e2e: test disallowed PIIDs

Author: burgerdev

e2e/attestation/attestation_test.go

@@ -53,6 +53,41 @@ func TestAttestation(t *testing.T) {
 		}), "contrast set should fail due to non-allowed chip ID")
 	})
 
+	// Same as above, but for TDX PIIDs.
+	t.Run("allowed-piids", func(t *testing.T) {
+		platform, err := platforms.FromString(contrasttest.Flags.PlatformStr)
+		require.NoError(t, err)
+		if !platforms.IsTDX(platform) {
+			t.Skip()
+		}
+
+		require := require.New(t)
+		ct := contrasttest.New(t)
+
+		runtimeHandler, err := manifest.RuntimeHandler(platform)
+		require.NoError(err)
+		resources := kuberesource.CoordinatorBundle()
+		resources = kuberesource.PatchRuntimeHandlers(resources, runtimeHandler)
+		resources = kuberesource.AddPortForwarders(resources)
+		ct.Init(t, resources)
+
+		require.True(t.Run("generate", ct.Generate), "contrast generate needs to succeed for subsequent tests")
+		require.True(t.Run("apply", ct.Apply), "Kubernetes resources need to be applied for subsequent tests")
+
+		ct.PatchManifest(t, func(m manifest.Manifest) manifest.Manifest {
+			for i := range m.ReferenceValues.TDX {
+				m.ReferenceValues.TDX[i].AllowedPIIDs = []manifest.HexString{
+					"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+				}
+			}
+			return m
+		})
+		require.True(t.Run("set", func(t *testing.T) {
+			err := ct.RunSet(t.Context())
+			require.ErrorContains(err, "not in allowed PIIDs")
+		}), "contrast set should fail due to non-allowed PIID")
+	})
+
 	// Test that it is okay to have failing validators as long as one validator passes.
 	t.Run("non-matching-validators", func(t *testing.T) {
 		platform, err := platforms.FromString(contrasttest.Flags.PlatformStr)