Azure · LarryOsterman · May 23, 2022 · May 17, 2022 · May 17, 2022 · May 18, 2022
@@ -69,9 +69,10 @@ int main()
 
     // Attestation
     std::cout << "Creating Attestation Clients" << std::endl;
-    AttestationClient attestationClient(AttestationClient::Create(smokeUrl));
-    AttestationAdministrationClient attestationAdminClient(
-        AttestationAdministrationClient::Create(smokeUrl, credential));
+    std::unique_ptr<AttestationClient> attestationClient(
+        AttestationClientFactory::Create(std::getenv("ATTESTATION_AAD_URL")));
+    std::unique_ptr<AttestationAdministrationClient> attestationAdminClient(
+        AttestationAdministrationClientFactory::Create(std::getenv("ATTESTATION_AAD_URL"), credential));
 
     std::cout << "Successfully Created the Clients" << std::endl;
   }

@@ -5,6 +5,14 @@
 ### Features Added
 
 ### Breaking Changes
+- `ValueToSend` field in `TpmAttestationOptions` becomes `Payload`.
+- `AddIsolatedModeCertificatesOptions` becomes `AddIsolatedModeCertificateOptions`
+- `RemoveIsolatedModeCertificatesOptions` becomes `RemoveIsolatedModeCertificateOptions`
+- Renamed `AttestEnclaveOptions` to `AttestSgxEnclaveOptions` and `AttestOpenEnclaveOptions`.
+- Split out `AttestationClient::Create` into its own factory class `AttestationClientFactory`.
+    - Note that the `AttestationClientFactory::Create` method returns a `std::unique_ptr` to the client object.
+- Split out `AttestationAdministrationClient::Create` into its own factory class `AttestationAdministrationClientFactory`.
+    - Note that the `AttestationAdministrationClientFactory::Create` method returns a `std::unique_ptr` to the client object.
 
 ### Bugs Fixed
 

@@ -206,11 +206,11 @@ Isolated Mode Certificate Management APIs enable clients to add, remove or enume
 
 #### Create an attestation client
 
-The `AttestationClient::Create` method is used to create instances of the attestation client:
+The `AttestationClientFactory::Create` method is used to create instances of the attestation client:
 
 ```cpp
     std::string endpoint = std::getenv("ATTESTATION_AAD_URL");
-    return Azure::Security::Attestation::AttestationClient::CreatePointer(m_endpoint);
+    return Azure::Security::Attestation::AttestationClientFactory::CreatePointer(m_endpoint);
 ```
 
 If the attestation APIs require authentication, use the following (note that unlike the previous example, 
@@ -221,7 +221,7 @@ std::string endpoint = std::getenv("ATTESTATION_AAD_URL");
 std::shared_ptr<Azure::Core::Credentials::TokenCredential> credential
     = std::make_shared<Azure::Identity::ClientSecretCredential>(
       std::getenv("AZURE_TENANT_ID"), std::getenv("AZURE_CLIENT_ID"), std::getenv("AZURE_CLIENT_SECRET"));
-return Azure::Security::Attestation::AttestationClient::Create(m_endpoint, credential);
+return Azure::Security::Attestation::AttestationClientFactory::Create(m_endpoint, credential);
 ```
 
 The same pattern is used to create an `Azure::Security::Attestation::AttestationAdministrationClient`.
@@ -267,17 +267,14 @@ std::string endpoint = std::getenv("ATTESTATION_AAD_URL");
 std::shared_ptr<Azure::Core::Credentials::TokenCredential> credential
       = std::make_shared<Azure::Identity::ClientSecretCredential>(
           std::getenv("AZURE_TENANT_ID"), std::getenv("AZURE_CLIENT_ID"), std::getenv("AZURE_CLIENT_SECRET"));
-AttestationAdministrationClient adminClient(m_endpoint, credential);
+AttestationAdministrationClient adminClient(AttestationAdministrationClientFactory::Create(m_endpoint, credential));
 ```
 
