From fce783c5b559f73bccee2776812533fb6d657422 Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Thu, 8 Feb 2024 10:50:26 +0100 Subject: [PATCH] coordinator: add tests for SetManifest peer authentication --- coordinator/coordapi_test.go | 131 +++++++++++++++++++++++++++++++++-- 1 file changed, 126 insertions(+), 5 deletions(-) diff --git a/coordinator/coordapi_test.go b/coordinator/coordapi_test.go index ed87f6b87..04ff1d069 100644 --- a/coordinator/coordapi_test.go +++ b/coordinator/coordapi_test.go @@ -2,6 +2,12 @@ package main import ( "context" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/sha256" + "crypto/tls" + "crypto/x509" "encoding/json" "log/slog" "sync" @@ -12,6 +18,8 @@ import ( "github.com/edgelesssys/nunki/internal/memstore" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "google.golang.org/grpc/credentials" + "google.golang.org/grpc/peer" ) func TestManifestSet(t *testing.T) { @@ -27,12 +35,17 @@ func TestManifestSet(t *testing.T) { require.NoError(t, err) return b } + trustedKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) + require.NoError(t, err) + untrustedKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) + require.NoError(t, err) testCases := map[string]struct { - req *coordapi.SetManifestRequest - mSGetter *stubManifestSetGetter - caGetter *stubCertChainGetter - wantErr bool + req *coordapi.SetManifestRequest + mSGetter *stubManifestSetGetter + caGetter *stubCertChainGetter + workloadOwnerKey *ecdsa.PrivateKey + wantErr bool }{ "empty request": { req: &coordapi.SetManifestRequest{}, @@ -109,6 +122,84 @@ func TestManifestSet(t *testing.T) { caGetter: &stubCertChainGetter{}, wantErr: true, }, + "workload owner key match": { + req: &coordapi.SetManifestRequest{ + Manifest: newManifestBytes(func(m *manifest.Manifest) { + m.Policies = map[manifest.HexString][]string{ + manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, + manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, + } + }), + Policies: [][]byte{ + []byte("a"), + []byte("b"), + }, + }, + mSGetter: &stubManifestSetGetter{ + getManifestResp: []*manifest.Manifest{manifestWithWorkloadOwnerKey(trustedKey)}, + }, + caGetter: &stubCertChainGetter{}, + workloadOwnerKey: trustedKey, + }, + "workload owner key mismatch": { + req: &coordapi.SetManifestRequest{ + Manifest: newManifestBytes(func(m *manifest.Manifest) { + m.Policies = map[manifest.HexString][]string{ + manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, + manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, + } + }), + Policies: [][]byte{ + []byte("a"), + []byte("b"), + }, + }, + mSGetter: &stubManifestSetGetter{ + getManifestResp: []*manifest.Manifest{manifestWithWorkloadOwnerKey(trustedKey)}, + }, + caGetter: &stubCertChainGetter{}, + workloadOwnerKey: untrustedKey, + wantErr: true, + }, + "workload owner key missing": { + req: &coordapi.SetManifestRequest{ + Manifest: newManifestBytes(func(m *manifest.Manifest) { + m.Policies = map[manifest.HexString][]string{ + manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, + manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, + } + }), + Policies: [][]byte{ + []byte("a"), + []byte("b"), + }, + }, + mSGetter: &stubManifestSetGetter{ + getManifestResp: []*manifest.Manifest{manifestWithWorkloadOwnerKey(trustedKey)}, + }, + caGetter: &stubCertChainGetter{}, + wantErr: true, + }, + "manifest not updatable": { + req: &coordapi.SetManifestRequest{ + Manifest: newManifestBytes(func(m *manifest.Manifest) { + m.Policies = map[manifest.HexString][]string{ + manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, + manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, + } + }), + Policies: [][]byte{ + []byte("a"), + []byte("b"), + }, + }, + mSGetter: &stubManifestSetGetter{ + getManifestResp: []*manifest.Manifest{manifestWithWorkloadOwnerKey(nil)}, + }, + caGetter: &stubCertChainGetter{}, + workloadOwnerKey: trustedKey, + wantErr: true, + }, } for name, tc := range testCases { @@ -123,7 +214,7 @@ func TestManifestSet(t *testing.T) { logger: slog.Default(), } - ctx := context.Background() + ctx := rpcContext(tc.workloadOwnerKey) resp, err := coordinator.SetManifest(ctx, tc.req) if tc.wantErr { @@ -293,6 +384,36 @@ func (s *stubCertChainGetter) GetRootCACert() []byte { return []byte("root") } func (s *stubCertChainGetter) GetMeshCACert() []byte { return []byte("mesh") } func (s *stubCertChainGetter) GetIntermCert() []byte { return []byte("inter") } +func rpcContext(key *ecdsa.PrivateKey) context.Context { + var peerCertificates []*x509.Certificate + if key != nil { + peerCertificates = []*x509.Certificate{{ + PublicKey: key.Public(), + PublicKeyAlgorithm: x509.ECDSA, + }} + } + return peer.NewContext(context.Background(), &peer.Peer{ + AuthInfo: credentials.TLSInfo{State: tls.ConnectionState{ + PeerCertificates: peerCertificates, + }}, + }) +} + +func manifestWithWorkloadOwnerKey(key *ecdsa.PrivateKey) *manifest.Manifest { + m := manifest.Default() + if key == nil { + return &m + } + pubKey, err := x509.MarshalPKIXPublicKey(&key.PublicKey) + if err != nil { + panic(err) + } + ownerKeyHash := sha256.Sum256(pubKey) + ownerKeyHex := manifest.NewHexString(ownerKeyHash[:]) + m.WorkloadOwnerKeys = []manifest.HexString{ownerKeyHex} + return &m +} + func toPtr[T any](t T) *T { return &t }