config: sign Azure versions on upload & verify on fetch (#1836)

* add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2025-05-13 11:42:24 -04:00 · 2023-06-01 13:55:46 +02:00 · 2023-06-01 13:55:46 +02:00 · b51cc52945
commit b51cc52945
parent e0285c122e
55 changed files with 752 additions and 308 deletions
--- a/internal/api/configapi/BUILD.bazel
+++ b/internal/api/configapi/BUILD.bazel
@ -14,9 +14,10 @@ go_library(
    deps = [
        "//internal/constants",
        "//internal/kms/storage",
-        "//internal/kms/storage/awss3",
-        "//internal/kms/uri",
+        "//internal/sigstore",
+        "//internal/staticupload",
        "//internal/variant",
+        "@com_github_aws_aws_sdk_go_v2_service_s3//:s3",
    ],
 )

@ -28,8 +29,7 @@ go_test(
    ],
    embed = [":configapi"],
    deps = [
-        "//internal/kms/uri",
-        "//internal/variant",
+        "//internal/staticupload",
        "@com_github_stretchr_testify//require",
        "@in_gopkg_yaml_v3//:yaml_v3",
    ],
--- a/internal/api/configapi/repo.go
+++ b/internal/api/configapi/repo.go
@ -6,54 +6,78 @@ SPDX-License-Identifier: AGPL-3.0-only
 package configapi

 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"path"
 	"sort"
 	"time"

+	"github.com/aws/aws-sdk-go-v2/service/s3"
 	"github.com/edgelesssys/constellation/v2/internal/kms/storage"
-	"github.com/edgelesssys/constellation/v2/internal/kms/storage/awss3"
-	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
+	"github.com/edgelesssys/constellation/v2/internal/sigstore"
+	"github.com/edgelesssys/constellation/v2/internal/staticupload"
 	"github.com/edgelesssys/constellation/v2/internal/variant"
 )

 // AttestationVersionRepo manages (modifies) the version information for the attestation variants.
 type AttestationVersionRepo struct {
-	*awss3.Storage
+	*staticupload.Client
+	cosignPwd []byte // used to decrypt the cosign private key
+	privKey   []byte // used to sign
 }

 // NewAttestationVersionRepo returns a new AttestationVersionRepo.
-func NewAttestationVersionRepo(ctx context.Context, cfg uri.AWSS3Config) (*AttestationVersionRepo, error) {
-	s3, err := awss3.New(ctx, cfg)
+func NewAttestationVersionRepo(ctx context.Context, cfg staticupload.Config, cosignPwd, privateKey []byte) (*AttestationVersionRepo, error) {
+	client, err := staticupload.New(ctx, cfg)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create s3 storage: %w", err)
 	}
-	return &AttestationVersionRepo{s3}, nil
+	return &AttestationVersionRepo{client, cosignPwd, privateKey}, nil
 }

 // UploadAzureSEVSNP uploads the latest version numbers of the Azure SEVSNP.
 func (a AttestationVersionRepo) UploadAzureSEVSNP(ctx context.Context, versions AzureSEVSNPVersion, date time.Time) error {
-	bt, err := json.Marshal(versions)
+	versionBytes, err := json.Marshal(versions)
 	if err != nil {
 		return err
 	}
 	variant := variant.AzureSEVSNP{}
 	fname := date.Format("2006-01-02-15-04") + ".json"

-	err = a.Put(ctx, fmt.Sprintf("%s/%s/%s", attestationURLPath, variant.String(), fname), bt)
+	filePath := fmt.Sprintf("%s/%s/%s", attestationURLPath, variant.String(), fname)
+	err = put(ctx, a.Client, filePath, versionBytes)
+	if err != nil {
+		return err
+	}
+
+	err = a.createAndUploadSignature(ctx, versionBytes, filePath)
 	if err != nil {
 		return err
 	}
 	return a.addVersionToList(ctx, variant, fname)
 }

