Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sdk: move verify code into sdk #1030

Merged
merged 13 commits into from
Dec 4, 2024
Merged

sdk: move verify code into sdk #1030

merged 13 commits into from
Dec 4, 2024

Conversation

derpsteb
Copy link
Member

@derpsteb derpsteb commented Nov 25, 2024

Warning: Please note that the SDK introduced in this PR is not meant for external consumption for now.

Context

This PR is motivated by Continuum's need to call contrast verify from go code. Ideally, it can do this without embedding the Contrast CLI.

After discussing with Markus it seemed like the best way to have a go client on contrast main and marking it as unstable. We figured that this approach has higher chances of resulting in usable code for the first official release. It is also the easiest to work with from Continuum's perspective. Alternatives we talked about: not merging this branch, building something out of tree.

Proposed changes

Move the code interacting the coordinator from the CLI into a new module sdk. The only noteworthy new piece of code is the struct GetManifestsResponse. This is a new type used by the SDK to contain the data from userapi.GetManifestsRequest. This is done so we don't have to export userapi.

Resolves AB#4856

@derpsteb derpsteb requested a review from burgerdev November 25, 2024 14:41
@derpsteb derpsteb requested a review from katexochen as a code owner November 25, 2024 14:41
@derpsteb derpsteb added the no changelog PRs not listed in the release notes label Nov 25, 2024
sdk/common.go Outdated Show resolved Hide resolved
sdk/common.go Outdated Show resolved Hide resolved
sdk/common.go Outdated Show resolved Hide resolved
sdk/verify.go Outdated Show resolved Hide resolved
sdk/verify.go Outdated Show resolved Hide resolved
sdk/verify.go Outdated
}

// GetManifests calls GetManifests on the coordinator's userapi.
func (c Client) GetManifests(ctx context.Context, manifestBytes []byte, endpoint string, policyHash []byte) (GetManifestsResponse, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the endpoint should be part of the client

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you mean here? It is intended that the sdk wraps the userapi pkg.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We talked about this on the phone. Right now I don't see a good argument for putting the endpoint into the client. To me the endpoint seems as much or as little sth that should be provided on each call as e.g. the manifest. It also seemed closer to the CLI behavior. One provides the endpoint on each command, instead of writing it into a config file.

If more people feel like endpoint should be a Client property I will change it.

sdk/verify.go Outdated Show resolved Hide resolved
@elchead
Copy link
Contributor

elchead commented Nov 26, 2024

When importing the package on darwin, I get the following issue:

(base) ➜  continuum git:(as/contrast-proxy) ✗ go run ./verifier/main.go 
# github.com/edgelesssys/contrast/internal/attestation/snp
../../go/pkg/mod/github.com/edgelesssys/[email protected]/internal/attestation/snp/issuer.go:109:21: undefined: client.LinuxConfigFsQuoteProvider
../../go/pkg/mod/github.com/edgelesssys/[email protected]/internal/attestation/snp/issuer.go:114:21: undefined: client.LinuxIoctlQuoteProvider

This can be easily fixed as proposed here: 1075e61

Could we integrate this in a followup?

@burgerdev
Copy link
Contributor

When importing the package on darwin, I get the following issue:

(base) ➜  continuum git:(as/contrast-proxy) ✗ go run ./verifier/main.go 
# github.com/edgelesssys/contrast/internal/attestation/snp
../../go/pkg/mod/github.com/edgelesssys/[email protected]/internal/attestation/snp/issuer.go:109:21: undefined: client.LinuxConfigFsQuoteProvider
../../go/pkg/mod/github.com/edgelesssys/[email protected]/internal/attestation/snp/issuer.go:114:21: undefined: client.LinuxIoctlQuoteProvider

This can be easily fixed as proposed here: 1075e61

Could we integrate this in a followup?

@elchead: would you mind opening a PR for this? But please make sure to keep some symmetry between SNP and TDX.

@elchead
Copy link
Contributor

elchead commented Nov 26, 2024

@burgerdev I'd also propose to rename the proto packages to a unique name, as advised in the style guide (https://protobuf.dev/programming-guides/style/#packages). This would avoid the current name clash in Continuum:

panic: proto: file "userapi.proto" has a name conflict over userapi.SetManifestResponse
        previously from: "github.com/edgelesssys/continuum/internal/proto/attestation-service/userapi"
        currently from:  "github.com/edgelesssys/contrast/internal/userapi"
See https://protobuf.dev/reference/go/faq#namespace-conflict

I suppose that this would be OK for Contrast compatibility because a CLI version is tied to the Contrast deployment version?

Copy link
Contributor

@burgerdev burgerdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM, thanks. I think @katexochen should take a look, and then we can add tests and doc comments.

cli/cmd/common.go Outdated Show resolved Hide resolved
sdk/verify.go Outdated Show resolved Hide resolved
sdk/verify_test.go Show resolved Hide resolved
sdk/verify.go Outdated Show resolved Hide resolved
sdk/verify.go Outdated Show resolved Hide resolved
sdk/verify.go Outdated Show resolved Hide resolved
sdk/verify.go Outdated Show resolved Hide resolved
sdk/verify.go Outdated Show resolved Hide resolved
Copy link
Contributor

@burgerdev burgerdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

packages/kata-debug-shell.sh Outdated Show resolved Hide resolved
* move cachedir() back to CLI
* make cache dir an input for sdk
* rename GetManifestsResponse to CoordinatorState
* rename hostData to coordinatorPolicyChecksum
* move back acidentally moved functions
* add New and NewWithSlog to fix logging dilemma
* make Verify a method
* update comments
* use discarding logger by default
Copy link
Contributor

@burgerdev burgerdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we're getting there. Maybe now is a good time to squash the commits?

sdk/README.md Outdated Show resolved Hide resolved
@derpsteb derpsteb merged commit c75797e into main Dec 4, 2024
11 checks passed
@derpsteb derpsteb deleted the ob/sdk branch December 4, 2024 14:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
no changelog PRs not listed in the release notes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants