Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

config: sign Azure versions on upload & verify on fetch (#1836)

Browse Source 
* add SignContent() + integrate into configAPI

* use static client for upload versions tool; fix staticupload calleeReference bug

* use version to get proper cosign pub key.

* mock fetcher in CLI tests

* only provide config.New constructor with fetcher

Co-authored-by: Otto Bittner <cobittner@posteo.net>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
This commit is contained in:
Adrian Stobbe 2023-06-01 13:55:46 +02:00 committed by GitHub
parent e0285c122e
commit b51cc52945
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
55 changed files with 752 additions and 308 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
bazel/toolchains/go_module_deps.bzl
View File

@ -754,8 +754,8 @@ def go_dependencies():
build_file_generation = "on",
build_file_proto_mode = "disable_global",
importpath = "github.com/Azure/go-autorest/autorest/azure/auth",
sum = "h1:P6bYXFoao05z5uhOQzbC3Qd8JqF3jUoocoTeIxkp2cA=",
version = "v0.5.11",
sum = "h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk=",
version = "v0.5.12",
)
go_repository(
name = "com_github_azure_go_autorest_autorest_azure_cli",
@ -929,6 +929,7 @@ def go_dependencies():
sum = "h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o=",
version = "v0.0.0-20151223152923-e2c28503fcd0",
)
go_repository(
name = "com_github_burntsushi_toml",
build_file_generation = "on",
@ -1109,6 +1110,7 @@ def go_dependencies():
sum = "h1:64sn2K3UKw8NbP/blsixRpF3nXuyhz/VjRlRzvlBRu4=",
version = "v0.9.1",
)
go_repository(
name = "com_github_clbanning_x2j",
build_file_generation = "on",
@ -1575,6 +1577,7 @@ def go_dependencies():
sum = "h1:RSohk2RsiZqLZ0zCjtfn3S4Gp4exhpBWHyQ7D0yGjAk=",
version = "v0.9.0",
)
go_repository(
name = "com_github_devigned_tab",
build_file_generation = "on",
@ -1790,6 +1793,7 @@ def go_dependencies():
sum = "h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ=",
version = "v3.10.1",
)
go_repository(
name = "com_github_emirpasic_gods",
build_file_generation = "on",
@ -2692,8 +2696,8 @@ def go_dependencies():
build_file_generation = "on",
build_file_proto_mode = "disable_global",
importpath = "github.com/google/go-containerregistry",
sum = "h1:z58vMqHxuwvAsVwvKEkmVBz2TlgBgH5k6koEXBtlYkw=",
version = "v0.14.0",
sum = "h1:gMlTWagRJgCJ3EnISyF5+p9phYpFyWEI70Z56T+o2MY=",
version = "v0.14.1-0.20230409045903-ed5c185df419",
)
go_repository(
name = "com_github_google_go_github_v28",
@ -2703,6 +2707,7 @@ def go_dependencies():
sum = "h1:kORf5ekX5qwXO2mGzXXOjMe/g6ap8ahVe0sBEulhSxo=",
version = "v28.1.1",
)
go_repository(
name = "com_github_google_go_licenses",
build_file_generation = "on",
@ -3583,6 +3588,7 @@ def go_dependencies():
sum = "h1:UKkYhof1njT1/xq4SEg5z+VpTgjmNeHwPGRQl7takDI=",
version = "v0.0.0-20161109143554-76bb4ee9f0ab",
)
go_repository(
name = "com_github_jellydator_ttlcache_v3",
build_file_generation = "on",
@ -4371,8 +4377,8 @@ def go_dependencies():
build_file_generation = "on",
build_file_proto_mode = "disable_global",
importpath = "github.com/mitchellh/go-wordwrap",
sum = "h1:6GlHJ/LTGMrIJbwgdqdl2eEH8o+Exx/0m8ir9Gns0u4=",
version = "v1.0.0",
sum = "h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=",
version = "v1.0.1",
)
go_repository(
name = "com_github_mitchellh_gox",
@ -5083,6 +5089,7 @@ def go_dependencies():
sum = "h1:YZcsG11NqnK4czYLrWd9mpEuAJIHVQLwdrleYfszMAA=",
version = "v0.7.1",
)
go_repository(
name = "com_github_protonmail_go_crypto",
build_file_generation = "on",
@ -5248,6 +5255,7 @@ def go_dependencies():
sum = "h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=",
version = "v1.0.0",
)
go_repository(
name = "com_github_samuel_go_zookeeper",
build_file_generation = "on",
@ -5490,6 +5498,7 @@ def go_dependencies():
sum = "h1:jH4AzR7qlEH/EWzm+opSpxCfuUcjHL+LJPuQE7h40WE=",
version = "v1.6.4",
)
go_repository(
name = "com_github_sirupsen_logrus",
build_file_generation = "on",
@ -5619,6 +5628,7 @@ def go_dependencies():
sum = "h1:js3yy885G8xwJa6iOISGFwd+qlUo5AvyXb7CiihdtiU=",
version = "v1.15.0",
)
go_repository(
name = "com_github_src_d_gcfg",
build_file_generation = "on",
@ -5939,6 +5949,7 @@ def go_dependencies():
sum = "h1:eR9jm8DVMdrDUuVji4eOxPK4r/dANDlDBdISSUUV96s=",
version = "v0.20.1-0.20221031080346-e4081aa8a6de",
)
go_repository(
name = "com_github_x448_float16",
build_file_generation = "on",
@ -6152,6 +6163,7 @@ def go_dependencies():
sum = "h1:FosyBZYxY34Wul7O/MSKey3txpPYyCqVO5ZyceuQJEI=",
version = "v0.0.0-20191215020915-b22d67c1ba0b",
)
go_repository(
name = "com_github_zeebo_xxh3",
build_file_generation = "on",
@ -8141,6 +8153,7 @@ def go_dependencies():
sum = "h1:5eeuG0BHx1+DHeT3AP+ISKZ2ht1UjGhm581ljqYpVeQ=",
version = "v0.0.0-20180518195852-02e53af36e6c",
)
go_repository(
name = "org_golang_google_api",
build_file_generation = "on",

1
cli/internal/cmd/BUILD.bazel
View File

@ -135,6 +135,7 @@ go_test(
"//cli/internal/terraform",
"//cli/internal/upgrade",
"//disk-mapper/recoverproto",
"//internal/api/configapi",
"//internal/api/versionsapi",
"//internal/atls",
"//internal/attestation/measurements",

10
cli/internal/cmd/configfetchmeasurements.go
View File

@ -15,6 +15,7 @@ import (
"time"
"github.com/edgelesssys/constellation/v2/cli/internal/featureset"
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
"github.com/edgelesssys/constellation/v2/internal/config"
@ -64,12 +65,13 @@ func runConfigFetchMeasurements(cmd *cobra.Command, _ []string) error {
}
cfm := &configFetchMeasurementsCmd{log: log, canFetchMeasurements: featureset.CanFetchMeasurements}
return cfm.configFetchMeasurements(cmd, sigstore.CosignVerifier{}, rekor, fileHandler, http.DefaultClient)
fetcher := fetcher.NewConfigAPIFetcherWithClient(http.DefaultClient)
return cfm.configFetchMeasurements(cmd, sigstore.CosignVerifier{}, rekor, fileHandler, fetcher, http.DefaultClient)
}
func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(
cmd *cobra.Command, cosign cosignVerifier, rekor rekorVerifier,
fileHandler file.Handler, client *http.Client,
fileHandler file.Handler, fetcher fetcher.ConfigAPIFetcher, client *http.Client,
) error {
flags, err := cfm.parseFetchMeasurementsFlags(cmd)
if err != nil {
@ -83,7 +85,8 @@ func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(
}
cfm.log.Debugf("Loading configuration file from %q", flags.configPath)
conf, err := config.NewWithClient(fileHandler, flags.configPath, client, flags.force)
conf, err := config.New(fileHandler, flags.configPath, fetcher, flags.force)
var configValidationErr *config.ValidationError
if errors.As(err, &configValidationErr) {
cmd.PrintErrln(configValidationErr.LongMessage())
@ -110,6 +113,7 @@ func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(
if err != nil {
return err
}
var fetchedMeasurements measurements.M
hash, err := fetchedMeasurements.FetchAndVerify(
ctx, client, cosign,

29
cli/internal/cmd/configfetchmeasurements_test.go
View File

@ -8,6 +8,7 @@ package cmd
import (
"bytes"
"context"
"errors"
"fmt"
"io"
@ -15,6 +16,7 @@ import (
"net/url"
"testing"
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/config"
@ -279,7 +281,7 @@ func TestConfigFetchMeasurements(t *testing.T) {
require.NoError(err)
cfm := &configFetchMeasurementsCmd{canFetchMeasurements: true, log: logger.NewTest(t)}
err = cfm.configFetchMeasurements(cmd, tc.cosign, tc.rekor, fileHandler, client)
err = cfm.configFetchMeasurements(cmd, tc.cosign, tc.rekor, fileHandler, fakeConfigFetcher{}, client)
if tc.wantErr {
assert.Error(err)
return
@ -288,3 +290,28 @@ func TestConfigFetchMeasurements(t *testing.T) {
})
}
}
type fakeConfigFetcher struct{}
func (f fakeConfigFetcher) FetchAzureSEVSNPVersionList(_ context.Context, _ configapi.AzureSEVSNPVersionList) (configapi.AzureSEVSNPVersionList, error) {
return configapi.AzureSEVSNPVersionList(
[]string{},
), nil
}
func (f fakeConfigFetcher) FetchAzureSEVSNPVersion(_ context.Context, _ configapi.AzureSEVSNPVersionGet, _ versionsapi.Version) (configapi.AzureSEVSNPVersionGet, error) {
return configapi.AzureSEVSNPVersionGet{
AzureSEVSNPVersion: testCfg,
}, nil
}
func (f fakeConfigFetcher) FetchLatestAzureSEVSNPVersion(_ context.Context, _ versionsapi.Version) (configapi.AzureSEVSNPVersion, error) {
return testCfg, nil
}
var testCfg = configapi.AzureSEVSNPVersion{
Microcode: 93,
TEE: 0,
SNP: 6,
Bootloader: 2,
}

9
cli/internal/cmd/create.go
View File

@ -13,6 +13,7 @@ import (
"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/config"
"github.com/edgelesssys/constellation/v2/internal/constants"
@ -58,11 +59,11 @@ func runCreate(cmd *cobra.Command, _ []string) error {
fileHandler := file.NewHandler(afero.NewOsFs())
creator := cloudcmd.NewCreator(spinner)
c := &createCmd{log: log}
return c.create(cmd, creator, fileHandler, spinner)
fetcher := fetcher.NewConfigAPIFetcher()
return c.create(cmd, creator, fileHandler, spinner, fetcher)
}
func (c *createCmd) create(cmd *cobra.Command, creator cloudCreator, fileHandler file.Handler, spinner spinnerInterf,
) (retErr error) {
func (c *createCmd) create(cmd *cobra.Command, creator cloudCreator, fileHandler file.Handler, spinner spinnerInterf, fetcher fetcher.ConfigAPIFetcher) (retErr error) {
flags, err := c.parseCreateFlags(cmd)
if err != nil {
return err
@ -73,7 +74,7 @@ func (c *createCmd) create(cmd *cobra.Command, creator cloudCreator, fileHandler
}
c.log.Debugf("Loading configuration file from %q", flags.configPath)
conf, err := config.New(fileHandler, flags.configPath, flags.force)
conf, err := config.New(fileHandler, flags.configPath, fetcher, flags.force)
c.log.Debugf("Configuration file loaded: %+v", conf)
var configValidationErr *config.ValidationError
if errors.As(err, &configValidationErr) {

2
cli/internal/cmd/create_test.go
View File

@ -202,7 +202,7 @@ func TestCreate(t *testing.T) {
fileHandler := file.NewHandler(tc.setupFs(require, tc.provider))
c := &createCmd{log: logger.NewTest(t)}
err := c.create(cmd, tc.creator, fileHandler, &nopSpinner{})
err := c.create(cmd, tc.creator, fileHandler, &nopSpinner{}, fakeConfigFetcher{})
if tc.wantErr {
assert.Error(err)

8
cli/internal/cmd/init.go
View File

@ -19,6 +19,7 @@ import (
"text/tabwriter"
"time"
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
"github.com/edgelesssys/constellation/v2/internal/atls"
"github.com/edgelesssys/constellation/v2/internal/compatibility"
@ -97,12 +98,13 @@ func runInitialize(cmd *cobra.Command, _ []string) error {
defer cancel()
cmd.SetContext(ctx)
i := &initCmd{log: log, spinner: spinner, merger: &kubeconfigMerger{log: log}, fh: &fileHandler}
return i.initialize(cmd, newDialer, fileHandler, license.NewClient())
fetcher := fetcher.NewConfigAPIFetcher()
return i.initialize(cmd, newDialer, fileHandler, license.NewClient(), fetcher)
}
// initialize initializes a Constellation.
func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator atls.Validator) *dialer.Dialer,
fileHandler file.Handler, quotaChecker license.QuotaChecker,
fileHandler file.Handler, quotaChecker license.QuotaChecker, configFetcher fetcher.ConfigAPIFetcher,
) error {
flags, err := i.evalFlagArgs(cmd)
if err != nil {
@ -110,7 +112,7 @@ func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator atls.V
}
i.log.Debugf("Using flags: %+v", flags)
i.log.Debugf("Loading configuration file from %q", flags.configPath)
conf, err := config.New(fileHandler, flags.configPath, flags.force)
conf, err := config.New(fileHandler, flags.configPath, configFetcher, flags.force)
var configValidationErr *config.ValidationError
if errors.As(err, &configValidationErr) {
cmd.PrintErrln(configValidationErr.LongMessage())

4
cli/internal/cmd/init_test.go
View File

@ -175,7 +175,7 @@ func TestInitialize(t *testing.T) {
defer cancel()
cmd.SetContext(ctx)
i := &initCmd{log: logger.NewTest(t), spinner: &nopSpinner{}}
err := i.initialize(cmd, newDialer, fileHandler, &stubLicenseClient{})
err := i.initialize(cmd, newDialer, fileHandler, &stubLicenseClient{}, fakeConfigFetcher{})
if tc.wantErr {
assert.Error(err)
@ -519,7 +519,7 @@ func TestAttestation(t *testing.T) {
cmd.SetContext(ctx)
i := &initCmd{log: logger.NewTest(t), spinner: &nopSpinner{}}
err := i.initialize(cmd, newDialer, fileHandler, &stubLicenseClient{})
err := i.initialize(cmd, newDialer, fileHandler, &stubLicenseClient{}, fakeConfigFetcher{})
assert.Error(err)
// make sure the error is actually a TLS handshake error
assert.Contains(err.Error(), "transport: authentication handshake failed")

10
cli/internal/cmd/miniup.go
View File

@ -15,6 +15,7 @@ import (
"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
"github.com/edgelesssys/constellation/v2/cli/internal/libvirt"
"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
"github.com/edgelesssys/constellation/v2/internal/atls"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/config"
@ -44,7 +45,8 @@ func newMiniUpCmd() *cobra.Command {
}
type miniUpCmd struct {
log debugLog
log debugLog
configFetcher fetcher.ConfigAPIFetcher
}
func runUp(cmd *cobra.Command, _ []string) error {
@ -60,7 +62,7 @@ func runUp(cmd *cobra.Command, _ []string) error {
defer spinner.Stop()
creator := cloudcmd.NewCreator(spinner)
m := &miniUpCmd{log: log}
m := &miniUpCmd{log: log, configFetcher: fetcher.NewConfigAPIFetcher()}
return m.up(cmd, creator, spinner)
}
@ -110,7 +112,7 @@ func (m *miniUpCmd) up(cmd *cobra.Command, creator cloudCreator, spinner spinner
func (m *miniUpCmd) prepareConfig(cmd *cobra.Command, fileHandler file.Handler, flags upFlags) (*config.Config, error) {
// check for existing config
if flags.configPath != "" {
conf, err := config.New(fileHandler, flags.configPath, flags.force)
conf, err := config.New(fileHandler, flags.configPath, m.configFetcher, flags.force)
var configValidationErr *config.ValidationError
if errors.As(err, &configValidationErr) {
cmd.PrintErrln(configValidationErr.LongMessage())
@ -203,7 +205,7 @@ func (m *miniUpCmd) initializeMiniCluster(cmd *cobra.Command, fileHandler file.H
m.log.Debugf("Created new logger")
defer log.Sync()
i := &initCmd{log: log, merger: &kubeconfigMerger{log: log}, spinner: spinner}
if err := i.initialize(cmd, newDialer, fileHandler, license.NewClient()); err != nil {
if err := i.initialize(cmd, newDialer, fileHandler, license.NewClient(), m.configFetcher); err != nil {
return err
}
m.log.Debugf("Initialized mini cluster")

8
cli/internal/cmd/recover.go
View File

@ -18,6 +18,7 @@ import (
"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
"github.com/edgelesssys/constellation/v2/disk-mapper/recoverproto"
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
"github.com/edgelesssys/constellation/v2/internal/atls"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/config"
@ -48,7 +49,8 @@ func NewRecoverCmd() *cobra.Command {
}
type recoverCmd struct {
log debugLog
log debugLog
configFetcher fetcher.ConfigAPIFetcher
}
func runRecover(cmd *cobra.Command, _ []string) error {
@ -61,7 +63,7 @@ func runRecover(cmd *cobra.Command, _ []string) error {
newDialer := func(validator atls.Validator) *dialer.Dialer {
return dialer.New(nil, validator, &net.Dialer{})
}
r := &recoverCmd{log: log}
r := &recoverCmd{log: log, configFetcher: fetcher.NewConfigAPIFetcher()}
return r.recover(cmd, fileHandler, 5*time.Second, &recoverDoer{log: r.log}, newDialer)
}
@ -82,7 +84,7 @@ func (r *recoverCmd) recover(
}
r.log.Debugf("Loading configuration file from %q", flags.configPath)
conf, err := config.New(fileHandler, flags.configPath, flags.force)
conf, err := config.New(fileHandler, flags.configPath, r.configFetcher, flags.force)
var configValidationErr *config.ValidationError
if errors.As(err, &configValidationErr) {
cmd.PrintErrln(configValidationErr.LongMessage())

2
cli/internal/cmd/recover_test.go
View File

@ -163,7 +163,7 @@ func TestRecover(t *testing.T) {
))
newDialer := func(atls.Validator) *dialer.Dialer { return nil }
r := &recoverCmd{log: logger.NewTest(t)}
r := &recoverCmd{log: logger.NewTest(t), configFetcher: fakeConfigFetcher{}}
err := r.recover(cmd, fileHandler, time.Millisecond, tc.doer, newDialer)
if tc.wantErr {
assert.Error(err)

17
cli/internal/cmd/upgradeapply.go
View File

@ -19,6 +19,7 @@ import (
"github.com/edgelesssys/constellation/v2/cli/internal/kubernetes"
"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
"github.com/edgelesssys/constellation/v2/cli/internal/upgrade"
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/compatibility"
"github.com/edgelesssys/constellation/v2/internal/config"
@ -65,16 +66,18 @@ func runUpgradeApply(cmd *cobra.Command, _ []string) error {
return err
}
fetcher := imagefetcher.New()
imagefetcher := imagefetcher.New()
configFetcher := fetcher.NewConfigAPIFetcher()
applyCmd := upgradeApplyCmd{upgrader: upgrader, log: log, fetcher: fetcher}
applyCmd := upgradeApplyCmd{upgrader: upgrader, log: log, imageFetcher: imagefetcher, configFetcher: configFetcher}
return applyCmd.upgradeApply(cmd, fileHandler)
}
type upgradeApplyCmd struct {
upgrader cloudUpgrader
fetcher imageFetcher
log debugLog
upgrader cloudUpgrader
imageFetcher imageFetcher
configFetcher fetcher.ConfigAPIFetcher
log debugLog
}
func (u *upgradeApplyCmd) upgradeApply(cmd *cobra.Command, fileHandler file.Handler) error {
@ -82,7 +85,7 @@ func (u *upgradeApplyCmd) upgradeApply(cmd *cobra.Command, fileHandler file.Hand
if err != nil {
return fmt.Errorf("parsing flags: %w", err)
}
conf, err := config.New(fileHandler, flags.configPath, flags.force)
conf, err := config.New(fileHandler, flags.configPath, u.configFetcher, flags.force)
var configValidationErr *config.ValidationError
if errors.As(err, &configValidationErr) {
cmd.PrintErrln(configValidationErr.LongMessage())
@ -102,7 +105,7 @@ func (u *upgradeApplyCmd) upgradeApply(cmd *cobra.Command, fileHandler file.Hand
return fmt.Errorf("upgrading measurements: %w", err)
}
if err := u.migrateTerraform(cmd, fileHandler, u.fetcher, conf, flags); err != nil {
if err := u.migrateTerraform(cmd, fileHandler, u.imageFetcher, conf, flags); err != nil {
return fmt.Errorf("performing Terraform migrations: %w", err)
}

2
cli/internal/cmd/upgradeapply_test.go
View File

@ -142,7 +142,7 @@ func TestUpgradeApply(t *testing.T) {
require.NoError(handler.WriteYAML(constants.ConfigFilename, cfg))
require.NoError(handler.WriteJSON(constants.ClusterIDsFileName, clusterid.File{}))
upgrader := upgradeApplyCmd{upgrader: tc.upgrader, log: logger.NewTest(t), fetcher: tc.fetcher}
upgrader := upgradeApplyCmd{upgrader: tc.upgrader, log: logger.NewTest(t), imageFetcher: tc.fetcher, configFetcher: fakeConfigFetcher{}}
err := upgrader.upgradeApply(cmd, handler)
if tc.wantErr {
assert.Error(err)

6
cli/internal/cmd/upgradecheck.go
View File

@ -91,7 +91,7 @@ func runUpgradeCheck(cmd *cobra.Command, _ []string) error {
log: log,
}
return up.upgradeCheck(cmd, fileHandler, flags)
return up.upgradeCheck(cmd, fileHandler, fetcher.NewConfigAPIFetcher(), flags)
}
func parseUpgradeCheckFlags(cmd *cobra.Command) (upgradeCheckFlags, error) {
@ -131,8 +131,8 @@ type upgradeCheckCmd struct {
}
// upgradePlan plans an upgrade of a Constellation cluster.
func (u *upgradeCheckCmd) upgradeCheck(cmd *cobra.Command, fileHandler file.Handler, flags upgradeCheckFlags) error {
conf, err := config.New(fileHandler, flags.configPath, flags.force)
func (u *upgradeCheckCmd) upgradeCheck(cmd *cobra.Command, fileHandler file.Handler, fetcher fetcher.ConfigAPIFetcher, flags upgradeCheckFlags) error {
conf, err := config.New(fileHandler, flags.configPath, fetcher, flags.force)
var configValidationErr *config.ValidationError
if errors.As(err, &configValidationErr) {
cmd.PrintErrln(configValidationErr.LongMessage())

2
cli/internal/cmd/upgradecheck_test.go
View File

@ -271,7 +271,7 @@ func TestUpgradeCheck(t *testing.T) {
cmd := newUpgradeCheckCmd()
err := checkCmd.upgradeCheck(cmd, fileHandler, tc.flags)
err := checkCmd.upgradeCheck(cmd, fileHandler, fakeConfigFetcher{}, tc.flags)
if tc.wantError {
assert.Error(err)
return

8
cli/internal/cmd/verify.go
View File

@ -21,6 +21,7 @@ import (
"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
"github.com/edgelesssys/constellation/v2/internal/atls"
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
"github.com/edgelesssys/constellation/v2/internal/config"
@ -71,10 +72,11 @@ func runVerify(cmd *cobra.Command, _ []string) error {
}
v := &verifyCmd{log: log}
return v.verify(cmd, fileHandler, verifyClient, formatter)
fetcher := fetcher.NewConfigAPIFetcher()
return v.verify(cmd, fileHandler, verifyClient, formatter, fetcher)
}
func (c *verifyCmd) verify(cmd *cobra.Command, fileHandler file.Handler, verifyClient verifyClient, formatter attestationDocFormatter) error {
func (c *verifyCmd) verify(cmd *cobra.Command, fileHandler file.Handler, verifyClient verifyClient, formatter attestationDocFormatter, configFetcher fetcher.ConfigAPIFetcher) error {
flags, err := c.parseVerifyFlags(cmd, fileHandler)
if err != nil {
return fmt.Errorf("parsing flags: %w", err)
@ -82,7 +84,7 @@ func (c *verifyCmd) verify(cmd *cobra.Command, fileHandler file.Handler, verifyC
c.log.Debugf("Using flags: %+v", flags)
c.log.Debugf("Loading configuration file from %q", flags.configPath)
conf, err := config.New(fileHandler, flags.configPath, flags.force)
conf, err := config.New(fileHandler, flags.configPath, configFetcher, flags.force)
var configValidationErr *config.ValidationError
if errors.As(err, &configValidationErr) {
cmd.PrintErrln(configValidationErr.LongMessage())

2
cli/internal/cmd/verify_test.go
View File

@ -190,7 +190,7 @@ func TestVerify(t *testing.T) {
}
v := &verifyCmd{log: logger.NewTest(t)}
err := v.verify(cmd, fileHandler, tc.protoClient, tc.formatter)
err := v.verify(cmd, fileHandler, tc.protoClient, tc.formatter, fakeConfigFetcher{})
if tc.wantErr {
assert.Error(err)

1
cli/internal/terraform/terraform/aws/.terraform.lock.hcl
View File

@ -13,6 +13,7 @@ provider "registry.terraform.io/hashicorp/aws" {
"h1:Ohs//YZd3vzB0upovYRptLX5mTFKeyxFbeHgGajGj/A=",
"h1:P43vwcDPG99x5WBbmqwUPgfJrfXf6/ucAIbGlRb7k1w=",
"h1:QckVBFBnlQW8R0QvVqyad/9XNKsSistTpWhnoyeofcU=",
"h1:Qkd8amST1EcMx+aLmCnBvPXdANL5nIx9rqUFRElvz0U=",
"h1:X3t1gUv5lJkCyzE/q/LbZzhNd55SD8M0liZfI3D76b0=",
"h1:dCRc4GqsyfqHEMjgtlM1EympBcgTmcTkWaJmtd91+KA=",
"h1:kxoaBW0OshdCEVEBM7d3eUGoiT8Lqmray9WkRYiQ28U=",

1
cli/internal/terraform/terraform/azure/.terraform.lock.hcl
View File

@ -12,6 +12,7 @@ provider "registry.terraform.io/hashicorp/azurerm" {
"h1:LEcmSqmNoexpH6NuglCS8dwLyZctQ6YAee2B9FL/9Cc=",
"h1:X4oTXB0Nv+FZ61FMKSObEwi+OSVyKYT+gNLTQilwq3g=",
"h1:j262GXstvnzNNRgVQ5ednS700xOjcMaUIvvUaMVD4Qk=",
"h1:narFXZvEqzmNRVaeU7l35V1DGlyvxtOw7gCzvAAWRGA=",
"h1:opIai9BbFwYAGmGhpMqvOKrqRLWscuIM3YI8Gt4ZPMw=",
"h1:qoV9BwWKSQ2znS9w9o8XTfUKSawX3tZlKRy36AkyNwg=",
"h1:yqO/Wvcqzt1bkeDE7ShsUBYPOllBDrOSmS9YFFiKAxc=",

1
debugd/internal/cdbg/cmd/BUILD.bazel
View File

@ -14,6 +14,7 @@ go_library(
"//debugd/internal/filetransfer",
"//debugd/internal/filetransfer/streamer",
"//debugd/service",
"//internal/api/fetcher",
"//internal/config",
"//internal/constants",
"//internal/file",

3
debugd/internal/cdbg/cmd/deploy.go
View File

@ -20,6 +20,7 @@ import (
"github.com/edgelesssys/constellation/v2/debugd/internal/filetransfer"
"github.com/edgelesssys/constellation/v2/debugd/internal/filetransfer/streamer"
pb "github.com/edgelesssys/constellation/v2/debugd/service"
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
"github.com/edgelesssys/constellation/v2/internal/config"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/file"
@ -68,7 +69,7 @@ func runDeploy(cmd *cobra.Command, _ []string) error {
fileHandler := file.NewHandler(fs)
streamer := streamer.New(fs)
transfer := filetransfer.New(log, streamer, filetransfer.ShowProgress)
constellationConfig, err := config.New(fileHandler, configName, force)
constellationConfig, err := config.New(fileHandler, configName, fetcher.NewConfigAPIFetcher(), force)
var configValidationErr *config.ValidationError
if errors.As(err, &configValidationErr) {
cmd.PrintErrln(configValidationErr.LongMessage())

1
e2e/internal/upgrade/BUILD.bazel
View File

@ -38,6 +38,7 @@ go_test(
tags = ["manual"],
deps = [
"//e2e/internal/kubectl",
"//internal/api/fetcher",
"//internal/config",
"//internal/constants",
"//internal/file",

4
e2e/internal/upgrade/upgrade_test.go
View File

@ -21,6 +21,7 @@ import (
"time"
"github.com/edgelesssys/constellation/v2/e2e/internal/kubectl"
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
"github.com/edgelesssys/constellation/v2/internal/config"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/file"
@ -232,7 +233,8 @@ func testNodesEventuallyAvailable(t *testing.T, k *kubernetes.Clientset, wantCon
func writeUpgradeConfig(require *require.Assertions, image string, kubernetes string, microservices string) versionContainer {
fileHandler := file.NewHandler(afero.NewOsFs())
cfg, err := config.New(fileHandler, constants.ConfigFilename, true)
fetcher := fetcher.NewConfigAPIFetcher()
cfg, err := config.New(fileHandler, constants.ConfigFilename, fetcher, true)
var cfgErr *config.ValidationError
var longMsg string
if errors.As(err, &cfgErr) {

10
go.mod
View File

@ -148,7 +148,7 @@ require (
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest v0.11.29 // indirect
github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect
github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
@ -226,14 +226,14 @@ require (
github.com/google/gnostic v0.5.7-v3refs // indirect
github.com/google/go-attestation v0.4.4-0.20221011162210-17f9c05652a9 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/go-containerregistry v0.14.0 // indirect
github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419 // indirect
github.com/google/go-sev-guest v0.4.1 // indirect
github.com/google/go-tspi v0.3.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/logger v1.1.1 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/google/trillian v1.5.2 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/google/uuid v1.3.0
github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
github.com/gophercloud/gophercloud v1.3.0
github.com/gophercloud/utils v0.0.0-20230418172808-6eab72e966e1
@ -270,7 +270,7 @@ require (
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/go-wordwrap v1.0.0 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/locker v1.0.1 // indirect
@ -303,7 +303,7 @@ require (
github.com/sirupsen/logrus v1.9.0 // indirect
github.com/spf13/cast v1.5.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/theupdateframework/go-tuf v0.5.2 // indirect
github.com/theupdateframework/go-tuf v0.5.2
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
github.com/vtolstov/go-ioctl v0.0.0-20151206205506-6be9cced4810 // indirect

12
go.sum
View File

@ -127,8 +127,8 @@ github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBW
github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
github.com/Azure/go-autorest/autorest/adal v0.9.22 h1:/GblQdIudfEM3AWWZ0mrYJQSd7JS4S/Mbzh6F0ov0Xc=
github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk=
github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 h1:P6bYXFoao05z5uhOQzbC3Qd8JqF3jUoocoTeIxkp2cA=
github.com/Azure/go-autorest/autorest/azure/auth v0.5.11/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg=
github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk=
github.com/Azure/go-autorest/autorest/azure/auth v0.5.12/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg=
github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg=
github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc=
github.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0=
@ -688,8 +688,8 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-containerregistry v0.14.0 h1:z58vMqHxuwvAsVwvKEkmVBz2TlgBgH5k6koEXBtlYkw=
github.com/google/go-containerregistry v0.14.0/go.mod h1:aiJ2fp/SXvkWgmYHioXnbMdlgB8eXiiYOY55gfN91Wk=
github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419 h1:gMlTWagRJgCJ3EnISyF5+p9phYpFyWEI70Z56T+o2MY=
github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419/go.mod h1:ETSJmRH9iO4Q0WQILIMkDUiKk+CaxItZW+gEDjyw8Ug=
github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM=
github.com/google/go-licenses v0.0.0-20210329231322-ce1d9163b77d/go.mod h1:+TYOmkVoJOpwnS0wfdsJCV9CoD5nJYsHoFk/0CrTK4M=
github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
@ -1036,8 +1036,8 @@ github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
github.com/mitchellh/go-wordwrap v1.0.0 h1:6GlHJ/LTGMrIJbwgdqdl2eEH8o+Exx/0m8ir9Gns0u4=
github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=

1
hack/azure-snp-report-verify/BUILD.bazel
View File

@ -6,6 +6,7 @@ go_library(
importpath = "github.com/edgelesssys/constellation/v2/hack/azure-snp-report-verify",
visibility = ["//visibility:private"],
deps = [
"//internal/api/configapi",
"@in_gopkg_square_go_jose_v2//:go-jose_v2",
"@in_gopkg_square_go_jose_v2//jwt",
],

29
hack/azure-snp-report-verify/verify.go
View File

@ -13,12 +13,14 @@ import (
"encoding/base64"
"encoding/json"
"errors"
"flag"
"fmt"
"io"
"net/http"
"os"
"time"
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
"gopkg.in/square/go-jose.v2"
"gopkg.in/square/go-jose.v2/jwt"
)
@ -43,6 +45,8 @@ func (i *IsolationTEE) PrintSVNs() {
}
func main() {
configAPIExportPath := flag.String("export-path", "azure-sev-snp-version.json", "Path to the exported config API file.")
flag.Parse()
if len(os.Args) != 2 {
fmt.Println("Usage:", os.Args[0], "<maa-jwt>")
return
@ -54,6 +58,31 @@ func main() {
fmt.Println("Successfully validated ID key digest:", report.IDKeyDigest)
fmt.Println("Currently reported SVNs:")
report.PrintSVNs()
if *configAPIExportPath != "" {
configAPIVersion := convertToConfigAPIFile(report)
if err := exportToJSONFile(configAPIVersion, *configAPIExportPath); err != nil {
panic(err)
}
fmt.Println("Successfully exported config API file to:", configAPIExportPath)
}
}
func convertToConfigAPIFile(i IsolationTEE) configapi.AzureSEVSNPVersion {
return configapi.AzureSEVSNPVersion{
Bootloader: uint8(i.BootloaderSvn),
TEE: uint8(i.TEESvn),
SNP: uint8(i.SNPFwSvn),
Microcode: uint8(i.MicrocodeSvn),
}
}
func exportToJSONFile(configAPIVersion configapi.AzureSEVSNPVersion, configAPIExportPath string) error {
data, err := json.Marshal(configAPIVersion)
if err != nil {
return err
}
return os.WriteFile(configAPIExportPath, data, 0o644)
}
func getTEEReport(rawToken string) (IsolationTEE, error) {

6
hack/configapi/BUILD.bazel
View File

@ -5,11 +5,7 @@ go_library(
srcs = ["main.go"],
importpath = "github.com/edgelesssys/constellation/v2/hack/configapi",
visibility = ["//visibility:private"],
deps = [
"//internal/api/configapi",
"//internal/kms/uri",
"@com_github_spf13_cobra//:cobra",
],
deps = ["//hack/configapi/cmd"],
)
go_binary(

13
hack/configapi/cmd/BUILD.bazel Normal file
View File

@ -0,0 +1,13 @@
load("@io_bazel_rules_go//go:def.bzl", "go_library")
go_library(
name = "cmd",
srcs = ["root.go"],
importpath = "github.com/edgelesssys/constellation/v2/hack/configapi/cmd",
visibility = ["//visibility:public"],
deps = [
"//internal/api/configapi",
"//internal/staticupload",
"@com_github_spf13_cobra//:cobra",
],
)

103
hack/configapi/cmd/root.go Normal file
View File

@ -0,0 +1,103 @@
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package cmd
import (
"encoding/json"
"fmt"
"os"
"time"
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
"github.com/edgelesssys/constellation/v2/internal/staticupload"
"github.com/spf13/cobra"
)
const (
awsRegion = "eu-central-1"
awsBucket = "cdn-constellation-backend"
invalidDefault = 0
envAwsKeyID = "AWS_ACCESS_KEY_ID"
envAwsKey = "AWS_ACCESS_KEY"
)
var (
versionFilePath string
// Cosign credentials.
cosignPwd string
privateKeyPath string
)
// Execute executes the root command.
func Execute() error {
return newRootCmd().Execute()
}
// newRootCmd creates the root command.
func newRootCmd() *cobra.Command {
rootCmd := &cobra.Command{
Use: "AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY upload -b 2 -t 0 -s 6 -m 93 --cosign-pwd $PWD --private-key $FILE_PATH",
Short: "Upload a set of versions specific to the azure-sev-snp attestation variant to the config api.",
Long: "Upload a set of versions specific to the azure-sev-snp attestation variant to the config api. Please authenticate with AWS through your preferred method (e.g. environment variables, CLI) to be able to upload to S3.",
RunE: runCmd,
}
rootCmd.PersistentFlags().StringVarP(&versionFilePath, "version-file", "f", "", "File path to the version json file.")
rootCmd.PersistentFlags().StringVar(&cosignPwd, "cosign-pwd", "", "Cosign password used to decrpyt the private key.")
rootCmd.PersistentFlags().StringVar(&privateKeyPath, "private-key", "", "File path of private key used to sign the payload.")
must(enforceRequiredFlags(rootCmd, "version-file", "cosign-pwd", "private-key"))
return rootCmd
}
func runCmd(cmd *cobra.Command, _ []string) error {
ctx := cmd.Context()
cfg := staticupload.Config{
Bucket: awsBucket,
Region: awsRegion,
}
privateKey, err := os.ReadFile(privateKeyPath)
if err != nil {
return fmt.Errorf("reading private key: %w", err)
}
versionBytes, err := os.ReadFile(versionFilePath)
if err != nil {
return fmt.Errorf("reading version file: %w", err)
}
var versions configapi.AzureSEVSNPVersion
err = json.Unmarshal(versionBytes, &versions)
if err != nil {
return fmt.Errorf("unmarshalling version file: %w", err)
}
sut, err := configapi.NewAttestationVersionRepo(ctx, cfg, []byte(cosignPwd), privateKey)
if err != nil {
return fmt.Errorf("creating repo: %w", err)
}
if err := sut.UploadAzureSEVSNP(ctx, versions, time.Now()); err != nil {
return fmt.Errorf("uploading version: %w", err)
}
cmd.Printf("Successfully uploaded new Azure SEV-SNP version: %+v\n", versions)
return nil
}
func enforceRequiredFlags(cmd *cobra.Command, flags ...string) error {
for _, flag := range flags {
if err := cmd.MarkPersistentFlagRequired(flag); err != nil {
return err
}
}
return nil
}
func must(err error) {
if err != nil {
panic(err)
}
}

81
hack/configapi/main.go
View File

@ -7,85 +7,14 @@ SPDX-License-Identifier: AGPL-3.0-only
package main
import (
"context"
"fmt"
"time"
"os"
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
"github.com/edgelesssys/constellation/v2/internal/kms/uri"
"github.com/spf13/cobra"
"github.com/edgelesssys/constellation/v2/hack/configapi/cmd"
)
const (
awsRegion = "eu-central-1"
awsBucket = "cdn-constellation-backend"
invalidDefault = 0
)
var (
// AWS S3 credentials.
awsAccessKeyID string
awsAccessKey string
// Azure SEV-SNP version numbers.
bootloaderVersion uint8
teeVersion uint8
snpVersion uint8
microcodeVersion uint8
)
func handleError(err error) {
if err != nil {
panic(err)
}
}
func main() {
myCmd := &cobra.Command{
Use: "upload a set of versions specific to the azure-sev-snp attestation variant to the config api",
Short: "upload a set of versions specific to the azure-sev-snp attestation variant to the config api",
Run: func(cmd *cobra.Command, args []string) {
ctx := context.Background()
cfg := uri.AWSS3Config{
Bucket: awsBucket,
AccessKeyID: awsAccessKeyID,
AccessKey: awsAccessKey,
Region: awsRegion,
}
sut, err := configapi.NewAttestationVersionRepo(ctx, cfg)
if err != nil {
panic(err)
}
versions := configapi.AzureSEVSNPVersion{
Bootloader: bootloaderVersion,
TEE: teeVersion,
SNP: snpVersion,
Microcode: microcodeVersion,
}
if err := sut.UploadAzureSEVSNP(ctx, versions, time.Now()); err != nil {
panic(err)
} else {
fmt.Println("Successfully uploaded version numbers", versions)
}
},
if err := cmd.Execute(); err != nil {
os.Exit(1)
}
myCmd.PersistentFlags().Uint8VarP(&bootloaderVersion, "bootloader-version", "b", invalidDefault, "Bootloader version number")
handleError(myCmd.MarkPersistentFlagRequired("bootloader-version"))
myCmd.PersistentFlags().Uint8VarP(&teeVersion, "tee-version", "t", invalidDefault, "TEE version number")
handleError(myCmd.MarkPersistentFlagRequired("tee-version"))
myCmd.PersistentFlags().Uint8VarP(&snpVersion, "snp-version", "s", invalidDefault, "SNP version number")
handleError(myCmd.MarkPersistentFlagRequired("snp-version"))
myCmd.PersistentFlags().Uint8VarP(&microcodeVersion, "microcode-version", "m", invalidDefault, "Microcode version number")
handleError(myCmd.MarkPersistentFlagRequired("microcode-version"))
myCmd.PersistentFlags().StringVar(&awsAccessKeyID, "key-id", "", "ID of the Access key to use for AWS tests. Required for AWS KMS and storage test.")
handleError(myCmd.MarkPersistentFlagRequired("key-id"))
myCmd.PersistentFlags().StringVar(&awsAccessKey, "key", "", "Access key to use for AWS tests. Required for AWS KMS and storage test.")
handleError(myCmd.MarkPersistentFlagRequired("key"))
handleError(myCmd.Execute())
os.Exit(0)
}

4
hack/go.mod
View File

@ -164,7 +164,7 @@ require (
github.com/google/gnostic v0.5.7-v3refs // indirect
github.com/google/go-attestation v0.4.4-0.20221011162210-17f9c05652a9 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/go-containerregistry v0.14.0 // indirect
github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419 // indirect
github.com/google/go-sev-guest v0.6.1 // indirect
github.com/google/go-tpm v0.3.3 // indirect
github.com/google/go-tpm-tools v0.3.12 // indirect
@ -219,7 +219,7 @@ require (
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/go-wordwrap v1.0.0 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/locker v1.0.1 // indirect

8
hack/go.sum
View File

@ -664,8 +664,8 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-containerregistry v0.14.0 h1:z58vMqHxuwvAsVwvKEkmVBz2TlgBgH5k6koEXBtlYkw=
github.com/google/go-containerregistry v0.14.0/go.mod h1:aiJ2fp/SXvkWgmYHioXnbMdlgB8eXiiYOY55gfN91Wk=
github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419 h1:gMlTWagRJgCJ3EnISyF5+p9phYpFyWEI70Z56T+o2MY=
github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419/go.mod h1:ETSJmRH9iO4Q0WQILIMkDUiKk+CaxItZW+gEDjyw8Ug=
github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM=
github.com/google/go-licenses v0.0.0-20210329231322-ce1d9163b77d/go.mod h1:+TYOmkVoJOpwnS0wfdsJCV9CoD5nJYsHoFk/0CrTK4M=
github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
@ -1019,8 +1019,8 @@ github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
github.com/mitchellh/go-wordwrap v1.0.0 h1:6GlHJ/LTGMrIJbwgdqdl2eEH8o+Exx/0m8ir9Gns0u4=
github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=

8
internal/api/configapi/BUILD.bazel
View File

@ -14,9 +14,10 @@ go_library(
deps = [
"//internal/constants",
"//internal/kms/storage",
"//internal/kms/storage/awss3",
"//internal/kms/uri",
"//internal/sigstore",
"//internal/staticupload",
"//internal/variant",
"@com_github_aws_aws_sdk_go_v2_service_s3//:s3",
],
)
@ -28,8 +29,7 @@ go_test(
],
embed = [":configapi"],
deps = [
"//internal/kms/uri",
"//internal/variant",
"//internal/staticupload",
"@com_github_stretchr_testify//require",
"@in_gopkg_yaml_v3//:yaml_v3",
],

72
internal/api/configapi/repo.go
View File

@ -6,54 +6,78 @@ SPDX-License-Identifier: AGPL-3.0-only
package configapi
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"io"
"path"
"sort"
"time"
"github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/edgelesssys/constellation/v2/internal/kms/storage"
"github.com/edgelesssys/constellation/v2/internal/kms/storage/awss3"
"github.com/edgelesssys/constellation/v2/internal/kms/uri"
"github.com/edgelesssys/constellation/v2/internal/sigstore"
"github.com/edgelesssys/constellation/v2/internal/staticupload"
"github.com/edgelesssys/constellation/v2/internal/variant"
)
// AttestationVersionRepo manages (modifies) the version information for the attestation variants.
type AttestationVersionRepo struct {
*awss3.Storage
*staticupload.Client
cosignPwd []byte // used to decrypt the cosign private key
privKey []byte // used to sign
}
// NewAttestationVersionRepo returns a new AttestationVersionRepo.
func NewAttestationVersionRepo(ctx context.Context, cfg uri.AWSS3Config) (*AttestationVersionRepo, error) {
s3, err := awss3.New(ctx, cfg)
func NewAttestationVersionRepo(ctx context.Context, cfg staticupload.Config, cosignPwd, privateKey []byte) (*AttestationVersionRepo, error) {
client, err := staticupload.New(ctx, cfg)
if err != nil {
return nil, fmt.Errorf("failed to create s3 storage: %w", err)
}
return &AttestationVersionRepo{s3}, nil
return &AttestationVersionRepo{client, cosignPwd, privateKey}, nil
}
// UploadAzureSEVSNP uploads the latest version numbers of the Azure SEVSNP.
func (a AttestationVersionRepo) UploadAzureSEVSNP(ctx context.Context, versions AzureSEVSNPVersion, date time.Time) error {
bt, err := json.Marshal(versions)
versionBytes, err := json.Marshal(versions)
if err != nil {
return err
}
variant := variant.AzureSEVSNP{}
fname := date.Format("2006-01-02-15-04") + ".json"
err = a.Put(ctx, fmt.Sprintf("%s/%s/%s", attestationURLPath, variant.String(), fname), bt)
filePath := fmt.Sprintf("%s/%s/%s", attestationURLPath, variant.String(), fname)
err = put(ctx, a.Client, filePath, versionBytes)
if err != nil {
return err
}
err = a.createAndUploadSignature(ctx, versionBytes, filePath)
if err != nil {
return err
}
return a.addVersionToList(ctx, variant, fname)
}
// createAndUploadSignature signs the given content and uploads the signature to the given filePath with the .sig suffix.
func (a AttestationVersionRepo) createAndUploadSignature(ctx context.Context, content []byte, filePath string) error {
signature, err := sigstore.SignContent(a.cosignPwd, a.privKey, content)
if err != nil {
return fmt.Errorf("sign version file: %w", err)
}
err = put(ctx, a.Client, filePath+".sig", signature)
if err != nil {
return fmt.Errorf("upload signature: %w", err)
}
return nil
}
// List returns the list of versions for the given attestation type.
func (a AttestationVersionRepo) List(ctx context.Context, attestation variant.Variant) ([]string, error) {
key := path.Join(attestationURLPath, attestation.String(), "list")
bt, err := a.Get(ctx, key)
bt, err := get(ctx, a.Client, key)
if err != nil {
return nil, err
}
@ -71,13 +95,13 @@ func (a AttestationVersionRepo) DeleteList(ctx context.Context, attestation vari
if err != nil {
return err
}
return a.Put(ctx, path.Join(attestationURLPath, attestation.String(), "list"), bt)
return put(ctx, a.Client, path.Join(attestationURLPath, attestation.String(), "list"), bt)
}
func (a AttestationVersionRepo) addVersionToList(ctx context.Context, attestation variant.Variant, fname string) error {
versions := []string{}
key := path.Join(attestationURLPath, attestation.String(), "list")
bt, err := a.Get(ctx, key)
bt, err := get(ctx, a.Client, key)
if err == nil {
if err := json.Unmarshal(bt, &versions); err != nil {
return err
@ -92,5 +116,29 @@ func (a AttestationVersionRepo) addVersionToList(ctx context.Context, attestatio
if err != nil {
return err
}
return a.Put(ctx, key, json)
return put(ctx, a.Client, key, json)
}
// get is a convenience method.
func get(ctx context.Context, client *staticupload.Client, path string) ([]byte, error) {
getObjectInput := &s3.GetObjectInput{
Bucket: &client.BucketID,
Key: &path,
}
output, err := client.GetObject(ctx, getObjectInput)
if err != nil {
return nil, fmt.Errorf("getting object: %w", err)
}
return io.ReadAll(output.Body)
}
// put is a convenience method.
func put(ctx context.Context, client *staticupload.Client, path string, data []byte) error {
putObjectInput := &s3.PutObjectInput{
Bucket: &client.BucketID,
Key: &path,
Body: bytes.NewReader(data),
}
_, err := client.Upload(ctx, putObjectInput)
return err
}

