constellation/cli/internal/cloudcmd/validators.go

/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

package cloudcmd

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"

	"github.com/edgelesssys/constellation/v2/internal/atls"
	"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
	"github.com/edgelesssys/constellation/v2/internal/config"
	"github.com/spf13/cobra"
)

// NewValidator creates a new Validator.
func NewValidator(cmd *cobra.Command, config config.AttestationCfg, log debugLog) (atls.Validator, error) {
	return choose.Validator(config, warnLogger{cmd: cmd, log: log})
}

// UpdateInitPCRs sets the owner and cluster PCR values.
func UpdateInitPCRs(config config.AttestationCfg, ownerID, clusterID string) error {
	m := config.GetMeasurements()
	if err := updatePCR(m, uint32(measurements.PCRIndexOwnerID), ownerID); err != nil {
		return err
	}
	return updatePCR(m, uint32(measurements.PCRIndexClusterID), clusterID)
}

// updatePCR adds a new entry to the measurements of v, or removes the key if the input is an empty string.
//
// When adding, the input is first decoded from hex or base64.
// We then calculate the expected PCR by hashing the input using SHA256,
// appending expected PCR for initialization, and then hashing once more.
func updatePCR(m measurements.M, pcrIndex uint32, encoded string) error {
	if encoded == "" {
		delete(m, pcrIndex)
		return nil
	}

	// decode from hex or base64
	decoded, err := hex.DecodeString(encoded)
	if err != nil {
		hexErr := err
		decoded, err = base64.StdEncoding.DecodeString(encoded)
		if err != nil {
			return fmt.Errorf("input [%s] could neither be hex decoded (%w) nor base64 decoded (%w)", encoded, hexErr, err)
		}
	}
	// new_pcr_value := hash(old_pcr_value || data_to_extend)
	// Since we use the TPM2_PCR_Event call to extend the PCR, data_to_extend is the hash of our input
	hashedInput := sha256.Sum256(decoded)
	oldExpected := m[pcrIndex].Expected
	expectedPcr := sha256.Sum256(append(oldExpected[:], hashedInput[:]...))
	m[pcrIndex] = measurements.Measurement{
		Expected:      expectedPcr,
		ValidationOpt: m[pcrIndex].ValidationOpt,
	}
	return nil
}

// warnLogger implements logging of warnings for validators.
type warnLogger struct {
	cmd *cobra.Command
	log debugLog
}

// Infof messages are reduced to debug messages, since we don't want
// the extra info when using the CLI without setting the debug flag.
func (wl warnLogger) Infof(fmtStr string, args ...any) {
	wl.log.Debugf(fmtStr, args...)
}

// Warnf prints a formatted warning from the validator.
func (wl warnLogger) Warnf(fmtStr string, args ...any) {
	wl.cmd.PrintErrf("Warning: %s\n", fmt.Sprintf(fmtStr, args...))
}

type debugLog interface {
	Debugf(format string, args ...any)
	Sync()
}
add license headers sed -i '1i/\nCopyright (c) Edgeless Systems GmbH\n\nSPDX-License-Identifier: AGPL-3.0-only\n/\n' `grep -rL --include='*.go' 'DO NOT EDIT'` gofumpt -w . 2022-09-05 03:06:08 -04:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`

			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

Move validators to cloudcmd 2022-04-19 11:02:02 -04:00			`package cloudcmd`

			`import (`
Refactor verify command 2022-04-27 05:17:41 -04:00			`"crypto/sha256"`
			`"encoding/base64"`
AB#2350: Configurably enforce idkeydigest on Azure * Add join-config entry for "enforceIdKeyDigest" bool * Add join-config entry for "idkeydigest" * Initially filled with TPM value from bootstrapper * Add config entries for idkeydigest and enforceIdKeyDigest * Extend azure attestation validator to check idkeydigest, if configured. * Update unittests * Add logger to NewValidator for all CSPs * Add csp to Updateable type Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> 2022-08-29 10:41:09 -04:00			`"encoding/hex"`
Move validators to cloudcmd 2022-04-19 11:02:02 -04:00			`"fmt"`

