Skip to content

Commit bb10bf3

Browse files
committed
chore: Merge branch 'release/5.13.0'
2 parents 0dc86c2 + 00991ac commit bb10bf3

448 files changed

Lines changed: 42413 additions & 6840 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.cargo/config.toml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,10 @@ format = "fmt --all -- --check"
66
build-all = "build --workspace --all-targets --all-features --bins"
77
build-all-release = "build --release --workspace --all-targets --all-features --bins"
88

9+
# Test FIPS and non-FIPS builds
10+
test-fips = "test --lib --workspace"
11+
test-non-fips = "test --lib --workspace --features non-fips"
12+
913
# Run Clippy on all code paths
1014
clippy-all = "clippy --workspace --all-targets --all-features -- -D warnings"
1115

@@ -15,6 +19,10 @@ coverage = "tarpaulin --release -v -f -t 1800 --out Xml --ignore-tests --exclude
1519
# Find unused dependencies
1620
deps = "udeps --workspace --all-targets --all-features --backend depinfo"
1721

22+
# Publish dry-run helpers (allow dirty tree during local checks)
23+
publish-dry = "publish --dry-run --workspace --allow-dirty"
24+
publish-dry-crate = "publish --dry-run --allow-dirty"
25+
1826
###
1927
# This options have been commented out because the Github runners responsible to build the KMS docker image have unpredictable CPU architectures, resulting in an error code 132 when running the generated container.
2028
# However, those flags are specifically given by CI in other builds (macos, windows, linux, centos7) in cargo_build.yml via the RUSTFLAGS environment variable.

.github/README.md

Lines changed: 834 additions & 0 deletions
Large diffs are not rendered by default.

.github/copilot-instructions.md

Lines changed: 62 additions & 159 deletions
Original file line numberDiff line numberDiff line change
@@ -1,196 +1,99 @@
1-
# Cosmian KMS
1+
# Cosmian KMS — Build and Test Guide
22

3-
Cosmian KMS is a high-performance, open-source FIPS 140-3 compliant Key Management System written in Rust. The repository contains the KMS server (`cosmian_kms_server`) and supporting libraries for cryptographic operations, database management, and various integrations.
3+
Cosmian KMS is a high-performance, open-source FIPS 140-3 compliant Key Management System written in Rust.
44

5-
Always reference these instructions first and fallback to search or bash commands only when you encounter unexpected information that does not match the info here.
5+
## Quick start
66

7-
## Working Effectively
8-
9-
- **Bootstrap and build the repository:**
10-
11-
- First, initialize git submodules: `git submodule update --recursive --init`
12-
- System requires Rust stable toolchain (1.90.0) with rustfmt and clippy components
13-
- OpenSSL 3.2.0 is REQUIRED (not 3.0.13+) for proper FIPS compliance and static linking
14-
- OpenSSL must be installed to `/usr/local/openssl` using `.github/reusable_scripts/get_openssl_binaries.sh`
15-
- Build process follows CI workflow: `bash .github/scripts/cargo_build.sh`
16-
- Environment variables required: `OPENSSL_DIR=/usr/local/openssl`, `DEBUG_OR_RELEASE=debug|release`
17-
- For non-FIPS builds: `FEATURES=non-fips`
18-
- The CLI binary `cosmian` IS built in this repository and included in build artifacts
19-
20-
- **UI and Packaging:**
7+
```bash
8+
# Build the project (FIPS mode is default)
9+
cargo build --release
2110

22-
- UI is built on Ubuntu distributions using `bash .github/scripts/build_ui.sh`
23-
- UI files are located in `crate/server/ui` directory
24-
- Release builds create Debian packages via `cargo deb -p cosmian_kms_server`
25-
- RPM packages created via `cargo generate-rpm -p crate/server`
26-
- Packages support both FIPS and non-FIPS variants
11+
# Run tests (FIPS mode is default)
12+
cargo test
2713

28-
- **Testing and validation:**
14+
# For non-FIPS mode (includes additional algorithms)
15+
cargo build --release --features non-fips
16+
cargo test --features non-fips
17+
```
2918

30-
- Multi-database testing: sqlite, postgresql, mysql, redis-findex
31-
- Database environment variables: `KMS_POSTGRES_URL=postgresql://kms:kms@127.0.0.1:5432/kms`, `KMS_MYSQL_URL=mysql://kms:kms@localhost:3306/kms`, `KMS_SQLITE_PATH=data/shared`
32-
- MySQL tests are currently disabled (skipped in CI)
33-
- Redis-findex tests skipped in FIPS mode (not supported)
34-
- Debug builds only test sqlite; release builds test all enabled databases
35-
- macOS runners only support sqlite tests (no docker containers)
36-
- HSM testing on Ubuntu with Utimaco: `HSM_USER_PASSWORD="12345678" cargo test -p utimaco_pkcs11_loader --features utimaco`
37-
- Logging control: `RUST_LOG="cosmian_kms_cli=error,cosmian_kms_server=error,cosmian_kmip=error,test_kms_server=error"`
38-
- Test execution: `cargo test --workspace --lib $RELEASE $FEATURES -- --nocapture $SKIP_SERVICES_TESTS`
19+
## Testing
3920

40-
- **Build artifacts and binaries:**
21+
```bash
22+
# Run all tests (FIPS mode is default)
23+
cargo test
4124

42-
- Primary binaries: `cosmian`, `cosmian_kms`, `cosmian_findex_server`
43-
- Binary locations: `target/$DEBUG_OR_RELEASE/` (e.g., `target/debug/`)
44-
- Release builds include benchmarks: `cargo bench $FEATURES --no-run`
45-
- Static linking verified (no dynamic OpenSSL dependencies): `ldd cosmian_kms | grep ssl` should fail
46-
- Version verification: `cosmian_kms --info` must show OpenSSL 3.2.0
47-
- Binary tests: `cargo test --workspace --bins $RELEASE $FEATURES`
25+
# Run tests for a specific package
26+
cargo test -p cosmian_kms_server
27+
cargo test -p cosmian_kms_cli
4828

49-
- **Run the KMS server:**
29+
# Run specific test suites
30+
cargo test sqlite # SQLite tests
31+
cargo test postgres # PostgreSQL tests (requires local PostgreSQL)
32+
cargo test redis # Redis tests
5033

51-
- ALWAYS build first using the build script above
52-
- Debug mode: `./target/debug/cosmian_kms --database-type sqlite --sqlite-path /tmp/kms-data`
53-
- Release mode: `./target/release/cosmian_kms --database-type sqlite --sqlite-path /tmp/kms-data`
54-
- Server listens on <http://0.0.0.0:9998> by default
55-
- Supported databases: sqlite, postgresql, mysql, redis-findex (redis-findex not available in FIPS mode)
34+
# Run tests in non-FIPS mode (includes additional algorithms)
35+
cargo test --features non-fips
36+
cargo test --features non-fips sqlite
37+
```
5638

57-
- **Docker usage:**
58-
- Development with services: `docker compose up -d` (starts postgresql, mysql, redis)
59-
- Production: `docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:latest`
60-
- Pre-built images include UI at <http://localhost:9998/ui>
61-
- Local Docker builds use the same OpenSSL setup as CI
39+
Environment variables for DB tests:
6240

63-
## Validation
41+
- `KMS_POSTGRES_URL=postgresql://kms:kms@127.0.0.1:5432/kms`
42+
- `KMS_MYSQL_URL=mysql://kms:kms@localhost:3306/kms`
43+
- `KMS_SQLITE_PATH=data/shared`
6444

65-
- **CRITICAL**: Always manually test server functionality after making changes by starting the server and verifying it responds to HTTP requests
66-
- Test server startup: Start server with `--database-type sqlite --sqlite-path /tmp/test-db`
67-
- Test API responses: `curl -s -X POST -H "Content-Type: application/json" -d '{}' http://localhost:9998/kmip/2_1` should return KMIP validation error (confirms server is working)
68-
- Test server version: `./target/release/cosmian_kms --version` should show version 5.12.1
69-
- OpenSSL validation: `./target/release/cosmian_kms --info` should show OpenSSL 3.2.0
70-
- Static linking check: `ldd ./target/release/cosmian_kms | grep ssl` should return empty (no dynamic OpenSSL)
71-
- Always run `cargo fmt --check` before committing (takes 3 seconds)
72-
- Clippy requires installation: `rustup component add clippy`
45+
Notes:
7346

74-
## Common tasks
47+
- MySQL tests are currently disabled in CI
48+
- Redis-findex tests are skipped in FIPS mode
49+
- FIPS mode is the default; use `--features non-fips` for non-approved algorithms
50+
- Start database backends with `docker compose up -d` before running DB tests
7551

76-
The following are outputs from frequently run commands. Reference them instead of viewing, searching, or running bash commands to save time.
52+
## Running the server
7753

78-
### Repo root structure
54+
After building, you can run the server manually:
7955

