resolve comments

cmd/flags.go

@@ -126,8 +126,8 @@ func addInputFlag(cmd *cobra.Command) {
 
 // Lets this command specify an Attestation Server Address.
 func addAsAdressFlag(cmd *cobra.Command) {
-	cmd.PersistentFlags().StringVar(&asAddress, "asAddr", "",
-		"AS address (defaults to https://confidentialcomputing.googleapis.com)")
+	cmd.PersistentFlags().StringVar(&asAddress, "asAddr", "https://confidentialcomputing.googleapis.com",
+		"Attestation Service address")
 }
 
 // Lets this command specify an NVDATA index, for use with nvIndex.

cmd/gen_token.go → cmd/token.go

@@ -14,6 +14,7 @@ import (
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/google/go-tpm-tools/client"
 	"github.com/google/go-tpm-tools/launcher/agent"
+	"github.com/google/go-tpm-tools/launcher/spec"
 	"github.com/google/go-tpm-tools/launcher/verifier"
 	"github.com/google/go-tpm-tools/launcher/verifier/rest"
 	"github.com/google/go-tpm/legacy/tpm2"
@@ -25,8 +26,8 @@ import (
 var mdsClient *metadata.Client
 
 // If hardware technology needs a variable length teenonce then please modify the flags description
-var gentokenCmd = &cobra.Command{
-	Use:   "gentoken",
+var tokenCmd = &cobra.Command{
+	Use:   "token",
 	Short: "Attest and fetch an OIDC token from Google Attestation Verification Service.",
 	Long: `Gather attestation report and send it to Google Attestation Verification Service for an OIDC token.
 The OIDC token includes claims regarding the authentication of the user by the authorization server (Google IAM server) with the use of an OAuth client application(Google Cloud apps). Note that this command will only work on a GCE VM with confidential space image for now. And Confidential computing API needs to be enabled for your account to access Google Attestation Verification Service https://pantheon.corp.google.com/apis/api/confidentialcomputing.googleapis.com.
@@ -45,6 +46,7 @@ The OIDC token includes claims regarding the authentication of the user by the a
 		mdsClient = metadata.NewClient(nil)
 
 		ctx := namespaces.WithNamespace(context.Background(), namespaces.Default)
+		// TODO: principalFetcher is copied from go-tpm-tools/launcher/container_runner.go, to be refactored
 		// Fetch GCP specific ID token with specific audience.
 		// See https://cloud.google.com/functions/docs/securing/authenticating#functions-bearer-token-example-go.
 		principalFetcher := func(audience string) ([][]byte, error) {
@@ -56,62 +58,52 @@ The OIDC token includes claims regarding the authentication of the user by the a
 				}.Encode(),
 			}
 			idToken, err := mdsClient.Get(u.String())
-			fmt.Fprintf(debugOutput(), "GCP ID token fetched is: %s\n", idToken)
 			if err != nil {
 				return nil, fmt.Errorf("failed to get principal tokens: %w", err)
 			}
-
+			fmt.Fprintf(debugOutput(), "GCP ID token fetched is: %s\n", idToken)
 			tokens := [][]byte{[]byte(idToken)}
 			return tokens, nil
 		}
 
-		if asAddress == "" {
-			asAddress = "https://confidentialcomputing.googleapis.com"
-		}
 		fmt.Fprintf(debugOutput(), "Attestation Address is set to %s\n", asAddress)
 
-		Region, err := getRegion(mdsClient)
+		region, err := getRegion(mdsClient)
 		if err != nil {
-			return fmt.Errorf("failed to fetch Region from MDS: %v", err)
+			return fmt.Errorf("failed to fetch Region from MDS, the tool is probably not running in a GCE VM: %v", err)
 		}
 
-		ProjectID, err := mdsClient.ProjectID()
+		projectID, err := mdsClient.ProjectID()
 		if err != nil {
 			return fmt.Errorf("failed to retrieve ProjectID from MDS: %v", err)
 		}
 
-		verifierClient, err := getRESTClient(ctx, asAddress, ProjectID, Region)
+		verifierClient, err := getRESTClient(ctx, asAddress, projectID, region)
 		if err != nil {
 			return fmt.Errorf("failed to create REST verifier client: %v", err)
 		}
 
-		//  supports GCE VM. Hard code the AK type.
-		key = "gceAK"
-		fmt.Fprintf(debugOutput(), "key is set to gceAK\n")
-
-		// Set GCE AK (EK signing) cert
-		if key == "gceAK" {
-			var gceAK *client.Key
-			var err error
-			if keyAlgo == tpm2.AlgRSA {
-				gceAK, err = client.GceAttestationKeyRSA(rwc)
-			}
-			if keyAlgo == tpm2.AlgECC {
-				gceAK, err = client.GceAttestationKeyECC(rwc)
-			}
-			if err != nil {
-				return err
-			}
-			if gceAK.Cert() == nil {
-				return errors.New("failed to find gceAKCert on this VM: try creating a new VM or contacting support")
-			}
-			gceAK.Close()
+		// Supports GCE VM. Hard code the AK type. Set GCE AK (EK signing) cert
+		var gceAK *client.Key
+		if keyAlgo == tpm2.AlgRSA {
+			gceAK, err = client.GceAttestationKeyRSA(rwc)
 		}
+		if keyAlgo == tpm2.AlgECC {
+			gceAK, err = client.GceAttestationKeyECC(rwc)
+		}
+		if err != nil {
+			return err
+		}
+		if gceAK.Cert() == nil {
+			return errors.New("failed to find gceAKCert on this VM: try creating a new VM or contacting support")
+		}
+		gceAK.Close()
 
-		attestAgent := agent.CreateAttestationAgent(rwc, attestationKeys[key][keyAlgo], verifierClient, principalFetcher)
+		key = "gceAK"
+		attestAgent := agent.CreateAttestationAgent(rwc, attestationKeys[key][keyAlgo], verifierClient, principalFetcher, nil, spec.LaunchSpec{}, nil)
 
 		fmt.Fprintf(debugOutput(), "Fetching attestation verifier OIDC token\n")
-		token, err := attestAgent.Attest(ctx)
+		token, err := attestAgent.Attest(ctx, agent.AttestAgentOpts{})
 		if err != nil {
 			return fmt.Errorf("failed to retrieve attestation service token: %v", err)
 		}
@@ -139,8 +131,6 @@ The OIDC token includes claims regarding the authentication of the user by the a
 			return fmt.Errorf("failed to format claims: %w", err)
 		}
 
-		fmt.Fprintf(debugOutput(), string(claimsString)+"\n")
-
 		if output == "" {
 			fmt.Fprintf(messageOutput(), string(token)+"\n")
 		}
@@ -152,10 +142,12 @@ The OIDC token includes claims regarding the authentication of the user by the a
 			}
 		}
 
+		fmt.Fprintf(debugOutput(), string(claimsString)+"\n")
 		return nil
 	},
 }
 
+// TODO: getRESTClient is copied from go-tpm-tools/launcher/container_runner.go, to be refactored.
 // getRESTClient returns a REST verifier.Client that points to the given address.
 // It defaults to the Attestation Verifier instance at
 // https://confidentialcomputing.googleapis.com.
@@ -190,11 +182,11 @@ func getRegion(client *metadata.Client) (string, error) {
 }
 
 func init() {
-	RootCmd.AddCommand(gentokenCmd)
-	addOutputFlag(gentokenCmd)
-	addPublicKeyAlgoFlag(gentokenCmd)
-	addAsAdressFlag(gentokenCmd)
+	RootCmd.AddCommand(tokenCmd)
+	addOutputFlag(tokenCmd)
+	addPublicKeyAlgoFlag(tokenCmd)
+	addAsAdressFlag(tokenCmd)
 	// TODO: Add TEE hardware OIDC token generation
-	// addTeeNonceflag(gentokenCmd)
-	// addTeeTechnology(gentokenCmd)
+	// addTeeNonceflag(tokenCmd)
+	// addTeeTechnology(tokenCmd)
 }

cmd/gen_token_test.go → cmd/token_test.go

@@ -19,11 +19,11 @@ import (
 	"golang.org/x/oauth2/google"
 )
 
-func TestGenTokenWithGCEAK(t *testing.T) {
+func TestTokenWithGCEAK(t *testing.T) {
 	rwc := test.GetTPM(t)
 	defer client.CheckedClose(t, rwc)
 	ExternalTPM = rwc
-	secretFile1 := makeOutputFile(t, "gentoken")
+	secretFile1 := makeOutputFile(t, "token")
 	defer os.RemoveAll(secretFile1)
 	var template = map[string]tpm2.Public{
 		"rsa": GCEAKTemplateRSA(),
@@ -72,7 +72,7 @@ func TestGenTokenWithGCEAK(t *testing.T) {
 			}
 			defer mockAttestationServer.Stop()
 
-			RootCmd.SetArgs([]string{"gentoken", "--algo", op.algo, "--output", secretFile1, "--asAddr", mockAttestationServer.server.URL})
+			RootCmd.SetArgs([]string{"token", "--algo", op.algo, "--output", secretFile1, "--asAddr", mockAttestationServer.server.URL})
 			if err := RootCmd.Execute(); err != nil {
 				t.Error(err)
 			}

launcher/container_runner.go

@@ -217,7 +217,7 @@ func NewRunner(ctx context.Context, cdClient *containerd.Client, token oauth2.To
 		return nil, fmt.Errorf("failed to create REST verifier client: %v", err)
 	}
 
-	// Create a new signaturediscovery cleint to fetch signatures.
+	// Create a new signaturediscovery client to fetch signatures.
 	sdClient := getSignatureDiscoveryClient(cdClient, token, image.Target())
 	return &ContainerRunner{
 		container,