Renamed IAttestationProvider to ICoreAttestationService

thomasm-ttd · thomasm-ttd · commit e9e6e5f7dfc2 · 2024-02-19T16:00:20.000+11:00
Removes the duplication of IAttestationProvider interface
diff --git a/src/main/java/com/uid2/shared/secure/AzureCCCoreAttestationService.java b/src/main/java/com/uid2/shared/secure/AzureCCCoreAttestationService.java
@@ -17,20 +17,20 @@
 
 // CC stands for Confidential Container
 @Slf4j
-public class AzureCCAttestationProvider implements IAttestationProvider {
+public class AzureCCCoreAttestationService implements ICoreAttestationService {
 
     private final Set<String> allowedEnclaveIds = new HashSet<>();
 
     private final IMaaTokenSignatureValidator tokenSignatureValidator;
 
     private final IPolicyValidator policyValidator;
 
-    public AzureCCAttestationProvider(String maaServerBaseUrl) {
+    public AzureCCCoreAttestationService(String maaServerBaseUrl) {
         this(new MaaTokenSignatureValidator(maaServerBaseUrl), new PolicyValidator());
     }
 
     // used in UT
-    protected AzureCCAttestationProvider(IMaaTokenSignatureValidator tokenSignatureValidator, IPolicyValidator policyValidator) {
+    protected AzureCCCoreAttestationService(IMaaTokenSignatureValidator tokenSignatureValidator, IPolicyValidator policyValidator) {
         this.tokenSignatureValidator = tokenSignatureValidator;
         this.policyValidator = policyValidator;
     }
diff --git a/src/main/java/com/uid2/shared/secure/GcpOidcCoreAttestationService.java b/src/main/java/com/uid2/shared/secure/GcpOidcCoreAttestationService.java
@@ -10,21 +10,21 @@
 import java.nio.charset.StandardCharsets;
 import java.util.*;
 
-public class GcpOidcAttestationProvider implements IAttestationProvider{
-    private static final Logger LOGGER = LoggerFactory.getLogger(GcpOidcAttestationProvider.class);
+public class GcpOidcCoreAttestationService implements ICoreAttestationService {
+    private static final Logger LOGGER = LoggerFactory.getLogger(GcpOidcCoreAttestationService.class);
 
     private final ITokenSignatureValidator tokenSignatureValidator;
 
     private final List<IPolicyValidator> supportedPolicyValidators;
 
     private final Set<String> allowedEnclaveIds = new HashSet<>();
 
-    public GcpOidcAttestationProvider(){
+    public GcpOidcCoreAttestationService(){
         this(new TokenSignatureValidator(), Arrays.asList(new PolicyValidator()));
     }
 
     // used in UT
-    protected GcpOidcAttestationProvider(ITokenSignatureValidator tokenSignatureValidator, List<IPolicyValidator> supportedPolicyValidators){
+    protected GcpOidcCoreAttestationService(ITokenSignatureValidator tokenSignatureValidator, List<IPolicyValidator> supportedPolicyValidators){
         this.tokenSignatureValidator = tokenSignatureValidator;
         this.supportedPolicyValidators = supportedPolicyValidators;
     }
diff --git a/src/main/java/com/uid2/shared/secure/GcpVmidCoreAttestationService.java b/src/main/java/com/uid2/shared/secure/GcpVmidCoreAttestationService.java
@@ -17,14 +17,14 @@
 import java.nio.charset.StandardCharsets;
 import java.util.*;
 
-public class GcpVmidAttestationProvider implements IAttestationProvider {
-    private static final Logger LOGGER = LoggerFactory.getLogger(GcpVmidAttestationProvider.class);
+public class GcpVmidCoreAttestationService implements ICoreAttestationService {
+    private static final Logger LOGGER = LoggerFactory.getLogger(GcpVmidCoreAttestationService.class);
 
     private final InstanceDocumentVerifier idVerifier = new InstanceDocumentVerifier();
     private final VmConfigVerifier vmConfigVerifier;
     private final Set<String> allowedVmConfigIds = new HashSet<>();
 
