Incorperate feedback. Add localhost block.

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

pkg/agent/plugin/nodeattestor/httpchallenge/httpchallenge.go

@@ -28,6 +28,12 @@ func BuiltIn() catalog.BuiltIn {
 	return builtin(New())
 }
 
+func BuiltInWithHostname(hostname string) catalog.BuiltIn {
+	plugin := New()
+	plugin.hostname = hostname
+	return builtin(plugin)
+}
+
 func builtin(p *Plugin) catalog.BuiltIn {
 	return catalog.MakeBuiltIn(pluginName,
 		nodeattestorv1.NodeAttestorPluginServer(p),
@@ -56,6 +62,8 @@ type Plugin struct {
 	c *Config
 
 	log hclog.Logger
+
+	hostname string
 }
 
 func New() *Plugin {
@@ -137,7 +145,7 @@ func (p *Plugin) Configure(_ context.Context, req *configv1.ConfigureRequest) (*
 	}
 
 	// Make sure the configuration produces valid data
-	if _, err := loadConfigData(config); err != nil {
+	if _, err := loadConfigData(p.hostname, config); err != nil {
 		return nil, err
 	}
 
@@ -193,15 +201,19 @@ func (p *Plugin) loadConfigData() (*configData, error) {
 	if config == nil {
 		return nil, status.Error(codes.FailedPrecondition, "not configured")
 	}
-	return loadConfigData(config)
+	return loadConfigData(p.hostname, config)
 }
 
-func loadConfigData(config *Config) (*configData, error) {
+func loadConfigData(hostname string, config *Config) (*configData, error) {
 	if config.HostName == "" {
-		var err error
-		config.HostName, err = os.Hostname()
-		if err != nil {
-			return nil, status.Errorf(codes.InvalidArgument, "unable to fetch hostname: %v", err)
+		if hostname != "" {
+			config.HostName = hostname
+		} else {
+			var err error
+			config.HostName, err = os.Hostname()
+			if err != nil {
+				return nil, status.Errorf(codes.InvalidArgument, "unable to fetch hostname: %v", err)
+			}
 		}
 	}
 	var agentName = "default"

pkg/agent/plugin/nodeattestor/httpchallenge/httpchallenge_test.go

@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"net/http"
 	"testing"
 
 	configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1"
@@ -155,7 +156,7 @@ func TestAidAttestationSucceeds(t *testing.T) {
 			serverStream: func(attestationData *common_httpchallenge.AttestationData, challenge []byte, expectPayload []byte, challengeobj *common_httpchallenge.Challenge, port int) nodeattestor.ServerStream {
 				return streamBuilder.IgnoreThenChallenge(challenge).
 					Handle(func(challengeResponse []byte) ([]byte, error) {
-						err := common_httpchallenge.VerifyChallenge(attestationData, challengeobj)
+						err := common_httpchallenge.VerifyChallenge(http.DefaultClient, attestationData, challengeobj)
 						return nil, err
 					}).Build()
 			},
@@ -171,7 +172,7 @@ func TestAidAttestationSucceeds(t *testing.T) {
 			serverStream: func(attestationData *common_httpchallenge.AttestationData, challenge []byte, expectPayload []byte, challengeobj *common_httpchallenge.Challenge, port int) nodeattestor.ServerStream {
 				return streamBuilder.ExpectThenChallenge(expectPayload, challenge).
 					Handle(func(challengeResponse []byte) ([]byte, error) {
-						err := common_httpchallenge.VerifyChallenge(attestationData, challengeobj)
+						err := common_httpchallenge.VerifyChallenge(http.DefaultClient, attestationData, challengeobj)
 						return nil, err
 					}).Build()
 			},
@@ -205,6 +206,6 @@ func loadAndConfigurePlugin(t *testing.T, config string) nodeattestor.NodeAttest
 
 func loadPlugin(t *testing.T, options ...plugintest.Option) nodeattestor.NodeAttestor {
 	na := new(nodeattestor.V1)
-	plugintest.Load(t, httpchallenge.BuiltIn(), na, options...)
+	plugintest.Load(t, httpchallenge.BuiltInWithHostname("wark"), na, options...)
 	return na
 }

pkg/common/plugin/httpchallenge/httpchallenge.go

@@ -53,7 +53,7 @@ func CalculateResponse(_ *Challenge) (*Response, error) {
 	return &Response{}, nil
 }
 
-func VerifyChallenge(attestationData *AttestationData, challenge *Challenge) error {
+func VerifyChallenge(client *http.Client, attestationData *AttestationData, challenge *Challenge) error {
 	if attestationData.HostName == "" {
 		return fmt.Errorf("hostname must be set")
 	}
@@ -86,7 +86,6 @@ func VerifyChallenge(attestationData *AttestationData, challenge *Challenge) err
 		return err
 	}
 
-	client := http.DefaultClient
 	resp, err := client.Do(req)
 	if err != nil {
 		return err

pkg/common/plugin/httpchallenge/httpchallenge_test.go

@@ -87,7 +87,7 @@ func TestValidateChallenge(t *testing.T) {
 				return dialer.DialContext(ctx, network, addr)
 			}
 
-			err := VerifyChallenge(ad, c)
+			err := VerifyChallenge(http.DefaultClient, ad, c)
 			if tt.expectErr != "" {
 				require.Error(t, err)
 				require.Contains(t, err.Error(), tt.expectErr)

pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge.go

@@ -3,6 +3,7 @@ package httpchallenge
 import (
 	"context"
 	"encoding/json"
+	"net/http"
 	"regexp"
 	"sync"
 
@@ -58,10 +59,14 @@ type Plugin struct {
 	config *configuration
 
 	log hclog.Logger
+
+	client *http.Client
 }
 
 func New() *Plugin {
-	return &Plugin{}
+	return &Plugin{
+		client: http.DefaultClient,
+	}
 }
 
 func (p *Plugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServer) error {
@@ -125,7 +130,7 @@ func (p *Plugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServer) error {
 	}
 
 	p.log.Debug("Verifying challenge")
-	if err := httpchallenge.VerifyChallenge(attestationData, challenge); err != nil {
+	if err := httpchallenge.VerifyChallenge(p.client, attestationData, challenge); err != nil {
 		return status.Errorf(codes.PermissionDenied, "challenge verification failed: %v", err)
 	}
 
@@ -254,6 +259,9 @@ func validateAgentName(agentName string, agentNamePattern *regexp.Regexp) error
 }
 
 func validateHostName(hostName string, dnsPatterns []*regexp.Regexp) error {
+	if hostName == "localhost" {
+		return status.Errorf(codes.PermissionDenied, "you can not use localhost as a hostname")
+	}
 	if len(dnsPatterns) == 0 {
 		return nil
 	}