mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-25 23:49:37 -05:00
add cryptsetup wrapper to core
Signed-off-by: Malte Poll <mp@edgeless.systems>
This commit is contained in:
parent
bb56b46e21
commit
1b6ecf27ee
@ -17,6 +17,7 @@ import (
|
|||||||
gcpcloud "github.com/edgelesssys/constellation/coordinator/cloudprovider/gcp"
|
gcpcloud "github.com/edgelesssys/constellation/coordinator/cloudprovider/gcp"
|
||||||
"github.com/edgelesssys/constellation/coordinator/config"
|
"github.com/edgelesssys/constellation/coordinator/config"
|
||||||
"github.com/edgelesssys/constellation/coordinator/core"
|
"github.com/edgelesssys/constellation/coordinator/core"
|
||||||
|
"github.com/edgelesssys/constellation/coordinator/diskencryption"
|
||||||
"github.com/edgelesssys/constellation/coordinator/kubernetes"
|
"github.com/edgelesssys/constellation/coordinator/kubernetes"
|
||||||
"github.com/edgelesssys/constellation/coordinator/kubernetes/k8sapi"
|
"github.com/edgelesssys/constellation/coordinator/kubernetes/k8sapi"
|
||||||
"github.com/edgelesssys/constellation/coordinator/kubernetes/k8sapi/kubectl"
|
"github.com/edgelesssys/constellation/coordinator/kubernetes/k8sapi/kubectl"
|
||||||
@ -41,6 +42,7 @@ func main() {
|
|||||||
var cloudControllerManager core.CloudControllerManager
|
var cloudControllerManager core.CloudControllerManager
|
||||||
var cloudNodeManager core.CloudNodeManager
|
var cloudNodeManager core.CloudNodeManager
|
||||||
var autoscaler core.ClusterAutoscaler
|
var autoscaler core.ClusterAutoscaler
|
||||||
|
var encryptedDisk core.EncryptedDisk
|
||||||
cfg := zap.NewDevelopmentConfig()
|
cfg := zap.NewDevelopmentConfig()
|
||||||
|
|
||||||
logLevelUser := flag.Bool("debug", false, "enables gRPC debug output")
|
logLevelUser := flag.Bool("debug", false, "enables gRPC debug output")
|
||||||
@ -99,6 +101,7 @@ func main() {
|
|||||||
cloudControllerManager = &gcpcloud.CloudControllerManager{}
|
cloudControllerManager = &gcpcloud.CloudControllerManager{}
|
||||||
cloudNodeManager = &gcpcloud.CloudNodeManager{}
|
cloudNodeManager = &gcpcloud.CloudNodeManager{}
|
||||||
autoscaler = &gcpcloud.Autoscaler{}
|
autoscaler = &gcpcloud.Autoscaler{}
|
||||||
|
encryptedDisk = diskencryption.New()
|
||||||
bindIP = defaultIP
|
bindIP = defaultIP
|
||||||
bindPort = defaultPort
|
bindPort = defaultPort
|
||||||
etcdEndpoint = defaultEtcdEndpoint
|
etcdEndpoint = defaultEtcdEndpoint
|
||||||
@ -122,6 +125,7 @@ func main() {
|
|||||||
cloudControllerManager = &azurecloud.CloudControllerManager{}
|
cloudControllerManager = &azurecloud.CloudControllerManager{}
|
||||||
cloudNodeManager = &azurecloud.CloudNodeManager{}
|
cloudNodeManager = &azurecloud.CloudNodeManager{}
|
||||||
autoscaler = &azurecloud.Autoscaler{}
|
autoscaler = &azurecloud.Autoscaler{}
|
||||||
|
encryptedDisk = diskencryption.New()
|
||||||
bindIP = defaultIP
|
bindIP = defaultIP
|
||||||
bindPort = defaultPort
|
bindPort = defaultPort
|
||||||
etcdEndpoint = defaultEtcdEndpoint
|
etcdEndpoint = defaultEtcdEndpoint
|
||||||
@ -136,6 +140,7 @@ func main() {
|
|||||||
cloudControllerManager = &core.CloudControllerManagerFake{}
|
cloudControllerManager = &core.CloudControllerManagerFake{}
|
||||||
cloudNodeManager = &core.CloudNodeManagerFake{}
|
cloudNodeManager = &core.CloudNodeManagerFake{}
|
||||||
autoscaler = &core.ClusterAutoscalerFake{}
|