-    public GcpVmidAttestationProvider(GoogleCredentials credentials, Set<String> enclaveParams) throws Exception {
+    public GcpVmidCoreAttestationService(GoogleCredentials credentials, Set<String> enclaveParams) throws Exception {
         LoadBalancerRegistry.getDefaultRegistry().register(new PickFirstLoadBalancerProvider());
         this.vmConfigVerifier = new VmConfigVerifier(credentials, enclaveParams);
         LOGGER.info("Using Google Service Account: " + credentials.toString());
diff --git a/src/main/java/com/uid2/shared/secure/ICoreAttestationService.java b/src/main/java/com/uid2/shared/secure/ICoreAttestationService.java
@@ -1,14 +1,11 @@
 package com.uid2.shared.secure;
 
-import com.uid2.shared.secure.AttestationException;
-import com.uid2.shared.secure.AttestationResult;
-
 import java.util.Collection;
 
 import io.vertx.core.AsyncResult;
 import io.vertx.core.Handler;
 
-public interface IAttestationProvider {
+public interface ICoreAttestationService {
     void attest(
         byte[] attestationRequest,
         byte[] publicKey,
diff --git a/src/main/java/com/uid2/shared/secure/NitroCoreAttestationService.java b/src/main/java/com/uid2/shared/secure/NitroCoreAttestationService.java
@@ -3,8 +3,6 @@
 import com.uid2.shared.secure.nitro.AttestationDocument;
 import com.uid2.shared.secure.nitro.AttestationRequest;
 
-import java.net.MalformedURLException;
-import java.net.URL;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collection;
@@ -19,15 +17,15 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class NitroAttestationProvider implements IAttestationProvider {
+public class NitroCoreAttestationService implements ICoreAttestationService {
 
     private final String attestationUrl;
     private Set<NitroEnclaveIdentifier> allowedEnclaveIds;
     private final ICertificateProvider certificateProvider;
 
-    private static final Logger LOGGER = LoggerFactory.getLogger(NitroAttestationProvider.class);
+    private static final Logger LOGGER = LoggerFactory.getLogger(NitroCoreAttestationService.class);
 
-    public NitroAttestationProvider(ICertificateProvider certificateProvider, String attestationUrl) {
+    public NitroCoreAttestationService(ICertificateProvider certificateProvider, String attestationUrl) {
         this.attestationUrl = attestationUrl;
         this.allowedEnclaveIds = new HashSet<>();
         this.certificateProvider = certificateProvider;
diff --git a/src/main/java/com/uid2/shared/secure/TrustedCoreAttestationService.java b/src/main/java/com/uid2/shared/secure/TrustedCoreAttestationService.java
@@ -7,8 +7,8 @@
 import java.util.Collection;
 import java.util.Collections;
 
-public class TrustedAttestationProvider implements IAttestationProvider {
-    public TrustedAttestationProvider() {}
+public class TrustedCoreAttestationService implements ICoreAttestationService {
+    public TrustedCoreAttestationService() {}
 
     @Override
     public void attest(byte[] attestationRequest, byte[] publicKey, Handler<AsyncResult<AttestationResult>> handler) {
diff --git a/src/main/java/com/uid2/shared/secure/gcpoidc/PolicyValidator.java b/src/main/java/com/uid2/shared/secure/gcpoidc/PolicyValidator.java
@@ -30,11 +30,13 @@ public class PolicyValidator implements IPolicyValidator {
 
     private static final List<String> REQUIRED_ENV_OVERRIDES = ImmutableList.of(
             ENV_ENVIRONMENT,
-            ENV_OPERATOR_API_KEY_SECRET_NAME
+            ENV_OPERATOR_API_KEY_SECRET_NAME,
+            ENV_CORE_ENDPOINT,
+            ENV_OPT_OUT_ENDPOINT
     );
 
     private static final Map<Environment, List<String>> OPTIONAL_ENV_OVERRIDES_MAP = ImmutableMap.of(
-            Environment.Integration, ImmutableList.of(ENV_CORE_ENDPOINT, ENV_OPT_OUT_ENDPOINT)
+            Environment.Integration, ImmutableList.of()
     );
 
     @Override
diff --git a/src/test/java/com/uid2/shared/secure/AzureCCCoreAttestationServiceTest.java b/src/test/java/com/uid2/shared/secure/AzureCCCoreAttestationServiceTest.java
@@ -21,7 +21,7 @@
 
 @ExtendWith(MockitoExtension.class)
 @MockitoSettings(strictness = Strictness.LENIENT)
-class AzureCCAttestationProviderTest {
+class AzureCCCoreAttestationServiceTest {
     private static final String ATTESTATION_REQUEST = "test-attestation-request";
 
     private static final String PUBLIC_KEY = "test-public-key";
@@ -49,7 +49,7 @@ public void setup() throws AttestationException {
 
     @Test
     public void testHappyPath() throws AttestationException {
-        var provider = new AzureCCAttestationProvider(alwaysPassTokenValidator, alwaysPassPolicyValidator);
+        var provider = new AzureCCCoreAttestationService(alwaysPassTokenValidator, alwaysPassPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {
             assertTrue(ar.succeeded());
@@ -61,7 +61,7 @@ public void testHappyPath() throws AttestationException {
     public void testSignatureCheckFailed_ClientError() throws AttestationException {
         var errorStr = "token signature validation failed";
         when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationClientException(errorStr));
-        var provider = new AzureCCAttestationProvider(alwaysFailTokenValidator, alwaysPassPolicyValidator);
+        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {
             assertTrue(ar.succeeded());
@@ -73,7 +73,7 @@ public void testSignatureCheckFailed_ClientError() throws AttestationException {
     @Test
     public void testSignatureCheckFailed_ServerError() throws AttestationException {
         when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationException("unknown server error"));
-        var provider = new AzureCCAttestationProvider(alwaysFailTokenValidator, alwaysPassPolicyValidator);
+        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {
             assertFalse(ar.succeeded());
@@ -85,7 +85,7 @@ public void testSignatureCheckFailed_ServerError() throws AttestationException {
     public void testPolicyCheckFailed_ClientError() throws AttestationException {
         var errorStr = "policy validation failed";
         when(alwaysFailPolicyValidator.validate(any(), any())).thenThrow(new AttestationClientException(errorStr));
-        var provider = new AzureCCAttestationProvider(alwaysFailTokenValidator, alwaysFailPolicyValidator);
+        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysFailPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {
             assertTrue(ar.succeeded());
@@ -97,7 +97,7 @@ public void testPolicyCheckFailed_ClientError() throws AttestationException {
     @Test
     public void testPolicyCheckFailed_ServerError() throws AttestationException {
         when(alwaysFailPolicyValidator.validate(any(), any())).thenThrow(new AttestationException("unknown server error"));
-        var provider = new AzureCCAttestationProvider(alwaysFailTokenValidator, alwaysFailPolicyValidator);
+        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysFailPolicyValidator);
         provider.registerEnclave(ENCLAVE_ID);
         attest(provider, ar -> {
             assertFalse(ar.succeeded());
@@ -107,15 +107,15 @@ public void testPolicyCheckFailed_ServerError() throws AttestationException {
 
     @Test
     public void testEnclaveNotRegistered() throws AttestationException {
-        var provider = new AzureCCAttestationProvider(alwaysFailTokenValidator, alwaysPassPolicyValidator);
+        var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysPassPolicyValidator);
         attest(provider, ar -> {
             assertTrue(ar.succeeded());
             assertFalse(ar.result().isSuccess());
             assertEquals(AttestationFailure.FORBIDDEN_ENCLAVE, ar.result().getFailure());
         });
     }
 
-    private static void attest(IAttestationProvider provider, Handler<AsyncResult<AttestationResult>> handler) {
+    private static void attest(ICoreAttestationService provider, Handler<AsyncResult<AttestationResult>> handler) {
         provider.attest(
                 ATTESTATION_REQUEST.getBytes(StandardCharsets.UTF_8),
                 PUBLIC_KEY.getBytes(StandardCharsets.UTF_8),
diff --git a/src/test/java/com/uid2/shared/secure/GcpOidcCoreAttestationServiceTest.java b/src/test/java/com/uid2/shared/secure/GcpOidcCoreAttestationServiceTest.java
@@ -22,7 +22,7 @@
 
 @ExtendWith(MockitoExtension.class)
 @MockitoSettings(strictness = Strictness.LENIENT)
-public class GcpOidcAttestationProviderTest {
+public class GcpOidcCoreAttestationServiceTest {
     private static final String ATTESTATION_REQUEST = "test-attestation-request";
     private static final String PUBLIC_KEY = "test-public-key";
 
