AthenZ · havetisyan · Jan 8, 2025 · Jan 3, 2025
diff --git a/libs/go/sia/Makefile b/libs/go/sia/Makefile
@@ -12,7 +12,7 @@ ifneq ($(patsubst %$(SIA_DIR),,$(lastword $(ATHENZ_DIR))),)
 	ATHENZ_DIR = $(PWD)/$(SIA_DIR)
 endif
 
-SUBDIRS = access/config access/tokens agent aws/agent aws/attestation aws/doc aws/lambda aws/meta \
+SUBDIRS = access/config access/tokens agent aws/attestation aws/doc aws/lambda aws/meta \
 	aws/options aws/stssession file futil gcp/attestation gcp/meta gcp/functions \
 	host/hostdoc host/ip host/provider host/signature host/utils logutil options pki/cert \
 	sds ssh/hostcert ssh/hostkey util verify

diff --git a/libs/go/sia/agent/agent.go b/libs/go/sia/agent/agent.go
@@ -36,6 +36,7 @@ import (
 	"github.com/AthenZ/athenz/libs/go/sia/access/config"
 	"github.com/AthenZ/athenz/libs/go/sia/access/tokens"
 	sc "github.com/AthenZ/athenz/libs/go/sia/config"
+	"github.com/AthenZ/athenz/libs/go/sia/host/provider"
 	"github.com/AthenZ/athenz/libs/go/sia/options"
 	"github.com/AthenZ/athenz/libs/go/sia/sds"
 	"github.com/AthenZ/athenz/libs/go/sia/ssh/hostkey"
@@ -278,7 +279,7 @@ func registerSvc(svc sc.Service, ztsUrl string, opts *sc.Options) error {
 	if err != nil {
 		return err
 	}
-	attestData, err := opts.Provider.CloudAttestationData(opts.MetaEndPoint, svc.Name, ztsUrl)
+	attestData, err := opts.Provider.CloudAttestationData(setUpAttestationRequest(opts, svc.Name, ztsUrl))
 	if err != nil {
 		log.Printf("Failed to get attestation data to prove the identity, err:%v\n", err)
 		return err
@@ -350,6 +351,21 @@ func registerSvc(svc sc.Service, ztsUrl string, opts *sc.Options) error {
 	return nil
 }
 
+func setUpAttestationRequest(opts *sc.Options, service, ztsUrl string) *provider.AttestationRequest {
+	return &provider.AttestationRequest{
+		MetaEndPoint:   opts.MetaEndPoint,
+		Domain:         opts.Domain,
+		Service:        service,
+		ZTSUrl:         ztsUrl,
+		Account:        opts.Account,
+		Region:         opts.Region,
+		OmitDomain:     opts.OmitDomain,
+		UseRegionalSTS: opts.UseRegionalSTS,
+		EC2Document:    opts.EC2Document,
+		EC2Signature:   opts.EC2Signature,
+	}
+}
+
 func refreshSvc(svc sc.Service, ztsUrl string, opts *sc.Options) error {
 
 	keyFile := util.GetSvcKeyFileName(opts.KeyDir, svc.KeyFilename, opts.Domain, svc.Name)
@@ -399,7 +415,7 @@ func refreshSvc(svc sc.Service, ztsUrl string, opts *sc.Options) error {
 		return err
 	}
 
-	attestData, err := opts.Provider.CloudAttestationData(opts.MetaEndPoint, svc.Name, ztsUrl)
+	attestData, err := opts.Provider.CloudAttestationData(setUpAttestationRequest(opts, svc.Name, ztsUrl))
 	if err != nil {
 		log.Printf("Failed to get attestation data to prove the identity, err:%v\n", err)
 		return err
@@ -637,10 +653,6 @@ func runAgentCommand(siaCmd, ztsUrl string, opts *sc.Options) {
 	//server and role certs are valid for 30 days by default
 	rotationInterval := time.Duration(opts.RefreshInterval) * time.Minute
 
-	//data, err := opts.Provider.CloudAttestationData(opts)
-	//if err != nil {
-	//	log.Fatalf("Cannot determine identity to run as, err:%v\n", err)
-	//}
 	svcs := options.GetSvcNames(opts.Services)
 
 	tokenOpts, err := tokenOptions(opts, ztsUrl)

diff --git a/libs/go/sia/agent/agent_test.go b/libs/go/sia/agent/agent_test.go
@@ -28,16 +28,16 @@ import (
 	"testing"
 	"time"
 
-	"k8s.io/utils/strings/slices"
-
 	"github.com/AthenZ/athenz/libs/go/sia/access/config"
 	"github.com/AthenZ/athenz/libs/go/sia/agent/devel/ztsmock"
 	sc "github.com/AthenZ/athenz/libs/go/sia/config"
 	"github.com/AthenZ/athenz/libs/go/sia/host/ip"
+	"github.com/AthenZ/athenz/libs/go/sia/host/provider"
 	"github.com/AthenZ/athenz/libs/go/sia/host/signature"
 	"github.com/AthenZ/athenz/libs/go/sia/ssh/hostkey"
 	"github.com/AthenZ/athenz/libs/go/sia/util"
 	"github.com/stretchr/testify/assert"
+	"k8s.io/utils/strings/slices"
 )
 
 func setup() {
@@ -105,7 +105,7 @@ func (tp TestProvider) GetSuffixes() []string {
 	return []string{}
 }
 
-func (tp TestProvider) CloudAttestationData(string, string, string) (string, error) {
+func (tp TestProvider) CloudAttestationData(*provider.AttestationRequest) (string, error) {
 	return "abc", nil
 }
 
@@ -211,7 +211,7 @@ func TestRegisterInstance(test *testing.T) {
 		KeyDir:           siaDir,
 		CertDir:          siaDir,
 		AthenzCACertFile: caCertFile,
-		ZTSAWSDomains:    []string{"zts-aws-cloud"},
+		ZTSCloudDomains:  []string{"zts-aws-cloud"},
 		Region:           "us-west-2",
 		InstanceId:       "pod-1234",
 		Provider:         tp,
@@ -288,7 +288,7 @@ func refreshServiceCertSetup(test *testing.T) (*sc.Options, string) {
 		CertDir:          siaDir,
 		AthenzCACertFile: caCertFile,
 		Provider:         tp,
-		ZTSAWSDomains:    []string{"zts-aws-cloud"},
+		ZTSCloudDomains:  []string{"zts-aws-cloud"},
 		Region:           "us-west-2",
 		InstanceId:       "pod-1234",
 	}
@@ -366,7 +366,7 @@ func TestRoleCertificateRequest(test *testing.T) {
 		KeyDir:           siaDir,
 		CertDir:          siaDir,
 		AthenzCACertFile: caCertFile,
-		ZTSAWSDomains:    []string{"zts-aws-cloud"},
+		ZTSCloudDomains:  []string{"zts-aws-cloud"},
 		Provider:         tp,
 	}
 
@@ -621,7 +621,7 @@ func TestGenerateSshRequest(test *testing.T) {
 	// ssh enabled with primary service and key type is rsa - null cert request but valid csr
 	opts.SshPubKeyFile = "devel/data/cert.pem"
 	opts.Domain = "athenz"
-	opts.ZTSAWSDomains = []string{"athenz.io"}
+	opts.ZTSCloudDomains = []string{"athenz.io"}
 	opts.SshHostKeyType = hostkey.Rsa
 	sshReq, sshCsr, err = generateSshRequest(&opts, "api", "hostname.athenz.io")
 	assert.Nil(test, sshReq)
@@ -631,21 +631,23 @@ func TestGenerateSshRequest(test *testing.T) {
 	opts.SshHostKeyType = hostkey.Ecdsa
 	sshReq, sshCsr, err = generateSshRequest(&opts, "api", "hostname.athenz.io")
 	assert.NotNil(test, sshReq)
-	assert.Equal(test, 3, len(sshReq.CertRequestData.Principals))
+	assert.Equal(test, 4, len(sshReq.CertRequestData.Principals))
 	assert.True(test, slices.Contains(sshReq.CertRequestData.Principals, "my-vm"))
 	assert.True(test, slices.Contains(sshReq.CertRequestData.Principals, "my-instance-id"))
+	assert.True(test, slices.Contains(sshReq.CertRequestData.Principals, "api.athenz.athenz.io"))
 	assert.Empty(test, sshCsr)
 	assert.Nil(test, err)
 	// ssh enabled with primary service and key type is ecdsa - empty csr but not-nil cert request, opts defines sshPrincipals
 	opts.SshHostKeyType = hostkey.Ecdsa
 	opts.SshPrincipals = "cname.athenz.io"
 	sshReq, sshCsr, err = generateSshRequest(&opts, "api", "hostname.athenz.io")
 	assert.NotNil(test, sshReq)
-	assert.Equal(test, 4, len(sshReq.CertRequestData.Principals))
+	assert.Equal(test, 5, len(sshReq.CertRequestData.Principals))
 	assert.True(test, slices.Contains(sshReq.CertRequestData.Principals, "hostname.athenz.io"))
 	assert.True(test, slices.Contains(sshReq.CertRequestData.Principals, "cname.athenz.io"))
 	assert.True(test, slices.Contains(sshReq.CertRequestData.Principals, "my-vm"))
 	assert.True(test, slices.Contains(sshReq.CertRequestData.Principals, "my-instance-id"))
+	assert.True(test, slices.Contains(sshReq.CertRequestData.Principals, "api.athenz.athenz.io"))
 	assert.Empty(test, sshCsr)
 	assert.Nil(test, err)
 }