Merge pull request confidential-containers#620 from fitzthum/remove-p…

…roductid ear: remove productId from default policy
mkulke · Dec 11, 2024 · cadfd2f · cadfd2f
2 parents aee59e7 + 0d81afb
commit cadfd2f
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 16 deletions.
diff --git a/attestation-service/src/policy_engine/opa/mod.rs b/attestation-service/src/policy_engine/opa/mod.rs
@@ -208,21 +208,19 @@ mod tests {
         "sourced_data",
     ];
 
-    fn dummy_reference(product_id: u64, svn: u64, launch_digest: String) -> String {
+    fn dummy_reference(svn: u64, launch_digest: String) -> String {
         json!({
             "reference": {
-                "productId": [product_id.to_string()],
                 "svn": [svn.to_string()],
                 "launch_digest": [launch_digest]
             }
         })
         .to_string()
     }
 
-    fn dummy_input(product_id: u64, svn: u64, launch_digest: String) -> String {
+    fn dummy_input(svn: u64, launch_digest: String) -> String {
         json!({
             "sample": {
-                "productId": product_id.to_string(),
                 "svn": svn.to_string(),
                 "launch_digest": launch_digest
             }
@@ -231,14 +229,12 @@ mod tests {
     }
 
     #[rstest]
-    #[case(5,5,1,1,"aac43bb3".to_string(),"aac43bb3".to_string(),3,2)]
-    #[case(5,4,1,1,"aac43bb3".to_string(),"aac43bb3".to_string(),3,97)]
-    #[case(5,5,1,1,"aac43bb4".to_string(),"aac43bb3".to_string(),33,2)]
-    #[case(5,5,2,1,"aac43bb4".to_string(),"aac43bb3".to_string(),33,97)]
+    #[case(1,1,"aac43bb3".to_string(),"aac43bb3".to_string(),3,2)]
+    #[case(2,1,"aac43bb3".to_string(),"aac43bb3".to_string(),3,97)]
+    #[case(1,1,"aac43bb4".to_string(),"aac43bb3".to_string(),33,2)]
+    #[case(2,1,"aac43bb4".to_string(),"aac43bb3".to_string(),33,97)]
     #[tokio::test]
     async fn test_evaluate(
-        #[case] pid_a: u64,
-        #[case] pid_b: u64,
         #[case] svn_a: u64,
         #[case] svn_b: u64,
         #[case] digest_a: String,
@@ -253,8 +249,8 @@ mod tests {
 
         let output = opa
             .evaluate(
-                &dummy_reference(pid_a, svn_a, digest_a),
-                &dummy_input(pid_b, svn_b, digest_b),
+                &dummy_reference(svn_a, digest_a),
+                &dummy_input(svn_b, digest_b),
                 &default_policy_id,
                 &EAR_RULES,
             )

diff --git a/attestation-service/src/token/ear_default_policy.rego b/attestation-service/src/token/ear_default_policy.rego
@@ -78,10 +78,6 @@ sample_executables := 3 if {
 #  verifications needed to demonstrate that these are genuine/
 #  supported.
 sample_hardware := 2 if {
-	# The sample attester does not report any productId.
-	# This is an exmple of how a real platform might identify the hardware
-	# that is running.
-	input.sample.productId in data.reference.productId
 	input.sample.svn in data.reference.svn
 }