go/oasis-test-runner: Add e2e test for compute runtime kma_policy

Author: martintomazic

.buildkite/code.pipeline.yml

@@ -357,7 +357,10 @@ steps:
     command:
       - trap 'buildkite-agent artifact upload "coverage-merged-e2e-*.txt;/tmp/e2e/**/*.log;/tmp/e2e/**/genesis.json;/tmp/e2e/**/runtime_genesis.json"' EXIT
       - .buildkite/scripts/download_e2e_test_artifacts_mocksgx.sh
-      - .buildkite/scripts/test_e2e.sh --timeout 20m --scenario e2e/runtime/runtime-encryption
+      - .buildkite/scripts/test_e2e.sh --timeout 20m
+        --scenario e2e/runtime/runtime-encryption
+        --scenario e2e/runtime/keymanager-access-policy
+
     env:
       OASIS_TEE_HARDWARE: intel-sgx
       OASIS_UNSAFE_MOCK_TEE: "1"

go/oasis-test-runner/oasis/fixture.go

@@ -10,6 +10,7 @@ import (
 	"github.com/oasisprotocol/oasis-core/go/common/crypto/signature"
 	"github.com/oasisprotocol/oasis-core/go/common/node"
 	"github.com/oasisprotocol/oasis-core/go/common/sgx"
+	"github.com/oasisprotocol/oasis-core/go/common/sgx/quote"
 	"github.com/oasisprotocol/oasis-core/go/consensus/cometbft/config"
 	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/env"
 	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/log"
@@ -256,6 +257,9 @@ type RuntimeFixture struct {
 
 	GovernanceModel registry.RuntimeGovernanceModel `json:"governance_model"`
 
+	// KeyManagerAccessPolicy is an optional key manager access policy.
+	KeyManagerAccessPolicy *quote.Policy `json:"kma_policy,omitempty"`
+
 	Pruner RuntimePrunerCfg `json:"pruner,omitempty"`
 
 	ExcludeFromGenesis bool `json:"exclude_from_genesis,omitempty"`
@@ -286,24 +290,25 @@ func (f *RuntimeFixture) Create(netFixture *NetworkFixture, net *Network) (*Runt
 	}
 
 	return net.NewRuntime(&RuntimeCfg{
-		ID:                 f.ID,
-		Kind:               f.Kind,
-		Entity:             entity,
-		Keymanager:         km,
-		TEEHardware:        netFixture.TEE.Hardware,
-		MrSigner:           netFixture.TEE.MrSigner,
-		Executor:           f.Executor,
-		TxnScheduler:       f.TxnScheduler,
-		Storage:            f.Storage,
-		AdmissionPolicy:    admissionPolicy,
-		Staking:            f.Staking,
-		GenesisRound:       f.GenesisRound,
-		GenesisStateRoot:   f.GenesisStateRoot,
-		Pruner:             f.Pruner,
-		ExcludeFromGenesis: f.ExcludeFromGenesis,
-		KeepBundles:        f.KeepBundles,
-		GovernanceModel:    f.GovernanceModel,
-		Deployments:        f.Deployments,
+		ID:                     f.ID,
+		Kind:                   f.Kind,
+		Entity:                 entity,
+		Keymanager:             km,
+		TEEHardware:            netFixture.TEE.Hardware,
+		MrSigner:               netFixture.TEE.MrSigner,
+		KeyManagerAccessPolicy: f.KeyManagerAccessPolicy,
+		Executor:               f.Executor,
+		TxnScheduler:           f.TxnScheduler,
+		Storage:                f.Storage,
+		AdmissionPolicy:        admissionPolicy,
+		Staking:                f.Staking,
+		GenesisRound:           f.GenesisRound,
+		GenesisStateRoot:       f.GenesisStateRoot,
+		Pruner:                 f.Pruner,
+		ExcludeFromGenesis:     f.ExcludeFromGenesis,
+		KeepBundles:            f.KeepBundles,
+		GovernanceModel:        f.GovernanceModel,
+		Deployments:            f.Deployments,
 	})
 }
 

go/oasis-test-runner/oasis/runtime.go

@@ -14,6 +14,7 @@ import (
 	"github.com/oasisprotocol/oasis-core/go/common/crypto/hash"
 	"github.com/oasisprotocol/oasis-core/go/common/node"
 	"github.com/oasisprotocol/oasis-core/go/common/sgx"
+	"github.com/oasisprotocol/oasis-core/go/common/sgx/quote"
 	"github.com/oasisprotocol/oasis-core/go/common/version"
 	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/env"
 	registry "github.com/oasisprotocol/oasis-core/go/registry/api"
@@ -48,8 +49,9 @@ type Runtime struct {
 	// of this file is discouraged (if not entirely forbidden).
 	cfgSave runtimeCfgSave
 
