constellation/internal/attestation/choose/choose.go

/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

package choose

import (
	"fmt"

	"github.com/edgelesssys/constellation/v2/internal/atls"
	"github.com/edgelesssys/constellation/v2/internal/attestation"
	"github.com/edgelesssys/constellation/v2/internal/attestation/aws/nitrotpm"
	awssnp "github.com/edgelesssys/constellation/v2/internal/attestation/aws/snp"
	azuresnp "github.com/edgelesssys/constellation/v2/internal/attestation/azure/snp"
	"github.com/edgelesssys/constellation/v2/internal/attestation/azure/trustedlaunch"
	"github.com/edgelesssys/constellation/v2/internal/attestation/gcp"
	"github.com/edgelesssys/constellation/v2/internal/attestation/qemu"
	"github.com/edgelesssys/constellation/v2/internal/attestation/tdx"
	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
	"github.com/edgelesssys/constellation/v2/internal/config"
)

// Issuer returns the issuer for the given variant.
func Issuer(attestationVariant variant.Variant, log attestation.Logger) (atls.Issuer, error) {
	switch attestationVariant {
	case variant.AWSSEVSNP{}:
		return awssnp.NewIssuer(log), nil
	case variant.AWSNitroTPM{}:
		return nitrotpm.NewIssuer(log), nil
	case variant.AzureTrustedLaunch{}:
		return trustedlaunch.NewIssuer(log), nil
	case variant.AzureSEVSNP{}:
		return azuresnp.NewIssuer(log), nil
	case variant.GCPSEVES{}:
		return gcp.NewIssuer(log), nil
	case variant.QEMUVTPM{}:
		return qemu.NewIssuer(log), nil
	case variant.QEMUTDX{}:
		return tdx.NewIssuer(log), nil
	case variant.Dummy{}:
		return atls.NewFakeIssuer(variant.Dummy{}), nil
	default:
		return nil, fmt.Errorf("unknown attestation variant: %s", attestationVariant)
	}
}

// Validator returns the validator for the given variant.
func Validator(cfg config.AttestationCfg, log attestation.Logger) (atls.Validator, error) {
	switch cfg := cfg.(type) {
	case *config.AWSSEVSNP:
		return awssnp.NewValidator(cfg, log), nil
	case *config.AWSNitroTPM:
		return nitrotpm.NewValidator(cfg, log), nil
	case *config.AzureTrustedLaunch:
		return trustedlaunch.NewValidator(cfg, log), nil
	case *config.AzureSEVSNP:
		return azuresnp.NewValidator(cfg, log), nil
	case *config.GCPSEVES:
		return gcp.NewValidator(cfg, log), nil
	case *config.QEMUVTPM:
		return qemu.NewValidator(cfg, log), nil
	case *config.QEMUTDX:
		return tdx.NewValidator(cfg, log), nil
	case *config.DummyCfg:
		return atls.NewFakeValidator(variant.Dummy{}), nil
	default:
		return nil, fmt.Errorf("unknown attestation variant: %s", cfg.GetVariant())
	}
}
attestation: create issuer based on kernel cmd line (#1355) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-09 08:47:28 +00:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`

			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

			`package choose`

			`import (`
			`"fmt"`

			`"github.com/edgelesssys/constellation/v2/internal/atls"`
attestation: tdx issuer/validator (#1265) * Add TDX validator * Add TDX issuer --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-08 13:13:57 +00:00			`"github.com/edgelesssys/constellation/v2/internal/attestation"`
attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic. 2023-06-09 13:41:02 +00:00			`"github.com/edgelesssys/constellation/v2/internal/attestation/aws/nitrotpm"`
			`awssnp "github.com/edgelesssys/constellation/v2/internal/attestation/aws/snp"`
			`azuresnp "github.com/edgelesssys/constellation/v2/internal/attestation/azure/snp"`
attestation: create issuer based on kernel cmd line (#1355) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-09 08:47:28 +00:00			`"github.com/edgelesssys/constellation/v2/internal/attestation/azure/trustedlaunch"`
			`"github.com/edgelesssys/constellation/v2/internal/attestation/gcp"`
			`"github.com/edgelesssys/constellation/v2/internal/attestation/qemu"`
attestation: tdx issuer/validator (#1265) * Add TDX validator * Add TDX issuer --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-08 13:13:57 +00:00			`"github.com/edgelesssys/constellation/v2/internal/attestation/tdx"`
attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic. 2023-06-09 13:41:02 +00:00			`"github.com/edgelesssys/constellation/v2/internal/attestation/variant"`
internal: use config to create attestation validators (#1561) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-04-06 15:00:56 +00:00			`"github.com/edgelesssys/constellation/v2/internal/config"`
attestation: create issuer based on kernel cmd line (#1355) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-09 08:47:28 +00:00			`)`

			`// Issuer returns the issuer for the given variant.`
attestation: tdx issuer/validator (#1265) * Add TDX validator * Add TDX issuer --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-08 13:13:57 +00:00			`func Issuer(attestationVariant variant.Variant, log attestation.Logger) (atls.Issuer, error) {`
internal: refactor oid package to variant package (#1538) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-29 07:30:13 +00:00			`switch attestationVariant {`
attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic. 2023-06-09 13:41:02 +00:00			`case variant.AWSSEVSNP{}:`
			`return awssnp.NewIssuer(log), nil`
internal: refactor oid package to variant package (#1538) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-29 07:30:13 +00:00			`case variant.AWSNitroTPM{}:`
attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic. 2023-06-09 13:41:02 +00:00			`return nitrotpm.NewIssuer(log), nil`
internal: refactor oid package to variant package (#1538) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-29 07:30:13 +00:00			`case variant.AzureTrustedLaunch{}:`
attestation: create issuer based on kernel cmd line (#1355) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-09 08:47:28 +00:00			`return trustedlaunch.NewIssuer(log), nil`
internal: refactor oid package to variant package (#1538) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-29 07:30:13 +00:00			`case variant.AzureSEVSNP{}:`
attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic. 2023-06-09 13:41:02 +00:00			`return azuresnp.NewIssuer(log), nil`
internal: refactor oid package to variant package (#1538) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-29 07:30:13 +00:00			`case variant.GCPSEVES{}:`
attestation: create issuer based on kernel cmd line (#1355) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-09 08:47:28 +00:00			`return gcp.NewIssuer(log), nil`
internal: refactor oid package to variant package (#1538) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-29 07:30:13 +00:00			`case variant.QEMUVTPM{}:`
attestation: create issuer based on kernel cmd line (#1355) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-09 08:47:28 +00:00			`return qemu.NewIssuer(log), nil`
attestation: tdx issuer/validator (#1265) * Add TDX validator * Add TDX issuer --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-08 13:13:57 +00:00			`case variant.QEMUTDX{}:`
			`return tdx.NewIssuer(log), nil`
internal: refactor oid package to variant package (#1538) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-29 07:30:13 +00:00			`case variant.Dummy{}:`
			`return atls.NewFakeIssuer(variant.Dummy{}), nil`
attestation: create issuer based on kernel cmd line (#1355) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-09 08:47:28 +00:00			`default:`
internal: refactor oid package to variant package (#1538) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-29 07:30:13 +00:00			`return nil, fmt.Errorf("unknown attestation variant: %s", attestationVariant)`
attestation: create issuer based on kernel cmd line (#1355) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-09 08:47:28 +00:00			`}`
			`}`

			`// Validator returns the validator for the given variant.`
attestation: tdx issuer/validator (#1265) * Add TDX validator * Add TDX issuer --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-08 13:13:57 +00:00			`func Validator(cfg config.AttestationCfg, log attestation.Logger) (atls.Validator, error) {`
config: add separate option for handling attestation parameters (#1623) * Add attestation options to config * Add join-config migration path for clusters with old measurement format * Always create MAA provider for Azure SNP clusters * Remove confidential VM option from provider in favor of attestation options * cli: add config migrate command to handle config migration (#1678) --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-03 09:11:53 +00:00			`switch cfg := cfg.(type) {`
attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic. 2023-06-09 13:41:02 +00:00			`case *config.AWSSEVSNP:`
			`return awssnp.NewValidator(cfg, log), nil`
config: add separate option for handling attestation parameters (#1623) * Add attestation options to config * Add join-config migration path for clusters with old measurement format * Always create MAA provider for Azure SNP clusters * Remove confidential VM option from provider in favor of attestation options * cli: add config migrate command to handle config migration (#1678) --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-03 09:11:53 +00:00			`case *config.AWSNitroTPM:`
attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic. 2023-06-09 13:41:02 +00:00			`return nitrotpm.NewValidator(cfg, log), nil`
config: add separate option for handling attestation parameters (#1623) * Add attestation options to config * Add join-config migration path for clusters with old measurement format * Always create MAA provider for Azure SNP clusters * Remove confidential VM option from provider in favor of attestation options * cli: add config migrate command to handle config migration (#1678) --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-03 09:11:53 +00:00			`case *config.AzureTrustedLaunch:`
			`return trustedlaunch.NewValidator(cfg, log), nil`
			`case *config.AzureSEVSNP:`
attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic. 2023-06-09 13:41:02 +00:00			`return azuresnp.NewValidator(cfg, log), nil`
config: add separate option for handling attestation parameters (#1623) * Add attestation options to config * Add join-config migration path for clusters with old measurement format * Always create MAA provider for Azure SNP clusters * Remove confidential VM option from provider in favor of attestation options * cli: add config migrate command to handle config migration (#1678) --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-03 09:11:53 +00:00			`case *config.GCPSEVES:`
			`return gcp.NewValidator(cfg, log), nil`
			`case *config.QEMUVTPM:`
			`return qemu.NewValidator(cfg, log), nil`
attestation: tdx issuer/validator (#1265) * Add TDX validator * Add TDX issuer --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-08 13:13:57 +00:00			`case *config.QEMUTDX:`
			`return tdx.NewValidator(cfg, log), nil`
config: add separate option for handling attestation parameters (#1623) * Add attestation options to config * Add join-config migration path for clusters with old measurement format * Always create MAA provider for Azure SNP clusters * Remove confidential VM option from provider in favor of attestation options * cli: add config migrate command to handle config migration (#1678) --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-03 09:11:53 +00:00			`case *config.DummyCfg:`
internal: refactor oid package to variant package (#1538) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-29 07:30:13 +00:00			`return atls.NewFakeValidator(variant.Dummy{}), nil`
attestation: create issuer based on kernel cmd line (#1355) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-09 08:47:28 +00:00			`default:`
joinservice: cache certificates for Azure SEV-SNP attestation (#2336) * add ASK caching in joinservice Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use cached ASK in Azure SEV-SNP attestation Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update test charts Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix linter Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix typ Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * make caching mechanism less provider-specific Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update buildfiles Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add `omitempty` flag Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * frontload certificate getter Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * rename frontloaded function Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * pass cached certificates to constructor Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix race condition Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix marshalling of empty certs Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix validator usage Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * [wip] add certcache tests Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add certcache tests Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix validator test Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove unused fields in validator Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix certificate precedence Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use separate context Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * linter fixes Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * linter fixes Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * Remove unnecessary comment Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * use background context Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * Use error format directive Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * `azure` -> `Azure` Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * improve error messages Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add x509 -> PEM util function Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use crypto util functions Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix certificate replacement logic Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * only require ASK from certcache Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix comment typo Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --------- Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> 2023-09-29 12:29:50 +00:00			`return nil, fmt.Errorf("unknown attestation variant: %s", cfg.GetVariant())`
attestation: create issuer based on kernel cmd line (#1355) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-09 08:47:28 +00:00			`}`
			`}`