Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-09-21 21:44:39 -04:00
Code Issues Projects Releases Packages Wiki Activity

Generate random salt for key derivation on init (#309)

Browse source 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2022-07-29 09:52:47 +02:00 committed by GitHub
parent e0ce2e8a51
commit 9a3bd38912
25 changed files with 342 additions and 317 deletions
Download patch file Download diff file Expand all files Collapse all files

59
cli/internal/cmd/init.go
View file

@ -115,7 +115,8 @@ func initialize(cmd *cobra.Command, dialer grpcDialer, serviceAccCreator service
req := &initproto.InitRequest{
AutoscalingNodeGroups: autoscalingNodeGroups,
MasterSecret: flags.masterSecret,
MasterSecret: flags.masterSecret.Key,
Salt: flags.masterSecret.Salt,
KmsUri: kms.ClusterKMSURI,
StorageUri: kms.NoStoreURI,
KeyEncryptionKeyId: "",
@ -129,11 +130,7 @@ func initialize(cmd *cobra.Command, dialer grpcDialer, serviceAccCreator service
return err
}
if err := writeOutput(resp, controlPlanes.PublicIPs()[0], cmd.OutOrStdout(), fileHandler); err != nil {
return err
}
return nil
return writeOutput(resp, controlPlanes.PublicIPs()[0], cmd.OutOrStdout(), fileHandler)
}
func initCall(ctx context.Context, dialer grpcDialer, ip string, req *initproto.InitRequest) (*initproto.InitResponse, error) {
@ -185,7 +182,7 @@ func writeOutput(resp *initproto.InitResponse, ip string, wr io.Writer, fileHand
fmt.Fprintln(wr)
if err := fileHandler.Write(constants.AdminConfFilename, resp.Kubeconfig, file.OptNone); err != nil {
return fmt.Errorf("write kubeconfig: %w", err)
return fmt.Errorf("writing kubeconfig: %w", err)
}
idFile := clusterIDsFile{
@ -236,38 +233,52 @@ func evalFlagArgs(cmd *cobra.Command, fileHandler file.Handler) (initFlags, erro
// initFlags are the resulting values of flag preprocessing.
type initFlags struct {
configPath string
masterSecret []byte
masterSecret masterSecret
autoscale bool
}
// masterSecret holds the master key and salt for deriving keys.
type masterSecret struct {
Key []byte `json:"key"`
Salt []byte `json:"salt"`
}
// readOrGenerateMasterSecret reads a base64 encoded master secret from file or generates a new 32 byte secret.
func readOrGenerateMasterSecret(writer io.Writer, fileHandler file.Handler, filename string) ([]byte, error) {
func readOrGenerateMasterSecret(writer io.Writer, fileHandler file.Handler, filename string) (masterSecret, error) {
if filename != "" {
// Try to read the base64 secret from file
encodedSecret, err := fileHandler.Read(filename)
if err != nil {
return nil, err
var secret masterSecret
if err := fileHandler.ReadJSON(filename, &secret); err != nil {
return masterSecret{}, err
}
decoded, err := base64.StdEncoding.DecodeString(string(encodedSecret))
if err != nil {
return nil, err
if len(secret.Key) < crypto.MasterSecretLengthMin {
return masterSecret{}, fmt.Errorf("provided master secret is smaller than the required minimum of %d Bytes", crypto.MasterSecretLengthMin)
}
if len(decoded) < crypto.MasterSecretLengthMin {
return nil, errors.New("provided master secret is smaller than the required minimum of 16 Bytes")
if len(secret.Salt) < crypto.RNGLengthDefault {
