Added AttestationFailure to the AttesationClientException

Author: thomasm-ttd

src/main/java/com/uid2/shared/secure/AttestationClientException.java

@@ -2,11 +2,19 @@
 
 public class AttestationClientException extends AttestationException
 {
+    private final AttestationFailure attestationFailure;
+
     public AttestationClientException(Throwable cause) {
         super(cause, true);
+        this.attestationFailure = AttestationFailure.UNKNOWN;
     }
 
-    public AttestationClientException(String message) {
+    public AttestationClientException(String message, AttestationFailure attestationFailure) {
         super(message, true);
+        this.attestationFailure = attestationFailure;
+    }
+
+    public AttestationFailure getAttestationFailure() {
+        return this.attestationFailure;
     }
 }

src/main/java/com/uid2/shared/secure/azurecc/MaaTokenSignatureValidator.java

@@ -7,6 +7,7 @@
 import com.google.common.base.Strings;
 import com.uid2.shared.secure.AttestationClientException;
 import com.uid2.shared.secure.AttestationException;
+import com.uid2.shared.secure.AttestationFailure;
 
 import java.io.IOException;
 import java.util.Map;
@@ -66,7 +67,7 @@ public MaaTokenPayload validate(String tokenString) throws AttestationException
                 tokenVerifier.verify(tokenString);
             }
         } catch (TokenVerifier.VerificationException e) {
-            throw new AttestationClientException("Fail to validate the token signature, error: " + e.getMessage());
+            throw new AttestationClientException("Fail to validate the token signature, error: " + e.getMessage(), AttestationFailure.BAD_PAYLOAD);
         } catch (IOException e) {
             throw new AttestationException("Fail to parse token, error: " + e.getMessage());
         }

src/main/java/com/uid2/shared/secure/azurecc/PolicyValidator.java

@@ -3,6 +3,7 @@
 import com.google.common.base.Strings;
 import com.uid2.shared.secure.AttestationClientException;
 import com.uid2.shared.secure.AttestationException;
+import com.uid2.shared.secure.AttestationFailure;
 
 public class PolicyValidator implements IPolicyValidator{
     private static final String LOCATION_CHINA = "china";
@@ -17,39 +18,40 @@ public String validate(MaaTokenPayload maaTokenPayload, String publicKey) throws
 
     private void verifyPublicKey(MaaTokenPayload maaTokenPayload, String publicKey) throws AttestationException {
         if(Strings.isNullOrEmpty(publicKey)){
-            throw new AttestationClientException("public key to check is null or empty");
+            throw new AttestationClientException("public key to check is null or empty", AttestationFailure.BAD_FORMAT);
         }
         var runtimePublicKey = maaTokenPayload.getRuntimeData().getPublicKey();
         if(!publicKey.equals(runtimePublicKey)){
             throw new AttestationClientException(
                     String.format("Public key in payload is not match expected value. More info: runtime(%s), expected(%s)",
                             runtimePublicKey,
                             publicKey
-                    ));
+                    ),
+                    AttestationFailure.BAD_FORMAT);
         }
     }
 
     private void verifyVM(MaaTokenPayload maaTokenPayload) throws AttestationException {
         if(!maaTokenPayload.isSevSnpVM()){
-            throw new AttestationClientException("Not in SevSnp VM");
+            throw new AttestationClientException("Not in SevSnp VM", AttestationFailure.BAD_FORMAT);
         }
         if(!maaTokenPayload.isUtilityVMCompliant()){
-            throw new AttestationClientException("Not run in Azure Compliance Utility VM");
+            throw new AttestationClientException("Not run in Azure Compliance Utility VM", AttestationFailure.BAD_FORMAT);
         }
         if(maaTokenPayload.isVmDebuggable()){
-            throw new AttestationClientException("The underlying hardware should not run in debug mode");
+            throw new AttestationClientException("The underlying hardware should not run in debug mode", AttestationFailure.BAD_FORMAT);
         }
     }
 
