sdk: require opt-in for insecure deployments.

For verifying an insecure deployment, an SDK user must now instantiate
the client `.WithInsecure`, aligning it to the CLI behavior.

Author: msanft

sdk/verify.go

@@ -37,6 +37,11 @@ type Client struct {
 
 	log *slog.Logger
 
+	// allowInsecure must be set to true to allow verification of manifests
+	// that contain insecure (non-CC) reference values. Without this, ValidateAttestation
+	// will return an error if the manifest allows insecure platforms.
+	allowInsecure bool
+
 	// validatorsFromManifestOverride is used by tests to replace the validators.
 	validatorsFromManifestOverride func(*certcache.CachedHTTPSGetter, *manifest.Manifest, *slog.Logger) ([]atls.Validator, error)
 }
@@ -80,6 +85,15 @@ func (c *Client) WithHTTPClient(httpClient *http.Client) *Client {
 	return c
 }
 
+// WithInsecure allows the Client to verify manifests containing insecure (non-CC) reference values.
+//
+// By default, [Client.ValidateAttestation] will return an error if the manifest allows insecure
+// platforms. This method opts in to accepting such manifests.
+func (c *Client) WithInsecure() *Client {
+	c.allowInsecure = true
+	return c
+}
+
 // GetAttestation requests attestation evidence from the Coordinator's HTTP API.
 //
 // The URL needs to map to the http://coordinator:1314/attest endpoint, but can be reverse-proxied
@@ -159,6 +173,10 @@ func (c Client) ValidateAttestation(ctx context.Context, nonce []byte, attestati
 		return nil, fmt.Errorf("validating latest manifest: %w", err)
 	}
 
+	if latestManifest.AllowInsecure() && !c.allowInsecure {
+		return nil, fmt.Errorf("manifest contains insecure platforms: use WithInsecure() to allow verification of insecure deployments")
+	}
+
 	kdsGetter := certcache.NewCachedHTTPSGetter(c.fsstore, certcache.NeverGCTicker, c.log.WithGroup("kds-getter"))
 	validatorsFromManifest := ValidatorsFromManifest
 	if c.validatorsFromManifestOverride != nil {

sdk/verify_test.go

@@ -107,10 +107,11 @@ func TestGetAttestation(t *testing.T) {
 func TestValidateAttestation(t *testing.T) {
 	testNonce := make([]byte, 32)
 	for name, tc := range map[string]struct {
-		nonce       []byte
-		resp        *httpapi.AttestationResponse
-		validateErr error
-		wantErr     string
+		nonce         []byte
+		resp          *httpapi.AttestationResponse
+		validateErr   error
+		allowInsecure bool
+		wantErr       string
 	}{
 		"success": {
 			nonce: testNonce,
@@ -143,6 +144,26 @@ func TestValidateAttestation(t *testing.T) {
 			validateErr: assert.AnError,
 			wantErr:     assert.AnError.Error(),
 		},
+		"insecure manifest without opt-in": {
+			nonce: testNonce,
+			resp: &httpapi.AttestationResponse{
+				RawAttestationDoc: testNonce,
+				CoordinatorState: httpapi.CoordinatorState{
+					Manifests: [][]byte{testInsecureManifest},
+				},
+			},
+			wantErr: "WithInsecure",
+		},
+		"insecure manifest with opt-in": {
+			nonce:          testNonce,
+			allowInsecure: true,
+			resp: &httpapi.AttestationResponse{
+				RawAttestationDoc: testNonce,
+				CoordinatorState: httpapi.CoordinatorState{
+					Manifests: [][]byte{testInsecureManifest},
+				},
+			},
+		},
 	} {
 		t.Run(name, func(t *testing.T) {
 			assert := assert.New(t)
@@ -152,6 +173,9 @@ func TestValidateAttestation(t *testing.T) {
 			require.NoError(err)
 
 			c := New()
+			if tc.allowInsecure {
+				c = c.WithInsecure()
+			}
 
 			c.validatorsFromManifestOverride = func(*certcache.CachedHTTPSGetter, *manifest.Manifest, *slog.Logger) ([]atls.Validator, error) {
 				return []atls.Validator{&stubValidator{err: tc.validateErr}}, nil
@@ -224,6 +248,25 @@ var testManifest = []byte(`
 }
 `)
 
+var testInsecureManifest = []byte(`
+{
+  "Policies": {
+    "ef27c1c91a0ce044c67f0ec10d7c66ea9f178453dc96a233e97f0675578042f2": {
+      "SANs": ["coordinator"],
+      "WorkloadSecretID": "apps/v1/StatefulSet/default/coordinator",
+      "Role": "coordinator"
+    }
+  },
+  "ReferenceValues": {
+    "snp": [
+      {
+        "Platform": "metal-qemu-snp-insecure"
+      }
+	]
+  }
+}
+`)
+
 type stubValidator struct {
 	atls.Validator