Merge pull request #420 from Ruide/cloud-logging

add log replay comparisons in fake cloud logging server

cmd/fake_attestation_server.go

@@ -5,13 +5,14 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
-	"time"
 
 	"github.com/golang-jwt/jwt/v4"
 	"golang.org/x/net/http2"
 )
 
 const fakeAsHostEnv = "GOOGLE_APPLICATION_CREDENTIALS"
+const fakeChallengeUUID = "947b4f7b-e6d4-4cfe-971c-39ffe00268ba"
+const fakeTpmNonce = "R29vZ0F0dGVzdFYxeGtJUGlRejFPOFRfTzg4QTRjdjRpQQ=="
 
 // attestationServer provides fake implementation for the GCE attestation server.
 type attestationServer struct {
@@ -38,23 +39,23 @@ func newMockAttestationServer() (*attestationServer, error) {
 		}
 		challengePath := locationPath + "-1/challenges"
 		if r.URL.Path == challengePath {
-			challenge := "{\n  \"name\": \"projects/test-project/locations/us-central-1/challenges/947b4f7b-e6d4-4cfe-971c-39ffe00268ba\",\n  \"createTime\": \"2023-09-21T01:04:48.230111757Z\",\n  \"expireTime\": \"2023-09-21T02:04:48.230111757Z\",\n  \"tpmNonce\": \"R29vZ0F0dGVzdFYxeGtJUGlRejFPOFRfTzg4QTRjdjRpQQ==\"\n}\n"
+			challenge := "{\n  \"name\": \"projects/test-project/locations/us-central-1/challenges/947b4f7b-e6d4-4cfe-971c-39ffe00268ba\",\n  \"createTime\": \"2023-09-21T01:04:48.230111757Z\",\n  \"expireTime\": \"2023-09-21T02:04:48.230111757Z\",\n  \"tpmNonce\": \"" + fakeTpmNonce + "\"\n}\n"
 			w.Write([]byte(challenge))
 		}
 		challengeNonce := "/947b4f7b-e6d4-4cfe-971c-39ffe00268ba"
 		verifyAttestationPath := challengePath + challengeNonce + ":verifyAttestation"
 		if r.URL.Path == verifyAttestationPath {
 			payload := &fakeOidcTokenPayload{
 				Audience:  "test",
-				IssuedAt:  time.Now().Unix(),
-				ExpiredAt: time.Now().Add(time.Minute).Unix(),
+				IssuedAt:  1709752525,
+				ExpiredAt: 1919752525,
 			}
 			jwtTokenUnsigned := jwt.NewWithClaims(jwt.SigningMethodHS256, payload)
-			jwtToken, err := jwtTokenUnsigned.SignedString([]byte("kcxjxnalpraetgccnnwhpnfwocxscaih"))
+			fakeJwtToken, err := jwtTokenUnsigned.SignedString([]byte("kcxjxnalpraetgccnnwhpnfwocxscaih"))
 			if err != nil {
 				fmt.Print("error creating test OIDC token")
 			}
-			w.Write([]byte("{\n  \"oidcClaimsToken\": \"" + jwtToken + "\"\n}\n"))
+			w.Write([]byte("{\n  \"oidcClaimsToken\": \"" + fakeJwtToken + "\"\n}\n"))
 		}
 	})
 	httpServer := httptest.NewUnstartedServer(handler)

cmd/fake_cloudlogging_server.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log"
 	"net"
+	"reflect"
 	"regexp"
 	"strconv"
 	"strings"
@@ -120,6 +121,28 @@ func (h *loggingHandler) WriteLogEntries(_ context.Context, req *logpb.WriteLogE
 		// Store by log name.
 		h.logs[e.LogName] = append(h.logs[e.LogName], e)
 	}
+
+	var logEntryPayload []map[string]interface{}
+	logEntryPayload = append(logEntryPayload, map[string]interface{}{"aud": "test", "iat": float64(1709752525), "exp": float64(1919752525)})
+	logEntryPayload = append(logEntryPayload, map[string]interface{}{"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ0ZXN0IiwiaWF0IjoxNzA5NzUyNTI1LCJleHAiOjE5MTk3NTI1MjV9.EBLA2zX3c-Fu0l--J9Gey6LIXMO1TFRCoe3bzuPGc1k"})
+	logEntryPayload = append(logEntryPayload, map[string]interface{}{"Name": "projects/test-project/locations/us-central-1/challenges/" + fakeChallengeUUID, "Nonce": fakeTpmNonce, "ConnID": ""})
+	attestationMapFields := []string{"TeeAttestation", "ak_pub", "quotes", "event_log", "ak_cert"}
+	for _, entry := range h.logs["projects/"+TestProjectID+"/logs/"+toolName] {
+		payload := entry.GetJsonPayload().AsMap()
+		foundMatch := false
+		for _, m := range logEntryPayload {
+			if reflect.DeepEqual(m, payload) {
+				foundMatch = true
+			}
+		}
+		if !foundMatch {
+			for _, field := range attestationMapFields {
+				if _, keyFound := payload[field]; !keyFound {
+					return nil, fmt.Errorf("wrong log: %q", entry.GetJsonPayload().String())
+				}
+			}
+		}
+	}
 	return &logpb.WriteLogEntriesResponse{}, nil
 }