services/frontend/enclave/src/lib.rs - incubator-teaclave - Git at Google

 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
 // to you under the Apache License, Version 2.0 (the
 // "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
 //
 //   http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing,
 // software distributed under the License is distributed on an
 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.

 #[macro_use]
 extern crate log;
 extern crate sgx_types;
 use anyhow::{anyhow, Result};
 use tokio::sync::Mutex;

 use std::sync::Arc;

 use teaclave_attestation::verifier;
 use teaclave_attestation::{AttestationConfig, RemoteAttestation};
 use teaclave_binder::proto::{
     ECallCommand, FinalizeEnclaveInput, FinalizeEnclaveOutput, InitEnclaveInput, InitEnclaveOutput,
     StartServiceInput, StartServiceOutput,
 };
 use teaclave_binder::{handle_ecall, register_ecall_handler};
 use teaclave_config::build::AS_ROOT_CA_CERT;
 use teaclave_config::RuntimeConfig;
 use teaclave_proto::teaclave_access_control_service::TeaclaveAccessControlClient;
 use teaclave_proto::teaclave_authentication_service::TeaclaveAuthenticationInternalClient;
 use teaclave_proto::teaclave_frontend_service::TeaclaveFrontendServer;
 use teaclave_proto::teaclave_management_service::TeaclaveManagementClient;
 use teaclave_rpc::{config::SgxTrustedTlsServerConfig, transport::Server};
 use teaclave_service_enclave_utils::{
     create_trusted_access_control_endpoint, create_trusted_authentication_endpoint,
     create_trusted_management_endpoint, ServiceEnclave,
 };
 use teaclave_types::{TeeServiceError, TeeServiceResult};

 mod audit;
 mod error;
 mod service;

 // Sets the number of worker threads the Runtime will use.
 const N_WORKERS: usize = 8;

 async fn start_service(config: &RuntimeConfig) -> Result<()> {
     info!("Starting FrontEnd ...");

     let listen_address = config.api_endpoints.frontend.listen_address;
     let attestation_config = AttestationConfig::from_teaclave_config(config)?;
     let attested_tls_config = RemoteAttestation::new(attestation_config)
         .generate_and_endorse()?
         .attested_tls_config()
         .ok_or_else(|| anyhow!("cannot get attested TLS config"))?;

     info!(" Starting FrontEnd: Self attestation finished ...");

     let server_config =
         SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config.clone())?.into();
     info!(" Starting FrontEnd: Server config setup finished ...");

     let enclave_info = teaclave_types::EnclaveInfo::from_bytes(&config.audit.enclave_info_bytes);
     let authentication_service_endpoint = create_trusted_authentication_endpoint(
         &config.internal_endpoints.authentication.advertised_address,
         &enclave_info,
         AS_ROOT_CA_CERT,
         verifier::universal_quote_verifier,
         attested_tls_config.clone(),
     )?;

     let authentication_channel = authentication_service_endpoint
         .connect()
         .await
         .map_err(|e| anyhow!("Failed to connect to authentication service, retry {:?}", e))?;
     let authentication_client = Arc::new(Mutex::new(
         TeaclaveAuthenticationInternalClient::new_with_builtin_config(authentication_channel),
     ));

     info!(" Starting FrontEnd: setup authentication client finished ...");

     let management_service_endpoint = create_trusted_management_endpoint(
         &config.internal_endpoints.management.advertised_address,
         &enclave_info,
         AS_ROOT_CA_CERT,
         verifier::universal_quote_verifier,
         attested_tls_config.clone(),
     )?;

     let management_channel = management_service_endpoint
         .connect()
         .await
         .map_err(|e| anyhow!("Failed to connect to management service, {:?}", e))?;
     let management_client = Arc::new(Mutex::new(
         TeaclaveManagementClient::new_with_builtin_config(management_channel),
     ));

     info!(" Starting FrontEnd: setup management client finished ...");

     let access_control_service_endpoint = create_trusted_access_control_endpoint(
         &config.internal_endpoints.access_control.advertised_address,
         &enclave_info,
         AS_ROOT_CA_CERT,
         verifier::universal_quote_verifier,
         attested_tls_config.clone(),
     )?;

     let access_control_channel = access_control_service_endpoint
         .connect()
         .await
         .map_err(|e| anyhow!("Failed to connect to access_control service, retry {:?}", e))?;
     let access_control_client = Arc::new(Mutex::new(TeaclaveAccessControlClient::new(
         access_control_channel,
     )));

     info!(" Starting FrontEnd: setup access_control client finished ...");

     let log_buffer = Arc::new(Mutex::new(Vec::new()));
     let audit_agent = audit::AuditAgent::new(management_client.clone(), log_buffer.clone());
     let agent_handle = tokio::spawn(async move {
         audit_agent.run().await;
     });

     let service = service::TeaclaveFrontendService::new(
         authentication_client,
         management_client,
         access_control_client,
         log_buffer,
     )
     .await?;

     info!(" Starting FrontEnd: start listening ...");
     Server::builder()
         .tls_config(server_config)
         .map_err(|_| anyhow!("TeaclaveFrontendServer tls config error"))?
         .add_service(TeaclaveFrontendServer::new_with_builtin_config(service))
         .serve(listen_address)
         .await?;

     agent_handle.await?;

     Ok(())
 }

 #[handle_ecall]
 fn handle_start_service(input: &StartServiceInput) -> TeeServiceResult<StartServiceOutput> {
     let result = tokio::runtime::Builder::new_multi_thread()
         .worker_threads(N_WORKERS)
         .enable_all()
         .build()
         .map_err(|_| TeeServiceError::SgxError)?
         .block_on(start_service(&input.config));

     match result {
         Ok(_) => Ok(StartServiceOutput),
         Err(e) => {
             error!("Failed to run service: {}", e);
             Err(TeeServiceError::ServiceError)
         }
     }
 }

 #[handle_ecall]
 fn handle_init_enclave(_: &InitEnclaveInput) -> TeeServiceResult<InitEnclaveOutput> {
     ServiceEnclave::init(env!("CARGO_PKG_NAME"))?;
     Ok(InitEnclaveOutput)
 }

 #[handle_ecall]
 fn handle_finalize_enclave(_: &FinalizeEnclaveInput) -> TeeServiceResult<FinalizeEnclaveOutput> {
     ServiceEnclave::finalize()?;
     Ok(FinalizeEnclaveOutput)
 }

 register_ecall_handler!(
     type ECallCommand,
     (ECallCommand::StartService, StartServiceInput, StartServiceOutput),
     (ECallCommand::InitEnclave, InitEnclaveInput, InitEnclaveOutput),
     (ECallCommand::FinalizeEnclave, FinalizeEnclaveInput, FinalizeEnclaveOutput),
 );

 #[cfg(feature = "enclave_unit_test")]
 pub mod tests {
     pub fn run_tests() -> bool {
         true
     }
 }
	// Licensed to the Apache Software Foundation (ASF) under one
	// or more contributor license agreements. See the NOTICE file
	// distributed with this work for additional information
	// regarding copyright ownership. The ASF licenses this file
	// to you under the Apache License, Version 2.0 (the
	// "License"); you may not use this file except in compliance
	// with the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing,
	// software distributed under the License is distributed on an
	// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	// KIND, either express or implied. See the License for the
	// specific language governing permissions and limitations
	// under the License.

	#[macro_use]
	extern crate log;
	extern crate sgx_types;
	use anyhow::{anyhow, Result};
	use tokio::sync::Mutex;

	use std::sync::Arc;

	use teaclave_attestation::verifier;
	use teaclave_attestation::{AttestationConfig, RemoteAttestation};
	use teaclave_binder::proto::{
	ECallCommand, FinalizeEnclaveInput, FinalizeEnclaveOutput, InitEnclaveInput, InitEnclaveOutput,
	StartServiceInput, StartServiceOutput,
	};
	use teaclave_binder::{handle_ecall, register_ecall_handler};
	use teaclave_config::build::AS_ROOT_CA_CERT;
	use teaclave_config::RuntimeConfig;
	use teaclave_proto::teaclave_access_control_service::TeaclaveAccessControlClient;
	use teaclave_proto::teaclave_authentication_service::TeaclaveAuthenticationInternalClient;
	use teaclave_proto::teaclave_frontend_service::TeaclaveFrontendServer;
	use teaclave_proto::teaclave_management_service::TeaclaveManagementClient;
	use teaclave_rpc::{config::SgxTrustedTlsServerConfig, transport::Server};
	use teaclave_service_enclave_utils::{
	create_trusted_access_control_endpoint, create_trusted_authentication_endpoint,
	create_trusted_management_endpoint, ServiceEnclave,
	};
	use teaclave_types::{TeeServiceError, TeeServiceResult};

	mod audit;
	mod error;
	mod service;

	// Sets the number of worker threads the Runtime will use.
	const N_WORKERS: usize = 8;

	async fn start_service(config: &RuntimeConfig) -> Result<()> {
	info!("Starting FrontEnd ...");

	let listen_address = config.api_endpoints.frontend.listen_address;
	let attestation_config = AttestationConfig::from_teaclave_config(config)?;
	let attested_tls_config = RemoteAttestation::new(attestation_config)
	.generate_and_endorse()?
	.attested_tls_config()
	.ok_or_else(\|\| anyhow!("cannot get attested TLS config"))?;

	info!(" Starting FrontEnd: Self attestation finished ...");

	let server_config =
	SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config.clone())?.into();
	info!(" Starting FrontEnd: Server config setup finished ...");

	let enclave_info = teaclave_types::EnclaveInfo::from_bytes(&config.audit.enclave_info_bytes);
	let authentication_service_endpoint = create_trusted_authentication_endpoint(
	&config.internal_endpoints.authentication.advertised_address,
	&enclave_info,
	AS_ROOT_CA_CERT,
	verifier::universal_quote_verifier,
	attested_tls_config.clone(),
	)?;

	let authentication_channel = authentication_service_endpoint
	.connect()
	.await
	.map_err(\|e\| anyhow!("Failed to connect to authentication service, retry {:?}", e))?;
	let authentication_client = Arc::new(Mutex::new(
	TeaclaveAuthenticationInternalClient::new_with_builtin_config(authentication_channel),
	));

	info!(" Starting FrontEnd: setup authentication client finished ...");

	let management_service_endpoint = create_trusted_management_endpoint(
	&config.internal_endpoints.management.advertised_address,
	&enclave_info,
	AS_ROOT_CA_CERT,
	verifier::universal_quote_verifier,
	attested_tls_config.clone(),
	)?;

	let management_channel = management_service_endpoint
	.connect()
	.await
	.map_err(\|e\| anyhow!("Failed to connect to management service, {:?}", e))?;
	let management_client = Arc::new(Mutex::new(
	TeaclaveManagementClient::new_with_builtin_config(management_channel),
	));

	info!(" Starting FrontEnd: setup management client finished ...");

	let access_control_service_endpoint = create_trusted_access_control_endpoint(
	&config.internal_endpoints.access_control.advertised_address,
	&enclave_info,
	AS_ROOT_CA_CERT,
	verifier::universal_quote_verifier,
	attested_tls_config.clone(),
	)?;

	let access_control_channel = access_control_service_endpoint
	.connect()
	.await
	.map_err(\|e\| anyhow!("Failed to connect to access_control service, retry {:?}", e))?;
	let access_control_client = Arc::new(Mutex::new(TeaclaveAccessControlClient::new(
	access_control_channel,
	)));

	info!(" Starting FrontEnd: setup access_control client finished ...");

	let log_buffer = Arc::new(Mutex::new(Vec::new()));
	let audit_agent = audit::AuditAgent::new(management_client.clone(), log_buffer.clone());
	let agent_handle = tokio::spawn(async move {
	audit_agent.run().await;
	});

	let service = service::TeaclaveFrontendService::new(
	authentication_client,
	management_client,
	access_control_client,
	log_buffer,
	)
	.await?;

	info!(" Starting FrontEnd: start listening ...");
	Server::builder()
	.tls_config(server_config)
	.map_err(\|_\| anyhow!("TeaclaveFrontendServer tls config error"))?
	.add_service(TeaclaveFrontendServer::new_with_builtin_config(service))
	.serve(listen_address)
	.await?;

	agent_handle.await?;

	Ok(())
	}

	#[handle_ecall]
	fn handle_start_service(input: &StartServiceInput) -> TeeServiceResult<StartServiceOutput> {
	let result = tokio::runtime::Builder::new_multi_thread()
	.worker_threads(N_WORKERS)
	.enable_all()
	.build()
	.map_err(\|_\| TeeServiceError::SgxError)?
	.block_on(start_service(&input.config));

	match result {
	Ok(_) => Ok(StartServiceOutput),
	Err(e) => {
	error!("Failed to run service: {}", e);
	Err(TeeServiceError::ServiceError)
	}
	}
	}

	#[handle_ecall]
	fn handle_init_enclave(_: &InitEnclaveInput) -> TeeServiceResult<InitEnclaveOutput> {
	ServiceEnclave::init(env!("CARGO_PKG_NAME"))?;
	Ok(InitEnclaveOutput)
	}

	#[handle_ecall]
	fn handle_finalize_enclave(_: &FinalizeEnclaveInput) -> TeeServiceResult<FinalizeEnclaveOutput> {
	ServiceEnclave::finalize()?;
	Ok(FinalizeEnclaveOutput)
	}

	register_ecall_handler!(
	type ECallCommand,
	(ECallCommand::StartService, StartServiceInput, StartServiceOutput),
	(ECallCommand::InitEnclave, InitEnclaveInput, InitEnclaveOutput),
	(ECallCommand::FinalizeEnclave, FinalizeEnclaveInput, FinalizeEnclaveOutput),
	);

	#[cfg(feature = "enclave_unit_test")]
	pub mod tests {
	pub fn run_tests() -> bool {
	true
	}
	}