return masterSecret{}, fmt.Errorf("provided salt is smaller than the required minimum of %d Bytes", crypto.RNGLengthDefault)
}
return decoded, nil
return secret, nil
}
// No file given, generate a new secret, and save it to disk
masterSecret, err := crypto.GenerateRandomBytes(crypto.MasterSecretLengthDefault)
key, err := crypto.GenerateRandomBytes(crypto.MasterSecretLengthDefault)
if err != nil {
return nil, err
return masterSecret{}, err
}
if err := fileHandler.Write(constants.MasterSecretFilename, []byte(base64.StdEncoding.EncodeToString(masterSecret)), file.OptNone); err != nil {
return nil, err
salt, err := crypto.GenerateRandomBytes(crypto.RNGLengthDefault)
if err != nil {
return masterSecret{}, err
}
secret := masterSecret{
Key: key,
Salt: salt,
}
if err := fileHandler.WriteJSON(constants.MasterSecretFilename, secret, file.OptNone); err != nil {
return masterSecret{}, err
}
fmt.Fprintf(writer, "Your Constellation master secret was successfully written to ./%s\n", constants.MasterSecretFilename)
return masterSecret, nil
return secret, nil
}
func getScalingGroupsFromState(stat state.ConstellationState, config *config.Config) (controlPlanes, workers cloudtypes.ScalingGroup, err error) {

115
cli/internal/cmd/init_test.go
View file

@ -256,59 +256,80 @@ func TestInitCompletion(t *testing.T) {
func TestReadOrGeneratedMasterSecret(t *testing.T) {
testCases := map[string]struct {
filename string
filecontent string
createFile bool
fs func() afero.Fs
wantErr bool
filename string
createFileFunc func(handler file.Handler) error
fs func() afero.Fs
wantErr bool
}{
"file with secret exists": {
filename: "someSecret",
filecontent: base64.StdEncoding.EncodeToString([]byte("ConstellationSecret")),
createFile: true,
fs: afero.NewMemMapFs,
wantErr: false,
filename: "someSecret",
fs: afero.NewMemMapFs,
createFileFunc: func(handler file.Handler) error {
return handler.WriteJSON(
"someSecret",
masterSecret{Key: []byte("constellation-master-secret"), Salt: []byte("constellation-32Byte-length-salt")},
file.OptNone,
)
},
wantErr: false,
},
"no file given": {
filename: "",
filecontent: "",
fs: afero.NewMemMapFs,
wantErr: false,
filename: "",
createFileFunc: func(handler file.Handler) error { return nil },
fs: afero.NewMemMapFs,
wantErr: false,
},
"file does not exist": {
filename: "nonExistingSecret",
filecontent: "",
createFile: false,
fs: afero.NewMemMapFs,
wantErr: true,
filename: "nonExistingSecret",
createFileFunc: func(handler file.Handler) error { return nil },
fs: afero.NewMemMapFs,
wantErr: true,
},
"file is empty": {
filename: "emptySecret",
filecontent: "",
createFile: true,
fs: afero.NewMemMapFs,
wantErr: true,
filename: "emptySecret",
createFileFunc: func(handler file.Handler) error {
return handler.Write("emptySecret", []byte{}, file.OptNone)
},
fs: afero.NewMemMapFs,
wantErr: true,
},
"secret too short": {
filename: "shortSecret",
filecontent: base64.StdEncoding.EncodeToString([]byte("short")),
createFile: true,
fs: afero.NewMemMapFs,
wantErr: true,
"salt too short": {
filename: "shortSecret",
createFileFunc: func(handler file.Handler) error {
return handler.WriteJSON(
"shortSecret",
masterSecret{Key: []byte("constellation-master-secret"), Salt: []byte("short")},
file.OptNone,
)
},
fs: afero.NewMemMapFs,
wantErr: true,
},
"secret not encoded": {
filename: "unencodedSecret",
filecontent: "Constellation",
createFile: true,
fs: afero.NewMemMapFs,
wantErr: true,
"key too short": {
filename: "shortSecret",
createFileFunc: func(handler file.Handler) error {
return handler.WriteJSON(
"shortSecret",
masterSecret{Key: []byte("short"), Salt: []byte("constellation-32Byte-length-salt")},
file.OptNone,
)
},
fs: afero.NewMemMapFs,
wantErr: true,
},
"invalid file content": {
filename: "unencodedSecret",
createFileFunc: func(handler file.Handler) error {
return handler.Write("unencodedSecret", []byte("invalid-constellation-master-secret"), file.OptNone)
},
fs: afero.NewMemMapFs,
wantErr: true,
},
"file not writeable": {
filename: "",
filecontent: "",
createFile: false,
fs: func() afero.Fs { return afero.NewReadOnlyFs(afero.NewMemMapFs()) },
wantErr: true,
filename: "",
createFileFunc: func(handler file.Handler) error { return nil },
fs: func() afero.Fs { return afero.NewReadOnlyFs(afero.NewMemMapFs()) },
wantErr: true,
},
}
@ -318,10 +339,7 @@ func TestReadOrGeneratedMasterSecret(t *testing.T) {
require := require.New(t)
fileHandler := file.NewHandler(tc.fs())
if tc.createFile {
require.NoError(fileHandler.Write(tc.filename, []byte(tc.filecontent), file.OptNone))
}
require.NoError(tc.createFileFunc(fileHandler))
var out bytes.Buffer
secret, err := readOrGenerateMasterSecret(&out, fileHandler, tc.filename)
@ -337,9 +355,10 @@ func TestReadOrGeneratedMasterSecret(t *testing.T) {
tc.filename = strings.Trim(filename[1], "\n")
}
content, err := fileHandler.Read(tc.filename)
require.NoError(err)
assert.Equal(content, []byte(base64.StdEncoding.EncodeToString(secret)))
var masterSecret masterSecret
require.NoError(fileHandler.ReadJSON(tc.filename, &masterSecret))
assert.Equal(masterSecret.Key, secret.Key)
assert.Equal(masterSecret.Salt, secret.Salt)
}
})
}

58
cli/internal/cmd/recover.go
View file

@ -1,7 +1,6 @@
package cmd
import (
"encoding/base64"
"errors"
"fmt"
"regexp"
@ -35,11 +34,11 @@ func NewRecoverCmd() *cobra.Command {
must(cmd.MarkFlagRequired("endpoint"))
cmd.Flags().String("disk-uuid", "", "disk UUID of the encrypted state disk (required)")
must(cmd.MarkFlagRequired("disk-uuid"))
cmd.Flags().String("master-secret", constants.MasterSecretFilename, "path to base64-encoded master secret")
cmd.Flags().String("master-secret", constants.MasterSecretFilename, "path to master secret file")
return cmd
}
func runRecover(cmd *cobra.Command, args []string) error {
func runRecover(cmd *cobra.Command, _ []string) error {
fileHandler := file.NewHandler(afero.NewOsFs())
recoveryClient := &proto.KeyClient{}
defer recoveryClient.Close()
@ -47,11 +46,16 @@ func runRecover(cmd *cobra.Command, args []string) error {
}
func recover(cmd *cobra.Command, fileHandler file.Handler, recoveryClient recoveryClient) error {
flags, err := parseRecoverFlags(cmd, fileHandler)
flags, err := parseRecoverFlags(cmd)
if err != nil {
return err
}
var masterSecret masterSecret
if err := fileHandler.ReadJSON(flags.secretPath, &masterSecret); err != nil {
return err
}
var stat state.ConstellationState
if err := fileHandler.ReadJSON(constants.StateFilename, &stat); err != nil {
return err
@ -74,12 +78,12 @@ func recover(cmd *cobra.Command, fileHandler file.Handler, recoveryClient recove
return err
}
diskKey, err := deriveStateDiskKey(flags.masterSecret, flags.diskUUID)
diskKey, err := deriveStateDiskKey(masterSecret.Key, masterSecret.Salt, flags.diskUUID)
if err != nil {
return err
}
measurementSecret, err := attestation.DeriveMeasurementSecret(flags.masterSecret)
measurementSecret, err := attestation.DeriveMeasurementSecret(masterSecret.Key, masterSecret.Salt)
if err != nil {
return err
}
@ -92,7 +96,7 @@ func recover(cmd *cobra.Command, fileHandler file.Handler, recoveryClient recove
return nil
}
func parseRecoverFlags(cmd *cobra.Command, fileHandler file.Handler) (recoverFlags, error) {
func parseRecoverFlags(cmd *cobra.Command) (recoverFlags, error) {
endpoint, err := cmd.Flags().GetString("endpoint")
if err != nil {
return recoverFlags{}, fmt.Errorf("parsing endpoint argument: %w", err)
@ -115,10 +119,6 @@ func parseRecoverFlags(cmd *cobra.Command, fileHandler file.Handler) (recoverFla
if err != nil {
return recoverFlags{}, fmt.Errorf("parsing master-secret path argument: %w", err)
}
masterSecret, err := readMasterSecret(fileHandler, masterSecretPath)
if err != nil {
return recoverFlags{}, fmt.Errorf("reading the master secret from file %s: %w", masterSecretPath, err)
}
configPath, err := cmd.Flags().GetString("config")
if err != nil {
@ -126,35 +126,21 @@ func parseRecoverFlags(cmd *cobra.Command, fileHandler file.Handler) (recoverFla
}
return recoverFlags{
endpoint: endpoint,
diskUUID: diskUUID,
masterSecret: masterSecret,
configPath: configPath,
endpoint: endpoint,
diskUUID: diskUUID,
secretPath: masterSecretPath,
configPath: configPath,
}, nil
}
type recoverFlags struct {
endpoint string
diskUUID string
masterSecret []byte
configPath string
endpoint string
diskUUID string
secretPath string
configPath string
}
// readMasterSecret reads a base64 encoded master secret from file.
func readMasterSecret(fileHandler file.Handler, filename string) ([]byte, error) {
// Try to read the base64 secret from file
encodedSecret, err := fileHandler.Read(filename)
if err != nil {
return nil, err
}
decoded, err := base64.StdEncoding.DecodeString(string(encodedSecret))
if err != nil {
return nil, err
}
return decoded, nil
}
// deriveStateDiskKey derives a state disk key from a master secret and a disk UUID.
func deriveStateDiskKey(masterKey []byte, diskUUID string) ([]byte, error) {
return crypto.DeriveKey(masterKey, []byte("Constellation"), []byte(crypto.HKDFInfoPrefix+diskUUID), crypto.StateDiskKeyLength)
// deriveStateDiskKey derives a state disk key from a master key, a salt, and a disk UUID.
func deriveStateDiskKey(masterKey, salt []byte, diskUUID string) ([]byte, error) {
return crypto.DeriveKey(masterKey, salt, []byte(crypto.HKDFInfoPrefix+diskUUID), crypto.StateDiskKeyLength)
}

167
cli/internal/cmd/recover_test.go
View file

@ -42,6 +42,13 @@ func TestRecover(t *testing.T) {
validState := state.ConstellationState{CloudProvider: "GCP"}
invalidCSPState := state.ConstellationState{CloudProvider: "invalid"}
writeMasterSecret := func(require *require.Assertions) afero.Fs {
fs := afero.NewMemMapFs()
handler := file.NewHandler(fs)
require.NoError(handler.WriteJSON("constellation-mastersecret.json", masterSecret{Key: []byte("master-secret"), Salt: []byte("salt")}, file.OptNone))
return fs
}
testCases := map[string]struct {
setupFs func(*require.Assertions) afero.Fs
existingState state.ConstellationState
@ -55,62 +62,51 @@ func TestRecover(t *testing.T) {
wantKey []byte
}{
"works": {
setupFs: func(require *require.Assertions) afero.Fs {
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
setupFs: writeMasterSecret,
existingState: validState,
client: &stubRecoveryClient{},
endpointFlag: "192.0.2.1",
diskUUIDFlag: "00000000-0000-0000-0000-000000000000",
wantKey: []byte{0x4d, 0x34, 0x19, 0x1a, 0xf9, 0x23, 0xb9, 0x61, 0x55, 0x9b, 0xb2, 0x6, 0x15, 0x1b, 0x5f, 0xe, 0x21, 0xc2, 0xe5, 0x18, 0x1c, 0xfa, 0x32, 0x79, 0xa4, 0x6b, 0x84, 0x86, 0x7e, 0xd7, 0xf6, 0x76},
wantKey: []byte{
0xcb, 0x31, 0x9d, 0x3d, 0xe0, 0xb7, 0x8a, 0xe9, 0x20, 0xc0, 0x62, 0x00, 0x8f, 0xe4, 0x58, 0xa1,
0x87, 0x85, 0x5d, 0xa0, 0xca, 0xe2, 0x04, 0x5c, 0x80, 0xe8, 0xe6, 0xd5, 0x8a, 0x6c, 0xcb, 0x49,
},
},
"uppercase disk uuid works": {
setupFs: func(require *require.Assertions) afero.Fs {
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
setupFs: writeMasterSecret,
existingState: validState,
client: &stubRecoveryClient{},
endpointFlag: "192.0.2.1",
diskUUIDFlag: "ABCDEFAB-CDEF-ABCD-ABCD-ABCDEFABCDEF",
wantKey: []byte{0x7e, 0xc0, 0xa8, 0x84, 0xc4, 0x7, 0xda, 0x1, 0xed, 0xa9, 0xc8, 0x87, 0x77, 0xad, 0x86, 0x7c, 0x7d, 0x40, 0xa7, 0x28, 0x3d, 0xbd, 0x92, 0xea, 0xa1, 0x84, 0x67, 0x78, 0x58, 0x76, 0x13, 0x70},
wantKey: []byte{
0x9b, 0xb8, 0x4a, 0x62, 0x01, 0xb3, 0x32, 0xf6, 0xf2, 0x79, 0x43, 0x09, 0x86, 0xe7, 0x25, 0x0e,
0xd2, 0x77, 0xcb, 0x14, 0xe8, 0x8f, 0x38, 0xab, 0xe7, 0xd6, 0x25, 0x14, 0xa5, 0xa1, 0xff, 0xda,
},
},
"lowercase disk uuid results in same key": {
setupFs: func(require *require.Assertions) afero.Fs {
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
setupFs: writeMasterSecret,
existingState: validState,
client: &stubRecoveryClient{},
endpointFlag: "192.0.2.1",
diskUUIDFlag: "abcdefab-cdef-abcd-abcd-abcdefabcdef",
wantKey: []byte{0x7e, 0xc0, 0xa8, 0x84, 0xc4, 0x7, 0xda, 0x1, 0xed, 0xa9, 0xc8, 0x87, 0x77, 0xad, 0x86, 0x7c, 0x7d, 0x40, 0xa7, 0x28, 0x3d, 0xbd, 0x92, 0xea, 0xa1, 0x84, 0x67, 0x78, 0x58, 0x76, 0x13, 0x70},
wantKey: []byte{
0x9b, 0xb8, 0x4a, 0x62, 0x01, 0xb3, 0x32, 0xf6, 0xf2, 0x79, 0x43, 0x09, 0x86, 0xe7, 0x25, 0x0e,
0xd2, 0x77, 0xcb, 0x14, 0xe8, 0x8f, 0x38, 0xab, 0xe7, 0xd6, 0x25, 0x14, 0xa5, 0xa1, 0xff, 0xda,
},
},
"missing flags": {
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
wantErr: true,
},
"missing config": {
setupFs: func(require *require.Assertions) afero.Fs {
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
setupFs: writeMasterSecret,
endpointFlag: "192.0.2.1",
diskUUIDFlag: "00000000-0000-0000-0000-000000000000",
configFlag: "nonexistent-config",
wantErr: true,
},
"missing state": {
setupFs: func(require *require.Assertions) afero.Fs {
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
setupFs: writeMasterSecret,
existingState: validState,
endpointFlag: "192.0.2.1",
diskUUIDFlag: "00000000-0000-0000-0000-000000000000",
@ -118,22 +114,14 @@ func TestRecover(t *testing.T) {
wantErr: true,
},
"invalid cloud provider": {
setupFs: func(require *require.Assertions) afero.Fs {
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
setupFs: writeMasterSecret,
existingState: invalidCSPState,
endpointFlag: "192.0.2.1",
diskUUIDFlag: "00000000-0000-0000-0000-000000000000",
wantErr: true,
},
"connect fails": {
setupFs: func(require *require.Assertions) afero.Fs {
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
setupFs: writeMasterSecret,
existingState: validState,
client: &stubRecoveryClient{connectErr: errors.New("connect failed")},
endpointFlag: "192.0.2.1",
@ -141,11 +129,7 @@ func TestRecover(t *testing.T) {
wantErr: true,
},
"pushing state key fails": {
setupFs: func(require *require.Assertions) afero.Fs {
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
setupFs: writeMasterSecret,
existingState: validState,
client: &stubRecoveryClient{pushStateDiskKeyErr: errors.New("pushing key failed")},
endpointFlag: "192.0.2.1",
@ -160,7 +144,7 @@ func TestRecover(t *testing.T) {
require := require.New(t)
cmd := NewRecoverCmd()
cmd.Flags().String("config", "", "") // register persisten flag manually
cmd.Flags().String("config", "", "") // register persistent flag manually
out := &bytes.Buffer{}
cmd.SetOut(out)
cmd.SetErr(&bytes.Buffer{})
@ -212,36 +196,29 @@ func TestParseRecoverFlags(t *testing.T) {
args: []string{"-e", "192.0.2.1:2", "--disk-uuid", "invalid"},
wantErr: true,
},
"invalid master secret path": {
args: []string{"-e", "192.0.2.1:2", "--disk-uuid", "12345678-1234-1234-1234-123456789012", "--master-secret", "invalid"},
wantErr: true,
},
"minimal args set": {
args: []string{"-e", "192.0.2.1:2", "--disk-uuid", "12345678-1234-1234-1234-123456789012"},
wantFlags: recoverFlags{
endpoint: "192.0.2.1:2",
diskUUID: "12345678-1234-1234-1234-123456789012",
masterSecret: []byte("constellation-master-secret-leng"),
endpoint: "192.0.2.1:2",
diskUUID: "12345678-1234-1234-1234-123456789012",
secretPath: "constellation-mastersecret.json",
},
},
"all args set": {
args: []string{
"-e", "192.0.2.1:2", "--disk-uuid", "12345678-1234-1234-1234-123456789012",
"--master-secret", "constellation-mastersecret.base64", "--config", "config-path",
},
args: []string{"-e", "192.0.2.1:2", "--disk-uuid", "12345678-1234-1234-1234-123456789012", "--config", "config-path", "--master-secret", "/path/super-secret.json"},
wantFlags: recoverFlags{
endpoint: "192.0.2.1:2",
diskUUID: "12345678-1234-1234-1234-123456789012",
masterSecret: []byte("constellation-master-secret-leng"),
configPath: "config-path",
endpoint: "192.0.2.1:2",
diskUUID: "12345678-1234-1234-1234-123456789012",
secretPath: "/path/super-secret.json",
configPath: "config-path",
},
},
"uppercase disk-uuid is converted to lowercase": {
args: []string{"-e", "192.0.2.1:2", "--disk-uuid", "ABCDEFAB-CDEF-ABCD-ABCD-ABCDEFABCDEF"},
wantFlags: recoverFlags{
endpoint: "192.0.2.1:2",
diskUUID: "abcdefab-cdef-abcd-abcd-abcdefabcdef",
masterSecret: []byte("constellation-master-secret-leng"),
endpoint: "192.0.2.1:2",
diskUUID: "abcdefab-cdef-abcd-abcd-abcdefabcdef",
