Daniel Weiße e350ca0f57
attestation: add Azure TDX attestation (#2827)
* Implement Azure TDX attestation primitives
* Add default measurements and claims for Azure TDX
* Enable Constellation on Azure TDX

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-01-24 15:10:15 +01:00


/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package snp
import (
"context"
"encoding/json"
"errors"
"io"
"testing"
"github.com/edgelesssys/constellation/v2/internal/attestation/snp"
"github.com/edgelesssys/go-azguestattestation/maa"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
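// TestGetSNPAttestation drives Issuer.getInstanceInfo with stubbed IMDS and
// MAA clients. It checks that an IMDS failure, a parameter-creation failure
// or a token-creation failure surfaces as an error, and that on success the
// returned JSON carries the SNP report, the VCEK certificate and chain, the
// runtime data and the MAA token, with the caller's user data handed to
// newParameters always and to createToken only when IMDS returned an MAA URL.
func TestGetSNPAttestation(t *testing.T) {
	testCases := map[string]struct {
		maaURL    string
		maaToken  string
		apiError  error
		tokenErr  error
		paramsErr error
		wantErr   bool
	}{
		"success without maa": {
			wantErr: false,
		},
		"success with maa": {
			maaURL:   "maaurl",
			maaToken: "maatoken",
			wantErr:  false,
		},
		"api fails": {
			apiError: errors.New(""),
			wantErr:  true,
		},
		"createToken fails": {
			maaURL:   "maaurl",
			tokenErr: errors.New(""),
			wantErr:  true,
		},
		"newParameters fails": {
			paramsErr: errors.New(""),
			wantErr:   true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)
			require := require.New(t)

			imdsClient := stubImdsClient{
				maaURL:   tc.maaURL,
				apiError: tc.apiError,
			}
			params := maa.Parameters{
				SNPReport:   []byte("snpreport"),
				RuntimeData: []byte("runtimedata"),
				VcekCert:    []byte("vcekcert"),
				VcekChain:   []byte("vcekchain"),
			}
			// Named maaStub rather than maa so the imported maa package is
			// not shadowed for the remainder of the subtest.
			maaStub := &stubMaaTokenCreator{
				token:     tc.maaToken,
				tokenErr:  tc.tokenErr,
				params:    params,
				paramsErr: tc.paramsErr,
			}
			issuer := Issuer{
				imds: imdsClient,
				maa:  maaStub,
			}

			data := []byte("data")
			attestationJSON, err := issuer.getInstanceInfo(context.Background(), nil, data)
			if tc.wantErr {
				assert.Error(err)
				return
			}
			require.NoError(err)

			// User data must reach newParameters in every successful case,
			// and createToken only when IMDS handed out an MAA URL.
			assert.Equal(data, maaStub.gotParamsData)
			if tc.maaURL == "" {
				assert.Empty(maaStub.gotTokenData)
			} else {
				assert.Equal(data, maaStub.gotTokenData)
			}

			var instanceInfo snp.InstanceInfo
			require.NoError(json.Unmarshal(attestationJSON, &instanceInfo))
			assert.Equal(params.VcekCert, instanceInfo.ReportSigner)
			assert.Equal(params.VcekChain, instanceInfo.CertChain)
			assert.Equal(params.SNPReport, instanceInfo.AttestationReport)
			assert.Equal(params.RuntimeData, instanceInfo.Azure.RuntimeData)
			assert.Equal(tc.maaToken, instanceInfo.Azure.MAAToken)
		})
	}
}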
// stubImdsClient is a test double for the IMDS client that Issuer consults
// for the MAA URL. It hands back a fixed URL and a fixed error regardless of
// the context it is called with.
type stubImdsClient struct {
	maaURL   string
	apiError error
}

// getMAAURL returns the preconfigured URL together with the preconfigured
// error; it never talks to IMDS.
func (c stubImdsClient) getMAAURL(_ context.Context) (string, error) {
	if c.apiError != nil {
		return c.maaURL, c.apiError
	}
	return c.maaURL, nil
}
// stubMaaTokenCreator is a test double for the MAA client used by Issuer.
// Each method records the user data it was handed (gotParamsData,
// gotTokenData) so the test can verify it was forwarded, then returns its
// preconfigured result and error.
type stubMaaTokenCreator struct {
	token        string
	tokenErr     error
	gotTokenData []byte

	params        maa.Parameters
	paramsErr     error
	gotParamsData []byte
}

// newParameters remembers data in gotParamsData and returns the canned
// parameters and error; the context and the ReadWriter are ignored.
func (s *stubMaaTokenCreator) newParameters(_ context.Context, data []byte, _ io.ReadWriter) (maa.Parameters, error) {
	s.gotParamsData = data
	if s.paramsErr != nil {
		return s.params, s.paramsErr
	}
	return s.params, nil
}

// createToken remembers data in gotTokenData and returns the canned token
// and error; the context, ReadWriter, URL and parameters are ignored.
func (s *stubMaaTokenCreator) createToken(_ context.Context, _ io.ReadWriter, _ string, data []byte, _ maa.Parameters) (string, error) {
	s.gotTokenData = data
	if s.tokenErr != nil {
		return s.token, s.tokenErr
	}
	return s.token, nil
}