Refactor init/recovery to use kms URI

So far the masterSecret was sent to the initial bootstrapper on init/recovery. With this commit this information is encoded in the kmsURI that is sent during init. For recover, the communication with the recoveryserver is changed. Before a streaming gRPC call was used to exchanges UUID for measurementSecret and state disk key. Now a standard gRPC is made that includes the same kmsURI & storageURI that are sent during init.
2025-05-04 15:25:00 -04:00 · 2023-01-16 11:19:03 +01:00 · 2023-01-16 11:19:03 +01:00 · 9a1f52e94e
commit 9a1f52e94e
parent 0e71322e2e
35 changed files with 466 additions and 623 deletions
--- a/cli/internal/cmd/recover_test.go
+++ b/cli/internal/cmd/recover_test.go
@ -26,6 +26,7 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/grpc/atlscredentials"
 	"github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
 	"github.com/edgelesssys/constellation/v2/internal/grpc/testdialer"
+	kmssetup "github.com/edgelesssys/constellation/v2/internal/kms/setup"
 	"github.com/edgelesssys/constellation/v2/internal/logger"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
@ -156,7 +157,7 @@ func TestRecover(t *testing.T) {

 			require.NoError(fileHandler.WriteJSON(
 				"constellation-mastersecret.json",
-				masterSecret{Key: tc.masterSecret.Secret, Salt: tc.masterSecret.Salt},
+				kmssetup.MasterSecret{Key: tc.masterSecret.Secret, Salt: tc.masterSecret.Salt},
 				file.OptNone,
 			))

@ -244,101 +245,16 @@ func TestParseRecoverFlags(t *testing.T) {
 }

 func TestDoRecovery(t *testing.T) {
-	someErr := errors.New("error")
 	testCases := map[string]struct {
 		recoveryServer *stubRecoveryServer
 		wantErr        bool
 	}{
 		"success": {
-			recoveryServer: &stubRecoveryServer{
-				actions: [][]func(stream recoverproto.API_RecoverServer) error{{
-					func(stream recoverproto.API_RecoverServer) error {
-						_, err := stream.Recv()
-						return err
-					},
-					func(stream recoverproto.API_RecoverServer) error {
-						return stream.Send(&recoverproto.RecoverResponse{
-							DiskUuid: "00000000-0000-0000-0000-000000000000",
-						})
-					},
-					func(stream recoverproto.API_RecoverServer) error {
-						_, err := stream.Recv()
-						return err
-					},
-				}},
-			},
+			recoveryServer: &stubRecoveryServer{},
 		},
-		"error on first recv": {
-			recoveryServer: &stubRecoveryServer{
-				actions: [][]func(stream recoverproto.API_RecoverServer) error{
-					{
-						func(stream recoverproto.API_RecoverServer) error {
-							return someErr
-						},
-					},
-				},
-			},
-			wantErr: true,
-		},
-		"error on send": {
-			recoveryServer: &stubRecoveryServer{
-				actions: [][]func(stream recoverproto.API_RecoverServer) error{
-					{
-						func(stream recoverproto.API_RecoverServer) error {
-							_, err := stream.Recv()
-							return err
-						},
-						func(stream recoverproto.API_RecoverServer) error {
-							return someErr
-						},
-					},
-				},
-			},
-			wantErr: true,
-		},
-		"error on second recv": {
-			recoveryServer: &stubRecoveryServer{
-				actions: [][]func(stream recoverproto.API_RecoverServer) error{
-					{
-						func(stream recoverproto.API_RecoverServer) error {
-							_, err := stream.Recv()
-							return err
-						},
-						func(stream recoverproto.API_RecoverServer) error {
-							return stream.Send(&recoverproto.RecoverResponse{
-								DiskUuid: "00000000-0000-0000-0000-000000000000",
-							})
-						},
-						func(stream recoverproto.API_RecoverServer) error {
-							return someErr
-						},
-					},
-				},
-			},
-			wantErr: true,
-		},
-		"final message is an error": {
-			recoveryServer: &stubRecoveryServer{
-				actions: [][]func(stream recoverproto.API_RecoverServer) error{{
-					func(stream recoverproto.API_RecoverServer) error {
-						_, err := stream.Recv()
-						return err
-					},
-					func(stream recoverproto.API_RecoverServer) error {
-						return stream.Send(&recoverproto.RecoverResponse{
-							DiskUuid: "00000000-0000-0000-0000-000000000000",
-						})
-					},
-					func(stream recoverproto.API_RecoverServer) error {
-						_, err := stream.Recv()
-						return err
-					},
-					func(stream recoverproto.API_RecoverServer) error {
-						return someErr
-					},
-				}},
-			},
-			wantErr: true,
+		"server responds with error": {
+			recoveryServer: &stubRecoveryServer{recoverError: errors.New("someErr")},
+			wantErr:        true,
 		},
 	}

@ -357,13 +273,9 @@ func TestDoRecovery(t *testing.T) {

 			r := &recoverCmd{log: logger.NewTest(t)}
 			recoverDoer := &recoverDoer{
-				dialer:            dialer.New(nil, nil, netDialer),
-				endpoint:          addr,
-				measurementSecret: []byte("measurement-secret"),
-				getDiskKey: func(string) ([]byte, error) {
-					return []byte("disk-key"), nil
-				},
-				log: r.log,
+				dialer:   dialer.New(nil, nil, netDialer),
+				endpoint: addr,
+				log:      r.log,
 			}

 			err := recoverDoer.Do(context.Background())
@ -402,23 +314,15 @@ func TestDeriveStateDiskKey(t *testing.T) {
 }

 type stubRecoveryServer struct {
-	actions [][]func(recoverproto.API_RecoverServer) error
-	calls   int
+	recoverError error
 	recoverproto.UnimplementedAPIServer
 }

-func (s *stubRecoveryServer) Recover(stream recoverproto.API_RecoverServer) error {
-	if s.calls >= len(s.actions) {
-		return status.Error(codes.Unavailable, "server is unavailable")
+func (s *stubRecoveryServer) Recover(context.Context, *recoverproto.RecoverMessage) (*recoverproto.RecoverResponse, error) {
+	if s.recoverError != nil {
+		return nil, s.recoverError
 	}
-	s.calls++
-
-	for _, action := range s.actions[s.calls-1] {
-		if err := action(stream); err != nil {
-			return err
-		}
-	}
-	return nil
+	return &recoverproto.RecoverResponse{}, nil
 }

 type stubDoer struct {
@ -437,4 +341,4 @@ func (d *stubDoer) Do(context.Context) error {

 func (d *stubDoer) setDialer(grpcDialer, string) {}

-func (d *stubDoer) setSecrets(func(string) ([]byte, error), []byte) {}
+func (d *stubDoer) setURIs(kmsURI, storageURI string) {}