Fix UT

Author: cYKatherine

src/main/java/com/uid2/shared/secure/azurecc/MaaTokenPayload.java

@@ -7,8 +7,14 @@
 @Builder(toBuilder = true)
 public class MaaTokenPayload {
     public static final String SEV_SNP_VM_TYPE = "sevsnpvm";
+    public static final String AZURE_CC_PROTOCOL = "azure-cc";
+    public static final String AZURE_CC_AKS_PROTOCOL = "azure-cc-aks";
+    // the `x-ms-compliance-status` value for ACI CC
+    public static final String AZURE_COMPLIANT_UVM = "azure-compliant-uvm";
+    // the `x-ms-compliance-status` value for AKS CC
+    public static final String AZURE_COMPLIANT_UVM_AKS = "azure-signed-katacc-uvm";
 
-    private String azure_compliant_uvm;
+    private String azureProtocol;
     private String attestationType;
     private String complianceStatus;
     private boolean vmDebuggable;
@@ -21,6 +27,11 @@ public boolean isSevSnpVM(){
     }
 
     public boolean isUtilityVMCompliant(){
-        return azure_compliant_uvm.equalsIgnoreCase(complianceStatus);
+        if (azureProtocol == AZURE_CC_PROTOCOL) {
+            return AZURE_COMPLIANT_UVM.equalsIgnoreCase(complianceStatus);
+        } else if (azureProtocol == AZURE_CC_AKS_PROTOCOL) {
+            return AZURE_COMPLIANT_UVM_AKS.equalsIgnoreCase(complianceStatus);
+        }
+        return false;
     }
 }

src/main/java/com/uid2/shared/secure/azurecc/MaaTokenSignatureValidator.java

@@ -15,12 +15,6 @@
 import static com.uid2.shared.secure.JwtUtils.tryGetField;
 
 public class MaaTokenSignatureValidator implements IMaaTokenSignatureValidator {
-    // the `x-ms-compliance-status` value for ACI CC
-    public static final String AZURE_COMPLIANT_UVM = "azure-compliant-uvm";
-
-    // the `x-ms-compliance-status` value for AKS CC
-    public static final String AZURE_COMPLIANT_UVM_AKS = "azure-signed-katacc-uvm";
-
     // set to true to facilitate local test.
     public static final boolean BYPASS_SIGNATURE_CHECK = false;
 
@@ -82,12 +76,7 @@ public MaaTokenPayload validate(String tokenString, String protocol) throws Atte
 
         var tokenPayloadBuilder = MaaTokenPayload.builder();
 
-        if (protocol == "azure-cc") {
-            tokenPayloadBuilder.azure_compliant_uvm(AZURE_COMPLIANT_UVM);
-        } else if(protocol == "azure-cc-aks") {
-            tokenPayloadBuilder.azure_compliant_uvm(AZURE_COMPLIANT_UVM_AKS);
-        }
-
+        tokenPayloadBuilder.azureProtocol(protocol);
         tokenPayloadBuilder.attestationType(tryGetField(rawPayload, "x-ms-attestation-type", String.class));
         tokenPayloadBuilder.complianceStatus(tryGetField(rawPayload, "x-ms-compliance-status", String.class));
         tokenPayloadBuilder.vmDebuggable(tryGetField(rawPayload, "x-ms-sevsnpvm-is-debuggable", Boolean.class));

