mirror of
https://github.com/ultravioletrs/cocos.git
synced 2026-06-23 04:10:25 +00:00
Sammy Kerata Oina
8eb1fac9ad
* Refactor and update dependencies in the project - Updated go.sum to replace `github.com/absmach/magistrala` with `github.com/absmach/supermq` across various modules. - Removed VSock configuration from environment variables and QEMU arguments. - Updated QEMU configuration and related tests to remove references to guest CID and VSock. - Added new HTTP transport layer for API endpoints in the manager. - Introduced Prometheus monitoring configuration with alert rules and Alertmanager setup. - Updated service and VM interfaces to remove unused methods and references. - Refactored tests to align with the new structure and dependencies. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Add MaxVMs configuration and enforce limit on VM creation Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Add comprehensive tests for HTTP transport handlers and endpoints Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Add test case for exceeding maximum number of VMs in TestRun Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Improve error handling in TestHandlerWithCustomRouter to ensure response writing is checked Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Update dependencies to latest versions - Upgrade cel.dev/expr from v0.23.0 to v0.24.0 - Upgrade github.com/absmach/supermq from v0.16.0 to v0.17.0 - Upgrade github.com/cenkalti/backoff from v4.3.0 to v5.0.2 - Upgrade github.com/cncf/xds/go to v0.0.0-20250501225837-2ac532fd4443 - Upgrade github.com/go-chi/chi/v5 from v5.2.1 to v5.2.2 - Upgrade github.com/go-jose/go-jose/v3 from v3.0.3 to v3.0.4 - Upgrade github.com/gofrs/uuid/v5 from v5.3.0 to v5.3.2 - Upgrade github.com/prometheus/client_golang from v1.22.0 to v1.23.0 - Upgrade github.com/prometheus/client_model from v0.6.1 to v0.6.2 - Upgrade github.com/prometheus/common from v0.62.0 to v0.65.0 - Upgrade github.com/prometheus/procfs from v0.15.1 to v0.16.1 - Upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from v0.60.0 to v0.62.0 - Upgrade go.opentelemetry.io/otel/exporters/otlp/otlptrace from v1.36.0 to v1.37.0 - Upgrade golang.org/x/crypto from v0.39.0 to v0.40.0 - Upgrade golang.org/x/sys from v0.33.0 to v0.34.0 - Upgrade golang.org/x/text from v0.26.0 to v0.27.0 - Upgrade golang.org/x/time from v0.11.0 to v0.12.0 - Upgrade google.golang.org/grpc from v1.73.0 to v1.74.2 Signed-off-by: Sammy Oina <sammyoina@gmail.com> --------- Signed-off-by: Sammy Oina <sammyoina@gmail.com>
321 lines
9.6 KiB
Go
321 lines
9.6 KiB
Go
// Copyright (c) Ultraviolet
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
package cli
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/sha512"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"fmt"
|
|
"os"
|
|
"strconv"
|
|
|
|
"github.com/absmach/supermq/pkg/errors"
|
|
"github.com/google/go-sev-guest/proto/check"
|
|
"github.com/google/go-tpm-tools/proto/attest"
|
|
"github.com/spf13/cobra"
|
|
"github.com/spf13/pflag"
|
|
"github.com/ultravioletrs/cocos/pkg/attestation"
|
|
"github.com/ultravioletrs/cocos/pkg/attestation/azure"
|
|
"github.com/ultravioletrs/cocos/pkg/attestation/gcp"
|
|
"github.com/ultravioletrs/cocos/pkg/attestation/vtpm"
|
|
"google.golang.org/protobuf/proto"
|
|
)
|
|
|
|
type fieldType int
|
|
|
|
const (
|
|
measurementField fieldType = iota
|
|
hostDataField
|
|
)
|
|
|
|
const (
|
|
// 0o744 file permission gives RWX permission to the user and only the R permission to others.
|
|
filePermission = 0o744
|
|
// Length of the expected host data and measurement field in bytes.
|
|
hostDataLength = 32
|
|
measurementLength = 48
|
|
)
|
|
|
|
var (
|
|
errDecode = errors.New("base64 string could not be decoded")
|
|
errDataLength = errors.New("data does not have an adequate length")
|
|
errReadingAttestationPolicyFile = errors.New("error while reading the attestation policy file")
|
|
errUnmarshalJSON = errors.New("failed to unmarshal json")
|
|
errMarshalJSON = errors.New("failed to marshal json")
|
|
errWriteFile = errors.New("failed to write to file")
|
|
errAttestationPolicyField = errors.New("the specified field type does not exist in the attestation policy")
|
|
policy uint64 = 196639
|
|
)
|
|
|
|
func (cli *CLI) NewAttestationPolicyCmd() *cobra.Command {
|
|
return &cobra.Command{
|
|
Use: "policy [command]",
|
|
Short: "Change attestation policy",
|
|
Run: func(cmd *cobra.Command, args []string) {
|
|
fmt.Printf("Change attestation policy\n\n")
|
|
fmt.Printf("Usage:\n %s [command]\n\n", cmd.CommandPath())
|
|
fmt.Printf("Available Commands:\n")
|
|
|
|
// Filter out "completion" command
|
|
availableCommands := make([]*cobra.Command, 0)
|
|
for _, subCmd := range cmd.Commands() {
|
|
if subCmd.Name() != "completion" {
|
|
availableCommands = append(availableCommands, subCmd)
|
|
}
|
|
}
|
|
|
|
for _, subCmd := range availableCommands {
|
|
fmt.Printf(" %-15s%s\n", subCmd.Name(), subCmd.Short)
|
|
}
|
|
|
|
fmt.Printf("\nFlags:\n")
|
|
cmd.Flags().VisitAll(func(flag *pflag.Flag) {
|
|
fmt.Printf(" -%s, --%s %s\n", flag.Shorthand, flag.Name, flag.Usage)
|
|
})
|
|
fmt.Printf("\nUse \"%s [command] --help\" for more information about a command.\n", cmd.CommandPath())
|
|
},
|
|
}
|
|
}
|
|
|
|
func (cli *CLI) NewAddMeasurementCmd() *cobra.Command {
|
|
return &cobra.Command{
|
|
Use: "measurement",
|
|
Short: "Add measurement to the attestation policy file. The value should be in base64. The second parameter is attestation_policy.json file",
|
|
Example: "measurement <measurement> <attestation_policy.json>",
|
|
Args: cobra.ExactArgs(2),
|
|
Run: func(cmd *cobra.Command, args []string) {
|
|
if err := changeAttestationConfiguration(args[1], args[0], measurementLength, measurementField); err != nil {
|
|
printError(cmd, "Error could not change measurement data: %v ❌ ", err)
|
|
return
|
|
}
|
|
},
|
|
}
|
|
}
|
|
|
|
func (cli *CLI) NewAddHostDataCmd() *cobra.Command {
|
|
return &cobra.Command{
|
|
Use: "hostdata",
|
|
Short: "Add host data to the attestation policy file. The value should be in base64. The second parameter is attestation_policy.json file",
|
|
Example: "hostdata <host-data> <attestation_policy.json>",
|
|
Args: cobra.ExactArgs(2),
|
|
Run: func(cmd *cobra.Command, args []string) {
|
|
if err := changeAttestationConfiguration(args[1], args[0], hostDataLength, hostDataField); err != nil {
|
|
printError(cmd, "Error could not change host data: %v ❌ ", err)
|
|
return
|
|
}
|
|
},
|
|
}
|
|
}
|
|
|
|
func (cli *CLI) NewGCPAttestationPolicy() *cobra.Command {
|
|
return &cobra.Command{
|
|
Use: "gcp",
|
|
Short: "Get attestation policy for GCP CVM",
|
|
Example: `gcp <bin_vtmp_attestation_report_file> <vcpu_count>`,
|
|
Args: cobra.ExactArgs(2),
|
|
Run: func(cmd *cobra.Command, args []string) {
|
|
attestationBin, err := os.ReadFile(args[0])
|
|
if err != nil {
|
|
printError(cmd, "Error reading attestation report file: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
vcpuCount, err := strconv.Atoi(args[1])
|
|
if err != nil {
|
|
printError(cmd, "Error converting vCPU count to integer: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
attestation := &attest.Attestation{}
|
|
|
|
if err := proto.Unmarshal(attestationBin, attestation); err != nil {
|
|
printError(cmd, "Error unmarshaling attestation report: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
attestationPB := attestation.GetSevSnpAttestation()
|
|
|
|
measurement, err := gcp.Extract384BitMeasurement(attestationPB)
|
|
if err != nil {
|
|
printError(cmd, "Error extracting 384-bit measurement: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
launchEndorsement, err := gcp.GetLaunchEndorsement(cmd.Context(), measurement)
|
|
if err != nil {
|
|
printError(cmd, "Error getting launch endorsement: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
attestationPolicy, err := gcp.GenerateAttestationPolicy(launchEndorsement, uint32(vcpuCount))
|
|
if err != nil {
|
|
printError(cmd, "Error generating attestation policy: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
attestationPolicyJson, err := json.MarshalIndent(attestationPolicy, "", " ")
|
|
if err != nil {
|
|
printError(cmd, "Error marshaling attestation policy: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
