AzureSDKAutomation
diff --git a/‎eng/code-quality-reports/src/main/resources/checkstyle/checkstyle-suppressions.xml‎
Lines changed: 7 additions & 0 deletions b/‎eng/code-quality-reports/src/main/resources/checkstyle/checkstyle-suppressions.xml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎eng/code-quality-reports/src/main/resources/spotbugs/spotbugs-exclude.xml‎
Lines changed: 6 additions & 0 deletions b/‎eng/code-quality-reports/src/main/resources/spotbugs/spotbugs-exclude.xml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎eng/versioning/version_client.txt‎
Lines changed: 1 addition & 0 deletions b/‎eng/versioning/version_client.txt‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎pom.xml‎
Lines changed: 4 additions & 0 deletions b/‎pom.xml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎sdk/attestation/azure-security-attestation/CHANGELOG.md‎
Lines changed: 5 additions & 0 deletions b/‎sdk/attestation/azure-security-attestation/CHANGELOG.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎sdk/attestation/azure-security-attestation/README.md‎
Lines changed: 180 additions & 0 deletions b/‎sdk/attestation/azure-security-attestation/README.md‎
Lines changed: 180 additions & 0 deletions
diff --git a/‎sdk/attestation/azure-security-attestation/pom.xml‎
Lines changed: 122 additions & 0 deletions b/‎sdk/attestation/azure-security-attestation/pom.xml‎
Lines changed: 122 additions & 0 deletions
@@ -573,4 +573,11 @@ the main ServiceBusClientBuilder. -->
   <!-- Suppress checks in azure-core-experimental -->
   <suppress checks="com.azure.tools.checkstyle.checks.ExternalDependencyExposedCheck"
             files="com.azure.core.experimental.jsonpatch.(JsonPatchDocumentSerializer|JsonPatchOperationSerializer).java"/>
+
+  <!-- Suppress checks on AutoRest generated Attestation service code -->
+  <suppress checks="(MissingJavadocMethod|EnforceFinalFields)"
+            files=".*[/\\]azure[/\\]security[/\\]attestation[/\\]AttestationClientBuilder.java"/>
+  <suppress checks="WhitespaceAround|ThrowFromClientLogger"
+            files="com.azure.security.attestation.models.*\.java"/>
+
 </suppressions>
@@ -2477,4 +2477,10 @@
     <Field name="data"/>
     <Bug pattern="EI_EXPOSE_REP"/>
   </Match>
+
+  <!-- Machine generated classes for MAA service generate spotBugs errors -->
+  <Match>
+    <Class name="~com.azure.security.attestation.models\.[\w]+"/>
+    <Bug pattern="PZLA_PREFER_ZERO_LENGTH_ARRAYS"/>
+  </Match>
 </FindBugsFilter>
@@ -86,6 +86,7 @@ com.azure:azure-opentelemetry-exporter-azuremonitor;1.0.0-beta.2;1.0.0-beta.3
 com.azure:azure-quantum-jobs;1.0.0-beta.1;1.0.0-beta.1
 com.azure:azure-search-documents;11.1.3;11.2.0-beta.4
 com.azure:azure-search-perf;1.0.0-beta.1;1.0.0-beta.1
+com.azure:azure-security-attestation;1.0.0-beta.1;1.0.0-beta.1
 com.azure:azure-security-keyvault-administration;4.0.0-beta.3;4.0.0-beta.4
 com.azure:azure-security-keyvault-certificates;4.1.4;4.2.0-beta.3
 com.azure:azure-security-keyvault-keys;4.2.4;4.3.0-beta.4
 
@@ -17,6 +17,9 @@
         <!-- App Configuration -->
         <module>sdk/appconfiguration/azure-data-appconfiguration</module>
 
+        <!-- Attestation -->
+        <module>sdk/attestation/azure-security-attestation</module>
+
         <!-- Azure Communication Service -->
         <module>sdk/communication/azure-communication-administration</module>
         <module>sdk/communication/azure-communication-chat</module>
@@ -555,6 +558,7 @@
         <module>eng/jacoco-test-coverage</module>
         <module>sdk/anomalydetector</module>
         <module>sdk/appconfiguration</module>
+        <module>sdk/attestation</module>
         <module>sdk/authorization</module>
         <module>sdk/batch</module>
         <module>sdk/boms</module>
 
@@ -0,0 +1,5 @@
+# Release History
+
+## 1.0.0-beta.1 (Unreleased)
+
+- Initial release. Please see the README and wiki for information on the new design.
@@ -0,0 +1,180 @@
+# Azure Attestation client library for Java
+
+Microsoft Azure Attestation (preview) is a unified solution for remotely verifying the trustworthiness of a platform and integrity of the binaries running inside it. The service supports attestation of the platforms backed by Trusted Platform Modules (TPMs) alongside the ability to attest to the state of Trusted Execution Environments (TEEs) such as Intel® Software Guard Extensions (SGX) enclaves and Virtualization-based Security (VBS) enclaves.
+
+Attestation is a process for demonstrating that software binaries were properly instantiated on a trusted platform. Remote relying parties can then gain confidence that only such intended software is running on trusted hardware. Azure Attestation is a unified customer-facing service and framework for attestation.
+
+Azure Attestation enables cutting-edge security paradigms such as Azure Confidential computing and Intelligent Edge protection. Customers have been requesting the ability to independently verify the location of a machine, the posture of a virtual machine (VM) on that machine, and the environment within which enclaves are running on that VM. Azure Attestation will empower these and many additional customer requests.
+
+Azure Attestation receives evidence from compute entities, turns them into a set of claims, validates them against configurable policies, and produces cryptographic proofs for claims-based applications (for example, relying parties and auditing authorities).
+
+> NOTE: This is a preliminary SDK for the Microsoft Azure Attestation service. It provides all the essential functionality to access the Azure Attestation service, but requires a significant amount of infrastructure to work correctly.
+
+
+## Getting started
+### Adding the package to your project
+Maven dependency for the Azure Attestation  library. Add it to your project's POM file.
+
+[//]: # ({x-version-update-start;com.azure:azure-security-attestation;current})
+```xml
+<!-- Install the Azure Attestation SDK -->
+<dependency>
+    <groupId>com.azure</groupId>
+    <artifactId>azure-security-attestation</artifactId>
+    <version>1.0.0-beta.1</version>
+</dependency>
+```
+[//]: # ({x-version-update-end})
+
+### Prerequisites
+- A [Java Development Kit (JDK)][jdk_link], version 8 or later.
+- [Azure Subscription][azure_subscription]
+- An existing [Azure Attestation][azure_attestation]. If you need to create an attestation instance, you can use the [Azure Cloud Shell][azure_cloud_shell] to create one with this Azure CLI command. Replace `<your-resource-group-name>` and `<your-instance-name>` with your own, unique names:
+
+    ```bash
+    az attestation create --resource-group <your-resource-group-name> --name <your-key-vault-name>
+    ```
+
+### Authenticate the client
+In order to interact with the Azure Attestation service, your client must present an Azure Active Directory bearer token to the service.
+
+The simplest way of providing a bearer token is to use the  `DefaultAzureCredential` authentication method by providing client secret credentials is being used in this getting started section but you can find more ways to authenticate with [azure-identity][azure_identity].
+
+
+## Key concepts
+
+The Microsoft Azure Attestation service runs in two separate modes: "Isolated" and "AAD". When the service is running in "Isolated" mode, the customer needs to 
+provide additional information beyond their authentication credentials to verify that they are authorized to modify the state of an attestation instance.
+
+There are four major client types provided in this preview SDK: 
+- [SGX and TPM enclave attestation.](#attestation)
+- [MAA Attestation Token signing certificate discovery and validation.](#attestation-token-signing-certificate-discovery-and-validation)  
+- [Attestation Policy management.](#policy-management)
+- [Attestation policy management certificate management](#policy-management-certificate-management) (yes, policy management management).
+
+Each attestation instance operates in one of two separate modes of operation:
+* AAD mode.
+* Isolated mode
+
+In "AAD" mode, access to the service is controlled solely by Azure Role Based Access Control.  In "Isolated" mode, 
+the client is expected to provide additional evidence to prove that the client is authorized
+to modify the service.
+
+Finally, each region in which the Microsoft Azure Attestation service is available supports a "shared" instance, which
+can be used to attest SGX enclaves which only need verification against the azure baseline (there are no policies applied to the shared instance). TPM attestation is not available in the shared instance.
+While the shared instance requires AAD authentication, it does not have any RBAC policies - any customer with a valid AAD bearer token can attest using the shared instance. 
+
+
+### Attestation
+SGX or TPM attestation is the process of validating evidence collected from 
+a trusted execution environment to ensure that it meets both the Azure baseline for that environment and customer defined policies applied to that environment.
