diff --git a/src/Attestation/Attestation.Test/ScenarioTests/AttstationPolicyTests.ps1 b/src/Attestation/Attestation.Test/ScenarioTests/AttstationPolicyTests.ps1 index b37b50edb03c..7512f0b42e01 100644 --- a/src/Attestation/Attestation.Test/ScenarioTests/AttstationPolicyTests.ps1 +++ b/src/Attestation/Attestation.Test/ScenarioTests/AttstationPolicyTests.ps1 @@ -37,7 +37,11 @@ function Test-GetAttestationPolicy Assert-NotNull $attestationCreated.Status $getPolicy = Get-AzAttestationPolicy -Name $attestationProviderName -ResourceGroupName $rgName.ResourceGroupName -Tee $teeType - Assert-NotNull $getPolicy + Assert-NotNull $getPolicy.Jwt + Assert-NotNull $getPolicy.Text + Assert-AreEqual "none" $getPolicy.Algorithm + Assert-True { $getPolicy.JwtLength -gt 0 } + Assert-True { $getPolicy.TextLength -gt 0 } } finally @@ -93,7 +97,8 @@ function Test-SetAttestationPolicy $attestationProviderName = getAssetName $location = "East US" $teeType = "SgxEnclave" - $policyDocument = "eyJhbGciOiJub25lIn0.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." + $policyJwt = "eyJhbGciOiJub25lIn0.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." + $policyText = 'version= 1.0;authorizationrules{c:[type=="$is-debuggable"] => permit();};issuancerules{c:[type=="$is-debuggable"] => issue(type="is-debuggable", value=c.value);c:[type=="$sgx-mrsigner"] => issue(type="sgx-mrsigner", value=c.value);c:[type=="$sgx-mrenclave"] => issue(type="sgx-mrenclave", value=c.value);c:[type=="$product-id"] => issue(type="product-id", value=c.value);c:[type=="$svn"] => issue(type="svn", value=c.value);c:[type=="$tee"] => issue(type="tee", value=c.value);c:[type=="$tee-future"] => issue(type="tee-future", value=c.value);};' # Prevent this script from inadvertantly running in Record or Playback modes try 
@@ -121,7 +126,10 @@ function Test-SetAttestationPolicy Assert-NotNull $attestationCreated.Status # NOTE: Set-AzAttestionPolicy does not work in recording/playback mode because the recorded JWT token expires and then fails validation - $setPolicyResponse = Set-AzAttestationPolicy -Name $attestationProviderName -ResourceGroupName $rgName.ResourceGroupName -Tee $teeType -Policy $policyDocument -PassThru + $setPolicyResponse = Set-AzAttestationPolicy -Name $attestationProviderName -ResourceGroupName $rgName.ResourceGroupName -Tee $teeType -Policy $policyJwt -PolicyFormat Jwt -PassThru + Assert-AreEqual $setPolicyResponse $true + + $setPolicyResponse = Set-AzAttestationPolicy -Name $attestationProviderName -ResourceGroupName $rgName.ResourceGroupName -Tee $teeType -Policy $policyText -PassThru Assert-AreEqual $setPolicyResponse $true } diff --git a/src/Attestation/Attestation/ChangeLog.md b/src/Attestation/Attestation/ChangeLog.md index 517f736ba4db..081eff30acb5 100644 --- a/src/Attestation/Attestation/ChangeLog.md +++ b/src/Attestation/Attestation/ChangeLog.md @@ -20,6 +20,7 @@ ## Upcoming Release +* Added text based policy support to policy cmdlets ## Version 0.1.6 * Improved error messages for server response codes 400 and 401 diff --git a/src/Attestation/Attestation/Commands/GetAzureAttestationPolicy.cs b/src/Attestation/Attestation/Commands/GetAzureAttestationPolicy.cs index 7108ee50a02e..6bb02ba0c7c1 100644 --- a/src/Attestation/Attestation/Commands/GetAzureAttestationPolicy.cs +++ b/src/Attestation/Attestation/Commands/GetAzureAttestationPolicy.cs @@ -23,7 +23,7 @@ namespace Microsoft.Azure.Commands.Attestation /// Get AttestationPolicy. /// [Cmdlet("Get", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "AttestationPolicy", SupportsShouldProcess = true)] - [OutputType(typeof(String))] + [OutputType(typeof(PSPolicy))] public class GetAzureAttestationPolicy : AttestationDataServiceCmdletBase { #region Input Parameter Definitions 
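Review bot: The new text-format call at the end of this hunk only checks that `Set-AzAttestationPolicy ... -Policy $policyText -PassThru` returned `$true`; nothing reads the policy back, so a text policy that was wrapped or stored incorrectly would still pass. After that call add `$getPolicy = Get-AzAttestationPolicy -Name $attestationProviderName -ResourceGroupName $rgName.ResourceGroupName -Tee $teeType` and `Assert-AreEqual $policyText $getPolicy.Text`, which exercises the text-to-JWT wrapping and the PSPolicy double-decode together. The NOTE comment in the same hunk says this path does not run in recording/playback mode, so the assertion is only reached in live runs. Test-SetAttestationPolicy continues outside the hunk.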
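Review bot: Changing `[OutputType(typeof(String))]` to `[OutputType(typeof(PSPolicy))]` is a breaking change for scripts that consumed the cmdlet's output as the raw JWT string (for example capturing it into a file or feeding it to Set-AzAttestationPolicy); they now receive an object and must read `.Jwt`. The ChangeLog hunk on this same line records only "Added text based policy support to policy cmdlets", so the output change is undocumented; add a line such as `* Get-AzAttestationPolicy now returns a PSPolicy object (Text, Jwt, Algorithm) instead of the raw JWT string`. The class body continues outside the hunk.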
@@ -79,7 +79,7 @@ public class GetAzureAttestationPolicy : AttestationDataServiceCmdletBase
 public override void ExecuteCmdlet()
 {
 String policy = AttestationDataPlaneClient.GetPolicy(Name, ResourceGroupName, ResourceId, Tee);
- WriteObject(policy);
+ WriteObject(new PSPolicy(policy));
 }
 }
 }
diff --git a/src/Attestation/Attestation/Commands/SetAzureAttestationPolicy.cs b/src/Attestation/Attestation/Commands/SetAzureAttestationPolicy.cs
index dee7587b7311..9a11825049c4 100644
--- a/src/Attestation/Attestation/Commands/SetAzureAttestationPolicy.cs
+++ b/src/Attestation/Attestation/Commands/SetAzureAttestationPolicy.cs
@@ -68,22 +68,33 @@ public class SetAzureAttestationPolicy : AttestationDataServiceCmdletBase /// [Parameter(Mandatory = true, HelpMessage = - "Specifies a type of Trusted Execution Environment. We support four types of environment: SgxEnclave, OpenEnclave, CyResComponent and VBSEnclave." + "Specifies a type of Trusted Execution Environment. Four types of environment are supported: SgxEnclave, OpenEnclave, CyResComponent and VBSEnclave." )] [PSArgumentCompleter("SgxEnclave", "OpenEnclave", "CyResComponent", "VBSEnclave")] [ValidateNotNullOrEmpty] public string Tee { get; set; } /// - /// JSON Web Token + /// Policy document /// [Parameter(Mandatory = true, HelpMessage = - "Specifies the JSON Web Token describing the policy document to set." + "Specifies the policy document to set. The policy format can be either Text or JSON Web Token (JWT)." )] [ValidateNotNullOrEmpty] public string Policy { get; set; } + /// + /// Format of the policy document + /// + [Parameter(Mandatory = false, + HelpMessage = + "Specifies the format for the policy, either Text or JWT (JSON Web Token). The default policy format is Text." + )] + [PSArgumentCompleter(TextPolicyFormat, JwtPolicyFormat)] + [PSDefaultValue(Value = TextPolicyFormat)] + public string PolicyFormat { get; set; } + [Parameter(Mandatory = false, HelpMessage = "This Cmdlet does not return an object by default. If this switch is specified, it returns true if successful.")] public SwitchParameter PassThru { get; set; } @@ -94,12 +105,15 @@ public override void ExecuteCmdlet() { if (ShouldProcess(Name, "SetAttestationPolicy")) { - AttestationDataPlaneClient.SetPolicy(Name, ResourceGroupName, ResourceId, Tee, Policy); + AttestationDataPlaneClient.SetPolicy(Name, ResourceGroupName, ResourceId, Tee, Policy, PolicyFormat); if (PassThru) { WriteObject(true); } } } + + internal const string JwtPolicyFormat = "JWT"; + internal const string TextPolicyFormat = "Text"; } } \ No newline at end of file 
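Review bot: The new `PolicyFormat` parameter is completed but never validated: `[PSArgumentCompleter(TextPolicyFormat, JwtPolicyFormat)]` accepts any string, so a typo such as `-PolicyFormat Jason` is only rejected later in AttestationDataServiceClient with an ArgumentException whose message is just the parameter name. Add `[ValidateSet(TextPolicyFormat, JwtPolicyFormat, IgnoreCase = true)]` beside the completer so the binder rejects bad values before ExecuteCmdlet runs and its error lists the accepted values. `[PSDefaultValue(Value = TextPolicyFormat)]` is help metadata only — the property is still null when the parameter is omitted and the client treats null as Text — so a one-line comment on the property, `// Null/empty is treated as Text by AttestationDataServiceClient.SetPolicy`, would prevent someone from relying on it. In the second hunk on this line the two `internal const` fields are placed after ExecuteCmdlet at the bottom of the class; conventional placement is with the other members at the top, ahead of the parameters that reference them.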
diff --git a/src/Attestation/Attestation/Models/AttestationDataServiceClient.cs b/src/Attestation/Attestation/Models/AttestationDataServiceClient.cs
index 130283b88d8b..dcf53888ab51 100644
--- a/src/Attestation/Attestation/Models/AttestationDataServiceClient.cs
+++ b/src/Attestation/Attestation/Models/AttestationDataServiceClient.cs
@@ -48,26 +48,29 @@ public AttestationDataServiceClient(IAuthenticationFactory authFactory, IAzureCo
 _attestationControlPlaneClient = AzureSession.Instance.ClientFactory.CreateArmClient(context, AzureEnvironment.Endpoint.ResourceManager);
 }
- public void SetPolicy(string name, string resourceGroupName, string resourceId, string tee, string policyJwt)
+ public void SetPolicy(string name, string resourceGroupName, string resourceId, string tee, string userSpecifiedPolicy, string policyFormat)
 {
 ValidateCommonParameters(ref name, ref resourceGroupName, resourceId);
 if (string.IsNullOrEmpty(tee))
 throw new ArgumentNullException(nameof(tee));
- if (string.IsNullOrEmpty(policyJwt))
- throw new ArgumentNullException(nameof(policyJwt));
+ if (string.IsNullOrEmpty(userSpecifiedPolicy))
+ throw new ArgumentNullException(nameof(userSpecifiedPolicy));
- // Step #1 - Ask service to prepare to set policy
+ // Step #1 - Convert text policy to JWT if necessary
+ var processedPolicy = GenerateJwtPolicyIfNeeded(policyFormat, userSpecifiedPolicy);
+
+ // Step #2 - Ask service to prepare to set policy
 AzureOperationResponse serviceCallResult = RefreshUriCacheAndRetryOnFailure(name, resourceGroupName, (tenantUri) =>
- _attestationDataPlaneClient.Policy.PrepareToSetWithHttpMessagesAsync(tenantUri, tee, policyJwt).Result);
+ _attestationDataPlaneClient.Policy.PrepareToSetWithHttpMessagesAsync(tenantUri, tee, processedPolicy).Result);
 ThrowOn4xxErrors(serviceCallResult);
- // Step #2 - Validate service response locally
+ // Step #3 - Validate service response locally
 string policyUpdateJwt = serviceCallResult.Body.ToString();
 var validatedToken = PolicyValidationHelper.ValidateAttestationServiceToken(name, DataPlaneUriLookup[(name, resourceGroupName)], policyUpdateJwt);
 if (!validatedToken.IsValid)
 throw new ArgumentException("policyJwt is not valid");
- // Step #3 - Ask service to set policy
+ // Step #4 - Ask service to set policy
 serviceCallResult = RefreshUriCacheAndRetryOnFailure(name, resourceGroupName, (tenantUri) =>
 _attestationDataPlaneClient.Policy.SetWithHttpMessagesAsync(tenantUri, tee, policyUpdateJwt).Result);
 ThrowOn4xxErrors(serviceCallResult);
@@ -133,6 +136,36 @@ public string RemovePolicySigner(string name, string resourceGroupName, string r
 #region Private helper methods
+ private string GenerateJwtPolicyIfNeeded(string policyFormat, string userSpecifiedPolicy)
+ {
+ var processedPolicy = string.Empty;
+ if (string.IsNullOrEmpty(policyFormat) ||
+ SetAzureAttestationPolicy.TextPolicyFormat.Equals(policyFormat, StringComparison.InvariantCultureIgnoreCase))
+ {
+ processedPolicy = this.GenerateJwtPolicy(userSpecifiedPolicy);
+ }
+ else if (SetAzureAttestationPolicy.JwtPolicyFormat.Equals(policyFormat, StringComparison.InvariantCultureIgnoreCase))
+ {
+ processedPolicy = userSpecifiedPolicy;
+ }
+ else
+ {
+ throw new ArgumentException(nameof(policyFormat));
+ }
+
+ return processedPolicy;
+ }
+
+ private string GenerateJwtPolicy(string textPolicy)
+ {
+ var header = Base64Url.EncodeString("{\"alg\":\"none\"}");
+ var encodedPolicy = Base64Url.EncodeString(textPolicy);
+ var bodyText = "{\"AttestationPolicy\": \"" + encodedPolicy + "\"}";
+ var body = Base64Url.EncodeString(bodyText);
+
+ return $"{header}.{body}.";
+ }
+
 private void ValidateCommonParameters(ref string name, ref string resourceGroupName, string resourceId)
 {
 if (!string.IsNullOrEmpty(resourceId))
diff --git a/src/Attestation/Attestation/Models/Base64Url.cs b/src/Attestation/Attestation/Models/Base64Url.cs
index 61d87eb7dda4..de87818354da 100644
--- a/src/Attestation/Attestation/Models/Base64Url.cs
+++ b/src/Attestation/Attestation/Models/Base64Url.cs
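Review bot: The public `SetPolicy` signature gains `policyFormat` without any documentation of its contract: null/empty and "Text" mean the value is wrapped into a fresh unsigned (`alg: none`) token by GenerateJwtPolicyIfNeeded, "JWT" means it is sent through unchanged, and anything else throws. Because Text is the default, a caller who passes an already-built JWT without `-PolicyFormat JWT` gets that JWT base64url-encoded again as if it were policy text; the service will presumably reject it, but the failure then surfaces as a 4xx from PrepareToSet rather than a clear client-side message. An XML summary on SetPolicy stating the accepted values, the null-means-Text rule, and that a signed policy token can only be supplied via the JWT format (the text path always produces an unsigned token) would make this explicit to callers. The method body is complete within the hunk.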
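Review bot: `throw new ArgumentException(nameof(policyFormat))` in GenerateJwtPolicyIfNeeded passes the parameter name as the message, so the user sees the bare text "policyFormat" with no hint of what was wrong; use the two-argument form `throw new ArgumentException($"Unsupported policy format '{policyFormat}'; expected {SetAzureAttestationPolicy.TextPolicyFormat} or {SetAzureAttestationPolicy.JwtPolicyFormat}.", nameof(policyFormat));`. The two `Equals` calls compare fixed identifiers, so `StringComparison.OrdinalIgnoreCase` is the appropriate choice over InvariantCultureIgnoreCase. In GenerateJwtPolicy the body JSON is built by string concatenation, which is only safe because `encodedPolicy` is base64url output and cannot contain quotes or backslashes; a comment such as `// encodedPolicy is base64url, so it needs no JSON escaping` records that precondition before anyone splices raw text into the same template. `this.GenerateJwtPolicy` also mixes an explicit `this.` with the unqualified calls used elsewhere in the file.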
@@ -13,23 +13,40 @@
 // ----------------------------------------------------------------------------------
 using System;
+using System.Text;
 namespace Microsoft.Azure.Commands.Attestation.Models
 {
 public static class Base64Url
 {
+ /// Encode a string as a Base64URL encoded string.
+ /// String input buffer.
+ /// The UTF8 bytes for the string, encoded as a Base64URL string.
+ public static string EncodeString(string value)
+ {
+ return EncodeBytes(UTF8Encoding.UTF8.GetBytes(value));
+ }
+
 /// Encode a byte array as a Base64URL encoded string.
 /// Raw byte input buffer.
 /// The bytes, encoded as a Base64URL string.
- public static string Encode(byte[] bytes)
+ public static string EncodeBytes(byte[] bytes)
 {
 return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
 }
+ /// Converts a Base64URL encoded string to a string
+ /// The Base64Url encoded string containing UTF8 bytes for a string
+ /// The string represented by the Base64URL encoded string
+ public static string DecodeString(string encoded)
+ {
+ return UTF8Encoding.UTF8.GetString(DecodeBytes(encoded));
+ }
+
 /// Converts a Base64URL encoded string to a byte array
 /// The Base64Url encoded string
 /// The byte array represented by the Base64URL encoded string
- public static byte[] Decode(string encoded)
+ public static byte[] DecodeBytes(string encoded)
 {
 encoded = encoded.Replace('-', '+').Replace('_', '/');
 encoded = FixPadding(encoded);
diff --git a/src/Attestation/Attestation/Models/JoseHelper.cs b/src/Attestation/Attestation/Models/JoseHelper.cs
new file mode 100644
index 000000000000..b6a1b21b386b
--- /dev/null
+++ b/src/Attestation/Attestation/Models/JoseHelper.cs
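Review bot: Renaming the public `Encode`/`Decode` methods to `EncodeBytes`/`DecodeBytes` changes the surface of a `public static class`; every in-repo caller is updated in this commit, but any external assembly bound to `Base64Url.Encode` will break, so if that matters for this module keep `[Obsolete]` one-line forwarders under the old names for a release. `UTF8Encoding.UTF8` reaches the inherited static member through the derived type; `Encoding.UTF8`, available via the new `using System.Text;`, is the conventional spelling. Null handling is also inconsistent between the new pair: `EncodeString(null)` throws ArgumentNullException from GetBytes, while `DecodeString(null)` dereferences `encoded` inside DecodeBytes and throws NullReferenceException — a guard `if (encoded is null) throw new ArgumentNullException(nameof(encoded));` at the top of DecodeBytes, plus an exception note in the summaries, would align them. DecodeBytes continues outside the hunk.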
@@ -0,0 +1,34 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Newtonsoft.Json.Linq;
+
+namespace Microsoft.Azure.Commands.Attestation.Models
+{
+ internal class JoseHelper
+ {
+ public static JObject ExtractJosePart(string jwt, int partIndex)
+ {
+ string[] joseParts = jwt.Split('.');
+ var decodedPart = Base64Url.DecodeString(joseParts[partIndex]);
+ JObject jsonPart = JObject.Parse(decodedPart);
+ return jsonPart;
+ }
+ public static JToken ExtractJosePartField(string jwt, int partIndex, string fieldName)
+ {
+ var part = ExtractJosePart(jwt, partIndex);
+ return part[fieldName];
+ }
+ }
+}
diff --git a/src/Attestation/Attestation/Models/PSPolicy.cs b/src/Attestation/Attestation/Models/PSPolicy.cs
new file mode 100644
index 000000000000..fc5bdfe122cb
--- /dev/null
+++ b/src/Attestation/Attestation/Models/PSPolicy.cs
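Review bot: `ExtractJosePart` indexes the result of `jwt.Split('.')` with `partIndex` unchecked, so a token with fewer segments than `partIndex + 1` throws IndexOutOfRangeException, and `ExtractJosePartField` returns null for an absent `fieldName`, which its callers then dereference with `.ToString()`. Both failures land in the `catch (Exception)` blocks of PSPolicy and PSPolicySigners, so a malformed token is silently reported as empty values. Guard the index with `if (joseParts.Length <= partIndex) throw new ArgumentException($"JWT has {joseParts.Length} part(s); part {partIndex} was requested.", nameof(jwt));` and add XML summaries stating that both methods throw on a malformed token and that ExtractJosePartField returns null for a missing field. Since the class has only static members, declare it `internal static class JoseHelper`.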
@@ -0,0 +1,82 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+
+namespace Microsoft.Azure.Commands.Attestation.Models
+{
+ public class PSPolicy
+ {
+ public PSPolicy(string jwt)
+ {
+ Jwt = jwt;
+ JwtLength = Jwt?.Length ?? 0;
+ Text = ExtractPolicyText(Jwt);
+ TextLength = Text?.Length ?? 0;
+ Algorithm = ExtractAlgorithm(Jwt);
+ }
+
+ public string Text { get; }
+
+ public int TextLength { get; }
+
+ public string Jwt { get; }
+
+ public int JwtLength { get; }
+
+ public string Algorithm { get; protected set; }
+
+ private static string ExtractAlgorithm(string jwt)
+ {
+ var algorithm = string.Empty;
+ if (!string.IsNullOrEmpty(jwt))
+ {
+ try
+ {
+ algorithm = JoseHelper.ExtractJosePartField(jwt, 0, "alg").ToString();
+ }
+ catch (Exception)
+ {
+ // Ignore on purpose
+ }
+ }
+ return algorithm;
+ }
+
+ private static string ExtractPolicyText(string jwt)
+ {
+ string parsedPolicy = string.Empty;
+
+ if (!string.IsNullOrEmpty(jwt))
+ {
+ try
+ {
+ parsedPolicy = JoseHelper.ExtractJosePartField(jwt, 1, "AttestationPolicy").ToString();
+
+ // Policy is optionally double base64 URL encoded. We will attempt
+ // to base64 URL decode a second time -- if this throws an exception,
+ // that's OK -- we should just use value as it stands now.
+ var doubleDecodedPolicy = Base64Url.DecodeString(parsedPolicy);
+ parsedPolicy = doubleDecodedPolicy;
+ }
+ catch (Exception)
+ {
+ // Ignore on purpose
+ }
+ }
+
+ return parsedPolicy;
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/Attestation/Attestation/Models/PSPolicySigners.cs b/src/Attestation/Attestation/Models/PSPolicySigners.cs
index c6216f1d0899..adcd51b4e7c8 100644
--- a/src/Attestation/Attestation/Models/PSPolicySigners.cs
+++ b/src/Attestation/Attestation/Models/PSPolicySigners.cs
@@ -12,6 +12,7 @@
 // limitations under the License.
 // ----------------------------------------------------------------------------------
+using System;
 using System.Linq;
 using System.Reflection;
 using System.Text;
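Review bot: In `ExtractPolicyText` one `try` wraps both the claim extraction and the optional second base64url decode, so the comment's "if this throws, that's OK" also silently covers a token with no `AttestationPolicy` claim or an unparsable body, leaving `Text` as the empty string with no way for the caller to tell a malformed token from an empty policy. Move the `ExtractJosePartField(...).ToString()` call out of the best-effort block (let it propagate, or narrow its catch to `FormatException` and `JsonReaderException`) and keep only `Base64Url.DecodeString(parsedPolicy)` inside it; the same split applies to `ExtractAlgorithm`, whose `catch (Exception)` hides the failures the `Assert-AreEqual "none" $getPolicy.Algorithm` test assertion depends on. The decode heuristic itself deserves a sentence in the comment: it works because genuine policy text contains characters such as `=` and `;` that are not in the base64 alphabet, so the second decode throws rather than producing garbage. `Algorithm { get; protected set; }` is the only settable property on an otherwise immutable type and nothing sets it after construction, so make it `get;` and mark the class `sealed`.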
@@ -39,36 +40,45 @@ public PSPolicySigners(string jwt)
 public string[] Certificates { get; protected set; }
- private static JObject ExtractJosePart(string jwt, int partIndex)
- {
- string[] joseParts = jwt.Split('.');
- var decodedBody = Encoding.UTF8.GetString(Base64Url.Decode(joseParts[partIndex]));
- JObject jsonBody = JObject.Parse(decodedBody);
- return jsonBody;
- }
-
 private static (string algorithm, string jku) ExtractHeaders(string jwt)
 {
 var algorithm = "";
 var jku = "";
 if (!string.IsNullOrEmpty(jwt))
 {
- var parsedHeader = ExtractJosePart(jwt, 0);
- algorithm = parsedHeader["alg"].ToString();
- jku = parsedHeader["jku"].ToString();
+ try
+ {
+ var parsedHeader = JoseHelper.ExtractJosePart(jwt, 0);
+ algorithm = parsedHeader["alg"].ToString();
+ jku = parsedHeader["jku"].ToString();
+ }
+ catch (Exception)
+ {
+ // Ignore on purpose
+ }
 }
 return (algorithm, jku);
 }
+
 private static string[] ExtractCertificates(string jwt)
 {
- if (string.IsNullOrEmpty(jwt))
+ string[] certificates = new string[0];
+
+ if (!string.IsNullOrEmpty(jwt))
 {
- return new string[0];
+ try
+ {
+ var parsedBody = JoseHelper.ExtractJosePart(jwt, 1);
+ var parsedCertificates = parsedBody["aas-policyCertificates"]["keys"].ToArray();
+ certificates = parsedCertificates.Select(c => c.ToString()).ToArray();
+ }
+ catch (Exception)
+ {
+ // Ignore on purpose
+ }
 }
- var parsedBody = ExtractJosePart(jwt, 1);
- var parsedCertificates = parsedBody["aas-policyCertificates"]["keys"].ToArray();
- return parsedCertificates.Select(c => c.ToString()).ToArray();
+ return certificates;
 }
 }
 }
\ No newline at end of file
diff --git a/src/Attestation/Attestation/Models/PolicyValidationHelper.cs b/src/Attestation/Attestation/Models/PolicyValidationHelper.cs
index 84466259ae94..283778e4cf7c 100644
--- a/src/Attestation/Attestation/Models/PolicyValidationHelper.cs
+++ b/src/Attestation/Attestation/Models/PolicyValidationHelper.cs
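Review bot: `ExtractCertificates` now returns an empty array for every failure — a token with too few segments, an undecodable part, a body without `aas-policyCertificates`/`keys` — and `catch (Exception)` also swallows the NullReferenceException and IndexOutOfRangeException that signal a bug rather than bad input. For output that tells an operator which certificates may sign attestation policy, an empty `Certificates` list is security-relevant: "no signers configured" and "the token could not be parsed" should not look identical. Narrow the catches to the expected parse failures (`FormatException`, `JsonReaderException`) and let the rest surface, or at least return the failure so the cmdlet can emit a warning; `ExtractHeaders` in the same hunk has the same catch-all. `new string[0]` can become `Array.Empty<string>()` now that `using System;` is added in the previous hunk.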
@@ -88,7 +88,7 @@ private static JsonWebKeySet RetrieveTrustedSigningKeys(string policyJwt, string
 {
 // Parse attestation service trusted signing key discovery endpoint from JWT header jku field
 var jwt = new JsonWebToken(policyJwt);
- var jsonHeaderBytes = Base64Url.Decode(jwt.EncodedHeader);
+ var jsonHeaderBytes = Base64Url.DecodeBytes(jwt.EncodedHeader);
 var jsonHeaderString = Encoding.UTF8.GetString(jsonHeaderBytes);
 var jsonHeader = JObject.Parse(jsonHeaderString);
 var jkuUri = jsonHeader.SelectToken("jku");
diff --git a/src/Attestation/Attestation/help/Get-AzAttestationPolicy.md b/src/Attestation/Attestation/help/Get-AzAttestationPolicy.md
index 95d731c61f8f..61557fa7f15e 100644
--- a/src/Attestation/Attestation/help/Get-AzAttestationPolicy.md
+++ b/src/Attestation/Attestation/help/Get-AzAttestationPolicy.md
@@ -31,8 +31,25 @@ The Get-AzAttestationPolicy cmdlet gets the policy from a tenant in Azure Attest ### Example 1 ```powershell -PS C:\> Get-AzAttestationPolicy -Name pshtest -ResourceGroupName psh-test-rg -Tee SgxEnclave -eyJhbGciOiJub25lIn0.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. +PS C:\> Get-AzAttestationPolicy -Name pshtest -ResourceGroupName psh-test-rg -Tee SgxEnclave +Text : version= 1.0; + authorizationrules{ + c:[type=="$is-debuggable"] => permit(); + }; + issuancerules{ + c:[type=="$is-debuggable"] => issue(type="is-debuggable", value=c.value); + c:[type=="$sgx-mrsigner"] => issue(type="sgx-mrsigner", value=c.value); + c:[type=="$sgx-mrenclave"] => issue(type="sgx-mrenclave", value=c.value); + c:[type=="$product-id"] => issue(type="product-id", value=c.value); + c:[type=="$svn"] => issue(type="svn", value=c.value); + c:[type=="$tee"] => issue(type="tee", value=c.value); + c:[type=="$tee-future"] => issue(type="tee-future", value=c.value); + }; + +TextLength : 604 +Jwt : eyJhbGciOiJub25lIn0.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. +JwtLength : 1129 +Algorithm : none ``` Gets the policy for Attestation Provider *pshtest* for Tee type *SgxEnclave*. @@ -155,7 +172,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### System.String +### Microsoft.Azure.Commands.Attestation.Models.PSPolicy ## NOTES diff --git a/src/Attestation/Attestation/help/Set-AzAttestationPolicy.md b/src/Attestation/Attestation/help/Set-AzAttestationPolicy.md index 5e5feed35962..b3b1749279b5 100644 --- a/src/Attestation/Attestation/help/Set-AzAttestationPolicy.md +++ b/src/Attestation/Attestation/help/Set-AzAttestationPolicy.md 
@@ -15,13 +15,14 @@ Sets the policy from a tenant in Azure Attestationn. ### NameParameterSet ``` Set-AzAttestationPolicy [-Name] [-ResourceGroupName] -Tee -Policy - [-PassThru] [-DefaultProfile ] [-WhatIf] [-Confirm] [] + [-PolicyFormat ] [-PassThru] [-DefaultProfile ] [-WhatIf] [-Confirm] + [] ``` ### ResourceIdParameterSet ``` -Set-AzAttestationPolicy [-ResourceId] -Tee -Policy [-PassThru] - [-DefaultProfile ] [-WhatIf] [-Confirm] [] +Set-AzAttestationPolicy [-ResourceId] -Tee -Policy [-PolicyFormat ] + [-PassThru] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ## DESCRIPTION @@ -35,7 +36,15 @@ PS C:\> $policy = Get-Content -Path .\custom.sgx.policy.txt PS C:\> Set-AzAttestationPolicy -Name pshtest -ResourceGroupName psh-test-rg -Tee SgxEnclave -Policy $policy ``` -Sets the user defined policy for TEE type *SgxEnclave* for Attestation Provider *pshtest*. +Sets the user defined policy for TEE type *SgxEnclave* for Attestation Provider *pshtest* using a text policy format (default). + +### Example 2 +```powershell +PS C:\> $policyjwt = Get-Content -Path .\custom.sgx.policy.jwt.format.txt +PS C:\> Set-AzAttestationPolicy -Name pshtest -ResourceGroupName psh-test-rg -Tee SgxEnclave -Policy $policyjwt -PolicyFormat JWT +``` + +Sets the user defined policy for TEE type *SgxEnclave* for Attestation Provider *pshtest* using a JWT policy format. ## PARAMETERS @@ -87,7 +96,7 @@ Accept wildcard characters: False ``` ### -Policy -Specifies the JSON Web Token describing the policy document to set. +Specifies the policy document to set. The policy format can be either Text or JSON Web Token (JWT). ```yaml Type: System.String 
@@ -101,6 +110,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -PolicyFormat +Specifies the format for the policy, either Text or JWT (JSON Web Token). The default policy format is Text. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -ResourceGroupName Specifies the resource group name of an attestation provider. @@ -133,7 +157,7 @@ Accept wildcard characters: False ### -Tee Specifies a type of Trusted Execution Environment. -We support four types of environment: SgxEnclave, OpenEnclave, CyResComponent and VBSEnclave. +Four types of environment are supported: SgxEnclave, OpenEnclave, CyResComponent and VBSEnclave. ```yaml Type: System.String