feat: fetches validator attestation type from measurments, removes flag

Author: fnerdman

cmd/proxy-client/main.go

@@ -25,11 +25,6 @@ var flags []cli.Flag = []cli.Flag{
 		Value: "https://localhost:80",
 		Usage: "address to proxy requests to",
 	},
-	&cli.StringFlag{
-		Name:  "server-attestation-type",
-		Value: string(proxy.AttestationAzureTDX),
-		Usage: "type of attestation to expect and verify (" + proxy.AvailableAttestationTypes + ")",
-	},
 	&cli.StringFlag{
 		Name:  "server-measurements",
 		Usage: "optional path to JSON measurements enforced on the server",
@@ -96,9 +91,9 @@ func runClient(cCtx *cli.Context) error {
 		Version: common.Version,
 	})
 
-	if cCtx.String("server-attestation-type") != "none" && verifyTLS {
-		log.Error("invalid combination of --verify-tls and --server-attestation-type passed (only 'none' is allowed)")
-		return errors.New("invalid combination of --verify-tls and --server-attestation-type passed (only 'none' is allowed)")
+	if serverMeasurements != nil && verifyTLS {
+		log.Error("invalid combination of --verify-tls and --server-measurements passed (cannot add server measurements and verify default TLS at the same time)")
+		return errors.New("invalid combination of --verify-tls and --server-measurements passed (cannot add server measurements and verify default TLS at the same time)")
 	}
 
 	// Auto-detect client attestation type if not specified
@@ -126,9 +121,9 @@ func runClient(cCtx *cli.Context) error {
 		return err
 	}
 
-	validators, err := proxy.CreateAttestationValidators(log, serverAttestationType, serverMeasurements)
+	validators, err = proxy.CreateAttestationValidatorsFromFile(log, serverMeasurements)
 	if err != nil {
-		log.Error("could not create attestation validators", "err", err)
+		log.Error("could not create attestation validators from file", "err", err)
 		return err
 	}
 

cmd/proxy-server/main.go

@@ -53,12 +53,6 @@ var flags []cli.Flag = []cli.Flag{
 		EnvVars: []string{"TLS_PRIVATE_KEY_PATH"},
 		Usage:   "Path to private key file for the certificate. Only valid with --tls-certificate-path",
 	},
-	&cli.StringFlag{
-		Name:    "client-attestation-type",
-		EnvVars: []string{"CLIENT_ATTESTATION_TYPE"},
-		Value:   string(proxy.AttestationNone),
-		Usage:   "type of attestation to expect and verify (" + proxy.AvailableAttestationTypes + ")",
-	},
 	&cli.StringFlag{
 		Name:    "client-measurements",
 		EnvVars: []string{"CLIENT_MEASUREMENTS"},
@@ -145,15 +139,9 @@ func runServer(cCtx *cli.Context) error {
 		}
 	}
 
-	clientAttestationType, err := proxy.ParseAttestationType(cCtx.String("client-attestation-type"))
-	if err != nil {
-		log.With("attestation-type", cCtx.String("client-attestation-type")).Error("invalid client-attestation-type passed, see --help")
-		return err
-	}
-
-	validators, err := proxy.CreateAttestationValidators(log, clientAttestationType, clientMeasurements)
+	validators, err = proxy.CreateAttestationValidatorsFromFile(log, clientMeasurements)
 	if err != nil {
-		log.Error("could not create attestation validators", "err", err)
+		log.Error("could not create attestation validators from file", "err", err)
 		return err
 	}
 

proxy/atls_config.go

@@ -75,8 +75,8 @@ func CreateAttestationIssuer(log *slog.Logger, attestationType AttestationType)
 	}
 }
 
-func CreateAttestationValidators(log *slog.Logger, attestationType AttestationType, jsonMeasurementsPath string) ([]atls.Validator, error) {
-	if attestationType == AttestationNone {
+func CreateAttestationValidatorsFromFile(log *slog.Logger, jsonMeasurementsPath string) ([]atls.Validator, error) {
+	if jsonMeasurementsPath == "" {
 		return nil, nil
 	}
 
@@ -91,26 +91,42 @@ func CreateAttestationValidators(log *slog.Logger, attestationType AttestationTy
 		return nil, err
 	}
 
-	switch attestationType {
-	case AttestationAzureTDX:
-		validators := []atls.Validator{}
-		for _, measurement := range parsedMeasurements {
+	// Group validators by attestation type
+	validatorsByType := make(map[AttestationType][]atls.Validator)
+
+	for _, measurement := range parsedMeasurements {
+		attestationType, err := ParseAttestationType(measurement.AttestationType)
+		if err != nil {
+			return nil, fmt.Errorf("invalid attestation type %s in measurements file", measurement.AttestationType)
+		}
+
+		switch attestationType {
+		case AttestationAzureTDX:
 			attConfig := config.DefaultForAzureTDX()
 			attConfig.SetMeasurements(measurement.Measurements)
-			validators = append(validators, azure_tdx.NewValidator(attConfig, AttestationLogger{Log: log}))
-		}
-		return []atls.Validator{NewMultiValidator(validators)}, nil
-	case AttestationDCAPTDX:
-		validators := []atls.Validator{}
-		for _, measurement := range parsedMeasurements {
+			validatorsByType[attestationType] = append(
+				validatorsByType[attestationType],
+				azure_tdx.NewValidator(attConfig, AttestationLogger{Log: log}),
+			)
+		case AttestationDCAPTDX:
 			attConfig := &config.QEMUTDX{Measurements: measurements.DefaultsFor(cloudprovider.QEMU, variant.QEMUTDX{})}
 			attConfig.SetMeasurements(measurement.Measurements)
-			validators = append(validators, dcap_tdx.NewValidator(attConfig, AttestationLogger{Log: log}))
+			validatorsByType[attestationType] = append(
+				validatorsByType[attestationType],
+				dcap_tdx.NewValidator(attConfig, AttestationLogger{Log: log}),
+			)
+		default:
+			return nil, fmt.Errorf("unsupported attestation type %s in measurements file", measurement.AttestationType)
 		}
-		return []atls.Validator{NewMultiValidator(validators)}, nil
-	default:
-		return nil, errors.New("invalid attestation-type passed in")
 	}
+
+	// Create a MultiValidator for each attestation type
+	var validators []atls.Validator
+		for _, typeValidators := range validatorsByType {
+		validators = append(validators, NewMultiValidator(typeValidators))
+	}
+
+	return validators, nil
 }
 
 func ExtractMeasurementsFromExtension(ext *pkix.Extension, v variant.Variant) (map[uint32][]byte, error) {