config: sign Azure versions on upload & verify on fetch (#1836)

* add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2025-05-02 14:26:23 -04:00 · 2023-06-01 13:55:46 +02:00 · 2023-06-01 13:55:46 +02:00 · b51cc52945
commit b51cc52945
parent e0285c122e
55 changed files with 752 additions and 308 deletions
--- a/internal/api/fetcher/BUILD.bazel
+++ b/internal/api/fetcher/BUILD.bazel
@ -13,6 +13,7 @@ go_library(
    deps = [
        "//internal/api/configapi",
        "//internal/api/versionsapi",
+        "//internal/sigstore",
    ],
 )

--- a/internal/api/fetcher/configapi.go
+++ b/internal/api/fetcher/configapi.go
@ -8,48 +8,94 @@ package fetcher

 import (
 	"context"
+	"encoding/json"
 	"fmt"
+	"net/url"

 	"github.com/edgelesssys/constellation/v2/internal/api/configapi"
+	"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
+	"github.com/edgelesssys/constellation/v2/internal/sigstore"
 )

 // ConfigAPIFetcher fetches config API resources without authentication.
-type ConfigAPIFetcher struct {
+type ConfigAPIFetcher interface {
+	FetchAzureSEVSNPVersionList(ctx context.Context, attestation configapi.AzureSEVSNPVersionList) (configapi.AzureSEVSNPVersionList, error)
+	FetchAzureSEVSNPVersion(ctx context.Context, azureVersion configapi.AzureSEVSNPVersionGet, version versionsapi.Version) (configapi.AzureSEVSNPVersionGet, error)
+	FetchLatestAzureSEVSNPVersion(ctx context.Context, version versionsapi.Version) (configapi.AzureSEVSNPVersion, error)
+}
+
+// configAPIFetcher fetches config API resources without authentication.
+type configAPIFetcher struct {
 	*fetcher
 }

 // NewConfigAPIFetcher returns a new Fetcher.
-func NewConfigAPIFetcher() *ConfigAPIFetcher {
-	return &ConfigAPIFetcher{newFetcher()}
+func NewConfigAPIFetcher() ConfigAPIFetcher {
+	return NewConfigAPIFetcherWithClient(NewHTTPClient())
 }

 // NewConfigAPIFetcherWithClient returns a new Fetcher with custom http client.
-func NewConfigAPIFetcherWithClient(client HTTPClient) *ConfigAPIFetcher {
-	return &ConfigAPIFetcher{newFetcherWith(client)}
+func NewConfigAPIFetcherWithClient(client HTTPClient) ConfigAPIFetcher {
+	return &configAPIFetcher{
+		fetcher: newFetcherWith(client),
+	}
 }

 // FetchAzureSEVSNPVersionList fetches the version list information from the config API.
-func (f *ConfigAPIFetcher) FetchAzureSEVSNPVersionList(ctx context.Context, attestation configapi.AzureSEVSNPVersionList) (configapi.AzureSEVSNPVersionList, error) {
+func (f *configAPIFetcher) FetchAzureSEVSNPVersionList(ctx context.Context, attestation configapi.AzureSEVSNPVersionList) (configapi.AzureSEVSNPVersionList, error) {
 	return fetch(ctx, f.httpc, attestation)
 }

 // FetchAzureSEVSNPVersion fetches the version information from the config API.
-func (f *ConfigAPIFetcher) FetchAzureSEVSNPVersion(ctx context.Context, attestation configapi.AzureSEVSNPVersionGet) (configapi.AzureSEVSNPVersionGet, error) {
-	// TODO(elchead): follow-up PR for AB#3045 to check signature (sigstore.VerifySignature)
-	return fetch(ctx, f.httpc, attestation)
+func (f *configAPIFetcher) FetchAzureSEVSNPVersion(ctx context.Context, azureVersion configapi.AzureSEVSNPVersionGet, version versionsapi.Version) (configapi.AzureSEVSNPVersionGet, error) {
+	cosignPublicKey, err := sigstore.CosignPublicKeyForVersion(version)
+	if err != nil {
+		return azureVersion, fmt.Errorf("get public key for config: %w", err)
+	}
+	urlString, err := azureVersion.URL()
+	if err != nil {
+		return azureVersion, err
+	}
+	fetchedVersion, err := fetch(ctx, f.httpc, azureVersion)
+	if err != nil {
+		return fetchedVersion, fmt.Errorf("fetch version %s: %w", fetchedVersion.Version, err)
+	}
+	versionBytes, err := json.Marshal(fetchedVersion)
+	if err != nil {
+		return fetchedVersion, fmt.Errorf("marshal version for verify %s: %w", fetchedVersion.Version, err)
+	}
+
+	signature, err := fetchBytesFromRawURL(ctx, fmt.Sprintf("%s.sig", urlString), f.httpc)
+	if err != nil {
+		return fetchedVersion, fmt.Errorf("fetch version %s signature: %w", fetchedVersion.Version, err)
+	}
+
+	err = sigstore.CosignVerifier{}.VerifySignature(versionBytes, signature, cosignPublicKey)
+	if err != nil {
+		return fetchedVersion, fmt.Errorf("verify version %s signature: %w", fetchedVersion.Version, err)
+	}
+	return fetchedVersion, nil
 }

 // FetchLatestAzureSEVSNPVersion returns the latest versions of the given type.
-func (f *ConfigAPIFetcher) FetchLatestAzureSEVSNPVersion(ctx context.Context) (res configapi.AzureSEVSNPVersion, err error) {
+func (f *configAPIFetcher) FetchLatestAzureSEVSNPVersion(ctx context.Context, version versionsapi.Version) (res configapi.AzureSEVSNPVersion, err error) {
 	var versions configapi.AzureSEVSNPVersionList
 	versions, err = f.FetchAzureSEVSNPVersionList(ctx, versions)
 	if err != nil {
 		return res, fmt.Errorf("fetching versions list: %w", err)
 	}
 	get := configapi.AzureSEVSNPVersionGet{Version: versions[0]} // get latest version (as sorted reversely alphanumerically)
-	get, err = f.FetchAzureSEVSNPVersion(ctx, get)
+	get, err = f.FetchAzureSEVSNPVersion(ctx, get, version)
 	if err != nil {
 		return res, fmt.Errorf("failed fetching version: %w", err)
 	}
 	return get.AzureSEVSNPVersion, nil
 }
+
+func fetchBytesFromRawURL(ctx context.Context, urlString string, client HTTPClient) ([]byte, error) {
+	url, err := url.Parse(urlString)
+	if err != nil {
+		return nil, fmt.Errorf("parse version url %s: %w", urlString, err)
+	}
+	return getFromURL(ctx, client, url)
+}
--- a/internal/api/fetcher/configapi_test.go
+++ b/internal/api/fetcher/configapi_test.go
@ -15,27 +15,66 @@ import (
 	"testing"

 	"github.com/edgelesssys/constellation/v2/internal/api/configapi"
+	"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

-func TestGetVersion(t *testing.T) {
-	client := &http.Client{
-		Transport: &fakeConfigAPIHandler{},
-	}
-	fetcher := NewConfigAPIFetcherWithClient(client)
-	res, err := fetcher.FetchLatestAzureSEVSNPVersion(context.Background())
-	require.NoError(t, err)
-	assert.Equal(t, uint8(2), res.Bootloader)
+var testCfg = configapi.AzureSEVSNPVersion{
+	Microcode:  93,
+	TEE:        0,
+	SNP:        6,
+	Bootloader: 2,
 }

-type fakeConfigAPIHandler struct{}
+func TestFetchLatestAzureSEVSNPVersion(t *testing.T) {
+	testcases := map[string]struct {
+		signature []byte
+		wantErr   bool
+		want      configapi.AzureSEVSNPVersion
+	}{
+		"get version with valid signature": {
+			signature: []byte("MEUCIQDNn6wiSh9Nz9mtU9RvxvfkH3fNDFGeqopjTIRoBNkyrAIgSsKgdYNQXvPevaLWmmpnj/9WcgrltAQ+KfI+bQfklAo="),
+			want:      testCfg,
+		},
+		"fail with invalid signature": {
+			signature: []byte("invalid"),
+			wantErr:   true,
+		},
+	}
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			client := &http.Client{
+				Transport: &fakeConfigAPIHandler{
+					signature: tc.signature,
+				},
+			}
+			require := require.New(t)
+			version, err := versionsapi.NewVersionFromShortPath("stream/debug/v9.9.9", versionsapi.VersionKindImage)
+			require.NoError(err)
+			fetcher := NewConfigAPIFetcherWithClient(client)
+
+			assert := assert.New(t)
+			res, err := fetcher.FetchLatestAzureSEVSNPVersion(context.Background(), version)
+			if tc.wantErr {
+				assert.Error(err)
+			} else {
+				assert.NoError(err)
+				assert.Equal(testCfg, res)
+			}
+		})
+	}
+}
+
+type fakeConfigAPIHandler struct {
+	signature []byte
+}

 // RoundTrip resolves the request and returns a dummy response.
 func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, error) {
 	if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/list" {
 		res := &http.Response{}
-		data := []string{"2021-01-01-01-01.json"}
+		data := []string{"2021-01-01-01-01.json", "2019-01-01-01-02.json"} // return multiple versions to check that latest version is correctly selected
 		bt, err := json.Marshal(data)
 		if err != nil {
 			return nil, err
@ -47,12 +86,7 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
 		return res, nil
 	} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json" {
 		res := &http.Response{}
-		bt, err := json.Marshal(configapi.AzureSEVSNPVersion{
-			Microcode:  93,
-			TEE:        0,
-			SNP:        6,
-			Bootloader: 2,
-		})
+		bt, err := json.Marshal(testCfg)
 		if err != nil {
 			return nil, err
 		}
@ -60,6 +94,12 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
 		res.StatusCode = http.StatusOK
 		return res, nil

+	} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json.sig" {
+		res := &http.Response{}
+		res.Body = io.NopCloser(bytes.NewReader(f.signature))
+		res.StatusCode = http.StatusOK
+		return res, nil
+
 	}
 	return nil, errors.New("no endpoint found")
 }
--- a/internal/api/fetcher/fetcher.go
+++ b/internal/api/fetcher/fetcher.go
@ -17,7 +17,9 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
+	"net/url"
 )

 // fetcher fetches versions API resources without authentication.
@ -46,6 +48,24 @@ type apiObject interface {
 	URL() (string, error)
 }

+// getFromURL fetches the content from the given URL and returns the content as a byte slice.
+func getFromURL(ctx context.Context, client HTTPClient, sourceURL *url.URL) ([]byte, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, sourceURL.String(), http.NoBody)
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("http status code: %d", resp.StatusCode)
+	}
+	return io.ReadAll(resp.Body)
+}
+
 func fetch[T apiObject](ctx context.Context, c HTTPClient, obj T) (T, error) {
 	if err := obj.ValidateRequest(); err != nil {
 		return *new(T), fmt.Errorf("validating request for %T: %w", obj, err)