From 95521ea3da128e89b422229cc5869caf7c3fe282 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 27 Sep 2024 16:45:58 +0800 Subject: [PATCH] CDH: delete RwLock for gRPC version The pull_image API of CDH is marked as Fn not FnMut thus we do not need a RwLock to protect the synchronization. Also, fixes a bug that CDH does not support image pull gRPC. Signed-off-by: Xynnn007 --- .../hub/src/bin/grpc_server/mod.rs | 66 ++++++++++--------- 1 file changed, 35 insertions(+), 31 deletions(-) diff --git a/confidential-data-hub/hub/src/bin/grpc_server/mod.rs b/confidential-data-hub/hub/src/bin/grpc_server/mod.rs index 7f16e112e..24b7fb1ea 100644 --- a/confidential-data-hub/hub/src/bin/grpc_server/mod.rs +++ b/confidential-data-hub/hub/src/bin/grpc_server/mod.rs @@ -9,7 +9,6 @@ use confidential_data_hub::{hub::Hub, DataHub}; use log::{debug, error}; use std::{error::Error as _, net::SocketAddr, sync::Arc}; use storage::volume_type::Storage; -use tokio::sync::RwLock; use tonic::{transport::Server, Request, Response, Status}; use crate::{ @@ -18,7 +17,7 @@ use crate::{ }; use api::{ get_resource_service_server::{GetResourceService, GetResourceServiceServer}, - image_pull_service_server::ImagePullService, + image_pull_service_server::{ImagePullService, ImagePullServiceServer}, key_provider_service_server::{KeyProviderService, KeyProviderServiceServer}, sealed_secret_service_server::{SealedSecretService, SealedSecretServiceServer}, secure_mount_service_server::{SecureMountService, SecureMountServiceServer}, @@ -33,7 +32,7 @@ mod api { } pub struct Cdh { - inner: RwLock, + inner: Hub, } #[tonic::async_trait] @@ -45,13 +44,15 @@ impl SealedSecretService for Arc { debug!("[gRPC CDH] get new UnsealSecret request"); let request = request.into_inner(); - let cdh = self.inner.read().await; - - let plaintext = cdh.unseal_secret(request.secret).await.map_err(|e| { - let detailed_error = format_error!(e); - error!("[gRPC CDH] Call CDH to unseal secret failed:\n{detailed_error}"); - Status::internal(format!("[ERROR] CDH unseal secret failed: {}", e)) - })?; + let plaintext = self + .inner + .unseal_secret(request.secret) + .await + .map_err(|e| { + let detailed_error = format_error!(e); + error!("[gRPC CDH] Call CDH to unseal secret failed:\n{detailed_error}"); + Status::internal(format!("[ERROR] CDH unseal secret failed: {}", e)) + })?; debug!("[gRPC CDH] Unseal secret successfully!"); @@ -70,13 +71,15 @@ impl GetResourceService for Arc { debug!("[gRPC CDH] get new GetResource request"); let request = request.into_inner(); - let cdh = self.inner.read().await; - - let resource = cdh.get_resource(request.resource_path).await.map_err(|e| { - let detailed_error = format_error!(e); - error!("[gRPC CDH] Call CDH to get resource failed:\n{detailed_error}"); - Status::internal(format!("[ERROR] CDH get resource failed: {}", e)) - })?; + let resource = self + .inner + .get_resource(request.resource_path) + .await + .map_err(|e| { + let detailed_error = format_error!(e); + error!("[gRPC CDH] Call CDH to get resource failed:\n{detailed_error}"); + Status::internal(format!("[ERROR] CDH get resource failed: {}", e)) + })?; debug!("[gRPC CDH] Get resource successfully!"); @@ -95,14 +98,13 @@ impl SecureMountService for Arc { debug!("[gRPC CDH] get new SecureMount request"); let request = request.into_inner(); - let cdh = self.inner.read().await; let storage = Storage { volume_type: request.volume_type, options: request.options, flags: request.flags, mount_point: request.mount_point, }; - let mount_path = cdh.secure_mount(storage).await.map_err(|e| { + let mount_path = self.inner.secure_mount(storage).await.map_err(|e| { let detailed_error = format_error!(e); error!("[gRPC CDH] Call CDH to secure mount failed:\n{detailed_error}"); Status::internal(format!("[ERROR] CDH secure mount failed: {}", e)) @@ -125,9 +127,8 @@ impl ImagePullService for Arc { debug!("[gRPC CDH] get new ImagePull request"); let request = request.into_inner(); - let cdh = self.inner.read().await; - - let manifest_digest = cdh + let manifest_digest = self + .inner .pull_image(&request.image_url, &request.bundle_path) .await .map_err(|e| { @@ -160,8 +161,6 @@ impl KeyProviderService for Arc { debug!("[gRPC CDH] get new UnwrapKey request"); let request = request.into_inner(); - let cdh = self.inner.read().await; - let key_provider_input: KeyProviderInput = serde_json::from_slice( &request.key_provider_key_wrap_protocol_input[..], ) @@ -177,11 +176,15 @@ impl KeyProviderService for Arc { Status::internal(format!("[ERROR] CDH Unwrap Key failed: {}", e)) })?; - let decrypted_optsdata = cdh.unwrap_key(&annotation_packet).await.map_err(|e| { - let detailed_error = format_error!(e); - error!("[gRPC CDH] Call CDH to Unwrap Key failed:\n{detailed_error}"); - Status::internal(format!("[ERROR] CDH Unwrap Key failed: {}", e)) - })?; + let decrypted_optsdata = self + .inner + .unwrap_key(&annotation_packet) + .await + .map_err(|e| { + let detailed_error = format_error!(e); + error!("[gRPC CDH] Call CDH to Unwrap Key failed:\n{detailed_error}"); + Status::internal(format!("[ERROR] CDH Unwrap Key failed: {}", e)) + })?; // Construct output structure and serialize it as the return value of gRPC let output_struct = KeyUnwrapOutput { @@ -206,13 +209,14 @@ impl KeyProviderService for Arc { } } -pub async fn start_grpc_service(socket: SocketAddr, cdh: Hub) -> Result<()> { - let service = Cdh { inner: cdh.into() }; +pub async fn start_grpc_service(socket: SocketAddr, inner: Hub) -> Result<()> { + let service = Cdh { inner }; let service = Arc::new(service); Server::builder() .add_service(SealedSecretServiceServer::new(service.clone())) .add_service(GetResourceServiceServer::new(service.clone())) .add_service(SecureMountServiceServer::new(service.clone())) + .add_service(ImagePullServiceServer::new(service.clone())) .add_service(KeyProviderServiceServer::new(service)) .serve(socket) .await?;