chore: Merge branch 'release/4.13.0'

Cosmian · Mar 8, 2024 · ac8779e · ac8779e
2 parents fb1ed54 + 9106060
commit ac8779e
Show file tree

Hide file tree

Showing 215 changed files with 6,216 additions and 4,261 deletions.
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -16,6 +16,7 @@ ignore = [
   "RUSTSEC-2023-0018", # openssl-src
   "RUSTSEC-2023-0034", # openssl-src
   "RUSTSEC-2023-0071", # rsa
+  "RUSTSEC-2023-0079", # pqc-kyber
 ]
 # informational_warnings = ["unmaintained"] # warn for categories of informational advisories
 # severity_threshold = "low" # CVSS severity ("none", "low", "medium", "high", "critical")

diff --git a/.github/workflows/build_all.yml b/.github/workflows/build_all.yml
@@ -17,7 +17,18 @@ jobs:
       archive-name: centos7_tests
       commands: |
         cargo build --bins
-        cargo test -- --nocapture
+        cargo test --workspace -- --nocapture
+      artifacts: ''
+
+  rhel9-tests:
+    uses: ./.github/workflows/build_rhel9.yml
+    secrets: inherit
+    with:
+      toolchain: ${{ inputs.toolchain }}
+      archive-name: rhel9_tests
+      commands: |
+        cargo build --bins
+        cargo test --workspace -- --nocapture
       artifacts: ''
 
   fips-centos7-test:
@@ -28,7 +39,7 @@ jobs:
       archive-name: fips_centos7_tests
       commands: |
         cargo build --bins --features fips
-        cargo test --features fips -- --nocapture
+        cargo test --workspace --features fips -- --nocapture
       artifacts: ''
 
   ubuntu-20-tests:
@@ -40,7 +51,7 @@ jobs:
       archive-name: ubuntu_20_04_tests
       commands: |
         cargo build --bins
-        cargo test -- --nocapture --skip test_mysql --skip test_pgsql --skip test_redis
+        cargo test --workspace -- --nocapture --skip test_mysql --skip test_pgsql --skip test_redis
       artifacts: ''
 
   fips-ubuntu-20-tests:
@@ -52,7 +63,7 @@ jobs:
       archive-name: fips_ubuntu_20_04_tests
       commands: |
         cargo build --bins --features fips
-        cargo test --features fips -- --nocapture --skip test_mysql --skip test_pgsql --skip test_redis
+        cargo test --workspace --features fips -- --nocapture --skip test_mysql --skip test_pgsql --skip test_redis
       artifacts: ''
 
   ubuntu-22-tests:
@@ -64,5 +75,5 @@ jobs:
       archive-name: ubuntu_22_04_tests
       commands: |
         cargo build --bins
-        cargo test -- --nocapture --skip test_mysql --skip test_pgsql --skip test_redis
+        cargo test --workspace -- --nocapture --skip test_mysql --skip test_pgsql --skip test_redis
       artifacts: ''
diff --git a/.github/workflows/build_all_release.yml b/.github/workflows/build_all_release.yml
@@ -25,6 +25,22 @@ jobs:
         target/release/ckms
         target/release/cosmian_kms_server
 
+  rhel9:
+    uses: ./.github/workflows/build_rhel9.yml
+    secrets: inherit
+    with:
+      toolchain: ${{ inputs.toolchain }}
+      archive-name: rhel9
+      commands: |
+        cargo build --release --bins
+
+        # Check binaries
+        target/release/ckms -h
+        target/release/cosmian_kms_server -h
+      artifacts: |
+        target/release/ckms
+        target/release/cosmian_kms_server
+
   fips-centos7:
     uses: ./.github/workflows/build_centos7.yml
     secrets: inherit

diff --git a/.github/workflows/build_docker_image.yml b/.github/workflows/build_docker_image.yml
@@ -89,7 +89,7 @@ jobs:
       - build-and-push-image
     uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_kms_js.yml@develop
     with:
-      branch: develop
+      branch: feature/covercrypt_rekey
       kms-version: ${{ needs.build-and-push-image.outputs.image-tag }}
 
