* feat: Introduce Go-based CoRIM generation and deprecate Rust attestation policy scripts.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update dependencies and refactor attestation policy handling
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Migrate attestation verification to use CoRIM and remove deprecated policy handling and EAT verification tests.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Removed the `tdx` and `sev-snp` attestation policy scripts and their build configurations, along with related build and installation steps from the main Makefile.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* chore: Remove Rust CI workflow and Cargo Dependabot configuration, and enhance Go test setup for attestation policy paths.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Use WriteString instead of Write([]byte) for writing policy file content in test.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Refactor `ca-bundle` command to fetch bundles by product string using a configurable HTTP getter with improved error handling, and simplify `attestation_policy` command usage.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: ignore return value of cmd.Help()
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Implement CoRIM generation for Azure and GCP attestation policies and add a CLI command to download and verify GCP OVMF files.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Upgrade Python virtual environment setup to include setuptools and wheel, append computation ID to Docker container names, and improve test robustness with error assertions and conditional skips for runtime tests.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: Enhance attestation verification tests, including CoRIM integration and specific platform types like Azure SNP, vTPM, TDX, and IGVM.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add comprehensive test cases for `VerifyWithCoRIM` including success and measurement mismatch, and refine reference value validation.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add Azure and TDX attestation verification tests and abstract external service dependencies for improved testability.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add new test cases for Azure measurement extraction, EAT platform types, IGVM measurement stopping, vTPM CoRIM verification, and GCP OVMF download CLI.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: enhance CLI CoRIM generation and ATLS certificate verification tests, and refactor the Azure MAA client to use an interface.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat(kbs): implement KBS client for attestation and resource retrieval
- Added KBS client implementation in pkg/kbs/client.go with methods for attestation and resource retrieval.
- Introduced necessary data structures for requests and responses.
- Implemented error handling for various scenarios.
test(kbs): add unit tests for KBS client
- Created comprehensive tests for the KBS client in pkg/kbs/client_test.go.
- Included tests for attestation success and failure cases, as well as resource retrieval.
feat(registry): introduce HTTP and S3 registry implementations
- Added HTTPRegistry for downloading resources over HTTP/HTTPS with retry logic in pkg/registry/http.go.
- Implemented S3Registry for downloading resources from AWS S3 and S3-compatible services in pkg/registry/s3.go.
- Included error handling and configuration options for both registries.
chore(registry): define registry interface and configuration
- Created registry interface and configuration struct in pkg/registry/registry.go.
- Added default configuration settings for registry clients.
docs(cvms): update README for CVMS server configuration and usage
- Enhanced documentation for CVMS server with detailed command-line flags and usage examples.
- Clarified direct upload and remote resource modes, including KBS integration.
fix(cvms): integrate KBS for remote resource handling in main.go
- Updated main.go to support remote datasets and algorithms using KBS.
- Added validation for command-line flags to ensure proper configuration.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: Move ifeq conditional outside define block in attestation-service.mk
Make conditionals cannot be evaluated inside define...endef blocks
when used as recipe bodies. Restructured to define the
ATTESTATION_SERVICE_INSTALL_INIT_SYSTEMD block conditionally based
on BR2_PACKAGE_CC_ATTESTATION_AGENT configuration.
* feat: Implement remote resource downloading for algorithms and datasets using AWS S3/MinIO credentials.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add comprehensive documentation and agent support for testing remote resource download with KBS attestation.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Improve agent logging for remote resource configuration and KBS status, and add a testing guide for remote resource downloads with KBS attestation.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add a comprehensive guide for testing remote resource download with KBS attestation and update multiple package versions to a specific commit.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add failure transitions for resource reception states and a comprehensive guide for testing remote resource downloads with KBS attestation.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Implement remote resource download with KBS attestation in the agent and add a comprehensive testing guide.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: Add comprehensive guide for testing remote resource download with KBS attestation and include a debug log in the attestation client.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Delegate KBS attestation and token retrieval to a new attestation-agent service and document remote resource testing.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* client fixes
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* raw evidence
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: Build all Go files in cmd directories, not just main.go
This fixes the issue where fetch_raw_evidence.go wasn't being included
in the attestation-service build.