if err := os.WriteFile("attestation_policy.json", attestationPolicyJson, filePermission); err != nil {
|
|
printError(cmd, "Error writing attestation policy file: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
cmd.Println("Attestation policy file generated successfully ✅")
|
|
},
|
|
}
|
|
}
|
|
|
|
func (cli *CLI) NewDownloadGCPOvmfFile() *cobra.Command {
|
|
return &cobra.Command{
|
|
Use: "download",
|
|
Short: "Download GCP OVMF file",
|
|
Example: `download <bin_vtmp_attestation_report_file>`,
|
|
Args: cobra.ExactArgs(1),
|
|
Run: func(cmd *cobra.Command, args []string) {
|
|
attestationBin, err := os.ReadFile(args[0])
|
|
if err != nil {
|
|
printError(cmd, "Error reading attestation report file: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
attestation := &attest.Attestation{}
|
|
|
|
if err := proto.Unmarshal(attestationBin, attestation); err != nil {
|
|
printError(cmd, "Error unmarshaling attestation report: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
attestationPB := attestation.GetSevSnpAttestation()
|
|
|
|
measurement, err := gcp.Extract384BitMeasurement(attestationPB)
|
|
if err != nil {
|
|
printError(cmd, "Error extracting 384-bit measurement: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
launchEndorsement, err := gcp.GetLaunchEndorsement(cmd.Context(), measurement)
|
|
if err != nil {
|
|
printError(cmd, "Error getting launch endorsement: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
ovmf, err := gcp.DownloadOvmfFile(cmd.Context(), fmt.Sprintf("%x", launchEndorsement.Digest))
|
|
if err != nil {
|
|
printError(cmd, "Error downloading OVMF file: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
sum384 := sha512.Sum384(ovmf)
|
|
|
|
if !bytes.Equal(sum384[:], launchEndorsement.Digest) {
|
|
printError(cmd, "Error OVMF file does not match the measurement: %v ❌ ", fmt.Errorf("digest mismatch"))
|
|
} else {
|
|
cmd.Println("OVMF firmware in vm is unmodified ✅")
|
|
}
|
|
|
|
if err := os.WriteFile("ovmf.fd", ovmf, filePermission); err != nil {
|
|
printError(cmd, "Error writing OVMF file: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
cmd.Println("OVMF file downloaded successfully ✅")
|
|
},
|
|
}
|
|
}
|
|
|
|
func (cli *CLI) NewAzureAttestationPolicy() *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "azure",
|
|
Short: "Get attestation policy for Azure CVM",
|
|
Example: `azure <azure_maa_token_file> <product_name>`,
|
|
Args: cobra.ExactArgs(2),
|
|
Run: func(cmd *cobra.Command, args []string) {
|
|
token, err := os.ReadFile(args[0])
|
|
if err != nil {
|
|
printError(cmd, "Error reading attestation report file: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
product := args[1]
|
|
|
|
config, err := azure.GenerateAttestationPolicy(string(token), product, policy)
|
|
if err != nil {
|
|
printError(cmd, "Error generating attestation policy: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
attestationPolicyJson, err := json.MarshalIndent(&config, "", " ")
|
|
if err != nil {
|
|
printError(cmd, "Error marshaling attestation policy: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
if err := os.WriteFile("attestation_policy.json", attestationPolicyJson, filePermission); err != nil {
|
|
printError(cmd, "Error writing attestation policy file: %v ❌ ", err)
|
|
return
|
|
}
|
|
|
|
cmd.Println("Attestation policy file generated successfully ✅")
|
|
},
|
|
}
|
|
|
|
cmd.Flags().Uint64Var(
|
|
&policy,
|
|
"policy",
|
|
policy,
|
|
"Policy of the guest CVM",
|
|
)
|
|
|
|
return cmd
|
|
}
|
|
|
|
func changeAttestationConfiguration(fileName, base64Data string, expectedLength int, field fieldType) error {
|
|
data, err := base64.StdEncoding.DecodeString(base64Data)
|
|
if err != nil {
|
|
return errDecode
|
|
}
|
|
|
|
if len(data) != expectedLength {
|
|
return errDataLength
|
|
}
|
|
|
|
ac := attestation.Config{Config: &check.Config{RootOfTrust: &check.RootOfTrust{}, Policy: &check.Policy{}}, PcrConfig: &attestation.PcrConfig{}}
|
|
|
|
f, err := os.ReadFile(fileName)
|
|
if err != nil {
|
|
return errors.Wrap(errReadingAttestationPolicyFile, err)
|
|
}
|
|
|
|
if err = vtpm.ReadPolicyFromByte(f, &ac); err != nil {
|
|
return errors.Wrap(errUnmarshalJSON, err)
|
|
}
|
|
|
|
if ac.Config.Policy == nil {
|
|
ac.Config.Policy = &check.Policy{}
|
|
}
|
|
|
|
switch field {
|
|
case measurementField:
|
|
ac.Config.Policy.Measurement = data
|
|
case hostDataField:
|
|
ac.Config.Policy.HostData = data
|
|
default:
|
|
return errAttestationPolicyField
|
|
}
|
|
|
|
fileJson, err := vtpm.ConvertPolicyToJSON(&ac)
|
|
if err != nil {
|
|
return errors.Wrap(errMarshalJSON, err)
|
|
}
|
|
if err = os.WriteFile(fileName, fileJson, filePermission); err != nil {
|
|
return errors.Wrap(errWriteFile, err)
|
|
}
|
|
return nil
|
|
}
|