Merge pull request #55 from lmilleri/attestation-policy

Added attestation policy to integration tests
confidential-containers · Nov 14, 2024 · 8c52a84 · 8c52a84
2 parents b71d3a3 + e2eb23b
commit 8c52a84
Show file tree

Hide file tree

Showing 11 changed files with 92 additions and 20 deletions.
diff --git a/tests/e2e/sample-attester/04-resource-policy.yaml b/tests/e2e/sample-attester/04-resource-policy.yaml
@@ -7,7 +7,4 @@ data:
   policy.rego: |
     package policy
 
-    default allow = false
-    allow {
-            input["tcb-status"]["sample.svn"] == "1"
-    }
+    default allow = true
diff --git a/tests/e2e/sample-attester/06-assert.yaml b/tests/e2e/sample-attester/06-assert.yaml
diff --git a/tests/e2e/sample-attester/06-attestation-policy.yaml b/tests/e2e/sample-attester/06-attestation-policy.yaml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: attestation-policy
+  namespace: trustee-operator-system
+data:
+  default.rego: |
+    package policy
+
+    import future.keywords.every
+
+    default allow = false
+
+    allow {
+      every k, v in input {
+        # `judge_field`: Traverse each key value pair in the input and make policy judgments on it.
+        #
+        # For each key value pair:
+        #	* If there isn't a corresponding key in the reference:
+        #		It is considered that the current key value pair has passed the verification.
+        #	* If there is a corresponding key in the reference:
+        #		Call `match_value` to further judge the value in input with the value in reference.
+        judge_field(k, v)
+      }
+    }
+
+    judge_field(input_key, input_value) {
+      has_key(data.reference, input_key)
+      reference_value := data.reference[input_key]
+
+      # `match_value`: judge the value in input with the value in reference.
+      #
+      # * If the type of reference value is not array:
+      #		Judge whether input value and reference value are equal。
+      # * If the type of reference value is array:
+      #		Call `array_include` to further judge the input value with the values in the array.
+      match_value(reference_value, input_value)
+    }
+
+    judge_field(input_key, input_value) {
+      not has_key(data.reference, input_key)
+    }
+
+    match_value(reference_value, input_value) {
+      not is_array(reference_value)
+      input_value == reference_value
+    }
+
+    match_value(reference_value, input_value) {
+      is_array(reference_value)
+
+      # `array_include`: judge the input value with the values in the array.
+      #
+      # * If the reference value array is empty:
+      #		It is considered that the current input value has passed the verification.
+      # * If the reference value array is not empty:
+      #		Judge whether there is a value equal to input value in the reference value array.
+      array_include(reference_value, input_value)
+    }
+
+    array_include(reference_value_array, input_value) {
+      reference_value_array == []
+    }
+
+    array_include(reference_value_array, input_value) {
+      reference_value_array != []
+      some i
+      reference_value_array[i] == input_value
+    }
+
+    has_key(m, k) {
+      _ = m[k]
+    }
diff --git a/tests/e2e/sample-attester/07-assert.yaml b/tests/e2e/sample-attester/07-assert.yaml
@@ -1,8 +1,7 @@
-apiVersion: v1
-kind: Pod
+apiVersion: apps/v1
+kind: Deployment
 metadata:
-  name: kbs-client
+  name: trustee-deployment
   namespace: trustee-operator-system
 status:
-  containerStatuses:
-  - ready: true
+  readyReplicas: 1
diff --git a/.../sample-attester/06-kbsconfig_sample.yaml → .../sample-attester/07-kbsconfig_sample.yaml b/.../sample-attester/06-kbsconfig_sample.yaml → .../sample-attester/07-kbsconfig_sample.yaml
@@ -15,6 +15,7 @@ spec:
   kbsDeploymentType: AllInOneDeployment
   kbsRvpsRefValuesConfigMapName: rvps-reference-values
   kbsResourcePolicyConfigMapName: resource-policy
+  kbsAttestationPolicyConfigMapName: attestation-policy
   kbsSecretResources:
     - "kbsres1"
   KbsEnvVars: 

diff --git a/tests/e2e/sample-attester/08-assert.yaml b/tests/e2e/sample-attester/08-assert.yaml
@@ -1,5 +1,8 @@
 apiVersion: v1
-kind: Secret
+kind: Pod
 metadata:
-  name: trustee-secret
+  name: kbs-client
   namespace: trustee-operator-system
+status:
+  containerStatuses:
+  - ready: true
diff --git a/tests/e2e/sample-attester/07-client.yaml → tests/e2e/sample-attester/08-client.yaml b/tests/e2e/sample-attester/07-client.yaml → tests/e2e/sample-attester/08-client.yaml
diff --git a/tests/e2e/sample-attester/09-assert.yaml b/tests/e2e/sample-attester/09-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: trustee-secret
+  namespace: trustee-operator-system
diff --git a/tests/e2e/sample-attester/08-get-secret.yaml → tests/e2e/sample-attester/09-get-secret.yaml b/tests/e2e/sample-attester/08-get-secret.yaml → tests/e2e/sample-attester/09-get-secret.yaml
diff --git a/tests/e2e/sample-attester/create-other-secret.sh b/tests/e2e/sample-attester/create-other-secret.sh
@@ -1,3 +1,4 @@
 #!/bin/bash
 
-kubectl create secret generic kbsres1 --from-literal key1=res1val1 --from-literal key2=res1val2 -n trustee-operator-system
+kubectl create secret generic kbsres1 --from-literal key1=res1val1 --from-literal key2=res1val2 -n trustee-operator-system
+
diff --git a/tests/e2e/sample-attester/install-operator.sh b/tests/e2e/sample-attester/install-operator.sh
@@ -21,5 +21,5 @@ make build-installer
 kubectl apply -f dist/install.yaml
 
 pushd tests/e2e/sample-attester
-kustomize edit set image $CLIENT_IMAGE_NAME
+kustomize edit set image quay.io/confidential-containers/kbs-client=$CLIENT_IMAGE_NAME
 popd