API Refactor: Allow the agent to use the experimental AttestAgent API #1739
Conversation
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
amartinezfayo
requested review from
APTy,
azdagron,
evan2645 and
mcpherrinm
as code owners
| return nil, fmt.Errorf("failed to get updated bundle %v", err) | ||
| } | ||
|
|
||
| b, err := api.ProtoToBundle(updatedBundle) |
There was a problem hiding this comment.
you are using code from server inside agent, is that ok?
There was a problem hiding this comment.
Good point. I'll move the bundleFromProto function recently added to the client package to the bundleutil package.
| @@ -0,0 +1,445 @@ | |||
| package attestor | |||
| return ta.bundleClient | ||
| } | ||
|
|
||
| ta.agentClient.joinToken = testCase.joinToken |
There was a problem hiding this comment.
maybe you can add agentClient to tt instead all separated value?and just set it?
| } | ||
|
|
||
| var attestReq *agent.AttestAgentRequest | ||
| if data.AttestationData != nil { |
There was a problem hiding this comment.
Hmm, I think the new APIs force us to think about this a little differently. Only the first message should contain parameters, the rest (if any) should be challenge/response.
I'd assume something like:
1. fetch data from plugin
2. send data to server
3. loop
3a. read response, if challenge is nil, goto 4
3b. send challenge to plugin
3c. recv challenge response from plugin
3d. send challenge response to server
3e. goto 3a
4. parse svid from response
|
|
||
| func getSVIDFromAttestAgentResponse(r *agent.AttestAgentResponse) ([]*x509.Certificate, error) { | ||
| if r.GetResult().Svid == nil { | ||
| return nil, errors.New("missing svid update") |
There was a problem hiding this comment.
| return nil, errors.New("missing svid update") | |
| return nil, errors.New("attest response is missing SVID") |
| for _, rawCert := range r.GetResult().Svid.CertChain { | ||
| cert, err := x509.ParseCertificate(rawCert) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("invalid svid cert chain: %v", err) |
There was a problem hiding this comment.
| return nil, fmt.Errorf("invalid svid cert chain: %v", err) | |
| return nil, fmt.Errorf("invalid SVID cert chain: %v", err) |
| } | ||
|
|
||
| var svid []*x509.Certificate | ||
| for _, rawCert := range r.GetResult().Svid.CertChain { |
There was a problem hiding this comment.
we have a function for this under x509util, i believe
pkg/agent/attestor/node/node.go
Outdated
| createNewAgentClient func(*grpc.ClientConn) agent.AgentClient | ||
| createNewBundleClient func(*grpc.ClientConn) bundle.BundleClient |
There was a problem hiding this comment.
this will need tweaking with the grpc update that just got merged (to swap *grpc.ClientConn for `grpc.ClientConnInterface)
…able-attest-agent
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
| CreateNewAgentClient: agent.NewAgentClient, | ||
| CreateNewBundleClient: bundle.NewBundleClient, |
There was a problem hiding this comment.
nit: one thing we can do to make this harder to misconfigure is to have the attestor default to agent.NewAgentClient and bundle.NewBundleClient if these functions are unset in the configuration.
…tions Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Pull Request check list
Affected functionality
Node attestation using the new experimental AttestAgent API.
Description of change
This PR adds the ability to use the new experimental AttestAgent API calling it from the agent. It's only used when the experimental
enable_apisetting is set to true.