opensource/cocos
1
0
Fork 0
mirror of https://github.com/ultravioletrs/cocos.git synced 2026-06-23 04:10:25 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
de50b6d2d45cbec1e422245c848c1ab465cec3f3
cocos/cmd/ingress-proxy/main.go
T
Sammy Kerata Oina de50b6d2d4 COCOS-560 - EAT (#561) 
* feat: Implement EAT (Evidence Attestation Token) generation and verification for attestation responses, replacing raw quotes with EAT tokens in the attestation service and protobuf.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* style: standardize comment formatting and fix a debug log format specifier.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* fix pkg test

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Introduce named constants for OEM IDs and use them in attestation claim extraction.

Signed-off-by: SammyOina <sammyoina@gmail.com>

* feat: Implement and test minimum length validation for EAT nonce in `NewEATClaims`.

Signed-off-by: SammyOina <sammyoina@gmail.com>

* feat: Add EATClaims.Sanitize method and integrate it into the validator to enforce claim dependencies.

Signed-off-by: SammyOina <sammyoina@gmail.com>

* feat: Add Signature field to SNPExtensions and TDXExtensions for enhanced claim validation

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Update dependencies and improve code structure in attestation package

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Introduce comprehensive test suites for EAT, ATLS, TDX, Azure SNP, and vTPM attestation, and improve EAT decoder robustness.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Add encryption and admin keys, an encrypted algorithm file, and update go.mod to use go-jose/v4.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: add new encryption and KBS admin keys while improving TDX attestation test error handling.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Add new KBS admin and encryption keys, an encrypted linear regression algorithm, and refactor TDX test error message checks.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Implement Azure SNP attestation policy, update certificate verification, and add key management.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* refactor: replace hardcoded string literals with variables in Azure SNP attestation tests.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Refactor TDX EAT claims to use individual RTMR fields with `tdx_` prefixes and add an `IntUse` field.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Signed-off-by: SammyOina <sammyoina@gmail.com>
2026-02-11 16:16:35 +01:00

145 lines
4.1 KiB
Go
Raw Blame History

// Copyright (c) Ultraviolet
// SPDX-License-Identifier: Apache-2.0
package main
import (
"context"
"fmt"
"net/url"
"os"
"os/signal"
"syscall"
"github.com/absmach/certs/sdk"
mglog "github.com/absmach/supermq/logger"
"github.com/caarlos0/env/v11"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
"github.com/ultravioletrs/cocos/pkg/atls"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/azure"
attestation_client "github.com/ultravioletrs/cocos/pkg/clients/grpc/attestation"
"github.com/ultravioletrs/cocos/pkg/ingress"
"golang.org/x/sync/errgroup"
)
const (
svcName = "ingress-proxy"
)
type config struct {
LogLevel string `env:"COCOS_LOG_LEVEL" envAlternate:"AGENT_LOG_LEVEL" envDefault:"info"`
Backend string `env:"COCOS_INGRESS_BACKEND" envDefault:"http://localhost:7001"`
// ATLS Config
CAUrl string `env:"AGENT_CVM_CA_URL" envDefault:""`
CVMId string `env:"AGENT_CVM_ID" envDefault:""`
CertsToken string `env:"AGENT_CERTS_TOKEN" envDefault:""`
AgentMaaURL string `env:"AGENT_MAA_URL" envDefault:"https://sharedeus2.eus2.attest.azure.net"`
AgentOSBuild string `env:"AGENT_OS_BUILD" envDefault:"UVC"`
AgentOSDistro string `env:"AGENT_OS_DISTRO" envDefault:"UVC"`
AgentOSType string `env:"AGENT_OS_TYPE" envDefault:"UVC"`
}
func main() {
var cfg config
if err := env.Parse(&cfg); err != nil {
fmt.Fprintf(os.Stderr, "failed to load configuration: %s\n", err)
os.Exit(1)
}
cmd := &cobra.Command{
Use: svcName,
Short: "Ingress Proxy Service",
RunE: func(cmd *cobra.Command, args []string) error {
return run(cfg)
},
}
pflag.StringVar(&cfg.LogLevel, "log-level", cfg.LogLevel, "Log level")
pflag.StringVar(&cfg.Backend, "backend", cfg.Backend, "Backend URL")
if err := cmd.Execute(); err != nil {
fmt.Fprintf(os.Stderr, "Error: %s\n", err)
os.Exit(1)
}
}
func run(cfg config) error {
logger, err := mglog.New(os.Stdout, cfg.LogLevel)
if err != nil {
return fmt.Errorf("failed to create logger: %w", err)
}
backendURL, err := url.Parse(cfg.Backend)
if err != nil {
return fmt.Errorf("failed to parse backend URL: %w", err)
}
// Initialize Certificate Provider
ccPlatform := attestation.CCPlatform()
azureConfig := azure.NewEnvConfigFromAgent(
cfg.AgentOSBuild,
cfg.AgentOSType,
cfg.AgentOSDistro,
cfg.AgentMaaURL,
)
azure.InitializeDefaultMAAVars(azureConfig)
var certProvider atls.CertificateProvider
if ccPlatform != attestation.NoCC {
// Create attestation client
attClient, err := attestation_client.NewClient("/run/cocos/attestation.sock")
if err != nil {
return fmt.Errorf("failed to create attestation client: %w", err)
}
defer attClient.Close()
var certsSDK sdk.SDK
if cfg.CAUrl != "" {
certsSDK = sdk.NewSDK(sdk.Config{
CertsURL: cfg.CAUrl,
})
}
certProvider, err = atls.NewProvider(attClient, ccPlatform, cfg.CertsToken, cfg.CVMId, certsSDK)
if err != nil {
return fmt.Errorf("failed to create certificate provider: %w", err)
}
} else {
logger.Warn("No Confidential Computing platform detected. ATLS will not be available.")
}
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
g, ctx := errgroup.WithContext(ctx)
// Create proxy server (but don't start it yet - it will be started per-computation)
_ = ingress.NewProxyServer(logger, backendURL, certProvider)
// Note: The proxy server will be started dynamically when a computation is initiated
// via the Manager's ComputationRunReq message. For now, we just keep the service alive.
logger.Info("ingress-proxy service initialized, waiting for computation requests...")
g.Go(func() error {
c := make(chan os.Signal, 1)
signal.Notify(c, syscall.SIGINT, syscall.SIGTERM)
select {
case s := <-c:
logger.Info(fmt.Sprintf("received signal %s, stopping", s))
cancel()
return nil
case <-ctx.Done():
return nil
}
})
if err := g.Wait(); err != nil {
return fmt.Errorf("server exit with error: %w", err)
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink