Address comment

.pipelines/build.yaml

@@ -36,6 +36,48 @@ jobs:
     workingDirectory: '$(System.DefaultWorkingDirectory)'
     displayName: 'Build'
 
+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@2
+    displayName: 'Sign Files'
+    inputs:
+      ConnectedServiceName: 'akshci_esrp'
+      FolderPath: '$(System.DefaultWorkingDirectory)/bin'
+      Pattern: '*.dll'
+      signConfigType: inlineSignParams
+      inlineOperation: |
+        [
+          {
+            "keyCode": "CP-230012",
+            "operationSetCode": "SigntoolSign",
+            "parameters": [
+              {
+                "parameterName": "OpusName",
+                "parameterValue": "Microsoft"
+              },
+              {
+                "parameterName": "OpusInfo",
+                "parameterValue": "http://www.microsoft.com"
+              },
+              {
+                "parameterName": "PageHash",
+                "parameterValue": "/NPH"
+              },
+              {
+                "parameterName": "FileDigest",
+                "parameterValue": "/fd sha256"
+              },
+              {
+                "parameterName": "TimeStamp",
+                "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+              }
+            ],
+            "toolName": "signtool.exe",
+            "toolVersion": "6.2.9304.0"
+          }
+        ]
+      SessionTimeout: '60'
+      MaxConcurrency: '50'
+      MaxRetryAttempts: '5'
+
   - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
     displayName: 'SBOM Generation'
     inputs:

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/Azure/go-autorest/autorest v0.9.0
 	github.com/Azure/go-autorest/autorest/date v0.2.0
 	github.com/google/uuid v1.3.0
-	github.com/microsoft/moc v0.11.0-alpha.5
+	github.com/microsoft/moc v0.11.0-alpha.13
 	google.golang.org/grpc v1.54.0
 	k8s.io/klog v1.0.0
 )

pkg/constant/constant.go

@@ -11,4 +11,5 @@ const (
 	DefaultServerContextTimeout          = 10 * time.Minute
 	CertificateValidityThreshold float64 = (30.0 / 100.0)
 	RenewalBackoff               float64 = (2.0 / 100.0)
+	OsRegistrationStatus         string  = "osRegistrationStatus"
 )

services/admin/health/client.go

@@ -15,6 +15,7 @@ import (
 type Service interface {
 	CheckHealth(ctx context.Context, timeoutSeconds uint32) error
 	GetAgentInfo(context.Context) (*common.NodeInfo, error)
+	GetDeploymentId(ctx context.Context) (string, error)
 }
 
 // Client structure
@@ -37,3 +38,20 @@ func (c *HealthClient) CheckHealth(ctx context.Context, timeoutSeconds uint32) e
 func (c *HealthClient) GetAgentInfo(ctx context.Context) (*common.NodeInfo, error) {
 	return c.internal.GetAgentInfo(ctx)
 }
+
+var deploymentId = ""
+
+// GetDeploymentId
+func (c *HealthClient) GetDeploymentId(ctx context.Context) (string, error) {
+	//if deploymentId is cached, directly return it
+	if len(deploymentId) != 0 {
+		return deploymentId, nil
+	}
+	id, err := c.internal.GetDeploymentId(ctx)
+	if err != nil {
+		deploymentId = ""
+		return "", err
+	}
+	deploymentId = id
+	return id, err
+}

services/admin/health/internal/moc.go

@@ -40,3 +40,12 @@ func (c *client) GetAgentInfo(ctx context.Context) (*common.NodeInfo, error) {
 	}
 	return response.Node, nil
 }
+
+// GetDeploymentId
+func (c *client) GetDeploymentId(ctx context.Context) (string, error) {
+	response, err := c.HealthAgentClient.GetAgentInfo(ctx, &emptypb.Empty{})
+	if err != nil {
+		return "", err
+	}
+	return response.DeploymentId, nil
+}

services/cloud/node/node.go

@@ -4,6 +4,9 @@
 package node
 
 import (
+	"strconv"
+
+	"github.com/microsoft/moc-sdk-for-go/pkg/constant"
 	"github.com/microsoft/moc-sdk-for-go/services/cloud"
 
 	"github.com/microsoft/moc/pkg/convert"
@@ -65,6 +68,7 @@ func getNode(nd *wssdcloud.Node) *cloud.Node {
 			Statuses:       getNodeStatuses(nd),
 		},
 		Version: &nd.Status.Version.Number,
+		Tags:    generateNodeTags(nd),
 	}
 }
 
@@ -74,3 +78,19 @@ func getNodeStatuses(node *wssdcloud.Node) map[string]*string {
 	statuses["Info"] = convert.ToStringPtr(node.GetInfo().String())
 	return statuses
 }
+
+func generateNodeTags(node *wssdcloud.Node) map[string]*string {
+	tags := make(map[string]*string)
+	populateOsRegistrationStatusTag(tags, node)
+	if len(tags) > 0 {
+		return tags
+	}
+	return nil
+}
+
+func populateOsRegistrationStatusTag(tags map[string]*string, node *wssdcloud.Node) {
+	if node.Info != nil && node.Info.OsInfo != nil && node.Info.OsInfo.OsRegistrationStatus != nil {
+		osRegistrationStatus := strconv.Itoa(int(node.Info.OsInfo.OsRegistrationStatus.Status))
+		tags[constant.OsRegistrationStatus] = &osRegistrationStatus
+	}
+}

services/compute/compute.go

@@ -259,11 +259,21 @@ type UefiSettings struct {
 	// SecureBootEnabled - Specifies whether secure boot should be enabled on the virtual machine.
 	SecureBootEnabled *bool `json:"secureBootEnabled,omitempty"`
 }
+type SecurityTypes string
+
+// possible values of security type string
+const (
+	TrustedLaunch  SecurityTypes = "TrustedLaunch"
+	ConfidentialVM SecurityTypes = "ConfidentialVM"
+)
 
 type SecurityProfile struct {
 	EnableTPM *bool `json:"enableTPM,omitempty"`
 	//Security related configuration used while creating the virtual machine.
 	UefiSettings *UefiSettings `json:"uefiSettings,omitempty"`
+	// SecurityType - Specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UefiSettings.
+	// Default: UefiSettings will not be enabled unless this property is set. Possible values include: 'TrustedLaunch', 'ConfidentialVM'
+	SecurityType SecurityTypes `json:"securityType,omitempty"`
 }
 
 // Plan specifies information about the marketplace image used to create the virtual machine. This element

services/compute/virtualmachine/virtualmachine.go

@@ -203,6 +203,7 @@ func (c *client) getWssdVirtualMachineSecurityConfiguration(vm *compute.VirtualM
 	enableTPM := false
 	var uefiSettings *wssdcloudcompute.UefiSettings
 	uefiSettings = nil
+	securityType := wssdcommon.SecurityType_NOTCONFIGURED
 	if vm.SecurityProfile != nil {
 		if vm.SecurityProfile.EnableTPM != nil {
 			enableTPM = *vm.SecurityProfile.EnableTPM
@@ -212,11 +213,18 @@ func (c *client) getWssdVirtualMachineSecurityConfiguration(vm *compute.VirtualM
 				SecureBootEnabled: *vm.SecurityProfile.UefiSettings.SecureBootEnabled,
 			}
 		}
+		switch vm.SecurityProfile.SecurityType {
+		case compute.TrustedLaunch:
+			securityType = wssdcommon.SecurityType_TRUSTEDLAUNCH
+		case compute.ConfidentialVM:
+			securityType = wssdcommon.SecurityType_CONFIDENTIALVM
+		}
 	}
 
 	wssdsecurity := &wssdcloudcompute.SecurityConfiguration{
 		EnableTPM:    enableTPM,
 		UefiSettings: uefiSettings,
+		SecurityType: securityType,
 	}
 	return wssdsecurity, nil
 }
@@ -518,6 +526,8 @@ func (c *client) getVirtualMachineSecurityProfile(vm *wssdcloudcompute.VirtualMa
 	enableTPM := false
 	var uefiSettings *compute.UefiSettings
 	uefiSettings = nil
+	var securityType compute.SecurityTypes
+
 	if vm.Security != nil {
 		enableTPM = vm.Security.EnableTPM
 		if vm.Security.UefiSettings != nil {
@@ -525,12 +535,20 @@ func (c *client) getVirtualMachineSecurityProfile(vm *wssdcloudcompute.VirtualMa
 				SecureBootEnabled: &vm.Security.UefiSettings.SecureBootEnabled,
 			}
 		}
+		switch vm.Security.SecurityType {
+		case wssdcommon.SecurityType_TRUSTEDLAUNCH:
+			securityType = compute.TrustedLaunch
+		case wssdcommon.SecurityType_CONFIDENTIALVM:
+			securityType = compute.ConfidentialVM
+		}
 	}
 
 	return &compute.SecurityProfile{
 		EnableTPM:    &enableTPM,
 		UefiSettings: uefiSettings,
+		SecurityType: securityType,
 	}
+
 }
 
 func (c *client) getVirtualMachineHostDescription(vm *wssdcloudcompute.VirtualMachine) *compute.SubResource {

services/network/networkinterface/networkinterface.go

@@ -126,6 +126,9 @@ func getWssdNetworkInterfaceIPConfig(ipConfig *network.InterfaceIPConfiguration)
 	if ipConfig.Gateway != nil {
 		wssdipconfig.Gateway = *ipConfig.Gateway
 	}
+	if ipConfig.Primary != nil {
+		wssdipconfig.Primary = *ipConfig.Primary
+	}
 	ipAllocationMethodSdkToProtobuf(ipConfig, wssdipconfig)
 
 	if ipConfig.LoadBalancerBackendAddressPools != nil {
@@ -182,6 +185,7 @@ func getNetworkIpConfig(wssdcloudipconfig *wssdcloudnetwork.IpConfiguration) *ne
 			Subnet:           &network.APIEntityReference{ID: &wssdcloudipconfig.Subnetid},
 			Gateway:          &wssdcloudipconfig.Gateway,
 			PrefixLength:     &wssdcloudipconfig.Prefixlength,
+			Primary:          &wssdcloudipconfig.Primary,
 		},
 	}
 

services/security/keyvault/key/key.go

@@ -305,6 +305,10 @@ func GetMOCKeyWrappingAlgorithm(algo keyvault.KeyWrappingAlgorithm) (wrappingAlg
 	switch algo {
 	case keyvault.CKM_RSA_AES_KEY_WRAP:
 		wrappingAlgo = wssdcloudcommon.KeyWrappingAlgorithm_CKM_RSA_AES_KEY_WRAP
+	case keyvault.RSA_AES_KEY_WRAP_256:
+		wrappingAlgo = wssdcloudcommon.KeyWrappingAlgorithm_RSA_AES_KEY_WRAP_256
+	case keyvault.RSA_AES_KEY_WRAP_384:
+		wrappingAlgo = wssdcloudcommon.KeyWrappingAlgorithm_RSA_AES_KEY_WRAP_384
 	default:
 		err = errors.Wrapf(errors.InvalidInput, "Invalid Algorithm [%s]", algo)
 	}
@@ -315,6 +319,10 @@ func GetKeyWrappingAlgorithm(algo wssdcloudcommon.KeyWrappingAlgorithm) (wrappin
 	switch algo {
 	case wssdcloudcommon.KeyWrappingAlgorithm_CKM_RSA_AES_KEY_WRAP:
 		wrappingAlgo = keyvault.CKM_RSA_AES_KEY_WRAP
+	case wssdcloudcommon.KeyWrappingAlgorithm_RSA_AES_KEY_WRAP_256:
+		wrappingAlgo = keyvault.RSA_AES_KEY_WRAP_256
+	case wssdcloudcommon.KeyWrappingAlgorithm_RSA_AES_KEY_WRAP_384:
+		wrappingAlgo = keyvault.RSA_AES_KEY_WRAP_384
 	default:
 		err = errors.Wrapf(errors.Failed, "Invalid Algorithm [%s]", algo)
 	}

services/security/keyvault/keyvault.go

@@ -208,6 +208,10 @@ type KeyWrappingAlgorithm string
 const (
 	// CKM_RSA_AES_KEY_WRAP
 	CKM_RSA_AES_KEY_WRAP KeyWrappingAlgorithm = "CKM_RSA_AES_KEY_WRAP"
+	//RSA_AES_KEY_WRAP_256
+	RSA_AES_KEY_WRAP_256 KeyWrappingAlgorithm = "RSA_AES_KEY_WRAP_256"
+	//RSA_AES_KEY_WRAP_384
+	RSA_AES_KEY_WRAP_384 KeyWrappingAlgorithm = "RSA_AES_KEY_WRAP_384"
 	// NO_KEY_WRAP
 	NO_KEY_WRAP KeyWrappingAlgorithm = "NO_KEY_WRAP"
 )