diff --git a/internal/attestation/vtpm/attestation.go b/internal/attestation/vtpm/attestation.go index 3f3045823..8e96a6356 100644 --- a/internal/attestation/vtpm/attestation.go +++ b/internal/attestation/vtpm/attestation.go @@ -157,6 +157,9 @@ type Validator struct { func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestationPublicKey, validateCVM ValidateCVM, verifyUserData VerifyUserData, log AttestationLogger, ) *Validator { + if log == nil { + log = &nopAttestationLogger{} + } return &Validator{ expected: expected, getTrustedKey: getTrustedKey, @@ -167,10 +170,13 @@ func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestatio } // Validate a TPM based attestation. -func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) { - if v.log != nil { - v.log.Infof("Validating attestation document") - } +func (v *Validator) Validate(attDocRaw []byte, nonce []byte) (userData []byte, err error) { + v.log.Infof("Validating attestation document") + defer func() { + if err != nil { + v.log.Warnf("Failed to validate attestation document: %s", err) + } + }() var attDoc AttestationDocument if err := json.Unmarshal(attDocRaw, &attDoc); err != nil { @@ -210,9 +216,7 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) { if !pcr.WarnOnly { return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx) } - if v.log != nil { - v.log.Warnf("Encountered untrusted PCR value at index %d", idx) - } + v.log.Warnf("Encountered untrusted PCR value at index %d", idx) } } @@ -222,9 +226,7 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) { return nil, fmt.Errorf("verifying signed user data: %w", err) } - if v.log != nil { - v.log.Infof("Successfully validated attestation document") - } + v.log.Infof("Successfully validated attestation document") return attDoc.UserData, nil } 
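Review bot: The nil-logger default added to NewValidator only protects callers that go through the constructor, while Validate now dereferences `v.log` unconditionally; any `Validator` built as a struct literal inside the package (a test, for instance) with a nil `log` will panic on the first `Infof`. Either keep a cheap guard at the top of Validate, `if v.log == nil { v.log = &nopAttestationLogger{} }`, or record the invariant where the field is declared: `// log is never nil; NewValidator substitutes nopAttestationLogger when none is supplied.` The Validator struct and the first line of NewValidator's parameter list are outside this hunk, so I cannot tell whether the field is exported.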
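Review bot: The deferred `v.log.Warnf("Failed to validate attestation document: %s", err)` writes the full error chain with `%s`, and parts of that chain are derived from the peer-supplied document (the `json.Unmarshal` error text, the PCR index, whatever `verifyUserData` wraps), so a crafted document can inject newlines or control characters into the attestation log unless every AttestationLogger implementation escapes them. Using `%q` quotes and escapes the error text at no cost: `v.log.Warnf("Failed to validate attestation document: %q", err)`. The named return plus `return nil, fmt.Errorf(...)` does set `err` before the defer runs, so the inner `if err := json.Unmarshal(...)` shadowing is harmless here; a one-line comment on the defer saying the named result is relied on would save the next reader the check. The middle of Validate, between this hunk and the PCR loop, is not shown.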
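Review bot: `v.log.Warnf("Encountered untrusted PCR value at index %d", idx)` is the only signal an operator gets when a WarnOnly PCR drifts (firmware update, changed boot chain), yet it names just the index, and execution then continues to the unconditional "Successfully validated attestation document" line in the following hunk, so the log ends on a clean pass. If the expected and observed digests are in scope at that point (the comparison that leads into this branch is outside the hunk), include them, e.g. `v.log.Warnf("Encountered untrusted PCR value at index %d: expected %x, got %x", idx, pcr.Expected, actual)`, and count warn-only mismatches so the closing message can state how many occurred. Field and variable names above are guesses; take them from the loop header.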
@@ -281,3 +283,12 @@ func GetSelectedMeasurements(open TPMOpenFunc, selection tpm2.PCRSelection) (mea return m, nil } + +// nopAttestationLogger is a no-op implementation of AttestationLogger. +type nopAttestationLogger struct{} + +// Infof is a no-op. +func (nopAttestationLogger) Infof(string, ...interface{}) {} + +// Warnf is a no-op. +func (nopAttestationLogger) Warnf(string, ...interface{}) {} diff --git a/joinservice/internal/server/server.go b/joinservice/internal/server/server.go index fa7097b82..7d8fd6932 100644 --- a/joinservice/internal/server/server.go +++ b/joinservice/internal/server/server.go 
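Review bot: nopAttestationLogger has no compile-time tie to the AttestationLogger interface it is meant to satisfy, so a later signature change to the interface would only surface at the `log = &nopAttestationLogger{}` site in NewValidator. Add the usual assertion next to the type: `var _ AttestationLogger = (*nopAttestationLogger)(nil)`. If the module targets Go 1.18 or newer, `...any` reads better than `...interface{}`, but keep whichever spelling the interface declaration uses.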
@@ -93,40 +93,43 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi log.Infof("Requesting measurement secret") measurementSecret, err := s.dataKeyGetter.GetDataKey(ctx, attestation.MeasurementSecretContext, crypto.DerivedKeyLengthDefault) if err != nil { - log.With(zap.Error(err)).Errorf("Unable to get measurement secret") - return nil, status.Errorf(codes.Internal, "unable to get measurement secret: %s", err) + log.With(zap.Error(err)).Errorf("Failed to get measurement secret") + return nil, status.Errorf(codes.Internal, "getting measurement secret: %s", err) } log.Infof("Requesting disk encryption key") stateDiskKey, err := s.dataKeyGetter.GetDataKey(ctx, req.DiskUuid, crypto.StateDiskKeyLength) if err != nil { - log.With(zap.Error(err)).Errorf("Unable to get key for stateful disk") - return nil, status.Errorf(codes.Internal, "unable to get key for stateful disk: %s", err) + log.With(zap.Error(err)).Errorf("Failed to get key for stateful disk") + return nil, status.Errorf(codes.Internal, "getting key for stateful disk: %s", err) } log.Infof("Creating Kubernetes join token") kubeArgs, err := s.joinTokenGetter.GetJoinToken(constants.KubernetesJoinTokenTTL) if err != nil { - log.With(zap.Error(err)).Errorf("Unable to generate Kubernetes join arguments") - return nil, status.Errorf(codes.Internal, "unable to generate Kubernetes join arguments: %s", err) + log.With(zap.Error(err)).Errorf("Failed to generate Kubernetes join arguments") + return nil, status.Errorf(codes.Internal, "generating Kubernetes join arguments: %s", err) } - log.Infof("Querying NodeVersion CR for components ConfigMap name") + log.Infof("Querying NodeVersion custom resource for components ConfigMap name") componentsConfigMapName, err := s.getK8sComponentsConfigMapName(ctx) if err != nil { - return nil, status.Errorf(codes.Internal, "unable to get components ConfigMap name: %s", err) + log.With(zap.Error(err)).Errorf("Failed getting components ConfigMap name") + 
return nil, status.Errorf(codes.Internal, "getting components ConfigMap name: %s", err) } log.Infof("Querying %s ConfigMap for components", componentsConfigMapName) components, err := s.kubeClient.GetComponents(ctx, componentsConfigMapName) if err != nil { - return nil, status.Errorf(codes.Internal, "unable to get components: %s", err) + log.With(zap.Error(err)).Errorf("Failed getting components from ConfigMap") + return nil, status.Errorf(codes.Internal, "getting components: %s", err) } log.Infof("Creating signed kubelet certificate") kubeletCert, err := s.ca.GetCertificate(req.CertificateRequest) if err != nil { - return nil, status.Errorf(codes.Internal, "unable to generate kubelet certificate: %s", err) + log.With(zap.Error(err)).Errorf("Failed generating kubelet certificate") + return nil, status.Errorf(codes.Internal, "Generating kubelet certificate: %s", err) } var controlPlaneFiles []*joinproto.ControlPlaneCertOrKey @@ -135,7 +138,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi filesMap, err := s.joinTokenGetter.GetControlPlaneCertificatesAndKeys() if err != nil { log.With(zap.Error(err)).Errorf("Failed to load control plane certificates and keys") - return nil, status.Errorf(codes.Internal, "ActivateControlPlane failed: %s", err) + return nil, status.Errorf(codes.Internal, "loading control-plane certificates and keys: %s", err) } for k, v := range filesMap { 
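Review bot: The new message `"Generating kubelet certificate: %s"` is capitalized while every other status string in the hunk was deliberately lowercased to the `getting …`/`generating …` form; change it to `"generating kubelet certificate: %s"` so it chains consistently. Separately, each `status.Errorf(codes.Internal, ..., err)` still hands the raw internal error (KMS, Kubernetes API, CA failures) to the joining node; that is pre-existing rather than introduced here, and the peer has presumably passed attestation before reaching this RPC, but now that every failure is also logged server-side with `zap.Error(err)` the client-facing detail could be reduced to the fixed message. IssueJoinTicket begins, and `log` is bound, before the start of this hunk.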
@@ -148,11 +151,13 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi nodeName, err := s.ca.GetNodeNameFromCSR(req.CertificateRequest) if err != nil { - return nil, status.Errorf(codes.Internal, "unable to get node name from CSR: %s", err) + log.With(zap.Error(err)).Errorf("Failed getting node name from CSR") + return nil, status.Errorf(codes.Internal, "getting node name from CSR: %s", err) } if err := s.kubeClient.AddNodeToJoiningNodes(ctx, nodeName, componentsConfigMapName, req.IsControlPlane); err != nil { - return nil, status.Errorf(codes.Internal, "unable to add node to joining nodes: %s", err) + log.With(zap.Error(err)).Errorf("Failed adding node to joining nodes") + return nil, status.Errorf(codes.Internal, "adding node to joining nodes: %s", err) } log.Infof("IssueJoinTicket successful") @@ -188,6 +193,7 @@ func (s *Server) IssueRejoinTicket(ctx context.Context, req *joinproto.IssueRejo return nil, status.Errorf(codes.Internal, "unable to get key for stateful disk: %s", err) } + log.Infof("IssueRejoinTicket successful") return &joinproto.IssueRejoinTicketResponse{ StateDiskKey: stateDiskKey, MeasurementSecret: measurementSecret,
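Review bot: The new error log for `AddNodeToJoiningNodes` omits the node name that was just extracted from the client-supplied CSR, which is the one field an incident responder needs to correlate a failed join with a node; attach it as `log.With(zap.Error(err), zap.String("nodeName", nodeName)).Errorf("Failed adding node to joining nodes")`. Note also that by this point the join token and kubelet certificate from the earlier hunk have already been issued, so a failure here leaves a live bootstrap token behind; a short comment stating that this is accepted (or a revocation step, if one exists) would help. IssueJoinTicket's start and end lie outside this hunk.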
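Review bot: The context line `status.Errorf(codes.Internal, "unable to get key for stateful disk: %s", err)` in IssueRejoinTicket keeps the old `unable to …` wording that this same commit replaces in IssueJoinTicket with `"getting key for stateful disk: %s"`, so the two RPCs now report the same failure differently. Align it, and check whether the measurement-secret error just above (outside the hunk) and its server-side `zap.Error` log line received the same treatment. IssueRejoinTicket begins before this hunk.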