config: sign Azure versions on upload & verify on fetch (#1836)

* add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2025-05-02 06:16:08 -04:00 · 2023-06-01 13:55:46 +02:00 · 2023-06-01 13:55:46 +02:00 · b51cc52945
commit b51cc52945
parent e0285c122e
55 changed files with 752 additions and 308 deletions
--- a/internal/staticupload/BUILD.bazel
+++ b/internal/staticupload/BUILD.bazel
@ -5,17 +5,20 @@ go_library(
    name = "staticupload",
    srcs = [
        "delete.go",
+        "get.go",
        "staticupload.go",
        "upload.go",
    ],
    importpath = "github.com/edgelesssys/constellation/v2/internal/staticupload",
    visibility = ["//:__subpackages__"],
    deps = [
+        "//internal/constants",
        "@com_github_aws_aws_sdk_go_v2_config//:config",
        "@com_github_aws_aws_sdk_go_v2_feature_s3_manager//:manager",
        "@com_github_aws_aws_sdk_go_v2_service_cloudfront//:cloudfront",
        "@com_github_aws_aws_sdk_go_v2_service_cloudfront//types",
        "@com_github_aws_aws_sdk_go_v2_service_s3//:s3",
+        "@com_github_google_uuid//:uuid",
    ],
 )

--- a/internal/staticupload/get.go
+++ b/internal/staticupload/get.go
@ -0,0 +1,18 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package staticupload
+
+import (
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+)
+
+// GetObject returns an object from from AWS S3 Storage.
+func (s *Client) GetObject(ctx context.Context, params *s3.GetObjectInput, optFns ...func(*s3.Options)) (*s3.GetObjectOutput, error) {
+	return s.s3Client.GetObject(ctx, params, optFns...)
+}
--- a/internal/staticupload/staticupload.go
+++ b/internal/staticupload/staticupload.go
@ -24,6 +24,8 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/cloudfront"
 	cftypes "github.com/aws/aws-sdk-go-v2/service/cloudfront/types"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/edgelesssys/constellation/v2/internal/constants"
+	"github.com/google/uuid"
 )

 // Client is a static file uploader/updater/remover for the CDN / static API.
@ -34,6 +36,7 @@ type Client struct {
 	uploadClient   uploadClient
 	s3Client       objectStorageClient
 	distributionID string
+	BucketID       string

 	cacheInvalidationStrategy    CacheInvalidationStrategy
 	cacheInvalidationWaitTimeout time.Duration
@ -57,6 +60,13 @@ type Config struct {
 	CacheInvalidationWaitTimeout time.Duration
 }

+// SetsDefault checks if all necessary values are set and sets default values otherwise.
+func (c *Config) SetsDefault() {
+	if c.DistributionID == "" {
+		c.DistributionID = constants.CDNDefaultDistributionID
+	}
+}
+
 // CacheInvalidationStrategy is the strategy to use for invalidating the CDN cache.
 type CacheInvalidationStrategy int

@ -84,10 +94,8 @@ func (e InvalidationError) Unwrap() error {
 }

 // New creates a new Client.
-func New(
-	ctx context.Context,
-	config Config,
-) (*Client, error) {
+func New(ctx context.Context, config Config) (*Client, error) {
+	config.SetsDefault()
 	cfg, err := awsconfig.LoadDefaultConfig(ctx, awsconfig.WithRegion(config.Region))
 	if err != nil {
 		return nil, err
@ -104,6 +112,7 @@ func New(
 		distributionID:               config.DistributionID,
 		cacheInvalidationStrategy:    config.CacheInvalidationStrategy,
 		cacheInvalidationWaitTimeout: config.CacheInvalidationWaitTimeout,
+		BucketID:                     config.Bucket,
 	}, nil
 }

@ -165,7 +174,7 @@ func (c *Client) invalidateCacheForKeys(ctx context.Context, keys []string) (str
 	in := &cloudfront.CreateInvalidationInput{
 		DistributionId: &c.distributionID,
 		InvalidationBatch: &cftypes.InvalidationBatch{
-			CallerReference: ptr(fmt.Sprintf("%d", time.Now().Unix())),
+			CallerReference: ptr(uuid.New().String()),
 			Paths: &cftypes.Paths{
 				Items:    keys,
 				Quantity: ptr(int32(len(keys))),
@ -208,6 +217,10 @@ type uploadClient interface {
 	) (*s3manager.UploadOutput, error)
 }

+type getClient interface {
+	GetObject(ctx context.Context, params *s3.GetObjectInput, optFns ...func(*s3.Options)) (*s3.GetObjectOutput, error)
+}
+
 type deleteClient interface {
 	DeleteObject(ctx context.Context, params *s3.DeleteObjectInput,
 		optFns ...func(*s3.Options),
@ -229,6 +242,7 @@ type cdnClient interface {

 type objectStorageClient interface {
 	deleteClient
+	getClient
 }

 // statically assert that Client implements the uploadClient interface.
--- a/internal/staticupload/staticupload_test.go
+++ b/internal/staticupload/staticupload_test.go
@ -551,3 +551,11 @@ func (s *stubObjectStorageClient) DeleteObjects(
 ) (*s3.DeleteObjectsOutput, error) {
 	return s.deleteObjectsOut, s.err
 }
+
+// currently not needed so no-Op.
+func (s *stubObjectStorageClient) GetObject(
+	_ context.Context, _ *s3.GetObjectInput,
+	_ ...func(*s3.Options),
+) (*s3.GetObjectOutput, error) {
+	return nil, nil
+}