Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-01-26 15:27:53 -05:00
Code Issues Packages Projects Releases Wiki Activity
constellation/internal/api/attestationconfigapi/cli/client/client.go

191 lines
6.0 KiB
Go
Raw Normal View History

config: dynamic attestation configuration through S3 backed API (#1808)
2023-05-25 17:43:44 +01:00
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
/*
package client contains code to manage CVM versions in Constellation's CDN API.
It is used to upload and delete "latest" versions for AMD SEV-SNP and Intel TDX.
*/
package client
config: dynamic attestation configuration through S3 backed API (#1808)
2023-05-25 17:43:44 +01:00
import (
"context"
cli: fix Azure SEV-SNP latest version logic (#2343)
2023-09-25 11:53:02 +02:00
"errors"
config: dynamic attestation configuration through S3 backed API (#1808)
2023-05-25 17:43:44 +01:00
"fmt"
deps: convert zap to slog (#2825)
2024-02-08 14:20:01 +00:00
"log/slog"
config: dynamic attestation configuration through S3 backed API (#1808)
2023-05-25 17:43:44 +01:00
"time"
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
apiclient "github.com/edgelesssys/constellation/v2/internal/api/client"
attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
config: sign Azure versions on upload & verify on fetch (#1836) * add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-01 13:55:46 +02:00
"github.com/edgelesssys/constellation/v2/internal/sigstore"
cli: fix Azure SEV-SNP latest version logic (#2343)
2023-09-25 11:53:02 +02:00
config: sign Azure versions on upload & verify on fetch (#1836) * add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-01 13:55:46 +02:00
"github.com/edgelesssys/constellation/v2/internal/staticupload"
config: dynamic attestation configuration through S3 backed API (#1808)
2023-05-25 17:43:44 +01:00
)
config: fix fetcher parse azure sev-snp version (#1911)
2023-06-12 16:04:54 +02:00
// VersionFormat is the format of the version name in the S3 bucket.
const VersionFormat = "2006-01-02-15-04"
api: restructure api pkg (#1851) * api: rename AttestationVersionRepo to Client * api: move client into separate subpkg for clearer import paths. * api: rename configapi -> attestationconfig * api: rename versionsapi -> versions * api: rename sut to client * api: split versionsapi client and make it public * api: split versionapi fetcher and make it public * config: move attestationversion type to config * api: fix attestationconfig client test Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-06-02 09:19:23 +02:00
// Client manages (modifies) the version information for the attestation variants.
type Client struct {
cli: fix Azure SEV-SNP latest version logic (#2343)
2023-09-25 11:53:02 +02:00
s3Client *apiclient.Client
s3ClientClose func(ctx context.Context) error
bucketID string
signer sigstore.Signer
cacheWindowSize int
config: dynamic attestation configuration through S3 backed API (#1808)
2023-05-25 17:43:44 +01:00
}
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
// New returns a new Client.
func New(ctx context.Context, cfg staticupload.Config, cosignPwd, privateKey []byte, dryRun bool, versionWindowSize int, log *slog.Logger) (*Client, apiclient.CloseFunc, error) {
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
s3Client, clientClose, err := apiclient.NewClient(ctx, cfg.Region, cfg.Bucket, cfg.DistributionID, dryRun, log)
config: dynamic attestation configuration through S3 backed API (#1808)
2023-05-25 17:43:44 +01:00
if err != nil {
ci: use aws s3 client that invalidates cloudfront cache for places that modify Constellation api (#1839)
2023-06-02 11:20:01 +02:00
return nil, nil, fmt.Errorf("failed to create s3 storage: %w", err)
config: dynamic attestation configuration through S3 backed API (#1808)
2023-05-25 17:43:44 +01:00
}
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
ci: use aws s3 client that invalidates cloudfront cache for places that modify Constellation api (#1839)
2023-06-02 11:20:01 +02:00
repo := &Client{
cli: fix Azure SEV-SNP latest version logic (#2343)
2023-09-25 11:53:02 +02:00
s3Client: s3Client,
s3ClientClose: clientClose,
signer: sigstore.NewSigner(cosignPwd, privateKey),
bucketID: cfg.Bucket,
cacheWindowSize: versionWindowSize,
ci: use aws s3 client that invalidates cloudfront cache for places that modify Constellation api (#1839)
2023-06-02 11:20:01 +02:00
}
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
return repo, clientClose, nil
ci: use aws s3 client that invalidates cloudfront cache for places that modify Constellation api (#1839)
2023-06-02 11:20:01 +02:00
}
Support SEV-SNP on GCP (#3011) * terraform: enable creation of SEV-SNP VMs on GCP * variant: add SEV-SNP attestation variant * config: add SEV-SNP config options for GCP * measurements: add GCP SEV-SNP measurements * gcp: separate package for SEV-ES * attestation: add GCP SEV-SNP attestation logic * gcp: factor out common logic * choose: add GCP SEV-SNP * cli: add TF variable passthrough for GCP SEV-SNP variables * cli: support GCP SEV-SNP for `constellation verify` * Adjust usage of GCP SEV-SNP throughout codebase * ci: add GCP SEV-SNP * terraform-provider: support GCP SEV-SNP * docs: add GCP SEV-SNP reference * linter fixes * gcp: only run test with TPM simulator * gcp: remove nonsense test * Update cli/internal/cmd/verify.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update docs/docs/overview/clouds.md Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> * linter fixes * terraform_provider: correctly pass down CC technology * config: mark attestationconfigapi as unimplemented * gcp: fix comments and typos * snp: use nonce and PK hash in SNP report * snp: ensure we never use ARK supplied by Issuer (#3025) * Make sure SNP ARK is always loaded from config, or fetched from AMD KDS * GCP: Set validator `reportData` correctly --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * attestationconfigapi: add GCP to uploading * snp: use correct cert Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * terraform-provider: enable fetching of attestation config values for GCP SEV-SNP * linter fixes --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2024-04-16 18:13:47 +02:00
// uploadSEVSNPVersion uploads the latest version numbers of the SEVSNP. Then version name is the UTC timestamp of the date. The /list entry stores the version name + .json suffix.
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
func (a Client) uploadSEVSNPVersion(ctx context.Context, attestation variant.Variant, version attestationconfigapi.SEVSNPVersion, date time.Time) error {
api: refactor attestationconfigapi client/fetcher There is now one SEVSNPVersions type that has a variant property. That property is used to build the correct JSON path. The surrounding methods handling the version objects are also updated to receive a variant argument and work for multiple variants. This simplifies adding AWS support.
2023-11-14 10:03:01 +01:00
versions, err := a.List(ctx, attestation)
config: sign Azure versions on upload & verify on fetch (#1836) * add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-01 13:55:46 +02:00
if err != nil {
api: use new signature JSON format (#1872) * use new impl for client.UploadAzureSEVSNP * fix: fetcher must parse new signature format * version-file is not persistentflag * fix fetcher tests
2023-06-05 16:10:44 +02:00
return fmt.Errorf("fetch version list: %w", err)
config: sign Azure versions on upload & verify on fetch (#1836) * add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-01 13:55:46 +02:00
}
api: refactor attestationconfigapi client/fetcher There is now one SEVSNPVersions type that has a variant property. That property is used to build the correct JSON path. The surrounding methods handling the version objects are also updated to receive a variant argument and work for multiple variants. This simplifies adding AWS support.
2023-11-14 10:03:01 +01:00
ops := a.constructUploadCmd(attestation, version, versions, date)
api: use new signature type for Azure SNP versions * Remove signature checks from unittests. Would need to export signature from client/fetcher (unwanted). Can't figure out a better way. e2e test completes in ~4sec and runs automatically. So seems like a acceptable tradeoff. * list object is now signed, but not verified. If we start to verify the list we will have to adapt the e2e test to restore the previous list. Otherwise there could be conflicts between dev and release keys.
2023-08-25 15:10:24 +02:00
api: use new signature JSON format (#1872) * use new impl for client.UploadAzureSEVSNP * fix: fetcher must parse new signature format * version-file is not persistentflag * fix fetcher tests
2023-06-05 16:10:44 +02:00
return executeAllCmds(ctx, a.s3Client, ops)
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
}
api: refactor attestationconfigapi client/fetcher There is now one SEVSNPVersions type that has a variant property. That property is used to build the correct JSON path. The surrounding methods handling the version objects are also updated to receive a variant argument and work for multiple variants. This simplifies adding AWS support.
2023-11-14 10:03:01 +01:00
// DeleteSEVSNPVersion deletes the given version (without .json suffix) from the API.
func (a Client) DeleteSEVSNPVersion(ctx context.Context, attestation variant.Variant, versionStr string) error {
versions, err := a.List(ctx, attestation)
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
if err != nil {
api: use new signature JSON format (#1872) * use new impl for client.UploadAzureSEVSNP * fix: fetcher must parse new signature format * version-file is not persistentflag * fix fetcher tests
2023-06-05 16:10:44 +02:00
return fmt.Errorf("fetch version list: %w", err)
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
}
api: refactor attestationconfigapi client/fetcher There is now one SEVSNPVersions type that has a variant property. That property is used to build the correct JSON path. The surrounding methods handling the version objects are also updated to receive a variant argument and work for multiple variants. This simplifies adding AWS support.
2023-11-14 10:03:01 +01:00
ops, err := a.deleteSEVSNPVersion(versions, versionStr)
config: sign Azure versions on upload & verify on fetch (#1836) * add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-01 13:55:46 +02:00
if err != nil {
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
return err
config: sign Azure versions on upload & verify on fetch (#1836) * add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-01 13:55:46 +02:00
}
api: use new signature JSON format (#1872) * use new impl for client.UploadAzureSEVSNP * fix: fetcher must parse new signature format * version-file is not persistentflag * fix fetcher tests
2023-06-05 16:10:44 +02:00
return executeAllCmds(ctx, a.s3Client, ops)
config: sign Azure versions on upload & verify on fetch (#1836) * add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-01 13:55:46 +02:00
}
Use term "attestation variant" consistently
2023-06-25 23:32:39 +02:00
// List returns the list of versions for the given attestation variant.
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
func (a Client) List(ctx context.Context, attestation variant.Variant) (attestationconfigapi.SEVSNPVersionList, error) {
Support SEV-SNP on GCP (#3011) * terraform: enable creation of SEV-SNP VMs on GCP * variant: add SEV-SNP attestation variant * config: add SEV-SNP config options for GCP * measurements: add GCP SEV-SNP measurements * gcp: separate package for SEV-ES * attestation: add GCP SEV-SNP attestation logic * gcp: factor out common logic * choose: add GCP SEV-SNP * cli: add TF variable passthrough for GCP SEV-SNP variables * cli: support GCP SEV-SNP for `constellation verify` * Adjust usage of GCP SEV-SNP throughout codebase * ci: add GCP SEV-SNP * terraform-provider: support GCP SEV-SNP * docs: add GCP SEV-SNP reference * linter fixes * gcp: only run test with TPM simulator * gcp: remove nonsense test * Update cli/internal/cmd/verify.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update docs/docs/overview/clouds.md Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> * linter fixes * terraform_provider: correctly pass down CC technology * config: mark attestationconfigapi as unimplemented * gcp: fix comments and typos * snp: use nonce and PK hash in SNP report * snp: ensure we never use ARK supplied by Issuer (#3025) * Make sure SNP ARK is always loaded from config, or fetched from AMD KDS * GCP: Set validator `reportData` correctly --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * attestationconfigapi: add GCP to uploading * snp: use correct cert Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * terraform-provider: enable fetching of attestation config values for GCP SEV-SNP * linter fixes --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2024-04-16 18:13:47 +02:00
if !attestation.Equal(variant.AzureSEVSNP{}) &&
!attestation.Equal(variant.AWSSEVSNP{}) &&
!attestation.Equal(variant.GCPSEVSNP{}) {
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
return attestationconfigapi.SEVSNPVersionList{}, fmt.Errorf("unsupported attestation variant: %s", attestation)
api: refactor attestationconfigapi client/fetcher There is now one SEVSNPVersions type that has a variant property. That property is used to build the correct JSON path. The surrounding methods handling the version objects are also updated to receive a variant argument and work for multiple variants. This simplifies adding AWS support.
