diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index 6f3d7b116..7738131de 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -40,7 +40,7 @@ jobs: uses: ./.github/actions/pushdiff with: error: Go source needs to be updated, check the GitHub run summary for the diff. - suggested-fix: Run \`nix run .#generate\` to generate and tidy Go code. + suggested-fix: Run \`nix run .#scripts.generate\` to generate and tidy Go code. renovate-commit-msg: "fixup: update Go source" govulncheck: diff --git a/cli/cmd/set.go b/cli/cmd/set.go index 6df964e17..6681181d3 100644 --- a/cli/cmd/set.go +++ b/cli/cmd/set.go @@ -25,6 +25,7 @@ import ( "github.com/edgelesssys/contrast/internal/spinner" "github.com/edgelesssys/contrast/internal/userapi" "github.com/spf13/cobra" + "github.com/spf13/pflag" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" ) @@ -52,7 +53,7 @@ func NewSetCmd() *cobra.Command { cmd.Flags().StringP("manifest", "m", manifestFilename, "path to manifest (.json) file") cmd.Flags().StringP("coordinator", "c", "", "endpoint the coordinator can be reached at") must(cobra.MarkFlagRequired(cmd.Flags(), "coordinator")) - cmd.Flags().String("coordinator-policy-hash", DefaultCoordinatorPolicyHash, "expected policy hash of the coordinator, will not be checked if empty") + cmd.Flags().String("coordinator-policy-hash", DefaultCoordinatorPolicyHash, "override the expected policy hash of the coordinator") cmd.Flags().String("workload-owner-key", workloadOwnerPEM, "path to workload owner key (.pem) file") return cmd @@ -157,6 +158,21 @@ type setFlags struct { workspaceDir string } +func decodeCoordinatorPolicyHash(flags *pflag.FlagSet) ([]byte, error) { + hexEncoded, err := flags.GetString("coordinator-policy-hash") + if err != nil { + return nil, fmt.Errorf("getting coordinator-policy-hash flag: %w", err) + } + hash, err := hex.DecodeString(hexEncoded) + if err != nil { + return nil, fmt.Errorf("hex-decoding coordinator-policy-hash flag: %w", err) + } + if len(hash) != 32 { + return nil, fmt.Errorf("coordinator-policy-hash must be exactly 32 hex-encoded bytes, got %d", len(hash)) + } + return hash, nil +} + func parseSetFlags(cmd *cobra.Command) (*setFlags, error) { flags := &setFlags{} var err error @@ -169,14 +185,10 @@ func parseSetFlags(cmd *cobra.Command) (*setFlags, error) { if err != nil { return nil, fmt.Errorf("failed to get coordinator flag: %w", err) } - policyString, err := cmd.Flags().GetString("coordinator-policy-hash") + flags.policy, err = decodeCoordinatorPolicyHash(cmd.Flags()) if err != nil { return nil, fmt.Errorf("failed to get coordinator-policy-hash flag: %w", err) } - flags.policy, err = hex.DecodeString(policyString) - if err != nil { - return nil, fmt.Errorf("hex-decoding coordinator-policy-hash flag: %w", err) - } flags.workloadOwnerKeyPath, err = cmd.Flags().GetString("workload-owner-key") if err != nil { return nil, fmt.Errorf("getting workload-owner-key flag: %w", err) diff --git a/cli/cmd/verify.go b/cli/cmd/verify.go index 8b9c9b8ee..96cb0ef64 100644 --- a/cli/cmd/verify.go +++ b/cli/cmd/verify.go @@ -2,7 +2,6 @@ package cmd import ( "crypto/sha256" - "encoding/hex" "fmt" "net" "os" @@ -43,7 +42,7 @@ func NewVerifyCmd() *cobra.Command { cmd.Flags().String("workspace-dir", verifyDir, "directory to write files to, if not set explicitly to another location") cmd.Flags().StringP("coordinator", "c", "", "endpoint the coordinator can be reached at") must(cobra.MarkFlagRequired(cmd.Flags(), "coordinator")) - cmd.Flags().String("coordinator-policy-hash", DefaultCoordinatorPolicyHash, "expected policy hash of the coordinator, will not be checked if empty") + cmd.Flags().String("coordinator-policy-hash", DefaultCoordinatorPolicyHash, "override the expected policy hash of the coordinator") return cmd } @@ -126,14 +125,10 @@ func parseVerifyFlags(cmd *cobra.Command) (*verifyFlags, error) { if err != nil { return nil, err } - policyString, err := cmd.Flags().GetString("coordinator-policy-hash") + policy, err := decodeCoordinatorPolicyHash(cmd.Flags()) if err != nil { return nil, err } - policy, err := hex.DecodeString(policyString) - if err != nil { - return nil, fmt.Errorf("hex-decoding coordinator-policy-hash flag: %w", err) - } return &verifyFlags{ coordinator: coordinator, diff --git a/go.mod b/go.mod index 5e366d374..538c68efa 100644 --- a/go.mod +++ b/go.mod @@ -6,6 +6,7 @@ require ( github.com/google/go-sev-guest v0.11.0 github.com/spf13/afero v1.11.0 github.com/spf13/cobra v1.8.0 + github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.9.0 go.uber.org/goleak v1.3.0 golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 @@ -48,7 +49,6 @@ require ( github.com/pborman/uuid v1.2.1 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - github.com/spf13/pflag v1.0.5 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/crypto v0.19.0 // indirect golang.org/x/net v0.21.0 // indirect diff --git a/justfile b/justfile index e098ceb07..258def075 100644 --- a/justfile +++ b/justfile @@ -129,9 +129,11 @@ verify cli=default_cli: PID=$! trap "kill $PID" EXIT nix run .#scripts.wait-for-port-listen -- 1314 + policy=$(< ./{{ workspace_dir }}/coordinator-policy.sha256) t=$(date +%s) nix run .#{{ cli }} -- verify \ --workspace-dir ./{{ workspace_dir }}/verify \ + --coordinator-policy-hash "${policy}" \ -c localhost:1314 duration=$(( $(date +%s) - $t )) echo "Verified in $duration seconds."