internal: refactor oid package to variant package (#1538)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
parent
db5660e3d6
commit
99b12e4035
@ -38,8 +38,8 @@ go_library(
"//internal/grpc/dialer",
"//internal/kubernetes/kubectl",
"//internal/logger",
"//internal/oid",
"//internal/role",
"//internal/variant",
"//internal/versions/components",
"@com_github_spf13_afero//:afero",
"@io_k8s_kubernetes//cmd/kubeadm/app/apis/kubeadm/v1beta3",
@ -32,7 +32,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/file"
"github.com/edgelesssys/constellation/v2/internal/kubernetes/kubectl"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/variant"
"github.com/spf13/afero"
"go.uber.org/zap"
)
@ -71,7 +71,7 @@ func main() {
log.With(zap.Error(err)).Fatalf("Helm client could not be initialized")
}
attestVariant, err := oid.FromString(os.Getenv(constants.AttestationVariant))
attestVariant, err := variant.FromString(os.Getenv(constants.AttestationVariant))
if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to parse attestation variant")
}
@ -44,7 +44,7 @@ go_test(
"//internal/kms/setup",
"//internal/kms/uri",
"//internal/logger",
"//internal/oid",
"//internal/variant",
"//internal/versions/components",
"@com_github_spf13_afero//:afero",
"@com_github_stretchr_testify//assert",
@ -22,7 +22,7 @@ import (
kmssetup "github.com/edgelesssys/constellation/v2/internal/kms/setup"
"github.com/edgelesssys/constellation/v2/internal/kms/uri"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/variant"
"github.com/edgelesssys/constellation/v2/internal/versions/components"
"github.com/spf13/afero"
"github.com/stretchr/testify/assert"
@ -62,7 +62,7 @@ func TestNew(t *testing.T) {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
server, err := New(context.TODO(), newFakeLock(), &stubClusterInitializer{}, atls.NewFakeIssuer(oid.Dummy{}), fh, &tc.metadata, logger.NewTest(t))
server, err := New(context.TODO(), newFakeLock(), &stubClusterInitializer{}, atls.NewFakeIssuer(variant.Dummy{}), fh, &tc.metadata, logger.NewTest(t))
if tc.wantErr {
assert.Error(err)
return
@ -33,7 +33,7 @@ go_library(
"//internal/constants",
"//internal/kubernetes",
"//internal/kubernetes/kubectl",
"//internal/oid",
"//internal/variant",
"//internal/versions",
"//internal/versions/components",
"//internal/versionsapi",
@ -83,7 +83,7 @@ go_test(
"//internal/config",
"//internal/constants",
"//internal/logger",
"//internal/oid",
"//internal/variant",
"//internal/versions",
"//internal/versions/components",
"//operators/constellation-node-operator/api/v1alpha1",
@ -18,13 +18,13 @@ import (
"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
"github.com/edgelesssys/constellation/v2/internal/config"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/variant"
"github.com/spf13/cobra"
)
// Validator validates Platform Configuration Registers (PCRs).
type Validator struct {
attestationVariant oid.Getter
attestationVariant variant.Variant
pcrs measurements.M
idKeyConfig idkeydigest.Config
validator atls.Validator
@ -34,17 +34,17 @@ type Validator struct {
// NewValidator creates a new Validator.
func NewValidator(conf *config.Config, maaURL string, log debugLog) (*Validator, error) {
v := Validator{log: log}
variant, err := oid.FromString(conf.AttestationVariant)
attestVariant, err := variant.FromString(conf.AttestationVariant)
if err != nil {
return nil, fmt.Errorf("parsing attestation variant: %w", err)
}
v.attestationVariant = variant // valid variant
v.attestationVariant = attestVariant // valid variant
if err := v.setPCRs(conf); err != nil {
return nil, err
}
if v.attestationVariant.OID().Equal(oid.AzureSEVSNP{}.OID()) {
if v.attestationVariant.Equal(variant.AzureSEVSNP{}) {
v.idKeyConfig = idkeydigest.Config{
IDKeyDigests: conf.Provider.Azure.IDKeyDigest,
EnforcementPolicy: conf.IDKeyDigestPolicy(),
@ -96,32 +96,11 @@ func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error {
}
func (v *Validator) setPCRs(config *config.Config) error {
switch v.attestationVariant {
case oid.AWSNitroTPM{}:
awsPCRs := config.Provider.AWS.Measurements
if len(awsPCRs) == 0 {
return errors.New("no expected measurement provided")
}
v.pcrs = awsPCRs
case oid.AzureSEVSNP{}, oid.AzureTrustedLaunch{}:
azurePCRs := config.Provider.Azure.Measurements
if len(azurePCRs) == 0 {
return errors.New("no expected measurement provided")
}
v.pcrs = azurePCRs
case oid.GCPSEVES{}:
gcpPCRs := config.Provider.GCP.Measurements
if len(gcpPCRs) == 0 {
return errors.New("no expected measurement provided")
}
v.pcrs = gcpPCRs
case oid.QEMUVTPM{}:
qemuPCRs := config.Provider.QEMU.Measurements
if len(qemuPCRs) == 0 {
return errors.New("no expected measurement provided")
}
v.pcrs = qemuPCRs
measurements := config.GetMeasurements()
if len(measurements) == 0 {
return errors.New("no measurements found in config")
}
v.pcrs = measurements
return nil
}
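Review bot: The new setPCRs body drops the per-variant selection the removed switch performed: `measurements := config.GetMeasurements()` picks a measurement set by whichever provider section the config carries, so nothing in this function ties the PCRs to `v.attestationVariant` any more, and a config that names one attestation variant but carries another provider's measurements passes here unless GetMeasurements or config validation enforces that pairing (not visible in the hunk). Because these PCRs are what the validator later enforces against the remote attestation document, state where that consistency is guaranteed, e.g. `// GetMeasurements returns the configured provider's measurements; the pairing with the attestation variant is expected to be checked by config validation — confirm.` Separately, the parameter `config` shadows the imported package (the signature itself uses `*config.Config`), so `config.GetMeasurements()` reads like a package-level call; renaming the parameter to `conf`, as NewValidator does in the hunk above, removes the ambiguity. setPCRs lies entirely inside the hunk.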
@ -21,7 +21,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/attestation/qemu"
"github.com/edgelesssys/constellation/v2/internal/config"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/variant"
"github.com/spf13/cobra"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@ -43,7 +43,7 @@ func TestNewValidator(t *testing.T) {
}{
"gcp": {
config: &config.Config{
AttestationVariant: oid.GCPSEVES{}.String(),
AttestationVariant: variant.GCPSEVES{}.String(),
Provider: config.ProviderConfig{
GCP: &config.GCPConfig{
Measurements: testPCRs,
@ -53,7 +53,7 @@ func TestNewValidator(t *testing.T) {
},
"azure cvm": {
config: &config.Config{
AttestationVariant: oid.AzureSEVSNP{}.String(),
AttestationVariant: variant.AzureSEVSNP{}.String(),
Provider: config.ProviderConfig{
Azure: &config.AzureConfig{
Measurements: testPCRs,
@ -63,7 +63,7 @@ func TestNewValidator(t *testing.T) {
},
"azure trusted launch": {
config: &config.Config{
AttestationVariant: oid.AzureTrustedLaunch{}.String(),
AttestationVariant: variant.AzureTrustedLaunch{}.String(),
Provider: config.ProviderConfig{
Azure: &config.AzureConfig{
Measurements: testPCRs,
@ -73,7 +73,7 @@ func TestNewValidator(t *testing.T) {
},
"qemu": {
config: &config.Config{
AttestationVariant: oid.QEMUVTPM{}.String(),
AttestationVariant: variant.QEMUVTPM{}.String(),
Provider: config.ProviderConfig{
QEMU: &config.QEMUConfig{
Measurements: testPCRs,
@ -83,7 +83,7 @@ func TestNewValidator(t *testing.T) {
},
"no pcrs provided": {
config: &config.Config{
AttestationVariant: oid.AzureSEVSNP{}.String(),
AttestationVariant: variant.AzureSEVSNP{}.String(),
Provider: config.ProviderConfig{
Azure: &config.AzureConfig{
Measurements: measurements.M{},
@ -105,7 +105,7 @@ func TestNewValidator(t *testing.T) {
},
"set idkeydigest": {
config: &config.Config{
AttestationVariant: oid.AzureSEVSNP{}.String(),
AttestationVariant: variant.AzureSEVSNP{}.String(),
Provider: config.ProviderConfig{
Azure: &config.AzureConfig{
Measurements: testPCRs,
@ -128,7 +128,7 @@ func TestNewValidator(t *testing.T) {
} else {
assert.NoError(err)
assert.Equal(tc.config.GetMeasurements(), validators.pcrs)
variant, err := oid.FromString(tc.config.AttestationVariant)
variant, err := variant.FromString(tc.config.AttestationVariant)
require.NoError(t, err)
assert.Equal(variant, validators.attestationVariant)
}
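Review bot: `variant, err := variant.FromString(tc.config.AttestationVariant)` declares a local named after the package it calls, so `variant` means the variable for the rest of the else block and any later use of the package there would not compile; the production side of this same commit renamed the identical local to `attestVariant` in NewValidator, and the test should follow suit: `attestVariant, err := variant.FromString(tc.config.AttestationVariant)` and `assert.Equal(attestVariant, validators.attestationVariant)`. The enclosing TestNewValidator begins and ends outside the hunk.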
@ -156,17 +156,17 @@ func TestValidatorV(t *testing.T) {
}
testCases := map[string]struct {
variant oid.Getter
variant variant.Variant
pcrs measurements.M
wantVs atls.Validator
}{
"gcp": {
variant: oid.GCPSEVES{},
variant: variant.GCPSEVES{},
pcrs: newTestPCRs(),
wantVs: gcp.NewValidator(newTestPCRs(), nil),
},
"azure cvm": {
variant: oid.AzureSEVSNP{},
variant: variant.AzureSEVSNP{},
pcrs: newTestPCRs(),
wantVs: snp.NewValidator(
newTestPCRs(),
@ -175,12 +175,12 @@ func TestValidatorV(t *testing.T) {
),
},
"azure trusted launch": {
variant: oid.AzureTrustedLaunch{},
variant: variant.AzureTrustedLaunch{},
pcrs: newTestPCRs(),
wantVs: trustedlaunch.NewValidator(newTestPCRs(), nil),
},
"qemu": {
variant: oid.QEMUVTPM{},
variant: variant.QEMUVTPM{},
pcrs: newTestPCRs(),
wantVs: qemu.NewValidator(newTestPCRs(), nil),
},
@ -235,50 +235,50 @@ func TestValidatorUpdateInitPCRs(t *testing.T) {
}
testCases := map[string]struct {
variant oid.Getter
variant variant.Variant
pcrs measurements.M
ownerID string
clusterID string
wantErr bool
}{
"gcp update owner ID": {
variant: oid.GCPSEVES{},
variant: variant.GCPSEVES{},
pcrs: newTestPCRs(),
ownerID: one64,
},
"gcp update cluster ID": {
variant: oid.GCPSEVES{},
variant: variant.GCPSEVES{},
pcrs: newTestPCRs(),
clusterID: one64,
},
"gcp update both": {
variant: oid.GCPSEVES{},
variant: variant.GCPSEVES{},
pcrs: newTestPCRs(),
ownerID: one64,
clusterID: one64,
},
"azure update owner ID": {
variant: oid.AzureSEVSNP{},
variant: variant.AzureSEVSNP{},
pcrs: newTestPCRs(),
ownerID: one64,
},
"azure update cluster ID": {
variant: oid.AzureSEVSNP{},
variant: variant.AzureSEVSNP{},
pcrs: newTestPCRs(),
clusterID: one64,
},
"azure update both": {
variant: oid.AzureSEVSNP{},
variant: variant.AzureSEVSNP{},
pcrs: newTestPCRs(),
ownerID: one64,
clusterID: one64,
},
"owner ID and cluster ID empty": {
variant: oid.GCPSEVES{},
variant: variant.GCPSEVES{},
pcrs: newTestPCRs(),
},
"invalid encoding": {
variant: oid.GCPSEVES{},
variant: variant.GCPSEVES{},
pcrs: newTestPCRs(),
ownerID: "invalid",
wantErr: true,
@ -421,7 +421,7 @@ func TestUpdatePCR(t *testing.T) {
}
validators := &Validator{
attestationVariant: oid.GCPSEVES{},
attestationVariant: variant.GCPSEVES{},
pcrs: pcrs,
}
err := validators.updatePCR(tc.pcrIndex, tc.encoded)
@ -61,9 +61,9 @@ go_library(
"//internal/kubernetes/kubectl",
"//internal/license",
"//internal/logger",
"//internal/oid",
"//internal/retry",
"//internal/sigstore",
"//internal/variant",
"//internal/versions",
"//internal/versionsapi",
"//internal/versionsapi/fetcher",
@ -127,7 +127,7 @@ go_test(
"//internal/kms/uri",
"//internal/license",
"//internal/logger",
"//internal/oid",
"//internal/variant",
"//internal/versions",
"//internal/versionsapi",
"//verify/verifyproto",
@ -15,7 +15,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/config"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/file"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/variant"
"github.com/edgelesssys/constellation/v2/internal/versions"
"github.com/siderolabs/talos/pkg/machinery/config/encoder"
"github.com/spf13/afero"
@ -109,13 +109,13 @@ func createConfig(provider cloudprovider.Provider) *config.Config {
// TODO(AB#2976): Replace hardcoded values with user input
switch provider {
case cloudprovider.AWS:
conf.AttestationVariant = oid.AWSNitroTPM{}.String()
conf.AttestationVariant = variant.AWSNitroTPM{}.String()
case cloudprovider.Azure:
conf.AttestationVariant = oid.AzureSEVSNP{}.String()
conf.AttestationVariant = variant.AzureSEVSNP{}.String()
case cloudprovider.GCP:
conf.AttestationVariant = oid.GCPSEVES{}.String()
conf.AttestationVariant = variant.GCPSEVES{}.String()
case cloudprovider.QEMU:
conf.AttestationVariant = oid.QEMUVTPM{}.String()
conf.AttestationVariant = variant.QEMUVTPM{}.String()
}
return conf
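Review bot: The `switch provider` sets `conf.AttestationVariant` for AWS, Azure, GCP and QEMU only and has no `default`, so any other provider (the helm test in this commit configures OpenStack with `variant.Dummy{}`) leaves the field at whatever the config template already holds — presumably empty — and the problem only surfaces later when `variant.FromString` parses the written config. Since createConfig returns no error, at least make the fall-through explicit so a reader knows it is intentional, e.g. `default: // providers without a fixed variant keep the template value; see TODO(AB#2976)`. The function's head lies outside the hunk.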
@ -15,7 +15,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/file"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/variant"
"github.com/edgelesssys/constellation/v2/internal/versions"
"github.com/spf13/afero"
"github.com/stretchr/testify/assert"
@ -94,7 +94,7 @@ func TestConfigGenerateDefaultGCPSpecific(t *testing.T) {
require.NoError(cg.configGenerate(cmd, fileHandler, cloudprovider.GCP))
// TODO(AB#2976): Remove this once attestation variants are dynamically created
wantConf.AttestationVariant = oid.GCPSEVES{}.String()
wantConf.AttestationVariant = variant.GCPSEVES{}.String()
var readConfig config.Config
err := fileHandler.ReadYAML(constants.ConfigFilename, &readConfig)
@ -33,7 +33,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/kms/uri"
"github.com/edgelesssys/constellation/v2/internal/license"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/variant"
"github.com/edgelesssys/constellation/v2/internal/versions"
"github.com/spf13/afero"
"github.com/stretchr/testify/assert"
@ -399,14 +399,14 @@ func TestAttestation(t *testing.T) {
netDialer := testdialer.NewBufconnDialer()
newDialer := func(v *cloudcmd.Validator) *dialer.Dialer {
validator := &testValidator{
Getter: oid.QEMUVTPM{},
Getter: variant.QEMUVTPM{},
pcrs: v.PCRS(),
}
return dialer.New(nil, validator, netDialer)
}
issuer := &testIssuer{
Getter: oid.QEMUVTPM{},
Getter: variant.QEMUVTPM{},
pcrs: map[uint32][]byte{
0: bytes.Repeat([]byte{0xFF}, 32),
1: bytes.Repeat([]byte{0xFF}, 32),
@ -436,7 +436,7 @@ func TestAttestation(t *testing.T) {
cfg := config.Default()
cfg.Image = "image"
cfg.AttestationVariant = oid.QEMUVTPM{}.String()
cfg.AttestationVariant = variant.QEMUVTPM{}.String()
cfg.RemoveProviderExcept(cloudprovider.QEMU)
cfg.Provider.QEMU.Measurements[0] = measurements.WithAllBytes(0x00, measurements.Enforce)
cfg.Provider.QEMU.Measurements[1] = measurements.WithAllBytes(0x11, measurements.Enforce)
@ -460,7 +460,7 @@ func TestAttestation(t *testing.T) {
}
type testValidator struct {
oid.Getter
variant.Getter
pcrs measurements.M
}
@ -482,7 +482,7 @@ func (v *testValidator) Validate(_ context.Context, attDoc []byte, _ []byte) ([]
}
type testIssuer struct {
oid.Getter
variant.Getter
pcrs map[uint32][]byte
}
@ -530,7 +530,7 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
switch csp {
case cloudprovider.Azure:
conf.AttestationVariant = oid.AzureSEVSNP{}.String()
conf.AttestationVariant = variant.AzureSEVSNP{}.String()
conf.Provider.Azure.SubscriptionID = "01234567-0123-0123-0123-0123456789ab"
conf.Provider.Azure.TenantID = "01234567-0123-0123-0123-0123456789ab"
conf.Provider.Azure.Location = "test-location"
@ -542,7 +542,7 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
conf.Provider.Azure.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
conf.Provider.Azure.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
case cloudprovider.GCP:
conf.AttestationVariant = oid.GCPSEVES{}.String()
conf.AttestationVariant = variant.GCPSEVES{}.String()
conf.Provider.GCP.Region = "test-region"
conf.Provider.GCP.Project = "test-project"
conf.Provider.GCP.Zone = "test-zone"
@ -551,7 +551,7 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
conf.Provider.GCP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
conf.Provider.GCP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
case cloudprovider.QEMU:
conf.AttestationVariant = oid.QEMUVTPM{}.String()
conf.AttestationVariant = variant.QEMUVTPM{}.String()
conf.Provider.QEMU.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
conf.Provider.QEMU.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
conf.Provider.QEMU.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
@ -25,7 +25,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
"github.com/edgelesssys/constellation/v2/internal/grpc/testdialer"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/variant"
"github.com/edgelesssys/constellation/v2/verify/verifyproto"
"github.com/spf13/afero"
"github.com/stretchr/testify/assert"
@ -247,7 +247,7 @@ func TestVerifyClient(t *testing.T) {
Nonce: tc.nonce,
}
err = verifier.Verify(context.Background(), addr, request, atls.NewFakeValidator(oid.Dummy{}))
err = verifier.Verify(context.Background(), addr, request, atls.NewFakeValidator(variant.Dummy{}))
if tc.wantErr {
assert.Error(err)
@ -362,7 +362,7 @@ go_test(
"//internal/deploy/helm",
"//internal/file",
"//internal/logger",
"//internal/oid",
"//internal/variant",
"@com_github_pkg_errors//:errors",
"@com_github_spf13_afero//:afero",
"@com_github_stretchr_testify//assert",
@ -23,7 +23,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/config"
"github.com/edgelesssys/constellation/v2/internal/deploy/helm"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/variant"
"github.com/pkg/errors"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@ -62,7 +62,7 @@ func TestConstellationServices(t *testing.T) {
}{
"AWS": {
config: &config.Config{
AttestationVariant: oid.AWSNitroTPM{}.String(),
AttestationVariant: variant.AWSNitroTPM{}.String(),
Provider: config.ProviderConfig{AWS: &config.AWSConfig{}},
},
valuesModifier: prepareAWSValues,
@ -70,7 +70,7 @@ func TestConstellationServices(t *testing.T) {
},
"Azure": {
config: &config.Config{
AttestationVariant: oid.AzureSEVSNP{}.String(),
AttestationVariant: variant.AzureSEVSNP{}.String(),
Provider: config.ProviderConfig{Azure: &config.AzureConfig{
DeployCSIDriver: toPtr(true),
EnforceIDKeyDigest: idkeydigest.StrictChecking,
@ -87,7 +87,7 @@ func TestConstellationServices(t *testing.T) {
},
"GCP": {
config: &config.Config{
AttestationVariant: oid.GCPSEVES{}.String(),
AttestationVariant: variant.GCPSEVES{}.String(),
Provider: config.ProviderConfig{GCP: &config.GCPConfig{
DeployCSIDriver: toPtr(true),
}},
@ -97,7 +97,7 @@ func TestConstellationServices(t *testing.T) {
},
"OpenStack": {
config: &config.Config{
AttestationVariant: oid.Dummy{}.String(),
AttestationVariant: variant.Dummy{}.String(),
Provider: config.ProviderConfig{OpenStack: &config.OpenStackConfig{}},
},
valuesModifier: prepareOpenStackValues,
@ -105,7 +105,7 @@ func TestConstellationServices(t *testing.T) {
},
"QEMU": {
config: &config.Config{
AttestationVariant: oid.QEMUVTPM{}.String(),
AttestationVariant: variant.QEMUVTPM{}.String(),
Provider: config.ProviderConfig{QEMU: &config.QEMUConfig{}},
},
valuesModifier: prepareQEMUValues,
@ -24,8 +24,8 @@ go_library(
"//internal/grpc/dialer",
"//internal/kms/setup",
"//internal/logger",
"//internal/oid",
"//internal/role",
"//internal/variant",
"@com_github_spf13_afero//:afero",
"@org_uber_go_zap//:zap",
],
@ -30,8 +30,8 @@ import (
"github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
kmssetup "github.com/edgelesssys/constellation/v2/internal/kms/setup"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/role"
"github.com/edgelesssys/constellation/v2/internal/variant"
"github.com/spf13/afero"
"go.uber.org/zap"
)
@ -54,7 +54,7 @@ func main() {
Infof("Starting disk-mapper")
// set up quote issuer for aTLS connections
attestVariant, err := oid.FromString(os.Getenv(constants.AttestationVariant))
attestVariant, err := variant.FromString(os.Getenv(constants.AttestationVariant))
if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to parse attestation variant")
}
@ -32,7 +32,7 @@ go_test(
"//internal/grpc/testdialer",
"//internal/kms/kms",
"//internal/logger",
"//internal/oid",
"//internal/variant",
"@com_github_stretchr_testify//assert",
"@com_github_stretchr_testify//require",
"@org_uber_go_goleak//:goleak",
@ -19,7 +19,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/grpc/testdialer"
"github.com/edgelesssys/constellation/v2/internal/kms/kms"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/variant"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"go.uber.org/goleak"
@ -36,7 +36,7 @@ func TestServe(t *testing.T) {
assert := assert.New(t)
log := logger.NewTest(t)
uuid := "uuid"
server := New(atls.NewFakeIssuer(oid.Dummy{}), newStubKMS(nil, nil), log)
server := New(atls.NewFakeIssuer(variant.Dummy{}), newStubKMS(nil, nil), log)
dialer := testdialer.NewBufconnDialer()
listener := dialer.GetListener("192.0.2.1:1234")
ctx, cancel := context.WithCancel(context.Background())
@ -53,7 +53,7 @@ func TestServe(t *testing.T) {
cancel()
wg.Wait()
server = New(atls.NewFakeIssuer(oid.Dummy{}), newStubKMS(nil, nil), log)
server = New(atls.NewFakeIssuer(variant.Dummy{}), newStubKMS(nil, nil), log)
dialer = testdialer.NewBufconnDialer()
listener = dialer.GetListener("192.0.2.1:1234")
@ -105,7 +105,7 @@ func TestRecover(t *testing.T) {
ctx := context.Background()
serverUUID := "uuid"
server := New(atls.NewFakeIssuer(oid.Dummy{}), tc.factory, logger.NewTest(t))
server := New(atls.NewFakeIssuer(variant.Dummy{}), tc.factory, logger.NewTest(t))
netDialer := testdialer.NewBufconnDialer()
listener := netDialer.GetListener("192.0.2.1:1234")
@ -8,7 +8,7 @@ go_library(
visibility = ["//:__subpackages__"],
deps = [
"//internal/crypto",
"//internal/oid",
"//internal/variant",
],
)
@ -17,7 +17,7 @@ go_test(
srcs = ["atls_test.go"],
embed = [":atls"],
deps = [
"//internal/oid",
"//internal/variant",
"@com_github_stretchr_testify//assert",
"@com_github_stretchr_testify//require",
"@org_uber_go_goleak//:goleak",
@ -26,7 +26,7 @@ import (
"time"
"github.com/edgelesssys/constellation/v2/internal/crypto"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/variant"
)
const attestationTimeout = 30 * time.Second
@ -75,13 +75,13 @@ func CreateAttestationClientTLSConfig(issuer Issuer, validators []Validator) (*t
// Issuer issues an attestation document.
type Issuer interface {
oid.Getter
variant.Getter
Issue(ctx context.Context, userData []byte, nonce []byte) (quote []byte, err error)
}
// Validator is able to validate an attestation document.
type Validator interface {
oid.Getter
variant.Getter
Validate(ctx context.Context, attDoc []byte, nonce []byte) ([]byte, error)
}
@ -351,11 +351,11 @@ func (c *serverConnection) getCertificate(chi *tls.ClientHelloInfo) (*tls.Certif
// FakeIssuer fakes an issuer and can be used for tests.
type FakeIssuer struct {
oid.Getter
variant.Getter
}
// NewFakeIssuer creates a new FakeIssuer with the given OID.
func NewFakeIssuer(oid oid.Getter) *FakeIssuer {
func NewFakeIssuer(oid variant.Getter) *FakeIssuer {
return &FakeIssuer{oid}
}
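Review bot: `func NewFakeIssuer(oid variant.Getter) *FakeIssuer` keeps the parameter name `oid`, and the doc comment above it still reads "with the given OID", although the type is now a variant getter; the same leftover applies to NewFakeValidator and NewFakeValidators in the following hunk. Suggest `func NewFakeIssuer(v variant.Getter) *FakeIssuer {` with `return &FakeIssuer{v}` and the doc `// NewFakeIssuer creates a new FakeIssuer with the given attestation variant.`, and the equivalent rename and doc fix in the other two constructors. The name `oid` is also misleading now that the package of that name no longer exists in this tree.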
@ -366,17 +366,17 @@ func (FakeIssuer) Issue(_ context.Context, userData []byte, nonce []byte) ([]byt
// FakeValidator fakes a validator and can be used for tests.
type FakeValidator struct {
oid.Getter
variant.Getter
err error // used for package internal testing only
}
// NewFakeValidator creates a new FakeValidator with the given OID.
func NewFakeValidator(oid oid.Getter) *FakeValidator {
func NewFakeValidator(oid variant.Getter) *FakeValidator {
return &FakeValidator{oid, nil}
}
// NewFakeValidators returns a slice with a single FakeValidator.
func NewFakeValidators(oid oid.Getter) []Validator {
func NewFakeValidators(oid variant.Getter) []Validator {
return []Validator{NewFakeValidator(oid)}
}
@ -15,7 +15,7 @@ import (
"net/http/httptest"
"testing"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/variant"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"go.uber.org/goleak"
@ -193,7 +193,7 @@ func TestClientConnectionConcurrency(t *testing.T) {
var urls []string
for i := 0; i < serverCount; i++ {
serverCfg, err := CreateAttestationServerTLSConfig(NewFakeIssuer(oid.Dummy{}), NewFakeValidators(oid.Dummy{}))
serverCfg, err := CreateAttestationServerTLSConfig(NewFakeIssuer(variant.Dummy{}), NewFakeValidators(variant.Dummy{}))
require.NoError(err)
server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -211,7 +211,7 @@ func TestClientConnectionConcurrency(t *testing.T) {
// Create client.
//
clientConfig, err := CreateAttestationClientTLSConfig(NewFakeIssuer(oid.Dummy{}), NewFakeValidators(oid.Dummy{}))
clientConfig, err := CreateAttestationClientTLSConfig(NewFakeIssuer(variant.Dummy{}), NewFakeValidators(variant.Dummy{}))
require.NoError(err)
client := http.Client{Transport: &http.Transport{TLSClientConfig: clientConfig}}
@ -266,7 +266,7 @@ func TestServerConnectionConcurrency(t *testing.T) {
var urls []string
serverCfg, err := CreateAttestationServerTLSConfig(NewFakeIssuer(oid.Dummy{}), NewFakeValidators(oid.Dummy{}))
serverCfg, err := CreateAttestationServerTLSConfig(NewFakeIssuer(variant.Dummy{}), NewFakeValidators(variant.Dummy{}))
require.NoError(err)
for i := 0; i < serverCount; i++ {
@ -285,7 +285,7 @@ func TestServerConnectionConcurrency(t *testing.T) {
// Create client.
//
clientConfig, err := CreateAttestationClientTLSConfig(NewFakeIssuer(oid.Dummy{}), NewFakeValidators(oid.Dummy{}))
clientConfig, err := CreateAttestationClientTLSConfig(NewFakeIssuer(variant.Dummy{}), NewFakeValidators(variant.Dummy{}))
require.NoError(err)
client := http.Client{Transport: &http.Transport{TLSClientConfig: clientConfig}}
@ -13,7 +13,7 @@ go_library(
deps = [
"//internal/attestation/measurements",
"//internal/attestation/vtpm",
"//internal/oid",
"//internal/variant",
"@com_github_aws_aws_sdk_go_v2_config//:config",
"@com_github_aws_aws_sdk_go_v2_feature_ec2_imds//:imds",
"@com_github_aws_aws_sdk_go_v2_service_ec2//:ec2",
@ -15,7 +15,7 @@ import (
"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/variant"
"github.com/google/go-tpm-tools/client"
tpmclient "github.com/google/go-tpm-tools/client"
@ -23,7 +23,7 @@ import (
// Issuer for AWS TPM attestation.
type Issuer struct {
|
||||
oid.AWSNitroTPM
|
||||
variant.AWSNitroTPM
|
||||
*vtpm.Issuer
|
||||
}
|
||||
|
||||
|
@ -17,14 +17,14 @@ import (
|
||||
"github.com/aws/aws-sdk-go-v2/service/ec2"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/google/go-tpm-tools/proto/attest"
|
||||
"github.com/google/go-tpm/tpm2"
|
||||
)
|
||||
|
||||
// Validator for AWS TPM attestation.
|
||||
type Validator struct {
|
||||
oid.AWSNitroTPM
|
||||
variant.AWSNitroTPM
|
||||
*vtpm.Validator
|
||||
getDescribeClient func(context.Context, string) (awsMetadataAPI, error)
|
||||
}
|
||||
|
@ -19,7 +19,7 @@ go_library(
|
||||
"//internal/attestation/vtpm",
|
||||
"//internal/cloud/azure",
|
||||
"//internal/crypto",
|
||||
"//internal/oid",
|
||||
"//internal/variant",
|
||||
"@com_github_edgelesssys_go_azguestattestation//maa",
|
||||
"@com_github_google_go_tpm//tpm2",
|
||||
"@com_github_google_go_tpm_tools//client",
|
||||
|
@ -13,7 +13,7 @@ import (
|
||||
"io"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/edgelesssys/go-azguestattestation/maa"
|
||||
tpmclient "github.com/google/go-tpm-tools/client"
|
||||
)
|
||||
@ -22,7 +22,7 @@ const tpmAkIdx = 0x81000003
|
||||
|
||||
// Issuer for Azure TPM attestation.
|
||||
type Issuer struct {
|
||||
oid.AzureSEVSNP
|
||||
variant.AzureSEVSNP
|
||||
*vtpm.Issuer
|
||||
|
||||
imds imdsAPI
|
||||
|
@ -24,7 +24,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
||||
internalCrypto "github.com/edgelesssys/constellation/v2/internal/crypto"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/google/go-tpm-tools/proto/attest"
|
||||
"github.com/google/go-tpm/tpm2"
|
||||
)
|
||||
@ -40,7 +40,7 @@ const (
|
||||
|
||||
// Validator for Azure confidential VM attestation.
|
||||
type Validator struct {
|
||||
oid.AzureSEVSNP
|
||||
variant.AzureSEVSNP
|
||||
*vtpm.Validator
|
||||
hclValidator hclAkValidator
|
||||
maa maaValidator
|
||||
|
@ -14,7 +14,7 @@ go_library(
|
||||
"//internal/attestation/measurements",
|
||||
"//internal/attestation/vtpm",
|
||||
"//internal/crypto",
|
||||
"//internal/oid",
|
||||
"//internal/variant",
|
||||
"@com_github_google_go_tpm//tpm2",
|
||||
"@com_github_google_go_tpm_tools//client",
|
||||
"@com_github_google_go_tpm_tools//proto/attest",
|
||||
|
@ -16,7 +16,7 @@ import (
|
||||
"net/http"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
tpmclient "github.com/google/go-tpm-tools/client"
|
||||
"github.com/google/go-tpm/tpm2"
|
||||
)
|
||||
@ -28,7 +28,7 @@ const (
|
||||
|
||||
// Issuer for Azure trusted launch TPM attestation.
|
||||
type Issuer struct {
|
||||
oid.AzureTrustedLaunch
|
||||
variant.AzureTrustedLaunch
|
||||
*vtpm.Issuer
|
||||
hClient httpClient
|
||||
}
|
||||
|
@ -18,7 +18,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
||||
certutil "github.com/edgelesssys/constellation/v2/internal/crypto"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/google/go-tpm-tools/proto/attest"
|
||||
"github.com/google/go-tpm/tpm2"
|
||||
)
|
||||
@ -29,7 +29,7 @@ var ameRoot = mustParseX509("-----BEGIN CERTIFICATE-----\nMIIFVjCCAz6gAwIBAgIQJd
|
||||
|
||||
// Validator for Azure trusted launch VM attestation.
|
||||
type Validator struct {
|
||||
oid.AzureTrustedLaunch
|
||||
variant.AzureTrustedLaunch
|
||||
*vtpm.Validator
|
||||
roots *x509.CertPool
|
||||
}
|
||||
|
@ -16,7 +16,7 @@ go_library(
|
||||
"//internal/attestation/measurements",
|
||||
"//internal/attestation/qemu",
|
||||
"//internal/attestation/vtpm",
|
||||
"//internal/oid",
|
||||
"//internal/variant",
|
||||
],
|
||||
)
|
||||
|
||||
@ -26,7 +26,7 @@ go_test(
|
||||
embed = [":choose"],
|
||||
deps = [
|
||||
"//internal/attestation/idkeydigest",
|
||||
"//internal/oid",
|
||||
"//internal/variant",
|
||||
"@com_github_stretchr_testify//assert",
|
||||
"@com_github_stretchr_testify//require",
|
||||
],
|
||||
|
@ -18,47 +18,47 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/qemu"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
)
|
||||
|
||||
// Issuer returns the issuer for the given variant.
|
||||
func Issuer(variant oid.Getter, log vtpm.AttestationLogger) (atls.Issuer, error) {
|
||||
switch variant {
|
||||
case oid.AWSNitroTPM{}:
|
||||
func Issuer(attestationVariant variant.Variant, log vtpm.AttestationLogger) (atls.Issuer, error) {
|
||||
switch attestationVariant {
|
||||
case variant.AWSNitroTPM{}:
|
||||
return aws.NewIssuer(log), nil
|
||||
case oid.AzureTrustedLaunch{}:
|
||||
case variant.AzureTrustedLaunch{}:
|
||||
return trustedlaunch.NewIssuer(log), nil
|
||||
case oid.AzureSEVSNP{}:
|
||||
case variant.AzureSEVSNP{}:
|
||||
return snp.NewIssuer(log), nil
|
||||
case oid.GCPSEVES{}:
|
||||
case variant.GCPSEVES{}:
|
||||
return gcp.NewIssuer(log), nil
|
||||
case oid.QEMUVTPM{}:
|
||||
case variant.QEMUVTPM{}:
|
||||
return qemu.NewIssuer(log), nil
|
||||
case oid.Dummy{}:
|
||||
return atls.NewFakeIssuer(oid.Dummy{}), nil
|
||||
case variant.Dummy{}:
|
||||
return atls.NewFakeIssuer(variant.Dummy{}), nil
|
||||
default:
|
||||
return nil, fmt.Errorf("unknown attestation variant: %s", variant)
|
||||
return nil, fmt.Errorf("unknown attestation variant: %s", attestationVariant)
|
||||
}
|
||||
}
|
||||
|
||||
// Validator returns the validator for the given variant.
|
||||
func Validator(
|
||||
variant oid.Getter, measurements measurements.M, idKeyCfg idkeydigest.Config, log vtpm.AttestationLogger,
|
||||
attestationVariant variant.Variant, measurements measurements.M, idKeyCfg idkeydigest.Config, log vtpm.AttestationLogger,
|
||||
) (atls.Validator, error) {
|
||||
switch variant {
|
||||
case oid.AWSNitroTPM{}:
|
||||
switch attestationVariant {
|
||||
case variant.AWSNitroTPM{}:
|
||||
return aws.NewValidator(measurements, log), nil
|
||||
case oid.AzureTrustedLaunch{}:
|
||||
case variant.AzureTrustedLaunch{}:
|
||||
return trustedlaunch.NewValidator(measurements, log), nil
|
||||
case oid.AzureSEVSNP{}:
|
||||
case variant.AzureSEVSNP{}:
|
||||
return snp.NewValidator(measurements, idKeyCfg, log), nil
|
||||
case oid.GCPSEVES{}:
|
||||
case variant.GCPSEVES{}:
|
||||
return gcp.NewValidator(measurements, log), nil
|
||||
case oid.QEMUVTPM{}:
|
||||
case variant.QEMUVTPM{}:
|
||||
return qemu.NewValidator(measurements, log), nil
|
||||
case oid.Dummy{}:
|
||||
return atls.NewFakeValidator(oid.Dummy{}), nil
|
||||
case variant.Dummy{}:
|
||||
return atls.NewFakeValidator(variant.Dummy{}), nil
|
||||
default:
|
||||
return nil, fmt.Errorf("unknown attestation variant: %s", variant)
|
||||
return nil, fmt.Errorf("unknown attestation variant: %s", attestationVariant)
|
||||
}
|
||||
}
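Review bot: The doc comments on `Issuer` and `Validator` do not say that `variant.Dummy{}` returns `atls.NewFakeIssuer` / `atls.NewFakeValidator`, and the `validAttestVariant` hunk in this same commit lets `Dummy` through config validation for OpenStack, so a practitioner reading this dispatch cannot tell that one of the branches yields a non-attesting peer. I would extend the comment above `Issuer` to `// Issuer returns the issuer for the given attestation variant. variant.Dummy maps to atls.NewFakeIssuer, which presumably performs no real attestation, so a Dummy-variant connection must not be treated as attested.` and mirror it on `Validator`. Separately, the `switch attestationVariant { case variant.AWSNitroTPM{}: ... }` form compares interface values with `==`, so only the exact struct types declared in the variant package match, while the watcher hunk in this commit dispatches via the new `Equal` method; if OID-equality is the intended contract, `case attestationVariant.Equal(variant.AWSNitroTPM{}):` in a tagless switch would make the two sites agree, and if exact-type matching is intended, a one-line comment saying so would stop the next reader from "fixing" it.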
|
||||
|
@ -11,33 +11,33 @@ import (
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestIssuer(t *testing.T) {
|
||||
testCases := map[string]struct {
|
||||
variant oid.Getter
|
||||
variant variant.Variant
|
||||
wantErr bool
|
||||
}{
|
||||
"aws-nitro-tpm": {
|
||||
variant: oid.AWSNitroTPM{},
|
||||
variant: variant.AWSNitroTPM{},
|
||||
},
|
||||
"azure-sev-snp": {
|
||||
variant: oid.AzureSEVSNP{},
|
||||
variant: variant.AzureSEVSNP{},
|
||||
},
|
||||
"azure-trusted-launch": {
|
||||
variant: oid.AzureTrustedLaunch{},
|
||||
variant: variant.AzureTrustedLaunch{},
|
||||
},
|
||||
"gcp-sev-es": {
|
||||
variant: oid.GCPSEVES{},
|
||||
variant: variant.GCPSEVES{},
|
||||
},
|
||||
"qemu-vtpm": {
|
||||
variant: oid.QEMUVTPM{},
|
||||
variant: variant.QEMUVTPM{},
|
||||
},
|
||||
"dummy": {
|
||||
variant: oid.Dummy{},
|
||||
variant: variant.Dummy{},
|
||||
},
|
||||
"unknown": {
|
||||
variant: unknownVariant{},
|
||||
@ -64,26 +64,26 @@ func TestIssuer(t *testing.T) {
|
||||
|
||||
func TestValidator(t *testing.T) {
|
||||
testCases := map[string]struct {
|
||||
variant oid.Getter
|
||||
variant variant.Variant
|
||||
wantErr bool
|
||||
}{
|
||||
"aws-nitro-tpm": {
|
||||
variant: oid.AWSNitroTPM{},
|
||||
variant: variant.AWSNitroTPM{},
|
||||
},
|
||||
"azure-sev-snp": {
|
||||
variant: oid.AzureSEVSNP{},
|
||||
variant: variant.AzureSEVSNP{},
|
||||
},
|
||||
"azure-trusted-launch": {
|
||||
variant: oid.AzureTrustedLaunch{},
|
||||
variant: variant.AzureTrustedLaunch{},
|
||||
},
|
||||
"gcp-sev-es": {
|
||||
variant: oid.GCPSEVES{},
|
||||
variant: variant.GCPSEVES{},
|
||||
},
|
||||
"qemu-vtpm": {
|
||||
variant: oid.QEMUVTPM{},
|
||||
variant: variant.QEMUVTPM{},
|
||||
},
|
||||
"dummy": {
|
||||
variant: oid.Dummy{},
|
||||
variant: variant.Dummy{},
|
||||
},
|
||||
"unknown": {
|
||||
variant: unknownVariant{},
|
||||
@ -113,3 +113,11 @@ type unknownVariant struct{}
|
||||
func (unknownVariant) OID() asn1.ObjectIdentifier {
|
||||
return asn1.ObjectIdentifier{1, 3, 9900, 9999, 9999}
|
||||
}
|
||||
|
||||
func (unknownVariant) String() string {
|
||||
return "unknown"
|
||||
}
|
||||
|
||||
func (unknownVariant) Equal(other variant.Getter) bool {
|
||||
return other.OID().Equal(unknownVariant{}.OID())
|
||||
}
|
||||
|
@ -13,7 +13,7 @@ go_library(
|
||||
deps = [
|
||||
"//internal/attestation/measurements",
|
||||
"//internal/attestation/vtpm",
|
||||
"//internal/oid",
|
||||
"//internal/variant",
|
||||
"@com_github_google_go_tpm_tools//client",
|
||||
"@com_github_google_go_tpm_tools//proto/attest",
|
||||
"@com_github_googleapis_gax_go_v2//:gax-go",
|
||||
|
@ -14,14 +14,14 @@ import (
|
||||
|
||||
"cloud.google.com/go/compute/metadata"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
tpmclient "github.com/google/go-tpm-tools/client"
|
||||
"github.com/google/go-tpm-tools/proto/attest"
|
||||
)
|
||||
|
||||
// Issuer for GCP confidential VM attestation.
|
||||
type Issuer struct {
|
||||
oid.GCPSEVES
|
||||
variant.GCPSEVES
|
||||
*vtpm.Issuer
|
||||
}
|
||||
|
||||
|
@ -18,7 +18,7 @@ import (
|
||||
"cloud.google.com/go/compute/apiv1/computepb"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/google/go-tpm-tools/proto/attest"
|
||||
"github.com/googleapis/gax-go/v2"
|
||||
"google.golang.org/api/option"
|
||||
@ -28,7 +28,7 @@ const minimumGceVersion = 1
|
||||
|
||||
// Validator for GCP confidential VM attestation.
|
||||
type Validator struct {
|
||||
oid.GCPSEVES
|
||||
variant.GCPSEVES
|
||||
*vtpm.Validator
|
||||
|
||||
restClient func(context.Context, ...option.ClientOption) (gcpRestClient, error)
|
||||
|
@ -12,7 +12,7 @@ go_library(
|
||||
deps = [
|
||||
"//internal/attestation/measurements",
|
||||
"//internal/attestation/vtpm",
|
||||
"//internal/oid",
|
||||
"//internal/variant",
|
||||
"@com_github_google_go_tpm//tpm2",
|
||||
"@com_github_google_go_tpm_tools//client",
|
||||
"@com_github_google_go_tpm_tools//proto/attest",
|
||||
|
@ -11,13 +11,13 @@ import (
|
||||
"io"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
tpmclient "github.com/google/go-tpm-tools/client"
|
||||
)
|
||||
|
||||
// Issuer for qemu TPM attestation.
|
||||
type Issuer struct {
|
||||
oid.QEMUVTPM
|
||||
variant.QEMUVTPM
|
||||
*vtpm.Issuer
|
||||
}
|
||||
|
||||
|
@ -12,14 +12,14 @@ import (
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/google/go-tpm-tools/proto/attest"
|
||||
"github.com/google/go-tpm/tpm2"
|
||||
)
|
||||
|
||||
// Validator for QEMU VM attestation.
|
||||
type Validator struct {
|
||||
oid.QEMUVTPM
|
||||
variant.QEMUVTPM
|
||||
*vtpm.Validator
|
||||
}
|
||||
|
||||
|
@ -22,7 +22,7 @@ go_library(
|
||||
"//internal/config/instancetypes",
|
||||
"//internal/constants",
|
||||
"//internal/file",
|
||||
"//internal/oid",
|
||||
"//internal/variant",
|
||||
"//internal/versions",
|
||||
"//internal/versionsapi",
|
||||
"@com_github_go_playground_locales//en",
|
||||
@ -49,7 +49,7 @@ go_test(
|
||||
"//internal/config/instancetypes",
|
||||
"//internal/constants",
|
||||
"//internal/file",
|
||||
"//internal/oid",
|
||||
"//internal/variant",
|
||||
"@com_github_go_playground_locales//en",
|
||||
"@com_github_go_playground_universal_translator//:universal-translator",
|
||||
"@com_github_go_playground_validator_v10//:validator",
|
||||
|
@ -16,7 +16,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/config/instancetypes"
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/go-playground/locales/en"
|
||||
ut "github.com/go-playground/universal-translator"
|
||||
"github.com/go-playground/validator/v10"
|
||||
@ -123,7 +123,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
|
||||
c := Default()
|
||||
c.RemoveProviderExcept(cloudprovider.Azure)
|
||||
c.Image = "v" + constants.VersionInfo()
|
||||
c.AttestationVariant = oid.AzureSEVSNP{}.String()
|
||||
c.AttestationVariant = variant.AzureSEVSNP{}.String()
|
||||
c.Provider.Azure.SubscriptionID = "f4278079-288c-4766-a98c-ab9d5dba01a5"
|
||||
c.Provider.Azure.TenantID = "d4ff9d63-6d6d-4042-8f6a-21e804add5aa"
|
||||
c.Provider.Azure.Location = "westus"
|
||||
@ -143,7 +143,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
|
||||
c := Default()
|
||||
c.RemoveProviderExcept(cloudprovider.Azure)
|
||||
c.Image = "v" + constants.VersionInfo()
|
||||
c.AttestationVariant = oid.AzureSEVSNP{}.String()
|
||||
c.AttestationVariant = variant.AzureSEVSNP{}.String()
|
||||
c.Provider.Azure.SubscriptionID = "f4278079-288c-4766-a98c-ab9d5dba01a5"
|
||||
c.Provider.Azure.TenantID = "d4ff9d63-6d6d-4042-8f6a-21e804add5aa"
|
||||
c.Provider.Azure.Location = "westus"
|
||||
@ -235,7 +235,7 @@ func TestValidate(t *testing.T) {
|
||||
cnf: func() *Config {
|
||||
cnf := Default()
|
||||
cnf.Image = "v" + constants.VersionInfo()
|
||||
cnf.AttestationVariant = oid.AzureSEVSNP{}.String()
|
||||
cnf.AttestationVariant = variant.AzureSEVSNP{}.String()
|
||||
az := cnf.Provider.Azure
|
||||
az.SubscriptionID = "01234567-0123-0123-0123-0123456789ab"
|
||||
az.TenantID = "01234567-0123-0123-0123-0123456789ab"
|
||||
@ -265,7 +265,7 @@ func TestValidate(t *testing.T) {
|
||||
cnf: func() *Config {
|
||||
cnf := Default()
|
||||
cnf.Image = "v" + constants.VersionInfo()
|
||||
cnf.AttestationVariant = oid.GCPSEVES{}.String()
|
||||
cnf.AttestationVariant = variant.GCPSEVES{}.String()
|
||||
gcp := cnf.Provider.GCP
|
||||
gcp.Region = "test-region"
|
||||
gcp.Project = "test-project"
|
||||
|
@ -20,7 +20,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/compatibility"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config/instancetypes"
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/edgelesssys/constellation/v2/internal/versions"
|
||||
"github.com/edgelesssys/constellation/v2/internal/versionsapi"
|
||||
ut "github.com/go-playground/universal-translator"
|
||||
@ -482,23 +482,23 @@ func (c *Config) validAttestVariant(_ validator.FieldLevel) bool {
|
||||
// TODO: v2.8: remove variant fallback and make variant a required field
|
||||
c.addMissingVariant()
|
||||
|
||||
variant, err := oid.FromString(c.AttestationVariant)
|
||||
attestationVariant, err := variant.FromString(c.AttestationVariant)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
// make sure the variant is valid for the chosen CSP
|
||||
switch variant {
|
||||
case oid.AWSNitroTPM{}:
|
||||
switch attestationVariant {
|
||||
case variant.AWSNitroTPM{}:
|
||||
return c.Provider.AWS != nil
|
||||
case oid.AzureSEVSNP{}, oid.AzureTrustedLaunch{}:
|
||||
case variant.AzureSEVSNP{}, variant.AzureTrustedLaunch{}:
|
||||
return c.Provider.Azure != nil
|
||||
// TODO(malt3): remove this case once we have a vTPM for OpenStack
|
||||
case oid.Dummy{}:
|
||||
case variant.Dummy{}:
|
||||
return c.Provider.OpenStack != nil
|
||||
case oid.GCPSEVES{}:
|
||||
case variant.GCPSEVES{}:
|
||||
return c.Provider.GCP != nil
|
||||
case oid.QEMUVTPM{}:
|
||||
case variant.QEMUVTPM{}:
|
||||
return c.Provider.QEMU != nil
|
||||
default:
|
||||
return false
|
||||
@ -513,12 +513,12 @@ func (c *Config) addMissingVariant() {
|
||||
|
||||
switch c.GetProvider() {
|
||||
case cloudprovider.AWS:
|
||||
c.AttestationVariant = oid.AWSNitroTPM{}.String()
|
||||
c.AttestationVariant = variant.AWSNitroTPM{}.String()
|
||||
case cloudprovider.Azure:
|
||||
c.AttestationVariant = oid.AzureSEVSNP{}.String()
|
||||
c.AttestationVariant = variant.AzureSEVSNP{}.String()
|
||||
case cloudprovider.GCP:
|
||||
c.AttestationVariant = oid.GCPSEVES{}.String()
|
||||
c.AttestationVariant = variant.GCPSEVES{}.String()
|
||||
case cloudprovider.QEMU:
|
||||
c.AttestationVariant = oid.QEMUVTPM{}.String()
|
||||
c.AttestationVariant = variant.QEMUVTPM{}.String()
|
||||
}
|
||||
}
|
||||
|
@ -22,7 +22,7 @@ go_test(
|
||||
"//internal/atls",
|
||||
"//internal/grpc/atlscredentials",
|
||||
"//internal/grpc/testdialer",
|
||||
"//internal/oid",
|
||||
"//internal/variant",
|
||||
"@com_github_stretchr_testify//assert",
|
||||
"@com_github_stretchr_testify//require",
|
||||
"@org_golang_google_grpc//:go_default_library",
|
||||
|
@ -13,7 +13,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/atls"
|
||||
"github.com/edgelesssys/constellation/v2/internal/grpc/atlscredentials"
|
||||
"github.com/edgelesssys/constellation/v2/internal/grpc/testdialer"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"go.uber.org/goleak"
|
||||
@ -75,8 +75,8 @@ func TestDial(t *testing.T) {
|
||||
require := require.New(t)
|
||||
|
||||
netDialer := testdialer.NewBufconnDialer()
|
||||
dialer := New(nil, atls.NewFakeValidator(oid.Dummy{}), netDialer)
|
||||
server := newServer(oid.Dummy{}, tc.tls)
|
||||
dialer := New(nil, atls.NewFakeValidator(variant.Dummy{}), netDialer)
|
||||
server := newServer(variant.Dummy{}, tc.tls)
|
||||
api := &testAPI{}
|
||||
grpc_testing.RegisterTestServiceServer(server, api)
|
||||
go server.Serve(netDialer.GetListener("192.0.2.1:1234"))
|
||||
@ -97,7 +97,7 @@ func TestDial(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func newServer(oid oid.Getter, tls bool) *grpc.Server {
|
||||
func newServer(oid variant.Getter, tls bool) *grpc.Server {
|
||||
if tls {
|
||||
creds := atlscredentials.New(atls.NewFakeIssuer(oid), nil)
|
||||
return grpc.NewServer(grpc.Creds(creds))
|
||||
|
@ -6,3 +6,10 @@ go_library(
|
||||
importpath = "github.com/edgelesssys/constellation/v2/internal/oid",
|
||||
visibility = ["//:__subpackages__"],
|
||||
)
|
||||
|
||||
go_library(
|
||||
name = "variant",
|
||||
srcs = ["variant.go"],
|
||||
importpath = "github.com/edgelesssys/constellation/v2/internal/variant",
|
||||
visibility = ["//:__subpackages__"],
|
||||
)
|
@ -5,7 +5,11 @@ SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
|
||||
/*
|
||||
Package oid defines OIDs for different CSPs. Currently this is used in attested TLS to distinguish the attestation documents.
|
||||
Package variant defines Attestation variants for different CSPs.
|
||||
|
||||
Each variant defines an OID, a string representation, and a function to compare it to other OIDs.
|
||||
|
||||
The OID is used in attested TLS to distinguish the attestation documents.
|
||||
OIDs beginning with 1.3.9900 are reserved and can be used without registration.
|
||||
|
||||
* The 1.3.9900.1 branch is reserved for placeholder values and testing.
|
||||
@ -20,21 +24,41 @@ OIDs beginning with 1.3.9900 are reserved and can be used without registration.
|
||||
|
||||
Deprecated OIDs should never be reused for different purposes.
|
||||
Instead, new OIDs should be added in the appropriate branch at the next available index.
|
||||
|
||||
String representation should be lowercase and contain only letters, numbers, and hyphens.
|
||||
They should be prefixed with the branch name, e.g. all variants in the 1.3.9900.2 (AWS) branch should start with "aws-".
|
||||
Each variant should have a unique string representation.
|
||||
*/
|
||||
package oid
|
||||
package variant
|
||||
|
||||
import (
|
||||
"encoding/asn1"
|
||||
"fmt"
|
||||
)
|
||||
|
||||
const (
|
||||
dummy = "dummy"
|
||||
awsNitroTPM = "aws-nitro-tpm"
|
||||
gcpSEVES = "gcp-sev-es"
|
||||
azureSEVSNP = "azure-sev-snp"
|
||||
azureTrustedLaunch = "azure-trustedlaunch"
|
||||
qemuVTPM = "qemu-vtpm"
|
||||
)
|
||||
|
||||
// Getter returns an ASN.1 Object Identifier.
|
||||
type Getter interface {
|
||||
OID() asn1.ObjectIdentifier
|
||||
}
|
||||
|
||||
// Variant describes an attestation variant.
|
||||
type Variant interface {
|
||||
Getter
|
||||
String() string
|
||||
Equal(other Getter) bool
|
||||
}
|
||||
|
||||
// FromString returns the OID for the given string.
|
||||
func FromString(oid string) (Getter, error) {
|
||||
func FromString(oid string) (Variant, error) {
|
||||
switch oid {
|
||||
case dummy:
|
||||
return Dummy{}, nil
|
||||
@ -65,6 +89,11 @@ func (Dummy) String() string {
|
||||
return dummy
|
||||
}
|
||||
|
||||
// Equal returns true if the other variant is also a Dummy.
|
||||
func (Dummy) Equal(other Getter) bool {
|
||||
return other.OID().Equal(Dummy{}.OID())
|
||||
}
|
||||
|
||||
// AWSNitroTPM holds the AWS nitro TPM OID.
|
||||
type AWSNitroTPM struct{}
|
||||
|
||||
@ -78,6 +107,11 @@ func (AWSNitroTPM) String() string {
|
||||
return awsNitroTPM
|
||||
}
|
||||
|
||||
// Equal returns true if the other variant is also AWSNitroTPM.
|
||||
func (AWSNitroTPM) Equal(other Getter) bool {
|
||||
return other.OID().Equal(AWSNitroTPM{}.OID())
|
||||
}
|
||||
|
||||
// GCPSEVES holds the GCP SEV-ES OID.
|
||||
type GCPSEVES struct{}
|
||||
|
||||
@ -91,6 +125,11 @@ func (GCPSEVES) String() string {
|
||||
return gcpSEVES
|
||||
}
|
||||
|
||||
// Equal returns true if the other variant is also GCPSEVES.
|
||||
func (GCPSEVES) Equal(other Getter) bool {
|
||||
return other.OID().Equal(GCPSEVES{}.OID())
|
||||
}
|
||||
|
||||
// AzureSEVSNP holds the OID for Azure SNP CVMs.
|
||||
type AzureSEVSNP struct{}
|
||||
|
||||
@ -104,6 +143,11 @@ func (AzureSEVSNP) String() string {
|
||||
return azureSEVSNP
|
||||
}
|
||||
|
||||
// Equal returns true if the other variant is also AzureSEVSNP.
|
||||
func (AzureSEVSNP) Equal(other Getter) bool {
|
||||
return other.OID().Equal(AzureSEVSNP{}.OID())
|
||||
}
|
||||
|
||||
// AzureTrustedLaunch holds the OID for Azure TrustedLaunch VMs.
|
||||
type AzureTrustedLaunch struct{}
|
||||
|
||||
@ -117,6 +161,11 @@ func (AzureTrustedLaunch) String() string {
|
||||
return azureTrustedLaunch
|
||||
}
|
||||
|
||||
// Equal returns true if the other variant is also AzureTrustedLaunch.
|
||||
func (AzureTrustedLaunch) Equal(other Getter) bool {
|
||||
return other.OID().Equal(AzureTrustedLaunch{}.OID())
|
||||
}
|
||||
|
||||
// QEMUVTPM holds the QEMUVTPM OID.
|
||||
type QEMUVTPM struct{}
|
||||
|
||||
@ -130,11 +179,7 @@ func (QEMUVTPM) String() string {
|
||||
return qemuVTPM
|
||||
}
|
||||
|
||||
const (
|
||||
dummy = "dummy"
|
||||
awsNitroTPM = "aws-nitro-tpm"
|
||||
gcpSEVES = "gcp-sev-es"
|
||||
azureSEVSNP = "azure-sev-snp"
|
||||
azureTrustedLaunch = "azure-trustedlaunch"
|
||||
qemuVTPM = "qemu-vtpm"
|
||||
)
|
||||
// Equal returns true if the other variant is also QEMUVTPM.
|
||||
func (QEMUVTPM) Equal(other Getter) bool {
|
||||
return other.OID().Equal(QEMUVTPM{}.OID())
|
||||
}
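Review bot: Every new `Equal` method dereferences its argument unconditionally (`other.OID()`), so a nil `Getter` passed to e.g. `Dummy{}.Equal(nil)` panics instead of returning false, and the same one-line body is repeated six times, which invites the copies to drift. A small unexported helper with a nil guard keeps the panic out of a comparison that callers will naturally write as `cfgVariant.Equal(expected)` on a value that may not have been set. The `FromString` doc comment also still reads "returns the OID for the given string" although the hunk changes the return type to `Variant`; `// FromString returns the Variant whose string representation is s, or an error for an unknown string.` (and renaming the parameter from `oid` to `s`) would match the new signature.
```go
// equalOID reports whether other carries the same OID as self; a nil other never matches.
func equalOID(self, other Getter) bool {
	if other == nil {
		return false
	}
	return other.OID().Equal(self.OID())
}

// Equal returns true if the other variant is also a Dummy.
func (Dummy) Equal(other Getter) bool {
	return equalOID(Dummy{}, other)
}
// … unchanged: AWSNitroTPM, GCPSEVES, AzureSEVSNP, AzureTrustedLaunch and QEMUVTPM delegate to equalOID the same way …
```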
|
@ -17,7 +17,7 @@ go_library(
|
||||
"//internal/constants",
|
||||
"//internal/file",
|
||||
"//internal/logger",
|
||||
"//internal/oid",
|
||||
"//internal/variant",
|
||||
"@com_github_fsnotify_fsnotify//:fsnotify",
|
||||
"@com_github_spf13_afero//:afero",
|
||||
"@org_uber_go_zap//:zap",
|
||||
@ -39,7 +39,7 @@ go_test(
|
||||
"//internal/constants",
|
||||
"//internal/file",
|
||||
"//internal/logger",
|
||||
"//internal/oid",
|
||||
"//internal/variant",
|
||||
"@com_github_fsnotify_fsnotify//:fsnotify",
|
||||
"@com_github_spf13_afero//:afero",
|
||||
"@com_github_stretchr_testify//assert",
|
||||
|
@ -22,7 +22,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/spf13/afero"
|
||||
)
|
||||
|
||||
@ -31,12 +31,12 @@ type Updatable struct {
|
||||
log *logger.Logger
|
||||
mux sync.Mutex
|
||||
fileHandler file.Handler
|
||||
variant oid.Getter
|
||||
variant variant.Variant
|
||||
atls.Validator
|
||||
}
|
||||
|
||||
// NewValidator initializes a new updatable validator.
|
||||
func NewValidator(log *logger.Logger, variant oid.Getter, fileHandler file.Handler) (*Updatable, error) {
|
||||
func NewValidator(log *logger.Logger, variant variant.Variant, fileHandler file.Handler) (*Updatable, error) {
|
||||
u := &Updatable{
|
||||
log: log,
|
||||
fileHandler: fileHandler,
|
||||
@ -78,7 +78,7 @@ func (u *Updatable) Update() error {
|
||||
|
||||
// Read ID Key config
|
||||
var idKeyCfg idkeydigest.Config
|
||||
if u.variant.OID().Equal(oid.AzureSEVSNP{}.OID()) {
|
||||
if u.variant.Equal(variant.AzureSEVSNP{}) {
|
||||
u.log.Infof("Updating SEV-SNP ID Key config")
|
||||
|
||||
err := u.fileHandler.ReadJSON(filepath.Join(constants.ServiceBasePath, constants.IDKeyConfigFilename), &idKeyCfg)
|
||||
|
@ -24,7 +24,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
@ -40,24 +40,24 @@ func TestMain(m *testing.M) {
|
||||
|
||||
func TestNewUpdateableValidator(t *testing.T) {
|
||||
testCases := map[string]struct {
|
||||
variant oid.Getter
|
||||
variant variant.Variant
|
||||
writeFile bool
|
||||
wantErr bool
|
||||
}{
|
||||
"azure": {
|
||||
variant: oid.AzureSEVSNP{},
|
||||
variant: variant.AzureSEVSNP{},
|
||||
writeFile: true,
|
||||
},
|
||||
"gcp": {
|
||||
variant: oid.GCPSEVES{},
|
||||
variant: variant.GCPSEVES{},
|
||||
writeFile: true,
|
||||
},
|
||||
"qemu": {
|
||||
variant: oid.QEMUVTPM{},
|
||||
variant: variant.QEMUVTPM{},
|
||||
writeFile: true,
|
||||
},
|
||||
"no file": {
|
||||
variant: oid.AzureSEVSNP{},
|
||||
variant: variant.AzureSEVSNP{},
|
||||
writeFile: false,
|
||||
wantErr: true,
|
||||
},
|
||||
@ -112,7 +112,7 @@ func TestUpdate(t *testing.T) {
|
||||
// create server
|
||||
validator := &Updatable{
|
||||
log: logger.NewTest(t),
|
||||
variant: oid.Dummy{},
|
||||
variant: variant.Dummy{},
|
||||
fileHandler: handler,
|
||||
}
|
||||
|
||||
@ -146,7 +146,7 @@ func TestUpdate(t *testing.T) {
|
||||
defer server.Close()
|
||||
|
||||
// test connection to server
|
||||
clientOID := oid.Dummy{}
|
||||
clientOID := variant.Dummy{}
|
||||
resp, err := testConnection(require, server.URL, clientOID)
|
||||
require.NoError(err)
|
||||
defer resp.Body.Close()
|
||||
@ -155,7 +155,7 @@ func TestUpdate(t *testing.T) {
|
||||
assert.EqualValues("hello", body)
|
||||
|
||||
// update the server's validator
|
||||
validator.variant = oid.QEMUVTPM{}
|
||||
validator.variant = variant.QEMUVTPM{}
|
||||
require.NoError(validator.Update())
|
||||
|
||||
// client connection should fail now, since the server's validator expects a different OID from the client
|
||||
@ -198,7 +198,7 @@ func TestOIDConcurrency(t *testing.T) {
|
||||
// create server
|
||||
validator := &Updatable{
|
||||
log: logger.NewTest(t),
|
||||
variant: oid.Dummy{},
|
||||
variant: variant.Dummy{},
|
||||
fileHandler: handler,
|
||||
}
|
||||
|
||||
@ -228,7 +228,7 @@ func TestUpdateConcurrency(t *testing.T) {
|
||||
validator := &Updatable{
|
||||
log: logger.NewTest(t),
|
||||
fileHandler: handler,
|
||||
variant: oid.Dummy{},
|
||||
variant: variant.Dummy{},
|
||||
}
|
||||
require.NoError(handler.WriteJSON(
|
||||
filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename),
|
||||
@ -256,7 +256,7 @@ func TestUpdateConcurrency(t *testing.T) {
|
||||
wg.Wait()
|
||||
}
|
||||
|
||||
func testConnection(require *require.Assertions, url string, oid oid.Getter) (*http.Response, error) {
|
||||
func testConnection(require *require.Assertions, url string, oid variant.Getter) (*http.Response, error) {
|
||||
clientConfig, err := atls.CreateAttestationClientTLSConfig(fakeIssuer{oid}, nil)
|
||||
require.NoError(err)
|
||||
client := http.Client{Transport: &http.Transport{TLSClientConfig: clientConfig}}
|
||||
@ -267,7 +267,7 @@ func testConnection(require *require.Assertions, url string, oid oid.Getter) (*h
|
||||
}
|
||||
|
||||
type fakeIssuer struct {
|
||||
oid.Getter
|
||||
variant.Getter
|
||||
}
|
||||
|
||||
func (fakeIssuer) Issue(_ context.Context, userData []byte, nonce []byte) ([]byte, error) {
|
||||
@ -280,6 +280,14 @@ func (o fakeOID) OID() asn1.ObjectIdentifier {
|
||||
return asn1.ObjectIdentifier(o)
|
||||
}
|
||||
|
||||
func (o fakeOID) String() string {
|
||||
return o.OID().String()
|
||||
}
|
||||
|
||||
func (o fakeOID) Equal(other variant.Getter) bool {
|
||||
return o.OID().Equal(other.OID())
|
||||
}
|
||||
|
||||
type fakeDoc struct {
|
||||
UserData []byte
|
||||
Nonce []byte
|
||||
|
@ -18,7 +18,7 @@ go_library(
|
||||
"//internal/file",
|
||||
"//internal/grpc/atlscredentials",
|
||||
"//internal/logger",
|
||||
"//internal/oid",
|
||||
"//internal/variant",
|
||||
"//internal/watcher",
|
||||
"//joinservice/internal/kms",
|
||||
"//joinservice/internal/kubeadm",
|
||||
|
@ -27,7 +27,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||
"github.com/edgelesssys/constellation/v2/internal/grpc/atlscredentials"
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/edgelesssys/constellation/v2/internal/watcher"
|
||||
"github.com/edgelesssys/constellation/v2/joinservice/internal/kms"
|
||||
"github.com/edgelesssys/constellation/v2/joinservice/internal/kubeadm"
|
||||
@ -56,7 +56,7 @@ func main() {
|
||||
|
||||
handler := file.NewHandler(afero.NewOsFs())
|
||||
|
||||
variant, err := oid.FromString(*attestationVariant)
|
||||
variant, err := variant.FromString(*attestationVariant)
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to parse attestation variant")
|
||||
}
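Review bot: `variant, err := variant.FromString(*attestationVariant)` shadows the imported `variant` package for the remainder of main(): it compiles only because Go resolves the right-hand side before the new variable's scope begins, but any later use of the package inside main() (for example `variant.Dummy{}`) would fail to build, and linters such as gocritic's importShadow flag it. The measurement-reader hunk in this same commit already avoids the clash by naming the string `variantString`, so this file should follow suit, e.g. `attestVariant, err := variant.FromString(*attestationVariant)` with the subsequent uses renamed to match. main() continues beyond this hunk, so those later uses of the local are not visible here and need updating alongside.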
|
||||
|
@ -9,7 +9,7 @@ go_library(
|
||||
deps = [
|
||||
"//internal/constants",
|
||||
"//internal/logger",
|
||||
"//internal/oid",
|
||||
"//internal/variant",
|
||||
"//measurement-reader/internal/sorted",
|
||||
"//measurement-reader/internal/tpm",
|
||||
"@org_uber_go_zap//:zap",
|
||||
|
@ -12,7 +12,7 @@ import (
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/edgelesssys/constellation/v2/measurement-reader/internal/sorted"
|
||||
"github.com/edgelesssys/constellation/v2/measurement-reader/internal/tpm"
|
||||
"go.uber.org/zap"
|
||||
@ -21,21 +21,21 @@ import (
|
||||
|
||||
func main() {
|
||||
log := logger.New(logger.JSONLog, zapcore.InfoLevel)
|
||||
variant := os.Getenv(constants.AttestationVariant)
|
||||
attestationVariant, err := oid.FromString(variant)
|
||||
variantString := os.Getenv(constants.AttestationVariant)
|
||||
attestationVariant, err := variant.FromString(variantString)
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to parse attestation variant")
|
||||
}
|
||||
|
||||
var m []sorted.Measurement
|
||||
switch attestationVariant {
|
||||
case oid.AWSNitroTPM{}, oid.AzureSEVSNP{}, oid.AzureTrustedLaunch{}, oid.GCPSEVES{}, oid.QEMUVTPM{}:
|
||||
case variant.AWSNitroTPM{}, variant.AzureSEVSNP{}, variant.AzureTrustedLaunch{}, variant.GCPSEVES{}, variant.QEMUVTPM{}:
|
||||
m, err = tpm.Measurements()
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to read TPM measurements")
|
||||
}
|
||||
default:
|
||||
log.With(zap.String("attestationVariant", variant)).Fatalf("Unsupported attestation variant")
|
||||
log.With(zap.String("attestationVariant", variantString)).Fatalf("Unsupported attestation variant")
|
||||
}
|
||||
|
||||
fmt.Println("Measurements:")
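Review bot: The `switch attestationVariant` on the `case variant.AWSNitroTPM{}, variant.AzureSEVSNP{}, ...` line dispatches by `==` on interface values against zero-value struct literals; that only works while every variant type stays a comparable empty struct with a value receiver, and any mismatch degrades silently to the `Unsupported attestation variant` fatal rather than a compile error. The test hunk above shows the getter contract now carrying `Equal(other variant.Getter) bool` (fakeOID implements it), so if that method is part of `variant.Getter` the dispatch could use it, or a type switch on the concrete types, to stay tied to the package's own equality notion. I cannot see the interface definition from this page, so confirm which form the package intends before changing it. main() continues beyond this hunk.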
|
||||
|
@ -9,7 +9,7 @@ go_library(
|
||||
"//internal/attestation/choose",
|
||||
"//internal/constants",
|
||||
"//internal/logger",
|
||||
"//internal/oid",
|
||||
"//internal/variant",
|
||||
"//verify/server",
|
||||
"@org_uber_go_zap//:zap",
|
||||
],
|
||||
|
@ -14,7 +14,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
"github.com/edgelesssys/constellation/v2/internal/oid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/edgelesssys/constellation/v2/verify/server"
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
@ -29,7 +29,7 @@ func main() {
|
||||
log.With(zap.String("version", constants.VersionInfo()), zap.String("attestationVariant", *attestationVariant)).
|
||||
Infof("Constellation Verification Service")
|
||||
|
||||
variant, err := oid.FromString(*attestationVariant)
|
||||
variant, err := variant.FromString(*attestationVariant)
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to parse attestation variant")
|
||||
}
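Review bot: `variant, err := variant.FromString(*attestationVariant)` shadows the imported `variant` package for the rest of main(), exactly as in the joinservice hunk of this commit; the line compiles because the right-hand side is resolved before the new variable's scope opens, but the package is unusable further down in main() and gocritic's importShadow will flag it. Renaming the local keeps the two entrypoints consistent with the measurement-reader hunk, which already uses a distinct name: `attestVariant, err := variant.FromString(*attestationVariant)`, with the later uses of the local renamed accordingly. main() continues beyond this hunk, so those later uses are not visible here.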
|
||||
|