AB#1915 Local PCR calculation (#243)

* Add QEMU cloud-logging * Add QEMU metadata endpoints to collect logs during cluster boot * Send PCRs to QEMU metadata if boot fails on Azure or GCP Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-05-02 06:16:08 -04:00 · 2022-07-04 12:59:43 +02:00 · 2022-07-04 12:59:43 +02:00 · 4be29b04dc
commit 4be29b04dc
parent 70efb92adc
9 changed files with 348 additions and 21 deletions
--- a/hack/qemu-metadata-api/server/server_test.go
+++ b/hack/qemu-metadata-api/server/server_test.go
@ -6,11 +6,14 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"

 	"github.com/edgelesssys/constellation/coordinator/cloudprovider/cloudtypes"
 	"github.com/edgelesssys/constellation/hack/qemu-metadata-api/virtwrapper"
+	"github.com/edgelesssys/constellation/internal/file"
 	"github.com/edgelesssys/constellation/internal/logger"
+	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"libvirt.org/go/libvirt"
@ -63,7 +66,7 @@ func TestListAll(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			assert := assert.New(t)

-			server := New(logger.NewTest(t), tc.connect)
+			server := New(logger.NewTest(t), tc.connect, file.Handler{})

 			res, err := server.listAll()

@ -140,7 +143,7 @@ func TestListSelf(t *testing.T) {
 			assert := assert.New(t)
 			require := require.New(t)

-			server := New(logger.NewTest(t), tc.connect)
+			server := New(logger.NewTest(t), tc.connect, file.Handler{})

 			req, err := http.NewRequest(http.MethodGet, "http://192.0.0.1/self", nil)
 			require.NoError(err)
@ -202,7 +205,7 @@ func TestListPeers(t *testing.T) {
 			assert := assert.New(t)
 			require := require.New(t)

-			server := New(logger.NewTest(t), tc.connect)
+			server := New(logger.NewTest(t), tc.connect, file.Handler{})

 			req, err := http.NewRequest(http.MethodGet, "http://192.0.0.1/peers", nil)
 			require.NoError(err)
@ -226,6 +229,147 @@ func TestListPeers(t *testing.T) {
 	}
 }

+func TestPostLog(t *testing.T) {
+	testCases := map[string]struct {
+		remoteAddr string
+		message    io.Reader
+		method     string
+		wantErr    bool
+	}{
+		"success": {
+			remoteAddr: "192.0.100.1:1234",
+			method:     http.MethodPost,
+			message:    strings.NewReader("test message"),
+		},
+		"no body": {
+			remoteAddr: "192.0.100.1:1234",
+			method:     http.MethodPost,
+			message:    nil,
+			wantErr:    true,
+		},
+		"incorrect method": {
+			remoteAddr: "192.0.100.1:1234",
+			method:     http.MethodGet,
+			message:    strings.NewReader("test message"),
+			wantErr:    true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			require := require.New(t)
+
+			server := New(logger.NewTest(t), &stubConnect{}, file.NewHandler(afero.NewMemMapFs()))
+
+			req, err := http.NewRequest(tc.method, "http://192.0.0.1/logs", tc.message)
+			require.NoError(err)
+			req.RemoteAddr = tc.remoteAddr
+
+			w := httptest.NewRecorder()
+			server.postLog(w, req)
+
+			if tc.wantErr {
+				assert.NotEqual(http.StatusOK, w.Code)
+			} else {
+				assert.Equal(http.StatusOK, w.Code)
+			}
+		})
+	}
+}
+
+func TestExportPCRs(t *testing.T) {
+	defaultConnect := &stubConnect{
+		network: stubNetwork{
+			leases: []libvirt.NetworkDHCPLease{
+				{
+					IPaddr:   "192.0.100.1",
+					Hostname: "control-plane-0",
+				},
+			},
+		},
+	}
+
+	testCases := map[string]struct {
+		remoteAddr string
+		connect    *stubConnect
+		message    string
+		method     string
+		wantErr    bool
+	}{
+		"success": {
+			remoteAddr: "192.0.100.1:1234",
+			connect:    defaultConnect,
+			method:     http.MethodPost,
+			message:    mustMarshal(t, map[uint32][]byte{0: []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")}),
+		},
+		"incorrect method": {
+			remoteAddr: "192.0.100.1:1234",
+			connect:    defaultConnect,
+			message:    mustMarshal(t, map[uint32][]byte{0: []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")}),
+			method:     http.MethodGet,
+			wantErr:    true,
+		},
+		"listAll error": {
+			remoteAddr: "192.0.100.1:1234",
+			connect: &stubConnect{
+				getNetworkErr: errors.New("error"),
+			},
+			message: mustMarshal(t, map[uint32][]byte{0: []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")}),
+			method:  http.MethodPost,
+			wantErr: true,
+		},
+		"invalid message": {
+			remoteAddr: "192.0.100.1:1234",
+			connect:    defaultConnect,
+			method:     http.MethodPost,
+			message:    "message",
+			wantErr:    true,
+		},
+		"invalid remote address": {
+			remoteAddr: "localhost",
+			connect:    defaultConnect,
+			method:     http.MethodPost,
+			message:    mustMarshal(t, map[uint32][]byte{0: []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")}),
+			wantErr:    true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			require := require.New(t)
+
+			file := file.NewHandler(afero.NewMemMapFs())
+			server := New(logger.NewTest(t), tc.connect, file)
+
+			req, err := http.NewRequest(tc.method, "http://192.0.0.1/pcrs", strings.NewReader(tc.message))
+			require.NoError(err)
+			req.RemoteAddr = tc.remoteAddr
+
+			w := httptest.NewRecorder()
+			server.exportPCRs(w, req)
+
+			if tc.wantErr {
+				assert.NotEqual(http.StatusOK, w.Code)
+				return
+			}
+
+			assert.Equal(http.StatusOK, w.Code)
+			output, err := file.Read(exportedPCRsDir + tc.connect.network.leases[0].Hostname + "_pcrs.json")
+			require.NoError(err)
+			assert.JSONEq(tc.message, string(output))
+		})
+	}
+}
+
+func mustMarshal(t *testing.T, v interface{}) string {
+	t.Helper()
+	b, err := json.Marshal(v)
+	require.NoError(t, err)
+	return string(b)
+}
+
 type stubConnect struct {
 	network       stubNetwork
 	getNetworkErr error