Enable attestationconfigapi CLI e2e test for azure-tdx
Signed-off-by: Daniel Weiße <[email protected]>
daniel-weisse committed Jun 13, 2024
1 parent 6fadbaf commit 0c1e2bd
Showing 9 changed files with 137 additions and 95 deletions.
8 changes: 4 additions & 4 deletions .github/actions/e2e_attestationconfigapi/action.yml
Expand Up @@ -2,9 +2,9 @@ name: E2E Attestationconfig API Test
description: "Test the attestationconfig CLI is functional."

inputs:
csp:
description: "Cloud provider to run tests against"
default: "azure"
attestationVariant:
description: "attestation variant to run tests against"
default: "azure-sev-snp"
cosignPrivateKey:
description: "Cosign private key"
required: true
Expand All @@ -30,4 +30,4 @@ runs:
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
run: |
bazel run //internal/api/attestationconfigapi/cli:cli_e2e_test -- ${{ inputs.csp }}
bazel run //internal/api/attestationconfigapi/cli:cli_e2e_test -- ${{ inputs.attestationVariant }}
13 changes: 5 additions & 8 deletions .github/actions/e2e_verify/action.yml
Expand Up @@ -68,9 +68,9 @@ runs:
case "${{ inputs.attestationVariant }}"
in
"azure-sev-snp"|"aws-sev-snp"|"gcp-sev-snp")
"azure-sev-snp"|"azure-tdx"|"aws-sev-snp"|"gcp-sev-snp")
echo "Extracting TCB versions for API update"
constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "snp-report-${node}.json"
constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "attestation-report-${node}.json"
;;
*)
constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090
Expand All @@ -88,22 +88,19 @@ runs:
aws-region: eu-central-1

- name: Upload extracted TCBs
if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'aws-sev-snp' || inputs.attestationVariant == 'gcp-sev-snp')
if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'azure-tdx' || inputs.attestationVariant == 'aws-sev-snp' || inputs.attestationVariant == 'gcp-sev-snp')
shell: bash
env:
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
run: |
reports=(snp-report-*.json)
reports=(attestation-report-*.json)
if [ -z ${#reports[@]} ]; then
exit 1
fi
attestationVariant=${{ inputs.attestationVariant }}
cloudProvider=${attestationVariant%%-*}
for file in "${reports[@]}"; do
path=$(realpath "${file}")
cat "${path}"
bazel run //internal/api/attestationconfigapi/cli -- upload "${cloudProvider}" snp-report "${path}"
bazel run //internal/api/attestationconfigapi/cli -- upload {{ inputs.attestationVariant }} attestation-report "${path}"
done
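Review bot: The upload command on the new side is missing the `$` of the GitHub expression, so `{{ inputs.attestationVariant }}` is handed to the CLI literally as three shell words and the variant argument will fail validation (the `cloudProvider` derivation it replaced used `${{ }}` correctly). It should read `bazel run //internal/api/attestationconfigapi/cli -- upload "${{ inputs.attestationVariant }}" attestation-report "${path}"`. Not introduced here, but visible in the same step: `[ -z ${#reports[@]} ]` can never be true, because `${#reports[@]}` is always a number and an unmatched glob leaves the literal pattern in the array, so a run with no reports proceeds to upload a non-existent file; `shopt -s nullglob` before the assignment plus `[ ${#reports[@]} -eq 0 ]` would make the guard effective.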
4 changes: 2 additions & 2 deletions .github/workflows/e2e-attestationconfigapi.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
fail-fast: false
max-parallel: 1
matrix:
csp: ["azure", "aws", "gcp"]
attestationVariant: ["azure-sev-snp", "azure-tdx", "aws-sev-snp", "gcp-sev-snp"]
runs-on: ubuntu-22.04
permissions:
id-token: write
Expand All @@ -36,4 +36,4 @@ jobs:
with:
cosignPrivateKey: ${{ secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ secrets.COSIGN_DEV_PASSWORD }}
csp: ${{ matrix.csp }}
attestationVariant: ${{ matrix.attestationVariant }}
23 changes: 15 additions & 8 deletions internal/api/attestationconfigapi/cli/client/reportersnp.go
Expand Up @@ -65,8 +65,8 @@ func (c Client) UploadSEVSNPVersionLatest(
}
c.s3Client.Logger.Info(fmt.Sprintf("Found minimal version: %+v with date: %s", minVersion, minDate))

if isInputNewerThanOtherVersion(minVersion, latestVersionInAPI) {
c.s3Client.Logger.Info(fmt.Sprintf("Input version: %+v is not newer than latest API version: %+v", minVersion, latestVersionInAPI))
if !isInputNewerThanOtherVersion(minVersion, latestVersionInAPI) {
c.s3Client.Logger.Info(fmt.Sprintf("Input version: %+v is not newer than latest API version: %+v. Skipping list update", minVersion, latestVersionInAPI))
return ErrNoNewerVersion
}

Expand Down Expand Up @@ -107,9 +107,9 @@ func (c Client) cacheSEVSNPVersion(ctx context.Context, variant variant.Variant,
return res.Execute(ctx, c.s3Client)
}

// findMinSEVSNPVersion finds the minimal version of the given version dates among the latest cached values in the version window size.
// findMinSEVSNPVersion finds the minimal version (the version with the lowest SVNs) of the given version dates among the latest cached values in the version window size.
func (c Client) findMinSEVSNPVersion(ctx context.Context, attestationVariant variant.Variant, versionDates []string) (attestationconfigapi.SEVSNPVersion, string, error) {
var minimalVersion attestationconfigapi.SEVSNPVersion
var minimalVersion *attestationconfigapi.SEVSNPVersion
var minimalDate string
sort.Sort(sort.Reverse(sort.StringSlice(versionDates))) // sort in reverse order to slice the latest versions
versionDates = versionDates[:c.cacheWindowSize]
Expand All @@ -123,14 +123,21 @@ func (c Client) findMinSEVSNPVersion(ctx context.Context, attestationVariant var
// Need to set this explicitly as the variant is not part of the marshalled JSON.
obj.variant = attestationVariant

// If the version we fetched has higher SVNs than the current minimal version, update the minimal version.
if isInputNewerThanOtherVersion(obj.SEVSNPVersion, minimalVersion) {
minimalVersion = obj.SEVSNPVersion
if minimalVersion == nil {
minimalVersion = &obj.SEVSNPVersion
minimalDate = date
continue
}

// If the current minimal version has newer versions than the one we just fetched,
// update the minimal version to the older version.
if isInputNewerThanOtherVersion(*minimalVersion, obj.SEVSNPVersion) {
minimalVersion = &obj.SEVSNPVersion
minimalDate = date
}
}

return minimalVersion, minimalDate, nil
return *minimalVersion, minimalDate, nil
}

// isInputNewerThanOtherVersion compares all version fields and returns true if any input field is newer.
Expand Down
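Review bot: `return *minimalVersion` in findMinSEVSNPVersion dereferences a nil pointer when the loop never assigns it, which happens for an empty window (e.g. `c.cacheWindowSize == 0`), turning a configuration problem into a panic in the uploader. Guard it before the return: `if minimalVersion == nil { return attestationconfigapi.SEVSNPVersion{}, "", fmt.Errorf("no cached versions found for %v", attestationVariant) }`. Separately, `minimalVersion = &obj.SEVSNPVersion` takes the address of a variable declared in the lines hidden above this hunk; if `obj` is declared once outside the `for` rather than per iteration, the pointer follows every later fetch and the function returns the last version rather than the minimum, so please confirm it is declared inside the loop body. The body of `isInputNewerThanOtherVersion` lies past the end of this section, so I could not check how it treats versions that are higher in one SVN and lower in another; "minimal" is only meaningful here if that comparison is componentwise.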
29 changes: 17 additions & 12 deletions internal/api/attestationconfigapi/cli/client/reportertdx.go
Expand Up @@ -55,7 +55,7 @@ func (c Client) UploadTDXVersionLatest(
c.s3Client.Logger.Info(fmt.Sprintf("Found minimal version: %+v with date: %s", minVersion, minDate))

if !isInputNewerThanOtherTDXVersion(minVersion, latestVersionInAPI) {
c.s3Client.Logger.Info(fmt.Sprintf("Input version: %+v is not newer than latest API version: %+v", minVersion, latestVersionInAPI))
c.s3Client.Logger.Info(fmt.Sprintf("Input version: %+v is not newer than latest API version: %+v. Skipping list update", minVersion, latestVersionInAPI))
return ErrNoNewerVersion
}

Expand Down Expand Up @@ -95,7 +95,7 @@ func (c Client) cacheTDXVersion(ctx context.Context, variant variant.Variant, ve
}

func (c Client) findMinTDXVersion(ctx context.Context, attestationVariant variant.Variant, versionDates []string) (attestationconfigapi.TDXVersion, string, error) {
var minimalVersion attestationconfigapi.TDXVersion
var minimalVersion *attestationconfigapi.TDXVersion
var minimalDate string
sort.Sort(sort.Reverse(sort.StringSlice(versionDates)))
versionDates = versionDates[:c.cacheWindowSize]
Expand All @@ -108,14 +108,21 @@ func (c Client) findMinTDXVersion(ctx context.Context, attestationVariant varian
}
obj.variant = attestationVariant

// If the version we fetched has higher SVNs than the current minimal version, update the minimal version.
if isInputNewerThanOtherTDXVersion(obj.TDXVersion, minimalVersion) {
minimalVersion = obj.TDXVersion
if minimalVersion == nil {
minimalVersion = &obj.TDXVersion
minimalDate = date
continue
}

// If the current minimal version has newer versions than the one we just fetched,
// update the minimal version to the older version.
if isInputNewerThanOtherTDXVersion(*minimalVersion, obj.TDXVersion) {
minimalVersion = &obj.TDXVersion
minimalDate = date
}
}

return minimalVersion, minimalDate, nil
return *minimalVersion, minimalDate, nil
}

func isInputNewerThanOtherTDXVersion(input, other attestationconfigapi.TDXVersion) bool {
Expand All @@ -125,12 +132,6 @@ func isInputNewerThanOtherTDXVersion(input, other attestationconfigapi.TDXVersio
if input.QESVN < other.QESVN {
return false
}
if bytes.Equal(input.QEVendorID[:], other.QEVendorID[:]) {
return false
}
if bytes.Equal(input.XFAM[:], other.XFAM[:]) {
return false
}

// Validate component-wise security version numbers
for idx, inputVersion := range input.TEETCBSVN {
Expand All @@ -139,5 +140,9 @@ func isInputNewerThanOtherTDXVersion(input, other attestationconfigapi.TDXVersio
}
}

if bytes.Equal(input.QEVendorID[:], other.QEVendorID[:]) && bytes.Equal(input.XFAM[:], other.XFAM[:]) {
return false
}

return true
}
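Review bot: The combined check moved to the end of isInputNewerThanOtherTDXVersion returns false whenever QEVendorID and XFAM match, which is the normal case for two versions of the same platform, so a version whose PCESVN, QESVN or TEETCBSVN values are strictly higher is still reported as not newer and UploadTDXVersionLatest will keep returning ErrNoNewerVersion; conversely, a version with a different vendor ID or XFAM but identical SVNs is accepted as newer. If the intent is only to keep an identical version from being re-uploaded, compare the whole value instead, `if input == other { return false }` at the top of the function (the fields visible here are fixed-size arrays and integers, which are comparable; confirm TDXVersion has no slice fields). Since neither QEVendorID nor XFAM carries an ordering, a mismatch in either should arguably be rejected rather than treated as an upgrade. The same nil-dereference risk raised for the SEV-SNP reporter applies to `return *minimalVersion` in findMinTDXVersion when the window yields no versions.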
4 changes: 2 additions & 2 deletions internal/api/attestationconfigapi/cli/delete.go
Expand Up @@ -29,7 +29,7 @@ func newDeleteCmd() *cobra.Command {
Use: "delete {aws-sev-snp|azure-sev-snp|azure-tdx|gcp-sev-snp} {attestation-report|guest-firmware} <version>",
Short: "Delete an object from the attestationconfig API",
Long: "Delete a specific object version from the config api. <version> is the name of the object to delete (without .json suffix)",
Example: "COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY=$CKEY cli delete azure snp-report 1.0.0",
Example: "COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY=$CKEY cli delete azure-sev-snp attestation-report 1.0.0",
Args: cobra.MatchAll(cobra.ExactArgs(3), isAttestationVariant(0), isValidKind(1)),
PreRunE: envCheck,
RunE: runDelete,
Expand All @@ -39,7 +39,7 @@ func newDeleteCmd() *cobra.Command {
Use: "recursive {aws-sev-snp|azure-sev-snp|azure-tdx|gcp-sev-snp}",
Short: "delete all objects from the API path constellation/v1/attestation/<csp>",
Long: "Delete all objects from the API path constellation/v1/attestation/<csp>",
Example: "COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY=$CKEY cli delete recursive azure",
Example: "COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY=$CKEY cli delete recursive azure-sev-snp",
Args: cobra.MatchAll(cobra.ExactArgs(1), isAttestationVariant(0)),
RunE: runRecursiveDelete,
}
Expand Down
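Review bot: The `recursive` subcommand's Short and Long strings still describe the target as `constellation/v1/attestation/<csp>` even though its argument is now validated as an attestation variant (`isAttestationVariant(0)`) and the updated Example passes `azure-sev-snp`; `constellation/v1/attestation/<attestation-variant>` would match the Use line. The `recursive` command also lacks the `PreRunE: envCheck` that `delete` has; if its deletion path goes through the same signed client, the missing COSIGN variables would only surface as a late runtime failure, so please confirm whether the check is needed there too.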