Daniel Weiße 5a0234b3f2
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257)
* Convert enforceIDKeyDigest setting to enum

* Use MAA fallback in Azure SNP attestation

* Only create MAA provider if MAA fallback is enabled

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 12:46:49 +01:00


/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package azure
import (
"context"
"errors"
"fmt"
"net/http"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/applicationinsights/armapplicationinsights"
"github.com/edgelesssys/constellation/v2/internal/cloud"
"github.com/microsoft/ApplicationInsights-Go/appinsights"
)
// Logger implements CloudLogger interface for Azure to Disclose early boot
// logs into Azure's App Insights service.
//
// Everything passed to Disclose leaves the machine and is stored in a cloud
// service, so callers must keep secrets out of the messages.
type Logger struct {
	// client is the Application Insights telemetry client set up by NewLogger.
	client appinsights.TelemetryClient
}
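// NewLogger creates a new client to store information in Azure Application Insights
// https://github.com/Microsoft/ApplicationInsights-go
//
// Credentials come from azidentity.NewDefaultAzureCredential. The subscription
// ID and the instance name are read from the instance metadata service (IMDS),
// and the instrumentation key is resolved via getAppInsightsKey, i.e. from the
// Application Insights component tagged with this instance's UID.
//
// It returns an error if the credentials cannot be loaded, an IMDS lookup
// fails, the Application Insights client cannot be created, or no suitable
// instrumentation key is found.
func NewLogger(ctx context.Context) (*Logger, error) {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		return nil, fmt.Errorf("loading credentials: %w", err)
	}

	// Proxy: nil means this client ignores environment proxy settings
	// (HTTP_PROXY etc.), so IMDS requests always go out directly.
	// NOTE(review): no Timeout is set on this client; cancellation relies on ctx — confirm.
	imdsAPI := &IMDSClient{
		client: &http.Client{Transport: &http.Transport{Proxy: nil}},
	}

	subscriptionID, err := imdsAPI.subscriptionID(ctx)
	if err != nil {
		return nil, fmt.Errorf("retrieving subscription ID: %w", err)
	}

	appInsightAPI, err := armapplicationinsights.NewComponentsClient(subscriptionID, cred, nil)
	if err != nil {
		// Same "<context>: %w" shape as the other errors in this function
		// (previously used ". %w", which broke the chained message style).
		return nil, fmt.Errorf("setting up insights API client: %w", err)
	}

	instrumentationKey, err := getAppInsightsKey(ctx, imdsAPI, appInsightAPI)
	if err != nil {
		return nil, fmt.Errorf("getting app insights instrumentation key: %w", err)
	}

	client := appinsights.NewTelemetryClient(instrumentationKey)

	// Tag every telemetry item with the instance name so entries from
	// different nodes can be told apart in App Insights.
	name, err := imdsAPI.name(ctx)
	if err != nil {
		return nil, fmt.Errorf("retrieving instance name: %w", err)
	}
	client.Context().CommonProperties["instance-name"] = name

	return &Logger{client: client}, nil
}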
// Disclose stores log information in Azure Application Insights!
// Do **NOT** log sensitive information!
//
// The message is submitted as a trace item with severity Information.
func (l *Logger) Disclose(msg string) {
	trace := appinsights.NewTraceTelemetry(msg, appinsights.Information)
	l.client.Track(trace)
}
// Close blocks until all information are written to cloud API.
//
// The telemetry channel is closed and the call waits for the returned
// signal before returning. The error result is always nil.
func (l *Logger) Close() error {
	flushed := l.client.Channel().Close()
	<-flushed
	return nil
}
// getAppInsightsKey returns a instrumentation key needed to set up cloud logging on Azure.
// The key is retrieved from the resource group of the instance the function is called from.
//
// The resource group and the instance UID are read from IMDS. The components of
// that resource group are paged through, and the first one whose cloud.TagUID
// tag equals the UID is selected. An error is returned when an IMDS lookup or a
// page fetch fails, when the selected component has no instrumentation key, or
// when no component carries a matching tag.
func getAppInsightsKey(ctx context.Context, imdsAPI imdsAPI, appInsightAPI applicationInsightsAPI) (string, error) {
	group, err := imdsAPI.resourceGroup(ctx)
	if err != nil {
		return "", err
	}
	instanceUID, err := imdsAPI.uid(ctx)
	if err != nil {
		return "", err
	}

	pager := appInsightAPI.NewListByResourceGroupPager(group, nil)
	for pager.More() {
		page, err := pager.NextPage(ctx)
		if err != nil {
			return "", fmt.Errorf("retrieving application insights: %w", err)
		}

		for _, component := range page.Value {
			if component == nil || component.Tags == nil {
				continue
			}
			// Only the component tagged with this instance's UID is trusted as
			// the log sink; anything else in the resource group is skipped.
			tag, ok := component.Tags[cloud.TagUID]
			if !ok || tag == nil || *tag != instanceUID {
				continue
			}

			props := component.Properties
			if props == nil || props.InstrumentationKey == nil {
				return "", errors.New("unable to get instrumentation key")
			}
			return *props.InstrumentationKey, nil
		}
	}

	return "", errors.New("could not find correctly tagged application insights")
}