engines/instance_verification/README.md from SUSE/rmt

engines/instance_verification/README.md
Summary

Maintainability

Test Coverage

Issues
# InstanceVerification

This plugin implements a framework for additional client validation.
It hooks into the API endpoints:

* `Api::Connect::V3::Subscriptions::SystemsController#announce_system`
  (initial storing of provided system instance data)
* `Api::Connect::V3::Systems::ProductsController#activate`,
  `Api::Connect::V3::Systems::ProductsController#upgrade`
  (verify that the system has access to the product during product activation)

After successful verification, the combination ip-system-product is added to a Rails cache
for 20 minutes. This cache is also used by the `zypper_auth` engine.

How to verify the instance data is provider-specific, see `lib/instance_verification/providers/example.rb` for an example implementation.

## Instance metadata

Depending on the CSP the metadata can look more or less like this

```json
{
  "accountId" : "1234",
  "architecture" : "some-arch",
  "availabilityZone" : "some-zone",
  "billingProducts" : [ "billing-info" ],
  "devpayProductCodes" : null,
  "marketplaceProductCodes" : null,
  "imageId" : "ami-1234",
  "instanceId" : "i-1234",
  "instanceType" : "instance-type",
  "kernelId" : null,
  "pendingTime" : "yyyy-mm-ddThh:mm:ssZ",
  "privateIp" : "some-ip",
  "ramdiskId" : null,
  "region" : "some-region",
  "version" : "2017-09-30"
}
```
 or
```json
{
  "billingTag": "some-billing-tag",
  "attestedData": {
    "signature": {
      "licenseType":"license",
      "nonce":"1234",
      "plan": {
        "name":"",
        "product":"",
        "publisher":""
      },
      "sku":"sku",
      "subscriptionId":
      "1234",
      "timeStamp": {
        "createdOn":"yyyy-mm-ddThh:mm:ssZ",
        "expiresOn":"yyyy-mm-ddThh:mm:ssZ"
      },
      "vmId":"1234"
    }
  },
  "subscriptionId": "some-subscription"
}
```
or
```
{
  "instance_creation_timestamp"=>1234,
  "instance_id"=>"1234",
  "instance_name"=>"foo",
  "project_id"=>"some_name",
  "project_number"=>1234,
  "zone"=>"zone_name"
}
```
for more info check [AWS IMDS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html) 
[Azure IMDS](https://learn.microsoft.com/en-us/azure/virtual-machines/linux/instance-metadata-service?tabs=linux)
or [GCE IMDS](https://cloud.google.com/compute/docs/metadata/querying-metadata)

The value from that info to use as a `system_token` is `instance_id` or `vmId`,
depending on CSP.