mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-05-02 06:16:08 -04:00
terraform-provider: add attestation data source (#2640)
Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Adrian Stobbe
GitHub
parent
03c5692fdd
commit
a2de1d23ec
18 changed files with 871 additions and 177 deletions
|
|
@ -170,7 +170,6 @@ go_test(
|
|||
"//internal/license",
|
||||
"//internal/logger",
|
||||
"//internal/semver",
|
||||
"//internal/sigstore",
|
||||
"//internal/state",
|
||||
"//internal/versions",
|
||||
"//operators/constellation-node-operator/api/v1alpha1",
|
||||
|
|
|
|||
|
|
@ -17,12 +17,13 @@ import (
|
|||
"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/featureset"
|
||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||
"github.com/edgelesssys/constellation/v2/internal/sigstore"
|
||||
"github.com/edgelesssys/constellation/v2/internal/sigstore/keyselect"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/spf13/cobra"
|
||||
"github.com/spf13/pflag"
|
||||
|
|
@ -73,10 +74,18 @@ func (f *fetchMeasurementsFlags) parse(flags *pflag.FlagSet) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
type verifyFetcher interface {
|
||||
FetchAndVerifyMeasurements(ctx context.Context,
|
||||
image string, csp cloudprovider.Provider, attestationVariant variant.Variant,
|
||||
noVerify bool,
|
||||
) (measurements.M, error)
|
||||
}
|
||||
|
||||
type configFetchMeasurementsCmd struct {
|
||||
flags fetchMeasurementsFlags
|
||||
canFetchMeasurements bool
|
||||
log debugLog
|
||||
verifyFetcher verifyFetcher
|
||||
}
|
||||
|
||||
func runConfigFetchMeasurements(cmd *cobra.Command, _ []string) error {
|
||||
|
|
@ -90,19 +99,20 @@ func runConfigFetchMeasurements(cmd *cobra.Command, _ []string) error {
|
|||
if err != nil {
|
||||
return fmt.Errorf("constructing Rekor client: %w", err)
|
||||
}
|
||||
cfm := &configFetchMeasurementsCmd{log: log, canFetchMeasurements: featureset.CanFetchMeasurements}
|
||||
|
||||
verifyFetcher := measurements.NewVerifyFetcher(sigstore.NewCosignVerifier, rekor, http.DefaultClient)
|
||||
cfm := &configFetchMeasurementsCmd{log: log, canFetchMeasurements: featureset.CanFetchMeasurements, verifyFetcher: verifyFetcher}
|
||||
if err := cfm.flags.parse(cmd.Flags()); err != nil {
|
||||
return fmt.Errorf("parsing flags: %w", err)
|
||||
}
|
||||
cfm.log.Debugf("Using flags %+v", cfm.flags)
|
||||
|
||||
fetcher := attestationconfigapi.NewFetcherWithClient(http.DefaultClient, constants.CDNRepositoryURL)
|
||||
return cfm.configFetchMeasurements(cmd, sigstore.NewCosignVerifier, rekor, fileHandler, fetcher, http.DefaultClient)
|
||||
return cfm.configFetchMeasurements(cmd, fileHandler, fetcher)
|
||||
}
|
||||
|
||||
func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(
|
||||
cmd *cobra.Command, newCosignVerifier cosignVerifierConstructor, rekor rekorVerifier,
|
||||
fileHandler file.Handler, fetcher attestationconfigapi.Fetcher, client *http.Client,
|
||||
cmd *cobra.Command, fileHandler file.Handler, fetcher attestationconfigapi.Fetcher,
|
||||
) error {
|
||||
if !cfm.canFetchMeasurements {
|
||||
cmd.PrintErrln("Fetching measurements is not supported in the OSS build of the Constellation CLI. Consult the documentation for instructions on where to download the enterprise version.")
