From e466ce2f26b12f9660be9056b7106a8b19a18c52 Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Tue, 8 Aug 2023 12:02:43 +0200
Subject: [PATCH] e2e: detect changing idKeyDigests on azure by setting the Azure SNP enforcement policy to equal in the weekly e2e. The run should fail when there are unexpected ID Key digests used.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 .github/actions/constellation_create/action.yml | 16 +++++++++++++++-
 .github/actions/e2e_test/action.yml | 3 +++
 .github/workflows/e2e-test-weekly.yml | 2 ++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml
index f43cb75a7..c4fa2876a 100644
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@@ -10,7 +10,7 @@ inputs:
  description: "Number of control-plane nodes to spawn."
  required: true
  cloudProvider:
- description: "Either 'gcp' or 'azure'."
+ description: "Either 'gcp', 'aws' or 'azure'."
  required: true
  machineType:
  description: "Machine type of VM to spawn."
@@ -33,6 +33,9 @@ inputs:
  fetchMeasurements:
  default: "false"
  description: "Update measurements via the 'constellation config fetch-measurements' command."
+ azureSNPEnforcementPolicy:
+ required: false
+ description: "Azure SNP enforcement policy."
 
  outputs:
  kubeconfig:
@@ -50,6 +53,17 @@ runs:
  run: |
  yq eval -i "(.name) = \"e2e-test\"" constellation-conf.yaml
 
+ - name: Set Azure SNP enforcement policy
+ if: inputs.azureSNPEnforcementPolicy != ''
+ shell: bash
+ run: |
+ if [[ ${{ inputs.cloudProvider }} != 'azure' ]]; then
+ echo "SNP enforcement policy is only supported for Azure"
+ exit 1
+ fi
+ yq eval -i "(.attestation.azureSEVSNP.firmwareSignerConfig.enforcementPolicy) \
+ = \"${{ inputs.azureSNPEnforcementPolicy }}\"" constellation-conf.yaml
+
  - name: Set image
  id: setImage
  shell: bash
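Review bot: The description of the new `azureSNPEnforcementPolicy` input says neither which values are meaningful nor that the action hard-fails (`exit 1` in the step added further down in this file) when it is set for a provider other than Azure, so a caller reading only the `inputs:` block gets no guidance. Suggest `description: "Azure SNP enforcement policy to write into the config (Azure only; the weekly e2e uses 'equal'). Leave empty to leave the config untouched."`, which also documents the `!= ''` skip guard on the step.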
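Review bot: In the new "Set Azure SNP enforcement policy" step, `${{ inputs.cloudProvider }}` and `${{ inputs.azureSNPEnforcementPolicy }}` are expanded into the `run:` script text before bash parses it, and the policy value is then spliced into a double-quoted yq expression, so a value containing `"`, `$(`, or a newline changes the script rather than the config (the `[[ ${{ inputs.cloudProvider }} != 'azure' ]]` test is also unquoted, which makes `[[ ]]` a syntax error on an empty value). Both inputs come from a trusted matrix in the weekly workflow, but this is a reusable action, so pass them through `env:` and reference them as shell variables, and let yq read the value with `strenv()` so the value never needs shell quoting at all (`strenv` is yq v4, which the `yq eval -i` form already used in this file assumes). Whether the CLI rejects an unknown policy string later cannot be seen from this hunk; if the accepted values are a small fixed set, a check against that set here would turn a typo into an early failure instead of an attestation-time one.

```yaml
    - name: Set Azure SNP enforcement policy
      if: inputs.azureSNPEnforcementPolicy != ''
      shell: bash
      env:
        CLOUD_PROVIDER: ${{ inputs.cloudProvider }}
        SNP_ENFORCEMENT_POLICY: ${{ inputs.azureSNPEnforcementPolicy }}
      run: |
        if [[ "${CLOUD_PROVIDER}" != 'azure' ]]; then
          # … unchanged: error message and exit 1 …
        fi
        yq eval -i '.attestation.azureSEVSNP.firmwareSignerConfig.enforcementPolicy = strenv(SNP_ENFORCEMENT_POLICY)' constellation-conf.yaml
```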
diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml
index 6fc7913db..56ddf14e4 100644
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@@ -74,6 +74,8 @@ inputs:
  fetchMeasurements:
  default: "false"
  description: "Update measurements via the 'constellation config fetch-measurements' command."
+ azureSNPEnforcementPolicy:
+ description: "Enable security policy for the cluster."
 
  outputs:
  kubeconfig:
@@ -239,6 +241,7 @@ runs:
  artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
  fetchMeasurements: ${{ inputs.fetchMeasurements }}
  cliVersion: ${{ inputs.cliVersion }}
+ azureSNPEnforcementPolicy: ${{ inputs.azureSNPEnforcementPolicy }}
 
  #
  # Test payloads
diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml
index cc2b4b899..d9b17945b 100644
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@@ -99,6 +99,7 @@ jobs:
  refStream: "ref/main/stream/debug/?"
  provider: "azure"
  kubernetes-version: "v1.27"
+ azureSNPEnforcementPolicy: "equal" # This run checks for unknown ID Key disgests.
  - test: "verify"
  provider: "aws"
  refStream: "ref/main/stream/debug/?"
@@ -208,6 +209,7 @@ jobs:
  registry: ghcr.io
  githubToken: ${{ secrets.GITHUB_TOKEN }}
  fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }}
+ azureSNPEnforcementPolicy: ${{ matrix.azureSNPEnforcementPolicy }}
 
  - name: Always terminate cluster
  if: always()
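Review bot: The description `"Enable security policy for the cluster."` on the new `azureSNPEnforcementPolicy` input reads like a boolean switch, but the value is forwarded verbatim to `constellation_create`, which writes it into `attestation.azureSEVSNP.firmwareSignerConfig.enforcementPolicy` and exits 1 when it is set for a non-Azure provider. Suggest `description: "Azure SNP enforcement policy to set in the config (Azure only; e.g. 'equal'). Leave empty to leave the config untouched."` so the two actions describe the same input the same way.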
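Review bot: The trailing comment on the added matrix line in e2e-test-weekly.yml has a typo (`disgests`) and explains the intent only indirectly; per the commit message the point of `equal` is that attestation fails on any ID key digest not listed in the config, which is what makes this run surface unexpected digest changes. Suggest `azureSNPEnforcementPolicy: "equal" # Fail attestation on ID key digests not in the config, so unexpected digest changes surface in this run.`. The other matrix entries leave the key unset, so `matrix.azureSNPEnforcementPolicy` should expand to the empty string for them and the create step is skipped by its `!= ''` guard; a short comment on the `with:` line further down saying so would save the next reader from checking.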