From b3587b534267eab2366d32175e9080a1fa706318 Mon Sep 17 00:00:00 2001 From: PuneetPunamiya Date: Fri, 22 Sep 2023 23:28:01 +0530 Subject: [PATCH] Fixes Hashivault configuration with Chains Initially when kms was misconfigured, then the chains controller pod was getting panic and ended up getting crashed Hence, this patch checks it the vault address is valid and if it is not valid, then returns the error which handles the pod from getting panic and crashed Signed-off-by: PuneetPunamiya --- pkg/chains/signing/kms/kms.go | 19 +++++++++++-- pkg/chains/signing/kms/kms_test.go | 45 ++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+), 2 deletions(-) create mode 100644 pkg/chains/signing/kms/kms_test.go diff --git a/pkg/chains/signing/kms/kms.go b/pkg/chains/signing/kms/kms.go index 8db5c1669a..c280fc888a 100644 --- a/pkg/chains/signing/kms/kms.go +++ b/pkg/chains/signing/kms/kms.go @@ -17,8 +17,9 @@ package kms import ( "context" "crypto" - - "github.com/tektoncd/chains/pkg/config" + "net" + "strings" + "time" "github.com/sigstore/sigstore/pkg/signature" "github.com/sigstore/sigstore/pkg/signature/kms" @@ -27,6 +28,7 @@ import ( _ "github.com/sigstore/sigstore/pkg/signature/kms/gcp" _ "github.com/sigstore/sigstore/pkg/signature/kms/hashivault" "github.com/sigstore/sigstore/pkg/signature/options" + "github.com/tektoncd/chains/pkg/config" "github.com/spiffe/go-spiffe/v2/svid/jwtsvid" "github.com/spiffe/go-spiffe/v2/workloadapi" @@ -41,6 +43,19 @@ type Signer struct { // NewSigner returns a configured Signer func NewSigner(ctx context.Context, cfg config.KMSSigner) (*Signer, error) { kmsOpts := []signature.RPCOption{} + + // Checks if the vault address provide by the user is a valid address or not + if cfg.Auth.Address != "" { + vaultAddress := strings.TrimPrefix(cfg.Auth.Address, "http://") + vaultAddress = strings.TrimPrefix(vaultAddress, "https://") + + conn, err := net.DialTimeout("tcp", vaultAddress, 5*time.Second) + if err != nil { + return nil, err + } + defer conn.Close() + } + // pass through configuration options to RPCAuth used by KMS in sigstore rpcAuth := options.RPCAuth{ Address: cfg.Auth.Address, diff --git a/pkg/chains/signing/kms/kms_test.go b/pkg/chains/signing/kms/kms_test.go new file mode 100644 index 0000000000..eedadee2f2 --- /dev/null +++ b/pkg/chains/signing/kms/kms_test.go @@ -0,0 +1,45 @@ +/* +Copyright 2023 The Tekton Authors +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package kms creates a signer using a key management server + +package kms + +import ( + "context" + "testing" + + "github.com/tektoncd/chains/pkg/config" +) + +func TestInValidVaultAddressTimeOut(t *testing.T) { + cfg := config.KMSSigner{} + cfg.Auth.Address = "http://test.com:8200" + + _, err := NewSigner(context.TODO(), cfg) + expectedErrorMessage := "dial tcp 67.225.146.248:8200: i/o timeout" + if err.Error() != expectedErrorMessage { + t.Errorf("Expected error message '%s', but got '%s'", expectedErrorMessage, err.Error()) + } +} + +func TestInValidVaultAddressConnectionRefuse(t *testing.T) { + cfg := config.KMSSigner{} + cfg.Auth.Address = "http://127.0.0.1:8200" + + _, err := NewSigner(context.TODO(), cfg) + expectedErrorMessage := "dial tcp 127.0.0.1:8200: connect: connection refused" + if err.Error() != expectedErrorMessage { + t.Errorf("Expected error message '%s', but got '%s'", expectedErrorMessage, err.Error()) + } +}