fleet/ee/orbit/pkg/securehw/securehw_test.go

//go:build !windows

// Windows is disabled because the TPM simulator requires CGO, which causes lint failures on Windows.

package securehw

import (
	"os"
	"path/filepath"
	"testing"

	"github.com/google/go-tpm/tpm2/transport/simulator"
	"github.com/rs/zerolog"
	"github.com/stretchr/testify/require"
)

func TestLoadTPMKeyFile(t *testing.T) {
	// Create a temporary directory for test files
	tempDir := t.TempDir()
	logger := zerolog.New(os.Stdout).With().Timestamp().Logger()

	// Create a TPM simulator
	sim, err := simulator.OpenSimulator()
	require.NoError(t, err)
	t.Cleanup(func() {
		require.NoError(t, sim.Close())
	})

	t.Run("missing key file", func(t *testing.T) {
		// Create tpm2SecureHW instance with non-existent key file path
		hw := &tpm2SecureHW{
			device:      sim,
			logger:      logger,
			keyFilePath: filepath.Join(tempDir, "non_existent_key.pem"),
		}

		// Try to load the key file
		privateKey, publicKey, err := hw.loadTPMKeyFile()

		// Should return ErrKeyNotFound
		require.Error(t, err)
		var keyNotFoundErr ErrKeyNotFound
		require.ErrorAs(t, err, &keyNotFoundErr)
		require.Nil(t, privateKey)
		require.Nil(t, publicKey)
	})

	t.Run("invalid key file format", func(t *testing.T) {
		// Create a file with invalid content
		invalidKeyPath := filepath.Join(tempDir, "invalid_key.pem")
		err = os.WriteFile(invalidKeyPath, []byte("this is not a valid TPM key file"), 0600)
		require.NoError(t, err)

		// Create tpm2SecureHW instance
		hw := &tpm2SecureHW{
			device:      sim,
			logger:      logger,
			keyFilePath: invalidKeyPath,
		}

		// Try to load the invalid key file
		privateKey, publicKey, err := hw.loadTPMKeyFile()

		// Should return an error about decoding
		require.Error(t, err)
		require.Contains(t, err.Error(), "failed to decode keyfile")
		require.Nil(t, privateKey)
		require.Nil(t, publicKey)
	})

	t.Run("empty key file", func(t *testing.T) {
		// Create an empty file
		emptyKeyPath := filepath.Join(tempDir, "empty_key.pem")
		err = os.WriteFile(emptyKeyPath, []byte{}, 0600)
		require.NoError(t, err)

		// Create tpm2SecureHW instance
		hw := &tpm2SecureHW{
			device:      sim,
			logger:      logger,
			keyFilePath: emptyKeyPath,
		}

		// Try to load the empty key file
		privateKey, publicKey, err := hw.loadTPMKeyFile()

		// Should return an error about decoding
		require.Error(t, err)
		require.Contains(t, err.Error(), "failed to decode keyfile")
		require.Nil(t, privateKey)
		require.Nil(t, publicKey)
	})

	t.Run("PEM formatted but not TPM key", func(t *testing.T) {
		// Create a file with valid PEM but not a TPM key
		pemKeyPath := filepath.Join(tempDir, "not_tpm_key.pem")
		pemContent := `-----BEGIN CERTIFICATE-----
MIIBkTCB+wIJAKHHIG...
-----END CERTIFICATE-----`
		err = os.WriteFile(pemKeyPath, []byte(pemContent), 0600)
		require.NoError(t, err)

		// Create tpm2SecureHW instance
		hw := &tpm2SecureHW{
			device:      sim,
			logger:      logger,
			keyFilePath: pemKeyPath,
		}

		// Try to load the PEM file that's not a TPM key
		privateKey, publicKey, err := hw.loadTPMKeyFile()

		// Should return an error about decoding
		require.Error(t, err)
		require.Contains(t, err.Error(), "failed to decode keyfile")
		require.Nil(t, privateKey)
		require.Nil(t, publicKey)
	})
}
Added integration test for TPM. (#31315) For #31048 This change includes some refactoring of orbit code. No functional changes. Moved non-Linux-specific code from `securehw_linux.go` to `securehw_tpm.go` so that tests on any platform can use it. There are no server changes impacting the upcoming 4.72 release. Just tests. # Checklist for submitter ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [x] Verified that fleetd runs on macOS, Linux and Windows <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Introduced a new TPM 2.0-based secure hardware interface, enabling creation, loading, and management of ECC keys within a TPM device. * Added support for both standard and RFC 9421-compatible HTTP signatures using TPM-backed keys. * Bug Fixes * Improved error handling and resource management for TPM operations. * Tests * Added comprehensive unit tests for TPM key file loading scenarios. * Introduced integration tests using a simulated TPM device to validate end-to-end secure hardware and SCEP workflows. * Chores * Updated dependencies for enhanced compatibility and security. * Modernized build constraints for improved maintainability. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-29 18:21:09 +00:00			`//go:build !windows`

			`// Windows is disabled because the TPM simulator requires CGO, which causes lint failures on Windows.`

			`package securehw`

			`import (`
			`"os"`
			`"path/filepath"`
			`"testing"`

			`"github.com/google/go-tpm/tpm2/transport/simulator"`
			`"github.com/rs/zerolog"`
			`"github.com/stretchr/testify/require"`
			`)`

			`func TestLoadTPMKeyFile(t *testing.T) {`
			`// Create a temporary directory for test files`
			`tempDir := t.TempDir()`
			`logger := zerolog.New(os.Stdout).With().Timestamp().Logger()`

			`// Create a TPM simulator`
			`sim, err := simulator.OpenSimulator()`
			`require.NoError(t, err)`
			`t.Cleanup(func() {`
			`require.NoError(t, sim.Close())`
			`})`

			`t.Run("missing key file", func(t *testing.T) {`
			`// Create tpm2SecureHW instance with non-existent key file path`
			`hw := &tpm2SecureHW{`
			`device: sim,`
			`logger: logger,`
			`keyFilePath: filepath.Join(tempDir, "non_existent_key.pem"),`
			`}`

			`// Try to load the key file`
			`privateKey, publicKey, err := hw.loadTPMKeyFile()`

			`// Should return ErrKeyNotFound`
			`require.Error(t, err)`
			`var keyNotFoundErr ErrKeyNotFound`
			`require.ErrorAs(t, err, &keyNotFoundErr)`
			`require.Nil(t, privateKey)`
			`require.Nil(t, publicKey)`
			`})`

			`t.Run("invalid key file format", func(t *testing.T) {`
			`// Create a file with invalid content`
			`invalidKeyPath := filepath.Join(tempDir, "invalid_key.pem")`
			`err = os.WriteFile(invalidKeyPath, []byte("this is not a valid TPM key file"), 0600)`
			`require.NoError(t, err)`

			`// Create tpm2SecureHW instance`
			`hw := &tpm2SecureHW{`
			`device: sim,`
			`logger: logger,`
			`keyFilePath: invalidKeyPath,`
			`}`

			`// Try to load the invalid key file`
			`privateKey, publicKey, err := hw.loadTPMKeyFile()`

			`// Should return an error about decoding`
			`require.Error(t, err)`
			`require.Contains(t, err.Error(), "failed to decode keyfile")`
			`require.Nil(t, privateKey)`
			`require.Nil(t, publicKey)`
			`})`

			`t.Run("empty key file", func(t *testing.T) {`
			`// Create an empty file`
			`emptyKeyPath := filepath.Join(tempDir, "empty_key.pem")`
			`err = os.WriteFile(emptyKeyPath, []byte{}, 0600)`
			`require.NoError(t, err)`

			`// Create tpm2SecureHW instance`
			`hw := &tpm2SecureHW{`
			`device: sim,`
			`logger: logger,`
			`keyFilePath: emptyKeyPath,`
			`}`

			`// Try to load the empty key file`
			`privateKey, publicKey, err := hw.loadTPMKeyFile()`

			`// Should return an error about decoding`
			`require.Error(t, err)`
			`require.Contains(t, err.Error(), "failed to decode keyfile")`
			`require.Nil(t, privateKey)`
			`require.Nil(t, publicKey)`
			`})`

			`t.Run("PEM formatted but not TPM key", func(t *testing.T) {`
			`// Create a file with valid PEM but not a TPM key`
			`pemKeyPath := filepath.Join(tempDir, "not_tpm_key.pem")`
			pemContent := `-----BEGIN CERTIFICATE-----
			`MIIBkTCB+wIJAKHHIG...`
			-----END CERTIFICATE-----`
			`err = os.WriteFile(pemKeyPath, []byte(pemContent), 0600)`
			`require.NoError(t, err)`

			`// Create tpm2SecureHW instance`
			`hw := &tpm2SecureHW{`
			`device: sim,`
			`logger: logger,`
			`keyFilePath: pemKeyPath,`
			`}`

			`// Try to load the PEM file that's not a TPM key`
			`privateKey, publicKey, err := hw.loadTPMKeyFile()`

			`// Should return an error about decoding`
			`require.Error(t, err)`
			`require.Contains(t, err.Error(), "failed to decode keyfile")`
			`require.Nil(t, privateKey)`
			`require.Nil(t, publicKey)`
			`})`
			`}`