Merge pull request #402 from IABTechLab/mkc-UID2-4963-remove-azure-cc-aks-attestation

Revert "UID2-4808 Add AKS protocol for `AzureCCCoreAttestationService`" (#374)

Author: mcollins-ttd

src/main/java/com/uid2/shared/secure/AzureCCCoreAttestationService.java

@@ -25,38 +25,34 @@ public class AzureCCCoreAttestationService implements ICoreAttestationService {
 
     private final IPolicyValidator policyValidator;
 
-    private final String azureCcProtocol;
-
-    public AzureCCCoreAttestationService(String maaServerBaseUrl, String attestationUrl, String azureCcProtocol) {
-        this(new MaaTokenSignatureValidator(maaServerBaseUrl), new PolicyValidator(attestationUrl), azureCcProtocol);
+    public AzureCCCoreAttestationService(String maaServerBaseUrl, String attestationUrl) {
+        this(new MaaTokenSignatureValidator(maaServerBaseUrl), new PolicyValidator(attestationUrl));
     }
 
     // used in UT
-    protected AzureCCCoreAttestationService(IMaaTokenSignatureValidator tokenSignatureValidator, IPolicyValidator policyValidator, String azureCcProtocol) {
+    protected AzureCCCoreAttestationService(IMaaTokenSignatureValidator tokenSignatureValidator, IPolicyValidator policyValidator) {
         this.tokenSignatureValidator = tokenSignatureValidator;
         this.policyValidator = policyValidator;
-        this.azureCcProtocol = azureCcProtocol;
     }
 
     @Override
     public void attest(byte[] attestationRequest, byte[] publicKey, Handler<AsyncResult<AttestationResult>> handler) {
         try {
             var tokenString = new String(attestationRequest, StandardCharsets.US_ASCII);
 
-            log.debug("Attesting for {} operator...", azureCcProtocol);
             log.debug("Validating signature...");
-            var tokenPayload = tokenSignatureValidator.validate(tokenString, azureCcProtocol);
+            var tokenPayload = tokenSignatureValidator.validate(tokenString);
 
             log.debug("Validating policy...");
             var encodedPublicKey = Utils.toBase64String(publicKey);
 
             var enclaveId = policyValidator.validate(tokenPayload, encodedPublicKey);
 
             if (allowedEnclaveIds.contains(enclaveId)) {
-                log.info("Successfully attested {} against registered enclaves, enclave id: {}", azureCcProtocol, enclaveId);
+                log.info("Successfully attested azure-cc against registered enclaves, enclave id: {}", enclaveId);
                 handler.handle(Future.succeededFuture(new AttestationResult(publicKey, enclaveId)));
             } else {
-                log.warn("Got unsupported {} enclave id: {}", azureCcProtocol, enclaveId);
+                log.warn("Got unsupported azure-cc enclave id: {}", enclaveId);
                 handler.handle(Future.succeededFuture(new AttestationResult(AttestationFailure.FORBIDDEN_ENCLAVE)));
             }
         }

src/main/java/com/uid2/shared/secure/azurecc/IMaaTokenSignatureValidator.java

@@ -10,5 +10,5 @@ public interface IMaaTokenSignatureValidator {
      * @return Parsed token payload.
      * @throws AttestationException
      */
-    MaaTokenPayload validate(String tokenString, String protocol) throws AttestationException;
+    MaaTokenPayload validate(String tokenString) throws AttestationException;
 }

src/main/java/com/uid2/shared/secure/azurecc/MaaTokenPayload.java

@@ -1,23 +1,14 @@
 package com.uid2.shared.secure.azurecc;
 
-import com.uid2.shared.secure.AttestationClientException;
-import com.uid2.shared.secure.AttestationException;
-import com.uid2.shared.secure.AttestationFailure;
 import lombok.Builder;
 import lombok.Value;
 
 @Value
 @Builder(toBuilder = true)
 public class MaaTokenPayload {
     public static final String SEV_SNP_VM_TYPE = "sevsnpvm";
-    public static final String AZURE_CC_ACI_PROTOCOL = "azure-cc";
-    public static final String AZURE_CC_AKS_PROTOCOL = "azure-cc-aks";
-    // the `x-ms-compliance-status` value for ACI CC
     public static final String AZURE_COMPLIANT_UVM = "azure-compliant-uvm";
-    // the `x-ms-compliance-status` value for AKS CC
-    public static final String AZURE_COMPLIANT_UVM_AKS = "azure-signed-katacc-uvm";
 
-    private String azureProtocol;
     private String attestationType;
     private String complianceStatus;
     private boolean vmDebuggable;
@@ -29,13 +20,7 @@ public boolean isSevSnpVM(){
         return SEV_SNP_VM_TYPE.equalsIgnoreCase(attestationType);
     }
 