 #### Retrieve current attestation policy for OpenEnclave
 
 Use the `GetAttestationPolicy` API to retrieve the current attestation policy for a given TEE.
 
 ```cpp
-    // Retrieve attestation response validation collateral before calling into the service.
-    adminClient.RetrieveResponseValidationCollateral();
-
     // Retrieve the SGX Attestation Policy from this attestation service instance.
     Azure::Response<AttestationToken<std::string>> const sgxPolicy
         = adminClient.GetAttestationPolicy(AttestationType::SgxEnclave);
@@ -291,9 +288,6 @@ When an attestation instance is in AAD mode, the caller can use a convenience me
 policy on the instance.
 
 ```cpp
-    // Retrieve attestation response validation collateral before calling into the service.
-    adminClient.RetrieveResponseValidationCollateral();
-
     // Set the attestation policy on this attestation instance.
     // Note that because this is an AAD mode instance, the caller does not need to sign the policy
     // being set.
@@ -368,9 +362,6 @@ the policy management tokens. This interaction ensures that the client is in pos
 one of the policy management certificates and is thus authorized to perform the operation.
 
 ```cpp
-// Retrieve attestation response validation collateral before calling into the service.
-adminClient.RetrieveResponseValidationCollateral();
-
 // Retrieve the SGX Attestation Policy from this attestation service instance.
 Azure::Response<AttestationToken<IsolatedModeCertificateListResult>> const policyCertificates
         = adminClient.GetIsolatedModeCertificates();
@@ -396,9 +387,6 @@ ignored (this possibly surprising behavior is there because retries could cause
 
     AttestationSigningKey const requestSigner{pemSigningKey, pemSigningCert};
 
-    // Retrieve attestation response validation collateral before calling into the service.
-    adminClient.RetrieveResponseValidationCollateral();
-
     // We start this sample by adding a new certificate to the set of policy management
     // certificates.
     {

@@ -44,6 +44,8 @@ namespace Azure { namespace Security { namespace Attestation {
    *
    */
   class AttestationAdministrationClient final {
+    friend class AttestationAdministrationClientFactory;
+
   public:
     /**
      * @brief Construct a new Attestation Administration Client object from another attestation
@@ -84,7 +86,7 @@ namespace Azure { namespace Security { namespace Attestation {
      */
     Response<Models::AttestationToken<std::string>> GetAttestationPolicy(
         Models::AttestationType const& attestationType,
-        GetPolicyOptions const& options = GetPolicyOptions(),
+        GetPolicyOptions const& options = GetPolicyOptions{},
         Azure::Core::Context const& context = Azure::Core::Context{}) const;
 
     /**
@@ -121,7 +123,7 @@ namespace Azure { namespace Security { namespace Attestation {
     Response<Models::AttestationToken<Models::PolicyResult>> SetAttestationPolicy(
         Models::AttestationType const& attestationType,
         std::string const& policyToSet,
-        SetPolicyOptions const& options = SetPolicyOptions(),
+        SetPolicyOptions const& options = SetPolicyOptions{},
         Azure::Core::Context const& context = Azure::Core::Context{}) const;
 
     /**
@@ -139,7 +141,7 @@ namespace Azure { namespace Security { namespace Attestation {
      */
     Response<Models::AttestationToken<Models::PolicyResult>> ResetAttestationPolicy(
         Models::AttestationType const& attestationType,
-        SetPolicyOptions const& options = SetPolicyOptions(),
+        SetPolicyOptions const& options = SetPolicyOptions{},
         Azure::Core::Context const& context = Azure::Core::Context{}) const;
 
     /**
@@ -213,7 +215,7 @@ namespace Azure { namespace Security { namespace Attestation {
     AddIsolatedModeCertificate(
         std::string const& pemEncodedCertificateToAdd,
         AttestationSigningKey const& signerForRequest,
-        AddIsolatedModeCertificatesOptions const& options = AddIsolatedModeCertificatesOptions{},