src/test/java/com/uid2/shared/secure/AzureCCAksCoreAttestationServiceTest.java

@@ -0,0 +1,136 @@
+package com.uid2.shared.secure;
+
+import com.uid2.shared.secure.azurecc.IMaaTokenSignatureValidator;
+import com.uid2.shared.secure.azurecc.IPolicyValidator;
+import com.uid2.shared.secure.azurecc.MaaTokenPayload;
+import com.uid2.shared.secure.azurecc.RuntimeData;
+import io.vertx.core.AsyncResult;
+import io.vertx.core.Handler;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.mockito.junit.jupiter.MockitoSettings;
+import org.mockito.quality.Strictness;
+
+import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+import java.util.Base64;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+@MockitoSettings(strictness = Strictness.LENIENT)
+class AzureCCAksCoreAttestationServiceTest {
+    private static byte[] encodeStringUnicodeAttestationEndpoint(String data) {
+        // buffer.array() may include extra empty bytes at the end. This returns only the bytes that have data
+        ByteBuffer buffer = StandardCharsets.UTF_8.encode(data);
+        return Arrays.copyOf(buffer.array(), buffer.limit());
+    }
+    private static final String ATTESTATION_REQUEST = "test-attestation-request";
+
+    private static final String PUBLIC_KEY = "test-public-key";
+
+    private static final String ENCLAVE_ID = "test-enclave";
+    private static final String ATTESTATION_URL = "https://example.com";
+    private static final String ENCODED_ATTESTATION_URL = Base64.getEncoder().encodeToString(encodeStringUnicodeAttestationEndpoint(ATTESTATION_URL));
+    private static final RuntimeData RUNTIME_DATA = RuntimeData.builder().attestationUrl(ENCODED_ATTESTATION_URL).build();
+
+    private static final MaaTokenPayload VALID_TOKEN_PAYLOAD = MaaTokenPayload.builder().runtimeData(RUNTIME_DATA).build();
+    @Mock
+    private IMaaTokenSignatureValidator alwaysPassTokenValidator;
+
+    @Mock
+    private IMaaTokenSignatureValidator alwaysFailTokenValidator;
+
+    @Mock
+    private IPolicyValidator alwaysPassPolicyValidator;
+
+    @Mock
+    private IPolicyValidator alwaysFailPolicyValidator;
+
+    @BeforeEach
+    public void setup() throws AttestationException {
+        when(alwaysPassTokenValidator.validate(any(), any())).thenReturn(VALID_TOKEN_PAYLOAD);
+        when(alwaysPassPolicyValidator.validate(any(), any())).thenReturn(ENCLAVE_ID);
+    }
+
+    @Test
+    public void testHappyPath() throws AttestationException {
+        var provider = new AzureCCAksCoreAttestationService(alwaysPassTokenValidator, alwaysPassPolicyValidator);
+        provider.registerEnclave(ENCLAVE_ID);
+        attest(provider, ar -> {
+            assertTrue(ar.succeeded());
+            assertTrue(ar.result().isSuccess());
+        });
+    }
+
+    @Test
+    public void testSignatureCheckFailed_ClientError() throws AttestationException {
+        var errorStr = "token signature validation failed";
+        when(alwaysFailTokenValidator.validate(any(), any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
+        var provider = new AzureCCAksCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator);
+        provider.registerEnclave(ENCLAVE_ID);
+        attest(provider, ar -> {
+            assertTrue(ar.succeeded());
+            assertFalse(ar.result().isSuccess());
+            assertEquals(errorStr, ar.result().getReason());
+        });
+    }
+
+    @Test
+    public void testSignatureCheckFailed_ServerError() throws AttestationException {
+        when(alwaysFailTokenValidator.validate(any(), any())).thenThrow(new AttestationException("unknown server error"));
+        var provider = new AzureCCAksCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator);
+        provider.registerEnclave(ENCLAVE_ID);
+        attest(provider, ar -> {
+            assertFalse(ar.succeeded());
+            assertTrue(ar.cause() instanceof AttestationException);
+        });
+    }
+
+    @Test
+    public void testPolicyCheckSuccess_ClientError() throws AttestationException {
+        var errorStr = "policy validation failed";
+        when(alwaysFailPolicyValidator.validate(any(), any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
+        var provider = new AzureCCAksCoreAttestationService(alwaysFailTokenValidator, alwaysFailPolicyValidator);
+        provider.registerEnclave(ENCLAVE_ID);
+        attest(provider, ar -> {
+            assertTrue(ar.succeeded());
+            assertFalse(ar.result().isSuccess());
+            assertEquals(errorStr, ar.result().getReason());
+        });
+    }
+
+    @Test
+    public void testPolicyCheckFailed_ServerError() throws AttestationException {
+        when(alwaysFailPolicyValidator.validate(any(), any())).thenThrow(new AttestationException("unknown server error"));
+        var provider = new AzureCCAksCoreAttestationService(alwaysFailTokenValidator, alwaysFailPolicyValidator);
+        provider.registerEnclave(ENCLAVE_ID);
+        attest(provider, ar -> {
+            assertFalse(ar.succeeded());
+            assertTrue(ar.cause() instanceof AttestationException);
+        });
+    }
+
+    @Test
+    public void testEnclaveNotRegistered() throws AttestationException {
+        var provider = new AzureCCAksCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator);
+        attest(provider, ar -> {
+            assertTrue(ar.succeeded());
+            assertFalse(ar.result().isSuccess());
+            assertEquals(AttestationFailure.FORBIDDEN_ENCLAVE, ar.result().getFailure());
+        });
+    }
+
+    private static void attest(ICoreAttestationService provider, Handler<AsyncResult<AttestationResult>> handler) {
+        provider.attest(
+                ATTESTATION_REQUEST.getBytes(StandardCharsets.UTF_8),
+                PUBLIC_KEY.getBytes(StandardCharsets.UTF_8),
+                handler);
+    }
+}