-    public boolean isUtilityVMCompliant() throws AttestationClientException {
-        if (azureProtocol == AZURE_CC_ACI_PROTOCOL) {
-            return AZURE_COMPLIANT_UVM.equalsIgnoreCase(complianceStatus);
-        } else if (azureProtocol == AZURE_CC_AKS_PROTOCOL) {
-            return AZURE_COMPLIANT_UVM_AKS.equalsIgnoreCase(complianceStatus);
-        } else {
-            throw new AttestationClientException(String.format("Azure protocol: %s not supported", azureProtocol), AttestationFailure.INVALID_PROTOCOL);
-        }
+    public boolean isUtilityVMCompliant(){
+        return AZURE_COMPLIANT_UVM.equalsIgnoreCase(complianceStatus);
     }
 }

src/main/java/com/uid2/shared/secure/azurecc/MaaTokenSignatureValidator.java

@@ -15,6 +15,7 @@
 import static com.uid2.shared.secure.JwtUtils.tryGetField;
 
 public class MaaTokenSignatureValidator implements IMaaTokenSignatureValidator {
+
     // set to true to facilitate local test.
     public static final boolean BYPASS_SIGNATURE_CHECK = false;
 
@@ -51,7 +52,7 @@ private TokenVerifier buildTokenVerifier(String kid) throws AttestationException
     }
 
     @Override
-    public MaaTokenPayload validate(String tokenString, String protocol) throws AttestationException {
+    public MaaTokenPayload validate(String tokenString) throws AttestationException {
         if (Strings.isNullOrEmpty(tokenString)) {
             throw new IllegalArgumentException("tokenString can not be null or empty");
         }
@@ -76,7 +77,6 @@ public MaaTokenPayload validate(String tokenString, String protocol) throws Atte
 
         var tokenPayloadBuilder = MaaTokenPayload.builder();
 
-        tokenPayloadBuilder.azureProtocol(protocol);
         tokenPayloadBuilder.attestationType(tryGetField(rawPayload, "x-ms-attestation-type", String.class));
         tokenPayloadBuilder.complianceStatus(tryGetField(rawPayload, "x-ms-compliance-status", String.class));
         tokenPayloadBuilder.vmDebuggable(tryGetField(rawPayload, "x-ms-sevsnpvm-is-debuggable", Boolean.class));

src/test/java/com/uid2/shared/secure/AzureCCCoreAttestationServiceTest.java

@@ -9,10 +9,6 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.provider.Arguments;
-import org.junit.jupiter.params.provider.MethodSource;
-import org.junit.jupiter.params.provider.ValueSource;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.mockito.junit.jupiter.MockitoSettings;
@@ -22,7 +18,6 @@
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Base64;
-import java.util.stream.Stream;
 
 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.ArgumentMatchers.any;
@@ -60,27 +55,25 @@ private static byte[] encodeStringUnicodeAttestationEndpoint(String data) {
 
     @BeforeEach
     public void setup() throws AttestationException {
-        when(alwaysPassTokenValidator.validate(any(), any())).thenReturn(VALID_TOKEN_PAYLOAD);
+        when(alwaysPassTokenValidator.validate(any())).thenReturn(VALID_TOKEN_PAYLOAD);
         when(alwaysPassPolicyValidator.validate(any(), any())).thenReturn(ENCLAVE_ID);
     }
 
-    @ParameterizedTest
-    @MethodSource("argumentProvider")
-    public void testHappyPath(String azureProtocol) throws AttestationException {
-        var provider = new AzureCCCoreAttestationService(alwaysPassTokenValidator, alwaysPassPolicyValidator, azureProtocol);
+    @Test
+    public void testHappyPath() throws AttestationException {
+        var provider = new AzureCCCoreAttestationService(alwaysPassTokenValidator, alwaysPassPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {
             assertTrue(ar.succeeded());
             assertTrue(ar.result().isSuccess());
         });
     }
 
-    @ParameterizedTest
-    @MethodSource("argumentProvider")
-    public void testSignatureCheckFailed_ClientError(String azureProtocol) throws AttestationException {
+    @Test
+    public void testSignatureCheckFailed_ClientError() throws AttestationException {
         var errorStr = "token signature validation failed";
-        when(alwaysFailTokenValidator.validate(any(), any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
-        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator, azureProtocol);
+        when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
+        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {
             assertTrue(ar.succeeded());
@@ -89,24 +82,22 @@ public void testSignatureCheckFailed_ClientError(String azureProtocol) throws At
         });
     }
 
-    @ParameterizedTest
-    @MethodSource("argumentProvider")
-    public void testSignatureCheckFailed_ServerError(String azureProtocol) throws AttestationException {
-        when(alwaysFailTokenValidator.validate(any(), any())).thenThrow(new AttestationException("unknown server error"));
-        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator, azureProtocol);
+    @Test
+    public void testSignatureCheckFailed_ServerError() throws AttestationException {
+        when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationException("unknown server error"));
+        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {
             assertFalse(ar.succeeded());
             assertTrue(ar.cause() instanceof AttestationException);
         });
     }
 
-    @ParameterizedTest
-    @MethodSource("argumentProvider")
-    public void testPolicyCheckSuccess_ClientError(String azureProtocol) throws AttestationException {
+    @Test
+    public void testPolicyCheckSuccess_ClientError() throws AttestationException {
         var errorStr = "policy validation failed";
         when(alwaysFailPolicyValidator.validate(any(), any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
-        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysFailPolicyValidator, azureProtocol);
+        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysFailPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {
             assertTrue(ar.succeeded());
@@ -115,22 +106,20 @@ public void testPolicyCheckSuccess_ClientError(String azureProtocol) throws Atte
         });
     }
 
-    @ParameterizedTest
-    @MethodSource("argumentProvider")
-    public void testPolicyCheckFailed_ServerError(String azureProtocol) throws AttestationException {
+    @Test
+    public void testPolicyCheckFailed_ServerError() throws AttestationException {
         when(alwaysFailPolicyValidator.validate(any(), any())).thenThrow(new AttestationException("unknown server error"));
-        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysFailPolicyValidator, azureProtocol);
+        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysFailPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {
             assertFalse(ar.succeeded());
             assertTrue(ar.cause() instanceof AttestationException);
         });
     }
 
-    @ParameterizedTest
-    @MethodSource("argumentProvider")
-    public void testEnclaveNotRegistered(String azureProtocol) throws AttestationException {
-        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator, azureProtocol);
+    @Test
+    public void testEnclaveNotRegistered() throws AttestationException {
+        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator);
         attest(provider, ar -> {
             assertTrue(ar.succeeded());
             assertFalse(ar.result().isSuccess());
@@ -144,11 +133,4 @@ private static void attest(ICoreAttestationService provider, Handler<AsyncResult
                 PUBLIC_KEY.getBytes(StandardCharsets.UTF_8),
                 handler);
     }
-
-    static Stream<Arguments> argumentProvider() {
-        return Stream.of(
-                Arguments.of(MaaTokenPayload.AZURE_CC_ACI_PROTOCOL),
-                Arguments.of(MaaTokenPayload.AZURE_CC_AKS_PROTOCOL)
-        );
-    }
 }

src/test/java/com/uid2/shared/secure/azurecc/MaaTokenSignatureValidatorTest.java

@@ -3,21 +3,17 @@
 import com.uid2.shared.secure.AttestationException;
 import com.uid2.shared.secure.TestClock;
 import org.junit.jupiter.api.Disabled;
-import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.provider.Arguments;
-import org.junit.jupiter.params.provider.MethodSource;
-
-import java.util.stream.Stream;
+import org.junit.jupiter.api.Test;
 
 import static com.uid2.shared.secure.TestUtils.loadFromJson;
 import static com.uid2.shared.secure.azurecc.MaaTokenUtils.validateAndParseToken;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
 public class MaaTokenSignatureValidatorTest {
-    @ParameterizedTest
-    @MethodSource("argumentProvider")
-    public void testPayload(String payloadPath, String protocol) throws Exception {
+    @Test
+    public void testPayload() throws Exception {
         // expire at 1695313895
+        var payloadPath = "/com.uid2.shared/test/secure/azurecc/jwt_payload.json";
         var payload = loadFromJson(payloadPath);
         var clock = new TestClock();
         clock.setCurrentTimeMs(1695313893000L);
@@ -26,7 +22,7 @@ public void testPayload(String payloadPath, String protocol) throws Exception {
         var expectedLocation = "East US";
         var expectedPublicKey = "abc";
 
-        var tokenPayload = validateAndParseToken(payload, clock, protocol);
+        var tokenPayload = validateAndParseToken(payload, clock);
         assertEquals(true, tokenPayload.isSevSnpVM());
         assertEquals(true, tokenPayload.isUtilityVMCompliant());
         assertEquals(false, tokenPayload.isVmDebuggable());
@@ -41,13 +37,6 @@ public void testE2E() throws AttestationException {
         var maaToken = "<Placeholder>";
         var maaServerUrl = "https://sharedeus.eus.attest.azure.net";
         var validator = new MaaTokenSignatureValidator(maaServerUrl);
-        var token = validator.validate(maaToken, MaaTokenPayload.AZURE_CC_ACI_PROTOCOL);
-    }
-
-    static Stream<Arguments> argumentProvider() {
-        return Stream.of(
-                Arguments.of("/com.uid2.shared/test/secure/azurecc/jwt_payload_aci.json", MaaTokenPayload.AZURE_CC_ACI_PROTOCOL),
-                Arguments.of("/com.uid2.shared/test/secure/azurecc/jwt_payload_aks.json", MaaTokenPayload.AZURE_CC_AKS_PROTOCOL)
-        );
+        var token = validator.validate(maaToken);
     }
 }

src/test/java/com/uid2/shared/secure/azurecc/MaaTokenUtils.java

@@ -14,7 +14,7 @@
 public class MaaTokenUtils {
     public static final String MAA_BASE_URL = "https://sharedeus.eus.attest.azure.net";
 
