rvps: add flag to restrict operations to be read-only

Introduce rvps_read_only flag, that forces the rvps server to only allow
queries and not register new reference values.

This is useful for operator/kubernetes/container deployment where the
rvps is run as standalone and therefore not configured via
kbs-config.toml.

Signed-off-by: Emanuele Giuseppe Esposito <[email protected]>

Author: esposem

attestation-service/src/config.rs

@@ -94,6 +94,7 @@ mod tests {
         rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
             storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()),
             extractors: None,
+            rvps_read_only: false,
         }),
         attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration {
             duration_min: 5,
@@ -107,6 +108,7 @@ mod tests {
         rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
             storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()),
             extractors: None,
+            rvps_read_only: false,
         }),
         attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration {
             duration_min: 5,
@@ -124,6 +126,7 @@ mod tests {
         rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
             storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()),
             extractors: None,
+            rvps_read_only: false,
         }),
         attestation_token_broker: AttestationTokenConfig::Ear(ear_broker::Configuration {
             duration_min: 5,
@@ -140,6 +143,7 @@ mod tests {
         rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
             storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()),
             extractors: None,
+            rvps_read_only: false,
         }),
         attestation_token_broker: AttestationTokenConfig::Ear(ear_broker::Configuration {
             duration_min: 5,

integration-tests/src/common.rs

@@ -157,6 +157,7 @@ impl TestHarness {
                 storage: ReferenceValueStorageConfig::LocalJson(local_json::Config {
                     file_path: rv_path,
                 }),
+                rvps_read_only: false,
             }),
             RvpsType::Remote => {
                 info!("Starting Remote RVPS");

kbs/config/as-config.json

@@ -3,7 +3,8 @@
     "policy_engine": "opa",
     "rvps_config": {
         "type": "GrpcRemote",
-        "address": "http://rvps:50003"
+        "address": "http://rvps:50003",
+        "rvps_read_only": false
     },
     "attestation_token_broker": {
 	"type": "Ear",

kbs/config/rvps.json

@@ -2,5 +2,6 @@
     "storage": {
 	"type":"LocalFs",
 	"file_path": "/opt/confidential-containers/attestation-service/reference_values"
-    }
+    },
+	"rvps_read_only": false
 }

kbs/src/config.rs

@@ -320,6 +320,7 @@ mod tests {
                                 file_path: "/opt/confidential-containers/attestation-service/reference_values".into(),
                             }),
                             extractors: None,
+                            rvps_read_only: false,
                         }),
                         attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration{
                             duration_min: 5,

rvps/README.md

@@ -98,11 +98,13 @@ RVPS can be launched with a specified configuration file by `-c` flag. A configu
     "storage": {
         "type": "LocalFs",
         "file_path": "/opt/confidential-containers/attestation-service/reference_values"
-    }
+    },
+    "rvps_read_only": false
 }
 ```
 - `storage.type`: backend storage type to store reference values. Currently `LocalFs` and `LocalJson` are supported.
 - `storage.*`: Each different type of storage has its own associated configuration parameters. This is also a JSON map object.
+- `rvps_read_only`: Whether RVPS should run in read-only mode (disable reference value registration). Defaults to `false`.
 
 ## Integrate RVPS into the Attestation Service
 

rvps/src/bin/rvps.rs

@@ -53,6 +53,12 @@ async fn main() -> Result<()> {
 
     info!("Listen socket: {}", &cli.address);
 
+    if config.rvps_read_only {
+        info!("RVPS is running in READ-ONLY mode. Reference value registration is disabled.");
+    } else {
+        info!("RVPS is running in normal mode. Reference value registration is enabled.");
+    }
+
     let socket = cli.address.parse().context("parse socket addr failed")?;
 
     server::start(socket, config).await

rvps/src/config.rs

@@ -15,6 +15,9 @@ pub struct Config {
 
     #[serde(default)]
     pub extractors: Option<ExtractorsConfig>,
+
+    #[serde(default)]
+    pub rvps_read_only: bool,
 }
 
 impl Config {

rvps/src/lib.rs

@@ -52,6 +52,7 @@ fn default_version() -> String {
 pub struct Rvps {
     extractors: Extractors,
     storage: Box<dyn ReferenceValueStorage + Send + Sync>,
+    read_only: bool,
 }
 
 impl Rvps {
@@ -63,10 +64,17 @@ impl Rvps {
         Ok(Rvps {
             extractors,
             storage,
+            read_only: config.rvps_read_only,
         })
     }
 
     pub async fn verify_and_extract(&mut self, message: &str) -> Result<()> {
+        if self.read_only {
+            bail!(
+                "RVPS is configured in read-only mode. Reference value registration is disabled."
+            );
+        }
+
         let message: Message = serde_json::from_str(message).context("parse message")?;
 
         // Judge the version field