Refactor logic, split such as can be re-used for posting data too
This commit is contained in:
parent
368dfd7874
commit
f0fe82f348
71
get.go
71
get.go
@ -60,9 +60,67 @@ func Authenticate(akBytes []byte, channel io.ReadWriter, opts ...Option) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func AuthRequest(r *http.Request, conn *websocket.Conn) error {
|
||||
token := r.Header.Get("Authorization")
|
||||
ek, at, err := GetAttestationData(token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
secret, challenge, err := GenerateChallenge(ek, at)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
resp, err := writeRead(conn, challenge)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := ValidateChallenge(secret, resp); err != nil {
|
||||
return fmt.Errorf("error validating challenge: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func writeRead(conn *websocket.Conn, input []byte) ([]byte, error) {
|
||||
writer, err := conn.NextWriter(websocket.BinaryMessage)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if _, err := writer.Write(input); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
writer.Close()
|
||||
_, reader, err := conn.NextReader()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return ioutil.ReadAll(reader)
|
||||
}
|
||||
|
||||
// Get retrieves a message from a remote ws server after
|
||||
// a successfully process of the TPM challenge
|
||||
func Get(url string, opts ...Option) ([]byte, error) {
|
||||
conn, err := Connection(url, opts...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer conn.Close()
|
||||
|
||||
_, msg, err := conn.NextReader()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("reading payload from tpm get: %w", err)
|
||||
}
|
||||
|
||||
return ioutil.ReadAll(msg)
|
||||
}
|
||||
|
||||
// Connection returns a connection to the endpoint which suathenticated already.
|
||||
// The server side needs to call AuthRequest on the http request in order to authenticate and refuse connections
|
||||
func Connection(url string, opts ...Option) (*websocket.Conn, error) {
|
||||
c := newConfig()
|
||||
c.apply(opts...)
|
||||
|
||||
@ -128,7 +186,6 @@ func Get(url string, opts ...Option) ([]byte, error) {
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
defer conn.Close()
|
||||
|
||||
_, msg, err := conn.NextReader()
|
||||
if err != nil {
|
||||
@ -149,22 +206,14 @@ func Get(url string, opts ...Option) ([]byte, error) {
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer writer.Close()
|
||||
|
||||
if err := json.NewEncoder(writer).Encode(challengeResp); err != nil {
|
||||
return nil, fmt.Errorf("encoding ChallengeResponse: %w", err)
|
||||
}
|
||||
|
||||
if err := writer.Close(); err != nil {
|
||||
return nil, fmt.Errorf("closing websocket writer: %w", err)
|
||||
}
|
||||
writer.Close()
|
||||
|
||||
_, msg, err = conn.NextReader()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("reading payload from tpm get: %w", err)
|
||||
}
|
||||
|
||||
return ioutil.ReadAll(msg)
|
||||
return conn, nil
|
||||
}
|
||||
|
||||
func getChallengeResponse(c *config, ec *attest.EncryptedCredential, aikBytes []byte) (*ChallengeResponse, error) {
|
||||
|
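Review bot: `writeRead` in get.go discards the error from the bare `writer.Close()` call just before `conn.NextReader()`, whereas the copy being removed from get_test.go checked it; with gorilla/websocket, Close is what flushes the frame, so a failed flush here would likely surface only as a confusing read error or as waiting for a reply the peer never received. Restore the check: `if err := writer.Close(); err != nil {` / `return nil, err` / `}`. `AuthRequest` then hands the reply of a peer that has not yet proven anything to `ioutil.ReadAll` with no size bound; calling `conn.SetReadLimit(...)` with an explicit cap before `writeRead` keeps an unauthenticated client from making the server buffer an arbitrarily large message. Since go.mod declares go 1.19, `ioutil.ReadAll` in both `writeRead` and `Get` can become `io.ReadAll`. The doc comment on `Connection` reads "which suathenticated already"; it should say "which is authenticated already", and the exported `AuthRequest` has no doc comment at all, e.g. `// AuthRequest runs the TPM challenge against conn using the Authorization header of r and returns an error if the peer fails it.`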
109
get_test.go
109
get_test.go
@ -4,7 +4,6 @@ import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"os"
|
||||
"time"
|
||||
@ -15,28 +14,6 @@ import (
|
||||
. "github.com/onsi/gomega"
|
||||
)
|
||||
|
||||
func writeRead(conn *websocket.Conn, input []byte) ([]byte, error) {
|
||||
writer, err := conn.NextWriter(websocket.BinaryMessage)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if _, err := writer.Write(input); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if err := writer.Close(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
_, reader, err := conn.NextReader()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return ioutil.ReadAll(reader)
|
||||
}
|
||||
|
||||
var upgrader = websocket.Upgrader{
|
||||
ReadBufferSize: 1024,
|
||||
WriteBufferSize: 1024,
|
||||
@ -53,30 +30,12 @@ func WSServer(ctx context.Context) {
|
||||
m := http.NewServeMux()
|
||||
m.HandleFunc("/test", func(w http.ResponseWriter, r *http.Request) {
|
||||
conn, _ := upgrader.Upgrade(w, r, nil) // error ignored for sake of simplicity
|
||||
|
||||
for {
|
||||
|
||||
token := r.Header.Get("Authorization")
|
||||
if err := AuthRequest(r, conn); err != nil {
|
||||
fmt.Println("error", err.Error())
|
||||
return
|
||||
}
|
||||
awesome := r.Header.Get("awesome")
|
||||
ek, at, err := GetAttestationData(token)
|
||||
if err != nil {
|
||||
fmt.Println("error", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
secret, challenge, err := GenerateChallenge(ek, at)
|
||||
if err != nil {
|
||||
fmt.Println("error", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
resp, _ := writeRead(conn, challenge)
|
||||
|
||||
if err := ValidateChallenge(secret, resp); err != nil {
|
||||
fmt.Println("error validating challenge", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
writer, _ := conn.NextWriter(websocket.BinaryMessage)
|
||||
json.NewEncoder(writer).Encode(map[string]string{"foo": "bar", "header": awesome})
|
||||
}
|
||||
@ -91,6 +50,66 @@ func WSServer(ctx context.Context) {
|
||||
}()
|
||||
}
|
||||
|
||||
// Mimics a WS server which accepts TPM Bearer token and receives data
|
||||
func WSServerReceiver(ctx context.Context, c chan map[string]string) {
|
||||
s := http.Server{
|
||||
Addr: ":8080",
|
||||
ReadTimeout: 10 * time.Second,
|
||||
WriteTimeout: 10 * time.Second,
|
||||
}
|
||||
|
||||
m := http.NewServeMux()
|
||||
m.HandleFunc("/post", func(w http.ResponseWriter, r *http.Request) {
|
||||
conn, _ := upgrader.Upgrade(w, r, nil) // error ignored for sake of simplicity
|
||||
for {
|
||||
if err := AuthRequest(r, conn); err != nil {
|
||||
fmt.Println("error", err.Error())
|
||||
return
|
||||
}
|
||||
defer conn.Close()
|
||||
|
||||
v := map[string]string{}
|
||||
err := conn.ReadJSON(&v)
|
||||
if err != nil {
|
||||
fmt.Println("error", err.Error())
|
||||
return
|
||||
}
|
||||
c <- v
|
||||
}
|
||||
})
|
||||
|
||||
s.Handler = m
|
||||
|
||||
go s.ListenAndServe()
|
||||
go func() {
|
||||
<-ctx.Done()
|
||||
s.Shutdown(ctx)
|
||||
}()
|
||||
}
|
||||
|
||||
var _ = Describe("POST", func() {
|
||||
Context("challenges", func() {
|
||||
It("posts pubhash", func() {
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
defer cancel()
|
||||
|
||||
rec := make(chan map[string]string, 10)
|
||||
WSServerReceiver(ctx, rec)
|
||||
|
||||
conn, err := Connection("http://localhost:8080/post", Emulated, WithSeed(1))
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
|
||||
defer conn.Close()
|
||||
|
||||
err = conn.WriteJSON(map[string]string{"foo": "bar", "header": "foo"})
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
|
||||
res := <-rec
|
||||
Expect(res).To(Equal(map[string]string{"foo": "bar", "header": "foo"}))
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
var _ = Describe("GET", func() {
|
||||
Context("challenges", func() {
|
||||
It("fails for permissions", func() {
|
||||
|
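Review bot: In `WSServerReceiver`, `defer conn.Close()` sits inside the `for` loop after the `AuthRequest` call, so it neither runs per iteration nor covers the first-iteration failure path, where the handler returns without closing the upgraded connection; move it directly after the upgrade, i.e. `conn, _ := upgrader.Upgrade(w, r, nil)` / `defer conn.Close()`. The loop also re-runs `AuthRequest`, a full challenge round-trip, before every `ReadJSON`, while the test client at `Connection("http://localhost:8080/post", ...)` authenticates once and then calls `WriteJSON` directly, so every delivered message appears to be followed by a challenge the client never answers; if authenticate-once-then-stream is the intended protocol, `AuthRequest` belongs before the loop. `upgrader.Upgrade`'s error is ignored as the comment admits, but a nil `conn` then panics inside the handler instead of reporting the failure. The `WSServer` handler in the earlier hunk has the same loop shape; its body continues outside that hunk.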
3
go.mod
3
go.mod
@ -3,8 +3,10 @@ module github.com/kairos-io/tpm-helpers
|
||||
go 1.19
|
||||
|
||||
require (
|
||||
github.com/folbricht/tpmk v0.1.2-0.20230104073416-f20b20c289d7
|
||||
github.com/google/certificate-transparency-go v1.1.4
|
||||
github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9
|
||||
github.com/google/go-tpm v0.3.3
|
||||
github.com/google/go-tpm-tools v0.3.7
|
||||
github.com/gorilla/websocket v1.5.0
|
||||
github.com/onsi/ginkgo/v2 v2.1.3
|
||||
@ -13,7 +15,6 @@ require (
|
||||
)
|
||||
|
||||
require (
|
||||
github.com/google/go-tpm v0.3.3 // indirect
|
||||
github.com/google/go-tspi v0.2.1-0.20190423175329-115dea689aad // indirect
|
||||
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
|
||||
golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
|
||||
|
7
go.sum
7
go.sum
@ -85,6 +85,7 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsr
|
||||
github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
|
||||
github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
|
||||
github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
|
||||
@ -96,6 +97,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
|
||||
github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
|
||||
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
|
||||
github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
|
||||
github.com/folbricht/tpmk v0.1.2-0.20230104073416-f20b20c289d7 h1:EUZwT2s8Z+p0LCSlDJT5HVfG19v0fG+YCHXiS/2Aslg=
|
||||
github.com/folbricht/tpmk v0.1.2-0.20230104073416-f20b20c289d7/go.mod h1:RqZlxu2qyyf7MZNF/r08R/B0/sZSBxdJRYuUZhY1mbY=
|
||||
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
|
||||
github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
|
||||
github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
|
||||
@ -325,6 +328,7 @@ github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
|
||||
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
|
||||
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
|
||||
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
|
||||
@ -383,6 +387,7 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
|
||||
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
|
||||
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
|
||||
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
|
||||
github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY=
|
||||
github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
|
||||
github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
|
||||
github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
|
||||
@ -565,6 +570,7 @@ golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBc
|
||||
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s=
|
||||
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
|
||||
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
@ -737,6 +743,7 @@ gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
|
||||
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
|
||||
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
|