mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-05-02 06:16:08 -04:00
config: enable azure snp version fetcher again + minimum age for latest version (#1899)
* fetch latest version when older than 2 weeks
* extend hack upload tool to pass an upload date
* Revert "config: disable user-facing version Azure SEV SNP fetch for v2.8 (#1882)"
This reverts commit c7b22d314a.
* fix tests
* use NewAzureSEVSNPVersionList for type guarantees
* Revert "use NewAzureSEVSNPVersionList for type guarantees"
This reverts commit 942566453f4b4a2b6dc16f8689248abf1dc47db4.
* assure list is sorted
* improve root.go style
* daniel feedback
This commit is contained in:
Adrian Stobbe
GitHub
parent
72e168e653
commit
3fde118b33
13 changed files with 239 additions and 189 deletions
|
|
@ -10,24 +10,30 @@ import (
|
|||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
apifetcher "github.com/edgelesssys/constellation/v2/internal/api/fetcher"
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/sigstore"
|
||||
)
|
||||
|
||||
// minimumAgeVersion is the minimum age to accept the version as latest.
|
||||
const minimumAgeVersion = 14 * 24 * time.Hour
|
||||
|
||||
const cosignPublicKey = constants.CosignPublicKeyReleases
|
||||
|
||||
// Fetcher fetches config API resources without authentication.
|
||||
type Fetcher interface {
|
||||
FetchAzureSEVSNPVersion(ctx context.Context, azureVersion AzureSEVSNPVersionAPI) (AzureSEVSNPVersionAPI, error)
|
||||
FetchAzureSEVSNPVersionList(ctx context.Context, attestation AzureSEVSNPVersionList) (AzureSEVSNPVersionList, error)
|
||||
FetchAzureSEVSNPVersionLatest(ctx context.Context) (AzureSEVSNPVersionAPI, error)
|
||||
FetchAzureSEVSNPVersionLatest(ctx context.Context, now time.Time) (AzureSEVSNPVersionAPI, error)
|
||||
}
|
||||
|
||||
// fetcher fetches AttestationCfg API resources without authentication.
|
||||
type fetcher struct {
|
||||
apifetcher.HTTPClient
|
||||
verifier sigstore.Verifier
|
||||
}
|
||||
|
||||
// NewFetcher returns a new apifetcher.
|
||||
|
|
@ -37,7 +43,11 @@ func NewFetcher() Fetcher {
|
|||
|
||||
// NewFetcherWithClient returns a new fetcher with custom http client.
|
||||
func NewFetcherWithClient(client apifetcher.HTTPClient) Fetcher {
|
||||
return &fetcher{client}
|
||||
return newFetcherWithClientAndVerifier(client, sigstore.CosignVerifier{})
|
||||
}
|
||||
|
||||
func newFetcherWithClientAndVerifier(client apifetcher.HTTPClient, cosignVerifier sigstore.Verifier) Fetcher {
|
||||
return &fetcher{client, cosignVerifier}
|
||||
}
|
||||
|
||||
// FetchAzureSEVSNPVersionList fetches the version list information from the config API.
|
||||
|
|
@ -63,7 +73,7 @@ func (f *fetcher) FetchAzureSEVSNPVersion(ctx context.Context, azureVersion Azur
|
|||
return fetchedVersion, fmt.Errorf("fetch version %s signature: %w", azureVersion.Version, err)
|
||||
}
|
||||
|
||||
err = sigstore.CosignVerifier{}.VerifySignature(versionBytes, signature.Signature, []byte(cosignPublicKey))
|
||||
err = f.verifier.VerifySignature(versionBytes, signature.Signature, []byte(cosignPublicKey))
|
||||
if err != nil {
|
||||
return fetchedVersion, fmt.Errorf("verify version %s signature: %w", azureVersion.Version, err)
|
||||
}
|
||||
|
|
@ -71,16 +81,34 @@ func (f *fetcher) FetchAzureSEVSNPVersion(ctx context.Context, azureVersion Azur
|
|||
}
|
||||
|
||||
// FetchAzureSEVSNPVersionLatest returns the latest versions of the given type.
|
||||
func (f *fetcher) FetchAzureSEVSNPVersionLatest(ctx context.Context) (res AzureSEVSNPVersionAPI, err error) {
|
||||
func (f *fetcher) FetchAzureSEVSNPVersionLatest(ctx context.Context, now time.Time) (res AzureSEVSNPVersionAPI, err error) {
|
||||
var list AzureSEVSNPVersionList
|
||||
list, err = f.FetchAzureSEVSNPVersionList(ctx, list)
|
||||
if err != nil {
|
||||
return res, fmt.Errorf("fetching versions list: %w", err)
|
||||
}
|
||||
get := AzureSEVSNPVersionAPI{Version: list[0]} // get latest version (as sorted reversely alphanumerically)
|
||||
get, err = f.FetchAzureSEVSNPVersion(ctx, get)
|
||||
getVersionRequest, err := getLatestVersionOlderThanMinimumAge(list, now, minimumAgeVersion)
|
||||
if err != nil {
|
||||
return res, fmt.Errorf("finding latest valid version: %w", err)
|
||||
}
|
||||
res, err = f.FetchAzureSEVSNPVersion(ctx, getVersionRequest)
|
||||
if err != nil {
|
||||
return res, fmt.Errorf("fetching version: %w", err)
|
||||
}
|
||||
return get, nil
|
||||
return
|
||||
}
|
||||
|
||||
func getLatestVersionOlderThanMinimumAge(list AzureSEVSNPVersionList, now time.Time, minimumAgeVersion time.Duration) (AzureSEVSNPVersionAPI, error) {
|
||||
SortAzureSEVSNPVersionList(list)
|
||||
for _, v := range list {
|
||||
dateStr := strings.TrimSuffix(v, ".json")
|
||||
versionDate, err := time.Parse("2006-01-01-01-01", dateStr)
|
||||
if err != nil {
|
||||
return AzureSEVSNPVersionAPI{}, fmt.Errorf("parsing version date %s: %w", dateStr, err)
|
||||
}
|
||||
if now.Sub(versionDate) > minimumAgeVersion {
|
||||
return AzureSEVSNPVersionAPI{Version: v}, nil
|
||||
}
|
||||
}
|
||||
return AzureSEVSNPVersionAPI{}, fmt.Errorf("no valid version fulfilling minimum age found")
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue