config: enable azure snp version fetcher again + minimum age for latest version (#1899)

* fetch latest version when older than 2 weeks * extend hack upload tool to pass an upload date * Revert "config: disable user-facing version Azure SEV SNP fetch for v2.8 (#1882)" This reverts commit c7b22d314a. * fix tests * use NewAzureSEVSNPVersionList for type guarantees * Revert "use NewAzureSEVSNPVersionList for type guarantees" This reverts commit 942566453f4b4a2b6dc16f8689248abf1dc47db4. * assure list is sorted * improve root.go style * daniel feedback
2025-11-15 01:50:44 -05:00 · 2023-06-09 12:48:12 +02:00 · 2023-06-09 12:48:12 +02:00 · 3fde118b33
commit 3fde118b33
parent 72e168e653
13 changed files with 239 additions and 189 deletions
--- a/internal/api/attestationconfigapi/azure.go
+++ b/internal/api/attestationconfigapi/azure.go
@ -10,6 +10,7 @@ import (
 	"fmt"
 	"net/url"
 	"path"
+	"sort"
 	"strings"

 	"github.com/edgelesssys/constellation/v2/internal/constants"
@ -110,6 +111,11 @@ func (i AzureSEVSNPVersionList) ValidateRequest() error {
 	return nil
 }

+// SortAzureSEVSNPVersionList sorts the list of versions in reverse order.
+func SortAzureSEVSNPVersionList(versions AzureSEVSNPVersionList) {
+	sort.Sort(sort.Reverse(sort.StringSlice(versions)))
+}
+
 // Validate validates the response.
 func (i AzureSEVSNPVersionList) Validate() error {
 	if len(i) < 1 {
--- a/internal/api/attestationconfigapi/client.go
+++ b/internal/api/attestationconfigapi/client.go
@ -9,7 +9,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"sort"
 	"time"

 	apiclient "github.com/edgelesssys/constellation/v2/internal/api/client"
@ -43,7 +42,7 @@ func NewClient(ctx context.Context, cfg staticupload.Config, cosignPwd, privateK
 	return repo, clientClose, nil
 }

-// UploadAzureSEVSNP uploads the latest version numbers of the Azure SEVSNP.
+// UploadAzureSEVSNP uploads the latest version numbers of the Azure SEVSNP. Then version name is the UTC timestamp of the date. The /list entry stores the version name + .json suffix.
 func (a Client) UploadAzureSEVSNP(ctx context.Context, version AzureSEVSNPVersion, date time.Time) error {
 	versions, err := a.List(ctx, variant.AzureSEVSNP{})
 	if err != nil {
@ -181,6 +180,6 @@ func executeAllCmds(ctx context.Context, client *apiclient.Client, cmds []crudCm
 func addVersion(versions []string, newVersion string) []string {
 	versions = append(versions, newVersion)
 	versions = variant.RemoveDuplicate(versions)
-	sort.Sort(sort.Reverse(sort.StringSlice(versions)))
+	SortAzureSEVSNPVersionList(versions)
 	return versions
 }
--- a/internal/api/attestationconfigapi/fetcher.go
+++ b/internal/api/attestationconfigapi/fetcher.go
@ -10,24 +10,30 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"strings"
+	"time"

 	apifetcher "github.com/edgelesssys/constellation/v2/internal/api/fetcher"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
 	"github.com/edgelesssys/constellation/v2/internal/sigstore"
 )

+// minimumAgeVersion is the minimum age to accept the version as latest.
+const minimumAgeVersion = 14 * 24 * time.Hour
+
 const cosignPublicKey = constants.CosignPublicKeyReleases

 // Fetcher fetches config API resources without authentication.
 type Fetcher interface {
 	FetchAzureSEVSNPVersion(ctx context.Context, azureVersion AzureSEVSNPVersionAPI) (AzureSEVSNPVersionAPI, error)
 	FetchAzureSEVSNPVersionList(ctx context.Context, attestation AzureSEVSNPVersionList) (AzureSEVSNPVersionList, error)
-	FetchAzureSEVSNPVersionLatest(ctx context.Context) (AzureSEVSNPVersionAPI, error)
+	FetchAzureSEVSNPVersionLatest(ctx context.Context, now time.Time) (AzureSEVSNPVersionAPI, error)
 }

 // fetcher fetches AttestationCfg API resources without authentication.
 type fetcher struct {
 	apifetcher.HTTPClient
+	verifier sigstore.Verifier
 }

 // NewFetcher returns a new apifetcher.
@ -37,7 +43,11 @@ func NewFetcher() Fetcher {

