Centralize base path variable

Cargo.toml

@@ -6,6 +6,7 @@ members = [
     "tools/kbs-client",
     "deps/verifier",
     "deps/eventlog",
+    "deps/trustee-config",
     "integration-tests",
 ]
 resolver = "2"

attestation-service/Cargo.toml

@@ -70,6 +70,7 @@ tonic = { workspace = true, optional = true }
 uuid = { version = "1.18.0", features = ["v4"] }
 verifier = { path = "../deps/verifier", default-features = false }
 actix-cors = { version = "0.7", optional = true}
+trustee-config = { version = "0.1.0", path = "../deps/trustee-config" }
 
 [build-dependencies]
 shadow-rs.workspace = true

attestation-service/src/config.rs

@@ -5,10 +5,11 @@ use serde::Deserialize;
 use std::fs::File;
 use std::path::{Path, PathBuf};
 use thiserror::Error;
+use trustee_config::default_base_path;
 
 /// Environment macro for Attestation Service work dir.
 const AS_WORK_DIR: &str = "AS_WORK_DIR";
-pub const DEFAULT_WORK_DIR: &str = "/opt/confidential-containers/attestation-service";
+pub(crate) const DEFAULT_WORK_DIR: &str = "attestation-service";
 
 #[derive(Clone, Debug, Deserialize, PartialEq)]
 pub struct Config {
@@ -26,7 +27,11 @@ pub struct Config {
 }
 
 fn default_work_dir() -> PathBuf {
-    PathBuf::from(std::env::var(AS_WORK_DIR).unwrap_or_else(|_| DEFAULT_WORK_DIR.to_string()))
+    if let Ok(value) = std::env::var(AS_WORK_DIR) {
+        PathBuf::from(value)
+    } else {
+        default_base_path().join(DEFAULT_WORK_DIR)
+    }
 }
 
 #[derive(Error, Debug)]

deps/trustee-config/Cargo.toml

@@ -0,0 +1,11 @@
+[package]
+name = "trustee-config"
+version.workspace = true
+authors.workspace = true
+description.workspace = true
+documentation.workspace = true
+edition.workspace = true
+
+[dependencies]
+dirs = "6.0.0"
+nix = { version = "0.30.1", features = ["user"] }

deps/trustee-config/src/lib.rs

@@ -0,0 +1,15 @@
+use dirs::home_dir;
+use nix::unistd::Uid;
+use std::path::PathBuf;
+
+/// default_base_path calculates a default base folder for Trustee according to the current user.
+///
+/// - `/opt/confidential-containers/` remains the base path when running as root.
+/// - `$HOME/.trustee` for all users other than root.
+pub fn default_base_path() -> PathBuf {
+    if Uid::effective().is_root() {
+        "/opt/confidential-containers".into()
+    } else {
+        home_dir().unwrap_or_default().join(".trustee")
+    }
+}

deps/verifier/Cargo.toml

@@ -78,6 +78,7 @@ bitflags = { version = "2.8.0", features = ["serde"] }
 time = "0.3.41"
 nvml-wrapper = { version = "0.11.0", optional = true, default-features = false, features = ["serde"]}
 p384 = { version = "0.13.1", optional = true }
+trustee-config = { version = "0.1.0", path = "../trustee-config" }
 
 [build-dependencies]
 shadow-rs.workspace = true

deps/verifier/src/cca/config.rs

@@ -8,8 +8,7 @@ use std::fs::File;
 use std::path::{Path, PathBuf};
 use thiserror::Error;
 
-pub const DEFAULT_CCA_CONFIG: &str =
-    "/opt/confidential-containers/attestation-service/cca/config.json";
+pub const DEFAULT_CCA_CONFIG: &str = "attestation-service/cca/config.json";
 
 #[derive(Serialize, Deserialize, Clone, Debug, Default)]
 #[serde(rename_all = "kebab-case")]

deps/verifier/src/cca/mod.rs

@@ -13,8 +13,8 @@ use core::result::Result::Ok;
 use ear::{Ear, RawValue};
 use log::debug;
 use serde::{Deserialize, Serialize};
-use std::path::Path;
-use std::{collections::BTreeMap, str};
+use std::{collections::BTreeMap, path::PathBuf, str};
+use trustee_config::default_base_path;
 use veraison_apiclient::*;
 
 mod config;
@@ -76,11 +76,14 @@ impl Verifier for CCA {
         expected_report_data: &ReportData,
         expected_init_data_hash: &InitDataHash,
     ) -> Result<Vec<(TeeEvidenceParsedClaim, TeeClass)>> {
-        let config_file =
-            std::env::var(CCA_CONFIG_FILE).unwrap_or_else(|_| DEFAULT_CCA_CONFIG.to_string());
+        let config_file = if let Ok(value) = std::env::var(CCA_CONFIG_FILE) {
+            PathBuf::from(value)
+        } else {
+            default_base_path().join(DEFAULT_CCA_CONFIG)
+        };
 
-        let config = Config::try_from(Path::new(&config_file))
-            .map_err(|e| anyhow!("parsing {config_file}: {e}"))?;
+        let config = Config::try_from(config_file.as_path())
+            .map_err(|e| anyhow!("parsing {config_file:?}: {e}"))?;
 
         let ReportData::Value(expected_report_data) = expected_report_data else {
             bail!("CCA verifier must provide report data field!");

kbs/Cargo.toml

@@ -88,6 +88,7 @@ openssl.workspace = true
 az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true }
 derivative = "2.2.0"
 vaultrs = { version = "0.7.4", optional = true }
+trustee-config = { version = "0.1.0", path = "../deps/trustee-config" }
 
 [target.'cfg(not(any(target_arch = "s390x", target_arch = "aarch64")))'.dependencies]
 attestation-service = { path = "../attestation-service", default-features = false, features = [

kbs/src/plugins/implementations/nebula_ca.rs

@@ -27,7 +27,7 @@ const DEFAULT_NEBULA_CA_NAME: &str = "Trustee Nebula CA plugin";
 const DEFAULT_NEBULA_CERT_PATH: &str = "nebula-cert";
 /// Default Nebula CA working directory.
 /// It must have read-write permission.
-const DEFAULT_WORK_DIR: &str = "/opt/confidential-containers/kbs/nebula-ca";
+const DEFAULT_WORK_DIR: &str = "kbs/nebula-ca";
 /// Minimum nebula-cert version required.
 const NEBULA_CERT_VERSION_REQUIREMENT: &str = ">=1.9.5";
 
@@ -105,7 +105,11 @@ impl TryFrom<NebulaCaPluginConfig> for NebulaCaPlugin {
     type Error = Error;
 
     fn try_from(config: NebulaCaPluginConfig) -> Result<Self> {
-        let work_dir = PathBuf::from(config.work_dir.unwrap_or(DEFAULT_WORK_DIR.into()));
+        let work_dir = if let Some(config_work_dir) = config.work_dir {
+            PathBuf::from(config_work_dir)
+        } else {
+            default_base_path.join(DEFAULT_WORK_DIR)
+        };
         let path = PathBuf::from(
             config
                 .nebula_cert_bin_path

kbs/src/plugins/implementations/resource/local_fs.rs

@@ -9,8 +9,9 @@ use std::{
     fs,
     path::{Path, PathBuf},
 };
+use trustee_config::default_base_path;
 
-pub const DEFAULT_REPO_DIR_PATH: &str = "/opt/confidential-containers/kbs/repository";
+pub const DEFAULT_REPO_DIR_PATH: &str = "kbs/repository";
 
 #[derive(Debug, Deserialize, Clone, PartialEq)]
 pub struct LocalFsRepoDesc {
@@ -21,7 +22,10 @@ pub struct LocalFsRepoDesc {
 impl Default for LocalFsRepoDesc {
     fn default() -> Self {
         Self {
-            dir_path: DEFAULT_REPO_DIR_PATH.into(),
+            dir_path: default_base_path()
+                .join(DEFAULT_REPO_DIR_PATH)
+                .to_string_lossy()
+                .to_string(),
         }
     }
 }

kbs/src/policy_engine/mod.rs

@@ -9,13 +9,14 @@ use tokio::sync::Mutex;
 
 use std::path::PathBuf;
 use std::sync::Arc;
+use trustee_config::default_base_path;
 
 mod opa;
 
 mod error;
 pub use error::*;
 
-pub const DEFAULT_POLICY_PATH: &str = "/opt/confidential-containers/kbs/policy.rego";
+pub const DEFAULT_POLICY_PATH: &str = "kbs/policy.rego";
 
 /// Resource policy engine interface
 ///
@@ -50,7 +51,7 @@ pub struct PolicyEngineConfig {
 impl Default for PolicyEngineConfig {
     fn default() -> Self {
         Self {
-            policy_path: PathBuf::from(DEFAULT_POLICY_PATH),
+            policy_path: default_base_path().join(DEFAULT_POLICY_PATH),
         }
     }
 }

rvps/Cargo.toml

@@ -43,6 +43,7 @@ strum.workspace = true
 tempfile.workspace = true
 tokio = { workspace = true, optional = true }
 tonic = { workspace = true, optional = true }
+trustee-config = { version = "0.1.0", path = "../deps/trustee-config" }
 
 [build-dependencies]
 shadow-rs.workspace = true

rvps/src/storage/local_fs/mod.rs

@@ -8,14 +8,15 @@
 use anyhow::*;
 use async_trait::async_trait;
 use serde::Deserialize;
+use trustee_config::default_base_path;
 
 use crate::ReferenceValue;
 
 use super::ReferenceValueStorage;
 
 /// Local directory path to store the reference values,
 /// which is created by sled engine.
-const FILE_PATH: &str = "/opt/confidential-containers/attestation-service/reference_values";
+const FILE_PATH: &str = "attestation-service/reference_values";
 
 /// `LocalFs` implements [`ReferenceValueStorage`] trait. And
 /// it uses rocksdb inside.
@@ -24,7 +25,10 @@ pub struct LocalFs {
 }
 
 fn default_file_path() -> String {
-    FILE_PATH.to_string()
+    default_base_path()
+        .join(FILE_PATH)
+        .to_string_lossy()
+        .to_string()
 }
 
 #[derive(Clone, Debug, Deserialize, PartialEq)]

rvps/src/storage/local_json/mod.rs

@@ -7,16 +7,20 @@ use async_trait::async_trait;
 use log::debug;
 use serde::Deserialize;
 use tokio::sync::RwLock;
+use trustee_config::default_base_path;
 
-const FILE_PATH: &str = "/opt/confidential-containers/attestation-service/reference_values.json";
+const FILE_PATH: &str = "attestation-service/reference_values.json";
 
 pub struct LocalJson {
     file_path: String,
     lock: RwLock<i32>,
 }
 
 fn default_file_path() -> String {
-    FILE_PATH.to_string()
+    default_base_path()
+        .join(FILE_PATH)
+        .to_string_lossy()
+        .to_string()
 }
 
 #[derive(Clone, Debug, Deserialize, PartialEq)]