#!/usr/bin/env bash # Try to upload a file to S3 and then delete it using the configapi cli. # Check the file exists after uploading it. # Check the file does not exist after deleting it. ###### script header ###### lib=$(realpath @@BASE_LIB@@) || exit 1 stat "${lib}" >> /dev/null || exit 1 # shellcheck source=../../../../../bazel/sh/lib.bash if ! source "${lib}"; then echo "Error: could not find import" exit 1 fi configapi_cli=$(realpath @@CONFIGAPI_CLI@@) stat "${configapi_cli}" >> /dev/null configapi_cli="${configapi_cli} --testing" ###### script body ###### attestationVariant=$1 readonly attestationVariant readonly region="eu-west-1" readonly bucket="resource-api-testing" tmpdir=$(mktemp -d) readonly tmpdir registerExitHandler "rm -rf ${tmpdir}" # empty the bucket version state ${configapi_cli} delete recursive "${attestationVariant}" --region "${region}" --bucket "${bucket}" readonly current_report_path="${tmpdir}/attestationReportCurrent.json" readonly report_path="${tmpdir}/attestationReport.json" readonly older_report_path="${tmpdir}/attestationReportOld.json" if [[ ${attestationVariant} == *-tdx ]]; then cat << EOF > "${current_report_path}" { "header": { "qe_svn": "AAA=", "pce_svn": "AAA=", "qe_vendor_id": "KioqKioqKioqKioqKioqKg==" }, "td_quote_body": { "tee_tcb_svn": "AAAAAAAAAAAAAAAAAAAAAA==", "xfam": "AAAAAAAAAAA=" } } EOF # the high version numbers ensure that it's newer than the current latest value cat << EOF > "${report_path}" { "header": { "qe_svn": "//8=", "pce_svn": "//8=", "qe_vendor_id": "KioqKioqKioqKioqKioqKg==" }, "td_quote_body": { "tee_tcb_svn": "/////////////////////w==", "xfam": "AQIDBAUGBwg=" } } EOF # has an older version cat << EOF > "${older_report_path}" { "header": { "qe_svn": "//8=", "pce_svn": "/v8=", "qe_vendor_id": "KioqKioqKioqKioqKioqKg==" }, "td_quote_body": { "tee_tcb_svn": "/////////////////////g==", "xfam": "AQIDBAUGBwg=" } } EOF elif [[ ${attestationVariant} == *-sev-snp ]]; then cat << EOF > "${current_report_path}" { "snp_report": { "reported_tcb": { "bootloader": 1, "tee": 1, "snp": 1, "microcode": 1 }, "committed_tcb": { "bootloader": 1, "tee": 1, "snp": 1, "microcode": 1 }, "launch_tcb": { "bootloader": 1, "tee": 1, "snp": 1, "microcode": 1 } } } EOF # the high version numbers ensure that it's newer than the current latest value cat << EOF > "${report_path}" { "snp_report": { "reported_tcb": { "bootloader": 255, "tee": 255, "snp": 255, "microcode": 255 }, "committed_tcb": { "bootloader": 255, "tee": 255, "snp": 255, "microcode": 255 }, "launch_tcb": { "bootloader": 255, "tee": 255, "snp": 255, "microcode": 255 } } } EOF # has an older version cat << EOF > "${older_report_path}" { "snp_report": { "reported_tcb": { "bootloader": 255, "tee": 255, "snp": 255, "microcode": 254 }, "committed_tcb": { "bootloader": 255, "tee": 255, "snp": 255, "microcode": 254 }, "launch_tcb": { "bootloader": 255, "tee": 255, "snp": 255, "microcode": 254 } } } EOF else echo "Unknown attestation variant: ${attestationVariant}" exit 1 fi # upload a fake latest version for the fetcher ${configapi_cli} upload "${attestationVariant}" attestation-report "${current_report_path}" --force --upload-date "2000-01-01-01-01" --region "${region}" --bucket "${bucket}" # report 3 versions with different dates to fill the reporter cache readonly date_oldest="2023-02-01-03-04" ${configapi_cli} upload "${attestationVariant}" attestation-report "${older_report_path}" --upload-date "${date_oldest}" --region "${region}" --bucket "${bucket}" --cache-window-size 3 readonly date_older="2023-02-02-03-04" ${configapi_cli} upload "${attestationVariant}" attestation-report "${older_report_path}" --upload-date "${date_older}" --region "${region}" --bucket "${bucket}" --cache-window-size 3 readonly date="2023-02-03-03-04" ${configapi_cli} upload "${attestationVariant}" attestation-report "${report_path}" --upload-date "${date}" --region "${region}" --bucket "${bucket}" --cache-window-size 3 # expect that $date_oldest is served as latest version basepath="constellation/v1/attestation/${attestationVariant}" baseurl="https://d33dzgxuwsgbpw.cloudfront.net/${basepath}" if ! curl -fsSL "${baseurl}/${date_oldest}.json" > version.json; then echo "Checking for uploaded version file ${basepath}/${date_oldest}.json: request returned ${?}" exit 1 fi if [[ ${attestationVariant} == *-tdx ]]; then # check that version values are equal to expected if ! cmp -s <(echo -n '{"qeSVN":65535,"pceSVN":65534,"teeTCBSVN":[255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,254],"qeVendorID":[42,42,42,42,42,42,42,42,42,42,42,42,42,42,42,42],"xfam":[1,2,3,4,5,6,7,8]}') version.json; then echo "The version content:" cat version.json echo " is not equal to the expected version content:" echo '{"qeSVN":65535,"pceSVN":65534,"teeTCBSVN":[255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,254],"qeVendorID":[42,42,42,42,42,42,42,42,42,42,42,42,42,42,42,42],"xfam":[1,2,3,4,5,6,7,8]}' exit 1 fi elif [[ ${attestationVariant} == *-sev-snp ]]; then # check that version values are equal to expected if ! cmp -s <(echo -n '{"bootloader":255,"tee":255,"snp":255,"microcode":254}') version.json; then echo "The version content:" cat version.json echo " is not equal to the expected version content:" echo '{"bootloader":255,"tee":255,"snp":255,"microcode":254}' exit 1 fi fi if ! curl -fsSL "${baseurl}/${date_oldest}.json.sig" > /dev/null; then echo "Checking for uploaded version signature file ${basepath}/${date_oldest}.json.sig: request returned ${?}" exit 1 fi # check list endpoint if ! curl -fsSL "${baseurl}"/list > list.json; then echo "Checking for uploaded list file ${basepath}/list: request returned ${?}" exit 1 fi # check that version values are equal to expected if ! cmp -s <(echo -n '["2023-02-01-03-04.json","2000-01-01-01-01.json"]') list.json; then echo "The list content:" cat list.json echo " is not equal to the expected version content:" echo '["2023-02-01-03-04.json","2000-01-01-01-01.json"]' exit 1 fi # check that the other versions are not uploaded http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null "${baseurl}/${date_older}.json") if [[ ${http_code} -ne 404 ]]; then echo "Expected HTTP code 404 for: ${basepath}/${date_older}.json, but got ${http_code}" exit 1 fi http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null "${baseurl}/${date}.json.sig") if [[ ${http_code} -ne 404 ]]; then echo "Expected HTTP code 404 for: ${basepath}/${date}.json, but got ${http_code}" exit 1 fi ${configapi_cli} delete "${attestationVariant}" attestation-report "${date_oldest}" --region "${region}" --bucket "${bucket}" # Omit -f to check for 404. We want to check that a file was deleted, therefore we expect the query to fail. http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null "${baseurl}/${date_oldest}.json") if [[ ${http_code} -ne 404 ]]; then echo "Expected HTTP code 404 for: ${basepath}/${date_oldest}.json, but got ${http_code}" exit 1 fi # Omit -f to check for 404. We want to check that a file was deleted, therefore we expect the query to fail. http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null "${baseurl}/${date_oldest}.json.sig") if [[ ${http_code} -ne 404 ]]; then echo "Expected HTTP code 404 for: ${basepath}/${date_oldest}.json, but got ${http_code}" exit 1 fi