Merge pull request #194 from IABTechLab/tjm-UID2-2810-validate-attestation-url-gcp

Shared changes to validate attestation URL for GCP

Author: thomasm-ttd

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.uid2</groupId>
     <artifactId>uid2-shared</artifactId>
-    <version>7.0.4-7b2bf15eae</version>
+    <version>7.0.5-SNAPSHOT</version>
     <name>${project.groupId}:${project.artifactId}</name>
     <description>Library for all the shared uid2 operations</description>
     <url>https://github.com/IABTechLab/uid2docs</url>

src/main/java/com/uid2/shared/secure/AttestationClientException.java

@@ -2,11 +2,19 @@
 
 public class AttestationClientException extends AttestationException
 {
+    private final AttestationFailure attestationFailure;
+
     public AttestationClientException(Throwable cause) {
         super(cause, true);
+        this.attestationFailure = AttestationFailure.UNKNOWN;
     }
 
-    public AttestationClientException(String message) {
+    public AttestationClientException(String message, AttestationFailure attestationFailure) {
         super(message, true);
+        this.attestationFailure = attestationFailure;
+    }
+
+    public AttestationFailure getAttestationFailure() {
+        return this.attestationFailure;
     }
 }

src/main/java/com/uid2/shared/secure/GcpOidcCoreAttestationService.java

@@ -19,8 +19,8 @@ public class GcpOidcCoreAttestationService implements ICoreAttestationService {
 
     private final Set<String> allowedEnclaveIds = new HashSet<>();
 
-    public GcpOidcCoreAttestationService(){
-        this(new TokenSignatureValidator(), Arrays.asList(new PolicyValidator()));
+    public GcpOidcCoreAttestationService(String attestationUrl){
+        this(new TokenSignatureValidator(), Arrays.asList(new PolicyValidator(attestationUrl)));
     }
 
     // used in UT

src/main/java/com/uid2/shared/secure/NitroCoreAttestationService.java

@@ -57,7 +57,7 @@ private AttestationResult attestInternal(byte[] publicKey, AttestationRequest aR
 
         String givenAttestationUrl = aDoc.getUserDataString();
         if (givenAttestationUrl != null && !givenAttestationUrl.isEmpty()) {
-            if (!UrlEquivalenceValidator.areUrlsEquivalent(this.attestationUrl, givenAttestationUrl, LOGGER)) {
+            if (!UrlEquivalenceValidator.areUrlsEquivalent(this.attestationUrl, givenAttestationUrl)) {
                 return new AttestationResult(AttestationFailure.UNKNOWN_ATTESTATION_URL);
             }
         }

src/main/java/com/uid2/shared/secure/azurecc/MaaTokenSignatureValidator.java

@@ -7,6 +7,7 @@
 import com.google.common.base.Strings;
 import com.uid2.shared.secure.AttestationClientException;
 import com.uid2.shared.secure.AttestationException;
+import com.uid2.shared.secure.AttestationFailure;
 
 import java.io.IOException;
 import java.util.Map;
@@ -66,7 +67,7 @@ public MaaTokenPayload validate(String tokenString) throws AttestationException
                 tokenVerifier.verify(tokenString);
             }
         } catch (TokenVerifier.VerificationException e) {
-            throw new AttestationClientException("Fail to validate the token signature, error: " + e.getMessage());
+            throw new AttestationClientException("Fail to validate the token signature, error: " + e.getMessage(), AttestationFailure.BAD_PAYLOAD);
         } catch (IOException e) {
             throw new AttestationException("Fail to parse token, error: " + e.getMessage());
         }

src/main/java/com/uid2/shared/secure/azurecc/PolicyValidator.java

@@ -3,6 +3,7 @@
 import com.google.common.base.Strings;
 import com.uid2.shared.secure.AttestationClientException;
 import com.uid2.shared.secure.AttestationException;
+import com.uid2.shared.secure.AttestationFailure;
 
 public class PolicyValidator implements IPolicyValidator{
     private static final String LOCATION_CHINA = "china";
@@ -17,39 +18,40 @@ public String validate(MaaTokenPayload maaTokenPayload, String publicKey) throws
 