src/test/java/com/uid2/shared/secure/AzureCCCoreAttestationServiceTest.java

@@ -55,7 +55,7 @@ private static byte[] encodeStringUnicodeAttestationEndpoint(String data) {
 
     @BeforeEach
     public void setup() throws AttestationException {
-        when(alwaysPassTokenValidator.validate(any())).thenReturn(VALID_TOKEN_PAYLOAD);
+        when(alwaysPassTokenValidator.validate(any(), any())).thenReturn(VALID_TOKEN_PAYLOAD);
         when(alwaysPassPolicyValidator.validate(any(), any())).thenReturn(ENCLAVE_ID);
     }
 
@@ -72,7 +72,7 @@ public void testHappyPath() throws AttestationException {
     @Test
     public void testSignatureCheckFailed_ClientError() throws AttestationException {
         var errorStr = "token signature validation failed";
-        when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
+        when(alwaysFailTokenValidator.validate(any(), any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
         var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {
@@ -84,7 +84,7 @@ public void testSignatureCheckFailed_ClientError() throws AttestationException {
 
     @Test
     public void testSignatureCheckFailed_ServerError() throws AttestationException {
-        when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationException("unknown server error"));
+        when(alwaysFailTokenValidator.validate(any(), any())).thenThrow(new AttestationException("unknown server error"));
         var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {

src/test/java/com/uid2/shared/secure/azurecc/MaaTokenSignatureValidatorTest.java

@@ -22,7 +22,28 @@ public void testPayload() throws Exception {
         var expectedLocation = "East US";
         var expectedPublicKey = "abc";
 
-        var tokenPayload = validateAndParseToken(payload, clock);
+        var tokenPayload = validateAndParseToken(payload, clock, "azure-cc");
+        assertEquals(true, tokenPayload.isSevSnpVM());
+        assertEquals(true, tokenPayload.isUtilityVMCompliant());
+        assertEquals(false, tokenPayload.isVmDebuggable());
+        assertEquals(expectedCcePolicy, tokenPayload.getCcePolicyDigest());
+        assertEquals(expectedLocation, tokenPayload.getRuntimeData().getLocation());
+        assertEquals(expectedPublicKey, tokenPayload.getRuntimeData().getPublicKey());
+    }
+
+    @Test
+    public void testAksPayload() throws Exception {
+        // expire at 1695313895
+        var payloadPath = "/com.uid2.shared/test/secure/azurecc/jwt_payload_aks.json";
+        var payload = loadFromJson(payloadPath);
+        var clock = new TestClock();
+        clock.setCurrentTimeMs(1695313893000L);
+
+        var expectedCcePolicy = "fef932e0103f6132437e8a1223f32efc4bea63342f893b5124645224ef29ba73";
+        var expectedLocation = "East US";
+        var expectedPublicKey = "abc";
+
+        var tokenPayload = validateAndParseToken(payload, clock, "azure-cc-aks");
         assertEquals(true, tokenPayload.isSevSnpVM());
         assertEquals(true, tokenPayload.isUtilityVMCompliant());
         assertEquals(false, tokenPayload.isVmDebuggable());
@@ -37,6 +58,6 @@ public void testE2E() throws AttestationException {
         var maaToken = "<Placeholder>";
         var maaServerUrl = "https://sharedeus.eus.attest.azure.net";
         var validator = new MaaTokenSignatureValidator(maaServerUrl);
-        var token = validator.validate(maaToken);
+        var token = validator.validate(maaToken, "azure-cc");
     }
 }

src/test/java/com/uid2/shared/secure/azurecc/MaaTokenUtils.java

@@ -14,7 +14,7 @@
 public class MaaTokenUtils {
     public static final String MAA_BASE_URL = "https://sharedeus.eus.attest.azure.net";
 
