def test_isolated_set_policy_secured(
self, attestation_isolated_url, attestation_isolated_signing_key,
attestation_isolated_signing_certificate, **kwargs):
attestation_policy = (
u"version=1.0; authorizationrules{=> permit();}; issuancerules{};")
signing_certificate = pem_from_base64(
attestation_isolated_signing_certificate, "CERTIFICATE")
key = pem_from_base64(attestation_isolated_signing_key, "PRIVATE KEY")
attest_client = self.create_admin_client(attestation_isolated_url)
policy_set_response, _ = attest_client.set_policy(
kwargs.pop("attestation_type"),
attestation_policy,
signing_key=key,
signing_certificate=signing_certificate,
)
new_policy, _ = attest_client.get_policy(AttestationType.SGX_ENCLAVE)
assert new_policy == attestation_policy
expected_policy = AttestationPolicyToken(
attestation_policy,
signing_key=key,
signing_certificate=signing_certificate,
)
hasher = hashes.Hash(hashes.SHA256(), backend=default_backend())
hasher.update(expected_policy.to_jwt_string().encode("utf-8"))
expected_hash = hasher.finalize()
assert expected_hash == policy_set_response.policy_token_hash
def test_isolated_reset_policy_secured(
self, attestation_aad_url, attestation_isolated_signing_key,
attestation_isolated_signing_certificate, **kwargs):
signing_certificate = pem_from_base64(
attestation_isolated_signing_certificate, "CERTIFICATE")
key = pem_from_base64(attestation_isolated_signing_key, "PRIVATE KEY")
attest_client = self.create_admin_client(attestation_aad_url)
policy_set_response, _ = attest_client.reset_policy(
kwargs.pop("attestation_type"),
signing_key=key,
signing_certificate=signing_certificate,
)
assert policy_set_response.policy_token_hash is None
assert policy_set_response.policy_resolution == PolicyModification.REMOVED
def test_get_policy_management_certificates(self, **kwargs):
instance_url = kwargs.pop("instance_url")
expected_certificate = None
if self.is_isolated_url(instance_url, **kwargs):
expected_certificate = pem_from_base64(
kwargs.get("attestation_isolated_signing_certificate"),
"CERTIFICATE")
self._test_get_policy_management_certificates(instance_url,
expected_certificate)
async def test_aad_reset_policy_secured(
self, attestation_aad_url, attestation_policy_signing_key0,
attestation_policy_signing_certificate0, **kwargs):
signing_certificate = pem_from_base64(
attestation_policy_signing_certificate0, "CERTIFICATE")
key = pem_from_base64(attestation_policy_signing_key0, "PRIVATE KEY")
attestation_type = kwargs.pop("attestation_type",
AttestationType.SGX_ENCLAVE)
attest_client = self.create_admin_client(attestation_aad_url)
policy_set_response, _ = await attest_client.reset_policy(
attestation_type,
signing_key=key,
signing_certificate=signing_certificate,
)
assert None == policy_set_response.policy_token_hash
assert policy_set_response.policy_resolution == PolicyModification.REMOVED
def test_add_remove_policy_certificate(
self,
attestation_isolated_url,
attestation_isolated_signing_certificate,
attestation_isolated_signing_key,
attestation_policy_signing_key0,
attestation_policy_signing_certificate0,
):
# type: (str, str, str, str, str, str) -> None
pem_signing_cert = pem_from_base64(
attestation_isolated_signing_certificate, "CERTIFICATE")
pem_signing_key = pem_from_base64(attestation_isolated_signing_key,
"PRIVATE KEY")
pem_certificate_to_add = pem_from_base64(
attestation_policy_signing_certificate0, "CERTIFICATE")
admin_client = self.create_admin_client(
attestation_isolated_url,
signing_key=pem_signing_key,
signing_certificate=pem_signing_cert,
)
# Test 0 positional parameters, should throw.
with pytest.raises(TypeError):
admin_client.add_policy_management_certificate()
# And test more than one positional parameter. Should also throw.
with pytest.raises(TypeError):
admin_client.add_policy_management_certificate(
pem_certificate_to_add, pem_certificate_to_add)
# Now let's do something meaningful :). Add a new certificate, using
# the key and cert specified when the admin client was created.
result, _ = admin_client.add_policy_management_certificate(
pem_certificate_to_add)
assert result.certificate_resolution == CertificateModification.IS_PRESENT
# Add it again - this should be ok.
result, _ = admin_client.add_policy_management_certificate(
pem_certificate_to_add,
signing_key=pem_signing_key,
signing_certificate=pem_signing_cert,
)
assert result.certificate_resolution == CertificateModification.IS_PRESENT
# Ensure that the new certificate is present.
# We'll leverage the get certificates test to validate this.
self._test_get_policy_management_certificates(attestation_isolated_url,
pem_certificate_to_add)
# Now remove the certificate we just added.
result, _ = admin_client.remove_policy_management_certificate(
pem_certificate_to_add)
assert result.certificate_resolution == CertificateModification.IS_ABSENT
# Remove it again, this should be ok.
result, _ = admin_client.remove_policy_management_certificate(
pem_certificate_to_add)
assert result.certificate_resolution == CertificateModification.IS_ABSENT
# The set of certificates should now just contain the original isolated certificate.
self._test_get_policy_management_certificates(attestation_isolated_url,
pem_signing_cert)