     private void verifyPublicKey(MaaTokenPayload maaTokenPayload, String publicKey) throws AttestationException {
         if(Strings.isNullOrEmpty(publicKey)){
-            throw new AttestationClientException("public key to check is null or empty");
+            throw new AttestationClientException("public key to check is null or empty", AttestationFailure.BAD_FORMAT);
         }
         var runtimePublicKey = maaTokenPayload.getRuntimeData().getPublicKey();
         if(!publicKey.equals(runtimePublicKey)){
             throw new AttestationClientException(
                     String.format("Public key in payload is not match expected value. More info: runtime(%s), expected(%s)",
                             runtimePublicKey,
                             publicKey
-                    ));
+                    ),
+                    AttestationFailure.BAD_FORMAT);
         }
     }
 
     private void verifyVM(MaaTokenPayload maaTokenPayload) throws AttestationException {
         if(!maaTokenPayload.isSevSnpVM()){
-            throw new AttestationClientException("Not in SevSnp VM");
+            throw new AttestationClientException("Not in SevSnp VM", AttestationFailure.BAD_FORMAT);
         }
         if(!maaTokenPayload.isUtilityVMCompliant()){
-            throw new AttestationClientException("Not run in Azure Compliance Utility VM");
+            throw new AttestationClientException("Not run in Azure Compliance Utility VM", AttestationFailure.BAD_FORMAT);
         }
         if(maaTokenPayload.isVmDebuggable()){
-            throw new AttestationClientException("The underlying hardware should not run in debug mode");
+            throw new AttestationClientException("The underlying hardware should not run in debug mode", AttestationFailure.BAD_FORMAT);
         }
     }
 
     private void verifyLocation(MaaTokenPayload maaTokenPayload) throws AttestationException {
         var location = maaTokenPayload.getRuntimeData().getLocation();
         if(Strings.isNullOrEmpty(location)){
-            throw new AttestationClientException("Location is not specified.");
+            throw new AttestationClientException("Location is not specified.", AttestationFailure.BAD_PAYLOAD);
         }
         var lowerCaseLocation = location.toLowerCase();
         if(lowerCaseLocation.contains(LOCATION_CHINA) ||
            lowerCaseLocation.contains(LOCATION_EU)){
-            throw new AttestationClientException("Location is not supported. Value: " + location);
+            throw new AttestationClientException("Location is not supported. Value: " + location, AttestationFailure.BAD_PAYLOAD);
         }
     }
 }

src/main/java/com/uid2/shared/secure/gcpoidc/PolicyValidator.java

@@ -6,6 +6,8 @@
 import com.uid2.shared.Utils;
 import com.uid2.shared.secure.AttestationClientException;
 import com.uid2.shared.secure.AttestationException;
+import com.uid2.shared.secure.AttestationFailure;
+import com.uid2.shared.util.UrlEquivalenceValidator;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.collections4.MapUtils;
 import org.slf4j.Logger;
@@ -30,14 +32,24 @@ public class PolicyValidator implements IPolicyValidator {
 
     private static final List<String> REQUIRED_ENV_OVERRIDES = ImmutableList.of(
             ENV_ENVIRONMENT,
-            ENV_OPERATOR_API_KEY_SECRET_NAME,
-            ENV_CORE_ENDPOINT,
-            ENV_OPT_OUT_ENDPOINT
+            ENV_OPERATOR_API_KEY_SECRET_NAME
     );
 
     private static final Map<Environment, List<String>> OPTIONAL_ENV_OVERRIDES_MAP = ImmutableMap.of(
-            Environment.Integration, ImmutableList.of()
+            Environment.Production, ImmutableList.of(
+                    ENV_CORE_ENDPOINT,
+                    ENV_OPT_OUT_ENDPOINT
+            ),
+            Environment.Integration, ImmutableList.of(
+                    ENV_CORE_ENDPOINT,
+                    ENV_OPT_OUT_ENDPOINT
+            )
     );
+    private final String attestationUrl;
+
+    public PolicyValidator(String attestationUrl) {
+        this.attestationUrl = attestationUrl;
+    }
 
