azure-security-attestation
Azure::Security::Attestation::AttestationAdministrationClient Class Reference (final)

The AttestationAdministrationClient implements the functionality required by the "Administration" family of attestation service APIs. More...

#include <attestation_administration_client.hpp>

Public Member Functions

 AttestationAdministrationClient (AttestationAdministrationClient const &attestationClient)=default
 Construct a new Attestation Administration Client object from another attestation administration client. More...
 
virtual ~AttestationAdministrationClient ()=default
 Destructor. More...
 
std::string const Endpoint () const
 Returns the Endpoint which the client is communicating with. More...
 
Response< Models::AttestationToken< std::string > > GetAttestationPolicy (Models::AttestationType const &attestationType, GetPolicyOptions const &options=GetPolicyOptions{}, Azure::Core::Context const &context=Azure::Core::Context{}) const
 Retrieves an Attestation Policy from the service. More...
 
Response< Models::AttestationToken< Models::PolicyResult > > SetAttestationPolicy (Models::AttestationType const &attestationType, std::string const &policyToSet, SetPolicyOptions const &options=SetPolicyOptions{}, Azure::Core::Context const &context=Azure::Core::Context{}) const
 Sets the attestation policy for the specified AttestationType. More...
 
Response< Models::AttestationToken< Models::PolicyResult > > ResetAttestationPolicy (Models::AttestationType const &attestationType, SetPolicyOptions const &options=SetPolicyOptions{}, Azure::Core::Context const &context=Azure::Core::Context{}) const
 Resets the attestation policy for the specified AttestationType to its default. More...
 
Models::AttestationToken< void > CreateAttestationPolicyToken (Azure::Nullable< std::string > const &policyToSet, Azure::Nullable< AttestationSigningKey > const &signingKey={}) const
 Returns an Attestation Token object which would be sent to the attestation service to set or reset an attestation policy. More...
 
Response< Models::AttestationToken< Models::IsolatedModeCertificateListResult > > GetIsolatedModeCertificates (GetIsolatedModeCertificatesOptions const &options=GetIsolatedModeCertificatesOptions{}, Azure::Core::Context const &context=Azure::Core::Context{}) const
 Retrieves the list of isolated mode management certificates. More...
 
Response< Models::AttestationToken< Models::IsolatedModeCertificateModificationResult > > AddIsolatedModeCertificate (std::string const &pemEncodedCertificateToAdd, AttestationSigningKey const &signerForRequest, AddIsolatedModeCertificateOptions const &options=AddIsolatedModeCertificateOptions{}, Azure::Core::Context const &context=Azure::Core::Context{}) const
 Adds a new certificate to the list of policy management certificates. More...
 
Response< Models::AttestationToken< Models::IsolatedModeCertificateModificationResult > > RemoveIsolatedModeCertificate (std::string const &pemEncodedCertificateToAdd, AttestationSigningKey const &signerForRequest, RemoveIsolatedModeCertificateOptions const &options=RemoveIsolatedModeCertificateOptions{}, Azure::Core::Context const &context=Azure::Core::Context{}) const
 Removes a certificate from the list of policy management certificates for the instance. More...
 

Static Public Member Functions

static AttestationAdministrationClient Create (std::string const &endpoint, std::shared_ptr< Core::Credentials::TokenCredential const > credential, AttestationAdministrationClientOptions const &options=AttestationAdministrationClientOptions{}, Azure::Core::Context const &context=Azure::Core::Context{})
 Construct a new Attestation Administration Client object. More...
 

Detailed Description

Note: Attestation administration APIs cannot be used on shared attestation service instances.

The Administration family of APIs manages:

  - Attestation policies (GetAttestationPolicy, SetAttestationPolicy, ResetAttestationPolicy)
  - Isolated mode policy management certificates (GetIsolatedModeCertificates, AddIsolatedModeCertificate, RemoveIsolatedModeCertificate)

There are three flavors of attestation service instances:

  1. Shared Mode
  2. AAD Mode
  3. Isolated Mode

Shared mode attestation service instances do not allow any administration actions at all. They exist to allow customers to perform attestation operations without requiring any customizations.

AAD Mode instances allow customers to modify attestation policies. When the attestation instance is in AAD mode, the creator of the instance indicates that they trust ARM RBAC and Microsoft AAD to validate client connections to the service. As such, additional proof of authorization is not required for administrative operations.

Isolated Mode instances require additional proof of authorization: every policy operation must be signed with the private key of one of the X.509 policy management certificates configured on the instance (the set returned by GetIsolatedModeCertificates). An AAD token alone is not sufficient to change policy or to add or remove management certificates.

Constructor & Destructor Documentation

◆ AttestationAdministrationClient()

Azure::Security::Attestation::AttestationAdministrationClient::AttestationAdministrationClient ( AttestationAdministrationClient const &  attestationClient)
default
Parameters
attestationClient: An existing attestation administration client to copy.

◆ ~AttestationAdministrationClient()

virtual Azure::Security::Attestation::AttestationAdministrationClient::~AttestationAdministrationClient ( )
virtual default

Member Function Documentation

◆ AddIsolatedModeCertificate()

Azure::Response< Models::AttestationToken< Models::IsolatedModeCertificateModificationResult > > AttestationAdministrationClient::AddIsolatedModeCertificate ( std::string const &  pemEncodedCertificateToAdd,
AttestationSigningKey const &  signerForRequest,
AddIsolatedModeCertificateOptions const &  options = AddIsolatedModeCertificateOptions{},
Azure::Core::Context const &  context = Azure::Core::Context{} 
) const

When the attestation service is running in "Isolated" mode, the service maintains a set of X.509 certificates which must be used to sign all policy operations. The AddIsolatedModeCertificate API adds a new certificate to the list of certificates which are used for this attestation service instance.

Note: The signerForRequest certificate MUST be one of the policy management certificates returned by GetIsolatedModeCertificates.
Parameters
pemEncodedCertificateToAdd: The X.509 certificate (PEM encoded) to add to the service instance.
signerForRequest: Private key and certificate pair used to sign the request to the service.
options: Options to be set when adding the new certificate.
context: Call context for the operation.
Returns
Response<Models::AttestationToken<Models::IsolatedModeCertificateModificationResult>> Return value from the operation.

◆ Create()

AttestationAdministrationClient AttestationAdministrationClient::Create ( std::string const &  endpoint,
std::shared_ptr< Core::Credentials::TokenCredential const >  credential,
AttestationAdministrationClientOptions const &  options = AttestationAdministrationClientOptions{},
Azure::Core::Context const &  context = Azure::Core::Context{} 
)
static
Parameters
endpoint: The URL of the attestation service instance the client will send requests to.
credential: The TokenCredential used to authenticate requests to the service.
options: The options to customize the client behavior.
context: Call context for the operation.
Returns
The newly created client.

◆ CreateAttestationPolicyToken()

Models::AttestationToken< void > AttestationAdministrationClient::CreateAttestationPolicyToken ( Azure::Nullable< std::string > const &  policyToSet,
Azure::Nullable< AttestationSigningKey > const &  signingKey = {} 
) const

To verify that the attestation service received the attestation policy, the service returns the SHA256 hash of the policy token which was sent to the service. To simplify the customer experience of interacting with the SetAttestationPolicy and ResetAttestationPolicy APIs, the CreateAttestationPolicyToken API generates the same token that those APIs would send to the service.

To ensure that the token which was sent from the client matches the token which was received by the attestation service, the customer can call CreateAttestationPolicyToken, compute the SHA256 hash of the RawToken field of the returned token and compare it with the value returned by the service; the two hash values should be identical.

Parameters
policyToSet: The policy document to set.
signingKey: Optional Attestation Signing Key used to sign the policy token. Use the same key that was passed in the SetPolicyOptions of the SetAttestationPolicy or ResetAttestationPolicy call; otherwise the generated token, and therefore its hash, will differ from what was sent.
Returns
Models::AttestationToken<void> Attestation token which would be sent to the attestation service based on this signing key.
Note: If policyToSet is null, then this generates a policy reset token.

◆ Endpoint()

std::string const Azure::Security::Attestation::AttestationAdministrationClient::Endpoint ( ) const
inline
Returns
The remote endpoint used when communicating with the attestation service.

◆ GetAttestationPolicy()

Azure::Response< Models::AttestationToken< std::string > > AttestationAdministrationClient::GetAttestationPolicy ( Models::AttestationType const &  attestationType,
GetPolicyOptions const &  options = GetPolicyOptions{},
Azure::Core::Context const &  context = Azure::Core::Context{} 
) const
Parameters
attestationType: Attestation type to be used when retrieving the policy.
options: Options to be used when retrieving the policy.
context: User defined context for the operation.
Returns
Response<Models::AttestationToken<std::string>> The returned policy from the service.

◆ GetIsolatedModeCertificates()

Azure::Response< Models::AttestationToken< IsolatedModeCertificateListResult > > AttestationAdministrationClient::GetIsolatedModeCertificates ( GetIsolatedModeCertificatesOptions const &  options = GetIsolatedModeCertificatesOptions{},
Azure::Core::Context const &  context = Azure::Core::Context{} 
) const

When the attestation service is running in "Isolated" mode, the service maintains a set of X.509 certificates which must be used to sign all policy operations. The GetIsolatedModeCertificates API returns the list of certificates which are used for this attestation service instance.

Parameters
options: Options to be set when retrieving the list of certificates.
context: Call context for the operation.
Returns
Response<Models::AttestationToken<Models::IsolatedModeCertificateListResult>> Return value from the operation, a set of attestation signers. Attestation policy operations on isolated instances must be signed by the private key associated with one of the listed certificates.

◆ RemoveIsolatedModeCertificate()

Azure::Response< Models::AttestationToken< Models::IsolatedModeCertificateModificationResult > > AttestationAdministrationClient::RemoveIsolatedModeCertificate ( std::string const &  pemEncodedCertificateToAdd,
AttestationSigningKey const &  signerForRequest,
RemoveIsolatedModeCertificateOptions const &  options = RemoveIsolatedModeCertificateOptions{},
Azure::Core::Context const &  context = Azure::Core::Context{} 
) const

When the attestation service is running in "Isolated" mode, the service maintains a set of X.509 certificates which must be used to sign all policy operations. The RemoveIsolatedModeCertificate API removes a certificate from the list of certificates which are used for this attestation service instance.

Note: The signerForRequest certificate MUST be one of the policy management certificates returned by GetIsolatedModeCertificates.
Parameters
pemEncodedCertificateToAdd: The X.509 certificate (PEM encoded) to remove from the service instance.
signerForRequest: Private key and certificate pair used to sign the request to the service.
options: Options to be set when removing the certificate.
context: Call context for the operation.
Returns
Response<Models::AttestationToken<Models::IsolatedModeCertificateModificationResult>> Return value from the operation.

◆ ResetAttestationPolicy()

Azure::Response< Models::AttestationToken< Models::PolicyResult > > AttestationAdministrationClient::ResetAttestationPolicy ( Models::AttestationType const &  attestationType,
SetPolicyOptions const &  options = SetPolicyOptions{},
Azure::Core::Context const &  context = Azure::Core::Context{} 
) const
Parameters
attestationType: The AttestationType whose policy is reset to its default.
options: Options used when resetting the policy, including the signer.
context: User defined context for the operation.
Returns
Response<Models::AttestationToken<Models::PolicyResult>> The result of the reset policy operation.

◆ SetAttestationPolicy()

Azure::Response< Models::AttestationToken< Models::PolicyResult > > AttestationAdministrationClient::SetAttestationPolicy ( Models::AttestationType const &  attestationType,
std::string const &  policyToSet,
SetPolicyOptions const &  options = SetPolicyOptions{},
Azure::Core::Context const &  context = Azure::Core::Context{} 
) const

The SetAttestationPolicy API sets the attestation policy for the specified attestationType to the value specified.

The result of a SetAttestationPolicy API call is a PolicyResult object, which contains the result of the operation, the hash of the AttestationToken object sent to the service, and (if the SetPolicyOptions contains a SigningKey field) the certificate which was used to sign the attestation policy.

Note that the hash of the AttestationToken is not immediately derivable from the inputs to this function: the function calls CreateAttestationPolicyToken to create the underlying token which will be sent to the service, and it is the serialized form of that token (its RawToken) which is hashed.

In order to verify that the attestation service correctly received the attestation policy sent by the client, the caller of the SetAttestationPolicy can also call CreateAttestationPolicyToken and calculate the SHA256 hash of the RawToken field and check to ensure that it matches the value returned by the service.

Parameters
attestationType: The AttestationType whose policy is set.
policyToSet: The policy document to set.
options: Options used when setting the policy, including the signer.
context: User defined context for the operation.
Returns
Response<Models::AttestationToken<Models::PolicyResult>> The result of the set policy operation.
