Add negative tests and fix issues with attestaion verification

Author: ameba23

src/attestation/mod.rs

@@ -145,9 +145,9 @@ pub struct AttestationVerifier {
     ///
     /// If this is empty, anything will be accepted - but measurements are always injected into HTTP
     /// headers, so that they can be verified upstream
-    accepted_measurements: Vec<MeasurementRecord>,
+    pub accepted_measurements: Vec<MeasurementRecord>,
     /// A PCCS service to use - defaults to Intel PCS
-    pccs_url: Option<String>,
+    pub pccs_url: Option<String>,
 }
 
 impl AttestationVerifier {
@@ -202,6 +202,9 @@ impl AttestationVerifier {
                 .await?
             }
             AttestationType::None => {
+                if self.has_remote_attestion() {
+                    return Err(AttestationError::AttestationTypeNotAccepted);
+                }
                 if attestation_payload.attestation.is_empty() {
                     return Ok(None);
                 } else {
@@ -216,7 +219,8 @@ impl AttestationVerifier {
         // look through all our accepted measurements
         self.accepted_measurements
             .iter()
-            .find(|a| a.attestation_type == attestation_type && a.measurements == measurements);
+            .find(|a| a.attestation_type == attestation_type && a.measurements == measurements)
+            .ok_or(AttestationError::MeasurementsNotAccepted)?;
 
         Ok(Some(measurements))
     }
@@ -409,4 +413,8 @@ pub enum AttestationError {
     QuoteParse(#[from] QuoteParseError),
     #[error("Attestation type not supported")]
     AttestationTypeNotSupported,
+    #[error("Attestation type not accepted")]
+    AttestationTypeNotAccepted,
+    #[error("Measurements not accepted")]
+    MeasurementsNotAccepted,
 }

src/lib.rs

@@ -329,6 +329,7 @@ fn full<T: Into<Bytes>>(chunk: T) -> BoxBody<Bytes, hyper::Error> {
 }
 
 /// A proxy client which forwards http traffic to a proxy-server
+#[derive(Debug)]
 pub struct ProxyClient {
     /// The underlying TCP listener
     listener: TcpListener,
@@ -817,6 +818,10 @@ where
 
 #[cfg(test)]
 mod tests {
+    use crate::attestation::measurements::{
+        CvmImageMeasurements, MeasurementRecord, PlatformMeasurements,
+    };
+
     use super::*;
     use test_helpers::{
         default_measurements, example_http_service, example_service, generate_certificate_chain,
@@ -1115,4 +1120,109 @@ mod tests {
 
         assert_eq!(retrieved_chain, cert_chain);
     }
+
+    // Negative test - server does not provide attestation but client requires it
+    // Server has no attestaion, client has no attestation and no client auth
+    #[tokio::test]
+    async fn fails_on_no_attestation_when_expected() {
+        let target_addr = example_http_service().await;
+
+        let (cert_chain, private_key) = generate_certificate_chain("127.0.0.1".parse().unwrap());
+        let (server_config, client_config) = generate_tls_config(cert_chain.clone(), private_key);
+
+        let proxy_server = ProxyServer::new_with_tls_config(
+            cert_chain,
+            server_config,
+            "127.0.0.1:0",
+            target_addr,
+            Arc::new(NoQuoteGenerator),
+            AttestationVerifier::do_not_verify(),
+        )
+        .await
+        .unwrap();
+
+        let proxy_addr = proxy_server.local_addr().unwrap();
+
+        tokio::spawn(async move {
+            proxy_server.accept().await.unwrap();
+        });
+
+        let proxy_client_result = ProxyClient::new_with_tls_config(
+            client_config,
+            "127.0.0.1:0".to_string(),
+            proxy_addr.to_string(),
+            Arc::new(NoQuoteGenerator),
+            AttestationVerifier::mock(),
+            None,
+        )
+        .await;
+
+        assert!(matches!(
+            proxy_client_result.unwrap_err(),
+            ProxyError::Attestation(AttestationError::AttestationTypeNotAccepted)
+        ));
+    }
+
+    // Negative test - server does not provide attestation but client requires it
+    // Server has no attestaion, client has no attestation and no client auth
+    #[tokio::test]
+    async fn fails_on_bad_measurements() {
+        let target_addr = example_http_service().await;
+
+        let (cert_chain, private_key) = generate_certificate_chain("127.0.0.1".parse().unwrap());
+        let (server_config, client_config) = generate_tls_config(cert_chain.clone(), private_key);
+
+        let proxy_server = ProxyServer::new_with_tls_config(
+            cert_chain,
+            server_config,
+            "127.0.0.1:0",
+            target_addr,
+            Arc::new(DcapTdxQuoteGenerator {
+                attestation_type: AttestationType::DcapTdx,
+            }),
+            AttestationVerifier::do_not_verify(),
+        )
+        .await
+        .unwrap();
+
+        let proxy_addr = proxy_server.local_addr().unwrap();
+
+        tokio::spawn(async move {
+            proxy_server.accept().await.unwrap();
+        });
+
+        let attestation_verifier = AttestationVerifier {
+            accepted_measurements: vec![MeasurementRecord {
+                attestation_type: AttestationType::DcapTdx,
+                measurement_id: "test".to_string(),
+                measurements: Measurements {
+                    platform: PlatformMeasurements {
+                        mrtd: [0; 48],
+                        rtmr0: [0; 48],
+                    },
+                    cvm_image: CvmImageMeasurements {
+                        rtmr1: [1; 48], // This differs from the mock measurements given
+                        rtmr2: [0; 48],
+                        rtmr3: [0; 48],
+                    },
+                },
+            }],
+            pccs_url: None,
+        };
+
+        let proxy_client_result = ProxyClient::new_with_tls_config(
+            client_config,
+            "127.0.0.1:0".to_string(),
+            proxy_addr.to_string(),
+            Arc::new(NoQuoteGenerator),
+            attestation_verifier,
+            None,
+        )
+        .await;
+
+        assert!(matches!(
+            proxy_client_result.unwrap_err(),
+            ProxyError::Attestation(AttestationError::MeasurementsNotAccepted)
+        ));
+    }
 }