-    public static MaaTokenPayload validateAndParseToken(JsonObject payload, Clock clock) throws Exception{
+    public static MaaTokenPayload validateAndParseToken(JsonObject payload, Clock clock, String protocol) throws Exception{
         var gen = KeyPairGenerator.getInstance(Const.Name.AsymetricEncryptionKeyClass);
         gen.initialize(2048, new SecureRandom());
         var keyPair = gen.generateKeyPair();
@@ -30,7 +30,7 @@ public static MaaTokenPayload validateAndParseToken(JsonObject payload, Clock cl
         var tokenVerifier = new MaaTokenSignatureValidator(MAA_BASE_URL, keyProvider, clock);
 
         // validate token
-        return tokenVerifier.validate(token);
+        return tokenVerifier.validate(token, protocol);
     }
 
     private static class MockKeyProvider implements IPublicKeyProvider {

src/test/java/com/uid2/shared/secure/azurecc/PolicyValidatorTest.java

@@ -97,6 +97,7 @@ private MaaTokenPayload generateBasicPayload() {
                 .vmDebuggable(false)
                 .runtimeData(generateBasicRuntimeData())
                 .ccePolicyDigest(CCE_POLICY_DIGEST)
+                .azureProtocol("azure-cc")
                 .build();
     }
 

src/test/resources/com.uid2.shared/test/secure/azurecc/jwt_payload_aks.json

@@ -0,0 +1,41 @@
+{
+  "exp": 1695313895,
+  "iat": 1695285095,
+  "iss": "https://sharedeus.eus.attest.azure.net",
+  "jti": "3b16f2ab4492417aae4cc9a5e6506ca2519659c0d8fdc2bf442fe01aa9b8e46c",
+  "nbf": 1695285095,
+  "nonce": "7394904505194784658",
+  "x-ms-attestation-type": "sevsnpvm",
+  "x-ms-compliance-status": "azure-signed-katacc-uvm",
+  "x-ms-policy-hash": "9NY0VnTQ-IiBriBplVUpFbczcDaEBUwsiFYAzHu_gco",
+  "x-ms-runtime": {
+    "location": "East US",
+    "publicKey": "abc"
+  },
+  "x-ms-sevsnpvm-authorkeydigest": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+  "x-ms-sevsnpvm-bootloader-svn": 3,
+  "x-ms-sevsnpvm-familyId": "01000000000000000000000000000000",
+  "x-ms-sevsnpvm-guestsvn": 2,
+  "x-ms-sevsnpvm-hostdata": "fef932e0103f6132437e8a1223f32efc4bea63342f893b5124645224ef29ba73",
+  "x-ms-sevsnpvm-idkeydigest": "ebeeeabce075eeaba3d9ea24d8495137a2877c0d20ac6ea73fc6d2f8aeb50de132150e0a0752664919bcebbf2e8c5807",
+  "x-ms-sevsnpvm-imageId": "02000000000000000000000000000000",
+  "x-ms-sevsnpvm-is-debuggable": false,
+  "x-ms-sevsnpvm-launchmeasurement": "03fea02823189b25d0623a5c81f97c8ba4d2fbc48c914a55ce525f90454ddcec303743dac2fc013f0846912d1412f6df",
+  "x-ms-sevsnpvm-microcode-svn": 115,
+  "x-ms-sevsnpvm-migration-allowed": false,
+  "x-ms-sevsnpvm-reportdata": "4e7d4a413745ddea79f05d20d9ac7add3659ac783ef24684127bbbb3e50fc63c0000000000000000000000000000000000000000000000000000000000000000",
+  "x-ms-sevsnpvm-reportid": "d137a83c2d42d81dd42d39ad95ef9023de63216ddaaf2c368a8c41a636ddb2a9",
+  "x-ms-sevsnpvm-smt-allowed": true,
+  "x-ms-sevsnpvm-snpfw-svn": 8,
+  "x-ms-sevsnpvm-tee-svn": 0,
+  "x-ms-sevsnpvm-uvm-endorsement": {
+    "x-ms-sevsnpvm-guestsvn": "100",
+    "x-ms-sevsnpvm-launchmeasurement": "03fea02823189b25d0623a5c81f97c8ba4d2fbc48c914a55ce525f90454ddcec303743dac2fc013f0846912d1412f6df"
+  },
+  "x-ms-sevsnpvm-uvm-endorsement-headers": {
+    "feed": "ContainerPlat-AMD-UVM",
+    "iss": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.2"
+  },
+  "x-ms-sevsnpvm-vmpl": 0,
+  "x-ms-ver": "1.0"
+}