+
+### Attestation token signing certificate discovery and validation
+Most responses from the MAA service are expressed in the form of a JSON Web Token. This token will be signed by a signing certificate
+issued by the MAA service for the specified instance. If the MAA service instance is running in a region where the service runs in an SGX enclave, then
+the certificate issued by the server can be verified using the [oe_verify_attestation_certificate() API](https://openenclave.github.io/openenclave/api/enclave_8h_a3b75c5638360adca181a0d945b45ad86.html). 
+
+### Policy Management
+Each attestation service instance has a policy applied to it which defines additional criteria which the customer has defined.
+
+For more information on attestation policies, see [Attestation Policy](https://docs.microsoft.com/azure/attestation/author-sign-policy)
+
+### Policy Management certificate management.
+When an attestation instance is running in "Isolated" mode, the customer who created the instance will have provided
+a policy management certificate at the time the instance is created. All policy modification operations require that the customer sign
+the policy data with one of the existing policy management certificates. The Policy Management Certificate Management APIs enable 
+clients to "roll" the policy management certificates.
+
+
+## Examples
+
+* [Attest an SGX enclave](#attest-sgx-enclave)
+* [Get attestation policy](#get-attestation-policy)
+* [Retrieve token validation certificates](#retrieve-token-certificates)
+
+### Attest SGX Enclave
+
+Use the `attestSgxEnclave` method to attest an SGX enclave.
+<!-- embedme src\samples\com\azure\security\attestation\ReadmeSamples.java#L36-L44 -->
+```java
+AttestSgxEnclaveRequest request = new AttestSgxEnclaveRequest();
+request.setQuote(decodedSgxQuote);
+RuntimeData runtimeData = new RuntimeData();
+runtimeData.setDataType(DataType.BINARY);
+runtimeData.setData(decodedRuntimeData);
+request.setRuntimeData(runtimeData);
+AttestationResponse response = client.attestSgxEnclave(request);
+
+JWTClaimsSet claims = null;
+```
+
+### Get attestation policy
+
+The `attestationPolicyClient.get` method retrieves the attestation policy from the service.
+Attestation Policies are instanced on a per-attestation type basis, the `AttestationType` parameter defines the type to retrieve. 
+The response to an attestation policy get is a JSON Web Token signed by the attestation service.
+The token contains an `x-ms-policy` claim, which in turn contains the secured (or unsecured) attestation policy document which was 
+set by the customer. 
+
+The attestation policy document is a JSON Web Signature object, with a single field named `AttestationPolicy`, whose value is the actual policy document encoded in Base64Url.
+
+<!-- embedme src\samples\com\azure\security\attestation\ReadmeSamples.java#L59-L84 -->
+```java
+
+sponse policyResponse = client.get(AttestationType.SGX_ENCLAVE);
+testationToken(httpClient, clientUri, policyResponse.getToken())
+scribe(claims -> {
+if (claims != null) {
+
+    String policyDocument = claims.getClaims().get("x-ms-policy").toString();
+
+    JOSEObject policyJose = null;
+    try {
+        policyJose = JOSEObject.parse(policyDocument);
+    } catch (ParseException e) {
+        throw logger.logExceptionAsError(new RuntimeException(e.toString()));
+    }
+    assert policyJose != null;
+    Map<String, Object> jsonObject = policyJose.getPayload().toJSONObject();
+    if (jsonObject != null) {
+        assertTrue(jsonObject.containsKey("AttestationPolicy"));
+        String base64urlPolicy = jsonObject.get("AttestationPolicy").toString();
+
+        byte[] attestationPolicyUtf8 = Base64.getUrlDecoder().decode(base64urlPolicy);
+        String attestationPolicy;
+        attestationPolicy = new String(attestationPolicyUtf8, StandardCharsets.UTF_8);
+        // Inspect the retrieved policy.
+    }
+}
+```
+
+### Retrieve Token Certificates
+
+Use `SigningCertificatesClient.get` to retrieve the certificates which can be used to validate the token returned from the attestation service.
+
+<!-- embedme src\samples\com\azure\security\attestation\ReadmeSamples.java#L89-L92 -->
+```java
+
+AttestationClientBuilder attestationBuilder = getBuilder(httpClient, clientUri);
+
+JsonWebKeySet certs = attestationBuilder.buildSigningCertificatesClient().get();
+```
+
+## Troubleshooting
+
+Troubleshooting information for the MAA service can be found [here](https://docs.microsoft.com/azure/attestation/troubleshoot-guide)
+## Next steps
+For more information about the Microsoft Azure Attestation service, please see our [documentation page](https://docs.microsoft.com/azure/attestation/). 
