Modified Connector to use new attestation end-point for Azure tdvm. (#100)

arvind5 · arvind5 · commit 1c1f7336bc1e · 2024-03-27T13:07:25.000+05:30
diff --git a/go-connector/attest.go b/go-connector/attest.go
@@ -24,7 +24,7 @@ func (connector *trustAuthorityConnector) Attest(args AttestArgs) (AttestRespons
 		return response, errors.Errorf("Failed to collect evidence from adapter: %s", err)
 	}
 
-	tokenResponse, err := connector.GetToken(GetTokenArgs{nil, evidence, args.PolicyIds, args.RequestId, args.TokenSigningAlg})
+	tokenResponse, err := connector.GetToken(GetTokenArgs{nonceResponse.Nonce, evidence, args.PolicyIds, args.RequestId, args.TokenSigningAlg})
 	response.Token, response.Headers = tokenResponse.Token, tokenResponse.Headers
 	if err != nil {
 		return response, errors.Errorf("Failed to collect token from Trust Authority: %s", err)
diff --git a/go-connector/attest_test.go b/go-connector/attest_test.go
@@ -26,7 +26,7 @@ func TestAttest(t *testing.T) {
 	connector, mux, _, teardown := setup()
 	defer teardown()
 
-	mux.HandleFunc("/appraisal/v1/nonce", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(nonceEndpoint, func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		w.Write([]byte(`{"val":"` + nonceVal + `","iat":"` + nonceIat + `","signature":"` + nonceSig + `"}`))
 	})
@@ -35,7 +35,7 @@ func TestAttest(t *testing.T) {
 	evidence := &Evidence{}
 	adapter.On("CollectEvidence", mock.Anything).Return(evidence, nil)
 
-	mux.HandleFunc("/appraisal/v1/attest", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(attestEndpoint, func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		w.Write([]byte(`{"token":"` + token + `"}`))
 	})
@@ -50,15 +50,15 @@ func TestAttest_nonceFailure(t *testing.T) {
 	connector, mux, _, teardown := setup()
 	defer teardown()
 
-	mux.HandleFunc("/appraisal/v1/nonce", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(nonceEndpoint, func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		w.Write([]byte(`invalid nonce`))
 	})
 
 	adapter := MockAdapter{}
 	adapter.On("CollectEvidence", mock.Anything).Return(mock.Anything, nil)
 
-	mux.HandleFunc("/appraisal/v1/attest", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(attestEndpoint, func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		w.Write([]byte(`{"token":"` + token + `"}`))
 	})
@@ -96,7 +96,7 @@ func TestAttest_evidenceFailure(t *testing.T) {
 	connector, mux, _, teardown := setup()
 	defer teardown()
 
-	mux.HandleFunc("/appraisal/v1/nonce", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(nonceEndpoint, func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		w.Write([]byte(`{"val":"` + nonceVal + `","iat":"` + nonceIat + `","signature":"` + nonceSig + `"}`))
 	})
@@ -105,7 +105,7 @@ func TestAttest_evidenceFailure(t *testing.T) {
 	evidence := &Evidence{}
 	adapter.On("CollectEvidence", mock.Anything).Return(evidence, errors.New("failed to collect evidence"))
 
-	mux.HandleFunc("/appraisal/v1/attest", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(attestEndpoint, func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		w.Write([]byte(`{"token":"` + token + `"}`))
 	})
@@ -120,7 +120,7 @@ func TestAttest_tokenFailure(t *testing.T) {
 	connector, mux, _, teardown := setup()
 	defer teardown()
 
-	mux.HandleFunc("/appraisal/v1/nonce", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(nonceEndpoint, func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		w.Write([]byte(`{"val":"` + nonceVal + `","iat":"` + nonceIat + `","signature":"` + nonceSig + `"}`))
 	})
@@ -129,7 +129,7 @@ func TestAttest_tokenFailure(t *testing.T) {
 	evidence := &Evidence{}
 	adapter.On("CollectEvidence", mock.Anything).Return(evidence, nil)
 
-	mux.HandleFunc("/appraisal/v1/attest", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(attestEndpoint, func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		w.Write([]byte(`invalid token`))
 	})
diff --git a/go-connector/connector.go b/go-connector/connector.go
@@ -75,10 +75,11 @@ type AttestResponse struct {
 
 // Evidence is used to store Quote to be sent for Attestation
 type Evidence struct {
-	Type     uint32
-	Evidence []byte
-	UserData []byte
-	EventLog []byte
+	Type        uint32
+	Quote       []byte
+	UserData    []byte
+	EventLog    []byte
+	RuntimeData []byte
 }
 
 // RetryConfig holds the configuration for automatic retries to tolerate minor outages
diff --git a/go-connector/const.go b/go-connector/const.go
@@ -12,6 +12,9 @@ const (
 	HeaderRequestId   = "request-id"
 	HeaderTraceId     = "trace-id"
 
+	nonceEndpoint  = "/appraisal/v1/nonce"
+	attestEndpoint = "/appraisal/v1/attest/azure/tdxvm"
+
 	mimeApplicationJson        = "application/json"
 	AtsCertChainMaxLen         = 10
 	MaxRetries                 = 2
diff --git a/go-connector/nonce.go b/go-connector/nonce.go
@@ -7,7 +7,6 @@ package connector
 
 import (
 	"encoding/json"
-	"fmt"
 	"io"
 	"net/http"
 
@@ -16,7 +15,7 @@ import (
 
 // GetNonce is used to get Intel Trust Authority signed nonce
 func (connector *trustAuthorityConnector) GetNonce(args GetNonceArgs) (GetNonceResponse, error) {
-	url := fmt.Sprintf("%s/appraisal/v1/nonce", connector.cfg.ApiUrl)
+	url := connector.cfg.ApiUrl + nonceEndpoint
 
 	newRequest := func() (*http.Request, error) {
 		return http.NewRequest(http.MethodGet, url, nil)
diff --git a/go-connector/nonce_test.go b/go-connector/nonce_test.go
@@ -22,7 +22,7 @@ func TestGetNonce(t *testing.T) {
 	connector, mux, _, teardown := setup()
 	defer teardown()
 
-	mux.HandleFunc("/appraisal/v1/nonce", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(nonceEndpoint, func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		w.Write([]byte(`{"val":"` + nonceVal + `","iat":"` + nonceIat + `","signature":"` + nonceSig + `"}`))
 	})
@@ -51,7 +51,7 @@ func TestGetNonce_invalidNonce(t *testing.T) {
 	connector, mux, _, teardown := setup()
 	defer teardown()
 
-	mux.HandleFunc("/appraisal/v1/nonce", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(nonceEndpoint, func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		w.Write([]byte(`invalid nonce`))
 	})
diff --git a/go-connector/token.go b/go-connector/token.go
@@ -31,7 +31,7 @@ type tokenRequest struct {
 	VerifierNonce   *VerifierNonce `json:"verifier_nonce,omitempty"`
 	RuntimeData     []byte         `json:"runtime_data,omitempty"`
 	PolicyIds       []uuid.UUID    `json:"policy_ids,omitempty"`
-	EventLog        []byte         `json:"event_log,omitempty"`
+	UserData        []byte         `json:"user_data,omitempty"`
 	TokenSigningAlg string         `json:"token_signing_alg,omitempty"`
 }
 
@@ -42,15 +42,15 @@ type AttestationTokenResponse struct {
 
 // GetToken is used to get attestation token from Intel Trust Authority
 func (connector *trustAuthorityConnector) GetToken(args GetTokenArgs) (GetTokenResponse, error) {
-	url := fmt.Sprintf("%s/appraisal/v1/attest", connector.cfg.ApiUrl)
+	url := connector.cfg.ApiUrl + attestEndpoint
 
 	newRequest := func() (*http.Request, error) {
 		tr := tokenRequest{
-			Quote:           args.Evidence.Evidence,
+			Quote:           args.Evidence.Quote,
 			VerifierNonce:   args.Nonce,
-			RuntimeData:     args.Evidence.UserData,
+			RuntimeData:     args.Evidence.RuntimeData,
 			PolicyIds:       args.PolicyIds,
-			EventLog:        args.Evidence.EventLog,
+			UserData:        args.Evidence.UserData,
 			TokenSigningAlg: args.TokenSigningAlg,
 		}
 
diff --git a/go-connector/token_test.go b/go-connector/token_test.go
@@ -34,7 +34,7 @@ func TestGetToken(t *testing.T) {
 	connector, mux, _, teardown := setup()
 	defer teardown()
 
-	mux.HandleFunc("/appraisal/v1/attest", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(attestEndpoint, func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		w.Write([]byte(`{"token":"` + token + `"}`))
 	})
@@ -51,7 +51,7 @@ func TestGetToken_invalidToken(t *testing.T) {
 	connector, mux, _, teardown := setup()
 	defer teardown()
 
-	mux.HandleFunc("/appraisal/v1/attest", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(attestEndpoint, func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		w.Write([]byte(`invalid token`))
 	})
diff --git a/go-sgx/collect_evidence.go b/go-sgx/collect_evidence.go
@@ -86,7 +86,7 @@ func (adapter *sgxAdapter) CollectEvidence(nonce []byte) (*connector.Evidence, e
 
 	return &connector.Evidence{
 		Type:     0,
-		Evidence: quote_buffer,
+		Quote:    quote_buffer,
 		UserData: adapter.uData,
 	}, nil
 }
diff --git a/go-tdx/azure_adapter.go b/go-tdx/azure_adapter.go
@@ -118,10 +118,11 @@ func (adapter *azureAdapter) CollectEvidence(nonce []byte) (*connector.Evidence,
 	}
 
 	return &connector.Evidence{
-		Type:     1,
-		Evidence: quote,
-		UserData: runtimeData,
-		EventLog: eventLog,
+		Type:        1,
+		Quote:       quote,
+		UserData:    adapter.uData,
+		EventLog:    eventLog,
+		RuntimeData: runtimeData,
 	}, nil
 }
 
diff --git a/go-tdx/mock_adapter.go b/go-tdx/mock_adapter.go
@@ -27,7 +27,7 @@ func (adapter *mockAdapter) CollectEvidence(nonce []byte) (*connector.Evidence,
 
 	return &connector.Evidence{
 		Type:     1,
-		Evidence: nil,
+		Quote:    nil,
 		UserData: nil,
 		EventLog: nil,
 	}, nil
diff --git a/tdx-cli/README.md b/tdx-cli/README.md
@@ -75,7 +75,7 @@ The `token` command requires an Intel Trust Authority configuration to be passed
 Save this data in a `config.json` file and then invoke the `token` command.
 
 ```sh
-sudo ./trustauthority-cli token --config config.json --user-data <base64 encoded userdata>  --no-eventlog
+sudo ./trustauthority-cli token --config config.json --user-data <base64 encoded userdata>
 ```
 
 
diff --git a/tdx-cli/cmd/quote.go b/tdx-cli/cmd/quote.go
@@ -83,8 +83,8 @@ func getQuote(cmd *cobra.Command) error {
 		return errors.Wrap(err, "Failed to collect evidence")
 	}
 
-	fmt.Println("Quote:", base64.StdEncoding.EncodeToString(evidence.Evidence))
-	fmt.Println("runtime_data:", base64.StdEncoding.EncodeToString(evidence.UserData))
+	fmt.Println("Quote:", base64.StdEncoding.EncodeToString(evidence.Quote))
+	fmt.Println("runtime_data:", base64.StdEncoding.EncodeToString(evidence.RuntimeData))
 	fmt.Println("user_data:", userData)
 
 	return nil
diff --git a/tdx-cli/cmd/token.go b/tdx-cli/cmd/token.go
@@ -61,7 +61,7 @@ func init() {
 	tokenCmd.Flags().StringP(constants.PublicKeyPathOption, "f", "", "Public key to be used as userdata")
 	tokenCmd.Flags().StringP(constants.RequestIdOption, "r", "", "Request id to be associated with request")
 	tokenCmd.Flags().StringP(constants.TokenAlgOption, "a", "", "Token signing algorithm to be used, support PS384 and RS256")
-	tokenCmd.Flags().Bool(constants.NoEventLogOption, false, "Do not collect Event Log")
+	tokenCmd.Flags().Bool(constants.NoEventLogOption, true, "Do not collect Event Log")
 	tokenCmd.MarkFlagRequired(constants.ConfigOption)
 }
 
diff --git a/tdx-cli/test/test.go b/tdx-cli/test/test.go
@@ -32,7 +32,7 @@ var attestationToken = `
 
 func MockTrustAuthorityServer(t *testing.T) *httptest.Server {
 	nonceApi := "/appraisal/v1/nonce"
-	attestApi := "/appraisal/v1/attest"
+	attestApi := "/appraisal/v1/attest/azure/tdxvm"
 
 	r := mux.NewRouter()
 

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ func (connector *trustAuthorityConnector) Attest(args AttestArgs) (AttestRespons`
`24`	`24`	`return response, errors.Errorf("Failed to collect evidence from adapter: %s", err)`
`25`	`25`	`}`
`26`	`26`
`27`		`- tokenResponse, err := connector.GetToken(GetTokenArgs{nil, evidence, args.PolicyIds, args.RequestId, args.TokenSigningAlg})`
	`27`	`+ tokenResponse, err := connector.GetToken(GetTokenArgs{nonceResponse.Nonce, evidence, args.PolicyIds, args.RequestId, args.TokenSigningAlg})`
`28`	`28`	`response.Token, response.Headers = tokenResponse.Token, tokenResponse.Headers`
`29`	`29`	`if err != nil {`
`30`	`30`	`return response, errors.Errorf("Failed to collect token from Trust Authority: %s", err)`
Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ func (adapter sgxAdapter) CollectEvidence(nonce []byte) (connector.Evidence, e`
`86`	`86`
`87`	`87`	`return &connector.Evidence{`
`88`	`88`	`Type: 0,`
`89`		`- Evidence: quote_buffer,`
	`89`	`+ Quote: quote_buffer,`
`90`	`90`	`UserData: adapter.uData,`
`91`	`91`	`}, nil`
`92`	`92`	`}`
Original file line number	Diff line number	Diff line change
`@@ -118,10 +118,11 @@ func (adapter azureAdapter) CollectEvidence(nonce []byte) (connector.Evidence,`
`118`	`118`	`}`
`119`	`119`
`120`	`120`	`return &connector.Evidence{`
`121`		`- Type: 1,`
`122`		`- Evidence: quote,`
`123`		`- UserData: runtimeData,`
`124`		`- EventLog: eventLog,`
	`121`	`+ Type: 1,`
	`122`	`+ Quote: quote,`
	`123`	`+ UserData: adapter.uData,`
	`124`	`+ EventLog: eventLog,`
	`125`	`+ RuntimeData: runtimeData,`
`125`	`126`	`}, nil`
`126`	`127`	`}`
`127`	`128`