Initial proof of concept of a constellation-based verification service (#62)

* Initial proof of concept of a constellation-based verification service

* Require origin when requesting verification.

Author: jsantell

Cargo.lock

@@ -2,7 +2,8 @@
 members = [
   "rust/usuba",
   "rust/usuba-compat",
-  "rust/usuba-bundle"
+  "rust/usuba-bundle",
+  "rust/verification-svc"
 ]
 
 # See: https://github.com/rust-lang/rust/issues/90148#issuecomment-949194352
@@ -14,6 +15,7 @@ async-trait = { version = "0.1" }
 axum = { version = "0.7" }
 blake3 = { version = "1.5" }
 bytes = { version = "1" }
+clap = { version = "4.5" }
 deno_emit = { version = "0.42" }
 deno_graph = { version = "0.78" }
 http = { version = "1.1" }

Cargo.toml

@@ -0,0 +1,21 @@
+[package]
+name = "verification-svc"
+description = "A local service that can verify a Constellation cluster"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+anyhow = { workspace = true }
+async-trait = { workspace = true }
+axum = { workspace = true }
+clap = { workspace = true, features = ["derive"] }
+serde = { workspace = true, features = ["derive"] }
+serde_json = { workspace = true }
+yaml-rust2 = { version = "0.8.1" }
+tempfile = { workspace = true }
+thiserror = { workspace = true }
+tokio = { workspace = true, features = ["rt-multi-thread", "process", "fs"] }
+tower-http = { workspace = true, features = ["cors"] }
+tracing = { workspace = true }
+tracing-subscriber = { workspace = true }
+url = { workspace = true }

rust/verification-svc/Cargo.toml

@@ -0,0 +1,17 @@
+# verification-svc 
+
+Initial prototype exposing `constellation verify` to a web service to report
+cluster verification to other properties. This is a part of evaluating Constellation and how to expose external verification of a cluster, will most likely be significantly reworked, and should *not* be trusted as anything beyond a demo.
+
+## Usage
+
+Run providing a path to a directory containing `constellation-state.yaml` and `constellation-conf.yaml`, ensuring `constellation` is installed and configured:
+
+```sh
+$ verification-svc /path/to/constellation_dir
+```
+
+```sh
+$ curl -H "Content-Type: application/json" -d '{"origin":"50.0.0.20"}' http://0.0.0.0:30125/api/v0/verify
+{"success":true}
+```

rust/verification-svc/README.md

@@ -0,0 +1,14 @@
+use clap::Parser;
+use std::path::PathBuf;
+
+#[derive(Parser)]
+#[command(version, about, long_about = None)]
+pub struct Cli {
+    /// The path to the directory containing
+    /// `constellation-conf.yaml` and `constellation-state.yaml`
+    pub config_dir: PathBuf,
+
+    /// Port to listen on
+    #[arg(short, long, default_value_t = 30125)]
+    pub port: u16,
+}

rust/verification-svc/src/cli.rs

@@ -0,0 +1,71 @@
+use anyhow::{anyhow, Result};
+use std::{
+    fs,
+    path::{Path, PathBuf},
+    process::Command,
+};
+use yaml_rust2::YamlLoader;
+
+fn check_path_exists(path: &Path) -> Result<()> {
+    match path.exists() {
+        true => Ok(()),
+        false => Err(anyhow!("{} could not be found.", path.to_string_lossy())),
+    }
+}
+
+/// Represents stored measurements for a cluster by origin.
+#[derive(Clone)]
+pub struct ClusterMeasurements {
+    measurements_dir: PathBuf,
+    origin: String,
+}
+
+impl ClusterMeasurements {
+    pub fn measurements_dir(&self) -> &Path {
+        &self.measurements_dir
+    }
+
+    pub fn origin(&self) -> &str {
+        &self.origin
+    }
+
+    /// Verify cluster against stored measurements.
+    pub fn verify(&self) -> Result<bool> {
+        //pub fn verify(cluster_url: &Url, cluster_id: &str) -> Result<bool> {
+        let output = Command::new("constellation")
+            .current_dir(&self.measurements_dir)
+            .arg("verify")
+            //.arg("-e")
+            //.arg(cluster_url.as_str())
+            //.arg("--cluster-id")
+            //.arg(cluster_id)
+            .output()?;
+        Ok(output.status.success())
+    }
+}
+
+impl TryFrom<&Path> for ClusterMeasurements {
+    type Error = anyhow::Error;
+    fn try_from(measurements_dir: &Path) -> std::result::Result<Self, Self::Error> {
+        let state_path = measurements_dir.join("constellation-state.yaml");
+        let conf_path = measurements_dir.join("constellation-conf.yaml");
+        check_path_exists(&state_path)?;
+        check_path_exists(&conf_path)?;
+
+        let state_yaml = YamlLoader::load_from_str(&fs::read_to_string(&state_path)?)?;
+        let endpoint_yaml = &state_yaml[0]["infrastructure"]["clusterEndpoint"];
+        if endpoint_yaml.is_badvalue() {
+            return Err(anyhow!(
+                "constellation-conf.yaml does not contain cluster endpoint."
+            ));
+        }
+        let origin = endpoint_yaml
+            .as_str()
+            .ok_or_else(|| anyhow!("constellation-conf.yaml cluster endpoint is not a string."))?;
+
+        Ok(ClusterMeasurements {
+            origin: origin.to_owned(),
+            measurements_dir: measurements_dir.to_owned(),
+        })
+    }
+}