+
+## Contributing
+This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
+
+When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct][microsoft_code_of_conduct]. For more information see the Code of Conduct FAQ or contact <opencode@microsoft.com> with any additional questions or comments.
+
+
+<!-- LINKS -->
+[style-guide-msft]: https://docs.microsoft.com/style-guide/capitalization
+
+![Impressions](https://azure-sdk-impressions.azurewebsites.net/api/impressions/azure-sdk-for-java%2Fsdk%2Fattestation%2Fazure-security-attestation%2FREADME.png)
@@ -0,0 +1,122 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>com.azure</groupId>
+    <artifactId>azure-client-sdk-parent</artifactId>
+    <version>1.7.0</version> <!-- {x-version-update;com.azure:azure-client-sdk-parent;current} -->
+    <relativePath>../../parents/azure-client-sdk-parent</relativePath>
+  </parent>
+
+  <groupId>com.azure</groupId>
+  <artifactId>azure-security-attestation</artifactId>
+  <version>1.0.0-beta.1</version> <!-- {x-version-update;com.azure:azure-security-attestation;current} -->
+
+  <name>Microsoft Azure SDK for Attestation</name>
+  <description>This package contains Microsoft Azure SDK for the Microsoft Azure Attestation service.</description>
+
+  <distributionManagement>
+    <site>
+      <id>azure-java-build-docs</id>
+      <url>${site.url}/site/${project.artifactId}</url>
+    </site>
+  </distributionManagement>
+
+  <scm>
+    <url>https://github.com/Azure/azure-sdk-for-java</url>
+  </scm>
+
+  <dependencies>
+    <dependency>
+      <groupId>com.azure</groupId>
+      <artifactId>azure-core</artifactId>
+      <version>1.12.0</version> <!-- {x-version-update;com.azure:azure-core;dependency} -->
+    </dependency>
+    <!-- Test dependencies -->
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+      <version>5.6.3</version> <!-- {x-version-update;org.junit.jupiter:junit-jupiter-api;external_dependency} -->
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-engine</artifactId>
+      <version>5.6.3</version> <!-- {x-version-update;org.junit.jupiter:junit-jupiter-engine;external_dependency} -->
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-params</artifactId>
+      <version>5.6.3</version> <!-- {x-version-update;org.junit.jupiter:junit-jupiter-params;external_dependency} -->
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.azure</groupId>
+      <artifactId>azure-core-test</artifactId>
+      <version>1.5.2</version> <!-- {x-version-update;com.azure:azure-core-test;dependency} -->
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.azure</groupId>
+      <artifactId>azure-core-http-okhttp</artifactId>
+      <version>1.4.1</version> <!-- {x-version-update;com.azure:azure-core-http-okhttp;dependency} -->
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.azure</groupId>
+      <artifactId>azure-identity</artifactId>
+      <version>1.2.2</version> <!-- {x-version-update;com.azure:azure-identity;dependency} -->
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.nimbusds</groupId>
+      <artifactId>nimbus-jose-jwt</artifactId>
+      <version>8.19</version>  <!-- {x-version-update;com.nimbusds:nimbus-jose-jwt;external_dependency} -->
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <properties>
+    <jacoco.min.linecoverage>0.10</jacoco.min.linecoverage>
+    <jacoco.min.branchcoverage>0.10</jacoco.min.branchcoverage>
+  </properties>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.jacoco</groupId>
+        <artifactId>jacoco-maven-plugin</artifactId>
+        <version>0.8.5</version> <!-- {x-version-update;org.jacoco:jacoco-maven-plugin;external_dependency} -->
+        <configuration>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+  <profiles>
+    <profile>
+      <id>java-lts</id>
+      <activation>
+        <jdk>[11,)</jdk>
+      </activation>
+      <build>
+        <plugins>
+          <plugin>
+            <!-- Needed to prevent a java.lang.reflect error from fasterxml -->
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-surefire-plugin</artifactId>
+            <version>3.0.0-M3</version> <!-- {x-version-update;org.apache.maven.plugins:maven-surefire-plugin;external_dependency} -->
+            <configuration>
+              <argLine>
+                --add-opens com.azure.security.attestation/com.azure.security.attestation=ALL-UNNAMED
+                --add-opens com.azure.security.attestation/com.azure.security.attestation.models=ALL-UNNAMED
+                --add-opens com.azure.security.attestation/com.azure.security.attestation.models=com.fasterxml.jackson.databind
+              </argLine>
+            </configuration>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+  </profiles>
+</project>