Add a bit more logging to attestation and join-service on error (#1076)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Daniel Weiße 2023-01-26 11:24:29 +01:00 committed by GitHub
parent c81863d181
commit aa3ac82408
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 40 additions and 23 deletions


@ -157,6 +157,9 @@ type Validator struct {
func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestationPublicKey, func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestationPublicKey,
validateCVM ValidateCVM, verifyUserData VerifyUserData, log AttestationLogger, validateCVM ValidateCVM, verifyUserData VerifyUserData, log AttestationLogger,
) *Validator { ) *Validator {
if log == nil {
log = &nopAttestationLogger{}
}
return &Validator{ return &Validator{
expected: expected, expected: expected,
getTrustedKey: getTrustedKey, getTrustedKey: getTrustedKey,
@ -167,10 +170,13 @@ func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestatio
} }
// Validate a TPM based attestation. // Validate a TPM based attestation.
func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) { func (v *Validator) Validate(attDocRaw []byte, nonce []byte) (userData []byte, err error) {
if v.log != nil { v.log.Infof("Validating attestation document")
v.log.Infof("Validating attestation document") defer func() {
} if err != nil {
v.log.Warnf("Failed to validate attestation document: %s", err)
}
}()
var attDoc AttestationDocument var attDoc AttestationDocument
if err := json.Unmarshal(attDocRaw, &attDoc); err != nil { if err := json.Unmarshal(attDocRaw, &attDoc); err != nil {
@ -210,9 +216,7 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
if !pcr.WarnOnly { if !pcr.WarnOnly {
return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx) return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx)
} }
if v.log != nil { v.log.Warnf("Encountered untrusted PCR value at index %d", idx)
v.log.Warnf("Encountered untrusted PCR value at index %d", idx)
}
} }
} }
@ -222,9 +226,7 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
return nil, fmt.Errorf("verifying signed user data: %w", err) return nil, fmt.Errorf("verifying signed user data: %w", err)
} }
if v.log != nil { v.log.Infof("Successfully validated attestation document")
v.log.Infof("Successfully validated attestation document")
}
return attDoc.UserData, nil return attDoc.UserData, nil
} }
@ -281,3 +283,12 @@ func GetSelectedMeasurements(open TPMOpenFunc, selection tpm2.PCRSelection) (mea
return m, nil return m, nil
} }
// nopAttestationLogger is a no-op implementation of AttestationLogger.
type nopAttestationLogger struct{}
// Infof is a no-op.
func (nopAttestationLogger) Infof(string, ...interface{}) {}
// Warnf is a no-op.
func (nopAttestationLogger) Warnf(string, ...interface{}) {}
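Review bot: The deferred Warnf added to Validate reads the named result `err`, while the body still declares inner `err` values with `:=` (the `json.Unmarshal` check a few lines below), so shadow linters will flag it and a reader may assume those inner errors never reach the logger. It works because `return nil, fmt.Errorf(...)` assigns the named result before the defer runs; a comment on the defer such as `// err is the named result; every explicit return assigns it before this runs` would record that dependency. Validate also drops its `v.log != nil` guards, so the non-nil invariant now rests solely on NewValidator substituting nopAttestationLogger, and a Validator built by struct literal (tests included) with a nil log would panic at the first Infof — a `// never nil; NewValidator substitutes nopAttestationLogger` comment on the `log` field (outside this hunk) would make that explicit. If the module already targets Go 1.18 or later, the nop methods could use `any` instead of `interface{}`. Validate's body continues outside the hunk.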


@ -93,40 +93,43 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
log.Infof("Requesting measurement secret") log.Infof("Requesting measurement secret")
measurementSecret, err := s.dataKeyGetter.GetDataKey(ctx, attestation.MeasurementSecretContext, crypto.DerivedKeyLengthDefault) measurementSecret, err := s.dataKeyGetter.GetDataKey(ctx, attestation.MeasurementSecretContext, crypto.DerivedKeyLengthDefault)
if err != nil { if err != nil {
log.With(zap.Error(err)).Errorf("Unable to get measurement secret") log.With(zap.Error(err)).Errorf("Failed to get measurement secret")
return nil, status.Errorf(codes.Internal, "unable to get measurement secret: %s", err) return nil, status.Errorf(codes.Internal, "getting measurement secret: %s", err)
} }
log.Infof("Requesting disk encryption key") log.Infof("Requesting disk encryption key")
stateDiskKey, err := s.dataKeyGetter.GetDataKey(ctx, req.DiskUuid, crypto.StateDiskKeyLength) stateDiskKey, err := s.dataKeyGetter.GetDataKey(ctx, req.DiskUuid, crypto.StateDiskKeyLength)
if err != nil { if err != nil {
log.With(zap.Error(err)).Errorf("Unable to get key for stateful disk") log.With(zap.Error(err)).Errorf("Failed to get key for stateful disk")
return nil, status.Errorf(codes.Internal, "unable to get key for stateful disk: %s", err) return nil, status.Errorf(codes.Internal, "getting key for stateful disk: %s", err)
} }
log.Infof("Creating Kubernetes join token") log.Infof("Creating Kubernetes join token")
kubeArgs, err := s.joinTokenGetter.GetJoinToken(constants.KubernetesJoinTokenTTL) kubeArgs, err := s.joinTokenGetter.GetJoinToken(constants.KubernetesJoinTokenTTL)
if err != nil { if err != nil {
log.With(zap.Error(err)).Errorf("Unable to generate Kubernetes join arguments") log.With(zap.Error(err)).Errorf("Failed to generate Kubernetes join arguments")
return nil, status.Errorf(codes.Internal, "unable to generate Kubernetes join arguments: %s", err) return nil, status.Errorf(codes.Internal, "generating Kubernetes join arguments: %s", err)
} }
log.Infof("Querying NodeVersion CR for components ConfigMap name") log.Infof("Querying NodeVersion custom resource for components ConfigMap name")
componentsConfigMapName, err := s.getK8sComponentsConfigMapName(ctx) componentsConfigMapName, err := s.getK8sComponentsConfigMapName(ctx)
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "unable to get components ConfigMap name: %s", err) log.With(zap.Error(err)).Errorf("Failed getting components ConfigMap name")
return nil, status.Errorf(codes.Internal, "getting components ConfigMap name: %s", err)
} }
log.Infof("Querying %s ConfigMap for components", componentsConfigMapName) log.Infof("Querying %s ConfigMap for components", componentsConfigMapName)
components, err := s.kubeClient.GetComponents(ctx, componentsConfigMapName) components, err := s.kubeClient.GetComponents(ctx, componentsConfigMapName)
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "unable to get components: %s", err) log.With(zap.Error(err)).Errorf("Failed getting components from ConfigMap")
return nil, status.Errorf(codes.Internal, "getting components: %s", err)
} }
log.Infof("Creating signed kubelet certificate") log.Infof("Creating signed kubelet certificate")
kubeletCert, err := s.ca.GetCertificate(req.CertificateRequest) kubeletCert, err := s.ca.GetCertificate(req.CertificateRequest)
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "unable to generate kubelet certificate: %s", err) log.With(zap.Error(err)).Errorf("Failed generating kubelet certificate")
return nil, status.Errorf(codes.Internal, "Generating kubelet certificate: %s", err)
} }
var controlPlaneFiles []*joinproto.ControlPlaneCertOrKey var controlPlaneFiles []*joinproto.ControlPlaneCertOrKey
@ -135,7 +138,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
filesMap, err := s.joinTokenGetter.GetControlPlaneCertificatesAndKeys() filesMap, err := s.joinTokenGetter.GetControlPlaneCertificatesAndKeys()
if err != nil { if err != nil {
log.With(zap.Error(err)).Errorf("Failed to load control plane certificates and keys") log.With(zap.Error(err)).Errorf("Failed to load control plane certificates and keys")
return nil, status.Errorf(codes.Internal, "ActivateControlPlane failed: %s", err) return nil, status.Errorf(codes.Internal, "loading control-plane certificates and keys: %s", err)
} }
for k, v := range filesMap { for k, v := range filesMap {
@ -148,11 +151,13 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
nodeName, err := s.ca.GetNodeNameFromCSR(req.CertificateRequest) nodeName, err := s.ca.GetNodeNameFromCSR(req.CertificateRequest)
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "unable to get node name from CSR: %s", err) log.With(zap.Error(err)).Errorf("Failed getting node name from CSR")
return nil, status.Errorf(codes.Internal, "getting node name from CSR: %s", err)
} }
if err := s.kubeClient.AddNodeToJoiningNodes(ctx, nodeName, componentsConfigMapName, req.IsControlPlane); err != nil { if err := s.kubeClient.AddNodeToJoiningNodes(ctx, nodeName, componentsConfigMapName, req.IsControlPlane); err != nil {
return nil, status.Errorf(codes.Internal, "unable to add node to joining nodes: %s", err) log.With(zap.Error(err)).Errorf("Failed adding node to joining nodes")
return nil, status.Errorf(codes.Internal, "adding node to joining nodes: %s", err)
} }
log.Infof("IssueJoinTicket successful") log.Infof("IssueJoinTicket successful")
@ -188,6 +193,7 @@ func (s *Server) IssueRejoinTicket(ctx context.Context, req *joinproto.IssueRejo
return nil, status.Errorf(codes.Internal, "unable to get key for stateful disk: %s", err) return nil, status.Errorf(codes.Internal, "unable to get key for stateful disk: %s", err)
} }
log.Infof("IssueRejoinTicket successful")
return &joinproto.IssueRejoinTicketResponse{ return &joinproto.IssueRejoinTicketResponse{
StateDiskKey: stateDiskKey, StateDiskKey: stateDiskKey,
MeasurementSecret: measurementSecret, MeasurementSecret: measurementSecret,