2023-11-14 10:03:01 +01:00
}
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
versions, err := apiclient.Fetch(ctx, a.s3Client, attestationconfigapi.SEVSNPVersionList{Variant: attestation})
api: refactor attestationconfigapi client/fetcher There is now one SEVSNPVersions type that has a variant property. That property is used to build the correct JSON path. The surrounding methods handling the version objects are also updated to receive a variant argument and work for multiple variants. This simplifies adding AWS support.
2023-11-14 10:03:01 +01:00
if err != nil {
var notFoundErr *apiclient.NotFoundError
if errors.As(err, &notFoundErr) {
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
return attestationconfigapi.SEVSNPVersionList{Variant: attestation}, nil
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
}
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
return attestationconfigapi.SEVSNPVersionList{}, err
config: dynamic attestation configuration through S3 backed API (#1808)
2023-05-25 17:43:44 +01:00
}
api: refactor attestationconfigapi client/fetcher There is now one SEVSNPVersions type that has a variant property. That property is used to build the correct JSON path. The surrounding methods handling the version objects are also updated to receive a variant argument and work for multiple variants. This simplifies adding AWS support.
2023-11-14 10:03:01 +01:00
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
versions.Variant = attestation
api: refactor attestationconfigapi client/fetcher There is now one SEVSNPVersions type that has a variant property. That property is used to build the correct JSON path. The surrounding methods handling the version objects are also updated to receive a variant argument and work for multiple variants. This simplifies adding AWS support.
2023-11-14 10:03:01 +01:00
return versions, nil
config: dynamic attestation configuration through S3 backed API (#1808)
2023-05-25 17:43:44 +01:00
}
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
func (a Client) deleteSEVSNPVersion(versions attestationconfigapi.SEVSNPVersionList, versionStr string) (ops []crudCmd, err error) {
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
versionStr = versionStr + ".json"
ops = append(ops, deleteCmd{
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
apiObject: attestationconfigapi.SEVSNPVersionAPI{
Variant: versions.Variant,
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
Version: versionStr,
},
})
removedVersions, err := removeVersion(versions, versionStr)
if err != nil {
return nil, err
}
ops = append(ops, putCmd{
apiObject: removedVersions,
api: use new signature type for Azure SNP versions * Remove signature checks from unittests. Would need to export signature from client/fetcher (unwanted). Can't figure out a better way. e2e test completes in ~4sec and runs automatically. So seems like a acceptable tradeoff. * list object is now signed, but not verified. If we start to verify the list we will have to adapt the e2e test to restore the previous list. Otherwise there could be conflicts between dev and release keys.
2023-08-25 15:10:24 +02:00
signer: a.signer,
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
})
return ops, nil
}
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
func (a Client) constructUploadCmd(attestation variant.Variant, version attestationconfigapi.SEVSNPVersion, versionNames attestationconfigapi.SEVSNPVersionList, date time.Time) []crudCmd {
if !attestation.Equal(versionNames.Variant) {
api: refactor attestationconfigapi client/fetcher There is now one SEVSNPVersions type that has a variant property. That property is used to build the correct JSON path. The surrounding methods handling the version objects are also updated to receive a variant argument and work for multiple variants. This simplifies adding AWS support.
2023-11-14 10:03:01 +01:00
return nil
}
config: fix fetcher parse azure sev-snp version (#1911)
2023-06-12 16:04:54 +02:00
dateStr := date.Format(VersionFormat) + ".json"
api: use new signature type for Azure SNP versions * Remove signature checks from unittests. Would need to export signature from client/fetcher (unwanted). Can't figure out a better way. e2e test completes in ~4sec and runs automatically. So seems like a acceptable tradeoff. * list object is now signed, but not verified. If we start to verify the list we will have to adapt the e2e test to restore the previous list. Otherwise there could be conflicts between dev and release keys.