* fix: Wrap binary evidence in JSON for KBS compatibility
Fixes 'invalid character' error by wrapping raw binary evidence
in a JSON structure with base64 encoding, as expected by KBS.
* chore: Update buildroot packages to c28cefae
Includes fixes for:
1. attestation-service build (including fetch_raw_evidence.go)
2. Agent KBS evidence format (wrapping binary in JSON)
* fix: Implement KBS RCAR handshake with cookies
Fixes 'cookie not found' error (401) from KBS by:
1. Adding CookieJar support to KBS client
2. Implementing GetChallenge() to perform /auth handshake and capture session cookie
3. Updating Agent to get challenge, decode nonce, and use it for evidence generation
4. Regenerating mocks
* chore: Update buildroot packages to f6981ac5
Includes KBS RCAR handshake fix (cookie support + GetChallenge loop)
* fix: Update KBS client JSON tags to kebab-case
Fixes deserialization error (401) from KBS by:
1. Using kebab-case (e.g. extra-params) for JSON tags as per protocol.
2. Initializing ExtraParams as empty object {} instead of null/omitted.
* fix: Wrap attestation evidence in primary_evidence format
Updates Agent to construct 'tee-evidence' payload with:
- primary_evidence: containing the actual quote/data
- additional_evidence: empty JSON object
This matches the Confidential Containers KBS Attestation Protocol requirements.
* fix: Update KBS protocol version to 0.4.0
KBS rejected 0.1.0 with a version mismatch error. Bumping to 0.4.0 to match server expectation.
* fix: Generate ephemeral key for KBS RuntimeData
Updates RuntimeData to include a valid ephemeral EC P-256 public key in JWK format, as required by the KBS RCAR protocol.
Also fixes the KBS client struct to support TEEPubKey as an object.
* fix: Update sample attestation quote to valid JSON
The default attestation.bin was binary, but the KBS Sample Verifier expects a valid JSON quote containing 'svn' and 'report_data'.
Updated the embedded bin file to contain this JSON structure.
* fix: Generate dynamic JSON quote for Sample TEE in FetchRawEvidence
The KBS Sample Verifier expects a JSON object with 'svn' and 'report_data'.
Previously, we were returning raw binary data (reportData+nonce).
This commit updates FetchRawEvidence to return a marshaled JSON structure with:
- svn: "1"
- report_data: base64(req.ReportData)
* refactor: Delegate Sample Attestation to Provider
Refactored sample attestation logic:
- Moved JSON Quote generation into EmptyProvider (standalone mode).
- Updated FetchRawEvidence to call provider.TeeAttestation instead of manual generation.
This enables using the real CC Attestation Agent for UNSPECIFIED platform if configured.
* feat: Add comprehensive debug logging and enforce CC AA usage
Changes:
- Updated EmptyProvider to return error instead of generating mock data
This forces proper use of CC Attestation Agent's sample attester
- Added detailed logging to attestation-service FetchRawEvidence:
* Hex dump of evidence (first 200 bytes)
* String preview of evidence
* Total evidence length
- Added detailed logging to agent service:
* Raw evidence hex and string previews
* KBS evidence JSON preview (first 500 bytes)
* Evidence lengths at each transformation step
This logging will help diagnose why KBS Sample Verifier is rejecting evidence.
