mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-25 07:29:38 -05:00
config: sign Azure versions on upload & verify on fetch (#1836)
* add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
This commit is contained in:
parent
e0285c122e
commit
b51cc52945
@ -754,8 +754,8 @@ def go_dependencies():
|
||||
build_file_generation = "on",
|
||||
build_file_proto_mode = "disable_global",
|
||||
importpath = "github.com/Azure/go-autorest/autorest/azure/auth",
|
||||
sum = "h1:P6bYXFoao05z5uhOQzbC3Qd8JqF3jUoocoTeIxkp2cA=",
|
||||
version = "v0.5.11",
|
||||
sum = "h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk=",
|
||||
version = "v0.5.12",
|
||||
)
|
||||
go_repository(
|
||||
name = "com_github_azure_go_autorest_autorest_azure_cli",
|
||||
@ -929,6 +929,7 @@ def go_dependencies():
|
||||
sum = "h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o=",
|
||||
version = "v0.0.0-20151223152923-e2c28503fcd0",
|
||||
)
|
||||
|
||||
go_repository(
|
||||
name = "com_github_burntsushi_toml",
|
||||
build_file_generation = "on",
|
||||
@ -1109,6 +1110,7 @@ def go_dependencies():
|
||||
sum = "h1:64sn2K3UKw8NbP/blsixRpF3nXuyhz/VjRlRzvlBRu4=",
|
||||
version = "v0.9.1",
|
||||
)
|
||||
|
||||
go_repository(
|
||||
name = "com_github_clbanning_x2j",
|
||||
build_file_generation = "on",
|
||||
@ -1575,6 +1577,7 @@ def go_dependencies():
|
||||
sum = "h1:RSohk2RsiZqLZ0zCjtfn3S4Gp4exhpBWHyQ7D0yGjAk=",
|
||||
version = "v0.9.0",
|
||||
)
|
||||
|
||||
go_repository(
|
||||
name = "com_github_devigned_tab",
|
||||
build_file_generation = "on",
|
||||
@ -1790,6 +1793,7 @@ def go_dependencies():
|
||||
sum = "h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ=",
|
||||
version = "v3.10.1",
|
||||
)
|
||||
|
||||
go_repository(
|
||||
name = "com_github_emirpasic_gods",
|
||||
build_file_generation = "on",
|
||||
@ -2692,8 +2696,8 @@ def go_dependencies():
|
||||
build_file_generation = "on",
|
||||
build_file_proto_mode = "disable_global",
|
||||
importpath = "github.com/google/go-containerregistry",
|
||||
sum = "h1:z58vMqHxuwvAsVwvKEkmVBz2TlgBgH5k6koEXBtlYkw=",
|
||||
version = "v0.14.0",
|
||||
sum = "h1:gMlTWagRJgCJ3EnISyF5+p9phYpFyWEI70Z56T+o2MY=",
|
||||
version = "v0.14.1-0.20230409045903-ed5c185df419",
|
||||
)
|
||||
go_repository(
|
||||
name = "com_github_google_go_github_v28",
|
||||
@ -2703,6 +2707,7 @@ def go_dependencies():
|
||||
sum = "h1:kORf5ekX5qwXO2mGzXXOjMe/g6ap8ahVe0sBEulhSxo=",
|
||||
version = "v28.1.1",
|
||||
)
|
||||
|
||||
go_repository(
|
||||
name = "com_github_google_go_licenses",
|
||||
build_file_generation = "on",
|
||||
@ -3583,6 +3588,7 @@ def go_dependencies():
|
||||
sum = "h1:UKkYhof1njT1/xq4SEg5z+VpTgjmNeHwPGRQl7takDI=",
|
||||
version = "v0.0.0-20161109143554-76bb4ee9f0ab",
|
||||
)
|
||||
|
||||
go_repository(
|
||||
name = "com_github_jellydator_ttlcache_v3",
|
||||
build_file_generation = "on",
|
||||
@ -4371,8 +4377,8 @@ def go_dependencies():
|
||||
build_file_generation = "on",
|
||||
build_file_proto_mode = "disable_global",
|
||||
importpath = "github.com/mitchellh/go-wordwrap",
|
||||
sum = "h1:6GlHJ/LTGMrIJbwgdqdl2eEH8o+Exx/0m8ir9Gns0u4=",
|
||||
version = "v1.0.0",
|
||||
sum = "h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=",
|
||||
version = "v1.0.1",
|
||||
)
|
||||
go_repository(
|
||||
name = "com_github_mitchellh_gox",
|
||||
@ -5083,6 +5089,7 @@ def go_dependencies():
|
||||
sum = "h1:YZcsG11NqnK4czYLrWd9mpEuAJIHVQLwdrleYfszMAA=",
|
||||
version = "v0.7.1",
|
||||
)
|
||||
|
||||
go_repository(
|
||||
name = "com_github_protonmail_go_crypto",
|
||||
build_file_generation = "on",
|
||||
@ -5248,6 +5255,7 @@ def go_dependencies():
|
||||
sum = "h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=",
|
||||
version = "v1.0.0",
|
||||
)
|
||||
|
||||
go_repository(
|
||||
name = "com_github_samuel_go_zookeeper",
|
||||
build_file_generation = "on",
|
||||
@ -5490,6 +5498,7 @@ def go_dependencies():
|
||||
sum = "h1:jH4AzR7qlEH/EWzm+opSpxCfuUcjHL+LJPuQE7h40WE=",
|
||||
version = "v1.6.4",
|
||||
)
|
||||
|
||||
go_repository(
|
||||
name = "com_github_sirupsen_logrus",
|
||||
build_file_generation = "on",
|
||||
@ -5619,6 +5628,7 @@ def go_dependencies():
|
||||
sum = "h1:js3yy885G8xwJa6iOISGFwd+qlUo5AvyXb7CiihdtiU=",
|
||||
version = "v1.15.0",
|
||||
)
|
||||
|
||||
go_repository(
|
||||
name = "com_github_src_d_gcfg",
|
||||
build_file_generation = "on",
|
||||
@ -5939,6 +5949,7 @@ def go_dependencies():
|
||||
sum = "h1:eR9jm8DVMdrDUuVji4eOxPK4r/dANDlDBdISSUUV96s=",
|
||||
version = "v0.20.1-0.20221031080346-e4081aa8a6de",
|
||||
)
|
||||
|
||||
go_repository(
|
||||
name = "com_github_x448_float16",
|
||||
build_file_generation = "on",
|
||||
@ -6152,6 +6163,7 @@ def go_dependencies():
|
||||
sum = "h1:FosyBZYxY34Wul7O/MSKey3txpPYyCqVO5ZyceuQJEI=",
|
||||
version = "v0.0.0-20191215020915-b22d67c1ba0b",
|
||||
)
|
||||
|
||||
go_repository(
|
||||
name = "com_github_zeebo_xxh3",
|
||||
build_file_generation = "on",
|
||||
@ -8141,6 +8153,7 @@ def go_dependencies():
|
||||
sum = "h1:5eeuG0BHx1+DHeT3AP+ISKZ2ht1UjGhm581ljqYpVeQ=",
|
||||
version = "v0.0.0-20180518195852-02e53af36e6c",
|
||||
)
|
||||
|
||||
go_repository(
|
||||
name = "org_golang_google_api",
|
||||
build_file_generation = "on",
|
||||
|
@ -135,6 +135,7 @@ go_test(
|
||||
"//cli/internal/terraform",
|
||||
"//cli/internal/upgrade",
|
||||
"//disk-mapper/recoverproto",
|
||||
"//internal/api/configapi",
|
||||
"//internal/api/versionsapi",
|
||||
"//internal/atls",
|
||||
"//internal/attestation/measurements",
|
||||
|
@ -15,6 +15,7 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/cli/internal/featureset"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
@ -64,12 +65,13 @@ func runConfigFetchMeasurements(cmd *cobra.Command, _ []string) error {
|
||||
}
|
||||
cfm := &configFetchMeasurementsCmd{log: log, canFetchMeasurements: featureset.CanFetchMeasurements}
|
||||
|
||||
return cfm.configFetchMeasurements(cmd, sigstore.CosignVerifier{}, rekor, fileHandler, http.DefaultClient)
|
||||
fetcher := fetcher.NewConfigAPIFetcherWithClient(http.DefaultClient)
|
||||
return cfm.configFetchMeasurements(cmd, sigstore.CosignVerifier{}, rekor, fileHandler, fetcher, http.DefaultClient)
|
||||
}
|
||||
|
||||
func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(
|
||||
cmd *cobra.Command, cosign cosignVerifier, rekor rekorVerifier,
|
||||
fileHandler file.Handler, client *http.Client,
|
||||
fileHandler file.Handler, fetcher fetcher.ConfigAPIFetcher, client *http.Client,
|
||||
) error {
|
||||
flags, err := cfm.parseFetchMeasurementsFlags(cmd)
|
||||
if err != nil {
|
||||
@ -83,7 +85,8 @@ func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(
|
||||
}
|
||||
|
||||
cfm.log.Debugf("Loading configuration file from %q", flags.configPath)
|
||||
conf, err := config.NewWithClient(fileHandler, flags.configPath, client, flags.force)
|
||||
|
||||
conf, err := config.New(fileHandler, flags.configPath, fetcher, flags.force)
|
||||
var configValidationErr *config.ValidationError
|
||||
if errors.As(err, &configValidationErr) {
|
||||
cmd.PrintErrln(configValidationErr.LongMessage())
|
||||
@ -110,6 +113,7 @@ func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var fetchedMeasurements measurements.M
|
||||
hash, err := fetchedMeasurements.FetchAndVerify(
|
||||
ctx, client, cosign,
|
||||
|
@ -8,6 +8,7 @@ package cmd
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
@ -15,6 +16,7 @@ import (
|
||||
"net/url"
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
@ -279,7 +281,7 @@ func TestConfigFetchMeasurements(t *testing.T) {
|
||||
require.NoError(err)
|
||||
cfm := &configFetchMeasurementsCmd{canFetchMeasurements: true, log: logger.NewTest(t)}
|
||||
|
||||
err = cfm.configFetchMeasurements(cmd, tc.cosign, tc.rekor, fileHandler, client)
|
||||
err = cfm.configFetchMeasurements(cmd, tc.cosign, tc.rekor, fileHandler, fakeConfigFetcher{}, client)
|
||||
if tc.wantErr {
|
||||
assert.Error(err)
|
||||
return
|
||||
@ -288,3 +290,28 @@ func TestConfigFetchMeasurements(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
type fakeConfigFetcher struct{}
|
||||
|
||||
func (f fakeConfigFetcher) FetchAzureSEVSNPVersionList(_ context.Context, _ configapi.AzureSEVSNPVersionList) (configapi.AzureSEVSNPVersionList, error) {
|
||||
return configapi.AzureSEVSNPVersionList(
|
||||
[]string{},
|
||||
), nil
|
||||
}
|
||||
|
||||
func (f fakeConfigFetcher) FetchAzureSEVSNPVersion(_ context.Context, _ configapi.AzureSEVSNPVersionGet, _ versionsapi.Version) (configapi.AzureSEVSNPVersionGet, error) {
|
||||
return configapi.AzureSEVSNPVersionGet{
|
||||
AzureSEVSNPVersion: testCfg,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (f fakeConfigFetcher) FetchLatestAzureSEVSNPVersion(_ context.Context, _ versionsapi.Version) (configapi.AzureSEVSNPVersion, error) {
|
||||
return testCfg, nil
|
||||
}
|
||||
|
||||
var testCfg = configapi.AzureSEVSNPVersion{
|
||||
Microcode: 93,
|
||||
TEE: 0,
|
||||
SNP: 6,
|
||||
Bootloader: 2,
|
||||
}
|
||||
|
@ -13,6 +13,7 @@ import (
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
|
||||
"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
@ -58,11 +59,11 @@ func runCreate(cmd *cobra.Command, _ []string) error {
|
||||
fileHandler := file.NewHandler(afero.NewOsFs())
|
||||
creator := cloudcmd.NewCreator(spinner)
|
||||
c := &createCmd{log: log}
|
||||
return c.create(cmd, creator, fileHandler, spinner)
|
||||
fetcher := fetcher.NewConfigAPIFetcher()
|
||||
return c.create(cmd, creator, fileHandler, spinner, fetcher)
|
||||
}
|
||||
|
||||
func (c *createCmd) create(cmd *cobra.Command, creator cloudCreator, fileHandler file.Handler, spinner spinnerInterf,
|
||||
) (retErr error) {
|
||||
func (c *createCmd) create(cmd *cobra.Command, creator cloudCreator, fileHandler file.Handler, spinner spinnerInterf, fetcher fetcher.ConfigAPIFetcher) (retErr error) {
|
||||
flags, err := c.parseCreateFlags(cmd)
|
||||
if err != nil {
|
||||
return err
|
||||
@ -73,7 +74,7 @@ func (c *createCmd) create(cmd *cobra.Command, creator cloudCreator, fileHandler
|
||||
}
|
||||
|
||||
c.log.Debugf("Loading configuration file from %q", flags.configPath)
|
||||
conf, err := config.New(fileHandler, flags.configPath, flags.force)
|
||||
conf, err := config.New(fileHandler, flags.configPath, fetcher, flags.force)
|
||||
c.log.Debugf("Configuration file loaded: %+v", conf)
|
||||
var configValidationErr *config.ValidationError
|
||||
if errors.As(err, &configValidationErr) {
|
||||
|
@ -202,7 +202,7 @@ func TestCreate(t *testing.T) {
|
||||
|
||||
fileHandler := file.NewHandler(tc.setupFs(require, tc.provider))
|
||||
c := &createCmd{log: logger.NewTest(t)}
|
||||
err := c.create(cmd, tc.creator, fileHandler, &nopSpinner{})
|
||||
err := c.create(cmd, tc.creator, fileHandler, &nopSpinner{}, fakeConfigFetcher{})
|
||||
|
||||
if tc.wantErr {
|
||||
assert.Error(err)
|
||||
|
@ -19,6 +19,7 @@ import (
|
||||
"text/tabwriter"
|
||||
"time"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
|
||||
"github.com/edgelesssys/constellation/v2/internal/atls"
|
||||
"github.com/edgelesssys/constellation/v2/internal/compatibility"
|
||||
|
||||
@ -97,12 +98,13 @@ func runInitialize(cmd *cobra.Command, _ []string) error {
|
||||
defer cancel()
|
||||
cmd.SetContext(ctx)
|
||||
i := &initCmd{log: log, spinner: spinner, merger: &kubeconfigMerger{log: log}, fh: &fileHandler}
|
||||
return i.initialize(cmd, newDialer, fileHandler, license.NewClient())
|
||||
fetcher := fetcher.NewConfigAPIFetcher()
|
||||
return i.initialize(cmd, newDialer, fileHandler, license.NewClient(), fetcher)
|
||||
}
|
||||
|
||||
// initialize initializes a Constellation.
|
||||
func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator atls.Validator) *dialer.Dialer,
|
||||
fileHandler file.Handler, quotaChecker license.QuotaChecker,
|
||||
fileHandler file.Handler, quotaChecker license.QuotaChecker, configFetcher fetcher.ConfigAPIFetcher,
|
||||
) error {
|
||||
flags, err := i.evalFlagArgs(cmd)
|
||||
if err != nil {
|
||||
@ -110,7 +112,7 @@ func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator atls.V
|
||||
}
|
||||
i.log.Debugf("Using flags: %+v", flags)
|
||||
i.log.Debugf("Loading configuration file from %q", flags.configPath)
|
||||
conf, err := config.New(fileHandler, flags.configPath, flags.force)
|
||||
conf, err := config.New(fileHandler, flags.configPath, configFetcher, flags.force)
|
||||
var configValidationErr *config.ValidationError
|
||||
if errors.As(err, &configValidationErr) {
|
||||
cmd.PrintErrln(configValidationErr.LongMessage())
|
||||
|
@ -175,7 +175,7 @@ func TestInitialize(t *testing.T) {
|
||||
defer cancel()
|
||||
cmd.SetContext(ctx)
|
||||
i := &initCmd{log: logger.NewTest(t), spinner: &nopSpinner{}}
|
||||
err := i.initialize(cmd, newDialer, fileHandler, &stubLicenseClient{})
|
||||
err := i.initialize(cmd, newDialer, fileHandler, &stubLicenseClient{}, fakeConfigFetcher{})
|
||||
|
||||
if tc.wantErr {
|
||||
assert.Error(err)
|
||||
@ -519,7 +519,7 @@ func TestAttestation(t *testing.T) {
|
||||
cmd.SetContext(ctx)
|
||||
|
||||
i := &initCmd{log: logger.NewTest(t), spinner: &nopSpinner{}}
|
||||
err := i.initialize(cmd, newDialer, fileHandler, &stubLicenseClient{})
|
||||
err := i.initialize(cmd, newDialer, fileHandler, &stubLicenseClient{}, fakeConfigFetcher{})
|
||||
assert.Error(err)
|
||||
// make sure the error is actually a TLS handshake error
|
||||
assert.Contains(err.Error(), "transport: authentication handshake failed")
|
||||
|
@ -15,6 +15,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
|
||||
"github.com/edgelesssys/constellation/v2/cli/internal/libvirt"
|
||||
"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
|
||||
"github.com/edgelesssys/constellation/v2/internal/atls"
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
@ -44,7 +45,8 @@ func newMiniUpCmd() *cobra.Command {
|
||||
}
|
||||
|
||||
type miniUpCmd struct {
|
||||
log debugLog
|
||||
log debugLog
|
||||
configFetcher fetcher.ConfigAPIFetcher
|
||||
}
|
||||
|
||||
func runUp(cmd *cobra.Command, _ []string) error {
|
||||
@ -60,7 +62,7 @@ func runUp(cmd *cobra.Command, _ []string) error {
|
||||
defer spinner.Stop()
|
||||
creator := cloudcmd.NewCreator(spinner)
|
||||
|
||||
m := &miniUpCmd{log: log}
|
||||
m := &miniUpCmd{log: log, configFetcher: fetcher.NewConfigAPIFetcher()}
|
||||
return m.up(cmd, creator, spinner)
|
||||
}
|
||||
|
||||
@ -110,7 +112,7 @@ func (m *miniUpCmd) up(cmd *cobra.Command, creator cloudCreator, spinner spinner
|
||||
func (m *miniUpCmd) prepareConfig(cmd *cobra.Command, fileHandler file.Handler, flags upFlags) (*config.Config, error) {
|
||||
// check for existing config
|
||||
if flags.configPath != "" {
|
||||
conf, err := config.New(fileHandler, flags.configPath, flags.force)
|
||||
conf, err := config.New(fileHandler, flags.configPath, m.configFetcher, flags.force)
|
||||
var configValidationErr *config.ValidationError
|
||||
if errors.As(err, &configValidationErr) {
|
||||
cmd.PrintErrln(configValidationErr.LongMessage())
|
||||
@ -203,7 +205,7 @@ func (m *miniUpCmd) initializeMiniCluster(cmd *cobra.Command, fileHandler file.H
|
||||
m.log.Debugf("Created new logger")
|
||||
defer log.Sync()
|
||||
i := &initCmd{log: log, merger: &kubeconfigMerger{log: log}, spinner: spinner}
|
||||
if err := i.initialize(cmd, newDialer, fileHandler, license.NewClient()); err != nil {
|
||||
if err := i.initialize(cmd, newDialer, fileHandler, license.NewClient(), m.configFetcher); err != nil {
|
||||
return err
|
||||
}
|
||||
m.log.Debugf("Initialized mini cluster")
|
||||
|
@ -18,6 +18,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
|
||||
"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
|
||||
"github.com/edgelesssys/constellation/v2/disk-mapper/recoverproto"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
|
||||
"github.com/edgelesssys/constellation/v2/internal/atls"
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
@ -48,7 +49,8 @@ func NewRecoverCmd() *cobra.Command {
|
||||
}
|
||||
|
||||
type recoverCmd struct {
|
||||
log debugLog
|
||||
log debugLog
|
||||
configFetcher fetcher.ConfigAPIFetcher
|
||||
}
|
||||
|
||||
func runRecover(cmd *cobra.Command, _ []string) error {
|
||||
@ -61,7 +63,7 @@ func runRecover(cmd *cobra.Command, _ []string) error {
|
||||
newDialer := func(validator atls.Validator) *dialer.Dialer {
|
||||
return dialer.New(nil, validator, &net.Dialer{})
|
||||
}
|
||||
r := &recoverCmd{log: log}
|
||||
r := &recoverCmd{log: log, configFetcher: fetcher.NewConfigAPIFetcher()}
|
||||
return r.recover(cmd, fileHandler, 5*time.Second, &recoverDoer{log: r.log}, newDialer)
|
||||
}
|
||||
|
||||
@ -82,7 +84,7 @@ func (r *recoverCmd) recover(
|
||||
}
|
||||
|
||||
r.log.Debugf("Loading configuration file from %q", flags.configPath)
|
||||
conf, err := config.New(fileHandler, flags.configPath, flags.force)
|
||||
conf, err := config.New(fileHandler, flags.configPath, r.configFetcher, flags.force)
|
||||
var configValidationErr *config.ValidationError
|
||||
if errors.As(err, &configValidationErr) {
|
||||
cmd.PrintErrln(configValidationErr.LongMessage())
|
||||
|
@ -163,7 +163,7 @@ func TestRecover(t *testing.T) {
|
||||
))
|
||||
|
||||
newDialer := func(atls.Validator) *dialer.Dialer { return nil }
|
||||
r := &recoverCmd{log: logger.NewTest(t)}
|
||||
r := &recoverCmd{log: logger.NewTest(t), configFetcher: fakeConfigFetcher{}}
|
||||
err := r.recover(cmd, fileHandler, time.Millisecond, tc.doer, newDialer)
|
||||
if tc.wantErr {
|
||||
assert.Error(err)
|
||||
|
@ -19,6 +19,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/cli/internal/kubernetes"
|
||||
"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
|
||||
"github.com/edgelesssys/constellation/v2/cli/internal/upgrade"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/v2/internal/compatibility"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
@ -65,16 +66,18 @@ func runUpgradeApply(cmd *cobra.Command, _ []string) error {
|
||||
return err
|
||||
}
|
||||
|
||||
fetcher := imagefetcher.New()
|
||||
imagefetcher := imagefetcher.New()
|
||||
configFetcher := fetcher.NewConfigAPIFetcher()
|
||||
|
||||
applyCmd := upgradeApplyCmd{upgrader: upgrader, log: log, fetcher: fetcher}
|
||||
applyCmd := upgradeApplyCmd{upgrader: upgrader, log: log, imageFetcher: imagefetcher, configFetcher: configFetcher}
|
||||
return applyCmd.upgradeApply(cmd, fileHandler)
|
||||
}
|
||||
|
||||
type upgradeApplyCmd struct {
|
||||
upgrader cloudUpgrader
|
||||
fetcher imageFetcher
|
||||
log debugLog
|
||||
upgrader cloudUpgrader
|
||||
imageFetcher imageFetcher
|
||||
configFetcher fetcher.ConfigAPIFetcher
|
||||
log debugLog
|
||||
}
|
||||
|
||||
func (u *upgradeApplyCmd) upgradeApply(cmd *cobra.Command, fileHandler file.Handler) error {
|
||||
@ -82,7 +85,7 @@ func (u *upgradeApplyCmd) upgradeApply(cmd *cobra.Command, fileHandler file.Hand
|
||||
if err != nil {
|
||||
return fmt.Errorf("parsing flags: %w", err)
|
||||
}
|
||||
conf, err := config.New(fileHandler, flags.configPath, flags.force)
|
||||
conf, err := config.New(fileHandler, flags.configPath, u.configFetcher, flags.force)
|
||||
var configValidationErr *config.ValidationError
|
||||
if errors.As(err, &configValidationErr) {
|
||||
cmd.PrintErrln(configValidationErr.LongMessage())
|
||||
@ -102,7 +105,7 @@ func (u *upgradeApplyCmd) upgradeApply(cmd *cobra.Command, fileHandler file.Hand
|
||||
return fmt.Errorf("upgrading measurements: %w", err)
|
||||
}
|
||||
|
||||
if err := u.migrateTerraform(cmd, fileHandler, u.fetcher, conf, flags); err != nil {
|
||||
if err := u.migrateTerraform(cmd, fileHandler, u.imageFetcher, conf, flags); err != nil {
|
||||
return fmt.Errorf("performing Terraform migrations: %w", err)
|
||||
}
|
||||
|
||||
|
@ -142,7 +142,7 @@ func TestUpgradeApply(t *testing.T) {
|
||||
require.NoError(handler.WriteYAML(constants.ConfigFilename, cfg))
|
||||
require.NoError(handler.WriteJSON(constants.ClusterIDsFileName, clusterid.File{}))
|
||||
|
||||
upgrader := upgradeApplyCmd{upgrader: tc.upgrader, log: logger.NewTest(t), fetcher: tc.fetcher}
|
||||
upgrader := upgradeApplyCmd{upgrader: tc.upgrader, log: logger.NewTest(t), imageFetcher: tc.fetcher, configFetcher: fakeConfigFetcher{}}
|
||||
err := upgrader.upgradeApply(cmd, handler)
|
||||
if tc.wantErr {
|
||||
assert.Error(err)
|
||||
|
@ -91,7 +91,7 @@ func runUpgradeCheck(cmd *cobra.Command, _ []string) error {
|
||||
log: log,
|
||||
}
|
||||
|
||||
return up.upgradeCheck(cmd, fileHandler, flags)
|
||||
return up.upgradeCheck(cmd, fileHandler, fetcher.NewConfigAPIFetcher(), flags)
|
||||
}
|
||||
|
||||
func parseUpgradeCheckFlags(cmd *cobra.Command) (upgradeCheckFlags, error) {
|
||||
@ -131,8 +131,8 @@ type upgradeCheckCmd struct {
|
||||
}
|
||||
|
||||
// upgradePlan plans an upgrade of a Constellation cluster.
|
||||
func (u *upgradeCheckCmd) upgradeCheck(cmd *cobra.Command, fileHandler file.Handler, flags upgradeCheckFlags) error {
|
||||
conf, err := config.New(fileHandler, flags.configPath, flags.force)
|
||||
func (u *upgradeCheckCmd) upgradeCheck(cmd *cobra.Command, fileHandler file.Handler, fetcher fetcher.ConfigAPIFetcher, flags upgradeCheckFlags) error {
|
||||
conf, err := config.New(fileHandler, flags.configPath, fetcher, flags.force)
|
||||
var configValidationErr *config.ValidationError
|
||||
if errors.As(err, &configValidationErr) {
|
||||
cmd.PrintErrln(configValidationErr.LongMessage())
|
||||
|
@ -271,7 +271,7 @@ func TestUpgradeCheck(t *testing.T) {
|
||||
|
||||
cmd := newUpgradeCheckCmd()
|
||||
|
||||
err := checkCmd.upgradeCheck(cmd, fileHandler, tc.flags)
|
||||
err := checkCmd.upgradeCheck(cmd, fileHandler, fakeConfigFetcher{}, tc.flags)
|
||||
if tc.wantError {
|
||||
assert.Error(err)
|
||||
return
|
||||
|
@ -21,6 +21,7 @@ import (
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
|
||||
"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
|
||||
"github.com/edgelesssys/constellation/v2/internal/atls"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
@ -71,10 +72,11 @@ func runVerify(cmd *cobra.Command, _ []string) error {
|
||||
}
|
||||
|
||||
v := &verifyCmd{log: log}
|
||||
return v.verify(cmd, fileHandler, verifyClient, formatter)
|
||||
fetcher := fetcher.NewConfigAPIFetcher()
|
||||
return v.verify(cmd, fileHandler, verifyClient, formatter, fetcher)
|
||||
}
|
||||
|
||||
func (c *verifyCmd) verify(cmd *cobra.Command, fileHandler file.Handler, verifyClient verifyClient, formatter attestationDocFormatter) error {
|
||||
func (c *verifyCmd) verify(cmd *cobra.Command, fileHandler file.Handler, verifyClient verifyClient, formatter attestationDocFormatter, configFetcher fetcher.ConfigAPIFetcher) error {
|
||||
flags, err := c.parseVerifyFlags(cmd, fileHandler)
|
||||
if err != nil {
|
||||
return fmt.Errorf("parsing flags: %w", err)
|
||||
@ -82,7 +84,7 @@ func (c *verifyCmd) verify(cmd *cobra.Command, fileHandler file.Handler, verifyC
|
||||
c.log.Debugf("Using flags: %+v", flags)
|
||||
|
||||
c.log.Debugf("Loading configuration file from %q", flags.configPath)
|
||||
conf, err := config.New(fileHandler, flags.configPath, flags.force)
|
||||
conf, err := config.New(fileHandler, flags.configPath, configFetcher, flags.force)
|
||||
var configValidationErr *config.ValidationError
|
||||
if errors.As(err, &configValidationErr) {
|
||||
cmd.PrintErrln(configValidationErr.LongMessage())
|
||||
|
@ -190,7 +190,7 @@ func TestVerify(t *testing.T) {
|
||||
}
|
||||
|
||||
v := &verifyCmd{log: logger.NewTest(t)}
|
||||
err := v.verify(cmd, fileHandler, tc.protoClient, tc.formatter)
|
||||
err := v.verify(cmd, fileHandler, tc.protoClient, tc.formatter, fakeConfigFetcher{})
|
||||
|
||||
if tc.wantErr {
|
||||
assert.Error(err)
|
||||
|
@ -13,6 +13,7 @@ provider "registry.terraform.io/hashicorp/aws" {
|
||||
"h1:Ohs//YZd3vzB0upovYRptLX5mTFKeyxFbeHgGajGj/A=",
|
||||
"h1:P43vwcDPG99x5WBbmqwUPgfJrfXf6/ucAIbGlRb7k1w=",
|
||||
"h1:QckVBFBnlQW8R0QvVqyad/9XNKsSistTpWhnoyeofcU=",
|
||||
"h1:Qkd8amST1EcMx+aLmCnBvPXdANL5nIx9rqUFRElvz0U=",
|
||||
"h1:X3t1gUv5lJkCyzE/q/LbZzhNd55SD8M0liZfI3D76b0=",
|
||||
"h1:dCRc4GqsyfqHEMjgtlM1EympBcgTmcTkWaJmtd91+KA=",
|
||||
"h1:kxoaBW0OshdCEVEBM7d3eUGoiT8Lqmray9WkRYiQ28U=",
|
||||
|
@ -12,6 +12,7 @@ provider "registry.terraform.io/hashicorp/azurerm" {
|
||||
"h1:LEcmSqmNoexpH6NuglCS8dwLyZctQ6YAee2B9FL/9Cc=",
|
||||
"h1:X4oTXB0Nv+FZ61FMKSObEwi+OSVyKYT+gNLTQilwq3g=",
|
||||
"h1:j262GXstvnzNNRgVQ5ednS700xOjcMaUIvvUaMVD4Qk=",
|
||||
"h1:narFXZvEqzmNRVaeU7l35V1DGlyvxtOw7gCzvAAWRGA=",
|
||||
"h1:opIai9BbFwYAGmGhpMqvOKrqRLWscuIM3YI8Gt4ZPMw=",
|
||||
"h1:qoV9BwWKSQ2znS9w9o8XTfUKSawX3tZlKRy36AkyNwg=",
|
||||
"h1:yqO/Wvcqzt1bkeDE7ShsUBYPOllBDrOSmS9YFFiKAxc=",
|
||||
|
@ -14,6 +14,7 @@ go_library(
|
||||
"//debugd/internal/filetransfer",
|
||||
"//debugd/internal/filetransfer/streamer",
|
||||
"//debugd/service",
|
||||
"//internal/api/fetcher",
|
||||
"//internal/config",
|
||||
"//internal/constants",
|
||||
"//internal/file",
|
||||
|
@ -20,6 +20,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/debugd/internal/filetransfer"
|
||||
"github.com/edgelesssys/constellation/v2/debugd/internal/filetransfer/streamer"
|
||||
pb "github.com/edgelesssys/constellation/v2/debugd/service"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||
@ -68,7 +69,7 @@ func runDeploy(cmd *cobra.Command, _ []string) error {
|
||||
fileHandler := file.NewHandler(fs)
|
||||
streamer := streamer.New(fs)
|
||||
transfer := filetransfer.New(log, streamer, filetransfer.ShowProgress)
|
||||
constellationConfig, err := config.New(fileHandler, configName, force)
|
||||
constellationConfig, err := config.New(fileHandler, configName, fetcher.NewConfigAPIFetcher(), force)
|
||||
var configValidationErr *config.ValidationError
|
||||
if errors.As(err, &configValidationErr) {
|
||||
cmd.PrintErrln(configValidationErr.LongMessage())
|
||||
|
@ -38,6 +38,7 @@ go_test(
|
||||
tags = ["manual"],
|
||||
deps = [
|
||||
"//e2e/internal/kubectl",
|
||||
"//internal/api/fetcher",
|
||||
"//internal/config",
|
||||
"//internal/constants",
|
||||
"//internal/file",
|
||||
|
@ -21,6 +21,7 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/e2e/internal/kubectl"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||
@ -232,7 +233,8 @@ func testNodesEventuallyAvailable(t *testing.T, k *kubernetes.Clientset, wantCon
|
||||
|
||||
func writeUpgradeConfig(require *require.Assertions, image string, kubernetes string, microservices string) versionContainer {
|
||||
fileHandler := file.NewHandler(afero.NewOsFs())
|
||||
cfg, err := config.New(fileHandler, constants.ConfigFilename, true)
|
||||
fetcher := fetcher.NewConfigAPIFetcher()
|
||||
cfg, err := config.New(fileHandler, constants.ConfigFilename, fetcher, true)
|
||||
var cfgErr *config.ValidationError
|
||||
var longMsg string
|
||||
if errors.As(err, &cfgErr) {
|
||||
|
10
go.mod
10
go.mod
@ -148,7 +148,7 @@ require (
|
||||
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
|
||||
github.com/Azure/go-autorest/autorest v0.11.29 // indirect
|
||||
github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect
|
||||
github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
|
||||
github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
|
||||
github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
|
||||
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
|
||||
github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
|
||||
@ -226,14 +226,14 @@ require (
|
||||
github.com/google/gnostic v0.5.7-v3refs // indirect
|
||||
github.com/google/go-attestation v0.4.4-0.20221011162210-17f9c05652a9 // indirect
|
||||
github.com/google/go-cmp v0.5.9 // indirect
|
||||
github.com/google/go-containerregistry v0.14.0 // indirect
|
||||
github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419 // indirect
|
||||
github.com/google/go-sev-guest v0.4.1 // indirect
|
||||
github.com/google/go-tspi v0.3.0 // indirect
|
||||
github.com/google/gofuzz v1.2.0 // indirect
|
||||
github.com/google/logger v1.1.1 // indirect
|
||||
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
|
||||
github.com/google/trillian v1.5.2 // indirect
|
||||
github.com/google/uuid v1.3.0 // indirect
|
||||
github.com/google/uuid v1.3.0
|
||||
github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
|
||||
github.com/gophercloud/gophercloud v1.3.0
|
||||
github.com/gophercloud/utils v0.0.0-20230418172808-6eab72e966e1
|
||||
@ -270,7 +270,7 @@ require (
|
||||
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
|
||||
github.com/mitchellh/copystructure v1.2.0 // indirect
|
||||
github.com/mitchellh/go-homedir v1.1.0 // indirect
|
||||
github.com/mitchellh/go-wordwrap v1.0.0 // indirect
|
||||
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
|
||||
github.com/mitchellh/mapstructure v1.5.0 // indirect
|
||||
github.com/mitchellh/reflectwalk v1.0.2 // indirect
|
||||
github.com/moby/locker v1.0.1 // indirect
|
||||
@ -303,7 +303,7 @@ require (
|
||||
github.com/sirupsen/logrus v1.9.0 // indirect
|
||||
github.com/spf13/cast v1.5.0 // indirect
|
||||
github.com/spf13/pflag v1.0.5 // indirect
|
||||
github.com/theupdateframework/go-tuf v0.5.2 // indirect
|
||||
github.com/theupdateframework/go-tuf v0.5.2
|
||||
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
|
||||
github.com/transparency-dev/merkle v0.0.2 // indirect
|
||||
github.com/vtolstov/go-ioctl v0.0.0-20151206205506-6be9cced4810 // indirect
|
||||
|
12
go.sum
12
go.sum
@ -127,8 +127,8 @@ github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBW
|
||||
github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
|
||||
github.com/Azure/go-autorest/autorest/adal v0.9.22 h1:/GblQdIudfEM3AWWZ0mrYJQSd7JS4S/Mbzh6F0ov0Xc=
|
||||
github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk=
|
||||
github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 h1:P6bYXFoao05z5uhOQzbC3Qd8JqF3jUoocoTeIxkp2cA=
|
||||
github.com/Azure/go-autorest/autorest/azure/auth v0.5.11/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg=
|
||||
github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk=
|
||||
github.com/Azure/go-autorest/autorest/azure/auth v0.5.12/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg=
|
||||
github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg=
|
||||
github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc=
|
||||
github.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0=
|
||||
@ -688,8 +688,8 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8
|
||||
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
|
||||
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
github.com/google/go-containerregistry v0.14.0 h1:z58vMqHxuwvAsVwvKEkmVBz2TlgBgH5k6koEXBtlYkw=
|
||||
github.com/google/go-containerregistry v0.14.0/go.mod h1:aiJ2fp/SXvkWgmYHioXnbMdlgB8eXiiYOY55gfN91Wk=
|
||||
github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419 h1:gMlTWagRJgCJ3EnISyF5+p9phYpFyWEI70Z56T+o2MY=
|
||||
github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419/go.mod h1:ETSJmRH9iO4Q0WQILIMkDUiKk+CaxItZW+gEDjyw8Ug=
|
||||
github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM=
|
||||
github.com/google/go-licenses v0.0.0-20210329231322-ce1d9163b77d/go.mod h1:+TYOmkVoJOpwnS0wfdsJCV9CoD5nJYsHoFk/0CrTK4M=
|
||||
github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
|
||||
@ -1036,8 +1036,8 @@ github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
|
||||
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
|
||||
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
|
||||
github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
|
||||
github.com/mitchellh/go-wordwrap v1.0.0 h1:6GlHJ/LTGMrIJbwgdqdl2eEH8o+Exx/0m8ir9Gns0u4=
|
||||
github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
|
||||
github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
|
||||
github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
|
||||
github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
|
||||
github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
|
||||
github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
|
||||
|
@ -6,6 +6,7 @@ go_library(
|
||||
importpath = "github.com/edgelesssys/constellation/v2/hack/azure-snp-report-verify",
|
||||
visibility = ["//visibility:private"],
|
||||
deps = [
|
||||
"//internal/api/configapi",
|
||||
"@in_gopkg_square_go_jose_v2//:go-jose_v2",
|
||||
"@in_gopkg_square_go_jose_v2//jwt",
|
||||
],
|
||||
|
@ -13,12 +13,14 @@ import (
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"flag"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"os"
|
||||
"time"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
|
||||
"gopkg.in/square/go-jose.v2"
|
||||
"gopkg.in/square/go-jose.v2/jwt"
|
||||
)
|
||||
@ -43,6 +45,8 @@ func (i *IsolationTEE) PrintSVNs() {
|
||||
}
|
||||
|
||||
func main() {
|
||||
configAPIExportPath := flag.String("export-path", "azure-sev-snp-version.json", "Path to the exported config API file.")
|
||||
flag.Parse()
|
||||
if len(os.Args) != 2 {
|
||||
fmt.Println("Usage:", os.Args[0], "<maa-jwt>")
|
||||
return
|
||||
@ -54,6 +58,31 @@ func main() {
|
||||
fmt.Println("Successfully validated ID key digest:", report.IDKeyDigest)
|
||||
fmt.Println("Currently reported SVNs:")
|
||||
report.PrintSVNs()
|
||||
|
||||
if *configAPIExportPath != "" {
|
||||
configAPIVersion := convertToConfigAPIFile(report)
|
||||
if err := exportToJSONFile(configAPIVersion, *configAPIExportPath); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
fmt.Println("Successfully exported config API file to:", configAPIExportPath)
|
||||
}
|
||||
}
|
||||
|
||||
func convertToConfigAPIFile(i IsolationTEE) configapi.AzureSEVSNPVersion {
|
||||
return configapi.AzureSEVSNPVersion{
|
||||
Bootloader: uint8(i.BootloaderSvn),
|
||||
TEE: uint8(i.TEESvn),
|
||||
SNP: uint8(i.SNPFwSvn),
|
||||
Microcode: uint8(i.MicrocodeSvn),
|
||||
}
|
||||
}
|
||||
|
||||
func exportToJSONFile(configAPIVersion configapi.AzureSEVSNPVersion, configAPIExportPath string) error {
|
||||
data, err := json.Marshal(configAPIVersion)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return os.WriteFile(configAPIExportPath, data, 0o644)
|
||||
}
|
||||
|
||||
func getTEEReport(rawToken string) (IsolationTEE, error) {
|
||||
|
@ -5,11 +5,7 @@ go_library(
|
||||
srcs = ["main.go"],
|
||||
importpath = "github.com/edgelesssys/constellation/v2/hack/configapi",
|
||||
visibility = ["//visibility:private"],
|
||||
deps = [
|
||||
"//internal/api/configapi",
|
||||
"//internal/kms/uri",
|
||||
"@com_github_spf13_cobra//:cobra",
|
||||
],
|
||||
deps = ["//hack/configapi/cmd"],
|
||||
)
|
||||
|
||||
go_binary(
|
||||
|
13
hack/configapi/cmd/BUILD.bazel
Normal file
13
hack/configapi/cmd/BUILD.bazel
Normal file
@ -0,0 +1,13 @@
|
||||
load("@io_bazel_rules_go//go:def.bzl", "go_library")
|
||||
|
||||
go_library(
|
||||
name = "cmd",
|
||||
srcs = ["root.go"],
|
||||
importpath = "github.com/edgelesssys/constellation/v2/hack/configapi/cmd",
|
||||
visibility = ["//visibility:public"],
|
||||
deps = [
|
||||
"//internal/api/configapi",
|
||||
"//internal/staticupload",
|
||||
"@com_github_spf13_cobra//:cobra",
|
||||
],
|
||||
)
|
103
hack/configapi/cmd/root.go
Normal file
103
hack/configapi/cmd/root.go
Normal file
@ -0,0 +1,103 @@
|
||||
/*
|
||||
Copyright (c) Edgeless Systems GmbH
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
|
||||
package cmd
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"os"
|
||||
"time"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/staticupload"
|
||||
"github.com/spf13/cobra"
|
||||
)
|
||||
|
||||
const (
|
||||
awsRegion = "eu-central-1"
|
||||
awsBucket = "cdn-constellation-backend"
|
||||
invalidDefault = 0
|
||||
envAwsKeyID = "AWS_ACCESS_KEY_ID"
|
||||
envAwsKey = "AWS_ACCESS_KEY"
|
||||
)
|
||||
|
||||
var (
|
||||
versionFilePath string
|
||||
// Cosign credentials.
|
||||
cosignPwd string
|
||||
privateKeyPath string
|
||||
)
|
||||
|
||||
// Execute executes the root command.
|
||||
func Execute() error {
|
||||
return newRootCmd().Execute()
|
||||
}
|
||||
|
||||
// newRootCmd creates the root command.
|
||||
func newRootCmd() *cobra.Command {
|
||||
rootCmd := &cobra.Command{
|
||||
Use: "AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY upload -b 2 -t 0 -s 6 -m 93 --cosign-pwd $PWD --private-key $FILE_PATH",
|
||||
Short: "Upload a set of versions specific to the azure-sev-snp attestation variant to the config api.",
|
||||
|
||||
Long: "Upload a set of versions specific to the azure-sev-snp attestation variant to the config api. Please authenticate with AWS through your preferred method (e.g. environment variables, CLI) to be able to upload to S3.",
|
||||
RunE: runCmd,
|
||||
}
|
||||
rootCmd.PersistentFlags().StringVarP(&versionFilePath, "version-file", "f", "", "File path to the version json file.")
|
||||
rootCmd.PersistentFlags().StringVar(&cosignPwd, "cosign-pwd", "", "Cosign password used to decrpyt the private key.")
|
||||
rootCmd.PersistentFlags().StringVar(&privateKeyPath, "private-key", "", "File path of private key used to sign the payload.")
|
||||
must(enforceRequiredFlags(rootCmd, "version-file", "cosign-pwd", "private-key"))
|
||||
|
||||
return rootCmd
|
||||
}
|
||||
|
||||
func runCmd(cmd *cobra.Command, _ []string) error {
|
||||
ctx := cmd.Context()
|
||||
cfg := staticupload.Config{
|
||||
Bucket: awsBucket,
|
||||
Region: awsRegion,
|
||||
}
|
||||
privateKey, err := os.ReadFile(privateKeyPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("reading private key: %w", err)
|
||||
}
|
||||
|
||||
versionBytes, err := os.ReadFile(versionFilePath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("reading version file: %w", err)
|
||||
}
|
||||
var versions configapi.AzureSEVSNPVersion
|
||||
err = json.Unmarshal(versionBytes, &versions)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unmarshalling version file: %w", err)
|
||||
}
|
||||
|
||||
sut, err := configapi.NewAttestationVersionRepo(ctx, cfg, []byte(cosignPwd), privateKey)
|
||||
if err != nil {
|
||||
return fmt.Errorf("creating repo: %w", err)
|
||||
}
|
||||
|
||||
if err := sut.UploadAzureSEVSNP(ctx, versions, time.Now()); err != nil {
|
||||
return fmt.Errorf("uploading version: %w", err)
|
||||
}
|
||||
cmd.Printf("Successfully uploaded new Azure SEV-SNP version: %+v\n", versions)
|
||||
return nil
|
||||
}
|
||||
|
||||
func enforceRequiredFlags(cmd *cobra.Command, flags ...string) error {
|
||||
for _, flag := range flags {
|
||||
if err := cmd.MarkPersistentFlagRequired(flag); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func must(err error) {
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
@ -7,85 +7,14 @@ SPDX-License-Identifier: AGPL-3.0-only
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"time"
|
||||
"os"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/kms/uri"
|
||||
"github.com/spf13/cobra"
|
||||
"github.com/edgelesssys/constellation/v2/hack/configapi/cmd"
|
||||
)
|
||||
|
||||
const (
|
||||
awsRegion = "eu-central-1"
|
||||
awsBucket = "cdn-constellation-backend"
|
||||
invalidDefault = 0
|
||||
)
|
||||
|
||||
var (
|
||||
// AWS S3 credentials.
|
||||
awsAccessKeyID string
|
||||
awsAccessKey string
|
||||
|
||||
// Azure SEV-SNP version numbers.
|
||||
bootloaderVersion uint8
|
||||
teeVersion uint8
|
||||
snpVersion uint8
|
||||
microcodeVersion uint8
|
||||
)
|
||||
|
||||
func handleError(err error) {
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
|
||||
func main() {
|
||||
myCmd := &cobra.Command{
|
||||
Use: "upload a set of versions specific to the azure-sev-snp attestation variant to the config api",
|
||||
Short: "upload a set of versions specific to the azure-sev-snp attestation variant to the config api",
|
||||
Run: func(cmd *cobra.Command, args []string) {
|
||||
ctx := context.Background()
|
||||
cfg := uri.AWSS3Config{
|
||||
Bucket: awsBucket,
|
||||
AccessKeyID: awsAccessKeyID,
|
||||
AccessKey: awsAccessKey,
|
||||
Region: awsRegion,
|
||||
}
|
||||
sut, err := configapi.NewAttestationVersionRepo(ctx, cfg)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
versions := configapi.AzureSEVSNPVersion{
|
||||
Bootloader: bootloaderVersion,
|
||||
TEE: teeVersion,
|
||||
SNP: snpVersion,
|
||||
Microcode: microcodeVersion,
|
||||
}
|
||||
|
||||
if err := sut.UploadAzureSEVSNP(ctx, versions, time.Now()); err != nil {
|
||||
panic(err)
|
||||
} else {
|
||||
fmt.Println("Successfully uploaded version numbers", versions)
|
||||
}
|
||||
},
|
||||
if err := cmd.Execute(); err != nil {
|
||||
os.Exit(1)
|
||||
}
|
||||
myCmd.PersistentFlags().Uint8VarP(&bootloaderVersion, "bootloader-version", "b", invalidDefault, "Bootloader version number")
|
||||
handleError(myCmd.MarkPersistentFlagRequired("bootloader-version"))
|
||||
|
||||
myCmd.PersistentFlags().Uint8VarP(&teeVersion, "tee-version", "t", invalidDefault, "TEE version number")
|
||||
handleError(myCmd.MarkPersistentFlagRequired("tee-version"))
|
||||
|
||||
myCmd.PersistentFlags().Uint8VarP(&snpVersion, "snp-version", "s", invalidDefault, "SNP version number")
|
||||
handleError(myCmd.MarkPersistentFlagRequired("snp-version"))
|
||||
|
||||
myCmd.PersistentFlags().Uint8VarP(µcodeVersion, "microcode-version", "m", invalidDefault, "Microcode version number")
|
||||
handleError(myCmd.MarkPersistentFlagRequired("microcode-version"))
|
||||
|
||||
myCmd.PersistentFlags().StringVar(&awsAccessKeyID, "key-id", "", "ID of the Access key to use for AWS tests. Required for AWS KMS and storage test.")
|
||||
handleError(myCmd.MarkPersistentFlagRequired("key-id"))
|
||||
|
||||
myCmd.PersistentFlags().StringVar(&awsAccessKey, "key", "", "Access key to use for AWS tests. Required for AWS KMS and storage test.")
|
||||
handleError(myCmd.MarkPersistentFlagRequired("key"))
|
||||
handleError(myCmd.Execute())
|
||||
os.Exit(0)
|
||||
}
|
||||
|
@ -164,7 +164,7 @@ require (
|
||||
github.com/google/gnostic v0.5.7-v3refs // indirect
|
||||
github.com/google/go-attestation v0.4.4-0.20221011162210-17f9c05652a9 // indirect
|
||||
github.com/google/go-cmp v0.5.9 // indirect
|
||||
github.com/google/go-containerregistry v0.14.0 // indirect
|
||||
github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419 // indirect
|
||||
github.com/google/go-sev-guest v0.6.1 // indirect
|
||||
github.com/google/go-tpm v0.3.3 // indirect
|
||||
github.com/google/go-tpm-tools v0.3.12 // indirect
|
||||
@ -219,7 +219,7 @@ require (
|
||||
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
|
||||
github.com/mitchellh/copystructure v1.2.0 // indirect
|
||||
github.com/mitchellh/go-homedir v1.1.0 // indirect
|
||||
github.com/mitchellh/go-wordwrap v1.0.0 // indirect
|
||||
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
|
||||
github.com/mitchellh/mapstructure v1.5.0 // indirect
|
||||
github.com/mitchellh/reflectwalk v1.0.2 // indirect
|
||||
github.com/moby/locker v1.0.1 // indirect
|
||||
|
@ -664,8 +664,8 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8
|
||||
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
|
||||
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
github.com/google/go-containerregistry v0.14.0 h1:z58vMqHxuwvAsVwvKEkmVBz2TlgBgH5k6koEXBtlYkw=
|
||||
github.com/google/go-containerregistry v0.14.0/go.mod h1:aiJ2fp/SXvkWgmYHioXnbMdlgB8eXiiYOY55gfN91Wk=
|
||||
github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419 h1:gMlTWagRJgCJ3EnISyF5+p9phYpFyWEI70Z56T+o2MY=
|
||||
github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419/go.mod h1:ETSJmRH9iO4Q0WQILIMkDUiKk+CaxItZW+gEDjyw8Ug=
|
||||
github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM=
|
||||
github.com/google/go-licenses v0.0.0-20210329231322-ce1d9163b77d/go.mod h1:+TYOmkVoJOpwnS0wfdsJCV9CoD5nJYsHoFk/0CrTK4M=
|
||||
github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
|
||||
@ -1019,8 +1019,8 @@ github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
|
||||
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
|
||||
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
|
||||
github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
|
||||
github.com/mitchellh/go-wordwrap v1.0.0 h1:6GlHJ/LTGMrIJbwgdqdl2eEH8o+Exx/0m8ir9Gns0u4=
|
||||
github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
|
||||
github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
|
||||
github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
|
||||
github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
|
||||
github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
|
||||
github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
|
||||
|
@ -14,9 +14,10 @@ go_library(
|
||||
deps = [
|
||||
"//internal/constants",
|
||||
"//internal/kms/storage",
|
||||
"//internal/kms/storage/awss3",
|
||||
"//internal/kms/uri",
|
||||
"//internal/sigstore",
|
||||
"//internal/staticupload",
|
||||
"//internal/variant",
|
||||
"@com_github_aws_aws_sdk_go_v2_service_s3//:s3",
|
||||
],
|
||||
)
|
||||
|
||||
@ -28,8 +29,7 @@ go_test(
|
||||
],
|
||||
embed = [":configapi"],
|
||||
deps = [
|
||||
"//internal/kms/uri",
|
||||
"//internal/variant",
|
||||
"//internal/staticupload",
|
||||
"@com_github_stretchr_testify//require",
|
||||
"@in_gopkg_yaml_v3//:yaml_v3",
|
||||
],
|
||||
|
@ -6,54 +6,78 @@ SPDX-License-Identifier: AGPL-3.0-only
|
||||
package configapi
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"path"
|
||||
"sort"
|
||||
"time"
|
||||
|
||||
"github.com/aws/aws-sdk-go-v2/service/s3"
|
||||
"github.com/edgelesssys/constellation/v2/internal/kms/storage"
|
||||
"github.com/edgelesssys/constellation/v2/internal/kms/storage/awss3"
|
||||
"github.com/edgelesssys/constellation/v2/internal/kms/uri"
|
||||
"github.com/edgelesssys/constellation/v2/internal/sigstore"
|
||||
"github.com/edgelesssys/constellation/v2/internal/staticupload"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
)
|
||||
|
||||
// AttestationVersionRepo manages (modifies) the version information for the attestation variants.
|
||||
type AttestationVersionRepo struct {
|
||||
*awss3.Storage
|
||||
*staticupload.Client
|
||||
cosignPwd []byte // used to decrypt the cosign private key
|
||||
privKey []byte // used to sign
|
||||
}
|
||||
|
||||
// NewAttestationVersionRepo returns a new AttestationVersionRepo.
|
||||
func NewAttestationVersionRepo(ctx context.Context, cfg uri.AWSS3Config) (*AttestationVersionRepo, error) {
|
||||
s3, err := awss3.New(ctx, cfg)
|
||||
func NewAttestationVersionRepo(ctx context.Context, cfg staticupload.Config, cosignPwd, privateKey []byte) (*AttestationVersionRepo, error) {
|
||||
client, err := staticupload.New(ctx, cfg)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to create s3 storage: %w", err)
|
||||
}
|
||||
return &AttestationVersionRepo{s3}, nil
|
||||
return &AttestationVersionRepo{client, cosignPwd, privateKey}, nil
|
||||
}
|
||||
|
||||
// UploadAzureSEVSNP uploads the latest version numbers of the Azure SEVSNP.
|
||||
func (a AttestationVersionRepo) UploadAzureSEVSNP(ctx context.Context, versions AzureSEVSNPVersion, date time.Time) error {
|
||||
bt, err := json.Marshal(versions)
|
||||
versionBytes, err := json.Marshal(versions)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
variant := variant.AzureSEVSNP{}
|
||||
fname := date.Format("2006-01-02-15-04") + ".json"
|
||||
|
||||
err = a.Put(ctx, fmt.Sprintf("%s/%s/%s", attestationURLPath, variant.String(), fname), bt)
|
||||
filePath := fmt.Sprintf("%s/%s/%s", attestationURLPath, variant.String(), fname)
|
||||
err = put(ctx, a.Client, filePath, versionBytes)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
err = a.createAndUploadSignature(ctx, versionBytes, filePath)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return a.addVersionToList(ctx, variant, fname)
|
||||
}
|
||||
|
||||
// createAndUploadSignature signs the given content and uploads the signature to the given filePath with the .sig suffix.
|
||||
func (a AttestationVersionRepo) createAndUploadSignature(ctx context.Context, content []byte, filePath string) error {
|
||||
signature, err := sigstore.SignContent(a.cosignPwd, a.privKey, content)
|
||||
if err != nil {
|
||||
return fmt.Errorf("sign version file: %w", err)
|
||||
}
|
||||
err = put(ctx, a.Client, filePath+".sig", signature)
|
||||
if err != nil {
|
||||
return fmt.Errorf("upload signature: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// List returns the list of versions for the given attestation type.
|
||||
func (a AttestationVersionRepo) List(ctx context.Context, attestation variant.Variant) ([]string, error) {
|
||||
key := path.Join(attestationURLPath, attestation.String(), "list")
|
||||
bt, err := a.Get(ctx, key)
|
||||
bt, err := get(ctx, a.Client, key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -71,13 +95,13 @@ func (a AttestationVersionRepo) DeleteList(ctx context.Context, attestation vari
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return a.Put(ctx, path.Join(attestationURLPath, attestation.String(), "list"), bt)
|
||||
return put(ctx, a.Client, path.Join(attestationURLPath, attestation.String(), "list"), bt)
|
||||
}
|
||||
|
||||
func (a AttestationVersionRepo) addVersionToList(ctx context.Context, attestation variant.Variant, fname string) error {
|
||||
versions := []string{}
|
||||
key := path.Join(attestationURLPath, attestation.String(), "list")
|
||||
bt, err := a.Get(ctx, key)
|
||||
bt, err := get(ctx, a.Client, key)
|
||||
if err == nil {
|
||||
if err := json.Unmarshal(bt, &versions); err != nil {
|
||||
return err
|
||||
@ -92,5 +116,29 @@ func (a AttestationVersionRepo) addVersionToList(ctx context.Context, attestatio
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return a.Put(ctx, key, json)
|
||||
return put(ctx, a.Client, key, json)
|
||||
}
|
||||
|
||||
// get is a convenience method.
|
||||
func get(ctx context.Context, client *staticupload.Client, path string) ([]byte, error) {
|
||||
getObjectInput := &s3.GetObjectInput{
|
||||
Bucket: &client.BucketID,
|
||||
Key: &path,
|
||||
}
|
||||
output, err := client.GetObject(ctx, getObjectInput)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("getting object: %w", err)
|
||||
}
|
||||
return io.ReadAll(output.Body)
|
||||
}
|
||||
|
||||
// put is a convenience method.
|
||||
func put(ctx context.Context, client *staticupload.Client, path string, data []byte) error {
|
||||
putObjectInput := &s3.PutObjectInput{
|
||||
Bucket: &client.BucketID,
|
||||
Key: &path,
|
||||
Body: bytes.NewReader(data),
|
||||
}
|
||||
_, err := client.Upload(ctx, putObjectInput)
|
||||
return err
|
||||
}
|
||||
|
@ -11,40 +11,59 @@ import (
|
||||
"context"
|
||||
"flag"
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/kms/uri"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/edgelesssys/constellation/v2/internal/staticupload"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
const (
|
||||
awsBucket = "cdn-constellation-backend"
|
||||
awsRegion = "eu-central-1"
|
||||
envAwsKeyID = "AWS_ACCESS_KEY_ID"
|
||||
envAwsKey = "AWS_ACCESS_KEY"
|
||||
)
|
||||
|
||||
var cfg staticupload.Config
|
||||
|
||||
var (
|
||||
awsRegion = flag.String("aws-region", "us-east-1", "Region to use for AWS tests. Required for AWS KMS test.")
|
||||
awsAccessKeyID = flag.String("aws-access-key-id", "", "ID of the Access key to use for AWS tests. Required for AWS KMS and storage test.")
|
||||
awsAccessKey = flag.String("aws-access-key", "", "Access key to use for AWS tests. Required for AWS KMS and storage test.")
|
||||
awsBucket = flag.String("aws-bucket", "", "Name of the S3 bucket to use for AWS storage test. Required for AWS storage test.")
|
||||
cosignPwd = flag.String("cosign-pwd", "", "Password to decrypt the cosign private key. Required for signing.")
|
||||
privateKeyPath = flag.String("private-key", "", "Path to the private key used for signing. Required for signing.")
|
||||
privateKey []byte
|
||||
)
|
||||
|
||||
func TestMain(m *testing.M) {
|
||||
flag.Parse()
|
||||
if *awsAccessKey == "" || *awsAccessKeyID == "" || *awsBucket == "" || *awsRegion == "" {
|
||||
if *cosignPwd == "" || *privateKeyPath == "" {
|
||||
flag.Usage()
|
||||
fmt.Println("Required flags not set: --aws-access-key, --aws-access-key-id, --aws-bucket, --aws-region. Skipping tests.")
|
||||
os.Exit(0)
|
||||
fmt.Println("Required flags not set: --cosign-pwd, --private-key. Skipping tests.")
|
||||
os.Exit(1)
|
||||
}
|
||||
if _, present := os.LookupEnv(envAwsKey); !present {
|
||||
fmt.Printf("%s not set. Skipping tests.\n", envAwsKey)
|
||||
os.Exit(1)
|
||||
}
|
||||
if _, present := os.LookupEnv(envAwsKeyID); !present {
|
||||
fmt.Printf("%s not set. Skipping tests.\n", envAwsKeyID)
|
||||
os.Exit(1)
|
||||
}
|
||||
cfg = staticupload.Config{
|
||||
Bucket: awsBucket,
|
||||
Region: awsRegion,
|
||||
}
|
||||
file, _ := os.Open(*privateKeyPath)
|
||||
var err error
|
||||
privateKey, err = io.ReadAll(file)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
os.Exit(m.Run())
|
||||
}
|
||||
|
||||
var cfg = uri.AWSS3Config{
|
||||
Bucket: *awsBucket,
|
||||
AccessKeyID: *awsAccessKeyID,
|
||||
AccessKey: *awsAccessKey,
|
||||
Region: *awsRegion,
|
||||
}
|
||||
|
||||
var versionValues = configapi.AzureSEVSNPVersion{
|
||||
Bootloader: 2,
|
||||
TEE: 0,
|
||||
@ -54,32 +73,8 @@ var versionValues = configapi.AzureSEVSNPVersion{
|
||||
|
||||
func TestUploadAzureSEVSNPVersions(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
sut, err := configapi.NewAttestationVersionRepo(ctx, cfg)
|
||||
sut, err := configapi.NewAttestationVersionRepo(ctx, cfg, []byte(*cosignPwd), privateKey)
|
||||
require.NoError(t, err)
|
||||
d := time.Date(2021, 1, 1, 1, 1, 1, 1, time.UTC)
|
||||
require.NoError(t, sut.UploadAzureSEVSNP(ctx, versionValues, d))
|
||||
}
|
||||
|
||||
func TestListVersions(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
sut, err := configapi.NewAttestationVersionRepo(ctx, cfg)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = sut.DeleteList(ctx, variant.AzureSEVSNP{})
|
||||
require.NoError(t, err)
|
||||
|
||||
res, err := sut.List(ctx, variant.AzureSEVSNP{})
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, []string{}, res)
|
||||
|
||||
d := time.Date(2021, 1, 1, 1, 1, 1, 1, time.UTC)
|
||||
err = sut.UploadAzureSEVSNP(ctx, versionValues, d)
|
||||
require.NoError(t, err)
|
||||
res, err = sut.List(ctx, variant.AzureSEVSNP{})
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, []string{"2021-01-01-01-01.json"}, res)
|
||||
|
||||
err = sut.DeleteList(ctx, variant.AzureSEVSNP{})
|
||||
require.NoError(t, err)
|
||||
}
|
||||
|
@ -13,6 +13,7 @@ go_library(
|
||||
deps = [
|
||||
"//internal/api/configapi",
|
||||
"//internal/api/versionsapi",
|
||||
"//internal/sigstore",
|
||||
],
|
||||
)
|
||||
|
||||
|
@ -8,48 +8,94 @@ package fetcher
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net/url"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/sigstore"
|
||||
)
|
||||
|
||||
// ConfigAPIFetcher fetches config API resources without authentication.
|
||||
type ConfigAPIFetcher struct {
|
||||
type ConfigAPIFetcher interface {
|
||||
FetchAzureSEVSNPVersionList(ctx context.Context, attestation configapi.AzureSEVSNPVersionList) (configapi.AzureSEVSNPVersionList, error)
|
||||
FetchAzureSEVSNPVersion(ctx context.Context, azureVersion configapi.AzureSEVSNPVersionGet, version versionsapi.Version) (configapi.AzureSEVSNPVersionGet, error)
|
||||
FetchLatestAzureSEVSNPVersion(ctx context.Context, version versionsapi.Version) (configapi.AzureSEVSNPVersion, error)
|
||||
}
|
||||
|
||||
// configAPIFetcher fetches config API resources without authentication.
|
||||
type configAPIFetcher struct {
|
||||
*fetcher
|
||||
}
|
||||
|
||||
// NewConfigAPIFetcher returns a new Fetcher.
|
||||
func NewConfigAPIFetcher() *ConfigAPIFetcher {
|
||||
return &ConfigAPIFetcher{newFetcher()}
|
||||
func NewConfigAPIFetcher() ConfigAPIFetcher {
|
||||
return NewConfigAPIFetcherWithClient(NewHTTPClient())
|
||||
}
|
||||
|
||||
// NewConfigAPIFetcherWithClient returns a new Fetcher with custom http client.
|
||||
func NewConfigAPIFetcherWithClient(client HTTPClient) *ConfigAPIFetcher {
|
||||
return &ConfigAPIFetcher{newFetcherWith(client)}
|
||||
func NewConfigAPIFetcherWithClient(client HTTPClient) ConfigAPIFetcher {
|
||||
return &configAPIFetcher{
|
||||
fetcher: newFetcherWith(client),
|
||||
}
|
||||
}
|
||||
|
||||
// FetchAzureSEVSNPVersionList fetches the version list information from the config API.
|
||||
func (f *ConfigAPIFetcher) FetchAzureSEVSNPVersionList(ctx context.Context, attestation configapi.AzureSEVSNPVersionList) (configapi.AzureSEVSNPVersionList, error) {
|
||||
func (f *configAPIFetcher) FetchAzureSEVSNPVersionList(ctx context.Context, attestation configapi.AzureSEVSNPVersionList) (configapi.AzureSEVSNPVersionList, error) {
|
||||
return fetch(ctx, f.httpc, attestation)
|
||||
}
|
||||
|
||||
// FetchAzureSEVSNPVersion fetches the version information from the config API.
|
||||
func (f *ConfigAPIFetcher) FetchAzureSEVSNPVersion(ctx context.Context, attestation configapi.AzureSEVSNPVersionGet) (configapi.AzureSEVSNPVersionGet, error) {
|
||||
// TODO(elchead): follow-up PR for AB#3045 to check signature (sigstore.VerifySignature)
|
||||
return fetch(ctx, f.httpc, attestation)
|
||||
func (f *configAPIFetcher) FetchAzureSEVSNPVersion(ctx context.Context, azureVersion configapi.AzureSEVSNPVersionGet, version versionsapi.Version) (configapi.AzureSEVSNPVersionGet, error) {
|
||||
cosignPublicKey, err := sigstore.CosignPublicKeyForVersion(version)
|
||||
if err != nil {
|
||||
return azureVersion, fmt.Errorf("get public key for config: %w", err)
|
||||
}
|
||||
urlString, err := azureVersion.URL()
|
||||
if err != nil {
|
||||
return azureVersion, err
|
||||
}
|
||||
fetchedVersion, err := fetch(ctx, f.httpc, azureVersion)
|
||||
if err != nil {
|
||||
return fetchedVersion, fmt.Errorf("fetch version %s: %w", fetchedVersion.Version, err)
|
||||
}
|
||||
versionBytes, err := json.Marshal(fetchedVersion)
|
||||
if err != nil {
|
||||
return fetchedVersion, fmt.Errorf("marshal version for verify %s: %w", fetchedVersion.Version, err)
|
||||
}
|
||||
|
||||
signature, err := fetchBytesFromRawURL(ctx, fmt.Sprintf("%s.sig", urlString), f.httpc)
|
||||
if err != nil {
|
||||
return fetchedVersion, fmt.Errorf("fetch version %s signature: %w", fetchedVersion.Version, err)
|
||||
}
|
||||
|
||||
err = sigstore.CosignVerifier{}.VerifySignature(versionBytes, signature, cosignPublicKey)
|
||||
if err != nil {
|
||||
return fetchedVersion, fmt.Errorf("verify version %s signature: %w", fetchedVersion.Version, err)
|
||||
}
|
||||
return fetchedVersion, nil
|
||||
}
|
||||
|
||||
// FetchLatestAzureSEVSNPVersion returns the latest versions of the given type.
|
||||
func (f *ConfigAPIFetcher) FetchLatestAzureSEVSNPVersion(ctx context.Context) (res configapi.AzureSEVSNPVersion, err error) {
|
||||
func (f *configAPIFetcher) FetchLatestAzureSEVSNPVersion(ctx context.Context, version versionsapi.Version) (res configapi.AzureSEVSNPVersion, err error) {
|
||||
var versions configapi.AzureSEVSNPVersionList
|
||||
versions, err = f.FetchAzureSEVSNPVersionList(ctx, versions)
|
||||
if err != nil {
|
||||
return res, fmt.Errorf("fetching versions list: %w", err)
|
||||
}
|
||||
get := configapi.AzureSEVSNPVersionGet{Version: versions[0]} // get latest version (as sorted reversely alphanumerically)
|
||||
get, err = f.FetchAzureSEVSNPVersion(ctx, get)
|
||||
get, err = f.FetchAzureSEVSNPVersion(ctx, get, version)
|
||||
if err != nil {
|
||||
return res, fmt.Errorf("failed fetching version: %w", err)
|
||||
}
|
||||
return get.AzureSEVSNPVersion, nil
|
||||
}
|
||||
|
||||
func fetchBytesFromRawURL(ctx context.Context, urlString string, client HTTPClient) ([]byte, error) {
|
||||
url, err := url.Parse(urlString)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("parse version url %s: %w", urlString, err)
|
||||
}
|
||||
return getFromURL(ctx, client, url)
|
||||
}
|
||||
|
@ -15,27 +15,66 @@ import (
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestGetVersion(t *testing.T) {
|
||||
client := &http.Client{
|
||||
Transport: &fakeConfigAPIHandler{},
|
||||
}
|
||||
fetcher := NewConfigAPIFetcherWithClient(client)
|
||||
res, err := fetcher.FetchLatestAzureSEVSNPVersion(context.Background())
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, uint8(2), res.Bootloader)
|
||||
var testCfg = configapi.AzureSEVSNPVersion{
|
||||
Microcode: 93,
|
||||
TEE: 0,
|
||||
SNP: 6,
|
||||
Bootloader: 2,
|
||||
}
|
||||
|
||||
type fakeConfigAPIHandler struct{}
|
||||
func TestFetchLatestAzureSEVSNPVersion(t *testing.T) {
|
||||
testcases := map[string]struct {
|
||||
signature []byte
|
||||
wantErr bool
|
||||
want configapi.AzureSEVSNPVersion
|
||||
}{
|
||||
"get version with valid signature": {
|
||||
signature: []byte("MEUCIQDNn6wiSh9Nz9mtU9RvxvfkH3fNDFGeqopjTIRoBNkyrAIgSsKgdYNQXvPevaLWmmpnj/9WcgrltAQ+KfI+bQfklAo="),
|
||||
want: testCfg,
|
||||
},
|
||||
"fail with invalid signature": {
|
||||
signature: []byte("invalid"),
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
for name, tc := range testcases {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
client := &http.Client{
|
||||
Transport: &fakeConfigAPIHandler{
|
||||
signature: tc.signature,
|
||||
},
|
||||
}
|
||||
require := require.New(t)
|
||||
version, err := versionsapi.NewVersionFromShortPath("stream/debug/v9.9.9", versionsapi.VersionKindImage)
|
||||
require.NoError(err)
|
||||
fetcher := NewConfigAPIFetcherWithClient(client)
|
||||
|
||||
assert := assert.New(t)
|
||||
res, err := fetcher.FetchLatestAzureSEVSNPVersion(context.Background(), version)
|
||||
if tc.wantErr {
|
||||
assert.Error(err)
|
||||
} else {
|
||||
assert.NoError(err)
|
||||
assert.Equal(testCfg, res)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
type fakeConfigAPIHandler struct {
|
||||
signature []byte
|
||||
}
|
||||
|
||||
// RoundTrip resolves the request and returns a dummy response.
|
||||
func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, error) {
|
||||
if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/list" {
|
||||
res := &http.Response{}
|
||||
data := []string{"2021-01-01-01-01.json"}
|
||||
data := []string{"2021-01-01-01-01.json", "2019-01-01-01-02.json"} // return multiple versions to check that latest version is correctly selected
|
||||
bt, err := json.Marshal(data)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@ -47,12 +86,7 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
|
||||
return res, nil
|
||||
} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json" {
|
||||
res := &http.Response{}
|
||||
bt, err := json.Marshal(configapi.AzureSEVSNPVersion{
|
||||
Microcode: 93,
|
||||
TEE: 0,
|
||||
SNP: 6,
|
||||
Bootloader: 2,
|
||||
})
|
||||
bt, err := json.Marshal(testCfg)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -60,6 +94,12 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
|
||||
res.StatusCode = http.StatusOK
|
||||
return res, nil
|
||||
|
||||
} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json.sig" {
|
||||
res := &http.Response{}
|
||||
res.Body = io.NopCloser(bytes.NewReader(f.signature))
|
||||
res.StatusCode = http.StatusOK
|
||||
return res, nil
|
||||
|
||||
}
|
||||
return nil, errors.New("no endpoint found")
|
||||
}
|
||||
|
@ -17,7 +17,9 @@ import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
)
|
||||
|
||||
// fetcher fetches versions API resources without authentication.
|
||||
@ -46,6 +48,24 @@ type apiObject interface {
|
||||
URL() (string, error)
|
||||
}
|
||||
|
||||
// getFromURL fetches the content from the given URL and returns the content as a byte slice.
|
||||
func getFromURL(ctx context.Context, client HTTPClient, sourceURL *url.URL) ([]byte, error) {
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodGet, sourceURL.String(), http.NoBody)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return nil, fmt.Errorf("http status code: %d", resp.StatusCode)
|
||||
}
|
||||
return io.ReadAll(resp.Body)
|
||||
}
|
||||
|
||||
func fetch[T apiObject](ctx context.Context, c HTTPClient, obj T) (T, error) {
|
||||
if err := obj.ValidateRequest(); err != nil {
|
||||
return *new(T), fmt.Errorf("validating request for %T: %w", obj, err)
|
||||
|
@ -14,6 +14,7 @@ go_library(
|
||||
deps = [
|
||||
"//internal/api/versionsapi",
|
||||
"//internal/api/versionsapi/client",
|
||||
"//internal/constants",
|
||||
"//internal/logger",
|
||||
"@com_github_aws_aws_sdk_go_v2_config//:config",
|
||||
"@com_github_aws_aws_sdk_go_v2_service_ec2//:ec2",
|
||||
|
@ -23,6 +23,7 @@ import (
|
||||
"os"
|
||||
"os/signal"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/spf13/cobra"
|
||||
)
|
||||
|
||||
@ -52,7 +53,7 @@ func newRootCmd() *cobra.Command {
|
||||
rootCmd.PersistentFlags().Bool("verbose", false, "Enable verbose output")
|
||||
rootCmd.PersistentFlags().String("region", "eu-central-1", "AWS region of the API S3 bucket")
|
||||
rootCmd.PersistentFlags().String("bucket", "cdn-constellation-backend", "S3 bucket name of the API")
|
||||
rootCmd.PersistentFlags().String("distribution-id", "E1H77EZTHC3NE4", "CloudFront distribution ID of the API")
|
||||
rootCmd.PersistentFlags().String("distribution-id", constants.CDNDefaultDistributionID, "CloudFront distribution ID of the API")
|
||||
|
||||
rootCmd.AddCommand(newAddCmd())
|
||||
rootCmd.AddCommand(newLatestCmd())
|
||||
|
@ -487,27 +487,6 @@ func DefaultsFor(provider cloudprovider.Provider, attestationVariant variant.Var
|
||||
}
|
||||
}
|
||||
|
||||
func getFromURL(ctx context.Context, client *http.Client, sourceURL *url.URL) ([]byte, error) {
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodGet, sourceURL.String(), http.NoBody)
|
||||
if err != nil {
|
||||
return []byte{}, err
|
||||
}
|
||||
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return []byte{}, err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return []byte{}, fmt.Errorf("http status code: %d", resp.StatusCode)
|
||||
}
|
||||
content, err := io.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return []byte{}, err
|
||||
}
|
||||
return content, nil
|
||||
}
|
||||
|
||||
func checkLength(m map[uint32]Measurement) error {
|
||||
var length int
|
||||
for idx, measurement := range m {
|
||||
@ -552,6 +531,24 @@ func (c mYamlContent) Swap(i, j int) {
|
||||
c[2*i+1], c[2*j+1] = c[2*j+1], c[2*i+1]
|
||||
}
|
||||
|
||||
// getFromURL fetches the content from the given URL and returns the content as a byte slice.
|
||||
func getFromURL(ctx context.Context, client *http.Client, sourceURL *url.URL) ([]byte, error) {
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodGet, sourceURL.String(), http.NoBody)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return nil, fmt.Errorf("http status code: %d", resp.StatusCode)
|
||||
}
|
||||
return io.ReadAll(resp.Body)
|
||||
}
|
||||
|
||||
type cosignVerifier interface {
|
||||
VerifySignature(content, signature, publicKey []byte) error
|
||||
}
|
||||
|
@ -51,6 +51,7 @@ go_test(
|
||||
embed = [":config"],
|
||||
deps = [
|
||||
"//internal/api/configapi",
|
||||
"//internal/api/versionsapi",
|
||||
"//internal/attestation/measurements",
|
||||
"//internal/cloud/cloudprovider",
|
||||
"//internal/config/instancetypes",
|
||||
|
@ -13,6 +13,7 @@ import (
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
@ -96,9 +97,8 @@ func (c AzureSEVSNP) EqualTo(old AttestationCfg) (bool, error) {
|
||||
}
|
||||
|
||||
// FetchAndSetLatestVersionNumbers fetches the latest version numbers from the configapi and sets them.
|
||||
func (c *AzureSEVSNP) FetchAndSetLatestVersionNumbers(client fetcher.HTTPClient) error {
|
||||
fetcher := fetcher.NewConfigAPIFetcherWithClient(client)
|
||||
versions, err := fetcher.FetchLatestAzureSEVSNPVersion(context.Background())
|
||||
func (c *AzureSEVSNP) FetchAndSetLatestVersionNumbers(fetcher fetcher.ConfigAPIFetcher, version versionsapi.Version) error {
|
||||
versions, err := fetcher.FetchLatestAzureSEVSNPVersion(context.Background(), version)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -32,6 +32,7 @@ import (
|
||||
en_translations "github.com/go-playground/validator/v10/translations/en"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
@ -384,19 +385,19 @@ func fromFile(fileHandler file.Handler, name string) (*Config, error) {
|
||||
// 2. For "latest" version values of the attestation variants fetch the version numbers.
|
||||
// 3. Read secrets from environment variables.
|
||||
// 4. Validate config. If `--force` is set the version validation will be disabled and any version combination is allowed.
|
||||
func New(fileHandler file.Handler, name string, force bool) (*Config, error) {
|
||||
return NewWithClient(fileHandler, name, fetcher.NewHTTPClient(), force)
|
||||
}
|
||||
|
||||
// NewWithClient is New with a custom HTTP client.
|
||||
func NewWithClient(fileHandler file.Handler, name string, client fetcher.HTTPClient, force bool) (*Config, error) {
|
||||
func New(fileHandler file.Handler, name string, fetcher fetcher.ConfigAPIFetcher, force bool) (*Config, error) {
|
||||
// Read config file
|
||||
c, err := fromFile(fileHandler, name)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if azure := c.Attestation.AzureSEVSNP; azure != nil {
|
||||
if err := azure.FetchAndSetLatestVersionNumbers(client); err != nil {
|
||||
version, err := versionsapi.NewVersionFromShortPath(c.Image, versionsapi.VersionKindImage)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if err := azure.FetchAndSetLatestVersionNumbers(fetcher, version); err != nil {
|
||||
return c, err
|
||||
}
|
||||
}
|
||||
|
@ -7,11 +7,8 @@ SPDX-License-Identifier: AGPL-3.0-only
|
||||
package config
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"context"
|
||||
"errors"
|
||||
"io"
|
||||
"net/http"
|
||||
"reflect"
|
||||
"testing"
|
||||
|
||||
@ -25,6 +22,7 @@ import (
|
||||
"gopkg.in/yaml.v3"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/configapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config/instancetypes"
|
||||
@ -245,7 +243,6 @@ func TestNewWithDefaultOptions(t *testing.T) {
|
||||
wantClientSecretValue: "some-secret",
|
||||
},
|
||||
}
|
||||
client := newTestClient(&fakeConfigAPIHandler{})
|
||||
for name, tc := range testCases {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
@ -260,7 +257,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
|
||||
}
|
||||
|
||||
// Test
|
||||
c, err := NewWithClient(fileHandler, constants.ConfigFilename, client, false)
|
||||
c, err := New(fileHandler, constants.ConfigFilename, fakeConfigFetcher{}, false)
|
||||
if tc.wantErr {
|
||||
assert.Error(err)
|
||||
return
|
||||
@ -881,44 +878,27 @@ func getConfigAsMap(conf *Config, t *testing.T) (res configMap) {
|
||||
return
|
||||
}
|
||||
|
||||
type fakeConfigAPIHandler struct{}
|
||||
type fakeConfigFetcher struct{}
|
||||
|
||||
// RoundTrip resolves the request and returns a dummy response.
|
||||
func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, error) {
|
||||
if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/list" {
|
||||
res := &http.Response{}
|
||||
data := []string{"2021-01-01-01-01.json"}
|
||||
bt, err := json.Marshal(data)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
res.Body = io.NopCloser(bytes.NewReader(bt))
|
||||
res.Header = http.Header{}
|
||||
res.Header.Set("Content-Type", "application/json")
|
||||
res.StatusCode = http.StatusOK
|
||||
return res, nil
|
||||
} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json" {
|
||||
res := &http.Response{}
|
||||
bt, err := json.Marshal(configapi.AzureSEVSNPVersion{
|
||||
Microcode: 93,
|
||||
TEE: 0,
|
||||
SNP: 6,
|
||||
Bootloader: 2,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
res.Body = io.NopCloser(bytes.NewReader(bt))
|
||||
res.StatusCode = http.StatusOK
|
||||
return res, nil
|
||||
|
||||
}
|
||||
return nil, errors.New("no endpoint found")
|
||||
func (f fakeConfigFetcher) FetchAzureSEVSNPVersionList(_ context.Context, _ configapi.AzureSEVSNPVersionList) (configapi.AzureSEVSNPVersionList, error) {
|
||||
return configapi.AzureSEVSNPVersionList(
|
||||
[]string{},
|
||||
), nil
|
||||
}
|
||||
|
||||
// newTestClient returns *http.Client with Transport replaced to avoid making real calls.
|
||||
func newTestClient(fn *fakeConfigAPIHandler) *http.Client {
|
||||
return &http.Client{
|
||||
Transport: fn,
|
||||
}
|
||||
func (f fakeConfigFetcher) FetchAzureSEVSNPVersion(_ context.Context, _ configapi.AzureSEVSNPVersionGet, _ versionsapi.Version) (configapi.AzureSEVSNPVersionGet, error) {
|
||||
return configapi.AzureSEVSNPVersionGet{
|
||||
AzureSEVSNPVersion: testCfg,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (f fakeConfigFetcher) FetchLatestAzureSEVSNPVersion(_ context.Context, _ versionsapi.Version) (configapi.AzureSEVSNPVersion, error) {
|
||||
return testCfg, nil
|
||||
}
|
||||
|
||||
var testCfg = configapi.AzureSEVSNPVersion{
|
||||
Microcode: 93,
|
||||
TEE: 0,
|
||||
SNP: 6,
|
||||
Bootloader: 2,
|
||||
}
|
||||
|
@ -197,6 +197,8 @@ const (
|
||||
CDNMeasurementsFile = "measurements.json"
|
||||
// CDNMeasurementsSignature is name of file containing signature for CDNMeasurementsFile.
|
||||
CDNMeasurementsSignature = "measurements.json.sig"
|
||||
// CDNDefaultDistributionID is the default CloudFront distribution ID to use.
|
||||
CDNDefaultDistributionID = "E1H77EZTHC3NE4"
|
||||
|
||||
//
|
||||
// PKI.
|
||||
|
@ -5,6 +5,7 @@ go_library(
|
||||
name = "sigstore",
|
||||
srcs = [
|
||||
"rekor.go",
|
||||
"sign.go",
|
||||
"sigstore.go",
|
||||
"verify.go",
|
||||
],
|
||||
@ -22,6 +23,7 @@ go_library(
|
||||
"@com_github_sigstore_rekor//pkg/verify",
|
||||
"@com_github_sigstore_sigstore//pkg/cryptoutils",
|
||||
"@com_github_sigstore_sigstore//pkg/signature",
|
||||
"@com_github_theupdateframework_go_tuf//encrypted",
|
||||
],
|
||||
)
|
||||
|
||||
@ -29,6 +31,7 @@ go_test(
|
||||
name = "sigstore_test",
|
||||
srcs = [
|
||||
"rekor_test.go",
|
||||
"sign_test.go",
|
||||
"verify_test.go",
|
||||
],
|
||||
embed = [":sigstore"],
|
||||
|
71
internal/sigstore/sign.go
Normal file
71
internal/sigstore/sign.go
Normal file
@ -0,0 +1,71 @@
|
||||
/*
|
||||
Copyright (c) Edgeless Systems GmbH
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
package sigstore
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto"
|
||||
"crypto/ecdsa"
|
||||
"crypto/ed25519"
|
||||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"encoding/base64"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
||||
"github.com/sigstore/sigstore/pkg/signature"
|
||||
"github.com/theupdateframework/go-tuf/encrypted"
|
||||
)
|
||||
|
||||
const (
|
||||
cosignPrivateKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY"
|
||||
sigstorePrivateKeyPemType = "ENCRYPTED SIGSTORE PRIVATE KEY"
|
||||
)
|
||||
|
||||
// SignContent signs the content with the cosign encrypted private key and corresponding cosign password.
|
||||
func SignContent(password, encryptedPrivateKey, content []byte) ([]byte, error) {
|
||||
sv, err := loadPrivateKey(encryptedPrivateKey, password)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("loading private key: %w", err)
|
||||
}
|
||||
sig, err := sv.SignMessage(bytes.NewReader(content))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("signing message: %w", err)
|
||||
}
|
||||
return []byte(base64.StdEncoding.EncodeToString(sig)), nil
|
||||
}
|
||||
|
||||
func loadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error) {
|
||||
// Decrypt first
|
||||
p, _ := pem.Decode(key)
|
||||
if p == nil {
|
||||
return nil, errors.New("invalid pem block")
|
||||
}
|
||||
if p.Type != cosignPrivateKeyPemType && p.Type != sigstorePrivateKeyPemType {
|
||||
return nil, fmt.Errorf("unsupported pem type: %s", p.Type)
|
||||
}
|
||||
|
||||
x509Encoded, err := encrypted.Decrypt(p.Bytes, pass)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("decrypt: %w", err)
|
||||
}
|
||||
|
||||
pk, err := x509.ParsePKCS8PrivateKey(x509Encoded)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("parsing private key: %w", err)
|
||||
}
|
||||
switch pk := pk.(type) {
|
||||
case *rsa.PrivateKey:
|
||||
return signature.LoadRSAPKCS1v15SignerVerifier(pk, crypto.SHA256)
|
||||
case *ecdsa.PrivateKey:
|
||||
return signature.LoadECDSASignerVerifier(pk, crypto.SHA256)
|
||||
case ed25519.PrivateKey:
|
||||
return signature.LoadED25519SignerVerifier(pk)
|
||||
default:
|
||||
return nil, errors.New("unsupported key type")
|
||||
}
|
||||
}
|
59
internal/sigstore/sign_test.go
Normal file
59
internal/sigstore/sign_test.go
Normal file
@ -0,0 +1,59 @@
|
||||
/*
|
||||
Copyright (c) Edgeless Systems GmbH
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
package sigstore
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestSignSignature(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
// Generated with: cosign generate-key-pair
|
||||
privateKey := []byte("-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----\neyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6\nOCwicCI6MX0sInNhbHQiOiJlRHVYMWRQMGtIWVRnK0xkbjcxM0tjbFVJaU92eFVX\nVXgvNi9BbitFVk5BPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94\nIiwibm9uY2UiOiJwaWhLL2txNmFXa2hqSVVHR3RVUzhTVkdHTDNIWWp4TCJ9LCJj\naXBoZXJ0ZXh0Ijoidm81SHVWRVFWcUZ2WFlQTTVPaTVaWHM5a255bndZU2dvcyth\nVklIeHcrOGFPamNZNEtvVjVmL3lHRHR0K3BHV2toanJPR1FLOWdBbmtsazFpQ0c5\na2czUXpPQTZsU2JRaHgvZlowRVRZQ0hLeElncEdPRVRyTDlDenZDemhPZXVSOXJ6\nTDcvRjBBVy9vUDVqZXR3dmJMNmQxOEhjck9kWE8yVmYxY2w0YzNLZjVRcnFSZzlN\ndlRxQWFsNXJCNHNpY1JaMVhpUUJjb0YwNHc9PSJ9\n-----END ENCRYPTED COSIGN PRIVATE KEY-----")
|
||||
password := []byte("")
|
||||
content := []byte(`["2021-01-01-01-01.json"]\n`)
|
||||
publicKey := []byte("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu78QgxOOcao6U91CSzEXxrKhvFTt\nJHNy+eX6EMePtDm8CnDF9HSwnTlD0itGJ/XHPQA5YX10fJAqI1y+ehlFMw==\n-----END PUBLIC KEY-----")
|
||||
|
||||
testCases := map[string]struct {
|
||||
content []byte
|
||||
password []byte
|
||||
privateKey []byte
|
||||
wantErr bool
|
||||
}{
|
||||
"sign content with matching password and private key": {
|
||||
content: content,
|
||||
password: password,
|
||||
privateKey: privateKey,
|
||||
},
|
||||
"fail with wrong password": {
|
||||
content: content,
|
||||
password: []byte("wrong"),
|
||||
privateKey: privateKey,
|
||||
wantErr: true,
|
||||
},
|
||||
"fail with wrong private key": {
|
||||
content: content,
|
||||
password: password,
|
||||
privateKey: []byte("wrong"),
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
for name, tc := range testCases {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
signature, err := SignContent(tc.password, tc.privateKey, tc.content)
|
||||
if tc.wantErr {
|
||||
assert.Error(err)
|
||||
} else {
|
||||
assert.NoError(err)
|
||||
verifier := CosignVerifier{}
|
||||
assert.NoError(verifier.VerifySignature(tc.content, signature, publicKey))
|
||||
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
@ -5,17 +5,20 @@ go_library(
|
||||
name = "staticupload",
|
||||
srcs = [
|
||||
"delete.go",
|
||||
"get.go",
|
||||
"staticupload.go",
|
||||
"upload.go",
|
||||
],
|
||||
importpath = "github.com/edgelesssys/constellation/v2/internal/staticupload",
|
||||
visibility = ["//:__subpackages__"],
|
||||
deps = [
|
||||
"//internal/constants",
|
||||
"@com_github_aws_aws_sdk_go_v2_config//:config",
|
||||
"@com_github_aws_aws_sdk_go_v2_feature_s3_manager//:manager",
|
||||
"@com_github_aws_aws_sdk_go_v2_service_cloudfront//:cloudfront",
|
||||
"@com_github_aws_aws_sdk_go_v2_service_cloudfront//types",
|
||||
"@com_github_aws_aws_sdk_go_v2_service_s3//:s3",
|
||||
"@com_github_google_uuid//:uuid",
|
||||
],
|
||||
)
|
||||
|
||||
|
18
internal/staticupload/get.go
Normal file
18
internal/staticupload/get.go
Normal file
@ -0,0 +1,18 @@
|
||||
/*
|
||||
Copyright (c) Edgeless Systems GmbH
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
|
||||
package staticupload
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/aws/aws-sdk-go-v2/service/s3"
|
||||
)
|
||||
|
||||
// GetObject returns an object from from AWS S3 Storage.
|
||||
func (s *Client) GetObject(ctx context.Context, params *s3.GetObjectInput, optFns ...func(*s3.Options)) (*s3.GetObjectOutput, error) {
|
||||
return s.s3Client.GetObject(ctx, params, optFns...)
|
||||
}
|
@ -24,6 +24,8 @@ import (
|
||||
"github.com/aws/aws-sdk-go-v2/service/cloudfront"
|
||||
cftypes "github.com/aws/aws-sdk-go-v2/service/cloudfront/types"
|
||||
"github.com/aws/aws-sdk-go-v2/service/s3"
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
// Client is a static file uploader/updater/remover for the CDN / static API.
|
||||
@ -34,6 +36,7 @@ type Client struct {
|
||||
uploadClient uploadClient
|
||||
s3Client objectStorageClient
|
||||
distributionID string
|
||||
BucketID string
|
||||
|
||||
cacheInvalidationStrategy CacheInvalidationStrategy
|
||||
cacheInvalidationWaitTimeout time.Duration
|
||||
@ -57,6 +60,13 @@ type Config struct {
|
||||
CacheInvalidationWaitTimeout time.Duration
|
||||
}
|
||||
|
||||
// SetsDefault checks if all necessary values are set and sets default values otherwise.
|
||||
func (c *Config) SetsDefault() {
|
||||
if c.DistributionID == "" {
|
||||
c.DistributionID = constants.CDNDefaultDistributionID
|
||||
}
|
||||
}
|
||||
|
||||
// CacheInvalidationStrategy is the strategy to use for invalidating the CDN cache.
|
||||
type CacheInvalidationStrategy int
|
||||
|
||||
@ -84,10 +94,8 @@ func (e InvalidationError) Unwrap() error {
|
||||
}
|
||||
|
||||
// New creates a new Client.
|
||||
func New(
|
||||
ctx context.Context,
|
||||
config Config,
|
||||
) (*Client, error) {
|
||||
func New(ctx context.Context, config Config) (*Client, error) {
|
||||
config.SetsDefault()
|
||||
cfg, err := awsconfig.LoadDefaultConfig(ctx, awsconfig.WithRegion(config.Region))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@ -104,6 +112,7 @@ func New(
|
||||
distributionID: config.DistributionID,
|
||||
cacheInvalidationStrategy: config.CacheInvalidationStrategy,
|
||||
cacheInvalidationWaitTimeout: config.CacheInvalidationWaitTimeout,
|
||||
BucketID: config.Bucket,
|
||||
}, nil
|
||||
}
|
||||
|
||||
@ -165,7 +174,7 @@ func (c *Client) invalidateCacheForKeys(ctx context.Context, keys []string) (str
|
||||
in := &cloudfront.CreateInvalidationInput{
|
||||
DistributionId: &c.distributionID,
|
||||
InvalidationBatch: &cftypes.InvalidationBatch{
|
||||
CallerReference: ptr(fmt.Sprintf("%d", time.Now().Unix())),
|
||||
CallerReference: ptr(uuid.New().String()),
|
||||
Paths: &cftypes.Paths{
|
||||
Items: keys,
|
||||
Quantity: ptr(int32(len(keys))),
|
||||
@ -208,6 +217,10 @@ type uploadClient interface {
|
||||
) (*s3manager.UploadOutput, error)
|
||||
}
|
||||
|
||||
type getClient interface {
|
||||
GetObject(ctx context.Context, params *s3.GetObjectInput, optFns ...func(*s3.Options)) (*s3.GetObjectOutput, error)
|
||||
}
|
||||
|
||||
type deleteClient interface {
|
||||
DeleteObject(ctx context.Context, params *s3.DeleteObjectInput,
|
||||
optFns ...func(*s3.Options),
|
||||
@ -229,6 +242,7 @@ type cdnClient interface {
|
||||
|
||||
type objectStorageClient interface {
|
||||
deleteClient
|
||||
getClient
|
||||
}
|
||||
|
||||
// statically assert that Client implements the uploadClient interface.
|
||||
|
@ -551,3 +551,11 @@ func (s *stubObjectStorageClient) DeleteObjects(
|
||||
) (*s3.DeleteObjectsOutput, error) {
|
||||
return s.deleteObjectsOut, s.err
|
||||
}
|
||||
|
||||
// currently not needed so no-Op.
|
||||
func (s *stubObjectStorageClient) GetObject(
|
||||
_ context.Context, _ *s3.GetObjectInput,
|
||||
_ ...func(*s3.Options),
|
||||
) (*s3.GetObjectOutput, error) {
|
||||
return nil, nil
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user