AA/kbs_protocol: fix the RCAR handshake unit test

There are some changes upon KBS side. https://github.com/confidential-containers/kbs/pull/265/files#diff-88f80dee1e5f367cb319573b2d524906c5631100a0a3ce6cc62bf2ebf62fb251L95 replaces token type to a token config, and we do not have a default token config builder thus we need to explicitly add the attestation_token_config. Also, the commit confidential-containers/trustee@43d56f3 will block the sample_attester by the default policy of KBS when verifying the CoCoAS token. This is due to security. But in this test, we leverage sample-attester, so we need a policy that allows this. The commit confidential-containers@006e1ff enables sample_attester without setting environment variable. Signed-off-by: Xynnn007 <[email protected]>
Xynnn007 · Jan 18, 2024 · 2a91bb2 · 2a91bb2
1 parent cf5716d
commit 2a91bb2
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 1 deletion.
diff --git a/attestation-agent/kbs_protocol/src/client/rcar_client.rs b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
@@ -302,8 +302,10 @@ mod test {
         // a start script
         let mut start_kbs_script = env::current_dir().expect("get cwd");
         let mut kbs_config = start_kbs_script.clone();
+        let mut policy = start_kbs_script.clone();
         start_kbs_script.push("test/start_kbs.sh");
         kbs_config.push("test/kbs-config.toml");
+        policy.push("test/policy.rego");
 
         let image = GenericImage::new(
             "ghcr.io/confidential-containers/staged-images/kbs",
@@ -322,14 +324,17 @@ mod test {
             kbs_config.into_os_string().to_string_lossy(),
             "/etc/kbs-config.toml",
         )
+        .with_volume(
+            policy.into_os_string().to_string_lossy(),
+            "/opa/confidential-containers/kbs/policy.rego",
+        )
         .with_entrypoint("/usr/local/bin/start_kbs.sh");
         let kbs = docker.run(image);
 
         tokio::time::sleep(Duration::from_secs(10)).await;
         let port = kbs.get_host_port_ipv4(8085);
         let kbs_host_url = format!("http://127.0.0.1:{port}");
 
-        env::set_var("AA_SAMPLE_ATTESTER_TEST", "1");
         let evidence_provider = Box::new(NativeEvidenceProvider::new().unwrap());
         let mut client = KbsClientBuilder::with_evidence_provider(evidence_provider, &kbs_host_url)
             .build()

diff --git a/attestation-agent/kbs_protocol/test/kbs-config.toml b/attestation-agent/kbs_protocol/test/kbs-config.toml
@@ -1,3 +1,6 @@
 insecure_http = true
 insecure_api = true
 sockets = ["0.0.0.0:8085"]
+
+[attestation_token_config]
+attestation_token_type = "CoCo"
diff --git a/attestation-agent/kbs_protocol/test/policy.rego b/attestation-agent/kbs_protocol/test/policy.rego
@@ -0,0 +1,7 @@
+package policy
+
+default allow = false
+
+allow {
+	input["tee"] == "sample"
+}