     @Override
     public String getVersion() {
@@ -56,18 +68,18 @@ public String validate(TokenPayload payload) throws AttestationException {
 
     private static boolean checkConfidentialSpace(TokenPayload payload) throws AttestationException{
         if(!payload.isConfidentialSpaceSW()){
-            throw new AttestationClientException("Unexpected SW_NAME: " + payload.getSwName());
+            throw new AttestationClientException("Unexpected SW_NAME: " + payload.getSwName(), AttestationFailure.BAD_FORMAT);
         }
         var isDebugMode = payload.isDebugMode();
         if(!isDebugMode && !payload.isStableVersion()){
-            throw new AttestationClientException("Confidential space image version is not stable.");
+            throw new AttestationClientException("Confidential space image version is not stable.", AttestationFailure.BAD_FORMAT);
         }
         return isDebugMode;
     }
 
     private static String checkWorkload(TokenPayload payload) throws AttestationException{
         if(!payload.isRestartPolicyNever()){
-            throw new AttestationClientException("Restart policy is not set to Never. Value: " + payload.getRestartPolicy());
+            throw new AttestationClientException("Restart policy is not set to Never. Value: " + payload.getRestartPolicy(), AttestationFailure.BAD_FORMAT);
         }
         return payload.getWorkloadImageDigest();
     }
@@ -78,35 +90,35 @@ private static String checkWorkload(TokenPayload payload) throws AttestationExce
     private static String checkRegion(TokenPayload payload) throws AttestationException{
         var region = payload.getGceZone();
         if(Strings.isNullOrEmpty(region) || region.startsWith(EU_REGION_PREFIX)){
-            throw new AttestationClientException("Region is not supported. Value: " + region);
+            throw new AttestationClientException("Region is not supported. Value: " + region, AttestationFailure.BAD_FORMAT);
         }
         return region;
     }
 
     private static void checkCmdOverrides(TokenPayload payload) throws AttestationException{
         if(!CollectionUtils.isEmpty(payload.getCmdOverrides())){
-            throw new AttestationClientException("Payload should not have cmd overrides");
+            throw new AttestationClientException("Payload should not have cmd overrides", AttestationFailure.BAD_FORMAT);
         }
     }
 
     private Environment checkEnvOverrides(TokenPayload payload) throws AttestationException{
         var envOverrides = payload.getEnvOverrides();
         if(MapUtils.isEmpty(envOverrides)){
-            throw new AttestationClientException("env overrides should not be empty");
+            throw new AttestationClientException("env overrides should not be empty", AttestationFailure.BAD_FORMAT);
         }
         HashMap<String, String> envOverridesCopy = new HashMap(envOverrides);
 
         // check all required env overrides
         for(var envKey: REQUIRED_ENV_OVERRIDES){
             if(Strings.isNullOrEmpty(envOverridesCopy.get(envKey))){
-                throw new AttestationClientException("Required env override is missing. key: " + envKey);
+                throw new AttestationClientException("Required env override is missing. key: " + envKey, AttestationFailure.BAD_FORMAT);
             }
         }
 
         // env could be parsed
         var env = Environment.fromString(envOverridesCopy.get(ENV_ENVIRONMENT));
         if(env == null){
-            throw new AttestationClientException("Environment can not be parsed. " + envOverridesCopy.get(ENV_ENVIRONMENT));
+            throw new AttestationClientException("Environment can not be parsed. " + envOverridesCopy.get(ENV_ENVIRONMENT), AttestationFailure.BAD_FORMAT);
         }
 
         // make sure there's no unexpected overrides
@@ -120,13 +132,24 @@ private Environment checkEnvOverrides(TokenPayload payload) throws AttestationEx
             }
         }
 
+        checkAttestationUrl(new HashMap<>(envOverrides));
+
         if(!envOverridesCopy.isEmpty()){
-            throw new AttestationClientException("More env overrides than allowed. " + envOverridesCopy);
+            throw new AttestationClientException("More env overrides than allowed. " + envOverridesCopy, AttestationFailure.BAD_FORMAT);
         }
 
         return env;
     }
 
+    private void checkAttestationUrl(HashMap<String, String> optionalEnvOverrides) throws AttestationException {
+        if (!Strings.isNullOrEmpty(optionalEnvOverrides.get(ENV_CORE_ENDPOINT))) {
+            String givenAttestationUrl = optionalEnvOverrides.get(ENV_CORE_ENDPOINT);
+            if (!UrlEquivalenceValidator.areUrlsEquivalent(givenAttestationUrl, this.attestationUrl)) {
+                throw new AttestationClientException("The given attestation URL is unknown. Given URL: " + givenAttestationUrl, AttestationFailure.UNKNOWN_ATTESTATION_URL);
+            }
+        }
+    }
+
     private String generateEnclaveId(boolean isDebugMode, String imageDigest, Environment env) throws AttestationException {
         var str = String.format("%s,%s,%s", getVersion(), isDebugMode, imageDigest);
         LOGGER.info("Meta used to generate GCP EnclaveId: " + str);