* fix: Enable CC AA by default and add attestation-service log forwarding
Changes:
- Set USE_CC_ATTESTATION_AGENT=true by default in systemd service
- Added StandardOutput/StandardError to forward logs to /var/log/cocos/
- Updated HAL makefile to handle new default value
- This ensures attestation-service uses CC AA's sample attester
- Logs will now be visible in CVMS output for debugging
* feat: Add gRPC log forwarding to attestation-service
Implemented the same log forwarding mechanism used by the agent:
- Added ProtoHandler to write logs to both stdout and logQueue
- Connected to log client (/run/cocos/log.sock) for gRPC forwarding
- Added goroutine to forward logs to CVMS via log client
- Logs will now appear in CVMS output during computation runs
This enables visibility into attestation-service debug output including:
- CC AA connection status
- Evidence generation details (hex dumps, string previews)
- Any errors from providers
* fix: Parse sample evidence JSON instead of base64-encoding it
The attestation-service returns sample evidence as JSON:
{"svn":"1","report_data":"base64..."}
The agent was incorrectly base64-encoding this JSON string again.
KBS Sample Verifier expects the parsed JSON object directly.
Fixed by:
- Parsing the JSON evidence from attestation-service
- Passing the parsed object directly in primary_evidence.evidence
- This matches what KBS Sample Verifier expects
* debug: Increase KBS evidence logging preview to 1000 bytes
Show the complete JSON structure being sent to KBS to debug
the attestation failure.
* debug: Add comprehensive CC AA configuration logging
Added debug logs to show:
- Whether CC AA is enabled in config
- CC AA address being used
- Connection success/failure
- Which provider is ultimately selected
- Warning when falling back to EmptyProvider
This will help diagnose why EmptyProvider is being used
instead of CC Attestation Agent.
* debug: Add startup logging for log client connection
Added log message to show if log client connection succeeds
at attestation-service startup. This will help diagnose why
logs aren't appearing in CVMS output.
* feat: Add retry logic with exponential backoff to log client
Added simple retry mechanism to handle concurrent log requests:
- 3 retry attempts with exponential backoff (10ms, 20ms, 40ms)
- Applies to both SendLog and SendEvent methods
- Centralized in log client so all services benefit
- Should eliminate 'failed to send log' errors from concurrent requests
This fixes the issue where attestation-service logs weren't
appearing in CVMS output due to dropped messages.
* fix: Flatten sample evidence fields in primary_evidence for KBS
KBS Sample Verifier expects svn and report_data at the top level
of primary_evidence, not nested under an 'evidence' key.
Changed structure from:
{"primary_evidence": {"tee": "sample", "evidence": {"svn": "1", ...}}}
To:
{"primary_evidence": {"tee": "sample", "svn": "1", "report_data": "...", ...}}
This matches what KBS expects when deserializing the Quote structure.
* fix: Use sample quote directly as primary_evidence per KBS protocol
According to KBS attestation protocol spec, for sample TEE type,
primary_evidence should be the sample quote JSON directly:
{"svn": "1", "report_data": "..."}
Removed extra 'tee' and 'platform' fields that were causing KBS
to fail deserializing the Quote structure. The 'tee' field is
already sent in the Request payload during RCAR handshake.
Refs:
- https://github.com/confidential-containers/trustee/blob/main/kbs/docs/kbs_attestation_protocol.md
- https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/attester/src/sample/mod.rs
* fix: Make CC AA required for sample attestation when configured
When USE_CC_ATTESTATION_AGENT=true, attestation-service now
requires AA to be available for NoCC/sample platform. This ensures
sample evidence always comes from AA with the correct KBS format.
Changes:
- Error out if AA connection fails for NoCC platform when AA is configured
- Only use EmptyProvider if AA is explicitly NOT configured
- Prevents incorrect sample evidence format from EmptyProvider
This ensures attestation-service delegates to AA for sample evidence
generation instead of creating it itself.
* fix: Implement proper RCAR protocol with tee-pubkey and runtime-data hash
Fixed KBS attestation error 'REPORT_DATA is different from that in Sample Quote'
Changes:
1. Generate ephemeral EC key pair BEFORE getting evidence from AA
2. Create runtime-data with nonce + tee-pubkey (JWK format)
3. Hash runtime-data (SHA-256) and use as report_data for AA
4. This binds the tee-pubkey to the TEE evidence per RCAR protocol
The report_data in the evidence now matches what KBS expects:
hash(runtime-data) instead of computation ID.
This completes the full RCAR protocol implementation:
- Request → Challenge → Attestation (with bound tee-pubkey) → Response
* fix(agent): use simple nonce for Sample attestation report_data
For Sample/NoCC attestation, use the raw nonce bytes directly as
report_data instead of hashing runtime-data. This avoids JSON
serialization mismatches with the KBS Sample verifier.
Real TEEs (TDX/SNP) still use runtime-data hash binding to
cryptographically bind the ephemeral tee-pubkey to the evidence.
* fix(agent): use RFC 8785 canonical JSON for runtime-data hashing
The KBS Sample attestation verifier (and likely others) expects the
report_data to be the SHA-256 hash of the *canonical* JSON serialization
(RFC 8785) of the runtime-data. Standard Go JSON marshaling does not
guarantee key ordering, leading to hash mismatches.
This change uses github.com/gowebpki/jcs to canonicalize the runtime-data
before hashing, ensuring compatibility with the KBS RCAR implementation.
Also reverted the temporary 'simple nonce' workaround.
* feat(hal): add CoCo Keyprovider and Skopeo packages
- Add coco-keyprovider buildroot package with systemd service
- Add skopeo buildroot package for OCI image handling
- Add ocicrypt_keyprovider.conf for encrypted image decryption
- Update Config.in to include new packages
This enables standard CoCo ecosystem integration for encrypted
OCI images instead of custom S3/HTTP registry clients.
* feat(oci): add OCI image handling package with Skopeo integration
- Add pkg/oci/types.go with ResourceSource and ImageManifest types
- Add pkg/oci/skopeo.go with Skopeo wrapper for pull/decrypt
- Add pkg/oci/extract.go for extracting algorithms and datasets from layers
This package provides OCI image handling using Skopeo and CoCo
Keyprovider for encrypted image decryption, replacing custom
S3/HTTP registry clients.
* chore: regenerate protobuf files for updated cvms.proto
* refactor(agent): replace S3/HTTP/KBS with OCI package
- Remove pkg/kbs and pkg/registry imports
- Add pkg/oci import for OCI image handling
- Replace downloadAndDecryptResource with OCI-based implementation
- Use Skopeo + CoCo Keyprovider for automatic decryption
- Reduce code from ~240 lines to ~70 lines
This eliminates custom KBS RCAR handshake, S3/HTTP registry clients,
and manual decryption logic. CoCo Keyprovider handles all decryption
automatically via ocicrypt protocol.
* chore: remove obsolete pkg/kbs and pkg/registry packages
- Delete pkg/kbs/ (custom KBS client, ~300 lines)
- Delete pkg/registry/ (S3/HTTP registry clients, ~400 lines)
- Remove unused imports from agent/service.go
- Run go mod tidy to clean up dependencies
These packages have been replaced by pkg/oci with Skopeo and
CoCo Keyprovider for standard CoCo ecosystem integration.
* fix(agent): update ResourceSource struct to include type and encryption fields
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix(hal): update CoCo Keyprovider to v0.16.0 and fix build path
- Update version from v0.11.0 to v0.16.0 (matches attestation agent)
- Fix install path: target is at repo root, not in coco_keyprovider subdir
- This fixes the build error where coco_keyprovider binary wasn't found
The cargo workspace in guest-components builds to a shared target/
directory at the repository root, not within each crate's subdirectory.
* feat: Update remote resources testing guide to use kbs-client and coco-keyprovider for key management and encryption, enable insecure TLS for Skopeo, and enhance CVMS with
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update component versions, revise image encryption documentation, and sanitize OCI image paths for Skopeo compatibility.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add `decompress` option to Dataset and `algo_type`/`algo_args` to Algorithm protobuf messages, updating client, test, and build configurations.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update multiple package versions and enhance OCI image extraction error reporting for missing algorithm files.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* chore: Bump package versions, improve OCI image extraction debugging by returning seen files, and remove unused dataset type parsing from test code.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Migrate OCI extraction to use structured logging with `slog` and `context`, and update package versions.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Bump multiple component versions, add encrypted status for computation inputs and algorithms, and refine OCI layer extraction warnings.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* logging
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add `Encrypted` field to algorithm and dataset resource sources and update all component versions.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: update component versions, integrate coco-keyprovider service, and configure ocicrypt key provider.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: add support for KBS parameters and dataset/algorithm hash calculations in CVMS
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: update resource download and extraction logic to support requirements.txt and improve hash verification
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* chore: Update dependencies, improve code style, and add GetRawEvidence to attestation client mocks.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor code structure for improved readability and maintainability
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: update golangci configuration to include errcheck for build path and remove unnecessary exclusions
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: streamline kernel command line handling in QEMU args construction
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: add attestation binary and update checksum tests and policy structure
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add unit tests for attestation agent, attestation, log, crypto, OCI, and Skopeo clients
- Implement tests for the attestation agent client including Unix socket and TCP address handling, token retrieval, and error scenarios.
- Enhance attestation client tests to cover fetching raw evidence for various platforms (SNP, TDX, VTPM, SNPvTPM) and validate error handling.
- Introduce log client tests to verify retry behavior for sending logs and events.
- Create comprehensive tests for crypto package focusing on AES-GCM decryption, encrypted resource parsing, and key unwrapping.
- Add tests for OCI package to validate algorithm and dataset extraction, including JSON serialization of OCILayout.
- Implement Skopeo client tests to ensure proper functionality for image pulling, inspecting, and resource source handling.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: handle JSON marshal errors in test cases for decrypt and extract functions
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: add comprehensive tests for algorithm and dataset extraction with various scenarios
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: replace hardcoded Python script content with constant variable
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: remove redundant mock expectation for SendAgentConfig in TestCreateVMWithAaKbsParams
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: add tests for event sending failure, dataset extraction with path traversal, and Skopeo client behavior
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: add tests for download and decryption of resources with various URL formats
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Introduce OCIClient interface for agent service to improve testability of OCI image operations and enhance related tests.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Change `get_uint64_from_tcb` to accept `TcbVersion` by value and use `u64::from` for type conversions.
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Implement EAT (Evidence Attestation Token) generation and verification for attestation responses, replacing raw quotes with EAT tokens in the attestation service and protobuf.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* style: standardize comment formatting and fix a debug log format specifier.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix pkg test
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Introduce named constants for OEM IDs and use them in attestation claim extraction.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* feat: Implement and test minimum length validation for EAT nonce in `NewEATClaims`.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* feat: Add EATClaims.Sanitize method and integrate it into the validator to enforce claim dependencies.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* feat: Add Signature field to SNPExtensions and TDXExtensions for enhanced claim validation
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update dependencies and improve code structure in attestation package
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Introduce comprehensive test suites for EAT, ATLS, TDX, Azure SNP, and vTPM attestation, and improve EAT decoder robustness.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add encryption and admin keys, an encrypted algorithm file, and update go.mod to use go-jose/v4.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: add new encryption and KBS admin keys while improving TDX attestation test error handling.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add new KBS admin and encryption keys, an encrypted linear regression algorithm, and refactor TDX test error message checks.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Implement Azure SNP attestation policy, update certificate verification, and add key management.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: replace hardcoded string literals with variables in Azure SNP attestation tests.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Refactor TDX EAT claims to use individual RTMR fields with `tdx_` prefixes and add an `IntUse` field.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Update dependencies and refactor certificate generation to include context
- Updated `cloud.google.com/go/compute/metadata` from v0.8.0 to v0.9.0.
- Updated `github.com/absmach/certs` from v0.18.0 to v0.18.2.
- Updated `github.com/absmach/supermq` from v0.18.1 to v0.18.2.
- Updated `github.com/go-logfmt/logfmt` from v0.6.0 to v0.6.1.
- Updated `github.com/grpc-ecosystem/grpc-gateway/v2` from v2.27.2 to v2.27.3.
- Updated `github.com/prometheus/common` from v0.66.1 to v0.67.1.
