Retry cherry-pick changes for basic-attestation-on-localhost-api-version-bump from main #761

Expand Up @@ -11,11 +11,6 @@ rlJournalStart

rlPhaseStartSetup "Do the keylime setup"
rlRun 'rlImport "./test-helpers"' || rlDie "cannot import keylime-tests/test-helpers library"
# install recommend devel packages from CRB if missing
rpm -q tpm2-tss-devel 2> /dev/null || INSTALL_PKGS="$INSTALL_PKGS tpm2-tss-devel"
rpm -q libarchive-devel 2> /dev/null || INSTALL_PKGS="$INSTALL_PKGS libarchive-devel"
rpm -q zeromq-devel 2> /dev/null || INSTALL_PKGS="$INSTALL_PKGS zeromq-devel"
[ -n "$INSTALL_PKGS" ] && rlRun "dnf --enablerepo \*CRB --enablerepo epel -y install $INSTALL_PKGS"
rlAssertRpm keylime

# update /etc/keylime.conf
Expand Down Expand Up @@ -48,44 +43,24 @@ rlJournalStart
WORKDIR=$( mktemp -d -p "/var/tmp" )
rlPhaseEnd

rlPhaseStartTest "Compile keylime agent with old API version"
# Store a backup of the installed binary
rlRun "rlFileBackup --namespace agent /usr/bin/keylime_agent"
# check if I am running agent from RPM file, i.e. not the upstream one
# in this case I am going to use sources from RPM file because
# I need to use the right version and extra patches from SRPM may
# be necessary
if rpm -q keylime-agent-rust; then
rlLogInfo "Will use agent sources from SRPM"
rlFetchSrcForInstalled keylime-agent-rust
rlRun "rpm -i keylime-agent-rust*.src.rpm"
rlRun "rpmbuild -bp ~/rpmbuild/SPECS/keylime-agent-rust.spec --nodeps --define '_builddir $PWD'" 0,1
rlRun "pushd keylime-agent-rust*build/rust-keylime*"
else
rlLogInfo "Will use agent sources from upstream repo"
rlRun "git clone ${RUST_KEYLIME_UPSTREAM_URL} ${WORKDIR}/rust-keylime"
rlRun "pushd ${WORKDIR}/rust-keylime"
rlPhaseStartTest "Get agent supported versions"
rlRun "limeStartAgent"
rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
mapfile -t SUPPORTED_VERSIONS< <(grep -ohE '> Starting server with API version.*' "$(limeAgentLogfile)" | grep -ohE '[0-9]+\.[0-9]+' | sort -V)
if [[ "${#SUPPORTED_VERSIONS[@]}" -lt 2 ]]; then
rlFail "Agent supports only one API version: ${SUPPORTED_VERSIONS[*]}"
fi
# Get a supported version older than the current
CURRENT_VERSION="$(grep -E '(^.*API_VERSION.*v)([0-9]+\.[0-9]+)' keylime-agent/src/common.rs | grep -o -E '[0-9]+\.[0-9]+')"
OLD_VERSION="$(grep -o -E "Supported older API versions: .*" "$(limeVerifierLogfile)" | grep -o -E '[0-9]+\.[0-9]+' | sed -n "1,/^$CURRENT_VERSION\$/ p" | grep -v "^$CURRENT_VERSION\$" | tail -1)"

# Replace the API version to fake an older version
rlRun "cp keylime-agent/src/common.rs keylime-agent/src/common.rs.backup"
rlRun "sed -i -E \"s/(^.*API_VERSION.*v)([0-9]+\.[0-9]+)/\1$OLD_VERSION/\" keylime-agent/src/common.rs"
rlRun "diff keylime-agent/src/common.rs.backup keylime-agent/src/common.rs" 1
# Replace agent binary
rlRun "cargo build"
rlLog "Agent supported versions: ${SUPPORTED_VERSIONS[*]}"
OLD_VERSION=${SUPPORTED_VERSIONS[0]}
LATEST_VERSION=${SUPPORTED_VERSIONS[${#SUPPORTED_VERSIONS[@]} -1]}
rlRun "limeStopAgent"
BUILDDIR=$PWD
rlRun "cp ${BUILDDIR}/target/debug/keylime_agent /usr/bin/keylime_agent"
rlRun "popd"
rlPhaseEnd

rlPhaseStartTest "Add keylime agent with old API version"
rlRun "limeUpdateConf agent api_versions \"\\\"${OLD_VERSION}\\\"\""
rlRun "limeStartAgent"
rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
rlAssertGrep "Starting server with API version v${OLD_VERSION}" "$(limeAgentLogfile)" -E
sleep 3
rlAssertGrep "Starting server with API versions: ${OLD_VERSION}$" "$(limeAgentLogfile)" -E
rlRun "cat > script.expect <<_EOF
set timeout 20
spawn keylime_tenant -v 127.0.0.1 -t 127.0.0.1 -u $AGENT_ID --verify --runtime-policy policy.json --cert default -c add
Expand All @@ -102,8 +77,10 @@ _EOF"

rlPhaseStartTest "Verify that API version is automatically bumped"
rlRun "limeStopAgent"
rlRun "rlFileRestore --namespace agent"
rlRun "limeUpdateConf agent api_versions \"\\\"${LATEST_VERSION}\\\"\""
rlRun "limeStartAgent"
sleep 3
rlAssertGrep "Starting server with API versions: ${LATEST_VERSION}$" "$(limeAgentLogfile)" -E
rlRun "rlWaitForCmd 'tail \$(limeVerifierLogfile) | grep -q \"Agent $AGENT_ID API version updated\"' -m 10 -d 1 -t 10"
rlRun "limeWaitForAgentStatus $AGENT_ID 'Get Quote'"
rlRun -s "keylime_tenant -c cvlist"
Expand All @@ -112,16 +89,17 @@ _EOF"

rlPhaseStartTest "Verify that API version downgrade is not allowed"
rlRun "limeStopAgent"
rlRun "cp ${BUILDDIR}/target/debug/keylime_agent /usr/bin/keylime_agent"
rlRun "limeUpdateConf agent api_versions \"\\\"${OLD_VERSION}\\\"\""
rlRun "limeStartAgent"
sleep 3
rlAssertGrep "Starting server with API versions: ${OLD_VERSION}$" "$(limeAgentLogfile)" -E
rlRun "limeWaitForAgentStatus $AGENT_ID '(Failed|Invalid Quote)'"
rlAssertGrep "WARNING - Agent $AGENT_ID API version $OLD_VERSION is lower or equal to previous version" "$(limeVerifierLogfile)"
rlAssertGrep "WARNING - Agent $AGENT_ID failed, stopping polling" "$(limeVerifierLogfile)"
rlPhaseEnd

rlPhaseStartCleanup "Do the keylime cleanup"
rlRun "limeStopAgent"
rlRun "rlFileRestore --namespace agent"
rlRun "limeStopRegistrar"
rlRun "limeStopVerifier"
if limeTPMEmulated; then
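Review bot: The `rlFail` guard in the "Get agent supported versions" phase does not stop the test, so when fewer than two versions are parsed the later phases still run with `OLD_VERSION` equal to `LATEST_VERSION` (or with a `-1` subscript on an empty array), and the downgrade-rejection phase no longer exercises a real downgrade. I would make the guard terminal or gate the remaining test phases on it, for example `rlDie "Agent supports fewer than two API versions: ${SUPPORTED_VERSIONS[*]}"` if skipping the cleanup phase is acceptable here; the current message also says "only one" although the condition covers the zero-match case. Separately, the `rlAssertGrep "Starting server with API versions: ${OLD_VERSION}$"` in the downgrade phase may be satisfied by the line logged during the earlier old-version start if `limeStartAgent` appends to the same log file, which is not visible in this diff, so it is worth confirming that the assertion only sees output from the latest restart.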
1 change: 1 addition & 0 deletions plans/distribution-fedora-keylime.fmf
Expand Up @@ -27,6 +27,7 @@ discover:
- /setup/inject_SELinux_AVC_check
- "^/functional/.*"
- "^/regression/.*"
- "^/compatibility/.*"

execute:
how: tmt
2 changes: 1 addition & 1 deletion setup/generate_coverage_report/patchcov.py
Expand Up @@ -184,7 +184,7 @@ def get_patch_coverage(patch_path, db_path):
for row in table_context:
if row[0] in contexts_used:
prefix = get_test_code(row[0])
name = re.sub('^.*\/discover\/[^/]*\/tests', '', row[1])
name = re.sub(r'^.*/discover/[^/]*/tests', '', row[1])
print(' {} {}'.format(prefix, name))
print()
