rpms/keylime-agent-rust
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to upstream version 0.2.7

Browse Source 
Resolves: RHEL-75791

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
This commit is contained in:
Anderson Toshiyuki Sasaki 2025-01-21 18:31:04 +01:00
parent 67b04d5e70
commit fc8305a681
7 changed files with 71 additions and 411 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -14,3 +14,5 @@
/rust-keylime-0.2.2-vendor.tar.xz
/rust-keylime-0.2.5-vendor.tar.xz
/v0.2.5.tar.gz
/rust-keylime-0.2.7-vendor.tar.xz
/v0.2.7.tar.gz

15
keylime-agent-rust.spec
View File

@ -15,7 +15,7 @@
%endif
Name: keylime-agent-rust
Version: 0.2.5
Version: 0.2.7
Release: %{?autorelease}%{!?autorelease:1%{?dist}}
Summary: Rust agent for Keylime
@ -54,15 +54,12 @@ Source0: %{url}/archive/refs/tags/v%{version}.tar.gz
# tar jcf rust-keylime-%%{version}-vendor.tar.xz vendor
Source1: rust-keylime-%{version}-vendor.tar.xz
## (0-99) General patches
# Fix build with latest rust: https://github.com/keylime/rust-keylime/pull/789
# and https://github.com/keylime/rust-keylime/pull/793
Patch0: rust-keylime-unnecessary-qualifications.patch
# Fix regression to support hostname in registrar_ip configuration option
# https://github.com/keylime/rust-keylime/pull/797
Patch1: rust-keylime-support-hostnames-in-registrar-ip.patch
## (100-199) Patches for building from system Rust libraries (Fedora)
# Enable logging for the keylime library
# Patch from https://github.com/keylime/rust-keylime/pull/922
Patch0: rust-keylime-enable-logging-keylime-lib.patch
# Drop completely the legacy-python-actions feature
Patch100: rust-keylime-metadata.patch
Patch1: rust-keylime-metadata.patch
## (100-199) Patches for building from system Rust libraries (Fedora)
## (200+) Patches for building from vendored Rust libraries (RHEL)
ExclusiveArch: %{rust_arches}

29
rust-keylime-enable-logging-keylime-lib.patch Normal file
View File

@ -0,0 +1,29 @@
From 43db7bdf66a11658614be63f06d74e379a18e0d8 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Tue, 21 Jan 2025 15:31:00 +0100
Subject: [PATCH] dist: Enable logging for keylime library in the service
Set the logging level as INFO for the keylime library in the systemd
service file.
Some of the messages were moved from main to the library and would not
be logged without this setting.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
dist/systemd/system/keylime_agent.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dist/systemd/system/keylime_agent.service b/dist/systemd/system/keylime_agent.service
index c5df621d..7ec1a7a1 100644
--- a/dist/systemd/system/keylime_agent.service
+++ b/dist/systemd/system/keylime_agent.service
@@ -17,7 +17,7 @@ ExecStart=/usr/bin/keylime_agent
TimeoutSec=60s
Restart=on-failure
RestartSec=120s
-Environment="RUST_LOG=keylime_agent=info"
+Environment="RUST_LOG=keylime_agent=info,keylime=info"
# If using swtpm with tpm2-abrmd service, uncomment the line below to set TCTI
# variable on the service environment
#Environment="TCTI=tabrmd:"

