Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-08-02 12:06:09 -04:00
Code Issues Projects Releases Packages Wiki Activity

AB#2305 Fix missing atls verifier in init call (#352)

Browse source 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2022-08-09 14:04:40 +02:00 committed by GitHub
parent aee3f2afa2
commit 8f5f84deb5
9 changed files with 184 additions and 70 deletions
Download patch file Download diff file Expand all files Collapse all files

53
cli/internal/cloudcmd/validators.go
View file

@ -18,14 +18,14 @@ import (
const warningStr = "Warning: not verifying the Constellation cluster's %s measurements\n"
type Validators struct {
provider cloudprovider.Provider
pcrs map[uint32][]byte
validators []atls.Validator
type Validator struct {
provider cloudprovider.Provider
pcrs map[uint32][]byte
validator atls.Validator
}
func NewValidators(provider cloudprovider.Provider, config *config.Config) (*Validators, error) {
v := Validators{}
func NewValidator(provider cloudprovider.Provider, config *config.Config) (*Validator, error) {
v := Validator{}
if provider == cloudprovider.Unknown {
return nil, errors.New("unknown cloud provider")
}
@ -36,7 +36,7 @@ func NewValidators(provider cloudprovider.Provider, config *config.Config) (*Val
return &v, nil
}
func (v *Validators) UpdateInitPCRs(ownerID, clusterID string) error {
func (v *Validator) UpdateInitPCRs(ownerID, clusterID string) error {
if err := v.updatePCR(uint32(vtpm.PCRIndexOwnerID), ownerID); err != nil {
return err
}
@ -48,7 +48,7 @@ func (v *Validators) UpdateInitPCRs(ownerID, clusterID string) error {
// When adding, the input is first decoded from base64.
// We then calculate the expected PCR by hashing the input using SHA256,
// appending expected PCR for initialization, and then hashing once more.
func (v *Validators) updatePCR(pcrIndex uint32, encoded string) error {
func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error {
if encoded == "" {
delete(v.pcrs, pcrIndex)
return nil
@ -65,7 +65,7 @@ func (v *Validators) updatePCR(pcrIndex uint32, encoded string) error {
return nil
}
func (v *Validators) setPCRs(config *config.Config) error {
func (v *Validator) setPCRs(config *config.Config) error {
switch v.provider {
case cloudprovider.GCP:
gcpPCRs := config.Provider.GCP.Measurements
@ -89,33 +89,32 @@ func (v *Validators) setPCRs(config *config.Config) error {
return nil
}
// V returns validators as list of atls.Validator.
func (v *Validators) V() []atls.Validator {
v.updateValidators()
return v.validators
// V returns the validator as atls.Validator.
func (v *Validator) V() atls.Validator {
v.updateValidator()
return v.validator
}
func (v *Validators) updateValidators() {
// PCRS returns the validator's PCR map.
func (v *Validator) PCRS() map[uint32][]byte {
return v.pcrs
}
func (v *Validator) updateValidator() {
switch v.provider {
case cloudprovider.GCP:
v.validators = []atls.Validator{
gcp.NewValidator(v.pcrs),
}
v.validator = gcp.NewValidator(v.pcrs)
case cloudprovider.Azure:
v.validators = []atls.Validator{
azure.NewValidator(v.pcrs),
}
v.validator = azure.NewValidator(v.pcrs)
case cloudprovider.QEMU:
v.validators = []atls.Validator{
qemu.NewValidator(v.pcrs),
}
v.validator = qemu.NewValidator(v.pcrs)
}
}
// Warnings returns warnings for the specifc PCR values that are not verified.
//
// PCR allocation inspired by https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_12#Tab1
func (v *Validators) Warnings() string {
func (v *Validator) Warnings() string {
sb := &strings.Builder{}
if v.pcrs[0] == nil || v.pcrs[1] == nil {
@ -141,11 +140,11 @@ func (v *Validators) Warnings() string {
return sb.String()
}
// WarningsIncludeInit returns warnings for the specifc PCR values that are not verified.
// WarningsIncludeInit returns warnings for the specific PCR values that are not verified.
// Warnings regarding the initialization are included.
//
// PCR allocation inspired by https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_12#Tab1
func (v *Validators) WarningsIncludeInit() string {
func (v *Validator) WarningsIncludeInit() string {
warnings := v.Warnings()
if v.pcrs[uint32(vtpm.PCRIndexOwnerID)] == nil || v.pcrs[uint32(vtpm.PCRIndexClusterID)] == nil {
warnings = warnings + fmt.Sprintf(warningStr, "initialization status")
@ -154,7 +153,7 @@ func (v *Validators) WarningsIncludeInit() string {
return warnings
}
func (v *Validators) checkPCRs(pcrs map[uint32][]byte) error {
func (v *Validator) checkPCRs(pcrs map[uint32][]byte) error {
if len(pcrs) == 0 {
return errors.New("no PCR values provided")
}