Upgrade go module to v2 2022-09-21 07:47:57 -04:00			`"github.com/edgelesssys/constellation/v2/internal/atls"`
config: add attestation variant (#1413) * Add attestation type to config (optional for now) * Get attestation variant from config in CLI * Set attestation variant for Constellation services in helm deployments * Remove AzureCVM variable from helm deployments --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-14 06:46:27 -04:00			`"github.com/edgelesssys/constellation/v2/internal/attestation/choose"`
AB#2512 Config secrets via env var & config refactoring (#544) * refactor measurements to use consistent types and less byte pushing * refactor: only rely on a single multierr dependency * extend config creation with envar support * document changes Signed-off-by: Fabian Kammel <fk@edgeless.systems> 2022-11-15 09:40:49 -05:00			`"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"`
Upgrade go module to v2 2022-09-21 07:47:57 -04:00			`"github.com/edgelesssys/constellation/v2/internal/config"`
AB#2316 Configurable enforced PCRs (#361) * Add warnings for non enforced, untrusted PCRs * Fix global state in Config PCR map Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-08-12 09:59:45 -04:00			`"github.com/spf13/cobra"`
Move validators to cloudcmd 2022-04-19 11:02:02 -04:00			`)`

Document exported funcs,types,interfaces and enable check. (#475) * Include EXC0014 and fix issues. * Include EXC0012 and fix issues. Signed-off-by: Fabian Kammel <fk@edgeless.systems> Co-authored-by: Otto Bittner <cobittner@posteo.net> 2022-11-09 09:57:54 -05:00			`// NewValidator creates a new Validator.`
config: add separate option for handling attestation parameters (#1623) * Add attestation options to config * Add join-config migration path for clusters with old measurement format * Always create MAA provider for Azure SNP clusters * Remove confidential VM option from provider in favor of attestation options * cli: add config migrate command to handle config migration (#1678) --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-03 05:11:53 -04:00			`func NewValidator(cmd *cobra.Command, config config.AttestationCfg, log debugLog) (atls.Validator, error) {`
			`return choose.Validator(config, warnLogger{cmd: cmd, log: log})`
Refactor verify command 2022-04-27 05:17:41 -04:00			`}`

Document exported funcs,types,interfaces and enable check. (#475) * Include EXC0014 and fix issues. * Include EXC0012 and fix issues. Signed-off-by: Fabian Kammel <fk@edgeless.systems> Co-authored-by: Otto Bittner <cobittner@posteo.net> 2022-11-09 09:57:54 -05:00			`// UpdateInitPCRs sets the owner and cluster PCR values.`
config: add separate option for handling attestation parameters (#1623) * Add attestation options to config * Add join-config migration path for clusters with old measurement format * Always create MAA provider for Azure SNP clusters * Remove confidential VM option from provider in favor of attestation options * cli: add config migrate command to handle config migration (#1678) --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-03 05:11:53 -04:00			`func UpdateInitPCRs(config config.AttestationCfg, ownerID, clusterID string) error {`
			`m := config.GetMeasurements()`
			`if err := updatePCR(m, uint32(measurements.PCRIndexOwnerID), ownerID); err != nil {`
Refactor verify command 2022-04-27 05:17:41 -04:00			`return err`
			`}`
config: add separate option for handling attestation parameters (#1623) * Add attestation options to config * Add join-config migration path for clusters with old measurement format * Always create MAA provider for Azure SNP clusters * Remove confidential VM option from provider in favor of attestation options * cli: add config migrate command to handle config migration (#1678) --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-03 05:11:53 -04:00			`return updatePCR(m, uint32(measurements.PCRIndexClusterID), clusterID)`
Refactor verify command 2022-04-27 05:17:41 -04:00			`}`

Refactor enforced/expected PCRs (#553) * Merge enforced and expected measurements * Update measurement generation to new format * Write expected measurements hex encoded by default * Allow hex or base64 encoded expected measurements * Allow hex or base64 encoded clusterID * Allow security upgrades to warnOnly flag * Upload signed measurements in JSON format * Fetch measurements either from JSON or YAML * Use yaml.v3 instead of yaml.v2 * Error on invalid enforced selection * Add placeholder measurements to config * Update e2e test to new measurement format Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-11-24 04:57:58 -05:00			`// updatePCR adds a new entry to the measurements of v, or removes the key if the input is an empty string.`
Refactor verify command 2022-04-27 05:17:41 -04:00			`//`
Refactor enforced/expected PCRs (#553) * Merge enforced and expected measurements * Update measurement generation to new format * Write expected measurements hex encoded by default * Allow hex or base64 encoded expected measurements * Allow hex or base64 encoded clusterID * Allow security upgrades to warnOnly flag * Upload signed measurements in JSON format * Fetch measurements either from JSON or YAML * Use yaml.v3 instead of yaml.v2 * Error on invalid enforced selection * Add placeholder measurements to config * Update e2e test to new measurement format Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-11-24 04:57:58 -05:00			`// When adding, the input is first decoded from hex or base64.`
Refactor verify command 2022-04-27 05:17:41 -04:00			`// We then calculate the expected PCR by hashing the input using SHA256,`
			`// appending expected PCR for initialization, and then hashing once more.`
config: add separate option for handling attestation parameters (#1623) * Add attestation options to config * Add join-config migration path for clusters with old measurement format * Always create MAA provider for Azure SNP clusters * Remove confidential VM option from provider in favor of attestation options * cli: add config migrate command to handle config migration (#1678) --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-03 05:11:53 -04:00			`func updatePCR(m measurements.M, pcrIndex uint32, encoded string) error {`
Refactor verify command 2022-04-27 05:17:41 -04:00			`if encoded == "" {`
config: add separate option for handling attestation parameters (#1623) * Add attestation options to config * Add join-config migration path for clusters with old measurement format * Always create MAA provider for Azure SNP clusters * Remove confidential VM option from provider in favor of attestation options * cli: add config migrate command to handle config migration (#1678) --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-03 05:11:53 -04:00			`delete(m, pcrIndex)`
Refactor verify command 2022-04-27 05:17:41 -04:00			`return nil`
			`}`
Refactor enforced/expected PCRs (#553) * Merge enforced and expected measurements * Update measurement generation to new format * Write expected measurements hex encoded by default * Allow hex or base64 encoded expected measurements * Allow hex or base64 encoded clusterID * Allow security upgrades to warnOnly flag * Upload signed measurements in JSON format * Fetch measurements either from JSON or YAML * Use yaml.v3 instead of yaml.v2 * Error on invalid enforced selection * Add placeholder measurements to config * Update e2e test to new measurement format Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-11-24 04:57:58 -05:00
			`// decode from hex or base64`
			`decoded, err := hex.DecodeString(encoded)`
Refactor verify command 2022-04-27 05:17:41 -04:00			`if err != nil {`
Refactor enforced/expected PCRs (#553) * Merge enforced and expected measurements * Update measurement generation to new format * Write expected measurements hex encoded by default * Allow hex or base64 encoded expected measurements * Allow hex or base64 encoded clusterID * Allow security upgrades to warnOnly flag * Upload signed measurements in JSON format * Fetch measurements either from JSON or YAML * Use yaml.v3 instead of yaml.v2 * Error on invalid enforced selection * Add placeholder measurements to config * Update e2e test to new measurement format Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-11-24 04:57:58 -05:00			`hexErr := err`
			`decoded, err = base64.StdEncoding.DecodeString(encoded)`
			`if err != nil {`
deps: replace multierr with native errors.Join Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-02-07 06:56:25 -05:00			`return fmt.Errorf("input [%s] could neither be hex decoded (%w) nor base64 decoded (%w)", encoded, hexErr, err)`
Refactor enforced/expected PCRs (#553) * Merge enforced and expected measurements * Update measurement generation to new format * Write expected measurements hex encoded by default * Allow hex or base64 encoded expected measurements * Allow hex or base64 encoded clusterID * Allow security upgrades to warnOnly flag * Upload signed measurements in JSON format * Fetch measurements either from JSON or YAML * Use yaml.v3 instead of yaml.v2 * Error on invalid enforced selection * Add placeholder measurements to config * Update e2e test to new measurement format Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-11-24 04:57:58 -05:00			`}`
Refactor verify command 2022-04-27 05:17:41 -04:00			`}`
			`// new_pcr_value := hash(old_pcr_value \|\| data_to_extend)`
			`// Since we use the TPM2_PCR_Event call to extend the PCR, data_to_extend is the hash of our input`
			`hashedInput := sha256.Sum256(decoded)`
config: add separate option for handling attestation parameters (#1623) * Add attestation options to config * Add join-config migration path for clusters with old measurement format * Always create MAA provider for Azure SNP clusters * Remove confidential VM option from provider in favor of attestation options * cli: add config migrate command to handle config migration (#1678) --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-03 05:11:53 -04:00			`oldExpected := m[pcrIndex].Expected`
Refactor enforced/expected PCRs (#553) * Merge enforced and expected measurements * Update measurement generation to new format * Write expected measurements hex encoded by default * Allow hex or base64 encoded expected measurements * Allow hex or base64 encoded clusterID * Allow security upgrades to warnOnly flag * Upload signed measurements in JSON format * Fetch measurements either from JSON or YAML * Use yaml.v3 instead of yaml.v2 * Error on invalid enforced selection * Add placeholder measurements to config * Update e2e test to new measurement format Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-11-24 04:57:58 -05:00			`expectedPcr := sha256.Sum256(append(oldExpected[:], hashedInput[:]...))`
config: add separate option for handling attestation parameters (#1623) * Add attestation options to config * Add join-config migration path for clusters with old measurement format * Always create MAA provider for Azure SNP clusters * Remove confidential VM option from provider in favor of attestation options * cli: add config migrate command to handle config migration (#1678) --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-03 05:11:53 -04:00			`m[pcrIndex] = measurements.Measurement{`
measurements: refactor validation option (#1462) Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-03-22 06:47:39 -04:00			`Expected: expectedPcr,`
config: add separate option for handling attestation parameters (#1623) * Add attestation options to config * Add join-config migration path for clusters with old measurement format * Always create MAA provider for Azure SNP clusters * Remove confidential VM option from provider in favor of attestation options * cli: add config migrate command to handle config migration (#1678) --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-03 05:11:53 -04:00			`ValidationOpt: m[pcrIndex].ValidationOpt,`
Refactor enforced/expected PCRs (#553) * Merge enforced and expected measurements * Update measurement generation to new format * Write expected measurements hex encoded by default * Allow hex or base64 encoded expected measurements * Allow hex or base64 encoded clusterID * Allow security upgrades to warnOnly flag * Upload signed measurements in JSON format * Fetch measurements either from JSON or YAML * Use yaml.v3 instead of yaml.v2 * Error on invalid enforced selection * Add placeholder measurements to config * Update e2e test to new measurement format Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-11-24 04:57:58 -05:00			`}`
Refactor verify command 2022-04-27 05:17:41 -04:00			`return nil`
			`}`

