fix: Azure SEV-SNP version always gets overwritten by latest API versions (#1930)

* fix that manual version gets overwritten by latest * put azure in seperate config file * otto feedback
2025-08-05 21:44:15 -04:00 · 2023-06-14 14:17:52 +02:00 · 2023-06-14 14:17:52 +02:00 · c5f75513b1
commit c5f75513b1
parent c1f9d86cd3
6 changed files with 202 additions and 142 deletions
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@ -22,7 +22,7 @@ import (
 	"go.uber.org/goleak"
 	"gopkg.in/yaml.v3"

-	configapi "github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
+	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config/instancetypes"
@ -57,16 +57,17 @@ func TestDefaultConfigWritesLatestVersion(t *testing.T) {
 	assert.Equal("latest", mp.getAzureSEVSNPVersion("bootloaderVersion"))
 }

-func TestReadConfigFile(t *testing.T) {
+func TestNew(t *testing.T) {
 	testCases := map[string]struct {
 		config     configMap
 		configName string
 		wantResult *Config
 		wantErr    bool
 	}{
-		"mix of Latest and uint as version value": {
+		"Azure SEV-SNP: mix of Latest and uint as version value in file correctly sets latest versions values": {
 			config: func() configMap {
-				conf := Default()
+				conf := Default() // default configures latest version
+				modifyConfigForAzureToPassValidate(conf)
 				m := getConfigAsMap(conf, t)
 				m.setAzureSEVSNPVersion("microcodeVersion", "Latest") // check uppercase also works
 				m.setAzureSEVSNPVersion("teeVersion", 2)
@ -77,17 +78,68 @@ func TestReadConfigFile(t *testing.T) {
 			configName: constants.ConfigFilename,
 			wantResult: func() *Config {
 				conf := Default()
-				conf.Attestation.AzureSEVSNP.BootloaderVersion = AttestationVersion{
-					Value:    1,
-					IsLatest: false,
+				modifyConfigForAzureToPassValidate(conf)
+				conf.Attestation.AzureSEVSNP.MicrocodeVersion = AttestationVersion{
+					Value:      testCfg.Microcode,
+					WantLatest: true,
 				}
 				conf.Attestation.AzureSEVSNP.TEEVersion = AttestationVersion{
-					Value:    2,
-					IsLatest: false,
+					Value:      2,
+					WantLatest: false,
+				}
+				conf.Attestation.AzureSEVSNP.BootloaderVersion = AttestationVersion{
+					Value:      1,
+					WantLatest: false,
+				}
+				conf.Attestation.AzureSEVSNP.SNPVersion = AttestationVersion{
+					Value:      testCfg.SNP,
+					WantLatest: true,
 				}
 				return conf
 			}(),
 		},
+	}
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			require := require.New(t)
+
+			fileHandler := file.NewHandler(afero.NewMemMapFs())
+			if tc.config != nil {
+				require.NoError(fileHandler.WriteYAML(tc.configName, tc.config, file.OptNone))
+			}
+			result, err := New(fileHandler, tc.configName, stubAttestationFetcher{}, false)
+			if tc.wantErr {
+				assert.Error(err)
+				return
+			}
+			assert.NoError(err)
+			assert.Equal(tc.wantResult, result)
+		})
+	}
+}
+
+func modifyConfigForAzureToPassValidate(c *Config) {
+	c.RemoveProviderAndAttestationExcept(cloudprovider.Azure)
+	c.Image = "v" + constants.VersionInfo()
+	c.Provider.Azure.SubscriptionID = "11111111-1111-1111-1111-111111111111"
+	c.Provider.Azure.TenantID = "11111111-1111-1111-1111-111111111111"
+	c.Provider.Azure.Location = "westus"
+	c.Provider.Azure.ResourceGroup = "test"
+	c.Provider.Azure.UserAssignedIdentity = "/subscriptions/11111111-1111-1111-1111-111111111111/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity"
+	c.Attestation.AzureSEVSNP.Measurements = measurements.M{
+		0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
+	}
+}
+
+func TestReadConfigFile(t *testing.T) {
+	testCases := map[string]struct {
+		config        configMap
+		configName    string
+		wantResult    *Config
+		wantErr       bool
+		wantedErrType error
+	}{
 		"refuse invalid version value": {
 			config: func() configMap {
 				conf := Default()
@ -205,16 +257,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
 			confToWrite: func() *Config { // valid config with all, but clientSecretValue
 				c := Default()
 				c.RemoveProviderAndAttestationExcept(cloudprovider.Azure)
-				c.Image = "v" + constants.VersionInfo()
-				c.Provider.Azure.SubscriptionID = "f4278079-288c-4766-a98c-ab9d5dba01a5"
-				c.Provider.Azure.TenantID = "d4ff9d63-6d6d-4042-8f6a-21e804add5aa"
-				c.Provider.Azure.Location = "westus"
-				c.Provider.Azure.ResourceGroup = "test"
-				c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity"
-				c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e"
-				c.Attestation.AzureSEVSNP.Measurements = measurements.M{
-					0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
-				}
+				modifyConfigForAzureToPassValidate(c)
 				return c
 			}(),
 			envToSet: map[string]string{
@ -225,18 +268,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
 		"set env overwrites": {
 			confToWrite: func() *Config {
 				c := Default()
-				c.RemoveProviderAndAttestationExcept(cloudprovider.Azure)
-				c.Image = "v" + constants.VersionInfo()
-				c.Provider.Azure.SubscriptionID = "f4278079-288c-4766-a98c-ab9d5dba01a5"
-				c.Provider.Azure.TenantID = "d4ff9d63-6d6d-4042-8f6a-21e804add5aa"
-				c.Provider.Azure.Location = "westus"
-				c.Provider.Azure.ResourceGroup = "test"
-				c.Provider.Azure.ClientSecretValue = "other-value" // < Note secret set in config, as well.
-				c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity"
-				c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e"
-				c.Attestation.AzureSEVSNP.Measurements = measurements.M{
-					0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
-				}
+				modifyConfigForAzureToPassValidate(c)
 				return c
 			}(),
 			envToSet: map[string]string{
@ -895,25 +927,25 @@ func getConfigAsMap(conf *Config, t *testing.T) (res configMap) {

 type stubAttestationFetcher struct{}

-func (f stubAttestationFetcher) FetchAzureSEVSNPVersionList(_ context.Context, _ configapi.AzureSEVSNPVersionList) (configapi.AzureSEVSNPVersionList, error) {
-	return configapi.AzureSEVSNPVersionList(
+func (f stubAttestationFetcher) FetchAzureSEVSNPVersionList(_ context.Context, _ attestationconfigapi.AzureSEVSNPVersionList) (attestationconfigapi.AzureSEVSNPVersionList, error) {
+	return attestationconfigapi.AzureSEVSNPVersionList(
 		[]string{},
 	), nil
 }

-func (f stubAttestationFetcher) FetchAzureSEVSNPVersion(_ context.Context, _ configapi.AzureSEVSNPVersionAPI) (configapi.AzureSEVSNPVersionAPI, error) {
-	return configapi.AzureSEVSNPVersionAPI{
+func (f stubAttestationFetcher) FetchAzureSEVSNPVersion(_ context.Context, _ attestationconfigapi.AzureSEVSNPVersionAPI) (attestationconfigapi.AzureSEVSNPVersionAPI, error) {
+	return attestationconfigapi.AzureSEVSNPVersionAPI{
 		AzureSEVSNPVersion: testCfg,
 	}, nil
 }

-func (f stubAttestationFetcher) FetchAzureSEVSNPVersionLatest(_ context.Context, _ time.Time) (configapi.AzureSEVSNPVersionAPI, error) {
-	return configapi.AzureSEVSNPVersionAPI{
+func (f stubAttestationFetcher) FetchAzureSEVSNPVersionLatest(_ context.Context, _ time.Time) (attestationconfigapi.AzureSEVSNPVersionAPI, error) {
+	return attestationconfigapi.AzureSEVSNPVersionAPI{
 		AzureSEVSNPVersion: testCfg,
 	}, nil
 }

-var testCfg = configapi.AzureSEVSNPVersion{
+var testCfg = attestationconfigapi.AzureSEVSNPVersion{
 	Microcode:  93,
 	TEE:        0,
 	SNP:        6,