mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 21:47:20 +00:00
d1992aa983
For #31048 This change includes some refactoring of orbit code. No functional changes. Moved non-Linux-specific code from `securehw_linux.go` to `securehw_tpm.go` so that tests on any platform can use it. There are no server changes impacting the upcoming 4.72 release. Just tests. # Checklist for submitter ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [x] Verified that fleetd runs on macOS, Linux and Windows <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Introduced a new TPM 2.0-based secure hardware interface, enabling creation, loading, and management of ECC keys within a TPM device. * Added support for both standard and RFC 9421-compatible HTTP signatures using TPM-backed keys. * **Bug Fixes** * Improved error handling and resource management for TPM operations. * **Tests** * Added comprehensive unit tests for TPM key file loading scenarios. * Introduced integration tests using a simulated TPM device to validate end-to-end secure hardware and SCEP workflows. * **Chores** * Updated dependencies for enhanced compatibility and security. * Modernized build constraints for improved maintainability. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
119 lines
3.2 KiB
Go
119 lines
3.2 KiB
Go
//go:build !windows
|
|
|
|
// Windows is disabled because the TPM simulator requires CGO, which causes lint failures on Windows.
|
|
|
|
package securehw
|
|
|
|
import (
|
|
"os"
|
|
"path/filepath"
|
|
"testing"
|
|
|
|
"github.com/google/go-tpm/tpm2/transport/simulator"
|
|
"github.com/rs/zerolog"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestLoadTPMKeyFile(t *testing.T) {
|
|
// Create a temporary directory for test files
|
|
tempDir := t.TempDir()
|
|
logger := zerolog.New(os.Stdout).With().Timestamp().Logger()
|
|
|
|
// Create a TPM simulator
|
|
sim, err := simulator.OpenSimulator()
|
|
require.NoError(t, err)
|
|
t.Cleanup(func() {
|
|
require.NoError(t, sim.Close())
|
|
})
|
|
|
|
t.Run("missing key file", func(t *testing.T) {
|
|
// Create tpm2SecureHW instance with non-existent key file path
|
|
hw := &tpm2SecureHW{
|
|
device: sim,
|
|
logger: logger,
|
|
keyFilePath: filepath.Join(tempDir, "non_existent_key.pem"),
|
|
}
|
|
|
|
// Try to load the key file
|
|
privateKey, publicKey, err := hw.loadTPMKeyFile()
|
|
|
|
// Should return ErrKeyNotFound
|
|
require.Error(t, err)
|
|
var keyNotFoundErr ErrKeyNotFound
|
|
require.ErrorAs(t, err, &keyNotFoundErr)
|
|
require.Nil(t, privateKey)
|
|
require.Nil(t, publicKey)
|
|
})
|
|
|
|
t.Run("invalid key file format", func(t *testing.T) {
|
|
// Create a file with invalid content
|
|
invalidKeyPath := filepath.Join(tempDir, "invalid_key.pem")
|
|
err = os.WriteFile(invalidKeyPath, []byte("this is not a valid TPM key file"), 0600)
|
|
require.NoError(t, err)
|
|
|
|
// Create tpm2SecureHW instance
|
|
hw := &tpm2SecureHW{
|
|
device: sim,
|
|
logger: logger,
|
|
keyFilePath: invalidKeyPath,
|
|
}
|
|
|
|
// Try to load the invalid key file
|
|
privateKey, publicKey, err := hw.loadTPMKeyFile()
|
|
|
|
// Should return an error about decoding
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), "failed to decode keyfile")
|
|
require.Nil(t, privateKey)
|
|
require.Nil(t, publicKey)
|
|
})
|
|
|
|
t.Run("empty key file", func(t *testing.T) {
|
|
// Create an empty file
|
|
emptyKeyPath := filepath.Join(tempDir, "empty_key.pem")
|
|
err = os.WriteFile(emptyKeyPath, []byte{}, 0600)
|
|
require.NoError(t, err)
|
|
|
|
// Create tpm2SecureHW instance
|
|
hw := &tpm2SecureHW{
|
|
device: sim,
|
|
logger: logger,
|
|
keyFilePath: emptyKeyPath,
|
|
}
|
|
|
|
// Try to load the empty key file
|
|
privateKey, publicKey, err := hw.loadTPMKeyFile()
|
|
|
|
// Should return an error about decoding
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), "failed to decode keyfile")
|
|
require.Nil(t, privateKey)
|
|
require.Nil(t, publicKey)
|
|
})
|
|
|
|
t.Run("PEM formatted but not TPM key", func(t *testing.T) {
|
|
// Create a file with valid PEM but not a TPM key
|
|
pemKeyPath := filepath.Join(tempDir, "not_tpm_key.pem")
|
|
pemContent := `-----BEGIN CERTIFICATE-----
|
|
MIIBkTCB+wIJAKHHIG...
|
|
-----END CERTIFICATE-----`
|
|
err = os.WriteFile(pemKeyPath, []byte(pemContent), 0600)
|
|
require.NoError(t, err)
|
|
|
|
// Create tpm2SecureHW instance
|
|
hw := &tpm2SecureHW{
|
|
device: sim,
|
|
logger: logger,
|
|
keyFilePath: pemKeyPath,
|
|
}
|
|
|
|
// Try to load the PEM file that's not a TPM key
|
|
privateKey, publicKey, err := hw.loadTPMKeyFile()
|
|
|
|
// Should return an error about decoding
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), "failed to decode keyfile")
|
|
require.Nil(t, privateKey)
|
|
require.Nil(t, publicKey)
|
|
})
|
|
}
|