48
rust-keylime-metadata.patch
View File

@ -1,9 +1,36 @@
--- a/keylime-agent/Cargo.toml 2024-01-31 10:25:42.291841679 +0100
+++ b/keylime-agent/Cargo.toml 2024-01-31 10:28:02.795282892 +0100
@@ -48,18 +48,6 @@
--- a/keylime/Cargo.toml 2025-01-20 11:19:20.276090741 +0100
+++ b/keylime/Cargo.toml 2025-01-20 11:20:47.574791185 +0100
@@ -24,10 +24,6 @@
picky-asn1-der.workspace = true
picky-asn1-x509.workspace = true
tokio.workspace = true
-# wiremock was moved to be a regular dependency because optional
-# dev-dependencies are not supported
-# see: https://github.com/rust-lang/cargo/issues/1596
-wiremock = {version = "0.6", optional = true}
[dev-dependencies]
tempfile.workspace = true
@@ -37,4 +33,4 @@
# This feature enables tests that require a TPM and the TCTI environment
# variable properly configured
# This should change to dev-dependencies when we have integration testing
-testing = ["wiremock"]
+testing = []
--- a/keylime-agent/Cargo.toml 2025-01-20 11:19:40.095022736 +0100
+++ b/keylime-agent/Cargo.toml 2025-01-20 11:21:15.678694751 +0100
@@ -32,7 +32,6 @@
thiserror.workspace = true
uuid.workspace = true
zip.workspace = true
-zmq = {version = "0.9.2", optional = true}
[dev-dependencies]
actix-rt.workspace = true
@@ -41,18 +40,6 @@
# The features enabled by default
default = []
# this should change to dev-dependencies when we have integration testing
testing = ["wiremock"]
testing = []
-# Whether the agent should be compiled with support to listen for notification
-# messages on ZeroMQ
-#
@ -19,14 +46,3 @@
[package.metadata.deb]
section = "net"
--- a/Cargo.toml 2024-05-02 11:18:17.351856756 +0200
+++ b/Cargo.toml 2024-05-02 11:18:23.930839679 +0200
@@ -16,7 +16,7 @@
[workspace.dependencies]
actix-rt = "2"
actix-web = { version = "4", default-features = false, features = ["macros", "openssl"] }
-base64 = "0.21"
+base64 = "0.22"
cfg-if = "1"
clap = { version = "4.3", features = ["derive"] }
config = { version = "0.13", default-features = false, features = ["toml"] }

242
rust-keylime-support-hostnames-in-registrar-ip.patch
View File

@ -1,242 +0,0 @@
From d4becf39196aa17583b02ad21cadcfe606d49a86 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Tue, 28 May 2024 15:44:29 +0200
Subject: [PATCH] config: Support hostnames in registrar_ip option
This restores previous behavior where hostnames could be used to set the
'registrar_ip' configuration option.
The configuration will try to parse the input configuration string as an
IP and in case of failure, try to parse the string as a hostname.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
keylime-agent/src/config.rs | 9 ++-
keylime-agent/src/error.rs | 4 ++
keylime-agent/src/registrar_agent.rs | 40 ++++++++----
keylime/src/hostname.pest | 2 +
keylime/src/hostname_parser.rs | 94 ++++++++++++++++++++++++++++
keylime/src/lib.rs | 1 +
6 files changed, 136 insertions(+), 14 deletions(-)
create mode 100644 keylime/src/hostname.pest
create mode 100644 keylime/src/hostname_parser.rs
diff --git a/keylime-agent/src/config.rs b/keylime-agent/src/config.rs
index 03a6fa57..7ed5c70f 100644
--- a/keylime-agent/src/config.rs
+++ b/keylime-agent/src/config.rs
@@ -9,6 +9,7 @@ use config::{
use glob::glob;
use keylime::{
algorithms::{EncryptionAlgorithm, HashAlgorithm, SignAlgorithm},
+ hostname_parser::parse_hostname,
ip_parser::parse_ip,
list_parser::parse_list,
};
@@ -856,8 +857,12 @@ fn config_translate_keywords(
let ip = parse_ip(config.agent.ip.as_ref())?.to_string();
let contact_ip = parse_ip(config.agent.contact_ip.as_ref())?.to_string();
- let registrar_ip =
- parse_ip(config.agent.registrar_ip.as_ref())?.to_string();
+ let registrar_ip = match parse_ip(config.agent.registrar_ip.as_ref()) {
+ Ok(ip) => ip.to_string(),
+ Err(_) => {
+ parse_hostname(config.agent.registrar_ip.as_ref())?.to_string()
+ }
+ };
// Validate the configuration
diff --git a/keylime-agent/src/error.rs b/keylime-agent/src/error.rs
index 73bbc1a1..c322dcd3 100644
--- a/keylime-agent/src/error.rs
+++ b/keylime-agent/src/error.rs
@@ -47,6 +47,10 @@ pub(crate) enum Error {
Io(#[from] std::io::Error),
#[error("Failed to parse IP")]
IpParserError(#[from] keylime::ip_parser::IpParsingError),
+ #[error("Failed to parse hostname")]
+ HostnameParserError(
+ #[from] keylime::hostname_parser::HostnameParsingError,
+ ),
#[error("Text decoding error: {0}")]
Utf8(#[from] std::string::FromUtf8Error),
#[error("Secure Mount error: {0})")]
diff --git a/keylime-agent/src/registrar_agent.rs b/keylime-agent/src/registrar_agent.rs
index da75cf7e..0905ec19 100644
--- a/keylime-agent/src/registrar_agent.rs
+++ b/keylime-agent/src/registrar_agent.rs
@@ -84,12 +84,20 @@ pub(crate) async fn do_activate_agent(
) -> crate::error::Result<()> {
let data = Activate { auth_tag };
- // Add brackets if the address is IPv6
- let parsed_ip = registrar_ip.parse::<IpAddr>()?;
- let remote_ip = if parsed_ip.is_ipv6() {
- format!("[{registrar_ip}]")
- } else {
- registrar_ip.to_string()
+ let remote_ip = match registrar_ip.parse::<IpAddr>() {
+ Ok(addr) => {
+ // Add brackets if the address is IPv6
+ if addr.is_ipv6() {
+ format!("[{registrar_ip}]")
+ } else {
+ registrar_ip.to_string()
+ }
+ }
+ Err(_) => {
+ // The registrar_ip option can also be a hostname. If it is the case, the hostname was
+ // already validated during configuration
+ registrar_ip.to_string()
+ }
};
#[cfg(test)]
@@ -173,12 +181,20 @@ pub(crate) async fn do_register_agent(
port: Some(port),
};
- // Add brackets if the address is IPv6
- let parsed_ip = registrar_ip.parse::<IpAddr>()?;
- let remote_ip = if parsed_ip.is_ipv6() {
- format!("[{registrar_ip}]")
- } else {
- registrar_ip.to_string()
+ let remote_ip = match registrar_ip.parse::<IpAddr>() {
+ Ok(addr) => {
+ // Add brackets if the address is IPv6
+ if addr.is_ipv6() {
+ format!("[{registrar_ip}]")
+ } else {
+ registrar_ip.to_string()
+ }
+ }
+ Err(_) => {
+ // The registrar_ip option can also be a hostname. If it is the case, the hostname was
+ // already validated during configuration
+ registrar_ip.to_string()
+ }
};
#[cfg(test)]
diff --git a/keylime/src/hostname.pest b/keylime/src/hostname.pest
new file mode 100644
index 00000000..6e7c54e4
--- /dev/null
+++ b/keylime/src/hostname.pest
@@ -0,0 +1,2 @@
+hostname = {SOI ~ label ~ ("." ~ label)* ~ EOI}
+label = { ASCII_ALPHANUMERIC+ ~ ("-"+ ~ ASCII_ALPHANUMERIC+)*}
diff --git a/keylime/src/hostname_parser.rs b/keylime/src/hostname_parser.rs
new file mode 100644
index 00000000..dbf971a6
--- /dev/null
+++ b/keylime/src/hostname_parser.rs
@@ -0,0 +1,94 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 Keylime Authors
+
+use pest::Parser;
+use pest_derive::Parser;
+use thiserror::Error;
+
+#[derive(Parser)]
+#[grammar = "hostname.pest"]
+pub struct HostnameParser;
+
+#[derive(Error, Debug)]
+pub enum HostnameParsingError {
+ #[error("Invalid input {0}")]
+ InvalidInput(String),
+
+ #[error("failed to parse the input {input}")]
+ ParseError {
+ input: String,
+ source: Box<pest::error::Error<Rule>>,
+ },
+}
+
+/// Parses a hostname from a string slice following RFC-1123
+///
+/// Valid hostnames are formed by labels separated by dots ('.').
+///
+/// The labels can only contain alphanumeric characters ('a'..'z' | 'A'..'Z' | '0'..'9') and the
+/// hyphen ('-'). The labels cannot begin or end with an hyphen.
+///
+/// # Arguments
+///
+/// * `hostname` the string to be parsed
+///
+/// # Returns
+///
+/// The obtained hostname as a &str if it is a valid hostname
+///
+/// # Examples
+///
+/// Valid hostnames:
+///
+/// * `hostname`
+/// * `host-name`
+/// * `a.b.c`
+/// * `a-b.c-d.e-f`
+///
+/// Invalid hostnames:
+///
+/// * `a_b.c`
+/// * `a.b-.c`
+/// * `a.-b.c`
+pub fn parse_hostname(hostname: &str) -> Result<&str, HostnameParsingError> {
+ let Some(pair) = HostnameParser::parse(Rule::hostname, hostname)
+ .map_err(|e| HostnameParsingError::ParseError {
+ input: hostname.to_string(),
+ source: Box::new(e),
+ })?
+ .next()
+ else {
+ return Err(HostnameParsingError::InvalidInput(hostname.to_string()));
+ };
+ return Ok(pair.as_str());
+}
+
+// Unit Testing
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn test_parse_hostname() {
+ // Sanity: most common case
+ assert_eq!(parse_hostname("hostname").unwrap(), "hostname"); //#[allow_ci]
+ assert_eq!(parse_hostname("ab.cd.ef").unwrap(), "ab.cd.ef"); //#[allow_ci]
+ assert_eq!(parse_hostname("ab-cd-ef").unwrap(), "ab-cd-ef"); //#[allow_ci]
+
+ // More advanced cases
+ assert_eq!(
+ parse_hostname("hostname-123.test").unwrap(), //#[allow_ci]
+ "hostname-123.test"
+ );
+ assert_eq!(parse_hostname("123-456.789").unwrap(), "123-456.789"); //#[allow_ci]
+ assert_eq!(parse_hostname("1----9").unwrap(), "1----9"); //#[allow_ci]
+
+ // Invalid input
+ assert!(parse_hostname("-host-na.me").is_err());
+ assert!(parse_hostname("host-na.me-").is_err());
+ assert!(parse_hostname(".host-na.me").is_err());
+ assert!(parse_hostname("host-na.me.").is_err());
+ assert!(parse_hostname("host_name").is_err());
+ assert!(parse_hostname("host..name").is_err());
+ }
+}
diff --git a/keylime/src/lib.rs b/keylime/src/lib.rs
index 3f0213eb..791729e1 100644
--- a/keylime/src/lib.rs
+++ b/keylime/src/lib.rs
@@ -1,5 +1,6 @@
pub mod algorithms;
pub mod crypto;
+pub mod hostname_parser;
pub mod ima;
pub mod ip_parser;
pub mod list_parser;

142
rust-keylime-unnecessary-qualifications.patch
View File

@ -1,142 +0,0 @@
From c91fba3382867737d194dfedf85cae7ee133c9e3 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Wed, 8 May 2024 14:13:47 +0200
Subject: [PATCH] Fix 'unnecessary qualification' warnings
Newer versions of the rust compiler generates warnings when symbols are
over-specified.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
keylime-agent/src/payloads.rs | 2 +-
keylime-agent/src/revocation.rs | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/keylime-agent/src/payloads.rs b/keylime-agent/src/payloads.rs
index 5c40125f..d42918c8 100644
--- a/keylime-agent/src/payloads.rs
+++ b/keylime-agent/src/payloads.rs
@@ -222,7 +222,7 @@ async fn run_encrypted_payload(
let action_file = unzipped.join("action_list");
if action_file.exists() {
- let action_data = std::fs::read_to_string(&action_file)
+ let action_data = fs::read_to_string(&action_file)
.expect("unable to read action_list");
action_data
diff --git a/keylime-agent/src/revocation.rs b/keylime-agent/src/revocation.rs
index e5ffaade..c48116b1 100644
--- a/keylime-agent/src/revocation.rs
+++ b/keylime-agent/src/revocation.rs
@@ -203,7 +203,7 @@ fn run_revocation_actions(
let action_file = unzipped.join("action_list");
if action_file.exists() {
- action_data = std::fs::read_to_string(&action_file)
+ action_data = fs::read_to_string(&action_file)
.expect("unable to read action_list");
let file_actions = parse_list(&action_data)?;
@@ -528,7 +528,7 @@ mod tests {
env!("CARGO_MANIFEST_DIR"),
"/tests/unzipped/test_ok.json"
);
- let json_str = std::fs::read_to_string(json_file).unwrap(); //#[allow_ci]
+ let json_str = fs::read_to_string(json_file).unwrap(); //#[allow_ci]
let json = serde_json::from_str(&json_str).unwrap(); //#[allow_ci]
let actions_dir =
&Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/actions/");
@@ -567,7 +567,7 @@ mod tests {
env!("CARGO_MANIFEST_DIR"),
"/tests/unzipped/test_err.json"
);
- let json_str = std::fs::read_to_string(json_file).unwrap(); //#[allow_ci]
+ let json_str = fs::read_to_string(json_file).unwrap(); //#[allow_ci]
let json = serde_json::from_str(&json_str).unwrap(); //#[allow_ci]
let actions_dir =
&Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/actions/");
@@ -602,7 +602,7 @@ mod tests {
let revocation_actions = "local_action_stand_alone.py, local_action_rev_script1.py";
}
}
- let json_str = std::fs::read_to_string(json_file).unwrap(); //#[allow_ci]
+ let json_str = fs::read_to_string(json_file).unwrap(); //#[allow_ci]
let json = serde_json::from_str(&json_str).unwrap(); //#[allow_ci]
let actions_dir =
&Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/actions/");
From 96d4bd4349518f173ede77cc5986e5e425f621ba Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Tue, 21 May 2024 15:55:36 +0200
Subject: [PATCH] Fix leftover 'unnecessary qualification' warnings on tests
Fix leftover 'unnecessary qualification' warnings generated when running
the tests ('cargo test --features=testing') with newer rust compilers.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
keylime-agent/src/errors_handler.rs | 4 ++--
keylime-agent/src/keys_handler.rs | 5 +----
keylime-agent/src/main.rs | 4 ++--
3 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/keylime-agent/src/errors_handler.rs b/keylime-agent/src/errors_handler.rs
index b0fa4c24..48ea2ffb 100644
--- a/keylime-agent/src/errors_handler.rs
+++ b/keylime-agent/src/errors_handler.rs
@@ -266,7 +266,7 @@ pub(crate) fn wrap_404<B>(
#[cfg(test)]
mod tests {
use super::*;
- use actix_web::{middleware, test, App, Resource};
+ use actix_web::{test, App, Resource};
use core::future::Future;
use serde::{Deserialize, Serialize};
use serde_json::{json, Value};
@@ -379,7 +379,7 @@ mod tests {
let mut app = test::init_service(
App::new()
.wrap(
- middleware::ErrorHandlers::new()
+ ErrorHandlers::new()
.handler(http::StatusCode::NOT_FOUND, wrap_404),
)
.app_data(
diff --git a/keylime-agent/src/keys_handler.rs b/keylime-agent/src/keys_handler.rs
index 6f4489d3..3407deeb 100644
--- a/keylime-agent/src/keys_handler.rs
+++ b/keylime-agent/src/keys_handler.rs
@@ -970,10 +970,7 @@ mod tests {
// Send Shutdown message to the workers for a graceful shutdown
keys_tx.send((KeyMessage::Shutdown, None)).await.unwrap(); //#[allow_ci]
- payload_tx
- .send(payloads::PayloadMessage::Shutdown)
- .await
- .unwrap(); //#[allow_ci]
+ payload_tx.send(PayloadMessage::Shutdown).await.unwrap(); //#[allow_ci]
arbiter.join();
}
diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
index f0713f9b..77f84cd3 100644
--- a/keylime-agent/src/main.rs
+++ b/keylime-agent/src/main.rs
@@ -1066,7 +1066,7 @@ mod testing {
/// CryptoTest error
#[error("CryptoTestError")]
- CryptoTestError(#[from] crate::crypto::testing::CryptoTestError),
+ CryptoTestError(#[from] crypto::testing::CryptoTestError),
/// IO error
#[error("IOError")]
@@ -1078,7 +1078,7 @@ mod testing {
/// TPM error
#[error("TPMError")]
- TPMError(#[from] keylime::tpm::TpmError),
+ TPMError(#[from] tpm::TpmError),
/// TSS esapi error
#[error("TSSError")]

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (rust-keylime-0.2.5-vendor.tar.xz) = 96aba845b075f2ff638a2f82da8606ed44d9df7084318ed9bbfa9b781df6b862b3b1c54b609333cfda8f42c168b2f211699e3d3a28b19cb4432b4b05db384d1e
SHA512 (v0.2.5.tar.gz) = 3f36e3e248ff29dcbcbe77516f4edad7fa15a4e2fbdff5bc488393bb562abcc7c976712bc8cbdb4b397ee571d8652d9d8ad1c18740c92c1458176f218d067d39
SHA512 (rust-keylime-0.2.7-vendor.tar.xz) = 0359a2f95b6325f1cdcf24b54efb26d3cadff31e0a83c065cbca09cdfb5877a836364d68e9208eee498f41bc609b7312ff487fee923593e6af07201084a2b3e7
SHA512 (v0.2.7.tar.gz) = 6a9f4e581aa49c8be1599d235a54c6a65d0f45340ef37c3d08124b75c4c5ca2b8467dc00cac8dfae5402b5690bb90fe69a994770fe2715de6e9d4070dabebb7d