Add measurement corpus as part of the control plane artifacts (#21)

Author: labbott

artifact/src/kind.rs

@@ -196,6 +196,9 @@ pub enum KnownArtifactKind {
     SwitchSp,
     SwitchRot,
     SwitchRotBootloader,
+
+    // Reference Measurements
+    MeasurementCorpus,
 }
 
 impl KnownArtifactKind {
@@ -222,6 +225,7 @@ impl KnownArtifactKind {
             | KnownArtifactKind::Trampoline
             | KnownArtifactKind::ControlPlane
             | KnownArtifactKind::Zone
+            | KnownArtifactKind::MeasurementCorpus
             | KnownArtifactKind::PscSp
             | KnownArtifactKind::PscRotBootloader
             | KnownArtifactKind::SwitchSp

bin/invalid-manifests/duplicate-measurement.toml

@@ -0,0 +1,18 @@
+# This manifest has two measurement corpora that hash to the same contents. This
+# is not allowed.
+
+system_version = "1.0.0"
+
+[[artifact.control_plane]]
+name = "fake-control-plane"
+version = "1.0.0"
+[artifact.control_plane.source]
+kind = "composite-control-plane"
+zones = [
+    { kind = "fake", artifact_name = "zone-1", file_name = "zone1.tar.gz", size = "1MiB" },
+    { kind = "fake", artifact_name = "zone-2", file_name = "zone2.tar.gz", size = "1MiB" },
+]
+measurement_corpus = [
+    { kind = "fake", artifact_name = "measurement1", file_name = "measurement1.cbor", size = "1MiB" },
+    { kind = "fake", artifact_name = "measurement1", file_name = "measurement1-dup.cbor", size = "1MiB" },
+]

bin/invalid-manifests/duplicate-zone-file-name.toml

@@ -12,3 +12,7 @@ zones = [
     { kind = "fake", artifact_name = "zone-1", file_name = "zone1.tar.gz", size = "1MiB" },
     { kind = "fake", artifact_name = "zone-1", file_name = "zone1-dup.tar.gz", size = "1MiB" },
 ]
+measurement_corpus = [
+    { kind = "fake", artifact_name = "measurement1", file_name = "measurement1.cbor", size = "1MiB" },
+    { kind = "fake", artifact_name = "measurement2", file_name = "measurement2.cbor", size = "1MiB" },
+]

bin/manifests/fake-non-semver.toml

@@ -44,6 +44,10 @@ zones = [
     { kind = "fake", artifact_name = "zone-1", file_name = "zone1.tar.gz", size = "1MiB" },
     { kind = "fake", artifact_name = "zone-2", file_name = "zone2.tar.gz", size = "1MiB" },
 ]
+measurement_corpus = [
+    { kind = "fake", artifact_name = "measurement1", file_name = "a.cbor", size = "1MiB" },
+    { kind = "fake", artifact_name = "measurement2", file_name = "b.cbor", size = "1MiB" },
+]
 
 [[artifact.psc_sp]]
 name = "fake-psc-sp"

bin/manifests/fake.toml

@@ -42,6 +42,10 @@ zones = [
     { kind = "fake", artifact_name = "zone-1", file_name = "zone1.tar.gz", size = "1MiB" },
     { kind = "fake", artifact_name = "zone-2", file_name = "zone2.tar.gz", size = "1MiB" },
 ]
+measurement_corpus = [
+    { kind = "fake", artifact_name = "measurement1", file_name = "a.cbor", size = "1MiB" },
+    { kind = "fake", artifact_name = "measurement2", file_name = "b.cbor", size = "1MiB" },
+]
 
 [[artifact.psc_sp]]
 name = "fake-psc-sp"

bin/tests/integration-tests/command_tests.rs

@@ -258,6 +258,41 @@ fn test_assemble_duplicate_zone() -> Result<()> {
     Ok(())
 }
 
