constellation/internal/api/attestationconfigapi/cli/e2e/test.sh.in

#!/usr/bin/env bash

# Try to upload a file to S3 and then delete it using the configapi cli.
# Check the file exists after uploading it.
# Check the file does not exist after deleting it.

###### script header ######

lib=$(realpath @@BASE_LIB@@) || exit 1
stat "${lib}" >> /dev/null || exit 1

# shellcheck source=../../../../../bazel/sh/lib.bash
if ! source "${lib}"; then
  echo "Error: could not find import"
  exit 1
fi

configapi_cli=$(realpath @@CONFIGAPI_CLI@@)
stat "${configapi_cli}" >> /dev/null
configapi_cli="${configapi_cli} --testing"
###### script body ######
function variant() {
  if [[ $1 == "aws" ]]; then
    echo "aws-sev-snp"
    return 0
  elif [[ $1 == "azure" ]]; then
    echo "azure-sev-snp"
    return 0
  elif [[ $1 == "gcp" ]]; then
    echo "gcp-sev-snp"
    return 0
  else
    echo "Unknown CSP: $1"
    exit 1
  fi
}

csp=$1
readonly csp
attestationType=$(variant "$csp")

readonly region="eu-west-1"
readonly bucket="resource-api-testing"

tmpdir=$(mktemp -d)
readonly tmpdir
registerExitHandler "rm -rf $tmpdir"

# empty the bucket version state
${configapi_cli} delete recursive "$csp" --region "$region" --bucket "$bucket"

# the high version numbers ensure that it's newer than the current latest value
readonly current_report_path="$tmpdir/currentSnpReport.json"
cat << EOF > "$current_report_path"
{
  "snp_report": {
    "reported_tcb": {
      "bootloader": 1,
      "tee": 1,
      "snp": 1,
      "microcode": 1
    },
    "committed_tcb": {
      "bootloader": 1,
      "tee": 1,
      "snp": 1,
      "microcode": 1
    },
    "launch_tcb": {
      "bootloader": 1,
      "tee": 1,
      "snp": 1,
      "microcode": 1
    }
  }
}
EOF
# upload a fake latest version for the fetcher
${configapi_cli} upload "$csp" snp-report "$current_report_path" --force --upload-date "2000-01-01-01-01" --region "$region" --bucket "$bucket"

# the high version numbers ensure that it's newer than the current latest value
readonly report_path="$tmpdir/snpReport.json"
cat << EOF > "$report_path"
{
  "snp_report": {
    "reported_tcb": {
      "bootloader": 255,
      "tee": 255,
      "snp": 255,
      "microcode": 255
    },
    "committed_tcb": {
      "bootloader": 255,
      "tee": 255,
      "snp": 255,
      "microcode": 255
    },
    "launch_tcb": {
      "bootloader": 255,
      "tee": 255,
      "snp": 255,
      "microcode": 255
    }
  }
}
EOF

# has an older version
readonly older_report_path="$tmpdir/snpReportOld.json"
cat << EOF > "$older_report_path"
{
  "snp_report": {
    "reported_tcb": {
      "bootloader": 255,
      "tee": 255,
      "snp": 255,
      "microcode": 254
    },
    "committed_tcb": {
      "bootloader": 255,
      "tee": 255,
      "snp": 255,
      "microcode": 254
    },
    "launch_tcb": {
      "bootloader": 255,
      "tee": 255,
      "snp": 255,
      "microcode": 254
    }
  }
}
EOF

# report 3 versions with different dates to fill the reporter cache
readonly date_oldest="2023-02-01-03-04"
${configapi_cli} upload "$csp" snp-report "$older_report_path" --upload-date "$date_oldest" --region "$region" --bucket "$bucket" --cache-window-size 3
readonly date_older="2023-02-02-03-04"
${configapi_cli} upload "$csp" snp-report "$older_report_path" --upload-date "$date_older" --region "$region" --bucket "$bucket" --cache-window-size 3
readonly date="2023-02-03-03-04"
${configapi_cli} upload "$csp" snp-report "$report_path" --upload-date "$date" --region "$region" --bucket "$bucket" --cache-window-size 3