AB#2316 Configurable enforced PCRs (#361) * Add warnings for non enforced, untrusted PCRs * Fix global state in Config PCR map Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-08-12 09:59:45 -04:00			`// warnLogger implements logging of warnings for validators.`
			`type warnLogger struct {`
			`cmd *cobra.Command`
cli: attestation validator debug output (#1262) * Wrote->Written * Add Validator info logs to debug output --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-03 10:50:25 -05:00			`log debugLog`
fix ci-lint issues (#287) Signed-off-by: Fabian Kammel <fk@edgeless.systems> 2022-07-20 10:44:41 -04:00			`}`

cli: attestation validator debug output (#1262) * Wrote->Written * Add Validator info logs to debug output --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-03 10:50:25 -05:00			`// Infof messages are reduced to debug messages, since we don't want`
			`// the extra info when using the CLI without setting the debug flag.`
			`func (wl warnLogger) Infof(fmtStr string, args ...any) {`
			`wl.log.Debugf(fmtStr, args...)`
			`}`
Attestation logging (#275) * Add section for checking joinservice logs * Add logging for attestation validation Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-10-14 10:29:21 -04:00
AB#2316 Configurable enforced PCRs (#361) * Add warnings for non enforced, untrusted PCRs * Fix global state in Config PCR map Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-08-12 09:59:45 -04:00			`// Warnf prints a formatted warning from the validator.`
Replace interface{} -> any (#370) 2022-10-25 09:51:23 -04:00			`func (wl warnLogger) Warnf(fmtStr string, args ...any) {`
AB#2316 Configurable enforced PCRs (#361) * Add warnings for non enforced, untrusted PCRs * Fix global state in Config PCR map Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-08-12 09:59:45 -04:00			`wl.cmd.PrintErrf("Warning: %s\n", fmt.Sprintf(fmtStr, args...))`
Move validators to cloudcmd 2022-04-19 11:02:02 -04:00			`}`
cli: add kubernetes pkg to interface with cluster Previously the content of files status and upgrade within the cloudcmd pkg did not fit cloudcmd's pkg description. This patch introduces a separate pkg to fix that. 2023-03-30 10:13:14 -04:00
			`type debugLog interface {`
			`Debugf(format string, args ...any)`
			`Sync()`
			`}`