api: rename /api/versions to versionsapi and /api/attestationcfig to attestationconfigapi (#1876)

* rename to attestationconfigapi + put client and fetcher inside pkg * rename api/version to versionsapi and put fetcher + client inside pkg * rename AttestationConfigAPIFetcher to Fetcher
2025-09-24 14:58:35 -04:00 · 2023-06-07 16:16:32 +02:00 · 2023-06-07 16:16:32 +02:00 · 4284f892ce
commit 4284f892ce
parent 25037026e1
98 changed files with 385 additions and 490 deletions
--- a/internal/api/attestationconfigapi/BUILD.bazel
+++ b/internal/api/attestationconfigapi/BUILD.bazel
@ -0,0 +1,33 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+load("//bazel/go:go_test.bzl", "go_test")
+
+go_library(
+    name = "attestationconfigapi",
+    srcs = [
+        "attestationconfigapi.go",
+        "azure.go",
+        "client.go",
+        "fetcher.go",
+    ],
+    importpath = "github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi",
+    visibility = ["//:__subpackages__"],
+    deps = [
+        "//internal/api/client",
+        "//internal/api/fetcher",
+        "//internal/constants",
+        "//internal/logger",
+        "//internal/sigstore",
+        "//internal/staticupload",
+        "//internal/variant",
+    ],
+)
+
+go_test(
+    name = "attestationconfigapi_test",
+    srcs = [
+        "client_test.go",
+        "fetcher_test.go",
+    ],
+    embed = [":attestationconfigapi"],
+    deps = ["@com_github_stretchr_testify//assert"],
+)
--- a/internal/api/attestationconfigapi/attestationconfigapi.go
+++ b/internal/api/attestationconfigapi/attestationconfigapi.go
@ -0,0 +1,23 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+/*
+# AttestationConfig API
+
+The AttestationConfig API provides values for the attestation key in the Constellation config.
+
+This package defines API types that represents objects of the AttestationConfig API.
+The types provide helper methods for validation and commonly used operations on the
+information contained in the objects. Especially the paths used for the API are defined
+in these helper methods.
+
+Regarding the decision to implement new types over using the existing types from internal/config:
+AttesationCfg objects for AttestationCfg API need to hold some version information (for sorting, recognizing latest).
+Thus, existing config types (AWSNitroTPM, AzureSEVSNP, ...) can not be extended to implement apiObject interface.
+Instead, we need a separate type that wraps _all_ attestation types. In the codebase this is done using the AttestationCfg interface.
+The new type AttestationCfgGet needs to be located inside internal/config in order to implement UnmarshalJSON.
+*/
+package attestationconfigapi
--- a/internal/api/attestationconfigapi/azure.go
+++ b/internal/api/attestationconfigapi/azure.go
@ -0,0 +1,132 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package attestationconfigapi
+
+import (
+	"fmt"
+	"net/url"
+	"path"
+	"strings"
+
+	"github.com/edgelesssys/constellation/v2/internal/constants"
+	"github.com/edgelesssys/constellation/v2/internal/variant"
+)
+
+// attestationURLPath is the URL path to the attestation versions.
+const attestationURLPath = "constellation/v1/attestation"
+
+// AzureSEVSNPVersionType is the type of the version to be requested.
+type AzureSEVSNPVersionType string
+
+// AzureSEVSNPVersion tracks the latest version of each component of the Azure SEVSNP.
+type AzureSEVSNPVersion struct {
+	// Bootloader is the latest version of the Azure SEVSNP bootloader.
+	Bootloader uint8 `json:"bootloader"`
+	// TEE is the latest version of the Azure SEVSNP TEE.
+	TEE uint8 `json:"tee"`
+	// SNP is the latest version of the Azure SEVSNP SNP.
+	SNP uint8 `json:"snp"`
+	// Microcode is the latest version of the Azure SEVSNP microcode.
+	Microcode uint8 `json:"microcode"`
+}
+
+// AzureSEVSNPVersionSignature is the object to perform CRUD operations on the config api.
+type AzureSEVSNPVersionSignature struct {
+	Version   string `json:"-"`
+	Signature []byte `json:"signature"`
+}
+
+// JSONPath returns the path to the JSON file for the request to the config api.
+func (s AzureSEVSNPVersionSignature) JSONPath() string {
+	return path.Join(attestationURLPath, variant.AzureSEVSNP{}.String(), s.Version+".sig")
+}
+
+// URL returns the URL for the request to the config api.
