From 2a91bb23a11d2e60aa5ee7024e765cf696c5cc45 Mon Sep 17 00:00:00 2001
From: Xynnn007
Date: Thu, 18 Jan 2024 14:04:30 +0800
Subject: [PATCH] AA/kbs_protocol: fix the RCAR handshake unit test

There are some changes upon KBS side. https://github.com/confidential-containers/kbs/pull/265/files#diff-88f80dee1e5f367cb319573b2d524906c5631100a0a3ce6cc62bf2ebf62fb251L95 replaces token type to a token config, and we do not have a default token config builder thus we need to explicitly add the attestation_token_config. Also, the commit https://github.com/confidential-containers/kbs/commit/43d56f3a4a92a1cc691f63a8e1311bcc0d2b3fc8 will block the sample_attester by the default policy of KBS when verifying the CoCoAS token. This is due to security. But in this test, we leverage sample-attester, so we need a policy that allows this. The commit https://github.com/confidential-containers/guest-components/pull/426/commits/006e1ffe69f2216c30eadb3094ee49fa209e6b2a enables sample_attester without setting environment variable.

Signed-off-by: Xynnn007
---
 attestation-agent/kbs_protocol/src/client/rcar_client.rs | 7 ++++++-
 attestation-agent/kbs_protocol/test/kbs-config.toml | 3 +++
 attestation-agent/kbs_protocol/test/policy.rego | 7 +++++++
 3 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 attestation-agent/kbs_protocol/test/policy.rego
diff --git a/attestation-agent/kbs_protocol/src/client/rcar_client.rs b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
index 7ba4c6fe4..e68076b0e 100644
--- a/attestation-agent/kbs_protocol/src/client/rcar_client.rs
+++ b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
@@ -302,8 +302,10 @@ mod test {
 // a start script
 let mut start_kbs_script = env::current_dir().expect("get cwd");
 let mut kbs_config = start_kbs_script.clone();
+ let mut policy = start_kbs_script.clone();
 start_kbs_script.push("test/start_kbs.sh");
 kbs_config.push("test/kbs-config.toml");
+ policy.push("test/policy.rego");
 
 let image = GenericImage::new(
 "ghcr.io/confidential-containers/staged-images/kbs",
@@ -322,6 +324,10 @@ mod test {
 kbs_config.into_os_string().to_string_lossy(),
 "/etc/kbs-config.toml",
 )
+ .with_volume(
+ policy.into_os_string().to_string_lossy(),
+ "/opa/confidential-containers/kbs/policy.rego",
+ )
 .with_entrypoint("/usr/local/bin/start_kbs.sh");
 let kbs = docker.run(image);
 
@@ -329,7 +335,6 @@ mod test {
 let port = kbs.get_host_port_ipv4(8085);
 let kbs_host_url = format!("http://127.0.0.1:{port}");
 
- env::set_var("AA_SAMPLE_ATTESTER_TEST", "1");
 let evidence_provider = Box::new(NativeEvidenceProvider::new().unwrap());
 let mut client = KbsClientBuilder::with_evidence_provider(evidence_provider, &kbs_host_url)
 .build()
diff --git a/attestation-agent/kbs_protocol/test/kbs-config.toml b/attestation-agent/kbs_protocol/test/kbs-config.toml
index 067b129f9..8d021c0d0 100644
--- a/attestation-agent/kbs_protocol/test/kbs-config.toml
+++ b/attestation-agent/kbs_protocol/test/kbs-config.toml
@@ -1,3 +1,6 @@
 insecure_http = true
 insecure_api = true
 sockets = ["0.0.0.0:8085"]
+
+[attestation_token_config]
+attestation_token_type = "CoCo"
\ No newline at end of file
diff --git a/attestation-agent/kbs_protocol/test/policy.rego b/attestation-agent/kbs_protocol/test/policy.rego
new file mode 100644
index 000000000..747c5fe82
--- /dev/null
+++ b/attestation-agent/kbs_protocol/test/policy.rego
@@ -0,0 +1,7 @@
+package policy
+
+default allow = false
+
+allow {
+ input["tee"] == "sample"
+}
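Review bot: Dropping `env::set_var("AA_SAMPLE_ATTESTER_TEST", "1")` in the third hunk leaves the test with no statement of why `NativeEvidenceProvider::new()` is expected to produce evidence that the mounted policy accepts; that reasoning now lives only in the commit message. I would add a comment above the `let evidence_provider = ...` line: `// No AA_SAMPLE_ATTESTER_TEST needed: the sample attester is enabled by default since guest-components PR #426, and test/policy.rego admits its "sample" tee claim.` The same applies to the `with_volume` call in the second hunk, where a one-line comment saying that `/opa/confidential-containers/kbs/policy.rego` is presumably the path the KBS image reads its policy from would save the next reader a trip to the KBS sources. The enclosing test function starts before the first hunk and ends after the last.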
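Review bot: The new `[attestation_token_config]` table ends without a trailing newline (`\ No newline at end of file`), so the next edit to this fixture will show the `attestation_token_type = "CoCo"` line as changed even when it is not; add a final newline after it. Since the fixture also runs with `insecure_http` and `insecure_api` enabled, a header comment scoping the file would help, e.g. `# KBS configuration for the rcar_client integration test only (plain HTTP, no API auth).`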
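Review bot: The policy admits any evidence whose `tee` claim equals `"sample"` and checks nothing else, which is what the test needs but is stated nowhere in the file; a reader finding it next to `kbs-config.toml` has no hint that it replaces the KBS default policy rather than extending it. I would add a header comment: `# Test-only policy: allows the sample attester used by the rcar_client unit test. It is mounted over the KBS default policy in that test and proves nothing about the guest.` Style-wise, `input.tee == "sample"` is the more common Rego spelling, though `input["tee"]` is equivalent.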