|
||||
|
|
@ -132,58 +142,16 @@ func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(
|
|||
if err := cfm.flags.updateURLs(conf); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
cfm.log.Debugf("Fetching and verifying measurements")
|
||||
imageVersion, err := versionsapi.NewVersionFromShortPath(conf.Image, versionsapi.VersionKindImage)
|
||||
fetchedMeasurements, err := cfm.verifyFetcher.FetchAndVerifyMeasurements(ctx, conf.Image, conf.GetProvider(),
|
||||
conf.GetAttestationConfig().GetVariant(), cfm.flags.insecure)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
publicKey, err := keyselect.CosignPublicKeyForVersion(imageVersion)
|
||||
if err != nil {
|
||||
return fmt.Errorf("getting public key: %w", err)
|
||||
}
|
||||
cosign, err := newCosignVerifier(publicKey)
|
||||
if err != nil {
|
||||
return fmt.Errorf("creating cosign verifier: %w", err)
|
||||
}
|
||||
|
||||
var fetchedMeasurements measurements.M
|
||||
var hash string
|
||||
if cfm.flags.insecure {
|
||||
if err := fetchedMeasurements.FetchNoVerify(
|
||||
ctx,
|
||||
client,
|
||||
cfm.flags.measurementsURL,
|
||||
imageVersion,
|
||||
conf.GetProvider(),
|
||||
conf.GetAttestationConfig().GetVariant(),
|
||||
); err != nil {
|
||||
return fmt.Errorf("fetching measurements without verification: %w", err)
|
||||
}
|
||||
|
||||
cfm.log.Debugf("Fetched measurements without verification")
|
||||
} else {
|
||||
hash, err = fetchedMeasurements.FetchAndVerify(
|
||||
ctx,
|
||||
client,
|
||||
cosign,
|
||||
cfm.flags.measurementsURL,
|
||||
cfm.flags.signatureURL,
|
||||
imageVersion,
|
||||
conf.GetProvider(),
|
||||
conf.GetAttestationConfig().GetVariant(),
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("fetching and verifying measurements: %w", err)
|
||||
}
|
||||
cfm.log.Debugf("Fetched and verified measurements, hash is %s", hash)
|
||||
if err := sigstore.VerifyWithRekor(cmd.Context(), publicKey, rekor, hash); err != nil {
|
||||
var rekorErr *measurements.RekorError
|
||||
if errors.As(err, &rekorErr) {
|
||||
cmd.PrintErrf("Ignoring Rekor related error: %v\n", err)
|
||||
cmd.PrintErrln("Make sure the downloaded measurements are trustworthy!")
|
||||
} else {
|
||||
return fmt.Errorf("fetching and verifying measurements: %w", err)
|
||||
}
|
||||
|
||||
cfm.log.Debugf("Verified measurements with Rekor")
|
||||
}
|
||||
cfm.log.Debugf("Measurements:\n", fetchedMeasurements)
|
||||
|
||||
|
|
@ -234,5 +202,3 @@ type rekorVerifier interface {
|
|||
SearchByHash(context.Context, string) ([]string, error)
|
||||
VerifyEntry(context.Context, string, string) error
|
||||
}
|
||||
|
||||
type cosignVerifierConstructor func([]byte) (sigstore.Verifier, error)
|
||||
|
|
|
|||
|
|
@ -7,23 +7,20 @@ SPDX-License-Identifier: AGPL-3.0-only
|
|||
package cmd
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
"github.com/edgelesssys/constellation/v2/internal/sigstore"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
|
@ -154,114 +151,17 @@ func newTestClient(fn roundTripFunc) *http.Client {
|
|||
}
|
||||
|
||||
func TestConfigFetchMeasurements(t *testing.T) {
|
||||
measurements := `{
|
||||
"version": "v999.999.999",
|
||||
"ref": "-",
|
||||
"stream": "stable",
|
||||
"list": [
|
||||
{
|
||||
"csp": "GCP",
|
||||
"attestationVariant":"gcp-sev-es",
|
||||
"measurements": {
|
||||
"0": {
|
||||
"expected": "0000000000000000000000000000000000000000000000000000000000000000",
|
||||
"warnOnly":false
|
||||
},
|
||||
"1": {
|
||||
"expected": "1111111111111111111111111111111111111111111111111111111111111111",
|
||||
"warnOnly":false
|
||||
},
|
||||
"2": {
|
||||
"expected": "2222222222222222222222222222222222222222222222222222222222222222",
|
||||
"warnOnly":false
|
||||
},
|
||||
"3": {
|
||||
"expected": "3333333333333333333333333333333333333333333333333333333333333333",
|
||||
"warnOnly":false
|
||||
},
|
||||
"4": {
|
||||
"expected": "4444444444444444444444444444444444444444444444444444444444444444",
|
||||
"warnOnly":false
|
||||
},
|
||||
"5": {
|
||||
"expected": "5555555555555555555555555555555555555555555555555555555555555555",
|
||||
"warnOnly":false
|
||||
},
|
||||
"6": {
|
||||
"expected": "6666666666666666666666666666666666666666666666666666666666666666",
|
||||
"warnOnly":false
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
`
|
||||
signature := "placeholder-signature"
|
||||
|
||||
client := newTestClient(func(req *http.Request) *http.Response {
