Merge Attestation-Service and KBS

.github/dependabot.yml

@@ -14,3 +14,8 @@ updates:
     schedule:
       interval: "weekly"
 
+  - package-ecosystem: "gomod"
+    directory: "/attestation-service/attestation-service/src/cgo" # Location of go.mod
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 1

.github/workflows/as-basic.yml

@@ -0,0 +1,89 @@
+name: attestation-service basic build and unit tests
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - 'attestation-service/**'
+      - '.github/workflows/as_basic.yml'
+      - 'Cargo.toml'
+  pull_request:
+    paths:
+      - 'attestation-service/**'
+      - '.github/workflows/as_basic.yml'
+      - 'Cargo.toml'
+  create:
+
+jobs:
+  basic_ci:
+    if: github.event_name == 'pull_request' || github.event_name == 'push'
+    name: Check
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        rust:
+          - stable
+    steps:
+      - name: Code checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Install OPA command line tool
+        run: |
+          curl -L -o opa https://openpolicyagent.org/downloads/v0.42.2/opa_linux_amd64_static
+          chmod 755 ./opa && cp opa /usr/local/bin
+
+      - name: OPA policy.rego fmt and check
+        run: |
+          opa fmt -d ./attestation-service/attestation-service/src/policy_engine/opa/default_policy.rego | awk '{ print } END { if (NR!=0) { print "run `opa fmt -w <path_to_rego>` to fix this"; exit 1 } }'
+          opa check ./attestation-service/attestation-service/src/policy_engine/opa/default_policy.rego
+
+      - name: Install protoc
+        run: |
+          sudo apt-get update && sudo apt-get install -y protobuf-compiler libprotobuf-dev
+
+      - name: Install TPM build dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libtss2-dev
+
+      - name: Install TDX build dependencies
+        run: |
+          sudo curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
+          sudo echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
+          sudo apt-get update
+          sudo apt-get install -y libsgx-dcap-quote-verify-dev
+
+      - name: Install Rust toolchain (${{ matrix.rust }})
+        uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: ${{ matrix.rust }}
+          override: true
+          components: rustfmt, clippy
+
+      - name: Build
+        working-directory: attestation-service
+        run: |
+          make
+
+      - name: Run cargo test
+        uses: actions-rs/cargo@v1
+        with:
+          command: test
+          args: -p attestation-service -p as-types -p grpc-as -p rvps -p rvps-client
+
+      - name: Run cargo fmt check
+        uses: actions-rs/cargo@v1
+        with:
+          command: fmt
+          args: -p attestation-service -p as-types -p grpc-as -p rvps -p rvps-client --check
+
+      - name: Run rust lint check
+        uses: actions-rs/cargo@v1
+        with:
+          command: clippy
+          # We are getting error in generated code due to derive_partial_eq_without_eq check, so ignore it for now
+          args: -p attestation-service -p as-types -p grpc-as -p rvps -p rvps-client -- -D warnings -A clippy::derive_partial_eq_without_eq

.github/workflows/as-dockerbuild.yml

@@ -0,0 +1,35 @@
+name: AS & RVPS Container image build test
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - 'attestation-service/**'
+      - '.github/workflows/as-dockerbuild.yml'
+      - 'Cargo.toml'
+  pull_request:
+    paths:
+      - 'attestation-service/**'
+      - '.github/workflows/as-dockerbuild.yml'
+      - 'Cargo.toml'
+  create:
+
+jobs:
+  basic_ci:
+    if: github.event_name == 'pull_request' || github.event_name == 'push'
+    name: Check
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+
+    steps:
+    - name: Code checkout
+      uses: actions/checkout@v4
+
+    - name: Build gRPC AS Container Image
+      run: |
+        DOCKER_BUILDKIT=1 docker build -t attestation-service:latest . -f attestation-service/Dockerfile.as
+
+    - name: Build RVPS Container Image
+      run: |
+        Docker_BUILDKIT=1 docker build -t rvps:latest . -f attestation-service/Dockerfile.rvps

.github/workflows/docker-build.yml → .github/workflows/kbs-docker-build.yml

@@ -12,8 +12,8 @@ jobs:
     - name: Code checkout
       uses: actions/checkout@v4
 
-    - name: Build Container Image
+    - name: Build KBS Container Image
       run: |
-        DOCKER_BUILDKIT=1 docker build -t kbs:coco-as . -f docker/Dockerfile; \
-        DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-openssl --build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa . -f docker/Dockerfile; \
-        DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-grpc . -f docker/Dockerfile.coco-as-grpc
+        DOCKER_BUILDKIT=1 docker build -t kbs:coco-as . -f kbs/docker/Dockerfile; \
+        DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-openssl --build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa . -f kbs/docker/Dockerfile; \
+        DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-grpc . -f kbs/docker/Dockerfile.coco-as-grpc

.github/workflows/e2e.yaml → .github/workflows/kbs-e2e.yaml

@@ -1,4 +1,4 @@
-name: e2e
+name: KBS e2e
 
 on:
   pull_request:
@@ -42,17 +42,17 @@ jobs:
         key: rust-${{ hashFiles('./Cargo.lock') }}
 
