Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support multiple API versions #889

Open
wants to merge 7 commits into
base: master
Choose a base branch
from

Conversation

ansasaki
Copy link
Contributor

@ansasaki ansasaki commented Dec 18, 2024

This introduces a new configuration option api_versions which allows the user to select a subset of the supported API versions to enable.

The agent creates the endpoints under each enable API version, allowing it to receive requests from older versions of the other components (verifier and tenant).

During registration, the agent will try to query the version of the API supported by the registrar making a GET request to the /version endpoint. If the registrar supports it and replies with a version, the agent will check if the version is enabled and will use it for the following requests.

In case the registrar does not support the /version endpoint, then the agent will try all the enabled versions. If the registration is successful, the agent will keep the successful API version to use in the following requests.

This is part of the implementation for the enhancement proposal 114: keylime/enhancements#115

@ansasaki ansasaki marked this pull request as draft December 18, 2024 19:52
Copy link

codecov bot commented Dec 18, 2024

Codecov Report

Attention: Patch coverage is 72.03390% with 165 lines in your changes missing coverage. Please review.

Project coverage is 61.69%. Comparing base (2f7b3ad) to head (a9aec72).
Report is 86 commits behind head on master.

Files with missing lines Patch % Lines
keylime/src/version.rs 32.91% 53 Missing ⚠️
keylime-agent/src/main.rs 7.84% 47 Missing ⚠️
keylime-agent/src/config.rs 55.55% 24 Missing ⚠️
keylime/src/registrar_client.rs 92.83% 22 Missing ⚠️
keylime-agent/src/errors_handler.rs 26.66% 11 Missing ⚠️
keylime-agent/src/error.rs 0.00% 6 Missing ⚠️
keylime/src/serialization.rs 96.55% 2 Missing ⚠️
Additional details and impacted files
Flag Coverage Δ
e2e-testsuite 61.69% <72.03%> (+4.10%) ⬆️
upstream-unit-tests 61.69% <72.03%> (+10.68%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
keylime-agent/src/agent_handler.rs 59.57% <ø> (ø)
keylime-agent/src/api.rs 77.64% <100.00%> (ø)
keylime-agent/src/common.rs 67.97% <ø> (+0.02%) ⬆️
keylime-agent/src/keys_handler.rs 64.97% <ø> (-0.47%) ⬇️
keylime-agent/src/notifications_handler.rs 64.70% <ø> (-1.97%) ⬇️
keylime-agent/src/payloads.rs 81.64% <ø> (-1.21%) ⬇️
keylime-agent/src/quotes_handler.rs 51.90% <ø> (+1.04%) ⬆️
keylime/src/serialization.rs 96.55% <96.55%> (ø)
keylime-agent/src/error.rs 9.90% <0.00%> (-5.35%) ⬇️
keylime-agent/src/errors_handler.rs 45.36% <26.66%> (-10.80%) ⬇️
... and 4 more

... and 5 files with indirect coverage changes

@ansasaki
Copy link
Contributor Author

The failing test needs an update proposed in: RedHat-SP-Security/keylime-tests#688

@ansasaki ansasaki marked this pull request as ready for review December 19, 2024 17:13
@ansasaki
Copy link
Contributor Author

I just realized the registrar already supports the /version API in an undocumented API change.
We need to be more diligent updating the documentation. This is also a reminder for myself.

This is to account for the addition of the options:

- idevid_password
- idevid_handle
- iak_password
- iak_handle

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
In many places the dependency are unnecessary and used only for testing.
Replace the usage of common::API_VERSION with a static string.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Move the serialization module from keylime-agent to the keylime library

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Make the agent to provide the endpoints under multiple API versions
(currently only under versions 2.1 and 2.2).

A new configuration option is introduced, 'api_versions', which allows
the user to set the API versions to enable.  Only a subset of the
versions defined in api::SUPPORTED_API_VERSIONS can be enabled.  If a
unsupported version is set in the configuration, it will be ignored with
a warning.  The agent will fail to start if no valid API versions list
is configured.

The 'api_versions' option supports 2 keywords that can be used instead
of the explicit list of versions:

- "default": Enables all the supported API versions
- "latest": Enables only the latest supported API version

This is part of the implementation of the enhancement proposal 114:
keylime/enhancements#115

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
The registrar_client module implements the builder pattern to allow
setting the optional parameters as needed.

This also implements the mechanism to allow the agent to communicate
with the registrar that support different API versions:

- The client will make a GET request to the '/version' endpoint of the
  registrar.  If the request is successful, the client will use the
  provided API version if it is enabled.
- If the registrar does not support the '/version' endpoint, the client
  will try to register using each of the enabled API versions, starting
  from the latest. If none of the enabled versions is supported by the
  registrar, the registration fails.

This is part of the implementation of the enhancement proposal 114:
keylime/enhancements#115

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Use the keylime::registrar_client module instead of the registrar_agent,
which is deleted.

This enables the agent to communicate with a registrar using an older
API version, restoring the backwards compatibility.

This also removes the unnecessary `API_VERSION` from `common.rs`.

This is part of the implementation of the enhancement proposal 114:
keylime/enhancements#115

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Validate the values set in the `api_versions` configuration option, and
filter only the supported versions.

The configured versions are also sorted so that the agent can try the
enabled versions from the newest to the oldest.

If none of the configured options are supported, fallback to use all the
supported API versions instead.

This is part of the implementation of the enhancement proposal 114:
keylime/enhancements#115

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant