From 527bfa7bfe9484e69bc1134a1e785004df828180 Mon Sep 17 00:00:00 2001 From: beejones Date: Thu, 18 Jul 2024 13:06:47 +0000 Subject: [PATCH 01/45] first round of updates --- package.json | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/package.json b/package.json index 94509529..a0a0b2bf 100644 --- a/package.json +++ b/package.json @@ -14,8 +14,7 @@ "@bufbuild/buf": "^1.30.0", "@bufbuild/protobuf": "^1.8.0", "@bufbuild/protoc-gen-es": "^1.8.0", - "@microsoft/ccf-app": "^5.0.0-dev6", - "express": "^4.19.2", + "@microsoft/ccf-app": "5.0.0", "i": "^0.3.7", "js-base64": "^3.5.2", "jsrsasign": "^11.0.0", @@ -31,9 +30,9 @@ "@babel/preset-env": "^7.20.2", "@babel/preset-typescript": "^7.22.15", "@jest/globals": "^29.7.0", - "@rollup/plugin-commonjs": "^17.1.0", - "@rollup/plugin-node-resolve": "^11.2.1", - "@rollup/plugin-typescript": "^8.2.0", + "@rollup/plugin-commonjs": "^26.0.1", + "@rollup/plugin-node-resolve": "15.2.3", + "@rollup/plugin-typescript": "11.1.6", "@types/jasmine": "^4.3.0", "@types/jest": "^29.5.5", "@types/jsrsasign": "^8.0.7", @@ -42,19 +41,20 @@ "axios": "^1.5.0", "babel-jest": "^29.3.1", "del-cli": "^5.0.0", + "express": "^4.19.2", "http-server": "^0.13.0", "inquirer": "9.1.4", - "jest": "^29.7.0", - "js-crypto-key-utils": "^1.0.7", - "js-crypto-rsa": "^1.0.7", - "jsonwebtoken": "^9.0.0", - "node-fetch": "^3.3.2", - "rollup": "^2.79.1", - "ts-jest": "^29.1.5", - "ts-node": "^10.9.2", - "tslib": "^2.0.1", - "typescript": "^5.4.5", - "uglify-js": "^3.17.4" + "jest": "29.7.0", + "js-crypto-key-utils": "1.0.7", + "js-crypto-rsa": "1.0.7", + "jsonwebtoken": "9.0.2", + "node-fetch": "3.3.2", + "rollup": "4.18.1", + "ts-jest": "29.2.2", + "ts-node": "10.9.2", + "tslib": "^2.6.3", + "typescript": "5.5.3", + "uglify-js": "3.19.0" }, "jest": { "preset": "ts-jest/presets/default-esm", From ca68fd1dae41cd2f0f79ceef6285db90a062292f Mon Sep 17 00:00:00 2001 
From: beejones Date: Thu, 18 Jul 2024 13:21:28 +0000 Subject: [PATCH 02/45] update package.json incrementally --- Makefile | 4 +++- package.json | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 2679c2fd..ee216664 100755 --- a/Makefile +++ b/Makefile @@ -126,4 +126,6 @@ lint: ## ๐Ÿ” Lint the code base (but don't fix) clean: ## ๐Ÿงน Clean the working folders created during build/demo @rm -rf .venv_ccf_sandbox @rm -rf ${KMS_WORKSPACE} - @rm -rf dist \ No newline at end of file + @rm -rf dist + @rm -rf node_modules + @rm -f package-lock.json \ No newline at end of file diff --git a/package.json b/package.json index a0a0b2bf..0967e0ba 100644 --- a/package.json +++ b/package.json @@ -15,7 +15,6 @@ "@bufbuild/protobuf": "^1.8.0", "@bufbuild/protoc-gen-es": "^1.8.0", "@microsoft/ccf-app": "5.0.0", - "i": "^0.3.7", "js-base64": "^3.5.2", "jsrsasign": "^11.0.0", "jsrsasign-util": "^1.0.2", From cb842c7a0b911294fb7a714bc4804e6792770af5 Mon Sep 17 00:00:00 2001 From: beejones Date: Thu, 18 Jul 2024 13:50:20 +0000 Subject: [PATCH 03/45] add global rollup --- .devcontainer/install_nodejs.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/install_nodejs.sh b/.devcontainer/install_nodejs.sh index dd6eb417..6364aca5 100755 --- a/.devcontainer/install_nodejs.sh +++ b/.devcontainer/install_nodejs.sh @@ -15,4 +15,4 @@ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash && nvm use node . $NVM_DIR/nvm.sh \ - && npm install -g npm@latest + && npm install -g npm@latest rollup@4.18.1 From 0267e886ff2adfa5f666edcaa408339e70df0656 Mon Sep 17 00:00:00 2001 From: beejones Date: Thu, 18 Jul 2024 14:25:11 +0000 Subject: [PATCH 04/45] change order in dockerfile --- .devcontainer/Dockerfile.devcontainer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/Dockerfile.devcontainer b/.devcontainer/Dockerfile.devcontainer index 85612258..841070d7 100644 
--- a/.devcontainer/Dockerfile.devcontainer +++ b/.devcontainer/Dockerfile.devcontainer @@ -12,6 +12,6 @@ ENV NVM_DIR /root/.nvm ENV TINKEY_VERSION=tinkey-1.10.1 COPY .devcontainer/install_packages.sh .devcontainer/install_nodejs.sh .devcontainer/setup_tinkey.sh /src/ -RUN /src/install_packages.sh RUN /src/install_nodejs.sh +RUN /src/install_packages.sh RUN /src/setup_tinkey.sh From 827f6fb3bce8ac009e34f8e4778c8159ea4a9217 Mon Sep 17 00:00:00 2001 From: beejones Date: Thu, 18 Jul 2024 14:59:22 +0000 Subject: [PATCH 05/45] update docker container --- .devcontainer/Dockerfile.devcontainer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/Dockerfile.devcontainer b/.devcontainer/Dockerfile.devcontainer index 841070d7..dbdfe538 100644 --- a/.devcontainer/Dockerfile.devcontainer +++ b/.devcontainer/Dockerfile.devcontainer @@ -1,7 +1,7 @@ # Base container image which is built nightly # Used as a starting point to make building other containers fast -ARG BASE_CCF_IMAGE=5.0.0-dev10-virtual +ARG BASE_CCF_IMAGE=5.0.0-rc0-virtual ARG ENVIRONMENT=devcontainer # ignore this hadolint error as BASE_IMAGE contains an image tag From 1a60c53b3c2efbafd34a8360de88d5b62a2948a2 Mon Sep 17 00:00:00 2001 From: beejones Date: Fri, 19 Jul 2024 05:51:08 +0000 Subject: [PATCH 06/45] update docker --- .github/Dockerfile.ci | 9 +++++---- .github/devcontainer.json | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/Dockerfile.ci b/.github/Dockerfile.ci index 3c7a166b..8012cc99 100644 --- a/.github/Dockerfile.ci +++ b/.github/Dockerfile.ci @@ -8,8 +8,12 @@ ARG ENVIRONMENT=ci # hadolint ignore=DL3006 FROM mcr.microsoft.com/ccf/app/dev:${BASE_CCF_IMAGE} as base +# Install Node.js +RUN curl -fsSL https://deb.nodesource.com/setup_current.x | bash - + # Custom Deps RUN apt-get update && apt-get install -y \ + nodejs \ python3-pip \ openssh-client \ make \ 
@@ -18,11 +22,8 @@ RUN apt-get update && apt-get install -y \ lsof \ sudo \ tar \ - default-jre + default-jre -# Install Node.js -RUN curl -fsSL https://deb.nodesource.com/setup_current.x | bash - -RUN apt-get install -y nodejs RUN pip install --upgrade pip setuptools RUN apt-get -y autoremove \ diff --git a/.github/devcontainer.json b/.github/devcontainer.json index 7075c2b4..f20338a8 100644 --- a/.github/devcontainer.json +++ b/.github/devcontainer.json @@ -4,7 +4,7 @@ "dockerfile": "Dockerfile.ci", "context": ".." }, - "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && npm i && make build", + "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && npm i && npm -g npm@latest rollup@4.18.1 && make build", "features": { "ghcr.io/devcontainers/features/docker-in-docker:2": { "version": "latest", From 70162fc86612001530851da1a08ab3acc9ae946a Mon Sep 17 00:00:00 2001 From: beejones Date: Fri, 19 Jul 2024 06:26:17 +0000 Subject: [PATCH 07/45] update dockerfile --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index a456f577..b63cb9dc 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -4,7 +4,7 @@ "dockerfile": "Dockerfile.devcontainer", "context": ".." }, - "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && npm i && make build", + "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && npm i && npm -g npm@latest rollup@4.18.1 && make build", "features": { "ghcr.io/devcontainers/features/docker-in-docker:2": { "version": "latest", From da78e538abd523f18188886c4a39e8939fa6ef2f Mon Sep 17 00:00:00 2001 From: beejones Date: Fri, 19 Jul 2024 06:54:26 +0000 Subject: [PATCH 08/45] update dockerfile --- .devcontainer/Dockerfile.devcontainer | 2 ++ .devcontainer/install_nodejs.sh | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) 
diff --git a/.devcontainer/Dockerfile.devcontainer b/.devcontainer/Dockerfile.devcontainer index dbdfe538..86435663 100644 --- a/.devcontainer/Dockerfile.devcontainer +++ b/.devcontainer/Dockerfile.devcontainer @@ -12,6 +12,8 @@ ENV NVM_DIR /root/.nvm ENV TINKEY_VERSION=tinkey-1.10.1 COPY .devcontainer/install_packages.sh .devcontainer/install_nodejs.sh .devcontainer/setup_tinkey.sh /src/ +RUN echo "Install necessary packages." RUN /src/install_nodejs.sh RUN /src/install_packages.sh RUN /src/setup_tinkey.sh +RUN echo "All necessary packages and tinkey setup completed." \ No newline at end of file diff --git a/.devcontainer/install_nodejs.sh b/.devcontainer/install_nodejs.sh index 6364aca5..71cba3b6 100755 --- a/.devcontainer/install_nodejs.sh +++ b/.devcontainer/install_nodejs.sh @@ -14,5 +14,5 @@ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash && nvm install node \ && nvm use node -. $NVM_DIR/nvm.sh \ - && npm install -g npm@latest rollup@4.18.1 +echo "Install rollup" +npm install -g npm@latest rollup@4.18.1 From 9887104140e41bd43aa5ff1077ee5afcf4aa4c52 Mon Sep 17 00:00:00 2001 From: beejones Date: Fri, 19 Jul 2024 08:21:08 +0000 Subject: [PATCH 09/45] remove devcontainer change --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index b63cb9dc..a456f577 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -4,7 +4,7 @@ "dockerfile": "Dockerfile.devcontainer", "context": ".." }, - "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && npm i && npm -g npm@latest rollup@4.18.1 && make build", + "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && npm i && make build", "features": { "ghcr.io/devcontainers/features/docker-in-docker:2": { "version": "latest", From f81c46c8d805ac18afb8b85baf072fbc084f6ad2 Mon Sep 17 00:00:00 2001 
From: beejones Date: Fri, 19 Jul 2024 08:27:03 +0000 Subject: [PATCH 10/45] fix install rollup --- .devcontainer/install_nodejs.sh | 2 +- .github/devcontainer.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.devcontainer/install_nodejs.sh b/.devcontainer/install_nodejs.sh index 71cba3b6..cbff7504 100755 --- a/.devcontainer/install_nodejs.sh +++ b/.devcontainer/install_nodejs.sh @@ -15,4 +15,4 @@ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash && nvm use node echo "Install rollup" -npm install -g npm@latest rollup@4.18.1 +npm install -g rollup@4.18.1 diff --git a/.github/devcontainer.json b/.github/devcontainer.json index f20338a8..6ebf367c 100644 --- a/.github/devcontainer.json +++ b/.github/devcontainer.json @@ -4,7 +4,7 @@ "dockerfile": "Dockerfile.ci", "context": ".." }, - "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && npm i && npm -g npm@latest rollup@4.18.1 && make build", + "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && npm i && npm install -g rollup@4.18.1 && make build", "features": { "ghcr.io/devcontainers/features/docker-in-docker:2": { "version": "latest", From e1d9e354324c8f46dac92a407f40ca8a548c7cb7 Mon Sep 17 00:00:00 2001 From: beejones Date: Fri, 19 Jul 2024 08:59:33 +0000 Subject: [PATCH 11/45] fix docker creation --- .devcontainer/Dockerfile.devcontainer | 2 +- .devcontainer/devcontainer.json | 2 +- .github/devcontainer.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.devcontainer/Dockerfile.devcontainer b/.devcontainer/Dockerfile.devcontainer index 86435663..fce72c87 100644 --- a/.devcontainer/Dockerfile.devcontainer +++ b/.devcontainer/Dockerfile.devcontainer 
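Review bot: rollup is now pinned to 4.18.1 but the Node runtime it runs under is not — the `nvm install node` that precedes the `nvm use node` context line installs whatever Node is latest at image-build time, and the nvm installer itself arrives via the `curl ... | bash` shown in the hunk header with no integrity check. Pin the major so CI and devcontainer builds are reproducible, e.g. `nvm install 20 && nvm use 20`, or commit an `.nvmrc` and call `nvm install` with no argument. Consider also verifying the downloaded nvm installer against a known digest before piping it to bash, since this script builds the image for a key-management service.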
@@ -10,7 +10,7 @@ FROM mcr.microsoft.com/ccf/app/dev:${BASE_CCF_IMAGE} as base ENV NVM_DIR /root/.nvm ENV TINKEY_VERSION=tinkey-1.10.1 -COPY .devcontainer/install_packages.sh .devcontainer/install_nodejs.sh .devcontainer/setup_tinkey.sh /src/ +COPY .devcontainer/install_packages.sh .devcontainer/install_nodejs.sh .devcontainer/setup_tinkey.sh requirements.txt /src/ RUN echo "Install necessary packages." RUN /src/install_nodejs.sh diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index a456f577..8622b478 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -28,5 +28,5 @@ "editor.defaultFormatter": "ms-python.black-formatter" } }, - "postStartCommand": "pip install -r .devcontainer/requirements.txt && pre-commit install" + "postStartCommand": "pip install -r /src/requirements.txt" } diff --git a/.github/devcontainer.json b/.github/devcontainer.json index 6ebf367c..7075c2b4 100644 --- a/.github/devcontainer.json +++ b/.github/devcontainer.json @@ -4,7 +4,7 @@ "dockerfile": "Dockerfile.ci", "context": ".." }, - "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && npm i && npm install -g rollup@4.18.1 && make build", + "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && npm i && make build", "features": { "ghcr.io/devcontainers/features/docker-in-docker:2": { "version": "latest", From 4a0996fe93397992e5f0e2fddbcd98946da0507e Mon Sep 17 00:00:00 2001 From: beejones Date: Fri, 19 Jul 2024 09:57:42 +0000 Subject: [PATCH 12/45] update packages --- .devcontainer/Dockerfile.devcontainer | 2 +- .devcontainer/devcontainer.json | 5 ++--- .github/Dockerfile.ci | 2 +- Makefile | 4 +--- package.json | 18 +++++------------- 5 files changed, 10 insertions(+), 21 deletions(-) diff --git a/.devcontainer/Dockerfile.devcontainer b/.devcontainer/Dockerfile.devcontainer index fce72c87..86435663 100644 --- a/.devcontainer/Dockerfile.devcontainer +++ b/.devcontainer/Dockerfile.devcontainer 
@@ -10,7 +10,7 @@ FROM mcr.microsoft.com/ccf/app/dev:${BASE_CCF_IMAGE} as base ENV NVM_DIR /root/.nvm ENV TINKEY_VERSION=tinkey-1.10.1 -COPY .devcontainer/install_packages.sh .devcontainer/install_nodejs.sh .devcontainer/setup_tinkey.sh requirements.txt /src/ +COPY .devcontainer/install_packages.sh .devcontainer/install_nodejs.sh .devcontainer/setup_tinkey.sh /src/ RUN echo "Install necessary packages." RUN /src/install_nodejs.sh diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 8622b478..9f0f64cb 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -4,7 +4,7 @@ "dockerfile": "Dockerfile.devcontainer", "context": ".." }, - "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && npm i && make build", + "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && scripts/set_python_env.sh && npm i && make build", "features": { "ghcr.io/devcontainers/features/docker-in-docker:2": { "version": "latest", @@ -27,6 +27,5 @@ "settings": { "editor.defaultFormatter": "ms-python.black-formatter" } - }, - "postStartCommand": "pip install -r /src/requirements.txt" + } } diff --git a/.github/Dockerfile.ci b/.github/Dockerfile.ci index 8012cc99..7f42da5e 100644 --- a/.github/Dockerfile.ci +++ b/.github/Dockerfile.ci @@ -1,7 +1,7 @@ # Base container image which is built nightly # Used as a starting point to make building other containers fast -ARG BASE_CCF_IMAGE=5.0.0-dev10-virtual +ARG BASE_CCF_IMAGE=5.0.0-rc0-virtual ARG ENVIRONMENT=ci # ignore this hadolint error as BASE_IMAGE contains an image tag diff --git a/Makefile b/Makefile index ee216664..27bd43ee 100755 --- a/Makefile +++ b/Makefile 
@@ -124,8 +124,6 @@ lint: ## ๐Ÿ” Lint the code base (but don't fix) # Keep this at the bottom. clean: ## ๐Ÿงน Clean the working folders created during build/demo - @rm -rf .venv_ccf_sandbox + @rm -rf ${PYTHON_VENV} @rm -rf ${KMS_WORKSPACE} @rm -rf dist - @rm -rf node_modules - @rm -f package-lock.json \ No newline at end of file diff --git a/package.json b/package.json index 0967e0ba..fdfebfd8 100644 --- a/package.json +++ b/package.json @@ -11,18 +11,12 @@ "node": ">=16" }, "dependencies": { - "@bufbuild/buf": "^1.30.0", - "@bufbuild/protobuf": "^1.8.0", - "@bufbuild/protoc-gen-es": "^1.8.0", + "@bufbuild/protobuf": "1.10.0", "@microsoft/ccf-app": "5.0.0", - "js-base64": "^3.5.2", - "jsrsasign": "^11.0.0", - "jsrsasign-util": "^1.0.2", - "jwt-decode": "^3.0.0", - "lodash-es": "^4.17.15", - "node-forge": "^1.3.1", - "npm": "^10.5.0", - "pem-jwk": "^2.0.0" + "js-base64": "3.7.7", + "node-forge": "1.3.1", + "npm": "10.8.2", + "pem-jwk": "2.0.0" }, "devDependencies": { "@babel/core": "^7.20.5", @@ -34,8 +28,6 @@ "@rollup/plugin-typescript": "11.1.6", "@types/jasmine": "^4.3.0", "@types/jest": "^29.5.5", - "@types/jsrsasign": "^8.0.7", - "@types/lodash-es": "^4.17.3", "@types/node": "^18.18.13", "axios": "^1.5.0", "babel-jest": "^29.3.1", From 1989e235204b1d9cbefd88da686d01f87a12d9ff Mon Sep 17 00:00:00 2001 From: beejones Date: Fri, 19 Jul 2024 10:15:05 +0000 Subject: [PATCH 13/45] fix packages --- package.json | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/package.json b/package.json index fdfebfd8..88ccb6f3 100644 --- a/package.json +++ b/package.json 
@@ -19,21 +19,19 @@ "pem-jwk": "2.0.0" }, "devDependencies": { - "@babel/core": "^7.20.5", - "@babel/preset-env": "^7.20.2", - "@babel/preset-typescript": "^7.22.15", - "@jest/globals": "^29.7.0", - "@rollup/plugin-commonjs": "^26.0.1", + "@babel/core": "7.24.9", + "@babel/preset-env": "7.24.8", + "@babel/preset-typescript": "7.24.7", + "@jest/globals": "29.7.0", + "@rollup/plugin-commonjs": "26.0.1", "@rollup/plugin-node-resolve": "15.2.3", "@rollup/plugin-typescript": "11.1.6", - "@types/jasmine": "^4.3.0", - "@types/jest": "^29.5.5", - "@types/node": "^18.18.13", - "axios": "^1.5.0", - "babel-jest": "^29.3.1", - "del-cli": "^5.0.0", - "express": "^4.19.2", - "http-server": "^0.13.0", + "@types/jasmine": "5.1.4", + "@types/jest": "29.5.12", + "@types/node": "20.14.11", + "axios": "1.7.2", + "babel-jest": "29.7.0", + "express": "4.19.2", "inquirer": "9.1.4", "jest": "29.7.0", "js-crypto-key-utils": "1.0.7", @@ -43,7 +41,7 @@ "rollup": "4.18.1", "ts-jest": "29.2.2", "ts-node": "10.9.2", - "tslib": "^2.6.3", + "tslib": "2.6.3", "typescript": "5.5.3", "uglify-js": "3.19.0" }, From 68f766f208b631eec83196692511fd8c9f3dc37c Mon Sep 17 00:00:00 2001 From: beejones Date: Fri, 19 Jul 2024 13:17:02 +0000 Subject: [PATCH 14/45] remove echo in dockerfile --- .devcontainer/Dockerfile.devcontainer | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.devcontainer/Dockerfile.devcontainer b/.devcontainer/Dockerfile.devcontainer index 86435663..024e7b6b 100644 --- a/.devcontainer/Dockerfile.devcontainer +++ b/.devcontainer/Dockerfile.devcontainer 
@@ -12,8 +12,8 @@ ENV NVM_DIR /root/.nvm ENV TINKEY_VERSION=tinkey-1.10.1 COPY .devcontainer/install_packages.sh .devcontainer/install_nodejs.sh .devcontainer/setup_tinkey.sh /src/ -RUN echo "Install necessary packages." +# "Install necessary packages." RUN /src/install_nodejs.sh RUN /src/install_packages.sh RUN /src/setup_tinkey.sh -RUN echo "All necessary packages and tinkey setup completed." \ No newline at end of file +# "All necessary packages and tinkey setup completed." \ No newline at end of file From 34fd0f0e2b223801c54cbb91d7c6000f8c689c36 Mon Sep 17 00:00:00 2001 From: beejones Date: Fri, 19 Jul 2024 13:23:38 +0000 Subject: [PATCH 15/45] sync ci and devcontainer --- .github/Dockerfile.ci | 33 ++++++--------------------------- 1 file changed, 6 insertions(+), 27 deletions(-) diff --git a/.github/Dockerfile.ci b/.github/Dockerfile.ci index 7f42da5e..0d2ed68f 100644 --- a/.github/Dockerfile.ci +++ b/.github/Dockerfile.ci 
@@ -8,31 +8,10 @@ ARG ENVIRONMENT=ci # hadolint ignore=DL3006 FROM mcr.microsoft.com/ccf/app/dev:${BASE_CCF_IMAGE} as base -# Install Node.js -RUN curl -fsSL https://deb.nodesource.com/setup_current.x | bash - +COPY .devcontainer/install_packages.sh .devcontainer/install_nodejs.sh .devcontainer/setup_tinkey.sh /src/ -# Custom Deps -RUN apt-get update && apt-get install -y \ - nodejs \ - python3-pip \ - openssh-client \ - make \ - libuv1 \ - jq \ - lsof \ - sudo \ - tar \ - default-jre - -RUN pip install --upgrade pip setuptools - -RUN apt-get -y autoremove \ - && apt-get -y clean - -# Setup tinkey -ENV TINKEY_VERSION=tinkey-1.10.1 -RUN curl -O https://storage.googleapis.com/tinkey/$TINKEY_VERSION.tar.gz -RUN tar -xzvf $TINKEY_VERSION.tar.gz -RUN cp tinkey /usr/bin/ -RUN cp tinkey_deploy.jar /usr/bin/ -RUN rm tinkey tinkey_deploy.jar tinkey.bat $TINKEY_VERSION.tar.gz +# "Install necessary packages." +RUN /src/install_nodejs.sh +RUN /src/install_packages.sh +RUN /src/setup_tinkey.sh +# "All necessary packages and tinkey setup completed." \ No newline at end of file From 5d5dce93e8cef14ed4f8bc15770f1443a5ce2364 Mon Sep 17 00:00:00 2001 From: beejones Date: Fri, 19 Jul 2024 13:40:24 +0000 Subject: [PATCH 16/45] fix ci failure --- .github/Dockerfile.ci | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/Dockerfile.ci b/.github/Dockerfile.ci index 0d2ed68f..0034276b 100644 --- a/.github/Dockerfile.ci +++ b/.github/Dockerfile.ci @@ -11,7 +11,7 @@ FROM mcr.microsoft.com/ccf/app/dev:${BASE_CCF_IMAGE} as base COPY .devcontainer/install_packages.sh .devcontainer/install_nodejs.sh .devcontainer/setup_tinkey.sh /src/ # "Install necessary packages." -RUN /src/install_nodejs.sh RUN /src/install_packages.sh +RUN /src/install_nodejs.sh RUN /src/setup_tinkey.sh # "All necessary packages and tinkey setup completed." \ No newline at end of file From 4ad9d8b9ebe6997d8ef1a137a49eb66f2bfa7b52 Mon Sep 17 00:00:00 2001 
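Review bot: The inline tinkey setup that this hunk removes fetched `$TINKEY_VERSION.tar.gz` from storage.googleapis.com and copied `tinkey` and `tinkey_deploy.jar` straight into `/usr/bin` with no integrity check; the replacement `RUN /src/setup_tinkey.sh` is not part of this patch, so I cannot see whether it verifies the archive. If it mirrors the removed lines, add a pinned digest check before the copy, e.g. `echo "<sha256>  $TINKEY_VERSION.tar.gz" | sha256sum -c -`. The same consideration applies to `/src/install_nodejs.sh`, which pipes the nvm installer into bash.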
From: beejones Date: Fri, 19 Jul 2024 13:49:34 +0000 Subject: [PATCH 17/45] fix ci container --- .github/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/devcontainer.json b/.github/devcontainer.json index 7075c2b4..99f4da21 100644 --- a/.github/devcontainer.json +++ b/.github/devcontainer.json @@ -4,7 +4,7 @@ "dockerfile": "Dockerfile.ci", "context": ".." }, - "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && npm i && make build", + "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && scripts/set_python_env.sh && npm i && make build", "features": { "ghcr.io/devcontainers/features/docker-in-docker:2": { "version": "latest", From 00be9de83a15ec6dfc0203ae3c90a75822511159 Mon Sep 17 00:00:00 2001 From: beejones Date: Fri, 19 Jul 2024 14:11:03 +0000 Subject: [PATCH 18/45] incremental cleanup3 AuthenticationService --- src/authorization/AuthenticationService.ts | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/authorization/AuthenticationService.ts b/src/authorization/AuthenticationService.ts index b75893eb..91351d3f 100644 --- a/src/authorization/AuthenticationService.ts +++ b/src/authorization/AuthenticationService.ts @@ -47,8 +47,11 @@ export class AuthenticationService implements IAuthenticationService { */ public isAuthenticated( request: ccfapp.Request, - ): [ccfapp.AuthnIdentityCommon, ServiceResult] { - let caller: ccfapp.AuthnIdentityCommon; + ): [ + ccfapp.AuthnIdentityCommon | undefined, + ServiceResult | undefined, + ] { + let caller: ccfapp.AuthnIdentityCommon | undefined = undefined; try { const caller = request.caller as unknown as ccfapp.AuthnIdentityCommon; if (!caller) { @@ -61,7 +64,7 @@ export class AuthenticationService implements IAuthenticationService { const validator = this.validators.get( caller.policy, ); - return [caller, validator.validate(request)]; + return [caller, validator?.validate(request)]; } catch (ex) { return [ caller, 
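Review bot: The CI `postCreateCommand` still runs `npm i`, which resolves against the ranges in package.json and may rewrite the lockfile, so CI never checks that the exact pins this series introduces agree with the committed `package-lock.json` (which the Makefile `clean` target in this series references). Use `npm ci` here: `"postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && scripts/set_python_env.sh && npm ci && make build"`. `npm ci` fails on lockfile drift instead of silently resolving new transitive versions.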
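Review bot: The new `let caller: ccfapp.AuthnIdentityCommon | undefined = undefined;` is never assigned — the `const caller = request.caller as unknown as ...` inside the `try` declares a second, shadowing binding, so the outer one returned by the `catch` branch is always `undefined` and the widened type now makes that look intentional. Drop the `const` and assign to the outer variable: `caller = request.caller as unknown as ccfapp.AuthnIdentityCommon;`. The rest of isAuthenticated's body continues outside the hunk.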
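Review bot: `validator?.validate(request)` changes the behaviour for a caller whose `policy` has no registered validator: previously `validator.validate` threw and the `catch` returned a failed ServiceResult, now the method returns `[caller, undefined]` and each caller must decide whether an undefined verdict from the authentication gate is a pass or a fail. Fail closed here instead: `if (!validator) { return [caller, ServiceResult.Failed({ errorMessage: "No validator registered for policy " + caller.policy })]; } return [caller, validator.validate(request)];` (assuming `ServiceResult.Failed` takes the `{ errorMessage }` shape used in MemberCertValidator). The enclosing method continues outside the hunk.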
@@ -72,4 +75,4 @@ export class AuthenticationService implements IAuthenticationService { ]; } } -} +} \ No newline at end of file From 4316745bb207ed488571404aca6362e78f9ddfd5 Mon Sep 17 00:00:00 2001 From: beejones Date: Fri, 19 Jul 2024 14:26:52 +0000 Subject: [PATCH 19/45] sync ci and devcontainer --- .devcontainer/Dockerfile.devcontainer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/Dockerfile.devcontainer b/.devcontainer/Dockerfile.devcontainer index 024e7b6b..6dd8358c 100644 --- a/.devcontainer/Dockerfile.devcontainer +++ b/.devcontainer/Dockerfile.devcontainer @@ -13,7 +13,7 @@ ENV TINKEY_VERSION=tinkey-1.10.1 COPY .devcontainer/install_packages.sh .devcontainer/install_nodejs.sh .devcontainer/setup_tinkey.sh /src/ # "Install necessary packages." -RUN /src/install_nodejs.sh RUN /src/install_packages.sh +RUN /src/install_nodejs.sh RUN /src/setup_tinkey.sh # "All necessary packages and tinkey setup completed." \ No newline at end of file From 6123373cc19808502fb6498a0859b49879eeb02f Mon Sep 17 00:00:00 2001 From: beejones Date: Sat, 20 Jul 2024 06:16:39 +0000 Subject: [PATCH 20/45] incremental cleanup IAuthenticationService --- src/authorization/IAuthenticationService.ts | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/authorization/IAuthenticationService.ts b/src/authorization/IAuthenticationService.ts index 2d381941..f3a59fc7 100644 --- a/src/authorization/IAuthenticationService.ts +++ b/src/authorization/IAuthenticationService.ts @@ -12,5 +12,8 @@ export interface IAuthenticationService { */ isAuthenticated( request: ccfapp.Request, - ): [ccfapp.AuthnIdentityCommon, ServiceResult]; -} + ): [ + ccfapp.AuthnIdentityCommon | undefined, + ServiceResult | undefined, + ]; +} \ No newline at end of file From af7341b8e178720ffbf6d19ab1114c05c341c94c Mon Sep 17 00:00:00 2001 
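Review bot: The widened return type makes `undefined` a legal verdict from `isAuthenticated`, but nothing in the interface states what it means, so every implementer and caller will decide independently whether `[caller, undefined]` is a pass or a fail. Add to the method's TSDoc (above the hunk): `@returns the caller identity, or undefined if none could be read, and the validation result; an undefined result means no validator produced a verdict and MUST be treated as not authenticated.` Better still, keep the second tuple element non-optional and require implementations to return an explicit `ServiceResult.Failed` when no validator applies.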
From: beejones Date: Sat, 20 Jul 2024 10:46:27 +0000 Subject: [PATCH 21/45] incremental cleanup authorization --- src/authorization/IValidationService.ts | 2 +- src/authorization/certs/MemberCertValidator.ts | 16 +++++++++++----- src/authorization/certs/UserCertValidator.ts | 2 +- src/authorization/jwt/DemoJwtProvider.ts | 2 +- src/authorization/jwt/IJwtIdentityProvider.ts | 2 +- src/authorization/jwt/JwtIdentityProviderEnum.ts | 2 +- src/authorization/jwt/JwtValidationPolicyMap.ts | 10 ++++++++-- src/authorization/jwt/JwtValidator.ts | 2 +- src/authorization/jwt/MsJwtProvider.ts | 4 ++-- 9 files changed, 27 insertions(+), 15 deletions(-) diff --git a/src/authorization/IValidationService.ts b/src/authorization/IValidationService.ts index 7e8a4e7d..cc8f6e9e 100644 --- a/src/authorization/IValidationService.ts +++ b/src/authorization/IValidationService.ts @@ -10,4 +10,4 @@ import { ServiceResult } from "../utils/ServiceResult"; export interface IValidatorService { validate(request: ccfapp.Request): ServiceResult; -} +} \ No newline at end of file diff --git a/src/authorization/certs/MemberCertValidator.ts b/src/authorization/certs/MemberCertValidator.ts index 5a45d40a..0ab1bef1 100644 --- a/src/authorization/certs/MemberCertValidator.ts +++ b/src/authorization/certs/MemberCertValidator.ts 
@@ -51,9 +51,15 @@ export class MemberCertValidator implements IValidatorService { ); const memberInfoBuf = membersInfo.get(ccf.strToBuf(memberId)); - const memberInfo = ccf.bufToJsonCompatible(memberInfoBuf) as CCFMember; - const isActiveMember = memberInfo && memberInfo.status === "Active"; - - return ServiceResult.Succeeded(isActiveMember && isMember); + if (memberInfoBuf !== undefined) { + const memberInfo = ccf.bufToJsonCompatible(memberInfoBuf) as CCFMember; + const isActiveMember = memberInfo && memberInfo.status === "Active"; + return ServiceResult.Succeeded(isActiveMember && isMember); + } else { + // memberInfoBuf is undefined + return ServiceResult.Failed({ + errorMessage: "Member information is undefined.", + }); + } } -} +} \ No newline at end of file diff --git a/src/authorization/certs/UserCertValidator.ts b/src/authorization/certs/UserCertValidator.ts index 24dd0764..03083b74 100644 --- a/src/authorization/certs/UserCertValidator.ts +++ b/src/authorization/certs/UserCertValidator.ts @@ -59,4 +59,4 @@ export class UserCertValidator implements IValidatorService { const result = usersCerts.has(ccf.strToBuf(userId)); return ServiceResult.Succeeded(result); } -} +} \ No newline at end of file diff --git a/src/authorization/jwt/DemoJwtProvider.ts b/src/authorization/jwt/DemoJwtProvider.ts index 2ca6bbdf..ef0de085 100644 --- a/src/authorization/jwt/DemoJwtProvider.ts +++ b/src/authorization/jwt/DemoJwtProvider.ts @@ -37,4 +37,4 @@ export class DemoJwtProvider implements IJwtIdentityProvider { Logger.debug(`JWT validation succeeded: ${identityId}`); return ServiceResult.Succeeded(identityId); } -} +} \ No newline at end of file diff --git a/src/authorization/jwt/IJwtIdentityProvider.ts b/src/authorization/jwt/IJwtIdentityProvider.ts index dcbee6b1..f2f4bea9 100644 --- a/src/authorization/jwt/IJwtIdentityProvider.ts +++ b/src/authorization/jwt/IJwtIdentityProvider.ts 
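Review bot: The new branch nests the whole happy path under `if (memberInfoBuf !== undefined)` and leaves the failure case at the bottom with a comment restating the condition; a guard clause reads more naturally and keeps the deny path visible first: `if (memberInfoBuf === undefined) { return ServiceResult.Failed({ errorMessage: "Member information is undefined." }); }` followed by the existing three lines unindented. Note that the method now signals a missing member with `Failed` while an inactive member still yields `Succeeded(false)`; callers must treat both as a deny, and a short comment saying so would help. `isMember` and the start of `validate` are outside the hunk.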
@@ -7,4 +7,4 @@ import { ServiceResult } from "../../utils/ServiceResult"; export interface IJwtIdentityProvider { isValidJwtToken(identity: ccfapp.JwtAuthnIdentity): ServiceResult; name: string; -} +} \ No newline at end of file diff --git a/src/authorization/jwt/JwtIdentityProviderEnum.ts b/src/authorization/jwt/JwtIdentityProviderEnum.ts index 363bdfd7..5cb2419d 100644 --- a/src/authorization/jwt/JwtIdentityProviderEnum.ts +++ b/src/authorization/jwt/JwtIdentityProviderEnum.ts @@ -7,4 +7,4 @@ export enum JwtIdentityProviderEnum { MS_AAD = "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/", Demo = "http://Demo-jwt-issuer", -} +} \ No newline at end of file diff --git a/src/authorization/jwt/JwtValidationPolicyMap.ts b/src/authorization/jwt/JwtValidationPolicyMap.ts index bf7d646b..a555ed9a 100644 --- a/src/authorization/jwt/JwtValidationPolicyMap.ts +++ b/src/authorization/jwt/JwtValidationPolicyMap.ts @@ -19,8 +19,14 @@ export class JwtValidationPolicyMap { return undefined; } - const policy = ccf.bufToStr(ccf.kv[validationPolicyMapName].get(keyBuf)); + const policyBuf = ccf.kv[validationPolicyMapName].get(keyBuf); + if (policyBuf === undefined) { + Logger.error(`Policy buffer is undefined for issuer: ${issuer}`); + return undefined; + } + + const policy = ccf.bufToStr(policyBuf); Logger.info(`JWT validation: Policy: ${policy} for issuer: ${issuer}`); return JSON.parse(policy); } -} +} \ No newline at end of file diff --git a/src/authorization/jwt/JwtValidator.ts b/src/authorization/jwt/JwtValidator.ts index b8f1b484..edd3a73f 100644 --- a/src/authorization/jwt/JwtValidator.ts +++ b/src/authorization/jwt/JwtValidator.ts @@ -50,4 +50,4 @@ export class JwtValidator implements IValidatorService { ); return isValidJwtToken; } -} +} \ No newline at end of file diff --git a/src/authorization/jwt/MsJwtProvider.ts b/src/authorization/jwt/MsJwtProvider.ts index 306063b4..ebfa5eed 100644 --- a/src/authorization/jwt/MsJwtProvider.ts 
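Review bot: The new guard covers a missing policy entry, but `JSON.parse(policy)` on the line after the log is still unguarded, so a malformed stored policy escapes `read` as a SyntaxError rather than the `undefined` this method returns for "no usable policy". Wrap it: `try { return JSON.parse(policy); } catch (e) { Logger.error("Policy for issuer " + issuer + " is not valid JSON"); return undefined; }`, and make sure callers treat `undefined` as a deny rather than as an empty policy. The result is also returned untyped from `JSON.parse`; a shape check before it is used to drive claim validation would be worth adding.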
+++ b/src/authorization/jwt/MsJwtProvider.ts @@ -18,7 +18,7 @@ export const authorizeJwt = ( issuer: string, identity: ccfapp.JwtAuthnIdentity, ): ServiceResult => { - const policy = JwtValidationPolicyMap.read(issuer); + const policy = JwtValidationPolicyMap.read(issuer) || {}; const keys = Object.keys(policy); for (let inx = 0; inx < keys.length; inx++) { @@ -70,4 +70,4 @@ export class MsJwtProvider implements IJwtIdentityProvider { const identityId = identity?.jwt?.payload?.sub; return ServiceResult.Succeeded(identityId); } -} +} \ No newline at end of file From 7e6712de53e10ad75fe20130ae82fbed78c59ed4 Mon Sep 17 00:00:00 2001 From: beejones Date: Sat, 20 Jul 2024 12:41:47 +0000 Subject: [PATCH 22/45] incremental cleanup attestation --- src/attestation/AttestationValidation.ts | 2 +- src/attestation/ISnpAttestation.ts | 1 + src/attestation/ISnpAttestationReport.ts | 2 +- src/attestation/SnpAttestationClaims.ts | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/attestation/AttestationValidation.ts b/src/attestation/AttestationValidation.ts index 06c05148..f837d95f 100644 --- a/src/attestation/AttestationValidation.ts +++ b/src/attestation/AttestationValidation.ts @@ -173,4 +173,4 @@ export const validateAttestation = ( 500, ); } -}; +}; \ No newline at end of file diff --git a/src/attestation/ISnpAttestation.ts b/src/attestation/ISnpAttestation.ts index c386692d..b642bc5f 100644 --- a/src/attestation/ISnpAttestation.ts +++ b/src/attestation/ISnpAttestation.ts @@ -1,3 +1,4 @@ + // Copyright (c) Microsoft Corporation. // Licensed under the MIT license. diff --git a/src/attestation/ISnpAttestationReport.ts b/src/attestation/ISnpAttestationReport.ts index 6f3726ed..d835e6ea 100644 --- a/src/attestation/ISnpAttestationReport.ts +++ b/src/attestation/ISnpAttestationReport.ts 
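Review bot: `JwtValidationPolicyMap.read(issuer) || {}` turns a missing policy into an empty one, so `Object.keys(policy)` is `[]`, the claim-check loop never executes, and — if the code after the loop (outside this hunk) returns success as the loop's fall-through — a token from an issuer with no stored validation policy is accepted without a single claim being checked. Before this change `Object.keys(undefined)` threw, so the failure at least surfaced. Fail closed: `const policy = JwtValidationPolicyMap.read(issuer); if (policy === undefined) { return ServiceResult.Failed({ errorMessage: "No JWT validation policy for issuer " + issuer }); }` and then continue with `Object.keys(policy)`. authorizeJwt's body continues outside the hunk.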
@@ -32,4 +32,4 @@ export interface IAttestationReport { "uvm_endorsements-did"?: string; "uvm_endorsements-feed"?: string; "uvm_endorsements-svn"?: string; -} +} \ No newline at end of file diff --git a/src/attestation/SnpAttestationClaims.ts b/src/attestation/SnpAttestationClaims.ts index 879828f0..a516b331 100644 --- a/src/attestation/SnpAttestationClaims.ts +++ b/src/attestation/SnpAttestationClaims.ts @@ -112,4 +112,4 @@ export class SnpAttestationClaims { return reportClaims; } -} +} \ No newline at end of file From 9f856dfd9fc2a5fe0231904498e3c3bf9c014e89 Mon Sep 17 00:00:00 2001 From: beejones Date: Sat, 20 Jul 2024 13:41:51 +0000 Subject: [PATCH 23/45] missing attestation change --- src/attestation/SnpAttestationClaims.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/attestation/SnpAttestationClaims.ts b/src/attestation/SnpAttestationClaims.ts index a516b331..4013720e 100644 --- a/src/attestation/SnpAttestationClaims.ts +++ b/src/attestation/SnpAttestationClaims.ts @@ -83,7 +83,7 @@ export class SnpAttestationClaims { // report_id_ma // reported_tcb // chip_id - // committed_tcb + // committed_tcbx` // current_minor // current_build // committed_minor From 2a57d67945ee947e7bc2bc18863fbbca8e7ace96 Mon Sep 17 00:00:00 2001 From: beejones Date: Sun, 21 Jul 2024 12:14:15 +0000 Subject: [PATCH 24/45] incremental cleanup policies --- src/policies/IKeyReleasePolicy.ts | 2 +- src/policies/IKeyReleasePolicyProps.ts | 2 +- src/policies/IPolicy.ts | 2 +- src/policies/KeyReleasePolicy.ts | 2 +- src/policies/LoadPolicy.ts | 2 +- src/policies/Policy.ts | 5 +++-- 6 files changed, 8 insertions(+), 7 deletions(-) diff --git a/src/policies/IKeyReleasePolicy.ts b/src/policies/IKeyReleasePolicy.ts index ce4a14df..758719d3 100644 --- a/src/policies/IKeyReleasePolicy.ts +++ b/src/policies/IKeyReleasePolicy.ts 
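Review bot: The only change in the SnpAttestationClaims hunk `@@ -83,7 +83,7 @@` rewrites the comment `// committed_tcb` to `// committed_tcbx` followed by a stray backtick, which reads like an accidental keystroke rather than an intended edit; the commit message "missing attestation change" does not explain it. Restore `// committed_tcb` so the claim list stays consistent with the neighbouring field names (`reported_tcb`, `current_minor`, `committed_minor`).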
@@ -6,4 +6,4 @@ import { IKeyReleasePolicyProps } from ".."; export interface IKeyReleasePolicy { type: string; claims: IKeyReleasePolicyProps; -} +} \ No newline at end of file diff --git a/src/policies/IKeyReleasePolicyProps.ts b/src/policies/IKeyReleasePolicyProps.ts index 8d1f9b11..d5535c0b 100644 --- a/src/policies/IKeyReleasePolicyProps.ts +++ b/src/policies/IKeyReleasePolicyProps.ts @@ -27,4 +27,4 @@ export interface IKeyReleasePolicyProps { "x-ms-sevsnpvm-tee-svn"?: number[]; "x-ms-sevsnpvm-vmpl"?: number[]; "x-ms-ver"?: string[]; -} +} \ No newline at end of file diff --git a/src/policies/IPolicy.ts b/src/policies/IPolicy.ts index 4ebcc620..6c9e918b 100644 --- a/src/policies/IPolicy.ts +++ b/src/policies/IPolicy.ts @@ -3,4 +3,4 @@ export interface IPolicy { type: string; -} +} \ No newline at end of file diff --git a/src/policies/KeyReleasePolicy.ts b/src/policies/KeyReleasePolicy.ts index 1ac448b3..6b830654 100644 --- a/src/policies/KeyReleasePolicy.ts +++ b/src/policies/KeyReleasePolicy.ts @@ -8,4 +8,4 @@ export class KeyReleasePolicy implements IKeyReleasePolicy { public claims = { "x-ms-attestation-type": ["snp"], }; -} +} \ No newline at end of file diff --git a/src/policies/LoadPolicy.ts b/src/policies/LoadPolicy.ts index c960878a..a6cd466f 100644 --- a/src/policies/LoadPolicy.ts +++ b/src/policies/LoadPolicy.ts @@ -88,4 +88,4 @@ export class LoadPolicy { } return undefined; } -} +} \ No newline at end of file diff --git a/src/policies/Policy.ts b/src/policies/Policy.ts index 632d6804..03a5cc6d 100644 --- a/src/policies/Policy.ts +++ b/src/policies/Policy.ts @@ -1,3 +1,4 @@ + // Copyright (c) Microsoft Corporation. // Licensed under the MIT license. 
@@ -5,14 +6,14 @@ import { IPolicy } from "./IPolicy"; import { KeyReleasePolicy } from "./KeyReleasePolicy"; export class Policy { - private policy: T; + private policy: T | undefined; constructor(public name: string) { if (name === "key_release_policy") { this.policy = (new KeyReleasePolicy()); } } - public latestItem(): T { + public latestItem(): T | undefined { return this.policy; } } From 41fe7bb1ee3fe300f2d7aad37a230944a0e23c76 Mon Sep 17 00:00:00 2001 From: beejones Date: Sun, 21 Jul 2024 13:24:12 +0000 Subject: [PATCH 25/45] incremental cleanup REPOSITORIES --- src/repositories/KeyStore.ts | 3 ++- src/repositories/LastestItemStore.ts | 4 ++-- src/repositories/Maps.ts | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/repositories/KeyStore.ts b/src/repositories/KeyStore.ts index 7e10570c..f92383ef 100644 --- a/src/repositories/KeyStore.ts +++ b/src/repositories/KeyStore.ts @@ -1,3 +1,4 @@ + // Copyright (c) Microsoft Corporation. // Licensed under the MIT license. @@ -46,7 +47,7 @@ export class KeyStore { return identifier; }; - const version = this.store.getVersionOfPreviousWrite(id); + const version = this.store.getVersionOfPreviousWrite(id) || 0; Logger.debug(`version for id ${id}: ${JSON.stringify(version)}`); const states = ccf.historical.getStateRange( diff --git a/src/repositories/LastestItemStore.ts b/src/repositories/LastestItemStore.ts index f5242603..01247a7a 100644 --- a/src/repositories/LastestItemStore.ts +++ b/src/repositories/LastestItemStore.ts @@ -45,7 +45,7 @@ export class LastestItemStore { } public receipt(id: K) { - const version = this.store.getVersionOfPreviousWrite(id); + const version = this.store.getVersionOfPreviousWrite(id) || 0; Logger.debug(`version for id ${id}: ${JSON.stringify(version)}`); const states = ccf.historical.getStateRange(id, version, version, 1800); if (states !== null) { 
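Review bot: After the Policy.ts hunk (`@@ -5,14 +6,14 @@`) the constructor silently leaves `policy` undefined for every `name` other than `"key_release_policy"`, and `latestItem()` now returns `T | undefined` with no way for a caller to tell "unsupported policy name" from "policy not loaded". Rejecting unsupported names at construction keeps the failure local: `} else { throw new Error(\`Unsupported policy: ${name}\`); }`. If undefined is the intended contract, a TSDoc line on `latestItem()` stating that it is undefined for names the constructor does not recognise would spare readers a trip into the constructor.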
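Review bot: `getVersionOfPreviousWrite(id) || 0` in the KeyStore hunk (`@@ -46,7 +47,7 @@`) turns "no previous write for this id" into a historical query for version 0, which is not a real transaction version; the same substitution appears in the LastestItemStore hunk (`@@ -45,7 +45,7 @@`, in receipt()). The `|| 0` exists only to satisfy the checker, so an explicit early exit is clearer and keeps a missing id from looking like a lookup of a genuine version: `const version = this.store.getVersionOfPreviousWrite(id);` then `if (version === undefined) { return undefined; }`. The enclosing KeyStore method begins before the hunk, so its declared return type is not visible and the early-return value may need adjusting to match it.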
@@ -60,4 +60,4 @@ export class LastestItemStore { public getVersionOfPreviousWrite(id: K) { return this.store.getVersionOfPreviousWrite(id); } -} +} \ No newline at end of file diff --git a/src/repositories/Maps.ts b/src/repositories/Maps.ts index 8e63414f..8d67d34e 100644 --- a/src/repositories/Maps.ts +++ b/src/repositories/Maps.ts @@ -11,4 +11,4 @@ export const hpkeKeysMap = new KeyStore("HpkeKeys"); export const hpkeKeyIdMap = new LastestItemStore("HpkeKeyids"); export const keyReleaseMapName = "public:ccf.gov.policies.key_release"; export const keyReleasePolicyMap = ccf.kv[keyReleaseMapName]; -//#endregion +//#endregion \ No newline at end of file From 3df654b6aa0c32bc140686ede588c3c435d878d7 Mon Sep 17 00:00:00 2001 From: beejones Date: Mon, 22 Jul 2024 05:26:36 +0000 Subject: [PATCH 26/45] incremental cleanup utils --- src/utils/Logger.ts | 2 +- src/utils/ServiceRequest.ts | 9 +++++++-- src/utils/ServiceResult.ts | 14 +++++++------- src/utils/Tooling.ts | 2 +- 4 files changed, 16 insertions(+), 11 deletions(-) diff --git a/src/utils/Logger.ts b/src/utils/Logger.ts index 2cd5053a..98440191 100644 --- a/src/utils/Logger.ts +++ b/src/utils/Logger.ts @@ -95,4 +95,4 @@ export class Logger { static secret(message: string, ...args: any[]): boolean { return this.debug(message, ...args); } -} +} \ No newline at end of file diff --git a/src/utils/ServiceRequest.ts b/src/utils/ServiceRequest.ts index 1348738c..bb10f63a 100644 --- a/src/utils/ServiceRequest.ts +++ b/src/utils/ServiceRequest.ts 
@@ -49,14 +49,19 @@ export class ServiceRequest { * @returns {boolean} Returns true if the API is authenticated, otherwise false. */ public isAuthenticated(): [ - ccfapp.AuthnIdentityCommon, + ccfapp.AuthnIdentityCommon | undefined, ServiceResult, ] { const [policy, isValidIdentity] = new AuthenticationService().isAuthenticated(this.request); + + if (isValidIdentity === undefined) { + throw new Error("Could not retrieve validation provider"); + } + Logger.debug( `${this.name} Authorization: isAuthenticated-> ${JSON.stringify(isValidIdentity)}`, ); return [policy, isValidIdentity]; } -} +} \ No newline at end of file diff --git a/src/utils/ServiceResult.ts b/src/utils/ServiceResult.ts index 4406761b..21ee5003 100644 --- a/src/utils/ServiceResult.ts +++ b/src/utils/ServiceResult.ts @@ -19,13 +19,13 @@ export class ServiceResult { public readonly failure: boolean; public readonly statusCode: number; public readonly status: string; - public readonly body: T | null; - public readonly error: ErrorResponse | null; + public readonly body: T | undefined; + public readonly error: ErrorResponse | undefined; public readonly headers?: { [key: string]: string | number }; private constructor( - body: T | null, - error: ErrorResponse | null, + body: T | undefined, + error: ErrorResponse | undefined, success: boolean = false, statusCode: number, headers?: { [key: string]: string | number }, @@ -48,12 +48,12 @@ export class ServiceResult { Logger.debug("Response headers: ", headers); } - return new ServiceResult(body, null, true, 200, headers); + return new ServiceResult(body, undefined, true, 200, headers); } public static Accepted(): ServiceResult { Logger.debug("Response Accepted"); - return new ServiceResult(undefined, null, true, 202, { + return new ServiceResult(undefined, undefined, true, 202, { "retry-after": 3, }); } 
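Review bot: The new `throw new Error("Could not retrieve validation provider")` in isAuthenticated() (ServiceRequest hunk `@@ -49,14 +49,19 @@`) converts an authentication failure into an exception, while every caller on this page tests `isValidIdentity.failure` and returns the ServiceResult; presumably the exception surfaces as a generic server error rather than an authentication-failure response. Returning `[policy, ServiceResult.Failed({ errorMessage: "Could not retrieve validation provider" }, 401)]` keeps the method's contract uniform with its callers. The JSDoc above the signature also still says `@returns {boolean} Returns true if the API is authenticated`, but the method returns a tuple; the tag should describe the `[identity or undefined, ServiceResult]` pair instead.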
@@ -65,4 +65,4 @@ export class ServiceResult { Logger.error(`Failed result: ${statusCode}, `, error); return new ServiceResult(undefined, error, false, statusCode); } -} +} \ No newline at end of file diff --git a/src/utils/Tooling.ts b/src/utils/Tooling.ts index fe0d7aec..72210023 100644 --- a/src/utils/Tooling.ts +++ b/src/utils/Tooling.ts @@ -130,4 +130,4 @@ export const aToHex = (buf: ArrayBuffer) => { return Array.from(new Uint8Array(buf)) .map((n) => n.toString(16).padStart(2, "0")) .join(""); -}; +}; \ No newline at end of file From 12923d09c65f7f247c6747b289007253deeb20ca Mon Sep 17 00:00:00 2001 From: beejones Date: Mon, 22 Jul 2024 06:20:59 +0000 Subject: [PATCH 27/45] incremental cleanup e2etest --- test/e2e-test/src/api.ts | 14 +++++++------- test/e2e-test/src/index.ts | 4 ++-- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/test/e2e-test/src/api.ts b/test/e2e-test/src/api.ts index 895d50bf..dcb79a49 100644 --- a/test/e2e-test/src/api.ts +++ b/test/e2e-test/src/api.ts @@ -128,7 +128,7 @@ export default class Api { response = await Api.responsePromise(req); console.log("Status:", response.statusCode); console.log("Response data:", response.data); - } catch (error) { + } catch (error: any) { console.error("Error:", error.message); } finally { // Close the client session when done @@ -174,7 +174,7 @@ export default class Api { response = await Api.responsePromise(req); console.log("Status:", response.statusCode); console.log("Response data:", response.data); - } catch (error) { + } catch (error: any) { console.error("Error:", error.message); } finally { // Close the client session when done @@ -260,7 +260,7 @@ export default class Api { ]; } console.log("Response data:", response.data); - } catch (error) { + } catch (error: any) { console.error("Error:", error.message); } finally { // Close the client session when done 
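Review bot: `catch (error: any)` in the api.ts hunk `@@ -128,7 +128,7 @@` (and the identical edit in the hunks at -174, -260, -348, -427, -479 and -526, and in readJSON in index.ts) reintroduces `any` only to read `.message`; with `useUnknownInCatchVariables` the idiomatic form is `catch (error: unknown)` plus a narrow, `const message = error instanceof Error ? error.message : String(error);`. That also handles non-Error rejections (a string or plain object), where `error.message` is currently undefined and the log line prints "Error: undefined". Each catch sits in a method whose start lies outside its hunk.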
@@ -348,7 +348,7 @@ export default class Api { response.data ? JSON.parse(response.data) : undefined, ]; } - } catch (error) { + } catch (error: any) { console.error("Error:", error.message); throw new Error(error.message); } finally { @@ -427,7 +427,7 @@ export default class Api { response = await Api.responsePromise(req); console.log("Status:", response.statusCode); console.log("Response data:", response.data); - } catch (error) { + } catch (error: any) { console.error("Error:", error.message); } finally { // Close the client session when done @@ -479,7 +479,7 @@ export default class Api { response = await Api.responsePromise(req); console.log("Status:", response.statusCode); console.log("Response data:", response.data); - } catch (error) { + } catch (error: any) { console.error("Error:", error.message); } finally { // Close the client session when done @@ -526,7 +526,7 @@ export default class Api { console.log("Status:", response.statusCode); console.log("Response data:", response.data); console.log("Response headers:", response.headers); - } catch (error) { + } catch (error: any) { console.error("Error:", error.message); } finally { // Close the client session when done diff --git a/test/e2e-test/src/index.ts b/test/e2e-test/src/index.ts index 820e0052..34d82487 100644 --- a/test/e2e-test/src/index.ts +++ b/test/e2e-test/src/index.ts @@ -15,7 +15,7 @@ const readJSON = async (filePath: string): Promise => { try { const fileContents = fs.readFileSync(filePath, "utf-8"); return JSON.parse(fileContents); - } catch (error) { + } catch (error: any) { throw new Error(`Error reading JSON file: ${error.message}`); } }; @@ -347,7 +347,7 @@ class Demo { keyResponse.wrappedKid, attestation, private_wrapping_key, - undefined, + undefined, false, this.createHttpsAgent(member.id, AuthKinds.JWT), access_token, From 5eaf0b8a1647cadb0f690c18f5cab03d3046c600 Mon Sep 17 00:00:00 2001 
From: beejones Date: Mon, 22 Jul 2024 07:14:02 +0000 Subject: [PATCH 28/45] incremental cleanup IKeyItems, KeyGeneration --- src/endpoints/IKeyItem.ts | 9 +++++++-- src/endpoints/KeyGeneration.ts | 5 ++++- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/src/endpoints/IKeyItem.ts b/src/endpoints/IKeyItem.ts index 9dd0e5c9..935cd2f4 100644 --- a/src/endpoints/IKeyItem.ts +++ b/src/endpoints/IKeyItem.ts @@ -3,14 +3,19 @@ import { CryptoKeyPair, - JsonWebKeyEdDSAPrivate, + JsonWebKeyEdDSAPublic, } from "@microsoft/ccf-app/global"; +import { enableEndpoint } from "../utils/Tooling"; + +// Enable the endpoint +enableEndpoint(); // Define the interface for storing keys -export interface IKeyItem extends JsonWebKeyEdDSAPrivate { +export interface IKeyItem extends JsonWebKeyEdDSAPublic { timestamp?: number; receipt?: string; id?: number; + d?: string; } // Define an interface for a wrap key diff --git a/src/endpoints/KeyGeneration.ts b/src/endpoints/KeyGeneration.ts index 201bb5cd..727c4003 100644 --- a/src/endpoints/KeyGeneration.ts +++ b/src/endpoints/KeyGeneration.ts @@ -5,9 +5,12 @@ import * as ccfcrypto from "@microsoft/ccf-app/crypto"; import { ccf } from "@microsoft/ccf-app/global"; import { Base64 } from "js-base64"; import { IKeyItem } from "./IKeyItem"; -import { arrayBufferToHex } from "../utils/Tooling"; +import { arrayBufferToHex, enableEndpoint } from "../utils/Tooling"; import { Logger } from "../utils/Logger"; +// Enable the endpoint +enableEndpoint(); + export class KeyGeneration { // Calculate a sha2 digest public static calculateHash = (data: ArrayBuffer): Uint8Array => { From 0359673b2fe39bda31e3b6a51f8bda1b6124a35e Mon Sep 17 00:00:00 2001 
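Review bot: `enableEndpoint();` at module level in IKeyItem.ts (hunk `@@ -3,14 +3,19 @@`) gives a file that otherwise only declares interfaces a runtime side effect on import, and the companion call added to KeyGeneration.ts in the same commit is reverted later on this page while this one is left in place. The call belongs in the endpoint modules (keyEndpoint.ts does this already), so drop the import and the call here. Switching the base type to `JsonWebKeyEdDSAPublic` and adding `d?: string` also means one type now describes both a public key and a key carrying private material; a comment on the field such as `// EdDSA private scalar; present only on private key items — must not be returned or logged` would make that visible to code that handles IKeyItem values.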
From: beejones Date: Mon, 22 Jul 2024 07:58:25 +0000 Subject: [PATCH 29/45] lint --- src/attestation/AttestationValidation.ts | 2 +- src/attestation/ISnpAttestation.ts | 1 - src/attestation/ISnpAttestationReport.ts | 2 +- src/attestation/SnpAttestationClaims.ts | 2 +- src/authorization/AuthenticationService.ts | 2 +- src/authorization/IAuthenticationService.ts | 2 +- src/authorization/IValidationService.ts | 2 +- src/authorization/certs/MemberCertValidator.ts | 2 +- src/authorization/certs/UserCertValidator.ts | 2 +- src/authorization/jwt/DemoJwtProvider.ts | 2 +- src/authorization/jwt/IJwtIdentityProvider.ts | 2 +- src/authorization/jwt/JwtIdentityProviderEnum.ts | 2 +- src/authorization/jwt/JwtValidationPolicyMap.ts | 2 +- src/authorization/jwt/JwtValidator.ts | 2 +- src/authorization/jwt/MsJwtProvider.ts | 2 +- src/policies/IKeyReleasePolicy.ts | 2 +- src/policies/IKeyReleasePolicyProps.ts | 2 +- src/policies/IPolicy.ts | 2 +- src/policies/KeyReleasePolicy.ts | 2 +- src/policies/LoadPolicy.ts | 2 +- src/policies/Policy.ts | 1 - src/repositories/KeyStore.ts | 1 - src/repositories/LastestItemStore.ts | 2 +- src/repositories/Maps.ts | 2 +- src/utils/Logger.ts | 2 +- src/utils/ServiceRequest.ts | 2 +- src/utils/ServiceResult.ts | 2 +- src/utils/Tooling.ts | 2 +- 28 files changed, 25 insertions(+), 28 deletions(-) diff --git a/src/attestation/AttestationValidation.ts b/src/attestation/AttestationValidation.ts index f837d95f..06c05148 100644 --- a/src/attestation/AttestationValidation.ts +++ b/src/attestation/AttestationValidation.ts @@ -173,4 +173,4 @@ export const validateAttestation = ( 500, ); } -}; \ No newline at end of file +}; diff --git a/src/attestation/ISnpAttestation.ts b/src/attestation/ISnpAttestation.ts index b642bc5f..c386692d 100644 --- a/src/attestation/ISnpAttestation.ts +++ b/src/attestation/ISnpAttestation.ts @@ -1,4 +1,3 @@ - // Copyright (c) Microsoft Corporation. // Licensed under the MIT license. 
diff --git a/src/attestation/ISnpAttestationReport.ts b/src/attestation/ISnpAttestationReport.ts index d835e6ea..6f3726ed 100644 --- a/src/attestation/ISnpAttestationReport.ts +++ b/src/attestation/ISnpAttestationReport.ts @@ -32,4 +32,4 @@ export interface IAttestationReport { "uvm_endorsements-did"?: string; "uvm_endorsements-feed"?: string; "uvm_endorsements-svn"?: string; -} \ No newline at end of file +} diff --git a/src/attestation/SnpAttestationClaims.ts b/src/attestation/SnpAttestationClaims.ts index 4013720e..2a070ea4 100644 --- a/src/attestation/SnpAttestationClaims.ts +++ b/src/attestation/SnpAttestationClaims.ts @@ -112,4 +112,4 @@ export class SnpAttestationClaims { return reportClaims; } -} \ No newline at end of file +} diff --git a/src/authorization/AuthenticationService.ts b/src/authorization/AuthenticationService.ts index 91351d3f..bcbee0e7 100644 --- a/src/authorization/AuthenticationService.ts +++ b/src/authorization/AuthenticationService.ts @@ -75,4 +75,4 @@ export class AuthenticationService implements IAuthenticationService { ]; } } -} \ No newline at end of file +} diff --git a/src/authorization/IAuthenticationService.ts b/src/authorization/IAuthenticationService.ts index f3a59fc7..859ac6fc 100644 --- a/src/authorization/IAuthenticationService.ts +++ b/src/authorization/IAuthenticationService.ts @@ -16,4 +16,4 @@ export interface IAuthenticationService { ccfapp.AuthnIdentityCommon | undefined, ServiceResult | undefined, ]; -} \ No newline at end of file +} diff --git a/src/authorization/IValidationService.ts b/src/authorization/IValidationService.ts index cc8f6e9e..7e8a4e7d 100644 --- a/src/authorization/IValidationService.ts +++ b/src/authorization/IValidationService.ts @@ -10,4 +10,4 @@ import { ServiceResult } from "../utils/ServiceResult"; export interface IValidatorService { validate(request: ccfapp.Request): ServiceResult; -} \ No newline at end of file +} 
diff --git a/src/authorization/certs/MemberCertValidator.ts b/src/authorization/certs/MemberCertValidator.ts index 0ab1bef1..4de0ee3a 100644 --- a/src/authorization/certs/MemberCertValidator.ts +++ b/src/authorization/certs/MemberCertValidator.ts @@ -62,4 +62,4 @@ export class MemberCertValidator implements IValidatorService { }); } } -} \ No newline at end of file +} diff --git a/src/authorization/certs/UserCertValidator.ts b/src/authorization/certs/UserCertValidator.ts index 03083b74..24dd0764 100644 --- a/src/authorization/certs/UserCertValidator.ts +++ b/src/authorization/certs/UserCertValidator.ts @@ -59,4 +59,4 @@ export class UserCertValidator implements IValidatorService { const result = usersCerts.has(ccf.strToBuf(userId)); return ServiceResult.Succeeded(result); } -} \ No newline at end of file +} diff --git a/src/authorization/jwt/DemoJwtProvider.ts b/src/authorization/jwt/DemoJwtProvider.ts index ef0de085..2ca6bbdf 100644 --- a/src/authorization/jwt/DemoJwtProvider.ts +++ b/src/authorization/jwt/DemoJwtProvider.ts @@ -37,4 +37,4 @@ export class DemoJwtProvider implements IJwtIdentityProvider { Logger.debug(`JWT validation succeeded: ${identityId}`); return ServiceResult.Succeeded(identityId); } -} \ No newline at end of file +} diff --git a/src/authorization/jwt/IJwtIdentityProvider.ts b/src/authorization/jwt/IJwtIdentityProvider.ts index f2f4bea9..dcbee6b1 100644 --- a/src/authorization/jwt/IJwtIdentityProvider.ts +++ b/src/authorization/jwt/IJwtIdentityProvider.ts @@ -7,4 +7,4 @@ import { ServiceResult } from "../../utils/ServiceResult"; export interface IJwtIdentityProvider { isValidJwtToken(identity: ccfapp.JwtAuthnIdentity): ServiceResult; name: string; -} \ No newline at end of file +} diff --git a/src/authorization/jwt/JwtIdentityProviderEnum.ts b/src/authorization/jwt/JwtIdentityProviderEnum.ts index 5cb2419d..363bdfd7 100644 --- a/src/authorization/jwt/JwtIdentityProviderEnum.ts +++ b/src/authorization/jwt/JwtIdentityProviderEnum.ts 
@@ -7,4 +7,4 @@ export enum JwtIdentityProviderEnum { MS_AAD = "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/", Demo = "http://Demo-jwt-issuer", -} \ No newline at end of file +} diff --git a/src/authorization/jwt/JwtValidationPolicyMap.ts b/src/authorization/jwt/JwtValidationPolicyMap.ts index a555ed9a..6d4f3396 100644 --- a/src/authorization/jwt/JwtValidationPolicyMap.ts +++ b/src/authorization/jwt/JwtValidationPolicyMap.ts @@ -29,4 +29,4 @@ export class JwtValidationPolicyMap { Logger.info(`JWT validation: Policy: ${policy} for issuer: ${issuer}`); return JSON.parse(policy); } -} \ No newline at end of file +} diff --git a/src/authorization/jwt/JwtValidator.ts b/src/authorization/jwt/JwtValidator.ts index edd3a73f..b8f1b484 100644 --- a/src/authorization/jwt/JwtValidator.ts +++ b/src/authorization/jwt/JwtValidator.ts @@ -50,4 +50,4 @@ export class JwtValidator implements IValidatorService { ); return isValidJwtToken; } -} \ No newline at end of file +} diff --git a/src/authorization/jwt/MsJwtProvider.ts b/src/authorization/jwt/MsJwtProvider.ts index ebfa5eed..8c7551b5 100644 --- a/src/authorization/jwt/MsJwtProvider.ts +++ b/src/authorization/jwt/MsJwtProvider.ts @@ -70,4 +70,4 @@ export class MsJwtProvider implements IJwtIdentityProvider { const identityId = identity?.jwt?.payload?.sub; return ServiceResult.Succeeded(identityId); } -} \ No newline at end of file +} diff --git a/src/policies/IKeyReleasePolicy.ts b/src/policies/IKeyReleasePolicy.ts index 758719d3..ce4a14df 100644 --- a/src/policies/IKeyReleasePolicy.ts +++ b/src/policies/IKeyReleasePolicy.ts @@ -6,4 +6,4 @@ import { IKeyReleasePolicyProps } from ".."; export interface IKeyReleasePolicy { type: string; claims: IKeyReleasePolicyProps; -} \ No newline at end of file +} diff --git a/src/policies/IKeyReleasePolicyProps.ts b/src/policies/IKeyReleasePolicyProps.ts index d5535c0b..8d1f9b11 100644 --- a/src/policies/IKeyReleasePolicyProps.ts +++ b/src/policies/IKeyReleasePolicyProps.ts 
@@ -27,4 +27,4 @@ export interface IKeyReleasePolicyProps { "x-ms-sevsnpvm-tee-svn"?: number[]; "x-ms-sevsnpvm-vmpl"?: number[]; "x-ms-ver"?: string[]; -} \ No newline at end of file +} diff --git a/src/policies/IPolicy.ts b/src/policies/IPolicy.ts index 6c9e918b..4ebcc620 100644 --- a/src/policies/IPolicy.ts +++ b/src/policies/IPolicy.ts @@ -3,4 +3,4 @@ export interface IPolicy { type: string; -} \ No newline at end of file +} diff --git a/src/policies/KeyReleasePolicy.ts b/src/policies/KeyReleasePolicy.ts index 6b830654..1ac448b3 100644 --- a/src/policies/KeyReleasePolicy.ts +++ b/src/policies/KeyReleasePolicy.ts @@ -8,4 +8,4 @@ export class KeyReleasePolicy implements IKeyReleasePolicy { public claims = { "x-ms-attestation-type": ["snp"], }; -} \ No newline at end of file +} diff --git a/src/policies/LoadPolicy.ts b/src/policies/LoadPolicy.ts index a6cd466f..c960878a 100644 --- a/src/policies/LoadPolicy.ts +++ b/src/policies/LoadPolicy.ts @@ -88,4 +88,4 @@ export class LoadPolicy { } return undefined; } -} \ No newline at end of file +} diff --git a/src/policies/Policy.ts b/src/policies/Policy.ts index 03a5cc6d..be054f48 100644 --- a/src/policies/Policy.ts +++ b/src/policies/Policy.ts @@ -1,4 +1,3 @@ - // Copyright (c) Microsoft Corporation. // Licensed under the MIT license. diff --git a/src/repositories/KeyStore.ts b/src/repositories/KeyStore.ts index f92383ef..7a19a688 100644 --- a/src/repositories/KeyStore.ts +++ b/src/repositories/KeyStore.ts @@ -1,4 +1,3 @@ - // Copyright (c) Microsoft Corporation. // Licensed under the MIT license. diff --git a/src/repositories/LastestItemStore.ts b/src/repositories/LastestItemStore.ts index 01247a7a..ace387ed 100644 --- a/src/repositories/LastestItemStore.ts +++ b/src/repositories/LastestItemStore.ts @@ -60,4 +60,4 @@ export class LastestItemStore { public getVersionOfPreviousWrite(id: K) { return this.store.getVersionOfPreviousWrite(id); } -} \ No newline at end of file +} 
diff --git a/src/repositories/Maps.ts b/src/repositories/Maps.ts index 8d67d34e..8e63414f 100644 --- a/src/repositories/Maps.ts +++ b/src/repositories/Maps.ts @@ -11,4 +11,4 @@ export const hpkeKeysMap = new KeyStore("HpkeKeys"); export const hpkeKeyIdMap = new LastestItemStore("HpkeKeyids"); export const keyReleaseMapName = "public:ccf.gov.policies.key_release"; export const keyReleasePolicyMap = ccf.kv[keyReleaseMapName]; -//#endregion \ No newline at end of file +//#endregion diff --git a/src/utils/Logger.ts b/src/utils/Logger.ts index 98440191..2cd5053a 100644 --- a/src/utils/Logger.ts +++ b/src/utils/Logger.ts @@ -95,4 +95,4 @@ export class Logger { static secret(message: string, ...args: any[]): boolean { return this.debug(message, ...args); } -} \ No newline at end of file +} diff --git a/src/utils/ServiceRequest.ts b/src/utils/ServiceRequest.ts index bb10f63a..5c2173fc 100644 --- a/src/utils/ServiceRequest.ts +++ b/src/utils/ServiceRequest.ts @@ -64,4 +64,4 @@ export class ServiceRequest { ); return [policy, isValidIdentity]; } -} \ No newline at end of file +} diff --git a/src/utils/ServiceResult.ts b/src/utils/ServiceResult.ts index 21ee5003..de820126 100644 --- a/src/utils/ServiceResult.ts +++ b/src/utils/ServiceResult.ts @@ -65,4 +65,4 @@ export class ServiceResult { Logger.error(`Failed result: ${statusCode}, `, error); return new ServiceResult(undefined, error, false, statusCode); } -} \ No newline at end of file +} diff --git a/src/utils/Tooling.ts b/src/utils/Tooling.ts index 72210023..fe0d7aec 100644 --- a/src/utils/Tooling.ts +++ b/src/utils/Tooling.ts @@ -130,4 +130,4 @@ export const aToHex = (buf: ArrayBuffer) => { return Array.from(new Uint8Array(buf)) .map((n) => n.toString(16).padStart(2, "0")) .join(""); -}; \ No newline at end of file +}; From d21e7777304df7ef888169af4f7089a597f97458 Mon Sep 17 00:00:00 2001 
From: beejones Date: Mon, 22 Jul 2024 08:21:07 +0000 Subject: [PATCH 30/45] undo changes to KeyGeneration --- src/endpoints/KeyGeneration.ts | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/endpoints/KeyGeneration.ts b/src/endpoints/KeyGeneration.ts index 727c4003..201bb5cd 100644 --- a/src/endpoints/KeyGeneration.ts +++ b/src/endpoints/KeyGeneration.ts @@ -5,12 +5,9 @@ import * as ccfcrypto from "@microsoft/ccf-app/crypto"; import { ccf } from "@microsoft/ccf-app/global"; import { Base64 } from "js-base64"; import { IKeyItem } from "./IKeyItem"; -import { arrayBufferToHex, enableEndpoint } from "../utils/Tooling"; +import { arrayBufferToHex } from "../utils/Tooling"; import { Logger } from "../utils/Logger"; -// Enable the endpoint -enableEndpoint(); - export class KeyGeneration { // Calculate a sha2 digest public static calculateHash = (data: ArrayBuffer): Uint8Array => { From cd86a3f1c06eebe4a13bb6299e35af6a68fe15a9 Mon Sep 17 00:00:00 2001 From: beejones Date: Mon, 22 Jul 2024 09:15:14 +0000 Subject: [PATCH 31/45] incremental cleanup KeyWrapper --- src/endpoints/KeyWrapper.ts | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/endpoints/KeyWrapper.ts b/src/endpoints/KeyWrapper.ts index d81f73bc..99943893 100644 --- a/src/endpoints/KeyWrapper.ts +++ b/src/endpoints/KeyWrapper.ts @@ -114,7 +114,12 @@ export class KeyWrapper { payload: IKeyItem, ): string => { let tinkHpkeKey = new hpke.HpkePrivateKey(); - tinkHpkeKey.privateKey = Base64.toUint8Array(payload.d); + if (typeof payload.d === "string") { + tinkHpkeKey.privateKey = Base64.toUint8Array(payload.d); + } else { + throw new Error("payload.d is undefined or not a string"); + } + // TODO: check if we need to set tinkHpkeKey.publicKey. Based on tink.proto, it's optional though. // From the tink code, you can see currently version=0 is the only option tinkHpkeKey.version = 0; 
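Review bot: The new `if (typeof payload.d === "string") { ... } else { throw ... }` in the KeyWrapper hunk `@@ -114,7 +114,12 @@` reads more naturally as a guard clause: `if (typeof payload.d !== "string") { throw new Error("payload.d is undefined or not a string"); }` followed by the unconditional `tinkHpkeKey.privateKey = Base64.toUint8Array(payload.d);`. The decoded length is also not checked; if the KEM in use fixes the private key size, comparing `tinkHpkeKey.privateKey.length` against it here would reject truncated or mis-encoded material before it is wrapped. The enclosing arrow function starts before the hunk.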
@@ -212,7 +217,7 @@ export class KeyWrapper { private static getEncryptedKeyMaterial( wrappingKey: ArrayBuffer | undefined, payload: IKeyItem, - ): [string, string] { + ): [string, string | undefined] { Logger.debug(`getEncryptedKeyMaterial: `, payload); const receipt = payload.receipt; delete payload.receipt; From c1be619a256a3a83b3be2d3e9133b04bb4e80c7b Mon Sep 17 00:00:00 2001 From: beejones Date: Mon, 22 Jul 2024 11:41:39 +0000 Subject: [PATCH 32/45] incremental cleanup TinkKey --- src/endpoints/TinkKey.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/endpoints/TinkKey.ts b/src/endpoints/TinkKey.ts index 7df6ffad..a089e265 100644 --- a/src/endpoints/TinkKey.ts +++ b/src/endpoints/TinkKey.ts @@ -101,7 +101,10 @@ export class TinkKey { } // Get id of key - const primaryKeyId = this.keyItem[0].id; + const primaryKeyId = this.keyItem[0]?.id; + if (typeof primaryKeyId !== "number") { + throw new Error("primaryKeyId is undefined or not a number"); + } const tinkKeySet: ITinkKeySet = { primaryKeyId, From 4470daa4a9a85d0b9fdc7b82dcc2ac787e4aca35 Mon Sep 17 00:00:00 2001 From: beejones Date: Mon, 22 Jul 2024 12:33:05 +0000 Subject: [PATCH 33/45] incremental cleanup keyEndpoint --- src/endpoints/keyEndpoint.ts | 39 ++++++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/src/endpoints/keyEndpoint.ts b/src/endpoints/keyEndpoint.ts index 08be9140..b8088f5d 100644 --- a/src/endpoints/keyEndpoint.ts +++ b/src/endpoints/keyEndpoint.ts @@ -15,6 +15,9 @@ import { hpkeKeyIdMap, hpkeKeysMap } from "../repositories/Maps"; import { ServiceRequest } from "../utils/ServiceRequest"; import { Logger } from "../utils/Logger"; +// Enable the endpoint +enableEndpoint(); + //#region Key endpoints interface export interface IKeyRequest { attestation: ISnpAttestation; 
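Review bot: `Logger.debug(\`getEncryptedKeyMaterial: \`, payload);` (context line in the KeyWrapper hunk `@@ -212,7 +217,7 @@`) writes the whole IKeyItem to the debug log, and after this series IKeyItem carries `d`, the value the -114 hunk above decodes as the HPKE private key, so private key material lands in logs whenever debug logging is enabled. Log a redacted view instead, e.g. `Logger.debug(\`getEncryptedKeyMaterial: \`, { ...payload, d: payload.d === undefined ? undefined : "<redacted>" });`, or route it through `Logger.secret`, which this page shows exists although it currently just delegates to debug. The widened return type `[string, string | undefined]` is fine as far as the hunk shows; getEncryptedKeyMaterial continues outside it.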
@@ -39,9 +42,6 @@ export interface IUnwrapResponse { } //#endregion -// Enable the endpoint -enableEndpoint(); - /** * Checks if the request has a wrapping key and returns the wrapping key and its hash. * @param body - The request body containing the wrapping key. @@ -94,8 +94,10 @@ export const key = ( ): ServiceResult => { const name = "key"; const serviceRequest = new ServiceRequest(name, request); - let attestation: ISnpAttestation; - if (serviceRequest.body["attestation"]) { + let attestation: ISnpAttestation | undefined = undefined; + + // Check if serviceRequest.body is defined before accessing "attestation" + if (serviceRequest.body && serviceRequest.body["attestation"]) { attestation = serviceRequest.body["attestation"]; } @@ -113,8 +115,8 @@ export const key = ( const [_, isValidIdentity] = serviceRequest.isAuthenticated(); if (isValidIdentity.failure) return isValidIdentity; - let kid: string; - let id: number; + let kid: string | undefined = undefined; + let id: number | undefined; if (serviceRequest.query && serviceRequest.query["kid"]) { kid = serviceRequest.query["kid"]; } else { @@ -142,7 +144,7 @@ export const key = ( validateAttestationResult = validateAttestation(attestation); if (!validateAttestationResult.success) { return ServiceResult.Failed( - validateAttestationResult.error, + validateAttestationResult.error!, validateAttestationResult.statusCode, ); } 
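Review bot: The non-null assertions introduced in keyEndpoint.ts (`validateAttestationResult.error!` in the -142 hunk here, and `error!`, `body!` and `body!["x-ms-sevsnpvm-reportdata"]` in the -251, -276 and -291 hunks of unwrapKey, plus `policy!` in kms.ts) only silence the checker; they do not establish that the value is present. Each sits behind a `success`/`failure` test, so the cleaner fix is in ServiceResult itself: model it as a discriminated union on `success` (`{ success: true; body: T } | { success: false; error: ErrorResponse }`) so the existing checks narrow and the `!` can go. Short of that, a one-line comment at the first `!` explaining why the failure branch guarantees `error` would help the next reader. Both `key` and `unwrapKey` begin outside their hunks.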
@@ -215,8 +217,15 @@ export const unwrapKey = ( const name = "unwrapKey"; const serviceRequest = new ServiceRequest(name, request); - let attestation: ISnpAttestation; - if (serviceRequest.body["attestation"]) { + let attestation: ISnpAttestation | undefined = undefined; + + // Check if serviceRequest.body is defined before accessing "attestation" + if (serviceRequest.body && serviceRequest.body["attestation"]) { + attestation = serviceRequest.body["attestation"]; + } + + // Repeat the check wherever serviceRequest.body["attestation"] is accessed + if (serviceRequest.body && serviceRequest.body["attestation"]) { attestation = serviceRequest.body["attestation"]; } @@ -251,12 +260,12 @@ export const unwrapKey = ( if (wrappingKeyFromRequest.success === false) { // WrappingKey has errors return ServiceResult.Failed( - wrappingKeyFromRequest.error, + wrappingKeyFromRequest.error!, wrappingKeyFromRequest.statusCode, ); } - const wrappingKeyBuf = wrappingKeyFromRequest.body.wrappingKey; + const wrappingKeyBuf = wrappingKeyFromRequest.body!.wrappingKey; const wrappingKeyHash = KeyGeneration.calculateHexHash(wrappingKeyBuf); Logger.debug(`unwrapKey->wrapping key hash: ${wrappingKeyHash}`); @@ -276,7 +285,7 @@ export const unwrapKey = ( validateAttestationResult = validateAttestation(attestation); if (!validateAttestationResult.success) { return ServiceResult.Failed( - validateAttestationResult.error, + validateAttestationResult.error!, validateAttestationResult.statusCode, ); } 
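Review bot: The unwrapKey hunk `@@ -215,8 +217,15 @@` contains the block `if (serviceRequest.body && serviceRequest.body["attestation"]) { attestation = serviceRequest.body["attestation"]; }` twice in a row, the second copy introduced by the comment "Repeat the check wherever serviceRequest.body["attestation"] is accessed"; the second block assigns the same value again and is dead weight. Delete the second block and its comment so unwrapKey matches `key`, which performs the same guard once. unwrapKey starts before the hunk.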
@@ -291,13 +300,13 @@ export const unwrapKey = ( // Check if wrapping key match attestation if ( - !validateAttestationResult.body["x-ms-sevsnpvm-reportdata"].startsWith( + !validateAttestationResult.body!["x-ms-sevsnpvm-reportdata"].startsWith( wrappingKeyHash, ) ) { return ServiceResult.Failed( { - errorMessage: `${name}:wrapping key hash ${validateAttestationResult.body["x-ms-sevsnpvm-reportdata"]} does not match wrappingKey`, + errorMessage: `${name}:wrapping key hash ${validateAttestationResult.body!["x-ms-sevsnpvm-reportdata"]} does not match wrappingKey`, }, 400, ); From e6399186613471fe32b0f4a47730e4fde6754500 Mon Sep 17 00:00:00 2001 From: beejones Date: Mon, 22 Jul 2024 13:28:40 +0000 Subject: [PATCH 34/45] incremental cleanup kms, publickeyendpoint --- src/endpoints/kms.ts | 2 +- src/endpoints/publickeyEndpoint.ts | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/endpoints/kms.ts b/src/endpoints/kms.ts index d2daad6e..e98788f9 100644 --- a/src/endpoints/kms.ts +++ b/src/endpoints/kms.ts @@ -25,5 +25,5 @@ export const hearthbeat = ( const [policy, isValidIdentity] = serviceRequest.isAuthenticated(); if (isValidIdentity.failure) return isValidIdentity; - return ServiceResult.Succeeded(policy); + return ServiceResult.Succeeded(policy!); }; diff --git a/src/endpoints/publickeyEndpoint.ts b/src/endpoints/publickeyEndpoint.ts index c05218aa..4942ff91 100644 --- a/src/endpoints/publickeyEndpoint.ts +++ b/src/endpoints/publickeyEndpoint.ts @@ -68,9 +68,9 @@ export const pubkey = ( const [_, isValidIdentity] = serviceRequest.isAuthenticated(); if (isValidIdentity.failure) return isValidIdentity; - let id: number; + let id: number | undefined; try { - let kid: string; + let kid: string | undefined; if (serviceRequest.query && serviceRequest.query["kid"]) { kid = serviceRequest.query["kid"]; } else { From 54a38bb301e43bb02190909710a7c8a89d62afda Mon Sep 17 00:00:00 2001 
From: beejones Date: Mon, 22 Jul 2024 14:12:25 +0000 Subject: [PATCH 35/45] undo publicEndpoint --- src/endpoints/publickeyEndpoint.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/endpoints/publickeyEndpoint.ts b/src/endpoints/publickeyEndpoint.ts index 4942ff91..c05218aa 100644 --- a/src/endpoints/publickeyEndpoint.ts +++ b/src/endpoints/publickeyEndpoint.ts @@ -68,9 +68,9 @@ export const pubkey = ( const [_, isValidIdentity] = serviceRequest.isAuthenticated(); if (isValidIdentity.failure) return isValidIdentity; - let id: number | undefined; + let id: number; try { - let kid: string | undefined; + let kid: string; if (serviceRequest.query && serviceRequest.query["kid"]) { kid = serviceRequest.query["kid"]; } else { From 12ac057e239cc16846c50419e0b9d31334b54adb Mon Sep 17 00:00:00 2001 From: beejones Date: Mon, 22 Jul 2024 15:28:54 +0000 Subject: [PATCH 36/45] Update to key endpoints --- src/endpoints/keyEndpoint.ts | 6 ++---- src/endpoints/publickeyEndpoint.ts | 12 +++++------- tsconfig.json | 6 ++++++ 3 files changed, 13 insertions(+), 11 deletions(-) diff --git a/src/endpoints/keyEndpoint.ts b/src/endpoints/keyEndpoint.ts index b8088f5d..af685c09 100644 --- a/src/endpoints/keyEndpoint.ts +++ b/src/endpoints/keyEndpoint.ts @@ -115,11 +115,9 @@ export const key = ( const [_, isValidIdentity] = serviceRequest.isAuthenticated(); if (isValidIdentity.failure) return isValidIdentity; - let kid: string | undefined = undefined; + let kid = serviceRequest.query?.["kid"]; let id: number | undefined; - if (serviceRequest.query && serviceRequest.query["kid"]) { - kid = serviceRequest.query["kid"]; - } else { + if (kid === undefined) { [id, kid] = hpkeKeyIdMap.latestItem(); if (kid === undefined) { return ServiceResult.Failed( diff --git a/src/endpoints/publickeyEndpoint.ts b/src/endpoints/publickeyEndpoint.ts index c05218aa..46b30a71 100644 --- a/src/endpoints/publickeyEndpoint.ts +++ b/src/endpoints/publickeyEndpoint.ts 
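Review bot: Replacing the truthiness test with `if (kid === undefined)` in the keyEndpoint.ts hunk changes which requests fall back to the latest key: `?kid=` (an empty string) previously went to `hpkeKeyIdMap.latestItem()` and now looks up the empty string. If that is intended, a one-line comment above the `if` should say so; otherwise `if (!kid) {` keeps the previous behaviour. The same pattern is applied to `pubkey` in the next file section. `key`'s body continues outside the hunk.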
@@ -68,12 +68,10 @@ export const pubkey = ( const [_, isValidIdentity] = serviceRequest.isAuthenticated(); if (isValidIdentity.failure) return isValidIdentity; - let id: number; + let id: number | undefined; try { - let kid: string; - if (serviceRequest.query && serviceRequest.query["kid"]) { - kid = serviceRequest.query["kid"]; - } else { + let kid = serviceRequest.query?.["kid"]; + if (kid === undefined) { [id, kid] = hpkeKeyIdMap.latestItem(); if (kid === undefined) { return ServiceResult.Failed( @@ -95,7 +93,7 @@ export const pubkey = ( } Logger.debug(`Get key with kid ${kid}`); - const keyItem = hpkeKeysMap.store.get(kid) as IKeyItem; + const keyItem = hpkeKeysMap.store.get(kid!) as IKeyItem; if (keyItem === undefined) { return ServiceResult.Failed( { @@ -106,7 +104,7 @@ export const pubkey = ( } // Get receipt if available - const receipt = hpkeKeysMap.receipt(kid); + const receipt = hpkeKeysMap.receipt(kid!); if (receipt !== undefined) { keyItem.receipt = receipt; Logger.debug(`pubkey->Receipt: ${receipt}`); diff --git a/tsconfig.json b/tsconfig.json index 0d5a326d..6f1765f2 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -11,6 +11,12 @@ "sourceMap": false, "resolveJsonModule": true, "types": ["@types/node"], + "strictNullChecks": true, + "noImplicitReturns": true, + "noFallthroughCasesInSwitch": true, + "forceConsistentCasingInFileNames": true, + "esModuleInterop": true, + "skipLibCheck": true, "noUnusedLocals": true }, "include": ["src/**/*", "test/**/*"] From c53018534aeca3cef32480fe005697dcfbf8ff93 Mon Sep 17 00:00:00 2001 From: beejones Date: Mon, 22 Jul 2024 15:57:07 +0000 Subject: [PATCH 37/45] fix pip packages --- requirements.txt | 164 +++++++++++++++++++++++++++++++------- scripts/set_python_env.sh | 1 + 2 files changed, 135 insertions(+), 30 deletions(-) diff --git a/requirements.txt b/requirements.txt index e7fda43c..09f7a92e 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -1,31 +1,135 @@
-ccf
+adtk==0.6.2
+anyio==4.4.0
+asn1crypto==1.5.1
+attrs==23.2.0
+azure-core==1.30.2
+azure-storage-blob==12.21.0
+bcrypt==4.1.3
+better-exceptions==0.3.3
+blinker==1.8.2
+Brotli==1.1.0
+cbor2==5.6.4
+ccf==5.0.0
+certifi==2024.7.4
+certvalidator==0.11.1
+cffi==1.16.0
+cfgv==3.4.0
+charset-normalizer==3.3.2
+cimetrics==0.3.15
+click==8.1.7
+colorama==0.4.6
+Columnar==1.4.1
+ConfigArgParse==1.7
+contourpy==1.1.1
+cramjam==2.8.3
+cryptography==42.0.8
+cycler==0.12.1
+detect-secrets==1.5.0
+distlib==0.3.8
+dnspython==2.6.1
+docker==7.1.0
+docutils==0.20.1
+ecdsa==0.19.0
+exceptiongroup==1.2.2
+fastparquet==2023.10.1
+filelock==3.15.4
+flask==3.0.3
+Flask-Cors==4.0.1
+Flask-Login==0.6.3
+fonttools==4.53.1
+fsspec==2024.6.1
+gevent==24.2.1
+geventhttpclient==2.0.12
+gitdb==4.0.11
+GitPython==3.1.43
+greenlet==3.0.3
+grpcio==1.65.1
+grpcio-tools==1.44.0
+h11==0.14.0
+h2==4.1.0
+hpack==4.0.0
+httpcore==0.16.3
+httpx==0.23.3
+hyperframe==6.0.1
+identify==2.6.0
+idna==3.7
+importlib-metadata==8.0.0
+importlib-resources==6.4.0
+isodate==0.6.1
+itsdangerous==2.2.0
+jinja2==3.1.4
+joblib==1.4.2
+jsonschema==4.23.0
+jsonschema-path==0.3.3
+jsonschema-specifications==2023.12.1
+jwcrypto==1.5.6
+kiwisolver==1.4.5
+lazy-object-proxy==1.10.0
+locust==2.25.0
+loguru==0.7.2
+markdown-it-py==3.0.0
+MarkupSafe==2.1.5
+matplotlib==3.7.5
+mdurl==0.1.2
+msgpack==1.0.8
+nodeenv==1.9.1
+numpy==1.24.4
+openapi-schema-validator==0.6.2
+openapi-spec-validator==0.7.1
+oscrypto==1.3.0
+packaging==24.1
+pandas==2.0.3
+paramiko==3.4.0
+pathable==0.4.3
+patsy==0.5.6
+pillow==10.4.0
+pkgutil-resolve-name==1.3.10
+platformdirs==4.2.2
+plotext==5.2.8
+polars==1.2.1
+pre-commit==3.5.0
+prettytable==3.10.2
+protobuf==3.20.3
+psutil==6.0.0
+py-spy==0.3.14
+pyasn1==0.6.0
+pycose==1.1.0
+pycparser==2.22
+pygments==2.18.0
+PyJWT==2.8.0
+pymongo==4.8.0
+PyNaCl==1.5.0
+pyOpenSSL==24.2.1
+pyparsing==2.4.7
+python-dateutil==2.9.0.post0
+python-iptables==1.0.1
+pytz==2024.1
+PyYAML==6.0.1
+pyzmq==26.0.3 referencing==0.31.0 -wheel -paramiko -loguru -psutil -cimetrics>=0.2.1 -openapi-spec-validator -PyJWT -docutils -python-iptables -py-spy -GitPython -docker -better_exceptions -pyasn1 -Jinja2 -httpx[http2] == 0.23.* -locust -pyOpenSSL -grpcio-tools == 1.44.0 # Pin to a working version for SNP platform -JWCrypto == 1.5.* -pycose -rich -# Piccolo dependencies -fastparquet==2023.* -prettytable==3.* -polars -plotext -pre-commit -detect-secrets \ No newline at end of file +requests==2.32.3 +rfc3339-validator==0.1.4 +rfc3986==1.5.0 +rich==13.7.1 +roundrobin==0.0.4 +rpds-py==0.19.0 +scikit-learn==1.3.2 +scipy==1.10.1 +six==1.16.0 +smmap==5.0.1 +sniffio==1.3.1 +statsmodels==0.14.1 +string-color==1.2.3 +tabulate==0.9.0 +threadpoolctl==3.5.0 +tomli==2.0.1 +toolz==0.12.1 +typing-extensions==4.12.2 +tzdata==2024.1 +urllib3==2.2.2 +virtualenv==20.26.3 +wcwidth==0.2.13 +werkzeug==3.0.3 +zipp==3.19.2 +zope.event==5.0 +zope.interface==6.4.post2 diff --git a/scripts/set_python_env.sh b/scripts/set_python_env.sh index 555a160b..c126de01 100755 --- a/scripts/set_python_env.sh +++ b/scripts/set_python_env.sh @@ -11,6 +11,7 @@ if [ ! -d "$PYTHON_VENV" ]; then python3.8 -m venv $PYTHON_VENV echo "Activating virtual environment and installing dependencies..." source $PYTHON_VENV/bin/activate + pip install wheel pip install -U -r ./requirements.txt else echo "Activating existing virtual environment..." From 9e04db8c3bf6f8e6c20db008768557c3877375c1 Mon Sep 17 00:00:00 2001 From: beejones Date: Mon, 22 Jul 2024 16:18:58 +0000 Subject: [PATCH 38/45] undo public key change --- src/endpoints/publickeyEndpoint.ts | 12 +++++++----- tsconfig.json | 6 ------ 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/src/endpoints/publickeyEndpoint.ts b/src/endpoints/publickeyEndpoint.ts index 46b30a71..c05218aa 100644 --- a/src/endpoints/publickeyEndpoint.ts +++ b/src/endpoints/publickeyEndpoint.ts 
@@ -68,10 +68,12 @@ export const pubkey = ( const [_, isValidIdentity] = serviceRequest.isAuthenticated(); if (isValidIdentity.failure) return isValidIdentity; - let id: number | undefined; + let id: number; try { - let kid = serviceRequest.query?.["kid"]; - if (kid === undefined) { + let kid: string; + if (serviceRequest.query && serviceRequest.query["kid"]) { + kid = serviceRequest.query["kid"]; + } else { [id, kid] = hpkeKeyIdMap.latestItem(); if (kid === undefined) { return ServiceResult.Failed( @@ -93,7 +95,7 @@ export const pubkey = ( } Logger.debug(`Get key with kid ${kid}`); - const keyItem = hpkeKeysMap.store.get(kid!) as IKeyItem; + const keyItem = hpkeKeysMap.store.get(kid) as IKeyItem; if (keyItem === undefined) { return ServiceResult.Failed( { @@ -104,7 +106,7 @@ export const pubkey = ( } // Get receipt if available - const receipt = hpkeKeysMap.receipt(kid!); + const receipt = hpkeKeysMap.receipt(kid); if (receipt !== undefined) { keyItem.receipt = receipt; Logger.debug(`pubkey->Receipt: ${receipt}`); diff --git a/tsconfig.json b/tsconfig.json index 6f1765f2..0d5a326d 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -11,12 +11,6 @@ "sourceMap": false, "resolveJsonModule": true, "types": ["@types/node"], - "strictNullChecks": true, - "noImplicitReturns": true, - "noFallthroughCasesInSwitch": true, - "forceConsistentCasingInFileNames": true, - "esModuleInterop": true, - "skipLibCheck": true, "noUnusedLocals": true }, "include": ["src/**/*", "test/**/*"] From 4dedc76eb23ce52864fbde106cc02fdc85c75c6b Mon Sep 17 00:00:00 2001 From: beejones Date: Tue, 23 Jul 2024 07:30:07 +0000 Subject: [PATCH 39/45] Add strict tsconfig --- src/endpoints/publickeyEndpoint.ts | 4 ++-- tsconfig.json | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/endpoints/publickeyEndpoint.ts b/src/endpoints/publickeyEndpoint.ts index c05218aa..4942ff91 100644 --- a/src/endpoints/publickeyEndpoint.ts +++ b/src/endpoints/publickeyEndpoint.ts 
@@ -68,9 +68,9 @@ export const pubkey = ( const [_, isValidIdentity] = serviceRequest.isAuthenticated(); if (isValidIdentity.failure) return isValidIdentity; - let id: number; + let id: number | undefined; try { - let kid: string; + let kid: string | undefined; if (serviceRequest.query && serviceRequest.query["kid"]) { kid = serviceRequest.query["kid"]; } else { diff --git a/tsconfig.json b/tsconfig.json index 0d5a326d..6845793d 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -11,6 +11,7 @@ "sourceMap": false, "resolveJsonModule": true, "types": ["@types/node"], + "strict": true, "noUnusedLocals": true }, "include": ["src/**/*", "test/**/*"] From f577deac84ad3b58b18d777f881f28e803b0eb22 Mon Sep 17 00:00:00 2001 From: beejones Date: Tue, 23 Jul 2024 08:20:37 +0000 Subject: [PATCH 40/45] remove strict --- tsconfig.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tsconfig.json b/tsconfig.json index 6845793d..664b645a 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -11,7 +11,7 @@ "sourceMap": false, "resolveJsonModule": true, "types": ["@types/node"], - "strict": true, + "strict": false, "noUnusedLocals": true }, "include": ["src/**/*", "test/**/*"] From 589a49727907712d529844a967ab11862a2d66a2 Mon Sep 17 00:00:00 2001 From: beejones Date: Tue, 23 Jul 2024 09:24:00 +0000 Subject: [PATCH 41/45] switch back to strict mode --- tsconfig.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tsconfig.json b/tsconfig.json index 664b645a..6845793d 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -11,7 +11,7 @@ "sourceMap": false, "resolveJsonModule": true, "types": ["@types/node"], - "strict": false, + "strict": true, "noUnusedLocals": true }, "include": ["src/**/*", "test/**/*"] From 7234b5f772c5aeb04d46f5179e86ac355a871a55 Mon Sep 17 00:00:00 2001 
From: beejones Date: Wed, 24 Jul 2024 08:22:08 +0000 Subject: [PATCH 42/45] Addressing review comments --- scripts/set_python_env.sh | 2 +- src/attestation/SnpAttestationClaims.ts | 2 +- src/authorization/AuthenticationService.ts | 18 +++++++++++++----- src/authorization/IAuthenticationService.ts | 5 +---- src/authorization/jwt/MsJwtProvider.ts | 11 ++++++++++- src/repositories/KeyStore.ts | 8 +++++++- src/repositories/LastestItemStore.ts | 9 ++++++++- src/utils/ServiceRequest.ts | 4 ---- 8 files changed, 41 insertions(+), 18 deletions(-) diff --git a/scripts/set_python_env.sh b/scripts/set_python_env.sh index c126de01..e42de592 100755 --- a/scripts/set_python_env.sh +++ b/scripts/set_python_env.sh @@ -11,7 +11,7 @@ if [ ! -d "$PYTHON_VENV" ]; then python3.8 -m venv $PYTHON_VENV echo "Activating virtual environment and installing dependencies..." source $PYTHON_VENV/bin/activate - pip install wheel + pip install wheel==0.43.0 pip install -U -r ./requirements.txt else echo "Activating existing virtual environment..." diff --git a/src/attestation/SnpAttestationClaims.ts b/src/attestation/SnpAttestationClaims.ts index 2a070ea4..879828f0 100644 --- a/src/attestation/SnpAttestationClaims.ts +++ b/src/attestation/SnpAttestationClaims.ts @@ -83,7 +83,7 @@ export class SnpAttestationClaims { // report_id_ma // reported_tcb // chip_id - // committed_tcbx` + // committed_tcb // current_minor // current_build // committed_minor diff --git a/src/authorization/AuthenticationService.ts b/src/authorization/AuthenticationService.ts index bcbee0e7..270a93b7 100644 --- a/src/authorization/AuthenticationService.ts +++ b/src/authorization/AuthenticationService.ts 
@@ -47,10 +47,7 @@ export class AuthenticationService implements IAuthenticationService { */ public isAuthenticated( request: ccfapp.Request, - ): [ - ccfapp.AuthnIdentityCommon | undefined, - ServiceResult | undefined, - ] { + ): [ccfapp.AuthnIdentityCommon | undefined, ServiceResult] { let caller: ccfapp.AuthnIdentityCommon | undefined = undefined; try { const caller = request.caller as unknown as ccfapp.AuthnIdentityCommon; @@ -64,7 +61,18 @@ export class AuthenticationService implements IAuthenticationService { const validator = this.validators.get( caller.policy, ); - return [caller, validator?.validate(request)]; + + if (!validator === undefined) { + return [ + caller, + ServiceResult.Failed({ + errorMessage: `Error: invalid caller identity (AuthenticationService)-> ${caller.policy}`, + errorType: "AuthenticationError", + }), + ]; + } + + return [caller, validator!.validate(request)]; } catch (ex) { return [ caller, diff --git a/src/authorization/IAuthenticationService.ts b/src/authorization/IAuthenticationService.ts index 859ac6fc..ee339fe4 100644 --- a/src/authorization/IAuthenticationService.ts +++ b/src/authorization/IAuthenticationService.ts @@ -12,8 +12,5 @@ export interface IAuthenticationService { */ isAuthenticated( request: ccfapp.Request, - ): [ - ccfapp.AuthnIdentityCommon | undefined, - ServiceResult | undefined, - ]; + ): [ccfapp.AuthnIdentityCommon | undefined, ServiceResult]; } diff --git a/src/authorization/jwt/MsJwtProvider.ts b/src/authorization/jwt/MsJwtProvider.ts index 8c7551b5..238683cb 100644 --- a/src/authorization/jwt/MsJwtProvider.ts +++ b/src/authorization/jwt/MsJwtProvider.ts 
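Review bot: `if (!validator === undefined)` in the `@@ -64,7 +61,18 @@` hunk can never be true — `!validator` is a boolean, so comparing it with `undefined` is always false — which makes the new AuthenticationError branch dead and leaves `validator!.validate(request)` to throw on an unknown `caller.policy`, so such a request is rejected only by the generic `catch` below rather than by the explicit check. The line should read `if (validator === undefined) {`, after which the `!` in `validator!.validate(request)` is no longer needed. Unrelated to this change but visible in the first hunk: `const caller = request.caller as unknown as ccfapp.AuthnIdentityCommon;` inside the `try` shadows the outer `let caller`, so the `catch` path presumably always returns `undefined` for the identity. `isAuthenticated` continues outside the hunk.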
@@ -18,7 +18,16 @@ export const authorizeJwt = ( issuer: string, identity: ccfapp.JwtAuthnIdentity, ): ServiceResult => { - const policy = JwtValidationPolicyMap.read(issuer) || {}; + const policy = JwtValidationPolicyMap.read(issuer); + if (policy === undefined) { + return ServiceResult.Failed( + { + errorMessage: `issuer ${issuer} is not defined in the policy`, + errorType: "AuthenticationError", + }, + 500, + ); + } const keys = Object.keys(policy); for (let inx = 0; inx < keys.length; inx++) { diff --git a/src/repositories/KeyStore.ts b/src/repositories/KeyStore.ts index 7a19a688..4f5ae4b9 100644 --- a/src/repositories/KeyStore.ts +++ b/src/repositories/KeyStore.ts @@ -46,7 +46,13 @@ export class KeyStore { return identifier; }; - const version = this.store.getVersionOfPreviousWrite(id) || 0; + const version = this.store.getVersionOfPreviousWrite(id); + if (version === undefined) { + Logger.debug( + `version for id ${id} is undefined: ${JSON.stringify(version)}`, + ); + return undefined; + } Logger.debug(`version for id ${id}: ${JSON.stringify(version)}`); const states = ccf.historical.getStateRange( diff --git a/src/repositories/LastestItemStore.ts b/src/repositories/LastestItemStore.ts index ace387ed..69e771f6 100644 --- a/src/repositories/LastestItemStore.ts +++ b/src/repositories/LastestItemStore.ts @@ -45,7 +45,14 @@ export class LastestItemStore { } public receipt(id: K) { - const version = this.store.getVersionOfPreviousWrite(id) || 0; + const version = this.store.getVersionOfPreviousWrite(id); + if (version === undefined) { + Logger.debug( + `version for id ${id} is undefined: ${JSON.stringify(version)}`, + ); + return undefined; + } + Logger.debug(`version for id ${id}: ${JSON.stringify(version)}`); const states = ccf.historical.getStateRange(id, version, version, 1800); if (states !== null) { diff --git a/src/utils/ServiceRequest.ts b/src/utils/ServiceRequest.ts index 5c2173fc..b3338248 100644 --- a/src/utils/ServiceRequest.ts 
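Review bot: Returning status `500` for an issuer with no entry in `JwtValidationPolicyMap` reports a server fault for what is an authorization decision; since the result is tagged `errorType: "AuthenticationError"`, it should presumably carry the same status as the other `AuthenticationError` results on this page (which pass no explicit code), so that monitoring does not count every token from an unconfigured issuer as an outage. The direction of the change is right: the old `|| {}` let such a token pass every policy check vacuously, and the early return now fails closed. `authorizeJwt` continues outside the hunk.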
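Review bot: The new `is undefined` log line in the KeyStore.ts hunk (and the identical one in `LastestItemStore.receipt`) interpolates `${JSON.stringify(version)}`, which always renders `undefined` because the branch is only entered when `version === undefined`; ``Logger.debug(`no previous write for id ${id}`)`` says the same with less noise. The early `return undefined` widens the method's return type, which the visible caller in `pubkey` (`if (receipt !== undefined)`) already tolerates, but the method's doc comment should state that `undefined` means "no prior write" rather than an error. Both methods continue outside their hunks.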
+++ b/src/utils/ServiceRequest.ts @@ -55,10 +55,6 @@ export class ServiceRequest { const [policy, isValidIdentity] = new AuthenticationService().isAuthenticated(this.request); - if (isValidIdentity === undefined) { - throw new Error("Could not retrieve validation provider"); - } - Logger.debug( `${this.name} Authorization: isAuthenticated-> ${JSON.stringify(isValidIdentity)}`, ); From 32b4ffa08d766411fc0d7e6c86c9664f165e9618 Mon Sep 17 00:00:00 2001 From: beejones Date: Wed, 24 Jul 2024 09:10:34 +0000 Subject: [PATCH 43/45] Remove seperate wheel install --- requirements.txt | 1 + scripts/set_python_env.sh | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 09f7a92e..2a07f81a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -130,6 +130,7 @@ urllib3==2.2.2 virtualenv==20.26.3 wcwidth==0.2.13 werkzeug==3.0.3 +wheel==0.43.0 zipp==3.19.2 zope.event==5.0 zope.interface==6.4.post2 diff --git a/scripts/set_python_env.sh b/scripts/set_python_env.sh index e42de592..555a160b 100755 --- a/scripts/set_python_env.sh +++ b/scripts/set_python_env.sh @@ -11,7 +11,6 @@ if [ ! -d "$PYTHON_VENV" ]; then python3.8 -m venv $PYTHON_VENV echo "Activating virtual environment and installing dependencies..." source $PYTHON_VENV/bin/activate - pip install wheel==0.43.0 pip install -U -r ./requirements.txt else echo "Activating existing virtual environment..." From 2fe6bdfbd0727a7a37cd77b920780764bf2a7166 Mon Sep 17 00:00:00 2001 From: beejones Date: Wed, 24 Jul 2024 15:24:25 +0000 Subject: [PATCH 44/45] Update JWT policy file to support arrays --- governance/constitution/kms_actions.js | 15 +++++-- ...t_jwt_demo_validation_policy_proposal.json | 2 +- src/authorization/jwt/MsJwtProvider.ts | 21 +++++++++- test/e2e-test/src/api.ts | 10 ++++- test/e2e-test/src/index.ts | 42 +++++++++++++++++++ 5 files changed, 82 insertions(+), 8 deletions(-) 
diff --git a/governance/constitution/kms_actions.js b/governance/constitution/kms_actions.js index 85e48231..b9433965 100644 --- a/governance/constitution/kms_actions.js +++ b/governance/constitution/kms_actions.js @@ -19,10 +19,17 @@ actions.set( // Check validation policy if (args.validation_policy) { Object.keys(args.validation_policy).forEach((key) => { - console.log( - `validation policy: key ${key} = ${args.validation_policy[key]}`, - ); - checkType(args.validation_policy[key], "string", key); + if (Array.isArray(args.validation_policy[key])) { + console.log( + `validation policy: key ${key} is array = `, + args.validation_policy[key], + ); + } else { + console.log( + `validation policy: key ${key} = ${args.validation_policy[key]}`, + ); + checkType(args.validation_policy[key], "string", key); + } }); } }, diff --git a/governance/jwt/set_jwt_demo_validation_policy_proposal.json b/governance/jwt/set_jwt_demo_validation_policy_proposal.json index d5d9cf1a..69b175db 100644 --- a/governance/jwt/set_jwt_demo_validation_policy_proposal.json +++ b/governance/jwt/set_jwt_demo_validation_policy_proposal.json @@ -6,7 +6,7 @@ "issuer": "http://Demo-jwt-issuer", "validation_policy": { "iss": "http://Demo-jwt-issuer", - "sub": "c0d8e9a7-6b8e-4e1f-9e4a-3b2c1d0f5a6b", + "sub": ["c0d8e9a7-6b8e-4e1f-9e4a-3b2c1d0f5a6b", "some value"], "name": "Cool caller" } } diff --git a/src/authorization/jwt/MsJwtProvider.ts b/src/authorization/jwt/MsJwtProvider.ts index 238683cb..5af6cf03 100644 --- a/src/authorization/jwt/MsJwtProvider.ts +++ b/src/authorization/jwt/MsJwtProvider.ts @@ -14,6 +14,13 @@ export interface MSAccessToken { appid: string; ver: string; } + +/** + * Validate the JWT token + * @param issuer name of the issuer + * @param identity used to validate the JWT token + * @returns + */ export const authorizeJwt = ( issuer: string, identity: ccfapp.JwtAuthnIdentity, 
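Review bot: In the array branch of `@@ -19,10 +19,17 @@` the elements of `args.validation_policy[key]` are logged but never type-checked, while the scalar branch still runs `checkType(args.validation_policy[key], "string", key)`; a proposal can therefore store numbers, objects or nested arrays as allowed claim values, and `authorizeJwt` later compares them with `includes`. Each element should be validated in place of the `console.log`, e.g. `args.validation_policy[key].forEach((value, i) => checkType(value, "string", key + "[" + i + "]"));`, and an empty array deserves an explicit decision in the constitution since it makes the claim impossible to satisfy. The action body continues outside the hunk.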
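Review bot: The new TSDoc on `authorizeJwt` leaves `@returns` empty; it should state the contract, e.g. `@returns a succeeded ServiceResult when every claim named in the issuer's validation policy matches the token payload, otherwise a failed ServiceResult describing the first mismatch`. The `@param identity` line could also say which part is read — the `jwt.payload` claims — since that is all the function inspects in the following hunk. The function body continues in the next hunk.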
@@ -28,15 +35,27 @@ export const authorizeJwt = ( 500, ); } + const keys = Object.keys(policy); for (let inx = 0; inx < keys.length; inx++) { const key = keys[inx]; const jwtProp = identity?.jwt?.payload[key]; - const compliant = jwtProp === policy[key]; + let compliant = false; + + // Check if policy[key] is an array + if (Array.isArray(policy[key])) { + // Check if jwtProp is in the array + compliant = policy[key].includes(jwtProp); + } else { + // Perform the existing equality check + compliant = jwtProp === policy[key]; + } + Logger.debug( `isValidJwtToken: ${key}, expected: ${policy[key]}, found: ${jwtProp}, ${compliant}`, ); + if (!compliant) { const errorMessage = `The JWT has no valid ${key}, expected: ${policy[key]}, found: ${jwtProp}`; return ServiceResult.Failed( diff --git a/test/e2e-test/src/api.ts b/test/e2e-test/src/api.ts index dcb79a49..09b824be 100644 --- a/test/e2e-test/src/api.ts +++ b/test/e2e-test/src/api.ts @@ -206,6 +206,7 @@ export default class Api { privateWrapKey: string, publicWrapKey: string, tink: boolean, + kid: string | undefined, httpsAgent: https.Agent, authorizationHeader?: string, ): Promise< @@ -223,7 +224,12 @@ export default class Api { `${member.name} Get wrapped private key with receipt. tink: ${tink}:`, authorizationHeader, ); - const query = tink ? "?fmt=tink" : ""; + let query = tink ? "?fmt=tink" : ""; + if (kid) { + if (query === "") { + query = `?kid=${kid}`; + } else query = `${query}&kid=${kid}`; + } const reqProps: http2.OutgoingHttpHeaders = authorizationHeader ? { ":method": "POST", @@ -280,7 +286,7 @@ export default class Api { const resp = JSON.parse(response.data); console.log(`key returned: `, response.data); const receipt = resp.receipt; - console.log(`Key id: `, resp.wrappedKid); + console.log(`wrappedKid: `, resp.wrappedKid); console.log(`Receipt: `, resp.receipt); return [ diff --git a/test/e2e-test/src/index.ts b/test/e2e-test/src/index.ts index 34d82487..91953107 100644 --- a/test/e2e-test/src/index.ts 
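Review bot: The array branch `compliant = policy[key].includes(jwtProp);` only covers a scalar claim checked against a list of allowed values; a claim that is itself an array (`aud` may be one per RFC 7519, and group or role claims commonly are) fails both branches because `includes` and `===` compare arrays by reference, so such a policy entry can never be satisfied. That is fail-closed and therefore safe, but it should be stated in the TSDoc or handled, and if handled the any-of versus all-of semantics must be chosen deliberately (`jwtProp.some(...)` versus `jwtProp.every(...)`). The two-branch `let compliant = false` assignment reads more clearly as `const compliant = Array.isArray(policy[key]) ? policy[key].includes(jwtProp) : jwtProp === policy[key];`. `authorizeJwt` continues outside the hunk.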
+++ b/test/e2e-test/src/index.ts @@ -206,6 +206,7 @@ class Demo { private_wrapping_key, public_wrapping_key, false, + undefined, this.createHttpsAgent(member.id, AuthKinds.JWT), access_token, ).catch((error) => { @@ -227,6 +228,7 @@ class Demo { private_wrapping_key, public_wrapping_key, false, + undefined, this.createHttpsAgent(member.id, AuthKinds.MemberCerts), ).catch((error) => { console.log(`keyInitial error: `, error); @@ -242,6 +244,7 @@ class Demo { private_wrapping_key, public_wrapping_key, false, + undefined, this.createHttpsAgent(member.id, AuthKinds.NoAuth), ).catch((error) => { console.log(`keyInitial error: `, error); @@ -265,6 +268,7 @@ class Demo { private_wrapping_key, public_wrapping_key, false, + undefined, this.createHttpsAgent(member.id, AuthKinds.JWT), access_token, ).catch((error) => { @@ -288,6 +292,7 @@ class Demo { private_wrapping_key, public_wrapping_key, false, + undefined, this.createHttpsAgent(member.id, AuthKinds.JWT), access_token, )) as [{ [key: string]: string | number }, number, any]; @@ -302,6 +307,7 @@ class Demo { ); Demo.assertField(member.name, keyResponse, "receipt", notUndefinedString); //#endregion + //#region unwrap console.log(`๐Ÿ“ Get unwrapped key with JWT...`); let unwrapResponse; @@ -384,6 +390,7 @@ class Demo { private_wrapping_key, public_wrapping_key, true, + undefined, this.createHttpsAgent(member.id, AuthKinds.JWT), access_token, )) as [{ [key: string]: string | number }, number, any]; 
@@ -409,6 +416,41 @@ class Demo { const kid = wrapResponse.wrappedKid; console.log("kid: ", kid); + // Fetch with kid in jwt and tink + [headers, statusCode, wrapResponse] = (await Api.key( + this.demoProps, + member, + attestation, + private_wrapping_key, + public_wrapping_key, + false, + kid, + this.createHttpsAgent(member.id, AuthKinds.JWT), + access_token, + )) as [{ [key: string]: string | number }, number, any]; + Demo.assert("OK statusCode", statusCode === 200); + Demo.assert( + `keyResponse["wrappedKid"] === kid`, + keyResponse["wrappedKid"] === kid, + ); + + [headers, statusCode, wrapResponse] = (await Api.key( + this.demoProps, + member, + attestation, + private_wrapping_key, + public_wrapping_key, + true, + kid, + this.createHttpsAgent(member.id, AuthKinds.JWT), + access_token, + )) as [{ [key: string]: string | number }, number, any]; + Demo.assert("OK statusCode", statusCode === 200); + Demo.assert( + `keyResponse["wrappedKid"] === kid`, + keyResponse["wrappedKid"] === kid, + ); + console.log(`๐Ÿ“ Get private key with tink...`); [statusCode, unwrapResponse] = (await Api.unwrap( this.demoProps, From 58b24dac97a15529596dc64a69149110c0d89cef Mon Sep 17 00:00:00 2001 From: beejones Date: Thu, 25 Jul 2024 07:16:04 +0000 Subject: [PATCH 45/45] update jwt demo policy --- governance/jwt/set_jwt_demo_validation_policy_proposal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/governance/jwt/set_jwt_demo_validation_policy_proposal.json b/governance/jwt/set_jwt_demo_validation_policy_proposal.json index 69b175db..d5d9cf1a 100644 --- a/governance/jwt/set_jwt_demo_validation_policy_proposal.json +++ b/governance/jwt/set_jwt_demo_validation_policy_proposal.json @@ -6,7 +6,7 @@ "issuer": "http://Demo-jwt-issuer", "validation_policy": { "iss": "http://Demo-jwt-issuer", - "sub": ["c0d8e9a7-6b8e-4e1f-9e4a-3b2c1d0f5a6b", "some value"], + "sub": "c0d8e9a7-6b8e-4e1f-9e4a-3b2c1d0f5a6b", "name": "Cool caller" } }
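Review bot: Both new assertions check `keyResponse["wrappedKid"] === kid`, but the two `Api.key` calls just made store their result in `wrapResponse`, so the assertions re-test the earlier `keyResponse` and would still pass if the kid-filtered fetch returned a different key; they should read `wrapResponse["wrappedKid"] === kid` (and the label string too). The comment `// Fetch with kid in jwt and tink` sits above the call that passes `false` for tink; the tink variant is the second call, so the comments should be split accordingly. `headers` is assigned by both calls but never read in the hunk. The method continues outside the hunk.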