Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support multiple API versions #889

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Support multiple API versions #889

wants to merge 8 commits into from

Conversation

ansasaki
Copy link
Contributor

@ansasaki ansasaki commented Dec 18, 2024
edited
Loading

This introduces a new configuration option api_versions which allows the user to select a subset of the supported API versions to enable.

The agent creates the endpoints under each enable API version, allowing it to receive requests from older versions of the other components (verifier and tenant).

During registration, the agent will try to query the version of the API supported by the registrar making a GET request to the /version endpoint. If the registrar supports it and replies with a version, the agent will check if the version is enabled and will use it for the following requests.

In case the registrar does not support the /version endpoint, then the agent will try all the enabled versions. If the registration is successful, the agent will keep the successful API version to use in the following requests.

This is part of the implementation for the enhancement proposal 114: keylime/enhancements#115

@ansasaki ansasaki marked this pull request as draft December 18, 2024 19:52
@codecov Codecov
Copy link

codecov bot commented Dec 18, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 74.91525% with 148 lines in your changes missing coverage. Please review.

Project coverage is 62.03%. Comparing base (2f7b3ad) to head (2329f71).
Report is 87 commits behind head on master.

Files with missing lines Patch % Lines
keylime/src/version.rs 37.97% 49 Missing ⚠️
keylime-agent/src/main.rs 7.84% 47 Missing ⚠️
keylime/src/registrar_client.rs 92.83% 22 Missing ⚠️
keylime-agent/src/config.rs 79.62% 11 Missing ⚠️
keylime-agent/src/errors_handler.rs 26.66% 11 Missing ⚠️
keylime-agent/src/error.rs 0.00% 6 Missing ⚠️
keylime/src/serialization.rs 96.55% 2 Missing ⚠️
Additional details and impacted files
Flag Coverage Δ
e2e-testsuite 62.03% <74.91%> (+4.44%) ⬆️
upstream-unit-tests 62.03% <74.91%> (+11.02%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
keylime-agent/src/agent_handler.rs 57.44% <ø> (ø)
keylime-agent/src/api.rs 76.47% <100.00%> (ø)
keylime-agent/src/common.rs 69.28% <ø> (+1.33%) ⬆️
keylime-agent/src/keys_handler.rs 64.72% <ø> (-0.72%) ⬇️
keylime-agent/src/notifications_handler.rs 66.66% <ø> (ø)
keylime-agent/src/payloads.rs 83.09% <ø> (+0.24%) ⬆️
keylime-agent/src/quotes_handler.rs 52.29% <ø> (+1.42%) ⬆️
keylime/src/serialization.rs 96.55% <96.55%> (ø)
keylime-agent/src/error.rs 9.90% <0.00%> (-5.35%) ⬇️
keylime-agent/src/config.rs 78.12% <79.62%> (-9.38%) ⬇️
... and 4 more

... and 5 files with indirect coverage changes

@ansasaki
Copy link
Contributor Author

The failing test needs an update proposed in: RedHat-SP-Security/keylime-tests#688

@ansasaki ansasaki marked this pull request as ready for review December 19, 2024 17:13
@ansasaki
Copy link
Contributor Author

I just realized the registrar already supports the /version API in an undocumented API change.
We need to be more diligent updating the documentation. This is also a reminder for myself.

@ansasaki ansasaki force-pushed the multiple_api branch 3 times, most recently from ede6c9a to a9aec72 Compare December 23, 2024 17:15
@ansasaki
keylime-agent.conf: Bump version to 2.3
d72c206 
This is to account for the addition of the options:

- idevid_password
- idevid_handle
- iak_password
- iak_handle

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
Drop unnecessary dependency on common::API_VERSION
27c30ae 
In many places the dependency are unnecessary and used only for testing.
Replace the usage of common::API_VERSION with a static string.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
Move 'serialization' module to the keylime library
4c1fcf1 
Move the serialization module from keylime-agent to the keylime library

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
Provide endpoints under multiple API versions
cd32203 
Make the agent to provide the endpoints under multiple API versions
(currently only under versions 2.1 and 2.2).

A new configuration option is introduced, 'api_versions', which allows
the user to set the API versions to enable.  Only a subset of the
versions defined in api::SUPPORTED_API_VERSIONS can be enabled.  If a
unsupported version is set in the configuration, it will be ignored with
a warning.  The agent will fail to start if no valid API versions list
is configured.

The 'api_versions' option supports 2 keywords that can be used instead
of the explicit list of versions:

- "default": Enables all the supported API versions
- "latest": Enables only the latest supported API version

This is part of the implementation of the enhancement proposal 114:
keylime/enhancements#115

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
keylime: Introduce the registrar_client module
525c290 
The registrar_client module implements the builder pattern to allow
setting the optional parameters as needed.

This also implements the mechanism to allow the agent to communicate
with the registrar that support different API versions:

- The client will make a GET request to the '/version' endpoint of the
  registrar.  If the request is successful, the client will use the
  provided API version if it is enabled.
- If the registrar does not support the '/version' endpoint, the client
  will try to register using each of the enabled API versions, starting
  from the latest. If none of the enabled versions is supported by the
  registrar, the registration fails.

This is part of the implementation of the enhancement proposal 114:
keylime/enhancements#115

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
main: Support using multiple API versions for registration
73f843f 
Use the keylime::registrar_client module instead of the registrar_agent,
which is deleted.

This enables the agent to communicate with a registrar using an older
API version, restoring the backwards compatibility.

This also removes the unnecessary `API_VERSION` from `common.rs`.

This is part of the implementation of the enhancement proposal 114:
keylime/enhancements#115

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
version: Implement API version validation and ordering
2725d29 
Validate the values set in the `api_versions` configuration option, and
filter only the supported versions.

The configured versions are also sorted so that the agent can try the
enabled versions from the newest to the oldest.

If none of the configured options are supported, fallback to use all the
supported API versions instead.

This is part of the implementation of the enhancement proposal 114:
keylime/enhancements#115

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
TEMPORARILY CHANGE TESTS REPOSITORY
2329f71 
Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@THS-on THS-on Awaiting requested review from THS-on

@sergio-correia sergio-correia Awaiting requested review from sergio-correia

At least 1 approving review is required to merge this pull request.

Assignees

@THS-on THS-on

@sergio-correia sergio-correia

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ansasaki @THS-on @sergio-correia