Improve measurements verification with Rekor (#206)

Fetched measurements are now verified using Rekor in addition to a signature check.
Signed-off-by: Fabian Kammel <fk@edgeless.systems>

cli/internal/cmd/upgradeplan_test.go

@@ -271,7 +271,7 @@ func TestGetCompatibleImageMeasurements(t *testing.T) {
 
 	pubK := []byte("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUs5fDUIz9aiwrfr8BK4VjN7jE6sl\ngz7UuXsOin8+dB0SGrbNHy7TJToa2fAiIKPVLTOfvY75DqRAtffhO1fpBA==\n-----END PUBLIC KEY-----")
 
-	err := getCompatibleImageMeasurements(context.Background(), client, pubK, testImages)
+	err := getCompatibleImageMeasurements(context.Background(), client, singleUUIDVerifier(), pubK, testImages)
 	assert.NoError(err)
 
 	for _, image := range testImages {
@@ -295,6 +295,7 @@ func TestUpgradePlan(t *testing.T) {
 		planner                 stubUpgradePlanner
 		flags                   upgradePlanFlags
 		csp                     cloudprovider.Provider
+		verifier                rekorVerifier
 		imageFetchStatus        int
 		measurementsFetchStatus int
 		wantUpgrade             bool
@@ -312,6 +313,7 @@ func TestUpgradePlan(t *testing.T) {
 				cosignPubKey: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUs5fDUIz9aiwrfr8BK4VjN7jE6sl\ngz7UuXsOin8+dB0SGrbNHy7TJToa2fAiIKPVLTOfvY75DqRAtffhO1fpBA==\n-----END PUBLIC KEY-----",
 			},
 			csp:         cloudprovider.GCP,
+			verifier:    singleUUIDVerifier(),
 			wantUpgrade: false,
 		},
 		"upgrades gcp": {
@@ -326,6 +328,7 @@ func TestUpgradePlan(t *testing.T) {
 				cosignPubKey: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUs5fDUIz9aiwrfr8BK4VjN7jE6sl\ngz7UuXsOin8+dB0SGrbNHy7TJToa2fAiIKPVLTOfvY75DqRAtffhO1fpBA==\n-----END PUBLIC KEY-----",
 			},
 			csp:         cloudprovider.GCP,
+			verifier:    singleUUIDVerifier(),
 			wantUpgrade: true,
 		},
 		"upgrades azure": {
@@ -340,6 +343,7 @@ func TestUpgradePlan(t *testing.T) {
 				cosignPubKey: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUs5fDUIz9aiwrfr8BK4VjN7jE6sl\ngz7UuXsOin8+dB0SGrbNHy7TJToa2fAiIKPVLTOfvY75DqRAtffhO1fpBA==\n-----END PUBLIC KEY-----",
 			},
 			csp:         cloudprovider.Azure,
+			verifier:    singleUUIDVerifier(),
 			wantUpgrade: true,
 		},
 		"upgrade to stdout": {
@@ -354,6 +358,7 @@ func TestUpgradePlan(t *testing.T) {
 				cosignPubKey: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUs5fDUIz9aiwrfr8BK4VjN7jE6sl\ngz7UuXsOin8+dB0SGrbNHy7TJToa2fAiIKPVLTOfvY75DqRAtffhO1fpBA==\n-----END PUBLIC KEY-----",
 			},
 			csp:         cloudprovider.GCP,
+			verifier:    singleUUIDVerifier(),
 			wantUpgrade: true,
 		},
 		"current image not valid": {
@@ -367,8 +372,9 @@ func TestUpgradePlan(t *testing.T) {
 				filePath:     "upgrade-plan.yaml",
 				cosignPubKey: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUs5fDUIz9aiwrfr8BK4VjN7jE6sl\ngz7UuXsOin8+dB0SGrbNHy7TJToa2fAiIKPVLTOfvY75DqRAtffhO1fpBA==\n-----END PUBLIC KEY-----",
 			},
-			csp:     cloudprovider.GCP,
-			wantErr: true,
+			csp:      cloudprovider.GCP,
+			verifier: singleUUIDVerifier(),
+			wantErr:  true,
 		},
 		"image fetch error": {
 			planner: stubUpgradePlanner{
@@ -381,8 +387,9 @@ func TestUpgradePlan(t *testing.T) {
 				filePath:     "upgrade-plan.yaml",
 				cosignPubKey: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUs5fDUIz9aiwrfr8BK4VjN7jE6sl\ngz7UuXsOin8+dB0SGrbNHy7TJToa2fAiIKPVLTOfvY75DqRAtffhO1fpBA==\n-----END PUBLIC KEY-----",
 			},
-			csp:     cloudprovider.GCP,
-			wantErr: true,
+			csp:      cloudprovider.GCP,
+			verifier: singleUUIDVerifier(),
+			wantErr:  true,
 		},
 		"measurements fetch error": {
 			planner: stubUpgradePlanner{
@@ -395,8 +402,45 @@ func TestUpgradePlan(t *testing.T) {
 				filePath:     "upgrade-plan.yaml",
 				cosignPubKey: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUs5fDUIz9aiwrfr8BK4VjN7jE6sl\ngz7UuXsOin8+dB0SGrbNHy7TJToa2fAiIKPVLTOfvY75DqRAtffhO1fpBA==\n-----END PUBLIC KEY-----",
 			},
-			csp:     cloudprovider.GCP,
-			wantErr: true,
+			csp:      cloudprovider.GCP,
+			verifier: singleUUIDVerifier(),
+			wantErr:  true,
+		},
+		"failing search should not result in error": {
+			planner: stubUpgradePlanner{
+				image: "projects/constellation-images/global/images/constellation-v1-0-0",
+			},
+			imageFetchStatus:        http.StatusOK,
+			measurementsFetchStatus: http.StatusOK,
+			flags: upgradePlanFlags{
+				configPath:   constants.ConfigFilename,
+				filePath:     "upgrade-plan.yaml",
+				cosignPubKey: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUs5fDUIz9aiwrfr8BK4VjN7jE6sl\ngz7UuXsOin8+dB0SGrbNHy7TJToa2fAiIKPVLTOfvY75DqRAtffhO1fpBA==\n-----END PUBLIC KEY-----",
+			},
+			csp: cloudprovider.GCP,
+			verifier: &stubRekorVerifier{
+				SearchByHashUUIDs: []string{},
+				SearchByHashError: errors.New("some error"),
+			},
+			wantUpgrade: true,
+		},
+		"failing verify should not result in error": {
+			planner: stubUpgradePlanner{
+				image: "projects/constellation-images/global/images/constellation-v1-0-0",
+			},
+			imageFetchStatus:        http.StatusOK,
+			measurementsFetchStatus: http.StatusOK,
+			flags: upgradePlanFlags{
+				configPath:   constants.ConfigFilename,
+				filePath:     "upgrade-plan.yaml",
+				cosignPubKey: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUs5fDUIz9aiwrfr8BK4VjN7jE6sl\ngz7UuXsOin8+dB0SGrbNHy7TJToa2fAiIKPVLTOfvY75DqRAtffhO1fpBA==\n-----END PUBLIC KEY-----",
+			},
+			csp: cloudprovider.GCP,
+			verifier: &stubRekorVerifier{
+				SearchByHashUUIDs: []string{"11111111111111111111111111111111111111111111111111111111111111111111111111111111"},
+				VerifyEntryError:  errors.New("some error"),
+			},
+			wantUpgrade: true,
 		},
 	}
 
@@ -445,7 +489,7 @@ func TestUpgradePlan(t *testing.T) {
 				}
 			})
 
-			err := upgradePlan(cmd, tc.planner, fileHandler, client, tc.flags)
+			err := upgradePlan(cmd, tc.planner, fileHandler, client, tc.verifier, tc.flags)
 			if tc.wantErr {
 				assert.Error(err)
 				return