+#[test]
+fn test_assemble_duplicate_measurement() -> Result<()> {
+    let log_config = ConfigLogging::File {
+        level: ConfigLoggingLevel::Trace,
+        path: "UNUSED".into(),
+        if_exists: ConfigLoggingIfExists::Fail,
+    };
+    let logctx =
+        LogContext::new("test_assemble_duplicate_measurement", &log_config);
+    let tempdir = tempfile::tempdir().unwrap();
+    let key = Key::generate_ed25519()?;
+
+    let archive_path = tempdir.path().join("archive.zip");
+
+    let mut cmd = make_cmd(&key);
+    cmd.args([
+        "assemble",
+        "--skip-all-present",
+        "invalid-manifests/duplicate-measurement.toml",
+    ]);
+    cmd.arg(&archive_path);
+    cmd.assert()
+        .failure()
+        .stderr(predicate::str::contains(
+            r#"a deployment unit with the same kind and hash already exists in this control_plane artifact:"#,
+        ))
+        .stderr(predicate::str::contains("zone/"))
+        .stderr(predicate::str::contains(
+            r#"(existing name: measurement1.cbor, version: 1.0.0; new name: measurement1-dup.cbor, version: 1.0.0)"#,
+        ));
+
+    logctx.cleanup_successful();
+    Ok(())
+}
+
 #[test]
 fn test_assemble_duplicate_artifact() -> Result<()> {
     let log_config = ConfigLogging::File {

lib/src/artifact.rs

@@ -369,31 +369,44 @@ impl RotArchives {
     }
 }
 
+/// Represents an entry type in a control plane, used with `ControlPlaneImages::extract_into`
+pub enum ControlPlaneEntry {
+    Zone,
+    MeasurementCorpus,
+}
+
 /// Represents control plane zone images.
 ///
 /// The control plane artifact is actually a tarball that contains a set of zone
 /// images. This code extracts those images out of the tarball.
 #[derive(Clone, Debug)]
 pub struct ControlPlaneZoneImages {
     pub zones: Vec<(String, Bytes)>,
+    pub measurement_corpus: Vec<(String, Bytes)>,
 }
 
 impl ControlPlaneZoneImages {
     pub fn extract<R: io::Read>(reader: R) -> Result<Self> {
         let mut zones = Vec::new();
-        Self::extract_into(reader, |name, reader| {
+        let mut measurement_corpus = Vec::new();
+        Self::extract_into(reader, |name, kind, reader| {
             let mut buf = Vec::new();
             io::copy(reader, &mut buf)?;
-            zones.push((name, buf.into()));
+            match kind {
+                ControlPlaneEntry::Zone => zones.push((name, buf.into())),
+                ControlPlaneEntry::MeasurementCorpus => {
+                    measurement_corpus.push((name, buf.into()))
+                }
+            }
             Ok(())
         })?;
-        Ok(Self { zones })
+        Ok(Self { zones, measurement_corpus })
     }
 
     pub fn extract_into<R, F>(reader: R, mut handler: F) -> Result<()>
     where
         R: io::Read,
-        F: FnMut(String, &mut dyn io::Read) -> Result<()>,
+        F: FnMut(String, ControlPlaneEntry, &mut dyn io::Read) -> Result<()>,
     {
         let uncompressed =
             flate2::bufread::GzDecoder::new(BufReader::new(reader));
@@ -432,9 +445,24 @@ impl ControlPlaneZoneImages {
                     .and_then(|s| s.to_str())
                     .map(|s| s.to_string())
                 {
-                    handler(name, &mut entry)?;
+                    handler(name, ControlPlaneEntry::Zone, &mut entry)?;
                 }
                 zone_found = true;
+            } else if path
+                .starts_with(CONTROL_PLANE_ARCHIVE_MEASUREMENT_DIRECTORY)
+            {
+                if let Some(name) = path
+                    .file_name()
+                    .and_then(|s| s.to_str())
+                    .map(|s| s.to_string())
+                {
+                    handler(
+                        name,
+                        ControlPlaneEntry::MeasurementCorpus,
+                        &mut entry,
+                    )?;
+                }
+                // We will eventually want to make this required
             }
         }
 
@@ -463,3 +491,4 @@ pub(crate) static HOST_PHASE_2_FILE_NAME: &str = "image/zfs.img";
 pub(crate) static ROT_ARCHIVE_A_FILE_NAME: &str = "archive-a.zip";
 pub(crate) static ROT_ARCHIVE_B_FILE_NAME: &str = "archive-b.zip";
 static CONTROL_PLANE_ARCHIVE_ZONE_DIRECTORY: &str = "zones";
+static CONTROL_PLANE_ARCHIVE_MEASUREMENT_DIRECTORY: &str = "measurements";

lib/src/artifact/composite.rs

@@ -13,6 +13,7 @@ use tufaceous_artifact::ArtifactHash;
 use tufaceous_brand_metadata::{ArchiveType, Metadata};
 
 use super::{
+    CONTROL_PLANE_ARCHIVE_MEASUREMENT_DIRECTORY,
     CONTROL_PLANE_ARCHIVE_ZONE_DIRECTORY, HOST_PHASE_1_FILE_NAME,
     HOST_PHASE_2_FILE_NAME, ROT_ARCHIVE_A_FILE_NAME, ROT_ARCHIVE_B_FILE_NAME,
 };
@@ -56,6 +57,21 @@ impl<W: Write> CompositeControlPlaneArchiveBuilder<W> {
         Ok((hash, name.to_owned()))
     }
 
