Add a bit more logging to attestation and join-service on error (#1076)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
parent
c81863d181
commit
aa3ac82408
@ -157,6 +157,9 @@ type Validator struct {
|
||||
func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestationPublicKey,
|
||||
validateCVM ValidateCVM, verifyUserData VerifyUserData, log AttestationLogger,
|
||||
) *Validator {
|
||||
if log == nil {
|
||||
log = &nopAttestationLogger{}
|
||||
}
|
||||
return &Validator{
|
||||
expected: expected,
|
||||
getTrustedKey: getTrustedKey,
|
||||
@ -167,10 +170,13 @@ func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestatio
|
||||
}
|
||||
|
||||
// Validate a TPM based attestation.
|
||||
func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
|
||||
if v.log != nil {
|
||||
v.log.Infof("Validating attestation document")
|
||||
}
|
||||
func (v *Validator) Validate(attDocRaw []byte, nonce []byte) (userData []byte, err error) {
|
||||
v.log.Infof("Validating attestation document")
|
||||
defer func() {
|
||||
if err != nil {
|
||||
v.log.Warnf("Failed to validate attestation document: %s", err)
|
||||
}
|
||||
}()
|
||||
|
||||
var attDoc AttestationDocument
|
||||
if err := json.Unmarshal(attDocRaw, &attDoc); err != nil {
|
||||
@ -210,9 +216,7 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
|
||||
if !pcr.WarnOnly {
|
||||
return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx)
|
||||
}
|
||||
if v.log != nil {
|
||||
v.log.Warnf("Encountered untrusted PCR value at index %d", idx)
|
||||
}
|
||||
v.log.Warnf("Encountered untrusted PCR value at index %d", idx)
|
||||
}
|
||||
}
|
||||
|
||||
@ -222,9 +226,7 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
|
||||
return nil, fmt.Errorf("verifying signed user data: %w", err)
|
||||
}
|
||||
|
||||
if v.log != nil {
|
||||
v.log.Infof("Successfully validated attestation document")
|
||||
}
|
||||
v.log.Infof("Successfully validated attestation document")
|
||||
return attDoc.UserData, nil
|
||||
}
|
||||
|
||||
@ -281,3 +283,12 @@ func GetSelectedMeasurements(open TPMOpenFunc, selection tpm2.PCRSelection) (mea
|
||||
|
||||
return m, nil
|
||||
}
|
||||
|
||||
// nopAttestationLogger is a no-op implementation of AttestationLogger.
|
||||
type nopAttestationLogger struct{}
|
||||
|
||||
// Infof is a no-op.
|
||||
func (nopAttestationLogger) Infof(string, ...interface{}) {}
|
||||
|
||||
// Warnf is a no-op.
|
||||
func (nopAttestationLogger) Warnf(string, ...interface{}) {}
|
||||
|
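Review bot: Validate now calls v.log unconditionally on every path (the deferred Warnf at the top and the Warnf in the warn-only PCR branch), so a Validator built as a struct literal rather than through NewValidator would nil-panic where it previously just skipped the log line; if any caller or test constructs Validator directly, that is worth checking. The nil-to-no-op substitution deserves a doc comment on NewValidator, e.g. `// NewValidator returns a Validator for TPM attestation documents. A nil log is replaced by a no-op logger; Validate must not be called on a zero-value Validator.` Separately, the named result `err` introduced for the deferred warning is shadowed by `if err := json.Unmarshal(attDocRaw, &attDoc); err != nil {`; that is harmless as long as every failure path uses an explicit `return nil, ...`, but a bare `return` added later would bypass the deferred Warnf, so a short comment on the defer such as `// relies on every error path using an explicit return so the named result is set` would help. Validate's body continues outside the hunk.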
@ -93,40 +93,43 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
|
||||
log.Infof("Requesting measurement secret")
|
||||
measurementSecret, err := s.dataKeyGetter.GetDataKey(ctx, attestation.MeasurementSecretContext, crypto.DerivedKeyLengthDefault)
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Errorf("Unable to get measurement secret")
|
||||
return nil, status.Errorf(codes.Internal, "unable to get measurement secret: %s", err)
|
||||
log.With(zap.Error(err)).Errorf("Failed to get measurement secret")
|
||||
return nil, status.Errorf(codes.Internal, "getting measurement secret: %s", err)
|
||||
}
|
||||
|
||||
log.Infof("Requesting disk encryption key")
|
||||
stateDiskKey, err := s.dataKeyGetter.GetDataKey(ctx, req.DiskUuid, crypto.StateDiskKeyLength)
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Errorf("Unable to get key for stateful disk")
|
||||
return nil, status.Errorf(codes.Internal, "unable to get key for stateful disk: %s", err)
|
||||
log.With(zap.Error(err)).Errorf("Failed to get key for stateful disk")
|
||||
return nil, status.Errorf(codes.Internal, "getting key for stateful disk: %s", err)
|
||||
}
|
||||
|
||||
log.Infof("Creating Kubernetes join token")
|
||||
kubeArgs, err := s.joinTokenGetter.GetJoinToken(constants.KubernetesJoinTokenTTL)
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Errorf("Unable to generate Kubernetes join arguments")
|
||||
return nil, status.Errorf(codes.Internal, "unable to generate Kubernetes join arguments: %s", err)
|
||||
log.With(zap.Error(err)).Errorf("Failed to generate Kubernetes join arguments")
|
||||
return nil, status.Errorf(codes.Internal, "generating Kubernetes join arguments: %s", err)
|
||||
}
|
||||
|
||||
log.Infof("Querying NodeVersion CR for components ConfigMap name")
|
||||
log.Infof("Querying NodeVersion custom resource for components ConfigMap name")
|
||||
componentsConfigMapName, err := s.getK8sComponentsConfigMapName(ctx)
|
||||
if err != nil {
|
||||
return nil, status.Errorf(codes.Internal, "unable to get components ConfigMap name: %s", err)
|
||||
log.With(zap.Error(err)).Errorf("Failed getting components ConfigMap name")
|
||||
return nil, status.Errorf(codes.Internal, "getting components ConfigMap name: %s", err)
|
||||
}
|
||||
|
||||
log.Infof("Querying %s ConfigMap for components", componentsConfigMapName)
|
||||
components, err := s.kubeClient.GetComponents(ctx, componentsConfigMapName)
|
||||
if err != nil {
|
||||
return nil, status.Errorf(codes.Internal, "unable to get components: %s", err)
|
||||
log.With(zap.Error(err)).Errorf("Failed getting components from ConfigMap")
|
||||
return nil, status.Errorf(codes.Internal, "getting components: %s", err)
|
||||
}
|
||||
|
||||
log.Infof("Creating signed kubelet certificate")
|
||||
kubeletCert, err := s.ca.GetCertificate(req.CertificateRequest)
|
||||
if err != nil {
|
||||
return nil, status.Errorf(codes.Internal, "unable to generate kubelet certificate: %s", err)
|
||||
log.With(zap.Error(err)).Errorf("Failed generating kubelet certificate")
|
||||
return nil, status.Errorf(codes.Internal, "Generating kubelet certificate: %s", err)
|
||||
}
|
||||
|
||||
var controlPlaneFiles []*joinproto.ControlPlaneCertOrKey
|
||||
@ -135,7 +138,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
|
||||
filesMap, err := s.joinTokenGetter.GetControlPlaneCertificatesAndKeys()
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Errorf("Failed to load control plane certificates and keys")
|
||||
return nil, status.Errorf(codes.Internal, "ActivateControlPlane failed: %s", err)
|
||||
return nil, status.Errorf(codes.Internal, "loading control-plane certificates and keys: %s", err)
|
||||
}
|
||||
|
||||
for k, v := range filesMap {
|
||||
@ -148,11 +151,13 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
|
||||
|
||||
nodeName, err := s.ca.GetNodeNameFromCSR(req.CertificateRequest)
|
||||
if err != nil {
|
||||
return nil, status.Errorf(codes.Internal, "unable to get node name from CSR: %s", err)
|
||||
log.With(zap.Error(err)).Errorf("Failed getting node name from CSR")
|
||||
return nil, status.Errorf(codes.Internal, "getting node name from CSR: %s", err)
|
||||
}
|
||||
|
||||
if err := s.kubeClient.AddNodeToJoiningNodes(ctx, nodeName, componentsConfigMapName, req.IsControlPlane); err != nil {
|
||||
return nil, status.Errorf(codes.Internal, "unable to add node to joining nodes: %s", err)
|
||||
log.With(zap.Error(err)).Errorf("Failed adding node to joining nodes")
|
||||
return nil, status.Errorf(codes.Internal, "adding node to joining nodes: %s", err)
|
||||
}
|
||||
|
||||
log.Infof("IssueJoinTicket successful")
|
||||
@ -188,6 +193,7 @@ func (s *Server) IssueRejoinTicket(ctx context.Context, req *joinproto.IssueRejo
|
||||
return nil, status.Errorf(codes.Internal, "unable to get key for stateful disk: %s", err)
|
||||
}
|
||||
|
||||
log.Infof("IssueRejoinTicket successful")
|
||||
return &joinproto.IssueRejoinTicketResponse{
|
||||
StateDiskKey: stateDiskKey,
|
||||
MeasurementSecret: measurementSecret,
|
||||
|
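Review bot: The new status message in the kubelet certificate branch, `"Generating kubelet certificate: %s"`, is capitalized while every sibling message in this hunk is lowercase ("getting components: %s", "getting node name from CSR: %s"); change it to `return nil, status.Errorf(codes.Internal, "generating kubelet certificate: %s", err)`. The rewording was not carried into IssueRejoinTicket: the context line `"unable to get key for stateful disk: %s"` in the last hunk keeps the phrasing that IssueJoinTicket just replaced, so the two ticket paths now report the same failure differently; that function's error handling starts outside the hunk. Each of these status messages also forwards the internal error text (`%s`, err) to the joining node; if exposing key-service and Kubernetes API error strings to the caller is an accepted trade-off, a one-line comment saying so where the responses are built would make that explicit.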