diff --git a/attestation-service/docs/config.md b/attestation-service/docs/config.md
index a59807a1f..ee16b3c93 100644
--- a/attestation-service/docs/config.md
+++ b/attestation-service/docs/config.md
@@ -18,16 +18,16 @@ section:
 | `work_dir` | String | The location for Attestation Service to store data. | False | Firstly try to read from ENV `AS_WORK_DIR`. If not any, use `/opt/confidential-containers/attestation-service` |
 | `policy_engine` | String | Policy engine type. Valid values: `opa` | False | `opa` |
 | `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | False | - |
-| `attestation_token_broker` | String | Type of the attestation result token broker. Valid values: `Simple` | False | `Simple` |
-| `attestation_token_config` | [AttestationTokenConfig][1] | Attestation result token configuration. | False | - |
+| `attestation_token_broker` | [AttestationTokeBroker][1] | Attestation result token configuration. | False | - |
 [1]: #attestationtokenconfig
 [2]: #rvps-configuration
-#### AttestationTokenConfig
+#### AttestationTokenBroker
 | Property | Type | Description | Required | Default |
 |----------------|-------------------------|------------------------------------------------------|----------|---------|
+| `type` | String | Type of token to issue (Ear or Simple) | No | `Ear` |
 | `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` |
 | `issuer_name` | String | Issure name of the attestation result token. | No |`CoCo-Attestation-Service`|
 | `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None |
@@ -97,8 +97,8 @@ Running with a built-in RVPS:
 "file_path": "/var/lib/attestation-service/reference-values"
 }
 },
- "attestation_token_broker": "Simple",
- "attestation_token_config": {
+ "attestation_token_broker": {
+ "type": "Ear",
 "duration_min": 5
 }
 }
@@ -114,8 +114,8 @@ Running with a remote RVPS:
 "type": "GrpcRemote",
 "address": "127.0.0.1:50003"
 },
- "attestation_token_broker": "Simple",
- "attestation_token_config": {
+ "attestation_token_broker": {
+ "type": "Ear",
 "duration_min": 5
 }
 }
@@ -131,8 +131,8 @@ Configurations for token signer
 "type": "GrpcRemote",
 "address": "127.0.0.1:50003"
 },
- "attestation_token_broker": "Simple",
- "attestation_token_config": {
+ "attestation_token_broker": {
+ "type": "Ear",
 "duration_min": 5,
 "issuer_name": "some-body",
 "signer": {
diff --git a/attestation-service/src/config.rs b/attestation-service/src/config.rs
index a2bd53016..48ac206fa 100644
--- a/attestation-service/src/config.rs
+++ b/attestation-service/src/config.rs
@@ -63,6 +63,7 @@ impl TryFrom<&Path> for Config {
 /// "remote_addr": ""
 /// },
 /// "attestation_token_broker": {
+ /// "type": "Ear",
 /// "duration_min": 5
 /// }
 /// }
diff --git a/kbs/config/as-config.json b/kbs/config/as-config.json
index 125e1dbb6..5918f5497 100644
--- a/kbs/config/as-config.json
+++ b/kbs/config/as-config.json
@@ -7,10 +7,6 @@
 },
 "attestation_token_broker": {
 "type": "Ear",
- "duration_min": 5,
- "signer": {
- "key_path":"/opt/confidential-containers/attestation-service/keys/private_key.pem"
-
- }
+ "duration_min": 5
 }
-}
\ No newline at end of file
+}
diff --git a/kbs/config/kubernetes/base/as-config.json b/kbs/config/kubernetes/base/as-config.json
index 8935ffc9f..d725d179b 100644
--- a/kbs/config/kubernetes/base/as-config.json
+++ b/kbs/config/kubernetes/base/as-config.json
@@ -1,8 +1,7 @@
 {
 "work_dir": "/opt/confidential-containers/attestation-service",
- "policy_engine": "opa",
- "attestation_token_broker": "Simple",
- "attestation_token_config": {
+ "attestation_token_broker": {
+ "type": "Ear",
 "duration_min": 5
 }
 }
diff --git a/kbs/docs/config.md b/kbs/docs/config.md
index 848995853..57b77d41e 100644
--- a/kbs/docs/config.md
+++ b/kbs/docs/config.md
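Review bot: In kbs/config/as-config.json the `signer` block pointing at `/opt/confidential-containers/attestation-service/keys/private_key.pem` is dropped without a replacement, so the token broker no longer signs attestation tokens with an operator-provisioned key; the docs tables in this same commit list `signer` as defaulting to None, and what the broker signs with in that case is not visible in this diff. Any KBS that verifies tokens against that key (the quickstart hunk shows `trusted_certs_paths` under `[attestation_token_broker]`) would presumably stop accepting tokens once this file is deployed, and the trust in the token then rests on whatever the default signer is. If the removal is intentional because the key is not provisioned in that image, say so in the commit message; otherwise keep `"signer": { "key_path": "/opt/confidential-containers/attestation-service/keys/private_key.pem" }` next to `"duration_min": 5`.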
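Review bot: In kbs/config/kubernetes/base/as-config.json the line `"policy_engine": "opa",` is removed together with the token-broker restructure, which is unrelated to what the commit is about; the kbs/docs/config.md table in this commit still gives `opa` as the only valid value and the default, so behavior should be unchanged, but an explicit setting has silently become an implicit default. Either keep `"policy_engine": "opa",` in the kustomize base, or mention the cleanup in the commit message so the next reader does not take it for an accidental drop.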
@@ -86,17 +86,17 @@ When `type` is set to `coco_as_builtin`, the following properties can be set.
 | `work_dir` | String | The location for Attestation Service to store data. | First try from env `AS_WORK_DIR`. If no this env, then use `/opt/confidential-containers/attestation-service` |
 | `policy_engine` | String | Policy engine type. Valid values: `opa` | `opa` |
 | `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | See [RVPSConfiguration][2] |
-| `attestation_token_broker` | String | Type of the attestation result token broker. | `Simple` |
-| `attestation_token_config` | [AttestationTokenConfig][1] | Attestation result token configuration. | See [AttestationTokenConfig][1] |
+| `attestation_token_broker` | [AttestationTokenConfig][1] | Attestation result token configuration. | See [AttestationTokenConfig][1] |
 [1]: #attestationtokenconfig
 [2]: #rvps-configuration
-##### AttestationTokenConfig
+##### AttestationTokenBroker
 | Property | Type | Description | Default |
 |----------------|-------------------------|------------------------------------------------------|----------|
+| `type` | String | Type of token to generate (Ear or simple) | Ear |
 | `duration_min` | Integer | Duration of the attestation result token in minutes. | 5 |
 | `issuer_name` | String | Issure name of the attestation result token. | `CoCo-Attestation-Service` |
 | `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | None |
diff --git a/kbs/quickstart.md b/kbs/quickstart.md
index 8e4ac535a..7dfaa2611 100644
--- a/kbs/quickstart.md
+++ b/kbs/quickstart.md
@@ -247,7 +247,7 @@ Adding the following content to the config file of Resource KBS to specify trust
 or JWK set which are used to verify the trustworthy of the Attestation Token:
 ```toml
-[attestation_token_config]
+[attestation_token_broker]
 # Path of root certificate used to verify the trustworthy of `x5c` extension in the JWT
 trusted_certs_paths = ["/path/to/trusted_cacert.pem"]