2022-09-05 03:06:08 -04:00
|
|
|
/*
|
|
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
*/
|
|
|
|
|
2022-03-22 11:03:15 -04:00
|
|
|
package cmd
|
|
|
|
|
|
|
|
import (
|
2022-06-28 11:03:28 -04:00
|
|
|
"bytes"
|
|
|
|
"context"
|
2022-03-22 11:03:15 -04:00
|
|
|
"errors"
|
|
|
|
"fmt"
|
2022-06-28 11:03:28 -04:00
|
|
|
"net"
|
2022-07-29 02:24:13 -04:00
|
|
|
"strconv"
|
|
|
|
"strings"
|
2022-03-22 11:03:15 -04:00
|
|
|
|
2022-06-08 02:26:08 -04:00
|
|
|
"github.com/edgelesssys/constellation/cli/internal/cloudcmd"
|
2022-06-28 11:03:28 -04:00
|
|
|
"github.com/edgelesssys/constellation/internal/atls"
|
2022-06-07 05:08:44 -04:00
|
|
|
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
2022-05-04 02:50:50 -04:00
|
|
|
"github.com/edgelesssys/constellation/internal/constants"
|
2022-07-26 04:58:39 -04:00
|
|
|
"github.com/edgelesssys/constellation/internal/crypto"
|
2022-05-16 11:32:00 -04:00
|
|
|
"github.com/edgelesssys/constellation/internal/file"
|
2022-06-28 11:03:28 -04:00
|
|
|
"github.com/edgelesssys/constellation/internal/grpc/dialer"
|
|
|
|
"github.com/edgelesssys/constellation/verify/verifyproto"
|
2022-04-27 05:17:41 -04:00
|
|
|
"github.com/spf13/afero"
|
2022-03-22 11:03:15 -04:00
|
|
|
"github.com/spf13/cobra"
|
2022-06-28 11:03:28 -04:00
|
|
|
"google.golang.org/grpc"
|
2022-03-22 11:03:15 -04:00
|
|
|
)
|
|
|
|
|
2022-06-08 02:14:28 -04:00
|
|
|
// NewVerifyCmd returns a new cobra.Command for the verify command.
|
|
|
|
func NewVerifyCmd() *cobra.Command {
|
2022-03-22 11:03:15 -04:00
|
|
|
cmd := &cobra.Command{
|
2022-05-04 02:50:50 -04:00
|
|
|
Use: "verify {aws|azure|gcp}",
|
2022-05-09 11:02:47 -04:00
|
|
|
Short: "Verify the confidential properties of a Constellation cluster",
|
2022-07-01 04:57:29 -04:00
|
|
|
Long: `Verify the confidential properties of a Constellation cluster.
|
|
|
|
|
2022-07-05 07:52:36 -04:00
|
|
|
If arguments aren't specified, values are read from ` + "`" + constants.ClusterIDsFileName + "`.",
|
2022-04-27 05:17:41 -04:00
|
|
|
Args: cobra.MatchAll(
|
2022-05-04 02:50:50 -04:00
|
|
|
cobra.ExactArgs(1),
|
2022-04-27 05:17:41 -04:00
|
|
|
isCloudProvider(0),
|
2022-05-04 02:50:50 -04:00
|
|
|
warnAWS(0),
|
2022-04-27 05:17:41 -04:00
|
|
|
),
|
|
|
|
RunE: runVerify,
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
2022-05-06 11:51:41 -04:00
|
|
|
cmd.Flags().String("owner-id", "", "verify using the owner identity derived from the master secret")
|
2022-07-27 10:10:50 -04:00
|
|
|
cmd.Flags().String("cluster-id", "", "verify using Constellation's cluster identifier")
|
2022-07-01 04:57:29 -04:00
|
|
|
cmd.Flags().StringP("node-endpoint", "e", "", "endpoint of the node to verify, passed as HOST[:PORT]")
|
2022-03-22 11:03:15 -04:00
|
|
|
return cmd
|
|
|
|
}
|
|
|
|
|
2022-04-27 05:17:41 -04:00
|
|
|
func runVerify(cmd *cobra.Command, args []string) error {
|
|
|
|
provider := cloudprovider.FromString(args[0])
|
|
|
|
fileHandler := file.NewHandler(afero.NewOsFs())
|
2022-06-28 11:03:28 -04:00
|
|
|
verifyClient := &constellationVerifier{dialer: dialer.New(nil, nil, &net.Dialer{})}
|
|
|
|
return verify(cmd, provider, fileHandler, verifyClient)
|
2022-04-27 05:17:41 -04:00
|
|
|
}
|
|
|
|
|
2022-06-28 11:03:28 -04:00
|
|
|
func verify(
|
|
|
|
cmd *cobra.Command, provider cloudprovider.Provider, fileHandler file.Handler, verifyClient verifyClient,
|
|
|
|
) error {
|
2022-07-01 04:57:29 -04:00
|
|
|
flags, err := parseVerifyFlags(cmd, fileHandler)
|
2022-04-27 05:17:41 -04:00
|
|
|
if err != nil {
|
2022-03-22 11:03:15 -04:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-05-23 09:01:39 -04:00
|
|
|
config, err := readConfig(cmd.OutOrStdout(), fileHandler, flags.configPath, provider)
|
2022-04-27 05:17:41 -04:00
|
|
|
if err != nil {
|
2022-06-09 10:10:42 -04:00
|
|
|
return fmt.Errorf("reading and validating config: %w", err)
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
|
|
|
|
2022-08-09 08:04:40 -04:00
|
|
|
validators, err := cloudcmd.NewValidator(provider, config)
|
2022-03-22 11:03:15 -04:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-04-27 05:17:41 -04:00
|
|
|
if err := validators.UpdateInitPCRs(flags.ownerID, flags.clusterID); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-07-26 04:58:39 -04:00
|
|
|
nonce, err := crypto.GenerateRandomBytes(32)
|
2022-06-28 11:03:28 -04:00
|
|
|
if err != nil {
|
2022-04-27 05:17:41 -04:00
|
|
|
return err
|
|
|
|
}
|
2022-07-26 04:58:39 -04:00
|
|
|
userData, err := crypto.GenerateRandomBytes(32)
|
2022-06-28 11:03:28 -04:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := verifyClient.Verify(
|
|
|
|
cmd.Context(),
|
|
|
|
flags.endpoint,
|
|
|
|
&verifyproto.GetAttestationRequest{
|
|
|
|
Nonce: nonce,
|
|
|
|
UserData: userData,
|
|
|
|
},
|
2022-08-12 09:59:45 -04:00
|
|
|
validators.V(cmd),
|
2022-06-28 11:03:28 -04:00
|
|
|
); err != nil {
|
2022-03-22 11:03:15 -04:00
|
|
|
return err
|
|
|
|
}
|
2022-04-27 05:17:41 -04:00
|
|
|
|
|
|
|
cmd.Println("OK")
|
2022-03-22 11:03:15 -04:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-07-01 04:57:29 -04:00
|
|
|
func parseVerifyFlags(cmd *cobra.Command, fileHandler file.Handler) (verifyFlags, error) {
|
|
|
|
configPath, err := cmd.Flags().GetString("config")
|
|
|
|
if err != nil {
|
|
|
|
return verifyFlags{}, fmt.Errorf("parsing config path argument: %w", err)
|
|
|
|
}
|
2022-03-22 11:03:15 -04:00
|
|
|
ownerID, err := cmd.Flags().GetString("owner-id")
|
|
|
|
if err != nil {
|
2022-06-09 10:10:42 -04:00
|
|
|
return verifyFlags{}, fmt.Errorf("parsing owner-id argument: %w", err)
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
2022-07-26 04:58:39 -04:00
|
|
|
clusterID, err := cmd.Flags().GetString("cluster-id")
|
2022-03-22 11:03:15 -04:00
|
|
|
if err != nil {
|
2022-07-26 04:58:39 -04:00
|
|
|
return verifyFlags{}, fmt.Errorf("parsing cluster-id argument: %w", err)
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
2022-05-04 02:50:50 -04:00
|
|
|
endpoint, err := cmd.Flags().GetString("node-endpoint")
|
|
|
|
if err != nil {
|
2022-06-09 10:10:42 -04:00
|
|
|
return verifyFlags{}, fmt.Errorf("parsing node-endpoint argument: %w", err)
|
2022-05-04 02:50:50 -04:00
|
|
|
}
|
|
|
|
|
2022-07-01 04:57:29 -04:00
|
|
|
emptyEndpoint := endpoint == ""
|
|
|
|
emptyIDs := ownerID == "" && clusterID == ""
|
2022-07-29 02:24:13 -04:00
|
|
|
|
|
|
|
var idFile clusterIDsFile
|
|
|
|
if emptyEndpoint || emptyIDs { // Get empty values from ID file
|
|
|
|
if err := fileHandler.ReadJSON(constants.ClusterIDsFileName, &idFile); err != nil {
|
|
|
|
return verifyFlags{}, fmt.Errorf("reading cluster ID file: %w", err)
|
2022-07-01 04:57:29 -04:00
|
|
|
}
|
|
|
|
}
|
2022-07-29 02:24:13 -04:00
|
|
|
if emptyEndpoint {
|
|
|
|
cmd.Printf("Using endpoint from %q. Specify --node-endpoint to override this.\n", constants.ClusterIDsFileName)
|
|
|
|
endpoint = idFile.IP
|
|
|
|
}
|
|
|
|
if emptyIDs {
|
|
|
|
cmd.Printf("Using IDs from %q. Specify --owner-id and/or --cluster-id to override this.\n", constants.ClusterIDsFileName)
|
|
|
|
ownerID = idFile.OwnerID
|
|
|
|
clusterID = idFile.ClusterID
|
|
|
|
}
|
2022-07-01 04:57:29 -04:00
|
|
|
|
|
|
|
// Validate
|
|
|
|
if ownerID == "" && clusterID == "" {
|
2022-07-26 04:58:39 -04:00
|
|
|
return verifyFlags{}, errors.New("neither owner-id nor cluster-id provided to verify the cluster")
|
2022-07-01 04:57:29 -04:00
|
|
|
}
|
2022-07-29 02:24:13 -04:00
|
|
|
endpoint, err = addPortIfMissing(endpoint, constants.VerifyServiceNodePortGRPC)
|
2022-03-22 11:03:15 -04:00
|
|
|
if err != nil {
|
2022-07-01 04:57:29 -04:00
|
|
|
return verifyFlags{}, fmt.Errorf("validating endpoint argument: %w", err)
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
|
|
|
|
2022-04-27 05:17:41 -04:00
|
|
|
return verifyFlags{
|
2022-05-13 05:56:43 -04:00
|
|
|
endpoint: endpoint,
|
|
|
|
configPath: configPath,
|
|
|
|
ownerID: ownerID,
|
|
|
|
clusterID: clusterID,
|
2022-04-27 05:17:41 -04:00
|
|
|
}, nil
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
|
|
|
|
2022-04-27 05:17:41 -04:00
|
|
|
type verifyFlags struct {
|
2022-05-13 05:56:43 -04:00
|
|
|
endpoint string
|
|
|
|
ownerID string
|
|
|
|
clusterID string
|
|
|
|
configPath string
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
|
|
|
|
2022-07-29 02:24:13 -04:00
|
|
|
func addPortIfMissing(endpoint string, defaultPort int) (string, error) {
|
|
|
|
if endpoint == "" {
|
|
|
|
return "", errors.New("endpoint is empty")
|
|
|
|
}
|
|
|
|
|
|
|
|
_, _, err := net.SplitHostPort(endpoint)
|
|
|
|
if err == nil {
|
|
|
|
return endpoint, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
if strings.Contains(err.Error(), "missing port in address") {
|
|
|
|
return net.JoinHostPort(endpoint, strconv.Itoa(defaultPort)), nil
|
2022-07-01 04:57:29 -04:00
|
|
|
}
|
2022-07-29 02:24:13 -04:00
|
|
|
|
|
|
|
return "", err
|
2022-07-01 04:57:29 -04:00
|
|
|
}
|
|
|
|
|
2022-06-28 11:03:28 -04:00
|
|
|
// verifyCompletion handles the completion of CLI arguments. It is frequently called
|
2022-03-22 11:03:15 -04:00
|
|
|
// while the user types arguments of the command to suggest completion.
|
2022-07-20 10:44:41 -04:00
|
|
|
func verifyCompletion(_ *cobra.Command, args []string, _ string) ([]string, cobra.ShellCompDirective) {
|
2022-03-22 11:03:15 -04:00
|
|
|
switch len(args) {
|
2022-04-27 05:17:41 -04:00
|
|
|
case 0:
|
|
|
|
return []string{"gcp", "azure"}, cobra.ShellCompDirectiveNoFileComp
|
2022-03-22 11:03:15 -04:00
|
|
|
default:
|
|
|
|
return []string{}, cobra.ShellCompDirectiveError
|
|
|
|
}
|
|
|
|
}
|
2022-06-28 11:03:28 -04:00
|
|
|
|
|
|
|
type constellationVerifier struct {
|
2022-06-28 12:33:27 -04:00
|
|
|
dialer grpcInsecureDialer
|
2022-06-28 11:03:28 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// Verify retrieves an attestation statement from the Constellation and verifies it using the validator.
|
|
|
|
func (v *constellationVerifier) Verify(
|
|
|
|
ctx context.Context, endpoint string, req *verifyproto.GetAttestationRequest, validator atls.Validator,
|
|
|
|
) error {
|
|
|
|
conn, err := v.dialer.DialInsecure(ctx, endpoint)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("dialing init server: %w", err)
|
|
|
|
}
|
|
|
|
defer conn.Close()
|
|
|
|
|
|
|
|
client := verifyproto.NewAPIClient(conn)
|
|
|
|
|
|
|
|
resp, err := client.GetAttestation(ctx, req)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("getting attestation: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
signedData, err := validator.Validate(resp.Attestation, req.Nonce)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("validating attestation: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if !bytes.Equal(signedData, req.UserData) {
|
|
|
|
return errors.New("signed data in attestation does not match provided user data")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
type verifyClient interface {
|
|
|
|
Verify(ctx context.Context, endpoint string, req *verifyproto.GetAttestationRequest, validator atls.Validator) error
|
|
|
|
}
|
|
|
|
|
2022-06-28 12:33:27 -04:00
|
|
|
type grpcInsecureDialer interface {
|
2022-06-28 11:03:28 -04:00
|
|
|
DialInsecure(ctx context.Context, endpoint string) (conn *grpc.ClientConn, err error)
|
|
|
|
}
|