Merge branch 'main' into text_encoder

.snpcc_canary

@@ -1,4 +1,4 @@
   ___         ___    ___
  (. =)     Y (0 0)  (x X)    Y
    O     \     o      |    /
-/-xXx--//-----x=x--/-xXx--/---x---->>>--
+/-xXx--//-----x=x--/-xXx--/---x---->>>--/

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [5.0.0-dev10]
+
+[5.0.0-dev10]: https://github.com/microsoft/CCF/releases/tag/ccf-5.0.0-dev10
+
+- The `url` field in `snp_endorsements_servers` can now contain environment variables that will be resolved at startup, such as "$Fabric_NodeIPOrFQDN:2377" (#5862).
+
 ## [5.0.0-dev9]
 
 [5.0.0-dev9]: https://github.com/microsoft/CCF/releases/tag/ccf-5.0.0-dev9

include/ccf/ds/nonstd.h

@@ -238,4 +238,22 @@ namespace nonstd
       tuple_for_each<I + 1>(t, f);
     }
   }
+
+  static inline std::string expand_envvar(const std::string& str)
+  {
+    if (str.empty() || str[0] != '$')
+    {
+      return str;
+    }
+
+    char* e = std::getenv(str.c_str() + 1);
+    if (e == nullptr)
+    {
+      return str;
+    }
+    else
+    {
+      return std::string(e);
+    }
+  }
 }

include/ccf/pal/attestation_sev_snp_endorsements.h

@@ -46,6 +46,7 @@ namespace ccf::pal::snp
       bool response_is_der = false;
       bool response_is_thim_json = false;
       std::map<std::string, std::string> headers = {};
+      bool tls = true;
 
       bool operator==(const EndpointInfo&) const = default;
     };
@@ -152,13 +153,36 @@ namespace ccf::pal::snp
     std::map<std::string, std::string> params;
     params["tcbVersion"] = reported_tcb;
     params["platformId"] = chip_id_hex;
-    return {
-      {endpoint.host,
-       endpoint.port,
-       "/metadata/THIM/amd/certification",
-       params,
-       false, // Not DER
-       true, // But THIM JSON
-       {{"Metadata", "true"}}}};
+    return {{
+      endpoint.host,
+      endpoint.port,
+      "/metadata/THIM/amd/certification",
+      params,
+      false, // Not DER
+      true, // But THIM JSON
+      {{"Metadata", "true"}},
+      false // No TLS
+    }};
+  }
+}
+
+FMT_BEGIN_NAMESPACE
+template <>
+struct formatter<ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo>
+{
+  template <typename ParseContext>
+  constexpr auto parse(ParseContext& ctx)
+  {
+    return ctx.begin();
+  }
+
+  template <typename FormatContext>
+  auto format(
+    const ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo& e,
+    FormatContext& ctx) const
+  {
+    return format_to(
+      ctx.out(), "http{}://{}:{}", e.tls ? "s" : "", e.host, e.port);
   }
-}
+};
+FMT_END_NAMESPACE

scripts/azure_deployment/arm_aci.py

@@ -44,6 +44,7 @@ def append_envvar_to_well_known_file(envvar):
         append_envvar_to_well_known_file("UVM_REFERENCE_INFO"),
         append_envvar_to_well_known_file("UVM_HOST_AMD_CERTIFICATE"),
         append_envvar_to_well_known_file("UVM_SECURITY_CONTEXT_DIR"),
+        append_envvar_to_well_known_file("Fabric_NodeIPOrFQDN"),
     ]
 
 

src/ds/test/nonstd.cpp

@@ -5,6 +5,7 @@
 
 #include <algorithm>
 #include <doctest/doctest.h>
+#include <stdlib.h>
 #include <string>
 
 TEST_CASE("split" * doctest::test_suite("nonstd"))
@@ -258,4 +259,23 @@ TEST_CASE("rsplit" * doctest::test_suite("nonstd"))
       }
     }
   }
+}
+
+TEST_CASE("envvars" * doctest::test_suite("nonstd"))
+{
+  {
+    INFO("Expand environment variable");
+
+    std::string test_value("test_value");
+    ::setenv("TEST_ENV_VAR", test_value.c_str(), 1);
+
+    REQUIRE("" == nonstd::expand_envvar(""));
+    REQUIRE("not an env var" == nonstd::expand_envvar("not an env var"));
+    REQUIRE("$ENV_VAR_NOT_SET" == nonstd::expand_envvar("$ENV_VAR_NOT_SET"));
+    REQUIRE(test_value == nonstd::expand_envvar("$TEST_ENV_VAR"));
+
+    // ${} syntax is not supported
+    REQUIRE(
+      "${ENV_VAR_NOT_SET}" == nonstd::expand_envvar("${ENV_VAR_NOT_SET}"));
+  }
 }

src/host/main.cpp

@@ -542,6 +542,36 @@ int main(int argc, char** argv)
           fs::path(dir) / fs::path(report_endorsements_filename));
     }
 
+    for (auto endorsement_servers_it =
+           startup_config.attestation.snp_endorsements_servers.begin();
+         endorsement_servers_it !=
+         startup_config.attestation.snp_endorsements_servers.end();
+         ++endorsement_servers_it)
+    {
+      LOG_DEBUG_FMT(
+        "Resolving snp_endorsements_server url: {}",
+        endorsement_servers_it->url.value());
+      if (endorsement_servers_it->url.has_value())
+      {
+        auto& url = endorsement_servers_it->url.value();
+        auto pos = url.find(':');
+        if (pos == std::string::npos)
+        {
+          endorsement_servers_it->url = nonstd::expand_envvar(url);
+        }
+        else
+        {
+          endorsement_servers_it->url = fmt::format(
+            "{}:{}",
+            nonstd::expand_envvar(url.substr(0, pos)),
+            nonstd::expand_envvar(url.substr(pos + 1)));
+        }
+        LOG_DEBUG_FMT(
+          "Resolved snp_endorsements_server url: {}",
+          endorsement_servers_it->url);
+      }
+    }
+
     if (config.node_data_json_file.has_value())
     {
       startup_config.node_data =

src/node/quote_endorsements_client.h

@@ -102,9 +102,8 @@ namespace ccf
         r.set_header(http::headers::HOST, endpoint.host);
 
         LOG_INFO_FMT(
-          "Fetching endorsements for attestation report at http{}://{}{}{}",
-          endpoint.port == "80" ? "" : "s",
-          endpoint.host,
+          "Fetching endorsements for attestation report at {}{}{}",
+          endpoint,
           r.get_path(),
           r.get_formatted_query());
         client->send_request(std::move(r));
@@ -122,8 +121,7 @@ namespace ccf
           if (msg->data.request_id >= msg->data.self->last_received_request_id)
           {
             LOG_FAIL_FMT(
-              "Timed out reaching endorsement server {}",
-              msg->data.endpoint.host);
+              "Timed out reaching endorsement server {}", msg->data.endpoint);
 
             auto& servers = msg->data.self->config.servers;
             msg->data.self->server_retries_count++;
@@ -217,8 +215,8 @@ namespace ccf
     {
       auto endpoint = server.front();
 
-      auto c = endpoint.port == "80" ? create_unencrypted_client() :
-                                       create_unauthenticated_client();
+      auto c = endpoint.tls ? create_unauthenticated_client() :
+                              create_unencrypted_client();
       c->connect(
         endpoint.host,
         endpoint.port,
@@ -266,18 +264,18 @@ namespace ccf
             LOG_INFO_FMT(
               "{} endorsements endpoint had too many requests. Retrying "
               "in {}s",
-              endpoint.host,
+              endpoint,
               retry_after_s);
 
             threading::ThreadMessaging::instance().add_task_after(
               std::move(msg), std::chrono::milliseconds(retry_after_s * 1000));
           }
           return;
         },
-        [host = endpoint.host](const std::string& error_msg) {
+        [endpoint](const std::string& error_msg) {
           LOG_FAIL_FMT(
             "TLS error when connecting to quote endorsements endpoint {}: {}",
-            host,
+            endpoint,
             error_msg);
         });
       send_request(c, endpoint);

tests/reconfiguration.py

@@ -259,6 +259,8 @@ def test_add_node_endorsements_endpoints(network, args):
         (["AMD:kdsintf.amd.com"], True),
         (["AMD:invalid.amd.com"], False),
         (["Azure:invalid.azure.com", "AMD:kdsintf.amd.com"], True),  # Fallback server
+        # Won't work yet, see #5852
+        # (["THIM:$Fabric_NodeIPOrFQDN:2377"], True),
     ]
 
     for servers, expected_result in test_vectors: