gcp: remove nonsense test

edgelesssys · Apr 5, 2024 · 39a3f67 · 39a3f67
1 parent 36f4c0d
commit 39a3f67
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 208 deletions.
diff --git a/internal/attestation/gcp/snp/BUILD.bazel b/internal/attestation/gcp/snp/BUILD.bazel
@@ -32,10 +32,7 @@ go_library(
 
 go_test(
     name = "snp_test",
-    srcs = [
-        "issuer_test.go",
-        "validator_test.go",
-    ],
+    srcs = ["validator_test.go"],
     embed = [":snp"],
     # keep
     gotags = select({
@@ -44,16 +41,10 @@ go_test(
     }),
     deps = [
         "//internal/attestation",
-        "//internal/attestation/aws/snp/testdata",
-        "//internal/attestation/simulator",
-        "//internal/attestation/snp",
         "//internal/attestation/vtpm",
         "//internal/config",
-        "//internal/logger",
-        "@com_github_google_go_sev_guest//abi",
         "@com_github_google_go_sev_guest//proto/sevsnp",
         "@com_github_google_go_sev_guest//verify",
-        "@com_github_google_go_tpm_tools//client",
         "@com_github_google_go_tpm_tools//proto/attest",
         "@com_github_stretchr_testify//assert",
         "@com_github_stretchr_testify//require",

diff --git a/internal/attestation/gcp/snp/issuer_test.go b/internal/attestation/gcp/snp/issuer_test.go
diff --git a/internal/attestation/gcp/snp/validator_test.go b/internal/attestation/gcp/snp/validator_test.go
@@ -11,53 +11,47 @@ import (
 	"context"
 	"crypto"
 	"crypto/x509"
-	"encoding/base64"
 	"encoding/hex"
-	"encoding/json"
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"regexp"
 	"testing"
 
 	"github.com/edgelesssys/constellation/v2/internal/attestation"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/aws/snp/testdata"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/snp"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
 	"github.com/edgelesssys/constellation/v2/internal/config"
-	"github.com/edgelesssys/constellation/v2/internal/logger"
-	"github.com/google/go-sev-guest/abi"
 	"github.com/google/go-sev-guest/proto/sevsnp"
-	spb "github.com/google/go-sev-guest/proto/sevsnp"
 	"github.com/google/go-sev-guest/verify"
 	"github.com/google/go-tpm-tools/proto/attest"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
 func TestGetTrustedKey(t *testing.T) {
-	validator := func() *Validator { return &Validator{reportValidator: stubGCPValidator{}} }
+	validator := func(ek []byte) *Validator {
+		return &Validator{
+			reportValidator: stubGCPValidator{},
+			gceKeyGetter: func(ctx context.Context, attDoc vtpm.AttestationDocument, _ []byte) (crypto.PublicKey, error) {
+				return ek, nil
+			},
+		}
+	}
 	testCases := map[string]struct {
-		akPub   []byte
-		info    []byte
-		wantErr bool
+		akPub []byte
+		ek    []byte
+		info  []byte
 	}{
-		"null byte docs": {
-			akPub:   []byte{0x00, 0x00, 0x00, 0x00},
-			info:    []byte{0x00, 0x00, 0x00, 0x00},
-			wantErr: true,
-		},
-		"nil": {
-			akPub:   nil,
-			info:    nil,
-			wantErr: true,
+		"success": {
+			akPub: []byte("akPub"),
+			ek:    []byte("ek"),
+			info:  []byte("info"),
 		},
 	}
 
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
 			assert := assert.New(t)
-			out, err := validator().getTrustedKey(
+			out, err := validator(tc.ek).getTrustedKey(
 				context.Background(),
 				vtpm.AttestationDocument{
 					Attestation: &attest.Attestation{
@@ -68,142 +62,12 @@ func TestGetTrustedKey(t *testing.T) {
 				nil,
 			)
 
-			if tc.wantErr {
-				assert.Error(err)
-			} else {
-				assert.NoError(err)
-			}
-
-			assert.Nil(out)
-		})
-	}
-}
-
-// TestValidateSNPReport has to setup the following to run ValidateSNPReport:
-// - parse ARK certificate from constants.go.
-// - parse cached ASK certificate.
-// - parse cached SNP report.
-// - parse cached AK hash. Hash and SNP report have to match.
-// - parse cache VLEK cert.
-func TestValidateSNPReport(t *testing.T) {
-	require := require.New(t)
-	certs, err := loadCerts(testdata.CertChain)
-	require.NoError(err)
-	ark := certs[1]
-	ask := certs[0]
-
-	// reportTransformer unpacks the base64 encoded report, applies the given transformations and re-encodes it.
-	reportTransformer := func(reportHex string, transformations func(*spb.Report)) string {
-		rawReport, err := base64.StdEncoding.DecodeString(reportHex)
-		require.NoError(err)
-		report, err := abi.ReportToProto(rawReport)
-		require.NoError(err)
-		transformations(report)
-		reportBytes, err := abi.ReportToAbiBytes(report)
-		require.NoError(err)
-		return base64.StdEncoding.EncodeToString(reportBytes)
-	}
-
-	testCases := map[string]struct {
-		ak                string
-		report            string
-		reportTransformer func(string, func(*spb.Report)) string
-		verifier          reportVerifier
-		validator         reportValidator
-		wantErr           bool
-	}{
-		"success": {
-			ak:        testdata.AKDigest,
-			report:    testdata.SNPReport,
-			verifier:  &reportVerifierImpl{},
-			validator: &reportValidatorImpl{},
-		},
-		"invalid report data": {
-			ak: testdata.AKDigest,
-			report: reportTransformer(testdata.SNPReport, func(r *spb.Report) {
-				r.ReportData = make([]byte, 64)
-			}),
-			verifier:  &stubReportVerifier{},
-			validator: &reportValidatorImpl{},
-			wantErr:   true,
-		},
-		"invalid report signature": {
-			ak:        testdata.AKDigest,
-			report:    reportTransformer(testdata.SNPReport, func(r *spb.Report) { r.Signature[0]++ }),
-			verifier:  &reportVerifierImpl{},
-			validator: &reportValidatorImpl{},
-			wantErr:   true,
-		},
-	}
-
-	for name, tc := range testCases {
-		t.Run(name, func(t *testing.T) {
-			assert := assert.New(t)
-
-			hash, err := hex.DecodeString(tc.ak)
-			require.NoError(err)
-
-			report, err := base64.StdEncoding.DecodeString(tc.report)
-			require.NoError(err)
-
-			info := snp.InstanceInfo{AttestationReport: report, ReportSigner: testdata.VLEK}
-			infoMarshalled, err := json.Marshal(info)
-			require.NoError(err)
-
-			v := gcpValidator{httpsGetter: newStubHTTPSGetter(&urlResponseMatcher{}, nil), verifier: tc.verifier, validator: tc.validator}
-			err = v.validate(vtpm.AttestationDocument{InstanceInfo: infoMarshalled}, ask, ark, [64]byte(hash), config.DefaultForGCPSEVSNP(), logger.NewTest(t))
-			if tc.wantErr {
-				assert.Error(err)
-			} else {
-				assert.NoError(err)
-			}
+			assert.NoError(err)
+			assert.Equal(tc.ek, out)
 		})
 	}
 }
 
-type stubHTTPSGetter struct {
-	urlResponseMatcher *urlResponseMatcher // maps responses to requested URLs
-	err                error
-}
-
-func newStubHTTPSGetter(urlResponseMatcher *urlResponseMatcher, err error) *stubHTTPSGetter {
-	return &stubHTTPSGetter{
-		urlResponseMatcher: urlResponseMatcher,
-		err:                err,
-	}
-}
-
-func (s *stubHTTPSGetter) Get(url string) ([]byte, error) {
-	if s.err != nil {
-		return nil, s.err
-	}
-	return s.urlResponseMatcher.match(url)
-}
-
-type urlResponseMatcher struct {
-	certChainResponse    []byte
-	wantCertChainRequest bool
-	vcekResponse         []byte
-	wantVcekRequest      bool
-}
-
-func (m *urlResponseMatcher) match(url string) ([]byte, error) {
-	switch {
-	case url == "https://kdsintf.amd.com/vcek/v1/Milan/cert_chain":
-		if !m.wantCertChainRequest {
-			return nil, fmt.Errorf("unexpected cert_chain request")
-		}
-		return m.certChainResponse, nil
-	case regexp.MustCompile(`https:\/\/kdsintf.amd.com\/vcek\/v1\/Milan\/.*`).MatchString(url):
-		if !m.wantVcekRequest {
-			return nil, fmt.Errorf("unexpected VCEK request")
-		}
-		return m.vcekResponse, nil
-	default:
-		return nil, fmt.Errorf("unexpected URL: %s", url)
-	}
-}
-
 func TestSha512sum(t *testing.T) {
 	testCases := map[string]struct {
 		key   string