+// createAndUploadSignature signs the given content and uploads the signature to the given filePath with the .sig suffix.
+func (a AttestationVersionRepo) createAndUploadSignature(ctx context.Context, content []byte, filePath string) error {
+	signature, err := sigstore.SignContent(a.cosignPwd, a.privKey, content)
+	if err != nil {
+		return fmt.Errorf("sign version file: %w", err)
+	}
+	err = put(ctx, a.Client, filePath+".sig", signature)
+	if err != nil {
+		return fmt.Errorf("upload signature: %w", err)
+	}
+	return nil
+}
+
 // List returns the list of versions for the given attestation type.
 func (a AttestationVersionRepo) List(ctx context.Context, attestation variant.Variant) ([]string, error) {
 	key := path.Join(attestationURLPath, attestation.String(), "list")
-	bt, err := a.Get(ctx, key)
+	bt, err := get(ctx, a.Client, key)
 	if err != nil {
 		return nil, err
 	}
@ -71,13 +95,13 @@ func (a AttestationVersionRepo) DeleteList(ctx context.Context, attestation vari
 	if err != nil {
 		return err
 	}
-	return a.Put(ctx, path.Join(attestationURLPath, attestation.String(), "list"), bt)
+	return put(ctx, a.Client, path.Join(attestationURLPath, attestation.String(), "list"), bt)
 }

 func (a AttestationVersionRepo) addVersionToList(ctx context.Context, attestation variant.Variant, fname string) error {
 	versions := []string{}
 	key := path.Join(attestationURLPath, attestation.String(), "list")
-	bt, err := a.Get(ctx, key)
+	bt, err := get(ctx, a.Client, key)
 	if err == nil {
 		if err := json.Unmarshal(bt, &versions); err != nil {
 			return err
@ -92,5 +116,29 @@ func (a AttestationVersionRepo) addVersionToList(ctx context.Context, attestatio
 	if err != nil {
 		return err
 	}
-	return a.Put(ctx, key, json)
+	return put(ctx, a.Client, key, json)
+}
+
+// get is a convenience method.
+func get(ctx context.Context, client *staticupload.Client, path string) ([]byte, error) {
+	getObjectInput := &s3.GetObjectInput{
+		Bucket: &client.BucketID,
+		Key:    &path,
+	}
+	output, err := client.GetObject(ctx, getObjectInput)
+	if err != nil {
+		return nil, fmt.Errorf("getting object: %w", err)
+	}
+	return io.ReadAll(output.Body)
+}
+
+// put is a convenience method.
+func put(ctx context.Context, client *staticupload.Client, path string, data []byte) error {
+	putObjectInput := &s3.PutObjectInput{
+		Bucket: &client.BucketID,
+		Key:    &path,
+		Body:   bytes.NewReader(data),
+	}
+	_, err := client.Upload(ctx, putObjectInput)
+	return err
 }
--- a/internal/api/configapi/repo_test.go
+++ b/internal/api/configapi/repo_test.go
@ -11,40 +11,59 @@ import (
 	"context"
 	"flag"
 	"fmt"
+	"io"
 	"os"
 	"testing"
 	"time"

 	"github.com/edgelesssys/constellation/v2/internal/api/configapi"
-	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
-	"github.com/edgelesssys/constellation/v2/internal/variant"
+	"github.com/edgelesssys/constellation/v2/internal/staticupload"
 	"github.com/stretchr/testify/require"
 )

+const (
+	awsBucket   = "cdn-constellation-backend"
+	awsRegion   = "eu-central-1"
+	envAwsKeyID = "AWS_ACCESS_KEY_ID"
+	envAwsKey   = "AWS_ACCESS_KEY"
+)
+
+var cfg staticupload.Config
+
 var (
-	awsRegion      = flag.String("aws-region", "us-east-1", "Region to use for AWS tests. Required for AWS KMS test.")
-	awsAccessKeyID = flag.String("aws-access-key-id", "", "ID of the Access key to use for AWS tests. Required for AWS KMS and storage test.")
-	awsAccessKey   = flag.String("aws-access-key", "", "Access key to use for AWS tests. Required for AWS KMS and storage test.")
-	awsBucket      = flag.String("aws-bucket", "", "Name of the S3 bucket to use for AWS storage test. Required for AWS storage test.")
+	cosignPwd      = flag.String("cosign-pwd", "", "Password to decrypt the cosign private key. Required for signing.")
+	privateKeyPath = flag.String("private-key", "", "Path to the private key used for signing. Required for signing.")
+	privateKey     []byte
 )

 func TestMain(m *testing.M) {
 	flag.Parse()
-	if *awsAccessKey == "" || *awsAccessKeyID == "" || *awsBucket == "" || *awsRegion == "" {
+	if *cosignPwd == "" || *privateKeyPath == "" {
 		flag.Usage()
-		fmt.Println("Required flags not set: --aws-access-key, --aws-access-key-id, --aws-bucket, --aws-region. Skipping tests.")
-		os.Exit(0)
+		fmt.Println("Required flags not set: --cosign-pwd, --private-key. Skipping tests.")
+		os.Exit(1)
+	}
+	if _, present := os.LookupEnv(envAwsKey); !present {
+		fmt.Printf("%s not set. Skipping tests.\n", envAwsKey)
+		os.Exit(1)
+	}
+	if _, present := os.LookupEnv(envAwsKeyID); !present {
+		fmt.Printf("%s not set. Skipping tests.\n", envAwsKeyID)
+		os.Exit(1)
+	}
+	cfg = staticupload.Config{
+		Bucket: awsBucket,
+		Region: awsRegion,
+	}
+	file, _ := os.Open(*privateKeyPath)
+	var err error
+	privateKey, err = io.ReadAll(file)
+	if err != nil {
+		panic(err)
 	}
 	os.Exit(m.Run())
 }

-var cfg = uri.AWSS3Config{
-	Bucket:      *awsBucket,
-	AccessKeyID: *awsAccessKeyID,
-	AccessKey:   *awsAccessKey,
-	Region:      *awsRegion,
-}
-
 var versionValues = configapi.AzureSEVSNPVersion{
 	Bootloader: 2,
 	TEE:        0,
@ -54,32 +73,8 @@ var versionValues = configapi.AzureSEVSNPVersion{

 func TestUploadAzureSEVSNPVersions(t *testing.T) {
 	ctx := context.Background()
-	sut, err := configapi.NewAttestationVersionRepo(ctx, cfg)
+	sut, err := configapi.NewAttestationVersionRepo(ctx, cfg, []byte(*cosignPwd), privateKey)
 	require.NoError(t, err)
 	d := time.Date(2021, 1, 1, 1, 1, 1, 1, time.UTC)
 	require.NoError(t, sut.UploadAzureSEVSNP(ctx, versionValues, d))
 }
-
-func TestListVersions(t *testing.T) {
-	ctx := context.Background()
-
-	sut, err := configapi.NewAttestationVersionRepo(ctx, cfg)
-	require.NoError(t, err)
-
-	err = sut.DeleteList(ctx, variant.AzureSEVSNP{})
-	require.NoError(t, err)
-
-	res, err := sut.List(ctx, variant.AzureSEVSNP{})
-	require.NoError(t, err)
-	require.Equal(t, []string{}, res)
-
-	d := time.Date(2021, 1, 1, 1, 1, 1, 1, time.UTC)
-	err = sut.UploadAzureSEVSNP(ctx, versionValues, d)
-	require.NoError(t, err)
-	res, err = sut.List(ctx, variant.AzureSEVSNP{})
-	require.NoError(t, err)
-	require.Equal(t, []string{"2021-01-01-01-01.json"}, res)
-
-	err = sut.DeleteList(ctx, variant.AzureSEVSNP{})
-	require.NoError(t, err)
-}