Merge pull request #624 from fitzthum/unhardcode-claims

token: avoid hard-coding ear claim names
confidential-containers · Dec 13, 2024 · 28698a9 · 28698a9
2 parents ce9a0a2 + fd18d7e
commit 28698a9
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 35 deletions.
diff --git a/attestation-service/src/policy_engine/mod.rs b/attestation-service/src/policy_engine/mod.rs
@@ -97,7 +97,7 @@ pub trait PolicyEngine: Send + Sync {
         data: &str,
         input: &str,
         policy_id: &str,
-        evaluation_rules: &[&str],
+        evaluation_rules: Vec<String>,
     ) -> Result<EvaluationResult, PolicyError>;
 
     async fn set_policy(&self, policy_id: String, policy: String) -> Result<(), PolicyError>;

diff --git a/attestation-service/src/policy_engine/opa/mod.rs b/attestation-service/src/policy_engine/opa/mod.rs
@@ -55,7 +55,7 @@ impl PolicyEngine for OPA {
         data: &str,
         input: &str,
         policy_id: &str,
-        evaluation_rules: &[&str],
+        evaluation_rules: Vec<String>,
     ) -> Result<EvaluationResult, PolicyError> {
         let policy_dir_path = self
             .policy_dir_path
@@ -192,22 +192,12 @@ impl PolicyEngine for OPA {
 
 #[cfg(test)]
 mod tests {
+    use ear::TrustVector;
     use rstest::rstest;
     use serde_json::json;
 
     use super::*;
 
-    const EAR_RULES: [&str; 8] = [
-        "instance_identity",
-        "configuration",
-        "executables",
-        "file_system",
-        "hardware",
-        "runtime_opaque",
-        "storage_opaque",
-        "sourced_data",
-    ];
-
     fn dummy_reference(svn: u64, launch_digest: String) -> String {
         json!({
             "reference": {
@@ -247,12 +237,17 @@ mod tests {
         };
         let default_policy_id = "ear_default_policy".to_string();
 
+        let ear_rules = TrustVector::new()
+            .into_iter()
+            .map(|c| c.tag().to_string())
+            .collect();
+
         let output = opa
             .evaluate(
                 &dummy_reference(svn_a, digest_a),
                 &dummy_input(svn_b, digest_b),
                 &default_policy_id,
-                &EAR_RULES,
+                ear_rules,
             )
             .await
             .unwrap();

diff --git a/attestation-service/src/token/ear_broker.rs b/attestation-service/src/token/ear_broker.rs
@@ -8,7 +8,8 @@ use anyhow::*;
 use base64::engine::general_purpose::URL_SAFE_NO_PAD;
 use base64::Engine;
 use ear::{
-    Algorithm, Appraisal, Ear, ExtensionKind, ExtensionValue, Extensions, RawValue, VerifierID,
+    Algorithm, Appraisal, Ear, ExtensionKind, ExtensionValue, Extensions, RawValue, TrustVector,
+    VerifierID,
 };
 use jsonwebtoken::jwk;
 use kbs_types::Tee;
@@ -39,17 +40,6 @@ pub const DEFAULT_DEVELOPER_NAME: &str = "https://confidentialcontainers.org";
 
 const DEFAULT_POLICY_DIR: &str = concatcp!(DEFAULT_TOKEN_WORK_DIR, "/ear/policies");
 
-const RULES: [&str; 8] = [
-    "instance_identity",
-    "configuration",
-    "executables",
-    "file_system",
-    "hardware",
-    "runtime_opaque",
-    "storage_opaque",
-    "sourced_data",
-];
-
 #[derive(Deserialize, Debug, Clone, PartialEq)]
 pub struct TokenSignerConfig {
     pub key_path: String,
@@ -244,14 +234,13 @@ impl AttestationTokenBroker for EarAttestationTokenBroker {
             bail!("No policy is given for EAR token generation.");
         }
 
+        let rules = TrustVector::new()
+            .into_iter()
+            .map(|c| c.tag().to_string())
+            .collect();
         let policy_results = self
             .policy_engine
-            .evaluate(
-                &reference_data,
-                &tcb_claims_json,
-                &policy_ids[0],
-                &RULES[..],
-            )
+            .evaluate(&reference_data, &tcb_claims_json, &policy_ids[0], rules)
             .await?;
 
         let mut appraisal = Appraisal::new();

diff --git a/attestation-service/src/token/simple.rs b/attestation-service/src/token/simple.rs
@@ -40,8 +40,6 @@ const SIMPLE_TOKEN_ALG: &str = "RS384";
 
 const DEFAULT_POLICY_DIR: &str = concatcp!(DEFAULT_TOKEN_WORK_DIR, "/simple/policies");
 
-const RULES: &str = "allow";
-
 #[derive(Deserialize, Debug, Clone, PartialEq)]
 pub struct TokenSignerConfig {
     pub key_path: String,
@@ -221,11 +219,13 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker {
         let reference_data = serde_json::to_string(&reference_data)?;
         let tcb_claims = serde_json::to_string(&flattened_claims)?;
 
+        let rules = vec!["allow".to_string()];
+
         let mut policies = HashMap::new();
         for policy_id in policy_ids {
             let policy_results = self
                 .policy_engine
-                .evaluate(&reference_data, &tcb_claims, &policy_id, &[RULES])
+                .evaluate(&reference_data, &tcb_claims, &policy_id, rules.clone())
                 .await?;
 
             // TODO add policy allowlist