-	teeHardware node.TEEHardware
-	mrSigner    *sgx.MrSigner
+	teeHardware            node.TEEHardware
+	mrSigner               *sgx.MrSigner
+	keyManagerAccessPolicy *quote.Policy
 
 	pruner RuntimePrunerCfg
 
@@ -59,12 +61,13 @@ type Runtime struct {
 
 // RuntimeCfg is the Oasis runtime provisioning configuration.
 type RuntimeCfg struct {
-	ID          common.Namespace
-	Kind        registry.RuntimeKind
-	Entity      *Entity
-	Keymanager  *Runtime
-	TEEHardware node.TEEHardware
-	MrSigner    *sgx.MrSigner
+	ID                     common.Namespace
+	Kind                   registry.RuntimeKind
+	Entity                 *Entity
+	Keymanager             *Runtime
+	TEEHardware            node.TEEHardware
+	MrSigner               *sgx.MrSigner
+	KeyManagerAccessPolicy *quote.Policy
 
 	Deployments      []DeploymentCfg
 	GenesisRound     uint64
@@ -230,14 +233,19 @@ func (rt *Runtime) toRuntimeBundle(index int, cfg *deploymentCfg) (*bundle.Bundl
 			return fmt.Errorf("oasis/runtime: failed to derive MRENCLAVE: %w", err)
 		}
 
-		cfg.versionInfo.TEE = cbor.Marshal(node.SGXConstraints{
+		sc := node.SGXConstraints{
 			Enclaves: []sgx.EnclaveIdentity{
 				{
 					MrEnclave: *mrEnclave,
 					MrSigner:  *rt.mrSigner,
 				},
 			},
-		})
+		}
+		if rt.keyManagerAccessPolicy != nil {
+			sc.Versioned = cbor.NewVersioned(1)
+			sc.KeyManagerAccessPolicy = rt.keyManagerAccessPolicy
+		}
+		cfg.versionInfo.TEE = cbor.Marshal(sc)
 		cfg.mrEnclave = mrEnclave
 		return nil
 	}
@@ -368,12 +376,13 @@ func (net *Network) NewRuntime(cfg *RuntimeCfg) (*Runtime, error) {
 		cfgSave: runtimeCfgSave{
 			id: cfg.ID,
 		},
-		kind:               cfg.Kind,
-		teeHardware:        cfg.TEEHardware,
-		mrSigner:           cfg.MrSigner,
-		pruner:             cfg.Pruner,
-		excludeFromGenesis: cfg.ExcludeFromGenesis,
-		descriptor:         descriptor,
+		kind:                   cfg.Kind,
+		teeHardware:            cfg.TEEHardware,
+		mrSigner:               cfg.MrSigner,
+		keyManagerAccessPolicy: cfg.KeyManagerAccessPolicy,
+		pruner:                 cfg.Pruner,
+		excludeFromGenesis:     cfg.ExcludeFromGenesis,
+		descriptor:             descriptor,
 	}
 
 	for _, deployCfg := range cfg.Deployments {

go/oasis-test-runner/scenario/e2e/runtime/kma_policy.go

@@ -0,0 +1,54 @@
+package runtime
+
+import (
+	"context"
+
+	"github.com/oasisprotocol/oasis-core/go/common/sgx/pcs"
+	"github.com/oasisprotocol/oasis-core/go/common/sgx/quote"
+	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/env"
+	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/oasis"
+	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/scenario"
+)
+
+// KeyManagerAccessPolicy is the key manager access policy e2e test scenario.
+var KeyManagerAccessPolicy scenario.Scenario = newKeyManagerAccessPolicyImpl()
+
+type keyManagerAccessPolicyImpl struct {
+	Scenario
+}
+
+func newKeyManagerAccessPolicyImpl() scenario.Scenario {
+	return &keyManagerAccessPolicyImpl{
+		Scenario: *NewScenario("keymanager-access-policy", NewTestClient().WithScenario(SimpleScenario)),
+	}
+}
+
+func (sc *keyManagerAccessPolicyImpl) Clone() scenario.Scenario {
+	return &keyManagerAccessPolicyImpl{
+		Scenario: *sc.Scenario.Clone().(*Scenario),
+	}
+}
+
+func (sc *keyManagerAccessPolicyImpl) Fixture() (*oasis.NetworkFixture, error) {
+	f, err := sc.Scenario.Fixture()
+	if err != nil {
+		return nil, err
+	}
+
+	f.Runtimes[1].KeyManagerAccessPolicy = &quote.Policy{
+		PCS: &pcs.QuotePolicy{
+			TCBValidityPeriod:          90,
+			MinTCBEvaluationDataNumber: 12,
+		},
+	}
+
+	return f, nil
+}
+
+func (sc *keyManagerAccessPolicyImpl) Run(ctx context.Context, childEnv *env.Env) error {
+	if err := sc.StartNetworkAndTestClient(ctx, childEnv); err != nil {
+		return err
+	}
+
+	return sc.WaitTestClientAndCheckLogs()
+}

go/oasis-test-runner/scenario/e2e/runtime/scenario.go

@@ -421,6 +421,8 @@ func RegisterScenarios() error {
 		TxSourceMultiShortSGX,
 		// Observer tests
 		ObserverMode,
+		// SGXConstraints tests.
+		KeyManagerAccessPolicy,
 	} {
 		if err := cmd.RegisterNondefault(s); err != nil {
 			return err