cli: support custom attestation policies for maa (#1375)

* create and update maa attestation policy * use interface to allow unit testing * fix test csp * http request for policy patch * go mod tidy * remove hyphen * go mod tidy * wip: adapt to feedback * linting fixes * remove csp from tf call * fix type assertion * Add MAA URL to instance tags (#1409) Signed-off-by: Daniel Weiße <dw@edgeless.systems> * conditionally create maa provider * only set instance tag when maa is created * fix azure unit test * bazel tidy * remove AzureCVM const Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * encode policy at runtime * remove policy arg * fix unit test --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2025-05-02 22:34:56 -04:00 · 2023-03-20 13:33:04 +01:00 · 2023-03-20 13:33:04 +01:00 · f2ce9518a3
commit f2ce9518a3
parent 119bf02435
15 changed files with 329 additions and 39 deletions
--- a/cli/internal/cloudcmd/BUILD.bazel
+++ b/cli/internal/cloudcmd/BUILD.bazel
@ -38,6 +38,9 @@ go_library(
        "//internal/versions/components",
        "//internal/versionsapi",
        "//operators/constellation-node-operator/api/v1alpha1",
+        "@com_github_azure_azure_sdk_for_go//profiles/latest/attestation/attestation",
+        "@com_github_azure_azure_sdk_for_go_sdk_azcore//policy",
+        "@com_github_azure_azure_sdk_for_go_sdk_azidentity//:azidentity",
        "@com_github_hashicorp_terraform_json//:terraform-json",
        "@com_github_spf13_cobra//:cobra",
        "@io_k8s_api//core/v1:core",
--- a/cli/internal/cloudcmd/clients_test.go
+++ b/cli/internal/cloudcmd/clients_test.go
@ -31,6 +31,7 @@ type stubTerraformClient struct {
 	initSecret             string
 	iamOutput              terraform.IAMOutput
 	uid                    string
+	attestationURL         string
 	tfjsonState            *tfjson.State
 	cleanUpWorkspaceCalled bool
 	removeInstallerCalled  bool
@ -46,9 +47,10 @@ type stubTerraformClient struct {

 func (c *stubTerraformClient) CreateCluster(ctx context.Context) (terraform.CreateOutput, error) {
 	return terraform.CreateOutput{
-		IP:     c.ip,
-		Secret: c.initSecret,
-		UID:    c.uid,
+		IP:             c.ip,
+		Secret:         c.initSecret,
+		UID:            c.uid,
+		AttestationURL: c.attestationURL,
 	}, c.createClusterErr
 }

--- a/cli/internal/cloudcmd/create.go
+++ b/cli/internal/cloudcmd/create.go
@ -8,9 +8,11 @@ package cloudcmd

 import (
 	"context"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
+	"net/http"
 	"net/url"
 	"os"
 	"path"
@ -18,6 +20,9 @@ import (
 	"runtime"
 	"strings"

+	"github.com/Azure/azure-sdk-for-go/profiles/latest/attestation/attestation"
+	azpolicy "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
 	"github.com/edgelesssys/constellation/v2/cli/internal/image"
 	"github.com/edgelesssys/constellation/v2/cli/internal/libvirt"
@ -34,6 +39,7 @@ type Creator struct {
 	newTerraformClient func(ctx context.Context) (terraformClient, error)
 	newLibvirtRunner   func() libvirtRunner
 	newRawDownloader   func() rawDownloader
+	policyPatcher      PolicyPatcher
 }

 // NewCreator creates a new creator.
@ -50,6 +56,7 @@ func NewCreator(out io.Writer) *Creator {
 		newRawDownloader: func() rawDownloader {
 			return image.NewDownloader()
 		},
+		policyPatcher: policyPatcher{},
 	}
 }

@ -182,8 +189,7 @@ func (c *Creator) createGCP(ctx context.Context, cl terraformClient, config *con
 	}, nil
 }

-func (c *Creator) createAzure(ctx context.Context, cl terraformClient, config *config.Config,
-	insType string, controlPlaneCount, workerCount int, image string,
+func (c *Creator) createAzure(ctx context.Context, cl terraformClient, config *config.Config, insType string, controlPlaneCount, workerCount int, image string,
 ) (idFile clusterid.File, retErr error) {
 	vars := terraform.AzureClusterVariables{
 		CommonVariables: terraform.CommonVariables{
@ -200,6 +206,7 @@ func (c *Creator) createAzure(ctx context.Context, cl terraformClient, config *c
 		ImageID:              image,
 		ConfidentialVM:       *config.Provider.Azure.ConfidentialVM,
 		SecureBoot:           *config.Provider.Azure.SecureBoot,
+		CreateMAA:            *config.Provider.Azure.EnforceIDKeyDigest,
 		Debug:                config.IsDebugCluster(),
 	}

@ -215,14 +222,98 @@ func (c *Creator) createAzure(ctx context.Context, cl terraformClient, config *c
 		return clusterid.File{}, err
 	}

+	if vars.CreateMAA {
+		// Patch the attestation policy to allow the cluster to boot while having secure boot disabled.
+		if err := c.policyPatcher.Patch(ctx, tfOutput.AttestationURL); err != nil {
+			return clusterid.File{}, err
+		}
+	}
+
 	return clusterid.File{
-		CloudProvider: cloudprovider.Azure,
-		IP:            tfOutput.IP,
-		InitSecret:    []byte(tfOutput.Secret),
-		UID:           tfOutput.UID,
+		CloudProvider:  cloudprovider.Azure,
+		IP:             tfOutput.IP,
+		InitSecret:     []byte(tfOutput.Secret),
+		UID:            tfOutput.UID,
+		AttestationURL: tfOutput.AttestationURL,
 	}, nil
 }