39
cli/internal/cloudcmd/validators_test.go
View file

@ -15,7 +15,7 @@ import (
"github.com/stretchr/testify/assert"
)
func TestNewValidators(t *testing.T) {
func TestNewValidator(t *testing.T) {
zero := []byte("00000000000000000000000000000000")
one := []byte("11111111111111111111111111111111")
testPCRs := map[uint32][]byte{
@ -80,7 +80,7 @@ func TestNewValidators(t *testing.T) {
conf.Provider.QEMU = &config.QEMUConfig{Measurements: measurements}
}
validators, err := NewValidators(tc.provider, conf)
validators, err := NewValidator(tc.provider, conf)
if tc.wantErr {
assert.Error(err)
@ -93,7 +93,7 @@ func TestNewValidators(t *testing.T) {
}
}
func TestValidatorsWarnings(t *testing.T) {
func TestValidatorWarnings(t *testing.T) {
zero := []byte("00000000000000000000000000000000")
testCases := map[string]struct {
@ -233,7 +233,7 @@ func TestValidatorsWarnings(t *testing.T) {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
validators := Validators{pcrs: tc.pcrs}
validators := Validator{pcrs: tc.pcrs}
warnings := validators.Warnings()
warningsInclueInit := validators.WarningsIncludeInit()
@ -259,7 +259,7 @@ func TestValidatorsWarnings(t *testing.T) {
}
}
func TestValidatorsV(t *testing.T) {
func TestValidatorV(t *testing.T) {
zero := []byte("00000000000000000000000000000000")
newTestPCRs := func() map[uint32][]byte {
return map[uint32][]byte{
@ -282,28 +282,22 @@ func TestValidatorsV(t *testing.T) {
testCases := map[string]struct {
provider cloudprovider.Provider
pcrs map[uint32][]byte
wantVs []atls.Validator
wantVs atls.Validator
}{
"gcp": {
provider: cloudprovider.GCP,
pcrs: newTestPCRs(),
wantVs: []atls.Validator{
gcp.NewValidator(newTestPCRs()),
},
wantVs: gcp.NewValidator(newTestPCRs()),
},
"azure": {
provider: cloudprovider.Azure,
pcrs: newTestPCRs(),
wantVs: []atls.Validator{
azure.NewValidator(newTestPCRs()),
},
wantVs: azure.NewValidator(newTestPCRs()),
},
"qemu": {
provider: cloudprovider.QEMU,
pcrs: newTestPCRs(),
wantVs: []atls.Validator{
qemu.NewValidator(newTestPCRs()),
},
wantVs: qemu.NewValidator(newTestPCRs()),
},
}
@ -311,19 +305,16 @@ func TestValidatorsV(t *testing.T) {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
validators := &Validators{provider: tc.provider, pcrs: tc.pcrs}
validators := &Validator{provider: tc.provider, pcrs: tc.pcrs}
resultValidators := validators.V()
resultValidator := validators.V()
assert.Equal(len(tc.wantVs), len(resultValidators))
for i, resValidator := range resultValidators {
assert.Equal(tc.wantVs[i].OID(), resValidator.OID())
}
assert.Equal(tc.wantVs.OID(), resultValidator.OID())
})
}
}
func TestValidatorsUpdateInitPCRs(t *testing.T) {
func TestValidatorUpdateInitPCRs(t *testing.T) {
zero := []byte("00000000000000000000000000000000")
one := []byte("11111111111111111111111111111111")
one64 := base64.StdEncoding.EncodeToString(one)
@ -402,7 +393,7 @@ func TestValidatorsUpdateInitPCRs(t *testing.T) {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
validators := &Validators{provider: tc.provider, pcrs: tc.pcrs}
validators := &Validator{provider: tc.provider, pcrs: tc.pcrs}
err := validators.UpdateInitPCRs(tc.ownerID, tc.clusterID)
@ -515,7 +506,7 @@ func TestUpdatePCR(t *testing.T) {
pcrs[k] = v
}
validators := &Validators{
validators := &Validator{
provider: cloudprovider.GCP,
pcrs: pcrs,
}