mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-07-12 01:49:34 -04:00
f16ccf5679
keyservice joinservice upgrade-agent measurement-reader debugd disk-mapper rewrote joinservice main rewrote some unit tests rewrote upgrade-agent + some grpc functions rewrote measurement-reader rewrote debugd removed unused import removed forgotten zap reference in measurements reader rewrote disk-mapper + tests rewrote packages verify disk-mapper malicious join bootstrapper attestationconfigapi versionapi internal/cloud/azure disk-mapper tests image/upload/internal/cmd rewrote verify (WIP with loglevel increase) rewrote forgotten zap references in disk-mapper rewrote malicious join rewrote bootstrapper rewrote parts of internal/ rewrote attestationconfigapi (WIP) rewrote versionapi cli rewrote internal/cloud/azure rewrote disk-mapper tests (untested by me rn) rewrote image/upload/internal/cmd removed forgotten zap references in verify/cmd rewrote packages hack/oci-pin hack/qemu-metadata-api debugd/internal/debugd/deploy hack/bazel-deps-mirror cli/internal/cmd cli-k8s-compatibility rewrote hack/qemu-metadata-api/server rewrote debugd/internal/debugd/deploy rewrote hack/bazel-deps-mirror rewrote rest of hack/qemu-metadata-api rewrote forgotten zap references in joinservice server rewrote cli/internal/cmd rewrote cli-k8s-compatibility rewrote packages internal/staticupload e2d/internal/upgrade internal/constellation/helm internal/attestation/aws/snp internal/attestation/azure/trustedlaunch joinservice/internal/certcache/amkds some missed unit tests rewrote e2e/internal/upgrade rewrote internal/constellation/helm internal/attestation/aws/snp internal/attestation/azure/trustedlaunch joinservice/internal/certcache/amkds search and replace test logging over all left *_test.go
130 lines
3.5 KiB
Go
130 lines
3.5 KiB
Go
/*
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
*/
|
|
|
|
package watcher
|
|
|
|
import (
|
|
"context"
|
|
"crypto/x509"
|
|
"encoding/asn1"
|
|
"fmt"
|
|
"path/filepath"
|
|
"sync"
|
|
"log/slog"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/atls"
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
|
|
"github.com/edgelesssys/constellation/v2/internal/config"
|
|
"github.com/edgelesssys/constellation/v2/internal/constants"
|
|
"github.com/edgelesssys/constellation/v2/internal/file"
|
|
)
|
|
|
|
// Updatable implements an updatable atls.Validator.
|
|
type Updatable struct {
|
|
log *slog.Logger
|
|
mux sync.Mutex
|
|
fileHandler file.Handler
|
|
variant variant.Variant
|
|
cachedCerts cachedCerts
|
|
atls.Validator
|
|
}
|
|
|
|
// NewValidator initializes a new updatable validator and performs an initial update (aka. initialization).
|
|
func NewValidator(log *slog.Logger, variant variant.Variant, fileHandler file.Handler, cachedCerts cachedCerts) (*Updatable, error) {
|
|
u := &Updatable{
|
|
log: log,
|
|
fileHandler: fileHandler,
|
|
variant: variant,
|
|
cachedCerts: cachedCerts,
|
|
}
|
|
err := u.Update()
|
|
|
|
return u, err
|
|
}
|
|
|
|
type cachedCerts interface {
|
|
SevSnpCerts() (ask *x509.Certificate, ark *x509.Certificate)
|
|
}
|
|
|
|
// Validate calls the validators Validate method, and prevents any updates during the call.
|
|
func (u *Updatable) Validate(ctx context.Context, attDoc []byte, nonce []byte) ([]byte, error) {
|
|
u.mux.Lock()
|
|
defer u.mux.Unlock()
|
|
return u.Validator.Validate(ctx, attDoc, nonce)
|
|
}
|
|
|
|
// OID returns the validators Object Identifier.
|
|
func (u *Updatable) OID() asn1.ObjectIdentifier {
|
|
u.mux.Lock()
|
|
defer u.mux.Unlock()
|
|
return u.Validator.OID()
|
|
}
|
|
|
|
// Update switches out the underlying validator.
|
|
func (u *Updatable) Update() error {
|
|
u.mux.Lock()
|
|
defer u.mux.Unlock()
|
|
|
|
u.log.Info("Updating expected measurements")
|
|
|
|
data, err := u.fileHandler.Read(filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
cfg, err := config.UnmarshalAttestationConfig(data, u.variant)
|
|
if err != nil {
|
|
return fmt.Errorf("unmarshaling config: %w", err)
|
|
}
|
|
u.log.Debug("New expected measurements: %+v", cfg.GetMeasurements())
|
|
|
|
cfgWithCerts, err := u.configWithCerts(cfg)
|
|
if err != nil {
|
|
return fmt.Errorf("adding cached certificates: %w", err)
|
|
}
|
|
|
|
validator, err := choose.Validator(cfgWithCerts, u.log)
|
|
if err != nil {
|
|
return fmt.Errorf("choosing validator: %w", err)
|
|
}
|
|
u.Validator = validator
|
|
|
|
return nil
|
|
}
|
|
|
|
// addCachedCerts adds the certificates cached by the validator to the attestation config, if applicable.
|
|
func (u *Updatable) configWithCerts(cfg config.AttestationCfg) (config.AttestationCfg, error) {
|
|
switch c := cfg.(type) {
|
|
case *config.AzureSEVSNP:
|
|
ask, err := u.getCachedAskCert()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("getting cached ASK certificate: %w", err)
|
|
}
|
|
c.AMDSigningKey = config.Certificate(ask)
|
|
return c, nil
|
|
case *config.AWSSEVSNP:
|
|
ask, err := u.getCachedAskCert()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("getting cached ASK certificate: %w", err)
|
|
}
|
|
c.AMDSigningKey = config.Certificate(ask)
|
|
return c, nil
|
|
}
|
|
|
|
return cfg, nil
|
|
}
|
|
|
|
// getCachedAskCert returns the cached SEV-SNP ASK certificate.
|
|
func (u *Updatable) getCachedAskCert() (x509.Certificate, error) {
|
|
if u.cachedCerts == nil {
|
|
return x509.Certificate{}, fmt.Errorf("no cached certs available")
|
|
}
|
|
ask, _ := u.cachedCerts.SevSnpCerts()
|
|
if ask == nil {
|
|
return x509.Certificate{}, fmt.Errorf("no ASK available")
|
|
}
|
|
return *ask, nil
|
|
}
|