeyProviderService for Arc<Cdh> {
debug!("[gRPC CDH] get new UnwrapKey request");
let request = request.into_inner();

let cdh = self.inner.read().await;

let key_provider_input: KeyProviderInput = serde_json::from_slice(
&request.key_provider_key_wrap_protocol_input[..],
)
Expand All @@ -177,11 +176,15 @@ impl KeyProviderService for Arc<Cdh> {
Status::internal(format!("[ERROR] CDH Unwrap Key failed: {}", e))
})?;

let decrypted_optsdata = cdh.unwrap_key(&annotation_packet).await.map_err(|e| {
let detailed_error = format_error!(e);
error!("[gRPC CDH] Call CDH to Unwrap Key failed:\n{detailed_error}");
Status::internal(format!("[ERROR] CDH Unwrap Key failed: {}", e))
})?;
let decrypted_optsdata = self
.inner
.unwrap_key(&annotation_packet)
.await
.map_err(|e| {
let detailed_error = format_error!(e);
error!("[gRPC CDH] Call CDH to Unwrap Key failed:\n{detailed_error}");
Status::internal(format!("[ERROR] CDH Unwrap Key failed: {}", e))
})?;

// Construct output structure and serialize it as the return value of gRPC
let output_struct = KeyUnwrapOutput {
Expand All @@ -206,13 +209,14 @@ impl KeyProviderService for Arc<Cdh> {
}
}

pub async fn start_grpc_service(socket: SocketAddr, cdh: Hub) -> Result<()> {
let service = Cdh { inner: cdh.into() };
pub async fn start_grpc_service(socket: SocketAddr, inner: Hub) -> Result<()> {
let service = Cdh { inner };
let service = Arc::new(service);
Server::builder()
.add_service(SealedSecretServiceServer::new(service.clone()))
.add_service(GetResourceServiceServer::new(service.clone()))
.add_service(SecureMountServiceServer::new(service.clone()))
.add_service(ImagePullServiceServer::new(service.clone()))
.add_service(KeyProviderServiceServer::new(service))
.serve(socket)
.await?;
Expand Down

0 comments on commit 95521ea

Please sign in to comment.