kbs: ITA: Default behavior for policy_ids changed.
State before changes:
- Policies are not causing attestation to fail by default. After setting policies in ITA they are allowed to be unmatched.
- Changing `allow_unmatched_policy` has no impact if `policy_ids` are not given.

This state leads to an unpleasant user experience.

State after changes:
- By default (if `policy_ids` are not given) or if `policy_ids = []` - all policies from ITA are going to be verified.
- `allow_unmatched_policy = false` results in verification of policies from ITA even if `policy_ids = []`.

Documentation of parameters updated.

Signed-off-by: Szymon Klimek <[email protected]>
szymon-klimek committed Jan 23, 2025
1 parent ca5906d commit 058279c
Showing 2 changed files with 9 additions and 12 deletions.
16 changes: 8 additions & 8 deletions kbs/docs/config.md
Expand Up @@ -187,14 +187,14 @@ attestation. The following properties can be set.

> Intel Trust Authority AS is available only when the `intel-trust-authority-as` feature is enabled.
| Property | Type | Description | Required | Default |
|--------------------------|--------------|------------------------------------------------------------------------------------------|----------|---------|
| `timeout` | Integer | The maximum time (in minutes) between RCAR handshake's `auth` and `attest` requests | No | 5 |
| `base_url` | String | Intel Trust Authority API URL. | Yes | - |
| `api_key` | String | Intel Trust Authority API key. | Yes | - |
| `certs_file` | String | URL to an Intel Trust Authority portal or path to JWKS file used for token verification. | Yes | - |
| `allow_unmatched_policy` | Boolean | If set and `policy_ids` specified, unset the `request.policy_must_match` setting | No | false |
| `policy_ids` | String array | List of one or more quoted and comma-separated policy IDs. | No | `[]` |
| Property | Type | Description | Required | Default |
|--------------------------|--------------|-----------------------------------------------------------------------------------------------------------|----------|---------|
| `timeout` | Integer | The maximum time (in minutes) between RCAR handshake's `auth` and `attest` requests | No | 5 |
| `base_url` | String | Intel Trust Authority API URL. | Yes | - |
| `api_key` | String | Intel Trust Authority API key. | Yes | - |
| `certs_file` | String | URL to an Intel Trust Authority portal or path to JWKS file used for token verification. | Yes | - |
| `allow_unmatched_policy` | Boolean | Ignore result of policy matching. | No | false |
| `policy_ids` | String array | List of one or more quoted and comma-separated policy IDs. If not set - all ITA policies will be checked. | No | `[]` |

Detailed [documentation](https://docs.trustauthority.intel.com).
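
Review bot: The new `allow_unmatched_policy` description, "Ignore result of policy matching.", no longer tells the reader what the default `false` means. After this commit the default makes an unmatched policy fail attestation even when `policy_ids` is empty, which reverses the previous behavior, so the row should state that explicitly and keep the reference to `request.policy_must_match` that the old text had. The `policy_ids` row says "If not set", while the commit message also covers `policy_ids = []`; consider wording such as "If not set or empty, all ITA policies are checked." Deployments that relied on the old defaults will start rejecting attestations, so an upgrade note in this section would help.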

5 changes: 1 addition & 4 deletions kbs/src/attestation/intel_trust_authority/mod.rs
Expand Up @@ -106,10 +106,7 @@ impl Attest for IntelTrustAuthority {

let policy_ids = self.config.policy_ids.clone();

let policy_must_match = match policy_ids.is_empty() {
true => false,
false => !self.config.allow_unmatched_policy.unwrap_or_default(),
};
let policy_must_match = !self.config.allow_unmatched_policy.unwrap_or_default();

// construct attest request data and attestation url
let (req_data, att_url) = match tee {
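
Review bot: `policy_must_match` is now derived from `allow_unmatched_policy` alone, so it is true by default even with an empty `policy_ids`, yet the commit touches only the docs and this file and adds no test for that case. Please add a unit test covering empty `policy_ids` with `allow_unmatched_policy` unset, `false` and `true`. A short comment on the new line stating that an empty list relies on ITA evaluating all of its policies would also help, because enforcement in that case depends on service-side behavior that is not visible in this code. Consider logging a warning when `allow_unmatched_policy` is `true`, since the docs now describe that setting as ignoring the result of policy matching.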