Skip to content

Commit

Permalink
[aws_iid] tolerate network interfaces not being ordered by device ind…
Browse files Browse the repository at this point in the history
…ex (#5300)

Signed-off-by: James Ribe <manbeardo@gmail.com>
Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
  • Loading branch information
Manbeardo and amartinezfayo authored Jul 30, 2024
1 parent 14a3908 commit d52216d
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 6 deletions.
15 changes: 10 additions & 5 deletions pkg/server/plugin/nodeattestor/awsiid/iid.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ import (
"math"
"os"
"regexp"
"slices"
"sort"
"strings"
"sync"
Expand Down Expand Up @@ -328,13 +329,17 @@ func (p *IIDAttestorPlugin) SetLogger(log hclog.Logger) {
}

func (p *IIDAttestorPlugin) checkBlockDevice(instance ec2types.Instance) error {
ifaceZeroDeviceIndex := *instance.NetworkInterfaces[0].Attachment.DeviceIndex

if ifaceZeroDeviceIndex != 0 {
return fmt.Errorf("the EC2 instance network interface attachment device index must be zero (has %d)", ifaceZeroDeviceIndex)
ifaceZeroIndex := slices.IndexFunc(
instance.NetworkInterfaces,
func(net ec2types.InstanceNetworkInterface) bool {
return *net.Attachment.DeviceIndex == 0
},
)
if ifaceZeroIndex == -1 {
return errors.New("the EC2 instance network interface with device index 0 is inaccessible")
}

ifaceZeroAttachTime := instance.NetworkInterfaces[0].Attachment.AttachTime
ifaceZeroAttachTime := instance.NetworkInterfaces[ifaceZeroIndex].Attachment.AttachTime

// skip anti-tampering mechanism when RootDeviceType is instance-store
// specifically, if device type is persistent, and the device was attached past
Expand Down
23 changes: 22 additions & 1 deletion pkg/server/plugin/nodeattestor/awsiid/iid_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -221,7 +221,28 @@ func TestAttest(t *testing.T) {
output.Reservations[0].Instances[0].NetworkInterfaces[0].Attachment.DeviceIndex = &nonzeroDeviceIndex
},
expectCode: codes.Internal,
expectMsgPrefix: "nodeattestor(aws_iid): failed aws ec2 attestation: the EC2 instance network interface attachment device index must be zero (has 1)",
expectMsgPrefix: "nodeattestor(aws_iid): failed aws ec2 attestation: the EC2 instance network interface with device index 0 is inaccessible",
},
{
name: "block device anti-tampering check succeeds when network devices are not ordered by device index",
mutateDescribeInstancesOutput: func(output *ec2.DescribeInstancesOutput) {
output.Reservations[0].Instances[0].NetworkInterfaces[0].Attachment.DeviceIndex = &nonzeroDeviceIndex
output.Reservations[0].Instances[0].NetworkInterfaces = append(
output.Reservations[0].Instances[0].NetworkInterfaces,
ec2types.InstanceNetworkInterface{
Attachment: &ec2types.InstanceNetworkInterfaceAttachment{
DeviceIndex: &zeroDeviceIndex,
},
},
)
},
expectID: "spiffe://example.org/spire/agent/aws_iid/test-account/test-region/test-instance",
expectSelectors: []*common.Selector{
{Type: caws.PluginName, Value: "az:test-az"},
{Type: caws.PluginName, Value: "image:id:test-image-id"},
{Type: caws.PluginName, Value: "instance:id:test-instance"},
{Type: caws.PluginName, Value: "region:test-region"},
},
},
{
name: "block device anti-tampering check fails to locate root device",
Expand Down

0 comments on commit d52216d

Please sign in to comment.