Support multiple API versions #889
Conversation
ansasaki
force-pushed
the
multiple_api
branch
from
743f8ea to
2dde804
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files
Flags with carried forward coverage won't be shown. Click here to find out more.
|
ansasaki
force-pushed
the
multiple_api
branch
from
2dde804 to
5627a10
Compare
|
The failing test needs an update proposed in: RedHat-SP-Security/keylime-tests#688 |
|
EDIT: Actually, with the refactoring to use a web framework for the registrar, the |
ansasaki
force-pushed
the
multiple_api
branch
3 times, most recently
from
ede6c9a to
a9aec72
Compare
This is to account for the addition of the options: - idevid_password - idevid_handle - iak_password - iak_handle Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
In many places the dependency are unnecessary and used only for testing. Replace the usage of common::API_VERSION with a static string. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Move the serialization module from keylime-agent to the keylime library Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Make the agent to provide the endpoints under multiple API versions (currently only under versions 2.1 and 2.2). A new configuration option is introduced, 'api_versions', which allows the user to set the API versions to enable. Only a subset of the versions defined in api::SUPPORTED_API_VERSIONS can be enabled. If a unsupported version is set in the configuration, it will be ignored with a warning. The agent will fail to start if no valid API versions list is configured. The 'api_versions' option supports 2 keywords that can be used instead of the explicit list of versions: - "default": Enables all the supported API versions - "latest": Enables only the latest supported API version This is part of the implementation of the enhancement proposal 114: keylime/enhancements#115 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
The registrar_client module implements the builder pattern to allow setting the optional parameters as needed. This also implements the mechanism to allow the agent to communicate with the registrar that support different API versions: - The client will make a GET request to the '/version' endpoint of the registrar. If the request is successful, the client will use the provided API version if it is enabled. - If the registrar does not support the '/version' endpoint, the client will try to register using each of the enabled API versions, starting from the latest. If none of the enabled versions is supported by the registrar, the registration fails. This is part of the implementation of the enhancement proposal 114: keylime/enhancements#115 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Use the keylime::registrar_client module instead of the registrar_agent, which is deleted. This enables the agent to communicate with a registrar using an older API version, restoring the backwards compatibility. This also removes the unnecessary `API_VERSION` from `common.rs`. This is part of the implementation of the enhancement proposal 114: keylime/enhancements#115 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Validate the values set in the `api_versions` configuration option, and filter only the supported versions. The configured versions are also sorted so that the agent can try the enabled versions from the newest to the oldest. If none of the configured options are supported, fallback to use all the supported API versions instead. This is part of the implementation of the enhancement proposal 114: keylime/enhancements#115 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
ansasaki
force-pushed
the
multiple_api
branch
2 times, most recently
from
c289e48 to
949af61
Compare
|
@keylime/developer Please consider prioritizing reviewing this PR as it is blocking the new agent version release. |
| @@ -11,7 +11,17 @@ | |||
| # The configuration file version | |||
| # | |||
| # To override, set KEYLIME_AGENT_VERSION environment variable. | |||
| version = "2.2" | |||
| version = "2.4" | |||
There was a problem hiding this comment.
What happened to 2.3 version? Is this 2.2 -> 2.4 jump expected?
There was a problem hiding this comment.
Look at the first commit in the series. 2.3 takes into account some idevid options.
There was a problem hiding this comment.
as @sergio-correia commented, the first commit in the series is the bump to the 2.3 version to account for the IDevID/IAK related configuration options.
I recommend reviewing the commits one by one instead of the whole diff from master as it makes it easier to follow the changes.
| let result = Version::from_str("22"); | ||
| assert!(result.is_err()); | ||
| let result = Version::from_str(".12"); | ||
| assert!(result.is_err()); |
There was a problem hiding this comment.
Does it make sense to add a version like 1.2.3? And if so ... should this be treated as error?
There was a problem hiding this comment.
It was agreed a long time ago that the configuration and API versions will be in the MAJOR.MINOR format.
This introduces a new configuration option
api_versionswhich allows the user to select a subset of the supported API versions to enable.The agent creates the endpoints under each enable API version, allowing it to receive requests from older versions of the other components (verifier and tenant).
During registration, the agent will try to query the version of the API supported by the registrar making a GET request to the
/versionendpoint. If the registrar supports it and replies with a version, the agent will check if the version is enabled and will use it for the following requests.In case the registrar does not support the
/versionendpoint, then the agent will try all the enabled versions. If the registration is successful, the agent will keep the successful API version to use in the following requests.This is part of the implementation for the enhancement proposal 114: keylime/enhancements#115