chore: split-out vault code from teepot in teepot-vault

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>

crates/teepot-vault/bin/tee-stress-client/src/main.rs

@@ -0,0 +1,105 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2024-2025 Matter Labs
+
+//! Server to handle requests to the Vault TEE
+
+#![deny(missing_docs)]
+#![deny(clippy::all)]
+
+use actix_web::rt::time::sleep;
+use anyhow::{Context, Result};
+use clap::Parser;
+use serde::{Deserialize, Serialize};
+use std::time::Duration;
+use teepot::sgx::{parse_tcb_levels, EnumSet, TcbLevel};
+use teepot_vault::{
+    client::vault::VaultConnection,
+    server::{
+        attestation::{get_quote_and_collateral, VaultAttestationArgs},
+        pki::make_self_signed_cert,
+    },
+};
+use tracing::{error, trace};
+use tracing_log::LogTracer;
+use tracing_subscriber::{fmt, prelude::*, EnvFilter, Registry};
+
+#[derive(Parser, Debug)]
+#[command(author, version, about, long_about = None)]
+struct Arguments {
+    /// allowed TCB levels, comma separated
+    #[arg(long, value_parser = parse_tcb_levels, env = "ALLOWED_TCB_LEVELS", default_value = "Ok")]
+    my_sgx_allowed_tcb_levels: EnumSet<TcbLevel>,
+    #[clap(flatten)]
+    pub attestation: VaultAttestationArgs,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct MySecret {
+    val: usize,
+}
+
+#[actix_web::main]
+async fn main() -> Result<()> {
+    LogTracer::init().context("Failed to set logger")?;
+
+    let subscriber = Registry::default()
+        .with(EnvFilter::from_default_env())
+        .with(fmt::layer().with_writer(std::io::stderr));
+    tracing::subscriber::set_global_default(subscriber).unwrap();
+
+    let args = Arguments::parse();
+
+    let (report_data, _cert_chain, _priv_key) = make_self_signed_cert("CN=localhost", None)?;
+    if let Err(e) = get_quote_and_collateral(Some(args.my_sgx_allowed_tcb_levels), &report_data) {
+        error!("failed to get quote and collateral: {e:?}");
+        // don't return for now, we can still serve requests but we won't be able to attest
+    }
+
+    let mut vault_1 = args.attestation.clone();
+    let mut vault_2 = args.attestation.clone();
+    let mut vault_3 = args.attestation.clone();
+
+    vault_1.vault_addr = "https://vault-1:8210".to_string();
+    vault_2.vault_addr = "https://vault-2:8210".to_string();
+    vault_3.vault_addr = "https://vault-3:8210".to_string();
+
+    let servers = vec![vault_1.clone(), vault_2.clone(), vault_3.clone()];
+
+    let mut val: usize = 1;
+
+    loop {
+        let mut conns = Vec::new();
+        for server in &servers {
+            match VaultConnection::new(&server.into(), "stress".to_string()).await {
+                Ok(conn) => conns.push(conn),
+                Err(e) => {
+                    error!("connecting to {}: {}", server.vault_addr, e);
+                    continue;
+                }
+            }
+        }
+
+        if conns.is_empty() {
+            error!("no connections");
+            sleep(Duration::from_secs(1)).await;
+            continue;
+        }
+
+        let i = val % conns.len();
+        trace!("storing secret");
+        conns[i]
+            .store_secret(MySecret { val }, "val")
+            .await
+            .context("storing secret")?;
+        for conn in conns {
+            let got: MySecret = conn
+                .load_secret("val")
+                .await
+                .context("loading secret")?
+                .context("loading secret")?;
+            assert_eq!(got.val, val,);
+        }
+        val += 1;
+        sleep(Duration::from_secs(1)).await;
+    }
+}