+        AddIsolatedModeCertificateOptions const& options = AddIsolatedModeCertificateOptions{},
         Azure::Core::Context const& context = Azure::Core::Context{}) const;
 
     /**
@@ -240,49 +242,18 @@ namespace Azure { namespace Security { namespace Attestation {
     RemoveIsolatedModeCertificate(
         std::string const& pemEncodedCertificateToAdd,
         AttestationSigningKey const& signerForRequest,
-        AddIsolatedModeCertificatesOptions const& options = AddIsolatedModeCertificatesOptions{},
+        RemoveIsolatedModeCertificateOptions const& options
+        = RemoveIsolatedModeCertificateOptions{},
         Azure::Core::Context const& context = Azure::Core::Context{}) const;
 
-    /**
-     * @brief Construct a new Attestation Administration Client object.
-     *
-     * @param endpoint The URL address where the client will send the requests to.
-     * @param credential The authentication token to use.
-     * @param options The options to customize the client behavior.
-     * @return std::unique_ptr<AttestationAdministrationClient> The newly created client.
-     */
-    static AttestationAdministrationClient Create(
-        std::string const& endpoint,
-        std::shared_ptr<Core::Credentials::TokenCredential const> credential,
-        AttestationAdministrationClientOptions const& options
-        = AttestationAdministrationClientOptions(),
-        Azure::Core::Context const& context = Azure::Core::Context{});
-    /**
-     * @brief Construct a pointer to a new Attestation Administration Client object.
-     *
-     * @note It is the responsibility of the caller to manage the lifetime of the returned
-     * AttestationAdministrationClient object, typically by constructing a std::unique_ptr or
-     * std::shared_ptr from this pointer.
-     *
-     * @param endpoint The URL address where the client will send the requests to.
-     * @param credential The authentication token to use.
-     * @param options The options to customize the client behavior.
-     */
-    static std::unique_ptr<AttestationAdministrationClient> CreatePointer(
-        std::string const& endpoint,
-        std::shared_ptr<Core::Credentials::TokenCredential const> credential,
-        AttestationAdministrationClientOptions const& options
-        = AttestationAdministrationClientOptions(),
-        Azure::Core::Context const& context = Azure::Core::Context{});
-
   private:
     Azure::Core::Url m_endpoint;
     std::string m_apiVersion;
     std::shared_ptr<Azure::Core::Credentials::TokenCredential const> m_credentials;
     std::shared_ptr<Azure::Core::Http::_internal::HttpPipeline> m_pipeline;
     AttestationTokenValidationOptions m_tokenValidationOptions;
 
-    mutable std::vector<Models::AttestationSigner> m_attestationSigners;
+    std::vector<Models::AttestationSigner> m_attestationSigners;
 
     /**
      * @brief Construct a new Attestation Administration Client object.
@@ -295,7 +266,7 @@ namespace Azure { namespace Security { namespace Attestation {
         std::string const& endpoint,
         std::shared_ptr<Core::Credentials::TokenCredential const> credential,
         AttestationAdministrationClientOptions const& options
-        = AttestationAdministrationClientOptions());
+        = AttestationAdministrationClientOptions{});
 
     std::string CreateIsolatedModeModificationToken(
         std::string const& pemEncodedX509CertificateToAdd,
@@ -316,7 +287,31 @@ namespace Azure { namespace Security { namespace Attestation {
      * @param context Client context for the request to the service.
      */
     void RetrieveResponseValidationCollateral(
-        Azure::Core::Context const& context = Azure::Core::Context{}) const;
+        Azure::Core::Context const& context = Azure::Core::Context{});
+  };
+
+  /** @brief Construct a new AttestationAdministrationClient object.
+   *
+   * The AttestationAdministrationClientFactory class is a factory class for instantiating new
+   * AttestationAdministrationClient objects.
+   *
+   */
+  class AttestationAdministrationClientFactory final {
+  public:
+    /**
+     * @brief Construct a new Attestation Administration Client object.
+     *
+     * @param endpoint The URL address where the client will send the requests to.
+     * @param credential The authentication token to use.
+     * @param options The options to customize the client behavior.
+     * @return std::unique_ptr<AttestationAdministrationClient> The newly created client.
+     */
+    static std::unique_ptr<AttestationAdministrationClient> Create(
+        std::string const& endpoint,
+        std::shared_ptr<Core::Credentials::TokenCredential const> credential,
+        AttestationAdministrationClientOptions const& options
+        = AttestationAdministrationClientOptions{},
+        Azure::Core::Context const& context = Azure::Core::Context{});
   };
 
 }}} // namespace Azure::Security::Attestation
@@ -114,6 +114,9 @@ namespace Azure { namespace Security { namespace Attestation {
    */
 
   class AttestationClient final {
+    // Allow client factory to access private methods in the AttestationClient object.
+    friend class AttestationClientFactory;
+
   public:
     /**
      * @brief Destructor.
@@ -169,7 +172,7 @@ namespace Azure { namespace Security { namespace Attestation {
      */
     Response<Models::AttestationToken<Models::AttestationResult>> AttestSgxEnclave(
         std::vector<uint8_t> const& sgxQuoteToAttest,
-        AttestEnclaveOptions options = AttestEnclaveOptions(),
+        AttestSgxEnclaveOptions options = AttestSgxEnclaveOptions{},
         Azure::Core::Context const& context = Azure::Core::Context{}) const;
 
     /**
@@ -190,7 +193,7 @@ namespace Azure { namespace Security { namespace Attestation {
      */
     Response<Models::AttestationToken<Models::AttestationResult>> AttestOpenEnclave(
         std::vector<uint8_t> const& openEnclaveReportToAttest,
-        AttestEnclaveOptions options = AttestEnclaveOptions(),
+        AttestOpenEnclaveOptions options = AttestOpenEnclaveOptions{},
         Azure::Core::Context const& context = Azure::Core::Context{}) const;
 
     /**
@@ -214,34 +217,46 @@ namespace Azure { namespace Security { namespace Attestation {
      */
     Response<Models::TpmAttestationResult> AttestTpm(
         AttestTpmOptions const& options,
-        Azure::Core::Context const& context = Azure::Core::Context::ApplicationContext) const;
+        Azure::Core::Context const& context = Azure::Core::Context{}) const;
+
+  private:
+    Azure::Core::Url m_endpoint;
+    std::string m_apiVersion;
+    std::shared_ptr<Azure::Core::Credentials::TokenCredential const> m_credentials;
+    std::shared_ptr<Azure::Core::Http::_internal::HttpPipeline> m_pipeline;
+    AttestationTokenValidationOptions m_tokenValidationOptions;
+
+    std::vector<Models::AttestationSigner> m_attestationSigners;
 
     /** @brief Construct a new Attestation Client object
      *
      * @param endpoint The URL address where the client will send the requests to.
      * @param credential The authentication method to use (required for TPM attestation).
      * @param options The options to customize the client behavior.
-     * @return AttestationClient The newly created client.
      */
-    static AttestationClient Create(
+    AttestationClient(
         std::string const& endpoint,
         std::shared_ptr<Core::Credentials::TokenCredential const> credential,
-        AttestationClientOptions options = AttestationClientOptions(),
-        Azure::Core::Context const& constext = Azure::Core::Context{});
+        AttestationClientOptions options = AttestationClientOptions{});
 
-    /** @brief Construct a new anonymous Attestation Client object
-     *
-     * @param endpoint The URL address where the client will send the requests to.
-     * @param options The options to customize the client behavior.
-     * @return AttestationClient The newly created client.
+    /**
+     * @brief Retrieves the information needed to validate a response from the attestation service.
      *
-     * @note TPM attestation requires an authenticated attestation client.
+     * @note: This method MUST be called before any calls to the attestation service which must be
