Skip to content

Commit

Permalink
cli: don't allow empty coordinator policy hash
Browse files Browse the repository at this point in the history
  • Loading branch information
burgerdev committed Mar 21, 2024
1 parent ff94d4d commit 1d4eebb
Show file tree
Hide file tree
Showing 4 changed files with 23 additions and 14 deletions.
24 changes: 18 additions & 6 deletions cli/cmd/set.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ import (
"github.com/edgelesssys/contrast/internal/spinner"
"github.com/edgelesssys/contrast/internal/userapi"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)
Expand Down Expand Up @@ -52,7 +53,7 @@ func NewSetCmd() *cobra.Command {
cmd.Flags().StringP("manifest", "m", manifestFilename, "path to manifest (.json) file")
cmd.Flags().StringP("coordinator", "c", "", "endpoint the coordinator can be reached at")
must(cobra.MarkFlagRequired(cmd.Flags(), "coordinator"))
cmd.Flags().String("coordinator-policy-hash", DefaultCoordinatorPolicyHash, "expected policy hash of the coordinator, will not be checked if empty")
cmd.Flags().String("coordinator-policy-hash", DefaultCoordinatorPolicyHash, "override the expected policy hash of the coordinator")
cmd.Flags().String("workload-owner-key", workloadOwnerPEM, "path to workload owner key (.pem) file")

return cmd
Expand Down Expand Up @@ -157,6 +158,21 @@ type setFlags struct {
workspaceDir string
}

func decodeCoordinatorPolicyHash(flags *pflag.FlagSet) ([]byte, error) {
hexEncoded, err := flags.GetString("coordinator-policy-hash")
if err != nil {
return nil, fmt.Errorf("getting coordinator-policy-hash flag: %w", err)
}
hash, err := hex.DecodeString(hexEncoded)
if err != nil {
return nil, fmt.Errorf("hex-decoding coordinator-policy-hash flag: %w", err)
}
if len(hash) != 32 {
return nil, fmt.Errorf("coordinator-policy-hash must be exactly 32 hex-encoded bytes, got %d", len(hash))
}
return hash, nil
}

func parseSetFlags(cmd *cobra.Command) (*setFlags, error) {
flags := &setFlags{}
var err error
Expand All @@ -169,14 +185,10 @@ func parseSetFlags(cmd *cobra.Command) (*setFlags, error) {
if err != nil {
return nil, fmt.Errorf("failed to get coordinator flag: %w", err)
}
policyString, err := cmd.Flags().GetString("coordinator-policy-hash")
flags.policy, err = decodeCoordinatorPolicyHash(cmd.Flags())
if err != nil {
return nil, fmt.Errorf("failed to get coordinator-policy-hash flag: %w", err)
}
flags.policy, err = hex.DecodeString(policyString)
if err != nil {
return nil, fmt.Errorf("hex-decoding coordinator-policy-hash flag: %w", err)
}
flags.workloadOwnerKeyPath, err = cmd.Flags().GetString("workload-owner-key")
if err != nil {
return nil, fmt.Errorf("getting workload-owner-key flag: %w", err)
Expand Down
9 changes: 2 additions & 7 deletions cli/cmd/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ package cmd

import (
"crypto/sha256"
"encoding/hex"
"fmt"
"net"
"os"
Expand Down Expand Up @@ -43,7 +42,7 @@ func NewVerifyCmd() *cobra.Command {
cmd.Flags().String("workspace-dir", verifyDir, "directory to write files to, if not set explicitly to another location")
cmd.Flags().StringP("coordinator", "c", "", "endpoint the coordinator can be reached at")
must(cobra.MarkFlagRequired(cmd.Flags(), "coordinator"))
cmd.Flags().String("coordinator-policy-hash", DefaultCoordinatorPolicyHash, "expected policy hash of the coordinator, will not be checked if empty")
cmd.Flags().String("coordinator-policy-hash", DefaultCoordinatorPolicyHash, "override the expected policy hash of the coordinator")

return cmd
}
Expand Down Expand Up @@ -126,14 +125,10 @@ func parseVerifyFlags(cmd *cobra.Command) (*verifyFlags, error) {
if err != nil {
return nil, err
}
policyString, err := cmd.Flags().GetString("coordinator-policy-hash")
policy, err := decodeCoordinatorPolicyHash(cmd.Flags())
if err != nil {
return nil, err
}
policy, err := hex.DecodeString(policyString)
if err != nil {
return nil, fmt.Errorf("hex-decoding coordinator-policy-hash flag: %w", err)
}

return &verifyFlags{
coordinator: coordinator,
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ require (
github.com/google/go-sev-guest v0.11.0
github.com/spf13/afero v1.11.0
github.com/spf13/cobra v1.8.0
github.com/spf13/pflag v1.0.5
github.com/stretchr/testify v1.9.0
go.uber.org/goleak v1.3.0
golang.org/x/exp v0.0.0-20240222234643-814bf88cf225
Expand Down Expand Up @@ -48,7 +49,6 @@ require (
github.com/pborman/uuid v1.2.1 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/crypto v0.19.0 // indirect
golang.org/x/net v0.21.0 // indirect
Expand Down
2 changes: 2 additions & 0 deletions justfile
Original file line number Diff line number Diff line change
Expand Up @@ -129,9 +129,11 @@ verify cli=default_cli:
PID=$!
trap "kill $PID" EXIT
nix run .#scripts.wait-for-port-listen -- 1314
policy=$(< ./{{ workspace_dir }}/coordinator-policy.sha256)
t=$(date +%s)
nix run .#{{ cli }} -- verify \
--workspace-dir ./{{ workspace_dir }}/verify \
--coordinator-policy-hash "${policy}" \
-c localhost:1314
duration=$(( $(date +%s) - $t ))
echo "Verified in $duration seconds."
Expand Down

0 comments on commit 1d4eebb

Please sign in to comment.