attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257)

* Convert enforceIDKeyDigest setting to enum

* Use MAA fallback in Azure SNP attestation

* Only create MAA provider if MAA fallback is enabled

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
Daniel Weiße 2023-03-21 12:46:49 +01:00 committed by GitHub
parent 9a9688583d
commit 5a0234b3f2
66 changed files with 1073 additions and 542 deletions


@ -92,6 +92,11 @@ func TestIMDSClient(t *testing.T) {
},
}
defaultWantTags := map[string]string{
cloud.TagUID: "uid",
cloud.TagRole: "worker",
}
testCases := map[string]struct {
server httpBufconnServer
wantProviderIDErr bool
@ -106,6 +111,8 @@ func TestIMDSClient(t *testing.T) {
wantName string
wantSubscriptionErr bool
wantSubscriptionID string
wantTagsErr bool
wantTags map[string]string
}{
"metadata response parsed": {
server: newHTTPBufconnServerWithMetadataResponse(response),
@ -115,6 +122,7 @@ func TestIMDSClient(t *testing.T) {
wantRole: role.Worker,
wantName: "computer-name",
wantSubscriptionID: "subscription-id",
wantTags: defaultWantTags,
},
"metadata response without resource ID": {
server: newHTTPBufconnServerWithMetadataResponse(responseWithoutID),
@ -124,6 +132,7 @@ func TestIMDSClient(t *testing.T) {
wantRole: role.Worker,
wantName: "computer-name",
wantSubscriptionID: "subscription-id",
wantTags: defaultWantTags,
},
"metadata response without UID tag": {
server: newHTTPBufconnServerWithMetadataResponse(responseWithoutUID),
@ -133,6 +142,7 @@ func TestIMDSClient(t *testing.T) {
wantRole: role.Worker,
wantName: "computer-name",
wantSubscriptionID: "subscription-id",
wantTags: map[string]string{cloud.TagRole: "worker"},
},
"metadata response without role tag": {
server: newHTTPBufconnServerWithMetadataResponse(responseWithoutRole),
@ -142,6 +152,7 @@ func TestIMDSClient(t *testing.T) {
wantRoleErr: true,
wantName: "computer-name",
wantSubscriptionID: "subscription-id",
wantTags: map[string]string{cloud.TagUID: "uid"},
},
"metadata response without resource group": {
server: newHTTPBufconnServerWithMetadataResponse(responseWithoutGroup),
@ -151,6 +162,7 @@ func TestIMDSClient(t *testing.T) {
wantRole: role.Worker,
wantName: "computer-name",
wantSubscriptionID: "subscription-id",
wantTags: defaultWantTags,
},
"metadata response without name": {
server: newHTTPBufconnServerWithMetadataResponse(responseWithoutName),
@ -160,6 +172,7 @@ func TestIMDSClient(t *testing.T) {
wantRole: role.Worker,
wantNameErr: true,
wantSubscriptionID: "subscription-id",
wantTags: defaultWantTags,
},
"metadata response without subscription ID": {
server: newHTTPBufconnServerWithMetadataResponse(responseWithoutSubscriptionID),
@ -169,6 +182,7 @@ func TestIMDSClient(t *testing.T) {
wantRole: role.Worker,
wantName: "computer-name",
wantSubscriptionErr: true,
wantTags: defaultWantTags,
},
"invalid imds response detected": {
server: newHTTPBufconnServer(func(writer http.ResponseWriter, request *http.Request) {
@ -180,6 +194,7 @@ func TestIMDSClient(t *testing.T) {
wantRoleErr: true,
wantNameErr: true,
wantSubscriptionErr: true,
wantTagsErr: true,
},
}
@ -197,7 +212,7 @@ func TestIMDSClient(t *testing.T) {
DialTLS: tc.server.Dial,
},
}
iClient := imdsClient{client: &hClient}
iClient := IMDSClient{client: &hClient}
ctx := context.Background()
@ -248,6 +263,14 @@ func TestIMDSClient(t *testing.T) {
assert.NoError(err)
assert.Equal(tc.wantSubscriptionID, subscriptionID)
}
tags, err := iClient.Tags(ctx)
if tc.wantTagsErr {
assert.Error(err)
} else {
assert.NoError(err)
assert.Equal(tc.wantTags, tags)
}
})
}
}