# expect that $date_oldest is served as latest version
basepath="constellation/v1/attestation/${attestationType}"
baseurl="https://d33dzgxuwsgbpw.cloudfront.net/${basepath}"
if ! curl -fsSL "${baseurl}"/${date_oldest}.json > version.json; then
  echo "Checking for uploaded version file ${basepath}/${date_oldest}.json: request returned ${?}"
  exit 1
fi
# check that version values are equal to expected
if ! cmp -s <(echo -n '{"bootloader":255,"tee":255,"snp":255,"microcode":254}') version.json; then
  echo "The version content:"
  cat version.json
  echo " is not equal to the expected version content:"
  echo '{"bootloader":255,"tee":255,"snp":255,"microcode":254}'
  exit 1
fi
if ! curl -fsSL "${baseurl}"/${date_oldest}.json.sig > /dev/null; then
  echo "Checking for uploaded version signature file ${basepath}/${date_oldest}.json.sig: request returned ${?}"
  exit 1
fi
# check list endpoint
if ! curl -fsSL "${baseurl}"/list > list.json; then
  echo "Checking for uploaded list file ${basepath}/list: request returned ${?}"
  exit 1
fi
# check that version values are equal to expected
if ! cmp -s <(echo -n '["2023-02-01-03-04.json","2000-01-01-01-01.json"]') list.json; then
  echo "The list content:"
  cat list.json
  echo " is not equal to the expected version content:"
  echo '["2023-02-01-03-04.json","2000-01-01-01-01.json"]'
  exit 1
fi

# check that the other versions are not uploaded
http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null "${baseurl}"/${date_older}.json)
if [[ $http_code -ne 404 ]]; then
  echo "Expected HTTP code 404 for: ${basepath}/${date_older}.json, but got ${http_code}"
  exit 1
fi
http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null "${baseurl}"/${date}.json.sig)
if [[ $http_code -ne 404 ]]; then
  echo "Expected HTTP code 404 for: ${basepath}/${date}.json, but got ${http_code}"
  exit 1
fi

${configapi_cli} delete "$csp" snp-report "$date_oldest" --region "$region" --bucket "$bucket"

# Omit -f to check for 404. We want to check that a file was deleted, therefore we expect the query to fail.
http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null "${baseurl}"/${date_oldest}.json)
if [[ $http_code -ne 404 ]]; then
  echo "Expected HTTP code 404 for: ${basepath}/${date_oldest}.json, but got ${http_code}"
  exit 1
fi
# Omit -f to check for 404. We want to check that a file was deleted, therefore we expect the query to fail.
http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null "${baseurl}"/${date_oldest}.json.sig)
if [[ $http_code -ne 404 ]]; then
  echo "Expected HTTP code 404 for: ${basepath}/${date_oldest}.json, but got ${http_code}"
  exit 1
fi
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00			`#!/usr/bin/env bash`

			`# Try to upload a file to S3 and then delete it using the configapi cli.`
			`# Check the file exists after uploading it.`
			`# Check the file does not exist after deleting it.`

			`###### script header ######`

			`lib=$(realpath @@BASE_LIB@@) \|\| exit 1`
			`stat "${lib}" >> /dev/null \|\| exit 1`

api: move hack/configapi into internal/api The tool has an e2e test and is part of our production pipeline. 2023-08-31 04:46:50 -04:00			`# shellcheck source=../../../../../bazel/sh/lib.bash`
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00			`if ! source "${lib}"; then`
			`echo "Error: could not find import"`
			`exit 1`
			`fi`

