package gcp
import (
"context"
"crypto/rsa"
"encoding/json"
"errors"
"testing"
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
"github.com/google/go-tpm-tools/proto/attest"
"github.com/googleapis/gax-go/v2"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/api/option"
computepb "google.golang.org/genproto/googleapis/cloud/compute/v1"
"google.golang.org/protobuf/proto"
)
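// TestGceNonHostInfoEvent checks how gceNonHostInfoEvent judges the TPM event
// log carried in an attestation document. Only a log containing the
// "GCE NonHostInfo" event with the byte after the event name's NUL terminator
// set to 0x01 is accepted; a nil Attestation, a log without the event, a log
// with that byte cleared, and a log cut off before that byte must all be
// rejected.
func TestGceNonHostInfoEvent(t *testing.T) {
	// The accepted and rejected "GCE NonHostInfo" fixtures differ only in the
	// byte that follows the event name's NUL terminator (0x01 vs 0x00).
	const (
		cvmEventLog    = "\x00\x00\x00GCE NonHostInfo\x00\x01\x00\x00"
		nonCVMEventLog = "\x00\x00\x00GCE NonHostInfo\x00\x00\x00\x00"
		// Same event name, but the log ends right after the NUL terminator, so
		// the byte that distinguishes the two fixtures above is absent. Such a
		// log gives no evidence of a CVM and must be rejected; it also surfaces
		// an unchecked index past the event name, should the parser have one.
		truncatedEventLog = "\x00\x00\x00GCE NonHostInfo\x00"
	)

	// withEventLog wraps an event log in an attestation document.
	withEventLog := func(log string) vtpm.AttestationDocument {
		return vtpm.AttestationDocument{
			Attestation: &attest.Attestation{EventLog: []byte(log)},
		}
	}

	testCases := map[string]struct {
		attDoc  vtpm.AttestationDocument
		wantErr bool
	}{
		"is cvm": {
			attDoc: withEventLog(cvmEventLog),
		},
		"attestation is nil": {
			attDoc:  vtpm.AttestationDocument{Attestation: nil},
			wantErr: true,
		},
		"missing GCE Non-Host info event": {
			attDoc:  withEventLog("No GCE Event"),
			wantErr: true,
		},
		"not a cvm": {
			attDoc:  withEventLog(nonCVMEventLog),
			wantErr: true,
		},
		"event log truncated after event name": {
			attDoc:  withEventLog(truncatedEventLog),
			wantErr: true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)

			err := gceNonHostInfoEvent(tc.attDoc)
			if tc.wantErr {
				assert.Error(err)
				return
			}
			assert.NoError(err)
		})
	}
}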
// TestTrustedKeyFromGCEAPI drives the key-retrieval closure returned by
// trustedKeyFromGCEAPI against a fake compute client. The happy path must
// produce an *rsa.PublicKey; undecodable instance info, a failing client
// constructor, a failing GetShieldedInstanceIdentity call, an identity
// without a signing key, and an EK public key that is not valid PEM must all
// be reported as errors.
func TestTrustedKeyFromGCEAPI(t *testing.T) {
	testPubK := `-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu+OepfHCTiTi27nkTGke
dn+AIkiM1AIWWDwqfqG85aNulcj60mGQGXIYV8LoEVkyKOhYBIUmJUaVczB4ltqq
ZhR7l46RQw2vnv+XiUmfK555d4ZDInyjTusO69hE6tkuYKdXLlG1HzcrhJ254LE2
wXtE1Yf9DygOsWet+S32gmpfH2whUY1mRTdwW4zoY4c3qtmmWImhVVNr6qR8Z95X
Y49EteCoNIomQNEZH7EnMlBsh34L7doOsckh1aTvQcrJorQSrBkWKbdV6kvuBKZp
fLK0DZiOh9BwZCZANtOqgH3V+AuNk338iON8eKCFRjoiQ40YGM6xKH3E6PHVnuKt
uIO0MPvE0qdV8Lvs+nCCrvwP5sJKZuciM40ioEO1pV1y3491xIxYhx3OfN4gg2h8
cgdKob/R8qwxqTrfceO36FBFb1vXCUApsm5oy6WxmUtIUgoYhK+6JYpVWDyOJYwP
iMJhdJA65n2ZliN8NxEhsaFoMgw76BOiD0wkt/CKPmNbOm5MGS3/fiZCt6A6u3cn
Ubhn4tvjy/q5XzVqZtBeoseW2TyyrsAN53LBkSqag5tG/264CQDigQ6Y/OADOE2x
n08MyrFHIL/wFMscOvJo7c2Eo4EW1yXkEkAy5tF5PZgnfRObakj4gdqPeq18FNzc
Y+t5OxL3kL15VzY1Ob0d5cMCAwEAAQ==
-----END PUBLIC KEY-----`

	// identityWithKey builds the fake API response whose signing-key entry
	// carries pem as the EK public key.
	identityWithKey := func(pem string) *computepb.ShieldedInstanceIdentity {
		return &computepb.ShieldedInstanceIdentity{
			SigningKey: &computepb.ShieldedInstanceIdentityEntry{
				EkPub: proto.String(pem),
			},
		}
	}
	// validInstanceInfo yields a freshly encoded, empty GCEInstanceInfo.
	validInstanceInfo := func() []byte {
		return mustMarshal(attest.GCEInstanceInfo{}, require.New(t))
	}

	type clientFactory = func(ctx context.Context, opts ...option.ClientOption) (gcpRestClient, error)
	testCases := map[string]struct {
		instanceInfo []byte
		getClient    clientFactory
		wantErr      bool
	}{
		"success": {
			instanceInfo: validInstanceInfo(),
			getClient:    prepareFakeClient(identityWithKey(testPubK), nil, nil),
		},
		"Unmarshal error": {
			instanceInfo: []byte("error"),
			getClient:    prepareFakeClient(identityWithKey(testPubK), nil, nil),
			wantErr:      true,
		},
		"empty signing key": {
			instanceInfo: validInstanceInfo(),
			getClient:    prepareFakeClient(&computepb.ShieldedInstanceIdentity{}, nil, nil),
			wantErr:      true,
		},
		"new client error": {
			instanceInfo: validInstanceInfo(),
			getClient:    prepareFakeClient(identityWithKey(testPubK), errors.New("error"), nil),
			wantErr:      true,
		},
		"GetShieldedInstanceIdentity error": {
			instanceInfo: validInstanceInfo(),
			getClient:    prepareFakeClient(identityWithKey(testPubK), nil, errors.New("error")),
			wantErr:      true,
		},
		"Decode error": {
			instanceInfo: validInstanceInfo(),
			getClient:    prepareFakeClient(identityWithKey("Not a public key"), nil, nil),
			wantErr:      true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)

			// NOTE(review): a nil context is passed here; if the closure ever
			// reads it, this panics. context.Background() would be safer, but
			// the parameter's declared type is not visible in this file.
			out, err := trustedKeyFromGCEAPI(tc.getClient)(nil, tc.instanceInfo)
			if tc.wantErr {
				assert.Error(err)
				return
			}
			assert.NoError(err)
			_, isRSA := out.(*rsa.PublicKey)
			assert.True(isRSA, "trusted key is not an *rsa.PublicKey")
		})
	}
}
// mustMarshal JSON-encodes in and returns the bytes. Encoding failures are
// reported through require, which stops the calling test, so fixtures can be
// built inline in test tables.
func mustMarshal(in any, require *require.Assertions) []byte {
	encoded, err := json.Marshal(in)
	require.NoError(err, "marshaling %T", in)
	return encoded
}
// fakeInstanceClient is the gcpRestClient stand-in handed out by
// prepareFakeClient. GetShieldedInstanceIdentity returns the canned identity
// and error stored here; Close always succeeds.
type fakeInstanceClient struct {
	// ident is returned verbatim by GetShieldedInstanceIdentity.
	ident *computepb.ShieldedInstanceIdentity
	// getIdentErr is returned alongside ident so tests can simulate an API
	// failure.
	getIdentErr error
}
// prepareFakeClient returns a client factory with the signature
// trustedKeyFromGCEAPI accepts. Each call of the factory ignores its context
// and options and yields a fakeInstanceClient preloaded with ident and
// getIdentErr, paired with newErr as the constructor error. Note that a
// non-nil client is returned even when newErr is set.
func prepareFakeClient(ident *computepb.ShieldedInstanceIdentity, newErr, getIdentErr error) func(ctx context.Context, opts ...option.ClientOption) (gcpRestClient, error) {
	return func(_ context.Context, _ ...option.ClientOption) (gcpRestClient, error) {
		client := &fakeInstanceClient{ident: ident, getIdentErr: getIdentErr}
		return client, newErr
	}
}
// Close implements the client's Close method. The fake holds no connection or
// other resource, so there is nothing to release and it always succeeds.
func (*fakeInstanceClient) Close() error {
	return nil
}
// GetShieldedInstanceIdentity ignores its context, request and call options
// and returns the identity and error the fake was constructed with. Both are
// returned together even when the error is non-nil.
func (c *fakeInstanceClient) GetShieldedInstanceIdentity(_ context.Context, _ *computepb.GetShieldedInstanceIdentityInstanceRequest, _ ...gax.CallOption) (*computepb.ShieldedInstanceIdentity, error) {
	ident, err := c.ident, c.getIdentErr
	return ident, err
}