 // NewFetcherWithClient returns a new fetcher with custom http client.
 func NewFetcherWithClient(client apifetcher.HTTPClient) Fetcher {
-	return &fetcher{client}
+	return newFetcherWithClientAndVerifier(client, sigstore.CosignVerifier{})
+}
+
+func newFetcherWithClientAndVerifier(client apifetcher.HTTPClient, cosignVerifier sigstore.Verifier) Fetcher {
+	return &fetcher{client, cosignVerifier}
 }

 // FetchAzureSEVSNPVersionList fetches the version list information from the config API.
@ -63,7 +73,7 @@ func (f *fetcher) FetchAzureSEVSNPVersion(ctx context.Context, azureVersion Azur
 		return fetchedVersion, fmt.Errorf("fetch version %s signature: %w", azureVersion.Version, err)
 	}

-	err = sigstore.CosignVerifier{}.VerifySignature(versionBytes, signature.Signature, []byte(cosignPublicKey))
+	err = f.verifier.VerifySignature(versionBytes, signature.Signature, []byte(cosignPublicKey))
 	if err != nil {
 		return fetchedVersion, fmt.Errorf("verify version %s signature: %w", azureVersion.Version, err)
 	}
@ -71,16 +81,34 @@ func (f *fetcher) FetchAzureSEVSNPVersion(ctx context.Context, azureVersion Azur
 }

 // FetchAzureSEVSNPVersionLatest returns the latest versions of the given type.
-func (f *fetcher) FetchAzureSEVSNPVersionLatest(ctx context.Context) (res AzureSEVSNPVersionAPI, err error) {
+func (f *fetcher) FetchAzureSEVSNPVersionLatest(ctx context.Context, now time.Time) (res AzureSEVSNPVersionAPI, err error) {
 	var list AzureSEVSNPVersionList
 	list, err = f.FetchAzureSEVSNPVersionList(ctx, list)
 	if err != nil {
 		return res, fmt.Errorf("fetching versions list: %w", err)
 	}
-	get := AzureSEVSNPVersionAPI{Version: list[0]} // get latest version (as sorted reversely alphanumerically)
-	get, err = f.FetchAzureSEVSNPVersion(ctx, get)
+	getVersionRequest, err := getLatestVersionOlderThanMinimumAge(list, now, minimumAgeVersion)
+	if err != nil {
+		return res, fmt.Errorf("finding latest valid version: %w", err)
+	}
+	res, err = f.FetchAzureSEVSNPVersion(ctx, getVersionRequest)
 	if err != nil {
 		return res, fmt.Errorf("fetching version: %w", err)
 	}
-	return get, nil
+	return
+}
+
+func getLatestVersionOlderThanMinimumAge(list AzureSEVSNPVersionList, now time.Time, minimumAgeVersion time.Duration) (AzureSEVSNPVersionAPI, error) {
+	SortAzureSEVSNPVersionList(list)
+	for _, v := range list {
+		dateStr := strings.TrimSuffix(v, ".json")
+		versionDate, err := time.Parse("2006-01-01-01-01", dateStr)
+		if err != nil {
+			return AzureSEVSNPVersionAPI{}, fmt.Errorf("parsing version date %s: %w", dateStr, err)
+		}
+		if now.Sub(versionDate) > minimumAgeVersion {
+			return AzureSEVSNPVersionAPI{Version: v}, nil
+		}
+	}
+	return AzureSEVSNPVersionAPI{}, fmt.Errorf("no valid version fulfilling minimum age found")
 }
--- a/internal/api/attestationconfigapi/fetcher_test.go
+++ b/internal/api/attestationconfigapi/fetcher_test.go
@ -13,11 +13,56 @@ import (
 	"io"
 	"net/http"
 	"testing"
+	"time"

 	"github.com/stretchr/testify/assert"
 )

-var testCfg = AzureSEVSNPVersionAPI{
+func TestFetchLatestAzureSEVSNPVersion(t *testing.T) {
+	now := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
+	testcases := map[string]struct {
+		fetcherVersions []string
+		timeAtTest      time.Time
+		wantErr         bool
+		want            AzureSEVSNPVersionAPI
+	}{
+		"get latest version if older than 2 weeks": {
+			fetcherVersions: []string{"2021-01-01-01-01.json", "2019-01-01-01-01.json"},
+			timeAtTest:      now.Add(days(15)),
+			want:            latestVersion,
+		},
+		"get older version if latest version is not older than minimum age": {
+			fetcherVersions: []string{"2021-01-01-01-01.json", "2019-01-01-01-01.json"},
+			timeAtTest:      now.Add(days(7)),
+			want:            olderVersion,
+		},
+		"fail when no version is older minimum age": {
+			fetcherVersions: []string{"2021-01-01-01-01.json", "2020-12-31-00-00.json"},
+			timeAtTest:      now.Add(days(2)),
+			wantErr:         true,
+		},
+	}
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			client := &http.Client{
+				Transport: &fakeConfigAPIHandler{
+					versions: tc.fetcherVersions,
+				},
+			}
+			fetcher := newFetcherWithClientAndVerifier(client, dummyVerifier{})
+			res, err := fetcher.FetchAzureSEVSNPVersionLatest(context.Background(), tc.timeAtTest)
+			assert := assert.New(t)
+			if tc.wantErr {
+				assert.Error(err)
+			} else {
+				assert.NoError(err)
+				assert.Equal(tc.want, res)
+			}
+		})
+	}
+}
+
+var latestVersion = AzureSEVSNPVersionAPI{
 	AzureSEVSNPVersion: AzureSEVSNPVersion{
 		Microcode:  93,
 		TEE:        0,
@ -26,52 +71,29 @@ var testCfg = AzureSEVSNPVersionAPI{
 	},
 }

-func TestFetchLatestAzureSEVSNPVersion(t *testing.T) {
-	testcases := map[string]struct {
-		signature []byte
-		wantErr   bool
-		want      AzureSEVSNPVersionAPI
-	}{
-		"get version with valid signature": {
-			signature: []byte("MEQCIBPEbYg89MIQuaGStLhKGLGMKvKFoYCaAniDLwoIwulqAiB+rj7KMaMOMGxmUsjI7KheCXSNM8NzN+tuDw6AywI75A=="), // signed with release key
-			want:      testCfg,
-		},
-		"fail with invalid signature": {
-			signature: []byte("invalid"),
-			wantErr:   true,
-		},
-	}
-	for name, tc := range testcases {
-		t.Run(name, func(t *testing.T) {
-			client := &http.Client{
-				Transport: &fakeConfigAPIHandler{
-					signature: tc.signature,
-				},
-			}
-			fetcher := NewFetcherWithClient(client)
-			res, err := fetcher.FetchAzureSEVSNPVersionLatest(context.Background())
+var olderVersion = AzureSEVSNPVersionAPI{
+	AzureSEVSNPVersion: AzureSEVSNPVersion{
+		Microcode:  1,
+		TEE:        0,
+		SNP:        1,
+		Bootloader: 1,
+	},
+}

-			assert := assert.New(t)
-			if tc.wantErr {
-				assert.Error(err)
-			} else {
-				assert.NoError(err)
-				assert.Equal(testCfg, res)
-			}
-		})
-	}
+func days(days int) time.Duration {
+	return time.Duration(days*24) * time.Hour
 }

 type fakeConfigAPIHandler struct {
-	signature []byte
+	versions []string
 }

 // RoundTrip resolves the request and returns a dummy response.
 func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, error) {
+	signature := []byte("placeholderSignature")
 	if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/list" {
 		res := &http.Response{}
-		data := []string{"2021-01-01-01-01.json", "2019-01-01-01-02.json"} // return multiple versions to check that latest version is correctly selected
-		bt, err := json.Marshal(data)
+		bt, err := json.Marshal(f.versions)
 		if err != nil {
 			return nil, err
 		}
@ -82,7 +104,17 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
 		return res, nil
 	} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json" {
 		res := &http.Response{}
-		bt, err := json.Marshal(testCfg)
+		bt, err := json.Marshal(latestVersion)
+		if err != nil {
+			return nil, err
+		}
+		res.Body = io.NopCloser(bytes.NewReader(bt))
+		res.StatusCode = http.StatusOK
+		return res, nil
+
+	} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2019-01-01-01-01.json" {
+		res := &http.Response{}
+		bt, err := json.Marshal(olderVersion)
 		if err != nil {
 			return nil, err
 		}
@ -93,7 +125,20 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
 	} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json.sig" {
 		res := &http.Response{}
 		obj := AzureSEVSNPVersionSignature{
-			Signature: f.signature,
+			Signature: signature,
+		}
+		bt, err := json.Marshal(obj)
+		if err != nil {
+			return nil, err
+		}
+		res.Body = io.NopCloser(bytes.NewReader(bt))
+		res.StatusCode = http.StatusOK
+		return res, nil
+
+	} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2019-01-01-01-01.json.sig" {
+		res := &http.Response{}
+		obj := AzureSEVSNPVersionSignature{
+			Signature: signature,
 		}
 		bt, err := json.Marshal(obj)
 		if err != nil {
@ -106,3 +151,9 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
 	}
 	return nil, errors.New("no endpoint found")
 }
+
+type dummyVerifier struct{}
+
+func (s dummyVerifier) VerifySignature(_, _, _ []byte) error {
+	return nil
+}