openanolis · jialez0 · Dec 4, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -6,6 +6,7 @@ members = [
     "deps/verifier",
     "deps/eventlog",
     "deps/kms",
+    "iam",
 ]
 resolver = "2"
 
@@ -25,7 +26,7 @@ async-trait = "0.1.31"
 base64 = "0.21"
 byteorder = "1.5.0"
 cfg-if = "1.0.0"
-chrono = "0.4.19"
+chrono = { version = "0.4.19", features = ["serde"] }
 clap = { version = "4", features = ["derive"] }
 config = "0.13.3"
 ear = "0.3.0"
@@ -61,4 +62,4 @@ tokio = { version = "1", features = ["full"] }
 toml = "0.8.23"
 tempfile = "3.4.0"
 tonic = "0.12"
-tonic-build = "0.12"
+tonic-build = "0.12"
diff --git a/Dockerfile.iam b/Dockerfile.iam
@@ -0,0 +1,55 @@
+ARG BASE_IMAGE=alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest
+
+FROM ${BASE_IMAGE} AS builder
+
+ARG ALL_PROXY
+ARG NO_PROXY
+ENV ALL_PROXY=$ALL_PROXY
+ENV NO_PROXY=$NO_PROXY
+
+ARG CARGO_JOBS
+
+RUN yum install -y perl wget curl clang openssh-clients openssl-devel protobuf-devel git
+
+WORKDIR /usr/src/trustee
+COPY . .
+
+# Install Rust toolchain from mirrored source for faster builds
+RUN export RUSTUP_DIST_SERVER='https://mirrors.ustc.edu.cn/rust-static' && \
+    export RUSTUP_UPDATE_ROOT='https://mirrors.ustc.edu.cn/rust-static/rustup' && \
+    curl --proto '=https' --tlsv1.2 -sSf https://mirrors.aliyun.com/repo/rust/rustup-init.sh | \
+    sh -s -- -y
+ENV PATH="/root/.cargo/bin:${PATH}"
+RUN export RUSTUP_DIST_SERVER='https://mirrors.ustc.edu.cn/rust-static' && \
+    export RUSTUP_UPDATE_ROOT='https://mirrors.ustc.edu.cn/rust-static/rustup' && \
+    rustup toolchain install 1.79.0-x86_64-unknown-linux-gnu
+
+RUN printf '\
+    [source.crates-io]\n\
+    replace-with = "aliyun"\n\
+    [source.aliyun]\n\
+    registry = "sparse+https://mirrors.aliyun.com/crates.io-index/"\n\
+    ' >> /root/.cargo/config
+
+RUN if [ -n "$CARGO_JOBS" ]; then \
+      [ ! -d /root/.cargo ] && mkdir /root/.cargo; \
+      echo -e "[build]\njobs = $CARGO_JOBS" >> /root/.cargo/config.toml; \
+    fi
+
+RUN cargo build --locked --release -p iam
+
+FROM ${BASE_IMAGE}
+
+RUN yum install -y ca-certificates tzdata && \
+    mkdir -p /app/config
+
+COPY --from=builder /usr/src/trustee/target/release/iam /usr/local/bin/iam
+COPY iam/config/iam.toml /app/config/iam.toml
+
+WORKDIR /app
+EXPOSE 8090
+
+ENV RUST_LOG=info
+
+CMD ["/usr/local/bin/iam", "--config", "/app/config/iam.toml"]
+
diff --git a/deploy/configs/trustee-gateway.yml b/deploy/configs/trustee-gateway.yml
@@ -11,6 +11,11 @@ kbs:
   insecure_http: true
   ca_cert_file: ""
 
+iam:
+  url: "http://iam:8090"
+  insecure_http: true
+  ca_cert_file: ""
+
 attestation_service:
   url: "http://as-restful:50005"
   insecure_http: true

diff --git a/dist/Dockerfile b/dist/Dockerfile
@@ -14,5 +14,6 @@ VOLUME /etc/trustee
 
 EXPOSE 8081
 EXPOSE 8082
+EXPOSE 8090
 
 CMD ["/usr/bin/start.sh"]
diff --git a/dist/Makefile b/dist/Makefile
@@ -41,6 +41,7 @@ build:
 	cargo build --bin grpc-as --release --features grpc-bin --locked
 	cargo build --bin rvps --release
 	cargo build --bin rvps-tool --release
+	cargo build -p iam --release --locked
 	@echo "编译 trustee-gateway..."
 	@echo "编译完成"
 
