feat: configure the SMS with a list of Azure attestation servers (#306)

Author: jbern0rd

src/main/java/com/iexec/sms/tee/session/scone/AzureAttestationServer.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright 2025 IEXEC BLOCKCHAIN TECH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.iexec.sms.tee.session.scone;
+
+import feign.RequestLine;
+
+public interface AzureAttestationServer {
+    @RequestLine("GET .well-known/openid-configuration")
+    String canFetchOpenIdMetadata();
+}

src/main/java/com/iexec/sms/tee/session/scone/SconeSessionMakerService.java

@@ -16,6 +16,7 @@
 
 package com.iexec.sms.tee.session.scone;
 
+import com.iexec.common.utils.FeignBuilder;
 import com.iexec.commons.poco.tee.TeeFramework;
 import com.iexec.sms.tee.ConditionalOnTeeFramework;
 import com.iexec.sms.tee.session.base.SecretEnclaveBase;
@@ -30,24 +31,34 @@
 import com.iexec.sms.tee.session.scone.cas.SconeSession.Image.Volume;
 import com.iexec.sms.tee.session.scone.cas.SconeSession.Security;
 import com.iexec.sms.tee.session.scone.cas.SconeSession.Volumes;
+import feign.Logger;
 import lombok.NonNull;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
 
+import java.net.URL;
 import java.util.*;
+import java.util.stream.Collectors;
 
 //TODO Rename and move
+@Slf4j
 @Service
 @ConditionalOnTeeFramework(frameworks = TeeFramework.SCONE)
 public class SconeSessionMakerService {
 
     private final SecretSessionBaseService secretSessionBaseService;
     private final SconeSessionSecurityConfig attestationSecurityConfig;
+    private final Map<URL, AzureAttestationServer> azureAttestationServersMap;
 
-    public SconeSessionMakerService(
-            SecretSessionBaseService secretSessionBaseService,
-            SconeSessionSecurityConfig attestationSecurityConfig) {
+    public SconeSessionMakerService(final SecretSessionBaseService secretSessionBaseService,
+                                    final SconeSessionSecurityConfig attestationSecurityConfig) {
         this.secretSessionBaseService = secretSessionBaseService;
         this.attestationSecurityConfig = attestationSecurityConfig;
+        azureAttestationServersMap = attestationSecurityConfig.getUrls().stream()
+                .collect(Collectors.toMap(
+                        url -> url,
+                        url -> FeignBuilder.createBuilder(Logger.Level.BASIC).target(AzureAttestationServer.class, url.toString())
+                ));
     }
 
     /**
@@ -62,21 +73,19 @@ public SconeSessionMakerService(
      * @return session config in yaml string format
      */
     @NonNull
-    public SconeSession generateSession(TeeSessionRequest request)
-            throws TeeSessionGenerationException {
-        Volume iexecInVolume = new Volume("iexec_in", "/iexec_in");
-        Volume iexecOutVolume = new Volume("iexec_out", "/iexec_out");
-        Volume postComputeTmpVolume = new Volume("post-compute-tmp",
-                "/post-compute-tmp");
-        List<SconeEnclave> services = new ArrayList<>();
-        List<Image> images = new ArrayList<>();
+    public SconeSession generateSession(final TeeSessionRequest request) throws TeeSessionGenerationException {
+        final Volume iexecInVolume = new Volume("iexec_in", "/iexec_in");
+        final Volume iexecOutVolume = new Volume("iexec_out", "/iexec_out");
+        final Volume postComputeTmpVolume = new Volume("post-compute-tmp", "/post-compute-tmp");
+        final List<SconeEnclave> services = new ArrayList<>();
+        final List<Image> images = new ArrayList<>();
 
-        SecretSessionBase baseSession = secretSessionBaseService
+        final SecretSessionBase baseSession = secretSessionBaseService
                 .getSecretsTokens(request);
 
         // pre (optional)
         if (baseSession.getPreCompute() != null) {
-            SconeEnclave sconePreEnclave = toSconeEnclave(
+            final SconeEnclave sconePreEnclave = toSconeEnclave(
                     baseSession.getPreCompute(),
                     request.getTeeServicesProperties().getPreComputeProperties().getEntrypoint(),
                     true);
@@ -86,7 +95,7 @@ public SconeSession generateSession(TeeSessionRequest request)
                     List.of(iexecInVolume)));
         }
         // app
-        SconeEnclave sconeAppEnclave = toSconeEnclave(
+        final SconeEnclave sconeAppEnclave = toSconeEnclave(
                 baseSession.getAppCompute(),
                 request.getTaskDescription().getAppCommand(),
                 false);
@@ -95,7 +104,7 @@ public SconeSession generateSession(TeeSessionRequest request)
                 sconeAppEnclave.getImageName(),
                 List.of(iexecInVolume, iexecOutVolume)));
         // post
-        SconeEnclave sconePostEnclave = toSconeEnclave(
+        final SconeEnclave sconePostEnclave = toSconeEnclave(
                 baseSession.getPostCompute(),
                 request.getTeeServicesProperties().getPostComputeProperties().getEntrypoint(),
                 true);
@@ -104,6 +113,8 @@ public SconeSession generateSession(TeeSessionRequest request)
                 sconePostEnclave.getImageName(),
                 List.of(iexecOutVolume, postComputeTmpVolume)));
 
+        final URL validAttestationServer = resolveValidAttestationServer();
+
         return SconeSession.builder()
                 .name(request.getSessionId())
                 .version("0.3.10")
@@ -118,13 +129,31 @@ public SconeSession generateSession(TeeSessionRequest request)
                                 attestationSecurityConfig.getToleratedInsecureOptions(),
                                 attestationSecurityConfig.getIgnoredSgxAdvisories(),
                                 attestationSecurityConfig.getMode(),
-                                attestationSecurityConfig.getUrl()
+                                validAttestationServer
                         )
                 )
                 .build();
     }
 
-    private SconeEnclave toSconeEnclave(SecretEnclaveBase enclaveBase, String command, boolean addJavaEnvVars) {
+    private URL resolveValidAttestationServer() {
+        // The keys of the Map are shuffled to avoid always querying servers in the same order
+        final List<URL> urls = new ArrayList<>(azureAttestationServersMap.keySet());
+        Collections.shuffle(urls);
+        for (final URL attestationServerUrl : urls) {
+            try {
+                azureAttestationServersMap.get(attestationServerUrl).canFetchOpenIdMetadata();
+                log.debug("Resolved attestation server [url:{}]", attestationServerUrl);
+                return attestationServerUrl;
+            } catch (Exception e) {
+                log.error("Failed to check Azure attestation server liveness [url:{}]", attestationServerUrl, e);
+            }
+        }
+        return null;
+    }
+
+    private SconeEnclave toSconeEnclave(final SecretEnclaveBase enclaveBase,
+                                        final String command,
+                                        final boolean addJavaEnvVars) {
         final HashMap<String, Object> enclaveEnvironment = new HashMap<>(enclaveBase.getEnvironment());
         if (addJavaEnvVars) {
             enclaveEnvironment.putAll(

src/main/java/com/iexec/sms/tee/session/scone/SconeSessionSecurityConfig.java

@@ -19,13 +19,17 @@
 import com.iexec.commons.poco.tee.TeeFramework;
 import com.iexec.sms.tee.ConditionalOnTeeFramework;
 import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
 import lombok.Value;
 import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.context.properties.DeprecatedConfigurationProperty;
+import org.springframework.validation.annotation.Validated;
 
 import java.net.URL;
 import java.util.List;
 
 @Value
+@Validated
 @ConfigurationProperties(prefix = "tee.scone.attestation")
 @ConditionalOnTeeFramework(frameworks = TeeFramework.SCONE)
 public class SconeSessionSecurityConfig {
@@ -34,14 +38,35 @@ public class SconeSessionSecurityConfig {
     @NotBlank
     String mode;
     URL url;
+    List<@NotNull URL> urls;
 
-    public SconeSessionSecurityConfig(List<String> toleratedInsecureOptions, List<String> ignoredSgxAdvisories, String mode, URL url) {
+    public SconeSessionSecurityConfig(final List<String> toleratedInsecureOptions,
+                                      final List<String> ignoredSgxAdvisories,
+                                      final String mode,
+                                      final URL url,
+                                      final List<URL> urls) {
         this.toleratedInsecureOptions = toleratedInsecureOptions;
         this.ignoredSgxAdvisories = ignoredSgxAdvisories;
         this.mode = mode;
         this.url = url;
-        if ("maa".equals(this.mode) && this.url == null) {
+        if (urls != null && !urls.isEmpty()) {
+            this.urls = urls;
+        } else if (url != null) {
+            this.urls = List.of(url);
+        } else {
+            this.urls = List.of();
+        }
+        if ("maa".equals(this.mode) && this.urls.isEmpty()) {
             throw new IllegalArgumentException("Attestation URL can not be null when scone session mode is 'maa'");
         }
     }
+
+    /**
+     * @deprecated use {@code tee.scone.attestation.urls} configuration property instead
+     */
+    @Deprecated(forRemoval = true)
+    @DeprecatedConfigurationProperty(replacement = "tee.scone.attestation.urls", reason = "replaced with a list")
+    public URL getUrl() {
+        return this.url;
+    }
 }

src/main/resources/application-scone.yml

@@ -35,3 +35,4 @@ tee:
       ignored-sgx-advisories: ${IEXEC_IGNORED_SGX_ADVISORIES:} # e.g.: INTEL-SA-00220,INTEL-SA-00270
       mode: maa
       url: https://sharedweu.weu.attest.azure.net
+      urls: [ https://sharedweu.weu.attest.azure.net ]