harald/teepot
1
0
Fork 0
mirror of https://github.com/matter-labs/teepot.git synced 2025-07-21 23:23:57 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #150 from matter-labs/VAULT_AUTH_TEE_SHA256_FILE

Browse source 
fix(tee-vault-unseal): pick either `VAULT_AUTH_TEE_SHA256` string or file
This commit is contained in:
Harald Hoyer 2024-07-03 14:58:37 +02:00 committed by GitHub
commit 8dadc1f76b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 13 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

21
bin/tee-vault-unseal/src/main.rs
View file

@ -12,7 +12,7 @@ mod unseal;
use actix_web::rt::time::sleep; use actix_web::rt::time::sleep;
use actix_web::web::Data; use actix_web::web::Data;
use actix_web::{web, App, HttpServer}; use actix_web::{web, App, HttpServer};
use anyhow::{Context, Result}; use anyhow::{bail, Context, Result};
use awc::Client; use awc::Client;
use clap::Parser; use clap::Parser;
use init::post_init; use init::post_init;
@ -97,8 +97,10 @@ struct Args {
/// port to listen on /// port to listen on
#[arg(long, env = "PORT", default_value = "8443")] #[arg(long, env = "PORT", default_value = "8443")]
port: u16, port: u16,
/// the sha256 of the `vault_auth_tee` plugin, with precedence over the file
#[arg(long, env = "VAULT_AUTH_TEE_SHA256")] #[arg(long, env = "VAULT_AUTH_TEE_SHA256")]
vault_auth_tee_sha: String, vault_auth_tee_sha: Option<String>,
/// the file containing the sha256 of the `vault_auth_tee` plugin
#[arg(long, env = "VAULT_AUTH_TEE_SHA256_FILE")] #[arg(long, env = "VAULT_AUTH_TEE_SHA256_FILE")]
vault_auth_tee_sha_file: Option<PathBuf>, vault_auth_tee_sha_file: Option<PathBuf>,
#[arg(long, env = "VAULT_AUTH_TEE_VERSION")] #[arg(long, env = "VAULT_AUTH_TEE_VERSION")]
@ -123,7 +125,7 @@ async fn main() -> Result<()> {
); );
tracing::subscriber::set_global_default(subscriber).unwrap(); tracing::subscriber::set_global_default(subscriber).unwrap();
let mut args = Args::parse(); let args = Args::parse();
info!("Starting up"); info!("Starting up");
@ -146,20 +148,23 @@ async fn main() -> Result<()> {
let server_state = get_vault_status(&args.attestation.vault_addr, conn.client()).await; let server_state = get_vault_status(&args.attestation.vault_addr, conn.client()).await;
// If sha file given, override env variable with contents let vault_auth_tee_sha = if let Some(vault_auth_tee_sha) = args.vault_auth_tee_sha {
if let Some(sha_file) = args.vault_auth_tee_sha_file { vault_auth_tee_sha
} else if let Some(sha_file) = args.vault_auth_tee_sha_file {
let mut file = std::fs::File::open(sha_file)?; let mut file = std::fs::File::open(sha_file)?;
let mut contents = String::new(); let mut contents = String::new();
file.read_to_string(&mut contents)?; file.read_to_string(&mut contents)?;
args.vault_auth_tee_sha = contents.trim_end().into(); contents.trim_end().into()
} } else {
bail!("Neither `VAULT_AUTH_TEE_SHA256_FILE` nor `VAULT_AUTH_TEE_SHA256` set!");
};
info!("Starting HTTPS server at port {}", args.port); info!("Starting HTTPS server at port {}", args.port);
let server_config = Arc::new(UnsealServerConfig { let server_config = Arc::new(UnsealServerConfig {
vault_url: args.attestation.vault_addr, vault_url: args.attestation.vault_addr,
report_data: Box::from(report_data), report_data: Box::from(report_data),
allowed_tcb_levels: Some(args.allowed_tcb_levels), allowed_tcb_levels: Some(args.allowed_tcb_levels),
vault_auth_tee_sha: args.vault_auth_tee_sha, vault_auth_tee_sha,
vault_auth_tee_version: args.vault_auth_tee_version, vault_auth_tee_version: args.vault_auth_tee_version,
ca_cert_file: args.ca_cert_file, ca_cert_file: args.ca_cert_file,
}); });