add HTTPS support to owner onboarding server

http-wrapper/Cargo.toml

@@ -24,7 +24,7 @@ aws-nitro-enclaves-cose = "0.4.0"
 
 # Server-side
 uuid = { version = "1.3", features = ["v4"], optional = true }
-warp = { version = "0.3", optional = true }
+warp = { version = "0.3", optional = true, default-features = false }
 warp-sessions = { version = "1.0", optional = true }
 time = "0.3"
 

integration-tests/tests/ov_management.rs

@@ -0,0 +1,79 @@
+mod common;
+use anyhow::{bail, Context, Result};
+use common::{Binary, TestContext};
+
+#[tokio::test]
+async fn test_ov_management() -> Result<()> {
+    let mut ctx = TestContext::new().context("Error building test context")?;
+    // start server
+    let owner_onboarding_server = ctx
+        .start_test_server(
+            Binary::OwnerOnboardingServer,
+            |cfg| {
+                Ok(cfg.prepare_config_file(None, |cfg| {
+                    cfg.insert("serviceinfo_api_server_port", &8083);
+                    Ok(())
+                })?)
+            },
+            |_| Ok(()),
+        )
+        .context("Error creating owner server")?;
+    ctx.wait_until_servers_ready()
+        .await
+        .context("Error waiting for servers to start")?;
+
+    //sending request
+    let client = reqwest::Client::new();
+
+    let add_ov = client
+        .post(format!(
+            "https://localhost:{}/management/v1/ownership_voucher", //DevSkim: ignore DS137138
+            owner_onboarding_server.server_port().unwrap()
+        ))
+        .header("Authorization", "Bearer TestAdminToken")
+        .header("X-Number-Of-Vouchers", "1")
+        .header("content-type", "application/x-pem-file")
+        .body("THIS IS A INVALID BODY")
+        .send()
+        .await?;
+    let mut failed = Vec::new();
+    if add_ov.status() != 400 {
+        failed.push(TestCase {
+            action: "Add OV",
+            error: format!("expected 400 got {}", add_ov.status()),
+        })
+    }
+
+    let ov_list: [&str; 1] = ["89cb17fd-95e7-4de8-a36a-686926a7f88f"];
+    let delete_ov = client
+        .post(format!(
+            "http://localhost:{}/management/v1/ownership_voucher/delete",
+            owner_onboarding_server.server_port().unwrap()
+        ))
+        .json(&ov_list)
+        .send()
+        .await?;
+    if delete_ov.status() != 400 {
+        failed.push(TestCase {
+            action: "Delete OV",
+            error: format!("expected 400 got {}", delete_ov.status()),
+        })
+    }
+
+    if failed.is_empty() {
+        Ok(())
+    } else {
+        for failed_case in failed {
+            eprintln!("Failed test: {:?}", failed_case);
+        }
+        bail!("Some tests failed");
+    }
+}
+
+#[derive(Debug)]
+struct TestCase {
+    #[allow(dead_code)]
+    action: &'static str,
+    #[allow(dead_code)]
+    error: String,
+}

owner-onboarding-server/Cargo.toml

@@ -13,9 +13,12 @@ tokio = { version = "1", features = ["full"] }
 thiserror= "1"
 serde = "1"
 openssl = "0.10.55"
-warp = "0.3"
+warp = { version = "0.3", default-features = false, features = ["tls"]}
+hyper = { version = "0.14", features = ["tcp"] }
+tls-listener = { version = "0.7.0", features =  ["openssl", "hyper-h1"]}
 serde_bytes = "0.11"
 serde_cbor = "0.11"
+serde_json = "1.0.79"
 log = "0.4"
 serde_yaml = "0.9"
 time = "0.3"

owner-onboarding-server/src/main.rs

@@ -1,5 +1,6 @@
 use std::convert::{TryFrom, TryInto};
 use std::fs;
+use std::net::SocketAddr;
 use std::sync::Arc;
 
 use anyhow::{bail, Context, Result};
@@ -32,8 +33,15 @@ use fdo_util::servers::{
     configuration::{owner_onboarding_server::OwnerOnboardingServerSettings, AbsolutePathBuf},
     settings_for, OwnershipVoucherStoreMetadataKey,
 };
+use hyper::server::conn::AddrIncoming;
+use std::convert::Infallible;
+use tls_listener::TlsListener;
+
+pub mod tls_config;
 
 mod handlers;
+mod ov_management;
+use crate::ov_management::ov_filter;
 
 pub(crate) struct OwnerServiceUD {
     // Trusted keys
@@ -278,6 +286,7 @@ async fn main() -> Result<()> {
 
     // Bind information
     let bind_addr = settings.bind.clone();
+    let addr = SocketAddr::from(([0, 0, 0, 0], 8081));
 
     // Trusted keys
     let trusted_device_keys = {
@@ -423,32 +432,48 @@ async fn main() -> Result<()> {
                 .or(handler_to2_prove_device)
                 .or(handler_to2_device_service_info_ready)
                 .or(handler_to2_device_service_info)
-                .or(handler_to2_done),
+                .or(handler_to2_done)
+                .or(ov_filter(user_data.clone())),
         )
         .recover(fdo_http_wrapper::server::handle_rejection)
         .with(warp::log("owner-onboarding-service"));
 
-    log::info!("Listening on {}", bind_addr);
-    let server = warp::serve(routes);
-
-    let maintenance_runner =
-        tokio::spawn(async move { perform_maintenance(user_data.clone()).await });
-
-    let server = server
-        .bind_with_graceful_shutdown(bind_addr, async {
-            signal(SignalKind::terminate()).unwrap().recv().await;
-            log::info!("Terminating");
-        })
-        .1;
-    let server = tokio::spawn(server);
-
-    tokio::select!(
-    _ = server => {
-        log::info!("Server terminated");
-    },
-    _ = maintenance_runner => {
-        log::info!("Maintenance runner terminated");
+    log::info!("Listening on {}", addr);
+
+    let service = warp::service(routes);
+
+    let make_svc = hyper::service::make_service_fn(move |_| {
+        let svc = service.clone();
+        async move { Ok::<_, Infallible>(svc) }
     });
 
+    let incoming = TlsListener::new(
+        tls_config::tls_config::tls_acceptor(),
+        AddrIncoming::bind(&addr)?,
+    );
+    let server = hyper::Server::builder(incoming).serve(make_svc);
+    log::info!("starting at https://{}", addr);
+    server.await?;
+    // let server = warp::serve(routes);
+
+    // let maintenance_runner =
+    //     tokio::spawn(async move { perform_maintenance(user_data.clone()).await });
+
+    // let server = server
+    //     .bind_with_graceful_shutdown(bind_addr, async {
+    //         signal(SignalKind::terminate()).unwrap().recv().await;
+    //         log::info!("Terminating");
+    //     })
+    //     .1;
+    // let server = tokio::spawn(server);
+
+    // tokio::select!(
+    // _ = server => {
+    //     log::info!("Server terminated");
+    // },
+    // _ = maintenance_runner => {
+    //     log::info!("Maintenance runner terminated");
+    // });
+
     Ok(())
 }