autoscaler = &core.ClusterAutoscalerFake{}
|
||||||
|
encryptedDisk = &core.EncryptedDiskFake{}
|
||||||
bindIP = defaultIP
|
bindIP = defaultIP
|
||||||
bindPort = defaultPort
|
bindPort = defaultPort
|
||||||
etcdEndpoint = "etcd-storage:2379"
|
etcdEndpoint = "etcd-storage:2379"
|
||||||
@ -149,5 +154,5 @@ func main() {
|
|||||||
fileHandler := file.NewHandler(fs)
|
fileHandler := file.NewHandler(fs)
|
||||||
dialer := &net.Dialer{}
|
dialer := &net.Dialer{}
|
||||||
run(validator, issuer, wg, openTPM, util.GetIPAddr, dialer, fileHandler, kube,
|
run(validator, issuer, wg, openTPM, util.GetIPAddr, dialer, fileHandler, kube,
|
||||||
metadata, cloudControllerManager, cloudNodeManager, autoscaler, etcdEndpoint, enforceEtcdTls, bindIP, bindPort, zapLoggerCore)
|
metadata, cloudControllerManager, cloudNodeManager, autoscaler, encryptedDisk, etcdEndpoint, enforceEtcdTls, bindIP, bindPort, zapLoggerCore)
|
||||||
}
|
}
|
||||||
|
@ -27,7 +27,7 @@ import (
|
|||||||
var version = "0.0.0"
|
var version = "0.0.0"
|
||||||
|
|
||||||
func run(validator core.QuoteValidator, issuer core.QuoteIssuer, vpn core.VPN, openTPM vtpm.TPMOpenFunc, getPublicIPAddr func() (string, error), dialer pubapi.Dialer, fileHandler file.Handler,
|
func run(validator core.QuoteValidator, issuer core.QuoteIssuer, vpn core.VPN, openTPM vtpm.TPMOpenFunc, getPublicIPAddr func() (string, error), dialer pubapi.Dialer, fileHandler file.Handler,
|
||||||
kube core.Cluster, metadata core.ProviderMetadata, cloudControllerManager core.CloudControllerManager, cloudNodeManager core.CloudNodeManager, clusterAutoscaler core.ClusterAutoscaler, etcdEndpoint string, etcdTLS bool, bindIP, bindPort string, zapLoggerCore *zap.Logger,
|
kube core.Cluster, metadata core.ProviderMetadata, cloudControllerManager core.CloudControllerManager, cloudNodeManager core.CloudNodeManager, clusterAutoscaler core.ClusterAutoscaler, encryptedDisk core.EncryptedDisk, etcdEndpoint string, etcdTLS bool, bindIP, bindPort string, zapLoggerCore *zap.Logger,
|
||||||
) {
|
) {
|
||||||
defer zapLoggerCore.Sync()
|
defer zapLoggerCore.Sync()
|
||||||
zapLoggerCore.Info("starting coordinator", zap.String("version", version))
|
zapLoggerCore.Info("starting coordinator", zap.String("version", version))
|
||||||
@ -42,7 +42,7 @@ func run(validator core.QuoteValidator, issuer core.QuoteIssuer, vpn core.VPN, o
|
|||||||
ForceTLS: etcdTLS,
|
ForceTLS: etcdTLS,
|
||||||
Logger: zapLoggerCore.WithOptions(zap.IncreaseLevel(zap.WarnLevel)).Named("etcd"),
|
Logger: zapLoggerCore.WithOptions(zap.IncreaseLevel(zap.WarnLevel)).Named("etcd"),
|
||||||
}
|
}
|
||||||
core, err := core.NewCore(vpn, kube, metadata, cloudControllerManager, cloudNodeManager, clusterAutoscaler, zapLoggerCore, openTPM, etcdStoreFactory, fileHandler)
|
core, err := core.NewCore(vpn, kube, metadata, cloudControllerManager, cloudNodeManager, clusterAutoscaler, encryptedDisk, zapLoggerCore, openTPM, etcdStoreFactory, fileHandler)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
zapLoggerCore.Fatal("failed to create core", zap.Error(err))
|
zapLoggerCore.Fatal("failed to create core", zap.Error(err))
|
||||||
}
|
}
|
||||||
|
@ -194,7 +194,7 @@ func TestConcurrent(t *testing.T) {
|
|||||||
|
|
||||||
func spawnPeer(require *require.Assertions, logger *zap.Logger, dialer *testdialer.BufconnDialer, netw *network, endpoint string) (*grpc.Server, *pubapi.API, *fakeVPN) {