secretPath: "constellation-mastersecret.json",
},
},
}
@ -251,12 +228,10 @@ func TestParseRecoverFlags(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
cmd := NewRecoverCmd()
cmd.Flags().String("config", "", "") // register persistent flag manually
require.NoError(cmd.ParseFlags(tc.args))
flags, err := parseRecoverFlags(cmd, file.NewHandler(fs))
flags, err := parseRecoverFlags(cmd)
if tc.wantErr {
assert.Error(err)
@ -268,52 +243,10 @@ func TestParseRecoverFlags(t *testing.T) {
}
}
func TestReadMasterSecret(t *testing.T) {
testCases := map[string]struct {
fileContents []byte
filename string
wantMasterSecret []byte
wantErr bool
}{
"invalid base64": {
fileContents: []byte("invalid"),
filename: "constellation-mastersecret.base64",
wantErr: true,
},
"invalid filename": {
fileContents: []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="),
filename: "invalid",
wantErr: true,
},
"correct master secret": {
fileContents: []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="),
filename: "constellation-mastersecret.base64",
wantMasterSecret: []byte("constellation-master-secret-leng"),
},
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", tc.fileContents, 0o777))
masterSecret, err := readMasterSecret(file.NewHandler(fs), tc.filename)
if tc.wantErr {
assert.Error(err)
return
}
assert.NoError(err)
assert.Equal(tc.wantMasterSecret, masterSecret)
})
}
}
func TestDeriveStateDiskKey(t *testing.T) {
testCases := map[string]struct {
masterKey []byte
salt []byte
diskUUID string
wantStateDiskKey []byte
}{
@ -322,10 +255,14 @@ func TestDeriveStateDiskKey(t *testing.T) {
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
},
salt: []byte{
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
},
diskUUID: "00000000-0000-0000-0000-000000000000",
wantStateDiskKey: []byte{
0xc6, 0xe0, 0xae, 0xfc, 0xbe, 0x7b, 0x7e, 0x87, 0x7a, 0xdd, 0xb2, 0x87, 0xe0, 0xcd, 0x4c, 0xe4,
0xde, 0xee, 0xb3, 0x57, 0xaa, 0x6c, 0xc9, 0x44, 0x90, 0xc4, 0x07, 0x72, 0x01, 0x7d, 0xd6, 0xb1,
0x2b, 0x5c, 0x82, 0x9f, 0x69, 0x1b, 0xfd, 0x42, 0x32, 0xf8, 0xaa, 0xc4, 0x64, 0xbc, 0xcc, 0x07,
0xe6, 0x05, 0xc7, 0xc8, 0xe8, 0x2c, 0xbc, 0xa0, 0x98, 0x37, 0xe8, 0x6d, 0x0b, 0x6d, 0x06, 0x65,
},
},
"all 0xff": {
@ -333,10 +270,14 @@ func TestDeriveStateDiskKey(t *testing.T) {
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
},
salt: []byte{
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
},
diskUUID: "ffffffff-ffff-ffff-ffff-ffffffffffff",
wantStateDiskKey: []byte{
0x00, 0x74, 0x4c, 0xb0, 0x92, 0x9d, 0x20, 0x08, 0xfa, 0x72, 0xac, 0xd2, 0xb6, 0xe4, 0xc6, 0x6f,
0xa3, 0x53, 0x16, 0xb1, 0x9e, 0x77, 0x42, 0xe8, 0xd3, 0x66, 0xe8, 0x22, 0x33, 0xfc, 0x63, 0x4d,
0x14, 0x84, 0xaa, 0x39, 0xd3, 0x41, 0x5e, 0x90, 0x6e, 0x07, 0x94, 0x0f, 0xf2, 0x15, 0xd8, 0xb1,
0xee, 0xe7, 0x05, 0xd3, 0x02, 0x7d, 0xba, 0x93, 0x30, 0x6a, 0xf4, 0xab, 0xff, 0x4f, 0x70, 0xbe,
},
},
}
@ -345,7 +286,7 @@ func TestDeriveStateDiskKey(t *testing.T) {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
stateDiskKey, err := deriveStateDiskKey(tc.masterKey, tc.diskUUID)
stateDiskKey, err := deriveStateDiskKey(tc.masterKey, tc.salt, tc.diskUUID)
assert.NoError(err)
assert.Equal(tc.wantStateDiskKey, stateDiskKey)