-    public static MaaTokenPayload validateAndParseToken(JsonObject payload, Clock clock, String protocol) throws Exception{
+    public static MaaTokenPayload validateAndParseToken(JsonObject payload, Clock clock) throws Exception{
         var gen = KeyPairGenerator.getInstance(Const.Name.AsymetricEncryptionKeyClass);
         gen.initialize(2048, new SecureRandom());
         var keyPair = gen.generateKeyPair();
@@ -30,7 +30,7 @@ public static MaaTokenPayload validateAndParseToken(JsonObject payload, Clock cl
         var tokenVerifier = new MaaTokenSignatureValidator(MAA_BASE_URL, keyProvider, clock);
 
         // validate token
-        return tokenVerifier.validate(token, protocol);
+        return tokenVerifier.validate(token);
     }
 
     private static class MockKeyProvider implements IPublicKeyProvider {

src/test/java/com/uid2/shared/secure/azurecc/PolicyValidatorTest.java

@@ -97,7 +97,6 @@ private MaaTokenPayload generateBasicPayload() {
                 .vmDebuggable(false)
                 .runtimeData(generateBasicRuntimeData())
                 .ccePolicyDigest(CCE_POLICY_DIGEST)
-                .azureProtocol(MaaTokenPayload.AZURE_CC_ACI_PROTOCOL)
                 .build();
     }
 
@@ -126,53 +125,4 @@ public void testValidationFailure_DifferentAttestationUrl() {
         assertEquals(AttestationFailure.UNKNOWN_ATTESTATION_URL, ((AttestationClientException)t).getAttestationFailure());
 
     }
-
-    @Test
-    public void testValidationFailure_AzureCcWithOtherUvm() {
-        var validator = new PolicyValidator(ATTESTATION_URL);
-        var aksPayload = generateBasicPayload()
-                .toBuilder()
-                .complianceStatus("fake-compliance")
-                .build();
-        Throwable t = assertThrows(AttestationException.class, ()-> validator.validate(aksPayload, PUBLIC_KEY));
-        assertEquals("Not run in Azure Compliance Utility VM", t.getMessage());
-        assertEquals(AttestationFailure.BAD_FORMAT, ((AttestationClientException)t).getAttestationFailure());
-    }
-
-    @Test
-    public void testValidationSuccess_AksWithAzureSignedKataccUvm() throws AttestationClientException {
-        var validator = new PolicyValidator(ATTESTATION_URL);
-        var aksPayload = generateBasicPayload()
-                .toBuilder()
-                .complianceStatus("azure-signed-katacc-uvm")
-                .azureProtocol(MaaTokenPayload.AZURE_CC_AKS_PROTOCOL)
-                .build();
-        var enclaveId = validator.validate(aksPayload, PUBLIC_KEY);
-        assertEquals(CCE_POLICY_DIGEST, enclaveId);
-    }
-
-    @Test
-    public void testValidationFailure_AksWithOtherUvm() {
-        var validator = new PolicyValidator(ATTESTATION_URL);
-        var aksPayload = generateBasicPayload()
-                .toBuilder()
-                .complianceStatus("fake-compliance")
-                .azureProtocol(MaaTokenPayload.AZURE_CC_AKS_PROTOCOL)
-                .build();
-        Throwable t = assertThrows(AttestationException.class, ()-> validator.validate(aksPayload, PUBLIC_KEY));
-        assertEquals("Not run in Azure Compliance Utility VM", t.getMessage());
-        assertEquals(AttestationFailure.BAD_FORMAT, ((AttestationClientException)t).getAttestationFailure());
-    }
-
-    @Test
-    public void testValidationFailure_InvalidProtocol() {
-        var validator = new PolicyValidator(ATTESTATION_URL);
-        var aksPayload = generateBasicPayload()
-                .toBuilder()
-                .azureProtocol("fake-protocol")
-                .build();
-        Throwable t = assertThrows(AttestationException.class, ()-> validator.validate(aksPayload, PUBLIC_KEY));
-        assertEquals("Azure protocol: fake-protocol not supported", t.getMessage());
-        assertEquals(AttestationFailure.INVALID_PROTOCOL, ((AttestationClientException)t).getAttestationFailure());
-    }
 }