veraison · setrofim · Jul 26, 2023 · Jul 18, 2023 · Jul 5, 2023 · Jul 5, 2023
diff --git a/.gitignore b/.gitignore
@@ -19,6 +19,7 @@ integration-tests/.built
 __generated__
 __pycache__
 __debug_bin
+management/cmd/management-service/management-service
 
 # Test binary, built with `go test -c`
 *.test

diff --git a/Makefile b/Makefile
@@ -8,6 +8,7 @@ SUBDIR += config
 SUBDIR += handler
 SUBDIR += kvstore
 SUBDIR += log
+SUBDIR += management
 SUBDIR += plugin
 SUBDIR += policy
 SUBDIR += proto

diff --git a/builtin/builtin_loader.go b/builtin/builtin_loader.go
@@ -112,6 +112,22 @@ func GetBuiltinHandleByNameUsing[I plugin.IPluggable](ldr *BuiltinLoader, name s
 	return handle, nil
 }
 
+func GetBuiltinLoadedAttestationSchemes[I plugin.IPluggable](ldr *BuiltinLoader) []string {
+	schemes := make([]string, len(ldr.loadedByName))
+
+	i := 0
+	for _, ihandle := range ldr.loadedByName {
+		if _, ok := ihandle.(I); !ok {
+			continue
+		}
+
+		schemes[i] = ihandle.GetAttestationScheme()
+		i += 1
+	}
+
+	return schemes
+}
+
 func GetBuiltinHandleByAttestationSchemeUsing[I plugin.IPluggable](
 	ldr *BuiltinLoader,
 	scheme string,

diff --git a/builtin/builtin_manager.go b/builtin/builtin_manager.go
@@ -82,6 +82,10 @@ func (o *BuiltinManager[I]) GetRegisteredMediaTypes() []string {
 	return registeredMediatTypes
 }
 
+func (o *BuiltinManager[I]) GetRegisteredAttestationSchemes() []string {
+	return GetBuiltinLoadedAttestationSchemes[I](o.loader)
+}
+
 func (o *BuiltinManager[I]) LookupByName(name string) (I, error) {
 	return GetBuiltinHandleByNameUsing[I](o.loader, name)
 }

diff --git a/capability/well-known.go b/capability/well-known.go
@@ -10,7 +10,8 @@ const (
 
 type WellKnownInfo struct {
 	PublicKey    jwk.Key           `json:"ear-verification-key,omitempty"`
-	MediaTypes   []string          `json:"media-types"`
+	MediaTypes   []string          `json:"media-types,omitempty"`
+	Schemes      []string          `json:"attestation-schemes,omitempty"`
 	Version      string            `json:"version"`
 	ServiceState string            `json:"service-state"`
 	ApiEndpoints map[string]string `json:"api-endpoints"`
@@ -32,11 +33,19 @@ func ServiceStateToAPI(ss string) string {
 	return t
 }
 
-func NewWellKnownInfoObj(key jwk.Key, mediaTypes []string, version string, serviceState string, endpoints map[string]string) (*WellKnownInfo, error) {
+func NewWellKnownInfoObj(
+	key jwk.Key,
+	mediaTypes []string,
+	schemes []string,
+	version string,
+	serviceState string,
+	endpoints map[string]string,
+) (*WellKnownInfo, error) {
 	// MUST be kept in sync with proto/state.proto
 	obj := &WellKnownInfo{
 		PublicKey:    key,
 		MediaTypes:   mediaTypes,
+		Schemes:      schemes,
 		Version:      version,
 		ServiceState: ServiceStateToAPI(serviceState),
 		ApiEndpoints: endpoints,

diff --git a/deployments/docker/Makefile b/deployments/docker/Makefile
@@ -24,9 +24,14 @@ SRC_DIR := $(THIS_DIR)src/
 BUILDER_CONTEXT := $(CONTEXT_DIR)/builder
 
 vts_FLAGS := -v $(STORES_VOLUME):/opt/veraison/stores
+management_FLAGS := -v $(STORES_VOLUME):/opt/veraison/stores -p $(MANAGEMENT_PORT):$(MANAGEMENT_PORT)
 provisioning_FLAGS := -p $(PROVISIONING_PORT):$(PROVISIONING_PORT)
 verification_FLAGS := -p $(VERIFICATION_PORT):$(VERIFICATION_PORT)
 
+ifneq ($(DEBUG_PORT),)
+DEBUG_PORT_FLAG := -p $(DEBUG_PORT):$(DEBUG_PORT)
+endif
+
 .PHONY: all
 all: builder build deploy deployment prune
 