- Updated `github.com/rogpeppe/go-internal` from v1.13.1 to v1.14.1.
- Updated `github.com/segmentio/asm` from v1.2.0 to v1.2.1.
- Updated `go.opentelemetry.io/auto/sdk` from v1.1.0 to v1.2.1.
- Updated `go.opentelemetry.io/proto/otlp` from v1.7.1 to v1.8.0.
- Updated `golang.org/x/net` from v0.45.0 to v0.46.0.
- Updated `golang.org/x/oauth2` from v0.30.0 to v0.32.0.
- Updated `google.golang.org/genproto/googleapis/api` and `google.golang.org/genproto/googleapis/rpc` to the latest versions.
- Refactored `generateCASignedCertificate` method in `certificate_provider.go` to accept a context parameter.
- Updated calls to `generateCASignedCertificate` in `GetCertificate` and `TestCASignedCertificateErrors` to pass the context.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update mockSDK method signatures in certificate error tests to include additional parameters
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor mock interfaces to use 'any' instead of 'interface{}' for improved type safety and readability across multiple files in the manager and pkg directories.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update Go version to 1.25.x in CI workflows and remove obsolete Go package files
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add mock implementations for various components in the attestation and SDK packages
- Created mock for MeasurementProvider in pkg/attestation/cmdconfig/mocks/mocks_test.go
- Created mock for Provider in pkg/attestation/mocks/mocks_test.go
- Created mock for Client in pkg/clients/grpc/mocks/mocks_test.go
- Created mock for SDK in pkg/sdk/mocks/mocks_test.go
These mocks are generated using mockery and are intended for unit testing purposes.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Remove autogenerated mock files and update mock usage in tests
- Deleted mocks for gRPC clients in pkg/clients/grpc/mocks/mocks_test.go and pkg/sdk/mocks/mocks_test.go.
- Updated test files in pkg/progressbar/progress_test.go to use the new mock structure without type parameters for gRPC client interfaces.
- Refactored mock generation in pkg/sdk/mocks/sdk.go to streamline the mock creation process and ensure consistency across mock methods.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update protobuf generated files for events and manager
- Bump protoc-gen-go version from v1.36.5 to v1.36.8 in events.pb.go and manager.pb.go.
- Refactor raw descriptor definitions in events.pb.go and manager.pb.go to use string concatenation for better readability and maintainability.
- Ensure compatibility with the latest protobuf specifications and improve code generation consistency.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update test commands to use GOTOOLCHAIN for consistent Go version handling
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Fix GOTOOLCHAIN usage in test command for consistency
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update Go version to 1.24.x in CI workflows and fix supermq version in go.mod
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor CI workflow to separate linting and testing jobs, and streamline test execution for multiple modules
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Downgrade Go version from 1.23.10 to 1.23.8 in go.mod
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor and update dependencies in the project
- Updated go.sum to replace `github.com/absmach/magistrala` with `github.com/absmach/supermq` across various modules.
- Removed VSock configuration from environment variables and QEMU arguments.
- Updated QEMU configuration and related tests to remove references to guest CID and VSock.
- Added new HTTP transport layer for API endpoints in the manager.
- Introduced Prometheus monitoring configuration with alert rules and Alertmanager setup.
- Updated service and VM interfaces to remove unused methods and references.
- Refactored tests to align with the new structure and dependencies.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add MaxVMs configuration and enforce limit on VM creation
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add comprehensive tests for HTTP transport handlers and endpoints
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add test case for exceeding maximum number of VMs in TestRun
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Improve error handling in TestHandlerWithCustomRouter to ensure response writing is checked
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update dependencies to latest versions
- Upgrade cel.dev/expr from v0.23.0 to v0.24.0
- Upgrade github.com/absmach/supermq from v0.16.0 to v0.17.0
- Upgrade github.com/cenkalti/backoff from v4.3.0 to v5.0.2
- Upgrade github.com/cncf/xds/go to v0.0.0-20250501225837-2ac532fd4443
- Upgrade github.com/go-chi/chi/v5 from v5.2.1 to v5.2.2
- Upgrade github.com/go-jose/go-jose/v3 from v3.0.3 to v3.0.4
- Upgrade github.com/gofrs/uuid/v5 from v5.3.0 to v5.3.2
- Upgrade github.com/prometheus/client_golang from v1.22.0 to v1.23.0
- Upgrade github.com/prometheus/client_model from v0.6.1 to v0.6.2
- Upgrade github.com/prometheus/common from v0.62.0 to v0.65.0
- Upgrade github.com/prometheus/procfs from v0.15.1 to v0.16.1
- Upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from v0.60.0 to v0.62.0
- Upgrade go.opentelemetry.io/otel/exporters/otlp/otlptrace from v1.36.0 to v1.37.0
- Upgrade golang.org/x/crypto from v0.39.0 to v0.40.0
- Upgrade golang.org/x/sys from v0.33.0 to v0.34.0
- Upgrade golang.org/x/text from v0.26.0 to v0.27.0
- Upgrade golang.org/x/time from v0.11.0 to v0.12.0
- Upgrade google.golang.org/grpc from v1.73.0 to v1.74.2
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Implement IMAMeasurements method in agentSDK and add corresponding unit tests
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add unit tests for NewIMAMeasurements command in CLI
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add error assertion for command execution in NewIMAMeasurements test
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Fix nil pointer dereference in Close method and update NewCreateVMCmd logic for manager client initialization
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor file permission settings to use octal notation and improve cleanup handling in NewCreateVMCmd test
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add comprehensive unit tests for state machine functionality
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add mock implementation for Algorithm interface and corresponding test cases
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor file permission settings to use octal notation in TestStopComputationIntegration
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Remove redundant reset test cases from TestStateMachine_Reset
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Fix race condition in action call verification in TestStateMachine_HandleEvent
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Enhance state machine with reset functionality and improve thread safety in event handling
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Improve error handling in state machine start function during tests
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Remove concurrent reset and send event test from state machine tests
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Remove error logging for Start function in transition tests
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add mock implementations for AgentService_IMAMeasurementsClient and Service Shutdown method; enhance progress tests for IMA measurements handling
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add comprehensive tests for FileStorage functionality including loading, saving, and concurrent access
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Enhance tests by adding dataset and algorithm hashes in handleRunReqChunks; improve error handling in TestFileStorage_ErrorHandling cleanup
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Enhance TestManagerClient_Process by adding new test cases for Agent state and Disconnect requests; update setupMocks to include grpcClient
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Fix graceful shutdown in gRPC server by adding nil checks for health and server instances
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Enhance TestAttestation by adding mock expectations for VTpmAttestation and Attestation methods; update service call to include platform parameter
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Enhance gRPC Server by adding synchronization for start/stop methods; prevent multiple starts and ensure graceful shutdown
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add unit tests for gRPC server methods including VM creation, removal, and info retrieval
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add tests for SEVSNP and TDX host capabilities; remove unused vsock code
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add a newline for better readability in vm_test.go
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add integration tests for gRPC client in cvm_test.go
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Remove unused vsock dependencies and add comprehensive unit tests for GCP attestation functions
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Skip GCP tests if credentials are not set
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add tests for error handling in attestation configuration and GCP commands
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Improve error handling in Azure VM test response writing
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Skip tests in GCP functions if credentials are not set
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add comprehensive unit tests for Azure attestation provider and verifier
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add unit tests for TPM functionality and improve error handling
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add comprehensive tests for attestation functionality and improve error handling
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add validation for teeNonce in TeeAttestation and implement comprehensive tests for provider methods
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor error messages in TDX attestation tests for clarity
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Fix error message in TeeAttestation test for valid nonce case
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add MeasurementProvider mock and update mockery configuration
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add logging for product in parseUints and rename test functions for clarity
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor TestSevsnpverify to reset configuration and improve error logging
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Sammy Kerata Oina
dependabot[bot]
Danko Miladinovic
Washington Kigani Kamadi