fixup! fix delete + behavior without any version

edgelesssys · Sep 22, 2023 · db3a25c · db3a25c
1 parent 7fd1c5b
commit db3a25c
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 11 deletions.
diff --git a/internal/api/attestationconfigapi/cli/delete.go b/internal/api/attestationconfigapi/cli/delete.go
@@ -74,12 +74,18 @@ func runDelete(cmd *cobra.Command, _ []string) (retErr error) {
 		return fmt.Errorf("getting distribution: %w", err)
 	}
 
+	windowSize, err := cmd.Flags().GetInt("cache-window-size")
+	if err != nil {
+		return fmt.Errorf("getting cache window size: %w", err)
+	}
+
 	cfg := staticupload.Config{
 		Bucket:         bucket,
 		Region:         region,
 		DistributionID: distribution,
 	}
-	client, clientClose, err := attestationconfigapi.NewClient(cmd.Context(), cfg, []byte(cosignPwd), []byte(privateKey), false, log)
+	client, clientClose, err := attestationconfigapi.NewClient(cmd.Context(), cfg,
+		[]byte(cosignPwd), []byte(privateKey), false, windowSize, log)
 	if err != nil {
 		return fmt.Errorf("create attestation client: %w", err)
 	}

diff --git a/internal/api/attestationconfigapi/cli/main.go b/internal/api/attestationconfigapi/cli/main.go
@@ -131,10 +131,10 @@ func runCmd(cmd *cobra.Command, _ []string) (retErr error) {
 	}
 
 	url := "https://d33dzgxuwsgbpw.cloudfront.net"
-	latestAPIVersionAPI, err := attestationconfigapi.NewFetcherWithCustomCDN(url).FetchAzureSEVSNPVersionLatest(ctx)
+	latestAPIVersionAPI, err := attestationconfigapi.NewFetcherWithCustomCDNAndCosignKey(url, constants.CosignPublicKeyDev).FetchAzureSEVSNPVersionLatest(ctx)
 	if err != nil {
-		if errors.Is(err, attestationconfigapi.ErrNoVersionsFound) && flags.force {
-			log.Infof("No versions found in API, but assuming that we are uploading the first version.\n")
+		if errors.Is(err, attestationconfigapi.ErrNoVersionsFound) {
+			log.Infof("No versions found in API, but assuming that we are uploading the first version.")
 		} else {
 			return fmt.Errorf("fetching latest version: %w", err)
 		}

diff --git a/internal/api/attestationconfigapi/fetcher.go b/internal/api/attestationconfigapi/fetcher.go
@@ -40,9 +40,14 @@ func NewFetcher() Fetcher {
 	return NewFetcherWithClient(apifetcher.NewHTTPClient(), constants.CDNRepositoryURL)
 }
 
-// NewFetcherWithCustomCDN returns a new fetcher with custom CDN URL.
-func NewFetcherWithCustomCDN(cdnURL string) Fetcher {
-	return NewFetcherWithClient(apifetcher.NewHTTPClient(), cdnURL)
+// NewFetcherWithCustomCDNAndCosignKey returns a new fetcher with custom CDN URL.
+func NewFetcherWithCustomCDNAndCosignKey(cdnURL, cosignKey string) Fetcher {
+	verifier, err := sigstore.NewCosignVerifier([]byte(cosignKey))
+	if err != nil {
+		// This relies on an embedded public key. If this key can not be validated, there is no way to recover from this.
+		panic(fmt.Errorf("creating cosign verifier: %w", err))
+	}
+	return newFetcherWithClientAndVerifier(apifetcher.NewHTTPClient(), verifier, cdnURL)
 }
 
 // NewFetcherWithClient returns a new fetcher with custom http client.
@@ -69,7 +74,7 @@ func (f *fetcher) FetchAzureSEVSNPVersionList(ctx context.Context, attestation A
 func (f *fetcher) FetchAzureSEVSNPVersion(ctx context.Context, azureVersion AzureSEVSNPVersionAPI) (AzureSEVSNPVersionAPI, error) {
 	fetchedVersion, err := apifetcher.FetchAndVerify(ctx, f.HTTPClient, f.cdnURL, azureVersion, f.verifier)
 	if err != nil {
-		return fetchedVersion, fmt.Errorf("fetch version %s: %w", fetchedVersion.Version, err)
+		return fetchedVersion, fmt.Errorf("fetching version %s: %w", azureVersion.Version, err)
 	}
 	return fetchedVersion, nil
 }
@@ -89,7 +94,7 @@ func (f *fetcher) FetchAzureSEVSNPVersionLatest(ctx context.Context) (res AzureS
 	}
 	res, err = f.FetchAzureSEVSNPVersion(ctx, getVersionRequest)
 	if err != nil {
-		return res, fmt.Errorf("fetching version: %w", err)
+		return res, err
 	}
 	return
 }
diff --git a/internal/api/fetcher/fetcher.go b/internal/api/fetcher/fetcher.go
@@ -95,7 +95,6 @@ func FetchAndVerify[T apiObject](ctx context.Context, c HTTPClient, cdnURL strin
 	if err != nil {
 		return fetchedObj, fmt.Errorf("fetching signature: %w", err)
 	}
-
 	err = cosignVerifier.VerifySignature(marshalledObj, signature.Signature)
 	if err != nil {
 		return fetchedObj, fmt.Errorf("verifying signature: %w", err)
@@ -130,7 +129,7 @@ type apiObject interface {
 // signature manages the signature of a object saved at location 'Signed'.
 type signature struct {
 	// Signed is the object that is signed.
-	Signed string `json:"signed"`
+	Signed string `json:"-"`
 	// Signature is the signature of `Signed`.
 	Signature []byte `json:"signature"`
 }