e2e: Ensure compute policy rejects registation (POC)

martintomazic · martintomazic · commit d217ddf0564b · 2026-03-30T13:44:12.000+02:00
See if we can trigger real quote verification. This will still
get rejected at local verification instead of consensus.
diff --git a/.buildkite/code.pipeline.yml b/.buildkite/code.pipeline.yml
@@ -262,9 +262,12 @@ steps:
         --scenario e2e/runtime/rofl
         --scenario e2e/runtime/trust-root/.+
         --scenario e2e/runtime/keymanager-.+
+        --scenario e2e/runtime/compute-policy
+        --scenario e2e/runtime/compute-policy-rejects
     env:
       # Unsafe flags needed as the trust-root test rebuilds the enclave with embedded trust root data.
-      OASIS_UNSAFE_SKIP_AVR_VERIFY: "1"
+      # OASIS_UNSAFE_SKIP_AVR_VERIFY: "1"
+      OASIS_UNSAFE_LAX_AVR_VERIFY: "1"
       OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES: "1"
       OASIS_E2E_COVERAGE: enable
       TEST_BASE_DIR: /tmp
@@ -358,7 +361,6 @@ steps:
       - .buildkite/scripts/download_e2e_test_artifacts_mocksgx.sh
       - .buildkite/scripts/test_e2e.sh --timeout 20m
         --scenario e2e/runtime/runtime-encryption
-        --scenario e2e/runtime/compute-policy
 
     env:
       OASIS_TEE_HARDWARE: intel-sgx
diff --git a/go/oasis-test-runner/scenario/e2e/runtime/compute_policy_rejects.go b/go/oasis-test-runner/scenario/e2e/runtime/compute_policy_rejects.go
@@ -0,0 +1,57 @@
+package runtime
+
+import (
+	"context"
+
+	"github.com/oasisprotocol/oasis-core/go/common/sgx/pcs"
+	"github.com/oasisprotocol/oasis-core/go/common/sgx/quote"
+	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/env"
+	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/oasis"
+	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/scenario"
+)
+
+// ComputePolicy is the compute runtime quote policy e2e test scenario.
+// It tests compute runtime quote policy is applied for compute/observer nodes,
+// by setting impossible compute policy to satisfy and ensuring registration fails.
+var ComputePolicyRejects scenario.Scenario = newComputePolicyRejectsImpl()
+
+type computePolicyImplRejects struct {
+	Scenario
+}
+
+func newComputePolicyRejectsImpl() scenario.Scenario {
+	return &computePolicyImplRejects{
+		Scenario: *NewScenario("compute-policy-rejects", NewTestClient().WithScenario(SimpleScenario)),
+	}
+}
+
+func (sc *computePolicyImplRejects) Clone() scenario.Scenario {
+	return &computePolicyImplRejects{
+		Scenario: *sc.Scenario.Clone().(*Scenario),
+	}
+}
+
+func (sc *computePolicyImplRejects) Fixture() (*oasis.NetworkFixture, error) {
+	f, err := sc.Scenario.Fixture()
+	if err != nil {
+		return nil, err
+	}
+
+	f.Runtimes[1].ComputePolicy = &quote.Policy{
+		PCS: &pcs.QuotePolicy{
+			TCBValidityPeriod:          90,
+			MinTCBEvaluationDataNumber: 12,
+			FMSPCWhitelist:             []string{"invalidFMSCP"},
+		},
+	}
+
+	return f, nil
+}
+
+func (sc *computePolicyImplRejects) Run(ctx context.Context, childEnv *env.Env) error {
+	if err := sc.StartNetworkAndTestClient(ctx, childEnv); err != nil {
+		return err
+	}
+
+	return sc.WaitTestClientAndCheckLogs()
+}
diff --git a/go/oasis-test-runner/scenario/e2e/runtime/scenario.go b/go/oasis-test-runner/scenario/e2e/runtime/scenario.go
@@ -421,6 +421,7 @@ func RegisterScenarios() error {
 		TxSourceMultiShortSGX,
 		// SGXConstraints tests.
 		ComputePolicy,
+		ComputePolicyRejects,
 	} {
 		if err := cmd.RegisterNondefault(s); err != nil {
 			return err
