cli: fix Azure SEV-SNP latest version logic (#2343)

2025-05-02 14:26:23 -04:00 · 2023-09-25 11:53:02 +02:00 · 2023-09-25 11:53:02 +02:00 · 118f789c2f
commit 118f789c2f
parent 2776e40df7
26 changed files with 547 additions and 245 deletions
--- a/internal/api/attestationconfigapi/cli/BUILD.bazel
+++ b/internal/api/attestationconfigapi/cli/BUILD.bazel
@ -21,6 +21,9 @@ go_library(
        "//internal/constants",
        "//internal/logger",
        "//internal/staticupload",
+        "@com_github_aws_aws_sdk_go//aws",
+        "@com_github_aws_aws_sdk_go_v2_service_s3//:s3",
+        "@com_github_aws_aws_sdk_go_v2_service_s3//types",
        "@com_github_spf13_cobra//:cobra",
        "@org_uber_go_zap//:zap",
    ],
@ -28,13 +31,9 @@ go_library(

 go_test(
    name = "cli_test",
-    srcs = [
-        "delete_test.go",
-        "main_test.go",
-    ],
+    srcs = ["delete_test.go"],
    embed = [":cli_lib"],
    deps = [
-        "//internal/api/attestationconfigapi",
        "@com_github_stretchr_testify//assert",
        "@com_github_stretchr_testify//require",
    ],
--- a/internal/api/attestationconfigapi/cli/delete.go
+++ b/internal/api/attestationconfigapi/cli/delete.go
@ -10,6 +10,9 @@ import (
 	"errors"
 	"fmt"

+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/aws/aws-sdk-go/aws"
 	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
 	"github.com/edgelesssys/constellation/v2/internal/logger"
 	"github.com/edgelesssys/constellation/v2/internal/staticupload"
@ -27,6 +30,13 @@ func newDeleteCmd() *cobra.Command {
 	}
 	cmd.Flags().StringP("version", "v", "", "Name of the version to delete (without .json suffix)")
 	must(cmd.MarkFlagRequired("version"))
+
+	recursivelyCmd := &cobra.Command{
+		Use:   "recursive",
+		Short: "delete all objects from the API path",
+		RunE:  runRecursiveDelete,
+	}
+	cmd.AddCommand(recursivelyCmd)
 	return cmd
 }

@ -59,17 +69,19 @@ func runDelete(cmd *cobra.Command, _ []string) (retErr error) {
 		return fmt.Errorf("getting bucket: %w", err)
 	}

-	distribution, err := cmd.Flags().GetString("distribution")
+	testing, err := cmd.Flags().GetBool("testing")
 	if err != nil {
-		return fmt.Errorf("getting distribution: %w", err)
+		return fmt.Errorf("getting testing flag: %w", err)
 	}
+	_, distribution := getEnvironment(testing)

 	cfg := staticupload.Config{
 		Bucket:         bucket,
 		Region:         region,
 		DistributionID: distribution,
 	}
-	client, clientClose, err := attestationconfigapi.NewClient(cmd.Context(), cfg, []byte(cosignPwd), []byte(privateKey), false, log)
+	client, clientClose, err := attestationconfigapi.NewClient(cmd.Context(), cfg,
+		[]byte(cosignPwd), []byte(privateKey), false, 1, log)
 	if err != nil {
 		return fmt.Errorf("create attestation client: %w", err)
 	}
@ -85,3 +97,64 @@ func runDelete(cmd *cobra.Command, _ []string) (retErr error) {
 	}
 	return deleteCmd.delete(cmd)
 }
+
+func runRecursiveDelete(cmd *cobra.Command, _ []string) (retErr error) {
+	region, err := cmd.Flags().GetString("region")
+	if err != nil {
+		return fmt.Errorf("getting region: %w", err)
+	}
+
+	bucket, err := cmd.Flags().GetString("bucket")
+	if err != nil {
+		return fmt.Errorf("getting bucket: %w", err)
+	}
+
+	testing, err := cmd.Flags().GetBool("testing")
+	if err != nil {
+		return fmt.Errorf("getting testing flag: %w", err)
+	}
+	_, distribution := getEnvironment(testing)
+
+	log := logger.New(logger.PlainLog, zap.DebugLevel).Named("attestationconfigapi")
+	client, closeFn, err := staticupload.New(cmd.Context(), staticupload.Config{
+		Bucket:         bucket,
+		Region:         region,
+		DistributionID: distribution,
+	}, log)
+	if err != nil {
+		return fmt.Errorf("create static upload client: %w", err)
+	}
+	defer func() {
+		err := closeFn(cmd.Context())
+		if err != nil {
+			retErr = errors.Join(retErr, fmt.Errorf("failed to close client: %w", err))
+		}
+	}()
+	path := "constellation/v1/attestation/azure-sev-snp"
+	resp, err := client.ListObjectsV2(cmd.Context(), &s3.ListObjectsV2Input{
+		Bucket: aws.String(bucket),
+		Prefix: aws.String(path),
+	})
+	if err != nil {
+		return err
+	}
+
+	// Delete all objects in the path.
+	objIDs := make([]s3types.ObjectIdentifier, len(resp.Contents))
+	for i, obj := range resp.Contents {
+		objIDs[i] = s3types.ObjectIdentifier{Key: obj.Key}
+	}
+	if len(objIDs) > 0 {
+		_, err = client.DeleteObjects(cmd.Context(), &s3.DeleteObjectsInput{
+			Bucket: aws.String(bucket),
+			Delete: &s3types.Delete{
+				Objects: objIDs,
+				Quiet:   true,
+			},
+		})
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/internal/api/attestationconfigapi/cli/e2e/test.sh.in
+++ b/internal/api/attestationconfigapi/cli/e2e/test.sh.in
@ -17,58 +17,123 @@ fi

 configapi_cli=$(realpath @@CONFIGAPI_CLI@@)
 stat "${configapi_cli}" >> /dev/null
-
+configapi_cli="${configapi_cli} --testing"
 ###### script body ######

 readonly region="eu-west-1"
 readonly bucket="resource-api-testing"
-readonly distribution="ETZGUP1CWRC2P"

 tmpdir=$(mktemp -d)
 readonly tmpdir
 registerExitHandler "rm -rf $tmpdir"

+# empty the bucket version state
+${configapi_cli} delete recursive --region "$region" --bucket "$bucket"
+
+# the high version numbers ensure that it's newer than the current latest value
+readonly current_claim_path="$tmpdir/currentMaaClaim.json"
+cat << EOF > "$current_claim_path"
+{
+  "x-ms-isolation-tee": {
+    "x-ms-sevsnpvm-tee-svn": 1,
+    "x-ms-sevsnpvm-snpfw-svn": 1,
+    "x-ms-sevsnpvm-microcode-svn": 1,
+    "x-ms-sevsnpvm-bootloader-svn": 1
+  }
+}
+EOF
+# upload a fake latest version for the fetcher
+${configapi_cli} --force --maa-claims-path "$current_claim_path" --upload-date "2000-01-01-01-01" --region "$region" --bucket "$bucket"
+
+# the high version numbers ensure that it's newer than the current latest value
 readonly claim_path="$tmpdir/maaClaim.json"
 cat << EOF > "$claim_path"
 {
  "x-ms-isolation-tee": {
-    "x-ms-sevsnpvm-tee-svn": 1,
-    "x-ms-sevsnpvm-snpfw-svn": 9,
-    "x-ms-sevsnpvm-microcode-svn": 116,
-    "x-ms-sevsnpvm-bootloader-svn": 4
+    "x-ms-sevsnpvm-tee-svn": 255,
+    "x-ms-sevsnpvm-snpfw-svn": 255,
+    "x-ms-sevsnpvm-microcode-svn": 255,
+    "x-ms-sevsnpvm-bootloader-svn": 255
  }
 }
 EOF

-readonly date="2023-02-02-03-04"
-${configapi_cli} --maa-claims-path "$claim_path" --upload-date "$date" --region "$region" --bucket "$bucket" --distribution "$distribution"
+# has an older version
+readonly older_claim_path="$tmpdir/maaClaimOld.json"
+cat << EOF > "$older_claim_path"
+{
+  "x-ms-isolation-tee": {
+    "x-ms-sevsnpvm-tee-svn": 255,
+    "x-ms-sevsnpvm-snpfw-svn": 255,
+    "x-ms-sevsnpvm-microcode-svn": 254,
+    "x-ms-sevsnpvm-bootloader-svn": 255
+  }
+}
+EOF

+# report 3 versions with different dates to fill the reporter cache
+readonly date_oldest="2023-02-01-03-04"
+${configapi_cli} --maa-claims-path "$older_claim_path" --upload-date "$date_oldest" --region "$region" --bucket "$bucket" --cache-window-size 3
+readonly date_older="2023-02-02-03-04"
+${configapi_cli} --maa-claims-path "$older_claim_path" --upload-date "$date_older" --region "$region" --bucket "$bucket" --cache-window-size 3
+readonly date="2023-02-03-03-04"
+${configapi_cli} --maa-claims-path "$claim_path" --upload-date "$date" --region "$region" --bucket "$bucket" --cache-window-size 3
+
+# expect that $date_oldest is served as latest version
 baseurl="https://d33dzgxuwsgbpw.cloudfront.net/constellation/v1/attestation/azure-sev-snp"
-if ! curl -fsSL ${baseurl}/${date}.json > /dev/null; then
-  echo "Checking for uploaded version file constellation/v1/attestation/azure-sev-snp/${date}.json: request returned ${?}"
+if ! curl -fsSL ${baseurl}/${date_oldest}.json > version.json; then
+  echo "Checking for uploaded version file constellation/v1/attestation/azure-sev-snp/${date_oldest}.json: request returned ${?}"
  exit 1
 fi
-
-if ! curl -fsSL ${baseurl}/${date}.json.sig > /dev/null; then
-  echo "Checking for uploaded version signature file constellation/v1/attestation/azure-sev-snp/${date}.json.sig: request returned ${?}"
+# check that version values are equal to expected
+if ! cmp -s <(echo -n '{"bootloader":255,"tee":255,"snp":255,"microcode":254}') version.json; then
+  echo "The version content:"
+  cat version.json
+  echo " is not equal to the expected version content:"
+  echo '{"bootloader":255,"tee":255,"snp":255,"microcode":254}'
  exit 1
 fi
-
-if ! curl -fsSL ${baseurl}/list > /dev/null; then
+if ! curl -fsSL ${baseurl}/${date_oldest}.json.sig > /dev/null; then
+  echo "Checking for uploaded version signature file constellation/v1/attestation/azure-sev-snp/${date_oldest}.json.sig: request returned ${?}"
+  exit 1
+fi
+# check list endpoint
+if ! curl -fsSL ${baseurl}/list > list.json; then
  echo "Checking for uploaded list file constellation/v1/attestation/azure-sev-snp/list: request returned ${?}"
  exit 1
 fi
-${configapi_cli} delete --version "$date" --region "$region" --bucket "$bucket" --distribution "$distribution"
-
-# Omit -f to check for 404. We want to check that a file was deleted, therefore we expect the query to fail.
-http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null ${baseurl}/${date}.json)
-if [[ $http_code -ne 404 ]]; then
-  echo "Expected HTTP code 404 for: constellation/v1/attestation/azure-sev-snp/${date}.json, but got ${http_code}"
+# check that version values are equal to expected
+if ! cmp -s <(echo -n '["2023-02-01-03-04.json","2000-01-01-01-01.json"]') list.json; then
+  echo "The list content:"
+  cat list.json
+  echo " is not equal to the expected version content:"
+  echo '["2023-02-01-03-04.json","2000-01-01-01-01.json"]'
+  exit 1
+fi
+
+# check that the other versions are not uploaded
+http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null ${baseurl}/${date_older}.json)
+if [[ $http_code -ne 404 ]]; then
+  echo "Expected HTTP code 404 for: constellation/v1/attestation/azure-sev-snp/${date_older}.json, but got ${http_code}"
  exit 1
 fi
-# Omit -f to check for 404. We want to check that a file was deleted, therefore we expect the query to fail.
 http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null ${baseurl}/${date}.json.sig)
 if [[ $http_code -ne 404 ]]; then
  echo "Expected HTTP code 404 for: constellation/v1/attestation/azure-sev-snp/${date}.json, but got ${http_code}"
  exit 1
 fi
+
+${configapi_cli} delete --version "$date_oldest" --region "$region" --bucket "$bucket"
+
+# Omit -f to check for 404. We want to check that a file was deleted, therefore we expect the query to fail.
+http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null ${baseurl}/${date_oldest}.json)
+if [[ $http_code -ne 404 ]]; then
+  echo "Expected HTTP code 404 for: constellation/v1/attestation/azure-sev-snp/${date_oldest}.json, but got ${http_code}"
+  exit 1
+fi
+# Omit -f to check for 404. We want to check that a file was deleted, therefore we expect the query to fail.
+http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null ${baseurl}/${date_oldest}.json.sig)
+if [[ $http_code -ne 404 ]]; then
+  echo "Expected HTTP code 404 for: constellation/v1/attestation/azure-sev-snp/${date_oldest}.json, but got ${http_code}"
+  exit 1
+fi
--- a/internal/api/attestationconfigapi/cli/main.go
+++ b/internal/api/attestationconfigapi/cli/main.go
@ -8,8 +8,9 @@ SPDX-License-Identifier: AGPL-3.0-only
 This package provides a CLI to interact with the Attestationconfig API, a sub API of the Resource API.

 You can execute an e2e test by running: `bazel run //internal/api/attestationconfigapi:configapi_e2e_test`.
-The CLI is used in the CI pipeline. Actions that change the bucket's data shouldn't be executed manually.
-Notice that there is no synchronization on API operations.
+The CLI is used in the CI pipeline. Manual actions that change the bucket's data shouldn't be necessary.
+The reporter CLI caches the observed version values in a dedicated caching directory and derives the latest API version from it.
+Any version update is then pushed to the API.
 */
 package main

@ -35,6 +36,8 @@ const (
 	distributionID      = constants.CDNDefaultDistributionID
 	envCosignPwd        = "COSIGN_PASSWORD"
 	envCosignPrivateKey = "COSIGN_PRIVATE_KEY"
+	// versionWindowSize defines the number of versions to be considered for the latest version. Each week 5 versions are uploaded for each node of the verify cluster.
+	versionWindowSize = 15
 )

 var (
@ -53,10 +56,10 @@ func main() {
 // newRootCmd creates the root command.
 func newRootCmd() *cobra.Command {
 	rootCmd := &cobra.Command{
-		Use:   "COSIGN_PASSWORD=$CPWD COSIGN_PRIVATE_KEY=$CKEY upload --version-file $FILE",
+		Use:   "COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY=$CKEY upload --version-file $FILE",
 		Short: "Upload a set of versions specific to the azure-sev-snp attestation variant to the config api.",

-		Long: fmt.Sprintf("Upload a set of versions specific to the azure-sev-snp attestation variant to the config api."+
+		Long: fmt.Sprintf("The CLI uploads an observed version number specific to the azure-sev-snp attestation variant to a cache directory. The CLI then determines the lowest version within the cache-window present in the cache and writes that value to the config api if necessary. "+
 			"Please authenticate with AWS through your preferred method (e.g. environment variables, CLI)"+
 			"to be able to upload to S3. Set the %s and %s environment variables to authenticate with cosign.",
 			envCosignPrivateKey, envCosignPwd,
@ -66,9 +69,12 @@ func newRootCmd() *cobra.Command {
 	}
 	rootCmd.Flags().StringP("maa-claims-path", "t", "", "File path to a json file containing the MAA claims.")
 	rootCmd.Flags().StringP("upload-date", "d", "", "upload a version with this date as version name.")
+	rootCmd.Flags().BoolP("force", "f", false, "Use force to manually push a new latest version."+
+		" The version gets saved to the cache but the version selection logic is skipped.")
+	rootCmd.Flags().IntP("cache-window-size", "s", versionWindowSize, "Number of versions to be considered for the latest version.")
 	rootCmd.PersistentFlags().StringP("region", "r", awsRegion, "region of the targeted bucket.")
 	rootCmd.PersistentFlags().StringP("bucket", "b", awsBucket, "bucket targeted by all operations.")
-	rootCmd.PersistentFlags().StringP("distribution", "i", distributionID, "cloudflare distribution used.")
+	rootCmd.PersistentFlags().Bool("testing", false, "upload to S3 test bucket.")
 	must(rootCmd.MarkFlagRequired("maa-claims-path"))
 	rootCmd.AddCommand(newDeleteCmd())
 	return rootCmd
@ -110,23 +116,8 @@ func runCmd(cmd *cobra.Command, _ []string) (retErr error) {
 	inputVersion := maaTCB.ToAzureSEVSNPVersion()
 	log.Infof("Input version: %+v", inputVersion)

-	latestAPIVersionAPI, err := attestationconfigapi.NewFetcher().FetchAzureSEVSNPVersionLatest(ctx, flags.uploadDate)
-	if err != nil {
-		return fmt.Errorf("fetching latest version: %w", err)
-	}
-	latestAPIVersion := latestAPIVersionAPI.AzureSEVSNPVersion
-
-	isNewer, err := isInputNewerThanLatestAPI(inputVersion, latestAPIVersion)
-	if err != nil {
-		return fmt.Errorf("comparing versions: %w", err)
-	}
-	if !isNewer {
-		log.Infof("Input version: %+v is not newer than latest API version: %+v", inputVersion, latestAPIVersion)
-		return nil
-	}
-	log.Infof("Input version: %+v is newer than latest API version: %+v", inputVersion, latestAPIVersion)
-
-	client, clientClose, err := attestationconfigapi.NewClient(ctx, cfg, []byte(cosignPwd), []byte(privateKey), false, log)
+	client, clientClose, err := attestationconfigapi.NewClient(ctx, cfg,
+		[]byte(cosignPwd), []byte(privateKey), false, flags.cacheWindowSize, log)
 	defer func() {
 		err := clientClose(cmd.Context())
 		if err != nil {
@ -138,64 +129,98 @@ func runCmd(cmd *cobra.Command, _ []string) (retErr error) {
 		return fmt.Errorf("creating client: %w", err)
 	}

-	if err := client.UploadAzureSEVSNPVersion(ctx, inputVersion, flags.uploadDate); err != nil {
-		return fmt.Errorf("uploading version: %w", err)
+	latestAPIVersionAPI, err := attestationconfigapi.NewFetcherWithCustomCDNAndCosignKey(flags.url, constants.CosignPublicKeyDev).FetchAzureSEVSNPVersionLatest(ctx)
+	if err != nil {
+		if errors.Is(err, attestationconfigapi.ErrNoVersionsFound) {
+			log.Infof("No versions found in API, but assuming that we are uploading the first version.")
+		} else {
+			return fmt.Errorf("fetching latest version: %w", err)
+		}
+	}
+	latestAPIVersion := latestAPIVersionAPI.AzureSEVSNPVersion
+	if err := client.UploadAzureSEVSNPVersionLatest(ctx, inputVersion, latestAPIVersion, flags.uploadDate, flags.force); err != nil {
+		if errors.Is(err, attestationconfigapi.ErrNoNewerVersion) {
+			log.Infof("Input version: %+v is not newer than latest API version: %+v", inputVersion, latestAPIVersion)
+			return nil
+		}
+		return fmt.Errorf("updating latest version: %w", err)
 	}
-
-	cmd.Printf("Successfully uploaded new Azure SEV-SNP version: %+v\n", inputVersion)
 	return nil
 }

-type cliFlags struct {
-	maaFilePath  string
-	uploadDate   time.Time
-	region       string
-	bucket       string
-	distribution string
+type config struct {
+	maaFilePath     string
+	uploadDate      time.Time
+	region          string
+	bucket          string
+	distribution    string
+	url             string
+	force           bool
+	cacheWindowSize int
 }

-func parseCliFlags(cmd *cobra.Command) (cliFlags, error) {
+func parseCliFlags(cmd *cobra.Command) (config, error) {
 	maaFilePath, err := cmd.Flags().GetString("maa-claims-path")
 	if err != nil {
-		return cliFlags{}, fmt.Errorf("getting maa claims path: %w", err)
+		return config{}, fmt.Errorf("getting maa claims path: %w", err)
 	}

 	dateStr, err := cmd.Flags().GetString("upload-date")
 	if err != nil {
-		return cliFlags{}, fmt.Errorf("getting upload date: %w", err)
+		return config{}, fmt.Errorf("getting upload date: %w", err)
 	}
 	uploadDate := time.Now()
 	if dateStr != "" {
 		uploadDate, err = time.Parse(attestationconfigapi.VersionFormat, dateStr)
 		if err != nil {
-			return cliFlags{}, fmt.Errorf("parsing date: %w", err)
+			return config{}, fmt.Errorf("parsing date: %w", err)
 		}
 	}

 	region, err := cmd.Flags().GetString("region")
 	if err != nil {
-		return cliFlags{}, fmt.Errorf("getting region: %w", err)
+		return config{}, fmt.Errorf("getting region: %w", err)
 	}

 	bucket, err := cmd.Flags().GetString("bucket")
 	if err != nil {
-		return cliFlags{}, fmt.Errorf("getting bucket: %w", err)
+		return config{}, fmt.Errorf("getting bucket: %w", err)
 	}

-	distribution, err := cmd.Flags().GetString("distribution")
+	testing, err := cmd.Flags().GetBool("testing")
 	if err != nil {
-		return cliFlags{}, fmt.Errorf("getting distribution: %w", err)
+		return config{}, fmt.Errorf("getting testing flag: %w", err)
+	}
+	url, distribution := getEnvironment(testing)
+
+	force, err := cmd.Flags().GetBool("force")
+	if err != nil {
+		return config{}, fmt.Errorf("getting force: %w", err)
 	}

-	return cliFlags{
-		maaFilePath:  maaFilePath,
-		uploadDate:   uploadDate,
-		region:       region,
-		bucket:       bucket,
-		distribution: distribution,
+	cacheWindowSize, err := cmd.Flags().GetInt("cache-window-size")
+	if err != nil {
+		return config{}, fmt.Errorf("getting cache window size: %w", err)
+	}
+	return config{
+		maaFilePath:     maaFilePath,
+		uploadDate:      uploadDate,
+		region:          region,
+		bucket:          bucket,
+		url:             url,
+		distribution:    distribution,
+		force:           force,
+		cacheWindowSize: cacheWindowSize,
 	}, nil
 }

+func getEnvironment(testing bool) (url string, distributionID string) {
+	if testing {
+		return "https://d33dzgxuwsgbpw.cloudfront.net", "ETZGUP1CWRC2P"
+	}
+	return constants.CDNRepositoryURL, constants.CDNDefaultDistributionID
+}
+
 // maaTokenTCBClaims describes the TCB information in a MAA token.
 type maaTokenTCBClaims struct {
 	IsolationTEE struct {
@ -215,26 +240,6 @@ func (c maaTokenTCBClaims) ToAzureSEVSNPVersion() attestationconfigapi.AzureSEVS
 	}
 }

-// isInputNewerThanLatestAPI compares all version fields with the latest API version and returns true if any input field is newer.
-func isInputNewerThanLatestAPI(input, latest attestationconfigapi.AzureSEVSNPVersion) (bool, error) {
-	if input == latest {
-		return false, nil
-	}
-	if input.TEE < latest.TEE {
-		return false, fmt.Errorf("input TEE version: %d is older than latest API version: %d", input.TEE, latest.TEE)
-	}
-	if input.SNP < latest.SNP {
-		return false, fmt.Errorf("input SNP version: %d is older than latest API version: %d", input.SNP, latest.SNP)
-	}
-	if input.Microcode < latest.Microcode {
-		return false, fmt.Errorf("input Microcode version: %d is older than latest API version: %d", input.Microcode, latest.Microcode)
-	}
-	if input.Bootloader < latest.Bootloader {
-		return false, fmt.Errorf("input Bootloader version: %d is older than latest API version: %d", input.Bootloader, latest.Bootloader)
-	}
-	return true, nil
-}
-
 func must(err error) {
 	if err != nil {
 		panic(err)
--- a/internal/api/attestationconfigapi/cli/main_test.go
+++ b/internal/api/attestationconfigapi/cli/main_test.go
@ -1,77 +0,0 @@
-/*
-Copyright (c) Edgeless Systems GmbH
-
-SPDX-License-Identifier: AGPL-3.0-only
-*/
-
-package main
-
-import (
-	"testing"
-
-	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestIsInputNewerThanLatestAPI(t *testing.T) {
-	newTestCfg := func() attestationconfigapi.AzureSEVSNPVersion {
-		return attestationconfigapi.AzureSEVSNPVersion{
-			Microcode:  93,
-			TEE:        0,
-			SNP:        6,
-			Bootloader: 2,
-		}
-	}
-
-	testCases := map[string]struct {
-		latest attestationconfigapi.AzureSEVSNPVersion
-		input  attestationconfigapi.AzureSEVSNPVersion
-		expect bool
-		errMsg string
-	}{
-		"input is older than latest": {
-			input: func(c attestationconfigapi.AzureSEVSNPVersion) attestationconfigapi.AzureSEVSNPVersion {
-				c.Microcode--
-				return c
-			}(newTestCfg()),
-			latest: newTestCfg(),
-			expect: false,
-			errMsg: "input Microcode version: 92 is older than latest API version: 93",
-		},
-		"input has greater and smaller version field than latest": {
-			input: func(c attestationconfigapi.AzureSEVSNPVersion) attestationconfigapi.AzureSEVSNPVersion {
-				c.Microcode++
-				c.Bootloader--
-				return c
-			}(newTestCfg()),
-			latest: newTestCfg(),
-			expect: false,
-			errMsg: "input Bootloader version: 1 is older than latest API version: 2",
-		},
-		"input is newer than latest": {
-			input: func(c attestationconfigapi.AzureSEVSNPVersion) attestationconfigapi.AzureSEVSNPVersion {
-				c.TEE++
-				return c
-			}(newTestCfg()),
-			latest: newTestCfg(),
-			expect: true,
-		},
-		"input is equal to latest": {
-			input:  newTestCfg(),
-			latest: newTestCfg(),
-			expect: false,
-		},
-	}
-	for name, tc := range testCases {
-		t.Run(name, func(t *testing.T) {
-			isNewer, err := isInputNewerThanLatestAPI(tc.input, tc.latest)
-			assert := assert.New(t)
-			if tc.errMsg != "" {
-				assert.EqualError(err, tc.errMsg)
-			} else {
-				assert.NoError(err)
-				assert.Equal(tc.expect, isNewer)
-			}
-		})
-	}
-}