Bump Coco Attestation Service Version (#59)

Bumps attestation service version from e52be89 to 1fdd67d, attestation agent bumped to a compatible version.

crates/enclave-server/Cargo.toml

@@ -14,8 +14,9 @@ name = "seismic_enclave_server"
 path = "src/lib.rs"
 
 [dependencies]
-attestation-agent = { git = "https://github.com/confidential-containers/guest-components", features = ["az-tdx-vtpm-attester"] }
-attestation-service = { git = "https://github.com/confidential-containers/trustee"}
+# attestation-service depends on attestation-agent, ensure versions are compatible when updating
+attestation-service = { git = "https://github.com/confidential-containers/trustee", features = ["all-verifier"], rev="1fdd67d"}
+attestation-agent = { git = "https://github.com/confidential-containers/guest-components", features = ["az-tdx-vtpm-attester"], rev="e6999a3"}
 seismic-enclave = { path = "../enclave" }
 
 aes-gcm.workspace = true

crates/enclave-server/src/coco_aa/handlers.rs

@@ -88,7 +88,7 @@ mod tests {
         let res: Response<Body> = attestation_get_evidence_handler(req).await.unwrap();
 
         // Check that the response status is 200 OK
-        assert_eq!(res.status(), StatusCode::OK);
+        assert_eq!(res.status(), StatusCode::OK, "{res:?}");
 
         // Parse and check the response body
         let body = hyper::body::to_bytes(res.into_body()).await.unwrap();

crates/enclave-server/src/coco_as/handlers.rs

@@ -72,6 +72,7 @@ pub async fn attestation_eval_evidence_handler(
         evaluate_request.policy_ids,
     )
     .await;
+    println!("eval_result.is_err(): {:?}", eval_result.is_err());
 
     let as_token: String = match eval_result {
         Ok(as_token) => as_token,
@@ -80,6 +81,9 @@ pub async fn attestation_eval_evidence_handler(
         }
     };
 
+    // println!("{as_token}");
+    // assert!(false);
+
     let claims: ASCoreTokenClaims = parse_as_token_claims(&as_token)
         .map_err(|e| format!("Error while parsing AS token: {:?}", e))
         .unwrap();
@@ -110,19 +114,20 @@ mod tests {
             Ok(path) => println!("Current directory: {}", path.display()),
             Err(e) => eprintln!("Error getting current directory: {}", e),
         }
-        let ex_token_path = "../../examples/as_token.txt";
+        let ex_token_path = "../../examples/as_token.txt"; // assumes tests are run from enclaver-server dir
         let ex_token = std::fs::read_to_string(ex_token_path).unwrap();
 
         let claims = parse_as_token_claims(&ex_token).unwrap();
 
         assert_eq!(claims.tee, "aztdxvtpm");
         let evaluation_reports = serde_json::to_string(&claims.evaluation_reports).unwrap();
-        assert_eq!(evaluation_reports, "[{\"policy-hash\":\"61792a819cb38c3bda3026ddcc0300685e01bfb9e77eee0122af0064cd4880a6475c9a9fb6001cca2fcaddcea24bb1bf\",\"policy-id\":\"allow_any\"}]");
+        assert_eq!(evaluation_reports, "[{\"policy-hash\":\"b3b555df21b9e952384aec5e81e03e53ca82741da3c5d055ccdb6ba5a85dcc2e6fd1196819dc3c26d09471735275b30a\",\"policy-id\":\"yocto\"}]");
+        let tcb_status_map: serde_json::Map<String, Value> =
+            serde_json::from_str(&claims.tcb_status).unwrap();
         assert_eq!(
-            claims.tcb_status.get("aztdxvtpm.quote.body.mr_td"),
+            tcb_status_map.get("aztdxvtpm.quote.body.mr_td"),
             Some(&Value::String("bb379f8e734a755832509f61403f99db2258a70a01e1172a499d6d364101b0675455b4e372a35c1f006541f2de0d7154".to_string()))
         );
-        assert!(claims.reference_data.is_empty());
         assert_eq!(claims.customized_claims.init_data, Value::Null);
         assert_eq!(claims.customized_claims.runtime_data, Value::Null);
     }
@@ -191,7 +196,7 @@ mod tests {
         let res: Response<Body> = attestation_eval_evidence_handler(req).await.unwrap();
 
         // Check that the response status is 200 OK
-        assert_eq!(res.status(), StatusCode::OK);
+        assert_eq!(res.status(), StatusCode::OK, "{res:?}");
 
         // Parse and check the response body
         let body = hyper::body::to_bytes(res.into_body()).await.unwrap();
@@ -201,7 +206,9 @@ mod tests {
         assert!(eval_evidence_response.eval);
         let claims = eval_evidence_response.claims.unwrap();
         assert_eq!(claims.tee, "sample");
-        assert_eq!(claims.tcb_status["report_data"], "bm9uY2U=");
+        let tcb_status_map: serde_json::Map<String, Value> =
+            serde_json::from_str(&claims.tcb_status).unwrap();
+        assert_eq!(tcb_status_map["report_data"], "bm9uY2U=");
     }
 
     #[tokio::test]
@@ -248,7 +255,7 @@ mod tests {
         let res: Response<Body> = attestation_eval_evidence_handler(req).await.unwrap();
 
         // Check that the response status is 200 OK
-        assert_eq!(res.status(), StatusCode::OK);
+        assert_eq!(res.status(), StatusCode::OK, "{res:?}");
 
         // Parse and check the response body
         let body = hyper::body::to_bytes(res.into_body()).await.unwrap();
@@ -261,11 +268,12 @@ mod tests {
         assert_eq!(claims.tee, "aztdxvtpm");
         let evaluation_reports = serde_json::to_string(&claims.evaluation_reports).unwrap();
         assert_eq!(evaluation_reports, "[{\"policy-hash\":\"fbb1cf91bb453d7c89b04cbc8d727dc142c47d84c5c9c2012b8c86d4d1892874743a63f7448e592ca6bee9cfeb286732\",\"policy-id\":\"allow\"}]");
+        let tcb_status_map: serde_json::Map<String, Value> =
+            serde_json::from_str(&claims.tcb_status).unwrap();
         assert_eq!(
-            claims.tcb_status.get("aztdxvtpm.quote.body.mr_td"),
+            tcb_status_map.get("aztdxvtpm.quote.body.mr_td"),
             Some(&Value::String("bb379f8e734a755832509f61403f99db2258a70a01e1172a499d6d364101b0675455b4e372a35c1f006541f2de0d7154".to_string()))
         );
-        assert!(claims.reference_data.is_empty());
         assert_eq!(claims.customized_claims.init_data, Value::Null);
         assert_eq!(claims.customized_claims.runtime_data, Value::Null);
     }
@@ -317,6 +325,7 @@ mod tests {
     #[tokio::test]
     #[serial(attestation_service)]
     async fn test_eval_evidence_az_tdx_tpm_pcr04() {
+        println!("starting test_eval_evidence_az_tdx_tpm_pcr04");
         // handle set up permissions
         if !is_sudo() {
             eprintln!("test_eval_evidence_az_tdx_tpm_pcr04: skipped (requires sudo privileges)");
@@ -329,17 +338,18 @@ mod tests {
 
         // Make a passing request to validate using a policy that checks mr_td, mr_seam, and pcr04
         let az_tdx_evidence: Vec<u8> =
-            read_vector_txt("../../examples/yocto_20241023223507.txt".to_string()).unwrap();
+            read_vector_txt("../../examples/yocto_20241023223507.txt".to_string()).unwrap(); // assumes tests are run from enclaver-server dir
         let runtime_data_bytes = vec![
             240, 30, 194, 3, 67, 143, 162, 40, 249, 35, 238, 193, 59, 140, 203, 3, 98, 144, 105,
             221, 209, 34, 207, 229, 52, 61, 58, 14, 102, 234, 146, 8,
         ];
+        let test_policy_id = "yocto".to_string();
         let tdx_eval_request = AttestationEvalEvidenceRequest {
             evidence: az_tdx_evidence,
             tee: Tee::AzTdxVtpm,
             runtime_data: Some(Data::Raw(runtime_data_bytes)),
             runtime_data_hash_algorithm: None,
-            policy_ids: vec!["yocto".to_string()],
+            policy_ids: vec![test_policy_id.clone()],
         };
 
         let payload_json = serde_json::to_string(&tdx_eval_request).unwrap();
@@ -380,6 +390,10 @@ mod tests {
         assert_eq!(res.status(), StatusCode::BAD_REQUEST, "{res:?}");
         let body = hyper::body::to_bytes(res.into_body()).await.unwrap();
         let body_str = String::from_utf8_lossy(&body);
-        assert!(body_str.contains("Policy evaluation denied"));
+        let expected_err_msg = format!("Reject by policy {test_policy_id}");
+        assert!(
+            body_str.contains(&expected_err_msg),
+            "Response does not contain expected message. Expected to see: \"{expected_err_msg}\", Was: {body_str}"
+        );
     }
 }

crates/enclave-server/src/genesis/handlers.rs

@@ -60,7 +60,7 @@ mod tests {
         let res: Response<Body> = genesis_get_data_handler(req).await.unwrap();
 
         // Check that the response status is 200 OK
-        assert_eq!(res.status(), StatusCode::OK);
+        assert_eq!(res.status(), StatusCode::OK, "{res:?}");
 
         // Parse and check the response body
         let body_bytes = hyper::body::to_bytes(res.into_body()).await.unwrap();
@@ -95,7 +95,7 @@ mod tests {
             .body(Body::empty())
             .unwrap();
         let res: Response<Body> = genesis_get_data_handler(req).await.unwrap();
-        assert_eq!(res.status(), StatusCode::OK);
+        assert_eq!(res.status(), StatusCode::OK, "{res:?}");
         let body_bytes = hyper::body::to_bytes(res.into_body()).await.unwrap();
         let genesis_data_response: GenesisDataResponse =
             serde_json::from_slice(&body_bytes).unwrap();
@@ -121,7 +121,7 @@ mod tests {
         let res: Response<Body> = attestation_eval_evidence_handler(req).await.unwrap();
 
         // Check that the eval evidence response
-        assert_eq!(res.status(), StatusCode::OK);
+        assert_eq!(res.status(), StatusCode::OK, "{res:?}");
         // Parse and check the response body
         let body = hyper::body::to_bytes(res.into_body()).await.unwrap();
         let eval_evidence_response: AttestationEvalEvidenceResponse =

crates/enclave-server/src/lib.rs

@@ -51,7 +51,19 @@ pub async fn init_coco_as(config: Option<Config>) -> Result<()> {
         return Ok(());
     }
 
-    let config = config.unwrap_or_default();
+    let mut config = config.unwrap_or_default();
+
+    // set stuff for attestation token broker
+    use attestation_service::token::AttestationTokenConfig;
+    // use attestation_service::token::ear_broker;
+    use attestation_service::token::simple;
+    config.attestation_token_broker =
+        AttestationTokenConfig::Simple(simple::Configuration::default());
+    println!(
+        "attestation token broker: {:?}",
+        config.attestation_token_broker
+    );
+    // done
 
     // Initialize the AttestationService
     let coco_as = AttestationService::new(config)

crates/enclave-server/src/snapsync/handlers.rs

@@ -138,7 +138,7 @@ mod tests {
             .body(Body::from(payload_json))
             .unwrap();
         let res: Response<Body> = provide_snapsync_handler(req).await.unwrap();
-        assert_eq!(res.status(), StatusCode::OK);
+        assert_eq!(res.status(), StatusCode::OK, "{res:?}");
 
         let body_bytes = hyper::body::to_bytes(res.into_body()).await.unwrap();
         let snapsync_response: SnapSyncResponse = serde_json::from_slice(&body_bytes).unwrap();

crates/enclave-server/src/utils/runners.rs

@@ -1,6 +1,7 @@
 //! This file has cargo tests so I can
 //! one click run them and see the output
 //! They are for dev convenience only
+//! and should be ignored in automated testing workflows
 
 use super::tdx_evidence_helpers::get_tdx_evidence_claims;
 use anyhow::Ok;

crates/enclave/src/request_types/coco_as.rs

@@ -2,9 +2,7 @@ use kbs_types::Tee;
 use serde::de::{self, MapAccess, Visitor};
 use serde::ser::SerializeStruct;
 use serde::{Deserialize, Deserializer, Serialize, Serializer};
-use serde_json::Map;
 use serde_json::Value;
-use std::collections::HashMap;
 use std::fmt;
 use std::str::FromStr;
 use strum::{AsRefStr, Display, EnumString};
@@ -101,10 +99,7 @@ pub struct ASCoreTokenClaims {
     pub evaluation_reports: Vec<Value>,
 
     #[serde(rename = "tcb-status")]
-    pub tcb_status: Map<String, Value>,
-
-    #[serde(rename = "reference-data")]
-    pub reference_data: HashMap<String, Vec<String>>,
+    pub tcb_status: String,
 
     pub customized_claims: ASCustomizedClaims,
 }