2022-09-05 09:06:08 +02:00
|
|
|
/*
|
|
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
*/
|
|
|
|
|
2022-03-22 16:03:15 +01:00
|
|
|
package cmd
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"context"
|
2022-11-24 10:57:58 +01:00
|
|
|
"encoding/hex"
|
2022-07-01 10:57:29 +02:00
|
|
|
"encoding/json"
|
2022-07-05 14:14:11 +02:00
|
|
|
"errors"
|
2023-05-30 11:47:36 +00:00
|
|
|
"io"
|
2022-06-21 17:59:12 +02:00
|
|
|
"net"
|
2022-03-22 16:03:15 +01:00
|
|
|
"strconv"
|
|
|
|
"strings"
|
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
|
2022-09-21 13:47:57 +02:00
|
|
|
"github.com/edgelesssys/constellation/v2/bootstrapper/initproto"
|
2022-10-11 12:24:33 +02:00
|
|
|
"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
|
2023-05-03 11:11:53 +02:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/atls"
|
2022-11-15 15:40:49 +01:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
2023-06-09 15:41:02 +02:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
|
2022-09-21 13:47:57 +02:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
2022-11-09 14:43:48 +01:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared"
|
2022-09-21 13:47:57 +02:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/config"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/constants"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/file"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/grpc/atlscredentials"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/grpc/testdialer"
|
2023-03-02 15:08:31 +01:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/kms/uri"
|
2022-09-21 13:47:57 +02:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/license"
|
2023-01-04 09:46:29 +00:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/logger"
|
2023-03-02 15:08:31 +01:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/versions"
|
2022-03-22 16:03:15 +01:00
|
|
|
"github.com/spf13/afero"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/stretchr/testify/require"
|
2022-06-21 17:59:12 +02:00
|
|
|
"google.golang.org/grpc"
|
2022-03-22 16:03:15 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestInitArgumentValidation(t *testing.T) {
|
|
|
|
assert := assert.New(t)
|
|
|
|
|
2022-06-08 08:14:28 +02:00
|
|
|
cmd := NewInitCmd()
|
2022-03-22 16:03:15 +01:00
|
|
|
assert.NoError(cmd.ValidateArgs(nil))
|
|
|
|
assert.Error(cmd.ValidateArgs([]string{"something"}))
|
|
|
|
assert.Error(cmd.ValidateArgs([]string{"sth", "sth"}))
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestInitialize(t *testing.T) {
|
2022-08-23 17:49:55 +02:00
|
|
|
gcpServiceAccKey := &gcpshared.ServiceAccountKey{
|
|
|
|
Type: "service_account",
|
|
|
|
}
|
2023-05-30 11:47:36 +00:00
|
|
|
testInitResp := &initproto.InitSuccessResponse{
|
2022-06-21 17:59:12 +02:00
|
|
|
Kubeconfig: []byte("kubeconfig"),
|
|
|
|
OwnerId: []byte("ownerID"),
|
|
|
|
ClusterId: []byte("clusterID"),
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
2022-08-23 17:49:55 +02:00
|
|
|
serviceAccPath := "/test/service-account.json"
|
2022-07-05 14:14:11 +02:00
|
|
|
someErr := errors.New("failed")
|
2022-03-22 16:03:15 +01:00
|
|
|
|
|
|
|
testCases := map[string]struct {
|
2022-10-11 12:24:33 +02:00
|
|
|
provider cloudprovider.Provider
|
|
|
|
idFile *clusterid.File
|
2022-08-31 13:57:59 +02:00
|
|
|
configMutator func(*config.Config)
|
|
|
|
serviceAccKey *gcpshared.ServiceAccountKey
|
|
|
|
initServerAPI *stubInitServer
|
2022-11-25 10:02:12 +01:00
|
|
|
retriable bool
|
2022-08-31 13:57:59 +02:00
|
|
|
masterSecretShouldExist bool
|
|
|
|
wantErr bool
|
2022-03-22 16:03:15 +01:00
|
|
|
}{
|
|
|
|
"initialize some gcp instances": {
|
2022-10-11 12:24:33 +02:00
|
|
|
provider: cloudprovider.GCP,
|
|
|
|
idFile: &clusterid.File{IP: "192.0.2.1"},
|
2022-08-25 15:12:08 +02:00
|
|
|
configMutator: func(c *config.Config) { c.Provider.GCP.ServiceAccountKeyPath = serviceAccPath },
|
|
|
|
serviceAccKey: gcpServiceAccKey,
|
2023-05-30 11:47:36 +00:00
|
|
|
initServerAPI: &stubInitServer{res: &initproto.InitResponse{Kind: &initproto.InitResponse_InitSuccess{InitSuccess: testInitResp}}},
|
2022-03-22 16:03:15 +01:00
|
|
|
},
|
|
|
|
"initialize some azure instances": {
|
2022-10-11 12:24:33 +02:00
|
|
|
provider: cloudprovider.Azure,
|
|
|
|
idFile: &clusterid.File{IP: "192.0.2.1"},
|
2023-05-30 11:47:36 +00:00
|
|
|
initServerAPI: &stubInitServer{res: &initproto.InitResponse{Kind: &initproto.InitResponse_InitSuccess{InitSuccess: testInitResp}}},
|
2022-04-12 14:20:46 +02:00
|
|
|
},
|
2022-05-02 10:54:54 +02:00
|
|
|
"initialize some qemu instances": {
|
2022-10-11 12:24:33 +02:00
|
|
|
provider: cloudprovider.QEMU,
|
|
|
|
idFile: &clusterid.File{IP: "192.0.2.1"},
|
2023-05-30 11:47:36 +00:00
|
|
|
initServerAPI: &stubInitServer{res: &initproto.InitResponse{Kind: &initproto.InitResponse_InitSuccess{InitSuccess: testInitResp}}},
|
2022-06-21 17:59:12 +02:00
|
|
|
},
|
2022-11-25 10:02:12 +01:00
|
|
|
"non retriable error": {
|
|
|
|
provider: cloudprovider.QEMU,
|
|
|
|
idFile: &clusterid.File{IP: "192.0.2.1"},
|
|
|
|
initServerAPI: &stubInitServer{initErr: &nonRetriableError{someErr}},
|
|
|
|
retriable: false,
|
|
|
|
masterSecretShouldExist: true,
|
|
|
|
wantErr: true,
|
|
|
|
},
|
2022-10-11 12:24:33 +02:00
|
|
|
"empty id file": {
|
|
|
|
provider: cloudprovider.GCP,
|
|
|
|
idFile: &clusterid.File{},
|
2022-08-25 15:12:08 +02:00
|
|
|
initServerAPI: &stubInitServer{},
|
2022-11-25 10:02:12 +01:00
|
|
|
retriable: true,
|
2022-08-25 15:12:08 +02:00
|
|
|
wantErr: true,
|
2022-07-29 10:01:10 +02:00
|
|
|
},
|
2022-10-11 12:24:33 +02:00
|
|
|
"no id file": {
|
2022-11-25 10:02:12 +01:00
|
|
|
provider: cloudprovider.GCP,
|
|
|
|
retriable: true,
|
|
|
|
wantErr: true,
|
2022-07-05 14:14:11 +02:00
|
|
|
},
|
|
|
|
"init call fails": {
|
2022-10-11 12:24:33 +02:00
|
|
|
provider: cloudprovider.GCP,
|
|
|
|
idFile: &clusterid.File{IP: "192.0.2.1"},
|
2022-08-25 15:12:08 +02:00
|
|
|
initServerAPI: &stubInitServer{initErr: someErr},
|
2022-11-25 10:02:12 +01:00
|
|
|
retriable: true,
|
2022-08-25 15:12:08 +02:00
|
|
|
wantErr: true,
|
2022-07-05 14:14:11 +02:00
|
|
|
},
|
2023-02-13 11:54:38 +01:00
|
|
|
"k8s version without v works": {
|
|
|
|
provider: cloudprovider.Azure,
|
|
|
|
idFile: &clusterid.File{IP: "192.0.2.1"},
|
2023-05-30 11:47:36 +00:00
|
|
|
initServerAPI: &stubInitServer{res: &initproto.InitResponse{Kind: &initproto.InitResponse_InitSuccess{InitSuccess: testInitResp}}},
|
2023-02-13 11:54:38 +01:00
|
|
|
configMutator: func(c *config.Config) { c.KubernetesVersion = strings.TrimPrefix(string(versions.Default), "v") },
|
|
|
|
},
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
for name, tc := range testCases {
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
assert := assert.New(t)
|
|
|
|
require := require.New(t)
|
|
|
|
|
2022-08-23 17:49:55 +02:00
|
|
|
// Networking
|
2022-06-21 17:59:12 +02:00
|
|
|
netDialer := testdialer.NewBufconnDialer()
|
2023-05-03 11:11:53 +02:00
|
|
|
newDialer := func(atls.Validator) *dialer.Dialer {
|
2022-08-09 14:04:40 +02:00
|
|
|
return dialer.New(nil, nil, netDialer)
|
|
|
|
}
|
2022-06-21 17:59:12 +02:00
|
|
|
serverCreds := atlscredentials.New(nil, nil)
|
|
|
|
initServer := grpc.NewServer(grpc.Creds(serverCreds))
|
|
|
|
initproto.RegisterAPIServer(initServer, tc.initServerAPI)
|
2022-06-29 15:26:29 +02:00
|
|
|
port := strconv.Itoa(constants.BootstrapperPort)
|
2022-06-21 17:59:12 +02:00
|
|
|
listener := netDialer.GetListener(net.JoinHostPort("192.0.2.1", port))
|
|
|
|
go initServer.Serve(listener)
|
|
|
|
defer initServer.GracefulStop()
|
|
|
|
|
2022-08-23 17:49:55 +02:00
|
|
|
// Command
|
2022-06-08 08:14:28 +02:00
|
|
|
cmd := NewInitCmd()
|
2022-03-22 16:03:15 +01:00
|
|
|
var out bytes.Buffer
|
|
|
|
cmd.SetOut(&out)
|
|
|
|
var errOut bytes.Buffer
|
|
|
|
cmd.SetErr(&errOut)
|
2022-08-12 15:59:45 +02:00
|
|
|
|
2022-08-23 17:49:55 +02:00
|
|
|
// Flags
|
|
|
|
cmd.Flags().String("config", constants.ConfigFilename, "") // register persistent flag manually
|
2023-01-31 11:45:31 +01:00
|
|
|
cmd.Flags().Bool("force", true, "") // register persistent flag manually
|
2022-04-12 14:20:46 +02:00
|
|
|
|
2022-08-23 17:49:55 +02:00
|
|
|
// File system preparation
|
|
|
|
fs := afero.NewMemMapFs()
|
|
|
|
fileHandler := file.NewHandler(fs)
|
2022-10-11 12:24:33 +02:00
|
|
|
config := defaultConfigWithExpectedMeasurements(t, config.Default(), tc.provider)
|
2022-08-23 17:49:55 +02:00
|
|
|
if tc.configMutator != nil {
|
|
|
|
tc.configMutator(config)
|
|
|
|
}
|
|
|
|
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config, file.OptNone))
|
2022-08-25 15:12:08 +02:00
|
|
|
if tc.idFile != nil {
|
2022-10-11 12:24:33 +02:00
|
|
|
tc.idFile.CloudProvider = tc.provider
|
2022-08-25 15:12:08 +02:00
|
|
|
require.NoError(fileHandler.WriteJSON(constants.ClusterIDsFileName, tc.idFile, file.OptNone))
|
2022-08-23 17:49:55 +02:00
|
|
|
}
|
|
|
|
if tc.serviceAccKey != nil {
|
|
|
|
require.NoError(fileHandler.WriteJSON(serviceAccPath, tc.serviceAccKey, file.OptNone))
|
|
|
|
}
|
|
|
|
|
2022-03-22 16:03:15 +01:00
|
|
|
ctx := context.Background()
|
|
|
|
ctx, cancel := context.WithTimeout(ctx, 4*time.Second)
|
|
|
|
defer cancel()
|
2022-06-28 11:19:03 +02:00
|
|
|
cmd.SetContext(ctx)
|
2023-03-20 12:42:48 +01:00
|
|
|
i := &initCmd{log: logger.NewTest(t), spinner: &nopSpinner{}}
|
2023-06-06 10:32:22 +02:00
|
|
|
err := i.initialize(cmd, newDialer, fileHandler, &stubLicenseClient{}, stubAttestationFetcher{})
|
2022-03-22 16:03:15 +01:00
|
|
|
|
2022-04-26 16:54:05 +02:00
|
|
|
if tc.wantErr {
|
2022-03-22 16:03:15 +01:00
|
|
|
assert.Error(err)
|
2022-11-25 10:02:12 +01:00
|
|
|
if !tc.retriable {
|
|
|
|
assert.Contains(errOut.String(), "This error is not recoverable")
|
|
|
|
} else {
|
|
|
|
assert.Empty(errOut.String())
|
|
|
|
}
|
2022-08-31 13:57:59 +02:00
|
|
|
if !tc.masterSecretShouldExist {
|
|
|
|
_, err = fileHandler.Stat(constants.MasterSecretFilename)
|
|
|
|
assert.Error(err)
|
|
|
|
}
|
2022-06-21 17:59:12 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
require.NoError(err)
|
2022-07-26 10:58:39 +02:00
|
|
|
// assert.Contains(out.String(), base64.StdEncoding.EncodeToString([]byte("ownerID")))
|
2022-11-24 10:57:58 +01:00
|
|
|
assert.Contains(out.String(), hex.EncodeToString([]byte("clusterID")))
|
2023-03-02 15:08:31 +01:00
|
|
|
var secret uri.MasterSecret
|
2022-08-31 13:57:59 +02:00
|
|
|
assert.NoError(fileHandler.ReadJSON(constants.MasterSecretFilename, &secret))
|
|
|
|
assert.NotEmpty(secret.Key)
|
|
|
|
assert.NotEmpty(secret.Salt)
|
2022-03-22 16:03:15 +01:00
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-05-30 11:47:36 +00:00
|
|
|
func TestGetLogs(t *testing.T) {
|
|
|
|
someErr := errors.New("failed")
|
|
|
|
|
|
|
|
testCases := map[string]struct {
|
|
|
|
resp initproto.API_InitClient
|
|
|
|
fh file.Handler
|
|
|
|
wantedOutput []byte
|
|
|
|
wantErr bool
|
|
|
|
}{
|
|
|
|
"success": {
|
|
|
|
resp: stubInitClient{res: bytes.NewReader([]byte("asdf"))},
|
|
|
|
fh: file.NewHandler(afero.NewMemMapFs()),
|
|
|
|
wantedOutput: []byte("asdf"),
|
|
|
|
},
|
|
|
|
"receive error": {
|
|
|
|
resp: stubInitClient{err: someErr},
|
|
|
|
fh: file.NewHandler(afero.NewMemMapFs()),
|
|
|
|
wantErr: true,
|
|
|
|
},
|
|
|
|
"nil log": {
|
|
|
|
resp: stubInitClient{res: bytes.NewReader([]byte{1}), setResNil: true},
|
|
|
|
fh: file.NewHandler(afero.NewMemMapFs()),
|
|
|
|
wantErr: true,
|
|
|
|
},
|
|
|
|
"failed write": {
|
|
|
|
resp: stubInitClient{res: bytes.NewReader([]byte("asdf"))},
|
|
|
|
fh: file.NewHandler(afero.NewReadOnlyFs(afero.NewMemMapFs())),
|
|
|
|
wantErr: true,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for name, tc := range testCases {
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
assert := assert.New(t)
|
|
|
|
|
|
|
|
doer := initDoer{
|
|
|
|
fh: tc.fh,
|
|
|
|
log: logger.NewTest(t),
|
|
|
|
}
|
|
|
|
|
|
|
|
err := doer.getLogs(tc.resp)
|
|
|
|
|
|
|
|
if tc.wantErr {
|
|
|
|
assert.Error(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
text, err := tc.fh.Read(constants.ErrorLog)
|
|
|
|
|
|
|
|
if tc.wantedOutput == nil {
|
|
|
|
assert.Error(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
assert.Equal(tc.wantedOutput, text)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-03-22 16:03:15 +01:00
|
|
|
func TestWriteOutput(t *testing.T) {
|
|
|
|
assert := assert.New(t)
|
2023-02-10 14:59:44 +01:00
|
|
|
require := require.New(t)
|
2022-03-22 16:03:15 +01:00
|
|
|
|
2022-06-21 17:59:12 +02:00
|
|
|
resp := &initproto.InitResponse{
|
2023-05-30 11:47:36 +00:00
|
|
|
Kind: &initproto.InitResponse_InitSuccess{
|
|
|
|
InitSuccess: &initproto.InitSuccessResponse{
|
|
|
|
OwnerId: []byte("ownerID"),
|
|
|
|
ClusterId: []byte("clusterID"),
|
|
|
|
Kubeconfig: []byte("kubeconfig"),
|
|
|
|
},
|
|
|
|
},
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
2022-07-01 10:57:29 +02:00
|
|
|
|
2023-05-30 11:47:36 +00:00
|
|
|
ownerID := hex.EncodeToString(resp.GetInitSuccess().GetOwnerId())
|
|
|
|
clusterID := hex.EncodeToString(resp.GetInitSuccess().GetClusterId())
|
2022-07-05 14:14:11 +02:00
|
|
|
|
2022-10-11 12:24:33 +02:00
|
|
|
expectedIDFile := clusterid.File{
|
2022-07-05 14:14:11 +02:00
|
|
|
ClusterID: clusterID,
|
|
|
|
OwnerID: ownerID,
|
2022-07-29 08:24:13 +02:00
|
|
|
IP: "cluster-ip",
|
2022-10-11 12:24:33 +02:00
|
|
|
UID: "test-uid",
|
2022-07-01 10:57:29 +02:00
|
|
|
}
|
|
|
|
|
2022-03-22 16:03:15 +01:00
|
|
|
var out bytes.Buffer
|
|
|
|
testFs := afero.NewMemMapFs()
|
|
|
|
fileHandler := file.NewHandler(testFs)
|
|
|
|
|
2022-10-11 12:24:33 +02:00
|
|
|
idFile := clusterid.File{
|
|
|
|
UID: "test-uid",
|
|
|
|
IP: "cluster-ip",
|
|
|
|
}
|
2023-02-10 14:59:44 +01:00
|
|
|
i := &initCmd{
|
|
|
|
log: logger.NewTest(t),
|
|
|
|
merger: &stubMerger{},
|
|
|
|
}
|
2023-05-30 11:47:36 +00:00
|
|
|
err := i.writeOutput(idFile, resp.GetInitSuccess(), false, &out, fileHandler)
|
2023-02-10 14:59:44 +01:00
|
|
|
require.NoError(err)
|
2022-07-26 10:58:39 +02:00
|
|
|
// assert.Contains(out.String(), ownerID)
|
2022-07-05 14:14:11 +02:00
|
|
|
assert.Contains(out.String(), clusterID)
|
2022-06-21 17:59:12 +02:00
|
|
|
assert.Contains(out.String(), constants.AdminConfFilename)
|
2022-03-22 16:03:15 +01:00
|
|
|
|
|
|
|
afs := afero.Afero{Fs: testFs}
|
2022-04-06 10:36:58 +02:00
|
|
|
adminConf, err := afs.ReadFile(constants.AdminConfFilename)
|
2022-03-22 16:03:15 +01:00
|
|
|
assert.NoError(err)
|
2023-05-30 11:47:36 +00:00
|
|
|
assert.Equal(string(resp.GetInitSuccess().GetKubeconfig()), string(adminConf))
|
2022-07-01 10:57:29 +02:00
|
|
|
|
2022-07-05 13:52:36 +02:00
|
|
|
idsFile, err := afs.ReadFile(constants.ClusterIDsFileName)
|
2022-07-01 10:57:29 +02:00
|
|
|
assert.NoError(err)
|
2022-10-11 12:24:33 +02:00
|
|
|
var testIDFile clusterid.File
|
2022-07-08 10:59:59 +02:00
|
|
|
err = json.Unmarshal(idsFile, &testIDFile)
|
2022-07-01 10:57:29 +02:00
|
|
|
assert.NoError(err)
|
2022-07-08 10:59:59 +02:00
|
|
|
assert.Equal(expectedIDFile, testIDFile)
|
2023-02-10 14:59:44 +01:00
|
|
|
|
|
|
|
// test config merging
|
|
|
|
out.Reset()
|
|
|
|
require.NoError(afs.Remove(constants.AdminConfFilename))
|
2023-05-30 11:47:36 +00:00
|
|
|
err = i.writeOutput(idFile, resp.GetInitSuccess(), true, &out, fileHandler)
|
2023-02-10 14:59:44 +01:00
|
|
|
require.NoError(err)
|
|
|
|
// assert.Contains(out.String(), ownerID)
|
|
|
|
assert.Contains(out.String(), clusterID)
|
|
|
|
assert.Contains(out.String(), constants.AdminConfFilename)
|
|
|
|
assert.Contains(out.String(), "Constellation kubeconfig merged with default config")
|
|
|
|
assert.Contains(out.String(), "You can now connect to your cluster")
|
|
|
|
|
|
|
|
// test config merging with env vars set
|
|
|
|
i.merger = &stubMerger{envVar: "/some/path/to/kubeconfig"}
|
|
|
|
out.Reset()
|
|
|
|
require.NoError(afs.Remove(constants.AdminConfFilename))
|
2023-05-30 11:47:36 +00:00
|
|
|
err = i.writeOutput(idFile, resp.GetInitSuccess(), true, &out, fileHandler)
|
2023-02-10 14:59:44 +01:00
|
|
|
require.NoError(err)
|
|
|
|
// assert.Contains(out.String(), ownerID)
|
|
|
|
assert.Contains(out.String(), clusterID)
|
|
|
|
assert.Contains(out.String(), constants.AdminConfFilename)
|
|
|
|
assert.Contains(out.String(), "Constellation kubeconfig merged with default config")
|
|
|
|
assert.Contains(out.String(), "Warning: KUBECONFIG environment variable is set")
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
|
|
|
|
2022-08-31 13:57:59 +02:00
|
|
|
func TestReadOrGenerateMasterSecret(t *testing.T) {
|
2022-03-22 16:03:15 +01:00
|
|
|
testCases := map[string]struct {
|
2022-07-29 09:52:47 +02:00
|
|
|
filename string
|
|
|
|
createFileFunc func(handler file.Handler) error
|
|
|
|
fs func() afero.Fs
|
|
|
|
wantErr bool
|
2022-03-22 16:03:15 +01:00
|
|
|
}{
|
|
|
|
"file with secret exists": {
|
2022-07-29 09:52:47 +02:00
|
|
|
filename: "someSecret",
|
|
|
|
fs: afero.NewMemMapFs,
|
|
|
|
createFileFunc: func(handler file.Handler) error {
|
|
|
|
return handler.WriteJSON(
|
|
|
|
"someSecret",
|
2023-03-02 15:08:31 +01:00
|
|
|
uri.MasterSecret{Key: []byte("constellation-master-secret"), Salt: []byte("constellation-32Byte-length-salt")},
|
2022-07-29 09:52:47 +02:00
|
|
|
file.OptNone,
|
|
|
|
)
|
|
|
|
},
|
|
|
|
wantErr: false,
|
2022-03-22 16:03:15 +01:00
|
|
|
},
|
|
|
|
"no file given": {
|
2022-07-29 09:52:47 +02:00
|
|
|
filename: "",
|
|
|
|
createFileFunc: func(handler file.Handler) error { return nil },
|
|
|
|
fs: afero.NewMemMapFs,
|
|
|
|
wantErr: false,
|
2022-03-22 16:03:15 +01:00
|
|
|
},
|
|
|
|
"file does not exist": {
|
2022-07-29 09:52:47 +02:00
|
|
|
filename: "nonExistingSecret",
|
|
|
|
createFileFunc: func(handler file.Handler) error { return nil },
|
|
|
|
fs: afero.NewMemMapFs,
|
|
|
|
wantErr: true,
|
2022-03-22 16:03:15 +01:00
|
|
|
},
|
|
|
|
"file is empty": {
|
2022-07-29 09:52:47 +02:00
|
|
|
filename: "emptySecret",
|
|
|
|
createFileFunc: func(handler file.Handler) error {
|
|
|
|
return handler.Write("emptySecret", []byte{}, file.OptNone)
|
|
|
|
},
|
|
|
|
fs: afero.NewMemMapFs,
|
|
|
|
wantErr: true,
|
2022-03-22 16:03:15 +01:00
|
|
|
},
|
2022-07-29 09:52:47 +02:00
|
|
|
"salt too short": {
|
|
|
|
filename: "shortSecret",
|
|
|
|
createFileFunc: func(handler file.Handler) error {
|
|
|
|
return handler.WriteJSON(
|
|
|
|
"shortSecret",
|
2023-03-02 15:08:31 +01:00
|
|
|
uri.MasterSecret{Key: []byte("constellation-master-secret"), Salt: []byte("short")},
|
2022-07-29 09:52:47 +02:00
|
|
|
file.OptNone,
|
|
|
|
)
|
|
|
|
},
|
|
|
|
fs: afero.NewMemMapFs,
|
|
|
|
wantErr: true,
|
2022-03-22 16:03:15 +01:00
|
|
|
},
|
2022-07-29 09:52:47 +02:00
|
|
|
"key too short": {
|
|
|
|
filename: "shortSecret",
|
|
|
|
createFileFunc: func(handler file.Handler) error {
|
|
|
|
return handler.WriteJSON(
|
|
|
|
"shortSecret",
|
2023-03-02 15:08:31 +01:00
|
|
|
uri.MasterSecret{Key: []byte("short"), Salt: []byte("constellation-32Byte-length-salt")},
|
2022-07-29 09:52:47 +02:00
|
|
|
file.OptNone,
|
|
|
|
)
|
|
|
|
},
|
|
|
|
fs: afero.NewMemMapFs,
|
|
|
|
wantErr: true,
|
|
|
|
},
|
|
|
|
"invalid file content": {
|
|
|
|
filename: "unencodedSecret",
|
|
|
|
createFileFunc: func(handler file.Handler) error {
|
|
|
|
return handler.Write("unencodedSecret", []byte("invalid-constellation-master-secret"), file.OptNone)
|
|
|
|
},
|
|
|
|
fs: afero.NewMemMapFs,
|
|
|
|
wantErr: true,
|
2022-03-22 16:03:15 +01:00
|
|
|
},
|
|
|
|
"file not writeable": {
|
2022-07-29 09:52:47 +02:00
|
|
|
filename: "",
|
|
|
|
createFileFunc: func(handler file.Handler) error { return nil },
|
|
|
|
fs: func() afero.Fs { return afero.NewReadOnlyFs(afero.NewMemMapFs()) },
|
|
|
|
wantErr: true,
|
2022-03-22 16:03:15 +01:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for name, tc := range testCases {
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
assert := assert.New(t)
|
|
|
|
require := require.New(t)
|
|
|
|
|
|
|
|
fileHandler := file.NewHandler(tc.fs())
|
2022-07-29 09:52:47 +02:00
|
|
|
require.NoError(tc.createFileFunc(fileHandler))
|
2022-03-22 16:03:15 +01:00
|
|
|
|
|
|
|
var out bytes.Buffer
|
2023-01-04 09:46:29 +00:00
|
|
|
i := &initCmd{log: logger.NewTest(t)}
|
|
|
|
secret, err := i.readOrGenerateMasterSecret(&out, fileHandler, tc.filename)
|
2022-03-22 16:03:15 +01:00
|
|
|
|
2022-04-26 16:54:05 +02:00
|
|
|
if tc.wantErr {
|
2022-03-22 16:03:15 +01:00
|
|
|
assert.Error(err)
|
|
|
|
} else {
|
|
|
|
assert.NoError(err)
|
|
|
|
|
|
|
|
if tc.filename == "" {
|
2022-04-06 10:36:58 +02:00
|
|
|
require.Contains(out.String(), constants.MasterSecretFilename)
|
2022-03-22 16:03:15 +01:00
|
|
|
filename := strings.Split(out.String(), "./")
|
|
|
|
tc.filename = strings.Trim(filename[1], "\n")
|
|
|
|
}
|
|
|
|
|
2023-03-02 15:08:31 +01:00
|
|
|
var masterSecret uri.MasterSecret
|
2022-07-29 09:52:47 +02:00
|
|
|
require.NoError(fileHandler.ReadJSON(tc.filename, &masterSecret))
|
|
|
|
assert.Equal(masterSecret.Key, secret.Key)
|
|
|
|
assert.Equal(masterSecret.Salt, secret.Salt)
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-08-09 14:04:40 +02:00
|
|
|
func TestAttestation(t *testing.T) {
|
|
|
|
assert := assert.New(t)
|
|
|
|
require := require.New(t)
|
|
|
|
|
2023-05-30 11:47:36 +00:00
|
|
|
initServerAPI := &stubInitServer{res: &initproto.InitResponse{
|
|
|
|
Kind: &initproto.InitResponse_InitSuccess{
|
|
|
|
InitSuccess: &initproto.InitSuccessResponse{
|
|
|
|
Kubeconfig: []byte("kubeconfig"),
|
|
|
|
OwnerId: []byte("ownerID"),
|
|
|
|
ClusterId: []byte("clusterID"),
|
|
|
|
},
|
|
|
|
},
|
2022-08-09 14:04:40 +02:00
|
|
|
}}
|
2022-10-11 12:24:33 +02:00
|
|
|
existingIDFile := &clusterid.File{IP: "192.0.2.4", CloudProvider: cloudprovider.QEMU}
|
2022-08-09 14:04:40 +02:00
|
|
|
|
|
|
|
netDialer := testdialer.NewBufconnDialer()
|
|
|
|
|
|
|
|
issuer := &testIssuer{
|
2023-03-29 09:30:13 +02:00
|
|
|
Getter: variant.QEMUVTPM{},
|
2022-11-24 10:57:58 +01:00
|
|
|
pcrs: map[uint32][]byte{
|
|
|
|
0: bytes.Repeat([]byte{0xFF}, 32),
|
|
|
|
1: bytes.Repeat([]byte{0xFF}, 32),
|
|
|
|
2: bytes.Repeat([]byte{0xFF}, 32),
|
|
|
|
3: bytes.Repeat([]byte{0xFF}, 32),
|
2022-08-09 14:04:40 +02:00
|
|
|
},
|
|
|
|
}
|
|
|
|
serverCreds := atlscredentials.New(issuer, nil)
|
|
|
|
initServer := grpc.NewServer(grpc.Creds(serverCreds))
|
|
|
|
initproto.RegisterAPIServer(initServer, initServerAPI)
|
|
|
|
port := strconv.Itoa(constants.BootstrapperPort)
|
2022-07-29 10:01:10 +02:00
|
|
|
listener := netDialer.GetListener(net.JoinHostPort("192.0.2.4", port))
|
2022-08-09 14:04:40 +02:00
|
|
|
go initServer.Serve(listener)
|
|
|
|
defer initServer.GracefulStop()
|
|
|
|
|
|
|
|
cmd := NewInitCmd()
|
|
|
|
cmd.Flags().String("config", constants.ConfigFilename, "") // register persistent flag manually
|
2023-01-31 11:45:31 +01:00
|
|
|
cmd.Flags().Bool("force", true, "") // register persistent flag manually
|
2022-08-09 14:04:40 +02:00
|
|
|
var out bytes.Buffer
|
|
|
|
cmd.SetOut(&out)
|
|
|
|
var errOut bytes.Buffer
|
|
|
|
cmd.SetErr(&errOut)
|
|
|
|
|
|
|
|
fs := afero.NewMemMapFs()
|
|
|
|
fileHandler := file.NewHandler(fs)
|
2022-07-29 10:01:10 +02:00
|
|
|
require.NoError(fileHandler.WriteJSON(constants.ClusterIDsFileName, existingIDFile, file.OptNone))
|
2022-08-09 14:04:40 +02:00
|
|
|
|
|
|
|
cfg := config.Default()
|
2023-06-27 18:24:35 +02:00
|
|
|
cfg.Image = "v0.0.0" // is the default version of the the CLI (before build injects the real version)
|
2023-05-17 16:53:56 +02:00
|
|
|
cfg.RemoveProviderAndAttestationExcept(cloudprovider.QEMU)
|
2023-03-10 11:33:06 +01:00
|
|
|
cfg.Attestation.QEMUVTPM.Measurements[0] = measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
cfg.Attestation.QEMUVTPM.Measurements[1] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
cfg.Attestation.QEMUVTPM.Measurements[2] = measurements.WithAllBytes(0x22, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
cfg.Attestation.QEMUVTPM.Measurements[3] = measurements.WithAllBytes(0x33, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
cfg.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
cfg.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x99, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
cfg.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
2022-08-09 14:04:40 +02:00
|
|
|
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, cfg, file.OptNone))
|
|
|
|
|
2023-05-03 11:11:53 +02:00
|
|
|
newDialer := func(v atls.Validator) *dialer.Dialer {
|
|
|
|
validator := &testValidator{
|
|
|
|
Getter: variant.QEMUVTPM{},
|
|
|
|
pcrs: cfg.GetAttestationConfig().GetMeasurements(),
|
|
|
|
}
|
|
|
|
return dialer.New(nil, validator, netDialer)
|
|
|
|
}
|
|
|
|
|
2022-08-09 14:04:40 +02:00
|
|
|
ctx := context.Background()
|
|
|
|
ctx, cancel := context.WithTimeout(ctx, 4*time.Second)
|
|
|
|
defer cancel()
|
|
|
|
cmd.SetContext(ctx)
|
|
|
|
|
2023-03-20 12:42:48 +01:00
|
|
|
i := &initCmd{log: logger.NewTest(t), spinner: &nopSpinner{}}
|
2023-06-06 10:32:22 +02:00
|
|
|
err := i.initialize(cmd, newDialer, fileHandler, &stubLicenseClient{}, stubAttestationFetcher{})
|
2022-08-09 14:04:40 +02:00
|
|
|
assert.Error(err)
|
|
|
|
// make sure the error is actually a TLS handshake error
|
|
|
|
assert.Contains(err.Error(), "transport: authentication handshake failed")
|
|
|
|
}
|
|
|
|
|
|
|
|
type testValidator struct {
|
2023-03-29 09:30:13 +02:00
|
|
|
variant.Getter
|
2022-11-15 15:40:49 +01:00
|
|
|
pcrs measurements.M
|
2022-08-09 14:04:40 +02:00
|
|
|
}
|
|
|
|
|
2023-03-29 09:06:10 +02:00
|
|
|
func (v *testValidator) Validate(_ context.Context, attDoc []byte, _ []byte) ([]byte, error) {
|
2022-08-09 14:04:40 +02:00
|
|
|
var attestation struct {
|
|
|
|
UserData []byte
|
2022-11-24 10:57:58 +01:00
|
|
|
PCRs map[uint32][]byte
|
2022-08-09 14:04:40 +02:00
|
|
|
}
|
|
|
|
if err := json.Unmarshal(attDoc, &attestation); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
for k, pcr := range v.pcrs {
|
2022-11-24 10:57:58 +01:00
|
|
|
if !bytes.Equal(attestation.PCRs[k], pcr.Expected[:]) {
|
2022-08-09 14:04:40 +02:00
|
|
|
return nil, errors.New("invalid PCR value")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return attestation.UserData, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
type testIssuer struct {
|
2023-03-29 09:30:13 +02:00
|
|
|
variant.Getter
|
2022-11-24 10:57:58 +01:00
|
|
|
pcrs map[uint32][]byte
|
2022-08-09 14:04:40 +02:00
|
|
|
}
|
|
|
|
|
2023-03-29 09:06:10 +02:00
|
|
|
func (i *testIssuer) Issue(_ context.Context, userData []byte, _ []byte) ([]byte, error) {
|
2022-08-09 14:04:40 +02:00
|
|
|
return json.Marshal(
|
|
|
|
struct {
|
|
|
|
UserData []byte
|
2022-11-24 10:57:58 +01:00
|
|
|
PCRs map[uint32][]byte
|
2022-08-09 14:04:40 +02:00
|
|
|
}{
|
|
|
|
UserData: userData,
|
|
|
|
PCRs: i.pcrs,
|
|
|
|
},
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
2022-06-21 17:59:12 +02:00
|
|
|
type stubInitServer struct {
|
2023-05-30 11:47:36 +00:00
|
|
|
res *initproto.InitResponse
|
|
|
|
initErr error
|
2022-03-22 16:03:15 +01:00
|
|
|
|
2022-06-21 17:59:12 +02:00
|
|
|
initproto.UnimplementedAPIServer
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
2022-03-29 11:38:14 +02:00
|
|
|
|
2023-05-30 11:47:36 +00:00
|
|
|
func (s *stubInitServer) Init(_ *initproto.InitRequest, stream initproto.API_InitServer) error {
|
|
|
|
_ = stream.Send(s.res)
|
|
|
|
return s.initErr
|
2022-03-29 11:38:14 +02:00
|
|
|
}
|
2022-08-12 15:59:45 +02:00
|
|
|
|
2023-02-10 14:59:44 +01:00
|
|
|
type stubMerger struct {
|
|
|
|
envVar string
|
|
|
|
mergeErr error
|
|
|
|
}
|
|
|
|
|
|
|
|
func (m *stubMerger) mergeConfigs(string, file.Handler) error {
|
|
|
|
return m.mergeErr
|
|
|
|
}
|
|
|
|
|
|
|
|
func (m *stubMerger) kubeconfigEnvVar() string {
|
|
|
|
return m.envVar
|
|
|
|
}
|
|
|
|
|
2022-08-23 17:49:55 +02:00
|
|
|
func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, csp cloudprovider.Provider) *config.Config {
|
2022-08-12 15:59:45 +02:00
|
|
|
t.Helper()
|
2022-08-23 17:49:55 +02:00
|
|
|
|
2023-03-09 15:23:42 +01:00
|
|
|
conf.Image = "v" + constants.VersionInfo()
|
2023-02-10 13:27:22 +01:00
|
|
|
conf.Name = "kubernetes"
|
2022-11-22 18:47:08 +01:00
|
|
|
|
2022-08-23 17:49:55 +02:00
|
|
|
switch csp {
|
|
|
|
case cloudprovider.Azure:
|
|
|
|
conf.Provider.Azure.SubscriptionID = "01234567-0123-0123-0123-0123456789ab"
|
|
|
|
conf.Provider.Azure.TenantID = "01234567-0123-0123-0123-0123456789ab"
|
|
|
|
conf.Provider.Azure.Location = "test-location"
|
|
|
|
conf.Provider.Azure.UserAssignedIdentity = "test-identity"
|
2022-08-25 15:12:08 +02:00
|
|
|
conf.Provider.Azure.ResourceGroup = "test-resource-group"
|
2023-03-10 11:33:06 +01:00
|
|
|
conf.Attestation.AzureSEVSNP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
conf.Attestation.AzureSEVSNP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
conf.Attestation.AzureSEVSNP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
2022-08-23 17:49:55 +02:00
|
|
|
case cloudprovider.GCP:
|
|
|
|
conf.Provider.GCP.Region = "test-region"
|
|
|
|
conf.Provider.GCP.Project = "test-project"
|
|
|
|
conf.Provider.GCP.Zone = "test-zone"
|
2022-09-11 16:09:05 +02:00
|
|
|
conf.Provider.GCP.ServiceAccountKeyPath = "test-key-path"
|
2023-03-10 11:33:06 +01:00
|
|
|
conf.Attestation.GCPSEVES.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
conf.Attestation.GCPSEVES.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
conf.Attestation.GCPSEVES.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
2022-08-23 17:49:55 +02:00
|
|
|
case cloudprovider.QEMU:
|
2023-03-10 11:33:06 +01:00
|
|
|
conf.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
conf.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
conf.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
2022-08-23 17:49:55 +02:00
|
|
|
}
|
|
|
|
|
2023-05-17 16:53:56 +02:00
|
|
|
conf.RemoveProviderAndAttestationExcept(csp)
|
2022-08-23 17:49:55 +02:00
|
|
|
return conf
|
2022-08-12 15:59:45 +02:00
|
|
|
}
|
2022-08-16 16:06:38 +02:00
|
|
|
|
|
|
|
type stubLicenseClient struct{}
|
|
|
|
|
2023-03-20 11:03:36 +01:00
|
|
|
func (c *stubLicenseClient) QuotaCheck(_ context.Context, _ license.QuotaCheckRequest) (license.QuotaCheckResponse, error) {
|
2022-08-25 14:06:29 +02:00
|
|
|
return license.QuotaCheckResponse{
|
|
|
|
Quota: 25,
|
2022-08-16 16:06:38 +02:00
|
|
|
}, nil
|
|
|
|
}
|
2023-05-30 11:47:36 +00:00
|
|
|
|
|
|
|
type stubInitClient struct {
|
|
|
|
res io.Reader
|
|
|
|
err error
|
|
|
|
setResNil bool
|
|
|
|
grpc.ClientStream
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c stubInitClient) Recv() (*initproto.InitResponse, error) {
|
|
|
|
if c.err != nil {
|
|
|
|
return &initproto.InitResponse{}, c.err
|
|
|
|
}
|
|
|
|
|
|
|
|
text := make([]byte, 1024)
|
|
|
|
n, err := c.res.Read(text)
|
|
|
|
text = text[:n]
|
|
|
|
|
|
|
|
res := &initproto.InitResponse{
|
|
|
|
Kind: &initproto.InitResponse_Log{
|
|
|
|
Log: &initproto.LogResponseType{
|
|
|
|
Log: text,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
if c.setResNil {
|
|
|
|
res = &initproto.InitResponse{
|
|
|
|
Kind: &initproto.InitResponse_Log{
|
|
|
|
Log: &initproto.LogResponseType{
|
|
|
|
Log: nil,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return res, err
|
|
|
|
}
|