@@ -71,7 +76,7 @@ debug: .built/builder .built/network
 		--network $(VERAISON_NETWORK) \
 		-v $(STORES_VOLUME):/veraison/stores -v $(LOGS_VOLUME):/veraison/logs \
 		-v $(THIS_DIR)../..:/veraison/build -v $(DEPLOY_DEST):/veraison/deploy \
-		$(DEBUG_FLAGS) --hostname $(DEBUG_HOST)\
+		$(DEBUG_FLAGS) $(DEBUG_PORT_FLAG) --hostname $(DEBUG_HOST)\
 		-i -t --user $(DEBUG_USER) --entrypoint /bin/bash \
 		veraison/builder
 
@@ -81,7 +86,8 @@ services:
 	@# image targets (possibly because of the need to recursively resolve %,
 	@# but I haven't looked too much into it). Recursively calling $(MAKE) here
 	@# resolves the issue.
-	$(MAKE) .built/vts-container .built/provisioning-container .built/verification-container
+	$(MAKE) .built/vts-container .built/provisioning-container .built/verification-container \
+		.built/management-container
 
 .PHONY: vts
 vts: deploy .built/vts-container
@@ -101,6 +107,12 @@ verification: deploy .built/verification-container
 .PHONY: verification-image
 verification-image: deploy .built/verification-image
 
+.PHONY: management
+management: deploy .built/management-container
+
+.PHONY: management-image
+management-image: deploy .built/management-image
+
 .PHONY: network
 network: .built/network
 
@@ -161,7 +173,7 @@ docker-clean:
 		docker volume rm -f $(DEPLOY_DEST); \
 	fi
 	@# -f ensures exit code 0, even if image doesn't exist
-	docker container rm -f vts-service provisioning-service verification-service
+	docker container rm -f vts-service provisioning-service verification-service management-service
 	docker volume rm -f veraison-logs veraison-stores
 	@# ubuntu uses an older version of docker without -f option for network; hence the || : cludge
 	docker network rm $(VERAISON_NETWORK) || :

diff --git a/deployments/docker/README.md b/deployments/docker/README.md
@@ -82,6 +82,10 @@ make targets:
 want to substitute the debug container in place of one of the service
 containers.
 
+`DEBUG_PORT`: if set with a port number, that port on the debug container will
+be forwarded to the host (debug container is run with `-p
+$(DEBUG_PORT):$(DEBUG_PORT)`).
+
 `DOCKER_BUILD_FLAGS`: additional flags to be passed to Docker when building
 various images. This is passed to all image build invocations, so should only
 be used for globally-applicable flags such as `--no-cache`.

diff --git a/deployments/docker/deployment.cfg b/deployments/docker/deployment.cfg
@@ -12,6 +12,7 @@ VERAISON_NETWORK=veraison-net
 VTS_PORT=50051
 PROVISIONING_PORT=8888
 VERIFICATION_PORT=8080
+MANAGEMENT_PORT=8088
 
 # Deploy destination is either an absolute path to a directory on the host, or
 # the name of a docker volume.

diff --git a/deployments/docker/env.bash b/deployments/docker/env.bash
@@ -7,4 +7,4 @@ set +a
 alias veraison="$__VERAISON_DIR/veraison"
 alias cocli="$__VERAISON_DIR/veraison -- cocli"
 alias evcli="$__VERAISON_DIR/veraison -- evcli"
-alias polcli="$__VERAISON_DIR/veraison -- polcli"
+alias pocli="$__VERAISON_DIR/veraison -- pocli"
diff --git a/deployments/docker/env.zsh b/deployments/docker/env.zsh
@@ -7,4 +7,4 @@ set +a
 alias veraison="$__VERAISON_DIR/veraison"
 alias cocli="$__VERAISON_DIR/veraison -- cocli"
 alias evcli="$__VERAISON_DIR/veraison -- evcli"
-alias polcli="$__VERAISON_DIR/veraison -- polcli"
+alias pocli="$__VERAISON_DIR/veraison -- pocli"
diff --git a/deployments/docker/src/builder-dispatcher b/deployments/docker/src/builder-dispatcher
@@ -31,13 +31,13 @@ function deploy() {
     cp $BUILD_DIR/provisioning/cmd/provisioning-service/provisioning-service $DEPLOY_DIR/
     cp $BUILD_DIR/verification/cmd/verification-service/verification-service $DEPLOY_DIR/
     cp $BUILD_DIR/vts/cmd/vts-service/vts-service $DEPLOY_DIR/
-    cp $BUILD_DIR/vts/cmd/vts-service/vts-service $DEPLOY_DIR/
+    cp $BUILD_DIR/management/cmd/management-service/management-service $DEPLOY_DIR/
     cp $BUILD_DIR/scheme/bin/* $DEPLOY_DIR/plugins/
     cp $BUILD_DIR/deployments/docker/src/skey.jwk $DEPLOY_DIR/
     cp $BUILD_DIR/deployments/docker/src/service-entrypoint $DEPLOY_DIR/
-    cp $BUILD_DIR/policy/cmd/polcli/polcli $DEPLOY_DIR/utils/
     cp $gobin/evcli $DEPLOY_DIR/utils/
     cp $gobin/cocli $DEPLOY_DIR/utils/
+    cp $gobin/pocli $DEPLOY_DIR/utils/
 
     echo "creating config"
     set -a

diff --git a/deployments/docker/src/builder.docker b/deployments/docker/src/builder.docker
@@ -60,6 +60,7 @@ RUN go mod download &&\
     go install github.com/mitchellh/[email protected] &&\
     go install github.com/veraison/corim/cocli@latest &&\
     go install github.com/veraison/evcli/v2@latest &&\
+    go install github.com/veraison/pocli@latest &&\
     go install github.com/go-delve/delve/cmd/dlv@latest
 
 ADD --chown=builder:builder builder-dispatcher .

diff --git a/deployments/docker/src/config.yaml.template b/deployments/docker/src/config.yaml.template
@@ -7,6 +7,8 @@ provisioning:
   listen-addr: 0.0.0.0:${PROVISIONING_PORT}
 verification:
   listen-addr: 0.0.0.0:${VERIFICATION_PORT}
+management:
+  listen-addr: 0.0.0.0:${MANAGEMENT_PORT}
 vts:
   server-addr: vts-service:${VTS_PORT}
 ear-signer:

diff --git a/deployments/docker/src/load-config.mk b/deployments/docker/src/load-config.mk
@@ -10,6 +10,7 @@ VERAISON_NETWORK ?= veraison-net
 VTS_PORT ?= 50051
 PROVISIONING_PORT ?= 8888
 VERIFICATION_PORT ?= 8080
+MANAGEMENT_PORT ?= 8088
 
 # Deploy destination is either an absolute path to a directory on the host, or
 # the name of a docker volume.

diff --git a/deployments/docker/src/management.docker b/deployments/docker/src/management.docker
@@ -0,0 +1,28 @@
+# Management service container.
+# The context for building this image is assumed to be the Veraison deployment
+# directory (/tmp/veraison is the default for make build).
+FROM debian as veraison-management
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install \
+        --assume-yes \
+        --no-install-recommends \
+	uuid-runtime \
+    && uuidgen | tr -d - > /etc/machine-id \
+    && apt-get clean \
+    && apt-get autoremove --assume-yes \
+    && rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/*
+
+RUN groupadd -g 616 veraison && \
+    useradd -m  -g veraison  --system veraison
+
+USER veraison
+
+WORKDIR /opt/veraison
+
+ADD --chown=veraison:nogroup plugins plugins
+ADD --chown=veraison:nogroup config.yaml management-service service-entrypoint ./
+
+ENTRYPOINT ["/opt/veraison/service-entrypoint"]
+CMD ["/opt/veraison/management-service"]
+
diff --git a/deployments/docker/src/manager-dispatcher b/deployments/docker/src/manager-dispatcher
@@ -57,8 +57,8 @@ function evcli() {
     /bin/bash -c "$cmd"
 }
 
-function polcli() {
-    local cmd="$_utils_dir/polcli $@"
+function pocli() {
+    local cmd="$_utils_dir/pocli $@"
     /bin/bash -c "$cmd"
 }
 
@@ -80,6 +80,6 @@ case $command in
     clear-logs) clear_logs "$@";;
     cocli)  cocli "$@";;
     evcli)  evcli "$@";;
-    polcli)  polcli "$@";;
+    pocli)  pocli "$@";;
     *) echo -e "$_error: unexpected command: \"$command\"";;
 esac
diff --git a/deployments/docker/src/manager.docker b/deployments/docker/src/manager.docker
@@ -32,7 +32,10 @@ USER manager
 
 WORKDIR /opt/veraison
 
-ADD --chown=manager:nogroup utils/evcli utils/cocli utils/polcli ./utils/
+RUN mkdir -p /home/manager/.config/pocli && \
+    echo "host: management-service" > /home/manager/.config/pocli/config.yaml
+
+ADD --chown=manager:nogroup utils/evcli utils/cocli utils/pocli ./utils/
 ADD --chown=manager:nogroup manager-dispatcher ./
 
 ENTRYPOINT ["/opt/veraison/manager-dispatcher"]

diff --git a/deployments/docker/veraison b/deployments/docker/veraison
@@ -8,19 +8,21 @@ function status() {
     local vts=$(_get_container_state vts-service)
     local prov=$(_get_container_state provisioning-service)
     local verif=$(_get_container_state verification-service)
+    local manage=$(_get_container_state management-service)
 
     if [[ $_quiet == true ]]; then
         local vts=$(_strip_color $vts)
         local prov=$(_strip_color $prov)
         local verif=$(_strip_color $verif)
+        local manage=$(_strip_color $manage)
 
         local status="${_yell}stopped${_reset}"
 
-        if [[ "$vts" == "running" || "$prov" == "running" || "$verif" == "running" ]]; then
+        if [[ "$vts" == "running" || "$prov" == "running" || "$verif" == "running" || "$manage" == "running" ]]; then
             status="${_yell}partial${_yell}"
         fi
 
-        if [[ "$vts" == "running" && "$prov" == "running" && "$verif" == "running" ]]; then
+        if [[ "$vts" == "running" && "$prov" == "running" && "$verif" == "running"  && "$manage" == "running" ]]; then
             status="${_green}running${_reset}"
         fi
 
@@ -29,6 +31,7 @@ function status() {
         echo -e "         vts: $vts"
         echo -e "provisioning: $prov"
         echo -e "verification: $verif"
+        echo -e "  management: $manage"
     fi
 }
 
@@ -40,12 +43,15 @@ function start() {
         sleep 0.5 # wait for vts to start before starting the services that depend on it.
         start_provisioning
         start_verification
+        start_management
     elif [[ "$what" == "vts" || "$what" == "vts-service" ]]; then
         start_vts
     elif [[ "$what" == "provisioning" || "$what" == "provisioning-service" ]]; then
         start_provisioning
     elif [[ "$what" == "verification" || "$what" == "verification-service" ]]; then
         start_verification
+    elif [[ "$what" == "management" || "$what" == "management-service" ]]; then
+        start_management
     else
         echo -e "$_error: unknown service: $what"
         exit 1
@@ -56,6 +62,7 @@ function stop() {
     local what=$1
 
     if [[ "x$what" == "x" ]]; then
+        stop_management
         stop_verification
         stop_provisioning
         stop_vts
@@ -65,6 +72,8 @@ function stop() {
         stop_provisioning
     elif [[ "$what" == "verification" || "$what" == "verification-service" ]]; then
         stop_verification
+    elif [[ "$what" == "management" || "$what" == "management-service" ]]; then
+        stop_management
     else
         echo -e "$_error: unknown service: $what"
         exit 1
@@ -80,6 +89,8 @@ function follow() {
         follow_provisioning
     elif [[ "$what" == "verification" || "$what" == "verification-service" ]]; then
         follow_verification
+    elif [[ "$what" == "management" || "$what" == "management-service" ]]; then
+        follow_management
     else
         echo -e "$_error: unknown service: $what"
         exit 1
@@ -122,6 +133,18 @@ function follow_verification() {
     docker container logs --follow --timestamps verification-service
 }
 
+function start_management() {
+    docker container start management-service
+}
+
+function stop_management() {
+    docker container stop management-service
+}
+
+function follow_management() {
+    docker container logs --follow --timestamps management-service
+}
+
 function manager() {
     docker container run --rm -t \
 	    --network veraison-net \
@@ -222,9 +245,9 @@ function evcli() {
     manager evcli $translated_args
 }
 
-function polcli() {
+function pocli() {
     local translated_args=$(_translate_host_paths "$@")
-    manager evcli $translated_args
+    manager pocli $translated_args
 }
 
 function help() {
@@ -437,7 +460,7 @@ case $command in
     stop-tmux | kill-tmux) kill_tmux_session $2;;
     cocli) shift; cocli $@;;
     evcli) shift; evcli $@;;
-    polcli) shift; polcli $@;;
+    pocli) shift; pocli $@;;
     debug) manager_debug $@;;
     *) echo -e "$_error: unexpected command: \"$command\" (use -h for help)";;
 esac
diff --git a/integration-tests/Makefile b/integration-tests/Makefile
@@ -23,12 +23,8 @@ $(DEPLOYMENT_SRC_DIR).built/%:
 
 
 CONTAINER_FLAGS := --env-file  $(DEPLOYMENT_SRC_DIR)deployment.cfg --network veraison-net \
-		   -v $(THIS_DIR):/integration-tests
-
-DEPLOYMENT_DEPS := $(DEPLOYMENT_SRC_DIR).built/network \
-		   $(DEPLOYMENT_SRC_DIR).built/vts-container \
-		   $(DEPLOYMENT_SRC_DIR).built/provisioning-container \
-		   $(DEPLOYMENT_SRC_DIR).built/verification-container
+		   -v $(THIS_DIR):/integration-tests \
+		   -v $(STORES_VOLUME):/opt/veraison/stores
 
 CLEANFILES := .pytest_cache utils/__pycache__ __generated__