+// PolicyPatcher interacts with Azure to update the attestation policy.
+type PolicyPatcher interface {
+	Patch(ctx context.Context, attestationURL string) error
+}
+
+type policyPatcher struct{}
+
+// Patch updates the attestation policy to the base64-encoded attestation policy JWT for the given attestation URL.
+// https://learn.microsoft.com/en-us/azure/attestation/author-sign-policy#next-steps
+func (p policyPatcher) Patch(ctx context.Context, attestationURL string) error {
+	// hacky way to update the MAA attestation policy. This should be changed as soon as either the Terraform provider supports it
+	// or the Go SDK gets updated to a recent API version.
+	// https://github.com/hashicorp/terraform-provider-azurerm/issues/20804
+	cred, err := azidentity.NewDefaultAzureCredential(nil)
+	if err != nil {
+		return fmt.Errorf("retrieving default Azure credentials: %w", err)
+	}
+	token, err := cred.GetToken(ctx, azpolicy.TokenRequestOptions{
+		Scopes: []string{"https://attest.azure.net/.default"},
+	})
+	if err != nil {
+		return fmt.Errorf("retrieving token from default Azure credentials: %w", err)
+	}
+
+	client := attestation.NewPolicyClient()
+
+	// azureGuest is the id for the "Azure VM" attestation type. Other types are documented here:
+	// https://learn.microsoft.com/en-us/rest/api/attestation/policy/set
+	req, err := client.SetPreparer(ctx, attestationURL, "azureGuest", p.encodeAttestationPolicy())
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token.Token))
+	if err != nil {
+		return fmt.Errorf("preparing request: %w", err)
+	}
+
+	resp, err := client.Send(req)
+	if err != nil {
+		return fmt.Errorf("sending request: %w", err)
+	}
+	resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("updating attestation policy: unexpected status code: %s", resp.Status)
+	}
+
+	return nil
+}
+
+// encodeAttestationPolicy encodes the base64-encoded attestation policy in the JWS format specified here:
+// https://learn.microsoft.com/en-us/azure/attestation/author-sign-policy#creating-the-policy-file-in-json-web-signature-format
+func (p policyPatcher) encodeAttestationPolicy() string {
+	const policy = `
+                version= 1.0;
+                authorizationrules
+                {
+                    [type=="x-ms-azurevm-default-securebootkeysvalidated", value==false] => deny();
+                    [type=="x-ms-azurevm-debuggersdisabled", value==false] => deny();
+                    // The line below was edited by the Constellation CLI. Do not edit manually.
+                    //[type=="secureboot", value==false] => deny();
+                    [type=="x-ms-azurevm-signingdisabled", value==false] => deny();
+                    [type=="x-ms-azurevm-dbvalidated", value==false] => deny();
+                    [type=="x-ms-azurevm-dbxvalidated", value==false] => deny();
+                    => permit();
+                };
+                issuancerules
+                {
+                };`
+	encodedPolicy := base64.RawURLEncoding.EncodeToString([]byte(policy))
+	const header = `{"alg":"none"}`
+	payload := fmt.Sprintf(`{"AttestationPolicy":"%s"}`, encodedPolicy)
+
+	encodedHeader := base64.RawURLEncoding.EncodeToString([]byte(header))
+	encodedPayload := base64.RawURLEncoding.EncodeToString([]byte(payload))
+
+	return fmt.Sprintf("%s.%s.", encodedHeader, encodedPayload)
+}
+
 // The azurerm Terraform provider enforces its own convention of case sensitivity for Azure URIs which Azure's API itself does not enforce or, even worse, actually returns.
 // Let's go loco with case insensitive Regexp here and fix the user input here to be compliant with this arbitrary design decision.
 var (
--- a/cli/internal/cloudcmd/create_test.go
+++ b/cli/internal/cloudcmd/create_test.go
@ -30,6 +30,7 @@ func TestCreator(t *testing.T) {
 		libvirt               *stubLibvirtRunner
 		provider              cloudprovider.Provider
 		config                *config.Config
+		policyPatcher         *stubPolicyPatcher
 		wantErr               bool
 		wantRollback          bool // Use only together with stubClients.
 		wantTerraformRollback bool // When libvirt fails, don't call into Terraform.
@ -53,6 +54,35 @@ func TestCreator(t *testing.T) {
 			wantRollback:          true,
 			wantTerraformRollback: true,
 		},
+		"azure": {
+			tfClient:      &stubTerraformClient{ip: ip},
+			provider:      cloudprovider.Azure,
+			config:        config.Default(),
+			policyPatcher: &stubPolicyPatcher{},
+		},
+		"azure new policy patch error": {
+			tfClient:      &stubTerraformClient{ip: ip},
+			provider:      cloudprovider.Azure,
+			config:        config.Default(),
+			policyPatcher: &stubPolicyPatcher{someErr},
+			wantErr:       true,
+		},
+		"azure newTerraformClient error": {
+			newTfClientErr: someErr,
+			provider:       cloudprovider.Azure,
+			config:         config.Default(),
+			policyPatcher:  &stubPolicyPatcher{},
+			wantErr:        true,
+		},
+		"azure create cluster error": {
+			tfClient:              &stubTerraformClient{createClusterErr: someErr},
+			provider:              cloudprovider.Azure,
+			config:                config.Default(),
+			policyPatcher:         &stubPolicyPatcher{},
+			wantErr:               true,
+			wantRollback:          true,
+			wantTerraformRollback: true,
+		},
 		"qemu": {
 			tfClient: &stubTerraformClient{ip: ip},
 			libvirt:  &stubLibvirtRunner{},
@ -112,6 +142,7 @@ func TestCreator(t *testing.T) {
 						destination: "some-destination",
 					}
 				},
+				policyPatcher: tc.policyPatcher,
 			}

 			idFile, err := creator.Create(context.Background(), tc.provider, tc.config, "type", 2, 3)
@ -137,6 +168,14 @@ func TestCreator(t *testing.T) {
 	}
 }

+type stubPolicyPatcher struct {
+	patchErr error
+}
+
+func (s stubPolicyPatcher) Patch(ctx context.Context, attestationURL string) error {
+	return s.patchErr
+}
+
 func TestNormalizeAzureURIs(t *testing.T) {
 	testCases := map[string]struct {
 		in   terraform.AzureClusterVariables