Enhanced TA validation + CLI auth in docker deployment #197

Merged (2 commits), Sep 20, 2023
2 changes: 1 addition & 1 deletion .github/workflows/linters.yml
@@ -25,7 +25,7 @@ jobs:
- name: Install golangci-lint
run: |
go version
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.48.0
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.51.1
- name: Install Protoc
uses: arduino/setup-protoc@v1
with:
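Review bot: the bump from `v1.48.0` to `v1.51.1` pins only the golangci-lint binary; the installer is still fetched from `master` (`raw.githubusercontent.com/golangci/golangci-lint/master/install.sh`) and piped straight into `sh`, so whatever that script contains on the day the workflow runs is what gets executed with the runner's credentials. Pin the script to a tagged ref that matches the binary version (or switch to the `golangci/golangci-lint-action` action, which carries its own pinned installer) so the linter step is reproducible end to end.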
2 changes: 2 additions & 0 deletions .gitignore
@@ -36,3 +36,5 @@ tags

.ipynb_checkpoints

# generated by build-test-vector scripts
scheme/**/*Comid*.cbor
2 changes: 2 additions & 0 deletions deployments/docker/src/builder-dispatcher
@@ -48,6 +48,8 @@ function deploy() {
set +a
cat $BUILD_DIR/deployments/docker/src/config.yaml.template | envsubst > $DEPLOY_DIR/config.yaml
cat $BUILD_DIR/deployments/docker/src/keycloak.conf.template | envsubst > $DEPLOY_DIR/keycloak.conf
cat $BUILD_DIR/deployments/docker/src/cocli-config.yaml.template | envsubst > $DEPLOY_DIR/utils/cocli-config.yaml
cat $BUILD_DIR/deployments/docker/src/pocli-config.yaml.template | envsubst > $DEPLOY_DIR/utils/pocli-config.yaml

echo "initializing stores"
for t in en ta po
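Review bot: the two new `envsubst` lines render templates that carry a literal `client_secret` and `password` into `$DEPLOY_DIR/utils/`, so the deploy directory now holds live OAuth2 credentials; make sure it is created with restrictive permissions (the existing `config.yaml`/`keycloak.conf` lines have the same exposure, but these add the client secret). Two smaller points: `$BUILD_DIR` and `$DEPLOY_DIR` are unquoted and `cat ... | envsubst >` is simply `envsubst < ... >`; and `envsubst` renders an unset variable as an empty string without complaint, so a missing `PROVISIONING_PORT`, `MANAGEMENT_PORT` or `KEYCLOAK_PORT` in the environment loaded before `set +a` yields a config with `http://provisioning-service:/...` instead of a failure. A `: "${KEYCLOAK_PORT:?}"` style check before these lines would catch that.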
2 changes: 1 addition & 1 deletion deployments/docker/src/builder.docker
@@ -57,7 +57,7 @@ RUN go mod download &&\
go install google.golang.org/protobuf/cmd/[email protected] &&\
go install google.golang.org/grpc/cmd/[email protected] &&\
go install github.com/mitchellh/[email protected] &&\
go install github.com/veraison/corim/cocli@latest &&\
go install github.com/veraison/corim/cocli@eeb7bd48 &&\
Collaborator:

I thought we strongly enforce revisions now?

Collaborator (author):

That hash is associated with a v2.0.0rc0 tag; however, because it's a v2 tag for a module without a /v2, using it won't work (conversely, moving to /v2 without publishing a release won't work either). It's a catch-22 in the go module versioning system, it seems. So we have to use the hash here.

go install github.com/veraison/evcli/v2@latest &&\
go install github.com/veraison/pocli@latest &&\
go install github.com/go-delve/delve/cmd/dlv@latest
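Review bot: `cocli@eeb7bd48` is an 8-character abbreviated hash; Go will resolve it to a pseudo-version, but a full 40-character SHA is unambiguous and cannot later collide with another object, and the reason for using a hash at all (the `v2.0.0rc0` tag is a v2 tag on a module without a `/v2` path, per the thread above) belongs in a `#` comment right beside the line so the next person does not "fix" it back to `@latest`. The `evcli/v2@latest`, `pocli@latest` and `dlv@latest` lines remain unpinned, which is at odds with the "strongly enforce revisions" remark in the discussion: image builds on different days can pull different tool versions.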
8 changes: 8 additions & 0 deletions deployments/docker/src/cocli-config.yaml.template
@@ -0,0 +1,8 @@
api_server: http://provisioning-service:${PROVISIONING_PORT}/endorsement-provisioning/v1/submit
auth: oauth2
username: veraison-provisioner
password: veraison
client_id: veraison-client
client_secret: YifmabB4cVSPPtFLAmHfq7wKaEHQn10Z
token_url: http://keycloak-service:${KEYCLOAK_PORT}/realms/veraison/protocol/openid-connect/token
# vim: set ft=yaml:
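Review bot: `username`, `password` and `client_secret` are literal values committed in the template while only the ports are `${...}` placeholders; the same `envsubst` pass that fills `PROVISIONING_PORT` could fill something like `${COCLI_CLIENT_SECRET}` (placeholder name, not in this PR) so the secret lives in the deployment environment rather than in git history. Note also that `auth: oauth2` with a `username`/`password` pair plus `token_url` looks like the password grant, and both the token request and the submit call use plain `http://`; that is acceptable only while these services stay on the internal docker network, so a comment saying this template is for the local deployment only would help.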
2 changes: 1 addition & 1 deletion deployments/docker/src/config.yaml.template
@@ -38,5 +38,5 @@ po-agent:
auth:
backend: keycloak
host: keycloak-service
port: 11111
port: ${KEYCLOAK_PORT}
# vim: set ft=yaml:
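Review bot: good change, `11111` was a literal that had to match whatever Keycloak was started on. With `${KEYCLOAK_PORT}` now referenced in three templates (this file, `cocli-config.yaml.template`, `pocli-config.yaml.template`), consider failing the dispatcher early if the variable is unset, since `envsubst` will silently write `port:` with no value here.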
4 changes: 3 additions & 1 deletion deployments/docker/src/manager.docker
@@ -33,10 +33,12 @@ USER manager
WORKDIR /opt/veraison

RUN mkdir -p /home/manager/.config/pocli && \
echo "host: management-service" > /home/manager/.config/pocli/config.yaml
mkdir -p /home/manager/.config/cocli

ADD --chown=manager:nogroup utils/evcli utils/cocli utils/pocli ./utils/
ADD --chown=manager:nogroup manager-dispatcher ./
ADD --chown=manager:nogroup utils/cocli-config.yaml /home/manager/.config/cocli/config.yaml
ADD --chown=manager:nogroup utils/pocli-config.yaml /home/manager/.config/pocli/config.yaml

ENTRYPOINT ["/opt/veraison/manager-dispatcher"]
CMD ["help"]
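Review bot: the two `ADD --chown=manager:nogroup` lines bake `cocli-config.yaml` and `pocli-config.yaml`, which contain the Keycloak client secret and a password, into an image layer; anyone with pull access to the image gets the credentials, and a later `RUN rm` would not remove them from history. If the image only ever runs in the local docker deployment that may be acceptable, but bind-mounting the configs at run time, or a BuildKit `RUN --mount=type=secret` for build-time use, would keep them out of the layer. Minor: now that the `echo "host: management-service"` line is gone, the `RUN` can be a single `mkdir -p /home/manager/.config/pocli /home/manager/.config/cocli`.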
9 changes: 9 additions & 0 deletions deployments/docker/src/pocli-config.yaml.template
@@ -0,0 +1,9 @@
host: management-service
port: ${MANAGEMENT_PORT}
auth: oauth2
username: veraison-provisioner
password: veraison
client_id: veraison-client
client_secret: YifmabB4cVSPPtFLAmHfq7wKaEHQn10Z
token_url: http://keycloak-service:${KEYCLOAK_PORT}/realms/veraison/protocol/openid-connect/token
# vim: set ft=yaml:
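Review bot: `username`, `password`, `client_id`, `client_secret` and `token_url` are verbatim copies of the values in `cocli-config.yaml.template`; if one is rotated the other silently goes stale, so source both from the same environment variables in `builder-dispatcher` rather than keeping two literal copies. Also, this file uses `host`/`port` where the cocli template takes a full `api_server` URL, so the two tools clearly accept different config shapes; a one-line comment at the top of each template saying which tool consumes it would save the next reader a lookup.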
Binary file modified end-to-end/input/cca-endorsements.cbor
18 changes: 18 additions & 0 deletions end-to-end/input/corim-src/build-endorsements.sh
@@ -0,0 +1,18 @@
#!/bin/bash
set -e

TEMP_DIR=/tmp/veraison-end-to-end
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )

mkdir -p $TEMP_DIR

for scheme in psa cca; do
cocli comid create --template ${SCRIPT_DIR}/comid-${scheme}-ta.json \
--template ${SCRIPT_DIR}/comid-${scheme}-refval.json \
--output-dir $TEMP_DIR
cocli corim create --template ${SCRIPT_DIR}/corim-${scheme}.json \
--comid ${TEMP_DIR}/comid-${scheme}-refval.cbor \
--comid ${TEMP_DIR}/comid-${scheme}-ta.cbor \
--output ${SCRIPT_DIR}/../${scheme}-endorsements.cbor
done
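Review bot: `TEMP_DIR=/tmp/veraison-end-to-end` is a fixed path in a world-writable location, and `mkdir -p` will happily reuse it if another user created it first; `TEMP_DIR=$(mktemp -d)` with a `trap 'rm -rf "$TEMP_DIR"' EXIT` avoids that and also cleans up the intermediate CoMID files. Quoting is inconsistent (`${SCRIPT_DIR}` and `$TEMP_DIR` are unquoted in the `cocli` calls but `SCRIPT_DIR` is carefully quoted when computed). Lastly, `cocli corim create` emits an unsigned CoRIM (signing is the separate `cocli corim sign` step), so the generated `*-endorsements.cbor` files only work against a provisioning path that accepts unsigned input; a comment stating that, and that the impl-id/signer-id/digest values must match what the end-to-end attester emits, would make the fixture's intent clear.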

109 changes: 109 additions & 0 deletions end-to-end/input/corim-src/comid-cca-refval.json
@@ -0,0 +1,109 @@
{
"lang": "en-GB",
"tag-identity": {
"id": "43BBE37F-2E61-4B33-AED3-53CFF1428B16",
"version": 0
},
"entities": [
{
"name": "ACME Ltd.",
"regid": "https://acme.example",
"roles": [
"tagCreator",
"creator",
"maintainer"
]
}
],
"triples": {
"reference-values": [
{
"environment": {
"class": {
"id": {
"type": "psa.impl-id",
"value": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
},
"vendor": "ACME",
"model": "RoadRunner"
}
},
"measurements": [
{
"key": {
"type": "psa.refval-id",
"value": {
"label": "BL",
"version": "3.4.2",
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
}
},
"value": {
"digests": [
"sha-256;BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
]
}
},
{
"key": {
"type": "psa.refval-id",
"value": {
"label": "M1",
"version": "1.2.0",
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
}
},
"value": {
"digests": [
"sha-256;CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
]
}
},
{
"key": {
"type": "psa.refval-id",
"value": {
"label": "M2",
"version": "1.2.3",
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
}
},
"value": {
"digests": [
"sha-256;DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
]
}
},
{
"key": {
"type": "psa.refval-id",
"value": {
"label": "M3",
"version": "1.0.0",
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
}
},
"value": {
"digests": [
"sha-256;EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
]
}
},
{
"key": {
"type": "cca.platform-config-id",
"value": "cfg v1.0.0"
},
"value": {
"raw-value": {
"type": "bytes",
"value": "cmF3dmFsdWUKcmF3dmFsdWUK"
}
}
}
]
}
]
}
}
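Review bot: `tag-identity.id` is `43BBE37F-2E61-4B33-AED3-53CFF1428B16`, the same UUID used by `comid-psa-refval.json` in this PR; CoMID tag identities are meant to be unique per tag, so give the CCA tags their own UUIDs before someone provisions both CoRIMs into one store. The `psa.impl-id` here is 32 zero bytes and the `signer-id` of `BL` is the same base64 string as its `sha-256` digest, which is obviously placeholder data; fine for an end-to-end fixture, but since the verifier matches on exactly these fields a short note next to the fixture saying they must stay in sync with the test attester's evidence would prevent a confusing failure later.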

44 changes: 44 additions & 0 deletions end-to-end/input/corim-src/comid-cca-ta.json
@@ -0,0 +1,44 @@
{
"lang": "en-GB",
"tag-identity": {
"id": "366D0A0A-5988-45ED-8488-2F2A544F6242",
"version": 0
},
"entities": [
{
"name": "ACME Ltd.",
"regid": "https://acme.example",
"roles": [
"tagCreator",
"creator",
"maintainer"
]
}
],
"triples": {
"attester-verification-keys": [
{
"environment": {
"class": {
"id": {
"type": "psa.impl-id",
"value": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
},
"vendor": "ACME",
"model": "RoadRunner"
},
"instance": {
"type": "ueid",
"value": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC"
}
},
"verification-keys": [
{
"type": "pkix-base64-key",
"value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMKBCTNIcKUSDii11ySs3526iDZ8A\niTo7Tu6KPAqv7D7gS2XpJFbZiItSs3m9+9Ue6GnvHw/GW2ZZaVtszggXIw==\n-----END PUBLIC KEY-----"
}
]
}
]
}
}
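Review bot: same duplicate tag id issue as the refval file: `366D0A0A-5988-45ED-8488-2F2A544F6242` is also the `tag-identity.id` of `comid-psa-ta.json`. The `attester-verification-keys` entry reuses the exact same public key as the PSA fixture with only the `ueid` and the all-zero `impl-id` differing; that works because a trust anchor is selected by its environment, but sharing one key across both schemes' fixtures makes it hard to show that CCA evidence is validated against the CCA anchor rather than the PSA one, which is presumably what the "Enhanced TA validation" part of this PR is meant to exercise. A distinct key for the CCA anchor would make that test meaningful.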
81 changes: 81 additions & 0 deletions end-to-end/input/corim-src/comid-psa-refval.json
@@ -0,0 +1,81 @@
{
"lang": "en-GB",
"tag-identity": {
"id": "43BBE37F-2E61-4B33-AED3-53CFF1428B16",
"version": 0
},
"entities": [
{
"name": "ACME Ltd.",
"regid": "https://acme.example",
"roles": [
"tagCreator",
"creator",
"maintainer"
]
}
],
"triples": {
"reference-values": [
{
"environment": {
"class": {
"id": {
"type": "psa.impl-id",
"value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE="
},
"vendor": "ACME",
"model": "RoadRunner"
}
},
"measurements": [
{
"key": {
"type": "psa.refval-id",
"value": {
"label": "BL",
"version": "2.1.0",
"signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs="
}
},
"value": {
"digests": [
"sha-256;h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc="
]
}
},
{
"key": {
"type": "psa.refval-id",
"value": {
"label": "PRoT",
"version": "1.3.5",
"signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs="
}
},
"value": {
"digests": [
"sha-256;AmOCmYm2/ZVPcrqvL8ZLwuLwHWktTecphuqAj26ZgT8="
]
}
},
{
"key": {
"type": "psa.refval-id",
"value": {
"label": "ARoT",
"version": "0.1.4",
"signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs="
}
},
"value": {
"digests": [
"sha-256;o6XnFfDMV0pzw/m+u2vCTzL/1bZ7OHJEwskJ2neaFHg="
]
}
}
]
}
]
}
}
44 changes: 44 additions & 0 deletions end-to-end/input/corim-src/comid-psa-ta.json
@@ -0,0 +1,44 @@
{
"lang": "en-GB",
"tag-identity": {
"id": "366D0A0A-5988-45ED-8488-2F2A544F6242",
"version": 0
},
"entities": [
{
"name": "ACME Ltd.",
"regid": "https://acme.example",
"roles": [
"tagCreator",
"creator",
"maintainer"
]
}
],
"triples": {
"attester-verification-keys": [
{
"environment": {
"class": {
"id": {
"type": "psa.impl-id",
"value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE="
},
"vendor": "ACME",
"model": "RoadRunner"
},
"instance": {
"type": "ueid",
"value": "Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI"
}
},
"verification-keys": [
{
"type": "pkix-base64-key",
"value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMKBCTNIcKUSDii11ySs3526iDZ8A\niTo7Tu6KPAqv7D7gS2XpJFbZiItSs3m9+9Ue6GnvHw/GW2ZZaVtszggXIw==\n-----END PUBLIC KEY-----"
}
]
}
]
}
}
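Review bot: `build-endorsements.sh` loops over `psa` and `cca` and writes both `psa-endorsements.cbor` and `cca-endorsements.cbor`, yet only `cca-endorsements.cbor` shows as modified in this diff. Either the PSA sources here regenerate a byte-identical file, or the script was not run for PSA; worth confirming by running the script and checking `git status`, since the point of committing the JSON sources is that the CBOR fixtures are reproducible from them.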