|
func spawnPeer(require *require.Assertions, logger *zap.Logger, dialer *testdialer.BufconnDialer, netw *network, endpoint string) (*grpc.Server, *pubapi.API, *fakeVPN) {
|
||||||
vpn := newVPN(netw, endpoint)
|
vpn := newVPN(netw, endpoint)
|
||||||
cor, err := core.NewCore(vpn, &core.ClusterFake{}, &core.ProviderMetadataFake{}, &core.CloudControllerManagerFake{}, &core.CloudNodeManagerFake{}, &core.ClusterAutoscalerFake{}, logger, vtpm.OpenSimulatedTPM, fakeStoreFactory{}, file.NewHandler(afero.NewMemMapFs()))
|
cor, err := core.NewCore(vpn, &core.ClusterFake{}, &core.ProviderMetadataFake{}, &core.CloudControllerManagerFake{}, &core.CloudNodeManagerFake{}, &core.ClusterAutoscalerFake{}, &core.EncryptedDiskFake{}, logger, vtpm.OpenSimulatedTPM, fakeStoreFactory{}, file.NewHandler(afero.NewMemMapFs()))
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
require.NoError(cor.AdvanceState(state.AcceptingInit, nil, nil))
|
require.NoError(cor.AdvanceState(state.AcceptingInit, nil, nil))
|
||||||
|
|
||||||
|
@ -169,7 +169,7 @@ func TestInitCluster(t *testing.T) {
|
|||||||
|
|
||||||
zapLogger, err := zap.NewDevelopment()
|
zapLogger, err := zap.NewDevelopment()
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
core, err := NewCore(&stubVPN{}, &tc.cluster, &tc.metadata, &tc.cloudControllerManager, &tc.cloudNodeManager, &tc.clusterAutoscaler, zapLogger, vtpm.OpenSimulatedTPM, nil, file.NewHandler(afero.NewMemMapFs()))
|
core, err := NewCore(&stubVPN{}, &tc.cluster, &tc.metadata, &tc.cloudControllerManager, &tc.cloudNodeManager, &tc.clusterAutoscaler, nil, zapLogger, vtpm.OpenSimulatedTPM, nil, file.NewHandler(afero.NewMemMapFs()))
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
|
|
||||||
kubeconfig, err := core.InitCluster(tc.autoscalingNodeGroups, "cloud-service-account-uri")
|
kubeconfig, err := core.InitCluster(tc.autoscalingNodeGroups, "cloud-service-account-uri")
|
||||||
@ -284,7 +284,7 @@ func TestJoinCluster(t *testing.T) {
|
|||||||
|
|
||||||
zapLogger, err := zap.NewDevelopment()
|
zapLogger, err := zap.NewDevelopment()
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
core, err := NewCore(&tc.vpn, &tc.cluster, &tc.metadata, &tc.cloudControllerManager, &tc.cloudNodeManager, &tc.clusterAutoscaler, zapLogger, vtpm.OpenSimulatedTPM, nil, file.NewHandler(afero.NewMemMapFs()))
|
core, err := NewCore(&tc.vpn, &tc.cluster, &tc.metadata, &tc.cloudControllerManager, &tc.cloudNodeManager, &tc.clusterAutoscaler, nil, zapLogger, vtpm.OpenSimulatedTPM, nil, file.NewHandler(afero.NewMemMapFs()))
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
|
|
||||||
joinReq := kubeadm.BootstrapTokenDiscovery{
|
joinReq := kubeadm.BootstrapTokenDiscovery{
|
||||||
|
@ -36,6 +36,7 @@ type Core struct {
|
|||||||
cloudControllerManager CloudControllerManager
|
cloudControllerManager CloudControllerManager
|
||||||
cloudNodeManager CloudNodeManager
|
cloudNodeManager CloudNodeManager
|
||||||
clusterAutoscaler ClusterAutoscaler
|
clusterAutoscaler ClusterAutoscaler
|
||||||
|
encryptedDisk EncryptedDisk
|
||||||
kms kms.CloudKMS
|
kms kms.CloudKMS
|
||||||
zaplogger *zap.Logger
|
zaplogger *zap.Logger
|
||||||
persistentStoreFactory PersistentStoreFactory
|
persistentStoreFactory PersistentStoreFactory
|
||||||
@ -46,7 +47,7 @@ type Core struct {
|
|||||||
// NewCore creates and initializes a new Core object.
