Enable upload of TDX reports to Constellation CDN

Signed-off-by: Daniel Weiße <[email protected]>
edgelesssys · Jun 13, 2024 · 6fadbaf · 6fadbaf
1 parent f68709d
commit 6fadbaf
Show file tree

Hide file tree

Showing 11 changed files with 485 additions and 313 deletions.
diff --git a/internal/api/attestationconfigapi/cli/BUILD.bazel b/internal/api/attestationconfigapi/cli/BUILD.bazel
@@ -22,7 +22,6 @@ go_library(
         "//internal/api/attestationconfigapi/cli/client",
         "//internal/api/fetcher",
         "//internal/attestation/variant",
-        "//internal/cloud/cloudprovider",
         "//internal/constants",
         "//internal/file",
         "//internal/logger",
@@ -31,6 +30,7 @@ go_library(
         "@com_github_aws_aws_sdk_go_v2//aws",
         "@com_github_aws_aws_sdk_go_v2_service_s3//:s3",
         "@com_github_aws_aws_sdk_go_v2_service_s3//types",
+        "@com_github_google_go_tdx_guest//proto/tdx",
         "@com_github_spf13_afero//:afero",
         "@com_github_spf13_cobra//:cobra",
     ],

diff --git a/internal/api/attestationconfigapi/cli/client/BUILD.bazel b/internal/api/attestationconfigapi/cli/client/BUILD.bazel
@@ -5,7 +5,8 @@ go_library(
     name = "client",
     srcs = [
         "client.go",
-        "reporter.go",
+        "reportersnp.go",
+        "reportertdx.go",
     ],
     importpath = "github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi/cli/client",
     visibility = ["//:__subpackages__"],
@@ -24,7 +25,7 @@ go_test(
     name = "client_test",
     srcs = [
         "client_test.go",
-        "reporter_test.go",
+        "reportersnp_test.go",
     ],
     embed = [":client"],
     deps = [

diff --git a/internal/api/attestationconfigapi/cli/client/client.go b/internal/api/attestationconfigapi/cli/client/client.go
@@ -15,8 +15,12 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"path"
+	"strings"
 	"time"
 
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go/aws"
 	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
 	apiclient "github.com/edgelesssys/constellation/v2/internal/api/client"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
@@ -54,40 +58,23 @@ func New(ctx context.Context, cfg staticupload.Config, cosignPwd, privateKey []b
 	return repo, clientClose, nil
 }
 
-// uploadSEVSNPVersion uploads the latest version numbers of the SEVSNP. Then version name is the UTC timestamp of the date. The /list entry stores the version name + .json suffix.
-func (a Client) uploadSEVSNPVersion(ctx context.Context, attestation variant.Variant, version attestationconfigapi.SEVSNPVersion, date time.Time) error {
-	versions, err := a.List(ctx, attestation)
+// DeleteVersion deletes the given version (without .json suffix) from the API.
+func (c Client) DeleteVersion(ctx context.Context, attestation variant.Variant, versionStr string) error {
+	versions, err := c.List(ctx, attestation)
 	if err != nil {
 		return fmt.Errorf("fetch version list: %w", err)
 	}
-	ops := a.constructUploadCmd(attestation, version, versions, date)
 
-	return executeAllCmds(ctx, a.s3Client, ops)
-}
-
-// DeleteSEVSNPVersion deletes the given version (without .json suffix) from the API.
-func (a Client) DeleteSEVSNPVersion(ctx context.Context, attestation variant.Variant, versionStr string) error {
-	versions, err := a.List(ctx, attestation)
-	if err != nil {
-		return fmt.Errorf("fetch version list: %w", err)
-	}
-
-	ops, err := a.deleteSEVSNPVersion(versions, versionStr)
+	ops, err := c.deleteVersion(versions, versionStr)
 	if err != nil {
 		return err
 	}
-	return executeAllCmds(ctx, a.s3Client, ops)
+	return executeAllCmds(ctx, c.s3Client, ops)
 }
 
 // List returns the list of versions for the given attestation variant.
-func (a Client) List(ctx context.Context, attestation variant.Variant) (attestationconfigapi.VersionList, error) {
-	if !attestation.Equal(variant.AzureSEVSNP{}) &&
-		!attestation.Equal(variant.AWSSEVSNP{}) &&
-		!attestation.Equal(variant.GCPSEVSNP{}) {
-		return attestationconfigapi.VersionList{}, fmt.Errorf("unsupported attestation variant: %s", attestation)
-	}
-
-	versions, err := apiclient.Fetch(ctx, a.s3Client, attestationconfigapi.VersionList{Variant: attestation})
+func (c Client) List(ctx context.Context, attestation variant.Variant) (attestationconfigapi.VersionList, error) {
+	versions, err := apiclient.Fetch(ctx, c.s3Client, attestationconfigapi.VersionList{Variant: attestation})
 	if err != nil {
 		var notFoundErr *apiclient.NotFoundError
 		if errors.As(err, &notFoundErr) {
@@ -101,7 +88,7 @@ func (a Client) List(ctx context.Context, attestation variant.Variant) (attestat
 	return versions, nil
 }
 
-func (a Client) deleteSEVSNPVersion(versions attestationconfigapi.VersionList, versionStr string) (ops []crudCmd, err error) {
+func (c Client) deleteVersion(versions attestationconfigapi.VersionList, versionStr string) (ops []crudCmd, err error) {
 	versionStr = versionStr + ".json"
 	ops = append(ops, deleteCmd{
 		apiObject: attestationconfigapi.VersionAPIEntry{
@@ -116,12 +103,12 @@ func (a Client) deleteSEVSNPVersion(versions attestationconfigapi.VersionList, v
 	}
 	ops = append(ops, putCmd{
 		apiObject: removedVersions,
-		signer:    a.signer,
+		signer:    c.signer,
 	})
 	return ops, nil
 }
 
-func (a Client) constructUploadCmd(attestation variant.Variant, version attestationconfigapi.SEVSNPVersion, versionNames attestationconfigapi.VersionList, date time.Time) []crudCmd {
+func (c Client) constructUploadCmd(attestation variant.Variant, version attestationconfigapi.SEVSNPVersion, versionNames attestationconfigapi.VersionList, date time.Time) []crudCmd {
 	if !attestation.Equal(versionNames.Variant) {
 		return nil
 	}
@@ -131,19 +118,41 @@ func (a Client) constructUploadCmd(attestation variant.Variant, version attestat
 
 	res = append(res, putCmd{
 		apiObject: attestationconfigapi.VersionAPIEntry{Version: dateStr, Variant: attestation, SEVSNPVersion: version},
-		signer:    a.signer,
+		signer:    c.signer,
 	})
 
 	versionNames.AddVersion(dateStr)
 
 	res = append(res, putCmd{
 		apiObject: versionNames,
-		signer:    a.signer,
+		signer:    c.signer,
 	})
 
 	return res
 }
 
+func (c Client) listCachedVersions(ctx context.Context, attestation variant.Variant) ([]string, error) {
+	list, err := c.s3Client.ListObjectsV2(ctx, &s3.ListObjectsV2Input{
+		Bucket: aws.String(c.bucketID),
+		Prefix: aws.String(reportVersionDir(attestation)),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("list objects: %w", err)
+	}
+
+	var dates []string
+	for _, obj := range list.Contents {
+		fileName := path.Base(*obj.Key)
+
+		// The cache contains signature and json files
+		// We only want the json files
+		if strings.HasSuffix(fileName, ".json") {
+			dates = append(dates, strings.TrimSuffix(fileName, ".json"))
+		}
+	}
+	return dates, nil
+}
+
 func removeVersion(list attestationconfigapi.VersionList, versionStr string) (removedVersions attestationconfigapi.VersionList, err error) {
 	versions := list.List
 	for i, v := range versions {

diff --git a/internal/api/attestationconfigapi/cli/client/client_test.go b/internal/api/attestationconfigapi/cli/client/client_test.go
@@ -44,7 +44,7 @@ func TestDeleteAzureSEVSNPVersions(t *testing.T) {
 	}
 	versions := attestationconfigapi.VersionList{List: []string{"2023-01-01.json", "2021-01-01.json", "2019-01-01.json"}}
 
-	ops, err := sut.deleteSEVSNPVersion(versions, "2021-01-01")
+	ops, err := sut.deleteVersion(versions, "2021-01-01")
 
 	assert := assert.New(t)
 	assert.NoError(err)

diff --git a/internal/api/attestationconfigapi/cli/client/reporter.go b/internal/api/attestationconfigapi/cli/client/reporter.go