cli: new flag to set the attestation type for config generate (#1769)

* add attestation flag to specify type in config
2025-05-02 14:26:23 -04:00 · 2023-05-17 16:53:56 +02:00 · 2023-05-17 16:53:56 +02:00 · f99e06b63b
commit f99e06b63b
parent e7b7a544f0
11 changed files with 336 additions and 42 deletions
--- a/internal/variant/BUILD.bazel
+++ b/internal/variant/BUILD.bazel
@ -5,4 +5,5 @@ go_library(
    srcs = ["variant.go"],
    importpath = "github.com/edgelesssys/constellation/v2/internal/variant",
    visibility = ["//:__subpackages__"],
+    deps = ["//internal/cloud/cloudprovider"],
 )
--- a/internal/variant/variant.go
+++ b/internal/variant/variant.go
@ -34,6 +34,9 @@ package variant
 import (
 	"encoding/asn1"
 	"fmt"
+	"sort"
+
+	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 )

 const (
@ -46,6 +49,42 @@ const (
 	qemuTDX            = "qemu-tdx"
 )

+var providerAttestationMapping = map[cloudprovider.Provider][]Variant{
+	cloudprovider.AWS:       {AWSNitroTPM{}},
+	cloudprovider.Azure:     {AzureSEVSNP{}, AzureTrustedLaunch{}},
+	cloudprovider.GCP:       {GCPSEVES{}},
+	cloudprovider.QEMU:      {QEMUVTPM{}},
+	cloudprovider.OpenStack: {QEMUVTPM{}},
+}
+
+// GetDefaultAttestation returns the default attestation type for the given provider. If not found, it returns the default variant.
+func GetDefaultAttestation(provider cloudprovider.Provider) Variant {
+	res, ok := providerAttestationMapping[provider]
+	if ok {
+		return res[0]
+	}
+	return Dummy{}
+}
+
+// GetAvailableAttestationTypes returns the available attestation types.
+func GetAvailableAttestationTypes() []Variant {
+	var res []Variant
+
+	// assumes that cloudprovider.Provider is a uint32 to sort the providers and get a consistent order
+	var keys []cloudprovider.Provider
+	for k := range providerAttestationMapping {
+		keys = append(keys, k)
+	}
+	sort.Slice(keys, func(i, j int) bool {
+		return uint(keys[i]) < uint(keys[j])
+	})
+
+	for _, k := range keys {
+		res = append(res, providerAttestationMapping[k]...)
+	}
+	return removeDuplicate(res)
+}
+
 // Getter returns an ASN.1 Object Identifier.
 type Getter interface {
 	OID() asn1.ObjectIdentifier
@ -79,7 +118,20 @@ func FromString(oid string) (Variant, error) {
 	return nil, fmt.Errorf("unknown OID: %q", oid)
 }

-// Dummy OID for testing.
+// ValidProvider returns true if the attestation type is valid for the given provider.
+func ValidProvider(provider cloudprovider.Provider, variant Variant) bool {
+	validTypes, ok := providerAttestationMapping[provider]
+	if ok {
+		for _, aType := range validTypes {
+			if variant.Equal(aType) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// Dummy OID for testfing.
 type Dummy struct{}

 // OID returns the struct's object identifier.
@ -92,7 +144,7 @@ func (Dummy) String() string {
 	return dummy
 }

-// Equal returns true if the other variant is also a Dummy.
+// Equal returns true if the other variant is also a Default.
 func (Dummy) Equal(other Getter) bool {
 	return other.OID().Equal(Dummy{}.OID())
 }
@ -206,3 +258,15 @@ func (QEMUTDX) String() string {
 func (QEMUTDX) Equal(other Getter) bool {
 	return other.OID().Equal(QEMUTDX{}.OID())
 }
+
+func removeDuplicate(sliceList []Variant) []Variant {
+	allKeys := make(map[Variant]bool)
+	list := []Variant{}
+	for _, item := range sliceList {
+		if _, value := allKeys[item]; !value {
+			allKeys[item] = true
+			list = append(list, item)
+		}
+	}
+	return list
+}