Enable signature verification for attestation version list object

Signed-off-by: Daniel Weiße <[email protected]>
edgelesssys · Jun 17, 2024 · 0d9778a · 0d9778a
1 parent 1631b64
commit 0d9778a
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 15 deletions.
diff --git a/internal/api/attestationconfigapi/fetcher.go b/internal/api/attestationconfigapi/fetcher.go
@@ -72,8 +72,7 @@ func (f *fetcher) FetchLatestVersion(ctx context.Context, variant variant.Varian
 
 // fetchVersionList fetches the version list information from the config API.
 func (f *fetcher) fetchVersionList(ctx context.Context, variant variant.Variant) (VersionList, error) {
-	// TODO(derpsteb): Replace with FetchAndVerify once we move to v2 of the config API and the list is saved as (.json) file.
-	fetchedList, err := apifetcher.Fetch(ctx, f.HTTPClient, f.cdnURL, VersionList{Variant: variant})
+	fetchedList, err := apifetcher.FetchAndVerify(ctx, f.HTTPClient, f.cdnURL, VersionList{Variant: variant}, f.verifier)
 	if err != nil {
 		return VersionList{}, fmt.Errorf("fetching version list: %w", err)
 	}

diff --git a/internal/api/attestationconfigapi/fetcher_test.go b/internal/api/attestationconfigapi/fetcher_test.go
@@ -126,7 +126,8 @@ type fakeConfigAPIHandler struct {
 
 // RoundTrip resolves the request and returns a dummy response.
 func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, error) {
-	if req.URL.Path == fmt.Sprintf("/constellation/v1/attestation/%s/list", f.attestation.String()) {
+	switch req.URL.Path {
+	case fmt.Sprintf("/constellation/v1/attestation/%s/list", f.attestation.String()):
 		res := &http.Response{}
 		bt, err := json.Marshal(f.versions)
 		if err != nil {
@@ -137,7 +138,14 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
 		res.Header.Set("Content-Type", "application/json")
 		res.StatusCode = http.StatusOK
 		return res, nil
-	} else if req.URL.Path == fmt.Sprintf("/constellation/v1/attestation/%s/%s", f.attestation.String(), f.latestDate) {
+
+	case fmt.Sprintf("/constellation/v1/attestation/%s/list.sig", f.attestation.String()):
+		res := &http.Response{}
+		res.Body = io.NopCloser(bytes.NewReader([]byte("null")))
+		res.StatusCode = http.StatusOK
+		return res, nil
+
+	case fmt.Sprintf("/constellation/v1/attestation/%s/%s", f.attestation.String(), f.latestDate):
 		res := &http.Response{}
 		bt, err := json.Marshal(f.latestVersion)
 		if err != nil {
@@ -147,7 +155,7 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
 		res.StatusCode = http.StatusOK
 		return res, nil
 
-	} else if req.URL.Path == fmt.Sprintf("/constellation/v1/attestation/%s/%s", f.attestation.String(), f.olderDate) {
+	case fmt.Sprintf("/constellation/v1/attestation/%s/%s", f.attestation.String(), f.olderDate):
 		res := &http.Response{}
 		bt, err := json.Marshal(f.olderVersion)
 		if err != nil {
@@ -156,13 +164,14 @@ func (f *fakeConfigAPIHandler) RoundTrip(req *http.Request) (*http.Response, err
 		res.Body = io.NopCloser(bytes.NewReader(bt))
 		res.StatusCode = http.StatusOK
 		return res, nil
-	} else if req.URL.Path == fmt.Sprintf("/constellation/v1/attestation/%s/%s.sig", f.attestation.String(), f.latestDate) {
+
+	case fmt.Sprintf("/constellation/v1/attestation/%s/%s.sig", f.attestation.String(), f.latestDate):
 		res := &http.Response{}
 		res.Body = io.NopCloser(bytes.NewReader([]byte("null")))
 		res.StatusCode = http.StatusOK
 		return res, nil
 
-	} else if req.URL.Path == fmt.Sprintf("/constellation/v1/attestation/%s/%s.sig", f.attestation.String(), f.olderDate) {
+	case fmt.Sprintf("/constellation/v1/attestation/%s/%s.sig", f.attestation.String(), f.olderDate):
 		res := &http.Response{}
 		res.Body = io.NopCloser(bytes.NewReader([]byte("null")))
 		res.StatusCode = http.StatusOK

diff --git a/internal/api/fetcher/fetcher.go b/internal/api/fetcher/fetcher.go
@@ -20,12 +20,10 @@ package fetcher
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
-	"strings"
 
 	"github.com/edgelesssys/constellation/v2/internal/sigstore"
 )
@@ -145,7 +143,7 @@ type apiObject interface {
 // signature manages the signature of a object saved at location 'Signed'.
 type signature struct {
 	// Signed is the object that is signed.
-	Signed string `json:"-"`
+	Signed string `json:"signed"`
 	// Signature is the signature of `Signed`.
 	Signature []byte `json:"signature"`
 }
@@ -155,12 +153,8 @@ func (s signature) JSONPath() string {
 	return s.Signed + ".sig"
 }
 
-// ValidateRequest validates the request.
+// ValidateRequest is a no-op.
 func (s signature) ValidateRequest() error {
-	if !strings.HasSuffix(s.Signed, ".json") {
-		return errors.New("signed object missing .json suffix")
-	}
-
 	return nil
 }