src/main/java/com/uid2/shared/util/UrlEquivalenceValidator.java

@@ -1,29 +1,31 @@
 package com.uid2.shared.util;
 
 import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.net.MalformedURLException;
 import java.net.URL;
 
 public class UrlEquivalenceValidator {
+    private static final Logger LOGGER = LoggerFactory.getLogger(UrlEquivalenceValidator.class);
     private UrlEquivalenceValidator() {
 
     }
 
-    public static Boolean areUrlsEquivalent(String url1, String url2, Logger logger) {
-        logger.debug("Checking URLs equivalent: URL1: '{}', URL2: '{}'", url1, url2);
+    public static Boolean areUrlsEquivalent(String url1, String url2) {
+        LOGGER.debug("Checking URLs equivalent: URL1: '{}', URL2: '{}'", url1, url2);
         URL first;
         try {
             first = new URL(url1);
         } catch (MalformedURLException e) {
-            logger.error("URL could not be parsed to a valid URL. Given URL: " + url1, e);
+            LOGGER.error("URL could not be parsed to a valid URL. Given URL: " + url1, e);
             return false;
         }
         URL second;
         try {
             second = new URL(url2);
         } catch (MalformedURLException e) {
-            logger.error("URL could not be parsed to a valid URL. Given URL: " + url2, e);
+            LOGGER.error("URL could not be parsed to a valid URL. Given URL: " + url2, e);
             return false;
         }
 

src/test/java/com/uid2/shared/secure/AzureCCCoreAttestationServiceTest.java

@@ -60,7 +60,7 @@ public void testHappyPath() throws AttestationException {
     @Test
     public void testSignatureCheckFailed_ClientError() throws AttestationException {
         var errorStr = "token signature validation failed";
-        when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationClientException(errorStr));
+        when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
         var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {
@@ -84,7 +84,7 @@ public void testSignatureCheckFailed_ServerError() throws AttestationException {
     @Test
     public void testPolicyCheckFailed_ClientError() throws AttestationException {
         var errorStr = "policy validation failed";
-        when(alwaysFailPolicyValidator.validate(any(), any())).thenThrow(new AttestationClientException(errorStr));
+        when(alwaysFailPolicyValidator.validate(any(), any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
         var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysFailPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {

src/test/java/com/uid2/shared/secure/GcpOidcCoreAttestationServiceTest.java

@@ -67,7 +67,7 @@ public void testHappyPath() throws AttestationException {
     @Test
     public void testSignatureCheckFailed_ClientError() throws AttestationException {
         var errorStr = "signature validation failed";
-        when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationClientException(errorStr));
+        when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
         var provider = new GcpOidcCoreAttestationService(alwaysFailTokenValidator, Arrays.asList(alwaysPassPolicyValidator1));
         provider.registerEnclave(ENCLAVE_ID_1);
         attest(provider, ar -> {
@@ -91,7 +91,7 @@ public void testSignatureCheckFailed_ServerError() throws AttestationException {
     @Test
     public void testPolicyCheckFailed_ClientError() throws AttestationException {
         var errorStr = "policy validation failed";
-        when(alwaysFailPolicyValidator.validate(any())).thenThrow(new AttestationClientException(errorStr));
+        when(alwaysFailPolicyValidator.validate(any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
         var provider = new GcpOidcCoreAttestationService(alwaysPassTokenValidator, Arrays.asList(alwaysFailPolicyValidator));
         provider.registerEnclave(ENCLAVE_ID_1);
         attest(provider, ar -> {

src/test/java/com/uid2/shared/secure/gcpoidc/OidcPayloadValidationTest.java

@@ -17,7 +17,7 @@ public void testE2EPolicyCheck() throws Exception {
         clock.setCurrentTimeMs(1688132563000L);
 
         var tokenPayload = validateAndParseToken(payload, clock);
-        var policyValidator = new PolicyValidator();
+        var policyValidator = new PolicyValidator("https://core-url.uidapi.com");
         var enclaveId = policyValidator.validate(tokenPayload);
     }
 }