constellation/joinservice/internal/watcher/validator.go

131 lines
3.5 KiB
Go

/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package watcher
import (
"context"
"crypto/x509"
"encoding/asn1"
"fmt"
"log/slog"
"path/filepath"
"sync"
"github.com/edgelesssys/constellation/v2/internal/atls"
"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
"github.com/edgelesssys/constellation/v2/internal/config"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/file"
)
// Updatable implements an updatable atls.Validator.
type Updatable struct {
log *slog.Logger
mux sync.Mutex
fileHandler file.Handler
variant variant.Variant
cachedCerts cachedCerts
atls.Validator
}
// NewValidator initializes a new updatable validator and performs an initial update (aka. initialization).
func NewValidator(log *slog.Logger, variant variant.Variant, fileHandler file.Handler, cachedCerts cachedCerts) (*Updatable, error) {
u := &Updatable{
log: log,
fileHandler: fileHandler,
variant: variant,
cachedCerts: cachedCerts,
}
err := u.Update()
return u, err
}
type cachedCerts interface {
SevSnpCerts() (ask *x509.Certificate, ark *x509.Certificate)
}
// Validate calls the validators Validate method, and prevents any updates during the call.
func (u *Updatable) Validate(ctx context.Context, attDoc []byte, nonce []byte) ([]byte, error) {
u.mux.Lock()
defer u.mux.Unlock()
return u.Validator.Validate(ctx, attDoc, nonce)
}
// OID returns the validators Object Identifier.
func (u *Updatable) OID() asn1.ObjectIdentifier {
u.mux.Lock()
defer u.mux.Unlock()
return u.Validator.OID()
}
// Update switches out the underlying validator.
func (u *Updatable) Update() error {
u.mux.Lock()
defer u.mux.Unlock()
u.log.Info("Updating expected measurements")
data, err := u.fileHandler.Read(filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename))
if err != nil {
return err
}
cfg, err := config.UnmarshalAttestationConfig(data, u.variant)
if err != nil {
return fmt.Errorf("unmarshaling config: %w", err)
}
u.log.Debug(fmt.Sprintf("New expected measurements: %s", cfg.GetMeasurements().String()))
cfgWithCerts, err := u.configWithCerts(cfg)
if err != nil {
return fmt.Errorf("adding cached certificates: %w", err)
}
validator, err := choose.Validator(cfgWithCerts, u.log)
if err != nil {
return fmt.Errorf("choosing validator: %w", err)
}
u.Validator = validator
return nil
}
// addCachedCerts adds the certificates cached by the validator to the attestation config, if applicable.
func (u *Updatable) configWithCerts(cfg config.AttestationCfg) (config.AttestationCfg, error) {
switch c := cfg.(type) {
case *config.AzureSEVSNP:
ask, err := u.getCachedAskCert()
if err != nil {
return nil, fmt.Errorf("getting cached ASK certificate: %w", err)
}
c.AMDSigningKey = config.Certificate(ask)
return c, nil
case *config.AWSSEVSNP:
ask, err := u.getCachedAskCert()
if err != nil {
return nil, fmt.Errorf("getting cached ASK certificate: %w", err)
}
c.AMDSigningKey = config.Certificate(ask)
return c, nil
}
return cfg, nil
}
// getCachedAskCert returns the cached SEV-SNP ASK certificate.
func (u *Updatable) getCachedAskCert() (x509.Certificate, error) {
if u.cachedCerts == nil {
return x509.Certificate{}, fmt.Errorf("no cached certs available")
}
ask, _ := u.cachedCerts.SevSnpCerts()
if ask == nil {
return x509.Certificate{}, fmt.Errorf("no ASK available")
}
return *ask, nil
}