AS: Add API to set policy

Signed-off-by: Jiale Zhang <zhangjiale@linux.alibaba.com>
confidential-containers · May 6, 2023 · ac87c04 · ac87c04
1 parent 7d0a822
commit ac87c04
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 1 deletion.
diff --git a/bin/grpc-as/proto/attestation.proto b/bin/grpc-as/proto/attestation.proto
@@ -19,7 +19,13 @@ message AttestationResponse {
     string attestation_results = 1;
 }
 
+message SetPolicyRequest {
+    string policy = 1;
+}
+message SetPolicyResponse {}
+
 service AttestationService {
     rpc AttestationEvaluate(AttestationRequest) returns (AttestationResponse) {};
+    rpc SetAttestationPolicy(SetPolicyRequest) returns (SetPolicyResponse) {};
     // Get the GetPolicyRequest.user and GetPolicyRequest.tee specified Policy(.rego)
 }
diff --git a/bin/grpc-as/src/server.rs b/bin/grpc-as/src/server.rs
@@ -7,7 +7,9 @@ use tonic::transport::Server;
 use tonic::{Request, Response, Status};
 
 use crate::as_api::attestation_service_server::{AttestationService, AttestationServiceServer};
-use crate::as_api::{AttestationRequest, AttestationResponse, Tee as GrpcTee};
+use crate::as_api::{
+    AttestationRequest, AttestationResponse, SetPolicyRequest, SetPolicyResponse, Tee as GrpcTee,
+};
 
 use crate::rvps_api::reference_value_provider_service_server::{
     ReferenceValueProviderService, ReferenceValueProviderServiceServer,
@@ -61,6 +63,23 @@ impl AttestationServer {
 
 #[tonic::async_trait]
 impl AttestationService for Arc<RwLock<AttestationServer>> {
+    async fn set_attestation_policy(
+        &self,
+        request: Request<SetPolicyRequest>,
+    ) -> Result<Response<SetPolicyResponse>, Status> {
+        let request: SetPolicyRequest = request.into_inner();
+
+        debug!("Policy: {}", &request.policy);
+
+        self.write()
+            .await
+            .attestation_service
+            .set_policy(request.policy)
+            .map_err(|e| Status::aborted(format!("Set Attestation Policy Failed: {e}")))?;
+
+        Ok(Response::new(SetPolicyResponse {}))
+    }
+
     async fn attestation_evaluate(
         &self,
         request: Request<AttestationRequest>,

diff --git a/src/lib.rs b/src/lib.rs
@@ -84,6 +84,11 @@ impl AttestationService {
         })
     }
 
+    /// Set Attestation Verification Policy.
+    pub fn set_policy(&mut self, policy_base64_string: String) -> Result<()> {
+        self.policy_engine.set_policy(policy_base64_string)
+    }
+
     /// Evaluate Attestation Evidence.
     pub async fn evaluate(
         &self,

diff --git a/src/policy_engine/mod.rs b/src/policy_engine/mod.rs
@@ -27,4 +27,6 @@ pub trait PolicyEngine {
         reference_data_map: HashMap<String, Vec<String>>,
         input: String,
     ) -> Result<(bool, String)>;
+
+    fn set_policy(&mut self, policy_base64_string: String) -> Result<()>;
 }
diff --git a/src/policy_engine/opa/mod.rs b/src/policy_engine/opa/mod.rs
@@ -85,6 +85,13 @@ impl PolicyEngine for OPA {
 
         Ok((res_kv["allow"].as_bool().unwrap_or(false), res))
     }
+
+    fn set_policy(&mut self, policy: String) -> Result<()> {
+        let policy_bytes = base64::decode_config(policy, base64::URL_SAFE_NO_PAD)
+            .map_err(|_| anyhow!("Base64 decode OPA policy string failed"))?;
+        fs::write(&self.policy_file_path, policy_bytes)
+            .map_err(|e| anyhow!("Write OPA policy to file failed: {:?}", e))
+    }
 }
 
 #[cfg(test)]