cli: add maa token to the output of verify command #2172

Merged: 1 commit, Aug 8, 2023

katexochen (Member)

Proposed change(s)

  • Adding the parsed Microsoft Azure Attestation token to the output of the verify command. This is especially interesting for validating the IDKeyDigest from the SEV-SNP report with the MAA.
  • This is the first step to transition the SNP reporter from the current custom runner based workflow to a simpler verify based workflow in the CI.

Checklist

  • Update docs
  • Add labels (e.g., for changelog category)
  • Is PR title adequate for changelog?

@katexochen katexochen added the feature This introduces new functionality label Aug 4, 2023
@katexochen katexochen added this to the v2.10.0 milestone Aug 4, 2023
@katexochen katexochen requested a review from malt3 as a code owner August 4, 2023 17:58
@edgelesssys edgelesssys deleted a comment from netlify bot Aug 4, 2023
thomasten (Member)

I didn't look too deep into it yet, but this seems to re-implement things we do in go-azguestattestation with another library. Maybe we can just do this

    keySet, err := maa.GetKeySet(ctx, maaURL, m.client)
    if err != nil {
        return fmt.Errorf("getting key set from MAA: %w", err)
    }
    claims, err := maa.ValidateToken(token, keySet)

and print the returned claims?

malt3 (Contributor) left a comment

I only reviewed the changes to CLI logic and did not review possible code overlap with go-azguestattestation.

katexochen (Member, Author)

I've added validation for the JKU from the token against the URL from the ID/config file.

> I didn't look too deep into it yet, but this seems to re-implement things we do in go-azguestattestation with another library. Maybe we can just do this
>
>     keySet, err := maa.GetKeySet(ctx, maaURL, m.client)
>     if err != nil {
>         return fmt.Errorf("getting key set from MAA: %w", err)
>     }
>     claims, err := maa.ValidateToken(token, keySet)
>
> and print the returned claims?

The library isn't that versatile. Especially claims are only parsed as map of string, but the JWT is a nested struct, so sub-structs would still need to be parsed afterwards.

We could use maa.GetKeySet, but not sure it's worth the import.
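
The JKU check mentioned in the comment above, sketched as an added example that is not the PR's code: the token's unverified `jku` header is accepted as a key source only if it points at the MAA URL taken from the config. The function names, the `/certs` key set path and the `maa.example.test` host are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// validateJKU reads the unverified "jku" header of a compact JWS and returns it
// only if it points at the MAA instance configured out of band (maaURL).
func validateJKU(token, maaURL string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.SplitN(token, ".", 2)[0])
	if err != nil {
		return "", fmt.Errorf("decoding token header: %w", err)
	}
	var hdr struct {
		JKU string `json:"jku"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("parsing token header: %w", err)
	}
	got, err := url.Parse(hdr.JKU)
	if err != nil {
		return "", fmt.Errorf("parsing jku: %w", err)
	}
	want, err := url.Parse(maaURL)
	if err != nil {
		return "", fmt.Errorf("parsing MAA URL: %w", err)
	}
	// Assumption: the key set is served under "/certs" on the configured host.
	if want.Host == "" || got.Scheme != "https" || got.User != nil ||
		!strings.EqualFold(got.Host, want.Host) || got.Path != "/certs" {
		return "", fmt.Errorf("jku %q does not belong to MAA instance %q", hdr.JKU, maaURL)
	}
	return hdr.JKU, nil
}

// sampleToken builds a constructed, unsigned token carrying the given jku header.
func sampleToken(jku string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "jku": jku})
	return base64.RawURLEncoding.EncodeToString(hdr) + ".e30.c2ln"
}

func main() {
	_, err := validateJKU(sampleToken("https://other.example.test/certs"), "https://maa.example.test")
	fmt.Println(err)
}
```

Only a URL that passes this check should be used to fetch the key set, and the token's signature still has to be verified against those keys afterwards.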

@katexochen katexochen merged commit e97b2af into main Aug 8, 2023
4 checks passed
@katexochen katexochen deleted the feat/verify/print-maa branch August 8, 2023 09:50