Add attester-specific option support to MockTSM

MockTSM now takes the support of options, only privilege_level is
supported at this time. The schema is defined as the following:

mocktsm:{"privilege_level": "$level"}. Replace $level with number 0-3

Signed-off-by: Ian Chin Wang <[email protected]>

Author: cowbon

attesters/mocktsm/mocktsm.go

@@ -3,7 +3,9 @@
 package mocktsm
 
 import (
+	"encoding/json"
 	"fmt"
+	"strconv"
 
 	"github.com/google/go-configfs-tsm/configfs/configfsi"
 	"github.com/google/go-configfs-tsm/configfs/faketsm"
@@ -67,12 +69,31 @@ func (m *MockPlugin) GetEvidence(in *compositor.EvidenceIn) *compositor.Evidence
 		return getEvidenceError(errMsg)
 	}
 
+	options := make(map[string]string)
+	if len(in.Options) > 0 {
+		if err := json.Unmarshal([]byte(in.Options), &options); err != nil {
+			errMsg := fmt.Errorf(
+				"failed to parse %s: %v", in.Options, err)
+			return getEvidenceError(errMsg)
+		}
+	}
+
 	if in.ContentType == mediaType {
 		req := &report.Request{
 			InBlob:     in.Nonce,
 			GetAuxBlob: true,
 		}
 
+		if privlevel, ok := options["privilege_level"]; ok {
+			level, err := strconv.Atoi(privlevel)
+			if err != nil || level < 0 {
+				errMsg := fmt.Errorf("privilege_level %s is invalid",
+					privlevel)
+				return getEvidenceError(errMsg)
+			}
+			req.Privilege = &report.Privilege{Level: uint(level)}
+		}
+
 		resp, err := report.Get(m.client, req)
 		if err != nil {
 			errMsg := fmt.Errorf("failed to get mock TSM report: %v", err)

attesters/mocktsm/mocktsm_test.go

@@ -74,7 +74,7 @@ func Test_GetEvidence_invalid_format(t *testing.T) {
 	assert.Equal(t, expected, p.GetEvidence(in))
 }
 
-func Test_GetEvidence(t *testing.T) {
+func Test_GetEvidence_No_Options(t *testing.T) {
 	inblob := []byte(validNonceStr)
 	in := &compositor.EvidenceIn{
 		ContentType: string(mediaType),
@@ -97,3 +97,58 @@ func Test_GetEvidence(t *testing.T) {
 
 	assert.Equal(t, expected, p.GetEvidence(in))
 }
+
+func TestGetEvidence_With_Invalid_Options(t *testing.T) {
+	tests := []struct{name, params, msg string} {
+		{"privilege level not integer", "{\"privilege_level\": \"invalid\"}",
+		"privilege_level invalid is invalid"},
+		{"privilege level less than zero", "{\"privilege_level\": \"-20\"}",
+		"privilege_level -20 is invalid"},
+		{"invalid json", "{\"privilege_level\"}",
+		"failed to parse {\"privilege_level\"}: invalid character '}' after object key"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			inblob := []byte(validNonceStr)
+			in := &compositor.EvidenceIn{
+				ContentType: string(mediaType),
+				Nonce:       inblob,
+				Options:     tt.params,
+			}
+
+			expected := &compositor.EvidenceOut{
+				Status: &compositor.Status{
+					Result: false,
+					Error:  tt.msg,
+				},
+			}
+
+			assert.Equal(t, expected, p.GetEvidence(in))
+		})
+	}
+}
+
+func Test_GetEvidence_With_Valid_Privilege_level(t *testing.T) {
+	inblob := []byte(validNonceStr)
+	in := &compositor.EvidenceIn{
+		ContentType: string(mediaType),
+		Nonce:       inblob,
+		Options:     "{\"privilege_level\": \"1\"}",
+	}
+
+	expectedOutblob := fmt.Sprintf("privlevel: 1\ninblob: %s", hex.EncodeToString(inblob))
+	out := &tokens.TSMReport {
+		Provider: "fake\n",
+		OutBlob:  []byte(expectedOutblob),
+		AuxBlob:  []byte("auxblob"),
+	}
+
+	outEncoded, _ := out.ToJSON()
+
+	expected := &compositor.EvidenceOut{
+		Status:   statusSucceeded,
+		Evidence: outEncoded,
+	}
+
+	assert.Equal(t, expected, p.GetEvidence(in))
+}