A CLI tool for Tenants to use and access services provided by Intel Trust Authority.

Ubuntu LTS 20.04

1. Installing make and makeself

   • Run the following command:

   apt -y install make makeself

2. Installing golang

   • Supported golang version is 1.21.0
   • Go through the following link to install golang: https://go.dev/doc/install

3. Add the local binary path, namely $HOME/.local/bin/, to your PATH environment variable if not already present

• git clone https://github.com/intel/trustauthority-cli.git trustauthority-cli
• cd trustauthority-cli and run "make installer"
• copy the binary installer trustauthorityctl-{version}.bin to the system where it needs to be deployed
• create an env file trustauthorityctl.env in your home directory and add the following mandatory contents:
  a. TRUSTAUTHORITY_URL=< URL for Intel Trust Authority >
  b. TRUSTAUTHORITY_API_KEY="< Admin API Key of the Tenant >"
  
• run "./trustauthorityctl-{version}.bin". This will install the CLI to your system.
• use the CLI: trustauthorityctl < command > < resource >

All files are stored in user's home directory. Following are the details:

• Configuration: $HOME/.config/trustauthorityctl/config.yaml
• Logs: $HOME/.config/trustauthorityctl/logs/trustauthorityctl.log
• Bin: $HOME/.local/bin/trustauthorityctl

Note: If you cannot access the command, add the binary path to the PATH env variable

Note: Request ID could be a randomly generated string of at most 128 bytes which can work as a unique identifier for each CRUD operation. This can be provided as an optional parameter to all the CRUD commands only.

• trustauthorityctl uninstall

• trustauthorityctl config -v < env file path >

• trustauthorityctl completion

• trustauthorityctl version

trustauthorityctl create user -q < request id > -e < email Id> -r < Role (Tenant Admin/User) >

trustauthorityctl list user -q < request id >

trustauthorityctl list user -q < request id > -e

trustauthorityctl update user role -q < request id > -u < user id > -r < Role (Tenant Admin/User) >

trustauthorityctl delete user -q < request id > -u < user id >

trustauthorityctl delete tag -q < request id > -t < tag id >

trustauthorityctl list serviceOffer

trustauthorityctl list plan -q < request id > -r < service offer id >

trustauthorityctl list plan -q < request id > -r < service offer id > -p < plan id >

trustauthorityctl list product -q < request id > -r < service offer id >

trustauthorityctl list service -q < request id >

trustauthorityctl list service -q < request id > -r < service Id >

trustauthorityctl create apiClient -q < request id > -r < service id > -p < product id > -n < api client name > -i "comma separated policy Ids" -v "tag-key1:tag-value1,tag-key2:tag-value2"

trustauthorityctl update apiClient -q < request id > -r < service id > -p < product id > -c < api client id > -i "comma separated policy Ids" -v "tag-key1:tag-value1,tag-key2:tag-value2" -s < Active/Inactive/Cancelled >

trustauthorityctl list apiClient -q < request id > -r < service id >

trustauthorityctl list apiClient -q < request id > -r < service id > -c < api client id >

trustauthorityctl delete apiClient -q < request id > -r < service id > -c < api client id >

trustauthorityctl create tag -q < request id > -n < tag name >

trustauthorityctl list tag -q < request id >

trustauthorityctl list apiClient policy -q < request id > -r < service id > -c < api client id >

trustauthorityctl list apiClient tag -q < request id > -r < service id > -c < api client id >

trustauthorityctl update tenant-settings -q < request id > -e < email id >

trustauthorityctl update tenant-settings -q < request id > -d

trustauthorityctl list tenant-settings -q < request id >

trustauthorityctl create policy -q < request id > -n < name of policy > -t < policy type > -a < attestation type > -r < service offer id > -f < rego policy file path > Note: Policy file size should be <= 10KB

trustauthorityctl list policy -q < request id >

trustauthorityctl list policy -q < request id > -p < policy id >

trustauthorityctl delete policy -q < request id > -p < policy id >

trustauthorityctl update policy -q < request id > -i < policy id > -n < name of policy > -f < rego policy file path > Note: Policy file size should be <= 10KB

• Sample rego policy for create/update policy command:

default matches_sgx_policy = false 
matches_sgx_policy = true 
{  input.sgx_is_debuggable == false 
   input.sgx_isvsvn == 0 
   input.sgx_isvprodid == 0 
   input.sgx_mrsigner ==  \"d412a4f07ef83892a5915fb2ab584be31e186e5a4f95ab5f6950fd4eb8694d7b\" 
   input.sgx_mrenclave == \"bab91f200038076ac25f87de0ca67472443c2ebe17ed9ba95314e609038f51ab\" 
} 

trustauthorityctl create policy-jwt -q < request id > -f < rego policy file path > -p < signing key path > -c < cert path > -a < algorithm > -s

Create self signed key and certificate for policy JWT token creation:

• Generate key and cert files for -algorithm (PS384 | RS384) (Recommend)

openssl req -x509 -nodes -days 365 -newkey rsa:3072 -keyout ta-jwt.key -out ta-jwt.crt

• Generate key and cert files for -algorithm (PS256 | RS256)

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ta-jwt.key -out ta-jwt.crt

1. Signed policy token could be self verified at jwt.io
2. Output file name of this command is input policy file name suffixed with ".signed.current_timestamp.txt" extension
3. Policy payload for Trust Authority uses rego format which is different from Azure MAA
4. Supported signing algorithms are "RS256", "PS256", "RS384", "PS384", default algorithm is PS384
5. The signing algorithm needs to match the certificate algorithm

• Azure MAA:
  • https://learn.microsoft.com/en-us/azure/attestation/policy-examples
  • https://docs.microsoft.com/en-us/azure/attestation/author-sign-policy
• JWS RFC7515:
  • https://www.rfc-editor.org/rfc/rfc7515