Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cli: new flag for Azure JSON output of constellation verify #2391

Merged
merged 8 commits into from
Oct 7, 2023

Conversation

elchead
Copy link
Contributor

@elchead elchead commented Sep 28, 2023

Context

Motivated by #2357, this PR provides a JSON output format as communication interface between the CLI and the attestationconfigapi upload tool through a new flag constellation verify --output json.

Proposed change(s)

  • new internal pkg verify to provide the types for JSON serialization.
  • new --output flag to support 'json' for Azure
  • BREAKING: moved --raw to --output raw

Related issue

Additional info

To only obtain the JSON output needed for the upload tool, some lines need to be omitted:
./constellation verify --force --json | tail -n +3 | head -n -1

Checklist

  • Update docs
  • Add labels (e.g., for changelog category)
  • Is PR title adequate for changelog?
  • Link to Milestone

@netlify
Copy link

netlify bot commented Sep 28, 2023

Deploy Preview for constellation-docs canceled.

Name Link
🔨 Latest commit 8ea7593
🔍 Latest deploy log https://app.netlify.com/sites/constellation-docs/deploys/6520214f66e2f5000853095b

@elchead elchead added the feature This introduces new functionality label Sep 28, 2023
@elchead elchead added this to the v2.12.0 milestone Sep 28, 2023
@elchead elchead force-pushed the cli/verify/json-output branch from 2af8031 to 96905b7 Compare September 28, 2023 14:22
@elchead elchead marked this pull request as ready for review September 28, 2023 14:22
@elchead elchead requested review from derpsteb and 3u13r September 28, 2023 14:23
@elchead elchead force-pushed the cli/verify/json-output branch from 96905b7 to 669e53d Compare September 28, 2023 15:20
@elchead elchead requested a review from thomasten as a code owner September 28, 2023 15:20
@3u13r
Copy link
Member

3u13r commented Sep 28, 2023

This is not the implementation I suggested.

implement a custom mashaller and unmarshaller which recursively parses the attestationDoc to a struct containing the parsed InstanceInfo

I said that we should implement a custom mashaller and unmarsaller. As we already do in e.g. https://github.com/edgelesssys/constellation/blob/cli/verify/json-output/internal/attestation/idkeydigest/idkeydigest.go#L180

Did you encounter any issue with this approach, or why did you prefer your implementation?

@daniel-weisse
Copy link
Member

To only obtain the JSON output needed for the upload tool, some lines need to be omitted

This seems like bad UX. If a command offers me the option to receive JSON output, I would expected all output to be JSON, not just some of it.
What about omitting the hints about retrieval of information from the id/state file, and potentially adding the verification status to the JSON output?
E.g.

$ constellation verify
{
  "attestationDocument": {
    // ...
  },
  "verification": "ok",
}

@thomasten
Copy link
Member

If a command offers me the option to receive JSON output, I would expected all output to be JSON, not just some of it.

A common way tools solve this is printing the JSON output to stdout and everything else to stderr.

@elchead
Copy link
Contributor Author

elchead commented Sep 29, 2023

This is not the implementation I suggested.

implement a custom mashaller and unmarshaller which recursively parses the attestationDoc to a struct containing the parsed InstanceInfo

I said that we should implement a custom mashaller and unmarsaller. As we already do in e.g. https://github.com/edgelesssys/constellation/blob/cli/verify/json-output/internal/attestation/idkeydigest/idkeydigest.go#L180

Did you encounter any issue with this approach, or why did you prefer your implementation?

I think if we wan

To only obtain the JSON output needed for the upload tool, some lines need to be omitted

This seems like bad UX. If a command offers me the option to receive JSON output, I would expected all output to be JSON, not just some of it. What about omitting the hints about retrieval of information from the id/state file, and potentially adding the verification status to the JSON output? E.g.

$ constellation verify
{
  "attestationDocument": {
    // ...
  },
  "verification": "ok",
}

I print to stderr now. Do we need the verification ok in the json output too? Since we don't foresee consuming this json in any other way besides the upload tool at the moment, I would not include it. An error of verify should indicate that the verification was not ok right?

@elchead
Copy link
Contributor Author

elchead commented Sep 29, 2023

This is not the implementation I suggested.

implement a custom mashaller and unmarshaller which recursively parses the attestationDoc to a struct containing the parsed InstanceInfo

I said that we should implement a custom mashaller and unmarsaller. As we already do in e.g. https://github.com/edgelesssys/constellation/blob/cli/verify/json-output/internal/attestation/idkeydigest/idkeydigest.go#L180

Did you encounter any issue with this approach, or why did you prefer your implementation?

I think it's better to use a proper type, because to unmarshal and read the struct we would need this anyways (as required by the upload tool)

@elchead elchead force-pushed the cli/verify/json-output branch 4 times, most recently from d8a1823 to 195acc2 Compare September 29, 2023 09:32
@derpsteb
Copy link
Member

derpsteb commented Oct 5, 2023

Recap of our conversation on the phone:

  • Ideally we could use a type from go-sev-guest that recursively parses all fields in an SNP report. However, looking at how scattered the bits of parsing logic currently are, it seems like considerably more effort to change the type upstream. It is also questionable if the maintainers would even want such a change.
  • I personally don't think it is urgent to upstream this. It would be easy to adapt this PR to an upstream implementation, if one would be released/implemented tomorrow.
  • Using newSNPReport in the existing formatter would make sense to reduce code duplication.
  • A point in the future when we should try upstreaming this imo: when we plan on using the Report type in more places than attestationconfigapi and verify.
  • I opened an issue to see how the upstream maintainers feel about such a contribution. The answer can help inform our decision here: Deeply nested SNP Report type google/go-sev-guest#91

Apart from that: LGTM 👍

cli/internal/cmd/verify.go Outdated Show resolved Hide resolved
cli/internal/cmd/verify.go Outdated Show resolved Hide resolved
cli/internal/cmd/verify.go Outdated Show resolved Hide resolved
internal/verify/verify.go Outdated Show resolved Hide resolved
internal/verify/verify.go Outdated Show resolved Hide resolved
cli/internal/cmd/verify.go Outdated Show resolved Hide resolved
@elchead elchead requested a review from 3u13r October 5, 2023 14:24
@elchead elchead force-pushed the cli/verify/json-output branch from 920b2f2 to 65a1337 Compare October 5, 2023 14:31
@elchead elchead force-pushed the cli/verify/json-output branch from 65a1337 to ca829c3 Compare October 5, 2023 14:47
3u13r
3u13r previously approved these changes Oct 5, 2023
Copy link
Member

@3u13r 3u13r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGMT, I'd suggest to get a second approval for this though.

@3u13r
Copy link
Member

3u13r commented Oct 5, 2023

euler@work:~/projects/constellation/build/aws$ ./constellation verify --output json
Using endpoint from "constellation-id.json". Specify --node-endpoint to override this.
Using ID from "constellation-id.json". Specify --cluster-id to override this.
Error: printing attestation document: parsing SNP report: parsing report to proto: array size is 0x0, an SEV-SNP attestation report size is 0x4a0

This does not work for AWS (nitro attestation).

euler@work:~/projects/constellation/build/gcp$ ./constellation verify --output json
Using endpoint from "constellation-id.json". Specify --node-endpoint to override this.
Using ID from "constellation-id.json". Specify --cluster-id to override this.
Error: printing attestation document: parsing SNP report: parsing report to proto: array size is 0x0, an SEV-SNP attestation report size is 0x4a0

Also doesn't work on GCP. Either we gracefully handle this as an error with a message that this is currently not supported or we implement this.

@3u13r 3u13r self-requested a review October 5, 2023 16:45
@3u13r 3u13r dismissed their stale review October 5, 2023 16:46

Doesn't work on AWS and GCP

@elchead
Copy link
Contributor Author

elchead commented Oct 6, 2023

good catch, thanks! Since we also only support this for Azure on the default printer, I return an unsupported message:

./constellation verify -o json
Using endpoint from "constellation-id.json". Specify --node-endpoint to override this.
Using ID from "constellation-id.json". Specify --cluster-id to override this.
Error: printing attestation document: JSON output is currently only supported for Azure

@elchead elchead added the breaking change Change breaks existing API or configuration. label Oct 6, 2023
cli/internal/cmd/verify.go Outdated Show resolved Hide resolved
@elchead elchead force-pushed the cli/verify/json-output branch from 61bed29 to c4bc669 Compare October 6, 2023 12:27
@elchead elchead force-pushed the cli/verify/json-output branch from c4bc669 to 02ae569 Compare October 6, 2023 12:29
@elchead elchead requested a review from derpsteb October 6, 2023 12:29
Copy link
Member

@derpsteb derpsteb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

3u13r
3u13r previously requested changes Oct 6, 2023
cli/internal/cmd/verify.go Outdated Show resolved Hide resolved
cli/internal/cmd/verify.go Show resolved Hide resolved
@github-actions
Copy link
Contributor

github-actions bot commented Oct 6, 2023

Coverage report

Package Old New Trend
cli/internal/cmd 56.20% 54.70% ↘️
internal/verify 0.00% [no test files] 🚨

Copy link
Member

@3u13r 3u13r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@elchead elchead merged commit fdd47b7 into main Oct 7, 2023
13 of 15 checks passed
@elchead elchead deleted the cli/verify/json-output branch October 7, 2023 14:24
@elchead elchead changed the title cli: new flag for JSON output of constellation verify cli: new flag for Azure JSON output of constellation verify Oct 7, 2023
@malt3 malt3 removed the feature This introduces new functionality label Oct 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
breaking change Change breaks existing API or configuration.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants