feat(verification): add discovery client

Signed-off-by: Thomas Fossati <[email protected]>

Author: thomas-fossati

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/moogar0880/problems v0.1.1
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
 	github.com/veraison/cmw v0.2.0
 	golang.org/x/oauth2 v0.11.0
 )
@@ -17,7 +17,7 @@ require (
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/net v0.14.0 // indirect
+	golang.org/x/net v0.21.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -17,16 +17,16 @@ github.com/moogar0880/problems v0.1.1 h1:bktLhq8NDG/czU2ZziYNigBFksx13RaYe5AVdNm
 github.com/moogar0880/problems v0.1.1/go.mod h1:5Dxrk2sD7BfBAgnOzQ1yaTiuCYdGPUh49L8Vhfky62c=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/veraison/cmw v0.2.0 h1:BWEvwZnD4nn5osq6XwQpTRcGxwV+Su4t6ytdAbVXAJY=
 github.com/veraison/cmw v0.2.0/go.mod h1:OiYKk1t6/Fmmg30ZpSMzi4nKr5kt3374sNTkgxC5BDs=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
-golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
 golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=

verification/discovery.go

@@ -0,0 +1,156 @@
+// Copyright 2026 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package verification
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"github.com/veraison/apiclient/common"
+)
+
+var discoveryMediaType = "application/vnd.veraison.discovery+json"
+
+// DiscoveryConfig holds the configuration for one or more retrievals from the discovery endpoint.
+type DiscoveryConfig struct {
+	caCerts      []string       // paths to CA certs to be used in addition to system certs for TLS connections
+	discoveryURI string         // URI of the discovery endpoint
+	client       *common.Client // HTTP(s) client connection configuration
+	useTLS       bool           // use TLS for server connections
+	isInsecure   bool           // allow insecure server connections (only matters when UseTLS is true)
+}
+
+type DiscoveryObject struct {
+	PublicKey    json.RawMessage   `json:"ear-verification-key,omitempty"`
+	MediaTypes   []string          `json:"media-types,omitempty"`
+	Schemes      []string          `json:"attestation-schemes,omitempty"`
+	Version      string            `json:"version"`
+	ServiceState string            `json:"service-state"`
+	ApiEndpoints map[string]string `json:"api-endpoints"`
+}
+
+// SetDiscoveryURI sets the discovery URI supplied by the user
+func (cfg *DiscoveryConfig) SetDiscoveryURI(uri string) error {
+	u, err := url.Parse(uri)
+	if err != nil {
+		return fmt.Errorf("malformed discovery URI: %w", err)
+	}
+	if !u.IsAbs() {
+		return errors.New("the supplied discovery URI is not absolute")
+	}
+	cfg.useTLS = u.Scheme == "https"
+	cfg.discoveryURI = uri
+	return nil
+}
+
+// SetIsInsecure sets the flag to allow insecure server connections
+func (cfg *DiscoveryConfig) SetIsInsecure() {
+	cfg.isInsecure = true
+}
+
+// SetCerts sets the CA certificates to the specified paths
+func (cfg *DiscoveryConfig) SetCerts(paths []string) error {
+	if paths == nil || len(paths) == 0 {
+		return errors.New("no CA certificate paths supplied")
+	}
+	cfg.caCerts = paths
+	return nil
+}
+
+// SetClient sets the HTTP(s) client connection configuration
+func (cfg *DiscoveryConfig) SetClient(client *common.Client) error {
+	if client == nil {
+		return errors.New("no client supplied")
+	}
+	cfg.client = client
+	return nil
+}
+
+// Run retrieves the discovery document from the configured endpoint.
+// On success, the decoded discovery document is returned.
+func (cfg *DiscoveryConfig) Run() (*DiscoveryObject, error) {
+	if err := cfg.check(); err != nil {
+		return nil, err
+	}
+
+	// Attach the default client if the user hasn't supplied one
+	if err := cfg.initClient(); err != nil {
+		return nil, err
+	}
+
+	res, err := cfg.discovery()
+	if err != nil {
+		return nil, fmt.Errorf("discovery failed: %w", err)
+	}
+
+	j := DiscoveryObject{}
+
+	err = common.DecodeJSONBody(res, &j)
+	if err != nil {
+		return nil, fmt.Errorf("failure JSON decoding response body: %w", err)
+	}
+
+	return &j, nil
+}
+
+// discovery creates the GET request to the discovery endpoint and returns the response
+func (cfg DiscoveryConfig) discovery() (*http.Response, error) {
+	req, err := http.NewRequest("GET", cfg.discoveryURI, http.NoBody)
+	if err != nil {
+		return nil, fmt.Errorf("building discovery request: %w", err)
+	}
+
+	// add the Accept header
+	req.Header.Set("Accept", discoveryMediaType)
+
+	hc := &cfg.client.HTTPClient
+
+	res, err := hc.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("discovery request failed: %w", err)
+	}
+
+	return res, nil
+}
+
+// check makes sure that the config object is in good shape
+func (cfg DiscoveryConfig) check() error {
+	if cfg.discoveryURI == "" {
+		return errors.New("bad configuration: no discovery URI")
+	}
+
+	// It's OK if we don't have a client at this point in time; if needed we
+	// will instantiate the default one later.
+
+	return nil
+}
+
+func (cfg *DiscoveryConfig) initClient() error {
+	if cfg.client != nil {
+		return nil // client already initialized
+	}
+
+	if !cfg.useTLS {
+		// Use a nil authenticator.
+		// The (reasonable) assumption is that the discovery endpoint is always
+		// unauthenticated.
+		cfg.client = common.NewClient(nil)
+		return nil
+	}
+
+	if cfg.isInsecure {
+		// Ditto about the nil authenticator.
+		cfg.client = common.NewInsecureTLSClient(nil)
+		return nil
+	}
+
+	var err error
+
+	cfg.client, err = common.NewTLSClient(nil, cfg.caCerts)
+
+	return err
+}

verification/discovery_test.go

@@ -0,0 +1,169 @@
+// Copyright 2026 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package verification
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/veraison/apiclient/common"
+)
+
+var (
+	testDiscoveryObject = &DiscoveryObject{
+		PublicKey: []byte(`{ "alg": "ES256", "crv": "P-256", "kty": "EC", "x": "usWxHK2PmfnHKwXPS54m0kTcGJ90UiglWiGahtagnv8", "y": "IBOL-C3BttVivg-lSreASjpkttcsz-1rb7btKLv8EX4" }`),
+		MediaTypes: []string{
+			"application/vnd.enacttrust.tpm-evidence",
+			"application/vnd.parallaxsecond.key-attestation.tpm",
+			"application/eat+cwt; eat_profile=\"tag:psacertified.org,2023:psa#tfm\"",
+			"application/vnd.veraison.tsm-report+cbor",
+			"application/vnd.veraison.configfs-tsm+json",
+			"application/vnd.parallaxsecond.key-attestation.cca",
+			"application/psa-attestation-token",
+			"application/eat-cwt; profile=\"http://arm.com/psa/2.0.0\"",
+			"application/eat+cwt; eat_profile=\"tag:psacertified.org,2019:psa#legacy\"",
+			"application/pem-certificate-chain",
+			"application/eat-collection; profile=\"http://arm.com/CCA-SSD/1.0.0\"",
+			"application/eat+cwt; eat_profile=\"tag:github.com,2025:veraison/ratsd/cmw\"",
+		},
+		Version:      "0.0.2511+f1ccf18",
+		ServiceState: "READY",
+		ApiEndpoints: map[string]string{
+			"newChallengeResponseSession": "/challenge-response/v1/newSession",
+		},
+	}
+
+	testDiscoveryObjectJSON = `{
+  "ear-verification-key": { "alg": "ES256", "crv": "P-256", "kty": "EC", "x": "usWxHK2PmfnHKwXPS54m0kTcGJ90UiglWiGahtagnv8", "y": "IBOL-C3BttVivg-lSreASjpkttcsz-1rb7btKLv8EX4" },
+  "media-types": [
+    "application/vnd.enacttrust.tpm-evidence",
+    "application/vnd.parallaxsecond.key-attestation.tpm",
+    "application/eat+cwt; eat_profile=\"tag:psacertified.org,2023:psa#tfm\"",
+    "application/vnd.veraison.tsm-report+cbor",
+    "application/vnd.veraison.configfs-tsm+json",
+    "application/vnd.parallaxsecond.key-attestation.cca",
+    "application/psa-attestation-token",
+    "application/eat-cwt; profile=\"http://arm.com/psa/2.0.0\"",
+    "application/eat+cwt; eat_profile=\"tag:psacertified.org,2019:psa#legacy\"",
+    "application/pem-certificate-chain",
+    "application/eat-collection; profile=\"http://arm.com/CCA-SSD/1.0.0\"",
+    "application/eat+cwt; eat_profile=\"tag:github.com,2025:veraison/ratsd/cmw\""
+  ],
+  "version": "0.0.2511+f1ccf18",
+  "service-state": "READY",
+  "api-endpoints": {
+    "newChallengeResponseSession": "/challenge-response/v1/newSession"
+  }
+}`
+	testDiscoveryURI      = "http://discovery.example.com/.well-known/verification"
+	testDiscoveryURIHTTPS = "https://discovery.example.com/.well-known/verification"