80-
```text
81-
.cargo/ # Cargo configuration
82-
.github/ # CI/CD workflows and scripts
83-
scripts/ # Build scripts (cargo_build.sh, build_ui.sh)
84-
reusable_scripts/ # OpenSSL setup scripts
85-
crate/ # Rust workspace crates
86-
server/ # KMS server binary crate
87-
ui/ # Web UI files (built by build_ui.sh)
88-
cli/ # CLI binary crate (cosmian)
89-
crypto/ # Cryptographic operations
90-
kmip/ # KMIP protocol implementation
91-
client_utils/ # Client utilities
92-
kms_client/ # KMS client library
93-
access/ # Access control
94-
interfaces/ # Database and HSM interfaces
95-
server_database/ # Database management
96-
hsm/ # HSM integrations (proteccio, utimaco, softhsm2)
97-
documentation/ # Project documentation
98-
docker-compose.yml # Development services (postgres, mysql, redis)
99-
Dockerfile # Container build
100-
README.md # Project documentation
101-
Cargo.toml # Workspace configuration
102-
rust-toolchain.toml # Rust toolchain: 1.90.0
56+
```bash
57+
cargo run --release --bin cosmian_kms -- --database-type sqlite --sqlite-path /tmp/kms-data
10358
```
10459

105-
### Key build commands and timing
60+
Or run the compiled binary directly:
10661

10762
```bash
108-
# Full CI build process (includes UI, packaging, multi-database tests)
109-
git submodule update --recursive --init
110-
export OPENSSL_DIR=/usr/local/openssl
111-
export DEBUG_OR_RELEASE=debug # or release
112-
export FEATURES=non-fips # optional, for non-FIPS builds
113-
114-
# OpenSSL setup (required first)
115-
sudo mkdir -p /usr/local/openssl/ssl /usr/local/openssl/lib64/ossl-modules
116-
sudo chown -R $USER /usr/local/openssl
117-
bash .github/reusable_scripts/get_openssl_binaries.sh
118-
bash .github/scripts/cargo_build.sh
119-
120-
121-
# UI build (Ubuntu only)
122-
bash .github/scripts/build_ui.sh
123-
124-
# Individual builds (after OpenSSL setup)
125-
cargo build --features non-fips
126-
cargo build --release --features non-fips
127-
128-
# Multi-database testing
129-
export KMS_TEST_DB=sqlite # or postgresql, mysql, redis-findex
130-
cargo test --workspace --lib --features non-fips
131-
132-
# HSM testing (Ubuntu only)
133-
bash .github/reusable_scripts/test_utimaco.sh
134-
HSM_USER_PASSWORD="12345678" cargo test -p utimaco_pkcs11_loader --features utimaco
135-
136-
# Packaging (release builds only)
137-
cargo install cargo-deb cargo-generate-rpm
138-
cargo deb -p cosmian_kms_server
139-
cargo generate-rpm -p crate/server
140-
141-
# Format check (3 seconds)
142-
cargo fmt --check
63+
./target/release/cosmian_kms --database-type sqlite --sqlite-path /tmp/kms-data
14364
```
14465

145-
### Server startup and validation
66+
Basic API probe:
14667

14768
```bash
148-
# Start server (debug)
149-
./target/debug/cosmian_kms --database-type sqlite --sqlite-path /tmp/kms-data
150-
151-
# Start server (release)
152-
./target/release/cosmian_kms --database-type sqlite --sqlite-path /tmp/kms-data
153-
154-
# Test server is responding
15569
curl -s -X POST -H "Content-Type: application/json" -d '{}' http://localhost:9998/kmip/2_1
156-
# Expected response: "Invalid Request: missing field `tag` at line 1 column 2"
70+
```
15771

158-
# Check version and OpenSSL
159-
./target/release/cosmian_kms --version
160-
# Expected: "cosmian_kms_server 5.12.1"
72+
Expected response is a KMIP validation error, confirming the server is alive.
16173

162-
./target/release/cosmian_kms --info
163-
# Expected: Output containing "OpenSSL 3.2.0"
74+
## Repository layout (high level)
16475

165-
# Verify static linking (should return empty)
166-
ldd ./target/release/cosmian_kms | grep ssl
76+
```text
77+
.github/ # CI workflows and scripts
78+
crate/ # Rust workspace crates (server, cli, crypto, …)
79+
pkg/ # Packaging metadata (deb/rpm service files, configs)
80+
documentation/ # Documentation and guides
81+
resources/ # Configuration files and resources
82+
test_data/ # Test fixtures and data
83+
ui/ # Web UI source
16784
```
16885

169-
### Docker quick start
86+
## Tips
87+
88+
- Format/lints: run `cargo fmt --check` and `cargo clippy` to check code style
89+
- Use `cargo build --release` for optimized builds
90+
- Run `cargo test` frequently to ensure changes don't break functionality
91+
92+
## Docker
17093

17194
```bash
172-
# Pull and run pre-built image (includes UI)
17395
docker pull ghcr.io/cosmian/kms:latest
17496
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:latest
175-
176-
# Development with services
177-
docker compose up -d
178-
179-
# Access UI
180-
curl http://localhost:9998/ui
181-
# Expected: HTML content with KMS web interface
18297
```
18398

184-
## Important notes
185-
186-
- **OpenSSL Version**: OpenSSL 3.2.0 is mandatory, not 3.0.13+. The build verifies this specific version.
187-
- **Static Linking**: All binaries must be statically linked with OpenSSL. CI verifies no dynamic OpenSSL dependencies.
188-
- **Build Artifacts**: Three primary binaries are built: `cosmian`, `cosmian_kms`, `cosmian_findex_server`
189-
- **Database Testing**: Only sqlite works in debug mode and on macOS. Full database testing requires release builds.
190-
- **FIPS vs non-FIPS**: Redis-findex database support is not available in FIPS mode
191-
- **UI Building**: UI is only built on Ubuntu distributions and requires separate build script
192-
- **Packaging**: Debian and RPM packages are created as part of release builds with proper FIPS/non-FIPS variants
193-
- **HSM Support**: Utimaco HSM testing is included but only runs on Ubuntu with specific setup
194-
- **MySQL**: MySQL database tests are currently disabled in CI
195-
- **Workspace**: Build from workspace root using cargo_build.sh script, not individual crate directories
196-
- **HashMaps**: Verify that when creating HashMaps, use `HashMap::with_capacity(n)` to avoid unnecessary reallocations instead of `HashMap::new()`.
99+
Images include the UI at `http://localhost:9998/ui`.

0 commit comments

Comments
 (0)