* manager, cli and agent vtpm support
* rebase and changed atls for vtpm
* deleted unused code
* changed chekproto.yaml script so it find the manager proto file correctly
* fixe manager proto version
* fix agent tests
* fix server agent test
* fix attestation test
* fix attestation test gofumpt
* created dummy RWC for TPM
* fix comment
* add default PCR values
* rebase main
* fix rust ci and missing header
* changed embedded attestation to VMPL 2
* fix unused impot
* fix pkg test
* address attestation type
* fix agent attestation test
* add prc15 check
* fix comments
* fix cli tests
* add doc
* add mock for LeveledQuoteProvider when SEV-SNP device is not found
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix manager reading attestation policy
* refactor PCR value checks and update attestation policy values
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix tests for sev and grpc
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Co-authored-by: Sammy Oina <sammyoina@gmail.com>
* Update Dependabot configuration and Go dependencies; modify test command to include embed tag
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Refactor CVMSClient computation handling and improve test message queue capacity
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor TestManagerClient_Process to remove buffer from messageQueue and ensure proper handling of messages
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: SammyOina <sammyoina@gmail.com>
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor(env): remove internal env package
No need for this package since the parent package github.com/caarlos0/env does everything we need
Signed-off-by: Rodney Osodo <socials@rodneyosodo.com>
* refactor(jaeger): remove internal jaeger package
No need for this package since we can use magistrala exported package
Signed-off-by: Rodney Osodo <socials@rodneyosodo.com>
* refactor(metrics): remove internal metrics pkg
Use exported magistrala prometheus package
Signed-off-by: Rodney Osodo <socials@rodneyosodo.com>
* chore(dep): Update grpc and other dependencies
Signed-off-by: Rodney Osodo <socials@rodneyosodo.com>
* style(linter): remove enabled by default linters
Signed-off-by: Rodney Osodo <socials@rodneyosodo.com>
---------
Signed-off-by: Rodney Osodo <socials@rodneyosodo.com>
* Implement gRPC auth interceptors and update dependencies
Introduced gRPC authentication interceptors for unary and stream calls in the agent's API to enhance security. These interceptors verify signatures based on roles before handling requests, rejecting unauthorized ones. The authentication logic was refactored, adding relevant error handling.
Added mocks for authentication interfaces to facilitate testing and replaced direct errors with wrapped ones to provide additional context.
The Makefile now includes a version pin for the Mockery tool, ensuring consistent mock generation across environments.
Updated the gRPC server setup in `grpc.go` to utilize the new interceptors. This change aims to reinforce the API's access control by authenticating users according to their roles and is expected to prevent unauthorized access to sensitive endpoints.
Lastly, dependencies in go.mod and go.sum were updated, most notably the inclusion of testify for improved testing capabilities.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* fix linting errors
Signed-off-by: SammyOina <sammyoina@gmail.com>
* * chore(Makefile): remove unused variables and update 'mocks' target
Signed-off-by: SammyOina <sammyoina@gmail.com>
---------
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Add hash verification for datasets and algorithms
Enhanced data integrity checking by incorporating hash fields in Dataset and Algorithm structures, and modified the corresponding service logic to validate these hashes during processing. The update includes SHA-3 for hash computation, replacing the former SHA-256 usage, and ensures the provided data matches the expected hash from the manifest to prevent processing malformed or corrupted data.
- Introduce `Hash` field to both Dataset and Algorithm structs to store the expected hash value.
- Implement SHA-3 hashing within service methods that process the data, ensuring consistency with newly added `Hash` fields.
- Add error handling for hash mismatches, preventing further processing and alerting to potential data integrity issues.
- Update Protocol Buffers serialization to accommodate the new hash fields for gRPC communication.
- Modify manager service's Run method to pass the hash information when creating agent configurations.
Go module dependencies were updated to include the new SHA-3 package and upgrade Go version to 1.21.6 for improved stability and compatibility.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Remove identifiers from protobuf and related code
The protobuf definitions and related service handling code have been revised to drop specific identifier fields (`AlgorithmID` and `DatasetID`) to simplify API responses and internal function signatures. These removals streamline the overall data flow between components, reduce unnecessary data transmission, and lead to an aligned server-client expectation where identifiers are no longer a part of the response payload. Consequently, these changes simplify the logic within various functions and client commands, reinforcing encapsulation by ensuring that internal identifiers do not need to be managed or exposed unnecessarily.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* fix lint
Signed-off-by: SammyOina <sammyoina@gmail.com>
---------
Signed-off-by: SammyOina <sammyoina@gmail.com>
The HTTP server-related code, documentation, and configurations have been removed as part of a shift towards prioritizing gRPC for service communication. This update includes deletions of HTTP host and port configs across various components, the manager HTTP API alongside its Swagger definition, and the removal of related scaffolding and utility code. This change simplifies the overall architecture and eliminates redundant HTTP support, focusing on optimizing gRPC performance and security features.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Improve attestation and update deps
Enhanced the attestation process to require additional report data and a variable privacy level, catering to varying security requirements. The `Run` method's context parameter was removed to simplify invocation following API alignment. Dependencies got updated, notably adding `github.com/google/go-sev-guest` for attestation, and some were indirectly bumped. These updates ensure the agent service leverages the latest available features and improvements for security and stability.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Extend AttestationRequest with data fields
Enhanced the AttestationRequest message structure by introducing 'report_data' and 'vpml' fields to encapsulate additional attestation context. Adjusted service and middleware layers to incorporate these new parameters, enabling richer attestation workflows. The GRPC endpoint, logging, and metrics layers have been updated to handle the additional data, catering to more secure and nuanced attestation use cases.
Refactors Attestation command in CLI to accept report data argument and include an optional 'vpml' flag for specifying virtual machine privilege level. This change empowers users to request attestation with specific context directly from the CLI.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Refactor attestation to remove vpml dependency
Removed the `vpml` field from the AttestationRequest protobuf, and all associated handling code, streamlining the attestation process. Code adjustments were made in gRPC client, server, and service layers to ensure proper request construction and validation that focuses only on report data. This change simplifies the attestation API and its usage, reducing error risk and improving maintainability. It reflects a decision to decouple the protocol from specific vendor measurement levels, potentially due to a shift towards a more generalized attestation procedure.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Enhance CLI usability and streamline SDK attestation
- Added a usage example to the CLI attestation command for better user guidance.
- Simplified the SDK attestation function by removing an unused parameter and directly populating the request structure with report data to align function parameters with actual usage requirements.
Signed-off-by: SammyOina <sammyoina@gmail.com>
---------
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Simplify event handling and config
Streamlined event service interface by consolidating `SendEvent` and introducing `SendRaw`. Removed `notification_server_url` and `instance_id` parameters from several event publication calls to leverage centralized event construction. This change not only cleans up redundancy in event-related code but also simplifies the configuration data flow across the system, making it easier to manage and less error-prone. Uniform event generation now improves consistency and maintainability.
Refactored configuration management in the agent and manager services. Removed notifications URL from the agent configuration, relying on a simplification that assumes a single source of events. Updated Manager Port to VsockConfigPort for clarity and consistency across vsock communication.
These modifications should facilitate easier integration and extension of event and configuration systems in the future.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* fix lint
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Refactor error handling in agent event forwarding
Introduced context and error channel handling to the agent event forwarding process. The logger now warns on errors during forward operations asynchronously, allowing for non-blocking error reporting. Additionally, reliance on the global logger was removed in favor of passing error information via channels, improving modularity and error flow control.
Resolves issue with silent forwarding failures by providing a means to alert system operators without halting the service. This enhancement makes the error reporting more robust and reactive while maintaining service continuity.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* remove unused field
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Enhance agent logging via vsock connection
Redirected agent logging to use a vsock connection instead of standard output, improving the process isolation and enabling centralized log management. The change involved dialing to the specified vsock log port and initializing the logger with the vsock connection rather than stdout.
Additionally, the manager service now maintains a map of agent vsock cids to computation IDs, providing better tracking of computation resources. A routine to retrieve logs from agents was also initiated during the service setup to facilitate log collection.
Consequential to these changes is the removal of a redundant os package import in the agent's main.go, further cleaning up the dependencies.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* fail gracefully
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Updated backoff strategy and VM configurations
- Added `github.com/cenkalti/backoff` to direct dependencies for robust retry logic in agent configuration sending.
- Modified the vsock logs port to align with the updated port range standards.
- Enclosed kernel console arguments in quotes to ensure proper parsing in QEMU configurations.
- Implemented exponential backoff when sending agent configurations to handle transient failures.
Refactors:
- Streamlined creation of `AgentConfig` within the computation setup to avoid unnecessary initializations when `c.AgentConfig` is not nil.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Refactor command execution and improve argument construction
Consolidated the error handling in the command execution function for better readability. In the QEMU configuration, the argument assembly process is enhanced for clarity and correctness; the VNC parameter is now separate, and string quoting is handled properly for kernel parameters. These changes result in more maintainable code and prevent potential formatting issues during QEMU argument parsing.
Resolves issues with argument construction in QEMU config module.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Refine default config handling and unpacking
Improved the agent configuration by dynamically setting default values for the log level and port if they are not specified in the incoming configuration. Also streamlined configuration unpacking in the endpoint and service layers, reducing redundancy and ensuring all required fields are correctly copied over to the Manager's configuration structure. This change ensures better fault tolerance and more maintainable code by handling edge cases where configuration values might be missing.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* rename dir
Signed-off-by: SammyOina <sammyoina@gmail.com>
* fix lint
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Ensure runRes.Empty() reflects non-empty state
Changed the always-true return value of the `runRes.Empty()` method to `false` to accurately indicate the presence of a response body. This adjustment ensures downstream handling of API responses aligns with actual content state.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Replace mglog with slog across codebase
Updated various components to replace the `mglog` logger implementation with the `slog` logger. This change affects logging initialization and calls throughout the codebase including the agent, manager, and internal server components. Transitioning to `slog` is part of a broader shift to standardize the logging mechanism to improve maintainability and consistency.
Signed-off-by: SammyOina <sammyoina@gmail.com>
---------
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Optimize QEMU launch and add V-sock support
Refactored QEMU argument construction and launching logic by removing the dependency on 'agent.Computation'. This simplification makes the VM creation process more streamlined. Additionally, introduced V-sock capabilities in the QEMU configuration to facilitate improved guest-host communication. Updated the README to include kernel module setup instructions for the new V-sock feature.
The V-sock implementation enables VMs to use a consistent communication channel that is not affected by network configuration changes, enhancing reliability and potential interoperability with host services. It's important to ensure that the necessary kernel modules are loaded as part of the setup process, as documented.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Add vsock-based communication to manager
Introduced virtual socket (vsock) communication abilities in the manager package by implementing a new socket service. This includes establishing a vsock listener and stub methods for sending computation results and cleaning up resources. The addition provides the groundwork for interprocess communication between guest and host in virtualized environments.
- Integrated the `mdlayher/vsock` library for handling virtual socket operations.
- Created a new `sockService` struct to encapsulate vsock listener handling.
- Implemented `NewVsock` constructor to initialize the listener with domain value `3`.
- Added placeholder methods for future computation sending and service closing logic.
This enhancement targets scenarios where efficient VM-to-host communication is required.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* remove env
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Refactor agent config and use vsock
Introduce `AgentConfig` struct to group agent-related configurations, and update `Computation` struct to include the new `AgentConfig` field. Replace command-line computation extraction with vsock-based config retrieval for robustness and decoupling. The agent configuration is now read from a vsock connection during runtime, allowing for more dynamic and flexible deployments. Adjusted the main agent application logic to support these configuration changes, and corresponding changes have been made in the manager to facilitate vsock communication.
This approach aligns with modern practices for microservices by streamlining configuration management and reducing reliance on static command-line parameters. Moreover, it enhances the scalability of the agent service by allowing configuration to be managed externally.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Refactor agent config and remove deprecated code
Consolidated agent configuration management into a single `AgentConfig` message and pruned deprecated Protobuf `ComputationReq`, `DatasetReq`, and `AlgorithmReq` messages. Adapted corresponding manager service logic to the new configuration structure. These modifications align with updated manager API schema, facilitate clearer configuration handling, and improve maintainability.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* send configuration
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Switch agent to listen mode for manager connections
Previously, the agent established a connection to the manager using a direct dial. This change shifts the setup to where the agent listens on a specified port and accepts incoming connections. It ensures that the agent properly handles incoming requests by initiating a listening socket and waiting for the manager to connect, enhancing the system's flexibility in connection management. This adjustment also includes graceful closure of the listening socket.
Signed-off-by: SammyOina <sammyoina@gmail.com>
---------
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Add CoCos-AI Manager API specification
This commit adds the CoCos-AI Manager API specification
in the form of a YAML file. The specification includes
information about the title, description, contact,
license, and version of the API. It also defines the
servers where the API is hosted and the paths and
operations available, such as running computation on
a virtual machine.
The API specification is based on OpenAPI 3.0.1 and
provides a clear and concise overview of the CoCos-AI
Manager service.
The commit also includes a link to the CoCos-AI repository
and the license information.
This commit is necessary to provide a clear and documented
API specification for the CoCos-AI Manager service.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Refactor go.mod and go.sum files
The go.mod and go.sum files have been refactored to remove the go.opentelemetry.io/contrib/propagators/jaeger package, which is no longer needed. This package was causing compatibility issues with the current version of the project. The refactoring ensures that the project is using the latest compatible versions of the required dependencies.
This commit removes the go.opentelemetry.io/contrib/propagators/jaeger package from the go.mod file and updates the go.sum file accordingly.
Note: The go.mod file now uses go.opentelemetry.io/otel v1.19.0 and go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0.
Please review the changes to ensure compatibility and functionality.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* fix typo
Signed-off-by: SammyOina <sammyoina@gmail.com>
---------
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Fix bug in agent state machine
The bug in the agent state machine caused an error when attempting an invalid transition. This commit fixes the bug by properly locking and unlocking the state machine before and after transitioning to the next state. Additionally, the logger now correctly logs the current and next state during a valid transition.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Fix race condition in state machine
The commit fixes a race condition in the state machine implementation in the `Start` method. The race condition occurs when multiple goroutines try to access and modify the state concurrently. To fix this, a mutex lock and unlock are added around the critical sections of code to ensure exclusive access to the state variable. This prevents race conditions and ensures the state transitions are executed correctly.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Fix race condition in StateMachine.Start()
The StateMachine.Start() method was experiencing a race condition
when multiple events were being processed concurrently. This was
caused by not properly locking and unlocking the state machine
before and after updating the state. This commit fixes the issue
by adding proper locking and unlocking around the state update
operation. Additionally, the logging statement has been updated
to include the previous and next states for better debugging.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* add magistrala dep
Signed-off-by: SammyOina <sammyoina@gmail.com>
* remove mainflux
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Fix agentService New function to include messaging.Publisher parameter
The agentService New function has been updated to include a messaging.Publisher parameter. This change allows the agent service to publish messages to a messaging system. The messaging.Publisher parameter has been added to the agentService struct and the New function signature has been updated accordingly. This change ensures that the agent service can communicate with other components using the messaging system.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Refactor service.go state functions
The commit refactors the state functions in the service.go file.
The functions for each state have been modified to use the svc.publishEvent
method to publish events with appropriate messages.
- Refactor state functions in service.go
- Use svc.publishEvent to publish events with messages for each state
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Fix computation run event publishing and add pubsub functionality
The computation run event publishing in the agent service was fixed to correctly call the publishEvent function. Additionally, the pubsub functionality was added to the manager package.
- Fixed computation run event publishing in agent service
- Added pubsub functionality to manager package
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Fix license header in pubsub.go file
The commit fixes the license header in the pubsub.go file.
The copyright and SPDX-License-Identifier have been added
to comply with the Apache-2.0 license.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Add Docker environment variables for Nats, RabbitMQ, Message Broker, and Jaeger.
The commit message should be:
"Add Docker environment variables for Nats, RabbitMQ, Message Broker, and Jaeger"
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Fix Makefile to properly set DOCKER_PROJECT and COCOS_MESSAGE_BROKER_TYPE
The Makefile has been updated to fix an issue with setting the DOCKER_PROJECT and COCOS_MESSAGE_BROKER_TYPE variables. The USER_REPO variable is now used to generate the DOCKER_PROJECT name following the Docker Compose guidelines. Additionally, the COCOS_MESSAGE_BROKER_TYPE variable is now properly set to "nats" if it is empty. This ensures that the correct values are used when compiling and installing the service.
Summary:
Fix Makefile to properly set DOCKER_PROJECT and COCOS_MESSAGE_BROKER_TYPE
Details:
- Update USER_REPO variable to generate DOCKER_PROJECT name
- Set COCOS_MESSAGE_BROKER_TYPE to "nats" if empty
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Fix Makefile Docker profile assignment and build flags
The Makefile was updated to fix the assignment of the Docker profile and build flags. The Docker profile is now assigned based on the value of COCOS_MESSAGE_BROKER_TYPE, and if it is not provided, the default value is set to "nats". The build flags were also updated to include the COCOS_MESSAGE_BROKER_TYPE value as a tag for the Go build process.
This commit addresses the issue with the Docker profile assignment and ensures that the correct build flags are used during the build process.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* fix makefile
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Fix notification topic in agent service and update NATS ports in Docker environment variables
The agent service's notification topic was incorrectly set to "channels.manager" instead of "agent". This commit fixes the issue by updating the notification topic.
Additionally, the NATS ports in the Docker environment variables were incorrect. The COCOS_NATS_PORT and COCOS_NATS_HTTP_PORT have been updated to the correct values.
These changes ensure that the agent service uses the correct notification topic and the NATS ports are properly configured.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* add pubsub
Signed-off-by: SammyOina <sammyoina@gmail.com>
* update protoc
Signed-off-by: SammyOina <sammyoina@gmail.com>
---------
Signed-off-by: SammyOina <sammyoina@gmail.com>
Danko Miladinovic
dependabot[bot]
Sammy Kerata Oina
dorcaslitunya
Smith Jilks
b1ackd0t
Filip Bugarski
Drasko Draskovic
SammyOina
WashingtonKK
Darko Draskovic