diff --git a/internal/api/attestationconfigapi/cli/delete.go b/internal/api/attestationconfigapi/cli/delete.go
index e47e5565c7b..05df3e6dd4f 100644
--- a/internal/api/attestationconfigapi/cli/delete.go
+++ b/internal/api/attestationconfigapi/cli/delete.go
@@ -69,10 +69,11 @@ func runDelete(cmd *cobra.Command, _ []string) (retErr error) {
 return fmt.Errorf("getting bucket: %w", err)
 }

- distribution, err := cmd.Flags().GetString("distribution")
+ testing, err := cmd.Flags().GetBool("testing")
 if err != nil {
- return fmt.Errorf("getting distribution: %w", err)
+ return fmt.Errorf("getting testing flag: %w", err)
 }
+ _, distribution := getEnvironment(testing)

 cfg := staticupload.Config{
 Bucket: bucket,
@@ -108,10 +109,11 @@ func runRecursiveDelete(cmd *cobra.Command, _ []string) (retErr error) {
 return fmt.Errorf("getting bucket: %w", err)
 }

- distribution, err := cmd.Flags().GetString("distribution")
+ testing, err := cmd.Flags().GetBool("testing")
 if err != nil {
- return fmt.Errorf("getting distribution: %w", err)
+ return fmt.Errorf("getting testing flag: %w", err)
 }
+ _, distribution := getEnvironment(testing)

 log := logger.New(logger.PlainLog, zap.DebugLevel).Named("attestationconfigapi")
 client, closeFn, err := staticupload.New(cmd.Context(), staticupload.Config{
diff --git a/internal/api/attestationconfigapi/cli/e2e/test.sh.in b/internal/api/attestationconfigapi/cli/e2e/test.sh.in
index 9160386dbd4..0f2255803e1 100755
--- a/internal/api/attestationconfigapi/cli/e2e/test.sh.in
+++ b/internal/api/attestationconfigapi/cli/e2e/test.sh.in
@@ -17,19 +17,18 @@ fi configapi_cli=$(realpath @@CONFIGAPI_CLI@@) stat "${configapi_cli}" >> /dev/null - +configapi_cli="${configapi_cli} --testing" ###### script body ###### readonly region="eu-west-1" readonly bucket="resource-api-testing" -readonly distribution="ETZGUP1CWRC2P" tmpdir=$(mktemp -d) readonly tmpdir registerExitHandler "rm -rf $tmpdir" # empty the bucket version state -${configapi_cli} delete recursive --region "$region" --bucket "$bucket" --distribution "$distribution" +${configapi_cli} delete recursive --region "$region" --bucket "$bucket" # the high version numbers ensure that it's newer than the current latest value readonly current_claim_path="$tmpdir/currentMaaClaim.json" @@ -44,7 +43,7 @@ cat << EOF > "$current_claim_path" } EOF # upload a fake latest version for the fetcher -${configapi_cli} --force --maa-claims-path "$current_claim_path" --upload-date "2000-01-01-01-01" --region "$region" --bucket "$bucket" --distribution "$distribution" +${configapi_cli} --force --maa-claims-path "$current_claim_path" --upload-date "2000-01-01-01-01" --region "$region" --bucket "$bucket" # the high version numbers ensure that it's newer than the current latest value readonly claim_path="$tmpdir/maaClaim.json" 
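Review bot: Appending the flag to the command string with `configapi_cli="${configapi_cli} --testing"` makes every later call depend on unquoted word splitting of `${configapi_cli}`, which breaks if the resolved path contains whitespace or glob characters. Keeping the binary path and the extra arguments separate is more robust, for example `configapi_args=(--testing)` and then `"${configapi_cli}" "${configapi_args[@]}" delete recursive --region "$region" --bucket "$bucket"`. The same applies to the other invocations changed in the later hunks of this file.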
@@ -74,11 +73,11 @@ EOF # report 3 versions with different dates to fill the reporter cache readonly date_oldest="2023-02-01-03-04" -${configapi_cli} --maa-claims-path "$older_claim_path" --upload-date "$date_oldest" --region "$region" --bucket "$bucket" --distribution "$distribution" --cache-window-size 3 +${configapi_cli} --maa-claims-path "$older_claim_path" --upload-date "$date_oldest" --region "$region" --bucket "$bucket" --cache-window-size 3 readonly date_older="2023-02-02-03-04" -${configapi_cli} --maa-claims-path "$older_claim_path" --upload-date "$date_older" --region "$region" --bucket "$bucket" --distribution "$distribution" --cache-window-size 3 +${configapi_cli} --maa-claims-path "$older_claim_path" --upload-date "$date_older" --region "$region" --bucket "$bucket" --cache-window-size 3 readonly date="2023-02-03-03-04" -${configapi_cli} --maa-claims-path "$claim_path" --upload-date "$date" --region "$region" --bucket "$bucket" --distribution "$distribution" --cache-window-size 3 +${configapi_cli} --maa-claims-path "$claim_path" --upload-date "$date" --region "$region" --bucket "$bucket" --cache-window-size 3 # expect that $date_oldest is served as latest version baseurl="https://d33dzgxuwsgbpw.cloudfront.net/constellation/v1/attestation/azure-sev-snp" @@ -124,7 +123,7 @@ if [[ $http_code -ne 404 ]]; then exit 1 fi -${configapi_cli} delete --version "$date_oldest" --region "$region" --bucket "$bucket" --distribution "$distribution" +${configapi_cli} delete --version "$date_oldest" --region "$region" --bucket "$bucket" # Omit -f to check for 404. We want to check that a file was deleted, therefore we expect the query to fail. http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null ${baseurl}/${date_oldest}.json) diff --git a/internal/api/attestationconfigapi/cli/main.go b/internal/api/attestationconfigapi/cli/main.go index 56ecb999360..111bcaee6a9 100644 --- a/internal/api/attestationconfigapi/cli/main.go 
+++ b/internal/api/attestationconfigapi/cli/main.go @@ -11,7 +11,6 @@ You can execute an e2e test by running: `bazel run //internal/api/attestationcon The CLI is used in the CI pipeline. Manual actions that change the bucket's data shouldn't be necessary. The reporter CLI caches the observed version values in a dedicated caching directory and derives the latest API version from it. Any version update is then pushed to the API. -Notice that there is no synchronization on API operations. // TODO(elchead): what does this mean? */ package main @@ -75,7 +74,7 @@ func newRootCmd() *cobra.Command { rootCmd.Flags().IntP("cache-window-size", "s", versionWindowSize, "Number of versions to be considered for the latest version.") rootCmd.PersistentFlags().StringP("region", "r", awsRegion, "region of the targeted bucket.") rootCmd.PersistentFlags().StringP("bucket", "b", awsBucket, "bucket targeted by all operations.") - rootCmd.PersistentFlags().StringP("distribution", "i", distributionID, "cloudflare distribution used.") + rootCmd.PersistentFlags().Bool("testing", false, "upload to S3 test bucket.") must(rootCmd.MarkFlagRequired("maa-claims-path")) rootCmd.AddCommand(newDeleteCmd()) return rootCmd @@ -130,8 +129,7 @@ func runCmd(cmd *cobra.Command, _ []string) (retErr error) { return fmt.Errorf("creating client: %w", err) } - url := "https://d33dzgxuwsgbpw.cloudfront.net" - latestAPIVersionAPI, err := attestationconfigapi.NewFetcherWithCustomCDNAndCosignKey(url, constants.CosignPublicKeyDev).FetchAzureSEVSNPVersionLatest(ctx) + latestAPIVersionAPI, err := attestationconfigapi.NewFetcherWithCustomCDNAndCosignKey(flags.url, constants.CosignPublicKeyDev).FetchAzureSEVSNPVersionLatest(ctx) if err != nil { if errors.Is(err, attestationconfigapi.ErrNoVersionsFound) { log.Infof("No versions found in API, but assuming that we are uploading the first version.") 
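Review bot: The help text `upload to S3 test bucket.` does not match what the flag does. As used in parseCliFlags, runDelete and runRecursiveDelete, `--testing` only selects the CDN URL and distribution ID through getEnvironment, while `--bucket` and `--region` remain independent flags with their own defaults. A production bucket combined with `--testing`, or the reverse, would change objects in one environment while addressing the distribution of the other (presumably used for cache invalidation, not visible here), so a deleted attestation version could stay served from the CDN. Suggest wording such as `"use the test CDN URL and distribution ID; --bucket must name the matching bucket."`, or rejecting combinations that do not belong together. newRootCmd's body starts outside the hunk.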
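Review bot: The fetcher URL now follows `--testing` through `flags.url`, but the verification key passed to `NewFetcherWithCustomCDNAndCosignKey` is still `constants.CosignPublicKeyDev` for both environments. If objects behind `constants.CDNRepositoryURL` are signed with a different release key (not visible in this diff), the production path would either fail verification or verify production data against the dev key. Consider returning the key from getEnvironment together with the URL and distribution ID, for example `url, distribution, cosignKey := getEnvironment(testing)`, so that endpoint and trust anchor are always selected as a pair. runCmd's body starts and ends outside the hunk.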
@@ -150,69 +148,79 @@ func runCmd(cmd *cobra.Command, _ []string) (retErr error) { return nil } -type cliFlags struct { +type config struct { maaFilePath string uploadDate time.Time region string bucket string distribution string + url string force bool cacheWindowSize int } -func parseCliFlags(cmd *cobra.Command) (cliFlags, error) { +func parseCliFlags(cmd *cobra.Command) (config, error) { maaFilePath, err := cmd.Flags().GetString("maa-claims-path") if err != nil { - return cliFlags{}, fmt.Errorf("getting maa claims path: %w", err) + return config{}, fmt.Errorf("getting maa claims path: %w", err) } dateStr, err := cmd.Flags().GetString("upload-date") if err != nil { - return cliFlags{}, fmt.Errorf("getting upload date: %w", err) + return config{}, fmt.Errorf("getting upload date: %w", err) } uploadDate := time.Now() if dateStr != "" { uploadDate, err = time.Parse(attestationconfigapi.VersionFormat, dateStr) if err != nil { - return cliFlags{}, fmt.Errorf("parsing date: %w", err) + return config{}, fmt.Errorf("parsing date: %w", err) } } region, err := cmd.Flags().GetString("region") if err != nil { - return cliFlags{}, fmt.Errorf("getting region: %w", err) + return config{}, fmt.Errorf("getting region: %w", err) } bucket, err := cmd.Flags().GetString("bucket") if err != nil { - return cliFlags{}, fmt.Errorf("getting bucket: %w", err) + return config{}, fmt.Errorf("getting bucket: %w", err) } - distribution, err := cmd.Flags().GetString("distribution") + testing, err := cmd.Flags().GetBool("testing") if err != nil { - return cliFlags{}, fmt.Errorf("getting distribution: %w", err) + return config{}, fmt.Errorf("getting testing flag: %w", err) } + url, distribution := getEnvironment(testing) force, err := cmd.Flags().GetBool("force") if err != nil { - return cliFlags{}, fmt.Errorf("getting force: %w", err) + return config{}, fmt.Errorf("getting force: %w", err) } cacheWindowSize, err := cmd.Flags().GetInt("cache-window-size") if err != nil { - return cliFlags{}, 
fmt.Errorf("getting cache window size: %w", err) + return config{}, fmt.Errorf("getting cache window size: %w", err) } - return cliFlags{ + return config{ maaFilePath: maaFilePath, uploadDate: uploadDate, region: region, bucket: bucket, + url: url, distribution: distribution, force: force, cacheWindowSize: cacheWindowSize, }, nil } +func getEnvironment(testing bool) (url string, distributionID string) { + if testing { + return "https://d33dzgxuwsgbpw.cloudfront.net", "ETZGUP1CWRC2P" + } + return constants.CDNRepositoryURL, constants.CDNDefaultDistributionID +} + // maaTokenTCBClaims describes the TCB information in a MAA token. type maaTokenTCBClaims struct { IsolationTEE struct {
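Review bot: getEnvironment has no doc comment and embeds the test CDN URL and distribution ID as bare string literals, with the URL repeated as `baseurl` in e2e/test.sh.in. Suggest a comment such as `// getEnvironment returns the CDN URL and distribution ID of the test environment if testing is set, and the production values from constants otherwise.` and moving the two literals into named constants next to `constants.CDNRepositoryURL`, so test and production endpoints can be reviewed in one place. The parameter name `testing` also shadows the standard-library package name should this file ever import it; `isTesting` would avoid that.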