attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257)

* Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2025-05-02 14:26:23 -04:00 · 2023-03-21 12:46:49 +01:00 · 2023-03-21 12:46:49 +01:00 · 5a0234b3f2
commit 5a0234b3f2
parent 9a9688583d
66 changed files with 1073 additions and 542 deletions
--- a/cli/internal/cmd/recover.go
+++ b/cli/internal/cmd/recover.go
@ -16,6 +16,7 @@ import (
 	"time"

 	"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
+	"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
 	"github.com/edgelesssys/constellation/v2/disk-mapper/recoverproto"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config"
@ -95,7 +96,8 @@ func (r *recoverCmd) recover(
 		interval = 20 * time.Second // Azure LB takes a while to remove unhealthy instances
 	}

-	validator, err := cloudcmd.NewValidator(conf, r.log)
+	r.log.Debugf("Creating aTLS Validator for %s", conf.AttestationVariant)
+	validator, err := cloudcmd.NewValidator(conf, flags.maaURL, r.log)
 	if err != nil {
 		return err
 	}
@ -208,20 +210,23 @@ type recoverFlags struct {
 	endpoint   string
 	secretPath string
 	configPath string
+	maaURL     string
 	force      bool
 }

 func (r *recoverCmd) parseRecoverFlags(cmd *cobra.Command, fileHandler file.Handler) (recoverFlags, error) {
+	var idFile clusterid.File
+	if err := fileHandler.ReadJSON(constants.ClusterIDsFileName, &idFile); err != nil && !errors.Is(err, afero.ErrFileNotFound) {
+		return recoverFlags{}, err
+	}
+
 	endpoint, err := cmd.Flags().GetString("endpoint")
 	r.log.Debugf("Endpoint flag is %s", endpoint)
 	if err != nil {
 		return recoverFlags{}, fmt.Errorf("parsing endpoint argument: %w", err)
 	}
 	if endpoint == "" {
-		endpoint, err = readIPFromIDFile(fileHandler)
-		if err != nil {
-			return recoverFlags{}, fmt.Errorf("getting recovery endpoint: %w", err)
-		}
+		endpoint = idFile.IP
 	}
 	endpoint, err = addPortIfMissing(endpoint, constants.RecoveryPort)
 	if err != nil {
@ -248,6 +253,7 @@ func (r *recoverCmd) parseRecoverFlags(cmd *cobra.Command, fileHandler file.Hand
 		endpoint:   endpoint,
 		secretPath: masterSecretPath,
 		configPath: configPath,
+		maaURL:     idFile.AttestationURL,
 		force:      force,
 	}, nil
 }