+     * validated.
      */
-    static AttestationClient Create(
-        std::string const& endpoint,
-        AttestationClientOptions options = AttestationClientOptions(),
-        Azure::Core::Context const& constext = Azure::Core::Context{});
+    void RetrieveResponseValidationCollateral(
+        Azure::Core::Context const& context = Azure::Core::Context{});
+  };
 
+  /** @brief Construct a new AttestationClient object.
+   *
+   * The AttestationClientFactory class is a factory class for instantiating new AttestationClient
+   * objects.
+   *
+   */
+  class AttestationClientFactory final {
+  public:
     /** @brief Construct a new Attestation Client object
      *
      * @details Constructs a new attestation client. Follows the
@@ -254,10 +269,10 @@ namespace Azure { namespace Security { namespace Attestation {
      * @param options The options to customize the client behavior.
      * @return std::unique_ptr<AttestationClient> The newly created client.
      */
-    static std::unique_ptr<AttestationClient> CreatePointer(
+    static std::unique_ptr<AttestationClient> Create(
         std::string const& endpoint,
         std::shared_ptr<Core::Credentials::TokenCredential const> credential,
-        AttestationClientOptions options = AttestationClientOptions(),
+        AttestationClientOptions options = AttestationClientOptions{},
         Azure::Core::Context const& constext = Azure::Core::Context{});
 
     /** @brief Construct a new anonymous Attestation Client object
@@ -273,38 +288,10 @@ namespace Azure { namespace Security { namespace Attestation {
      * @note TPM attestation requires an authenticated attestation client.
      *
      */
-    static std::unique_ptr<AttestationClient> CreatePointer(
+    static std::unique_ptr<AttestationClient> Create(
         std::string const& endpoint,
-        AttestationClientOptions options = AttestationClientOptions(),
+        AttestationClientOptions options = AttestationClientOptions{},
         Azure::Core::Context const& constext = Azure::Core::Context{});
-
-  private:
-    Azure::Core::Url m_endpoint;
-    std::string m_apiVersion;
-    std::shared_ptr<Azure::Core::Credentials::TokenCredential const> m_credentials;
-    std::shared_ptr<Azure::Core::Http::_internal::HttpPipeline> m_pipeline;
-    AttestationTokenValidationOptions m_tokenValidationOptions;
-
-    mutable std::vector<Models::AttestationSigner> m_attestationSigners;
-    /** @brief Construct a new Attestation Client object
-     *
-     * @param endpoint The URL address where the client will send the requests to.
-     * @param credential The authentication method to use (required for TPM attestation).
-     * @param options The options to customize the client behavior.
-     */
-    AttestationClient(
-        std::string const& endpoint,
-        std::shared_ptr<Core::Credentials::TokenCredential const> credential,
-        AttestationClientOptions options = AttestationClientOptions());
-
-    /**
-     * @brief Retrieves the information needed to validate a response from the attestation service.
-     *
-     * @note: This method MUST be called before any calls to the attestation service which must be
-     * validated.
-     */
-    void RetrieveResponseValidationCollateral(
-        Azure::Core::Context const& context = Azure::Core::Context{}) const;
   };
 
 }}} // namespace Azure::Security::Attestation
@@ -265,7 +265,7 @@ namespace Azure { namespace Security { namespace Attestation { namespace Models
    * SHA256 hash of the policy document sent to the attestation service.
    *
    * In order to verify that the attestation service correctly received the attestation policy sent
-   * by the client, the AttestationAdministrationClient::CreateSetAttestationPolicyToken API can be
+   * by the client, the AttestationAdministrationClient::CreateAttestationPolicyToken API can be
    * used to create an AttestationToken object which is not specialized on any type
    * (`AttestationToken<>`). The RawToken field in that can be used to calculate the hash which was
    * sent to the service.