constellation/cli/internal/cmd/maapatch.go

/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

package cmd

import (
	"context"
	"fmt"
	"net/url"

	"github.com/edgelesssys/constellation/v2/internal/maa"
	"github.com/spf13/cobra"
)

// NewMaaPatchCmd returns a new cobra.Command for the maa-patch command.
func NewMaaPatchCmd() *cobra.Command {
	cmd := &cobra.Command{
		Use:   "maa-patch <attestation-url>",
		Short: "Patch the MAA's attestation policy",
		Long:  "Patch the MAA's attestation policy.",
		Args: cobra.MatchAll(
			cobra.ExactArgs(1),
			func(cmd *cobra.Command, args []string) error {
				if _, err := url.Parse(args[0]); err != nil {
					return fmt.Errorf("argument %s is not a valid URL: %w", args[0], err)
				}
				return nil
			},
		),
		RunE:   runPatchMAA,
		Hidden: true, // we don't want to show this command to the user directly.
	}

	return cmd
}

type maaPatchCmd struct {
	log     debugLog
	patcher patcher
}

func runPatchMAA(cmd *cobra.Command, args []string) error {
	log, err := newCLILogger(cmd)
	if err != nil {
		return fmt.Errorf("creating logger: %w", err)
	}
	defer log.Sync()

	p := maa.NewAzurePolicyPatcher()

	c := &maaPatchCmd{log: log, patcher: p}

	return c.patchMAA(cmd, args[0])
}

func (c *maaPatchCmd) patchMAA(cmd *cobra.Command, attestationURL string) error {
	c.log.Debugf("Using attestation URL %s", attestationURL)

	if err := c.patcher.Patch(cmd.Context(), attestationURL); err != nil {
		return fmt.Errorf("patching MAA attestation policy: %w", err)
	}

	return nil
}

type patcher interface {
	Patch(ctx context.Context, attestationURL string) error
}
terraform: add Terraform module for Azure (#2566) * add Azure Terraform module * add maa-patching command to cli * refactor release process * factor out image fetching to own action * add CI * generate * fix some unnecessary changes Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use `constellation maa-patch` in ci * insecure flag when using debug image Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * only update maa url if existing Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * make node group zone optional on aws and gcp Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * [remove] register updated workflow Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * Revert "[remove] register updated workflow" This reverts commit e70b9515b7eabbcbe0d41fa1296c48750cd02ace. * create MAA Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * make maa-patching only run on azure Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add comment Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * require node group zone for GCP and AWS * remove unnecessary bazel action * stamp version to correct file * refer to `maa-patch` command in docs * run Azure test in weekly e2e * comment / naming improvements * remove sa_account resource * disable spellcheck ot use "URL" * `create_maa` variable * don't write maa url to config Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * default to nightly image * use input ref and stream * fix command check * don't set region in weekly e2e call * patch maa if url is not empty Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove `create_maa` variable * remove binaries Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove undefined input * replace invalid attestation URL error message Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * fix punctuation Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * skip hidden commands in clidocgen Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * enable spellcheck before code block * move spellcheck trigger out of info block Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix workflow dependencies * let image default to CLI version --------- Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> 2023-11-13 12:46:20 -05:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`

			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

			`package cmd`

			`import (`
			`"context"`
			`"fmt"`
			`"net/url"`

			`"github.com/edgelesssys/constellation/v2/internal/maa"`
			`"github.com/spf13/cobra"`
			`)`

			`// NewMaaPatchCmd returns a new cobra.Command for the maa-patch command.`
			`func NewMaaPatchCmd() *cobra.Command {`
			`cmd := &cobra.Command{`
			`Use: "maa-patch <attestation-url>",`
			`Short: "Patch the MAA's attestation policy",`
			`Long: "Patch the MAA's attestation policy.",`
			`Args: cobra.MatchAll(`
			`cobra.ExactArgs(1),`
			`func(cmd *cobra.Command, args []string) error {`
			`if _, err := url.Parse(args[0]); err != nil {`
			`return fmt.Errorf("argument %s is not a valid URL: %w", args[0], err)`
			`}`
			`return nil`
			`},`
			`),`
			`RunE: runPatchMAA,`
			`Hidden: true, // we don't want to show this command to the user directly.`
			`}`

			`return cmd`
			`}`

			`type maaPatchCmd struct {`
			`log debugLog`
			`patcher patcher`
			`}`

			`func runPatchMAA(cmd *cobra.Command, args []string) error {`
			`log, err := newCLILogger(cmd)`
			`if err != nil {`
			`return fmt.Errorf("creating logger: %w", err)`
			`}`
			`defer log.Sync()`

			`p := maa.NewAzurePolicyPatcher()`

			`c := &maaPatchCmd{log: log, patcher: p}`

			`return c.patchMAA(cmd, args[0])`
			`}`

			`func (c maaPatchCmd) patchMAA(cmd cobra.Command, attestationURL string) error {`
			`c.log.Debugf("Using attestation URL %s", attestationURL)`

			`if err := c.patcher.Patch(cmd.Context(), attestationURL); err != nil {`
			`return fmt.Errorf("patching MAA attestation policy: %w", err)`
			`}`

			`return nil`
			`}`

			`type patcher interface {`
			`Patch(ctx context.Context, attestationURL string) error`
			`}`