* feat(kbs): implement KBS client for attestation and resource retrieval
- Added KBS client implementation in pkg/kbs/client.go with methods for attestation and resource retrieval.
- Introduced necessary data structures for requests and responses.
- Implemented error handling for various scenarios.
test(kbs): add unit tests for KBS client
- Created comprehensive tests for the KBS client in pkg/kbs/client_test.go.
- Included tests for attestation success and failure cases, as well as resource retrieval.
feat(registry): introduce HTTP and S3 registry implementations
- Added HTTPRegistry for downloading resources over HTTP/HTTPS with retry logic in pkg/registry/http.go.
- Implemented S3Registry for downloading resources from AWS S3 and S3-compatible services in pkg/registry/s3.go.
- Included error handling and configuration options for both registries.
chore(registry): define registry interface and configuration
- Created registry interface and configuration struct in pkg/registry/registry.go.
- Added default configuration settings for registry clients.
docs(cvms): update README for CVMS server configuration and usage
- Enhanced documentation for CVMS server with detailed command-line flags and usage examples.
- Clarified direct upload and remote resource modes, including KBS integration.
fix(cvms): integrate KBS for remote resource handling in main.go
- Updated main.go to support remote datasets and algorithms using KBS.
- Added validation for command-line flags to ensure proper configuration.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: Move ifeq conditional outside define block in attestation-service.mk
Make conditionals cannot be evaluated inside define...endef blocks
when used as recipe bodies. Restructured to define the
ATTESTATION_SERVICE_INSTALL_INIT_SYSTEMD block conditionally based
on BR2_PACKAGE_CC_ATTESTATION_AGENT configuration.
* feat: Implement remote resource downloading for algorithms and datasets using AWS S3/MinIO credentials.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add comprehensive documentation and agent support for testing remote resource download with KBS attestation.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Improve agent logging for remote resource configuration and KBS status, and add a testing guide for remote resource downloads with KBS attestation.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add a comprehensive guide for testing remote resource download with KBS attestation and update multiple package versions to a specific commit.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add failure transitions for resource reception states and a comprehensive guide for testing remote resource downloads with KBS attestation.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Implement remote resource download with KBS attestation in the agent and add a comprehensive testing guide.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: Add comprehensive guide for testing remote resource download with KBS attestation and include a debug log in the attestation client.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Delegate KBS attestation and token retrieval to a new attestation-agent service and document remote resource testing.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* client fixes
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* raw evidence
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: Build all Go files in cmd directories, not just main.go
This fixes the issue where fetch_raw_evidence.go wasn't being included
in the attestation-service build.
* fix: Wrap binary evidence in JSON for KBS compatibility
Fixes 'invalid character' error by wrapping raw binary evidence
in a JSON structure with base64 encoding, as expected by KBS.
* chore: Update buildroot packages to c28cefae
Includes fixes for:
1. attestation-service build (including fetch_raw_evidence.go)
2. Agent KBS evidence format (wrapping binary in JSON)
* fix: Implement KBS RCAR handshake with cookies
Fixes 'cookie not found' error (401) from KBS by:
1. Adding CookieJar support to KBS client
2. Implementing GetChallenge() to perform /auth handshake and capture session cookie
3. Updating Agent to get challenge, decode nonce, and use it for evidence generation
4. Regenerating mocks
* chore: Update buildroot packages to f6981ac5
Includes KBS RCAR handshake fix (cookie support + GetChallenge loop)
* fix: Update KBS client JSON tags to kebab-case
Fixes deserialization error (401) from KBS by:
1. Using kebab-case (e.g. extra-params) for JSON tags as per protocol.
2. Initializing ExtraParams as empty object {} instead of null/omitted.
* fix: Wrap attestation evidence in primary_evidence format
Updates Agent to construct 'tee-evidence' payload with:
- primary_evidence: containing the actual quote/data
- additional_evidence: empty JSON object
This matches the Confidential Containers KBS Attestation Protocol requirements.
* fix: Update KBS protocol version to 0.4.0
KBS rejected 0.1.0 with a version mismatch error. Bumping to 0.4.0 to match server expectation.
* fix: Generate ephemeral key for KBS RuntimeData
Updates RuntimeData to include a valid ephemeral EC P-256 public key in JWK format, as required by the KBS RCAR protocol.
Also fixes the KBS client struct to support TEEPubKey as an object.
* fix: Update sample attestation quote to valid JSON
The default attestation.bin was binary, but the KBS Sample Verifier expects a valid JSON quote containing 'svn' and 'report_data'.
Updated the embedded bin file to contain this JSON structure.
* fix: Generate dynamic JSON quote for Sample TEE in FetchRawEvidence
The KBS Sample Verifier expects a JSON object with 'svn' and 'report_data'.
Previously, we were returning raw binary data (reportData+nonce).
This commit updates FetchRawEvidence to return a marshaled JSON structure with:
- svn: "1"
- report_data: base64(req.ReportData)
* refactor: Delegate Sample Attestation to Provider
Refactored sample attestation logic:
- Moved JSON Quote generation into EmptyProvider (standalone mode).
- Updated FetchRawEvidence to call provider.TeeAttestation instead of manual generation.
This enables using the real CC Attestation Agent for UNSPECIFIED platform if configured.
* feat: Add comprehensive debug logging and enforce CC AA usage
Changes:
- Updated EmptyProvider to return error instead of generating mock data
This forces proper use of CC Attestation Agent's sample attester
- Added detailed logging to attestation-service FetchRawEvidence:
* Hex dump of evidence (first 200 bytes)
* String preview of evidence
* Total evidence length
- Added detailed logging to agent service:
* Raw evidence hex and string previews
* KBS evidence JSON preview (first 500 bytes)
* Evidence lengths at each transformation step
This logging will help diagnose why KBS Sample Verifier is rejecting evidence.
* fix: Enable CC AA by default and add attestation-service log forwarding
Changes:
- Set USE_CC_ATTESTATION_AGENT=true by default in systemd service
- Added StandardOutput/StandardError to forward logs to /var/log/cocos/
- Updated HAL makefile to handle new default value
- This ensures attestation-service uses CC AA's sample attester
- Logs will now be visible in CVMS output for debugging
* feat: Add gRPC log forwarding to attestation-service
Implemented the same log forwarding mechanism used by the agent:
- Added ProtoHandler to write logs to both stdout and logQueue
- Connected to log client (/run/cocos/log.sock) for gRPC forwarding
- Added goroutine to forward logs to CVMS via log client
- Logs will now appear in CVMS output during computation runs
This enables visibility into attestation-service debug output including:
- CC AA connection status
- Evidence generation details (hex dumps, string previews)
- Any errors from providers
* fix: Parse sample evidence JSON instead of base64-encoding it
The attestation-service returns sample evidence as JSON:
{"svn":"1","report_data":"base64..."}
The agent was incorrectly base64-encoding this JSON string again.
KBS Sample Verifier expects the parsed JSON object directly.
Fixed by:
- Parsing the JSON evidence from attestation-service
- Passing the parsed object directly in primary_evidence.evidence
- This matches what KBS Sample Verifier expects
* debug: Increase KBS evidence logging preview to 1000 bytes
Show the complete JSON structure being sent to KBS to debug
the attestation failure.
* debug: Add comprehensive CC AA configuration logging
Added debug logs to show:
- Whether CC AA is enabled in config
- CC AA address being used
- Connection success/failure
- Which provider is ultimately selected
- Warning when falling back to EmptyProvider
This will help diagnose why EmptyProvider is being used
instead of CC Attestation Agent.
* debug: Add startup logging for log client connection
Added log message to show if log client connection succeeds
at attestation-service startup. This will help diagnose why
logs aren't appearing in CVMS output.
* feat: Add retry logic with exponential backoff to log client
Added simple retry mechanism to handle concurrent log requests:
- 3 retry attempts with exponential backoff (10ms, 20ms, 40ms)
- Applies to both SendLog and SendEvent methods
- Centralized in log client so all services benefit
- Should eliminate 'failed to send log' errors from concurrent requests
This fixes the issue where attestation-service logs weren't
appearing in CVMS output due to dropped messages.
* fix: Flatten sample evidence fields in primary_evidence for KBS
KBS Sample Verifier expects svn and report_data at the top level
of primary_evidence, not nested under an 'evidence' key.
Changed structure from:
{"primary_evidence": {"tee": "sample", "evidence": {"svn": "1", ...}}}
To:
{"primary_evidence": {"tee": "sample", "svn": "1", "report_data": "...", ...}}
This matches what KBS expects when deserializing the Quote structure.
* fix: Use sample quote directly as primary_evidence per KBS protocol
According to KBS attestation protocol spec, for sample TEE type,
primary_evidence should be the sample quote JSON directly:
{"svn": "1", "report_data": "..."}
Removed extra 'tee' and 'platform' fields that were causing KBS
to fail deserializing the Quote structure. The 'tee' field is
already sent in the Request payload during RCAR handshake.
Refs:
- https://github.com/confidential-containers/trustee/blob/main/kbs/docs/kbs_attestation_protocol.md
- https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/attester/src/sample/mod.rs
* fix: Make CC AA required for sample attestation when configured
When USE_CC_ATTESTATION_AGENT=true, attestation-service now
requires AA to be available for NoCC/sample platform. This ensures
sample evidence always comes from AA with the correct KBS format.
Changes:
- Error out if AA connection fails for NoCC platform when AA is configured
- Only use EmptyProvider if AA is explicitly NOT configured
- Prevents incorrect sample evidence format from EmptyProvider
This ensures attestation-service delegates to AA for sample evidence
generation instead of creating it itself.
* fix: Implement proper RCAR protocol with tee-pubkey and runtime-data hash
Fixed KBS attestation error 'REPORT_DATA is different from that in Sample Quote'
Changes:
1. Generate ephemeral EC key pair BEFORE getting evidence from AA
2. Create runtime-data with nonce + tee-pubkey (JWK format)
3. Hash runtime-data (SHA-256) and use as report_data for AA
4. This binds the tee-pubkey to the TEE evidence per RCAR protocol
The report_data in the evidence now matches what KBS expects:
hash(runtime-data) instead of computation ID.
This completes the full RCAR protocol implementation:
- Request → Challenge → Attestation (with bound tee-pubkey) → Response
* fix(agent): use simple nonce for Sample attestation report_data
For Sample/NoCC attestation, use the raw nonce bytes directly as
report_data instead of hashing runtime-data. This avoids JSON
serialization mismatches with the KBS Sample verifier.
Real TEEs (TDX/SNP) still use runtime-data hash binding to
cryptographically bind the ephemeral tee-pubkey to the evidence.
* fix(agent): use RFC 8785 canonical JSON for runtime-data hashing
The KBS Sample attestation verifier (and likely others) expects the
report_data to be the SHA-256 hash of the *canonical* JSON serialization
(RFC 8785) of the runtime-data. Standard Go JSON marshaling does not
guarantee key ordering, leading to hash mismatches.
This change uses github.com/gowebpki/jcs to canonicalize the runtime-data
before hashing, ensuring compatibility with the KBS RCAR implementation.
Also reverted the temporary 'simple nonce' workaround.
* feat(hal): add CoCo Keyprovider and Skopeo packages
- Add coco-keyprovider buildroot package with systemd service
- Add skopeo buildroot package for OCI image handling
- Add ocicrypt_keyprovider.conf for encrypted image decryption
- Update Config.in to include new packages
This enables standard CoCo ecosystem integration for encrypted
OCI images instead of custom S3/HTTP registry clients.
* feat(oci): add OCI image handling package with Skopeo integration
- Add pkg/oci/types.go with ResourceSource and ImageManifest types
- Add pkg/oci/skopeo.go with Skopeo wrapper for pull/decrypt
- Add pkg/oci/extract.go for extracting algorithms and datasets from layers
This package provides OCI image handling using Skopeo and CoCo
Keyprovider for encrypted image decryption, replacing custom
S3/HTTP registry clients.
* chore: regenerate protobuf files for updated cvms.proto
* refactor(agent): replace S3/HTTP/KBS with OCI package
- Remove pkg/kbs and pkg/registry imports
- Add pkg/oci import for OCI image handling
- Replace downloadAndDecryptResource with OCI-based implementation
- Use Skopeo + CoCo Keyprovider for automatic decryption
- Reduce code from ~240 lines to ~70 lines
This eliminates custom KBS RCAR handshake, S3/HTTP registry clients,
and manual decryption logic. CoCo Keyprovider handles all decryption
automatically via ocicrypt protocol.
* chore: remove obsolete pkg/kbs and pkg/registry packages
- Delete pkg/kbs/ (custom KBS client, ~300 lines)
- Delete pkg/registry/ (S3/HTTP registry clients, ~400 lines)
- Remove unused imports from agent/service.go
- Run go mod tidy to clean up dependencies
These packages have been replaced by pkg/oci with Skopeo and
CoCo Keyprovider for standard CoCo ecosystem integration.
* fix(agent): update ResourceSource struct to include type and encryption fields
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix(hal): update CoCo Keyprovider to v0.16.0 and fix build path
- Update version from v0.11.0 to v0.16.0 (matches attestation agent)
- Fix install path: target is at repo root, not in coco_keyprovider subdir
- This fixes the build error where coco_keyprovider binary wasn't found
The cargo workspace in guest-components builds to a shared target/
directory at the repository root, not within each crate's subdirectory.
* feat: Update remote resources testing guide to use kbs-client and coco-keyprovider for key management and encryption, enable insecure TLS for Skopeo, and enhance CVMS with
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update component versions, revise image encryption documentation, and sanitize OCI image paths for Skopeo compatibility.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add `decompress` option to Dataset and `algo_type`/`algo_args` to Algorithm protobuf messages, updating client, test, and build configurations.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update multiple package versions and enhance OCI image extraction error reporting for missing algorithm files.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* chore: Bump package versions, improve OCI image extraction debugging by returning seen files, and remove unused dataset type parsing from test code.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Migrate OCI extraction to use structured logging with `slog` and `context`, and update package versions.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Bump multiple component versions, add encrypted status for computation inputs and algorithms, and refine OCI layer extraction warnings.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* logging
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add `Encrypted` field to algorithm and dataset resource sources and update all component versions.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: update component versions, integrate coco-keyprovider service, and configure ocicrypt key provider.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: add support for KBS parameters and dataset/algorithm hash calculations in CVMS
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: update resource download and extraction logic to support requirements.txt and improve hash verification
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* chore: Update dependencies, improve code style, and add GetRawEvidence to attestation client mocks.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor code structure for improved readability and maintainability
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: update golangci configuration to include errcheck for build path and remove unnecessary exclusions
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: streamline kernel command line handling in QEMU args construction
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: add attestation binary and update checksum tests and policy structure
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add unit tests for attestation agent, attestation, log, crypto, OCI, and Skopeo clients
- Implement tests for the attestation agent client including Unix socket and TCP address handling, token retrieval, and error scenarios.
- Enhance attestation client tests to cover fetching raw evidence for various platforms (SNP, TDX, VTPM, SNPvTPM) and validate error handling.
- Introduce log client tests to verify retry behavior for sending logs and events.
- Create comprehensive tests for crypto package focusing on AES-GCM decryption, encrypted resource parsing, and key unwrapping.
- Add tests for OCI package to validate algorithm and dataset extraction, including JSON serialization of OCILayout.
- Implement Skopeo client tests to ensure proper functionality for image pulling, inspecting, and resource source handling.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: handle JSON marshal errors in test cases for decrypt and extract functions
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: add comprehensive tests for algorithm and dataset extraction with various scenarios
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: replace hardcoded Python script content with constant variable
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: remove redundant mock expectation for SendAgentConfig in TestCreateVMWithAaKbsParams
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: add tests for event sending failure, dataset extraction with path traversal, and Skopeo client behavior
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: add tests for download and decryption of resources with various URL formats
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Introduce OCIClient interface for agent service to improve testability of OCI image operations and enhance related tests.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Change `get_uint64_from_tcb` to accept `TcbVersion` by value and use `u64::from` for type conversions.
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add Confidential Containers attestation agent as an alternative attestation backend with new proto definitions and build system integration.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: Update protoc-gen-go and protoc-gen-go-grpc versions in CI workflow
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add mock implementation for AttestationAgentServiceClient and corresponding tests
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: Add missing periods to test function comments in provider_test.go
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor attestation handling to remove quoteprovider dependency
- Removed references to quoteprovider in various files, replacing them with vtpm where necessary.
- Updated function signatures and implementations to use SEVNonce instead of quoteprovider.Nonce.
- Introduced new vtpm package to handle SEV-related attestation logic, including fetching and verifying attestation reports.
- Adjusted tests to reflect changes in the attestation logic and ensure compatibility with the new structure.