     private void verifyLocation(MaaTokenPayload maaTokenPayload) throws AttestationException {
         var location = maaTokenPayload.getRuntimeData().getLocation();
         if(Strings.isNullOrEmpty(location)){
-            throw new AttestationClientException("Location is not specified.");
+            throw new AttestationClientException("Location is not specified.", AttestationFailure.BAD_PAYLOAD);
         }
         var lowerCaseLocation = location.toLowerCase();
         if(lowerCaseLocation.contains(LOCATION_CHINA) ||
            lowerCaseLocation.contains(LOCATION_EU)){
-            throw new AttestationClientException("Location is not supported. Value: " + location);
+            throw new AttestationClientException("Location is not supported. Value: " + location, AttestationFailure.BAD_PAYLOAD);
         }
     }
 }

src/main/java/com/uid2/shared/secure/gcpoidc/PolicyValidator.java

@@ -6,6 +6,7 @@
 import com.uid2.shared.Utils;
 import com.uid2.shared.secure.AttestationClientException;
 import com.uid2.shared.secure.AttestationException;
+import com.uid2.shared.secure.AttestationFailure;
 import com.uid2.shared.util.UrlEquivalenceValidator;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.collections4.MapUtils;
@@ -67,18 +68,18 @@ public String validate(TokenPayload payload) throws AttestationException {
 
     private static boolean checkConfidentialSpace(TokenPayload payload) throws AttestationException{
         if(!payload.isConfidentialSpaceSW()){
-            throw new AttestationClientException("Unexpected SW_NAME: " + payload.getSwName());
+            throw new AttestationClientException("Unexpected SW_NAME: " + payload.getSwName(), AttestationFailure.BAD_FORMAT);
         }
         var isDebugMode = payload.isDebugMode();
         if(!isDebugMode && !payload.isStableVersion()){
-            throw new AttestationClientException("Confidential space image version is not stable.");
+            throw new AttestationClientException("Confidential space image version is not stable.", AttestationFailure.BAD_FORMAT);
         }
         return isDebugMode;
     }
 
     private static String checkWorkload(TokenPayload payload) throws AttestationException{
         if(!payload.isRestartPolicyNever()){
-            throw new AttestationClientException("Restart policy is not set to Never. Value: " + payload.getRestartPolicy());
+            throw new AttestationClientException("Restart policy is not set to Never. Value: " + payload.getRestartPolicy(), AttestationFailure.BAD_FORMAT);
         }
         return payload.getWorkloadImageDigest();
     }
@@ -89,35 +90,35 @@ private static String checkWorkload(TokenPayload payload) throws AttestationExce
     private static String checkRegion(TokenPayload payload) throws AttestationException{
         var region = payload.getGceZone();
         if(Strings.isNullOrEmpty(region) || region.startsWith(EU_REGION_PREFIX)){
-            throw new AttestationClientException("Region is not supported. Value: " + region);
+            throw new AttestationClientException("Region is not supported. Value: " + region, AttestationFailure.BAD_FORMAT);
         }
         return region;
     }
 
     private static void checkCmdOverrides(TokenPayload payload) throws AttestationException{
         if(!CollectionUtils.isEmpty(payload.getCmdOverrides())){
-            throw new AttestationClientException("Payload should not have cmd overrides");
+            throw new AttestationClientException("Payload should not have cmd overrides", AttestationFailure.BAD_FORMAT);
         }
     }
 
     private Environment checkEnvOverrides(TokenPayload payload) throws AttestationException{
         var envOverrides = payload.getEnvOverrides();
         if(MapUtils.isEmpty(envOverrides)){
-            throw new AttestationClientException("env overrides should not be empty");
+            throw new AttestationClientException("env overrides should not be empty", AttestationFailure.BAD_FORMAT);
         }
         HashMap<String, String> envOverridesCopy = new HashMap(envOverrides);
 
         // check all required env overrides
         for(var envKey: REQUIRED_ENV_OVERRIDES){
             if(Strings.isNullOrEmpty(envOverridesCopy.get(envKey))){
-                throw new AttestationClientException("Required env override is missing. key: " + envKey);
+                throw new AttestationClientException("Required env override is missing. key: " + envKey, AttestationFailure.BAD_FORMAT);
             }
         }
 
         // env could be parsed
         var env = Environment.fromString(envOverridesCopy.get(ENV_ENVIRONMENT));
         if(env == null){
-            throw new AttestationClientException("Environment can not be parsed. " + envOverridesCopy.get(ENV_ENVIRONMENT));
+            throw new AttestationClientException("Environment can not be parsed. " + envOverridesCopy.get(ENV_ENVIRONMENT), AttestationFailure.BAD_FORMAT);
         }
 
         // make sure there's no unexpected overrides
@@ -134,7 +135,7 @@ private Environment checkEnvOverrides(TokenPayload payload) throws AttestationEx
         checkAttestationUrl(new HashMap<>(envOverrides));
 
         if(!envOverridesCopy.isEmpty()){
-            throw new AttestationClientException("More env overrides than allowed. " + envOverridesCopy);
+            throw new AttestationClientException("More env overrides than allowed. " + envOverridesCopy, AttestationFailure.BAD_FORMAT);
         }
 
         return env;
@@ -144,7 +145,7 @@ private void checkAttestationUrl(HashMap<String, String> optionalEnvOverrides) t
         if (!Strings.isNullOrEmpty(optionalEnvOverrides.get(ENV_CORE_ENDPOINT))) {
             String givenAttestationUrl = optionalEnvOverrides.get(ENV_CORE_ENDPOINT);
             if (!UrlEquivalenceValidator.areUrlsEquivalent(givenAttestationUrl, this.attestationUrl, LOGGER)) {
-                throw new AttestationClientException("The given attestation URL is unknown. Given URL: " + givenAttestationUrl);
+                throw new AttestationClientException("The given attestation URL is unknown. Given URL: " + givenAttestationUrl, AttestationFailure.UNKNOWN_ATTESTATION_URL);
             }
         }
     }

src/test/java/com/uid2/shared/secure/AzureCCCoreAttestationServiceTest.java

@@ -60,7 +60,7 @@ public void testHappyPath() throws AttestationException {
     @Test
     public void testSignatureCheckFailed_ClientError() throws AttestationException {
         var errorStr = "token signature validation failed";
-        when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationClientException(errorStr));
+        when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
         var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {
@@ -84,7 +84,7 @@ public void testSignatureCheckFailed_ServerError() throws AttestationException {
     @Test
     public void testPolicyCheckFailed_ClientError() throws AttestationException {
         var errorStr = "policy validation failed";
-        when(alwaysFailPolicyValidator.validate(any(), any())).thenThrow(new AttestationClientException(errorStr));
+        when(alwaysFailPolicyValidator.validate(any(), any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
         var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysFailPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {

src/test/java/com/uid2/shared/secure/GcpOidcCoreAttestationServiceTest.java

@@ -67,7 +67,7 @@ public void testHappyPath() throws AttestationException {
     @Test
     public void testSignatureCheckFailed_ClientError() throws AttestationException {
         var errorStr = "signature validation failed";
-        when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationClientException(errorStr));
+        when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
         var provider = new GcpOidcCoreAttestationService(alwaysFailTokenValidator, Arrays.asList(alwaysPassPolicyValidator1));
         provider.registerEnclave(ENCLAVE_ID_1);
         attest(provider, ar -> {
@@ -91,7 +91,7 @@ public void testSignatureCheckFailed_ServerError() throws AttestationException {
     @Test
     public void testPolicyCheckFailed_ClientError() throws AttestationException {
         var errorStr = "policy validation failed";
-        when(alwaysFailPolicyValidator.validate(any())).thenThrow(new AttestationClientException(errorStr));
+        when(alwaysFailPolicyValidator.validate(any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
         var provider = new GcpOidcCoreAttestationService(alwaysPassTokenValidator, Arrays.asList(alwaysFailPolicyValidator));
         provider.registerEnclave(ENCLAVE_ID_1);
         attest(provider, ar -> {

src/test/java/com/uid2/shared/secure/gcpoidc/PolicyValidatorTest.java

@@ -1,7 +1,11 @@
 package com.uid2.shared.secure.gcpoidc;
 
