def test_isolated_set_policy_secured(
            self, attestation_isolated_url, attestation_isolated_signing_key,
            attestation_isolated_signing_certificate, **kwargs):
        attestation_policy = (
            u"version=1.0; authorizationrules{=> permit();}; issuancerules{};")

        signing_certificate = pem_from_base64(
            attestation_isolated_signing_certificate, "CERTIFICATE")
        key = pem_from_base64(attestation_isolated_signing_key, "PRIVATE KEY")

        attest_client = self.create_admin_client(attestation_isolated_url)
        policy_set_response, _ = attest_client.set_policy(
            kwargs.pop("attestation_type"),
            attestation_policy,
            signing_key=key,
            signing_certificate=signing_certificate,
        )
        new_policy, _ = attest_client.get_policy(AttestationType.SGX_ENCLAVE)
        assert new_policy == attestation_policy

        expected_policy = AttestationPolicyToken(
            attestation_policy,
            signing_key=key,
            signing_certificate=signing_certificate,
        )
        hasher = hashes.Hash(hashes.SHA256(), backend=default_backend())
        hasher.update(expected_policy.to_jwt_string().encode("utf-8"))
        expected_hash = hasher.finalize()

        assert expected_hash == policy_set_response.policy_token_hash
    def test_isolated_reset_policy_secured(
            self, attestation_aad_url, attestation_isolated_signing_key,
            attestation_isolated_signing_certificate, **kwargs):
        signing_certificate = pem_from_base64(
            attestation_isolated_signing_certificate, "CERTIFICATE")
        key = pem_from_base64(attestation_isolated_signing_key, "PRIVATE KEY")

        attest_client = self.create_admin_client(attestation_aad_url)
        policy_set_response, _ = attest_client.reset_policy(
            kwargs.pop("attestation_type"),
            signing_key=key,
            signing_certificate=signing_certificate,
        )

        assert policy_set_response.policy_token_hash is None
        assert policy_set_response.policy_resolution == PolicyModification.REMOVED
 def test_get_policy_management_certificates(self, **kwargs):
     instance_url = kwargs.pop("instance_url")
     expected_certificate = None
     if self.is_isolated_url(instance_url, **kwargs):
         expected_certificate = pem_from_base64(
             kwargs.get("attestation_isolated_signing_certificate"),
             "CERTIFICATE")
     self._test_get_policy_management_certificates(instance_url,
                                                   expected_certificate)
    async def test_aad_reset_policy_secured(
            self, attestation_aad_url, attestation_policy_signing_key0,
            attestation_policy_signing_certificate0, **kwargs):
        signing_certificate = pem_from_base64(
            attestation_policy_signing_certificate0, "CERTIFICATE")
        key = pem_from_base64(attestation_policy_signing_key0, "PRIVATE KEY")
        attestation_type = kwargs.pop("attestation_type",
                                      AttestationType.SGX_ENCLAVE)

        attest_client = self.create_admin_client(attestation_aad_url)
        policy_set_response, _ = await attest_client.reset_policy(
            attestation_type,
            signing_key=key,
            signing_certificate=signing_certificate,
        )

        assert None == policy_set_response.policy_token_hash
        assert policy_set_response.policy_resolution == PolicyModification.REMOVED
    def test_add_remove_policy_certificate(
        self,
        attestation_isolated_url,
        attestation_isolated_signing_certificate,
        attestation_isolated_signing_key,
        attestation_policy_signing_key0,
        attestation_policy_signing_certificate0,
    ):
        # type: (str, str, str, str, str, str) -> None

        pem_signing_cert = pem_from_base64(
            attestation_isolated_signing_certificate, "CERTIFICATE")
        pem_signing_key = pem_from_base64(attestation_isolated_signing_key,
                                          "PRIVATE KEY")

        pem_certificate_to_add = pem_from_base64(
            attestation_policy_signing_certificate0, "CERTIFICATE")

        admin_client = self.create_admin_client(
            attestation_isolated_url,
            signing_key=pem_signing_key,
            signing_certificate=pem_signing_cert,
        )

        # Test 0 positional parameters, should throw.
        with pytest.raises(TypeError):
            admin_client.add_policy_management_certificate()

        # And test more than one positional parameter. Should also throw.
        with pytest.raises(TypeError):
            admin_client.add_policy_management_certificate(
                pem_certificate_to_add, pem_certificate_to_add)

        # Now let's do something meaningful :). Add a new certificate, using
        # the key and cert specified when the admin client was created.
        result, _ = admin_client.add_policy_management_certificate(
            pem_certificate_to_add)
        assert result.certificate_resolution == CertificateModification.IS_PRESENT

        # Add it again - this should be ok.
        result, _ = admin_client.add_policy_management_certificate(
            pem_certificate_to_add,
            signing_key=pem_signing_key,
            signing_certificate=pem_signing_cert,
        )
        assert result.certificate_resolution == CertificateModification.IS_PRESENT

        # Ensure that the new certificate is present.
        # We'll leverage the get certificates test to validate this.
        self._test_get_policy_management_certificates(attestation_isolated_url,
                                                      pem_certificate_to_add)

        # Now remove the certificate we just added.
        result, _ = admin_client.remove_policy_management_certificate(
            pem_certificate_to_add)
        assert result.certificate_resolution == CertificateModification.IS_ABSENT

        # Remove it again, this should be ok.
        result, _ = admin_client.remove_policy_management_certificate(
            pem_certificate_to_add)
        assert result.certificate_resolution == CertificateModification.IS_ABSENT

        # The set of certificates should now just contain the original isolated certificate.
        self._test_get_policy_management_certificates(attestation_isolated_url,
                                                      pem_signing_cert)