// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
#![cfg_attr(feature = "mesalock_sgx", no_std)]
#[cfg(feature = "mesalock_sgx")]
#[macro_use]
extern crate sgx_tstd as std;
#[macro_use]
extern crate log;
use std::prelude::v1::*;
use teaclave_attestation::{verifier, AttestationConfig, RemoteAttestation};
use teaclave_binder::proto::{
ECallCommand, FinalizeEnclaveInput, FinalizeEnclaveOutput, InitEnclaveInput, InitEnclaveOutput,
StartServiceInput, StartServiceOutput,
};
use teaclave_binder::{handle_ecall, register_ecall_handler};
use teaclave_config::build::{
ACCESS_CONTROL_INBOUND_SERVICES, AS_ROOT_CA_CERT, AUDITOR_PUBLIC_KEYS,
};
use teaclave_config::RuntimeConfig;
use teaclave_proto::teaclave_access_control_service::{
TeaclaveAccessControlRequest, TeaclaveAccessControlResponse,
};
use teaclave_rpc::config::SgxTrustedTlsServerConfig;
use teaclave_rpc::server::SgxTrustedTlsServer;
use teaclave_service_enclave_utils::ServiceEnclave;
use teaclave_types::{EnclaveInfo, TeeServiceError, TeeServiceResult};
mod acs;
mod service;
/// Starts the access-control service on an attested TLS endpoint and serves
/// until the server stops.
///
/// Steps, in order:
/// 1. read the listen address from `config.internal_endpoints.access_control`;
/// 2. build an [`AttestationConfig`] from `config` and obtain this enclave's
///    attested TLS configuration through [`RemoteAttestation`];
/// 3. build an [`EnclaveInfo`] from the enclave-info bytes and auditor
///    signatures in `config.audit` together with `AUDITOR_PUBLIC_KEYS`;
/// 4. collect the enclave attributes of every service named in
///    `ACCESS_CONTROL_INBOUND_SERVICES` and install them, with
///    `AS_ROOT_CA_CERT` and `verifier::universal_quote_verifier`, as the
///    attestation-report verifier of the TLS server configuration;
/// 5. initialise the ACS module and run the server.
///
/// # Errors
///
/// Returns the error from `AttestationConfig::from_teaclave_config` or from
/// `EnclaveInfo::verify_and_new`. A failure reported by `server.start` is only
/// logged; the function still returns `Ok(())` in that case.
///
/// # Panics
///
/// Panics if attestation generation/endorsement fails, if no attested TLS
/// configuration is available, if `enclave_info_bytes` or
/// `auditor_signatures_bytes` is absent from `config.audit`, if an inbound
/// service has no entry in the enclave info, if the TLS server configuration
/// cannot be built, or if `acs::init_acs` fails.
// NOTE(review): `config` reaches this function through the StartService ECALL
// input, so the `expect` calls on `config.audit` turn a missing field into a
// panic inside the enclave rather than into the `Err` path the caller already
// handles — confirm this is intended.
fn start_service(config: &RuntimeConfig) -> anyhow::Result<()> {
    let endpoint = config.internal_endpoints.access_control.listen_address;

    // This enclave's own attested identity, used as the TLS server credential.
    let ra_config = AttestationConfig::from_teaclave_config(&config)?;
    let tls_identity = RemoteAttestation::new(ra_config)
        .generate_and_endorse()
        .unwrap()
        .attested_tls_config()
        .unwrap();

    // The enclave info is only accepted together with the auditor signatures
    // and the build-time auditor public keys.
    let audit = &config.audit;
    let info_bytes = audit.enclave_info_bytes.as_ref().expect("enclave_info");
    let signature_bytes = audit
        .auditor_signatures_bytes
        .as_ref()
        .expect("auditor signatures");
    let audited_info =
        EnclaveInfo::verify_and_new(info_bytes, AUDITOR_PUBLIC_KEYS, signature_bytes)?;

    // Allow-list of peers: one attribute set per configured inbound service.
    let mut inbound_attrs: Vec<teaclave_types::EnclaveAttr> = Vec::new();
    for peer in ACCESS_CONTROL_INBOUND_SERVICES.iter() {
        inbound_attrs.push(audited_info.get_enclave_attr(peer).expect("enclave_info"));
    }

    let tls_server_config = SgxTrustedTlsServerConfig::from_attested_tls_config(tls_identity)
        .unwrap()
        .attestation_report_verifier(
            inbound_attrs,
            AS_ROOT_CA_CERT,
            verifier::universal_quote_verifier,
        )
        .unwrap();

    acs::init_acs().unwrap();

    let mut server = SgxTrustedTlsServer::<
        TeaclaveAccessControlResponse,
        TeaclaveAccessControlRequest,
    >::new(endpoint, tls_server_config);
    let access_control = service::TeaclaveAccessControlService::new();

    // A server failure is reported in the log only; the caller still sees Ok.
    if let Err(e) = server.start(access_control) {
        error!("Service exit, error: {}.", e);
    }
    Ok(())
}
/// ECALL handler for `StartService`: runs [`start_service`] with the
/// configuration carried in `input`.
///
/// # Errors
///
/// Any error from `start_service` is reported as
/// `TeeServiceError::ServiceError`; the underlying cause is dropped here and
/// is neither returned nor logged by this handler.
#[handle_ecall]
fn handle_start_service(input: &StartServiceInput) -> TeeServiceResult<StartServiceOutput> {
    if start_service(&input.config).is_err() {
        return Err(TeeServiceError::ServiceError.into());
    }
    Ok(StartServiceOutput)
}
/// ECALL handler for `InitEnclave`: calls `ServiceEnclave::init` with this
/// crate's package name (taken from `CARGO_PKG_NAME` at compile time).
///
/// # Errors
///
/// Propagates the error returned by `ServiceEnclave::init`.
#[handle_ecall]
fn handle_init_enclave(_: &InitEnclaveInput) -> TeeServiceResult<InitEnclaveOutput> {
    let package_name = env!("CARGO_PKG_NAME");
    match ServiceEnclave::init(package_name) {
        Ok(_) => Ok(InitEnclaveOutput),
        Err(e) => Err(e.into()),
    }
}
/// ECALL handler for `FinalizeEnclave`: calls `ServiceEnclave::finalize`.
///
/// # Errors
///
/// Propagates the error returned by `ServiceEnclave::finalize`.
#[handle_ecall]
fn handle_finalize_enclave(_: &FinalizeEnclaveInput) -> TeeServiceResult<FinalizeEnclaveOutput> {
    match ServiceEnclave::finalize() {
        Ok(_) => Ok(FinalizeEnclaveOutput),
        Err(e) => Err(e.into()),
    }
}
// ECALL dispatch table for this enclave. Each entry pairs an `ECallCommand`
// variant with the input and output types of the matching `#[handle_ecall]`
// function above. Only these three commands are listed here.
// NOTE(review): how unlisted commands are rejected depends on the macro's
// expansion in teaclave_binder, which this file does not show — confirm there.
register_ecall_handler!(
type ECallCommand,
(ECallCommand::StartService, StartServiceInput, StartServiceOutput),
(ECallCommand::InitEnclave, InitEnclaveInput, InitEnclaveOutput),
(ECallCommand::FinalizeEnclave, FinalizeEnclaveInput, FinalizeEnclaveOutput),
);
/// In-enclave unit tests, compiled only with the `enclave_unit_test` feature.
#[cfg(feature = "enclave_unit_test")]
pub mod tests {
    use super::*;
    use teaclave_test_utils::*;

    /// Initialises the ACS module and then runs the access-control test cases
    /// from `service::tests`.
    ///
    /// Returns `false` without running any test when `init_acs` fails;
    /// otherwise returns the result of the `run_tests!` macro.
    pub fn run_tests() -> bool {
        // The access checks below need the ACS module to be initialised first.
        let acs_ready = crate::acs::init_acs().is_ok();
        if !acs_ready {
            return false;
        }

        run_tests!(
            service::tests::user_access_data,
            service::tests::user_access_function,
            service::tests::user_access_task,
            service::tests::task_access_function,
            service::tests::task_access_data,
        )
    }
}