+import com.uid2.shared.secure.AttestationClientException;
 import com.uid2.shared.secure.AttestationException;
+import com.uid2.shared.secure.AttestationFailure;
 import org.junit.jupiter.api.Test;
+import static org.junit.Assert.assertThat;
+import static org.hamcrest.CoreMatchers.instanceOf;
 
 import java.util.HashMap;
 import java.util.List;
@@ -28,7 +32,9 @@ public void testValidationFailure_MissRequiredEnvProd() {
         var newPayload = payload.toBuilder()
                 .envOverrides(envOverrides)
                 .build();
-        assertThrows(AttestationException.class, ()-> validator.validate(newPayload));
+        var e = assertThrows(AttestationException.class, ()-> validator.validate(newPayload));
+        assertThat(e, instanceOf(AttestationClientException.class));
+        assertEquals(AttestationFailure.BAD_FORMAT, ((AttestationClientException)e).getAttestationFailure());
     }
 
     @Test
@@ -40,7 +46,8 @@ public void testValidationFailure_UnknownEnv() {
         var newPayload = payload.toBuilder()
                 .envOverrides(envOverrides)
                 .build();
-        assertThrows(AttestationException.class, ()-> validator.validate(newPayload));
+        var e = assertThrows(AttestationException.class, ()-> validator.validate(newPayload));
+        assertEquals(AttestationFailure.BAD_FORMAT, ((AttestationClientException)e).getAttestationFailure());
     }
 
     @Test
@@ -66,7 +73,8 @@ public void testValidationFailure_ExtraEnvOverride(){
         var newPayload = payload.toBuilder()
                 .envOverrides(envOverrides)
                 .build();
-        assertThrows(AttestationException.class, ()-> validator.validate(newPayload));
+        var e = assertThrows(AttestationException.class, ()-> validator.validate(newPayload));
+        assertEquals(AttestationFailure.BAD_FORMAT, ((AttestationClientException)e).getAttestationFailure());
     }
 
     @Test
@@ -75,7 +83,8 @@ public void testValidationFailure_NotConfidentialSpace(){
         var payload = generateBasicPayload().toBuilder()
                 .swName("dummy")
                 .build();
-        assertThrows(AttestationException.class, ()-> validator.validate(payload));
+        var e = assertThrows(AttestationException.class, ()-> validator.validate(payload));
+        assertEquals(AttestationFailure.BAD_FORMAT, ((AttestationClientException)e).getAttestationFailure());
     }
 
     @Test
@@ -84,7 +93,8 @@ public void testValidationFailure_EURegion(){
         var payload = generateBasicPayload().toBuilder()
                 .gceZone("europe-north1-a")
                 .build();
-        assertThrows(AttestationException.class, ()-> validator.validate(payload));
+        var e = assertThrows(AttestationException.class, ()-> validator.validate(payload));
+        assertEquals(AttestationFailure.BAD_FORMAT, ((AttestationClientException)e).getAttestationFailure());
     }
 
     @Test
@@ -93,7 +103,8 @@ public void testValidationFailure_NotStableConfidentialSpace(){
         var payload = generateBasicPayload().toBuilder()
                 .csSupportedAttributes(null)
                 .build();
-        assertThrows(AttestationException.class, ()-> validator.validate(payload));
+        var e = assertThrows(AttestationException.class, ()-> validator.validate(payload));
+        assertEquals(AttestationFailure.BAD_FORMAT, ((AttestationClientException)e).getAttestationFailure());
     }
 
     @Test
@@ -102,7 +113,8 @@ public void testValidationFailure_NoRestartPolicy(){
         var payload = generateBasicPayload().toBuilder()
                 .restartPolicy("")
                 .build();
-        assertThrows(AttestationException.class, ()-> validator.validate(payload));
+        var e = assertThrows(AttestationException.class, ()-> validator.validate(payload));
+        assertEquals(AttestationFailure.BAD_FORMAT, ((AttestationClientException)e).getAttestationFailure());
     }
 
     @Test
@@ -155,6 +167,8 @@ public void testValidationFailure_DifferentAttestationUrl() {
         var payload = generateBasicPayload();
         Throwable t = assertThrows(AttestationException.class, ()-> validator.validate(payload));
         assertEquals("The given attestation URL is unknown. Given URL: " + attestationUrl, t.getMessage());
+        assertEquals(AttestationFailure.UNKNOWN_ATTESTATION_URL, ((AttestationClientException)t).getAttestationFailure());
+
     }
 
     @Test