+)
+
+func TestDiscoveryConfig_Run_ok(t *testing.T) {
+	var err error
+
+	expectedBody := testDiscoveryObject
+
+	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", discoveryMediaType)
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(testDiscoveryObjectJSON))
+	})
+
+	client, teardown := common.NewTestingHTTPClient(h)
+	defer teardown()
+
+	var cfg DiscoveryConfig
+
+	err = cfg.SetDiscoveryURI(testDiscoveryURI)
+	require.NoError(t, err)
+
+	err = cfg.SetClient(client)
+	require.NoError(t, err)
+
+	actualBody, err := cfg.Run()
+	assert.NoError(t, err)
+	assert.Equal(t, expectedBody, actualBody)
+}
+
+func TestDiscoveryConfig_Run_fail_bad_object(t *testing.T) {
+	var err error
+
+	badObject := []byte(`[ "deadbeef" ]`)
+
+	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", discoveryMediaType)
+		w.WriteHeader(http.StatusOK)
+		w.Write(badObject)
+	})
+
+	client, teardown := common.NewTestingHTTPClient(h)
+	defer teardown()
+
+	var cfg DiscoveryConfig
+
+	err = cfg.SetDiscoveryURI(testDiscoveryURI)
+	require.NoError(t, err)
+
+	err = cfg.SetClient(client)
+	require.NoError(t, err)
+
+	_, err = cfg.Run()
+	assert.ErrorContains(t, err, "failure JSON decoding response body")
+}
+
+func TestDiscoveryConfig_Run_fail_configuration(t *testing.T) {
+	var err error
+	var cfg DiscoveryConfig
+
+	_, err = cfg.Run()
+	assert.ErrorContains(t, err, "bad configuration: no discovery URI")
+}
+
+func TestDiscoveryConfig_Run_fail_init_tls_with_nonexistent_certs(t *testing.T) {
+	var err error
+	var cfg DiscoveryConfig
+
+	err = cfg.SetDiscoveryURI(testDiscoveryURIHTTPS)
+	require.NoError(t, err)
+
+	err = cfg.SetCerts([]string{"/path/to/nonexistent/cert.pem"})
+	require.NoError(t, err)
+
+	_, err = cfg.Run()
+	assert.ErrorContains(t, err, "could not read cert")
+}
+
+func TestDiscoveryConfig_Setters_fail_misc(t *testing.T) {
+	var err error
+	var cfg DiscoveryConfig
+
+	err = cfg.SetDiscoveryURI("http://[::1]:namedport")
+	assert.ErrorContains(t, err, "malformed discovery URI")
+
+	err = cfg.SetDiscoveryURI("relative/path")
+	assert.ErrorContains(t, err, "the supplied discovery URI is not absolute")
+
+	err = cfg.SetCerts(nil)
+	assert.ErrorContains(t, err, "no CA certificate paths supplied")
+
+	err = cfg.SetClient(nil)
+	assert.ErrorContains(t, err, "no client supplied")
+}
+
+func TestDiscoveryConfig_Setters_ok_misc(t *testing.T) {
+	var err error
+	var cfg DiscoveryConfig
+
+	err = cfg.SetDiscoveryURI(testDiscoveryURIHTTPS)
+	assert.NoError(t, err)
+
+	err = cfg.SetCerts([]string{"/path/to/cert1.pem", "/path/to/cert2.pem"})
+	assert.NoError(t, err)
+
+	err = cfg.SetClient(common.NewClient(nil))
+	assert.NoError(t, err)
+}