@@ -68,13 +69,15 @@ install:
 	install -m 644 system/as-restful.service $(BUILDROOT)$(PREFIX)/lib/systemd/system/as-restful.service
 	install -m 644 system/trustee.service $(BUILDROOT)$(PREFIX)/lib/systemd/system/trustee.service
 	install -m 644 system/trustee-gateway.service $(BUILDROOT)$(PREFIX)/lib/systemd/system/trustee-gateway.service
+	install -m 644 system/iam.service $(BUILDROOT)$(PREFIX)/lib/systemd/system/iam.service
 
 	# 创建配置目录并安装配置文件
 	install -d -p $(BUILDROOT)$(CONFIG_DIR)
 	install -m 644 configs/kbs-config.toml $(BUILDROOT)$(CONFIG_DIR)/kbs-config.toml
 	install -m 644 configs/as-config.json $(BUILDROOT)$(CONFIG_DIR)/as-config.json
 	install -m 644 configs/rvps.json $(BUILDROOT)$(CONFIG_DIR)/rvps.json
 	install -m 644 configs/gateway.yml $(BUILDROOT)$(CONFIG_DIR)/gateway.yml
+	install -m 644 configs/iam.toml $(BUILDROOT)$(CONFIG_DIR)/iam.toml
 
 	# 创建 bin 目录并安装可执行文件
 	install -d -p $(BUILDROOT)$(PREFIX)/bin
@@ -84,6 +87,7 @@ install:
 	install -m 755 ../target/release/rvps $(BUILDROOT)$(PREFIX)/bin/rvps
 	install -m 755 ../target/release/rvps-tool $(BUILDROOT)$(PREFIX)/bin/rvps-tool
 	install -m 755 ../trustee-gateway/gateway $(BUILDROOT)$(PREFIX)/bin/trustee-gateway
+	install -m 755 ../target/release/iam $(BUILDROOT)$(PREFIX)/bin/iam
 
 	install -d -p $(BUILDROOT)$(PREFIX)/include
 	install -d -p $(BUILDROOT)$(PREFIX)/lib64

diff --git a/dist/configs/gateway.yml b/dist/configs/gateway.yml
@@ -5,6 +5,9 @@ server:
 kbs:
   url: "http://127.0.0.1:8080"
 
+iam:
+  url: "http://127.0.0.1:8090"
+
 rvps:
   grpc_addr: "127.0.0.1:50003"
 

diff --git a/dist/configs/iam.toml b/dist/configs/iam.toml
@@ -0,0 +1,8 @@
+[server]
+bind_address = "0.0.0.0:8090"
+
+[crypto]
+issuer = "trustee-iam"
+hmac_secret = "change-me"
+default_ttl_seconds = 900
+
diff --git a/dist/install.sh b/dist/install.sh
@@ -48,17 +48,20 @@ install -m 644 system/as.service ${BUILDROOT}${PREFIX}/lib/systemd/system/as.ser
 install -m 644 system/rvps.service ${BUILDROOT}${PREFIX}/lib/systemd/system/rvps.service
 install -m 644 system/as-restful.service ${BUILDROOT}${PREFIX}/lib/systemd/system/as-restful.service
 install -m 644 system/trustee.service ${BUILDROOT}${PREFIX}/lib/systemd/system/trustee.service
+install -m 644 system/iam.service ${BUILDROOT}${PREFIX}/lib/systemd/system/iam.service
 install -d -p ${BUILDROOT}/etc/trustee
 install -m 644 configs/kbs-config.toml ${BUILDROOT}${CONFIG_DIR}/kbs-config.toml
 install -m 644 configs/as-config.json ${BUILDROOT}${CONFIG_DIR}/as-config.json
 install -m 644 configs/rvps.json ${BUILDROOT}${CONFIG_DIR}/rvps.json
+install -m 644 configs/iam.toml ${BUILDROOT}${CONFIG_DIR}/iam.toml
 install -d -p ${BUILDROOT}${PREFIX}/bin
 install -m 755 ../target/release/kbs ${BUILDROOT}${PREFIX}/bin/kbs
 install -m 755 ../target/release/restful-as ${BUILDROOT}${PREFIX}/bin/restful-as
 install -m 755 ../target/release/grpc-as ${BUILDROOT}${PREFIX}/bin/grpc-as
 install -m 755 ../target/release/rvps ${BUILDROOT}${PREFIX}/bin/rvps
 install -m 755 ../target/release/kbs-client ${BUILDROOT}${PREFIX}/bin/kbs-client
 install -m 755 ../target/release/rvps-tool ${BUILDROOT}${PREFIX}/bin/rvps-tool
+install -m 755 ../target/release/iam ${BUILDROOT}${PREFIX}/bin/iam
 install -d -p ${BUILDROOT}${PREFIX}/include
 install -d -p ${BUILDROOT}${PREFIX}/lib64
 cp intel-deps/include/sgx_* ${BUILDROOT}${PREFIX}/include/

diff --git a/dist/start.sh b/dist/start.sh
@@ -30,7 +30,7 @@ EOF
 }
 
 # Setup log rotation for each service
-for service in rvps as as-restful kbs trustee-gateway trustee-frontend nginx; do
+for service in rvps as as-restful kbs iam trustee-gateway trustee-frontend nginx; do
   setup_log_rotation $service
 done
 
@@ -66,6 +66,14 @@ start_kbs() {
   echo "KBS service started, PID: $(cat /opt/trustee/logs/kbs.pid)"
 }
 
+# Start IAM service
+start_iam() {
+  echo "Starting IAM service..."
+  nohup /usr/bin/iam --config /etc/trustee/iam.toml > >(tee -a /opt/trustee/logs/iam.log) 2>&1 &
+  echo $! > /opt/trustee/logs/iam.pid
+  echo "IAM service started, PID: $(cat /opt/trustee/logs/iam.pid)"
+}
+
 # Start Trustee-Gateway service
 start_trustee_gateway() {
   echo "Starting Trustee-Gateway service..."
@@ -91,6 +99,8 @@ start_as_restful
 sleep 2
 start_kbs
 sleep 1
+start_iam
+sleep 1
 start_trustee_gateway
 sleep 1
 start_trustee_frontend
@@ -100,7 +110,7 @@ echo "All services started. Log files are located in /opt/trustee/logs/ director
 # Check service status
 check_services() {
   echo "Checking service status..."
-  for service in rvps as as-restful kbs trustee-gateway nginx-trustee-frontend; do
+  for service in rvps as as-restful kbs iam trustee-gateway nginx-trustee-frontend; do
     if [ -f "/opt/trustee/logs/${service}.pid" ]; then
       pid=$(cat /opt/trustee/logs/${service}.pid)
       if ps -p $pid > /dev/null; then

diff --git a/dist/system/iam.service b/dist/system/iam.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Trustee IAM Service
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/iam --config /etc/trustee/iam.toml
+Environment=RUST_LOG=info
+Restart=always
+RestartSec=5
+LimitNOFILE=1048576
+LimitNPROC=infinity
+LimitCORE=infinity
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/dist/system/trustee.service b/dist/system/trustee.service
@@ -1,14 +1,14 @@
 [Unit]
 Description=Trustee
 After=network.target
-Wants=kbs.service as.service as-restful.service rvps.service trustee-gateway.service
+Wants=kbs.service iam.service as.service as-restful.service rvps.service trustee-gateway.service
 
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/bin/systemctl start kbs as as-restful rvps trustee-gateway
-ExecStop=/usr/bin/systemctl stop kbs as as-restful rvps trustee-gateway
-ExecReload=/usr/bin/systemctl restart kbs as as-restful rvps trustee-gateway
+ExecStart=/usr/bin/systemctl start kbs iam as as-restful rvps trustee-gateway
+ExecStop=/usr/bin/systemctl stop kbs iam as as-restful rvps trustee-gateway
+ExecReload=/usr/bin/systemctl restart kbs iam as as-restful rvps trustee-gateway
 
 [Install]
 WantedBy=multi-user.target
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,5 +1,18 @@
 version: '3.2'
 services:
+  iam:
+    build:
+      context: .
+      network: host
+      dockerfile: Dockerfile.iam
+    restart: always
+    ports:
+      - "8090:8090"
+    volumes:
+      - ./iam/config/iam.toml:/app/config/iam.toml:ro
+    depends_on:
+      - as
+
   kbs:
     build:
       context: .
@@ -110,6 +123,7 @@ services:
     - kbs
     - as
     - rvps
+    - iam
 
   frontend:
     build:
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,6 +5,9 @@ server: @@
     kbs:
       url: "http://127.0.0.1:8080"
+    iam:
+      url: "http://127.0.0.1:8090"
     rvps:
       grpc_addr: "127.0.0.1:50003"
@@ Expand Down @@