Updated and add samples for Attestation service. (#3448)
* Moved samples around to meet new recommendations; added a couple of additional tests.
* Reworked attestation to include RetrieveAttestationValidationCollateral
* Attestation sample readme updates
* TPM doesn't need to retrieve response validation collateral
* Added cautionary warning about the dangers of overriding the TearDown method from inside a test case
* Added attestation team members to codeowners for attestation SDK
* Remove CODEOWNERS from cspell checks
* Don't hold a lock across retrieving the signers over the network
* Updated snippets in readme; clang-format
1 parent d7536a2, commit af7281e
Showing 108 changed files with 3,754 additions and 1,151 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
{ | ||
"version": "0.2", | ||
"language": "en", | ||
"languageId": "cpp", | ||
"dictionaries": [ | ||
"powershell", | ||
"cpp" | ||
], | ||
"ignorePaths": [ | ||
"**/test/ut/recordings/*.json" | ||
], | ||
"words": [ | ||
"ECDS", | ||
"jwks", | ||
"jwk", | ||
"mrenclave", | ||
"mrsigner", | ||
"shareduks", | ||
"attestsgxenclave", | ||
"attestsgxenclavewithruntimejson", | ||
"attestsgxenclavewithruntimebinary", | ||
"getopenidmetadata" | ||
|
||
] | ||
} |
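Review bot: the `words` array lists four of the five sample target names, but `attestopenenclavewithdraftpolicy` and `attestopenenclaveshared`, which the samples CMakeLists.txt in this same commit passes to `define_sample`, are missing, so cspell will flag those two identifiers unless CMake files are excluded somewhere else; add both words here, or add a CMake ignore pattern to `ignorePaths`, rather than finding out from the next failing check. Separately, `ECDS` reads like a truncated `ECDSA`; confirm it is the exact token that appears in the sources before it whitelists a typo.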
sdk/attestation/azure-security-attestation/samples/attestation/CMakeLists.txt (29 changes: 29 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
# Copyright (c) Microsoft Corporation. All rights reserved. | ||
# SPDX-License-Identifier: MIT | ||
|
||
cmake_minimum_required (VERSION 3.13) | ||
|
||
project (attestation-attestation LANGUAGES CXX) | ||
set(CMAKE_CXX_STANDARD 14) | ||
set(CMAKE_CXX_STANDARD_REQUIRED True) | ||
|
||
macro (define_sample samplename) | ||
add_executable ( | ||
attestation-${samplename} | ||
${samplename}.cpp | ||
attestation_collateral.cpp | ||
attestation_collateral.hpp) | ||
|
||
CREATE_PER_SERVICE_TARGET_BUILD_FOR_SAMPLE(attestation attestation-${samplename}) | ||
|
||
target_link_libraries(attestation-${samplename} PRIVATE azure-security-attestation get-env-helper) | ||
|
||
endmacro() | ||
|
||
|
||
define_sample(attestsgxenclave) | ||
define_sample(attestsgxenclavewithruntimejson) | ||
define_sample(attestsgxenclavewithruntimebinary) | ||
define_sample(attestopenenclavewithdraftpolicy) | ||
define_sample(attestopenenclaveshared) | ||
|
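Review bot: `define_sample` compiles `attestation_collateral.cpp` separately into every one of the five sample executables; building it once as a small static or OBJECT library that each sample links against would avoid the repeated compilation and reduce the macro to `add_executable(attestation-${samplename} ${samplename}.cpp)` plus the link line. Two style points: a `function` would do here instead of a `macro`, since nothing is set that the caller needs afterwards, and the spacing before parentheses is inconsistent (`cmake_minimum_required (VERSION 3.13)`, `project (...)`, `macro (...)` versus `set(...)` and `target_link_libraries(...)`); clang-format does not touch CMake files, so pick one form by hand.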
sdk/attestation/azure-security-attestation/samples/attestation/README.md (87 changes: 87 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,87 @@ | ||
--- | ||
page_type: sample | ||
languages: | ||
- C++ | ||
products: | ||
- azure | ||
- azure-attestation | ||
urlFragment: attestation-samples | ||
|
||
--- | ||
|
||
# Attestation Samples for the Microsoft Azure Attestation client library for C++ | ||
|
||
These code samples show common scenario operations for the Attestation APIs within the Azure Attestation client library. | ||
|
||
## Sample Requirements | ||
|
||
These samples are written with the assumption that the following environment | ||
variables have been set by the user: | ||
|
||
* ATTESTATION_AAD_URL - the base URL for an attestation service instance in AAD mode. | ||
* ATTESTATION_ISOLATED_URL - the base URL for an attestation service instance in Isolated mode. | ||
* ATTESTATION_LOCATION_SHORT_NAME - the short name for the region in which the | ||
sample should be run - used to interact with the shared endpoint for that | ||
region. | ||
|
||
## Samples descriptions | ||
|
||
The samples are structured as separate source files, one per scenario. The are: | ||
Sample | What it tests | Notes | ||
-----|-----|----- | ||
AttestSgxEnclave | The simplest usage of the AttestSgxEnclave API | | ||
AttestOpenEnclaveShared | Attest an OpenEnclave report using the shared attestation instance | | ||
AttestSgxEnclaveWithRuntimeBinary | Calling AttestSgxEnclave with RuntimeData sent to the service which should be interpreted as binary data | | ||
AttestSgxEnclaveWithRuntimeJson | Calling AttestSgxEnclave with RuntimeData sent to the service which should be interpreted as JSON data | | ||
AttestOpenEnclaveWithDraftPolicy | Calling AttestOpenEnclave with a draft attestation policy which can be used to test attestation policies to determine their effect | | ||
|
||
## Additional Information | ||
|
||
### Attestation Policy | ||
|
||
An attestation policy is a document which defines authorization and claim generation | ||
rules for attestation operations. | ||
|
||
The following is an example of an attestation policy document for an SGX enclave: | ||
|
||
```text | ||
version= 1.0; | ||
authorizationrules | ||
{ | ||
[ type=="x-ms-sgx-is-debuggable", value==false ] && | ||
[ type=="x-ms-sgx-product-id", value==<product-id> ] && | ||
[ type=="x-ms-sgx-svn", value>= 0 ] && | ||
[ type=="x-ms-sgx-mrsigner", value=="<mrsigner>"] | ||
=> permit(); | ||
}; | ||
issuancerules { | ||
c:[type=="x-ms-sgx-mrsigner"] => issue(type="<custom-name>", value=c.value); | ||
}; | ||
``` | ||
|
||
There are two sections to the document: `authorizationrules` and `issuancerules`. | ||
`authorizationrules` are rules which control whether an attestation token | ||
should be issued. `issuancerules` are rules which cause claims to be issued in an | ||
attestation token. | ||
|
||
In the example, the attestation service will issue an attestation token if and only if | ||
the SGX enclave is configured as follows: | ||
|
||
* Not-Debuggable | ||
* Enclave product ID: `<product-id>`. | ||
* Enclave SVN: `<svn value>` greater or equal to zero. | ||
* Enclave signer: matches `<mrsigner>`. | ||
|
||
Assuming a token is issued, this policy will cause a claim named `<custom-name>` | ||
to be issued with a value which matches the `x-ms-sgx-mrsigner` claim. | ||
|
||
For more information on authoring attestation policy documents, see: [Authoring an attestation policy](https://docs.microsoft.com/azure/attestation/author-sign-policy) | ||
|
||
## Next Steps | ||
|
||
For more information about the Microsoft Azure Attestation service, please see our [documentation page](https://docs.microsoft.com/azure/attestation/) . | ||
|
||
<!-- LINKS --> | ||
<!-- links are known to be broken, they will be fixed after this initial pull | ||
request completes. --> | ||
[readme_md]: https://github.com/Azure/azure-sdk-for-cpp/blob/main/sdk/attestation/azure-security-attestation/README.md |
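Review bot: typo in the "Samples descriptions" paragraph: "The are:" should read "They are:", and that paragraph runs straight into the table header with no blank line, which some Markdown renderers require before they recognise a table. The `<!-- LINKS -->` block defines `[readme_md]` but nothing in the file references it, and the comment above it admits the links are known to be broken; either drop the unused definition or fix it in this PR rather than deferring. Two small documentation points on the policy section: the bullet "Enclave SVN: `<svn value>` greater or equal to zero" uses a placeholder where the policy has the literal `value>= 0`, so "SVN greater than or equal to 0" would match the example exactly; and since the `authorizationrules` bind on `x-ms-sgx-mrsigner`, product ID, SVN and the debug flag but not on `x-ms-sgx-mrenclave`, one sentence saying that this admits any enclave signed by that key with that product ID would help readers decide whether they need the stricter per-enclave binding.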