2022-09-05 09:06:08 +02:00
|
|
|
/*
|
|
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
*/
|
|
|
|
|
2022-08-31 20:10:49 +02:00
|
|
|
package snp
|
2022-03-22 16:03:15 +01:00
|
|
|
|
|
|
|
import (
|
2022-08-19 12:26:29 +02:00
|
|
|
"context"
|
|
|
|
"encoding/json"
|
|
|
|
"errors"
|
|
|
|
"io"
|
2023-08-18 16:16:46 +02:00
|
|
|
"os"
|
2022-03-22 16:03:15 +01:00
|
|
|
"testing"
|
|
|
|
|
2023-03-09 15:23:42 +01:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/simulator"
|
2023-03-21 12:46:49 +01:00
|
|
|
"github.com/edgelesssys/go-azguestattestation/maa"
|
2022-10-04 16:44:44 +02:00
|
|
|
tpmclient "github.com/google/go-tpm-tools/client"
|
2023-07-07 13:17:58 +02:00
|
|
|
"github.com/google/go-tpm/legacy/tpm2"
|
2022-03-22 16:03:15 +01:00
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestGetSNPAttestation(t *testing.T) {
|
|
|
|
testCases := map[string]struct {
|
2023-03-21 12:46:49 +01:00
|
|
|
maaURL string
|
|
|
|
maaToken string
|
2022-08-19 12:26:29 +02:00
|
|
|
apiError error
|
2023-03-21 12:46:49 +01:00
|
|
|
tokenErr error
|
|
|
|
paramsErr error
|
2022-08-19 12:26:29 +02:00
|
|
|
wantErr bool
|
2022-03-22 16:03:15 +01:00
|
|
|
}{
|
2023-03-21 12:46:49 +01:00
|
|
|
"success without maa": {
|
|
|
|
wantErr: false,
|
2022-08-19 12:26:29 +02:00
|
|
|
},
|
2023-03-21 12:46:49 +01:00
|
|
|
"success with maa": {
|
|
|
|
maaURL: "maaurl",
|
|
|
|
maaToken: "maatoken",
|
|
|
|
wantErr: false,
|
2022-08-19 12:26:29 +02:00
|
|
|
},
|
2023-03-21 12:46:49 +01:00
|
|
|
"api fails": {
|
2022-08-19 12:26:29 +02:00
|
|
|
apiError: errors.New(""),
|
|
|
|
wantErr: true,
|
2022-03-22 16:03:15 +01:00
|
|
|
},
|
2023-03-21 12:46:49 +01:00
|
|
|
"createToken fails": {
|
|
|
|
maaURL: "maaurl",
|
|
|
|
tokenErr: errors.New(""),
|
|
|
|
wantErr: true,
|
|
|
|
},
|
|
|
|
"newParameters fails": {
|
|
|
|
paramsErr: errors.New(""),
|
|
|
|
wantErr: true,
|
|
|
|
},
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
for name, tc := range testCases {
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
assert := assert.New(t)
|
|
|
|
require := require.New(t)
|
|
|
|
|
2022-08-19 12:26:29 +02:00
|
|
|
imdsClient := stubImdsClient{
|
2023-03-21 12:46:49 +01:00
|
|
|
maaURL: tc.maaURL,
|
|
|
|
apiError: tc.apiError,
|
|
|
|
}
|
|
|
|
|
|
|
|
params := maa.Parameters{
|
|
|
|
SNPReport: []byte("snpreport"),
|
|
|
|
RuntimeData: []byte("runtimedata"),
|
|
|
|
VcekCert: []byte("vcekcert"),
|
|
|
|
VcekChain: []byte("vcekchain"),
|
|
|
|
}
|
|
|
|
|
|
|
|
maa := &stubMaaTokenCreator{
|
|
|
|
token: tc.maaToken,
|
|
|
|
tokenErr: tc.tokenErr,
|
|
|
|
params: params,
|
|
|
|
paramsErr: tc.paramsErr,
|
2022-08-19 12:26:29 +02:00
|
|
|
}
|
2023-03-21 12:46:49 +01:00
|
|
|
|
|
|
|
issuer := Issuer{
|
|
|
|
imds: imdsClient,
|
|
|
|
maa: maa,
|
2022-08-19 12:26:29 +02:00
|
|
|
}
|
2022-08-31 20:10:49 +02:00
|
|
|
|
2023-03-21 12:46:49 +01:00
|
|
|
data := []byte("data")
|
|
|
|
|
|
|
|
attestationJSON, err := issuer.getInstanceInfo(context.Background(), nil, data)
|
2022-04-26 16:54:05 +02:00
|
|
|
if tc.wantErr {
|
2022-03-22 16:03:15 +01:00
|
|
|
assert.Error(err)
|
2022-08-19 12:26:29 +02:00
|
|
|
return
|
|
|
|
}
|
2023-03-21 12:46:49 +01:00
|
|
|
require.NoError(err)
|
|
|
|
|
|
|
|
assert.Equal(data, maa.gotParamsData)
|
|
|
|
if tc.maaURL == "" {
|
|
|
|
assert.Empty(maa.gotTokenData)
|
|
|
|
} else {
|
|
|
|
assert.Equal(data, maa.gotTokenData)
|
|
|
|
}
|
2022-08-19 12:26:29 +02:00
|
|
|
|
|
|
|
var instanceInfo azureInstanceInfo
|
2022-10-05 15:02:46 +02:00
|
|
|
err = json.Unmarshal(attestationJSON, &instanceInfo)
|
2023-03-21 12:46:49 +01:00
|
|
|
require.NoError(err)
|
2022-08-19 12:26:29 +02:00
|
|
|
|
2023-09-21 14:08:00 +02:00
|
|
|
assert.Equal(params.VcekCert, instanceInfo.VCEK)
|
2023-03-21 12:46:49 +01:00
|
|
|
assert.Equal(params.VcekChain, instanceInfo.CertChain)
|
|
|
|
assert.Equal(params.SNPReport, instanceInfo.AttestationReport)
|
|
|
|
assert.Equal(params.RuntimeData, instanceInfo.RuntimeData)
|
|
|
|
assert.Equal(tc.maaToken, instanceInfo.MAAToken)
|
2022-03-22 16:03:15 +01:00
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
2022-08-19 12:26:29 +02:00
|
|
|
|
|
|
|
// TestGetHCLAttestationKey is a basic smoke test that only checks if getAkPub can be run error free.