@@ -56,7 +56,7 @@ public void setup() throws AttestationException {
 
     @Test
     public void testHappyPath() throws AttestationException {
-        var provider = new GcpOidcAttestationProvider(alwaysPassTokenValidator, Arrays.asList(alwaysPassPolicyValidator1));
+        var provider = new GcpOidcCoreAttestationService(alwaysPassTokenValidator, Arrays.asList(alwaysPassPolicyValidator1));
         provider.registerEnclave(ENCLAVE_ID_1);
         attest(provider, ar -> {
             assertTrue(ar.succeeded());
@@ -68,7 +68,7 @@ public void testHappyPath() throws AttestationException {
     public void testSignatureCheckFailed_ClientError() throws AttestationException {
         var errorStr = "signature validation failed";
         when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationClientException(errorStr));
-        var provider = new GcpOidcAttestationProvider(alwaysFailTokenValidator, Arrays.asList(alwaysPassPolicyValidator1));
+        var provider = new GcpOidcCoreAttestationService(alwaysFailTokenValidator, Arrays.asList(alwaysPassPolicyValidator1));
         provider.registerEnclave(ENCLAVE_ID_1);
         attest(provider, ar -> {
             assertTrue(ar.succeeded());
@@ -80,7 +80,7 @@ public void testSignatureCheckFailed_ClientError() throws AttestationException {
     @Test
     public void testSignatureCheckFailed_ServerError() throws AttestationException {
         when(alwaysFailTokenValidator.validate(any())).thenThrow(new AttestationException("unknown server error"));
-        var provider = new GcpOidcAttestationProvider(alwaysFailTokenValidator, Arrays.asList(alwaysPassPolicyValidator1));
+        var provider = new GcpOidcCoreAttestationService(alwaysFailTokenValidator, Arrays.asList(alwaysPassPolicyValidator1));
         provider.registerEnclave(ENCLAVE_ID_1);
         attest(provider, ar -> {
             assertFalse(ar.succeeded());
@@ -92,7 +92,7 @@ public void testSignatureCheckFailed_ServerError() throws AttestationException {
     public void testPolicyCheckFailed_ClientError() throws AttestationException {
         var errorStr = "policy validation failed";
         when(alwaysFailPolicyValidator.validate(any())).thenThrow(new AttestationClientException(errorStr));
-        var provider = new GcpOidcAttestationProvider(alwaysPassTokenValidator, Arrays.asList(alwaysFailPolicyValidator));
+        var provider = new GcpOidcCoreAttestationService(alwaysPassTokenValidator, Arrays.asList(alwaysFailPolicyValidator));
         provider.registerEnclave(ENCLAVE_ID_1);
         attest(provider, ar -> {
             assertTrue(ar.succeeded());
@@ -104,7 +104,7 @@ public void testPolicyCheckFailed_ClientError() throws AttestationException {
     @Test
     public void testPolicyCheckFailed_ServerError() throws AttestationException {
         when(alwaysFailPolicyValidator.validate(any())).thenThrow(new AttestationException("unknown server error"));
-        var provider = new GcpOidcAttestationProvider(alwaysPassTokenValidator, Arrays.asList(alwaysFailPolicyValidator));
+        var provider = new GcpOidcCoreAttestationService(alwaysPassTokenValidator, Arrays.asList(alwaysFailPolicyValidator));
         provider.registerEnclave(ENCLAVE_ID_1);
         attest(provider, ar -> {
             assertFalse(ar.succeeded());
@@ -114,7 +114,7 @@ public void testPolicyCheckFailed_ServerError() throws AttestationException {
 
     @Test
     public void testNoPolicyConfigured() throws AttestationException {
-        var provider = new GcpOidcAttestationProvider(alwaysPassTokenValidator, Arrays.asList());
+        var provider = new GcpOidcCoreAttestationService(alwaysPassTokenValidator, Arrays.asList());
         provider.registerEnclave(ENCLAVE_ID_1);
         attest(provider, ar -> {
             assertTrue(ar.succeeded());
@@ -125,15 +125,15 @@ public void testNoPolicyConfigured() throws AttestationException {
 
     @Test
     public void testMultiplePolicyValidators() throws AttestationException {
-        var provider = new GcpOidcAttestationProvider(alwaysPassTokenValidator, Arrays.asList(alwaysPassPolicyValidator1, alwaysFailPolicyValidator, alwaysPassPolicyValidator2));
+        var provider = new GcpOidcCoreAttestationService(alwaysPassTokenValidator, Arrays.asList(alwaysPassPolicyValidator1, alwaysFailPolicyValidator, alwaysPassPolicyValidator2));
         provider.registerEnclave(ENCLAVE_ID_2);
         attest(provider, ar -> {
             assertTrue(ar.succeeded());
             assertTrue(ar.result().isSuccess());
         });
     }
 
-    private static void attest(IAttestationProvider provider, Handler<AsyncResult<AttestationResult>> handler) {
+    private static void attest(ICoreAttestationService provider, Handler<AsyncResult<AttestationResult>> handler) {
         provider.attest(
                 ATTESTATION_REQUEST.getBytes(StandardCharsets.UTF_8),
                 PUBLIC_KEY.getBytes(StandardCharsets.UTF_8),
diff --git a/src/test/java/com/uid2/shared/secure/gcpoidc/PolicyValidatorTest.java b/src/test/java/com/uid2/shared/secure/gcpoidc/PolicyValidatorTest.java
@@ -11,14 +11,14 @@
 
 public class PolicyValidatorTest {
     @Test
-    public void testValicationSuccess_FullProd() throws AttestationException {
+    public void testValidationSuccess_FullProd() throws AttestationException {
         var validator = new PolicyValidator();
         var payload = generateBasicPayload();
         var enclaveId = validator.validate(payload);
     }
 
     @Test
-    public void testValicationFailure_MissRequiredEnvProd() {
+    public void testValidationFailure_MissRequiredEnvProd() {
         var validator = new PolicyValidator();
         var payload = generateBasicPayload();
         var envOverrides = new HashMap<>(payload.getEnvOverrides());
@@ -30,7 +30,7 @@ public void testValicationFailure_MissRequiredEnvProd() {
     }
 
     @Test
-    public void testValicationFailure_UnknownEnv() {
+    public void testValidationFailure_UnknownEnv() {
         var validator = new PolicyValidator();
         var payload = generateBasicPayload();
         var envOverrides = new HashMap<>(payload.getEnvOverrides());
@@ -42,7 +42,7 @@ public void testValicationFailure_UnknownEnv() {
     }
 
     @Test
-    public void testValicationSuccess_IntegNoOptionalEnv() throws AttestationException {
+    public void testValidationSuccess_IntegNoOptionalEnv() throws AttestationException {
         var validator = new PolicyValidator();
         var payload = generateBasicPayload();
         var envOverrides = new HashMap<>(payload.getEnvOverrides());
@@ -53,19 +53,6 @@ public void testValicationSuccess_IntegNoOptionalEnv() throws AttestationExcepti
         var enclaveId = validator.validate(payload);
     }
 
-    @Test
-    public void testValicationSuccess_IntegHasOptionalEnv() throws AttestationException {
-        var validator = new PolicyValidator();
-        var payload = generateBasicPayload();
-        var envOverrides = new HashMap<>(payload.getEnvOverrides());
-        envOverrides.put(PolicyValidator.ENV_ENVIRONMENT, "integ");
-        envOverrides.put(PolicyValidator.ENV_CORE_ENDPOINT, "coreendpoint");
-        payload = payload.toBuilder()
-                .envOverrides(envOverrides)
-                .build();
-        var enclaveId = validator.validate(payload);
-    }
-
     @Test
     public void testValidationFailure_ExtraEnvOverride(){
         var validator = new PolicyValidator();
@@ -171,7 +158,9 @@ private TokenPayload generateBasicPayload(){
                 .restartPolicy("NEVER")
                 .envOverrides(Map.of(
                         PolicyValidator.ENV_ENVIRONMENT, "prod",
-                        PolicyValidator.ENV_OPERATOR_API_KEY_SECRET_NAME, "dummy_api_key"
+                        PolicyValidator.ENV_OPERATOR_API_KEY_SECRET_NAME, "dummy_api_key",
+                        PolicyValidator.ENV_CORE_ENDPOINT, "core_endpoint",
+                        PolicyValidator.ENV_OPT_OUT_ENDPOINT, "optout_endpoint"
                 ));
         return builder.build();
     }
diff --git a/src/test/resources/com.uid2.shared/test/secure/gcpoidc/jwt_payload_policy_valid.json b/src/test/resources/com.uid2.shared/test/secure/gcpoidc/jwt_payload_policy_valid.json
@@ -28,7 +28,9 @@
       "image_id": "sha256:5be33a19451733a45ea1bdb340fcb858a0fc733e91ca0a0d99638652f6dcabd0",
       "env_override": {
         "DEPLOYMENT_ENVIRONMENT": "prod",
-        "API_TOKEN_SECRET_NAME": "dummy"
+        "API_TOKEN_SECRET_NAME": "dummy",
+        "CORE_BASE_URL": "core-url",
+        "OPTOUT_BASE_URL": "optout-url"
       },
       "cmd_override": null,
       "env": {
