fix: add dynamic lookup of policy rules

Signed-off-by: Thomas Fossati <thomas.fossati@linaro.org>
veraison · Sep 26, 2024 · 9392a64 · 9392a64
1 parent 4e84d33
commit 9392a64
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 10 deletions.
diff --git a/rust-keybroker/keybroker-server/src/policy.rs b/rust-keybroker/keybroker-server/src/policy.rs
@@ -5,13 +5,18 @@ use crate::error::Result;
 use phf::{phf_map, Map};
 use regorus::{self, Value};
 
-pub static MEDIATYPES_TO_POLICY: Map<&'static str, &'static str> = phf_map! {
-    r#"application/eat-collection; profile="http://arm.com/CCA-SSD/1.0.0""# => include_str!("arm-cca.rego"),
+pub static MEDIATYPES_TO_POLICY: Map<&'static str, (&'static str, &'static str)> = phf_map! {
+    r#"application/eat-collection; profile="http://arm.com/CCA-SSD/1.0.0""# => ( include_str!("arm-cca.rego"), "data.arm_cca.allow" ),
     // Other, future mappings
 };
 
 // Evaluate an EAR claims-set against the appraisal policy and known-good RIM values
-pub(crate) fn rego_eval(policy: &str, reference_values: &str, ear_claims: &str) -> Result<Value> {
+pub(crate) fn rego_eval(
+    policy: &str,
+    policy_rule: &str,
+    reference_values: &str,
+    ear_claims: &str,
+) -> Result<Value> {
     // Create engine.
     let mut engine = regorus::Engine::new();
 
@@ -27,7 +32,7 @@ pub(crate) fn rego_eval(policy: &str, reference_values: &str, ear_claims: &str)
     // Set the EAR claims-set to be appraised
     engine.set_input(Value::from_json_str(ear_claims)?);
 
-    let results = engine.eval_rule("data.arm_cca.allow".to_string())?;
+    let results = engine.eval_rule(policy_rule.to_string())?;
 
     Ok(results)
 }
@@ -41,8 +46,13 @@ mod tests {
         let ear_claims = include_str!("../../../testdata/ear-claims-ok.json");
         let reference_values = stringify_testdata_path("rims-matching.json");
 
-        let results = rego_eval(include_str!("arm-cca.rego"), &reference_values, ear_claims)
-            .expect("successful eval");
+        let results = rego_eval(
+            include_str!("arm-cca.rego"),
+            "data.arm_cca.allow",
+            &reference_values,
+            ear_claims,
+        )
+        .expect("successful eval");
 
         assert_eq!(results.to_string(), "true");
     }
@@ -52,8 +62,13 @@ mod tests {
         let ear_claims = include_str!("../../../testdata/ear-claims-ok.json");
         let reference_values = stringify_testdata_path("rims-not-matching.json");
 
-        let results = rego_eval(include_str!("arm-cca.rego"), &reference_values, ear_claims)
-            .expect("successful eval");
+        let results = rego_eval(
+            include_str!("arm-cca.rego"),
+            "data.arm_cca.allow",
+            &reference_values,
+            ear_claims,
+        )
+        .expect("successful eval");
 
         assert_eq!(results.to_string(), "false");
     }

diff --git a/rust-keybroker/keybroker-server/src/verifier.rs b/rust-keybroker/keybroker-server/src/verifier.rs
@@ -64,15 +64,15 @@ pub fn verify_with_veraison_instance(
 
     let ear_claims = serde_json::to_string(&ear)?;
 
-    let policy = policy::MEDIATYPES_TO_POLICY
+    let (policy, policy_rule) = policy::MEDIATYPES_TO_POLICY
         .get(media_type)
         .ok_or(VerificationErrorKind::PolicyNotFound)?;
 
     // Appraise the received EAR using the embedded policy (see ./policy.rego)
     // unless a custom one has been provided on the command line.  The default
     // policy also wants to match the RIM value reported by the CCA token with
     // the known-good RIM values supplied on the command line.
-    let results = policy::rego_eval(policy, reference_values, &ear_claims)?;
+    let results = policy::rego_eval(policy, policy_rule, reference_values, &ear_claims)?;
 
     Ok(results.to_string() == "true")
 }