Include the policy evaluation report in the Attestation Results Token

Signed-off-by: Jiale Zhang <[email protected]>

attestation-service/src/lib.rs

@@ -23,7 +23,7 @@ pub mod verifier;
 
 use crate::token::AttestationTokenBroker;
 
-use anyhow::{anyhow, bail, Context, Result};
+use anyhow::{anyhow, Context, Result};
 use as_types::SetPolicyInput;
 use config::Config;
 pub use kbs_types::{Attestation, Tee};
@@ -129,18 +129,16 @@ impl AttestationService {
             .map_err(|e| anyhow!("Generate reference data failed{:?}", e))?;
 
         // Now only support using default policy to evaluate
-        let (result, policy_engine_output) = self
+        let evaluation_report = self
             .policy_engine
             .evaluate(reference_data_map, tcb.clone(), None)
-            .await?;
-
-        if !result {
-            bail!("Policy Engine verification failed: {policy_engine_output}");
-        }
+            .await
+            .map_err(|e| anyhow!("Policy Engine evaluation failed: {e}"))?;
 
         let token_claims = json!({
             "tee-pubkey": attestation.tee_pubkey.clone(),
-            "tcb-status": flattened_claims
+            "tcb-status": flattened_claims,
+            "evaluation-report": evaluation_report,
         });
         let attestation_results_token = self.token_broker.issue(token_claims)?;
 

attestation-service/src/policy_engine/mod.rs

@@ -36,7 +36,7 @@ pub trait PolicyEngine {
         reference_data_map: HashMap<String, Vec<String>>,
         input: String,
         policy_id: Option<String>,
-    ) -> Result<(bool, String)>;
+    ) -> Result<String>;
 
     async fn set_policy(&mut self, input: SetPolicyInput) -> Result<()>;
 }

attestation-service/src/policy_engine/opa/mod.rs

@@ -62,7 +62,7 @@ impl PolicyEngine for OPA {
         reference_data_map: HashMap<String, Vec<String>>,
         input: String,
         policy_id: Option<String>,
-    ) -> Result<(bool, String)> {
+    ) -> Result<String> {
         let policy_file_path = format!(
             "{}/{}.rego",
             self.policy_dir_path
@@ -100,9 +100,16 @@ impl PolicyEngine for OPA {
             return Err(anyhow!(res));
         }
 
+        // If a clear approval opinion is given in the evaluation report,
+        // the rejection information will be reflected in the evaluation failure return value.
         let res_kv: Value = serde_json::from_str(&res)?;
+        if let Some(allow) = res_kv["allow"].as_bool() {
+            if !allow {
+                bail!("Untrusted TEE evidence")
+            }
+        }
 
-        Ok((res_kv["allow"].as_bool().unwrap_or(false), res))
+        Ok(res)
     }
 
     async fn set_policy(&mut self, input: SetPolicyInput) -> Result<()> {