From eeee5458da7861914c38a560051ebc47c380f807 Mon Sep 17 00:00:00 2001
From: Kevin Wang <wy721@qq.com>
Date: Sun, 25 Jan 2026 10:30:05 +0000
Subject: [PATCH] vmm-cli: require --kms and --kms-url when using --env-file

Add validation to ensure KMS is properly configured when --env-file is used:

1. compose command: --env-file requires --kms flag
2. deploy command: --env-file requires both --kms-url and kms_enabled=true in compose
3. update command: --env-file requires --kms-url
4. update-env command: requires --kms-url

Environment variables need KMS to be enabled for decryption inside the VM,
and need --kms-url to encrypt them before sending.
---
 vmm/src/vmm-cli.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/vmm/src/vmm-cli.py b/vmm/src/vmm-cli.py
index 347f1795..2828d1f7 100755
--- a/vmm/src/vmm-cli.py
+++ b/vmm/src/vmm-cli.py
@@ -520,6 +520,11 @@ def calc_app_id(self, compose_file: str) -> str:
     def create_app_compose(self, args) -> None:
         """Create a new app compose file"""
         envs = parse_env_file(args.env_file) or {}
+
+        # Validate: --env-file requires --kms
+        if envs and not args.kms:
+            raise Exception("--env-file requires --kms to enable KMS for environment variable decryption")
+
         app_compose = {
             "manifest_version": 2,
             "name": args.name,
@@ -565,6 +570,17 @@ def create_vm(self, args) -> None:
 
         envs = parse_env_file(args.env_file)
 
+        # Validate: --env-file requires --kms-url and kms_enabled in compose
+        if envs:
+            if not args.kms_url:
+                raise Exception("--env-file requires --kms-url to encrypt environment variables")
+            try:
+                compose_json = json.loads(compose_content)
+                if not compose_json.get('kms_enabled', False):
+                    raise Exception("--env-file requires kms_enabled=true in the compose file (use --kms when creating compose)")
+            except json.JSONDecodeError:
+                pass  # Let the server handle invalid JSON
+
         # Read user config file if provided
         user_config = ""
         if args.user_config:
@@ -620,6 +636,10 @@ def create_vm(self, args) -> None:
 
     def update_vm_env(self, vm_id: str, envs: Dict[str, str], kms_urls: Optional[List[str]] = None) -> None:
         """Update environment variables for a VM"""
+        # Validate: requires --kms-url
+        if not kms_urls:
+            raise Exception("--kms-url is required to encrypt environment variables")
+
         envs = envs or {}
         # First get the VM info to retrieve the app_id
         vm_info_response = self.rpc_call('GetInfo', {'id': vm_id})
@@ -709,6 +729,10 @@ def update_vm(
         no_tee: Optional[bool] = None,
     ) -> None:
         """Update multiple aspects of a VM in one command"""
+        # Validate: --env-file requires --kms-url
+        if env_file and not kms_urls:
+            raise Exception("--env-file requires --kms-url to encrypt environment variables")
+
         updates = []
 
         # handle resize operations (vcpu, memory, disk, image)