+    pub fn append_measurement(
+        &mut self,
+        name: &str,
+        entry: CompositeEntry<'_>,
+    ) -> Result<(ArtifactHash, String)> {
+        let name_path = Utf8Path::new(name);
+        if name_path.file_name() != Some(name) {
+            bail!("measurement filenames should not contain paths");
+        }
+        let path = Utf8Path::new(CONTROL_PLANE_ARCHIVE_MEASUREMENT_DIRECTORY)
+            .join(name_path);
+        let hash = self.inner.append_file(path.as_str(), entry)?;
+        Ok((hash, name.to_owned()))
+    }
+
     pub fn finish(self) -> Result<W> {
         self.inner.finish()
     }

lib/src/assemble/manifest.rs

@@ -247,6 +247,7 @@ impl ArtifactManifest {
                     }
                     DeserializedArtifactSource::CompositeControlPlane {
                         zones,
+                        measurement_corpus,
                     } => {
                         ensure!(
                             kind == KnownArtifactKind::ControlPlane,
@@ -289,6 +290,21 @@ impl ArtifactManifest {
                                 hash,
                             })?;
                         }
+                        for manifest in measurement_corpus {
+                            let (hash, name) = manifest.with_name_and_entry(
+                                &artifact_data.version,
+                                |name, entry| {
+                                    builder.append_measurement(name, entry)
+                                },
+                            )?;
+                            data_builder.insert(DeploymentUnitData {
+                                name: name.to_owned(),
+                                version: artifact_data.version.clone(),
+                                kind: zone_kind.clone(),
+                                hash,
+                            })?;
+                        }
+
                         (
                             ArtifactSource::Memory(builder.finish()?.into()),
                             data_builder.finish_units(),
@@ -338,7 +354,13 @@ impl ArtifactManifest {
     /// details if any artifacts are missing.
     pub fn verify_all_present(&self) -> Result<()> {
         let all_artifacts: BTreeSet<_> = KnownArtifactKind::iter()
-            .filter(|k| !matches!(k, KnownArtifactKind::Zone))
+            .filter(|k| {
+                !matches!(
+                    k,
+                    KnownArtifactKind::Zone
+                        | KnownArtifactKind::MeasurementCorpus
+                )
+            })
             .collect();
         let present_artifacts: BTreeSet<_> =
             self.artifacts.keys().copied().collect();
@@ -377,7 +399,8 @@ impl<'a> FakeDataAttributes<'a> {
             KnownArtifactKind::Host
             | KnownArtifactKind::Trampoline
             | KnownArtifactKind::ControlPlane
-            | KnownArtifactKind::Zone => {
+            | KnownArtifactKind::Zone
+            | KnownArtifactKind::MeasurementCorpus => {
                 return make_filler_text(
                     &self.kind.to_string(),
                     self.version,
@@ -582,6 +605,7 @@ pub enum DeserializedArtifactSource {
     },
     CompositeControlPlane {
         zones: Vec<DeserializedControlPlaneZoneSource>,
+        measurement_corpus: Vec<DeserializedControlPlaneZoneSource>,
     },
 }
 
@@ -608,10 +632,16 @@ impl DeserializedArtifactSource {
                 archive_b.apply_size_delta(size_delta)?;
                 Ok(())
             }
-            DeserializedArtifactSource::CompositeControlPlane { zones } => {
+            DeserializedArtifactSource::CompositeControlPlane {
+                zones,
+                measurement_corpus,
+            } => {
                 for zone in zones {
                     zone.apply_size_delta(size_delta)?;
                 }
+                for manifest in measurement_corpus {
+                    manifest.apply_size_delta(size_delta)?;
+                }
                 Ok(())
             }
         }
@@ -696,6 +726,8 @@ impl DeserializedFileArtifactSource {
     }
 }
 
+// FIXME probably give this a better name if we're going to use it for
+// measurements
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
 #[serde(tag = "kind", rename_all = "snake_case")]
 pub enum DeserializedControlPlaneZoneSource {