Added e2e test for CoCo-AS using SNP evidence

.github/workflows/as-e2e.yml

@@ -0,0 +1,68 @@
+name: CoCo-AS e2e
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+# Self-hosted runners do not set -o pipefail otherwise
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  e2e-test:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+         # TODO: Add real HW-TEE test
+         # See https://github.com/confidential-containers/kbs/issues/223
+          # - runner: self-hosted
+          #   generate_evidence: true
+          #   grpc_tee_enum: 3
+          #   restful_tee_enum: tdx
+          - runner: ubuntu-22.04
+            generate_evidence: false
+            grpc_tee_enum: 2
+            restful_tee_enum: snp
+    name: TEE=${{ matrix.restful_tee_enum }} Generate Evidence Dynamically=${{ matrix.generate_evidence }}
+    runs-on: ${{ matrix.runner }}
+    env:
+      GRPC_TEE_ENUM: ${{ matrix.grpc_tee_enum }}
+      RESTFUL_TEE_ENUM: ${{ matrix.restful_tee_enum }}
+    steps:
+    - uses: actions/checkout@v4
+
+    - uses: actions-rs/toolchain@v1
+      with:
+        profile: minimal
+        toolchain: stable
+
+    - uses: actions/setup-go@v5
+      with:
+        go-version: stable
+
+    - name: Set up rust build cache
+      uses: actions/cache@v3
+      continue-on-error: false
+      with:
+        path: |
+          ~/.cargo/registry/index/
+          ~/.cargo/registry/cache/
+          target/
+        key: rust-${{ hashFiles('./Cargo.lock') }}
+
+    - name: Install dependencies
+      if: ${{ matrix.runner == 'ubuntu-22.04' }}
+      working-directory: attestation-service/tests/e2e
+      run: |
+        make install-dependencies
+        go install github.com/fullstorydev/grpcurl/cmd/grpcurl@latest
+
+    - name: Run e2e test (gRPC)
+      working-directory: attestation-service/tests/e2e
+      run: make e2e-grpc-test
+
+    - name: Run e2e test (RESTful)
+      working-directory: attestation-service/tests/e2e
+      run: make e2e-restful-test

attestation-service/.gitignore

@@ -4,5 +4,6 @@ target
 # Local Fs tempfile
 reference_values
 
-test_data/*_output.txt
-test_data/opa/
+# Temporary files generated by e2e test
+tests/e2e/grpc-request.json
+tests/e2e/restful-request.json

attestation-service/tests/e2e/Makefile

@@ -0,0 +1,108 @@
+OS := $(shell lsb_release -si)
+RELEASE := $(shell lsb_release -sr)
+SGX_REPO_URL := https://download.01.org/intel-sgx/sgx_repo/ubuntu
+MAKEFILE_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+PROJECT_DIR := $(MAKEFILE_DIR)/../..
+RESTFUL_BIN := /usr/local/bin/restful-as
+GRPC_BIN := /usr/local/bin/grpc-as
+AS_CACHE_PATH := /opt/confidential-containers/attestation-service
+BOLD := $(shell tput bold)
+SGR0 := $(shell tput sgr0)
+EVIDENCE_FILE ?= $(MAKEFILE_DIR)/evidence.json
+RAW_RUNTIME_DATA_FILE ?= $(MAKEFILE_DIR)/raw-runtime-data
+
+RAW_RUNTIME_DATA := $(shell cat $(RAW_RUNTIME_DATA_FILE) | base64 -w0 | tr -d '=' | sed -e "s/+/-/g" -e "s/\//_/g")
+EVIDENCE := $(shell cat $(EVIDENCE_FILE) | base64 -w0 | tr -d '=' | sed -e "s/+/-/g" -e "s/\//_/g")
+
+GRPC_TEE_ENUM ?= 2
+GRPC_REQUEST := $(MAKEFILE_DIR)/grpc-request.json
+
+RESTFUL_TEE_ENUM ?= snp
+RESTFUL_REQUEST := $(MAKEFILE_DIR)/restful-request.json
+
+.PHONY: install-dependencies
+install-dependencies:
+	curl -L "$(SGX_REPO_URL)/intel-sgx-deb.key" | sudo apt-key add - && \
+	echo "deb [arch=amd64] $(SGX_REPO_URL) jammy main" \
+		| sudo tee /etc/apt/sources.list.d/intel-sgx.list && \
+	sudo apt-get update && \
+	sudo apt-get install -y \
+		protobuf-compiler \
+		clang \
+		libtss2-dev \
+		libtdx-attest-dev \
+		libsgx-dcap-quote-verify-dev \
+		libsgx-dcap-default-qpl
+
+$(RESTFUL_BIN) $(GRPC_BIN):
+	cd $(PROJECT_DIR) && $(MAKE) build && $(MAKE) install
+
+restful.pid: $(RESTFUL_BIN)
+	@printf "${BOLD}start restful-coco-as${SGR0}\n"
+	{ \
+		RUST_LOG=info \
+		$(RESTFUL_BIN) --socket 127.0.0.1:8080 \
+		& echo $$! > $@; \
+	} && \
+	sleep 2
+
+grpc.pid: $(GRPC_BIN)
+	@printf "${BOLD}start grpc-coco-as${SGR0}\n"
+	{ \
+		RUST_LOG=info \
+		$(GRPC_BIN) --socket 127.0.0.1:50004 \
+		& echo $$! > $@; \
+	} && \
+	sleep 2
+
+$(RESTFUL_REQUEST): $(RESTFUL_REQUEST).template
+	sed -e "s/%RESTFUL_TEE_ENUM%/$(RESTFUL_TEE_ENUM)/g" \
+		-e "s/%RUNTIME_DATA%/$(RAW_RUNTIME_DATA)/g" \
+		-e "s/%EVIDENCE%/$(EVIDENCE)/g" \
+		$(RESTFUL_REQUEST).template > $(RESTFUL_REQUEST)
+
+.PHONY: restful-test
+restful-test: restful.pid $(RESTFUL_REQUEST)
+	curl -k -X POST http://127.0.0.1:8080/attestation \
+     -i \
+     -H 'Content-Type: application/json' \
+     -d @$(RESTFUL_REQUEST)
+
+$(GRPC_REQUEST): $(GRPC_REQUEST).template
+	sed -e "s/%GRPC_TEE_ENUM%/$(GRPC_TEE_ENUM)/g" \
+		-e "s/%RUNTIME_DATA%/$(RAW_RUNTIME_DATA)/g" \
+		-e "s/%EVIDENCE%/$(EVIDENCE)/g" \
+		$(GRPC_REQUEST).template > $(GRPC_REQUEST)
+
+.PHONY: grpc-test
+grpc-test: grpc.pid $(GRPC_REQUEST)
+	echo $$(cat $(GRPC_REQUEST)) \
+	| grpcurl -plaintext -import-path ../../protos -proto ../../protos/attestation.proto -d @ 127.0.0.1:50004 attestation.AttestationService/AttestationEvaluate
+
+.PHONY: stop-restful-as
+stop-restful-as: restful.pid
+	@printf "${BOLD}stop restful-as${SGR0}\n"
+	kill $$(cat $<) && rm $<
+	rm -rf $(AS_CACHE_PATH)
+
+.PHONY: stop-grpc-as
+stop-grpc-as: grpc.pid
+	@printf "${BOLD}stop grpc-as${SGR0}\n"
+	kill $$(cat $<) && rm $<
+	rm -rf $(AS_CACHE_PATH)
+
+.PHONY: e2e-restful-test
+e2e-restful-test: restful-test stop-restful-as
+
+.PHONY: e2e-grpc-test
+e2e-grpc-test: grpc-test stop-grpc-as
+
+.PHONY: clean
+clean:
+	rm -f \
+		$(RESTFUL_BIN) \
+		$(GRPC_BIN) \
+		grpc.pid \
+		restful.pid \
+		$(RESTFUL_REQUEST) \
+		$(GRPC_REQUEST)

attestation-service/tests/e2e/evidence.json

@@ -0,0 +1 @@
+{"attestation_report":{"version":2,"guest_svn":4,"policy":196639,"family_id":[1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"image_id":[2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"vmpl":0,"sig_algo":1,"current_tcb":{"bootloader":3,"tee":0,"_reserved":[0,0,0,0],"snp":8,"microcode":206},"plat_info":1,"_author_key_en":0,"_reserved_0":0,"report_data":[236,108,82,215,83,60,194,196,244,91,231,132,156,241,18,171,130,178,0,159,231,189,67,231,30,208,140,20,64,10,215,226,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"measurement":[161,243,147,4,19,36,123,179,140,252,23,21,121,234,60,18,213,254,73,1,240,199,146,246,63,215,93,152,241,239,130,124,35,80,6,68,224,230,146,230,190,145,127,144,80,211,211,140],"host_data":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"id_key_digest":[3,86,33,88,130,168,37,39,154,133,179,0,176,183,66,147,29,17,59,247,227,45,222,46,80,255,222,126,199,67,202,73,30,205,215,243,54,220,40,166,224,178,187,87,175,122,68,163],"author_key_digest":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"report_id":[56,94,186,129,33,109,228,119,101,72,252,184,111,142,173,3,193,235,201,43,98,7,243,33,13,156,206,187,137,201,144,5],"report_id_ma":[255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255],"reported_tcb":{"bootloader":3,"tee":0,"_reserved":[0,0,0,0],"snp":8,"microcode":115},"_reserved_1":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"chip_id":[195,132,39,163,13,76,122,249,217,111,122,21,185,114,105,130,90,100,203,118,162,53,47,253,93,24,17,93,137,173,71,63,142,140,11,205,154,93,146,134,97,43,173,74,173,251,68,38,32,90,59,158,79,234,130,48,17,53,161,112,228,119,82,78],"committed_tcb":{"bootloader":3,"tee":0,"_reserved":[0,0,0,0],"snp":8,"microcode":115},"current_build":4,"current_minor":52,"current_major":1,"_reserved_2":0,"committed_build":4,"committed_minor":52,"committed_major":1,"_reserved_3":0,"launch_tcb":{"bootloader":3,"tee":0,"_reserved":[0,0,0,0],"snp":8,"microcode":115},"_reserved_4":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"signature":{"r":[6,235,220,79,78,65,67,204,98,254,21,185,242,209,236,45,84,212,171,23,102,158,81,40,34,22,22,94,179,27,95,89,225,98,1,170,220,164,251,220,217,65,241,50,104,57,8,80,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s":[64,99,120,212,26,38,98,60,91,173,154,184,206,152,214,205,49,67,144,43,145,107,199,163,52,188,209,106,129,214,199,20,161,48,86,167,146,20,181,188,85,112,249,181,20,93,207,228,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"_reserved":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]}},"cert_chain":[{"cert_type":"VCEK","data":[48,130,5,76,48,130,2,251,160,3,2,1,2,2,1,0,48,70,6,9,42,134,72,134,247,13,1,1,10,48,57,160,15,48,13,6,9,96,134,72,1,101,3,4,2,2,5,0,161,28,48,26,6,9,42,134,72,134,247,13,1,1,8,48,13,6,9,96,134,72,1,101,3,4,2,2,5,0,162,3,2,1,48,163,3,2,1,1,48,123,49,20,48,18,6,3,85,4,11,12,11,69,110,103,105,110,101,101,114,105,110,103,49,11,48,9,6,3,85,4,6,19,2,85,83,49,20,48,18,6,3,85,4,7,12,11,83,97,110,116,97,32,67,108,97,114,97,49,11,48,9,6,3,85,4,8,12,2,67,65,49,31,48,29,6,3,85,4,10,12,22,65,100,118,97,110,99,101,100,32,77,105,99,114,111,32,68,101,118,105,99,101,115,49,18,48,16,6,3,85,4,3,12,9,83,69,86,45,77,105,108,97,110,48,30,23,13,50,51,48,49,50,52,49,55,53,56,50,54,90,23,13,51,48,48,49,50,52,49,55,53,56,50,54,90,48,122,49,20,48,18,6,3,85,4,11,12,11,69,110,103,105,110,101,101,114,105,110,103,49,11,48,9,6,3,85,4,6,19,2,85,83,49,20,48,18,6,3,85,4,7,12,11,83,97,110,116,97,32,67,108,97,114,97,49,11,48,9,6,3,85,4,8,12,2,67,65,49,31,48,29,6,3,85,4,10,12,22,65,100,118,97,110,99,101,100,32,77,105,99,114,111,32,68,101,118,105,99,101,115,49,17,48,15,6,3,85,4,3,12,8,83,69,86,45,86,67,69,75,48,118,48,16,6,7,42,134,72,206,61,2,1,6,5,43,129,4,0,34,3,98,0,4,198,97,181,101,187,168,1,2,189,221,68,145,201,148,28,179,42,27,125,182,128,18,130,132,16,183,255,140,173,253,112,229,73,183,91,120,179,205,214,92,205,235,168,134,210,238,161,212,29,12,63,20,108,142,189,214,132,82,206,126,195,12,105,9,103,195,158,98,76,1,15,156,182,6,106,128,49,10,135,83,106,148,235,174,41,194,170,217,128,22,19,151,19,31,187,7,163,130,1,22,48,130,1,18,48,16,6,9,43,6,1,4,1,156,120,1,1,4,3,2,1,0,48,23,6,9,43,6,1,4,1,156,120,1,2,4,10,22,8,77,105,108,97,110,45,66,48,48,17,6,10,43,6,1,4,1,156,120,1,3,1,4,3,2,1,3,48,17,6,10,43,6,1,4,1,156,120,1,3,2,4,3,2,1,0,48,17,6,10,43,6,1,4,1,156,120,1,3,4,4,3,2,1,0,48,17,6,10,43,6,1,4,1,156,120,1,3,5,4,3,2,1,0,48,17,6,10,43,6,1,4,1,156,120,1,3,6,4,3,2,1,0,48,17,6,10,43,6,1,4,1,156,120,1,3,7,4,3,2,1,0,48,17,6,10,43,6,1,4,1,156,120,1,3,3,4,3,2,1,8,48,17,6,10,43,6,1,4,1,156,120,1,3,8,4,3,2,1,115,48,77,6,9,43,6,1,4,1,156,120,1,4,4,64,195,132,39,163,13,76,122,249,217,111,122,21,185,114,105,130,90,100,203,118,162,53,47,253,93,24,17,93,137,173,71,63,142,140,11,205,154,93,146,134,97,43,173,74,173,251,68,38,32,90,59,158,79,234,130,48,17,53,161,112,228,119,82,78,48,70,6,9,42,134,72,134,247,13,1,1,10,48,57,160,15,48,13,6,9,96,134,72,1,101,3,4,2,2,5,0,161,28,48,26,6,9,42,134,72,134,247,13,1,1,8,48,13,6,9,96,134,72,1,101,3,4,2,2,5,0,162,3,2,1,48,163,3,2,1,1,3,130,2,1,0,2,128,38,162,247,31,3,1,108,215,255,98,30,148,213,166,138,219,132,5,40,170,244,47,94,14,112,68,114,68,24,138,64,33,61,171,31,106,9,232,88,80,45,42,239,217,89,50,135,139,224,76,110,18,176,179,0,82,241,109,6,215,44,34,113,69,134,151,56,160,35,139,93,199,23,245,96,18,114,10,132,210,54,203,18,108,169,136,135,152,222,152,23,235,188,128,104,215,33,29,249,238,122,100,147,29,132,223,30,251,21,148,110,250,47,80,45,191,236,57,123,233,252,192,104,0,139,74,138,217,82,254,87,60,156,10,95,1,14,30,142,197,33,196,68,142,134,103,249,242,163,37,57,230,117,119,30,208,176,250,245,17,235,250,191,156,123,33,59,246,9,138,223,86,200,244,54,34,38,130,248,45,225,157,93,157,224,48,229,67,71,83,167,14,139,57,148,224,92,87,234,174,39,162,110,142,152,7,119,216,55,73,174,195,187,186,110,176,63,69,117,170,125,242,135,25,178,84,95,22,49,98,255,253,152,117,83,56,48,166,234,232,140,41,96,208,126,216,240,132,40,208,187,73,246,206,54,6,88,38,227,217,156,207,240,86,33,18,253,195,251,49,147,73,212,165,10,4,143,114,135,164,230,149,43,25,100,231,37,24,155,235,58,192,89,138,100,215,164,4,227,116,211,45,114,91,138,194,160,20,83,54,16,153,78,219,127,100,204,116,229,242,3,216,135,231,2,41,143,89,22,24,77,85,184,80,3,76,162,11,145,55,58,47,50,243,57,96,168,124,188,95,162,120,83,181,32,237,204,139,255,185,233,121,227,177,153,170,175,171,85,27,230,34,39,132,184,75,195,17,60,46,162,137,31,87,170,174,220,63,253,42,228,171,247,24,179,158,97,32,199,41,238,119,247,249,219,152,233,164,147,28,15,250,31,109,12,84,102,225,138,189,189,223,223,60,190,104,188,106,137,218,23,238,7,26,217,119,125,143,37,50,229,143,252,223,230,77,111,62,15,103,31,53,80,156,215,84,143,64,4,72,124,255,24,165,1,56,117,103,19,158,61,48,73,140,222,229,130,189,37,94,210,152,141,95,248,223,44,177,129,70,43,92,214,82,160,180,134,217,210,194,43,217,163,142,182,143,141,171,183,225]}]}

attestation-service/tests/e2e/grpc-request.json.template

@@ -0,0 +1,6 @@
+{
+    "tee": "%GRPC_TEE_ENUM%",
+    "evidence": "%EVIDENCE%",
+    "raw_runtime_data": "%RUNTIME_DATA%",
+    "policy_ids": []
+}

attestation-service/tests/e2e/restful-request.json.template

@@ -0,0 +1,8 @@
+{
+    "tee": "%RESTFUL_TEE_ENUM%",
+    "evidence": "%EVIDENCE%",
+    "runtime_data": {
+        "raw": "%RUNTIME_DATA%"
+    },
+    "policy_ids": []
+}