From c6faca6e8ba47f597f180e337960764e36917e01 Mon Sep 17 00:00:00 2001 From: Leonard Cohnen Date: Fri, 2 Aug 2024 17:24:23 +0200 Subject: [PATCH] manifest: add WorkloadSecretID field This field will be used as part of the workload secret feature (RFC 007) to generate secrets. --- cli/cmd/policies.go | 15 ++++---- coordinator/internal/authority/authority.go | 3 +- .../internal/authority/authority_test.go | 2 +- .../internal/authority/userapi_test.go | 36 +++++++++---------- e2e/openssl/openssl_test.go | 4 ++- e2e/policy/policy_test.go | 2 +- internal/manifest/manifest.go | 8 ++++- internal/manifest/manifest_test.go | 4 +-- 8 files changed, 42 insertions(+), 32 deletions(-) diff --git a/cli/cmd/policies.go b/cli/cmd/policies.go index 3245e21ea5..9b023f19e0 100644 --- a/cli/cmd/policies.go +++ b/cli/cmd/policies.go @@ -76,22 +76,23 @@ func policiesFromKubeResources(yamlPaths []string) ([]deployment, error) { return deployments, nil } -func manifestPolicyMapFromPolicies(policies []deployment) (map[manifest.HexString][]string, error) { - policyHashes := make(map[manifest.HexString][]string) +func manifestPolicyMapFromPolicies(policies []deployment) (map[manifest.HexString]manifest.PolicyEntry, error) { + policyHashes := make(map[manifest.HexString]manifest.PolicyEntry) for _, depl := range policies { - if existingNames, ok := policyHashes[depl.policy.Hash()]; ok { - if slices.Equal(existingNames, depl.DNSNames()) { + if entry, ok := policyHashes[depl.policy.Hash()]; ok { + if slices.Equal(entry.SANs, depl.DNSNames()) { return nil, fmt.Errorf("policy hash collision: %s and %s have the same hash %v", - existingNames, depl.name, depl.policy.Hash()) + entry.SANs, depl.name, depl.policy.Hash()) } continue } - policyHashes[depl.policy.Hash()] = depl.DNSNames() + entry := manifest.PolicyEntry{SANs: depl.DNSNames(), WorkloadSecretID: depl.name} + policyHashes[depl.policy.Hash()] = entry } return policyHashes, nil } -func checkPoliciesMatchManifest(policies []deployment, policyHashes map[manifest.HexString][]string) error { +func checkPoliciesMatchManifest(policies []deployment, policyHashes map[manifest.HexString]manifest.PolicyEntry) error { if len(policies) != len(policyHashes) { return fmt.Errorf("policy count mismatch: %d policies in deployment, but %d in manifest", len(policies), len(policyHashes)) diff --git a/coordinator/internal/authority/authority.go b/coordinator/internal/authority/authority.go index d6435f9130..7f822ab8b2 100644 --- a/coordinator/internal/authority/authority.go +++ b/coordinator/internal/authority/authority.go @@ -107,10 +107,11 @@ func (m *Authority) ValidateCallback(_ context.Context, report *sevsnp.Report, } hostData := manifest.NewHexString(report.HostData) - dnsNames, ok := state.manifest.Policies[hostData] + entry, ok := state.manifest.Policies[hostData] if !ok { return fmt.Errorf("report data %s not found in manifest", hostData) } + dnsNames := entry.SANs peerPubKey, err := x509.ParsePKIXPublicKey(peerPubKeyBytes) if err != nil { diff --git a/coordinator/internal/authority/authority_test.go b/coordinator/internal/authority/authority_test.go index ec6cd1166d..9fa9f5190c 100644 --- a/coordinator/internal/authority/authority_test.go +++ b/coordinator/internal/authority/authority_test.go @@ -82,7 +82,7 @@ func newManifest(t *testing.T) (*manifest.Manifest, []byte, [][]byte) { mnfst, err := manifest.Default(platforms.AKSCloudHypervisorSNP) require.NoError(t, err) - mnfst.Policies = map[manifest.HexString][]string{policyHashHex: {"test"}} + mnfst.Policies = map[manifest.HexString]manifest.PolicyEntry{policyHashHex: {SANs: []string{"test"}, WorkloadSecretID: "test2"}} mnfst.WorkloadOwnerKeyDigests = []manifest.HexString{keyDigest} mnfstBytes, err := json.Marshal(mnfst) require.NoError(t, err) diff --git a/coordinator/internal/authority/userapi_test.go b/coordinator/internal/authority/userapi_test.go index 0703b0f00c..9d28531652 100644 --- a/coordinator/internal/authority/userapi_test.go +++ b/coordinator/internal/authority/userapi_test.go @@ -76,9 +76,9 @@ func TestManifestSet(t *testing.T) { "request without policies": { req: &userapi.SetManifestRequest{ Manifest: newManifestBytes(func(m *manifest.Manifest) { - m.Policies = map[manifest.HexString][]string{ - manifest.HexString("a"): {"a1", "a2"}, - manifest.HexString("b"): {"b1", "b2"}, + m.Policies = map[manifest.HexString]manifest.PolicyEntry{ + manifest.HexString("a"): {SANs: []string{"a1", "a2"}, WorkloadSecretID: "a3"}, + manifest.HexString("b"): {SANs: []string{"b1", "b2"}, WorkloadSecretID: "b3"}, } }), }, @@ -87,9 +87,9 @@ func TestManifestSet(t *testing.T) { "policy not in manifest": { req: &userapi.SetManifestRequest{ Manifest: newManifestBytes(func(m *manifest.Manifest) { - m.Policies = map[manifest.HexString][]string{ - manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, - manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, + m.Policies = map[manifest.HexString]manifest.PolicyEntry{ + manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {SANs: []string{"a1", "a2"}, WorkloadSecretID: "a3"}, + manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {SANs: []string{"b1", "b2"}, WorkloadSecretID: "b3"}, } }), Policies: [][]byte{ @@ -103,9 +103,9 @@ func TestManifestSet(t *testing.T) { "valid manifest": { req: &userapi.SetManifestRequest{ Manifest: newManifestBytes(func(m *manifest.Manifest) { - m.Policies = map[manifest.HexString][]string{ - manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, - manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, + m.Policies = map[manifest.HexString]manifest.PolicyEntry{ + manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {SANs: []string{"a1", "a2"}, WorkloadSecretID: "a3"}, + manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {SANs: []string{"b1", "b2"}, WorkloadSecretID: "b3"}, } }), Policies: [][]byte{ @@ -167,9 +167,9 @@ func TestManifestSet(t *testing.T) { req := &userapi.SetManifestRequest{ Manifest: newManifestBytes(func(m *manifest.Manifest) { - m.Policies = map[manifest.HexString][]string{ - manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, - manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, + m.Policies = map[manifest.HexString]manifest.PolicyEntry{ + manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {SANs: []string{"a1", "a2"}, WorkloadSecretID: "a3"}, + manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {SANs: []string{"b1", "b2"}, WorkloadSecretID: "b3"}, } }), Policies: [][]byte{ @@ -226,9 +226,9 @@ func TestGetManifests(t *testing.T) { m, err := manifest.Default(platforms.AKSCloudHypervisorSNP) require.NoError(err) - m.Policies = map[manifest.HexString][]string{ - manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, - manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, + m.Policies = map[manifest.HexString]manifest.PolicyEntry{ + manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {SANs: []string{"a1", "a2"}, WorkloadSecretID: "a3"}, + manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {SANs: []string{"b1", "b2"}, WorkloadSecretID: "b3"}, } manifestBytes, err := json.Marshal(m) require.NoError(err) @@ -399,9 +399,9 @@ func TestUserAPIConcurrent(t *testing.T) { setReq := &userapi.SetManifestRequest{ Manifest: newManifestBytes(func(m *manifest.Manifest) { - m.Policies = map[manifest.HexString][]string{ - manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, - manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, + m.Policies = map[manifest.HexString]manifest.PolicyEntry{ + manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {SANs: []string{"a1", "a2"}, WorkloadSecretID: "a3"}, + manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {SANs: []string{"b1", "b2"}, WorkloadSecretID: "b3"}, } }), Policies: [][]byte{ diff --git a/e2e/openssl/openssl_test.go b/e2e/openssl/openssl_test.go index 64f587cf9b..406691016b 100644 --- a/e2e/openssl/openssl_test.go +++ b/e2e/openssl/openssl_test.go @@ -150,7 +150,9 @@ func TestOpenSSL(t *testing.T) { require.NoError(json.Unmarshal(manifestBytes, &m)) // Add test domain name to first policy. for policyHash := range m.Policies { - m.Policies[policyHash] = append(m.Policies[policyHash], fmt.Sprintf("test-%s", deploymentToRestart)) + entry := m.Policies[policyHash] + entry.SANs = append(entry.SANs, fmt.Sprintf("test-%s", deploymentToRestart)) + m.Policies[policyHash] = entry break } manifestBytes, err = json.Marshal(m) diff --git a/e2e/policy/policy_test.go b/e2e/policy/policy_test.go index 0df8dfca70..1a743a5885 100644 --- a/e2e/policy/policy_test.go +++ b/e2e/policy/policy_test.go @@ -91,7 +91,7 @@ func TestPolicy(t *testing.T) { // Remove a policy from the manifest. for policyHash := range m.Policies { - if slices.Contains(m.Policies[policyHash], opensslFrontend) { + if slices.Contains(m.Policies[policyHash].SANs, opensslFrontend) { delete(m.Policies, policyHash) } } diff --git a/internal/manifest/manifest.go b/internal/manifest/manifest.go index 5c2c1c8375..2a0ab46693 100644 --- a/internal/manifest/manifest.go +++ b/internal/manifest/manifest.go @@ -16,12 +16,18 @@ import ( // Manifest is the Coordinator manifest and contains the reference values of the deployment. type Manifest struct { // policyHash/HOSTDATA -> commonName - Policies map[HexString][]string + Policies map[HexString]PolicyEntry ReferenceValues ReferenceValues WorkloadOwnerKeyDigests []HexString SeedshareOwnerPubKeys []HexString } +// PolicyEntry is a policy entry in the manifest. It contains further information the user wants to associate with the policy. +type PolicyEntry struct { + SANs []string + WorkloadSecretID string +} + // HexStrings is a slice of HexString. type HexStrings []HexString diff --git a/internal/manifest/manifest_test.go b/internal/manifest/manifest_test.go index 470892d256..a6f98589e4 100644 --- a/internal/manifest/manifest_test.go +++ b/internal/manifest/manifest_test.go @@ -84,14 +84,14 @@ func TestValidate(t *testing.T) { }, { m: &Manifest{ - Policies: map[HexString][]string{HexString(""): {}}, + Policies: map[HexString]PolicyEntry{HexString(""): {}}, ReferenceValues: mnf.ReferenceValues, }, wantErr: true, }, { m: &Manifest{ - Policies: map[HexString][]string{HexString(""): {}}, + Policies: map[HexString]PolicyEntry{HexString(""): {}}, ReferenceValues: ReferenceValues{ AKS: &AKSReferenceValues{ SNP: mnf.ReferenceValues.AKS.SNP,