|
1 | | -# Cosmian KMS |
| 1 | +# Cosmian KMS — Build and Test Guide |
2 | 2 |
|
3 | | -Cosmian KMS is a high-performance, open-source FIPS 140-3 compliant Key Management System written in Rust. The repository contains the KMS server (`cosmian_kms_server`) and supporting libraries for cryptographic operations, database management, and various integrations. |
| 3 | +Cosmian KMS is a high-performance, open-source FIPS 140-3 compliant Key Management System written in Rust. |
4 | 4 |
|
5 | | -Always reference these instructions first and fallback to search or bash commands only when you encounter unexpected information that does not match the info here. |
| 5 | +## Quick start |
6 | 6 |
|
7 | | -## Working Effectively |
8 | | - |
9 | | -- **Bootstrap and build the repository:** |
10 | | - |
11 | | - - First, initialize git submodules: `git submodule update --recursive --init` |
12 | | - - System requires Rust stable toolchain (1.90.0) with rustfmt and clippy components |
13 | | - - OpenSSL 3.2.0 is REQUIRED (not 3.0.13+) for proper FIPS compliance and static linking |
14 | | - - OpenSSL must be installed to `/usr/local/openssl` using `.github/reusable_scripts/get_openssl_binaries.sh` |
15 | | - - Build process follows CI workflow: `bash .github/scripts/cargo_build.sh` |
16 | | - - Environment variables required: `OPENSSL_DIR=/usr/local/openssl`, `DEBUG_OR_RELEASE=debug|release` |
17 | | - - For non-FIPS builds: `FEATURES=non-fips` |
18 | | - - The CLI binary `cosmian` IS built in this repository and included in build artifacts |
19 | | - |
20 | | -- **UI and Packaging:** |
| 7 | +```bash |
| 8 | +# Build the project (FIPS mode is default) |
| 9 | +cargo build --release |
21 | 10 |
|
22 | | - - UI is built on Ubuntu distributions using `bash .github/scripts/build_ui.sh` |
23 | | - - UI files are located in `crate/server/ui` directory |
24 | | - - Release builds create Debian packages via `cargo deb -p cosmian_kms_server` |
25 | | - - RPM packages created via `cargo generate-rpm -p crate/server` |
26 | | - - Packages support both FIPS and non-FIPS variants |
| 11 | +# Run tests (FIPS mode is default) |
| 12 | +cargo test |
27 | 13 |
|
28 | | -- **Testing and validation:** |
| 14 | +# For non-FIPS mode (includes additional algorithms) |
| 15 | +cargo build --release --features non-fips |
| 16 | +cargo test --features non-fips |
| 17 | +``` |
29 | 18 |
|
30 | | - - Multi-database testing: sqlite, postgresql, mysql, redis-findex |
31 | | - - Database environment variables: `KMS_POSTGRES_URL=postgresql://kms:kms@127.0.0.1:5432/kms`, `KMS_MYSQL_URL=mysql://kms:kms@localhost:3306/kms`, `KMS_SQLITE_PATH=data/shared` |
32 | | - - MySQL tests are currently disabled (skipped in CI) |
33 | | - - Redis-findex tests skipped in FIPS mode (not supported) |
34 | | - - Debug builds only test sqlite; release builds test all enabled databases |
35 | | - - macOS runners only support sqlite tests (no docker containers) |
36 | | - - HSM testing on Ubuntu with Utimaco: `HSM_USER_PASSWORD="12345678" cargo test -p utimaco_pkcs11_loader --features utimaco` |
37 | | - - Logging control: `RUST_LOG="cosmian_kms_cli=error,cosmian_kms_server=error,cosmian_kmip=error,test_kms_server=error"` |
38 | | - - Test execution: `cargo test --workspace --lib $RELEASE $FEATURES -- --nocapture $SKIP_SERVICES_TESTS` |
| 19 | +## Testing |
39 | 20 |
|
40 | | -- **Build artifacts and binaries:** |
| 21 | +```bash |
| 22 | +# Run all tests (FIPS mode is default) |
| 23 | +cargo test |
41 | 24 |
|
42 | | - - Primary binaries: `cosmian`, `cosmian_kms`, `cosmian_findex_server` |
43 | | - - Binary locations: `target/$DEBUG_OR_RELEASE/` (e.g., `target/debug/`) |
44 | | - - Release builds include benchmarks: `cargo bench $FEATURES --no-run` |
45 | | - - Static linking verified (no dynamic OpenSSL dependencies): `ldd cosmian_kms | grep ssl` should fail |
46 | | - - Version verification: `cosmian_kms --info` must show OpenSSL 3.2.0 |
47 | | - - Binary tests: `cargo test --workspace --bins $RELEASE $FEATURES` |
| 25 | +# Run tests for a specific package |
| 26 | +cargo test -p cosmian_kms_server |
| 27 | +cargo test -p cosmian_kms_cli |
48 | 28 |
|
49 | | -- **Run the KMS server:** |
| 29 | +# Run specific test suites |
| 30 | +cargo test sqlite # SQLite tests |
| 31 | +cargo test postgres # PostgreSQL tests (requires local PostgreSQL) |
| 32 | +cargo test redis # Redis tests |
50 | 33 |
|
51 | | - - ALWAYS build first using the build script above |
52 | | - - Debug mode: `./target/debug/cosmian_kms --database-type sqlite --sqlite-path /tmp/kms-data` |
53 | | - - Release mode: `./target/release/cosmian_kms --database-type sqlite --sqlite-path /tmp/kms-data` |
54 | | - - Server listens on <http://0.0.0.0:9998> by default |
55 | | - - Supported databases: sqlite, postgresql, mysql, redis-findex (redis-findex not available in FIPS mode) |
| 34 | +# Run tests in non-FIPS mode (includes additional algorithms) |
| 35 | +cargo test --features non-fips |
| 36 | +cargo test --features non-fips sqlite |
| 37 | +``` |
56 | 38 |
|
57 | | -- **Docker usage:** |
58 | | - - Development with services: `docker compose up -d` (starts postgresql, mysql, redis) |
59 | | - - Production: `docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:latest` |
60 | | - - Pre-built images include UI at <http://localhost:9998/ui> |
61 | | - - Local Docker builds use the same OpenSSL setup as CI |
| 39 | +Environment variables for DB tests: |
62 | 40 |
|
63 | | -## Validation |
| 41 | +- `KMS_POSTGRES_URL=postgresql://kms:kms@127.0.0.1:5432/kms` |
| 42 | +- `KMS_MYSQL_URL=mysql://kms:kms@localhost:3306/kms` |
| 43 | +- `KMS_SQLITE_PATH=data/shared` |
64 | 44 |
|
65 | | -- **CRITICAL**: Always manually test server functionality after making changes by starting the server and verifying it responds to HTTP requests |
66 | | -- Test server startup: Start server with `--database-type sqlite --sqlite-path /tmp/test-db` |
67 | | -- Test API responses: `curl -s -X POST -H "Content-Type: application/json" -d '{}' http://localhost:9998/kmip/2_1` should return KMIP validation error (confirms server is working) |
68 | | -- Test server version: `./target/release/cosmian_kms --version` should show version 5.12.1 |
69 | | -- OpenSSL validation: `./target/release/cosmian_kms --info` should show OpenSSL 3.2.0 |
70 | | -- Static linking check: `ldd ./target/release/cosmian_kms | grep ssl` should return empty (no dynamic OpenSSL) |
71 | | -- Always run `cargo fmt --check` before committing (takes 3 seconds) |
72 | | -- Clippy requires installation: `rustup component add clippy` |
| 45 | +Notes: |
73 | 46 |
|
74 | | -## Common tasks |
| 47 | +- MySQL tests are currently disabled in CI |
| 48 | +- Redis-findex tests are skipped in FIPS mode |
| 49 | +- FIPS mode is the default; use `--features non-fips` for non-approved algorithms |
| 50 | +- Start database backends with `docker compose up -d` before running DB tests |
75 | 51 |
|
76 | | -The following are outputs from frequently run commands. Reference them instead of viewing, searching, or running bash commands to save time. |
