mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-06-20 04:04:21 -04:00
config: automatically upload new Azure SNP versions to API + sign version with release key (#1854)
* sign version with release key and remove version from fetcher interface * extend azure-reporter GH action to upload updated version values to the Attestation API
This commit is contained in:
Adrian Stobbe
GitHub
parent
18da9b8128
commit
a813760f96
14 changed files with 214 additions and 76 deletions
|
|
@ -10,27 +10,32 @@ import (
|
|||
"encoding/json"
|
||||
"fmt"
|
||||
"os"
|
||||
"reflect"
|
||||
"time"
|
||||
|
||||
configapi "github.com/edgelesssys/constellation/v2/internal/api/attestationconfig"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/attestationconfig"
|
||||
attestationconfigclient "github.com/edgelesssys/constellation/v2/internal/api/attestationconfig/client"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/attestationconfig/fetcher"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/staticupload"
|
||||
"github.com/spf13/cobra"
|
||||
)
|
||||
|
||||
const (
|
||||
awsRegion = "eu-central-1"
|
||||
awsBucket = "cdn-constellation-backend"
|
||||
invalidDefault = 0
|
||||
envAwsKeyID = "AWS_ACCESS_KEY_ID"
|
||||
envAwsKey = "AWS_ACCESS_KEY"
|
||||
awsRegion = "eu-central-1"
|
||||
awsBucket = "cdn-constellation-backend"
|
||||
invalidDefault = 0
|
||||
envAwsKeyID = "AWS_ACCESS_KEY_ID"
|
||||
envAwsKey = "AWS_ACCESS_KEY"
|
||||
envCosignPwd = "COSIGN_PASSWORD"
|
||||
envCosignPrivateKey = "COSIGN_PRIVATE_KEY"
|
||||
)
|
||||
|
||||
var (
|
||||
versionFilePath string
|
||||
// Cosign credentials.
|
||||
cosignPwd string
|
||||
privateKeyPath string
|
||||
cosignPwd string
|
||||
privateKey string
|
||||
)
|
||||
|
||||
// Execute executes the root command.
|
||||
|
|
@ -41,58 +46,102 @@ func Execute() error {
|
|||
// newRootCmd creates the root command.
|
||||
func newRootCmd() *cobra.Command {
|
||||
rootCmd := &cobra.Command{
|
||||
Use: "AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY upload -b 2 -t 0 -s 6 -m 93 --cosign-pwd $PWD --private-key $FILE_PATH",
|
||||
Use: "COSIGN_PASSWORD=$CPWD COSIGN_PRIVATE_KEY=$CKEY AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY upload --version-file $FILE",
|
||||
Short: "Upload a set of versions specific to the azure-sev-snp attestation variant to the config api.",
|
||||
|
||||
Long: "Upload a set of versions specific to the azure-sev-snp attestation variant to the config api. Please authenticate with AWS through your preferred method (e.g. environment variables, CLI) to be able to upload to S3.",
|
||||
RunE: runCmd,
|
||||
Long: fmt.Sprintf("Upload a set of versions specific to the azure-sev-snp attestation variant to the config api. Please authenticate with AWS through your preferred method (e.g. environment variables, CLI) to be able to upload to S3. Set the %s and %s environment variables to authenticate with cosign.", envCosignPrivateKey, envCosignPwd),
|
||||
PreRunE: envCheck,
|
||||
RunE: runCmd,
|
||||
}
|
||||
rootCmd.PersistentFlags().StringVarP(&versionFilePath, "version-file", "f", "", "File path to the version json file.")
|
||||
rootCmd.PersistentFlags().StringVar(&cosignPwd, "cosign-pwd", "", "Cosign password used to decrpyt the private key.")
|
||||
rootCmd.PersistentFlags().StringVar(&privateKeyPath, "private-key", "", "File path of private key used to sign the payload.")
|
||||
must(enforceRequiredFlags(rootCmd, "version-file", "cosign-pwd", "private-key"))
|
||||
must(enforceRequiredFlags(rootCmd, "version-file"))
|
||||
|
||||
return rootCmd
|
||||
}
|
||||
|
||||
func envCheck(_ *cobra.Command, _ []string) error {
|
||||
if os.Getenv(envCosignPrivateKey) == "" || os.Getenv(envCosignPwd) == "" {
|
||||
return fmt.Errorf("please set both %s and %s environment variables", envCosignPrivateKey, envCosignPwd)
|
||||
}
|
||||
cosignPwd = os.Getenv(envCosignPwd)
|
||||
privateKey = os.Getenv(envCosignPrivateKey)
|
||||
return nil
|
||||
}
|
||||
|
||||
func runCmd(cmd *cobra.Command, _ []string) error {
|
||||
ctx := cmd.Context()
|
||||
cfg := staticupload.Config{
|
||||
Bucket: awsBucket,
|
||||
Region: awsRegion,
|
||||
}
|
||||
privateKey, err := os.ReadFile(privateKeyPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("reading private key: %w", err)
|
||||
}
|
||||
|
||||
versionBytes, err := os.ReadFile(versionFilePath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("reading version file: %w", err)
|
||||
}
|
||||
var versions configapi.AzureSEVSNPVersion
|
||||
err = json.Unmarshal(versionBytes, &versions)
|
||||
if err != nil {
|
||||
var inputVersion attestationconfig.AzureSEVSNPVersion
|
||||
if err = json.Unmarshal(versionBytes, &inputVersion); err != nil {
|
||||
return fmt.Errorf("unmarshalling version file: %w", err)
|
||||
}
|
||||
|
||||
sut, sutClose, err := attestationconfigclient.New(ctx, cfg, []byte(cosignPwd), privateKey)
|
||||
latestAPIVersion, err := fetcher.New().FetchAzureSEVSNPVersionLatest(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("creating repo: %w", err)
|
||||
return fmt.Errorf("fetching latest version: %w", err)
|
||||
}
|
||||
defer func() {
|
||||
if err := sutClose(ctx); err != nil {
|
||||
fmt.Printf("closing repo: %v\n", err)
|
||||
}
|
||||
}()
|
||||
|
||||
if err := sut.UploadAzureSEVSNP(ctx, versions, time.Now()); err != nil {
|
||||
return fmt.Errorf("uploading version: %w", err)
|
||||
isNewer, err := isInputNewerThanLatestAPI(inputVersion, latestAPIVersion.AzureSEVSNPVersion)
|
||||
if err != nil {
|
||||
return fmt.Errorf("comparing versions: %w", err)
|
||||
}
|
||||
if isNewer {
|
||||
fmt.Printf("Input version: %+v is newer than latest API version: %+v\n", inputVersion, latestAPIVersion)
|
||||
sut, sutClose, err := attestationconfigclient.New(ctx, cfg, []byte(cosignPwd), []byte(privateKey))
|
||||
defer func() {
|
||||
if err := sutClose(ctx); err != nil {
|
||||
fmt.Printf("closing repo: %v\n", err)
|
||||
}
|
||||
}()
|
||||
if err != nil {
|
||||
return fmt.Errorf("creating repo: %w", err)
|
||||
}
|
||||
|
||||
if err := sut.UploadAzureSEVSNP(ctx, inputVersion, time.Now()); err != nil {
|
||||
return fmt.Errorf("uploading version: %w", err)
|
||||
}
|
||||
cmd.Printf("Successfully uploaded new Azure SEV-SNP version: %+v\n", inputVersion)
|
||||
} else {
|
||||
cmd.Printf("Input version: %+v is not newer than latest API version: %+v\n", inputVersion, latestAPIVersion)
|
||||
}
|
||||
cmd.Printf("Successfully uploaded new Azure SEV-SNP version: %+v\n", versions)
|
||||
return nil
|
||||
}
|
||||
|
||||
// isInputNewerThanLatestAPI compares all version fields with the latest API version and returns true if any input field is newer.
|
||||
func isInputNewerThanLatestAPI(input, latest attestationconfig.AzureSEVSNPVersion) (bool, error) {
|
||||
inputValues := reflect.ValueOf(input)
|
||||
latestValues := reflect.ValueOf(latest)
|
||||
fields := reflect.TypeOf(input)
|
||||
num := fields.NumField()
|
||||
// validate that no input field is smaller than latest
|
||||
for i := 0; i < num; i++ {
|
||||
field := fields.Field(i)
|
||||
inputValue := inputValues.Field(i).Uint()
|
||||
latestValue := latestValues.Field(i).Uint()
|
||||
if inputValue < latestValue {
|
||||
return false, fmt.Errorf("input %s version: %d is older than latest API version: %d", field.Name, inputValue, latestValue)
|
||||
} else if inputValue > latestValue {
|
||||
return true, nil
|
||||
}
|
||||
}
|
||||
// check if any input field is greater than latest
|
||||
for i := 0; i < num; i++ {
|
||||
inputValue := inputValues.Field(i).Uint()
|
||||
latestValue := latestValues.Field(i).Uint()
|
||||
if inputValue > latestValue {
|
||||
return true, nil
|
||||
}
|
||||
}
|
||||
return false, nil
|
||||
}
|
||||
|
||||
func enforceRequiredFlags(cmd *cobra.Command, flags ...string) error {
|
||||
for _, flag := range flags {
|
||||
if err := cmd.MarkPersistentFlagRequired(flag); err != nil {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue