initserver: add client verification

2025-05-02 06:16:08 -04:00 · 2022-11-26 19:44:34 +01:00 · 2022-11-26 19:44:34 +01:00 · 3b6bc3b28f
commit 3b6bc3b28f
parent bffa5c580c
39 changed files with 704 additions and 175 deletions
--- a/hack/qemu-metadata-api/server/server.go
+++ b/hack/qemu-metadata-api/server/server.go
@ -24,17 +24,19 @@ import (

 // Server that provides QEMU metadata.
 type Server struct {
-	log     *logger.Logger
-	virt    virConnect
-	network string
+	log               *logger.Logger
+	virt              virConnect
+	network           string
+	initSecretHashVal []byte
 }

 // New creates a new Server.
-func New(log *logger.Logger, network string, conn virConnect) *Server {
+func New(log *logger.Logger, network, initSecretHash string, conn virConnect) *Server {
 	return &Server{
-		log:     log,
-		virt:    conn,
-		network: network,
+		log:               log,
+		virt:              conn,
+		network:           network,
+		initSecretHashVal: []byte(initSecretHash),
 	}
 }

@ -46,6 +48,7 @@ func (s *Server) ListenAndServe(port string) error {
 	mux.Handle("/log", http.HandlerFunc(s.postLog))
 	mux.Handle("/pcrs", http.HandlerFunc(s.exportPCRs))
 	mux.Handle("/endpoint", http.HandlerFunc(s.getEndpoint))
+	mux.Handle("/initsecrethash", http.HandlerFunc(s.initSecretHash))

 	server := http.Server{
 		Handler: mux,
@ -115,6 +118,26 @@ func (s *Server) listPeers(w http.ResponseWriter, r *http.Request) {
 	log.Infof("Request successful")
 }

+// initSecretHash returns the hash of the init secret.
+func (s *Server) initSecretHash(w http.ResponseWriter, r *http.Request) {
+	log := s.log.With(zap.String("initSecretHash", r.RemoteAddr))
+	if r.Method != http.MethodGet {
+		log.With(zap.String("method", r.Method)).Errorf("Invalid method for /initSecretHash")
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+	log.Infof("Serving GET request for /initsecrethash")
+
+	w.Header().Set("Content-Type", "text/plain")
+	_, err := w.Write(s.initSecretHashVal)
+	if err != nil {
+		log.With(zap.Error(err)).Errorf("Failed to write init secret hash")
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	log.Infof("Request successful")
+}
+
 // getEndpoint returns the IP address of the first control-plane instance.
 // This allows us to fake a load balancer for QEMU instances.
 func (s *Server) getEndpoint(w http.ResponseWriter, r *http.Request) {
--- a/hack/qemu-metadata-api/server/server_test.go
+++ b/hack/qemu-metadata-api/server/server_test.go
@ -72,7 +72,7 @@ func TestListAll(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			assert := assert.New(t)

-			server := New(logger.NewTest(t), "test", tc.connect)
+			server := New(logger.NewTest(t), "test", "initSecretHash", tc.connect)

 			res, err := server.listAll()

@ -149,7 +149,7 @@ func TestListSelf(t *testing.T) {
 			assert := assert.New(t)
 			require := require.New(t)

-			server := New(logger.NewTest(t), "test", tc.connect)
+			server := New(logger.NewTest(t), "test", "initSecretHash", tc.connect)

 			req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://192.0.0.1/self", nil)
 			require.NoError(err)
@ -211,7 +211,7 @@ func TestListPeers(t *testing.T) {
 			assert := assert.New(t)
 			require := require.New(t)

-			server := New(logger.NewTest(t), "test", tc.connect)
+			server := New(logger.NewTest(t), "test", "initSecretHash", tc.connect)

 			req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://192.0.0.1/peers", nil)
 			require.NoError(err)
@ -266,7 +266,7 @@ func TestPostLog(t *testing.T) {
 			assert := assert.New(t)
 			require := require.New(t)

-			server := New(logger.NewTest(t), "test", &stubConnect{})
+			server := New(logger.NewTest(t), "test", "initSecretHash", &stubConnect{})

 			req, err := http.NewRequestWithContext(context.Background(), tc.method, "http://192.0.0.1/logs", tc.message)
 			require.NoError(err)
@ -346,7 +346,7 @@ func TestExportPCRs(t *testing.T) {
 			assert := assert.New(t)
 			require := require.New(t)

-			server := New(logger.NewTest(t), "test", tc.connect)
+			server := New(logger.NewTest(t), "test", "initSecretHash", tc.connect)

 			req, err := http.NewRequestWithContext(context.Background(), tc.method, "http://192.0.0.1/pcrs", strings.NewReader(tc.message))
 			require.NoError(err)
@ -365,6 +365,58 @@ func TestExportPCRs(t *testing.T) {
 	}
 }

+func TestInitSecretHash(t *testing.T) {
+	defaultConnect := &stubConnect{
+		network: stubNetwork{
+			leases: []libvirt.NetworkDHCPLease{
+				{
+					IPaddr:   "192.0.100.1",
+					Hostname: "control-plane-0",
+				},
+			},
+		},
+	}
+	testCases := map[string]struct {
+		connect  *stubConnect
+		method   string
+		wantHash string
+		wantErr  bool
+	}{
+		"success": {
+			connect: defaultConnect,
+			method:  http.MethodGet,
+		},
+		"wrong method": {
+			connect: defaultConnect,
+			method:  http.MethodPost,
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			require := require.New(t)
+
+			server := New(logger.NewTest(t), "test", tc.wantHash, defaultConnect)
+
+			req, err := http.NewRequestWithContext(context.Background(), tc.method, "http://192.0.0.1/initsecrethash", nil)
+			require.NoError(err)
+
+			w := httptest.NewRecorder()
+			server.initSecretHash(w, req)
+
+			if tc.wantErr {
+				assert.NotEqual(http.StatusOK, w.Code)
+				return
+			}
+
+			assert.Equal(http.StatusOK, w.Code)
+			assert.Equal(tc.wantHash, w.Body.String())
+		})
+	}
+}
+
 func mustMarshal(t *testing.T, v any) string {
 	t.Helper()
 	b, err := json.Marshal(v)