   cloudproof_java:
@@ -98,7 +98,7 @@ jobs:
       - build-and-push-image
     uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_java_in_docker.yml@develop
     with:
-      branch: develop
+      branch: feature/covercrypt_rekey
       target: x86_64-unknown-linux-gnu
       extension: so
       destination: linux-x86-64
@@ -113,7 +113,7 @@ jobs:
       - build-and-push-image
     uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_python.yml@develop
     with:
-      branch: develop
+      branch: feature/covercrypt-rekey
       target: x86_64-unknown-linux-gnu
       kms-version: ${{ needs.build-and-push-image.outputs.image-tag }}
       copy_fresh_build: true

diff --git a/.github/workflows/build_rhel9.yml b/.github/workflows/build_rhel9.yml
@@ -0,0 +1,139 @@
+---
+name: RHEL
+
+on:
+  workflow_call:
+    inputs:
+      toolchain:
+        required: true
+        type: string
+      commands:
+        required: true
+        type: string
+      archive-name:
+        required: true
+        type: string
+      artifacts:
+        required: true
+        type: string
+
+env:
+  OPENSSL_DIR: /usr/local/openssl
+
+jobs:
+  rhel9-tests:
+    services:
+      # Label used to access the service container
+      postgres:
+        # Docker Hub image
+        image: postgres
+        # Provide the password for postgres
+        env:
+          POSTGRES_USER: kms
+          PGUSER: kms
+          POSTGRES_PASSWORD: kms
+          POSTGRES_DB: kms
+        # Set health checks to wait until postgres has started
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+      mariadb:
+        image: mariadb
+        env:
+          MYSQL_DATABASE: kms
+          MYSQL_ROOT_PASSWORD: kms
+
+      redis:
+        image: redis
+        options: >-
+          --health-cmd "redis-cli ping"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 6379:6379
+
+    runs-on: ubuntu-22.04
+    name: ${{ inputs.archive-name }}
+    container:
+      image: alvistack/rhel-9
+
+    steps:
+      - name: Display cpuinfo
+        run: cat /proc/cpuinfo
+
+      - uses: actions/checkout@v3
+
+      - name: RHEL 9 prerequisites
+        run: |
+          set -x
+
+          # Disable subscription manager
+          sed -i "s/enabled=1/enabled=0/g" /etc/yum/pluginconf.d/subscription-manager.conf
+          rm -rfv /var/cache/yum/*
+          yum clean all
+
+          yum -y install curl wget
+          yum -y install perl-IPC-Cmd perl-Digest-SHA1 perl-CPAN perl-devel
+
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ inputs.toolchain }}
+          components: rustfmt, clippy
+
+      - name: Local OpenSSL FIPS Install
+        run: |
+          bash ./scripts/local_ossl_instl.sh ${{ env.OPENSSL_DIR }}
+
+      - name: Pre-cleanup
+        run: |
+          set -x
+          rm -rf /tmp/sqlite-data /tmp/tmp.json
+
+      - name: Build and tests
+        run: |
+          set -x
+          ${{ inputs.commands }}
+        env:
+          OPENSSL_DIR: ${{ env.OPENSSL_DIR }}
+          RUST_LOG: cosmian_kms_server=trace
+
+          POSTGRES_USER: kms
+          PGUSER: kms
+          POSTGRES_PASSWORD: kms
+          POSTGRES_DB: kms
+          KMS_POSTGRES_URL: postgres://kms:kms@postgres/kms
+
+          MYSQL_DATABASE: kms
+          MYSQL_ROOT_PASSWORD: kms
+          KMS_MYSQL_URL: mysql://root:kms@mariadb/kms
+
+          KMS_ENCLAVE_DIR_PATH: data/public
+          KMS_SQLITE_PATH: data/shared
+          KMS_CERTBOT_SSL_PATH: data/private
+
+          REDIS_HOST: redis
+
+          # Google variables
+          TEST_GOOGLE_OAUTH_CLIENT_ID: ${{ secrets.TEST_GOOGLE_OAUTH_CLIENT_ID }}
+          TEST_GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.TEST_GOOGLE_OAUTH_CLIENT_SECRET }}
+          TEST_GOOGLE_OAUTH_REFRESH_TOKEN: ${{ secrets.TEST_GOOGLE_OAUTH_REFRESH_TOKEN }}
+
+          # Speeds up Ristretto 25519 multiplication x 2
+          RUSTFLAGS: --cfg curve25519_dalek_backend="simd" -C target-cpu=native
+
+      - name: Remove large files before saving cache
+        run: |
+          find target/ -type f -size +40M -delete
+
+      - name: Upload KMS for RHEL 9
+        if: inputs.artifacts != ''
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ inputs.archive-name }}
+          path: ${{ inputs.artifacts }}
+          retention-days: 1
+          if-no-files-found: error
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -19,9 +19,6 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
-  cargo-udeps:
-    uses: Cosmian/reusable_workflows/.github/workflows/cargo-udeps.yml@develop
-
   cargo-lint:
     uses: ./.github/workflows/clippy.yml
     with:

