config: Azure SNP tool can delete specific version from attestation API (#1863)

* client supports delete version * rename to new attestation / fetcher naming * add delete command to upload tool * test client delete * bazel update * use general client in attestation client * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * unit test azure sev upload * Update hack/configapi/cmd/delete.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * add client integration test * new client cmds use apiObject --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2025-07-23 23:40:44 -04:00 · 2023-06-05 12:33:22 +02:00 · 2023-06-05 12:33:22 +02:00 · c446f36b0f
commit c446f36b0f
parent 315b6c2f01
22 changed files with 549 additions and 228 deletions
--- a/internal/api/attestationconfig/client/client_test.go
+++ b/internal/api/attestationconfig/client/client_test.go
@ -1,82 +1,74 @@
-//go:build e2e
-
 /*
 Copyright (c) Edgeless Systems GmbH

 SPDX-License-Identifier: AGPL-3.0-only
 */
-package client_test
+package client

 import (
-	"context"
-	"flag"
-	"fmt"
-	"io"
-	"os"
 	"testing"
 	"time"

 	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfig"
-	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfig/client"
-	"github.com/edgelesssys/constellation/v2/internal/staticupload"
-	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/assert"
 )

-const (
-	awsBucket   = "cdn-constellation-backend"
-	awsRegion   = "eu-central-1"
-	envAwsKeyID = "AWS_ACCESS_KEY_ID"
-	envAwsKey   = "AWS_ACCESS_KEY"
-)
-
-var cfg staticupload.Config
-
-var (
-	cosignPwd      = flag.String("cosign-pwd", "", "Password to decrypt the cosign private key. Required for signing.")
-	privateKeyPath = flag.String("private-key", "", "Path to the private key used for signing. Required for signing.")
-	privateKey     []byte
-)
-
-func TestMain(m *testing.M) {
-	flag.Parse()
-	if *cosignPwd == "" || *privateKeyPath == "" {
-		flag.Usage()
-		fmt.Println("Required flags not set: --cosign-pwd, --private-key. Skipping tests.")
-		os.Exit(1)
+func TestUploadAzureSEVSNP(t *testing.T) {
+	sut := Client{
+		bucketID: "bucket",
+		signer:   fakeSigner{},
 	}
-	if _, present := os.LookupEnv(envAwsKey); !present {
-		fmt.Printf("%s not set. Skipping tests.\n", envAwsKey)
-		os.Exit(1)
-	}
-	if _, present := os.LookupEnv(envAwsKeyID); !present {
-		fmt.Printf("%s not set. Skipping tests.\n", envAwsKeyID)
-		os.Exit(1)
-	}
-	cfg = staticupload.Config{
-		Bucket: awsBucket,
-		Region: awsRegion,
-	}
-	file, _ := os.Open(*privateKeyPath)
-	var err error
-	privateKey, err = io.ReadAll(file)
-	if err != nil {
-		panic(err)
-	}
-	os.Exit(m.Run())
+	version := attestationconfig.AzureSEVSNPVersion{}
+	date := time.Date(2023, 1, 1, 1, 1, 1, 1, time.UTC)
+	ops, err := sut.uploadAzureSEVSNP(version, []string{"2021-01-01-01-01.json", "2019-01-01-01-01.json"}, date)
+	assert := assert.New(t)
+	assert.NoError(err)
+	dateStr := "2023-01-01-01-01.json"
+	assert.Contains(ops, putCmd{
+		apiObject: attestationconfig.AzureSEVSNPVersionAPI{
+			Version:            dateStr,
+			AzureSEVSNPVersion: version,
+		},
+	})
+	assert.Contains(ops, putCmd{
+		apiObject: attestationconfig.AzureSEVSNPVersionSignature{
+			Version:   dateStr,
+			Signature: []byte("signature"),
+		},
+	})
+	assert.Contains(ops, putCmd{
+		apiObject: attestationconfig.AzureSEVSNPVersionList([]string{"2023-01-01-01-01.json", "2021-01-01-01-01.json", "2019-01-01-01-01.json"}),
+	})
 }

-var versionValues = attestationconfig.AzureSEVSNPVersion{
-	Bootloader: 2,
-	TEE:        0,
-	SNP:        6,
-	Microcode:  93,
+func TestDeleteAzureSEVSNPVersions(t *testing.T) {
+	sut := Client{
+		bucketID: "bucket",
+	}
+	versions := attestationconfig.AzureSEVSNPVersionList([]string{"2023-01-01.json", "2021-01-01.json", "2019-01-01.json"})
+
+	ops, err := sut.deleteAzureSEVSNPVersion(versions, "2021-01-01")
+
+	assert := assert.New(t)
+	assert.NoError(err)
+	assert.Contains(ops, deleteCmd{
+		apiObject: attestationconfig.AzureSEVSNPVersionAPI{
+			Version: "2021-01-01.json",
+		},
+	})
+	assert.Contains(ops, deleteCmd{
+		apiObject: attestationconfig.AzureSEVSNPVersionSignature{
+			Version: "2021-01-01.json",
+		},
+	})
+
+	assert.Contains(ops, putCmd{
+		apiObject: attestationconfig.AzureSEVSNPVersionList([]string{"2023-01-01.json", "2019-01-01.json"}),
+	})
 }

-func TestUploadAzureSEVSNPVersions(t *testing.T) {
-	ctx := context.Background()
-	client, clientClose, err := client.New(ctx, cfg, []byte(*cosignPwd), privateKey)
-	require.NoError(t, err)
-	defer func() { _ = clientClose(ctx) }()
-	d := time.Date(2021, 1, 1, 1, 1, 1, 1, time.UTC)
-	require.NoError(t, client.UploadAzureSEVSNP(ctx, versionValues, d))
+type fakeSigner struct{}
+
+func (fakeSigner) Sign(_ []byte) ([]byte, error) {
+	return []byte("signature"), nil
 }