Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 37 additions & 2 deletions crates/tessera-issuer/src/key_provider.rs
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@ impl KeyProviderConfig {
match self {
Self::Ephemeral => Ok(()),
Self::File { path } => check_path_usable(path, "TESSERA_KEY_FILE"),
Self::DstackKms { socket, key_id } => crate::dstack_kms::preflight(socket, key_id),
Self::DstackKms { socket, key_id } => dstack_preflight(socket, key_id),
}
}

Expand All @@ -116,7 +116,7 @@ impl KeyProviderConfig {
match self {
Self::Ephemeral => Ok(ServerPrivateKey::setup(rng)),
Self::File { path } => Ok(ensure_shared_key(path)),
Self::DstackKms { socket, key_id } => crate::dstack_kms::establish(socket, key_id),
Self::DstackKms { socket, key_id } => dstack_establish(socket, key_id),
}
}

Expand All @@ -140,6 +140,41 @@ impl KeyProviderConfig {
}
}

// `dstack-kms` parses on every platform (so config validation is portable), but it
// can only *run* on Unix (it talks to the guest-agent Unix socket). On a non-Unix
// target it fails closed at preflight/establish rather than failing to compile.
#[cfg(unix)]
fn dstack_preflight(socket: &str, key_id: &str) -> Result<(), String> {
crate::dstack_kms::preflight(socket, key_id)
}

#[cfg(not(unix))]
fn dstack_preflight(_socket: &str, _key_id: &str) -> Result<(), String> {
Err(
"TESSERA_KEY_PROVIDER=dstack-kms requires a Unix platform (the dstack guest-agent socket)"
.to_string(),
)
}

#[cfg(unix)]
fn dstack_establish(
socket: &str,
key_id: &str,
) -> Result<(ServerPrivateKey, ServerPublicKey), String> {
crate::dstack_kms::establish(socket, key_id)
}

#[cfg(not(unix))]
fn dstack_establish(
_socket: &str,
_key_id: &str,
) -> Result<(ServerPrivateKey, ServerPublicKey), String> {
Err(
"TESSERA_KEY_PROVIDER=dstack-kms requires a Unix platform (the dstack guest-agent socket)"
.to_string(),
)
}

fn reject_key_file_with_provider(provider: &str, key_file: Option<&str>) -> Result<(), String> {
if key_file.is_some() {
Err(format!(
Expand Down
4 changes: 4 additions & 0 deletions crates/tessera-issuer/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,10 @@ use rand_core::RngCore;
use sha2::{Digest, Sha256};
use std::collections::HashSet;

// dstack-kms is a Unix-domain-socket client (the dstack guest agent); it is
// Unix-only, so it is not compiled for non-Unix targets such as the `wasm32`
// build of this crate.
#[cfg(unix)]
pub mod dstack_kms;
pub mod key_provider;
pub mod keyfile;
Expand Down
Loading