8000 Add launcherfile package for path and file consts by alexmwu · Pull Request #356 · google/go-tpm-tools · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Add launcherfile package for path and file consts #356

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Sep 14, 2023
Merged

Add launcherfile package for path and file consts #356

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 7 additions & 14 deletions launcher/container_runner.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ import (
"github.com/google/go-tpm-tools/cel"
"github.com/google/go-tpm-tools/client"
"github.com/google/go-tpm-tools/launcher/agent"
"github.com/google/go-tpm-tools/launcher/launcherfile"
"github.com/google/go-tpm-tools/launcher/spec"
"github.com/google/go-tpm-tools/launcher/verifier"
"github.com/google/go-tpm-tools/launcher/verifier/rest"
Expand All @@ -49,15 +50,7 @@ type ContainerRunner struct {
serialConsole *os.File
}

const (
// hostTokenPath defined the directory in the host that will store attestation tokens
hostTokenPath = "/tmp/container_launcher/"
// ContainerTokenMountPath defined the directory in the container stores attestation tokens
ContainerTokenMountPath = "/run/container_launcher/"
// AttestationVerifierTokenFile defines the name of the file the attestation token is stored in.
AttestationVerifierTokenFile = "attestation_verifier_claims_token"
tokenFileTmp = ".token.tmp"
)
const tokenFileTmp = ".token.tmp"

// Since we only allow one container on a VM, using a deterministic id is probably fine
const (
Expand Down Expand Up @@ -283,9 +276,9 @@ func formatEnvVars(envVars []spec.EnvVar) ([]string, error) {
// appendTokenMounts appends the default mount specs for the OIDC token
func appendTokenMounts(mounts []specs.Mount) []specs.Mount {
m := specs.Mount{}
m.Destination = ContainerTokenMountPath
m.Destination = launcherfile.ContainerRuntimeMountPath
m.Type = "bind"
m.Source = hostTokenPath
m.Source = launcherfile.HostTmpPath
m.Options = []string{"rbind", "ro"}

return append(mounts, m)
Expand Down Expand Up @@ -374,13 +367,13 @@ func (r *ContainerRunner) refreshToken(ctx context.Context) (time.Duration, erro
}

// Write to a temp file first.
tmpTokenPath := path.Join(hostTokenPath, tokenFileTmp)
tmpTokenPath := path.Join(launcherfile.HostTmpPath, tokenFileTmp)
if err = os.WriteFile(tmpTokenPath, token, 0644); err != nil {
return 0, fmt.Errorf("failed to write a tmp token file: %v", err)
}

// Rename the temp file to the token file (to avoid race conditions).
if err = os.Rename(tmpTokenPath, path.Join(hostTokenPath, AttestationVerifierTokenFile)); err != nil {
if err = os.Rename(tmpTokenPath, path.Join(launcherfile.HostTmpPath, launcherfile.AttestationVerifierTokenFilename)); err != nil {
return 0, fmt.Errorf("failed to rename the token file: %v", err)
}

Expand Down Expand Up @@ -408,7 +401,7 @@ func (r *ContainerRunner) fetchAndWriteToken(ctx context.Context) error {
// retry specifies the refresher goroutine's retry policy.
func (r *ContainerRunner) fetchAndWriteTokenWithRetry(ctx context.Context,
retry *backoff.ExponentialBackOff) error {
if err := os.MkdirAll(hostTokenPath, 0744); err != nil {
if err := os.MkdirAll(launcherfile.HostTmpPath, 0744); err != nil {
return err
}
duration, err := r.refreshToken(ctx)
Expand Down
15 changes: 8 additions & 7 deletions launcher/container_runner_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ import (
"github.com/containerd/containerd/namespaces"
"github.com/golang-jwt/jwt/v4"
"github.com/google/go-tpm-tools/cel"
"github.com/google/go-tpm-tools/launcher/launcherfile"
"github.com/google/go-tpm-tools/launcher/spec"
"golang.org/x/oauth2"
"google.golang.org/api/option"
Expand Down Expand Up @@ -108,7 +109,7 @@ func TestRefreshToken(t *testing.T) {
logger: log.Default(),
}

if err := os.MkdirAll(hostTokenPath, 0744); err != nil {
if err := os.MkdirAll(launcherfile.HostTmpPath, 0744); err != nil {
t.Fatalf("Error creating host token path directory: %v", err)
}

Expand All @@ -117,7 +118,7 @@ func TestRefreshToken(t *testing.T) {
t.Fatalf("refreshToken returned with error: %v", err)
}

filepath := path.Join(hostTokenPath, AttestationVerifierTokenFile)
filepath := path.Join(launcherfile.HostTmpPath, launcherfile.AttestationVerifierTokenFilename)
data, err := os.ReadFile(filepath)
if err != nil {
t.Fatalf("Failed to read from %s: %v", filepath, err)
Expand All @@ -134,7 +135,7 @@ func TestRefreshToken(t *testing.T) {
}

func TestRefreshTokenError(t *testing.T) {
if err := os.MkdirAll(hostTokenPath, 0744); err != nil {
if err := os.MkdirAll(launcherfile.HostTmpPath, 0744); err != nil {
t.Fatalf("Error creating host token path directory: %v", err)
}

Expand Down Expand Up @@ -194,7 +195,7 @@ func TestFetchAndWriteTokenSucceeds(t *testing.T) {
t.Fatalf("fetchAndWriteToken failed: %v", err)
}

filepath := path.Join(hostTokenPath, AttestationVerifierTokenFile)
filepath := path.Join(launcherfile.HostTmpPath, launcherfile.AttestationVerifierTokenFilename)
data, err := os.ReadFile(filepath)
if err != nil {
t.Fatalf("Failed to read from %s: %v", filepath, err)
Expand Down Expand Up @@ -228,7 +229,7 @@ func TestTokenIsNotChangedIfRefreshFails(t *testing.T) {
t.Fatalf("fetchAndWriteToken failed: %v", err)
}

filepath := path.Join(hostTokenPath, AttestationVerifierTokenFile)
filepath := path.Join(launcherfile.HostTmpPath, launcherfile.AttestationVerifierTokenFilename)
data, err := os.ReadFile(filepath)
if err != nil {
t.Fatalf("Failed to read from %s: %v", filepath, err)
Expand Down Expand Up @@ -306,7 +307,7 @@ func testRetryPolicyWithNTries(t *testing.T, numTries int, expectRefresh bool) {
if err := runner.fetchAndWriteTokenWithRetry(ctx, testRetryPolicyThreeTimes()); err != nil {
t.Fatalf("fetchAndWriteTokenWithRetry failed: %v", err)
}
filepath := path.Join(hostTokenPath, AttestationVerifierTokenFile)
filepath := path.Join(launcherfile.HostTmpPath, launcherfile.AttestationVerifierTokenFilename)
data, err := os.ReadFile(filepath)
if err != nil {
t.Fatalf("failed to read from %s: %v", filepath, err)
Expand Down Expand Up @@ -360,7 +361,7 @@ func TestFetchAndWriteTokenWithTokenRefresh(t *testing.T) {
t.Fatalf("fetchAndWriteToken failed: %v", err)
}

filepath := path.Join(hostTokenPath, AttestationVerifierTokenFile)
filepath := path.Join(launcherfile.HostTmpPath, launcherfile.AttestationVerifierTokenFilename)
data, err := os.ReadFile(filepath)
if err != nil {
t.Fatalf("Failed to read from %s: %v", filepath, err)
Expand Down
12 changes: 12 additions & 0 deletions launcher/launcherfile/launcherfile.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
// Package launcherfile contains functions and constants for interacting with
// launcher files.
package launcherfile

const (
// HostTmpPath defined the directory in the host that will store attestation tokens
HostTmpPath = "/tmp/container_launcher/"
// ContainerRuntimeMountPath defined the directory in the container stores attestation tokens
ContainerRuntimeMountPath = "/run/container_launcher/"
// AttestationVerifierTokenFilename defines the name of the file the attestation token is stored in.
AttestationVerifierTokenFilename = "attestation_verifier_claims_token"
)
0