config: sign Azure versions on upload & verify on fetch (#1836)

* add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2025-05-09 01:35:16 -04:00 · 2023-06-01 13:55:46 +02:00 · 2023-06-01 13:55:46 +02:00 · b51cc52945
commit b51cc52945
parent e0285c122e
55 changed files with 752 additions and 308 deletions
--- a/internal/api/fetcher/configapi_test.go
+++ b/internal/api/fetcher/configapi_test.go
@ -15,27 +15,66 @@ import (
 	"testing"

 	"github.com/edgelesssys/constellation/v2/internal/api/configapi"
+	"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

-func TestGetVersion(t *testing.T) {
-	client := &http.Client{
-		Transport: &fakeConfigAPIHandler{},
-	}
-	fetcher := NewConfigAPIFetcherWithClient(client)
-	res, err := fetcher.FetchLatestAzureSEVSNPVersion(context.Background())
-	require.NoError(t, err)
-	assert.Equal(t, uint8(2), res.Bootloader)
+var testCfg = configapi.AzureSEVSNPVersion{
+	Microcode:  93,
+	TEE:        0,
+	SNP:        6,
+	Bootloader: 2,
 }

-type fakeConfigAPIHandler struct{}
+func TestFetchLatestAzureSEVSNPVersion(t *testing.T) {
+	testcases := map[string]struct {
+		signature []byte
+		wantErr   bool
+		want      configapi.AzureSEVSNPVersion
+	}{
+		"get version with valid signature": {
+			signature: []byte("MEUCIQDNn6wiSh9Nz9mtU9RvxvfkH3fNDFGeqopjTIRoBNkyrAIgSsKgdYNQXvPevaLWmmpnj/9WcgrltAQ+KfI+bQfklAo="),
+			want:      testCfg,
+		},
+		"fail with invalid signature": {
+			signature: []byte("invalid"),
+			wantErr:   true,
+		},
+	}
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			client := &http.Client{
+				Transport: &fakeConfigAPIHandler{
+					signature: tc.signature,
+				},
+			}
+			require := require.New(t)
+			version, err := versionsapi.NewVersionFromShortPath("stream/debug/v9.9.9", versionsapi.VersionKindImage)
+			require.NoError(err)
+			fetcher := NewConfigAPIFetcherWithClient(client)
+
+			assert := assert.New(t)
+			res, err := fetcher.FetchLatestAzureSEVSNPVersion(context.Background(), version)
+			if tc.wantErr {
+				assert.Error(err)
+			} else {
+				assert.NoError(err)
+				assert.Equal(testCfg, res)
+			}
+		})
+	}
+}
+
+type fakeConfigAPIHandler struct {
+	signature []byte
+}

 // RoundTrip resolves the request and returns a dummy response.
 func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, error) {
 	if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/list" {
 		res := &http.Response{}
-		data := []string{"2021-01-01-01-01.json"}
+		data := []string{"2021-01-01-01-01.json", "2019-01-01-01-02.json"} // return multiple versions to check that latest version is correctly selected
 		bt, err := json.Marshal(data)
 		if err != nil {
 			return nil, err
@ -47,12 +86,7 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
 		return res, nil
 	} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json" {
 		res := &http.Response{}
-		bt, err := json.Marshal(configapi.AzureSEVSNPVersion{
-			Microcode:  93,
-			TEE:        0,
-			SNP:        6,
-			Bootloader: 2,
-		})
+		bt, err := json.Marshal(testCfg)
 		if err != nil {
 			return nil, err
 		}
@ -60,6 +94,12 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
 		res.StatusCode = http.StatusOK
 		return res, nil

+	} else if req.URL.Path == "/constellation/v1/attestation/azure-sev-snp/2021-01-01-01-01.json.sig" {
+		res := &http.Response{}
+		res.Body = io.NopCloser(bytes.NewReader(f.signature))
+		res.StatusCode = http.StatusOK
+		return res, nil
+
 	}
 	return nil, errors.New("no endpoint found")
 }