| 52 | +## Running the server |
77 | 53 |
|
78 | | -### Repo root structure |
| 54 | +After building, you can run the server manually: |
79 | 55 |
|
80 | | -```text |
81 | | -.cargo/ # Cargo configuration |
82 | | -.github/ # CI/CD workflows and scripts |
83 | | - scripts/ # Build scripts (cargo_build.sh, build_ui.sh) |
84 | | - reusable_scripts/ # OpenSSL setup scripts |
85 | | -crate/ # Rust workspace crates |
86 | | - server/ # KMS server binary crate |
87 | | - ui/ # Web UI files (built by build_ui.sh) |
88 | | - cli/ # CLI binary crate (cosmian) |
89 | | - crypto/ # Cryptographic operations |
90 | | - kmip/ # KMIP protocol implementation |
91 | | - client_utils/ # Client utilities |
92 | | - kms_client/ # KMS client library |
93 | | - access/ # Access control |
94 | | - interfaces/ # Database and HSM interfaces |
95 | | - server_database/ # Database management |
96 | | - hsm/ # HSM integrations (proteccio, utimaco, softhsm2) |
97 | | -documentation/ # Project documentation |
98 | | -docker-compose.yml # Development services (postgres, mysql, redis) |
99 | | -Dockerfile # Container build |
100 | | -README.md # Project documentation |
101 | | -Cargo.toml # Workspace configuration |
102 | | -rust-toolchain.toml # Rust toolchain: 1.90.0 |
| 56 | +```bash |
| 57 | +cargo run --release --bin cosmian_kms -- --database-type sqlite --sqlite-path /tmp/kms-data |
103 | 58 | ``` |
104 | 59 |
|
105 | | -### Key build commands and timing |
| 60 | +Or run the compiled binary directly: |
106 | 61 |
|
107 | 62 | ```bash |
108 | | -# Full CI build process (includes UI, packaging, multi-database tests) |
109 | | -git submodule update --recursive --init |
110 | | -export OPENSSL_DIR=/usr/local/openssl |
111 | | -export DEBUG_OR_RELEASE=debug # or release |
112 | | -export FEATURES=non-fips # optional, for non-FIPS builds |
113 | | - |
114 | | -# OpenSSL setup (required first) |
115 | | -sudo mkdir -p /usr/local/openssl/ssl /usr/local/openssl/lib64/ossl-modules |
116 | | -sudo chown -R $USER /usr/local/openssl |
117 | | -bash .github/reusable_scripts/get_openssl_binaries.sh |
118 | | -bash .github/scripts/cargo_build.sh |
119 | | - |
120 | | - |
121 | | -# UI build (Ubuntu only) |
122 | | -bash .github/scripts/build_ui.sh |
123 | | - |
124 | | -# Individual builds (after OpenSSL setup) |
125 | | -cargo build --features non-fips |
126 | | -cargo build --release --features non-fips |
127 | | - |
128 | | -# Multi-database testing |
129 | | -export KMS_TEST_DB=sqlite # or postgresql, mysql, redis-findex |
130 | | -cargo test --workspace --lib --features non-fips |
131 | | - |
132 | | -# HSM testing (Ubuntu only) |
133 | | -bash .github/reusable_scripts/test_utimaco.sh |
134 | | -HSM_USER_PASSWORD="12345678" cargo test -p utimaco_pkcs11_loader --features utimaco |
135 | | - |
136 | | -# Packaging (release builds only) |
137 | | -cargo install cargo-deb cargo-generate-rpm |
138 | | -cargo deb -p cosmian_kms_server |
139 | | -cargo generate-rpm -p crate/server |
140 | | - |
141 | | -# Format check (3 seconds) |
142 | | -cargo fmt --check |
| 63 | +./target/release/cosmian_kms --database-type sqlite --sqlite-path /tmp/kms-data |
143 | 64 | ``` |
144 | 65 |
|
145 | | -### Server startup and validation |
| 66 | +Basic API probe: |
146 | 67 |
|
147 | 68 | ```bash |
148 | | -# Start server (debug) |
149 | | -./target/debug/cosmian_kms --database-type sqlite --sqlite-path /tmp/kms-data |
150 | | - |
151 | | -# Start server (release) |
152 | | -./target/release/cosmian_kms --database-type sqlite --sqlite-path /tmp/kms-data |
153 | | - |
154 | | -# Test server is responding |
155 | 69 | curl -s -X POST -H "Content-Type: application/json" -d '{}' http://localhost:9998/kmip/2_1 |
156 | | -# Expected response: "Invalid Request: missing field `tag` at line 1 column 2" |
| 70 | +``` |
157 | 71 |
|
158 | | -# Check version and OpenSSL |
159 | | -./target/release/cosmian_kms --version |
160 | | -# Expected: "cosmian_kms_server 5.12.1" |
| 72 | +Expected response is a KMIP validation error, confirming the server is alive. |
161 | 73 |
|
162 | | -./target/release/cosmian_kms --info |
163 | | -# Expected: Output containing "OpenSSL 3.2.0" |
| 74 | +## Repository layout (high level) |
164 | 75 |
|
165 | | -# Verify static linking (should return empty) |
166 | | -ldd ./target/release/cosmian_kms | grep ssl |
| 76 | +```text |
| 77 | +.github/ # CI workflows and scripts |
| 78 | +crate/ # Rust workspace crates (server, cli, crypto, …) |
| 79 | +pkg/ # Packaging metadata (deb/rpm service files, configs) |
| 80 | +documentation/ # Documentation and guides |
| 81 | +resources/ # Configuration files and resources |
| 82 | +test_data/ # Test fixtures and data |
| 83 | +ui/ # Web UI source |
167 | 84 | ``` |
168 | 85 |
|
169 | | -### Docker quick start |
| 86 | +## Tips |
| 87 | + |
| 88 | +- Format/lints: run `cargo fmt --check` and `cargo clippy` to check code style |
| 89 | +- Use `cargo build --release` for optimized builds |
| 90 | +- Run `cargo test` frequently to ensure changes don't break functionality |
| 91 | + |
| 92 | +## Docker |
170 | 93 |
|
171 | 94 | ```bash |
172 | | -# Pull and run pre-built image (includes UI) |
173 | 95 | docker pull ghcr.io/cosmian/kms:latest |
174 | 96 | docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:latest |
175 | | - |
176 | | -# Development with services |
177 | | -docker compose up -d |
178 | | - |
179 | | -# Access UI |
180 | | -curl http://localhost:9998/ui |
181 | | -# Expected: HTML content with KMS web interface |
182 | 97 | ``` |
183 | 98 |
|
184 | | -## Important notes |
185 | | - |
186 | | -- **OpenSSL Version**: OpenSSL 3.2.0 is mandatory, not 3.0.13+. The build verifies this specific version. |
187 | | -- **Static Linking**: All binaries must be statically linked with OpenSSL. CI verifies no dynamic OpenSSL dependencies. |
188 | | -- **Build Artifacts**: Three primary binaries are built: `cosmian`, `cosmian_kms`, `cosmian_findex_server` |
189 | | -- **Database Testing**: Only sqlite works in debug mode and on macOS. Full database testing requires release builds. |
190 | | -- **FIPS vs non-FIPS**: Redis-findex database support is not available in FIPS mode |
191 | | -- **UI Building**: UI is only built on Ubuntu distributions and requires separate build script |
192 | | -- **Packaging**: Debian and RPM packages are created as part of release builds with proper FIPS/non-FIPS variants |
193 | | -- **HSM Support**: Utimaco HSM testing is included but only runs on Ubuntu with specific setup |
194 | | -- **MySQL**: MySQL database tests are currently disabled in CI |
195 | | -- **Workspace**: Build from workspace root using cargo_build.sh script, not individual crate directories |
196 | | -- **HashMaps**: Verify that when creating HashMaps, use `HashMap::with_capacity(n)` to avoid unnecessary reallocations instead of `HashMap::new()`. |
| 99 | +Images include the UI at `http://localhost:9998/ui`. |
0 commit comments