policy match, client timeout config value validation (#135)

Author: kmanisai

.github/workflows/onmergerelease.yml

@@ -42,7 +42,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: '3.8.10'
+          python-version: '3.9'
 
       - name: Install Poetry
         run: pip install poetry==1.7.1

README.md

@@ -25,7 +25,7 @@ The Python client currently supports the following TEEs:
 
 ## System requirement
 
-- Python 3.8 or newer.
+- Python 3.9 or newer.
 - Ubuntu 22.04 with *kernel 6.7 or later,* or Ubuntu 24.04. Support for the ConfigFS-TSM subsystem is required for Intel TDX attestation.
 
 ## Installation

inteltrustauthorityclient/cli/README.md

@@ -13,7 +13,7 @@ For more information, see [GPU Remote Attestation](https://docs.trustauthority.i
 
 The following prerequisites must be installed on the CVM (Confidential VM with Intel TDX):
 
-- Use **Python 3.8 or newer**.
+- Use **Python 3.9 or newer**.
 - Ubuntu 22.04 with *kernel 6.7 or later,* or Ubuntu 24.04. Support for the ConfigFS-TSM subsystem is required for Intel TDX attestation.
 - NVIDIA H100 GPU
 - [NVIDIA Attestation SDK v1.4.0](https://github.com/NVIDIA/nvtrust/releases/tag/v1.4.0) installed in the guest TD. NVIDIA Attestation SDK v2.x is _not_ supported. 

inteltrustauthorityclient/connector/config.py

@@ -139,3 +139,13 @@ def validate_apikey(api_key):
         return True
     except binascii.Error as exc:
         log.error(f"Error in apikey validation :{exc}, API key must be a valid Base64 Encoded string")
+
+def validate_policymustmatch(policy_must_match):
+    # policy_must_match should be a boolean value
+    if policy_must_match is None:
+        return False
+    if isinstance(policy_must_match, str):
+        if policy_must_match.lower() in {"true", "false"}:
+            return True if policy_must_match.lower() == "true" else False
+    log.error("Unsupported Policy Must Match value provided, supported values are true/false")
+    return -1

inteltrustauthorityclient/examples/sgx_sample_app/README.md

@@ -160,7 +160,7 @@ Begin by copying the Intel Trust Authority Client for Python repository to a loc
 
 #### Prerequisites
 
-- Python 3.8 or later
+- Python 3.9 or later
 - Poetry. You can install **poetry** using the command `pip3 install --no-cache-dir poetry`.
 - An Intel SGX host with the Intel SGX driver.
 - A subscription to Intel Trust Authority. If you don't have a subscription, you can find out how to get one at [Intel Trust Authority](https://trustauthority.intel.com).

inteltrustauthorityclient/examples/sgx_sample_app/sgx_sample_app.py

@@ -155,11 +155,17 @@ def main():
             "CLIENT_TIMEOUT_SEC is not provided. Hence, setting to default value."
         )
         timeout_second = const.DEFAULT_CLIENT_TIMEOUT_SEC
+    else:
+        if not timeout_second.isnumeric():
+            log.error("Invalid CLIENT_TIMEOUT_SEC format: CLIENT_TIMEOUT_SEC must be an Integer.")
+            exit(1)
 
     token_signing_algorithm = os.getenv("TOKEN_SIGNING_ALGORITHM")
     policy_must_match = os.getenv("POLICY_MUST_MATCH")
-    if policy_must_match is not None and policy_must_match.lower() in {"true", "false"}:
-        policy_must_match = True if policy_must_match.lower() == "true" else False
+    policy_must_match = config.validate_policymustmatch(policy_must_match)
+    if policy_must_match == -1:
+        exit(1)
+    
     # enclave related work
     enclave_path = "./minimal-enclave/enclave.signed.so"
     eid = create_sgx_enclave(enclave_path)

inteltrustauthorityclient/examples/tdx_sample_app/README.md

@@ -158,7 +158,7 @@ If the sample application runs successfully, the attestation token returned from
 
 #### Prerequisites
 
-- Python 3.8 or later
+- Python 3.9 or later
 - Poetry. Install **poetry** using the command `pip3 install --no-cache-dir poetry`.
 - An Intel TDX TD VM running on a local Intel TDX host or as a confidential VM in the cloud. 
 - A subscription to Intel Trust Authority. If you don't have a subscription, you can find out how to get one at [Intel Trust Authority](https://trustauthority.intel.com).

inteltrustauthorityclient/examples/tdx_sample_app/tdx_sample_app.py

@@ -101,11 +101,16 @@ def main():
             "CLIENT_TIMEOUT_SEC is not provided. Hence, setting to default value."
         )
         timeout_second = const.DEFAULT_CLIENT_TIMEOUT_SEC
+    else:
+        if not timeout_second.isnumeric():
+            log.error("Invalid CLIENT_TIMEOUT_SEC format: CLIENT_TIMEOUT_SEC must be an Integer.")
+            exit(1)
 
     token_signing_algorithm = os.getenv("TOKEN_SIGNING_ALGORITHM")
     policy_must_match = os.getenv("POLICY_MUST_MATCH")
-    if policy_must_match is not None and policy_must_match.lower() in {"true", "false"}:
-        policy_must_match = True if policy_must_match.lower() == "true" else False
+    policy_must_match = config.validate_policymustmatch(policy_must_match)
+    if policy_must_match == -1:
+        exit(1)
 
     try:
         # Populate config object

inteltrustauthorityclient/nvgpu/README.md

@@ -14,7 +14,7 @@ For more information, see [GPU Remote Attestation](https://docs.trustauthority.i
 
 The following prerequisites must be installed on the CVM (Confidential VM with Intel TDX):
 
-- Use **Python 3.8 or newer**.
+- Use **Python 3.9 or newer**.
 - Ubuntu 22.04 with *kernel 6.7 or later,* or Ubuntu 24.04. Support for the ConfigFS-TSM subsystem is required for Intel TDX attestation.
 - NVIDIA H100 GPU
 - NVIDIA Management Library (NVML). Install NVML by running the following command on the CVM after Python is installed: `pip install nvidia-ml-py`.