crates/teepot-vault/bin/tee-stress-client/src/stress.json

@@ -0,0 +1,22 @@
+{
+  "last_digest": "",
+  "commands": [
+    {
+      "url": "/v1/sys/policies/acl/tee-stress",
+      "data": {
+        "policy": "path \"secret/data/tee/stress/*\" { capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\" ] }\n"
+      }
+    },
+    {
+      "url": "/v1/auth/tee/tees/stress",
+      "data": {
+        "lease": "1000",
+        "name": "stress",
+        "sgx_allowed_tcb_levels": "Ok,SwHardeningNeeded",
+        "sgx_mrsigner": "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d",
+        "token_policies": "tee-stress",
+        "types": "sgx"
+      }
+    }
+  ]
+}

crates/teepot-vault/bin/tee-stress-client/src/stress.json.asc

@@ -0,0 +1,26 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEC0Pk344t4+guABNk9RmhFDs/vjIFAmUn5WkACgkQ9RmhFDs/
+vjK5kw/8Dl1XuMOfJ+mxshaRH4JexPmB/+c4x5JnaYS6GGJaJ/eOp+hSFchxnwfI
+OXRV3S+/kgaytfu5zVEepqyypX43LbV+eZ5s450xa3qI0fR/rd+LnJeJNqFoJVrZ
+M+xTGpkBPvPB3340ebyti5k49I+uhgO8c5Cd1FpM00dWN0qUUJMsFuOKNueFURlC
+Sk9HLDk63G2/ZDyBzT83vMpFUZbtJ46yJmS2++W1UfEt2GZvL6sc2wr7pwlb5EtF
+wEgLtaIAy749h1Lzilw6RTWVC3ShQvaddIFIh+XagnrKmk2D0gha2XprbvBSkpYf
+a/9tZKH/4U8wfONR3sJ83wlODwks6zdIibspk7868vY5Bm9Yr2N1cIIPGtnnypHE
+xPZI9QXY/zUSnTXgs5JyEZkea8j29v135zhuGINFPVWOa+frGYTIN/zZ3sjdhZMt
++4rRL8SZbFbkCDc/zGdlJOcTygUbEJBiseNJ8GXgbWrXzY/WDZpxL1xdxjkPK4PA
+xtKyaPlBP1B1RyHkZGYDq86t9DzX2H/gkqBHJpuSavcx/7/Q/b6KGYdf/QFxo7kY
+S0jdVXRVem0ClxWtEVZU9Wu9QykcYQbj3AM7hk+9Khmq32w7b3bwOndYNAojwzP+
+9UEVOAXv2K8LSBbq6RXott5KMKDwowOu4hQCNsDuvmBYkr1Sy5OJAcUEAAEIAC8W
+IQSBoxLFnWedkw+p6LBtco8potur+AUCZSflbREcdGVzdEBleGFtcGxlLmNvbQAK
+CRBtco8potur+LwPC/wOjT27sE4D/4Cadg58lXlRE2qoFdtc8vfs+ioxS7UxQX4m
+ggY4P6lHq8u2TkY4jDe9FpA5S7LNGQJoQx2zrr3lGwonBwGkj4nRM60/uNSar+wd
+Wknke8IUiv8E8MzITy+gKdFHwu95ZZh9IXefiQ4Fq8UQurELAfVA/sNk+1ovGzsO
+/S4srkR4uejsAuk84PCA7dgNLYobcU/7SMH/ffgorqE6BOXwzfIy13c9TV5ZztWo
+eK6R+wc92hza0ZvXVmB4i5NBe+aO7gSLe0QcJqHdaTpkcVhhhE+v8HdpF1JIgOH8
+/336W/ZOp1q1K0hL2rNU2YX40MOaZZLoxjfXNmC/dAZPel5HJMwTLzM6Aqqk49sB
+LHEPgHjefUWiHe2C31PGM0THM3fuA6i5OwypnZRI14WYVDlVa5KRmj/titcCt6aQ
++fbzK5lYIg4AhLl8rIns8+/yJnwTIw3Zy94H8Xwjq8tplk6nSUWm0GKjYqFquwUf
+6PyKGVnqs2Cp0hFmD9o=
+=AsWI
+-----END PGP SIGNATURE-----