			`configapi_cli=$(realpath @@CONFIGAPI_CLI@@)`
			`stat "${configapi_cli}" >> /dev/null`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`configapi_cli="${configapi_cli} --testing"`
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00			`###### script body ######`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`function variant() {`
			`if [[ $1 == "aws" ]]; then`
			`echo "aws-sev-snp"`
			`return 0`
			`elif [[ $1 == "azure" ]]; then`
			`echo "azure-sev-snp"`
			`return 0`
Support SEV-SNP on GCP (#3011) * terraform: enable creation of SEV-SNP VMs on GCP * variant: add SEV-SNP attestation variant * config: add SEV-SNP config options for GCP * measurements: add GCP SEV-SNP measurements * gcp: separate package for SEV-ES * attestation: add GCP SEV-SNP attestation logic * gcp: factor out common logic * choose: add GCP SEV-SNP * cli: add TF variable passthrough for GCP SEV-SNP variables * cli: support GCP SEV-SNP for `constellation verify` * Adjust usage of GCP SEV-SNP throughout codebase * ci: add GCP SEV-SNP * terraform-provider: support GCP SEV-SNP * docs: add GCP SEV-SNP reference * linter fixes * gcp: only run test with TPM simulator * gcp: remove nonsense test * Update cli/internal/cmd/verify.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update docs/docs/overview/clouds.md Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> * linter fixes * terraform_provider: correctly pass down CC technology * config: mark attestationconfigapi as unimplemented * gcp: fix comments and typos * snp: use nonce and PK hash in SNP report * snp: ensure we never use ARK supplied by Issuer (#3025) * Make sure SNP ARK is always loaded from config, or fetched from AMD KDS * GCP: Set validator `reportData` correctly --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * attestationconfigapi: add GCP to uploading * snp: use correct cert Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * terraform-provider: enable fetching of attestation config values for GCP SEV-SNP * linter fixes --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> 2024-04-16 12:13:47 -04:00			`elif [[ $1 == "gcp" ]]; then`
			`echo "gcp-sev-snp"`
			`return 0`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`else`
			`echo "Unknown CSP: $1"`
			`exit 1`
			`fi`
			`}`

			`csp=$1`
			`readonly csp`
			`attestationType=$(variant "$csp")`
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00
			`readonly region="eu-west-1"`
			`readonly bucket="resource-api-testing"`

			`tmpdir=$(mktemp -d)`
			`readonly tmpdir`
			`registerExitHandler "rm -rf $tmpdir"`

cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`# empty the bucket version state`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`${configapi_cli} delete recursive "$csp" --region "$region" --bucket "$bucket"`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00
			`# the high version numbers ensure that it's newer than the current latest value`
api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 11:36:50 -04:00			`readonly current_report_path="$tmpdir/currentSnpReport.json"`
			`cat << EOF > "$current_report_path"`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`{`
api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 11:36:50 -04:00			`"snp_report": {`
			`"reported_tcb": {`
			`"bootloader": 1,`
			`"tee": 1,`
			`"snp": 1,`
			`"microcode": 1`
			`},`
			`"committed_tcb": {`
			`"bootloader": 1,`
			`"tee": 1,`
			`"snp": 1,`
			`"microcode": 1`
			`},`
			`"launch_tcb": {`
			`"bootloader": 1,`
			`"tee": 1,`
			`"snp": 1,`
			`"microcode": 1`
			`}`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`}`
			`}`
			`EOF`
			`# upload a fake latest version for the fetcher`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`${configapi_cli} upload "$csp" snp-report "$current_report_path" --force --upload-date "2000-01-01-01-01" --region "$region" --bucket "$bucket"`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00
			`# the high version numbers ensure that it's newer than the current latest value`
api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 11:36:50 -04:00			`readonly report_path="$tmpdir/snpReport.json"`
			`cat << EOF > "$report_path"`
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00			`{`
api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 11:36:50 -04:00			`"snp_report": {`
			`"reported_tcb": {`
			`"bootloader": 255,`
			`"tee": 255,`
			`"snp": 255,`
			`"microcode": 255`
			`},`
			`"committed_tcb": {`
			`"bootloader": 255,`
			`"tee": 255,`
			`"snp": 255,`
			`"microcode": 255`
			`},`
			`"launch_tcb": {`
			`"bootloader": 255,`
			`"tee": 255,`
			`"snp": 255,`
			`"microcode": 255`
			`}`
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00			`}`
			`}`
			`EOF`

cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`# has an older version`
api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 11:36:50 -04:00			`readonly older_report_path="$tmpdir/snpReportOld.json"`
			`cat << EOF > "$older_report_path"`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`{`
api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 11:36:50 -04:00			`"snp_report": {`
			`"reported_tcb": {`
			`"bootloader": 255,`
			`"tee": 255,`
			`"snp": 255,`
			`"microcode": 254`
			`},`
			`"committed_tcb": {`
			`"bootloader": 255,`
			`"tee": 255,`
			`"snp": 255,`
			`"microcode": 254`
			`},`
			`"launch_tcb": {`
			`"bootloader": 255,`
			`"tee": 255,`
			`"snp": 255,`
			`"microcode": 254`
			`}`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`}`
			`}`
			`EOF`

			`# report 3 versions with different dates to fill the reporter cache`
			`readonly date_oldest="2023-02-01-03-04"`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`${configapi_cli} upload "$csp" snp-report "$older_report_path" --upload-date "$date_oldest" --region "$region" --bucket "$bucket" --cache-window-size 3`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`readonly date_older="2023-02-02-03-04"`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`${configapi_cli} upload "$csp" snp-report "$older_report_path" --upload-date "$date_older" --region "$region" --bucket "$bucket" --cache-window-size 3`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`readonly date="2023-02-03-03-04"`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`${configapi_cli} upload "$csp" snp-report "$report_path" --upload-date "$date" --region "$region" --bucket "$bucket" --cache-window-size 3`
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`# expect that $date_oldest is served as latest version`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`basepath="constellation/v1/attestation/${attestationType}"`
			`baseurl="https://d33dzgxuwsgbpw.cloudfront.net/${basepath}"`
			`if ! curl -fsSL "${baseurl}"/${date_oldest}.json > version.json; then`
			`echo "Checking for uploaded version file ${basepath}/${date_oldest}.json: request returned ${?}"`
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00			`exit 1`
			`fi`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`# check that version values are equal to expected`
			`if ! cmp -s <(echo -n '{"bootloader":255,"tee":255,"snp":255,"microcode":254}') version.json; then`
			`echo "The version content:"`
			`cat version.json`
			`echo " is not equal to the expected version content:"`
			`echo '{"bootloader":255,"tee":255,"snp":255,"microcode":254}'`
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00			`exit 1`
			`fi`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`if ! curl -fsSL "${baseurl}"/${date_oldest}.json.sig > /dev/null; then`
			`echo "Checking for uploaded version signature file ${basepath}/${date_oldest}.json.sig: request returned ${?}"`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`exit 1`
			`fi`
			`# check list endpoint`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`if ! curl -fsSL "${baseurl}"/list > list.json; then`
			`echo "Checking for uploaded list file ${basepath}/list: request returned ${?}"`
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00			`exit 1`
			`fi`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`# check that version values are equal to expected`
			`if ! cmp -s <(echo -n '["2023-02-01-03-04.json","2000-01-01-01-01.json"]') list.json; then`
			`echo "The list content:"`
			`cat list.json`
			`echo " is not equal to the expected version content:"`
			`echo '["2023-02-01-03-04.json","2000-01-01-01-01.json"]'`
			`exit 1`
			`fi`
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`# check that the other versions are not uploaded`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null "${baseurl}"/${date_older}.json)`
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00			`if [[ $http_code -ne 404 ]]; then`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`echo "Expected HTTP code 404 for: ${basepath}/${date_older}.json, but got ${http_code}"`
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00			`exit 1`
			`fi`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null "${baseurl}"/${date}.json.sig)`
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00			`if [[ $http_code -ne 404 ]]; then`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`echo "Expected HTTP code 404 for: ${basepath}/${date}.json, but got ${http_code}"`
Configapi: pipeline to run e2e test for CLI Co-authored-by: Paul Meyer <pm@edgeless.systems> 2023-08-23 10:39:49 -04:00			`exit 1`
			`fi`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`${configapi_cli} delete "$csp" snp-report "$date_oldest" --region "$region" --bucket "$bucket"`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00
			`# Omit -f to check for 404. We want to check that a file was deleted, therefore we expect the query to fail.`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null "${baseurl}"/${date_oldest}.json)`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`if [[ $http_code -ne 404 ]]; then`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`echo "Expected HTTP code 404 for: ${basepath}/${date_oldest}.json, but got ${http_code}"`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`exit 1`
			`fi`
			`# Omit -f to check for 404. We want to check that a file was deleted, therefore we expect the query to fail.`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null "${baseurl}"/${date_oldest}.json.sig)`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`if [[ $http_code -ne 404 ]]; then`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`echo "Expected HTTP code 404 for: ${basepath}/${date_oldest}.json, but got ${http_code}"`
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 05:53:02 -04:00			`exit 1`
			`fi`