From 07b1970b1564bf1e1a77cd085ed84cea4cad0446 Mon Sep 17 00:00:00 2001
From: houmingyong
Date: Tue, 26 Nov 2024 10:19:11 +0800
Subject: [PATCH] fix concurrent request error to aa or as
---
...concurrent-request-error-to-aa-or-as.patch | 269 ++++++++++++++++++
secGear.spec | 7 +-
2 files changed, 275 insertions(+), 1 deletion(-)
create mode 100644 0084-fix-concurrent-request-error-to-aa-or-as.patch
diff --git a/0084-fix-concurrent-request-error-to-aa-or-as.patch b/0084-fix-concurrent-request-error-to-aa-or-as.patch
new file mode 100644
index 0000000..9334e24
--- /dev/null
+++ b/0084-fix-concurrent-request-error-to-aa-or-as.patch
@@ -0,0 +1,269 @@
+From bc98b41d9cf8fb247d2c9502b775f03935a9f0dc Mon Sep 17 00:00:00 2001
+From: houmingyong
+Date: Tue, 3 Sep 2024 10:57:51 +0800
+Subject: [PATCH] fix concurrent request error to aa or as
+
+Signed-off-by: houmingyong
+---
+ .../agent/src/bin/aa-test/main.rs | 34 ++++---------------
+ .../attestation-agent/agent/src/lib.rs | 13 ++-----
+ .../attestation-service/service/src/main.rs | 3 --
+ .../service/src/restapi/mod.rs | 30 ++--------------
+ .../service/src/session.rs | 3 --
+ .../verifier/src/itrustee/mod.rs | 4 +--
+ 6 files changed, 14 insertions(+), 73 deletions(-)
+
+diff --git a/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs b/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs
+index 89a301bf..48e3e68e 100644
+--- a/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs
++++ b/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs
+@@ -69,6 +69,7 @@ async fn aa_proc(i: i64) {
+ });
+ log::info!("thread {} case2 get evidence, request body: {}", i, request_body);
+ let attest_endpoint = "http://127.0.0.1:8081/evidence";
++ let client = reqwest::Client::new();
+ let res = client
+ .get(attest_endpoint)
+ .header("Content-Type", "application/json")
+@@ -89,38 +90,14 @@ async fn aa_proc(i: i64) {
+ return;
+ }
+ };
+- // verify evidence with no challenge
+- #[cfg(not(feature = "no_as"))]
+- {
+- let request_body = json!({
+- "challenge": "",
+- "evidence": evidence,
+- });
+- log::info!("thread {} case3 verify evidence with no challenge", i);
+- let res = client
+- .post(attest_endpoint)
+- .header("Content-Type", "application/json")
+- .json(&request_body)
+- .send()
+- .await
+- .unwrap();
+-
+- match res.status() {
+- reqwest::StatusCode::OK => {
+- let respone = res.text().await.unwrap();
+- log::info!("thread {} case3 verify evidence with no challenge success response: {:?}", i, respone);
+- }
+- status => {
+- log::error!("thread {} case3 verify evidence with no challenge 
failed response: {:?}", i, status);
+- }
+- }
+- }
++ // case3 verify evidence with no challenge
+ // verify evidence with challenge
+ let request_body = json!({
+ "challenge": challenge,
+ "evidence": evidence,
+ });
+ log::info!("thread {} case4 verify evidence with challenge", i);
++ let client = reqwest::Client::new();
+ let res = client
+ .post(attest_endpoint)
+ .header("Content-Type", "application/json")
+@@ -148,7 +125,7 @@ async fn aa_proc(i: i64) {
+ "uuid": String::from("f68fd704-6eb1-4d14-b218-722850eb3ef0"),
+ });
+ log::info!("thread {} case5 get token, request body: {}", i, request_body);
+-
++ let client = reqwest::Client::new();
+ let res = client
+ .get(token_endpoint)
+ .header("Content-Type", "application/json")
+@@ -165,7 +142,7 @@ async fn aa_proc(i: i64) {
+ respone
+ }
+ status => {
+- log::error!("thread {} case5 get token failed response: {:?}", i, status);
++ log::error!("thread {} case5 get token failed status: {:?} response: {:?}", i, status, res.text().await.unwrap());
+ return;
+ }
+ };
+@@ -176,6 +153,7 @@ async fn aa_proc(i: i64) {
+ });
+
+ log::info!("thread {} case6 verify token", i);
++ let client = reqwest::Client::new();
+ let res = client
+ .post(token_endpoint)
+ .header("Content-Type", "application/json")
+diff --git a/service/attestation/attestation-agent/agent/src/lib.rs b/service/attestation/attestation-agent/agent/src/lib.rs
+index c4d913b6..393914d6 100644
+--- a/service/attestation/attestation-agent/agent/src/lib.rs
++++ b/service/attestation/attestation-agent/agent/src/lib.rs
+@@ -171,7 +171,6 @@ impl TryFrom<&Path> for AAConfig {
+ #[derive(Debug)]
+ pub struct AttestationAgent {
+ config: AAConfig,
+- client: reqwest::Client,
+ }
+
+ #[allow(dead_code)]
+@@ -187,14 +186,8 @@ impl AttestationAgent {
+ AAConfig::default()
+ }
+ };
+- let client = reqwest::ClientBuilder::new()
+- .cookie_store(true)
+- .user_agent("attestation-agent-client")
+- .build()
+- .map_err(|e| 
result::Error::AttestationAgentError(format!("build http client {e}")))?;
+ Ok(AttestationAgent {
+ config,
+- client,
+ })
+ }
+
+@@ -211,7 +204,7 @@ impl AttestationAgent {
+ });
+
+ let attest_endpoint = format!("{}/attestation", self.config.svr_url);
+- let res = self.client
++ let res = reqwest::Client::new()
+ .post(attest_endpoint)
+ .header("Content-Type", "application/json")
+ .json(&request_body)
+@@ -256,7 +249,7 @@ impl AttestationAgent {
+ }
+ async fn get_challenge_from_as(&self) -> Result {
+ let challenge_endpoint = format!("{}/challenge", self.config.svr_url);
+- let res = self.client
++ let res = reqwest::Client::new()
+ .get(challenge_endpoint)
+ .header("Content-Type", "application/json")
+ .header("content-length", 0)
+@@ -265,7 +258,7 @@ impl AttestationAgent {
+ .await?;
+ let challenge = match res.status() {
+ reqwest::StatusCode::OK => {
+- let respone = res.json().await.unwrap();
++ let respone = res.text().await?;
+ log::debug!("get challenge success, AS Response: {:?}", respone);
+ respone
+ }
+diff --git a/service/attestation/attestation-service/service/src/main.rs b/service/attestation/attestation-service/service/src/main.rs
+index 1ccb1521..3ced10b9 100644
+--- a/service/attestation/attestation-service/service/src/main.rs
++++ b/service/attestation/attestation-service/service/src/main.rs
+@@ -15,7 +15,6 @@ use attestation_service::AttestationService;
+ mod restapi;
+ use restapi::{get_challenge, attestation, reference, get_policy, set_policy};
+ mod session;
+-use session::SessionMap;
+
+ use anyhow::Result;
+ use env_logger;
+@@ -55,13 +54,11 @@ async fn main() -> Result<()> {
+
+ let cli = Cli::parse();
+ let server:AttestationService = AttestationService::new(Some(cli.config)).unwrap();
+- let session_map = web::Data::new(SessionMap::new());
+
+ let service = web::Data::new(Arc::new(RwLock::new(server)));
+ HttpServer::new(move || {
+ App::new()
+ .app_data(web::Data::clone(&service))
+- .app_data(web::Data::clone(&session_map))
+
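Review bot: `reqwest::Client::new()` is now constructed on every call in the `/attestation` request path and in `get_challenge_from_as` (hunks at -211 and -256), which gives up connection reuse, drops the `user_agent("attestation-agent-client")` setting, and, per the reqwest documentation, panics if the client cannot be initialised, where the removed `ClientBuilder` chain mapped that failure to `AttestationAgentError`. If the concurrency error came from the shared cookie jar (inferred from the session-cookie removal on the service side, not shown in these hunks), keeping the `client` field and only dropping `.cookie_store(true)` would address it while keeping one pooled client. Neither the old nor the new client sets a request timeout, so a stalled attestation service can hold an agent request open; consider `reqwest::ClientBuilder::new().user_agent("attestation-agent-client").timeout(/* project-chosen Duration */).build()`. Both functions continue outside their hunks.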
.service(get_challenge)
+ .service(attestation)
+ .service(reference)
+diff --git a/service/attestation/attestation-service/service/src/restapi/mod.rs b/service/attestation/attestation-service/service/src/restapi/mod.rs
+index ab2ccbfd..291b8657 100644
+--- a/service/attestation/attestation-service/service/src/restapi/mod.rs
++++ b/service/attestation/attestation-service/service/src/restapi/mod.rs
+@@ -10,8 +10,7 @@
+ * See the Mulan PSL v2 for more details.
+ */
+ use attestation_service::AttestationService;
+-use attestation_service::result::{Result, Error};
+-use crate::session::{Session, SessionMap};
++use attestation_service::result::{Result};
+
+ use actix_web::{ post, get, web, HttpResponse, HttpRequest};
+ use serde::{Deserialize, Serialize};
+@@ -26,20 +25,12 @@ pub struct ChallengeRequest {}
+
+ #[get("/challenge")]
+ pub async fn get_challenge(
+- map: web::Data,
+ service: web::Data>>,
+ ) -> Result {
+ log::debug!("challenge request");
+
+ let challenge = service.read().await.generate_challenge().await;
+- let timeout = service.read().await.config.token_cfg.valid_duration;
+- let session = Session::new(challenge, timeout.try_into().unwrap());
+- let response = HttpResponse::Ok()
+- .cookie(session.cookie())
+- .json(session.challenge.clone());
+- map.insert(session);
+-
+- Ok(response)
++ Ok(HttpResponse::Ok().body(challenge))
+ }
+
+ #[derive(Deserialize, Serialize, Debug)]
+@@ -52,26 +43,11 @@ pub struct AttestationRequest {
+ #[post("/attestation")]
+ pub async fn attestation(
+ request: web::Json,
+- http_req: HttpRequest,
+- map: web::Data,
+ service: web::Data>>,
+ ) -> Result {
+ log::debug!("attestation request is coming");
+ let request = request.0;
+- let mut challenge = request.challenge;
+- if challenge == "" {
+- let cookie = http_req.cookie("oeas-session-id").ok_or(Error::CookieMissing)?;
+- let session = map
+- .session_map
+- .get_async(cookie.value())
+- .await
+- .ok_or(Error::CookieNotFound)?;
+- if session.is_expired() {
+- return 
Err(Error::SessionExpired);
+- }
+- log::debug!("session challenge:{}", session.challenge);
+- challenge = session.challenge.clone();
+- }
++ let challenge = request.challenge;
+
+ let nonce = base64_url::decode(&challenge).expect("base64 decode nonce");
+ let evidence = base64_url::decode(&request.evidence).expect("base64 decode evidence");
+diff --git a/service/attestation/attestation-service/service/src/session.rs b/service/attestation/attestation-service/service/src/session.rs
+index 5f191a77..2aee35a3 100644
+--- a/service/attestation/attestation-service/service/src/session.rs
++++ b/service/attestation/attestation-service/service/src/session.rs
+@@ -52,7 +52,4 @@ impl SessionMap {
+ pub fn insert(&self, session: Session) {
+ let _ = self.session_map.insert(session.id.clone(), session);
+ }
+- pub fn delete(&self, session: Session) {
+- let _ = self.session_map.remove(&session.id);
+- }
+ }
+\ No newline at end of file
+diff --git a/service/attestation/attestation-service/verifier/src/itrustee/mod.rs b/service/attestation/attestation-service/verifier/src/itrustee/mod.rs
+index 67c857ac..8ce4d24b 100644
+--- a/service/attestation/attestation-service/verifier/src/itrustee/mod.rs
++++ b/service/attestation/attestation-service/verifier/src/itrustee/mod.rs
+@@ -42,8 +42,8 @@ fn evalute_wrapper(user_data: &[u8], evidence: &[u8]) -> Result {
+ size: in_data.len() as ::std::os::raw::c_uint,
+ buf: in_data.as_mut_ptr() as *mut ::std::os::raw::c_uchar,
+ };
+- log::info!("input nonce:{:?}", nonce);
+- let policy: std::os::raw::c_int = 1;
++
++ let policy: std::os::raw::c_int = 1; // 1: verify ta_imag; 2: verfiy ta_mem; 3: verify ta_img and ta_mem hash;
+ if !Path::new(ITRUSTEE_REF_VALUE_FILE).exists() {
+ log::error!("itrustee verify report {} not exists", ITRUSTEE_REF_VALUE_FILE);
+ bail!("itrustee verify report {} not exists", ITRUSTEE_REF_VALUE_FILE);
+--
+2.46.0
+
diff --git a/secGear.spec b/secGear.spec
index f017dd1..1e0dcc3 100644
--- a/secGear.spec
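Review bot: In `attestation` (restapi/mod.rs, hunk at -52), the nonce now comes only from `request.challenge`, and nothing in this hunk checks that the value was issued by `/challenge`, is still within its validity window, or is non-empty, so freshness of the evidence rests entirely on what the caller and the verifier do with it. The removed branch was the only place an empty challenge was handled; an empty string now appears to reach the decode step unchanged, so it would be worth rejecting it explicitly before decoding. The two context lines `base64_url::decode(..).expect(..)` also panic on malformed client input; returning an error through the handler's `Result`, for example `.map_err(|e| /* project error variant */)?`, keeps a malformed request from panicking inside the handler. The function body continues outside the hunk, so later validation cannot be ruled out.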
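Review bot: The new trailing comment on `policy` in itrustee/mod.rs has typos (`ta_imag`, `verfiy`) and documents magic numbers inline; since this value selects what the verifier checks, a corrected comment such as `// 1: verify ta_img; 2: verify ta_mem; 3: verify both ta_img and ta_mem hashes`, or named constants, would make the chosen verification level easier to audit. The hunk also adds a whitespace-only line where the nonce log was removed. `evalute_wrapper` starts and ends outside the hunk.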
+++ b/secGear.spec @@ -1,6 +1,6 @@ Name: secGear Version: 0.1.0 -Release: 47 +Release: 48 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features @@ -93,6 +93,8 @@ Patch79: 0080-add-attestation-service.patch Patch80: 0081-modify-default-agent-config.patch Patch81: 0082-optimize-ima-verify.patch Patch82: 0083-optimize-log-level.patch +Patch83: 0084-fix-concurrent-request-error-to-aa-or-as.patch + BuildRequires: gcc python automake autoconf libtool BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel @@ -289,6 +291,9 @@ popd systemctl restart rsyslog %changelog +* Tue Nov 26 2024 houmingyong - 0.1.0-48 +- fix concurrent request error to aa or as + * Fri Nov 8 2024 houmingyong - 0.1.0-47 - remove attestation-agent and attestation-service from devel -- Gitee