To handle nested claims. #10
Conversation
|
This is the current test key release policy caught from the debug endpoint: There are two node-policy-identity claims with different values. This policy will not release a key because this claim is not present in your test token: |
| "x-ms-azurevm-os-provisioning": { | ||
| "node-policy-identity": { | ||
| "eventVersion": "number", | ||
| "policyId": "string", |
There was a problem hiding this comment.
where are these claims tested when they appear in a KRP?
There was a problem hiding this comment.
I believe this will eventually become very confusing. E.g. policyId is a claim that we want to compare on value while eventVersion is typically a gte check.
If we use flattened claims it will be clearer and we can easily check if these claim is allowed in CLAIMS:
"x-ms-azurevm-os-provisioning.node-policy-identity.eventVersion"
"x-ms-azurevm-os-provisioning.node-policy-identity.policyId"
| "x-ms-azurevm-os-provisioning": { | ||
| "node-policy-identity": { | ||
| "eventVersion": "number", | ||
| "policyId": "string", |
There was a problem hiding this comment.
I believe this will eventually become very confusing. E.g. policyId is a claim that we want to compare on value while eventVersion is typically a gte check.
If we use flattened claims it will be clearer and we can easily check if these claim is allowed in CLAIMS:
"x-ms-azurevm-os-provisioning.node-policy-identity.eventVersion"
"x-ms-azurevm-os-provisioning.node-policy-identity.policyId"
| @@ -173,7 +197,7 @@ actions.set( | |||
| item.forEach((i) => { | |||
There was a problem hiding this comment.
in the non-flattened model we should test if the key represents an object and than drill down in the object to check presence in CLAIMS. Way harder than using flattened claims.
| @@ -11,4 +11,5 @@ export enum JwtIdentityProviderEnum { | |||
| MAA_NoSecureBootTyFu = "https://maanosecureboottestyfu.eus.attest.azure.net", | |||
| MAA_NoSecureBootWeu = "https://accnosecurebootmaawesteu.weu.attest.azure.net", | |||
| MAA_NoSecureBootEus = "https://accnosecurebootmaa.eus2.attest.azure.net", | |||
| MAA_NoSecureBootInteTest = "https://confinfermaaeus2test.eus2.test.attest.azure.net", | |||
There was a problem hiding this comment.
I have removed the necessity to add an issuer in code. This will not scale. I will sync my changes so we do no longer need this
| this.identityProviders.set( | ||
| JwtIdentityProviderEnum.MAA_NoSecureBootIntgTest, | ||
| new MsJwtProvider("JwtMaaProvider", this.logContext), | ||
| ); |
|
I am having build errors doing make build |
It should be OR instead of AND, similar to this case: "x-ms-azurevm-osversion-major": [22,23]. So, the token should be valid. |
Claims are in nested and in the following format:
"x-ms-azurevm-os-provisioning": {
"node-policy-identity": {
"eventVersion": "1",
"policyId": "openai-whisper",
"signer": "8fe6e7a314b8695b21710cebf0265e8d7bbaabde26f431c407faf16fcbd6b924",
"svn": "1"
},
"os-image-identity": {
"diskId": "singularity.ubuntu-22.04",
"eventVersion": "1",
"signer": "f9cce5b7bdc2aaacfc4c78cb2b7515459aded8149287b74667bb2f178b0cf7b9",
"svn": "1"
}