diff --git a/pom.xml b/pom.xml index 32852007..161ffea2 100644 --- a/pom.xml +++ b/pom.xml @@ -169,35 +169,20 @@ sts - com.google.api-client - google-api-client - 2.6.0 + com.google.http-client + google-http-client + 1.45.0 - com.google.apis - google-api-services-compute - v1-rev20221205-2.0.0 + com.google.http-client + google-http-client-gson + 1.45.0 com.google.auth google-auth-library-oauth2-http 1.30.0 - - com.google.auth - google-auth-library-credentials - 1.30.0 - - - com.google.cloud - google-cloud-logging - 3.15.12 - - - com.google.protobuf - protobuf-java - 3.25.5 - com.azure azure-security-attestation diff --git a/src/main/java/com/uid2/shared/Const.java b/src/main/java/com/uid2/shared/Const.java index e9d6bd48..0eb55c3e 100644 --- a/src/main/java/com/uid2/shared/Const.java +++ b/src/main/java/com/uid2/shared/Const.java @@ -32,10 +32,6 @@ public static class Config { public static final String UidInstanceIdPrefixProp = "uid_instance_id_prefix"; - // GCP - public static final String GoogleCredentialsProp = "google_credentials"; - public static final String GcpEnclaveParamsProp = "gcp_enclave_params"; - // Azure public static final String MaaServerBaseUrlProp = "maa_server_base_url"; diff --git a/src/main/java/com/uid2/shared/attest/AttestationFactory.java b/src/main/java/com/uid2/shared/attest/AttestationFactory.java index 4fc47b0b..94129d84 100644 --- a/src/main/java/com/uid2/shared/attest/AttestationFactory.java +++ b/src/main/java/com/uid2/shared/attest/AttestationFactory.java 
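Review bot: The explicit `protobuf-java` 3.25.5 pin is dropped together with `google-cloud-logging`, but nothing in the hunk shows whether protobuf-java still arrives transitively through the artifacts that remain (`google-auth-library-oauth2-http` 1.30.0 and the new `google-http-client` / `google-http-client-gson` 1.45.0). If it does, its resolved version is now whatever those artifacts declare rather than the pinned one, so the dependency tree should be checked after this change and, if protobuf-java is still present, the pin kept or moved under `dependencyManagement`. The same question applies to `google-auth-library-credentials` 1.30.0, which is removed as a direct dependency while `google-auth-library-oauth2-http` stays and would presumably pull it in at its own declared version. This is inferred from the visible artifact list only; the pom's `dependencyManagement` section, if any, is outside the hunk.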
@@ -12,12 +12,6 @@ public static IAttestationProvider getNitroAttestation() throws Exception { return (IAttestationProvider) c.newInstance(); } - public static IAttestationProvider getGcpVmidAttestation() throws Exception { - Class cls = Class.forName("com.uid2.attestation.gcp.VmidAttestationProvider"); - Constructor c = cls.getConstructor(); - return (IAttestationProvider) c.newInstance(); - } - public static IAttestationProvider getGcpOidcAttestation() throws Exception { Class cls = Class.forName("com.uid2.attestation.gcp.OidcAttestationProvider"); Constructor c = cls.getConstructor(); diff --git a/src/main/java/com/uid2/shared/cloud/CloudUtils.java b/src/main/java/com/uid2/shared/cloud/CloudUtils.java index 667b5081..81d890d4 100644 --- a/src/main/java/com/uid2/shared/cloud/CloudUtils.java +++ b/src/main/java/com/uid2/shared/cloud/CloudUtils.java @@ -1,17 +1,12 @@ package com.uid2.shared.cloud; -import com.google.api.services.compute.ComputeScopes; -import com.google.auth.oauth2.GoogleCredentials; import com.uid2.shared.Const; -import com.uid2.shared.Utils; import io.vertx.core.json.JsonObject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import java.io.ByteArrayInputStream; import java.net.*; import java.nio.file.Path; -import java.util.Collections; public class CloudUtils { private static final Logger LOGGER = LoggerFactory.getLogger(CloudUtils.class); 
@@ -49,42 +44,6 @@ public static TaggableCloudStorage createStorage(String cloudBucket) { ); } - public static GoogleCredentials getGoogleCredentialsFromConfig(JsonObject jsonConfig) { - GoogleCredentials credentials = getGoogleCredentialsFromConfigInternal(jsonConfig); - if (credentials != null && credentials.createScopedRequired()) { - // only needs compute readonly scope - LOGGER.info("Requesting scope: " + ComputeScopes.COMPUTE_READONLY); - credentials.createScoped(Collections.singletonList(ComputeScopes.COMPUTE_READONLY)); - } - return credentials; - } - - private static GoogleCredentials getGoogleCredentialsFromConfigInternal(JsonObject jsonConfig) { - if (System.getenv("GOOGLE_APPLICATION_CREDENTIALS") != null) { - try { - GoogleCredentials ret = GoogleCredentials.getApplicationDefault(); - LOGGER.info("Using GOOGLE_APPLICATION_CREDENTIALS from environment"); - return ret; - - } catch (Exception ex) { - LOGGER.error("Unable to read google credentials " + ex.getMessage(), ex); - return null; - } - } - - try { - String encodedCreds = jsonConfig.getString(Const.Config.GoogleCredentialsProp); - if (encodedCreds == null) return null; - byte[] credentials = Utils.decodeBase64String(encodedCreds); - if (credentials == null) return null; - GoogleCredentials ret = GoogleCredentials.fromStream(new ByteArrayInputStream(credentials)); - LOGGER.info("Using google_credentials provided through vertx-config (env or config)"); - return ret; - } catch (Exception ex) { - LOGGER.error("Unable to read google credentials " + ex.getMessage(), ex); - return null; - } - } public static String normalizeFilePath(Path path) { return normalizFilePath(path.toString()); diff --git a/src/main/java/com/uid2/shared/secure/GcpVmidCoreAttestationService.java b/src/main/java/com/uid2/shared/secure/GcpVmidCoreAttestationService.java deleted file mode 100644 index bba7cc7c..00000000 --- a/src/main/java/com/uid2/shared/secure/GcpVmidCoreAttestationService.java +++ /dev/null 
@@ -1,125 +0,0 @@ -package com.uid2.shared.secure; - -import com.google.auth.oauth2.GoogleCredentials; -import com.uid2.shared.Utils; -import com.uid2.shared.secure.gcp.VmConfigId; -import com.uid2.shared.secure.gcp.VmConfigVerifier; -import com.uid2.shared.secure.gcp.InstanceDocument; -import com.uid2.shared.secure.gcp.InstanceDocumentVerifier; -import io.grpc.LoadBalancerRegistry; -import io.grpc.internal.PickFirstLoadBalancerProvider; -import io.vertx.core.AsyncResult; -import io.vertx.core.Future; -import io.vertx.core.Handler; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import java.nio.charset.StandardCharsets; -import java.util.*; - -public class GcpVmidCoreAttestationService implements ICoreAttestationService { - private static final Logger LOGGER = LoggerFactory.getLogger(GcpVmidCoreAttestationService.class); - - private final InstanceDocumentVerifier idVerifier = new InstanceDocumentVerifier(); - private final VmConfigVerifier vmConfigVerifier; - private final Set allowedVmConfigIds = new HashSet<>(); - - public GcpVmidCoreAttestationService(GoogleCredentials credentials, Set enclaveParams) throws Exception { - LoadBalancerRegistry.getDefaultRegistry().register(new PickFirstLoadBalancerProvider()); - this.vmConfigVerifier = new VmConfigVerifier(credentials, enclaveParams); - LOGGER.info("Using Google Service Account: " + credentials.toString()); - } - - @Override - public void attest(byte[] attestationRequest, byte[] publicKey, Handler> handler) { - // check instance document - final InstanceDocument vmid; - try { - String request = new String(attestationRequest, StandardCharsets.US_ASCII); - vmid = idVerifier.verify(request); - } - catch (Exception ex) { - handler.handle(Future.failedFuture(new AttestationException(ex))); - return; - } - - LOGGER.debug("Validating Instance Confidentiality..."); - if (!vmid.getInstanceConfidentiality()) { - // return attestation failure for non-confidential-vm - handler.handle(Future.failedFuture(new 
AttestationException("not on confidential vm"))); - return; - } - - LOGGER.debug("Validating client public key..."); - // check client public key matches audience in instance document - try { - byte[] signedPubKey = Utils.decodeBase64String(vmid.getAudience()); - if (!Arrays.equals(signedPubKey, publicKey)) { - handler.handle(Future.failedFuture(new AttestationException("Invalid or mismatched client public key"))); - return; - } - } - catch (Exception ex) { - handler.handle(Future.failedFuture(new AttestationException(ex))); - return; - } - - // extract vmConfigId using information from instance document - LOGGER.debug("Validating VmConfig..."); - final VmConfigId vmConfigId; - try { - vmConfigId = vmConfigVerifier.getVmConfigId(vmid); - } - catch (Exception ex) { - handler.handle(Future.failedFuture(new AttestationException(ex))); - return; - } - - // check if vmConfigId is approved/allowed - if (!vmConfigId.isValid()) { - final String errorMessage = vmConfigId.getProjectId() == null ? 
- vmConfigId.getFailedReason() : - vmConfigId.getProjectId() + " @ " + vmConfigId.getFailedReason(); - handler.handle(Future.failedFuture(new AttestationException(errorMessage))); - return; - } - - LOGGER.debug("VmConfigId = " + vmConfigId + ", validating against " + allowedVmConfigIds.size() + " registered enclaves"); - if (VmConfigVerifier.VALIDATE_VMCONFIG && !allowedVmConfigIds.contains(vmConfigId.getValue())) { - handler.handle(Future.failedFuture(new AttestationException("unauthorized vmConfigId"))); - return; - } else if (!VmConfigVerifier.VALIDATE_VMCONFIG) { - LOGGER.error("Skip VmConfig validation (VALIDATE_VMCONFIG off)..."); - } - - LOGGER.debug("Successfully attested VmConfigId against registered enclaves"); - - // return successful attestation with public key if all above checks pass - AttestationResult result = new AttestationResult(publicKey, vmConfigId.getValue()); - handler.handle(Future.succeededFuture(result)); - } - - @Override - public void registerEnclave(String vmConfigId) throws AttestationException { - try { - allowedVmConfigIds.add(vmConfigId); - } catch (Exception e) { - LOGGER.error("registerEnclave", e); - throw new AttestationException(e); - } - } - - @Override - public void unregisterEnclave(String vmConfigId) throws AttestationException { - try { - allowedVmConfigIds.remove(vmConfigId); - } catch (Exception e) { - throw new AttestationException(e); - } - } - - @Override - public Collection getEnclaveAllowlist() { - return allowedVmConfigIds; - } -} diff --git a/src/main/java/com/uid2/shared/secure/gcp/InstanceDocument.java b/src/main/java/com/uid2/shared/secure/gcp/InstanceDocument.java deleted file mode 100644 index 4de87560..00000000 --- a/src/main/java/com/uid2/shared/secure/gcp/InstanceDocument.java +++ /dev/null 
@@ -1,82 +0,0 @@ -package com.uid2.shared.secure.gcp; - -import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken; -import com.google.api.client.util.ArrayMap; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import java.math.BigDecimal; -import java.time.Instant; - -public class InstanceDocument { - private static final Logger LOGGER = LoggerFactory.getLogger(InstanceDocument.class); - - private String audience; - private Instant issuedAt; - private Instant expiredAt; - private String subject; - private boolean instanceConfidentiality; - private Instant instanceCreatedAt; - private String instanceId; - private String projectId; - private String zone; - - public InstanceDocument(GoogleIdToken vmInstanceDocument) { - GoogleIdToken.Payload payload = vmInstanceDocument.getPayload(); - this.audience = (String)payload.getAudience(); - this.issuedAt = Instant.ofEpochSecond(payload.getIssuedAtTimeSeconds()); - this.expiredAt = Instant.ofEpochSecond(payload.getExpirationTimeSeconds()); - this.subject = payload.getSubject(); - ArrayMap googleMap = (ArrayMap)payload.get("google"); - ArrayMap computeEngineMap = (ArrayMap)googleMap.get("compute_engine"); - if (computeEngineMap.containsKey("instance_confidentiality")) { - BigDecimal isConfidential = (BigDecimal) computeEngineMap.get("instance_confidentiality"); - this.instanceConfidentiality = isConfidential.equals(BigDecimal.ONE); - } else { - this.instanceConfidentiality = false; - } - long createdAt = ((BigDecimal)computeEngineMap.get("instance_creation_timestamp")).longValue(); - this.instanceCreatedAt = Instant.ofEpochSecond(createdAt); - this.instanceId = (String)computeEngineMap.get("instance_id"); - this.projectId = (String)computeEngineMap.get("project_id"); - this.zone = (String)computeEngineMap.get("zone"); - - LOGGER.debug("Received instance document { " + projectId + ", " + zone + ", " + instanceId + " }"); - } - - public String getAudience() { - return audience; - } - - public Instant 
getIssuedAt() { - return issuedAt; - } - - public Instant getExpiredAt() { - return expiredAt; - } - - public String getSubject() { - return subject; - } - - public boolean getInstanceConfidentiality() { - return instanceConfidentiality; - } - - public Instant getInstanceCreatedAt() { - return instanceCreatedAt; - } - - public String getInstanceId() { - return instanceId; - } - - public String getProjectId() { - return projectId; - } - - public String getZone() { - return zone; - } -} diff --git a/src/main/java/com/uid2/shared/secure/gcp/InstanceDocumentVerifier.java b/src/main/java/com/uid2/shared/secure/gcp/InstanceDocumentVerifier.java deleted file mode 100644 index 2c583c03..00000000 --- a/src/main/java/com/uid2/shared/secure/gcp/InstanceDocumentVerifier.java +++ /dev/null 
@@ -1,32 +0,0 @@ -package com.uid2.shared.secure.gcp; - -import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken; -import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier; -import com.google.api.client.http.javanet.NetHttpTransport; -import com.google.api.client.json.gson.GsonFactory; -import com.uid2.shared.secure.AttestationException; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -public class InstanceDocumentVerifier { - private static final Logger LOGGER = LoggerFactory.getLogger(InstanceDocumentVerifier.class); - - public static final boolean VERIFY_SIGNATURE = true; - - private GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier - .Builder(new NetHttpTransport(), GsonFactory.getDefaultInstance()) - .build(); - - public InstanceDocument verify(String token) throws Exception { - GoogleIdToken googleId = GoogleIdToken.parse(verifier.getJsonFactory(), token); - if (!VERIFY_SIGNATURE) { - LOGGER.error("InstanceDocumentVerifier signature verification is ignored" ); - } else { - if (!verifier.verify(googleId)) { - throw new AttestationException("Unable to verify GCP VM's instance document"); - } - } - InstanceDocument id = new InstanceDocument(googleId); - return id; - } -} diff --git a/src/main/java/com/uid2/shared/secure/gcp/VmConfigId.java b/src/main/java/com/uid2/shared/secure/gcp/VmConfigId.java deleted file mode 100644 index ec531fcf..00000000 --- a/src/main/java/com/uid2/shared/secure/gcp/VmConfigId.java +++ /dev/null 
@@ -1,57 +0,0 @@ -package com.uid2.shared.secure.gcp; - -public class VmConfigId { - private final String idString; - private final String failedReason; - private final boolean isValid; - - // for troubleshooting purposes - private final String projectId; - public static VmConfigId success(String idString, String projectId) { - return new VmConfigId(true, idString, null, projectId); - } - public static VmConfigId failure(String reason, String projectId) { - return new VmConfigId(false, null, reason, projectId); - } - - private VmConfigId(boolean success, String idString, String reason, String projectId) { - this.isValid = success; - this.idString = idString; - this.failedReason = reason; - this.projectId = projectId; - } - - public boolean isValid() { - return this.isValid; - } - - /** - * Get string representation of the vmConfigId - * @return vmConfigId string, null if the value is inValid. Check isValid() before calling. - */ - public String getValue() { - return idString; - } - - /** - * Get why we did not create a vmConfigId successfully - * @return reason it failed, null if we have a valid vmConfigId. Check isValid() before calling. - */ - public String getFailedReason() { - return failedReason; - } - - /** - * get project ID for troubleshooting - * @return (nullable) projectId - */ - public String getProjectId() { - return projectId; - } - - @Override - public String toString() { - return String.format("[success=%b, idString=%s, reason=%s, projectId=%s]", - isValid, idString, failedReason, projectId); - } -} diff --git a/src/main/java/com/uid2/shared/secure/gcp/VmConfigVerifier.java b/src/main/java/com/uid2/shared/secure/gcp/VmConfigVerifier.java deleted file mode 100644 index a67814fc..00000000 --- a/src/main/java/com/uid2/shared/secure/gcp/VmConfigVerifier.java +++ /dev/null 
@@ -1,234 +0,0 @@ -package com.uid2.shared.secure.gcp; - -import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport; -import com.google.api.client.http.HttpRequestInitializer; -import com.google.api.client.http.HttpTransport; -import com.google.api.client.json.gson.GsonFactory; -import com.google.api.gax.paging.Page; -import com.google.api.services.compute.Compute; -import com.google.api.services.compute.model.AttachedDisk; -import com.google.api.services.compute.model.Disk; -import com.google.api.services.compute.model.Instance; -import com.google.api.services.compute.model.Metadata; -import com.google.auth.http.HttpCredentialsAdapter; -import com.google.auth.oauth2.GoogleCredentials; -import com.google.cloud.audit.AuditLog; -import com.google.cloud.logging.LogEntry; -import com.google.cloud.logging.Logging; -import com.google.cloud.logging.LoggingOptions; -import com.google.protobuf.Any; -import com.google.protobuf.InvalidProtocolBufferException; -import com.uid2.shared.Utils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import java.io.IOException; -import java.nio.charset.StandardCharsets; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.util.Arrays; -import java.util.Collections; -import java.util.HashSet; -import java.util.Set; -import java.util.regex.Pattern; - -public class VmConfigVerifier { - private static final Logger LOGGER = LoggerFactory.getLogger(VmConfigVerifier.class); - private static final String ENCLAVE_PARAM_PREFIX = "UID2_ENCLAVE_"; - - private final GoogleCredentials credentials; - public static final boolean VALIDATE_AUDITLOGS = true; - public static final boolean VALIDATE_VMCONFIG = true; - - private final Set enclaveParams; - private final Set allowedMethodsFromInstanceAuditLogs = - new HashSet(Collections.singletonList("v1.compute.instances.insert")); - - private final Set forbiddenMetadataKeys = - new HashSet(Arrays.asList( - "startup-script", - 
"startup-script-url", - "shutdown-script", - "shutdown-script-url", - "sysprep-specialize-script-ps1", - "sysprep-specialize-script-cmd", - "sysprep-specialize-script-bat", - "sysprep-specialize-script-url", - "windows-startup-script-ps1", - "windows-startup-script-cmd", - "windows-startup-script-bat", - "windows-startup-script-url", - "windows-shutdown-script-cmd")); - - private final Compute computeApi; - private final Logging loggingApi; - - public VmConfigVerifier(GoogleCredentials credentials, Set enclaveParams) throws Exception { - this.credentials = credentials; - if (this.credentials != null) { - LOGGER.info("Using Using Google Service Account: " + credentials.toString()); - final HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport(); - final GsonFactory jsonFactory = GsonFactory.getDefaultInstance(); - final HttpRequestInitializer requestInitializer = new HttpCredentialsAdapter(credentials); - - computeApi = new Compute.Builder(httpTransport, jsonFactory, requestInitializer) - .setApplicationName("UID-Operator/2.0") - .build(); - - loggingApi = LoggingOptions.newBuilder() - .setCredentials(credentials) - .build() - .getService(); - } else { - computeApi = null; - loggingApi = null; - } - - this.enclaveParams = enclaveParams; - if (this.enclaveParams != null) { - for (String enclaveParam : this.enclaveParams) { - LOGGER.info("Allowed Enclave Parameter: " + normalizeEnclaveParam(enclaveParam)); - } - } - } - - public VmConfigId getVmConfigId(InstanceDocument id) { - try { - LOGGER.debug("Issuing instance get request..."); - Instance instance = computeApi.instances() - .get(id.getProjectId(), id.getZone(), id.getInstanceId()) - .execute(); - - StringBuilder str = new StringBuilder(); - for (AttachedDisk disk : instance.getDisks()) { - if (!disk.getAutoDelete()) return VmConfigId.failure("!disk.autodelete", id.getProjectId()); - if (!disk.getBoot()) return VmConfigId.failure("!disk.getboot", id.getProjectId()); - - String diskSourceUrl = 
disk.getSource(); - String imageUrl = getDiskSourceImage(diskSourceUrl); - str.append(getSha256Base64Encoded(imageUrl)); - } - - Metadata metadata = instance.getMetadata(); - for (Metadata.Items metadataItem : metadata.getItems()) { - if (metadataItem.getKey().equals("user-data")) { - String cloudInitConfig = metadataItem.getValue(); - String templatizedConfig = templatizeVmConfig(cloudInitConfig); - str.append(getSha256Base64Encoded(templatizedConfig)); - } else if (forbiddenMetadataKeys.contains(metadataItem.getKey())) { - LOGGER.debug("gcp-vmid attestation got forbidden metadata key: " + metadataItem.getKey()); - return VmConfigId.failure("forbidden metadata key: " + metadataItem.getKey(), id.getProjectId()); - } - } - - String badAuditLog = findUnauthorizedAuditLog(id); - if (badAuditLog != null) { - LOGGER.debug("attestation failed because of audit log: " + badAuditLog); - return VmConfigId.failure("bad audit log: " + badAuditLog, id.getProjectId()); - } - - // str is a concatenation of disk hashes and cloud-init hashes - // configId is the SHA-256 output of str.toString() - return VmConfigId.success(getSha256Base64Encoded(str.toString()), id.getProjectId()); - } catch (Exception e) { - LOGGER.error("getVmConfigId error " + e.getMessage(), e); - return VmConfigId.failure(e.getMessage(), id.getProjectId()); - } - } - - public String templatizeVmConfig(String cloudInitConfig) { - // return original value if no enclave parameter is specified - if (this.enclaveParams == null) return cloudInitConfig; - - // If enclave param is `api_token`, we will look for the following line in the cloudInitConfig: - // Environment="UID2_ENCLAVE_API_TOKEN=token_value" - // and replace it with dummy value to templatize the cloud-init config - // Environment="UID2_ENCLAVE_API_TOKEN=dummy" - // - // This is done so that the core don't need to approve different cloud-init that differs only in - // the allowed enclave parameter values. 
- - for (String enclaveParam : this.enclaveParams) { - String subRegex = String.format("^([ \t]*Environment=.%s)=.+?\"$", normalizeEnclaveParam(enclaveParam)); - Pattern pattern = Pattern.compile(subRegex, Pattern.MULTILINE ); - cloudInitConfig = pattern.matcher(cloudInitConfig).replaceAll("$1=dummy\""); - } - - return cloudInitConfig; - } - - private String getAuditLogFilter(InstanceDocument id) { - return String.format("resource.type=gce_instance" + - " AND (" + - " logName=projects/%s/logs/cloudaudit.googleapis.com%%2Factivity" + - " OR logName=projects/%s/logs/cloudaudit.googleapis.com%%2Fdata_access" + - " )" + - " AND protoPayload.\"@type\"=\"type.googleapis.com/google.cloud.audit.AuditLog\"" + - " AND resource.labels.instance_id=%s", - id.getProjectId(), - id.getProjectId(), - id.getInstanceId()); - } - - /** - * Find the first unauthorized audit log and its reason. - * @param id the instance document - * @return reason the log is unauthorized, *null* if all passed or skipped. - * @throws InvalidProtocolBufferException - */ - private String findUnauthorizedAuditLog(InstanceDocument id) throws InvalidProtocolBufferException { - if (!VALIDATE_AUDITLOGS) { - LOGGER.error("Skip AuditLogs validation (VALIDATE_AUDITLOGS off)..."); - return null; - } - - LOGGER.debug("Searching AuditLogs..."); - String logFilter = getAuditLogFilter(id); - Page entries = loggingApi.listLogEntries(Logging.EntryListOption.filter(logFilter)); - - do { - for (LogEntry logEntry : entries.iterateAll()) { - Any data = (Any)logEntry.getPayload().getData(); - AuditLog auditLog = AuditLog.parseFrom(data.getValue()); - if (!validateAuditLog(auditLog)) { - return auditLog.getMethodName(); - } - } - entries = entries.getNextPage(); - } while (entries != null); - - return null; - } - - private boolean validateAuditLog(AuditLog auditLog) { - LOGGER.debug("Validating AuditLog for operation: " + auditLog.getMethodName()); - if (allowedMethodsFromInstanceAuditLogs.contains(auditLog.getMethodName())) 
{ - return true; - } else { - LOGGER.warn("gcp-vmid attestation receives unauthorized method: " + auditLog.getMethodName()); - return false; - } - } - - private String getDiskSourceImage(String diskSourceUrl) throws IOException { - String[] splits = diskSourceUrl.split("/"); - String projectId = splits[6]; - String zone = splits[8]; - String diskId = splits[10]; - - LOGGER.debug("Issuing disk get request for " + diskId + "..."); - Disk disk = computeApi.disks().get(projectId, zone, diskId).execute(); - return disk.getSourceImage(); - } - - private String getSha256Base64Encoded(String input) throws NoSuchAlgorithmException { - MessageDigest md = MessageDigest.getInstance("SHA-256"); - // input should contain only US-ASCII chars - md.update(input.getBytes(StandardCharsets.US_ASCII)); - return Utils.toBase64String(md.digest()); - } - - private static String normalizeEnclaveParam(String name) { - return ENCLAVE_PARAM_PREFIX + name.toUpperCase(); - } -} diff --git a/src/test/java/com/uid2/shared/secure/gcp/InstanceDocumentVerifierTest.java b/src/test/java/com/uid2/shared/secure/gcp/InstanceDocumentVerifierTest.java deleted file mode 100644 index 212f80be..00000000 --- a/src/test/java/com/uid2/shared/secure/gcp/InstanceDocumentVerifierTest.java +++ /dev/null 
@@ -1,37 +0,0 @@ -package com.uid2.shared.secure.gcp; - -import com.google.auth.oauth2.GoogleCredentials; -import com.uid2.shared.Const; -import com.uid2.shared.cloud.CloudUtils; -import io.vertx.core.json.JsonObject; -import org.junit.jupiter.api.Test; - -import static org.junit.jupiter.api.Assumptions.assumeTrue; - -public class InstanceDocumentVerifierTest { - - private static final String GOOGLE_CREDENTIALS = ""; - private static final String INSTANCE_DOCUMENT = ""; - - public static InstanceDocument getTestInstanceDocument() throws Exception { - InstanceDocumentVerifier verifier = new InstanceDocumentVerifier(); - return verifier.verify(INSTANCE_DOCUMENT); - } - - @Test - public void verifyToken() throws Exception { - assumeTrue(INSTANCE_DOCUMENT.length() > 20); - - InstanceDocument id = getTestInstanceDocument(); - } - - @Test - public void loadEncodedCredentials() { - assumeTrue(GOOGLE_CREDENTIALS.length() > 20); - - JsonObject config = new JsonObject(); - config.put(Const.Config.GoogleCredentialsProp, GOOGLE_CREDENTIALS); - - GoogleCredentials credentials = CloudUtils.getGoogleCredentialsFromConfig(config); - } -} diff --git a/src/test/java/com/uid2/shared/secure/gcp/VmConfigVerifierTest.java b/src/test/java/com/uid2/shared/secure/gcp/VmConfigVerifierTest.java deleted file mode 100644 index 13cf68d1..00000000 --- a/src/test/java/com/uid2/shared/secure/gcp/VmConfigVerifierTest.java +++ /dev/null 
@@ -1,96 +0,0 @@ -package com.uid2.shared.secure.gcp; - -import com.google.auth.oauth2.GoogleCredentials; -import org.junit.jupiter.api.Test; - -import java.util.HashSet; -import java.util.Set; -import static org.junit.jupiter.api.Assertions.*; -import static org.junit.jupiter.api.Assumptions.assumeTrue; - -public class VmConfigVerifierTest { - - private static final String testVmConfig = " [Unit]\n" + - " Description=Start UID 2.0 operator as docker container\n" + - "\n" + - " [Service]\n" + - " Environment=\"UID2_ENCLAVE_API_TOKEN=test_value_1\"\n" + - " Environment=\"UID2_ENCLAVE_IMAGE_ID=test_value_2\""; - - public static void requireCredential() { - assumeTrue(System.getenv("GOOGLE_APPLICATION_CREDENTIALS") != null); - Object defaultCredentials = null; - try { - defaultCredentials = GoogleCredentials.getApplicationDefault(); - } catch (Exception ex) {} - assumeTrue(defaultCredentials != null); - } - - @Test - public void testInstancesAttest() throws Exception { - VmConfigVerifierTest.requireCredential(); - - InstanceDocument id = InstanceDocumentVerifierTest.getTestInstanceDocument(); - VmConfigVerifier vmConfigVerifier = new VmConfigVerifier(GoogleCredentials.getApplicationDefault(), null); - VmConfigId vmConfigId = vmConfigVerifier.getVmConfigId(id); - assertNotNull(vmConfigId); - assertTrue(vmConfigId.isValid()); - } - - @Test - public void testNullEnclaveParams() throws Exception { - VmConfigVerifier vmConfigVerifier = new VmConfigVerifier(null, null); - assertEquals("abc", vmConfigVerifier.templatizeVmConfig("abc")); - assertEquals("#cloud-init\n", vmConfigVerifier.templatizeVmConfig("#cloud-init\n")); - assertEquals(testVmConfig, vmConfigVerifier.templatizeVmConfig(testVmConfig)); - } - - @Test - public void testEmptyEnclaveParams() throws Exception { - Set emptySet = new HashSet<>(); - VmConfigVerifier vmConfigVerifier = new VmConfigVerifier(null, emptySet); - assertEquals("abc", vmConfigVerifier.templatizeVmConfig("abc")); - 
assertEquals("#cloud-init\n", vmConfigVerifier.templatizeVmConfig("#cloud-init\n")); - assertEquals(testVmConfig, vmConfigVerifier.templatizeVmConfig(testVmConfig)); - } - - @Test - public void testSingleEnclaveParam() throws Exception { - { - Set set1 = new HashSet<>(); - set1.add("api_token"); - VmConfigVerifier vmConfigVerifier1 = new VmConfigVerifier(null, set1); - assertEquals("abc", vmConfigVerifier1.templatizeVmConfig("abc")); - assertEquals("#cloud-init\n", vmConfigVerifier1.templatizeVmConfig("#cloud-init\n")); - - String expectedResult1 = testVmConfig.replace("test_value_1", "dummy"); - assertEquals(expectedResult1, vmConfigVerifier1.templatizeVmConfig(testVmConfig)); - } - - { - Set set2 = new HashSet<>(); - set2.add("image_id"); - VmConfigVerifier vmConfigVerifier2 = new VmConfigVerifier(null, set2); - assertEquals("abc", vmConfigVerifier2.templatizeVmConfig("abc")); - assertEquals("#cloud-init\n", vmConfigVerifier2.templatizeVmConfig("#cloud-init\n")); - - String expectedResult2 = testVmConfig.replace("test_value_2", "dummy"); - assertEquals(expectedResult2, vmConfigVerifier2.templatizeVmConfig(testVmConfig)); - } - } - - @Test - public void testEnclaveParams() throws Exception { - Set set = new HashSet<>(); - set.add("api_token"); - set.add("image_id"); - VmConfigVerifier vmConfigVerifier = new VmConfigVerifier(null, set); - assertEquals("abc", vmConfigVerifier.templatizeVmConfig("abc")); - assertEquals("#cloud-init\n", vmConfigVerifier.templatizeVmConfig("#cloud-init\n")); - - String expectedResult = testVmConfig.replace("test_value_1", "dummy") - .replace("test_value_2", "dummy"); - assertEquals(expectedResult, vmConfigVerifier.templatizeVmConfig(testVmConfig)); - - } -}