77
internal/api/configapi/repo_test.go
View File

@ -11,40 +11,59 @@ import (
"context"
"flag"
"fmt"
"io"
"os"
"testing"
"time"
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
"github.com/edgelesssys/constellation/v2/internal/kms/uri"
"github.com/edgelesssys/constellation/v2/internal/variant"
"github.com/edgelesssys/constellation/v2/internal/staticupload"
"github.com/stretchr/testify/require"
)
const (
awsBucket = "cdn-constellation-backend"
awsRegion = "eu-central-1"
envAwsKeyID = "AWS_ACCESS_KEY_ID"
envAwsKey = "AWS_ACCESS_KEY"
)
var cfg staticupload.Config
var (
awsRegion = flag.String("aws-region", "us-east-1", "Region to use for AWS tests. Required for AWS KMS test.")
awsAccessKeyID = flag.String("aws-access-key-id", "", "ID of the Access key to use for AWS tests. Required for AWS KMS and storage test.")
awsAccessKey = flag.String("aws-access-key", "", "Access key to use for AWS tests. Required for AWS KMS and storage test.")
awsBucket = flag.String("aws-bucket", "", "Name of the S3 bucket to use for AWS storage test. Required for AWS storage test.")
cosignPwd = flag.String("cosign-pwd", "", "Password to decrypt the cosign private key. Required for signing.")
privateKeyPath = flag.String("private-key", "", "Path to the private key used for signing. Required for signing.")
privateKey []byte
)
func TestMain(m *testing.M) {
flag.Parse()
if *awsAccessKey == "" || *awsAccessKeyID == "" || *awsBucket == "" || *awsRegion == "" {
if *cosignPwd == "" || *privateKeyPath == "" {
flag.Usage()
fmt.Println("Required flags not set: --aws-access-key, --aws-access-key-id, --aws-bucket, --aws-region. Skipping tests.")
os.Exit(0)
fmt.Println("Required flags not set: --cosign-pwd, --private-key. Skipping tests.")
os.Exit(1)
}
if _, present := os.LookupEnv(envAwsKey); !present {
fmt.Printf("%s not set. Skipping tests.\n", envAwsKey)
os.Exit(1)
}
if _, present := os.LookupEnv(envAwsKeyID); !present {
fmt.Printf("%s not set. Skipping tests.\n", envAwsKeyID)
os.Exit(1)
}
cfg = staticupload.Config{
Bucket: awsBucket,
Region: awsRegion,
}
file, _ := os.Open(*privateKeyPath)
var err error
privateKey, err = io.ReadAll(file)
if err != nil {
panic(err)
}
os.Exit(m.Run())
}
var cfg = uri.AWSS3Config{
Bucket: *awsBucket,
AccessKeyID: *awsAccessKeyID,
AccessKey: *awsAccessKey,
Region: *awsRegion,
}
var versionValues = configapi.AzureSEVSNPVersion{
Bootloader: 2,
TEE: 0,
@ -54,32 +73,8 @@ var versionValues = configapi.AzureSEVSNPVersion{
func TestUploadAzureSEVSNPVersions(t *testing.T) {
ctx := context.Background()
sut, err := configapi.NewAttestationVersionRepo(ctx, cfg)
sut, err := configapi.NewAttestationVersionRepo(ctx, cfg, []byte(*cosignPwd), privateKey)
require.NoError(t, err)
d := time.Date(2021, 1, 1, 1, 1, 1, 1, time.UTC)
require.NoError(t, sut.UploadAzureSEVSNP(ctx, versionValues, d))
}
func TestListVersions(t *testing.T) {
ctx := context.Background()
sut, err := configapi.NewAttestationVersionRepo(ctx, cfg)
require.NoError(t, err)
err = sut.DeleteList(ctx, variant.AzureSEVSNP{})
require.NoError(t, err)
res, err := sut.List(ctx, variant.AzureSEVSNP{})
require.NoError(t, err)
require.Equal(t, []string{}, res)
d := time.Date(2021, 1, 1, 1, 1, 1, 1, time.UTC)
err = sut.UploadAzureSEVSNP(ctx, versionValues, d)
require.NoError(t, err)
res, err = sut.List(ctx, variant.AzureSEVSNP{})
require.NoError(t, err)
require.Equal(t, []string{"2021-01-01-01-01.json"}, res)
err = sut.DeleteList(ctx, variant.AzureSEVSNP{})
require.NoError(t, err)
}

1
internal/api/fetcher/BUILD.bazel
View File

@ -13,6 +13,7 @@ go_library(
deps = [
"//internal/api/configapi",
"//internal/api/versionsapi",
"//internal/sigstore",
],
)

68
internal/api/fetcher/configapi.go
View File

@ -8,48 +8,94 @@ package fetcher
import (
"context"
"encoding/json"
"fmt"
"net/url"
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
"github.com/edgelesssys/constellation/v2/internal/sigstore"
)
// ConfigAPIFetcher fetches config API resources without authentication.
type ConfigAPIFetcher struct {
type ConfigAPIFetcher interface {
FetchAzureSEVSNPVersionList(ctx context.Context, attestation configapi.AzureSEVSNPVersionList) (configapi.AzureSEVSNPVersionList, error)
FetchAzureSEVSNPVersion(ctx context.Context, azureVersion configapi.AzureSEVSNPVersionGet, version versionsapi.Version) (configapi.AzureSEVSNPVersionGet, error)
FetchLatestAzureSEVSNPVersion(ctx context.Context, version versionsapi.Version) (configapi.AzureSEVSNPVersion, error)
}
// configAPIFetcher fetches config API resources without authentication.
type configAPIFetcher struct {
*fetcher
}
// NewConfigAPIFetcher returns a new Fetcher.
func NewConfigAPIFetcher() *ConfigAPIFetcher {
return &ConfigAPIFetcher{newFetcher()}
func NewConfigAPIFetcher() ConfigAPIFetcher {
return NewConfigAPIFetcherWithClient(NewHTTPClient())
}
// NewConfigAPIFetcherWithClient returns a new Fetcher with custom http client.
func NewConfigAPIFetcherWithClient(client HTTPClient) *ConfigAPIFetcher {
return &ConfigAPIFetcher{newFetcherWith(client)}
func NewConfigAPIFetcherWithClient(client HTTPClient) ConfigAPIFetcher {
return &configAPIFetcher{
fetcher: newFetcherWith(client),
}
}
// FetchAzureSEVSNPVersionList fetches the version list information from the config API.
func (f *ConfigAPIFetcher) FetchAzureSEVSNPVersionList(ctx context.Context, attestation configapi.AzureSEVSNPVersionList) (configapi.AzureSEVSNPVersionList, error) {
func (f *configAPIFetcher) FetchAzureSEVSNPVersionList(ctx context.Context, attestation configapi.AzureSEVSNPVersionList) (configapi.AzureSEVSNPVersionList, error) {
return fetch(ctx, f.httpc, attestation)
}
// FetchAzureSEVSNPVersion fetches the version information from the config API.
func (f *ConfigAPIFetcher) FetchAzureSEVSNPVersion(ctx context.Context, attestation configapi.AzureSEVSNPVersionGet) (configapi.AzureSEVSNPVersionGet, error) {
// TODO(elchead): follow-up PR for AB#3045 to check signature (sigstore.VerifySignature)
return fetch(ctx, f.httpc, attestation)
func (f *configAPIFetcher) FetchAzureSEVSNPVersion(ctx context.Context, azureVersion configapi.AzureSEVSNPVersionGet, version versionsapi.Version) (configapi.AzureSEVSNPVersionGet, error) {
cosignPublicKey, err := sigstore.CosignPublicKeyForVersion(version)
if err != nil {
return azureVersion, fmt.Errorf("get public key for config: %w", err)
}
urlString, err := azureVersion.URL()
if err != nil {
return azureVersion, err
}
fetchedVersion, err := fetch(ctx, f.httpc, azureVersion)
if err != nil {
return fetchedVersion, fmt.Errorf("fetch version %s: %w", fetchedVersion.Version, err)
}
versionBytes, err := json.Marshal(fetchedVersion)
if err != nil {
return fetchedVersion, fmt.Errorf("marshal version for verify %s: %w", fetchedVersion.Version, err)
}
signature, err := fetchBytesFromRawURL(ctx, fmt.Sprintf("%s.sig", urlString), f.httpc)
if err != nil {
return fetchedVersion, fmt.Errorf("fetch version %s signature: %w", fetchedVersion.Version, err)
}
err = sigstore.CosignVerifier{}.VerifySignature(versionBytes, signature, cosignPublicKey)
if err != nil {
return fetchedVersion, fmt.Errorf("verify version %s signature: %w", fetchedVersion.Version, err)
}
return fetchedVersion, nil
}
// FetchLatestAzureSEVSNPVersion returns the latest versions of the given type.
func (f *ConfigAPIFetcher) FetchLatestAzureSEVSNPVersion(ctx context.Context) (res configapi.AzureSEVSNPVersion, err error) {
func (f *configAPIFetcher) FetchLatestAzureSEVSNPVersion(ctx context.Context, version versionsapi.Version) (res configapi.AzureSEVSNPVersion, err error) {
var versions configapi.AzureSEVSNPVersionList
versions, err = f.FetchAzureSEVSNPVersionList(ctx, versions)
if err != nil {
return res, fmt.Errorf("fetching versions list: %w", err)
}
get := configapi.AzureSEVSNPVersionGet{Version: versions[0]} // get latest version (as sorted reversely alphanumerically)
get, err = f.FetchAzureSEVSNPVersion(ctx, get)
get, err = f.FetchAzureSEVSNPVersion(ctx, get, version)
if err != nil {
return res, fmt.Errorf("failed fetching version: %w", err)
}
return get.AzureSEVSNPVersion, nil
}
func fetchBytesFromRawURL(ctx context.Context, urlString string, client HTTPClient) ([]byte, error) {
url, err := url.Parse(urlString)
if err != nil {
return nil, fmt.Errorf("parse version url %s: %w", urlString, err)
}
return getFromURL(ctx, client, url)
}

72
internal/api/fetcher/configapi_test.go
View File

@ -15,27 +15,66 @@ import (
"testing"
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestGetVersion(t *testing.T) {
client := &http.Client{
Transport: &fakeConfigAPIHandler{},
}
fetcher := NewConfigAPIFetcherWithClient(client)
res, err := fetcher.FetchLatestAzureSEVSNPVersion(context.Background())
require.NoError(t, err)
assert.Equal(t, uint8(2), res.Bootloader)
var testCfg = configapi.AzureSEVSNPVersion{
Microcode: 93,
TEE: 0,
SNP: 6,
Bootloader: 2,
}
type fakeConfigAPIHandler struct{}
func TestFetchLatestAzureSEVSNPVersion(t *testing.T) {
testcases := map[string]struct {
signature []byte
wantErr bool
want configapi.AzureSEVSNPVersion
}{
"get version with valid signature": {
signature: []byte("MEUCIQDNn6wiSh9Nz9mtU9RvxvfkH3fNDFGeqopjTIRoBNkyrAIgSsKgdYNQXvPevaLWmmpnj/9WcgrltAQ+KfI+bQfklAo="),
want: testCfg,
},
"fail with invalid signature": {
signature: []byte("invalid"),
wantErr: true,
},
}
for name, tc := range testcases {
t.Run(name, func(t *testing.T) {
client := &http.Client{
Transport: &fakeConfigAPIHandler{
signature: tc.signature,
},
}
require := require.New(t)
version, err := versionsapi.NewVersionFromShortPath("stream/debug/v9.9.9", versionsapi.VersionKindImage)
require.NoError(err)
fetcher := NewConfigAPIFetcherWithClient(client)
assert := assert.New(t)
res, err := fetcher.FetchLatestAzureSEVSNPVersion(context.Background(), version)
if tc.wantErr {
assert.Error(err)
} else {
assert.NoError(err)
assert.Equal(testCfg, res)
}
})
}
}
type fakeConfigAPIHandler struct {
signature []byte
}
// RoundTrip resolves the request and returns a dummy response.
func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, error) {
if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/list" {
res := &http.Response{}
data := []string{"2021-01-01-01-01.json"}
data := []string{"2021-01-01-01-01.json", "2019-01-01-01-02.json"} // return multiple versions to check that latest version is correctly selected
bt, err := json.Marshal(data)
if err != nil {
return nil, err
@ -47,12 +86,7 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
return res, nil
} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json" {
res := &http.Response{}
bt, err := json.Marshal(configapi.AzureSEVSNPVersion{
Microcode: 93,
TEE: 0,
SNP: 6,
Bootloader: 2,
})
bt, err := json.Marshal(testCfg)
if err != nil {
return nil, err
}
@ -60,6 +94,12 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
res.StatusCode = http.StatusOK
return res, nil
} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json.sig" {
res := &http.Response{}
res.Body = io.NopCloser(bytes.NewReader(f.signature))
res.StatusCode = http.StatusOK
return res, nil
}
return nil, errors.New("no endpoint found")
}

20
internal/api/fetcher/fetcher.go
View File

@ -17,7 +17,9 @@ import (
"context"
"encoding/json"
"fmt"
"io"
"net/http"
"net/url"
)
// fetcher fetches versions API resources without authentication.
@ -46,6 +48,24 @@ type apiObject interface {
URL() (string, error)
}
// getFromURL fetches the content from the given URL and returns the content as a byte slice.
func getFromURL(ctx context.Context, client HTTPClient, sourceURL *url.URL) ([]byte, error) {
req, err := http.NewRequestWithContext(ctx, http.MethodGet, sourceURL.String(), http.NoBody)
if err != nil {
return nil, err
}
resp, err := client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("http status code: %d", resp.StatusCode)
}
return io.ReadAll(resp.Body)
}
func fetch[T apiObject](ctx context.Context, c HTTPClient, obj T) (T, error) {
if err := obj.ValidateRequest(); err != nil {
return *new(T), fmt.Errorf("validating request for %T: %w", obj, err)

1
internal/api/versionsapi/cli/BUILD.bazel
View File

@ -14,6 +14,7 @@ go_library(
deps = [
"//internal/api/versionsapi",
"//internal/api/versionsapi/client",
"//internal/constants",
"//internal/logger",
"@com_github_aws_aws_sdk_go_v2_config//:config",
"@com_github_aws_aws_sdk_go_v2_service_ec2//:ec2",

3
internal/api/versionsapi/cli/main.go
View File

@ -23,6 +23,7 @@ import (
"os"
"os/signal"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/spf13/cobra"
)
@ -52,7 +53,7 @@ func newRootCmd() *cobra.Command {
rootCmd.PersistentFlags().Bool("verbose", false, "Enable verbose output")
rootCmd.PersistentFlags().String("region", "eu-central-1", "AWS region of the API S3 bucket")
rootCmd.PersistentFlags().String("bucket", "cdn-constellation-backend", "S3 bucket name of the API")
rootCmd.PersistentFlags().String("distribution-id", "E1H77EZTHC3NE4", "CloudFront distribution ID of the API")
rootCmd.PersistentFlags().String("distribution-id", constants.CDNDefaultDistributionID, "CloudFront distribution ID of the API")
rootCmd.AddCommand(newAddCmd())
rootCmd.AddCommand(newLatestCmd())

39
internal/attestation/measurements/measurements.go
View File

@ -487,27 +487,6 @@ func DefaultsFor(provider cloudprovider.Provider, attestationVariant variant.Var
}
}
func getFromURL(ctx context.Context, client *http.Client, sourceURL *url.URL) ([]byte, error) {
req, err := http.NewRequestWithContext(ctx, http.MethodGet, sourceURL.String(), http.NoBody)
if err != nil {
return []byte{}, err
}
resp, err := client.Do(req)
if err != nil {
return []byte{}, err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return []byte{}, fmt.Errorf("http status code: %d", resp.StatusCode)
}
content, err := io.ReadAll(resp.Body)
if err != nil {
return []byte{}, err
}
return content, nil
}
func checkLength(m map[uint32]Measurement) error {
var length int
for idx, measurement := range m {
@ -552,6 +531,24 @@ func (c mYamlContent) Swap(i, j int) {
c[2*i+1], c[2*j+1] = c[2*j+1], c[2*i+1]
}
// getFromURL fetches the content from the given URL and returns the content as a byte slice.
func getFromURL(ctx context.Context, client *http.Client, sourceURL *url.URL) ([]byte, error) {
req, err := http.NewRequestWithContext(ctx, http.MethodGet, sourceURL.String(), http.NoBody)
if err != nil {
return nil, err
}
resp, err := client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("http status code: %d", resp.StatusCode)
}
return io.ReadAll(resp.Body)
}
type cosignVerifier interface {
VerifySignature(content, signature, publicKey []byte) error
}

1
internal/config/BUILD.bazel
View File

@ -51,6 +51,7 @@ go_test(
embed = [":config"],
deps = [
"//internal/api/configapi",
"//internal/api/versionsapi",
"//internal/attestation/measurements",
"//internal/cloud/cloudprovider",
"//internal/config/instancetypes",

6
internal/config/azure.go
View File

@ -13,6 +13,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
@ -96,9 +97,8 @@ func (c AzureSEVSNP) EqualTo(old AttestationCfg) (bool, error) {
}
// FetchAndSetLatestVersionNumbers fetches the latest version numbers from the configapi and sets them.
func (c *AzureSEVSNP) FetchAndSetLatestVersionNumbers(client fetcher.HTTPClient) error {
fetcher := fetcher.NewConfigAPIFetcherWithClient(client)
versions, err := fetcher.FetchLatestAzureSEVSNPVersion(context.Background())
func (c *AzureSEVSNP) FetchAndSetLatestVersionNumbers(fetcher fetcher.ConfigAPIFetcher, version versionsapi.Version) error {
versions, err := fetcher.FetchLatestAzureSEVSNPVersion(context.Background(), version)
if err != nil {
return err
}

15
internal/config/config.go
View File

@ -32,6 +32,7 @@ import (
en_translations "github.com/go-playground/validator/v10/translations/en"
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
@ -384,19 +385,19 @@ func fromFile(fileHandler file.Handler, name string) (*Config, error) {
// 2. For "latest" version values of the attestation variants fetch the version numbers.
// 3. Read secrets from environment variables.
// 4. Validate config. If `--force` is set the version validation will be disabled and any version combination is allowed.
func New(fileHandler file.Handler, name string, force bool) (*Config, error) {
return NewWithClient(fileHandler, name, fetcher.NewHTTPClient(), force)
}
// NewWithClient is New with a custom HTTP client.
func NewWithClient(fileHandler file.Handler, name string, client fetcher.HTTPClient, force bool) (*Config, error) {
func New(fileHandler file.Handler, name string, fetcher fetcher.ConfigAPIFetcher, force bool) (*Config, error) {
// Read config file
c, err := fromFile(fileHandler, name)
if err != nil {
return nil, err
}
if azure := c.Attestation.AzureSEVSNP; azure != nil {
if err := azure.FetchAndSetLatestVersionNumbers(client); err != nil {
version, err := versionsapi.NewVersionFromShortPath(c.Image, versionsapi.VersionKindImage)
if err != nil {
return nil, err
}
if err := azure.FetchAndSetLatestVersionNumbers(fetcher, version); err != nil {
return c, err
}
}

66
internal/config/config_test.go
View File

@ -7,11 +7,8 @@ SPDX-License-Identifier: AGPL-3.0-only
package config
import (
"bytes"
"encoding/json"
"context"
"errors"
"io"
"net/http"
"reflect"
"testing"
@ -25,6 +22,7 @@ import (
"gopkg.in/yaml.v3"
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/config/instancetypes"
@ -245,7 +243,6 @@ func TestNewWithDefaultOptions(t *testing.T) {
wantClientSecretValue: "some-secret",
},
}
client := newTestClient(&fakeConfigAPIHandler{})
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
@ -260,7 +257,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
}
// Test
c, err := NewWithClient(fileHandler, constants.ConfigFilename, client, false)
c, err := New(fileHandler, constants.ConfigFilename, fakeConfigFetcher{}, false)
if tc.wantErr {
assert.Error(err)
return
@ -881,44 +878,27 @@ func getConfigAsMap(conf *Config, t *testing.T) (res configMap) {
return
}
type fakeConfigAPIHandler struct{}
type fakeConfigFetcher struct{}
// RoundTrip resolves the request and returns a dummy response.
func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, error) {
if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/list" {
res := &http.Response{}
data := []string{"2021-01-01-01-01.json"}
bt, err := json.Marshal(data)
if err != nil {
return nil, err
}
res.Body = io.NopCloser(bytes.NewReader(bt))
res.Header = http.Header{}
res.Header.Set("Content-Type", "application/json")
res.StatusCode = http.StatusOK
return res, nil
} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json" {
res := &http.Response{}
bt, err := json.Marshal(configapi.AzureSEVSNPVersion{
Microcode: 93,
TEE: 0,
SNP: 6,
Bootloader: 2,
})
if err != nil {
return nil, err
}
res.Body = io.NopCloser(bytes.NewReader(bt))
res.StatusCode = http.StatusOK
return res, nil
}
return nil, errors.New("no endpoint found")
func (f fakeConfigFetcher) FetchAzureSEVSNPVersionList(_ context.Context, _ configapi.AzureSEVSNPVersionList) (configapi.AzureSEVSNPVersionList, error) {
return configapi.AzureSEVSNPVersionList(
[]string{},
), nil
}
// newTestClient returns *http.Client with Transport replaced to avoid making real calls.
func newTestClient(fn *fakeConfigAPIHandler) *http.Client {
return &http.Client{
Transport: fn,
}
func (f fakeConfigFetcher) FetchAzureSEVSNPVersion(_ context.Context, _ configapi.AzureSEVSNPVersionGet, _ versionsapi.Version) (configapi.AzureSEVSNPVersionGet, error) {
return configapi.AzureSEVSNPVersionGet{
AzureSEVSNPVersion: testCfg,
}, nil
}
func (f fakeConfigFetcher) FetchLatestAzureSEVSNPVersion(_ context.Context, _ versionsapi.Version) (configapi.AzureSEVSNPVersion, error) {
return testCfg, nil
}
var testCfg = configapi.AzureSEVSNPVersion{
Microcode: 93,
TEE: 0,
SNP: 6,
Bootloader: 2,
}

2
internal/constants/constants.go
View File

@ -197,6 +197,8 @@ const (
CDNMeasurementsFile = "measurements.json"
// CDNMeasurementsSignature is name of file containing signature for CDNMeasurementsFile.
CDNMeasurementsSignature = "measurements.json.sig"
// CDNDefaultDistributionID is the default CloudFront distribution ID to use.
CDNDefaultDistributionID = "E1H77EZTHC3NE4"
//
// PKI.

3
internal/sigstore/BUILD.bazel
View File

@ -5,6 +5,7 @@ go_library(
name = "sigstore",
srcs = [
"rekor.go",
"sign.go",
"sigstore.go",
"verify.go",
],
@ -22,6 +23,7 @@ go_library(
"@com_github_sigstore_rekor//pkg/verify",
"@com_github_sigstore_sigstore//pkg/cryptoutils",
"@com_github_sigstore_sigstore//pkg/signature",
"@com_github_theupdateframework_go_tuf//encrypted",
],
)
@ -29,6 +31,7 @@ go_test(
name = "sigstore_test",
srcs = [
"rekor_test.go",
"sign_test.go",
"verify_test.go",
],
embed = [":sigstore"],

71
internal/sigstore/sign.go Normal file
View File

@ -0,0 +1,71 @@
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package sigstore
import (
"bytes"
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/rsa"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"errors"
"fmt"
"github.com/sigstore/sigstore/pkg/signature"
"github.com/theupdateframework/go-tuf/encrypted"
)
const (
cosignPrivateKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY"
sigstorePrivateKeyPemType = "ENCRYPTED SIGSTORE PRIVATE KEY"
)
// SignContent signs the content with the cosign encrypted private key and corresponding cosign password.
func SignContent(password, encryptedPrivateKey, content []byte) ([]byte, error) {
sv, err := loadPrivateKey(encryptedPrivateKey, password)
if err != nil {
return nil, fmt.Errorf("loading private key: %w", err)
}
sig, err := sv.SignMessage(bytes.NewReader(content))
if err != nil {
return nil, fmt.Errorf("signing message: %w", err)
}
return []byte(base64.StdEncoding.EncodeToString(sig)), nil
}
func loadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error) {
// Decrypt first
p, _ := pem.Decode(key)
if p == nil {
return nil, errors.New("invalid pem block")
}
if p.Type != cosignPrivateKeyPemType && p.Type != sigstorePrivateKeyPemType {
return nil, fmt.Errorf("unsupported pem type: %s", p.Type)
}
x509Encoded, err := encrypted.Decrypt(p.Bytes, pass)
if err != nil {
return nil, fmt.Errorf("decrypt: %w", err)
}
pk, err := x509.ParsePKCS8PrivateKey(x509Encoded)
if err != nil {
return nil, fmt.Errorf("parsing private key: %w", err)
}
switch pk := pk.(type) {
case *rsa.PrivateKey:
return signature.LoadRSAPKCS1v15SignerVerifier(pk, crypto.SHA256)
case *ecdsa.PrivateKey:
return signature.LoadECDSASignerVerifier(pk, crypto.SHA256)
case ed25519.PrivateKey:
return signature.LoadED25519SignerVerifier(pk)
default:
return nil, errors.New("unsupported key type")
}
}

59
internal/sigstore/sign_test.go Normal file
View File

@ -0,0 +1,59 @@
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package sigstore
import (
"testing"
"github.com/stretchr/testify/assert"
)
func TestSignSignature(t *testing.T) {
assert := assert.New(t)
// Generated with: cosign generate-key-pair
privateKey := []byte("-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----\neyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6\nOCwicCI6MX0sInNhbHQiOiJlRHVYMWRQMGtIWVRnK0xkbjcxM0tjbFVJaU92eFVX\nVXgvNi9BbitFVk5BPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94\nIiwibm9uY2UiOiJwaWhLL2txNmFXa2hqSVVHR3RVUzhTVkdHTDNIWWp4TCJ9LCJj\naXBoZXJ0ZXh0Ijoidm81SHVWRVFWcUZ2WFlQTTVPaTVaWHM5a255bndZU2dvcyth\nVklIeHcrOGFPamNZNEtvVjVmL3lHRHR0K3BHV2toanJPR1FLOWdBbmtsazFpQ0c5\na2czUXpPQTZsU2JRaHgvZlowRVRZQ0hLeElncEdPRVRyTDlDenZDemhPZXVSOXJ6\nTDcvRjBBVy9vUDVqZXR3dmJMNmQxOEhjck9kWE8yVmYxY2w0YzNLZjVRcnFSZzlN\ndlRxQWFsNXJCNHNpY1JaMVhpUUJjb0YwNHc9PSJ9\n-----END ENCRYPTED COSIGN PRIVATE KEY-----")
password := []byte("")
content := []byte(`["2021-01-01-01-01.json"]\n`)
publicKey := []byte("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu78QgxOOcao6U91CSzEXxrKhvFTt\nJHNy+eX6EMePtDm8CnDF9HSwnTlD0itGJ/XHPQA5YX10fJAqI1y+ehlFMw==\n-----END PUBLIC KEY-----")
testCases := map[string]struct {
content []byte
password []byte
privateKey []byte
wantErr bool
}{
"sign content with matching password and private key": {
content: content,
password: password,
privateKey: privateKey,
},
"fail with wrong password": {
content: content,
password: []byte("wrong"),
privateKey: privateKey,
wantErr: true,
},
"fail with wrong private key": {
content: content,
password: password,
privateKey: []byte("wrong"),
wantErr: true,
},
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
signature, err := SignContent(tc.password, tc.privateKey, tc.content)
if tc.wantErr {
assert.Error(err)
} else {
assert.NoError(err)
verifier := CosignVerifier{}
assert.NoError(verifier.VerifySignature(tc.content, signature, publicKey))
}
})
}
}

3
internal/staticupload/BUILD.bazel
View File

@ -5,17 +5,20 @@ go_library(
name = "staticupload",
srcs = [
"delete.go",
"get.go",
"staticupload.go",
"upload.go",
],
importpath = "github.com/edgelesssys/constellation/v2/internal/staticupload",
visibility = ["//:__subpackages__"],
deps = [
"//internal/constants",
"@com_github_aws_aws_sdk_go_v2_config//:config",
"@com_github_aws_aws_sdk_go_v2_feature_s3_manager//:manager",
"@com_github_aws_aws_sdk_go_v2_service_cloudfront//:cloudfront",
"@com_github_aws_aws_sdk_go_v2_service_cloudfront//types",
"@com_github_aws_aws_sdk_go_v2_service_s3//:s3",
"@com_github_google_uuid//:uuid",
],
)

18
internal/staticupload/get.go Normal file
View File

@ -0,0 +1,18 @@
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package staticupload
import (
"context"
"github.com/aws/aws-sdk-go-v2/service/s3"
)
// GetObject returns an object from from AWS S3 Storage.
func (s *Client) GetObject(ctx context.Context, params *s3.GetObjectInput, optFns ...func(*s3.Options)) (*s3.GetObjectOutput, error) {
return s.s3Client.GetObject(ctx, params, optFns...)
}

24
internal/staticupload/staticupload.go
View File

@ -24,6 +24,8 @@ import (
"github.com/aws/aws-sdk-go-v2/service/cloudfront"
cftypes "github.com/aws/aws-sdk-go-v2/service/cloudfront/types"
"github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/google/uuid"
)
// Client is a static file uploader/updater/remover for the CDN / static API.
@ -34,6 +36,7 @@ type Client struct {
uploadClient uploadClient
s3Client objectStorageClient
distributionID string
BucketID string
cacheInvalidationStrategy CacheInvalidationStrategy
cacheInvalidationWaitTimeout time.Duration
@ -57,6 +60,13 @@ type Config struct {
CacheInvalidationWaitTimeout time.Duration
}
// SetsDefault checks if all necessary values are set and sets default values otherwise.
func (c *Config) SetsDefault() {
if c.DistributionID == "" {
c.DistributionID = constants.CDNDefaultDistributionID
}
}
// CacheInvalidationStrategy is the strategy to use for invalidating the CDN cache.
type CacheInvalidationStrategy int
@ -84,10 +94,8 @@ func (e InvalidationError) Unwrap() error {
}
// New creates a new Client.
func New(
ctx context.Context,
config Config,
) (*Client, error) {
func New(ctx context.Context, config Config) (*Client, error) {
config.SetsDefault()
cfg, err := awsconfig.LoadDefaultConfig(ctx, awsconfig.WithRegion(config.Region))
if err != nil {
return nil, err
@ -104,6 +112,7 @@ func New(
distributionID: config.DistributionID,
cacheInvalidationStrategy: config.CacheInvalidationStrategy,
cacheInvalidationWaitTimeout: config.CacheInvalidationWaitTimeout,
BucketID: config.Bucket,
}, nil
}
@ -165,7 +174,7 @@ func (c *Client) invalidateCacheForKeys(ctx context.Context, keys []string) (str
in := &cloudfront.CreateInvalidationInput{
DistributionId: &c.distributionID,
InvalidationBatch: &cftypes.InvalidationBatch{
CallerReference: ptr(fmt.Sprintf("%d", time.Now().Unix())),
CallerReference: ptr(uuid.New().String()),
Paths: &cftypes.Paths{
Items: keys,
Quantity: ptr(int32(len(keys))),
@ -208,6 +217,10 @@ type uploadClient interface {
) (*s3manager.UploadOutput, error)
}
type getClient interface {
GetObject(ctx context.Context, params *s3.GetObjectInput, optFns ...func(*s3.Options)) (*s3.GetObjectOutput, error)
}
type deleteClient interface {
DeleteObject(ctx context.Context, params *s3.DeleteObjectInput,
optFns ...func(*s3.Options),
@ -229,6 +242,7 @@ type cdnClient interface {
type objectStorageClient interface {
deleteClient
getClient
}
// statically assert that Client implements the uploadClient interface.

8
internal/staticupload/staticupload_test.go
View File

@ -551,3 +551,11 @@ func (s *stubObjectStorageClient) DeleteObjects(
) (*s3.DeleteObjectsOutput, error) {
return s.deleteObjectsOut, s.err
}
// currently not needed so no-Op.
func (s *stubObjectStorageClient) GetObject(
_ context.Context, _ *s3.GetObjectInput,
_ ...func(*s3.Options),
) (*s3.GetObjectOutput, error) {
return nil, nil
}