mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-27 00:19:36 -05:00
a2de1d23ec
Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
199 lines
5.3 KiB
Go
199 lines
5.3 KiB
Go
/*
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
*/
|
|
|
|
package measurements
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/hex"
|
|
"io"
|
|
"net/http"
|
|
"testing"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
|
"github.com/edgelesssys/constellation/v2/internal/sigstore"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestFetchMeasurements(t *testing.T) {
|
|
measurements := `{
|
|
"version": "v999.999.999",
|
|
"ref": "-",
|
|
"stream": "stable",
|
|
"list": [
|
|
{
|
|
"csp": "GCP",
|
|
"attestationVariant":"gcp-sev-es",
|
|
"measurements": {
|
|
"0": {
|
|
"expected": "0000000000000000000000000000000000000000000000000000000000000000",
|
|
"warnOnly":false
|
|
},
|
|
"1": {
|
|
"expected": "1111111111111111111111111111111111111111111111111111111111111111",
|
|
"warnOnly":false
|
|
},
|
|
"2": {
|
|
"expected": "2222222222222222222222222222222222222222222222222222222222222222",
|
|
"warnOnly":false
|
|
},
|
|
"3": {
|
|
"expected": "3333333333333333333333333333333333333333333333333333333333333333",
|
|
"warnOnly":false
|
|
},
|
|
"4": {
|
|
"expected": "4444444444444444444444444444444444444444444444444444444444444444",
|
|
"warnOnly":false
|
|
},
|
|
"5": {
|
|
"expected": "5555555555555555555555555555555555555555555555555555555555555555",
|
|
"warnOnly":false
|
|
},
|
|
"6": {
|
|
"expected": "6666666666666666666666666666666666666666666666666666666666666666",
|
|
"warnOnly":true
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
`
|
|
signature := "placeholder-signature"
|
|
|
|
client := newTestClient(func(req *http.Request) *http.Response {
|
|
if req.URL.Path == "/constellation/v2/ref/-/stream/stable/v999.999.999/image/measurements.json" {
|
|
return &http.Response{
|
|
StatusCode: http.StatusOK,
|
|
Body: io.NopCloser(bytes.NewBufferString(measurements)),
|
|
Header: make(http.Header),
|
|
}
|
|
}
|
|
if req.URL.Path == "/constellation/v2/ref/-/stream/stable/v999.999.999/image/measurements.json.sig" {
|
|
return &http.Response{
|
|
StatusCode: http.StatusOK,
|
|
Body: io.NopCloser(bytes.NewBufferString(signature)),
|
|
Header: make(http.Header),
|
|
}
|
|
}
|
|
|
|
return &http.Response{
|
|
StatusCode: http.StatusNotFound,
|
|
Body: io.NopCloser(bytes.NewBufferString("Not found.")),
|
|
Header: make(http.Header),
|
|
}
|
|
})
|
|
|
|
testCases := map[string]struct {
|
|
cosign cosignVerifierConstructor
|
|
rekor rekorVerifier
|
|
noVerify bool
|
|
wantErr bool
|
|
asRekorErr bool
|
|
}{
|
|
"success": {
|
|
cosign: newStubCosignVerifier,
|
|
rekor: singleUUIDVerifier(),
|
|
},
|
|
"success without cosign verify": {
|
|
noVerify: true,
|
|
cosign: func(_ []byte) (sigstore.Verifier, error) {
|
|
return &stubCosignVerifier{
|
|
verifyError: assert.AnError,
|
|
}, nil
|
|
},
|
|
rekor: singleUUIDVerifier(),
|
|
},
|
|
"failing search results is ErrRekor": {
|
|
cosign: newStubCosignVerifier,
|
|
rekor: &stubRekorVerifier{
|
|
SearchByHashUUIDs: []string{},
|
|
SearchByHashError: assert.AnError,
|
|
},
|
|
wantErr: true,
|
|
asRekorErr: true,
|
|
},
|
|
"failing verify is ErrRekor": {
|
|
cosign: newStubCosignVerifier,
|
|
rekor: &stubRekorVerifier{
|
|
SearchByHashUUIDs: []string{"11111111111111111111111111111111111111111111111111111111111111111111111111111111"},
|
|
VerifyEntryError: assert.AnError,
|
|
},
|
|
wantErr: true,
|
|
asRekorErr: true,
|
|
},
|
|
"signature verification failure": {
|
|
cosign: func(_ []byte) (sigstore.Verifier, error) {
|
|
return &stubCosignVerifier{
|
|
verifyError: assert.AnError,
|
|
}, nil
|
|
},
|
|
rekor: singleUUIDVerifier(),
|
|
wantErr: true,
|
|
},
|
|
}
|
|
|
|
for name, tc := range testCases {
|
|
t.Run(name, func(t *testing.T) {
|
|
assert := assert.New(t)
|
|
sut := NewVerifyFetcher(tc.cosign, tc.rekor, client)
|
|
m, err := sut.FetchAndVerifyMeasurements(context.Background(), "v999.999.999", cloudprovider.GCP, variant.GCPSEVES{}, tc.noVerify)
|
|
if tc.wantErr {
|
|
assert.Error(err)
|
|
if tc.asRekorErr {
|
|
var rekErr *RekorError
|
|
assert.ErrorAs(err, &rekErr)
|
|
}
|
|
return
|
|
}
|
|
assert.NoError(err)
|
|
// verify example measurements
|
|
assert.Equal("6666666666666666666666666666666666666666666666666666666666666666", hex.EncodeToString(m[6].Expected))
|
|
assert.Equal(WarnOnly, m[6].ValidationOpt)
|
|
})
|
|
}
|
|
}
|
|
|
|
// SubRekorVerifier is a stub for RekorVerifier.
|
|
type stubRekorVerifier struct {
|
|
SearchByHashUUIDs []string
|
|
SearchByHashError error
|
|
VerifyEntryError error
|
|
}
|
|
|
|
// SearchByHash returns the exported fields SearchByHashUUIDs, SearchByHashError.
|
|
func (v *stubRekorVerifier) SearchByHash(context.Context, string) ([]string, error) {
|
|
return v.SearchByHashUUIDs, v.SearchByHashError
|
|
}
|
|
|
|
// VerifyEntry returns the exported field VerifyEntryError.
|
|
func (v *stubRekorVerifier) VerifyEntry(context.Context, string, string) error {
|
|
return v.VerifyEntryError
|
|
}
|
|
|
|
type stubCosignVerifier struct {
|
|
verifyError error
|
|
}
|
|
|
|
func newStubCosignVerifier(_ []byte) (sigstore.Verifier, error) {
|
|
return &stubCosignVerifier{}, nil
|
|
}
|
|
|
|
func (v *stubCosignVerifier) VerifySignature(_, _ []byte) error {
|
|
return v.verifyError
|
|
}
|
|
|
|
// singleUUIDVerifier constructs a RekorVerifier that returns a single UUID and no errors,
|
|
// and should work for most tests on the happy path.
|
|
func singleUUIDVerifier() *stubRekorVerifier {
|
|
return &stubRekorVerifier{
|
|
SearchByHashUUIDs: []string{"11111111111111111111111111111111111111111111111111111111111111111111111111111111"},
|
|
SearchByHashError: nil,
|
|
VerifyEntryError: nil,
|
|
}
|
|
}
|