Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Agent-Driven Attestation #103

Open
stringlytyped opened this issue Sep 18, 2023 · 0 comments
Open

Agent-Driven Attestation #103

stringlytyped opened this issue Sep 18, 2023 · 0 comments

Comments

@stringlytyped
Copy link
Contributor

stringlytyped commented Sep 18, 2023

Enhancement Description

Enable an alternative operational model in which attestations are sent on an agent-driven basis instead of being requested by the verifier

Please to keep this description up to date.

stringlytyped added a commit to stringlytyped/keylime-enhancements that referenced this issue Sep 18, 2023
stringlytyped added a commit to stringlytyped/keylime-enhancements that referenced this issue Sep 18, 2023
Signed-off-by: Jean Snyman <jean.snyman@hpe.com>
stringlytyped added a commit to stringlytyped/keylime-enhancements that referenced this issue Sep 20, 2023
Signed-off-by: Jean Snyman <jean.snyman@hpe.com>
stringlytyped added a commit to stringlytyped/keylime-enhancements that referenced this issue Sep 20, 2023
Signed-off-by: Jean Snyman <jean.snyman@hpe.com>
maugustosilva added a commit that referenced this issue Sep 21, 2023
Add written proposal for enhancement #103
stringlytyped added a commit to hse-aurora/keylime-oss that referenced this issue Jun 28, 2024
This commit consolidates the work completed as part of pull request
keylime#1523 and contributes a new way of architecting REST APIs based loosely
on the model-view-controller (MVC) pattern. The class library in
`keylime.web.base` and `keylime.models.base` provides a number of
building blocks for structuring web service code in a consistent and
ordered fashion. These include:

- Routes: parameterised URI patterns for declaring API endpoints
- Servers: direct requests to a controller based on a list of routes
- Controllers: handle requests and produce an appropriate response
- Models: data structures which can be mutated, validated and persisted
  according to a set pattern

Additionally, this commit re-implements the registrar APIs in the new
paradigm. `keylime.registrar_common` is no longer invoked and is
effectively replaced by `keylime.web.registrar_server` and
`keylime.web.registrar.agents_controller`. The `registrarmain` database
table is now represented in memory using the `RegistrarAgent` model.
The model defines a schema for agent records and encapsulates the
functionality for mutating these records instead of overloading request
handlers with this responsibility. Certificate and key verification
checks are broken into several small methods each with a clear, minimal
purpose in an effort to ensure readability, traceability and
composability (even when the registrar is extended in the future).

The refactor of the registrar therefore acts as a good demonstration of
how the new web framework facilitates writing modular code with clear
separation of concerns. Future contributions to implement agent-driven
attestation (keylime/enhancements#103) will be done in a similar way.

Some minor features have been added or changed, e.g., request logging is
now more detailed and log messages try to be more helpful where
possible. The user now has the option of suppressing a portion of the
warnings generated when a certificate is not strictly ASN.1 DER
compliant, or even rejecting such certificates when received from an
agent. This partially fixes issue keylime#1559 (which will be further addressed
in subsequent PRs).

Other than that, this commit should be functionally equivalent to
earlier Keylime versions.

Squashes commits: 3b8119c, 796417d, a0d3cf7, 1b42ee2, c52b005, f5869aa,
3cd4c2a, 75facbd, e6ec507, 45a1362, 3c8f202, 30eb7dc, 2b9de05, b4a2df1,
1c2db6b, 705d9d4, e28baf6, 282071c, 2f7095d, f254a78, a249d28, 9fe4042,
b3eaa3e, ca3782a, 0ae1249, 9696a39, 33b7184, 7d8a4ee, 55eacb9, 2496836,
0d8a232, 4690017, ce9315a, 9c79359, 5055dc1, 9387a0b, 0db1fb8, 42fa62d,
89474ee, 7527175, fc1217e, de282c4, a28078f.
For context, refer to PR keylime#1523.

Signed-off-by: Jean Snyman <jean.snyman@hpe.com>
maugustosilva pushed a commit to keylime/keylime that referenced this issue Jun 28, 2024
This commit consolidates the work completed as part of pull request
#1523 and contributes a new way of architecting REST APIs based loosely
on the model-view-controller (MVC) pattern. The class library in
`keylime.web.base` and `keylime.models.base` provides a number of
building blocks for structuring web service code in a consistent and
ordered fashion. These include:

- Routes: parameterised URI patterns for declaring API endpoints
- Servers: direct requests to a controller based on a list of routes
- Controllers: handle requests and produce an appropriate response
- Models: data structures which can be mutated, validated and persisted
  according to a set pattern

Additionally, this commit re-implements the registrar APIs in the new
paradigm. `keylime.registrar_common` is no longer invoked and is
effectively replaced by `keylime.web.registrar_server` and
`keylime.web.registrar.agents_controller`. The `registrarmain` database
table is now represented in memory using the `RegistrarAgent` model.
The model defines a schema for agent records and encapsulates the
functionality for mutating these records instead of overloading request
handlers with this responsibility. Certificate and key verification
checks are broken into several small methods each with a clear, minimal
purpose in an effort to ensure readability, traceability and
composability (even when the registrar is extended in the future).

The refactor of the registrar therefore acts as a good demonstration of
how the new web framework facilitates writing modular code with clear
separation of concerns. Future contributions to implement agent-driven
attestation (keylime/enhancements#103) will be done in a similar way.

Some minor features have been added or changed, e.g., request logging is
now more detailed and log messages try to be more helpful where
possible. The user now has the option of suppressing a portion of the
warnings generated when a certificate is not strictly ASN.1 DER
compliant, or even rejecting such certificates when received from an
agent. This partially fixes issue #1559 (which will be further addressed
in subsequent PRs).

Other than that, this commit should be functionally equivalent to
earlier Keylime versions.

Squashes commits: 3b8119c, 796417d, a0d3cf7, 1b42ee2, c52b005, f5869aa,
3cd4c2a, 75facbd, e6ec507, 45a1362, 3c8f202, 30eb7dc, 2b9de05, b4a2df1,
1c2db6b, 705d9d4, e28baf6, 282071c, 2f7095d, f254a78, a249d28, 9fe4042,
b3eaa3e, ca3782a, 0ae1249, 9696a39, 33b7184, 7d8a4ee, 55eacb9, 2496836,
0d8a232, 4690017, ce9315a, 9c79359, 5055dc1, 9387a0b, 0db1fb8, 42fa62d,
89474ee, 7527175, fc1217e, de282c4, a28078f.
For context, refer to PR #1523.

Signed-off-by: Jean Snyman <jean.snyman@hpe.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant