
Commit bccca2e

authored
Merge pull request fortanix#778 from fortanix/yx/fix-ci-for-3rd-party
Fix CI for 3rd party
2 parents 44823d2 + 6612558 commit bccca2e


3 files changed

+161
-44
lines changed

3 files changed

+161
-44
lines changed

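--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -26,14 +26,20 @@ jobs:
 runs-on: ubuntu-24.04
 
 env:
-# PCS_API_KEY: Raoul Strackx' personal access key. Only used here, and only provides access to the Intel PCS service, which is public anyway
-PCS_API_KEY: ${{ secrets.PCS_API_KEY }}
-PCCS_URL: ${{ vars.PCCS_URL }}
 CMAKE_POLICY_VERSION_MINIMUM: 3.5
 
 steps:
 - uses: actions/checkout@v4
 
+- name: Conditionally export PCS_API_KEY and PCCS_URL
+run: |
+if [ -n "${{ secrets.PCS_API_KEY }}" ]; then
+echo "PCS_API_KEY=${{ secrets.PCS_API_KEY }}" >> $GITHUB_ENV
+fi
+if [ -n "${{ vars.PCCS_URL }}" ]; then
+echo "PCCS_URL=${{ vars.PCCS_URL }}" >> $GITHUB_ENV
+fi
+
 - name: Install additional dependencies
 run: |
 # install gpg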
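Review bot: The new step (new lines 34–42) expands `${{ secrets.PCS_API_KEY }}` and `${{ vars.PCCS_URL }}` directly into the text of the `run:` script, so the values become shell source before the shell parses them; a value containing a quote, a command substitution or a newline would be interpreted by the shell or would add extra entries to `$GITHUB_ENV`. Passing both through the step's `env:` and reading them as quoted shell variables keeps them as data, and `$GITHUB_ENV` should be quoted as well. Writing the key to `$GITHUB_ENV` also leaves it visible to every later step of the job, as the removed job-level `env:` did; scoping it to the step that runs the tests would narrow that if practical.

```yaml
- name: Conditionally export PCS_API_KEY and PCCS_URL
  env:
    PCS_API_KEY_VALUE: ${{ secrets.PCS_API_KEY }}
    PCCS_URL_VALUE: ${{ vars.PCCS_URL }}
  run: |
    if [ -n "$PCS_API_KEY_VALUE" ]; then
      echo "PCS_API_KEY=$PCS_API_KEY_VALUE" >> "$GITHUB_ENV"
    fi
    if [ -n "$PCCS_URL_VALUE" ]; then
      echo "PCCS_URL=$PCCS_URL_VALUE" >> "$GITHUB_ENV"
    fi
```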

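--- a/intel-sgx/dcap-artifact-retrieval/src/provisioning_client/intel.rs
+++ b/intel-sgx/dcap-artifact-retrieval/src/provisioning_client/intel.rs
@@ -573,7 +573,10 @@ mod tests {
 use std::path::PathBuf;
 use std::time::Duration;
 
-use pcs::{DcapArtifactIssuer, EnclaveIdentity, Fmspc, PckID, Platform, TcbEvaluationDataNumbers, RawTcbEvaluationDataNumbers};
+use pcs::{
+DcapArtifactIssuer, EnclaveIdentity, Fmspc, PckID, Platform, RawTcbEvaluationDataNumbers,
+TcbEvaluationDataNumbers,
+};
 
 use crate::provisioning_client::{
 test_helpers, IntelProvisioningClientBuilder, PcsVersion, ProvisioningClient,
@@ -585,10 +588,12 @@ mod tests {
 const OUTPUT_TEST_DIR: &str = "./tests/data/";
 const TIME_RETRY_TIMEOUT: Duration = Duration::from_secs(180);
 
-fn pcs_api_key() -> String {
-let api_key = std::env::var("PCS_API_KEY").expect("PCS_API_KEY must be set");
+fn pcs_api_key() -> Option<String> {
+let api_key_option = std::env::var("PCS_API_KEY").ok();
+if let Some(api_key) = api_key_option.as_ref() {
 assert!(!api_key.is_empty(), "Empty string in PCS_API_KEY");
-api_key
+}
+api_key_option
 }
 
 #[test]
@@ -597,7 +602,13 @@ mod tests {
 let mut intel_builder = IntelProvisioningClientBuilder::new(api_version)
 .set_retry_timeout(TIME_RETRY_TIMEOUT);
 if api_version == PcsVersion::V3 {
-intel_builder.set_api_key(pcs_api_key());
+if let Some(pcs_api_key) = pcs_api_key() {
+intel_builder.set_api_key(pcs_api_key);
+} else {
+// Intel SGX PCS version 3 is scheduled to end of life not later than October 31, 2025.
+// So we no longer force to test it.
+continue;
+}
 }
 let client = intel_builder.build(reqwest_client());
 
@@ -624,7 +635,13 @@ mod tests {
 let mut intel_builder = IntelProvisioningClientBuilder::new(api_version)
 .set_retry_timeout(TIME_RETRY_TIMEOUT);
 if api_version == PcsVersion::V3 {
-intel_builder.set_api_key(pcs_api_key());
+if let Some(pcs_api_key) = pcs_api_key() {
+intel_builder.set_api_key(pcs_api_key);
+} else {
+// Intel SGX PCS version 3 is scheduled to end of life not later than October 31, 2025.
+// So we no longer force to test it.
+continue;
+}
 }
 let client = intel_builder.build(reqwest_client());
 
@@ -677,7 +694,13 @@ mod tests {
 let mut intel_builder = IntelProvisioningClientBuilder::new(api_version)
 .set_retry_timeout(TIME_RETRY_TIMEOUT);
 if api_version == PcsVersion::V3 {
-intel_builder.set_api_key(pcs_api_key());
+if let Some(pcs_api_key) = pcs_api_key() {
+intel_builder.set_api_key(pcs_api_key);
+} else {
+// Intel SGX PCS version 3 is scheduled to end of life not later than October 31, 2025.
+// So we no longer force to test it.
+continue;
+}
 }
 let client = intel_builder.build(reqwest_client());
 for pckid in PckID::parse_file(&PathBuf::from(PCKID_TEST_FILE).as_path())
@@ -709,11 +732,25 @@ mod tests {
 let mut intel_builder = IntelProvisioningClientBuilder::new(api_version)
 .set_retry_timeout(TIME_RETRY_TIMEOUT);
 if api_version == PcsVersion::V3 {
-intel_builder.set_api_key(pcs_api_key());
+if let Some(pcs_api_key) = pcs_api_key() {
+intel_builder.set_api_key(pcs_api_key);
+} else {
+// Intel SGX PCS version 3 is scheduled to end of life not later than October 31, 2025.
+// So we no longer force to test it.
+continue;
+}
 }
 let client = intel_builder.build(reqwest_client());
-let crl_processor = client.pckcrl(DcapArtifactIssuer::PCKProcessorCA).unwrap().crl_as_pem().to_owned();
-let crl_platform = client.pckcrl(DcapArtifactIssuer::PCKPlatformCA).unwrap().crl_as_pem().to_owned();
+let crl_processor = client
+.pckcrl(DcapArtifactIssuer::PCKProcessorCA)
+.unwrap()
+.crl_as_pem()
+.to_owned();
+let crl_platform = client
+.pckcrl(DcapArtifactIssuer::PCKPlatformCA)
+.unwrap()
+.crl_as_pem()
+.to_owned();
 for pckid in PckID::parse_file(&PathBuf::from(PCKID_TEST_FILE).as_path())
 .unwrap()
 .iter()
@@ -727,7 +764,9 @@ mod tests {
 None,
 )
 .unwrap();
-let pck = pck.clone().verify(&root_cas, Some(&crl_processor))
+let pck = pck
+.clone()
+.verify(&root_cas, Some(&crl_processor))
 .or(pck.clone().verify(&root_cas, Some(&crl_platform)))
 .unwrap();
 
@@ -797,7 +836,13 @@ mod tests {
 let mut intel_builder = IntelProvisioningClientBuilder::new(api_version)
 .set_retry_timeout(TIME_RETRY_TIMEOUT);
 if api_version == PcsVersion::V3 {
-intel_builder.set_api_key(pcs_api_key());
+if let Some(pcs_api_key) = pcs_api_key() {
+intel_builder.set_api_key(pcs_api_key);
+} else {
+// Intel SGX PCS version 3 is scheduled to end of life not later than October 31, 2025.
+// So we no longer force to test it.
+continue;
+}
 }
 let client = intel_builder.build(reqwest_client());
 for pckid in PckID::parse_file(&PathBuf::from(PCKID_TEST_FILE).as_path())
@@ -829,7 +874,11 @@ mod tests {
 .unwrap();
 let fmspc = pckcerts.fmspc().unwrap();
 
-let evaluation_data_numbers = client.tcb_evaluation_data_numbers().unwrap().evaluation_data_numbers().unwrap();
+let evaluation_data_numbers = client
+.tcb_evaluation_data_numbers()
+.unwrap()
+.evaluation_data_numbers()
+.unwrap();
 
 for number in evaluation_data_numbers.numbers() {
 assert!(client
@@ -846,7 +895,13 @@ mod tests {
 let mut intel_builder = IntelProvisioningClientBuilder::new(api_version)
 .set_retry_timeout(TIME_RETRY_TIMEOUT);
 if api_version == PcsVersion::V3 {
-intel_builder.set_api_key(pcs_api_key());
+if let Some(pcs_api_key) = pcs_api_key() {
+intel_builder.set_api_key(pcs_api_key);
+} else {
+// Intel SGX PCS version 3 is scheduled to end of life not later than October 31, 2025.
+// So we no longer force to test it.
+continue;
+}
 }
 let client = intel_builder.build(reqwest_client());
 for pckid in PckID::parse_file(&PathBuf::from(PCKID_TEST_FILE).as_path())
@@ -867,7 +922,10 @@ mod tests {
 
 let (cached_tcb_info, _) = {
 let mut hasher = DefaultHasher::new();
-let input = client.tcbinfo_service.pcs_service().build_input(&fmspc, None);
+let input = client
+.tcbinfo_service
+.pcs_service()
+.build_input(&fmspc, None);
 input.hash(&mut hasher);
 
 cache
@@ -889,12 +947,21 @@ mod tests {
 
 #[test]
 pub fn pckcrl() {
-for ca in [DcapArtifactIssuer::PCKProcessorCA, DcapArtifactIssuer::PCKPlatformCA] {
+for ca in [
+DcapArtifactIssuer::PCKProcessorCA,
+DcapArtifactIssuer::PCKPlatformCA,
+] {
 for api_version in [PcsVersion::V3, PcsVersion::V4] {
 let mut intel_builder = IntelProvisioningClientBuilder::new(api_version)
 .set_retry_timeout(TIME_RETRY_TIMEOUT);
 if api_version == PcsVersion::V3 {
-intel_builder.set_api_key(pcs_api_key());
+if let Some(pcs_api_key) = pcs_api_key() {
+intel_builder.set_api_key(pcs_api_key);
+} else {
+// Intel SGX PCS version 3 is scheduled to end of life not later than October 31, 2025.
+// So we no longer force to test it.
+continue;
+}
 }
 let client = intel_builder.build(reqwest_client());
 assert!(client
@@ -907,12 +974,21 @@ mod tests {
 
 #[test]
 pub fn pckcrl_cached() {
-for ca in [DcapArtifactIssuer::PCKProcessorCA, DcapArtifactIssuer::PCKPlatformCA] {
+for ca in [
+DcapArtifactIssuer::PCKProcessorCA,
+DcapArtifactIssuer::PCKPlatformCA,
+] {
 for api_version in [PcsVersion::V3, PcsVersion::V4] {
 let mut intel_builder = IntelProvisioningClientBuilder::new(api_version)
 .set_retry_timeout(TIME_RETRY_TIMEOUT);
 if api_version == PcsVersion::V3 {
-intel_builder.set_api_key(pcs_api_key());
+if let Some(pcs_api_key) = pcs_api_key() {
+intel_builder.set_api_key(pcs_api_key);
+} else {
+// Intel SGX PCS version 3 is scheduled to end of life not later than October 31, 2025.
+// So we no longer force to test it.
+continue;
+}
 }
 let client = intel_builder.build(reqwest_client());
 let pckcrl = client.pckcrl(ca).unwrap();
@@ -951,7 +1027,13 @@ mod tests {
 let mut intel_builder = IntelProvisioningClientBuilder::new(api_version)
 .set_retry_timeout(TIME_RETRY_TIMEOUT);
 if api_version == PcsVersion::V3 {
-intel_builder.set_api_key(pcs_api_key());
+if let Some(pcs_api_key) = pcs_api_key() {
+intel_builder.set_api_key(pcs_api_key);
+} else {
+// Intel SGX PCS version 3 is scheduled to end of life not later than October 31, 2025.
+// So we no longer force to test it.
+continue;
+}
 }
 let client = intel_builder.build(reqwest_client());
 let qe_id = client.qe_identity(None);
@@ -966,7 +1048,13 @@ mod tests {
 let mut intel_builder = IntelProvisioningClientBuilder::new(api_version)
 .set_retry_timeout(TIME_RETRY_TIMEOUT);
 if api_version == PcsVersion::V3 {
-intel_builder.set_api_key(pcs_api_key());
+if let Some(pcs_api_key) = pcs_api_key() {
+intel_builder.set_api_key(pcs_api_key);
+} else {
+// Intel SGX PCS version 3 is scheduled to end of life not later than October 31, 2025.
+// So we no longer force to test it.
+continue;
+}
 }
 let client = intel_builder.build(reqwest_client());
 let qe_id = client.qe_identity(None).unwrap();
@@ -1013,9 +1101,11 @@ mod tests {
 assert_eq!(eval_numbers, eval_numbers2);
 
 let fmspc = Fmspc::try_from("90806f000000").unwrap();
-let eval_numbers: TcbEvaluationDataNumbers = eval_numbers.verify(&root_cas, Platform::SGX).unwrap();
+let eval_numbers: TcbEvaluationDataNumbers =
+eval_numbers.verify(&root_cas, Platform::SGX).unwrap();
 for number in eval_numbers.numbers().map(|n| n.number()) {
-let qe_id = client.qe_identity(Some(number))
+let qe_id = client
+.qe_identity(Some(number))
 .unwrap()
 .verify(&root_cas, EnclaveIdentity::QE)
 .unwrap();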
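Review bot: When `PCS_API_KEY` is unset, the new `else` branch (first at new lines 607–611) skips `PcsVersion::V3` with a bare `continue`, so a run where the key was expected but did not reach the job still reports every test as passed, with no trace that the v3 certificate and CRL checks were not exercised. Printing a line before the skip, e.g. `eprintln!("PCS_API_KEY not set; skipping PcsVersion::V3");`, would make that visible in the test output when it is run with `--nocapture`. The same seven-line block is repeated in the later hunks (new lines 638, 697, 735, 839, 898, 958, 985, 1030 and 1051), so a small helper in `mod tests` that returns the configured builder or `None` would keep the skip policy in one place. The enclosing test functions start and end outside the hunks.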
