CapsuleManager sdk offers several apis to access CapsuleManager Service, which is designed to manage metadata of user data and authorization information.
There are two ways to use CapsuleManager SDK:
docker run -it --name capsule-manager-sdk --network=host secretflow/trustedflow-release-ubuntu22.04:latest bash
conda create -n capsule-manager-sdk python=3.10 -y
conda activate capsule-manager-sdk
pip install capsule-manager-sdk
You can just call functions defined in file python/sdc/capsule_manager_frame.py. The function is as follows:
example:
from sdc.capsule_manager_frame import CapsuleManagerFrame
auth_frame = CapsuleManagerFrame(
"127.0.0.1:8888",
"sim"
None,
None,
)
public_key_pem = auth_frame.get_public_key()
print(public_key_pem)
For more examples please see file python/tests/test_capsule_manager.py
There are three commands in terminal, the commands are following:
Command cms is the main command, it includes several subcommands which are following:
cms --help
Usage: cms [OPTIONS] COMMAND [ARGS]...
Options:
--config-file TEXT the config path
--help Show this message and exit.
Commands:
add-data-rule add data rule for a specific...
delete-data-key delete the data key of a...
delete-data-policy delete data policy of a...
delete-data-rule delete data rule for a...
get-data-policys get data policy of the party...
get-export-data-key get the data key of export...
get-public-key get the pem format of public...
register-cert upload the cert of party...
register-data-keys upload data_keys of several...
register-data-policy upload data policy of a...
If you want to know what subcommands or parameters are supported, just use --help
# view supported subcommands
cms --help
# view supported parameters
cms --config-file=cli/cms/cli.yaml delete-data-rule --help
commands: each command call one corresponding function in file python/sdc/capsule_manager_frame.py. I believe you can distinguish them from their names, for example, command get-public-key is calling function get_public_key
cms --config-file=cli/cms/cli.yaml get-public-key
# this will print public-key
There are three parts in the config file python/cli/cli-template.yaml.
main section: it will be used to instantiate class CapsuleManagerFrame defined in file python/sdc/capsule_manager_frame.py
host: "127.0.0.1"
tee_plat: "sim"
tee_constraints:
mr_plat: null
mr_boot: null
mr_ta: null
mr_signer: null
root_ca_file: null
private_key_file: null
# List[str], cert chain file
cert_chain_file: null
common section: the common config of function part
common:
# str
party_id: "alice"
# List[str], cert chain file
cert_pems_file: null
# str
scheme: "RSA"
# file contains private key
private_key_file: null
function section: each section corresponds to a function call. for example, the fuction create_data_keys. As you can see, the configuration corresponds to the function parameters one-to-one.(of course, there are some function parameters in the common section)
# function defination
def create_data_keys(
self,
owner_party_id: str,
data_keys: List[dict],
cert_pems: List[bytes] = None,
private_key: Union[bytes, str, rsa.RSAPrivateKey] = None,
):
# the function part of the config file
register_data_keys:
data_keys:
-
# (required) str
resource_uri:
# (required) str
data_key_b64:
After the above explanation, you should understand the design concept of this configuration file, but there are two points to note:
If the content of a configuration field is too long, it will be changed to read from a file. for example, the RSA key pair:
root_ca_file: null
private_key_file: null
cert_chain_file: null
If the type of the content of a configuration field cannot be represented by a string, it will be changed to be represented by a string. for example, the type of data key is bytes, we will base64 encode it
# str
data_key_b64:
so, How to modify the configuration file by cms_config command?
Command cms_config help modify the config file python/cli/cli-template.yaml which will be used in cms command
Command cms_config is the main command, it includes several subcommands which are following:
cms_config --help
Usage: cms_config [OPTIONS] COMMAND [ARGS]...
Options:
--config-file TEXT config file path
--help Show this message and exit.
Commands:
add-data-rule
common
create-data-policy
delete-data-policy
delete-data-rule
get-data-keys
get-data-policys
init
If you want to know what subcommands or parameters are supported, just use --help
# view supported subcommands
cms_config --help
# view supported parameters
cms_config --config-file=cli/cms/cli.yaml init --help
Since cms_config modifies the config file and the config file has three sections, so the corresponding cms_config has three types of subcommands.
cms_config --config-file=cli/cms/cli.yaml init
cms_config --config-file=cli/cms/cli.yaml common
cms_config --config-file=cli/cms/cli.yaml delete-data-rule
Please note that some parameters cannot be modified via the command cms_config, this is because we follow two principles:
if the parameter type is list, it cannot be modified through the command line because click does not support nested lists.
if the parameter content is too long, we do not support passing it in through the command line.
Command cms_util offers several convenient subcommands to use
cms_util --help
Usage: cms_util [OPTIONS] COMMAND [ARGS]...
Options:
--help Show this message and exit.
Commands:
decrypt-file decrypt file using data key
decrypt-file-inplace decrypt file inplace using data key, it will...
encrypt-file encrypt file using data key
encrypt-file-inplace encrypt file inplace using data key, it will...
generate-data-key-b64 generate the base64 encode data key
generate-party-id generate the party id according to the certificate
generate-rsa-keypair generate rsa key pair (private_key, cert_chain)
generate-vote-result generate vote result json from...
sign-vote-request generate the vote request with signature when...
voter-sign generate voter signature when exporting the...
If you want to know what subcommands or parameters are supported, just use --help
# view supported subcommands
cms_util --help
# view supported parameters
cms_config decrypt-file --help
for command cms_util, just use it. for example
cms_util generate-data-key-b64
# output
emK2Imaz9f6nZNWO2hBjdA==
For most functions, you can tell what they do by their names. For a small number of functions that are difficult to understand, here is a detailed description.
generate-data-key-b64: generate data key and encode it with base64
generate-party-id: generate the identifier of party based on its certificate
merge-cert-chain-files: merge multiple certificate files into a certificate chain file. Note that the order of the certificates is important. The last certificate is the CA.
sign-vote-request: when exporting data, data participants are required to vote whether to agree to the data export. This function is used to sign the vote request. A template vote-request-template.yaml is provided to config vote request.
voter-sign: voter APPROVE the exporting vote request and sign the vote. A template voter-template.yaml is provided to config voter sign.
The design idea of python/cli/vote-request-template.yaml and python/cli/voter-template.yaml is consistent with the previous file python/cli/cli-template.yaml and is not difficult to understand.
vote_request:
# (required) str, vote type, should be "TEE_DOWNLOAD" when export data keys for tee tasks' encrypted result
type: "TEE_DOWNLOAD"
# (required) int, vote approved threshold
approved_threshold:
# (required) str, vote approved action, shoule be "tee/download,xxxx_uuid", replace "xxxx_uuid" with tee task's result data_uuid
approved_action: "tee/download,xxxx_uuid"
# (required) List[str], cert chain files, the order is [cert, mid_ca_cert, root_ca_cert]
# file num can be 1 if the cert is self-signed
cert_chain_file:
# (required) str, file contains private key
private_key_file:
# (required) str, vote request signature
vote_request_signature:
# (required) str, APPROVE/REJECT
action: "APPROVE"
# (required) List[str], cert chain files, the order is [cert, mid_ca_cert, root_ca_cert]
# file num can be 1 if the cert is self-signed
cert_chain_file:
# (required) str, file contains voter's private key
private_key_file:
This project is licensed under the Apache License