d67d0ac9df
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
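#!/usr/bin/env bash
# Try to upload a file to S3 and then delete it using the configapi cli.
# Check the file exists after uploading it.
# Check the file does not exist after deleting it.
#
# Usage: <script> <attestation-variant>
#   The variant must end in "-tdx" or "-sev-snp"; it selects the shape of the
#   attestation report fixtures written below and the path they are served from.
#
# The script uploads to the testing bucket and reads the result back through the
# public CloudFront distribution, so it needs network access and cli credentials.

###### script header ######

#######################################
# Print a message to stderr and abort the test.
# Arguments: message words
#######################################
fail() {
  printf '%s\n' "$*" >&2
  exit 1
}

lib=$(realpath @@BASE_LIB@@) || exit 1
stat "${lib}" > /dev/null || exit 1

# shellcheck source=../../../../../bazel/sh/lib.bash
if ! source "${lib}"; then
  echo "Error: could not find import"
  exit 1
fi

configapi_cli_bin=$(realpath @@CONFIGAPI_CLI@@) || exit 1
stat "${configapi_cli_bin}" > /dev/null || exit 1
# Kept as an array so the command prefix never relies on word-splitting.
configapi_cli=("${configapi_cli_bin}" --testing)
readonly configapi_cli

###### helpers ######

#######################################
# Write a TDX attestation report fixture.
# Arguments: $1 - output path, $2 - qe_svn, $3 - pce_svn, $4 - tee_tcb_svn,
#            $5 - xfam (base64 strings, as in the original fixtures)
#######################################
write_tdx_report() {
  local out=$1 qe_svn=$2 pce_svn=$3 tee_tcb_svn=$4 xfam=$5
  cat > "${out}" << EOF
{
  "header": {
    "qe_svn": "${qe_svn}",
    "pce_svn": "${pce_svn}",
    "qe_vendor_id": "KioqKioqKioqKioqKioqKg=="
  },
  "td_quote_body": {
    "tee_tcb_svn": "${tee_tcb_svn}",
    "xfam": "${xfam}"
  }
}
EOF
}

#######################################
# Write an SEV-SNP attestation report fixture whose reported, committed and
# launch TCB carry the same values.
# Arguments: $1 - output path, $2 - value for bootloader/tee/snp,
#            $3 - value for microcode
#######################################
write_snp_report() {
  local out=$1 common=$2 microcode=$3
  local tcb
  printf -v tcb '{ "bootloader": %d, "tee": %d, "snp": %d, "microcode": %d }' \
    "${common}" "${common}" "${common}" "${microcode}"
  cat > "${out}" << EOF
{
  "snp_report": {
    "reported_tcb": ${tcb},
    "committed_tcb": ${tcb},
    "launch_tcb": ${tcb}
  }
}
EOF
}

#######################################
# Upload a report through the cli as a reported version.
# Globals:   configapi_cli, attestationVariant, bucket_args, cache_window (read)
# Arguments: $1 - report path, $2 - upload date
#######################################
report_version() {
  local report=$1 upload_date=$2
  "${configapi_cli[@]}" upload "${attestationVariant}" attestation-report "${report}" \
    --upload-date "${upload_date}" "${bucket_args[@]}" --cache-window-size "${cache_window}" \
    || fail "Uploading ${report##*/} with date ${upload_date} failed"
}

#######################################
# Download a published file and abort with curl's exit status on failure.
# The status is captured explicitly: inside `if ! curl ...; then` the value of
# `$?` is the negated pipeline status and would always print 0.
# Arguments: $1 - URL, $2 - output path, $3 - description for the error message
#######################################
fetch_published() {
  local url=$1 out=$2 what=$3
  local rc=0
  curl -fsSL -o "${out}" "${url}" || rc=$?
  if (( rc != 0 )); then
    fail "Checking for uploaded ${what}: request returned ${rc}"
  fi
}

#######################################
# Assert that a downloaded file is byte-identical to the expected content.
# Arguments: $1 - downloaded file, $2 - label used in messages ("version"/"list"),
#            $3 - expected content (compared without a trailing newline)
#######################################
expect_content() {
  local file=$1 label=$2 expected=$3
  if ! cmp -s <(printf '%s' "${expected}") "${file}"; then
    {
      echo "The ${label} content:"
      cat "${file}"
      echo " is not equal to the expected version content:"
      printf '%s\n' "${expected}"
    } >&2
    exit 1
  fi
}

#######################################
# Assert that a URL is not served (HTTP 404). -f is omitted on purpose: the
# request is expected to fail and only the status code is inspected.
# Arguments: $1 - URL, $2 - path shown in the error message
#######################################
expect_404() {
  local url=$1 shown=$2
  local http_code
  http_code=$(curl -sSL -w '%{http_code}' -o /dev/null "${url}")
  if [[ ${http_code} -ne 404 ]]; then
    fail "Expected HTTP code 404 for: ${shown}, but got ${http_code}"
  fi
}

###### script body ######

attestationVariant=${1-}
readonly attestationVariant
[[ -n ${attestationVariant} ]] || fail "Usage: ${0##*/} <attestation-variant>"

readonly region="eu-west-1"
readonly bucket="resource-api-testing"
readonly bucket_args=(--region "${region}" --bucket "${bucket}")
# Window size passed with every reported version; the three uploads below fill it.
readonly cache_window=3

tmpdir=$(mktemp -d) || exit 1
readonly tmpdir
registerExitHandler "rm -rf -- '${tmpdir}'"

# empty the bucket version state
# (status not checked, as before — TODO confirm the cli tolerates an already empty bucket)
"${configapi_cli[@]}" delete recursive "${attestationVariant}" "${bucket_args[@]}"

readonly current_report_path="${tmpdir}/attestationReportCurrent.json"
readonly report_path="${tmpdir}/attestationReport.json"
readonly older_report_path="${tmpdir}/attestationReportOld.json"

case "${attestationVariant}" in
  *-tdx)
    write_tdx_report "${current_report_path}" "AAA=" "AAA=" "AAAAAAAAAAAAAAAAAAAAAA==" "AAAAAAAAAAA="
    # the high version numbers ensure that it's newer than the current latest value
    write_tdx_report "${report_path}" "//8=" "//8=" "/////////////////////w==" "AQIDBAUGBwg="
    # has an older version (pce_svn and the last tee_tcb_svn byte are one lower)
    write_tdx_report "${older_report_path}" "//8=" "/v8=" "/////////////////////g==" "AQIDBAUGBwg="
    ;;
  *-sev-snp)
    write_snp_report "${current_report_path}" 1 1
    # the high version numbers ensure that it's newer than the current latest value
    write_snp_report "${report_path}" 255 255
    # has an older version (microcode one below the newest report)
    write_snp_report "${older_report_path}" 255 254
    ;;
  *)
    fail "Unknown attestation variant: ${attestationVariant}"
    ;;
esac

# upload a fake latest version for the fetcher
readonly fake_latest_date="2000-01-01-01-01"
"${configapi_cli[@]}" upload "${attestationVariant}" attestation-report "${current_report_path}" \
  --force --upload-date "${fake_latest_date}" "${bucket_args[@]}" \
  || fail "Uploading the fake latest version failed"

# report 3 versions with different dates to fill the reporter cache
readonly date_oldest="2023-02-01-03-04"
readonly date_older="2023-02-02-03-04"
readonly date="2023-02-03-03-04"
report_version "${older_report_path}" "${date_oldest}"
report_version "${older_report_path}" "${date_older}"
report_version "${report_path}" "${date}"

# expect that $date_oldest is served as latest version; its content is the lower
# version from the older report (reported twice), not the single newer report
readonly basepath="constellation/v1/attestation/${attestationVariant}"
readonly baseurl="https://d33dzgxuwsgbpw.cloudfront.net/${basepath}"
readonly version_file="${tmpdir}/version.json"
readonly list_file="${tmpdir}/list.json"

fetch_published "${baseurl}/${date_oldest}.json" "${version_file}" \
  "version file ${basepath}/${date_oldest}.json"

# check that version values are equal to expected
case "${attestationVariant}" in
  *-tdx)
    expect_content "${version_file}" version \
      '{"qeSVN":65535,"pceSVN":65534,"teeTCBSVN":[255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,254],"qeVendorID":[42,42,42,42,42,42,42,42,42,42,42,42,42,42,42,42],"xfam":[1,2,3,4,5,6,7,8]}'
    ;;
  *-sev-snp)
    expect_content "${version_file}" version \
      '{"bootloader":255,"tee":255,"snp":255,"microcode":254}'
    ;;
esac

# only the presence of the signature is checked here; its validity is not verified by this test
fetch_published "${baseurl}/${date_oldest}.json.sig" /dev/null \
  "version signature file ${basepath}/${date_oldest}.json.sig"

# check list endpoint
fetch_published "${baseurl}/list" "${list_file}" "list file ${basepath}/list"
# check that list values are equal to expected
expect_content "${list_file}" list "[\"${date_oldest}.json\",\"${fake_latest_date}.json\"]"

# check that the other versions are not uploaded
expect_404 "${baseurl}/${date_older}.json" "${basepath}/${date_older}.json"
expect_404 "${baseurl}/${date}.json.sig" "${basepath}/${date}.json.sig"

"${configapi_cli[@]}" delete "${attestationVariant}" attestation-report "${date_oldest}" "${bucket_args[@]}" \
  || fail "Deleting version ${date_oldest} failed"

# We want to check that the file and its signature were deleted, therefore we expect the queries to fail.
expect_404 "${baseurl}/${date_oldest}.json" "${basepath}/${date_oldest}.json"
expect_404 "${baseurl}/${date_oldest}.json.sig" "${basepath}/${date_oldest}.json.sig"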