Merge branch 'main' into update-diesel

Author: nullr0ute

Cargo.lock

@@ -56,6 +56,9 @@ where
     /// Gets an OV
     fn get_ov(guid: &str, conn: &mut T) -> Result<OwnerOV>;
 
+    /// Returns all the OVs in the DB
+    fn get_all_ovs(conn: &mut T) -> Result<Vec<OwnerOV>>;
+
     /// Deletes an OV
     fn delete_ov(guid: &str, conn: &mut T) -> Result<()>;
 
@@ -101,6 +104,9 @@ where
     /// Gets an OV
     fn get_ov(guid: &str, conn: &mut T) -> Result<RendezvousOV>;
 
+    /// Returns all the OVs in the DB
+    fn get_all_ovs(conn: &mut T) -> Result<Vec<RendezvousOV>>;
+
     /// Deletes an OV
     fn delete_ov(guid: &str, conn: &mut T) -> Result<()>;
 

db/src/lib.rs

@@ -113,6 +113,13 @@ impl DBStoreOwner<PgConnection> for PostgresOwnerDB {
         Ok(result)
     }
 
+    fn get_all_ovs(conn: &mut PgConnection) -> Result<Vec<OwnerOV>> {
+        let result = super::schema::owner_vouchers::dsl::owner_vouchers
+            .select(OwnerOV::as_select())
+            .load(conn)?;
+        Ok(result)
+    }
+
     fn delete_ov(guid: &str, conn: &mut PgConnection) -> Result<()> {
         diesel::delete(owner_vouchers::dsl::owner_vouchers)
             .filter(super::schema::owner_vouchers::guid.eq(guid))
@@ -222,6 +229,13 @@ impl DBStoreRendezvous<PgConnection> for PostgresRendezvousDB {
         Ok(result)
     }
 
+    fn get_all_ovs(conn: &mut PgConnection) -> Result<Vec<RendezvousOV>> {
+        let result = super::schema::rendezvous_vouchers::dsl::rendezvous_vouchers
+            .select(RendezvousOV::as_select())
+            .load(conn)?;
+        Ok(result)
+    }
+
     fn delete_ov(guid: &str, conn: &mut PgConnection) -> Result<()> {
         diesel::delete(rendezvous_vouchers::dsl::rendezvous_vouchers)
             .filter(super::schema::rendezvous_vouchers::guid.eq(guid))

db/src/postgres.rs

@@ -115,6 +115,13 @@ impl DBStoreOwner<SqliteConnection> for SqliteOwnerDB {
         Ok(result)
     }
 
+    fn get_all_ovs(conn: &mut SqliteConnection) -> Result<Vec<OwnerOV>> {
+        let result = super::schema::owner_vouchers::dsl::owner_vouchers
+            .select(OwnerOV::as_select())
+            .load(conn)?;
+        Ok(result)
+    }
+
     fn delete_ov(guid: &str, conn: &mut SqliteConnection) -> Result<()> {
         diesel::delete(owner_vouchers::dsl::owner_vouchers)
             .filter(super::schema::owner_vouchers::guid.eq(guid))
@@ -224,6 +231,13 @@ impl DBStoreRendezvous<SqliteConnection> for SqliteRendezvousDB {
         Ok(result)
     }
 
+    fn get_all_ovs(conn: &mut SqliteConnection) -> Result<Vec<RendezvousOV>> {
+        let result = super::schema::rendezvous_vouchers::dsl::rendezvous_vouchers
+            .select(RendezvousOV::as_select())
+            .load(conn)?;
+        Ok(result)
+    }
+
     fn delete_ov(guid: &str, conn: &mut SqliteConnection) -> Result<()> {
         diesel::delete(rendezvous_vouchers::dsl::rendezvous_vouchers)
             .filter(super::schema::rendezvous_vouchers::guid.eq(guid))

db/src/sqlite.rs

@@ -20,28 +20,28 @@ diun_pub_key_insecure=$(getarg fdo.diun_pub_key_insecure= ||:)
 diun_pub_key_hash=$(getarg fdo.diun_pub_key_hash= ||:)
 diun_pub_key_root_certs=$(getarg fdo.diun_pub_key_root_certs= ||:)
 mfg_string_type_mac_iface=$(getarg fdo.di_mfg_string_type_mac_iface= ||:)
-cat >"/etc/manufacturing-client-config" <<EOF
+cat >"/run/manufacturing-client-config" <<EOF
 # Automatically generated by live-generator
 MANUFACTURING_SERVER_URL="${manufacturing_server_url}"
 EOF
 if [ -n "${diun_pub_key_insecure}" ]; then
-cat >>"/etc/manufacturing-client-config" <<EOF
+cat >>"/run/manufacturing-client-config" <<EOF
 DIUN_PUB_KEY_INSECURE="${diun_pub_key_insecure}"
 EOF
 fi
 if [ -n "${diun_pub_key_hash}" ]; then
-cat >>"/etc/manufacturing-client-config" <<EOF
+cat >>"/run/manufacturing-client-config" <<EOF
 DIUN_PUB_KEY_HASH="${diun_pub_key_hash}"
 EOF
 fi
 if [ -n "${diun_pub_key_root_certs}" ]; then
-cat >>"/etc/manufacturing-client-config" <<EOF
+cat >>"/run/manufacturing-client-config" <<EOF
 DIUN_PUB_KEY_ROOTCERTS="${diun_pub_key_root_certs}"
 EOF
 fi
 
 if [ -n "${mfg_string_type_mac_iface}" ]; then
-cat >>"/etc/manufacturing-client-config" <<EOF
+cat >>"/run/manufacturing-client-config" <<EOF
 DI_MFG_STRING_TYPE_MAC_IFACE="${mfg_string_type_mac_iface}"
 EOF
 fi

dracut/52fdo/manufacturing-client-generator

@@ -3,16 +3,18 @@ Description=Manufacturing client DIUN
 DefaultDependencies=false
 
 After=coreos-installer.service
+Before=coreos-installer-poweroff.service
+Before=coreos-installer-noreboot.service
 Before=coreos-installer-reboot.service
-ConditionPathExists=/etc/manufacturing-client-config
+ConditionPathExists=/run/manufacturing-client-config
 Requires=dev-disk-by\x2dlabel-boot.device
 
 OnFailure=emergency.target
-OnFailureJobMode=replace-irreversibly
+OnFailureJobMode=isolate
 
 [Service]
 Type=oneshot
 Environment=LOG_LEVEL=info
-EnvironmentFile=/etc/manufacturing-client-config
+EnvironmentFile=/run/manufacturing-client-config
 ExecStart=/usr/libexec/manufacturing-client-service
-RemainAfterExit=yes
+RemainAfterExit=yes

dracut/52fdo/manufacturing-client.service

@@ -17,6 +17,9 @@ warp = "0.3.6"
 log = "0.4"
 hex = "0.4"
 serde_yaml = "0.9"
+tar = "0.4.41"
+flate2 = "1.0.31"
+tempdir = "0.3.7"
 
 fdo-data-formats = { path = "../data-formats", version = "0.5.0" }
 fdo-http-wrapper = { path = "../http-wrapper", version = "0.5.0", features = ["server"] }

manufacturing-server/Cargo.toml

@@ -1,26 +1,32 @@
 use std::collections::BTreeMap;
 use std::convert::{TryFrom, TryInto};
-use std::fs;
+use std::fs::{self, File};
+use std::io::Read;
 use std::str::FromStr;
 use std::sync::Arc;
 
+use fdo_data_formats::{constants::ErrorCode, ProtocolVersion};
+use fdo_store::Store;
+
+use warp::{Filter, Rejection};
+
 use anyhow::{bail, Context, Error, Result};
 use openssl::{
     pkey::{PKey, Private},
     x509::X509,
 };
 use serde_yaml::Value;
+use tempdir::TempDir;
 use tokio::signal::unix::{signal, SignalKind};
-use warp::Filter;
+use warp::reply::Response;
 
 use fdo_data_formats::{
     constants::{KeyStorageType, MfgStringType, PublicKeyType, RendezvousVariable},
     ownershipvoucher::OwnershipVoucher,
     publickey::{PublicKey, X5Chain},
     types::{Guid, RendezvousInfo},
-    ProtocolVersion,
+    Serializable,
 };
-use fdo_store::Store;
 use fdo_util::servers::{
     configuration::manufacturing_server::{DiunSettings, ManufacturingServerSettings},
     settings_for, yaml_to_cbor, OwnershipVoucherStoreMetadataKey,
@@ -56,7 +62,7 @@ struct ManufacturingServiceUD {
     session_store: Arc<fdo_http_wrapper::server::SessionStore>,
     ownership_voucher_store: Box<
         dyn Store<
-            fdo_store::WriteOnlyOpen,
+            fdo_store::ReadWriteOpen,
             Guid,
             OwnershipVoucher,
             OwnershipVoucherStoreMetadataKey,
@@ -267,8 +273,99 @@ async fn main() -> Result<()> {
     });
 
     // Initialize handlers
-    let hello = warp::get().map(|| "Hello from the manufacturing server");
-    let handler_ping = fdo_http_wrapper::server::ping_handler();
+    let hello = warp::path::end().map(|| "Hello from the manufacturing server");
+    let ud = user_data.clone();
+    let handler_ovs = warp::path!("ov" / String)
+        .map(move |guid| (guid, ud.clone()))
+        .and_then(
+            |(guid, ud): (String, Arc<ManufacturingServiceUD>)| async move {
+                let typed_guid = match Guid::from_str(&guid) {
+                    Ok(v) => v,
+                    Err(e) => {
+                        return Err(Rejection::from(fdo_http_wrapper::server::Error::new(
+                            ErrorCode::InternalServerError,
+                            fdo_data_formats::constants::MessageType::Invalid,
+                            &e.to_string(),
+                        )))
+                    }
+                };
+                let ov = match ud.ownership_voucher_store.load_data(&typed_guid).await {
+                    Ok(ov) => ov.unwrap(),
+                    Err(e) => {
+                        return Err(Rejection::from(fdo_http_wrapper::server::Error::new(
+                            ErrorCode::InternalServerError,
+                            fdo_data_formats::constants::MessageType::Invalid,
+                            &format!("Error loading ownership voucher with guid {}: {}", guid, e),
+                        )))
+                    }
+                };
+                let ov_pem = match ov.to_pem() {
+                    Ok(v) => v,
+                    Err(e) => {
+                        return Err(Rejection::from(fdo_http_wrapper::server::Error::new(
+                            ErrorCode::InternalServerError,
+                            fdo_data_formats::constants::MessageType::Invalid,
+                            &format!("Error converting ownership voucher to pem: {}", e),
+                        )))
+                    }
+                };
+                let mut res = Response::new(ov_pem.into());
+                res.headers_mut().insert(
+                    "Content-Type",
+                    warp::http::header::HeaderValue::from_static("application/x-pem-file"),
+                );
+                Ok(res)
+            },
+        );
+    let ud = user_data.clone();
+    let handler_export = warp::post()
+        .and(warp::path("export").map(move || (ud.clone())).and_then(
+            |ud: Arc<ManufacturingServiceUD>| async move {
+                match ud.ownership_voucher_store.load_all_data().await {
+                    Ok(ovs) => Ok(ovs),
+                    Err(_) => Err(Rejection::from(fdo_http_wrapper::server::Error::new(
+                        ErrorCode::InternalServerError,
+                        fdo_data_formats::constants::MessageType::Invalid,
+                        "Error loading ownership vouchers",
+                    ))),
+                }
+            },
+        ))
+        .map(|ovs: Vec<OwnershipVoucher>| {
+            if ovs.is_empty() {
+                let mut res = Response::new("".into());
+                *res.status_mut() = warp::http::StatusCode::NOT_FOUND;
+                return res;
+            }
+            let tmp_dir = TempDir::new("manufacturer-server-ovs").unwrap();
+            for ov in ovs {
+                let file_path = tmp_dir.path().join(ov.header().guid().to_string());
+                let tmp_file = File::create(file_path).unwrap();
+                OwnershipVoucher::serialize_to_writer(&ov, &tmp_file).unwrap();
+            }
+            let tmp_dir_archive = TempDir::new("manufacturer-server-ovs-archive").unwrap();
+            let tar_gz = File::create(tmp_dir_archive.path().join("ovs.tar.gz")).unwrap();
+            let mut tar = tar::Builder::new(tar_gz);
+            tar.append_dir_all(".", tmp_dir).unwrap();
+            tar.finish().unwrap();
+            let mut file = File::open(tmp_dir_archive.path().join("ovs.tar.gz")).unwrap();
+            let mut data: Vec<u8> = Vec::new();
+            match file.read_to_end(&mut data) {
+                Err(why) => {
+                    let mut res = Response::new(why.to_string().into());
+                    *res.status_mut() = warp::http::StatusCode::INTERNAL_SERVER_ERROR;
+                    res
+                }
+                Ok(_) => {
+                    let mut res = Response::new(data.into());
+                    res.headers_mut().insert(
+                        "Content-Type",
+                        warp::http::header::HeaderValue::from_static("application/x-tar"),
+                    );
+                    res
+                }
+            }
+        });
 
     // DI
     let handler_di_app_start = fdo_http_wrapper::server::fdo_request_filter(
@@ -307,7 +404,7 @@ async fn main() -> Result<()> {
     let routes = warp::post()
         .and(
             hello
-                .or(handler_ping)
+                .or(fdo_http_wrapper::server::ping_handler())
                 // DI
                 .or(handler_di_app_start)
                 .or(handler_di_set_hmac)
@@ -316,6 +413,8 @@ async fn main() -> Result<()> {
                 .or(handler_diun_request_key_parameters)
                 .or(handler_diun_provide_key),
         )
+        .or(handler_export)
+        .or(handler_ovs)
         .recover(fdo_http_wrapper::server::handle_rejection)
         .with(warp::log("manufacturing-server"));
 

manufacturing-server/src/main.rs

@@ -117,6 +117,7 @@ async fn _handle_report_to_rendezvous(udt: &OwnerServiceUDT, ov: &OwnershipVouch
 }
 
 async fn report_to_rendezvous(udt: OwnerServiceUDT) -> Result<()> {
+    // TODO: this below (query_data vs query_ovs_db) should be abstracted into the store's Filter's query stuff
     match udt.ownership_voucher_store.query_data().await {
         Ok(mut ft) => {
             ft.neq(

owner-onboarding-server/src/main.rs

@@ -15,6 +15,7 @@ serde = { version = "1", features = ["derive"] }
 serde_yaml = "0.9"
 tokio = { version = "1", features = ["full"] }
 tss-esapi = { version = "7.4", features = ["generate-bindings"] }
+reqwest = { version = "0.12.7", features = ["blocking"] }
 
 fdo-util = { path = "../util", version = "0.5.0" }
 fdo-data-formats = { path = "../data-formats", version = "0.5.0" }