constellation/internal/attestation/measurements/measurement-generator/generate.go

/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

package main

import (
	"bytes"
	"context"
	"encoding/base64"
	"fmt"
	"go/ast"
	"go/parser"
	"go/printer"
	"go/token"
	"log"
	"net/http"
	"net/url"
	"os"
	"path"
	"sort"
	"strings"

	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
	"github.com/edgelesssys/constellation/v2/internal/config"
	"github.com/edgelesssys/constellation/v2/internal/constants"
	"github.com/edgelesssys/constellation/v2/internal/sigstore"
	"github.com/edgelesssys/constellation/v2/internal/versionsapi"
	"golang.org/x/tools/go/ast/astutil"
)

// this tool is used to generate hardcoded measurements for the enterprise build.
// Measurements are embedded in the constellation cli.

func main() {
	defaultConf := config.Default()
	log.Printf("Generating measurements for %s\n", defaultConf.Image)

	const filePath = "./measurements_enterprise.go"

	ctx := context.Background()
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filePath, nil, parser.ParseComments)
	if err != nil {
		log.Fatal(err)
	}
	rekor, err := sigstore.NewRekor()
	if err != nil {
		log.Fatal(err)
	}

	var returnStmtCtr int

	newFile := astutil.Apply(file, func(cursor *astutil.Cursor) bool {
		n := cursor.Node()

		// find all switch cases for the CSPs of the form:
		// switch provider {
		// case cloudprovider.XYZ:
		// 	return M{...}

		if clause, ok := n.(*ast.CaseClause); ok && len(clause.List) > 0 && len(clause.Body) > 0 {
			sel, ok := clause.List[0].(*ast.SelectorExpr)
			if !ok {
				return true
			}
			returnStmt, ok := clause.Body[0].(*ast.ReturnStmt)
			if !ok || len(returnStmt.Results) == 0 {
				return true
			}

			provider := cloudprovider.FromString(sel.Sel.Name)
			if provider == cloudprovider.Unknown {
				log.Fatalf("unknown provider %s", sel.Sel.Name)
			}
			log.Println("Found", provider)
			returnStmtCtr++
			// retrieve and validate measurements for the given CSP and image
			measuremnts := mustGetMeasurements(ctx, rekor, []byte(constants.CosignPublicKey), http.DefaultClient, provider, defaultConf.Image)
			// replace the return statement with a composite literal containing the validated measurements
			returnStmt.Results[0] = measurementsCompositeLiteral(measuremnts)
		}
		return true
	}, nil,
	)

	if returnStmtCtr == 0 {
		log.Fatal("no measurements updated")
	}

	var buf bytes.Buffer
	printConfig := printer.Config{Mode: printer.UseSpaces | printer.TabIndent, Tabwidth: 8}

	if err = printConfig.Fprint(&buf, fset, newFile); err != nil {
		log.Fatalf("error formatting file %s: %s", filePath, err)
	}
	if err := os.WriteFile(filePath, buf.Bytes(), 0o644); err != nil {
		log.Fatalf("error writing file %s: %s", filePath, err)
	}
	log.Println("Successfully generated hashes.")
}

// mustGetMeasurements fetches the measurements for the given image and CSP and verifies them.
func mustGetMeasurements(ctx context.Context, verifier rekorVerifier, cosignPublicKey []byte, client *http.Client, provider cloudprovider.Provider, image string) measurements.M {
	measurementsURL, err := measurementURL(provider, image, "measurements.json")
	if err != nil {
		panic(err)
	}
	signatureURL, err := measurementURL(provider, image, "measurements.json.sig")
	if err != nil {
		panic(err)
	}

	log.Println("Fetching measurements from", measurementsURL, "and signature from", signatureURL)
	var fetchedMeasurements measurements.M
	hash, err := fetchedMeasurements.FetchAndVerify(
		ctx, client,
		measurementsURL,
		signatureURL,
		cosignPublicKey,
		measurements.WithMetadata{
			CSP:   provider,
			Image: image,
		},
	)
	if err != nil {
		panic(err)
	}
	if err := verifyWithRekor(ctx, verifier, hash); err != nil {
		panic(err)
	}
	return fetchedMeasurements
}

// measurementURL returns the URL for the measurements file for the given image and CSP.
func measurementURL(provider cloudprovider.Provider, image, file string) (*url.URL, error) {
	version, err := versionsapi.NewVersionFromShortPath(image, versionsapi.VersionKindImage)
	if err != nil {
		return nil, fmt.Errorf("parsing image name: %w", err)
	}

	return url.Parse(
		version.ArtifactsURL() + path.Join("/image", "csp", strings.ToLower(provider.String()), file),
	)
}

// verifyWithRekor verifies that the given hash is present in rekor and is valid.
func verifyWithRekor(ctx context.Context, verifier rekorVerifier, hash string) error {
	uuids, err := verifier.SearchByHash(ctx, hash)
	if err != nil {
		return fmt.Errorf("searching Rekor for hash: %w", err)
	}

	if len(uuids) == 0 {
		return fmt.Errorf("no matching entries in Rekor")
	}

	// We expect the first entry in Rekor to be our original entry.
	// SHA256 should ensure there is no entry with the same hash.
	// Any subsequent hashes are treated as potential attacks and are ignored.
	// Attacks on Rekor will be monitored from other backend services.
	artifactUUID := uuids[0]

	return verifier.VerifyEntry(
		ctx, artifactUUID,
		base64.StdEncoding.EncodeToString([]byte(constants.CosignPublicKey)),
	)
}

// byteArrayCompositeLit returns a *ast.CompositeLit representing a byte array literal.
// The returned literal is of the form:
// []byte{ 0x01, 0x02, 0x03, ... }.
func byteArrayCompositeLit(hex []byte) *ast.CompositeLit {
	var elts []ast.Expr
	// create list of byte literals
	for _, b := range hex {
		elts = append(elts, &ast.BasicLit{
			Kind:  token.INT,
			Value: fmt.Sprintf("0x%02x", b),
		})
	}
	// create the composite literal
	// containing the byte literals as part of an []byte slice
	return &ast.CompositeLit{
		Type: &ast.ArrayType{
			Elt: ast.NewIdent("byte"),
		},
		Elts: elts,
	}
}

// measurementsEntryKeyValueExpr returns a *ast.KeyValueExpr representing a measurements.Measurement entry.
// The returned expression is of the form:
//
//	0: {
//		  Expected: []byte{ 0x01, 0x02, 0x03, ... },
//		  WarnOnly: false,
//	},
func measurementsEntryKeyValueExpr(pcr uint32, measuremnt measurements.Measurement) *ast.KeyValueExpr {
	key := fmt.Sprintf("%d", pcr)

	var validationOptString string
	if measuremnt.ValidationOpt {
		validationOptString = "WarnOnly"
	} else {
		validationOptString = "Enforce"
	}

	return &ast.KeyValueExpr{
		Key: &ast.BasicLit{
			Kind:  token.INT,
			Value: key,
		},
		Value: &ast.CompositeLit{
			Elts: []ast.Expr{
				&ast.KeyValueExpr{
					Key:   &ast.Ident{Name: "Expected"},
					Value: byteArrayCompositeLit(measuremnt.Expected),
				},
				&ast.KeyValueExpr{
					Key:   &ast.Ident{Name: "ValidationOpt"},
					Value: &ast.Ident{Name: validationOptString},
				},
			},
		},
	}
}

// measurementsCompositeLiteral returns a *ast.CompositeLit representing a measurements.M literal.
// The returned literal is of the form:
//
//	M{
//		0: {
//			Expected: []byte{ 0x01, 0x02, 0x03, ... },
//			WarnOnly: false,
//		},
//		1: {
//			Expected: []byte{ 0x01, 0x02, 0x03, ... },
//			WarnOnly: false,
//		},
//		...
//	}
func measurementsCompositeLiteral(measurements measurements.M) *ast.CompositeLit {
	var elts []ast.Expr
	pcrs := make([]uint32, 0, len(measurements))
	for pcr := range measurements {
		pcrs = append(pcrs, pcr)
	}
	sort.Slice(pcrs, func(i, j int) bool { return pcrs[i] < pcrs[j] })
	for _, pcr := range pcrs {
		kvExpr := measurementsEntryKeyValueExpr(pcr, measurements[pcr])
		elts = append(elts, kvExpr)
	}
	return &ast.CompositeLit{
		Type: &ast.Ident{
			Name: "M",
		},
		Elts: elts,
	}
}

type rekorVerifier interface {
	SearchByHash(context.Context, string) ([]string, error)
	VerifyEntry(context.Context, string, string) error
}
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`
bazel: improve script template resilience Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-03-29 08:13:26 -04:00
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

			`package main`

			`import (`
			`"bytes"`
			`"context"`
			`"encoding/base64"`
			`"fmt"`
			`"go/ast"`
			`"go/parser"`
			`"go/printer"`
			`"go/token"`
			`"log"`
			`"net/http"`
			`"net/url"`
			`"os"`
			`"path"`
			`"sort"`
			`"strings"`

			`"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"`
			`"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"`
			`"github.com/edgelesssys/constellation/v2/internal/config"`
			`"github.com/edgelesssys/constellation/v2/internal/constants"`
			`"github.com/edgelesssys/constellation/v2/internal/sigstore"`
			`"github.com/edgelesssys/constellation/v2/internal/versionsapi"`
			`"golang.org/x/tools/go/ast/astutil"`
			`)`

			`// this tool is used to generate hardcoded measurements for the enterprise build.`
			`// Measurements are embedded in the constellation cli.`

			`func main() {`
			`defaultConf := config.Default()`
			`log.Printf("Generating measurements for %s\n", defaultConf.Image)`

			`const filePath = "./measurements_enterprise.go"`

			`ctx := context.Background()`
			`fset := token.NewFileSet()`
			`file, err := parser.ParseFile(fset, filePath, nil, parser.ParseComments)`
			`if err != nil {`
			`log.Fatal(err)`
			`}`
			`rekor, err := sigstore.NewRekor()`
			`if err != nil {`
			`log.Fatal(err)`
			`}`

			`var returnStmtCtr int`

			`newFile := astutil.Apply(file, func(cursor *astutil.Cursor) bool {`
			`n := cursor.Node()`

			`// find all switch cases for the CSPs of the form:`
			`// switch provider {`
			`// case cloudprovider.XYZ:`
			`// return M{...}`

			`if clause, ok := n.(*ast.CaseClause); ok && len(clause.List) > 0 && len(clause.Body) > 0 {`
			`sel, ok := clause.List[0].(*ast.SelectorExpr)`
			`if !ok {`
			`return true`
			`}`
			`returnStmt, ok := clause.Body[0].(*ast.ReturnStmt)`
			`if !ok \|\| len(returnStmt.Results) == 0 {`
			`return true`
			`}`

			`provider := cloudprovider.FromString(sel.Sel.Name)`
			`if provider == cloudprovider.Unknown {`
			`log.Fatalf("unknown provider %s", sel.Sel.Name)`
			`}`
			`log.Println("Found", provider)`
			`returnStmtCtr++`
			`// retrieve and validate measurements for the given CSP and image`
			`measuremnts := mustGetMeasurements(ctx, rekor, []byte(constants.CosignPublicKey), http.DefaultClient, provider, defaultConf.Image)`
			`// replace the return statement with a composite literal containing the validated measurements`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`returnStmt.Results[0] = measurementsCompositeLiteral(measuremnts)`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`}`
			`return true`
			`}, nil,`
			`)`

			`if returnStmtCtr == 0 {`
			`log.Fatal("no measurements updated")`
			`}`

			`var buf bytes.Buffer`
			`printConfig := printer.Config{Mode: printer.UseSpaces \| printer.TabIndent, Tabwidth: 8}`

			`if err = printConfig.Fprint(&buf, fset, newFile); err != nil {`
			`log.Fatalf("error formatting file %s: %s", filePath, err)`
			`}`
			`if err := os.WriteFile(filePath, buf.Bytes(), 0o644); err != nil {`
			`log.Fatalf("error writing file %s: %s", filePath, err)`
			`}`
			`log.Println("Successfully generated hashes.")`
			`}`

			`// mustGetMeasurements fetches the measurements for the given image and CSP and verifies them.`
			`func mustGetMeasurements(ctx context.Context, verifier rekorVerifier, cosignPublicKey []byte, client *http.Client, provider cloudprovider.Provider, image string) measurements.M {`
			`measurementsURL, err := measurementURL(provider, image, "measurements.json")`
			`if err != nil {`
			`panic(err)`
			`}`
			`signatureURL, err := measurementURL(provider, image, "measurements.json.sig")`
			`if err != nil {`
			`panic(err)`
			`}`

			`log.Println("Fetching measurements from", measurementsURL, "and signature from", signatureURL)`
			`var fetchedMeasurements measurements.M`
			`hash, err := fetchedMeasurements.FetchAndVerify(`
			`ctx, client,`
			`measurementsURL,`
			`signatureURL,`
			`cosignPublicKey,`
			`measurements.WithMetadata{`
			`CSP: provider,`
			`Image: image,`
			`},`
			`)`
			`if err != nil {`
			`panic(err)`
			`}`
			`if err := verifyWithRekor(ctx, verifier, hash); err != nil {`
			`panic(err)`
			`}`
			`return fetchedMeasurements`
			`}`

			`// measurementURL returns the URL for the measurements file for the given image and CSP.`
			`func measurementURL(provider cloudprovider.Provider, image, file string) (*url.URL, error) {`
			`version, err := versionsapi.NewVersionFromShortPath(image, versionsapi.VersionKindImage)`
			`if err != nil {`
			`return nil, fmt.Errorf("parsing image name: %w", err)`
			`}`

			`return url.Parse(`
ci: add e2e-upgrade test The test is implemented as a go test. It can be executed as a bazel target. The general workflow is to setup a cluster, point the test to the workspace in which to find the kubeconfig and the constellation config and specify a target image, k8s and service version. The test will succeed if it detects all target versions in the cluster within the configured timeout. The CI automates the above steps. A separate workflow is introduced as there are multiple input fields to the test. Adding all of these to the manual e2e test seemed confusing. Co-authored-by: Fabian Kammel <fk@edgeless.systems> 2023-02-03 05:05:42 -05:00			`version.ArtifactsURL() + path.Join("/image", "csp", strings.ToLower(provider.String()), file),`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`)`
			`}`

			`// verifyWithRekor verifies that the given hash is present in rekor and is valid.`
			`func verifyWithRekor(ctx context.Context, verifier rekorVerifier, hash string) error {`
			`uuids, err := verifier.SearchByHash(ctx, hash)`
			`if err != nil {`
			`return fmt.Errorf("searching Rekor for hash: %w", err)`
			`}`

			`if len(uuids) == 0 {`
			`return fmt.Errorf("no matching entries in Rekor")`
			`}`

			`// We expect the first entry in Rekor to be our original entry.`
			`// SHA256 should ensure there is no entry with the same hash.`
			`// Any subsequent hashes are treated as potential attacks and are ignored.`
			`// Attacks on Rekor will be monitored from other backend services.`
			`artifactUUID := uuids[0]`

			`return verifier.VerifyEntry(`
			`ctx, artifactUUID,`
			`base64.StdEncoding.EncodeToString([]byte(constants.CosignPublicKey)),`
			`)`
			`}`

			`// byteArrayCompositeLit returns a *ast.CompositeLit representing a byte array literal.`
			`// The returned literal is of the form:`
attestation: tdx issuer/validator (#1265) * Add TDX validator * Add TDX issuer --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-08 08:13:57 -05:00			`// []byte{ 0x01, 0x02, 0x03, ... }.`
			`func byteArrayCompositeLit(hex []byte) *ast.CompositeLit {`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`var elts []ast.Expr`
			`// create list of byte literals`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`for _, b := range hex {`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`elts = append(elts, &ast.BasicLit{`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`Kind: token.INT,`
			`Value: fmt.Sprintf("0x%02x", b),`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`})`
			`}`
			`// create the composite literal`
attestation: tdx issuer/validator (#1265) * Add TDX validator * Add TDX issuer --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-08 08:13:57 -05:00			`// containing the byte literals as part of an []byte slice`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`return &ast.CompositeLit{`
			`Type: &ast.ArrayType{`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`Elt: ast.NewIdent("byte"),`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`},`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`Elts: elts,`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`}`
			`}`

			`// measurementsEntryKeyValueExpr returns a *ast.KeyValueExpr representing a measurements.Measurement entry.`
			`// The returned expression is of the form:`
			`//`
			`// 0: {`
attestation: tdx issuer/validator (#1265) * Add TDX validator * Add TDX issuer --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-08 08:13:57 -05:00			`// Expected: []byte{ 0x01, 0x02, 0x03, ... },`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`// WarnOnly: false,`
			`// },`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`func measurementsEntryKeyValueExpr(pcr uint32, measuremnt measurements.Measurement) *ast.KeyValueExpr {`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`key := fmt.Sprintf("%d", pcr)`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00
			`var validationOptString string`
measurements: refactor validation option (#1462) Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-03-22 06:47:39 -04:00			`if measuremnt.ValidationOpt {`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`validationOptString = "WarnOnly"`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`} else {`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`validationOptString = "Enforce"`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`}`

			`return &ast.KeyValueExpr{`
			`Key: &ast.BasicLit{`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`Kind: token.INT,`
			`Value: key,`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`},`
			`Value: &ast.CompositeLit{`
			`Elts: []ast.Expr{`
			`&ast.KeyValueExpr{`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`Key: &ast.Ident{Name: "Expected"},`
			`Value: byteArrayCompositeLit(measuremnt.Expected),`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`},`
			`&ast.KeyValueExpr{`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`Key: &ast.Ident{Name: "ValidationOpt"},`
			`Value: &ast.Ident{Name: validationOptString},`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`},`
			`},`
			`},`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`}`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`}`

			`// measurementsCompositeLiteral returns a *ast.CompositeLit representing a measurements.M literal.`
			`// The returned literal is of the form:`
			`//`
			`// M{`
			`// 0: {`
attestation: tdx issuer/validator (#1265) * Add TDX validator * Add TDX issuer --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-08 08:13:57 -05:00			`// Expected: []byte{ 0x01, 0x02, 0x03, ... },`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`// WarnOnly: false,`
			`// },`
			`// 1: {`
attestation: tdx issuer/validator (#1265) * Add TDX validator * Add TDX issuer --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-08 08:13:57 -05:00			`// Expected: []byte{ 0x01, 0x02, 0x03, ... },`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`// WarnOnly: false,`
			`// },`
			`// ...`
			`// }`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`func measurementsCompositeLiteral(measurements measurements.M) *ast.CompositeLit {`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`var elts []ast.Expr`
			`pcrs := make([]uint32, 0, len(measurements))`
			`for pcr := range measurements {`
			`pcrs = append(pcrs, pcr)`
			`}`
			`sort.Slice(pcrs, func(i, j int) bool { return pcrs[i] < pcrs[j] })`
			`for _, pcr := range pcrs {`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`kvExpr := measurementsEntryKeyValueExpr(pcr, measurements[pcr])`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`elts = append(elts, kvExpr)`
			`}`
			`return &ast.CompositeLit{`
			`Type: &ast.Ident{`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`Name: "M",`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`},`
fix measurement generator (#1510) 2023-03-23 12:44:30 -04:00			`Elts: elts,`
attestation: codegen for hardcoded measurements in go 2023-01-05 03:49:44 -05:00			`}`
			`}`

			`type rekorVerifier interface {`
			`SearchByHash(context.Context, string) ([]string, error)`
			`VerifyEntry(context.Context, string, string) error`
			`}`