From 3e511b88de6f31ab9ca46a5ddce1a6810ea95155 Mon Sep 17 00:00:00 2001
From: Ruide Zhang
Date: Wed, 6 Mar 2024 21:40:37 +0000
Subject: [PATCH] add log replay in fake cloud logging server

---
 cmd/fake_attestation_server.go | 13 +++++++------
 cmd/fake_cloudlogging_server.go | 23 +++++++++++++++++++++++
 2 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/cmd/fake_attestation_server.go b/cmd/fake_attestation_server.go
index df896983..6b550142 100644
--- a/cmd/fake_attestation_server.go
+++ b/cmd/fake_attestation_server.go
@@ -5,13 +5,14 @@ import (
 "net/http"
 "net/http/httptest"
 "os"
- "time"
 "github.com/golang-jwt/jwt/v4"
 "golang.org/x/net/http2"
 )
 const fakeAsHostEnv = "GOOGLE_APPLICATION_CREDENTIALS"
+const fakeChallengeUUID = "947b4f7b-e6d4-4cfe-971c-39ffe00268ba"
+const fakeTpmNonce = "R29vZ0F0dGVzdFYxeGtJUGlRejFPOFRfTzg4QTRjdjRpQQ=="
 // attestationServer provides fake implementation for the GCE attestation server.
 type attestationServer struct {
@@ -38,7 +39,7 @@ func newMockAttestationServer() (*attestationServer, error) {
 }
 challengePath := locationPath + "-1/challenges"
 if r.URL.Path == challengePath {
- challenge := "{\n \"name\": \"projects/test-project/locations/us-central-1/challenges/947b4f7b-e6d4-4cfe-971c-39ffe00268ba\",\n \"createTime\": \"2023-09-21T01:04:48.230111757Z\",\n \"expireTime\": \"2023-09-21T02:04:48.230111757Z\",\n \"tpmNonce\": \"R29vZ0F0dGVzdFYxeGtJUGlRejFPOFRfTzg4QTRjdjRpQQ==\"\n}\n"
+ challenge := "{\n \"name\": \"projects/test-project/locations/us-central-1/challenges/947b4f7b-e6d4-4cfe-971c-39ffe00268ba\",\n \"createTime\": \"2023-09-21T01:04:48.230111757Z\",\n \"expireTime\": \"2023-09-21T02:04:48.230111757Z\",\n \"tpmNonce\": \"" + fakeTpmNonce + "\"\n}\n"
 w.Write([]byte(challenge))
 }
 challengeNonce := "/947b4f7b-e6d4-4cfe-971c-39ffe00268ba"
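Review bot: The rewritten `challenge` line still embeds the challenge UUID as a literal inside the `name` field, and `challengeNonce` on the last line of the hunk hard-codes the same UUID again, while the `fakeChallengeUUID` constant introduced in the previous hunk is consumed only by the fake logging server's expected `Name`; editing either literal would make the replay check in fake_cloudlogging_server.go silently stop matching. Splice `fakeChallengeUUID` into the name the same way the line already splices `fakeTpmNonce`, and write `challengeNonce := "/" + fakeChallengeUUID`. newMockAttestationServer starts outside the hunk.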
@@ -46,15 +47,15 @@ func newMockAttestationServer() (*attestationServer, error) {
 if r.URL.Path == verifyAttestationPath {
 payload := &fakeOidcTokenPayload{
 Audience: "test",
- IssuedAt: time.Now().Unix(),
- ExpiredAt: time.Now().Add(time.Minute).Unix(),
+ IssuedAt: 1709752525,
+ ExpiredAt: 1919752525,
 }
 jwtTokenUnsigned := jwt.NewWithClaims(jwt.SigningMethodHS256, payload)
- jwtToken, err := jwtTokenUnsigned.SignedString([]byte("kcxjxnalpraetgccnnwhpnfwocxscaih"))
+ fakeJwtToken, err := jwtTokenUnsigned.SignedString([]byte("kcxjxnalpraetgccnnwhpnfwocxscaih"))
 if err != nil {
 fmt.Print("error creating test OIDC token")
 }
- w.Write([]byte("{\n \"oidcClaimsToken\": \"" + jwtToken + "\"\n}\n"))
+ w.Write([]byte("{\n \"oidcClaimsToken\": \"" + fakeJwtToken + "\"\n}\n"))
 }
 })
 httpServer := httptest.NewUnstartedServer(handler)
diff --git a/cmd/fake_cloudlogging_server.go b/cmd/fake_cloudlogging_server.go
index 2f58a96c..25d2b1d8 100644
--- a/cmd/fake_cloudlogging_server.go
+++ b/cmd/fake_cloudlogging_server.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "log"
 "net"
+ "reflect"
 "regexp"
 "strconv"
 "strings"
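Review bot: When SignedString fails, the handler prints a message that drops `err` and then falls through to write a response whose `oidcClaimsToken` is the empty `fakeJwtToken`, so a broken fake token surfaces later as a confusing "wrong log" error instead of here; since this hunk already touches both lines, make the failure explicit: `fmt.Printf("error creating test OIDC token: %v\n", err)` followed by `http.Error(w, "error creating test OIDC token", http.StatusInternalServerError)` and `return`. Separately, the fixed `IssuedAt`/`ExpiredAt` values are the same magic numbers the fake logging server compares against (`"iat": float64(1709752525)`), and the signed token literal it expects is derived from these claims plus the HMAC key, so naming them as constants next to `fakeChallengeUUID` and reusing them in both fakes would keep that coupling visible. The handler closure and newMockAttestationServer both start outside the hunk.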
@@ -120,6 +121,28 @@ func (h *loggingHandler) WriteLogEntries(_ context.Context, req *logpb.WriteLogE
 // Store by log name.
 h.logs[e.LogName] = append(h.logs[e.LogName], e)
 }
+
+ var logEntryPayload []map[string]interface{}
+ logEntryPayload = append(logEntryPayload, map[string]interface{}{"aud": "test", "iat": float64(1709752525), "exp": float64(1919752525)})
+ logEntryPayload = append(logEntryPayload, map[string]interface{}{"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ0ZXN0IiwiaWF0IjoxNzA5NzUyNTI1LCJleHAiOjE5MTk3NTI1MjV9.EBLA2zX3c-Fu0l--J9Gey6LIXMO1TFRCoe3bzuPGc1k"})
+ logEntryPayload = append(logEntryPayload, map[string]interface{}{"Name": "projects/test-project/locations/us-central-1/challenges/" + fakeChallengeUUID, "Nonce": fakeTpmNonce, "ConnID": ""})
+ attestationMapFields := []string{"TeeAttestation", "ak_pub", "quotes", "event_log", "ak_cert"}
+ for _, entry := range h.logs["projects/"+TestProjectID+"/logs/"+toolName] {
+ payload := entry.GetJsonPayload().AsMap()
+ foundMatch := false
+ for _, m := range logEntryPayload {
+ if reflect.DeepEqual(m, payload) {
+ foundMatch = true
+ }
+ }
+ if !foundMatch {
+ for _, field := range attestationMapFields {
+ if _, keyFound := payload[field]; !keyFound {
+ return nil, fmt.Errorf("wrong log: %q", entry.GetJsonPayload().String())
+ }
+ }
+ }
+ }
 return &logpb.WriteLogEntriesResponse{}, nil
 }
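Review bot: The replay check ranges over everything already stored in `h.logs[...]` rather than over the entries of this request, and it runs after the store loop has appended them, so a single entry that fails the check stays stored and every later WriteLogEntries call returns "wrong log" for it again, with each call rescanning the whole history. Validate the request's own entries instead, which keeps the check proportional to the request and makes a rejection attributable to the call that produced it; the inner match loop can also `break` once a match is found. The enclosing function and the store loop's header are outside the hunk, so the sketch below uses `req.GetEntries()` and the per-entry `GetLogName()`, which the existing `e.LogName` store suggests is the per-entry name (confirm against the proto).

```go
	replayLogName := "projects/" + TestProjectID + "/logs/" + toolName
	for _, entry := range req.GetEntries() {
		if entry.GetLogName() != replayLogName {
			continue
		}
		payload := entry.GetJsonPayload().AsMap()
		foundMatch := false
		for _, m := range logEntryPayload {
			if reflect.DeepEqual(m, payload) {
				foundMatch = true
				break
			}
		}
		// … unchanged: attestationMapFields key check and "wrong log" error …
	}
```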