     - name: Install dependencies
-      working-directory: test
+      working-directory: kbs/test
       run: sudo make install-dependencies
 
     - name: Build bins
-      working-directory: test
+      working-directory: kbs/test
       run: make bins
 
     - name: Set cc_kbc sample attester env
       if: matrix.tee == 'sample'
       run: echo "AA_SAMPLE_ATTESTER_TEST=1" >> "$GITHUB_ENV"
 
     - name: Run e2e test
-      working-directory: test
+      working-directory: kbs/test
       run: sudo -E make e2e-test

.github/workflows/release.yaml → .github/workflows/kbs-release.yaml

@@ -1,4 +1,4 @@
-name: Cut Release
+name: Cut KBS Release
 
 on:
   release:
@@ -23,7 +23,7 @@ jobs:
         uses: docker/build-push-action@v4
         with:
           context: .
-          file: ./docker/Dockerfile
+          file: ./kbs/docker/Dockerfile
           platforms: linux/amd64
           push: true
           tags: ghcr.io/confidential-containers/key-broker-service:built-in-as-${{ github.ref_name }}
@@ -32,7 +32,7 @@ jobs:
         uses: docker/build-push-action@v4
         with:
           context: .
-          file: ./docker/Dockerfile.coco-as-grpc
+          file: ./kbs/docker/Dockerfile.coco-as-grpc
           platforms: linux/amd64
           push: true
           tags: ghcr.io/confidential-containers/key-broker-service:${{ github.ref_name }}, ghcr.io/confidential-containers/key-broker-service:latest

.github/workflows/rust.yml → .github/workflows/kbs-rust.yml

@@ -1,10 +1,18 @@
-name: rust tests
+name: kbs rust tests
 
 on:
   push:
-    branches: [ "main" ]
+    branches:
+      - "main"
+    paths:
+      - 'kbs/**'
+      - '.github/workflows/kbs-rust.yml'
+      - 'Cargo.toml'
   pull_request:
-    branches: [ "main" ]
+    paths:
+      - 'kbs/**'
+      - '.github/workflows/kbs-rust.yml'
+      - 'Cargo.toml'
 
 env:
   CARGO_TERM_COLOR: always
@@ -53,22 +61,29 @@ jobs:
         sudo apt-get install -y libtdx-attest-dev libsgx-dcap-quote-verify-dev
 
     - name: KBS Build [Default]
+      working-directory: kbs
       run: make
 
     - name: KBS Build [Built-in CoCo AS, OpenSSL]
+      working-directory: kbs
       run: make HTTPS_CRYPTO=openssl
 
     - name: KBS Build [gRPC CoCo AS, RustTLS]
+      working-directory: kbs
       run: make COCO_AS_INTEGRATE_TYPE=grpc
 
     - name: build KBS with amber AS mode
+      working-directory: kbs
       run: make AS_TYPE=amber-as
 
     - name: Lint
+      working-directory: kbs
       run: make lint
 
     - name: Format
+      working-directory: kbs
       run: make format
 
     - name: Test
+      working-directory: kbs
       run: make check

.github/workflows/link.yml

@@ -0,0 +1,28 @@
+name: check links
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  checklinks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Restore lychee cache
+        uses: actions/cache@v3
+        with:
+          path: .lycheecache
+          key: cache-lychee-${{ github.sha }}
+          restore-keys: cache-lychee-
+
+      - name: Check links
+        uses: lycheeverse/lychee-action@v1
+        with:
+          args: "--cache --max-cache-age 1d ."
+          fail: true

.github/workflows/release.yml

@@ -0,0 +1,38 @@
+name: Cut Attestation Service Release
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  build-and-push-images:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+      -
+        name: Build and push attestation-service
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ./attestation-service/Dockerfile.as
+          platforms: linux/amd64
+          push: true
+          tags: ghcr.io/confidential-containers/attestation-service:latest, ghcr.io/confidential-containers/attestation-service:${{ github.ref_name }}
+      -
+        name: Build and push reference-value-provider-service
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ./attestation-service/Dockerfile.rvps
+          platforms: linux/amd64
+          push: true
+          tags: ghcr.io/confidential-containers/reference-value-provider-service:latest, ghcr.io/confidential-containers/reference-value-provider-service:${{ github.ref_name }}

.gitignore

@@ -1,20 +1 @@
-# Generated by Cargo
-# will have compiled files and executables
-/target/
-
-# These are backup files generated by rustfmt
-**/*.rs.bk
-
-# Added by cargo
-
-/target
-
-data
-
-# test
-test/*
-!test/Makefile
-!test/data/
-
-config/private.key
-config/public.pub
+target

CODEOWNERS

@@ -1 +1,5 @@
-@kbs-maintainers
+# Global owner for changes not matched by more specific rules
+* @sameo
+
+/kbs/ @kbs-maintainers
+/attestation-service/ @attestation-service-maintainers