- Deleted the now redundant quoteprovider/sev_test.go file.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: Add veraison/go-cose dependency to go.mod
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Introduce TLS package for enhanced security configuration and refactor client code to utilize new TLS utilities
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Implement EAT (Evidence Attestation Token) generation and verification for attestation responses, replacing raw quotes with EAT tokens in the attestation service and protobuf.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* style: standardize comment formatting and fix a debug log format specifier.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix pkg test
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Introduce named constants for OEM IDs and use them in attestation claim extraction.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* feat: Implement and test minimum length validation for EAT nonce in `NewEATClaims`.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* feat: Add EATClaims.Sanitize method and integrate it into the validator to enforce claim dependencies.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* feat: Add Signature field to SNPExtensions and TDXExtensions for enhanced claim validation
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update dependencies and improve code structure in attestation package
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Introduce comprehensive test suites for EAT, ATLS, TDX, Azure SNP, and vTPM attestation, and improve EAT decoder robustness.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add encryption and admin keys, an encrypted algorithm file, and update go.mod to use go-jose/v4.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: add new encryption and KBS admin keys while improving TDX attestation test error handling.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add new KBS admin and encryption keys, an encrypted linear regression algorithm, and refactor TDX test error message checks.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Implement Azure SNP attestation policy, update certificate verification, and add key management.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: replace hardcoded string literals with variables in Azure SNP attestation tests.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Refactor TDX EAT claims to use individual RTMR fields with `tdx_` prefixes and add an `IntUse` field.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Signed-off-by: SammyOina <sammyoina@gmail.com>
* feat: Introduce computation runner, log forwarder, ingress, and egress proxy services.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update Go environment variable parsing and build system to use new architecture and repository.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update package sources to `sammyoina/cocos-ai` at a specific commit, add log-forwarder pre-start hook, and rename proxy binaries.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* chore: Update build system references to a specific commit and enhance logging for service connections and message processing.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* build: Update package source repositories and versions, migrate client logging to slog, and adjust ingress/egress proxy build and install steps.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* debug stuck
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* debug
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* debug
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: add HTTP/2 support to egress proxy and update build system to use specific commit hashes
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: enhance egress proxy CONNECT handling, update package sources, and add gRPC test utility
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update build system for various services to a specific commit from a new repository, change agent gRPC port to 7001, and add a gRPC test client.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Migrate agent-internal gRPC communication to Unix sockets, set ingress proxy to port 7002, and update build hashes.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Remove standalone ingress-proxy systemd service and update component versions.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: Prevent computation re-initialization in agent and update component versions across several packages.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: update package versions and enable h2c support in ingress proxy.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: refactor ingress proxy to support HTTP/2 over Unix sockets and update component versions.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update build system package sources to `ultravioletrs/cocos` and reduce agent logging verbosity.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: improve error handling in proxy commands and remove unused gRPC test
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: add mock service state return value in handleRunReqChunks test
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: add comprehensive tests for service and proxy components
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix linter
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* improve coverage
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: add gRPC client and ingress adapter tests, and update egress proxy tests.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* improve coverage
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update dependencies and refactor certificate generation to include context
- Updated `cloud.google.com/go/compute/metadata` from v0.8.0 to v0.9.0.
- Updated `github.com/absmach/certs` from v0.18.0 to v0.18.2.
- Updated `github.com/absmach/supermq` from v0.18.1 to v0.18.2.
- Updated `github.com/go-logfmt/logfmt` from v0.6.0 to v0.6.1.
- Updated `github.com/grpc-ecosystem/grpc-gateway/v2` from v2.27.2 to v2.27.3.
- Updated `github.com/prometheus/common` from v0.66.1 to v0.67.1.
- Updated `github.com/rogpeppe/go-internal` from v1.13.1 to v1.14.1.
- Updated `github.com/segmentio/asm` from v1.2.0 to v1.2.1.
- Updated `go.opentelemetry.io/auto/sdk` from v1.1.0 to v1.2.1.
- Updated `go.opentelemetry.io/proto/otlp` from v1.7.1 to v1.8.0.
- Updated `golang.org/x/net` from v0.45.0 to v0.46.0.
- Updated `golang.org/x/oauth2` from v0.30.0 to v0.32.0.
- Updated `google.golang.org/genproto/googleapis/api` and `google.golang.org/genproto/googleapis/rpc` to the latest versions.
- Refactored `generateCASignedCertificate` method in `certificate_provider.go` to accept a context parameter.
- Updated calls to `generateCASignedCertificate` in `GetCertificate` and `TestCASignedCertificateErrors` to pass the context.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update mockSDK method signatures in certificate error tests to include additional parameters
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor ATLS and gRPC server to use CertificateProvider interface
- Removed unused test cases and mock dependencies in atls_test.go.
- Updated TestGetPlatformVerifier to use CertificateVerifier struct.
- Introduced CertificateProvider interface for better abstraction in TLS handling.
- Refactored gRPC server to accept CertificateProvider and configure TLS accordingly.
- Simplified TLS configuration logic in both gRPC and HTTP servers.
- Removed unnecessary parameters from server initialization in tests and main function.
- Enhanced logging for TLS configurations.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Fix comments for consistency and clarity in atls.go
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update expected error messages in VM command tests for clarity
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Enhance tests by integrating mock providers and improving error messages for clarity
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add comprehensive tests for certificate generation and attestation providers
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Implement certificate and attestation providers with unified generation logic
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor certificate and attestation provider structures for consistency; implement CertificateVerifier interface and related methods
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor attestation and certificate provider methods for consistency; rename methods and update related logic
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Implement gRPC server with TLS and mTLS support
- Added gRPC server implementation in pkg/server/grpc.
- Introduced server configuration options for TLS and mTLS.
- Implemented health check service for gRPC.
- Created tests for server initialization, startup, and shutdown scenarios.
- Added mock server for testing purposes.
- Implemented graceful shutdown handling for the server.
- Included documentation for the server package.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Add TLS and ATLS support to gRPC and HTTP clients; refactor security handling
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Refactor server configuration structure to use Config instead of BaseConfig
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Fix comments for consistency and clarity in TLS-related code
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Add comprehensive tests for TLS and ATLS configurations in clients package
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Refactor file permission constants in client tests to use octal notation
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add tests for HTTP server's TLS configuration and lifecycle management
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add comprehensive tests for TLS certificate handling and configuration
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add comprehensive tests for HTTP client configuration and transport
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor AttestationReportSize constant declaration for clarity
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor client configuration structure and update gRPC client implementations
- Consolidated client configuration types into a unified structure with BaseConfig.
- Introduced AttestedClientConfig and StandardClientConfig for specific use cases.
- Updated gRPC client creation functions to utilize new configuration types.
- Refactored tests to align with the new configuration structure.
- Removed redundant ClientConfiguration interface and related methods.
- Simplified TLS configuration loading logic for both standard and attested clients.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor client configuration structure and TLS handling
- Introduced StandardClientConfig to replace BaseConfig, simplifying client configuration.
- Updated AttestedClientConfig to embed StandardClientConfig instead of BaseConfig.
- Modified ClientConfiguration interface to use Config() method instead of GetBaseConfig().
- Refactored various client tests to accommodate changes in configuration structure.
- Added new TLS handling functions to support basic and attested TLS configurations.
- Implemented comprehensive tests for TLS loading and configuration validation.
- Removed deprecated methods and unnecessary code related to BaseConfig.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: SammyOina <sammyoina@gmail.com>
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor mock interfaces to use 'any' instead of 'interface{}' for improved type safety and readability across multiple files in the manager and pkg directories.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update Go version to 1.25.x in CI workflows and remove obsolete Go package files
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add mock implementations for various components in the attestation and SDK packages
- Created mock for MeasurementProvider in pkg/attestation/cmdconfig/mocks/mocks_test.go
- Created mock for Provider in pkg/attestation/mocks/mocks_test.go
- Created mock for Client in pkg/clients/grpc/mocks/mocks_test.go
- Created mock for SDK in pkg/sdk/mocks/mocks_test.go
These mocks are generated using mockery and are intended for unit testing purposes.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Remove autogenerated mock files and update mock usage in tests
- Deleted mocks for gRPC clients in pkg/clients/grpc/mocks/mocks_test.go and pkg/sdk/mocks/mocks_test.go.
- Updated test files in pkg/progressbar/progress_test.go to use the new mock structure without type parameters for gRPC client interfaces.
- Refactored mock generation in pkg/sdk/mocks/sdk.go to streamline the mock creation process and ensure consistency across mock methods.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update protobuf generated files for events and manager
- Bump protoc-gen-go version from v1.36.5 to v1.36.8 in events.pb.go and manager.pb.go.
- Refactor raw descriptor definitions in events.pb.go and manager.pb.go to use string concatenation for better readability and maintainability.
- Ensure compatibility with the latest protobuf specifications and improve code generation consistency.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update test commands to use GOTOOLCHAIN for consistent Go version handling
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Fix GOTOOLCHAIN usage in test command for consistency
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Sammy Kerata Oina
dusan
dependabot[bot]
Danko Miladinovic
Jovan Djukic
Washington Kigani Kamadi