diff --git a/.github/workflows/main_release.yml b/.github/workflows/main_release.yml
@@ -1,5 +1,5 @@
 ---
-name: CI release
+name: CI nightly release
 
 on:
   push:
@@ -25,9 +25,6 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
-  cargo-udeps:
-    uses: Cosmian/reusable_workflows/.github/workflows/cargo-udeps.yml@develop
-
   cargo-lint:
     uses: ./.github/workflows/clippy.yml
     with:
@@ -78,6 +75,9 @@ jobs:
           - archive_name: centos7
             kms_path: .
             os: ubuntu-20.04
+          - archive_name: rhel9
+            kms_path: .
+            os: ubuntu-22.04
           - archive_name: fips_centos7
             kms_path: __w/kms/kms/target/release
             os: ubuntu-20.04
@@ -136,19 +136,17 @@ jobs:
     name: release
     needs:
       - cargo-audit
-      - cargo-udeps
       - cargo-lint
       - cargo-doc
       - build
       - python_and_docker
       - clean_env_test
-      - ckms_gui
     runs-on: [self-hosted, not-sgx]
     env:
-      ARCHIVE_NAMES: centos7 fips_centos7 ubuntu_20_04 fips_ubuntu_20_04 ubuntu_22_04 macos windows kms_python_linux kms_python_macos kms_python_windows
+      ARCHIVE_NAMES: centos7 rhel9 fips_centos7 ubuntu_20_04 fips_ubuntu_20_04 ubuntu_22_04 macos windows kms_python_linux kms_python_macos kms_python_windows
 
     steps:
-      - run: rm -rf kms_* fips_* python-* windows* ubuntu* macos centos7
+      - run: rm -rf kms_* fips_* python-* windows* ubuntu* macos centos7 rhel9
       - uses: actions/download-artifact@v3
       - run: find .
 

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -142,6 +142,12 @@ repos:
           - markdown-katex
         entry: bash -c 'cd documentation && mkdocs build --strict'
 
+  - repo: https://github.com/cisagov/pre-commit-packer
+    rev: v0.0.2
+    hooks:
+      - id: packer_validate
+      - id: packer_fmt
+
   - repo: https://github.com/Cosmian/git-hooks.git
     rev: v1.0.25
     hooks:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,30 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.13.0] - 2024-03-08
+
+### Features
+
+- Save KMIP Attributes in a proper column of `Objects` table [#166](https://github.com/Cosmian/kms/pull/166):
+  - Remove all custom tags `_cert_spki`, `_cert_cn`, `_cert_issuer` and `_cert_sk`
+- Add support for CoverCrypt `rekey`, `prune`, and `Policy` editing methods [#179](https://github.com/Cosmian/kms/pull/179):
+  - Add CLI commands to perform these actions
+- Accurate CryptographicUsageMask for KMIP creation (RSA and EC keys) [#189](https://github.com/Cosmian/kms/pull/189) and [#187](https://github.com/Cosmian/kms/pull/187).
+
+### Refactor
+
+- Rework utils/crypto [#178](https://github.com/Cosmian/kms/pull/178).
+
+### Ci
+
+- Add build on RHEL9 [#196](https://github.com/Cosmian/kms/pull/196).
+
+### Bug fixes
+
+- Fixing inconsistent crypto consts [#190](https://github.com/Cosmian/kms/pull/190).
+- Fix interpolation in error macros [#184](https://github.com/Cosmian/kms/pull/184).
+- Move internal KMIP Objects into `Box` to avoid stack memory overflow [#200](https://github.com/Cosmian/kms/pull/200).
+
 ## [4.12.0] - 2024-02-08
 
 ### Features