First revision of cascade plugins

Signed-off-by: Yogesh Deshpande <[email protected]>

deployments/docker/src/config.yaml.template

@@ -36,7 +36,7 @@ po-store:
 po-agent:
     backend: opa
 auth:
-  backend: keycloak
+  backend: none
   host: keycloak-service
   port: ${KEYCLOAK_PORT}
 # vim: set ft=yaml:

proto/evidence.proto

@@ -10,4 +10,6 @@ message EvidenceContext {
   string trust_anchor_id = 2 [json_name = "trust-anchor-id"];
   string reference_id = 3 [json_name = "reference-id"];
   google.protobuf.Struct evidence = 5;
+  bool require_further_processing = 6 [json_name = "require-further-processing"];
+  string media_type = 7 [json_name = "media-type"];
 }

provisioning/cmd/provisioning-service/config.yaml

@@ -5,5 +5,5 @@ logging:
 provisioning:
   listen-addr: 0.0.0.0:8888
 vts:
-  server-addr: vts-service:50051
+  server-addr: localhost:50051
 # vim: set ft=yaml:

verification/cmd/verification-service/config.yaml

@@ -5,5 +5,5 @@ logging:
 verification:
   listen-addr: 0.0.0.0:8080
 vts:
-  server-addr: vts-service:50051
+  server-addr: localhost:50051
 # vim: set ft=yaml:

vts/cmd/vts-service/config.yaml

@@ -6,21 +6,21 @@ ta-store:
   backend: sql
   sql:
     driver: sqlite3
-    datasource: /veraison/stores/vts/ta-store.sql
+    datasource: ta-store.sql
 en-store:
   backend: sql
   sql:
     driver: sqlite3
-    datasource: /veraison/stores/vts/en-store.sql
+    datasource: en-store.sql
 po-store:
   backend: sql
   sql:
     driver: sqlite3
-    datasource: /veraison/stores/vts/po-store.sql
+    datasource: po-store.sql
 po-agent:
   backend: opa
 vts:
-  server-addr: 127.0.0.1:50051
+  server-addr: localhost:50051
 ear-signer:
   alg: ES256
   key: ./skey.jwk

vts/trustedservices/trustedservices_grpc.go

@@ -315,24 +315,19 @@ func (o *GRPC) addTrustAnchor(
 	return nil
 }
 
-func (o *GRPC) GetAttestation(
-	ctx context.Context,
-	token *proto.AttestationToken,
-) (*proto.AppraisalContext, error) {
-	o.logger.Infow("get attestation", "media-type", token.MediaType,
-		"tenant-id", token.TenantId)
+func (o *GRPC) getPerSchemeAttestation(ctx context.Context, mediaType string, token *proto.AttestationToken) (*appraisal.Appraisal, error) {
 
-	handler, err := o.EvPluginManager.LookupByMediaType(token.MediaType)
+	handler, err := o.EvPluginManager.LookupByMediaType(mediaType)
 	if err != nil {
 		appraisal := appraisal.New(token.TenantId, token.Nonce, "ERROR")
 		appraisal.SetAllClaims(ear.UnexpectedEvidenceClaim)
 		appraisal.AddPolicyClaim("problem", "could not resolve media type")
-		return o.finalize(appraisal, err)
+		return appraisal, err
 	}
 
 	appraisal, err := o.initEvidenceContext(handler, token)
 	if err != nil {
-		return o.finalize(appraisal, err)
+		return appraisal, err
 	}
 
 	ta, err := o.getTrustAnchor(appraisal.EvidenceContext.TrustAnchorId)
@@ -343,21 +338,21 @@ func (o *GRPC) GetAttestation(
 			appraisal.SetAllClaims(ear.CryptoValidationFailedClaim)
 			appraisal.AddPolicyClaim("problem", "no trust anchor for evidence")
 		}
-		return o.finalize(appraisal, err)
+		return appraisal, err
 	}
 
 	extracted, err := handler.ExtractClaims(token, ta)
 	if err != nil {
 		if errors.Is(err, handlermod.BadEvidenceError{}) {
 			appraisal.AddPolicyClaim("problem", err.Error())
 		}
-		return o.finalize(appraisal, err)
+		return appraisal, err
 	}
 
 	appraisal.EvidenceContext.Evidence, err = structpb.NewStruct(extracted.ClaimsSet)
 	if err != nil {
 		err = fmt.Errorf("unserializable claims in result: %w", err)
-		return o.finalize(appraisal, err)
+		return appraisal, err
 	}
 
 	appraisal.EvidenceContext.ReferenceId = extracted.ReferenceID
@@ -368,7 +363,7 @@ func (o *GRPC) GetAttestation(
 
 	endorsements, err := o.EnStore.Get(appraisal.EvidenceContext.ReferenceId)
 	if err != nil && !errors.Is(err, kvstore.ErrKeyNotFound) {
-		return o.finalize(appraisal, err)
+		return appraisal, err
 	}
 
 	if len(endorsements) > 0 {
@@ -380,25 +375,51 @@ func (o *GRPC) GetAttestation(
 			appraisal.SetAllClaims(ear.CryptoValidationFailedClaim)
 			appraisal.AddPolicyClaim("problem", "integrity validation failed")
 		}
-		return o.finalize(appraisal, err)
+		return appraisal, err
 	}
 
 	appraisedResult, err := handler.AppraiseEvidence(appraisal.EvidenceContext, endorsements)
 	if err != nil {
-		return o.finalize(appraisal, err)
+		return appraisal, err
 	}
 	appraisedResult.Nonce = appraisal.Result.Nonce
 	appraisal.Result = appraisedResult
 	appraisal.InitPolicyID()
 
 	err = o.PolicyManager.Evaluate(ctx, handler.GetAttestationScheme(), appraisal, endorsements)
 	if err != nil {
-		return o.finalize(appraisal, err)
+		return appraisal, err
 	}
 
 	o.logger.Infow("evaluated attestation result", "attestation-result", appraisal.Result)
 
-	return o.finalize(appraisal, nil)
+	return appraisal, nil
+}
+
+func (o *GRPC) GetAttestation(
+	ctx context.Context,
+	token *proto.AttestationToken,
+) (*proto.AppraisalContext, error) {
+	o.logger.Infow("get attestation", "media-type", token.MediaType,
+		"tenant-id", token.TenantId)
+
+	mediaType := token.MediaType
+	requireAttestation := true
+
+	for requireAttestation {
+		appraisal, err := o.getPerSchemeAttestation(ctx, mediaType, token)
+		if err != nil {
+			return o.finalize(appraisal, err)
+		}
+		if appraisal.EvidenceContext.RequireFurtherProcessing {
+			requireAttestation = true
+			mediaType = appraisal.EvidenceContext.MediaType
+		} else {
+			o.logger.Infow("evaluated attestation result", "attestation-result", appraisal.Result)
+			return o.finalize(appraisal, err)
+		}
+	}
+	return nil, fmt.Errorf("invalid condition reached")
 }
 
 func (c *GRPC) initEvidenceContext(