diff --git a/doc/audit/builtin_maps.rst b/doc/audit/builtin_maps.rst index ac54b9130662..615038354d32 100644 --- a/doc/audit/builtin_maps.rst +++ b/doc/audit/builtin_maps.rst @@ -382,7 +382,7 @@ JWT signing key to Issuer mapping, used until 5.0. **Value** JWT issuer URL, represented as a string. ``jwt.public_signing_keys_metadata`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ JWT signing keys. diff --git a/doc/build_apps/api.rst b/doc/build_apps/api.rst index 7b944c5ede28..0bd0ea9004eb 100644 --- a/doc/build_apps/api.rst +++ b/doc/build_apps/api.rst @@ -72,7 +72,7 @@ Policies .. doxygenvariable:: ccf::jwt_auth_policy :project: CCF -.. doxygenvariable:: ccf::TypedUserCOSESign1AuthnPolicy +.. doxygenclass:: ccf::TypedUserCOSESign1AuthnPolicy :project: CCF Identities diff --git a/doc/build_apps/auth/jwt.rst b/doc/build_apps/auth/jwt.rst index dd3cab7e3799..ffa9c8be491c 100644 --- a/doc/build_apps/auth/jwt.rst +++ b/doc/build_apps/auth/jwt.rst @@ -186,4 +186,4 @@ CCF tracks JWT key auto-refresh attempts and successes. This can be used to identify errors, for example when the number of attempts doesn't match the number of successes. For each issuer that has auto-refresh enabled, CCF tracks an attempt for each try, and eventually a success, if the update completes. -Operators can query those numbers via the :http:GET:`/node/jwt_metrics` endpoint. +Operators can query those numbers via the :http:GET:`/node/jwt_keys/refresh/metrics` endpoint. diff --git a/doc/build_apps/build_app.rst b/doc/build_apps/build_app.rst index 69b20682c319..700fc4a8543f 100644 --- a/doc/build_apps/build_app.rst +++ b/doc/build_apps/build_app.rst 
@@ -7,7 +7,7 @@ Once an application is complete, it needs to be built into a shared object, and Using ``cmake``, an application can be built and then signed using the functions provided by CCF's ``cmake/ccf_app.cmake``. For example, for the ``js_generic`` JavaScript application: -.. literalinclude:: ../../cmake/common.cmake +.. literalinclude:: ../../CMakeLists.txt :language: cmake :start-after: SNIPPET_START: JS generic application :end-before: SNIPPET_END: JS generic application diff --git a/doc/build_apps/example_rpc_api.rst b/doc/build_apps/example_rpc_api.rst index 25da66761d86..30b3c8edb00f 100644 --- a/doc/build_apps/example_rpc_api.rst +++ b/doc/build_apps/example_rpc_api.rst @@ -2,7 +2,6 @@ Example app RPC API =================== .. openapi:: ../schemas/app_openapi.json - :examples: :include: /app/log/.* diff --git a/doc/build_apps/install_bin.rst b/doc/build_apps/install_bin.rst index bafadf4e82b8..7f5b5d06a899 100644 --- a/doc/build_apps/install_bin.rst +++ b/doc/build_apps/install_bin.rst @@ -41,6 +41,8 @@ The dependencies required to build and run CCF apps can be conveniently installe This will install the latest release of CCF, but a specific release can also be specified with ``--extra-vars "ccf_ver=X.Y.Z"`` if desired. +.. _Install: + Installation from .deb ---------------------- diff --git a/doc/generate_config_rst.py b/doc/generate_config_rst.py index d8380c482e8f..880f5e81a2a7 100644 --- a/doc/generate_config_rst.py +++ b/doc/generate_config_rst.py @@ -43,7 +43,9 @@ def _start_header_section(self, text): def start_section(self, header, prefix=""): if prefix: prefix = f"`{prefix}`" - self._start_header_section(f"{prefix}\ {header}") + self._start_header_section(f"{prefix}\ {header}") + else: + self._start_header_section(header) self._depth += 1 def end_section(self): 
@@ -111,8 +113,10 @@ def dump_property( t = obj.get("type") - if has_subobjs(obj): - output.start_section(f"``{prefix}{property_name}``") + if has_subobjs(obj) or len(path) == 0: + section_title = f"``{prefix}{property_name}``" + + output.start_section(section_title) for condition in conditions: output.add_line(condition) @@ -212,8 +216,9 @@ def gather_properties(obj, **kwargs): extra_conditions = [] for k, cond in if_el["properties"].items(): assert "const" in cond, "Only 'const' conditions supported" + goal_s = monospace_literal(cond["const"]) extra_conditions.append( - f"(Only applies if {''.join(path)}{k} is {monospace_literal(cond['const'])})" + f"(Only applies if {''.join(path)}{k} is {goal_s})" ) gather_properties(obj["then"], conditions=conditions + extra_conditions) diff --git a/doc/governance/gov_api_schemas/classic.rst b/doc/governance/gov_api_schemas/classic.rst index 490497171b20..34d1387a7f59 100644 --- a/doc/governance/gov_api_schemas/classic.rst +++ b/doc/governance/gov_api_schemas/classic.rst @@ -8,4 +8,3 @@ Any request calling a path with a ``/gov`` prefix which does not include the ``a .. warning:: This API is deprecated, and will be removed in a future release. See :doc:`/governance/gov_api_schemas/upgrading_from_classic` for a guide to upgrading to a more recent version. .. openapi:: ../../schemas/gov_openapi.json - :examples: diff --git a/doc/governance/gov_api_schemas/upgrading_from_classic.rst b/doc/governance/gov_api_schemas/upgrading_from_classic.rst index 7739f5f5a989..082381832c3c 100644 --- a/doc/governance/gov_api_schemas/upgrading_from_classic.rst +++ b/doc/governance/gov_api_schemas/upgrading_from_classic.rst @@ -246,7 +246,7 @@ Service State - Read details of accepted JWKs and their issuers * - Classic - | :http:GET:`/gov/kv/jwt/issuers` - | :http:GET:`/gov/kv/jwt/public_signing_keys` + | ``GET /gov/kv/jwt/public_signing_keys`` * - Replacement - :http:GET:`/gov/service/jwk` * - Notes 
diff --git a/doc/operations/network.rst b/doc/operations/network.rst index d8a4863a0126..2ad80a0b0ed4 100644 --- a/doc/operations/network.rst +++ b/doc/operations/network.rst @@ -4,13 +4,13 @@ Networking HTTP ---- -All RPC interfaces for a given node (see :ref:`operations/configuration:``rpc_interfaces```) currently support HTTP/1.1. A specific RPC interface can also support HTTP/2 by setting the ``"app_protocol"`` configuration entry to ``"HTTP2"`` for that interface. +All RPC interfaces for a given node (see :ref:`operations/configuration:``network.rpc_interfaces```) currently support HTTP/1.1. A specific RPC interface can also support HTTP/2 by setting the ``"app_protocol"`` configuration entry to ``"HTTP2"`` for that interface. .. warning:: HTTP/2 interfaces do not currently support client requests forwarding. Client requests that require forwarding to the primary node will return a `501 `_ HTTP error. Configuration ~~~~~~~~~~~~~ -Operators can cap the size of client HTTP requests (body and header) for each RPC interface in the :ref:`operations/configuration:``http_configuration``` configuration section. These configuration entries are optional and have sensible default values. +Operators can cap the size of client HTTP requests (body and header) for each RPC interface in the :ref:`operations/configuration:``network.rpc_interfaces.[name].http_configuration``` configuration section. These configuration entries are optional and have sensible default values. If a client HTTP request breaches any of these values, the client is returned a `413 `_ or `431 `_ HTTP error and the session is automatically closed by the CCF node. diff --git a/doc/operations/operator_rpc_api.rst b/doc/operations/operator_rpc_api.rst index 12745b3c7612..bbdf94b8146e 100644 --- a/doc/operations/operator_rpc_api.rst +++ b/doc/operations/operator_rpc_api.rst 
@@ -3,5 +3,4 @@ Operator RPC API Operator RPCs are exposed under ``/node`` and do not require authentication. -.. openapi:: ../schemas/node_openapi.json - :examples: \ No newline at end of file +.. openapi:: ../schemas/node_openapi.json \ No newline at end of file diff --git a/doc/operations/platforms/snp.rst b/doc/operations/platforms/snp.rst index 938a1b6546b1..1f253b1e2344 100644 --- a/doc/operations/platforms/snp.rst +++ b/doc/operations/platforms/snp.rst @@ -16,7 +16,7 @@ SNP attestation provide several fields needed to establish trust. Several deploy Confidential Azure Container Instance (ACI) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.. note:: See `here `_ and `here `_ for more information on the deployment of confidential containers in Azure. +.. note:: See `here `__ and `here `__ for more information on the deployment of confidential containers in Azure. Azure Confidential ACI provides a security context directory containing the following files. @@ -32,7 +32,7 @@ AMD endorsements must be fetched, preferably from the THIM service, but configur Confidential Azure Kubernetes Service (AKS) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.. note:: See `here `_ for more information on the deployment of confidential containers in Azure. +.. note:: See `here `__ for more information on the deployment of confidential containers in Azure. Confidential AKS provides a security context directory containing the following file. 
@@ -48,7 +48,7 @@ AMD endorsements must be fetched, preferably from the THIM service, but configur Non-Azure Deployment ~~~~~~~~~~~~~~~~~~~~ -For non-Azure deployments, the certificate chain for VCEK will need to be retrieved from an endorsement server, as specified in the :ref:`operations/configuration:``snp_endorsements_servers``` configuration section. For example, for the `well-known AMD endorsement server `_, the value should be set to: +For non-Azure deployments, the certificate chain for VCEK will need to be retrieved from an endorsement server, as specified in the :ref:`operations/configuration:``attestation.snp_endorsements_servers``` configuration section. For example, for the `well-known AMD endorsement server `_, the value should be set to: .. code-block:: json diff --git a/doc/operations/start_network.rst b/doc/operations/start_network.rst index 806c6d28a6a7..60101740859b 100644 --- a/doc/operations/start_network.rst +++ b/doc/operations/start_network.rst @@ -29,7 +29,7 @@ When starting up, the node generates its own key pair and outputs the unendorsed .. note:: The service certificate should be distributed to users and members to be used as the certificate authority (CA) when establishing a TLS connection with any of the nodes part of the CCF network. When using ``curl``, this is passed as the ``--cacert`` argument. -The initial constitution scripts, member certificates, public encryption keys and data files as well as the initial service configuration should be set in the :ref:`operations/configuration:``start``` section of the JSON configuration. +The initial constitution scripts, member certificates, public encryption keys and data files as well as the initial service configuration should be set in the :ref:`operations/configuration:``command.start``` section of the JSON configuration. Once the first node is started, the network will be in its opening state and new nodes can join the network. 
@@ -52,7 +52,7 @@ To add a new node to an existing opening network, other nodes should be started The joining node takes the certificate of the existing network to join via ``service_certificate_file`` configuration entry and initiates an enclave-to-enclave TLS connection to an existing node of the network as specified by ``join.target_rpc_address`` configuration entry. -The join configuration option should be set in the :ref:`operations/configuration:``join``` section of the JSON configuration. +The join configuration option should be set in the :ref:`operations/configuration:``command.join``` section of the JSON configuration. A new node can only join an existing CCF network if its SGX quote is valid [#remote_attestation]_. and runs an enclave application that is :ref:`trusted by the consortium `. diff --git a/doc/use_apps/rpc_api.rst b/doc/use_apps/rpc_api.rst index 95d75cb83926..e9c22461c059 100644 --- a/doc/use_apps/rpc_api.rst +++ b/doc/use_apps/rpc_api.rst @@ -10,7 +10,6 @@ Built-ins By default, CCF will also add some built-in endpoints: .. openapi:: ../schemas/app_openapi.json - :examples: :include: /app/api /app/tx diff --git a/js/ccf-app/typedoc.json b/js/ccf-app/typedoc.json index 2e5a6aea315f..aaba162a581f 100644 --- a/js/ccf-app/typedoc.json +++ b/js/ccf-app/typedoc.json @@ -9,7 +9,6 @@ "src/historical.ts", "src/kv.ts", "src/polyfill.ts", - "src/openenclave.ts", "src/snp_attestation.ts" ], "out": "html",
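Review bot: in doc/generate_config_rst.py, start_section, the re-indented line still builds the title with `f"{prefix}\ {header}"`, and `\ ` is not a recognised escape in a non-raw Python string literal, so newer Python versions warn about it. Write it as `\\ ` or switch to a raw f-string (`rf"..."`) so the reST escaped space is emitted on purpose. A one-line comment saying that the backslash-space joins the literal prefix to the header without a visible gap would also help the next reader.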
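Review bot: in doc/generate_config_rst.py, dump_property, the widened condition `if has_subobjs(obj) or len(path) == 0:` has no comment explaining why top-level properties now always get their own section, and the hunk shows no matching change where that section is closed. start_section does `self._depth += 1`, so the corresponding end_section call needs the same condition, otherwise heading depth drifts after a top-level property without sub-objects. `not path` is the more idiomatic emptiness test, and `section_title` is only assigned inside the branch, so the `output.start_section(section_title)` call has to stay inside it as well.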
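Review bot: in doc/governance/gov_api_schemas/upgrading_from_classic.rst, the Classic cell now shows `/gov/kv/jwt/public_signing_keys` as a plain literal while `/gov/kv/jwt/issuers` directly above it keeps the `:http:GET:` role, so the two entries render differently and only one is still checked against the schema. If the role was dropped because the endpoint is no longer in gov_openapi.json, state that in the Notes cell of this row so readers migrating JWT key lookups know the classic path is gone rather than just unlinked.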
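Review bot: in doc/operations/operator_rpc_api.rst, the replacement `.. openapi:: ../schemas/node_openapi.json` line is still marked `\ No newline at end of file`; end the file with a newline while this line is being touched. The `:examples:` option is also removed here and from the other three `openapi` directives in this patch with no explanation visible in the diff, so a sentence in the change description saying why rendered examples are dropped would help reviewers confirm it is intentional.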
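Review bot: in doc/build_apps/install_bin.rst, the new label `.. _Install:` is very generic and nothing in this patch references it. Labels used with `:ref:` are global across the documentation, so a more specific name (for example `install_from_deb`, a suggested name only) avoids collisions, and the reference that needs the label should land in the same change.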
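Review bot: in js/ccf-app/typedoc.json, removing `"src/openenclave.ts"` from the entry list drops that module from the generated API documentation, but nothing in this patch removes the source file or marks it deprecated. If the module still ships, keep it documented or add a deprecation note; if it has been removed, delete it in the same change so the docs and the package contents stay in step.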