diff --git a/launcher/agent/agent.go b/launcher/agent/agent.go
index 4f02f531..72a2360b 100644
--- a/launcher/agent/agent.go
+++ b/launcher/agent/agent.go
@@ -44,9 +44,7 @@ type agent struct {
 // attestation using the machine's (v)TPM to GCE's Attestation Service.
 // - tpm is a handle to the TPM on the instance
 // - akFetcher is a func to fetch an attestation key: see go-tpm-tools/client.
-// - conn is a client connection to the attestation service, typically created
-//
-// `grpc.Dial`. It is the client's responsibility to close the connection.
+// - principalFetcher is a func to fetch GCE principal tokens for a given audience.
 func CreateAttestationAgent(tpm io.ReadWriteCloser, akFetcher tpmKeyFetcher, verifierClient verifier.Client, principalFetcher principalIDTokenFetcher) AttestationAgent {
 	return &agent{
 		tpm: tpm,
diff --git a/launcher/container_runner.go b/launcher/container_runner.go
index f5f71236..a1c2d2b3 100644
--- a/launcher/container_runner.go
+++ b/launcher/container_runner.go
@@ -10,7 +10,6 @@ import (
 	"net/url"
 	"os"
 	"path"
-	"strings"
 	"time"
 
 	"cloud.google.com/go/compute/metadata"
@@ -25,7 +24,6 @@ import (
 	"github.com/google/go-tpm-tools/launcher/agent"
 	"github.com/google/go-tpm-tools/launcher/spec"
 	"github.com/google/go-tpm-tools/launcher/verifier"
-	"github.com/google/go-tpm-tools/launcher/verifier/grpcclient"
 	"github.com/google/go-tpm-tools/launcher/verifier/rest"
 	v1 "github.com/opencontainers/image-spec/specs-go/v1"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
@@ -33,15 +31,12 @@ import (
 	"golang.org/x/oauth2/google"
 	"google.golang.org/api/impersonate"
 	"google.golang.org/api/option"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials/insecure"
 )
 
 // ContainerRunner contains information about the container settings
 type ContainerRunner struct {
 	container containerd.Container
 	launchSpec spec.LaunchSpec
-	attestConn *grpc.ClientConn
 	attestAgent agent.AttestationAgent
 	logger *log.Logger
 }
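Review bot: The rewritten parameter list on CreateAttestationAgent still skips `verifierClient`, so the doc comment now describes three of the four arguments; add `// - verifierClient is the verifier.Client used to reach the attestation verifier service.` ahead of the new principalFetcher bullet. The removed text also carried a lifecycle rule ("It is the client's responsibility to close the connection"); if the REST-based verifier.Client holds anything a caller must release, that belongs on the new bullet rather than being dropped silently — the REST client itself is not visible from this hunk, so this may be a non-issue. The container_runner.go hunks on this line are import and struct-field removals that follow from the gRPC path going away and need nothing further.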
@@ -196,40 +191,19 @@ func NewRunner(ctx context.Context, cdClient *containerd.Client, token oauth2.To } asAddr := launchSpec.AttestationServiceAddr - var verifierClient verifier.Client - var conn *grpc.ClientConn - // Temporary support for both gRPC and REST-based attestation verifier. - // Use REST when empty flag or the presence of http in the addr, else gRPC. - // TODO: remove once fully migrated to the REST-based verifier. - if asAddr == "" || strings.Contains(asAddr, "http") { - verifierClient, err = getRESTClient(ctx, asAddr, launchSpec) - } else { - verifierClient, conn, err = getGRPCClient(asAddr, logger) - } + verifierClient, err := getRESTClient(ctx, asAddr, launchSpec) if err != nil { - return nil, fmt.Errorf("failed to create verifier client: %v", err) + return nil, fmt.Errorf("failed to create REST verifier client: %v", err) } return &ContainerRunner{ container, launchSpec, - conn, agent.CreateAttestationAgent(tpm, client.GceAttestationKeyECC, verifierClient, principalFetcher), logger, }, nil } -// getGRPCClient returns a gRPC verifier.Client pointing to the given address. -// It also returns a grpc.ClientConn for closing out the connection. -func getGRPCClient(asAddr string, logger *log.Logger) (verifier.Client, *grpc.ClientConn, error) { - opt := grpc.WithTransportCredentials(insecure.NewCredentials()) - conn, err := grpc.Dial(asAddr, opt) - if err != nil { - return nil, nil, fmt.Errorf("failed to open connection to gRPC attestation service: %v", err) - } - return grpcclient.NewClient(conn, logger), conn, nil -} - // getRESTClient returns a REST verifier.Client that points to the given address. // It defaults to the Attestation Verifier instance at // https://confidentialcomputing.googleapis.com. 
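Review bot: Nothing on the new `verifierClient, err := getRESTClient(ctx, asAddr, launchSpec)` line constrains the scheme of `asAddr`: dropping the `insecure.NewCredentials()` gRPC branch removes one plaintext transport, but the removed selector accepted any address containing `http`, and the REST client now receives every non-empty address, including the bare host:port form that previously selected gRPC, with getRESTClient's handling of such values outside this hunk. Since the verifier receives the TPM attestation and (presumably, as the gRPC VerifyRequest did) the principal ID tokens, and returns the claims token downstream code trusts, an `http://` or scheme-less endpoint would expose bearer credentials and let an unauthenticated host mint claims, so I would reject it before building the client: `if asAddr != "" && !strings.HasPrefix(asAddr, "https://") {` / `return nil, fmt.Errorf("attestation service address %q must use https", asAddr)` / `}` (this needs the `strings` import the commit just removed). Separately, the new error would be more useful as `fmt.Errorf("creating REST verifier client: %w", err)` so callers can use `errors.Is`/`errors.As` on it. NewRunner's body begins before this hunk, so whether `err` is already declared in the same scope (making `:=` an assignment rather than a shadow) cannot be confirmed here.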
@@ -502,7 +476,4 @@ func (r *ContainerRunner) Close(ctx context.Context) {
 	// Exit gracefully:
 	// Delete container and close connection to attestation service.
 	r.container.Delete(ctx, containerd.WithSnapshotCleanup)
-	if r.attestConn != nil {
-		r.attestConn.Close()
-	}
 }
diff --git a/launcher/verifier/grpcclient/grpc_client.go b/launcher/verifier/grpcclient/grpc_client.go
deleted file mode 100644
index ebda0784..00000000
--- a/launcher/verifier/grpcclient/grpc_client.go
+++ /dev/null
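Review bot: The context comment `// Delete container and close connection to attestation service.` is now stale, because with the `attestConn` block removed Close no longer closes anything; change it to `// Delete the container and clean up its snapshot.` to match the `containerd.WithSnapshotCleanup` option it passes. While here, `r.container.Delete` discards its error, so a failed cleanup during shutdown leaves no trace; `if err := r.container.Delete(ctx, containerd.WithSnapshotCleanup); err != nil { r.logger.Printf("failed to delete container: %v", err) }` keeps the exit graceful but records the failure. Close's signature appears only in the hunk header; its body is fully shown here.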
@@ -1,74 +0,0 @@ -// Package grpcclient contains the verifier.Client implementation for a gRPC -// attestation verifier. -package grpcclient - -import ( - "context" - "errors" - "fmt" - "log" - - "github.com/google/go-tpm-tools/launcher/verifier" - servpb "github.com/google/go-tpm-tools/launcher/verifier/grpcclient/proto/attestation_verifier/v0" - "google.golang.org/grpc" -) - -type grpcClient struct { - pbClient servpb.AttestationVerifierClient - logger *log.Logger -} - -// NewClient returns a verifier.Client which connects to the prototype service -// via gRPC. Its gRPC definition is at: -// github.com/google/go-tpm-tools/launcher/verifier/grpcclient/proto/attestation_verifier/v0. -func NewClient(conn *grpc.ClientConn, logger *log.Logger) verifier.Client { - return &grpcClient{ - pbClient: servpb.NewAttestationVerifierClient(conn), - logger: logger, - } -} - -// CreateChallenge returns a Challenge. This challenge contains an audience -// used when generating the optional GcpCredentials, a nonce for TPM2_Quote, -// and a service-specific connection ID used when calling Verify. -func (c *grpcClient) CreateChallenge(ctx context.Context) (*verifier.Challenge, error) { - params, err := c.pbClient.GetParams(ctx, &servpb.GetParamsRequest{}) - c.logger.Println("Calling gRPC attestation verifier GetParams") - if err != nil { - return nil, fmt.Errorf("failed GetParams call: %v", err) - } - c.logger.Println(params.String()) - - return &verifier.Challenge{ - Name: params.GetAudience(), - Nonce: params.GetNonce(), - ConnID: params.GetConnId(), - }, nil -} - -// VerifyAttestation verifies an attestation generated using the challenge. -// The verifier expects the optional GcpCredentials to have an audience -// with the Challenge.Name and the attestation quote to use the Challenge.Nonce. -// VerifyAttestation also uses the Challenge.connId to reference the original -// connection ID of CreateChallenge. 
-func (c *grpcClient) VerifyAttestation(ctx context.Context, request verifier.VerifyAttestationRequest) (*verifier.VerifyAttestationResponse, error) { - if request.Challenge == nil { - return nil, errors.New("failed VerifyAttestation: VerifyAttestationRequest did not contain Challenge") - } - if request.Attestation == nil { - return nil, errors.New("failed VerifyAttestation: VerifyAttestationRequest did not contain Attestation") - } - req := &servpb.VerifyRequest{ - ConnId: request.Challenge.ConnID, - Attestation: request.Attestation, - PrincipalIdTokens: request.GcpCredentials, - } - c.logger.Println("Calling gRPC attestation verifier Verify") - resp, err := c.pbClient.Verify(ctx, req) - if err != nil { - return nil, fmt.Errorf("failed Verify call: %v", err) - } - return &verifier.VerifyAttestationResponse{ - ClaimsToken: resp.GetClaimsToken(), - }, nil -} diff --git a/launcher/verifier/grpcclient/proto/attestation_verifier/v0/service.pb.go b/launcher/verifier/grpcclient/proto/attestation_verifier/v0/service.pb.go deleted file mode 100644 index 87d63b03..00000000 --- a/launcher/verifier/grpcclient/proto/attestation_verifier/v0/service.pb.go +++ /dev/null 
@@ -1,422 +0,0 @@ -// Copyright 2021 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.28.0 -// protoc v3.12.4 -// source: service.proto - -package v0 - -import ( - attest "github.com/google/go-tpm-tools/proto/attest" - _ "google.golang.org/genproto/googleapis/api/annotations" - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - reflect "reflect" - sync "sync" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. 
- _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -type GetParamsRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields -} - -func (x *GetParamsRequest) Reset() { - *x = GetParamsRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_service_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *GetParamsRequest) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*GetParamsRequest) ProtoMessage() {} - -func (x *GetParamsRequest) ProtoReflect() protoreflect.Message { - mi := &file_service_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use GetParamsRequest.ProtoReflect.Descriptor instead. -func (*GetParamsRequest) Descriptor() ([]byte, []int) { - return file_service_proto_rawDescGZIP(), []int{0} -} - -type GetParamsResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Connection ID to be used with a subsequent VerifyRequest. Required. - ConnId string `protobuf:"bytes,1,opt,name=conn_id,json=connId,proto3" json:"conn_id,omitempty"` - // Nonce that should be used when generating the attestation sent with a - // VerifyRequest. Required. - Nonce []byte `protobuf:"bytes,2,opt,name=nonce,proto3" json:"nonce,omitempty"` - // Audience that should be used when generating Service Account ID Tokens sent - // with a subsequent VerifyRequest. Required. 
- // - // Format: https://www.googleapis.com/attestation_verifier/v0/conn_id/12345 - Audience string `protobuf:"bytes,3,opt,name=audience,proto3" json:"audience,omitempty"` -} - -func (x *GetParamsResponse) Reset() { - *x = GetParamsResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_service_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *GetParamsResponse) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*GetParamsResponse) ProtoMessage() {} - -func (x *GetParamsResponse) ProtoReflect() protoreflect.Message { - mi := &file_service_proto_msgTypes[1] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use GetParamsResponse.ProtoReflect.Descriptor instead. -func (*GetParamsResponse) Descriptor() ([]byte, []int) { - return file_service_proto_rawDescGZIP(), []int{1} -} - -func (x *GetParamsResponse) GetConnId() string { - if x != nil { - return x.ConnId - } - return "" -} - -func (x *GetParamsResponse) GetNonce() []byte { - if x != nil { - return x.Nonce - } - return nil -} - -func (x *GetParamsResponse) GetAudience() string { - if x != nil { - return x.Audience - } - return "" -} - -type VerifyRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Connection ID from a previous GetParamsResponse. Required. - ConnId string `protobuf:"bytes,1,opt,name=conn_id,json=connId,proto3" json:"conn_id,omitempty"` - // go-tpm-tools attestation that will be verified by the server, which must - // use the nonce received in a previous GetParamsResponse. Required. - Attestation *attest.Attestation `protobuf:"bytes,2,opt,name=attestation,proto3" json:"attestation,omitempty"` - // The Google ID Token for the principal running in the VM. 
Generated from the - // Metadata Server with the requested `audience`. Optional. - PrincipalIdTokens [][]byte `protobuf:"bytes,3,rep,name=principal_id_tokens,json=principalIdTokens,proto3" json:"principal_id_tokens,omitempty"` -} - -func (x *VerifyRequest) Reset() { - *x = VerifyRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_service_proto_msgTypes[2] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *VerifyRequest) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*VerifyRequest) ProtoMessage() {} - -func (x *VerifyRequest) ProtoReflect() protoreflect.Message { - mi := &file_service_proto_msgTypes[2] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use VerifyRequest.ProtoReflect.Descriptor instead. -func (*VerifyRequest) Descriptor() ([]byte, []int) { - return file_service_proto_rawDescGZIP(), []int{2} -} - -func (x *VerifyRequest) GetConnId() string { - if x != nil { - return x.ConnId - } - return "" -} - -func (x *VerifyRequest) GetAttestation() *attest.Attestation { - if x != nil { - return x.Attestation - } - return nil -} - -func (x *VerifyRequest) GetPrincipalIdTokens() [][]byte { - if x != nil { - return x.PrincipalIdTokens - } - return nil -} - -type VerifyResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // OIDC ID token containing the claims created by the server. Required. 
- ClaimsToken []byte `protobuf:"bytes,1,opt,name=claims_token,json=claimsToken,proto3" json:"claims_token,omitempty"` -} - -func (x *VerifyResponse) Reset() { - *x = VerifyResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_service_proto_msgTypes[3] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *VerifyResponse) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*VerifyResponse) ProtoMessage() {} - -func (x *VerifyResponse) ProtoReflect() protoreflect.Message { - mi := &file_service_proto_msgTypes[3] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use VerifyResponse.ProtoReflect.Descriptor instead. -func (*VerifyResponse) Descriptor() ([]byte, []int) { - return file_service_proto_rawDescGZIP(), []int{3} -} - -func (x *VerifyResponse) GetClaimsToken() []byte { - if x != nil { - return x.ClaimsToken - } - return nil -} - -var File_service_proto protoreflect.FileDescriptor - -var file_service_proto_rawDesc = []byte{ - 0x0a, 0x0d, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, - 0x17, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x65, 0x72, - 0x69, 0x66, 0x69, 0x65, 0x72, 0x2e, 0x76, 0x30, 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x0c, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x12, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, - 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x5e, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x50, - 0x61, 0x72, 0x61, 0x6d, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x17, 0x0a, - 0x07, 0x63, 0x6f, 0x6e, 0x6e, 
0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, - 0x63, 0x6f, 0x6e, 0x6e, 0x49, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x12, 0x1a, 0x0a, 0x08, - 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, - 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x8f, 0x01, 0x0a, 0x0d, 0x56, 0x65, 0x72, - 0x69, 0x66, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x17, 0x0a, 0x07, 0x63, 0x6f, - 0x6e, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x63, 0x6f, 0x6e, - 0x6e, 0x49, 0x64, 0x12, 0x35, 0x0a, 0x0b, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x61, 0x74, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0b, 0x61, - 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2e, 0x0a, 0x13, 0x70, 0x72, - 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, - 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x11, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, - 0x61, 0x6c, 0x49, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x22, 0x33, 0x0a, 0x0e, 0x56, 0x65, - 0x72, 0x69, 0x66, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x21, 0x0a, 0x0c, - 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0c, 0x52, 0x0b, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x32, - 0x85, 0x02, 0x0a, 0x13, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, - 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x7c, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x50, 0x61, - 0x72, 0x61, 0x6d, 0x73, 0x12, 0x29, 0x2e, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x72, 
0x2e, 0x76, 0x30, 0x2e, 0x47, - 0x65, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x2a, 0x2e, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x65, - 0x72, 0x69, 0x66, 0x69, 0x65, 0x72, 0x2e, 0x76, 0x30, 0x2e, 0x47, 0x65, 0x74, 0x50, 0x61, 0x72, - 0x61, 0x6d, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x18, 0x82, 0xd3, 0xe4, - 0x93, 0x02, 0x12, 0x22, 0x0d, 0x2f, 0x76, 0x30, 0x2f, 0x67, 0x65, 0x74, 0x50, 0x61, 0x72, 0x61, - 0x6d, 0x73, 0x3a, 0x01, 0x2a, 0x12, 0x70, 0x0a, 0x06, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x12, - 0x26, 0x2e, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x65, - 0x72, 0x69, 0x66, 0x69, 0x65, 0x72, 0x2e, 0x76, 0x30, 0x2e, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x27, 0x2e, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x72, 0x2e, 0x76, - 0x30, 0x2e, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x22, 0x15, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x0f, 0x22, 0x0a, 0x2f, 0x76, 0x30, 0x2f, 0x76, 0x65, - 0x72, 0x69, 0x66, 0x79, 0x3a, 0x01, 0x2a, 0x42, 0x59, 0x5a, 0x57, 0x67, 0x69, 0x74, 0x68, 0x75, - 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x67, 0x6f, 0x2d, - 0x74, 0x70, 0x6d, 0x2d, 0x74, 0x6f, 0x6f, 0x6c, 0x73, 0x2f, 0x6c, 0x61, 0x75, 0x6e, 0x63, 0x68, - 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x76, 0x65, 0x72, 0x69, - 0x66, 0x69, 0x65, 0x72, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x61, 0x74, 0x74, 0x65, 0x73, - 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x72, 0x2f, - 0x76, 0x30, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} - -var ( - file_service_proto_rawDescOnce sync.Once - file_service_proto_rawDescData = file_service_proto_rawDesc -) - -func 
file_service_proto_rawDescGZIP() []byte { - file_service_proto_rawDescOnce.Do(func() { - file_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_service_proto_rawDescData) - }) - return file_service_proto_rawDescData -} - -var file_service_proto_msgTypes = make([]protoimpl.MessageInfo, 4) -var file_service_proto_goTypes = []interface{}{ - (*GetParamsRequest)(nil), // 0: attestation_verifier.v0.GetParamsRequest - (*GetParamsResponse)(nil), // 1: attestation_verifier.v0.GetParamsResponse - (*VerifyRequest)(nil), // 2: attestation_verifier.v0.VerifyRequest - (*VerifyResponse)(nil), // 3: attestation_verifier.v0.VerifyResponse - (*attest.Attestation)(nil), // 4: attest.Attestation -} -var file_service_proto_depIdxs = []int32{ - 4, // 0: attestation_verifier.v0.VerifyRequest.attestation:type_name -> attest.Attestation - 0, // 1: attestation_verifier.v0.AttestationVerifier.GetParams:input_type -> attestation_verifier.v0.GetParamsRequest - 2, // 2: attestation_verifier.v0.AttestationVerifier.Verify:input_type -> attestation_verifier.v0.VerifyRequest - 1, // 3: attestation_verifier.v0.AttestationVerifier.GetParams:output_type -> attestation_verifier.v0.GetParamsResponse - 3, // 4: attestation_verifier.v0.AttestationVerifier.Verify:output_type -> attestation_verifier.v0.VerifyResponse - 3, // [3:5] is the sub-list for method output_type - 1, // [1:3] is the sub-list for method input_type - 1, // [1:1] is the sub-list for extension type_name - 1, // [1:1] is the sub-list for extension extendee - 0, // [0:1] is the sub-list for field type_name -} - -func init() { file_service_proto_init() } -func file_service_proto_init() { - if File_service_proto != nil { - return - } - if !protoimpl.UnsafeEnabled { - file_service_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*GetParamsRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - 
file_service_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*GetParamsResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_service_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*VerifyRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_service_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*VerifyResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_service_proto_rawDesc, - NumEnums: 0, - NumMessages: 4, - NumExtensions: 0, - NumServices: 1, - }, - GoTypes: file_service_proto_goTypes, - DependencyIndexes: file_service_proto_depIdxs, - MessageInfos: file_service_proto_msgTypes, - }.Build() - File_service_proto = out.File - file_service_proto_rawDesc = nil - file_service_proto_goTypes = nil - file_service_proto_depIdxs = nil -} diff --git a/launcher/verifier/grpcclient/proto/attestation_verifier/v0/service_grpc.pb.go b/launcher/verifier/grpcclient/proto/attestation_verifier/v0/service_grpc.pb.go deleted file mode 100644 index 564f5576..00000000 --- a/launcher/verifier/grpcclient/proto/attestation_verifier/v0/service_grpc.pb.go +++ /dev/null 
@@ -1,143 +0,0 @@ -// Code generated by protoc-gen-go-grpc. DO NOT EDIT. -// versions: -// - protoc-gen-go-grpc v1.2.0 -// - protoc v3.12.4 -// source: service.proto - -package v0 - -import ( - context "context" - grpc "google.golang.org/grpc" - codes "google.golang.org/grpc/codes" - status "google.golang.org/grpc/status" -) - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the grpc package it is being compiled against. -// Requires gRPC-Go v1.32.0 or later. -const _ = grpc.SupportPackageIsVersion7 - -// AttestationVerifierClient is the client API for AttestationVerifier service. -// -// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. -type AttestationVerifierClient interface { - // Endpoint to request attestation parameters (including nonce and audience). - GetParams(ctx context.Context, in *GetParamsRequest, opts ...grpc.CallOption) (*GetParamsResponse, error) - // Endpoint to verify the attestation and return an OIDC/JWT token. - Verify(ctx context.Context, in *VerifyRequest, opts ...grpc.CallOption) (*VerifyResponse, error) -} - -type attestationVerifierClient struct { - cc grpc.ClientConnInterface -} - -func NewAttestationVerifierClient(cc grpc.ClientConnInterface) AttestationVerifierClient { - return &attestationVerifierClient{cc} -} - -func (c *attestationVerifierClient) GetParams(ctx context.Context, in *GetParamsRequest, opts ...grpc.CallOption) (*GetParamsResponse, error) { - out := new(GetParamsResponse) - err := c.cc.Invoke(ctx, "/attestation_verifier.v0.AttestationVerifier/GetParams", in, out, opts...) 
- if err != nil { - return nil, err - } - return out, nil -} - -func (c *attestationVerifierClient) Verify(ctx context.Context, in *VerifyRequest, opts ...grpc.CallOption) (*VerifyResponse, error) { - out := new(VerifyResponse) - err := c.cc.Invoke(ctx, "/attestation_verifier.v0.AttestationVerifier/Verify", in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - -// AttestationVerifierServer is the server API for AttestationVerifier service. -// All implementations should embed UnimplementedAttestationVerifierServer -// for forward compatibility -type AttestationVerifierServer interface { - // Endpoint to request attestation parameters (including nonce and audience). - GetParams(context.Context, *GetParamsRequest) (*GetParamsResponse, error) - // Endpoint to verify the attestation and return an OIDC/JWT token. - Verify(context.Context, *VerifyRequest) (*VerifyResponse, error) -} - -// UnimplementedAttestationVerifierServer should be embedded to have forward compatible implementations. -type UnimplementedAttestationVerifierServer struct { -} - -func (UnimplementedAttestationVerifierServer) GetParams(context.Context, *GetParamsRequest) (*GetParamsResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method GetParams not implemented") -} -func (UnimplementedAttestationVerifierServer) Verify(context.Context, *VerifyRequest) (*VerifyResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method Verify not implemented") -} - -// UnsafeAttestationVerifierServer may be embedded to opt out of forward compatibility for this service. -// Use of this interface is not recommended, as added methods to AttestationVerifierServer will -// result in compilation errors. 
-type UnsafeAttestationVerifierServer interface { - mustEmbedUnimplementedAttestationVerifierServer() -} - -func RegisterAttestationVerifierServer(s grpc.ServiceRegistrar, srv AttestationVerifierServer) { - s.RegisterService(&AttestationVerifier_ServiceDesc, srv) -} - -func _AttestationVerifier_GetParams_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(GetParamsRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(AttestationVerifierServer).GetParams(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: "/attestation_verifier.v0.AttestationVerifier/GetParams", - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(AttestationVerifierServer).GetParams(ctx, req.(*GetParamsRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _AttestationVerifier_Verify_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(VerifyRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(AttestationVerifierServer).Verify(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: "/attestation_verifier.v0.AttestationVerifier/Verify", - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(AttestationVerifierServer).Verify(ctx, req.(*VerifyRequest)) - } - return interceptor(ctx, in, info, handler) -} - -// AttestationVerifier_ServiceDesc is the grpc.ServiceDesc for AttestationVerifier service. 
-// It's only intended for direct use with grpc.RegisterService, -// and not to be introspected or modified (even as a copy) -var AttestationVerifier_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "attestation_verifier.v0.AttestationVerifier", - HandlerType: (*AttestationVerifierServer)(nil), - Methods: []grpc.MethodDesc{ - { - MethodName: "GetParams", - Handler: _AttestationVerifier_GetParams_Handler, - }, - { - MethodName: "Verify", - Handler: _AttestationVerifier_Verify_Handler, - }, - }, - Streams: []grpc.StreamDesc{}, - Metadata: "service.proto", -} diff --git a/launcher/verifier/grpcclient/proto/doc.go b/launcher/verifier/grpcclient/proto/doc.go deleted file mode 100644 index d7437959..00000000 --- a/launcher/verifier/grpcclient/proto/doc.go +++ /dev/null 
@@ -1,39 +0,0 @@ -// Package proto contains protocol buffers for the attestation. -// -// # Generating Protocol Buffer Code -// -// Anytime the Protocol Buffer definitions change, the generated Go code must be -// regenerated. This can be done with "go generate". Just run: -// -// go generate ./... -// -// in the ./launcher directory. Or if using Go 1.18 or later, you can just run -// -// go generate ./launcher/... -// -// in the root directory. -// -// Upstream documentation: -// https://developers.google.com/protocol-buffers/docs/reference/go-generated -// -// # Code Generation Dependencies -// -// google/api/annotations.proto is copied from -// https://github.com/googleapis/googleapis/blob/master/google/api/annotations.proto -// -// google/api/http.proto is copied from -// https://github.com/googleapis/googleapis/blob/master/google/api/http.proto -// -// To generate the Go code, your system must have "protoc" installed. See: -// https://github.com/protocolbuffers/protobuf#protocol-compiler-installation -// -// The "protoc-gen-go" tool must also be installed. To install it, run: -// -// go install google.golang.org/protobuf/cmd/protoc-gen-go -// -// Then, install "protoc-gen-go-grpc" plugin, run: -// -// go install google.golang.org/grpc/cmd/protoc-gen-go-grpc -package proto - -//go:generate protoc -I=../../../../proto -I=. --go_out=. --go-grpc_out=require_unimplemented_servers=false,module=github.com/google/go-tpm-tools/launcher/internal/verifier/proto:. --go_opt=module=github.com/google/go-tpm-tools/launcher/internal/verifier/proto service.proto diff --git a/launcher/verifier/grpcclient/proto/google/api/annotations.proto b/launcher/verifier/grpcclient/proto/google/api/annotations.proto deleted file mode 100644 index d11b0413..00000000 --- a/launcher/verifier/grpcclient/proto/google/api/annotations.proto +++ /dev/null 
@@ -1,33 +0,0 @@ - - -// Copyright 2015 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -syntax = "proto3"; - -package google.api; - -import "google/api/http.proto"; -import "google/protobuf/descriptor.proto"; - -option go_package = "google.golang.org/genproto/googleapis/api/annotations;annotations"; -option java_multiple_files = true; -option java_outer_classname = "AnnotationsProto"; -option java_package = "com.google.api"; -option objc_class_prefix = "GAPI"; - -extend google.protobuf.MethodOptions { - // See `HttpRule`. - HttpRule http = 72295728; -} \ No newline at end of file diff --git a/launcher/verifier/grpcclient/proto/google/api/http.proto b/launcher/verifier/grpcclient/proto/google/api/http.proto deleted file mode 100644 index 7d0b228c..00000000 --- a/launcher/verifier/grpcclient/proto/google/api/http.proto +++ /dev/null 
@@ -1,375 +0,0 @@ -// Copyright 2015 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -syntax = "proto3"; - -package google.api; - -option cc_enable_arenas = true; -option go_package = "google.golang.org/genproto/googleapis/api/annotations;annotations"; -option java_multiple_files = true; -option java_outer_classname = "HttpProto"; -option java_package = "com.google.api"; -option objc_class_prefix = "GAPI"; - -// Defines the HTTP configuration for an API service. It contains a list of -// [HttpRule][google.api.HttpRule], each specifying the mapping of an RPC method -// to one or more HTTP REST API methods. -message Http { - // A list of HTTP configuration rules that apply to individual API methods. - // - // **NOTE:** All service configuration rules follow "last one wins" order. - repeated HttpRule rules = 1; - - // When set to true, URL path parameters will be fully URI-decoded except in - // cases of single segment matches in reserved expansion, where "%2F" will be - // left encoded. - // - // The default behavior is to not decode RFC 6570 reserved characters in multi - // segment matches. - bool fully_decode_reserved_expansion = 2; -} - -// # gRPC Transcoding -// -// gRPC Transcoding is a feature for mapping between a gRPC method and one or -// more HTTP REST endpoints. It allows developers to build a single API service -// that supports both gRPC APIs and REST APIs. 
Many systems, including [Google -// APIs](https://github.com/googleapis/googleapis), -// [Cloud Endpoints](https://cloud.google.com/endpoints), [gRPC -// Gateway](https://github.com/grpc-ecosystem/grpc-gateway), -// and [Envoy](https://github.com/envoyproxy/envoy) proxy support this feature -// and use it for large scale production services. -// -// `HttpRule` defines the schema of the gRPC/REST mapping. The mapping specifies -// how different portions of the gRPC request message are mapped to the URL -// path, URL query parameters, and HTTP request body. It also controls how the -// gRPC response message is mapped to the HTTP response body. `HttpRule` is -// typically specified as an `google.api.http` annotation on the gRPC method. -// -// Each mapping specifies a URL path template and an HTTP method. The path -// template may refer to one or more fields in the gRPC request message, as long -// as each field is a non-repeated field with a primitive (non-message) type. -// The path template controls how fields of the request message are mapped to -// the URL path. -// -// Example: -// -// service Messaging { -// rpc GetMessage(GetMessageRequest) returns (Message) { -// option (google.api.http) = { -// get: "/v1/{name=messages/*}" -// }; -// } -// } -// message GetMessageRequest { -// string name = 1; // Mapped to URL path. -// } -// message Message { -// string text = 1; // The resource content. -// } -// -// This enables an HTTP REST to gRPC mapping as below: -// -// HTTP | gRPC -// -----|----- -// `GET /v1/messages/123456` | `GetMessage(name: "messages/123456")` -// -// Any fields in the request message which are not bound by the path template -// automatically become HTTP query parameters if there is no HTTP request body. 
-// For example: -// -// service Messaging { -// rpc GetMessage(GetMessageRequest) returns (Message) { -// option (google.api.http) = { -// get:"/v1/messages/{message_id}" -// }; -// } -// } -// message GetMessageRequest { -// message SubMessage { -// string subfield = 1; -// } -// string message_id = 1; // Mapped to URL path. -// int64 revision = 2; // Mapped to URL query parameter `revision`. -// SubMessage sub = 3; // Mapped to URL query parameter `sub.subfield`. -// } -// -// This enables a HTTP JSON to RPC mapping as below: -// -// HTTP | gRPC -// -----|----- -// `GET /v1/messages/123456?revision=2&sub.subfield=foo` | -// `GetMessage(message_id: "123456" revision: 2 sub: SubMessage(subfield: -// "foo"))` -// -// Note that fields which are mapped to URL query parameters must have a -// primitive type or a repeated primitive type or a non-repeated message type. -// In the case of a repeated type, the parameter can be repeated in the URL -// as `...?param=A¶m=B`. In the case of a message type, each field of the -// message is mapped to a separate parameter, such as -// `...?foo.a=A&foo.b=B&foo.c=C`. -// -// For HTTP methods that allow a request body, the `body` field -// specifies the mapping. Consider a REST update method on the -// message resource collection: -// -// service Messaging { -// rpc UpdateMessage(UpdateMessageRequest) returns (Message) { -// option (google.api.http) = { -// patch: "/v1/messages/{message_id}" -// body: "message" -// }; -// } -// } -// message UpdateMessageRequest { -// string message_id = 1; // mapped to the URL -// Message message = 2; // mapped to the body -// } -// -// The following HTTP JSON to RPC mapping is enabled, where the -// representation of the JSON in the request body is determined by -// protos JSON encoding: -// -// HTTP | gRPC -// -----|----- -// `PATCH /v1/messages/123456 { "text": "Hi!" }` | `UpdateMessage(message_id: -// "123456" message { text: "Hi!" 
})` -// -// The special name `*` can be used in the body mapping to define that -// every field not bound by the path template should be mapped to the -// request body. This enables the following alternative definition of -// the update method: -// -// service Messaging { -// rpc UpdateMessage(Message) returns (Message) { -// option (google.api.http) = { -// patch: "/v1/messages/{message_id}" -// body: "*" -// }; -// } -// } -// message Message { -// string message_id = 1; -// string text = 2; -// } -// -// -// The following HTTP JSON to RPC mapping is enabled: -// -// HTTP | gRPC -// -----|----- -// `PATCH /v1/messages/123456 { "text": "Hi!" }` | `UpdateMessage(message_id: -// "123456" text: "Hi!")` -// -// Note that when using `*` in the body mapping, it is not possible to -// have HTTP parameters, as all fields not bound by the path end in -// the body. This makes this option more rarely used in practice when -// defining REST APIs. The common usage of `*` is in custom methods -// which don't use the URL at all for transferring data. -// -// It is possible to define multiple HTTP methods for one RPC by using -// the `additional_bindings` option. Example: -// -// service Messaging { -// rpc GetMessage(GetMessageRequest) returns (Message) { -// option (google.api.http) = { -// get: "/v1/messages/{message_id}" -// additional_bindings { -// get: "/v1/users/{user_id}/messages/{message_id}" -// } -// }; -// } -// } -// message GetMessageRequest { -// string message_id = 1; -// string user_id = 2; -// } -// -// This enables the following two alternative HTTP JSON to RPC mappings: -// -// HTTP | gRPC -// -----|----- -// `GET /v1/messages/123456` | `GetMessage(message_id: "123456")` -// `GET /v1/users/me/messages/123456` | `GetMessage(user_id: "me" message_id: -// "123456")` -// -// ## Rules for HTTP mapping -// -// 1. 
Leaf request fields (recursive expansion nested messages in the request -// message) are classified into three categories: -// - Fields referred by the path template. They are passed via the URL path. -// - Fields referred by the [HttpRule.body][google.api.HttpRule.body]. They are passed via the HTTP -// request body. -// - All other fields are passed via the URL query parameters, and the -// parameter name is the field path in the request message. A repeated -// field can be represented as multiple query parameters under the same -// name. -// 2. If [HttpRule.body][google.api.HttpRule.body] is "*", there is no URL query parameter, all fields -// are passed via URL path and HTTP request body. -// 3. If [HttpRule.body][google.api.HttpRule.body] is omitted, there is no HTTP request body, all -// fields are passed via URL path and URL query parameters. -// -// ### Path template syntax -// -// Template = "/" Segments [ Verb ] ; -// Segments = Segment { "/" Segment } ; -// Segment = "*" | "**" | LITERAL | Variable ; -// Variable = "{" FieldPath [ "=" Segments ] "}" ; -// FieldPath = IDENT { "." IDENT } ; -// Verb = ":" LITERAL ; -// -// The syntax `*` matches a single URL path segment. The syntax `**` matches -// zero or more URL path segments, which must be the last part of the URL path -// except the `Verb`. -// -// The syntax `Variable` matches part of the URL path as specified by its -// template. A variable template must not contain other variables. If a variable -// matches a single path segment, its template may be omitted, e.g. `{var}` -// is equivalent to `{var=*}`. -// -// The syntax `LITERAL` matches literal text in the URL path. If the `LITERAL` -// contains any reserved character, such characters should be percent-encoded -// before the matching. 
-// -// If a variable contains exactly one path segment, such as `"{var}"` or -// `"{var=*}"`, when such a variable is expanded into a URL path on the client -// side, all characters except `[-_.~0-9a-zA-Z]` are percent-encoded. The -// server side does the reverse decoding. Such variables show up in the -// [Discovery -// Document](https://developers.google.com/discovery/v1/reference/apis) as -// `{var}`. -// -// If a variable contains multiple path segments, such as `"{var=foo/*}"` -// or `"{var=**}"`, when such a variable is expanded into a URL path on the -// client side, all characters except `[-_.~/0-9a-zA-Z]` are percent-encoded. -// The server side does the reverse decoding, except "%2F" and "%2f" are left -// unchanged. Such variables show up in the -// [Discovery -// Document](https://developers.google.com/discovery/v1/reference/apis) as -// `{+var}`. -// -// ## Using gRPC API Service Configuration -// -// gRPC API Service Configuration (service config) is a configuration language -// for configuring a gRPC service to become a user-facing product. The -// service config is simply the YAML representation of the `google.api.Service` -// proto message. -// -// As an alternative to annotating your proto file, you can configure gRPC -// transcoding in your service config YAML files. You do this by specifying a -// `HttpRule` that maps the gRPC method to a REST endpoint, achieving the same -// effect as the proto annotation. This can be particularly useful if you -// have a proto that is reused in multiple services. Note that any transcoding -// specified in the service config will override any matching transcoding -// configuration in the proto. -// -// Example: -// -// http: -// rules: -// # Selects a gRPC method and applies HttpRule to it. 
-// - selector: example.v1.Messaging.GetMessage -// get: /v1/messages/{message_id}/{sub.subfield} -// -// ## Special notes -// -// When gRPC Transcoding is used to map a gRPC to JSON REST endpoints, the -// proto to JSON conversion must follow the [proto3 -// specification](https://developers.google.com/protocol-buffers/docs/proto3#json). -// -// While the single segment variable follows the semantics of -// [RFC 6570](https://tools.ietf.org/html/rfc6570) Section 3.2.2 Simple String -// Expansion, the multi segment variable **does not** follow RFC 6570 Section -// 3.2.3 Reserved Expansion. The reason is that the Reserved Expansion -// does not expand special characters like `?` and `#`, which would lead -// to invalid URLs. As the result, gRPC Transcoding uses a custom encoding -// for multi segment variables. -// -// The path variables **must not** refer to any repeated or mapped field, -// because client libraries are not capable of handling such variable expansion. -// -// The path variables **must not** capture the leading "/" character. The reason -// is that the most common use case "{var}" does not capture the leading "/" -// character. For consistency, all path variables must share the same behavior. -// -// Repeated message fields must not be mapped to URL query parameters, because -// no client library can support such complicated mapping. -// -// If an API needs to use a JSON array for request or response body, it can map -// the request or response body to a repeated field. However, some gRPC -// Transcoding implementations may not support this feature. -message HttpRule { - // Selects a method to which this rule applies. - // - // Refer to [selector][google.api.DocumentationRule.selector] for syntax details. - string selector = 1; - - // Determines the URL pattern is matched by this rules. This pattern can be - // used with any of the {get|put|post|delete|patch} methods. A custom method - // can be defined using the 'custom' field. 
- oneof pattern { - // Maps to HTTP GET. Used for listing and getting information about - // resources. - string get = 2; - - // Maps to HTTP PUT. Used for replacing a resource. - string put = 3; - - // Maps to HTTP POST. Used for creating a resource or performing an action. - string post = 4; - - // Maps to HTTP DELETE. Used for deleting a resource. - string delete = 5; - - // Maps to HTTP PATCH. Used for updating a resource. - string patch = 6; - - // The custom pattern is used for specifying an HTTP method that is not - // included in the `pattern` field, such as HEAD, or "*" to leave the - // HTTP method unspecified for this rule. The wild-card rule is useful - // for services that provide content to Web (HTML) clients. - CustomHttpPattern custom = 8; - } - - // The name of the request field whose value is mapped to the HTTP request - // body, or `*` for mapping all request fields not captured by the path - // pattern to the HTTP body, or omitted for not having any HTTP request body. - // - // NOTE: the referred field must be present at the top-level of the request - // message type. - string body = 7; - - // Optional. The name of the response field whose value is mapped to the HTTP - // response body. When omitted, the entire response message will be used - // as the HTTP response body. - // - // NOTE: The referred field must be present at the top-level of the response - // message type. - string response_body = 12; - - // Additional HTTP bindings for the selector. Nested bindings must - // not contain an `additional_bindings` field themselves (that is, - // the nesting may only be one level deep). - repeated HttpRule additional_bindings = 11; -} - -// A custom pattern is used for defining custom HTTP verb. -message CustomHttpPattern { - // The name of this custom HTTP verb. - string kind = 1; - - // The path matched by this custom verb. - string path = 2; -} \ No newline at end of file 
diff --git a/launcher/verifier/grpcclient/proto/service.proto b/launcher/verifier/grpcclient/proto/service.proto
deleted file mode 100644
index 5fe92d56..00000000
--- a/launcher/verifier/grpcclient/proto/service.proto
+++ /dev/null
@@ -1,75 +0,0 @@
-// Copyright 2021 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package attestation_verifier.v0;
-
-import "google/api/annotations.proto";
-import "attest.proto";
-
-option go_package = "github.com/google/go-tpm-tools/launcher/internal/verifier/proto/attestation_verifier/v0";
-
-message GetParamsRequest {}
-
-message GetParamsResponse {
- // Connection ID to be used with a subsequent VerifyRequest. Required.
- string conn_id = 1;
-
- // Nonce that should be used when generating the attestation sent with a
- // VerifyRequest. Required.
- bytes nonce = 2;
-
- // Audience that should be used when generating Service Account ID Tokens sent
- // with a subsequent VerifyRequest. Required.
- //
- // Format: https://www.googleapis.com/attestation_verifier/v0/conn_id/12345
- string audience = 3;
-}
-
-message VerifyRequest {
- // Connection ID from a previous GetParamsResponse. Required.
- string conn_id = 1;
-
- // go-tpm-tools attestation that will be verified by the server, which must
- // use the nonce received in a previous GetParamsResponse. Required.
- attest.Attestation attestation = 2;
-
- // The Google ID Token for the principal running in the VM. Generated from the
- // Metadata Server with the requested `audience`. Optional.
- repeated bytes principal_id_tokens = 3;
-}
-
-message VerifyResponse {
- // OIDC ID token containing the claims created by the server. Required.
- bytes claims_token = 1;
-}
-
-service AttestationVerifier {
- // Endpoint to request attestation parameters (including nonce and audience).
- rpc GetParams(GetParamsRequest) returns (GetParamsResponse) {
- option (google.api.http) = {
- post: "/v0/getParams"
- body: "*"
- };
- }
-
- // Endpoint to verify the attestation and return an OIDC/JWT token.
- rpc Verify(VerifyRequest) returns (VerifyResponse) {
- option (google.api.http) = {
- post: "/v0/verify"
- body: "*"
- };
- }
-}