refactor(vts): extract (reusable) appraisal logic into separate function

Extract (most) of the appraisal logic from GRPC::GetAttestation() into
GRPC::getAttestation() so that it can be reused from other RPC service
endpoints, e.g., when appraising composite evidence.

Signed-off-by: Thomas Fossati <thomas.fossati@linaro.org>

Author: thomas-fossati

vts/appraisal/appraisal.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2023 Contributors to the Veraison project.
+// Copyright 2022-2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package appraisal
@@ -12,16 +12,17 @@ import (
 	"github.com/veraison/services/config"
 	"github.com/veraison/services/policy"
 	"github.com/veraison/services/proto"
+	"google.golang.org/protobuf/types/known/structpb"
 )
 
 // Appraisal provides an appraisal context internally within the VTS (e.g. for
-// policy evaluation). It is the analog of proto.AppraisalContext, but with a
-// deserialized AttestationResult.
+// policy evaluation).
 type Appraisal struct {
 	Scheme          string
 	EvidenceContext *proto.EvidenceContext
 	Result          *ear.AttestationResult
 	SignedEAR       []byte
+	Endorsements    []string
 }
 
 func New(tenantID string, nonce []byte, scheme string) *Appraisal {
@@ -33,31 +34,56 @@ func New(tenantID string, nonce []byte, scheme string) *Appraisal {
 		Result: ear.NewAttestationResult(scheme, config.Version, config.Developer),
 	}
 
-	encodedNonce := base64.URLEncoding.EncodeToString(nonce)
-	appraisal.Result.Nonce = &encodedNonce
-
-	appraisal.Result.VerifierID.Build = &config.Version
-	appraisal.Result.VerifierID.Developer = &config.Developer
-
+	appraisal.setResultNonce(nonce)
 	appraisal.InitPolicyID()
 
 	return &appraisal
 }
 
+func (o *Appraisal) setResultNonce(v []byte) {
+	encodedNonce := base64.URLEncoding.EncodeToString(v)
+	o.Result.Nonce = &encodedNonce
+}
+
+func (o *Appraisal) SetTrustAnchorIDs(v []string) {
+	o.EvidenceContext.TrustAnchorIds = v
+}
+
+func (o *Appraisal) SetReferenceIDs(v []string) {
+	o.EvidenceContext.ReferenceIds = v
+}
+
+func (o Appraisal) GetReferenceIDs() []string {
+	return o.EvidenceContext.ReferenceIds
+}
+
+func (o *Appraisal) SetEvidenceClaims(v *structpb.Struct) {
+	o.EvidenceContext.Evidence = v
+}
+
+func (o *Appraisal) SetEndorsements(v []string) {
+	o.Endorsements = v
+}
+
+func (o *Appraisal) SetResultWithNonce(result *ear.AttestationResult, nonce []byte) {
+	o.Result = result
+	o.setResultNonce(nonce)
+}
+
 func (o Appraisal) GetContext() *proto.AppraisalContext {
 	return &proto.AppraisalContext{
 		Evidence: o.EvidenceContext,
 		Result:   o.SignedEAR,
 	}
 }
 
-func (o Appraisal) SetAllClaims(claim ear.TrustClaim) {
+func (o *Appraisal) SetAllClaims(claim ear.TrustClaim) {
 	for _, submod := range o.Result.Submods {
 		submod.TrustVector.SetAll(claim)
 	}
 }
 
-func (o Appraisal) AddPolicyClaim(name, claim string) {
+func (o *Appraisal) AddPolicyClaim(name, claim string) {
 	for _, submod := range o.Result.Submods {
 		if submod.AppraisalExtensions.VeraisonPolicyClaims == nil {
 			claimsMap := make(map[string]interface{})
@@ -82,6 +108,8 @@ func (o *Appraisal) UpdatePolicyID(pol *policy.Policy) error {
 	return nil
 }
 
+// InitPolicyID must be called before sending the appraisal to policy manager
+// for evaluation.
 func (o *Appraisal) InitPolicyID() {
 	for _, submod := range o.Result.Submods {
 		policyID := fmt.Sprintf("policy:%s", o.Scheme)

vts/policymanager/ipolicymanager.go

@@ -0,0 +1,13 @@
+// Copyright 2026 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package policymanager
+
+import (
+	"context"
+
+	"github.com/veraison/services/vts/appraisal"
+)
+
+type IPolicyManager interface {
+	Evaluate(ctx context.Context, appraisal *appraisal.Appraisal) error
+}

vts/policymanager/policymanager.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2024 Contributors to the Veraison project.
+// Copyright 2022-2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package policymanager
 
@@ -32,13 +32,12 @@ func New(v *viper.Viper, store *policy.Store, logger *zap.SugaredLogger) (*Polic
 	return pm, nil
 }
 
+// XXX(tho) revisit coupling between appraisal and policy manager
 func (o *PolicyManager) Evaluate(
 	ctx context.Context,
-	scheme string,
 	appraisal *appraisal.Appraisal,
-	endorsements []string,
 ) error {
-	policyKey := o.getPolicyKey(appraisal)
+	policyKey := o.getPolicyKey(appraisal.EvidenceContext.TenantId, appraisal.Scheme)
 
 	pol, err := o.getPolicy(policyKey)
 	if err != nil {
@@ -58,12 +57,12 @@ func (o *PolicyManager) Evaluate(
 		evaluated, err := o.Agent.Evaluate(
 			ctx,
 			appraisalContext,
-			scheme,
+			appraisal.Scheme,
 			pol,
 			submod,
 			submodAppraisal,
 			appraisal.EvidenceContext,
-			endorsements,
+			appraisal.Endorsements,
 		)
 		if err != nil {
 			return err
@@ -77,10 +76,10 @@ func (o *PolicyManager) Evaluate(
 	return nil
 }
 
-func (o *PolicyManager) getPolicyKey(a *appraisal.Appraisal) policy.PolicyKey {
+func (o *PolicyManager) getPolicyKey(tenantID string, scheme string) policy.PolicyKey {
 	return policy.PolicyKey{
-		TenantId: a.EvidenceContext.TenantId,
-		Scheme:   a.Scheme,
+		TenantId: tenantID,
+		Scheme:   scheme,
 		Name:     o.Agent.GetBackendName(),
 	}
 }

vts/policymanager/policymanager_test.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2023 Contributors to the Veraison project.
+// Copyright 2022-2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package policymanager
 
@@ -48,7 +48,7 @@ func TestPolicyMgr_getPolicy_not_found(t *testing.T) {
 	pm := &PolicyManager{Store: &policy.Store{KVStore: store, Logger: log.Named("test")},
 		Agent: agent}
 
-	polKey := pm.getPolicyKey(appraisal)
+	polKey := pm.getPolicyKey(appraisal.EvidenceContext.TenantId, appraisal.Scheme)
 	assert.Equal(t, "0:TPM_ENACTTRUST:opa", polKey.String())
 
 	pol, err := pm.getPolicy(polKey)
@@ -82,7 +82,7 @@ func TestPolicyMgr_getPolicy_OK(t *testing.T) {
 
 	pm := &PolicyManager{Store: &policy.Store{KVStore: store}, Agent: agent}
 
-	polKey := pm.getPolicyKey(appraisal)
+	polKey := pm.getPolicyKey(appraisal.EvidenceContext.TenantId, appraisal.Scheme)
 	assert.Equal(t, "0:TPM_ENACTTRUST:opa", polKey.String())
 
 	_, err = pm.getPolicy(polKey)
@@ -129,6 +129,7 @@ func TestPolicyMgr_Evaluate_OK(t *testing.T) {
 	endorsements := []string{"h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc="}
 	ar := ear.NewAttestationResult("test", "test", "test")
 	ap := &appraisal.Appraisal{EvidenceContext: ec, Result: ar, Scheme: "TPM_ENACTTRUST"}
+	ap.Endorsements = endorsements
 
 	polID := "policy:TPM_ENACTTRUST"
 	tier := ear.TrustTierAffirming
@@ -140,7 +141,7 @@ func TestPolicyMgr_Evaluate_OK(t *testing.T) {
 		Evaluate(
 			context.TODO(),
 			gomock.Any(),
-			"test",
+			"TPM_ENACTTRUST",
 			gomock.Any(),
 			gomock.Any(),
 			ar.Submods["test"],
@@ -153,7 +154,7 @@ func TestPolicyMgr_Evaluate_OK(t *testing.T) {
 		Agent:  agent,
 		logger: log.Named("manager"),
 	}
-	err := pm.Evaluate(context.TODO(), "test", ap, endorsements)
+	err := pm.Evaluate(context.TODO(), ap)
 	require.NoError(t, err)
 }
 
@@ -174,17 +175,17 @@ func TestPolicyMgr_Evaluate_NOK(t *testing.T) {
 	}
 	endorsements := []string{"h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc="}
 	ar := ear.NewAttestationResult("test", "test", "test")
-	ap := &appraisal.Appraisal{EvidenceContext: ec, Result: ar, Scheme: "TPM_ENACTTRUST"}
+	ap := &appraisal.Appraisal{EvidenceContext: ec, Result: ar, Scheme: "TPM_ENACTTRUST", Endorsements: endorsements}
 	expectedErr := errors.New("could not evaluate policy: policy returned bad update")
 	agent := mock_deps.NewMockIAgent(ctrl)
 	agent.EXPECT().GetBackendName().Return("opa")
-	agent.EXPECT().Evaluate(context.TODO(), gomock.Any(), "test", gomock.Any(), gomock.Any(), ar.Submods["test"], ec, endorsements).Return(nil, expectedErr)
+	agent.EXPECT().Evaluate(context.TODO(), gomock.Any(), "TPM_ENACTTRUST", gomock.Any(), gomock.Any(), ar.Submods["test"], ec, endorsements).Return(nil, expectedErr)
 	pm := &PolicyManager{
 		Store:  &policy.Store{KVStore: store, Logger: log.Named("store")},
 		Agent:  agent,
 		logger: log.Named("manager"),
 	}
-	err := pm.Evaluate(context.TODO(), "test", ap, endorsements)
+	err := pm.Evaluate(context.TODO(), ap)
 	assert.ErrorIs(t, err, expectedErr)
 
 }

vts/trustedservices/Makefile

@@ -3,7 +3,17 @@
 
 GOPKG := github.com/veraison/services/vts/trustedservices
 
-all-hook-pre test-hook-pre lint-hook-pre:
+INTERFACES += ../../plugin/imanager.go
+INTERFACES += ../../plugin/ipluggable.go
+INTERFACES += ../earsigner/iearsigner.go
+INTERFACES += ../../handler/ievidencehandler.go
+INTERFACES += ../../handler/istorehandler.go
+INTERFACES += ../../kvstore/ikvstore.go
+INTERFACES += ../policymanager/ipolicymanager.go
+
+MOCKPKG := mocks
+
+all-hook-pre test-hook-pre lint-hook-pre: _mocks
 	$(MAKE) -C ../../proto protogen
 
 include ../../mk/common.mk