|
||||
if req.URL.Path == "/constellation/v2/ref/-/stream/stable/v999.999.999/image/measurements.json" {
|
||||
return &http.Response{
|
||||
StatusCode: http.StatusOK,
|
||||
Body: io.NopCloser(bytes.NewBufferString(measurements)),
|
||||
Header: make(http.Header),
|
||||
}
|
||||
}
|
||||
if req.URL.Path == "/constellation/v2/ref/-/stream/stable/v999.999.999/image/measurements.json.sig" {
|
||||
return &http.Response{
|
||||
StatusCode: http.StatusOK,
|
||||
Body: io.NopCloser(bytes.NewBufferString(signature)),
|
||||
Header: make(http.Header),
|
||||
}
|
||||
}
|
||||
|
||||
fmt.Println("unexpected request", req.URL.String())
|
||||
return &http.Response{
|
||||
StatusCode: http.StatusNotFound,
|
||||
Body: io.NopCloser(bytes.NewBufferString("Not found.")),
|
||||
Header: make(http.Header),
|
||||
}
|
||||
})
|
||||
|
||||
testCases := map[string]struct {
|
||||
cosign cosignVerifierConstructor
|
||||
rekor rekorVerifier
|
||||
insecureFlag bool
|
||||
err error
|
||||
wantErr bool
|
||||
}{
|
||||
"success": {
|
||||
cosign: newStubCosignVerifier,
|
||||
rekor: singleUUIDVerifier(),
|
||||
"no error succeeds": {},
|
||||
"failing rekor verify should not result in error": {
|
||||
err: &measurements.RekorError{},
|
||||
},
|
||||
"success without cosign": {
|
||||
insecureFlag: true,
|
||||
cosign: func(_ []byte) (sigstore.Verifier, error) {
|
||||
return &stubCosignVerifier{
|
||||
verifyError: assert.AnError,
|
||||
}, nil
|
||||
},
|
||||
rekor: singleUUIDVerifier(),
|
||||
},
|
||||
"failing search should not result in error": {
|
||||
cosign: newStubCosignVerifier,
|
||||
rekor: &stubRekorVerifier{
|
||||
SearchByHashUUIDs: []string{},
|
||||
SearchByHashError: assert.AnError,
|
||||
},
|
||||
},
|
||||
"failing verify should not result in error": {
|
||||
cosign: newStubCosignVerifier,
|
||||
rekor: &stubRekorVerifier{
|
||||
SearchByHashUUIDs: []string{"11111111111111111111111111111111111111111111111111111111111111111111111111111111"},
|
||||
VerifyEntryError: assert.AnError,
|
||||
},
|
||||
},
|
||||
"signature verification failure": {
|
||||
cosign: func(_ []byte) (sigstore.Verifier, error) {
|
||||
return &stubCosignVerifier{
|
||||
verifyError: assert.AnError,
|
||||
}, nil
|
||||
},
|
||||
rekor: singleUUIDVerifier(),
|
||||
"error other than Rekor fails": {
|
||||
err: assert.AnError,
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
|
|
@ -279,11 +179,12 @@ func TestConfigFetchMeasurements(t *testing.T) {
|
|||
|
||||
err := fileHandler.WriteYAML(constants.ConfigFilename, gcpConfig, file.OptMkdirAll)
|
||||
require.NoError(err)
|
||||
cfm := &configFetchMeasurementsCmd{canFetchMeasurements: true, log: logger.NewTest(t)}
|
||||
fetcher := stubVerifyFetcher{err: tc.err}
|
||||
cfm := &configFetchMeasurementsCmd{canFetchMeasurements: true, log: logger.NewTest(t), verifyFetcher: fetcher}
|
||||
cfm.flags.insecure = tc.insecureFlag
|
||||
cfm.flags.force = true
|
||||
|
||||
err = cfm.configFetchMeasurements(cmd, tc.cosign, tc.rekor, fileHandler, stubAttestationFetcher{}, client)
|
||||
err = cfm.configFetchMeasurements(cmd, fileHandler, stubAttestationFetcher{})
|
||||
if tc.wantErr {
|
||||
assert.Error(err)
|
||||
return
|
||||
|
|
@ -293,6 +194,14 @@ func TestConfigFetchMeasurements(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
type stubVerifyFetcher struct {
|
||||
err error
|
||||
}
|
||||
|
||||
func (f stubVerifyFetcher) FetchAndVerifyMeasurements(_ context.Context, _ string, _ cloudprovider.Provider, _ variant.Variant, _ bool) (measurements.M, error) {
|
||||
return nil, f.err
|
||||
}
|
||||
|
||||
type stubAttestationFetcher struct{}
|
||||
|
||||
func (f stubAttestationFetcher) FetchSEVSNPVersionList(_ context.Context, _ attestationconfigapi.SEVSNPVersionList) (attestationconfigapi.SEVSNPVersionList, error) {
|
||||
|
|
|
|||
|
|
@ -8,8 +8,6 @@ package cmd
|
|||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/sigstore"
|
||||
)
|
||||
|
||||
// singleUUIDVerifier constructs a RekorVerifier that returns a single UUID and no errors,
|
||||
|
|
@ -43,10 +41,6 @@ type stubCosignVerifier struct {
|
|||
verifyError error
|
||||
}
|
||||
|
||||
func newStubCosignVerifier(_ []byte) (sigstore.Verifier, error) {
|
||||
return &stubCosignVerifier{}, nil
|
||||
}
|
||||
|
||||
func (v *stubCosignVerifier) VerifySignature(_, _ []byte) error {
|
||||
return v.verifyError
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue