diff --git a/ee/secureenclaverunner/secureenclaverunner.go b/ee/secureenclaverunner/secureenclaverunner.go
index 7126e92a8..735d25c8a 100644
--- a/ee/secureenclaverunner/secureenclaverunner.go
+++ b/ee/secureenclaverunner/secureenclaverunner.go
@@ -45,54 +45,48 @@ func New(ctx context.Context, slogger *slog.Logger, store types.GetterSetterDele
 	ctx, span := traces.StartSpan(ctx)
 	defer span.End()
 
-	ser := &secureEnclaveRunner{
+	return &secureEnclaveRunner{
 		uidPubKeyMap:        make(map[string]*ecdsa.PublicKey),
 		store:               store,
 		secureEnclaveClient: secureEnclaveClient,
 		slogger:             slogger.With("component", "secureenclaverunner"),
 		mux:                 &sync.Mutex{},
 		interrupt:           make(chan struct{}),
-	}
+	}, nil
+}
 
-	data, err := store.Get([]byte(publicEccDataKey))
+// Public returns the public key of the current console user
+// creating and peristing a new one if needed
+func (ser *secureEnclaveRunner) Execute() error {
+	data, err := ser.store.Get([]byte(publicEccDataKey))
 	if err != nil {
-		traces.SetError(span, fmt.Errorf("getting public ecc data from store: %w", err))
-		return nil, fmt.Errorf("getting public ecc data from store: %w", err)
+		return fmt.Errorf("getting public ecc data from store: %w", err)
 	}
 
-	if data == nil {
-		return ser, nil
-	}
-
-	if err := json.Unmarshal(data, ser); err != nil {
-		traces.SetError(span, fmt.Errorf("unmarshaling secure enclave signer: %w", err))
-		ser.slogger.Log(ctx, slog.LevelError,
-			"unable to unmarshal secure enclave signer, data may be corrupt, wiping",
-			"err", err,
-		)
-
-		if err := store.Delete([]byte(publicEccDataKey)); err != nil {
-			traces.SetError(span, fmt.Errorf("deleting corrupt public ecc data: %w", err))
-			ser.slogger.Log(ctx, slog.LevelError,
+	if data != nil {
+		if err := json.Unmarshal(data, ser); err != nil {
+			ser.slogger.Log(context.TODO(), slog.LevelError,
 				"unable to unmarshal secure enclave signer, data may be corrupt, wiping",
 				"err", err,
 			)
+
+			if err := ser.store.Delete([]byte(publicEccDataKey)); err != nil {
+				ser.slogger.Log(context.TODO(), slog.LevelError,
+					"unable to unmarshal secure enclave signer, data may be corrupt, wiping",
+					"err", err,
+				)
+			}
 		}
 	}
 
-	return ser, nil
-}
-
-// Public returns the public key of the current console user
-// creating and peristing a new one if needed
-func (ser *secureEnclaveRunner) Execute() error {
 	currentRetryInterval, maxRetryInterval := 1*time.Second, 1*time.Minute
 	retryTicker := time.NewTicker(currentRetryInterval)
 	defer retryTicker.Stop()
 
 	for {
-		if _, err := ser.currentConsoleUserKey(context.TODO()); err != nil {
-			ser.slogger.Log(context.TODO(), slog.LevelError,
+		ctx := context.Background()
+		if _, err := ser.currentConsoleUserKey(ctx); err != nil {
+			ser.slogger.Log(ctx, slog.LevelError,
 				"getting current console user key, will retry",
 				"err", err,
 			)
@@ -109,7 +103,7 @@ func (ser *secureEnclaveRunner) Execute() error {
 		case <-retryTicker.C:
 			continue
 		case <-ser.interrupt:
-			ser.slogger.Log(context.TODO(), slog.LevelDebug,
+			ser.slogger.Log(ctx, slog.LevelDebug,
 				"interrupt received, exiting secure enclave signer execute loop",
 			)
 			return nil
diff --git a/ee/secureenclaverunner/secureenclaverunner_test.go b/ee/secureenclaverunner/secureenclaverunner_test.go
index 0400f431d..4d6e543a3 100644
--- a/ee/secureenclaverunner/secureenclaverunner_test.go
+++ b/ee/secureenclaverunner/secureenclaverunner_test.go
@@ -86,6 +86,14 @@ func Test_secureEnclaveRunner(t *testing.T) {
 		ser, err := New(context.TODO(), multislogger.NewNopLogger(), store, nil)
 		require.NoError(t, err)
 
+		go func() {
+			// sleep long enough to get through 2 cycles of exectue
+			time.Sleep(3 * time.Second)
+			ser.Interrupt(errors.New("test"))
+		}()
+
+		require.NoError(t, ser.Execute())
+
 		// should be able to fetch the key
 		require.NotNil(t, ser.Public())
 	})
diff --git a/ee/tpmrunner/tpmrunner.go b/ee/tpmrunner/tpmrunner.go
index 586b84c09..5588ac81b 100644
--- a/ee/tpmrunner/tpmrunner.go
+++ b/ee/tpmrunner/tpmrunner.go
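Review bot: The log on the new `ser.store.Delete` failure path repeats the unmarshal message (`"unable to unmarshal secure enclave signer, data may be corrupt, wiping"`) where the old side reported `deleting corrupt public ecc data`, so a failed wipe is now indistinguishable in logs from the corrupt-data detection that precedes it; use something like `"unable to delete corrupt secure enclave signer data"`. The two `traces.SetError` calls on that path are dropped and Execute opens no span, so the wipe is visible only in logs — fine if intentional, but worth a comment. The loop below declares `ctx := context.Background()` while the wipe path uses `context.TODO()`; declaring one `ctx` above the store read and reusing it would be consistent. The doc comment moved onto Execute still reads `// Public returns the public key …` (and `peristing`), which describes a different method; I would replace it with `// Execute loads any persisted signer state from the store (wiping it if it cannot be decoded), then keeps ensuring the current console user key exists until Interrupt is called.` Execute's body continues past the hunk.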
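Review bot: The new goroutine sleeps a fixed 3 seconds before calling `ser.Interrupt`, which ties the test to the 1s initial retry interval and adds three wall-clock seconds to every run, while nothing asserts that two cycles actually happened; the interrupt could instead be sent once a condition is observed (for example polling `ser.Public()` until it is non-nil, if that is safe under the runner's mutex) or after a much shorter sleep. The comment also misspells `exectue`. The enclosing test function starts before the hunk.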
@@ -14,25 +14,31 @@ import (
 	"github.com/kolide/launcher/pkg/traces"
 )
 
-type tpmRunner struct {
-	signer        crypto.Signer
-	signerCreator tpmSignerCreator
-	store         types.GetterSetterDeleter
-	slogger       *slog.Logger
-	interrupt     chan struct{}
-	interrupted   bool
-}
+type (
+	tpmRunner struct {
+		signer        crypto.Signer
+		signerCreator tpmSignerCreator
+		store         types.GetterSetterDeleter
+		slogger       *slog.Logger
+		interrupt     chan struct{}
+		interrupted   bool
+	}
 
-// tpmSignerCreator is an interface for creating and loading TPM signers
-// useful for mocking in tests
-type tpmSignerCreator interface {
-	CreateKey(opts ...tpm.TpmSignerOption) (private []byte, public []byte, err error)
-	New(private, public []byte) (crypto.Signer, error)
-}
+	// tpmSignerCreator is an interface for creating and loading TPM signers
+	// useful for mocking in tests
+	tpmSignerCreator interface {
+		CreateKey(opts ...tpm.TpmSignerOption) (private []byte, public []byte, err error)
+		New(private, public []byte) (crypto.Signer, error)
+	}
+
+	// defaultTpmSignerCreator is the default implementation of tpmSignerCreator
+	// using the tpm package
+	defaultTpmSignerCreator struct{}
 
-// defaultTpmSignerCreator is the default implementation of tpmSignerCreator
-// using the tpm package
-type defaultTpmSignerCreator struct{}
+	// tpmRunnerOption is a functional option for tpmRunner
+	// useful for setting dependencies in tests
+	tpmRunnerOption func(*tpmRunner)
+)
 
 // CreateKey creates a new TPM key
 func (d defaultTpmSignerCreator) CreateKey(opts ...tpm.TpmSignerOption) (private []byte, public []byte, err error) {
@@ -44,19 +50,7 @@ func (d defaultTpmSignerCreator) New(private, public []byte) (crypto.Signer, err
 	return tpm.New(private, public)
 }
 
-// tpmRunnerOption is a functional option for tpmRunner
-// useful for setting dependencies in tests
-type tpmRunnerOption func(*tpmRunner)
-
 func New(ctx context.Context, slogger *slog.Logger, store types.GetterSetterDeleter, opts ...tpmRunnerOption) (*tpmRunner, error) {
-	_, span := traces.StartSpan(ctx)
-	defer span.End()
-
-	_, _, err := fetchKeyData(store)
-	if err != nil {
-		return nil, err
-	}
-
 	tpmRunner := &tpmRunner{
 		store:   store,
 		slogger: slogger.With("component", "tpmrunner"),
diff --git a/ee/tpmrunner/tpmrunner_test.go b/ee/tpmrunner/tpmrunner_test.go
index ef821a6fb..8a569aeb6 100644
--- a/ee/tpmrunner/tpmrunner_test.go
+++ b/ee/tpmrunner/tpmrunner_test.go
@@ -19,7 +19,7 @@ func withTpmSignerCreator(tpmSignerCreator tpmSignerCreator) tpmRunnerOption {
 	}
 }
 
-func Test_secureEnclaveSigner(t *testing.T) {
+func Test_tpmRunner(t *testing.T) {
 	t.Parallel()
 
 	privKey, err := echelper.GenerateEcdsaKey()
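Review bot: Dropping the `fetchKeyData(store)` call from New means a store read error or an undecodable key blob is no longer reported at construction and will surface only once Execute runs (that code is outside the hunk), so callers that relied on `New` failing fast for an unusable store now get a runner that fails later. If that is the intent, say so on New: `// New builds a tpmRunner without touching the store; stored key material is loaded and validated by Execute.` With the span removed, `ctx` is unused in the visible remainder of New, and if `traces.StartSpan` was this file's only use of the `traces` import shown in the first hunk the build now fails on an unused import — goimports would confirm either way. New's body continues past the hunk.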