+func (s AzureSEVSNPVersionSignature) URL() (string, error) {
+	return getURL(s)
+}
+
+// ValidateRequest validates the request.
+func (s AzureSEVSNPVersionSignature) ValidateRequest() error {
+	if !strings.HasSuffix(s.Version, ".json") {
+		return fmt.Errorf("%s version has no .json suffix", s.Version)
+	}
+	return nil
+}
+
+// Validate is a No-Op at the moment.
+func (s AzureSEVSNPVersionSignature) Validate() error {
+	return nil
+}
+
+// AzureSEVSNPVersionAPI is the request to get the version information of the specific version in the config api.
+type AzureSEVSNPVersionAPI struct {
+	Version string `json:"-"`
+	AzureSEVSNPVersion
+}
+
+// URL returns the URL for the request to the config api.
+func (i AzureSEVSNPVersionAPI) URL() (string, error) {
+	return getURL(i)
+}
+
+// JSONPath returns the path to the JSON file for the request to the config api.
+func (i AzureSEVSNPVersionAPI) JSONPath() string {
+	return path.Join(attestationURLPath, variant.AzureSEVSNP{}.String(), i.Version)
+}
+
+// ValidateRequest validates the request.
+func (i AzureSEVSNPVersionAPI) ValidateRequest() error {
+	if !strings.HasSuffix(i.Version, ".json") {
+		return fmt.Errorf("version has no .json suffix")
+	}
+	return nil
+}
+
+// Validate is a No-Op at the moment.
+func (i AzureSEVSNPVersionAPI) Validate() error {
+	return nil
+}
+
+// AzureSEVSNPVersionList is the request to list all versions in the config api.
+type AzureSEVSNPVersionList []string
+
+// URL returns the URL for the request to the config api.
+func (i AzureSEVSNPVersionList) URL() (string, error) {
+	return getURL(i)
+}
+
+// JSONPath returns the path to the JSON file for the request to the config api.
+func (i AzureSEVSNPVersionList) JSONPath() string {
+	return path.Join(attestationURLPath, variant.AzureSEVSNP{}.String(), "list")
+}
+
+// ValidateRequest is a NoOp as there is no input.
+func (i AzureSEVSNPVersionList) ValidateRequest() error {
+	return nil
+}
+
+// Validate validates the response.
+func (i AzureSEVSNPVersionList) Validate() error {
+	if len(i) < 1 {
+		return fmt.Errorf("no versions found in /list")
+	}
+	return nil
+}
+
+func getURL(obj jsoPather) (string, error) {
+	url, err := url.Parse(constants.CDNRepositoryURL)
+	if err != nil {
+		return "", fmt.Errorf("parsing CDN URL: %w", err)
+	}
+	url.Path = obj.JSONPath()
+	return url.String(), nil
+}
+
+type jsoPather interface {
+	JSONPath() string
+}
--- a/internal/api/attestationconfigapi/client.go
+++ b/internal/api/attestationconfigapi/client.go
@ -0,0 +1,186 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+package attestationconfigapi
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"sort"
+	"time"
+
+	apiclient "github.com/edgelesssys/constellation/v2/internal/api/client"
+	"github.com/edgelesssys/constellation/v2/internal/logger"
+	"github.com/edgelesssys/constellation/v2/internal/sigstore"
+	"github.com/edgelesssys/constellation/v2/internal/staticupload"
+	"github.com/edgelesssys/constellation/v2/internal/variant"
+)
+
+// Client manages (modifies) the version information for the attestation variants.
+type Client struct {
+	s3Client      *apiclient.Client
+	s3ClientClose func(ctx context.Context) error
+	bucketID      string
+	signer        sigstore.Signer
+}
+
+// NewClient returns a new Client.
+func NewClient(ctx context.Context, cfg staticupload.Config, cosignPwd, privateKey []byte, dryRun bool, log *logger.Logger) (*Client, apiclient.CloseFunc, error) {
+	s3Client, clientClose, err := apiclient.NewClient(ctx, cfg.Region, cfg.Bucket, cfg.DistributionID, dryRun, log)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to create s3 storage: %w", err)
+	}
+
+	repo := &Client{
+		s3Client:      s3Client,
+		s3ClientClose: clientClose,
+		signer:        sigstore.NewSigner(cosignPwd, privateKey),
+		bucketID:      cfg.Bucket,
+	}
+	return repo, clientClose, nil
+}
+
+// UploadAzureSEVSNP uploads the latest version numbers of the Azure SEVSNP.
+func (a Client) UploadAzureSEVSNP(ctx context.Context, version AzureSEVSNPVersion, date time.Time) error {
+	versions, err := a.List(ctx, variant.AzureSEVSNP{})
+	if err != nil {
+		return fmt.Errorf("fetch version list: %w", err)
+	}
+	ops, err := a.uploadAzureSEVSNP(version, versions, date)
+	if err != nil {
+		return err
+	}
+	return executeAllCmds(ctx, a.s3Client, ops)
+}
+
+// DeleteAzureSEVSNPVersion deletes the given version (without .json suffix) from the API.
+func (a Client) DeleteAzureSEVSNPVersion(ctx context.Context, versionStr string) error {
+	versions, err := a.List(ctx, variant.AzureSEVSNP{})
+	if err != nil {
+		return fmt.Errorf("fetch version list: %w", err)
+	}
+	ops, err := a.deleteAzureSEVSNPVersion(versions, versionStr)
+	if err != nil {
+		return err
+	}
+	return executeAllCmds(ctx, a.s3Client, ops)
+}
+
+// List returns the list of versions for the given attestation type.
+func (a Client) List(ctx context.Context, attestation variant.Variant) ([]string, error) {
+	if attestation.Equal(variant.AzureSEVSNP{}) {
+		versions, err := apiclient.Fetch(ctx, a.s3Client, AzureSEVSNPVersionList{})
+		if err != nil {
+			return nil, err
+		}
+		return versions, nil
+	}
+	return nil, fmt.Errorf("unsupported attestation type: %s", attestation)
+}
+
+func (a Client) deleteAzureSEVSNPVersion(versions AzureSEVSNPVersionList, versionStr string) (ops []crudCmd, err error) {
+	versionStr = versionStr + ".json"
+	ops = append(ops, deleteCmd{
+		apiObject: AzureSEVSNPVersionAPI{
+			Version: versionStr,
+		},
+	})
+
+	ops = append(ops, deleteCmd{
+		apiObject: AzureSEVSNPVersionSignature{
+			Version: versionStr,
+		},
+	})
+
+	removedVersions, err := removeVersion(versions, versionStr)
+	if err != nil {
+		return nil, err
+	}
+	ops = append(ops, putCmd{
+		apiObject: removedVersions,
+	})
+	return ops, nil
+}
+
+func (a Client) uploadAzureSEVSNP(versions AzureSEVSNPVersion, versionNames []string, date time.Time) (res []crudCmd, err error) {
+	dateStr := date.Format("2006-01-02-15-04") + ".json"
+
+	res = append(res, putCmd{AzureSEVSNPVersionAPI{Version: dateStr, AzureSEVSNPVersion: versions}})
+
+	versionBytes, err := json.Marshal(versions)
+	if err != nil {
+		return res, err
+	}
+	signature, err := a.createSignature(versionBytes, dateStr)
+	if err != nil {
+		return res, err
+	}
+	res = append(res, putCmd{signature})
+	newVersions := addVersion(versionNames, dateStr)
+	res = append(res, putCmd{AzureSEVSNPVersionList(newVersions)})
+	return
+}
+
+func (a Client) createSignature(content []byte, dateStr string) (res AzureSEVSNPVersionSignature, err error) {
+	signature, err := a.signer.Sign(content)
+	if err != nil {
+		return res, fmt.Errorf("sign version file: %w", err)
+	}
+	return AzureSEVSNPVersionSignature{
+		Signature: signature,
+		Version:   dateStr,
+	}, nil
+}
+
+func removeVersion(versions AzureSEVSNPVersionList, versionStr string) (removedVersions AzureSEVSNPVersionList, err error) {
+	for i, v := range versions {
+		if v == versionStr {
+			if i == len(versions)-1 {
+				removedVersions = versions[:i]
+			} else {
+				removedVersions = append(versions[:i], versions[i+1:]...)
+			}
+			return removedVersions, nil
+		}
+	}
+	return nil, fmt.Errorf("version %s not found in list %v", versionStr, versions)
+}
+
+type crudCmd interface {
+	Execute(ctx context.Context, c *apiclient.Client) error
+}
+
+type deleteCmd struct {
+	apiObject apiclient.APIObject
+}
+
+func (d deleteCmd) Execute(ctx context.Context, c *apiclient.Client) error {
+	return apiclient.Delete(ctx, c, d.apiObject)
+}
+
+type putCmd struct {
+	apiObject apiclient.APIObject
+}
+
+func (p putCmd) Execute(ctx context.Context, c *apiclient.Client) error {
+	return apiclient.Update(ctx, c, p.apiObject)
+}
+
+func executeAllCmds(ctx context.Context, client *apiclient.Client, cmds []crudCmd) error {
+	for _, cmd := range cmds {
+		if err := cmd.Execute(ctx, client); err != nil {
+			return fmt.Errorf("execute operation %+v: %w", cmd, err)
+		}
+	}
+	return nil
+}
+
+func addVersion(versions []string, newVersion string) []string {
+	versions = append(versions, newVersion)
+	versions = variant.RemoveDuplicate(versions)
+	sort.Sort(sort.Reverse(sort.StringSlice(versions)))
+	return versions
+}
--- a/internal/api/attestationconfigapi/client_test.go
+++ b/internal/api/attestationconfigapi/client_test.go
@ -0,0 +1,73 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+package attestationconfigapi
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestUploadAzureSEVSNP(t *testing.T) {
+	sut := Client{
+		bucketID: "bucket",
+		signer:   fakeSigner{},
+	}
+	version := AzureSEVSNPVersion{}
+	date := time.Date(2023, 1, 1, 1, 1, 1, 1, time.UTC)
+	ops, err := sut.uploadAzureSEVSNP(version, []string{"2021-01-01-01-01.json", "2019-01-01-01-01.json"}, date)
+	assert := assert.New(t)
+	assert.NoError(err)
+	dateStr := "2023-01-01-01-01.json"
+	assert.Contains(ops, putCmd{
+		apiObject: AzureSEVSNPVersionAPI{
+			Version:            dateStr,
+			AzureSEVSNPVersion: version,
+		},
+	})
+	assert.Contains(ops, putCmd{
+		apiObject: AzureSEVSNPVersionSignature{
+			Version:   dateStr,
+			Signature: []byte("signature"),
+		},
+	})
+	assert.Contains(ops, putCmd{
+		apiObject: AzureSEVSNPVersionList([]string{"2023-01-01-01-01.json", "2021-01-01-01-01.json", "2019-01-01-01-01.json"}),
+	})
+}
+
+func TestDeleteAzureSEVSNPVersions(t *testing.T) {
+	sut := Client{
+		bucketID: "bucket",
+	}
+	versions := AzureSEVSNPVersionList([]string{"2023-01-01.json", "2021-01-01.json", "2019-01-01.json"})
+
+	ops, err := sut.deleteAzureSEVSNPVersion(versions, "2021-01-01")
+
+	assert := assert.New(t)
+	assert.NoError(err)
+	assert.Contains(ops, deleteCmd{
+		apiObject: AzureSEVSNPVersionAPI{
+			Version: "2021-01-01.json",
+		},
+	})
+	assert.Contains(ops, deleteCmd{
+		apiObject: AzureSEVSNPVersionSignature{
+			Version: "2021-01-01.json",
+		},
+	})
+
+	assert.Contains(ops, putCmd{
+		apiObject: AzureSEVSNPVersionList([]string{"2023-01-01.json", "2019-01-01.json"}),
+	})
+}
+
+type fakeSigner struct{}
+
+func (fakeSigner) Sign(_ []byte) ([]byte, error) {
+	return []byte("signature"), nil
+}
--- a/internal/api/attestationconfigapi/fetcher.go
+++ b/internal/api/attestationconfigapi/fetcher.go
@ -0,0 +1,86 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package attestationconfigapi
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	apifetcher "github.com/edgelesssys/constellation/v2/internal/api/fetcher"
+	"github.com/edgelesssys/constellation/v2/internal/constants"
+	"github.com/edgelesssys/constellation/v2/internal/sigstore"
+)
+
+const cosignPublicKey = constants.CosignPublicKeyReleases
+
+// Fetcher fetches config API resources without authentication.
+type Fetcher interface {
+	FetchAzureSEVSNPVersion(ctx context.Context, azureVersion AzureSEVSNPVersionAPI) (AzureSEVSNPVersionAPI, error)
+	FetchAzureSEVSNPVersionList(ctx context.Context, attestation AzureSEVSNPVersionList) (AzureSEVSNPVersionList, error)
+	FetchAzureSEVSNPVersionLatest(ctx context.Context) (AzureSEVSNPVersionAPI, error)
+}
+
+// fetcher fetches AttestationCfg API resources without authentication.
+type fetcher struct {
+	apifetcher.HTTPClient
+}
+
+// NewFetcher returns a new apifetcher.
+func NewFetcher() Fetcher {
+	return NewFetcherWithClient(apifetcher.NewHTTPClient())
+}
+
+// NewFetcherWithClient returns a new fetcher with custom http client.
+func NewFetcherWithClient(client apifetcher.HTTPClient) Fetcher {
+	return &fetcher{client}
+}
+
+// FetchAzureSEVSNPVersionList fetches the version list information from the config API.
+func (f *fetcher) FetchAzureSEVSNPVersionList(ctx context.Context, attestation AzureSEVSNPVersionList) (AzureSEVSNPVersionList, error) {
+	return apifetcher.Fetch(ctx, f.HTTPClient, attestation)
+}
+
+// FetchAzureSEVSNPVersion fetches the version information from the config API.
+func (f *fetcher) FetchAzureSEVSNPVersion(ctx context.Context, azureVersion AzureSEVSNPVersionAPI) (AzureSEVSNPVersionAPI, error) {
+	fetchedVersion, err := apifetcher.Fetch(ctx, f.HTTPClient, azureVersion)
+	if err != nil {
+		return fetchedVersion, fmt.Errorf("fetch version %s: %w", fetchedVersion.Version, err)
+	}
+	versionBytes, err := json.Marshal(fetchedVersion)
+	if err != nil {
+		return fetchedVersion, fmt.Errorf("marshal version for verify %s: %w", azureVersion.Version, err)
+	}
+
+	signature, err := apifetcher.Fetch(ctx, f.HTTPClient, AzureSEVSNPVersionSignature{
+		Version: azureVersion.Version,
+	})
+	if err != nil {
+		return fetchedVersion, fmt.Errorf("fetch version %s signature: %w", azureVersion.Version, err)
+	}
+
+	err = sigstore.CosignVerifier{}.VerifySignature(versionBytes, signature.Signature, []byte(cosignPublicKey))
+	if err != nil {
+		return fetchedVersion, fmt.Errorf("verify version %s signature: %w", azureVersion.Version, err)
+	}
+	return fetchedVersion, nil
+}
+
+// FetchAzureSEVSNPVersionLatest returns the latest versions of the given type.
+func (f *fetcher) FetchAzureSEVSNPVersionLatest(ctx context.Context) (res AzureSEVSNPVersionAPI, err error) {
+	var list AzureSEVSNPVersionList
+	list, err = f.FetchAzureSEVSNPVersionList(ctx, list)
+	if err != nil {
+		return res, fmt.Errorf("fetching versions list: %w", err)
+	}
+	get := AzureSEVSNPVersionAPI{Version: list[0]} // get latest version (as sorted reversely alphanumerically)
+	get, err = f.FetchAzureSEVSNPVersion(ctx, get)
+	if err != nil {
+		return res, fmt.Errorf("fetching version: %w", err)
+	}
+	return get, nil
+}
--- a/internal/api/attestationconfigapi/fetcher_test.go
+++ b/internal/api/attestationconfigapi/fetcher_test.go
@ -0,0 +1,108 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+package attestationconfigapi
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"io"
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var testCfg = AzureSEVSNPVersionAPI{
+	AzureSEVSNPVersion: AzureSEVSNPVersion{
+		Microcode:  93,
+		TEE:        0,
+		SNP:        6,
+		Bootloader: 2,
+	},
+}
+
+func TestFetchLatestAzureSEVSNPVersion(t *testing.T) {
+	testcases := map[string]struct {
+		signature []byte
+		wantErr   bool
+		want      AzureSEVSNPVersionAPI
+	}{
+		"get version with valid signature": {
+			signature: []byte("MEQCIBPEbYg89MIQuaGStLhKGLGMKvKFoYCaAniDLwoIwulqAiB+rj7KMaMOMGxmUsjI7KheCXSNM8NzN+tuDw6AywI75A=="), // signed with release key
+			want:      testCfg,
+		},
+		"fail with invalid signature": {
+			signature: []byte("invalid"),
+			wantErr:   true,
+		},
+	}
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			client := &http.Client{
+				Transport: &fakeConfigAPIHandler{
+					signature: tc.signature,
+				},
+			}
+			fetcher := NewFetcherWithClient(client)
+			res, err := fetcher.FetchAzureSEVSNPVersionLatest(context.Background())
+
+			assert := assert.New(t)
+			if tc.wantErr {
+				assert.Error(err)
+			} else {
+				assert.NoError(err)
+				assert.Equal(testCfg, res)
+			}
+		})
+	}
+}
+
+type fakeConfigAPIHandler struct {
+	signature []byte
+}
+
+// RoundTrip resolves the request and returns a dummy response.
+func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, error) {
+	if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/list" {
+		res := &http.Response{}
+		data := []string{"2021-01-01-01-01.json", "2019-01-01-01-02.json"} // return multiple versions to check that latest version is correctly selected
+		bt, err := json.Marshal(data)
+		if err != nil {
+			return nil, err
+		}
+		res.Body = io.NopCloser(bytes.NewReader(bt))
+		res.Header = http.Header{}
+		res.Header.Set("Content-Type", "application/json")
+		res.StatusCode = http.StatusOK
+		return res, nil
+	} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json" {
+		res := &http.Response{}
+		bt, err := json.Marshal(testCfg)
+		if err != nil {
+			return nil, err
+		}
+		res.Body = io.NopCloser(bytes.NewReader(bt))
+		res.StatusCode = http.StatusOK
+		return res, nil
+
+	} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json.sig" {
+		res := &http.Response{}
+		obj := AzureSEVSNPVersionSignature{
+			Signature: f.signature,
+		}
+		bt, err := json.Marshal(obj)
+		if err != nil {
+			return nil, err
+		}
+		res.Body = io.NopCloser(bytes.NewReader(bt))
+		res.StatusCode = http.StatusOK
+		return res, nil
+
+	}
+	return nil, errors.New("no endpoint found")
+}
--- a/internal/api/attestationconfigapi/test/integration_test.go
+++ b/internal/api/attestationconfigapi/test/integration_test.go
@ -0,0 +1,83 @@
+//go:build integration
+
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+package test
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"io"
+	"os"
+	"testing"
+	"time"
+
+	attestationconfig "github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
+	"github.com/edgelesssys/constellation/v2/internal/logger"
+	"github.com/edgelesssys/constellation/v2/internal/staticupload"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/zap"
+)
+
+const (
+	awsBucket   = "cdn-constellation-backend"
+	awsRegion   = "eu-central-1"
+	envAwsKeyID = "AWS_ACCESS_KEY_ID"
+	envAwsKey   = "AWS_ACCESS_KEY"
+)
+
+var cfg staticupload.Config
+
+var (
+	cosignPwd      = flag.String("cosign-pwd", "", "Password to decrypt the cosign private key. Required for signing.")
+	privateKeyPath = flag.String("private-key", "", "Path to the private key used for signing. Required for signing.")
+	privateKey     []byte
+)
+
+func TestMain(m *testing.M) {
+	flag.Parse()
+	if *cosignPwd == "" || *privateKeyPath == "" {
+		flag.Usage()
+		fmt.Println("Required flags not set: --cosign-pwd, --private-key. Skipping tests.")
+		os.Exit(1)
+	}
+	if _, present := os.LookupEnv(envAwsKey); !present {
+		fmt.Printf("%s not set. Skipping tests.\n", envAwsKey)
+		os.Exit(1)
+	}
+	if _, present := os.LookupEnv(envAwsKeyID); !present {
+		fmt.Printf("%s not set. Skipping tests.\n", envAwsKeyID)
+		os.Exit(1)
+	}
+	cfg = staticupload.Config{
+		Bucket: awsBucket,
+		Region: awsRegion,
+	}
+	file, _ := os.Open(*privateKeyPath)
+	var err error
+	privateKey, err = io.ReadAll(file)
+	if err != nil {
+		panic(err)
+	}
+	os.Exit(m.Run())
+}
+
+var versionValues = attestationconfig.AzureSEVSNPVersion{
+	Bootloader: 2,
+	TEE:        0,
+	SNP:        6,
+	Microcode:  93,
+}
+
+func TestUploadAzureSEVSNPVersions(t *testing.T) {
+	ctx := context.Background()
+	client, clientClose, err := attestationconfig.NewClient(ctx, cfg, []byte(*cosignPwd), privateKey, false, logger.New(logger.PlainLog, zap.DebugLevel).Named("attestationconfig"))
+	require.NoError(t, err)
+	defer func() { _ = clientClose(ctx) }()
+	d := time.Date(2021, 1, 1, 1, 1, 1, 1, time.UTC)
+	require.NoError(t, client.UploadAzureSEVSNP(ctx, versionValues, d))
+}