|
|
|
|
// Testing anything else will only verify that the simulator works as expected, since getAkPub
|
|
|
|
// only retrieves the attestation key from the TPM.
|
|
|
|
func TestGetHCLAttestationKey(t *testing.T) {
|
2023-08-18 16:16:46 +02:00
|
|
|
cgo := os.Getenv("CGO_ENABLED")
|
|
|
|
if cgo == "0" {
|
|
|
|
t.Skip("skipping test because CGO is disabled and tpm simulator requires it")
|
|
|
|
}
|
2022-10-04 16:44:44 +02:00
|
|
|
require := require.New(t)
|
2022-08-19 12:26:29 +02:00
|
|
|
assert := assert.New(t)
|
|
|
|
|
2023-03-09 15:23:42 +01:00
|
|
|
tpm, err := simulator.OpenSimulatedTPM()
|
2022-10-04 16:44:44 +02:00
|
|
|
require.NoError(err)
|
2022-08-19 12:26:29 +02:00
|
|
|
defer tpm.Close()
|
|
|
|
|
2022-10-04 16:44:44 +02:00
|
|
|
// we should receive an error if no key was saved at index `tpmAkIdx`
|
|
|
|
_, err = getAttestationKey(tpm)
|
|
|
|
assert.Error(err)
|
|
|
|
|
|
|
|
// create a key at the index
|
|
|
|
tpmAk, err := tpmclient.NewCachedKey(tpm, tpm2.HandleOwner, tpm2.Public{
|
|
|
|
Type: tpm2.AlgRSA,
|
|
|
|
NameAlg: tpm2.AlgSHA256,
|
|
|
|
Attributes: tpm2.FlagFixedTPM | tpm2.FlagFixedParent | tpm2.FlagSensitiveDataOrigin | tpm2.FlagUserWithAuth | tpm2.FlagNoDA | tpm2.FlagRestricted | tpm2.FlagSign,
|
|
|
|
RSAParameters: &tpm2.RSAParams{
|
|
|
|
Sign: &tpm2.SigScheme{
|
|
|
|
Alg: tpm2.AlgRSASSA,
|
|
|
|
Hash: tpm2.AlgSHA256,
|
|
|
|
},
|
|
|
|
KeyBits: 2048,
|
|
|
|
},
|
|
|
|
}, tpmAkIdx)
|
|
|
|
require.NoError(err)
|
|
|
|
defer tpmAk.Close()
|
|
|
|
|
|
|
|
// we should now be able to retrieve the key
|
2022-08-31 20:10:49 +02:00
|
|
|
_, err = getAttestationKey(tpm)
|
2022-08-19 12:26:29 +02:00
|
|
|
assert.NoError(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
type stubImdsClient struct {
|
2023-03-21 12:46:49 +01:00
|
|
|
maaURL string
|
|
|
|
apiError error
|
2022-08-19 12:26:29 +02:00
|
|
|
}
|
|
|
|
|
2023-03-21 12:46:49 +01:00
|
|
|
func (c stubImdsClient) getMAAURL(_ context.Context) (string, error) {
|
|
|
|
return c.maaURL, c.apiError
|
|
|
|
}
|
2022-08-19 12:26:29 +02:00
|
|
|
|
2023-03-21 12:46:49 +01:00
|
|
|
type stubMaaTokenCreator struct {
|
|
|
|
token string
|
|
|
|
tokenErr error
|
|
|
|
gotTokenData []byte
|
|
|
|
|
|
|
|
params maa.Parameters
|
|
|
|
paramsErr error
|
|
|
|
gotParamsData []byte
|
2022-08-19 12:26:29 +02:00
|
|
|
}
|
|
|
|
|
2023-03-21 12:46:49 +01:00
|
|
|
func (s *stubMaaTokenCreator) newParameters(_ context.Context, data []byte, _ io.ReadWriter) (maa.Parameters, error) {
|
|
|
|
s.gotParamsData = data
|
|
|
|
return s.params, s.paramsErr
|
2022-08-19 12:26:29 +02:00
|
|
|
}
|
|
|
|
|
2023-03-21 12:46:49 +01:00
|
|
|
func (s *stubMaaTokenCreator) createToken(_ context.Context, _ io.ReadWriter, _ string, data []byte, _ maa.Parameters) (string, error) {
|
|
|
|
s.gotTokenData = data
|
|
|
|
return s.token, s.tokenErr
|
2022-08-19 12:26:29 +02:00
|
|
|
}
|