2023-06-01 07:55:46 -04:00
/ *
Copyright ( c ) Edgeless Systems GmbH
SPDX - License - Identifier : AGPL - 3.0 - only
* /
package cmd
import (
"encoding/json"
"fmt"
"os"
2023-06-02 06:10:22 -04:00
"reflect"
2023-06-01 07:55:46 -04:00
"time"
2023-06-02 06:10:22 -04:00
"github.com/edgelesssys/constellation/v2/internal/api/attestationconfig"
2023-06-02 03:19:23 -04:00
attestationconfigclient "github.com/edgelesssys/constellation/v2/internal/api/attestationconfig/client"
2023-06-02 06:10:22 -04:00
"github.com/edgelesssys/constellation/v2/internal/api/attestationconfig/fetcher"
2023-06-01 07:55:46 -04:00
"github.com/edgelesssys/constellation/v2/internal/staticupload"
"github.com/spf13/cobra"
)
const (
2023-06-02 06:10:22 -04:00
awsRegion = "eu-central-1"
awsBucket = "cdn-constellation-backend"
invalidDefault = 0
envAwsKeyID = "AWS_ACCESS_KEY_ID"
envAwsKey = "AWS_ACCESS_KEY"
envCosignPwd = "COSIGN_PASSWORD"
envCosignPrivateKey = "COSIGN_PRIVATE_KEY"
2023-06-01 07:55:46 -04:00
)
var (
versionFilePath string
// Cosign credentials.
2023-06-02 06:10:22 -04:00
cosignPwd string
privateKey string
2023-06-01 07:55:46 -04:00
)
// Execute executes the root command.
func Execute ( ) error {
return newRootCmd ( ) . Execute ( )
}
// newRootCmd creates the root command.
func newRootCmd ( ) * cobra . Command {
rootCmd := & cobra . Command {
2023-06-02 06:10:22 -04:00
Use : "COSIGN_PASSWORD=$CPWD COSIGN_PRIVATE_KEY=$CKEY AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY upload --version-file $FILE" ,
2023-06-01 07:55:46 -04:00
Short : "Upload a set of versions specific to the azure-sev-snp attestation variant to the config api." ,
2023-06-02 06:10:22 -04:00
Long : fmt . Sprintf ( "Upload a set of versions specific to the azure-sev-snp attestation variant to the config api. Please authenticate with AWS through your preferred method (e.g. environment variables, CLI) to be able to upload to S3. Set the %s and %s environment variables to authenticate with cosign." , envCosignPrivateKey , envCosignPwd ) ,
PreRunE : envCheck ,
RunE : runCmd ,
2023-06-01 07:55:46 -04:00
}
rootCmd . PersistentFlags ( ) . StringVarP ( & versionFilePath , "version-file" , "f" , "" , "File path to the version json file." )
2023-06-02 06:10:22 -04:00
must ( enforceRequiredFlags ( rootCmd , "version-file" ) )
2023-06-01 07:55:46 -04:00
return rootCmd
}
2023-06-02 06:10:22 -04:00
func envCheck ( _ * cobra . Command , _ [ ] string ) error {
if os . Getenv ( envCosignPrivateKey ) == "" || os . Getenv ( envCosignPwd ) == "" {
return fmt . Errorf ( "please set both %s and %s environment variables" , envCosignPrivateKey , envCosignPwd )
}
cosignPwd = os . Getenv ( envCosignPwd )
privateKey = os . Getenv ( envCosignPrivateKey )
return nil
}
2023-06-01 07:55:46 -04:00
func runCmd ( cmd * cobra . Command , _ [ ] string ) error {
ctx := cmd . Context ( )
cfg := staticupload . Config {
Bucket : awsBucket ,
Region : awsRegion ,
}
versionBytes , err := os . ReadFile ( versionFilePath )
if err != nil {
return fmt . Errorf ( "reading version file: %w" , err )
}
2023-06-02 06:10:22 -04:00
var inputVersion attestationconfig . AzureSEVSNPVersion
if err = json . Unmarshal ( versionBytes , & inputVersion ) ; err != nil {
2023-06-01 07:55:46 -04:00
return fmt . Errorf ( "unmarshalling version file: %w" , err )
}
2023-06-02 06:10:22 -04:00
latestAPIVersion , err := fetcher . New ( ) . FetchAzureSEVSNPVersionLatest ( ctx )
2023-06-01 07:55:46 -04:00
if err != nil {
2023-06-02 06:10:22 -04:00
return fmt . Errorf ( "fetching latest version: %w" , err )
2023-06-01 07:55:46 -04:00
}
2023-06-02 06:10:22 -04:00
isNewer , err := isInputNewerThanLatestAPI ( inputVersion , latestAPIVersion . AzureSEVSNPVersion )
if err != nil {
return fmt . Errorf ( "comparing versions: %w" , err )
}
if isNewer {
fmt . Printf ( "Input version: %+v is newer than latest API version: %+v\n" , inputVersion , latestAPIVersion )
sut , sutClose , err := attestationconfigclient . New ( ctx , cfg , [ ] byte ( cosignPwd ) , [ ] byte ( privateKey ) )
defer func ( ) {
if err := sutClose ( ctx ) ; err != nil {
fmt . Printf ( "closing repo: %v\n" , err )
}
} ( )
if err != nil {
return fmt . Errorf ( "creating repo: %w" , err )
2023-06-02 05:20:01 -04:00
}
2023-06-01 07:55:46 -04:00
2023-06-02 06:10:22 -04:00
if err := sut . UploadAzureSEVSNP ( ctx , inputVersion , time . Now ( ) ) ; err != nil {
return fmt . Errorf ( "uploading version: %w" , err )
}
cmd . Printf ( "Successfully uploaded new Azure SEV-SNP version: %+v\n" , inputVersion )
} else {
cmd . Printf ( "Input version: %+v is not newer than latest API version: %+v\n" , inputVersion , latestAPIVersion )
2023-06-01 07:55:46 -04:00
}
return nil
}
2023-06-02 06:10:22 -04:00
// isInputNewerThanLatestAPI compares all version fields with the latest API version and returns true if any input field is newer.
func isInputNewerThanLatestAPI ( input , latest attestationconfig . AzureSEVSNPVersion ) ( bool , error ) {
inputValues := reflect . ValueOf ( input )
latestValues := reflect . ValueOf ( latest )
fields := reflect . TypeOf ( input )
num := fields . NumField ( )
// validate that no input field is smaller than latest
for i := 0 ; i < num ; i ++ {
field := fields . Field ( i )
inputValue := inputValues . Field ( i ) . Uint ( )
latestValue := latestValues . Field ( i ) . Uint ( )
if inputValue < latestValue {
return false , fmt . Errorf ( "input %s version: %d is older than latest API version: %d" , field . Name , inputValue , latestValue )
} else if inputValue > latestValue {
return true , nil
}
}
// check if any input field is greater than latest
for i := 0 ; i < num ; i ++ {
inputValue := inputValues . Field ( i ) . Uint ( )
latestValue := latestValues . Field ( i ) . Uint ( )
if inputValue > latestValue {
return true , nil
}
}
return false , nil
}
2023-06-01 07:55:46 -04:00
func enforceRequiredFlags ( cmd * cobra . Command , flags ... string ) error {
for _ , flag := range flags {
if err := cmd . MarkPersistentFlagRequired ( flag ) ; err != nil {
return err
}
}
return nil
}
func must ( err error ) {
if err != nil {
panic ( err )
}
}