2023-08-25 15:10:24 +02:00
var res []crudCmd
api: use new signature JSON format (#1872) * use new impl for client.UploadAzureSEVSNP * fix: fetcher must parse new signature format * version-file is not persistentflag * fix fetcher tests
2023-06-05 16:10:44 +02:00
api: use new signature type for Azure SNP versions * Remove signature checks from unittests. Would need to export signature from client/fetcher (unwanted). Can't figure out a better way. e2e test completes in ~4sec and runs automatically. So seems like a acceptable tradeoff. * list object is now signed, but not verified. If we start to verify the list we will have to adapt the e2e test to restore the previous list. Otherwise there could be conflicts between dev and release keys.
2023-08-25 15:10:24 +02:00
res = append(res, putCmd{
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
apiObject: attestationconfigapi.SEVSNPVersionAPI{Version: dateStr, Variant: attestation, SEVSNPVersion: version},
api: use new signature type for Azure SNP versions * Remove signature checks from unittests. Would need to export signature from client/fetcher (unwanted). Can't figure out a better way. e2e test completes in ~4sec and runs automatically. So seems like a acceptable tradeoff. * list object is now signed, but not verified. If we start to verify the list we will have to adapt the e2e test to restore the previous list. Otherwise there could be conflicts between dev and release keys.
2023-08-25 15:10:24 +02:00
signer: a.signer,
})
api: use new signature JSON format (#1872) * use new impl for client.UploadAzureSEVSNP * fix: fetcher must parse new signature format * version-file is not persistentflag * fix fetcher tests
2023-06-05 16:10:44 +02:00
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
versionNames.AddVersion(dateStr)
api: refactor attestationconfigapi client/fetcher There is now one SEVSNPVersions type that has a variant property. That property is used to build the correct JSON path. The surrounding methods handling the version objects are also updated to receive a variant argument and work for multiple variants. This simplifies adding AWS support.
2023-11-14 10:03:01 +01:00
api: use new signature type for Azure SNP versions * Remove signature checks from unittests. Would need to export signature from client/fetcher (unwanted). Can't figure out a better way. e2e test completes in ~4sec and runs automatically. So seems like a acceptable tradeoff. * list object is now signed, but not verified. If we start to verify the list we will have to adapt the e2e test to restore the previous list. Otherwise there could be conflicts between dev and release keys.
2023-08-25 15:10:24 +02:00
res = append(res, putCmd{
api: refactor attestationconfigapi client/fetcher There is now one SEVSNPVersions type that has a variant property. That property is used to build the correct JSON path. The surrounding methods handling the version objects are also updated to receive a variant argument and work for multiple variants. This simplifies adding AWS support.
2023-11-14 10:03:01 +01:00
apiObject: versionNames,
api: use new signature type for Azure SNP versions * Remove signature checks from unittests. Would need to export signature from client/fetcher (unwanted). Can't figure out a better way. e2e test completes in ~4sec and runs automatically. So seems like a acceptable tradeoff. * list object is now signed, but not verified. If we start to verify the list we will have to adapt the e2e test to restore the previous list. Otherwise there could be conflicts between dev and release keys.
2023-08-25 15:10:24 +02:00
signer: a.signer,
})
config: dynamic attestation configuration through S3 backed API (#1808)
2023-05-25 17:43:44 +01:00
api: use new signature type for Azure SNP versions * Remove signature checks from unittests. Would need to export signature from client/fetcher (unwanted). Can't figure out a better way. e2e test completes in ~4sec and runs automatically. So seems like a acceptable tradeoff. * list object is now signed, but not verified. If we start to verify the list we will have to adapt the e2e test to restore the previous list. Otherwise there could be conflicts between dev and release keys.
2023-08-25 15:10:24 +02:00
return res
config: sign Azure versions on upload & verify on fetch (#1836) * add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-01 13:55:46 +02:00
}
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
func removeVersion(list attestationconfigapi.SEVSNPVersionList, versionStr string) (removedVersions attestationconfigapi.SEVSNPVersionList, err error) {
versions := list.List
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
for i, v := range versions {
if v == versionStr {
if i == len(versions)-1 {
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
removedVersions = attestationconfigapi.SEVSNPVersionList{List: versions[:i], Variant: list.Variant}
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
} else {
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
removedVersions = attestationconfigapi.SEVSNPVersionList{List: append(versions[:i], versions[i+1:]...), Variant: list.Variant}
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
}
return removedVersions, nil
}
config: sign Azure versions on upload & verify on fetch (#1836) * add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-01 13:55:46 +02:00
}
Move upload/delete code to its own package Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-11 14:50:38 +02:00
return attestationconfigapi.SEVSNPVersionList{}, fmt.Errorf("version %s not found in list %v", versionStr, versions)
config: sign Azure versions on upload & verify on fetch (#1836) * add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-01 13:55:46 +02:00
}
api: use new signature JSON format (#1872) * use new impl for client.UploadAzureSEVSNP * fix: fetcher must parse new signature format * version-file is not persistentflag * fix fetcher tests
2023-06-05 16:10:44 +02:00
type crudCmd interface {
Execute(ctx context.Context, c *apiclient.Client) error
}
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
type deleteCmd struct {
apiObject apiclient.APIObject
}
func (d deleteCmd) Execute(ctx context.Context, c *apiclient.Client) error {
api: use new signature type for Azure SNP versions * Remove signature checks from unittests. Would need to export signature from client/fetcher (unwanted). Can't figure out a better way. e2e test completes in ~4sec and runs automatically. So seems like a acceptable tradeoff. * list object is now signed, but not verified. If we start to verify the list we will have to adapt the e2e test to restore the previous list. Otherwise there could be conflicts between dev and release keys.
2023-08-25 15:10:24 +02:00
return apiclient.DeleteWithSignature(ctx, c, d.apiObject)
config: dynamic attestation configuration through S3 backed API (#1808)
2023-05-25 17:43:44 +01:00
}
ci: use aws s3 client that invalidates cloudfront cache for places that modify Constellation api (#1839)
2023-06-02 11:20:01 +02:00
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
type putCmd struct {
apiObject apiclient.APIObject
api: use new signature type for Azure SNP versions * Remove signature checks from unittests. Would need to export signature from client/fetcher (unwanted). Can't figure out a better way. e2e test completes in ~4sec and runs automatically. So seems like a acceptable tradeoff. * list object is now signed, but not verified. If we start to verify the list we will have to adapt the e2e test to restore the previous list. Otherwise there could be conflicts between dev and release keys.
2023-08-25 15:10:24 +02:00
signer sigstore.Signer
ci: use aws s3 client that invalidates cloudfront cache for places that modify Constellation api (#1839)
2023-06-02 11:20:01 +02:00
}
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
func (p putCmd) Execute(ctx context.Context, c *apiclient.Client) error {
api: use new signature type for Azure SNP versions * Remove signature checks from unittests. Would need to export signature from client/fetcher (unwanted). Can't figure out a better way. e2e test completes in ~4sec and runs automatically. So seems like a acceptable tradeoff. * list object is now signed, but not verified. If we start to verify the list we will have to adapt the e2e test to restore the previous list. Otherwise there could be conflicts between dev and release keys.
2023-08-25 15:10:24 +02:00
return apiclient.SignAndUpdate(ctx, c, p.apiObject, p.signer)
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
}
api: use new signature JSON format (#1872) * use new impl for client.UploadAzureSEVSNP * fix: fetcher must parse new signature format * version-file is not persistentflag * fix fetcher tests
2023-06-05 16:10:44 +02:00
func executeAllCmds(ctx context.Context, client *apiclient.Client, cmds []crudCmd) error {
for _, cmd := range cmds {
if err := cmd.Execute(ctx, client); err != nil {
return fmt.Errorf("execute operation %+v: %w", cmd, err)
}
}
return nil
config: Azure SNP tool can delete specific version from attestation API (#1863) * client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
}
Reference in New Issue Copy Permalink