|
// NewCore creates and initializes a new Core object.
|
||||||
func NewCore(vpn VPN, kube Cluster,
|
func NewCore(vpn VPN, kube Cluster,
|
||||||
metadata ProviderMetadata, cloudControllerManager CloudControllerManager, cloudNodeManager CloudNodeManager, clusterAutoscaler ClusterAutoscaler,
|
metadata ProviderMetadata, cloudControllerManager CloudControllerManager, cloudNodeManager CloudNodeManager, clusterAutoscaler ClusterAutoscaler,
|
||||||
zapLogger *zap.Logger, openTPM vtpm.TPMOpenFunc, persistentStoreFactory PersistentStoreFactory, fileHandler file.Handler,
|
encryptedDisk EncryptedDisk, zapLogger *zap.Logger, openTPM vtpm.TPMOpenFunc, persistentStoreFactory PersistentStoreFactory, fileHandler file.Handler,
|
||||||
) (*Core, error) {
|
) (*Core, error) {
|
||||||
stor := store.NewStdStore()
|
stor := store.NewStdStore()
|
||||||
c := &Core{
|
c := &Core{
|
||||||
@ -58,6 +59,7 @@ func NewCore(vpn VPN, kube Cluster,
|
|||||||
cloudNodeManager: cloudNodeManager,
|
cloudNodeManager: cloudNodeManager,
|
||||||
cloudControllerManager: cloudControllerManager,
|
cloudControllerManager: cloudControllerManager,
|
||||||
clusterAutoscaler: clusterAutoscaler,
|
clusterAutoscaler: clusterAutoscaler,
|
||||||
|
encryptedDisk: encryptedDisk,
|
||||||
zaplogger: zapLogger,
|
zaplogger: zapLogger,
|
||||||
kms: nil, // KMS is set up during init phase
|
kms: nil, // KMS is set up during init phase
|
||||||
persistentStoreFactory: persistentStoreFactory,
|
persistentStoreFactory: persistentStoreFactory,
|
||||||
|
@ -33,7 +33,7 @@ func TestGetNextNodeIP(t *testing.T) {
|
|||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, nil, file.NewHandler(afero.NewMemMapFs()))
|
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, nil, file.NewHandler(afero.NewMemMapFs()))
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
require.NoError(core.InitializeStoreIPs())
|
require.NoError(core.InitializeStoreIPs())
|
||||||
|
|
||||||
@ -76,7 +76,7 @@ func TestSwitchToPersistentStore(t *testing.T) {
|
|||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
storeFactory := &fakeStoreFactory{}
|
storeFactory := &fakeStoreFactory{}
|
||||||
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, storeFactory, file.NewHandler(afero.NewMemMapFs()))
|
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, storeFactory, file.NewHandler(afero.NewMemMapFs()))
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
|
|
||||||
require.NoError(core.SwitchToPersistentStore())
|
require.NoError(core.SwitchToPersistentStore())
|
||||||
@ -90,7 +90,7 @@ func TestGetIDs(t *testing.T) {
|
|||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, nil, file.NewHandler(afero.NewMemMapFs()))
|
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, nil, file.NewHandler(afero.NewMemMapFs()))
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
|
|
||||||
_, _, err = core.GetIDs(nil)
|
_, _, err = core.GetIDs(nil)
|
||||||
@ -114,7 +114,7 @@ func TestNotifyNodeHeartbeat(t *testing.T) {
|
|||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, nil, file.NewHandler(afero.NewMemMapFs()))
|
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, nil, file.NewHandler(afero.NewMemMapFs()))
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
|
|
||||||
const ip = "192.0.2.1"
|
const ip = "192.0.2.1"
|
||||||
@ -127,7 +127,7 @@ func TestDeriveKey(t *testing.T) {
|
|||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, nil, file.NewHandler(afero.NewMemMapFs()))
|
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, nil, file.NewHandler(afero.NewMemMapFs()))
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
|
|
||||||
// error when no kms is set up
|
// error when no kms is set up
|
||||||
@ -208,7 +208,7 @@ func TestInitialize(t *testing.T) {
|
|||||||
}).ToFile(fileHandler))
|
}).ToFile(fileHandler))
|
||||||
}
|
}
|
||||||
|
|
||||||
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, zaptest.NewLogger(t), openTPM, nil, fileHandler)
|
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, nil, zaptest.NewLogger(t), openTPM, nil, fileHandler)
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
|
|
||||||
if tc.expectPanic {
|
if tc.expectPanic {
|
||||||
@ -266,7 +266,7 @@ func TestPersistNodeState(t *testing.T) {
|
|||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
require.NoError(file.Close())
|
require.NoError(file.Close())
|
||||||
}
|
}
|
||||||
core, err := NewCore(tc.vpn, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, nil, fileHandler)
|
core, err := NewCore(tc.vpn, nil, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, nil, fileHandler)
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
err = core.PersistNodeState(role.Coordinator, []byte("owner-id"), []byte("cluster-id"))
|
err = core.PersistNodeState(role.Coordinator, []byte("owner-id"), []byte("cluster-id"))
|
||||||
if tc.errExpected {
|
if tc.errExpected {
|
||||||
|
57
coordinator/core/diskencryption.go
Normal file
57
coordinator/core/diskencryption.go
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
package core
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
)
|
||||||
|
|
||||||
|
// GetDiskUUID gets the disk's UUID.
|
||||||
|
func (c *Core) GetDiskUUID() (string, error) {
|
||||||
|
if err := c.encryptedDisk.Open(); err != nil {
|
||||||
|
return "", fmt.Errorf("retrieving uuid of encrypted disk failed: cannot open disk: %w", err)
|
||||||
|
}
|
||||||
|
defer c.encryptedDisk.Close()
|
||||||
|
uuid, err := c.encryptedDisk.UUID()
|
||||||
|
if err != nil {
|
||||||
|
return "", fmt.Errorf("cannot retrieve uuid of disk: %w", err)
|
||||||
|
}
|
||||||
|
return uuid, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// UpdateDiskPassphrase switches the initial random passphrase of the encrypted disk to a permanent passphrase.
|
||||||
|
func (c *Core) UpdateDiskPassphrase(passphrase string) error {
|
||||||
|
if err := c.encryptedDisk.Open(); err != nil {
|
||||||
|
return fmt.Errorf("updating passphrase of encrypted disk failed: cannot open disk: %w", err)
|
||||||
|
}
|
||||||
|
defer c.encryptedDisk.Close()
|
||||||
|
return c.encryptedDisk.UpdatePassphrase(passphrase)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptedDisk manages the encrypted state disk.
|
||||||
|
type EncryptedDisk interface {
|
||||||
|
// Open prepares the underlying device for disk operations.
|
||||||
|
Open() error
|
||||||
|
// Close closes the underlying device.
|
||||||
|
Close() error
|
||||||
|
// UUID gets the device's UUID.
|
||||||
|
UUID() (string, error)
|
||||||
|
// UpdatePassphrase switches the initial random passphrase of the encrypted disk to a permanent passphrase.
|
||||||
|
UpdatePassphrase(passphrase string) error
|
||||||
|
}
|
||||||
|
|
||||||
|
type EncryptedDiskFake struct{}
|
||||||
|
|
||||||
|
func (f *EncryptedDiskFake) UUID() (string, error) {
|
||||||
|
return "fake-disk-uuid", nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *EncryptedDiskFake) UpdatePassphrase(passphrase string) error {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *EncryptedDiskFake) Open() error {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *EncryptedDiskFake) Close() error {
|
||||||
|
return nil
|
||||||
|
}
|
122
coordinator/core/diskencryption_test.go
Normal file
122
coordinator/core/diskencryption_test.go
Normal file
@ -0,0 +1,122 @@
|
|||||||
|
package core
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/edgelesssys/constellation/cli/file"
|
||||||
|
"github.com/spf13/afero"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
"go.uber.org/zap"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestGetDiskUUID(t *testing.T) {
|
||||||
|
testCases := map[string]struct {
|
||||||
|
expectedUUID string
|
||||||
|
openErr error
|
||||||
|
uuidErr error
|
||||||
|
errExpected bool
|
||||||
|
}{
|
||||||
|
"getting uuid works": {
|
||||||
|
expectedUUID: "uuid",
|
||||||
|
},
|
||||||
|
"open can fail": {
|
||||||
|
openErr: errors.New("open-error"),
|
||||||
|
errExpected: true,
|
||||||
|
},
|
||||||
|
"getting disk uuid can fail": {
|
||||||
|
uuidErr: errors.New("uuid-err"),
|
||||||
|
errExpected: true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for name, tc := range testCases {
|
||||||
|
t.Run(name, func(t *testing.T) {
|
||||||
|
assert := assert.New(t)
|
||||||
|
require := require.New(t)
|
||||||
|
|
||||||
|
zapLogger, err := zap.NewDevelopment()
|
||||||
|
require.NoError(err)
|
||||||
|
diskStub := encryptedDiskStub{
|
||||||
|
openErr: tc.openErr,
|
||||||
|
uuidErr: tc.uuidErr,
|
||||||
|
uuid: tc.expectedUUID,
|
||||||
|
}
|
||||||
|
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, &diskStub, zapLogger, nil, nil, file.NewHandler(afero.NewMemMapFs()))
|
||||||
|
require.NoError(err)
|
||||||
|
uuid, err := core.GetDiskUUID()
|
||||||
|
if tc.errExpected {
|
||||||
|
assert.Error(err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
require.NoError(err)
|
||||||
|
|
||||||
|
assert.Equal(tc.expectedUUID, uuid)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestUpdateDiskPassphrase(t *testing.T) {
|
||||||
|
testCases := map[string]struct {
|
||||||
|
openErr error
|
||||||
|
updatePassphraseErr error
|
||||||
|
errExpected bool
|
||||||
|
}{
|
||||||
|
"updating passphrase works": {},
|
||||||
|
"open can fail": {
|
||||||
|
openErr: errors.New("open-error"),
|
||||||
|
errExpected: true,
|
||||||
|
},
|
||||||
|
"updating disk passphrase can fail": {
|
||||||
|
updatePassphraseErr: errors.New("update-err"),
|
||||||
|
errExpected: true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for name, tc := range testCases {
|
||||||
|
t.Run(name, func(t *testing.T) {
|
||||||
|
assert := assert.New(t)
|
||||||
|
require := require.New(t)
|
||||||
|
|
||||||
|
zapLogger, err := zap.NewDevelopment()
|
||||||
|
require.NoError(err)
|
||||||
|
diskStub := encryptedDiskStub{
|
||||||
|
openErr: tc.openErr,
|
||||||
|
updatePassphraseErr: tc.updatePassphraseErr,
|
||||||
|
}
|
||||||
|
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, &diskStub, zapLogger, nil, nil, file.NewHandler(afero.NewMemMapFs()))
|
||||||
|
require.NoError(err)
|
||||||
|
err = core.UpdateDiskPassphrase("passphrase")
|
||||||
|
if tc.errExpected {
|
||||||
|
assert.Error(err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
require.NoError(err)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
type encryptedDiskStub struct {
|
||||||
|
openErr error
|
||||||
|
closeErr error
|
||||||
|
uuid string
|
||||||
|
uuidErr error
|
||||||
|
updatePassphraseErr error
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *encryptedDiskStub) UUID() (string, error) {
|
||||||
|
return s.uuid, s.uuidErr
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *encryptedDiskStub) UpdatePassphrase(passphrase string) error {
|
||||||
|
return s.updatePassphraseErr
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *encryptedDiskStub) Open() error {
|
||||||
|
return s.openErr
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *encryptedDiskStub) Close() error {
|
||||||
|
return s.closeErr
|
||||||
|
}
|
@ -145,11 +145,12 @@ func newMockCoreWithDialer(dialer *bufconnDialer) (*Core, *pubapi.API, error) {
|
|||||||
ccmFake := &CloudControllerManagerFake{}
|
ccmFake := &CloudControllerManagerFake{}
|
||||||
cnmFake := &CloudNodeManagerFake{}
|
cnmFake := &CloudNodeManagerFake{}
|
||||||
autoscalerFake := &ClusterAutoscalerFake{}
|
autoscalerFake := &ClusterAutoscalerFake{}
|
||||||
|
encryptedDiskFake := &EncryptedDiskFake{}
|
||||||
|
|
||||||
getPublicAddr := func() (string, error) {
|
getPublicAddr := func() (string, error) {
|
||||||
return "192.0.2.1", nil
|
return "192.0.2.1", nil
|
||||||
}
|
}
|
||||||
core, err := NewCore(vpn, kubeFake, metadataFake, ccmFake, cnmFake, autoscalerFake, zapLogger, vtpm.OpenSimulatedTPM, &fakeStoreFactory{}, file.NewHandler(afero.NewMemMapFs()))
|
core, err := NewCore(vpn, kubeFake, metadataFake, ccmFake, cnmFake, autoscalerFake, encryptedDiskFake, zapLogger, vtpm.OpenSimulatedTPM, &fakeStoreFactory{}, file.NewHandler(afero.NewMemMapFs()))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
@ -53,7 +53,7 @@ func TestGetPeers(t *testing.T) {
|
|||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, nil, file.NewHandler(afero.NewMemMapFs()))
|
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, nil, file.NewHandler(afero.NewMemMapFs()))
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
|
|
||||||
// prepare store
|
// prepare store
|
||||||
@ -113,7 +113,7 @@ func TestAddPeer(t *testing.T) {
|
|||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
core, err := NewCore(&tc.vpn, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, nil, file.NewHandler(afero.NewMemMapFs()))
|
core, err := NewCore(&tc.vpn, nil, nil, nil, nil, nil, nil, zaptest.NewLogger(t), nil, nil, file.NewHandler(afero.NewMemMapFs()))
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
|
|
||||||
err = core.AddPeer(tc.peer)
|
err = core.AddPeer(tc.peer)
|
||||||
|
@ -65,7 +65,7 @@ func TestAdvanceState(t *testing.T) {
|
|||||||
return vtpm.OpenSimulatedTPM()
|
return vtpm.OpenSimulatedTPM()
|
||||||
}
|
}
|
||||||
|
|
||||||
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, zaptest.NewLogger(t), openTPM, nil, file.NewHandler(afero.NewMemMapFs()))
|
core, err := NewCore(&stubVPN{}, nil, nil, nil, nil, nil, nil, zaptest.NewLogger(t), openTPM, nil, file.NewHandler(afero.NewMemMapFs()))
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
assert.Equal(state.Uninitialized, core.GetState())
|
assert.Equal(state.Uninitialized, core.GetState())
|
||||||
core.state = tc.initialState
|
core.state = tc.initialState
|
||||||
|
@ -23,6 +23,8 @@ type Core interface {
|
|||||||
SetUpKMS(ctx context.Context, storageURI, kmsURI, kekID string, useExisting bool) error
|
SetUpKMS(ctx context.Context, storageURI, kmsURI, kekID string, useExisting bool) error
|
||||||
GetKMSInfo() (kms.KMSInformation, error)
|
GetKMSInfo() (kms.KMSInformation, error)
|
||||||
GetDataKey(ctx context.Context, keyID string, length int) ([]byte, error)
|
GetDataKey(ctx context.Context, keyID string, length int) ([]byte, error)
|
||||||
|
GetDiskUUID() (string, error)
|
||||||
|
UpdateDiskPassphrase(passphrase string) error
|
||||||
|
|
||||||
GetState() state.State
|
GetState() state.State
|
||||||
RequireState(...state.State) error
|
RequireState(...state.State) error
|
||||||
|
@ -145,3 +145,11 @@ func (c *fakeCore) GetKMSInfo() (kms.KMSInformation, error) {
|
|||||||
func (c *fakeCore) GetDataKey(ctx context.Context, keyID string, length int) ([]byte, error) {
|
func (c *fakeCore) GetDataKey(ctx context.Context, keyID string, length int) ([]byte, error) {
|
||||||
return c.dataKey, c.getDataKeyErr
|
return c.dataKey, c.getDataKeyErr
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *fakeCore) GetDiskUUID() (string, error) {
|
||||||
|
return "fake-disk-uuid", nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *fakeCore) UpdateDiskPassphrase(passphrase string) error {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user