config: enable azure snp version fetcher again + minimum age for latest version (#1899)

* fetch latest version when older than 2 weeks

* extend hack upload tool to pass an upload date

* Revert "config: disable user-facing version Azure SEV SNP fetch for v2.8  (#1882)"

This reverts commit c7b22d314a.

* fix tests

* use NewAzureSEVSNPVersionList for type guarantees

* Revert "use NewAzureSEVSNPVersionList for type guarantees"

This reverts commit 942566453f4b4a2b6dc16f8689248abf1dc47db4.

* assure list is sorted

* improve root.go style

* daniel feedback

internal/api/attestationconfigapi/fetcher_test.go

@@ -13,11 +13,56 @@ import (
 	"io"
 	"net/http"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 )
 
-var testCfg = AzureSEVSNPVersionAPI{
+func TestFetchLatestAzureSEVSNPVersion(t *testing.T) {
+	now := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
+	testcases := map[string]struct {
+		fetcherVersions []string
+		timeAtTest      time.Time
+		wantErr         bool
+		want            AzureSEVSNPVersionAPI
+	}{
+		"get latest version if older than 2 weeks": {
+			fetcherVersions: []string{"2021-01-01-01-01.json", "2019-01-01-01-01.json"},
+			timeAtTest:      now.Add(days(15)),
+			want:            latestVersion,
+		},
+		"get older version if latest version is not older than minimum age": {
+			fetcherVersions: []string{"2021-01-01-01-01.json", "2019-01-01-01-01.json"},
+			timeAtTest:      now.Add(days(7)),
+			want:            olderVersion,
+		},
+		"fail when no version is older minimum age": {
+			fetcherVersions: []string{"2021-01-01-01-01.json", "2020-12-31-00-00.json"},
+			timeAtTest:      now.Add(days(2)),
+			wantErr:         true,
+		},
+	}
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			client := &http.Client{
+				Transport: &fakeConfigAPIHandler{
+					versions: tc.fetcherVersions,
+				},
+			}
+			fetcher := newFetcherWithClientAndVerifier(client, dummyVerifier{})
+			res, err := fetcher.FetchAzureSEVSNPVersionLatest(context.Background(), tc.timeAtTest)
+			assert := assert.New(t)
+			if tc.wantErr {
+				assert.Error(err)
+			} else {
+				assert.NoError(err)
+				assert.Equal(tc.want, res)
+			}
+		})
+	}
+}
+
+var latestVersion = AzureSEVSNPVersionAPI{
 	AzureSEVSNPVersion: AzureSEVSNPVersion{
 		Microcode:  93,
 		TEE:        0,
@@ -26,52 +71,29 @@ var testCfg = AzureSEVSNPVersionAPI{
 	},
 }
 
-func TestFetchLatestAzureSEVSNPVersion(t *testing.T) {
-	testcases := map[string]struct {
-		signature []byte
-		wantErr   bool
-		want      AzureSEVSNPVersionAPI
-	}{
-		"get version with valid signature": {
-			signature: []byte("MEQCIBPEbYg89MIQuaGStLhKGLGMKvKFoYCaAniDLwoIwulqAiB+rj7KMaMOMGxmUsjI7KheCXSNM8NzN+tuDw6AywI75A=="), // signed with release key
-			want:      testCfg,
-		},
-		"fail with invalid signature": {
-			signature: []byte("invalid"),
-			wantErr:   true,
-		},
-	}
-	for name, tc := range testcases {
-		t.Run(name, func(t *testing.T) {
-			client := &http.Client{
-				Transport: &fakeConfigAPIHandler{
-					signature: tc.signature,
-				},
-			}
-			fetcher := NewFetcherWithClient(client)
-			res, err := fetcher.FetchAzureSEVSNPVersionLatest(context.Background())
+var olderVersion = AzureSEVSNPVersionAPI{
+	AzureSEVSNPVersion: AzureSEVSNPVersion{
+		Microcode:  1,
+		TEE:        0,
+		SNP:        1,
+		Bootloader: 1,
+	},
+}
 
-			assert := assert.New(t)
-			if tc.wantErr {
-				assert.Error(err)
-			} else {
-				assert.NoError(err)
-				assert.Equal(testCfg, res)
-			}
-		})
-	}
+func days(days int) time.Duration {
+	return time.Duration(days*24) * time.Hour
 }
 
 type fakeConfigAPIHandler struct {
-	signature []byte
+	versions []string
 }
 
 // RoundTrip resolves the request and returns a dummy response.
 func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, error) {
+	signature := []byte("placeholderSignature")
 	if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/list" {
 		res := &http.Response{}
-		data := []string{"2021-01-01-01-01.json", "2019-01-01-01-02.json"} // return multiple versions to check that latest version is correctly selected
-		bt, err := json.Marshal(data)
+		bt, err := json.Marshal(f.versions)
 		if err != nil {
 			return nil, err
 		}
@@ -82,7 +104,17 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
 		return res, nil
 	} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json" {
 		res := &http.Response{}
-		bt, err := json.Marshal(testCfg)
+		bt, err := json.Marshal(latestVersion)
+		if err != nil {
+			return nil, err
+		}
+		res.Body = io.NopCloser(bytes.NewReader(bt))
+		res.StatusCode = http.StatusOK
+		return res, nil
+
+	} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2019-01-01-01-01.json" {
+		res := &http.Response{}
+		bt, err := json.Marshal(olderVersion)
 		if err != nil {
 			return nil, err
 		}
@@ -93,7 +125,20 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
 	} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json.sig" {
 		res := &http.Response{}
 		obj := AzureSEVSNPVersionSignature{
-			Signature: f.signature,
+			Signature: signature,
+		}
+		bt, err := json.Marshal(obj)
+		if err != nil {
+			return nil, err
+		}
+		res.Body = io.NopCloser(bytes.NewReader(bt))
+		res.StatusCode = http.StatusOK
+		return res, nil
+
+	} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2019-01-01-01-01.json.sig" {
+		res := &http.Response{}
+		obj := AzureSEVSNPVersionSignature{
+			Signature: signature,
 		}
 		bt, err := json.Marshal(obj)
 		if err != nil {
@@ -106,3 +151,9 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
 	}
 	return nil, errors.New("no endpoint found")
 }
+
+type dummyVerifier struct{}
+
+func (s dummyVerifier) VerifySignature(_, _, _ []byte) error {
+	return nil
+}