From fc8305a68178a63a8fa6a17f1df1939a7e1b2871 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Tue, 21 Jan 2025 18:31:04 +0100 Subject: [PATCH] Update to upstream version 0.2.7 Resolves: RHEL-75791 Signed-off-by: Anderson Toshiyuki Sasaki --- .gitignore | 2 + keylime-agent-rust.spec | 15 +- rust-keylime-enable-logging-keylime-lib.patch | 29 +++ rust-keylime-metadata.patch | 48 ++-- ...me-support-hostnames-in-registrar-ip.patch | 242 ------------------ rust-keylime-unnecessary-qualifications.patch | 142 ---------- sources | 4 +- 7 files changed, 71 insertions(+), 411 deletions(-) create mode 100644 rust-keylime-enable-logging-keylime-lib.patch delete mode 100644 rust-keylime-support-hostnames-in-registrar-ip.patch delete mode 100644 rust-keylime-unnecessary-qualifications.patch diff --git a/.gitignore b/.gitignore index 769e785..73e022f 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,5 @@ /rust-keylime-0.2.2-vendor.tar.xz /rust-keylime-0.2.5-vendor.tar.xz /v0.2.5.tar.gz +/rust-keylime-0.2.7-vendor.tar.xz +/v0.2.7.tar.gz diff --git a/keylime-agent-rust.spec b/keylime-agent-rust.spec index f54d171..f902f3e 100644 --- a/keylime-agent-rust.spec +++ b/keylime-agent-rust.spec @@ -15,7 +15,7 @@ %endif Name: keylime-agent-rust -Version: 0.2.5 +Version: 0.2.7 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Summary: Rust agent for Keylime @@ -54,15 +54,12 @@ Source0: %{url}/archive/refs/tags/v%{version}.tar.gz # tar jcf rust-keylime-%%{version}-vendor.tar.xz vendor Source1: rust-keylime-%{version}-vendor.tar.xz ## (0-99) General patches -# Fix build with latest rust: https://github.com/keylime/rust-keylime/pull/789 -# and https://github.com/keylime/rust-keylime/pull/793 -Patch0: rust-keylime-unnecessary-qualifications.patch -# Fix regression to support hostname in registrar_ip configuration option -# https://github.com/keylime/rust-keylime/pull/797 -Patch1: rust-keylime-support-hostnames-in-registrar-ip.patch -## (100-199) Patches for building from system Rust libraries (Fedora) +# Enable logging for the keylime library +# Patch from https://github.com/keylime/rust-keylime/pull/922 +Patch0: rust-keylime-enable-logging-keylime-lib.patch # Drop completely the legacy-python-actions feature -Patch100: rust-keylime-metadata.patch +Patch1: rust-keylime-metadata.patch +## (100-199) Patches for building from system Rust libraries (Fedora) ## (200+) Patches for building from vendored Rust libraries (RHEL) ExclusiveArch: %{rust_arches} diff --git a/rust-keylime-enable-logging-keylime-lib.patch b/rust-keylime-enable-logging-keylime-lib.patch new file mode 100644 index 0000000..bccd0a0 --- /dev/null +++ b/rust-keylime-enable-logging-keylime-lib.patch @@ -0,0 +1,29 @@ +From 43db7bdf66a11658614be63f06d74e379a18e0d8 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Tue, 21 Jan 2025 15:31:00 +0100 +Subject: [PATCH] dist: Enable logging for keylime library in the service + +Set the logging level as INFO for the keylime library in the systemd +service file. + +Some of the messages were moved from main to the library and would not +be logged without this setting. + +Signed-off-by: Anderson Toshiyuki Sasaki +--- + dist/systemd/system/keylime_agent.service | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/dist/systemd/system/keylime_agent.service b/dist/systemd/system/keylime_agent.service +index c5df621d..7ec1a7a1 100644 +--- a/dist/systemd/system/keylime_agent.service ++++ b/dist/systemd/system/keylime_agent.service +@@ -17,7 +17,7 @@ ExecStart=/usr/bin/keylime_agent + TimeoutSec=60s + Restart=on-failure + RestartSec=120s +-Environment="RUST_LOG=keylime_agent=info" ++Environment="RUST_LOG=keylime_agent=info,keylime=info" + # If using swtpm with tpm2-abrmd service, uncomment the line below to set TCTI + # variable on the service environment + #Environment="TCTI=tabrmd:" diff --git a/rust-keylime-metadata.patch b/rust-keylime-metadata.patch index 15f4103..bbe8e96 100644 --- a/rust-keylime-metadata.patch +++ b/rust-keylime-metadata.patch @@ -1,9 +1,36 @@ ---- a/keylime-agent/Cargo.toml 2024-01-31 10:25:42.291841679 +0100 -+++ b/keylime-agent/Cargo.toml 2024-01-31 10:28:02.795282892 +0100 -@@ -48,18 +48,6 @@ +--- a/keylime/Cargo.toml 2025-01-20 11:19:20.276090741 +0100 ++++ b/keylime/Cargo.toml 2025-01-20 11:20:47.574791185 +0100 +@@ -24,10 +24,6 @@ + picky-asn1-der.workspace = true + picky-asn1-x509.workspace = true + tokio.workspace = true +-# wiremock was moved to be a regular dependency because optional +-# dev-dependencies are not supported +-# see: https://github.com/rust-lang/cargo/issues/1596 +-wiremock = {version = "0.6", optional = true} + + [dev-dependencies] + tempfile.workspace = true +@@ -37,4 +33,4 @@ + # This feature enables tests that require a TPM and the TCTI environment + # variable properly configured + # This should change to dev-dependencies when we have integration testing +-testing = ["wiremock"] ++testing = [] +--- a/keylime-agent/Cargo.toml 2025-01-20 11:19:40.095022736 +0100 ++++ b/keylime-agent/Cargo.toml 2025-01-20 11:21:15.678694751 +0100 +@@ -32,7 +32,6 @@ + thiserror.workspace = true + uuid.workspace = true + zip.workspace = true +-zmq = {version = "0.9.2", optional = true} + + [dev-dependencies] + actix-rt.workspace = true +@@ -41,18 +40,6 @@ + # The features enabled by default default = [] - # this should change to dev-dependencies when we have integration testing - testing = ["wiremock"] + testing = [] -# Whether the agent should be compiled with support to listen for notification -# messages on ZeroMQ -# @@ -19,14 +46,3 @@ [package.metadata.deb] section = "net" ---- a/Cargo.toml 2024-05-02 11:18:17.351856756 +0200 -+++ b/Cargo.toml 2024-05-02 11:18:23.930839679 +0200 -@@ -16,7 +16,7 @@ - [workspace.dependencies] - actix-rt = "2" - actix-web = { version = "4", default-features = false, features = ["macros", "openssl"] } --base64 = "0.21" -+base64 = "0.22" - cfg-if = "1" - clap = { version = "4.3", features = ["derive"] } - config = { version = "0.13", default-features = false, features = ["toml"] } diff --git a/rust-keylime-support-hostnames-in-registrar-ip.patch b/rust-keylime-support-hostnames-in-registrar-ip.patch deleted file mode 100644 index 029e634..0000000 --- a/rust-keylime-support-hostnames-in-registrar-ip.patch +++ /dev/null @@ -1,242 +0,0 @@ -From d4becf39196aa17583b02ad21cadcfe606d49a86 Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Tue, 28 May 2024 15:44:29 +0200 -Subject: [PATCH] config: Support hostnames in registrar_ip option - -This restores previous behavior where hostnames could be used to set the -'registrar_ip' configuration option. - -The configuration will try to parse the input configuration string as an -IP and in case of failure, try to parse the string as a hostname. - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - keylime-agent/src/config.rs | 9 ++- - keylime-agent/src/error.rs | 4 ++ - keylime-agent/src/registrar_agent.rs | 40 ++++++++---- - keylime/src/hostname.pest | 2 + - keylime/src/hostname_parser.rs | 94 ++++++++++++++++++++++++++++ - keylime/src/lib.rs | 1 + - 6 files changed, 136 insertions(+), 14 deletions(-) - create mode 100644 keylime/src/hostname.pest - create mode 100644 keylime/src/hostname_parser.rs - -diff --git a/keylime-agent/src/config.rs b/keylime-agent/src/config.rs -index 03a6fa57..7ed5c70f 100644 ---- a/keylime-agent/src/config.rs -+++ b/keylime-agent/src/config.rs -@@ -9,6 +9,7 @@ use config::{ - use glob::glob; - use keylime::{ - algorithms::{EncryptionAlgorithm, HashAlgorithm, SignAlgorithm}, -+ hostname_parser::parse_hostname, - ip_parser::parse_ip, - list_parser::parse_list, - }; -@@ -856,8 +857,12 @@ fn config_translate_keywords( - - let ip = parse_ip(config.agent.ip.as_ref())?.to_string(); - let contact_ip = parse_ip(config.agent.contact_ip.as_ref())?.to_string(); -- let registrar_ip = -- parse_ip(config.agent.registrar_ip.as_ref())?.to_string(); -+ let registrar_ip = match parse_ip(config.agent.registrar_ip.as_ref()) { -+ Ok(ip) => ip.to_string(), -+ Err(_) => { -+ parse_hostname(config.agent.registrar_ip.as_ref())?.to_string() -+ } -+ }; - - // Validate the configuration - -diff --git a/keylime-agent/src/error.rs b/keylime-agent/src/error.rs -index 73bbc1a1..c322dcd3 100644 ---- a/keylime-agent/src/error.rs -+++ b/keylime-agent/src/error.rs -@@ -47,6 +47,10 @@ pub(crate) enum Error { - Io(#[from] std::io::Error), - #[error("Failed to parse IP")] - IpParserError(#[from] keylime::ip_parser::IpParsingError), -+ #[error("Failed to parse hostname")] -+ HostnameParserError( -+ #[from] keylime::hostname_parser::HostnameParsingError, -+ ), - #[error("Text decoding error: {0}")] - Utf8(#[from] std::string::FromUtf8Error), - #[error("Secure Mount error: {0})")] -diff --git a/keylime-agent/src/registrar_agent.rs b/keylime-agent/src/registrar_agent.rs -index da75cf7e..0905ec19 100644 ---- a/keylime-agent/src/registrar_agent.rs -+++ b/keylime-agent/src/registrar_agent.rs -@@ -84,12 +84,20 @@ pub(crate) async fn do_activate_agent( - ) -> crate::error::Result<()> { - let data = Activate { auth_tag }; - -- // Add brackets if the address is IPv6 -- let parsed_ip = registrar_ip.parse::()?; -- let remote_ip = if parsed_ip.is_ipv6() { -- format!("[{registrar_ip}]") -- } else { -- registrar_ip.to_string() -+ let remote_ip = match registrar_ip.parse::() { -+ Ok(addr) => { -+ // Add brackets if the address is IPv6 -+ if addr.is_ipv6() { -+ format!("[{registrar_ip}]") -+ } else { -+ registrar_ip.to_string() -+ } -+ } -+ Err(_) => { -+ // The registrar_ip option can also be a hostname. If it is the case, the hostname was -+ // already validated during configuration -+ registrar_ip.to_string() -+ } - }; - - #[cfg(test)] -@@ -173,12 +181,20 @@ pub(crate) async fn do_register_agent( - port: Some(port), - }; - -- // Add brackets if the address is IPv6 -- let parsed_ip = registrar_ip.parse::()?; -- let remote_ip = if parsed_ip.is_ipv6() { -- format!("[{registrar_ip}]") -- } else { -- registrar_ip.to_string() -+ let remote_ip = match registrar_ip.parse::() { -+ Ok(addr) => { -+ // Add brackets if the address is IPv6 -+ if addr.is_ipv6() { -+ format!("[{registrar_ip}]") -+ } else { -+ registrar_ip.to_string() -+ } -+ } -+ Err(_) => { -+ // The registrar_ip option can also be a hostname. If it is the case, the hostname was -+ // already validated during configuration -+ registrar_ip.to_string() -+ } - }; - - #[cfg(test)] -diff --git a/keylime/src/hostname.pest b/keylime/src/hostname.pest -new file mode 100644 -index 00000000..6e7c54e4 ---- /dev/null -+++ b/keylime/src/hostname.pest -@@ -0,0 +1,2 @@ -+hostname = {SOI ~ label ~ ("." ~ label)* ~ EOI} -+label = { ASCII_ALPHANUMERIC+ ~ ("-"+ ~ ASCII_ALPHANUMERIC+)*} -diff --git a/keylime/src/hostname_parser.rs b/keylime/src/hostname_parser.rs -new file mode 100644 -index 00000000..dbf971a6 ---- /dev/null -+++ b/keylime/src/hostname_parser.rs -@@ -0,0 +1,94 @@ -+// SPDX-License-Identifier: Apache-2.0 -+// Copyright 2024 Keylime Authors -+ -+use pest::Parser; -+use pest_derive::Parser; -+use thiserror::Error; -+ -+#[derive(Parser)] -+#[grammar = "hostname.pest"] -+pub struct HostnameParser; -+ -+#[derive(Error, Debug)] -+pub enum HostnameParsingError { -+ #[error("Invalid input {0}")] -+ InvalidInput(String), -+ -+ #[error("failed to parse the input {input}")] -+ ParseError { -+ input: String, -+ source: Box>, -+ }, -+} -+ -+/// Parses a hostname from a string slice following RFC-1123 -+/// -+/// Valid hostnames are formed by labels separated by dots ('.'). -+/// -+/// The labels can only contain alphanumeric characters ('a'..'z' | 'A'..'Z' | '0'..'9') and the -+/// hyphen ('-'). The labels cannot begin or end with an hyphen. -+/// -+/// # Arguments -+/// -+/// * `hostname` the string to be parsed -+/// -+/// # Returns -+/// -+/// The obtained hostname as a &str if it is a valid hostname -+/// -+/// # Examples -+/// -+/// Valid hostnames: -+/// -+/// * `hostname` -+/// * `host-name` -+/// * `a.b.c` -+/// * `a-b.c-d.e-f` -+/// -+/// Invalid hostnames: -+/// -+/// * `a_b.c` -+/// * `a.b-.c` -+/// * `a.-b.c` -+pub fn parse_hostname(hostname: &str) -> Result<&str, HostnameParsingError> { -+ let Some(pair) = HostnameParser::parse(Rule::hostname, hostname) -+ .map_err(|e| HostnameParsingError::ParseError { -+ input: hostname.to_string(), -+ source: Box::new(e), -+ })? -+ .next() -+ else { -+ return Err(HostnameParsingError::InvalidInput(hostname.to_string())); -+ }; -+ return Ok(pair.as_str()); -+} -+ -+// Unit Testing -+#[cfg(test)] -+mod tests { -+ use super::*; -+ -+ #[test] -+ fn test_parse_hostname() { -+ // Sanity: most common case -+ assert_eq!(parse_hostname("hostname").unwrap(), "hostname"); //#[allow_ci] -+ assert_eq!(parse_hostname("ab.cd.ef").unwrap(), "ab.cd.ef"); //#[allow_ci] -+ assert_eq!(parse_hostname("ab-cd-ef").unwrap(), "ab-cd-ef"); //#[allow_ci] -+ -+ // More advanced cases -+ assert_eq!( -+ parse_hostname("hostname-123.test").unwrap(), //#[allow_ci] -+ "hostname-123.test" -+ ); -+ assert_eq!(parse_hostname("123-456.789").unwrap(), "123-456.789"); //#[allow_ci] -+ assert_eq!(parse_hostname("1----9").unwrap(), "1----9"); //#[allow_ci] -+ -+ // Invalid input -+ assert!(parse_hostname("-host-na.me").is_err()); -+ assert!(parse_hostname("host-na.me-").is_err()); -+ assert!(parse_hostname(".host-na.me").is_err()); -+ assert!(parse_hostname("host-na.me.").is_err()); -+ assert!(parse_hostname("host_name").is_err()); -+ assert!(parse_hostname("host..name").is_err()); -+ } -+} -diff --git a/keylime/src/lib.rs b/keylime/src/lib.rs -index 3f0213eb..791729e1 100644 ---- a/keylime/src/lib.rs -+++ b/keylime/src/lib.rs -@@ -1,5 +1,6 @@ - pub mod algorithms; - pub mod crypto; -+pub mod hostname_parser; - pub mod ima; - pub mod ip_parser; - pub mod list_parser; diff --git a/rust-keylime-unnecessary-qualifications.patch b/rust-keylime-unnecessary-qualifications.patch deleted file mode 100644 index 85de483..0000000 --- a/rust-keylime-unnecessary-qualifications.patch +++ /dev/null @@ -1,142 +0,0 @@ -From c91fba3382867737d194dfedf85cae7ee133c9e3 Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Wed, 8 May 2024 14:13:47 +0200 -Subject: [PATCH] Fix 'unnecessary qualification' warnings - -Newer versions of the rust compiler generates warnings when symbols are -over-specified. - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - keylime-agent/src/payloads.rs | 2 +- - keylime-agent/src/revocation.rs | 8 ++++---- - 2 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/keylime-agent/src/payloads.rs b/keylime-agent/src/payloads.rs -index 5c40125f..d42918c8 100644 ---- a/keylime-agent/src/payloads.rs -+++ b/keylime-agent/src/payloads.rs -@@ -222,7 +222,7 @@ async fn run_encrypted_payload( - let action_file = unzipped.join("action_list"); - - if action_file.exists() { -- let action_data = std::fs::read_to_string(&action_file) -+ let action_data = fs::read_to_string(&action_file) - .expect("unable to read action_list"); - - action_data -diff --git a/keylime-agent/src/revocation.rs b/keylime-agent/src/revocation.rs -index e5ffaade..c48116b1 100644 ---- a/keylime-agent/src/revocation.rs -+++ b/keylime-agent/src/revocation.rs -@@ -203,7 +203,7 @@ fn run_revocation_actions( - let action_file = unzipped.join("action_list"); - - if action_file.exists() { -- action_data = std::fs::read_to_string(&action_file) -+ action_data = fs::read_to_string(&action_file) - .expect("unable to read action_list"); - - let file_actions = parse_list(&action_data)?; -@@ -528,7 +528,7 @@ mod tests { - env!("CARGO_MANIFEST_DIR"), - "/tests/unzipped/test_ok.json" - ); -- let json_str = std::fs::read_to_string(json_file).unwrap(); //#[allow_ci] -+ let json_str = fs::read_to_string(json_file).unwrap(); //#[allow_ci] - let json = serde_json::from_str(&json_str).unwrap(); //#[allow_ci] - let actions_dir = - &Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/actions/"); -@@ -567,7 +567,7 @@ mod tests { - env!("CARGO_MANIFEST_DIR"), - "/tests/unzipped/test_err.json" - ); -- let json_str = std::fs::read_to_string(json_file).unwrap(); //#[allow_ci] -+ let json_str = fs::read_to_string(json_file).unwrap(); //#[allow_ci] - let json = serde_json::from_str(&json_str).unwrap(); //#[allow_ci] - let actions_dir = - &Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/actions/"); -@@ -602,7 +602,7 @@ mod tests { - let revocation_actions = "local_action_stand_alone.py, local_action_rev_script1.py"; - } - } -- let json_str = std::fs::read_to_string(json_file).unwrap(); //#[allow_ci] -+ let json_str = fs::read_to_string(json_file).unwrap(); //#[allow_ci] - let json = serde_json::from_str(&json_str).unwrap(); //#[allow_ci] - let actions_dir = - &Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/actions/"); -From 96d4bd4349518f173ede77cc5986e5e425f621ba Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Tue, 21 May 2024 15:55:36 +0200 -Subject: [PATCH] Fix leftover 'unnecessary qualification' warnings on tests - -Fix leftover 'unnecessary qualification' warnings generated when running -the tests ('cargo test --features=testing') with newer rust compilers. - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - keylime-agent/src/errors_handler.rs | 4 ++-- - keylime-agent/src/keys_handler.rs | 5 +---- - keylime-agent/src/main.rs | 4 ++-- - 3 files changed, 5 insertions(+), 8 deletions(-) - -diff --git a/keylime-agent/src/errors_handler.rs b/keylime-agent/src/errors_handler.rs -index b0fa4c24..48ea2ffb 100644 ---- a/keylime-agent/src/errors_handler.rs -+++ b/keylime-agent/src/errors_handler.rs -@@ -266,7 +266,7 @@ pub(crate) fn wrap_404( - #[cfg(test)] - mod tests { - use super::*; -- use actix_web::{middleware, test, App, Resource}; -+ use actix_web::{test, App, Resource}; - use core::future::Future; - use serde::{Deserialize, Serialize}; - use serde_json::{json, Value}; -@@ -379,7 +379,7 @@ mod tests { - let mut app = test::init_service( - App::new() - .wrap( -- middleware::ErrorHandlers::new() -+ ErrorHandlers::new() - .handler(http::StatusCode::NOT_FOUND, wrap_404), - ) - .app_data( -diff --git a/keylime-agent/src/keys_handler.rs b/keylime-agent/src/keys_handler.rs -index 6f4489d3..3407deeb 100644 ---- a/keylime-agent/src/keys_handler.rs -+++ b/keylime-agent/src/keys_handler.rs -@@ -970,10 +970,7 @@ mod tests { - - // Send Shutdown message to the workers for a graceful shutdown - keys_tx.send((KeyMessage::Shutdown, None)).await.unwrap(); //#[allow_ci] -- payload_tx -- .send(payloads::PayloadMessage::Shutdown) -- .await -- .unwrap(); //#[allow_ci] -+ payload_tx.send(PayloadMessage::Shutdown).await.unwrap(); //#[allow_ci] - arbiter.join(); - } - -diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs -index f0713f9b..77f84cd3 100644 ---- a/keylime-agent/src/main.rs -+++ b/keylime-agent/src/main.rs -@@ -1066,7 +1066,7 @@ mod testing { - - /// CryptoTest error - #[error("CryptoTestError")] -- CryptoTestError(#[from] crate::crypto::testing::CryptoTestError), -+ CryptoTestError(#[from] crypto::testing::CryptoTestError), - - /// IO error - #[error("IOError")] -@@ -1078,7 +1078,7 @@ mod testing { - - /// TPM error - #[error("TPMError")] -- TPMError(#[from] keylime::tpm::TpmError), -+ TPMError(#[from] tpm::TpmError), - - /// TSS esapi error - #[error("TSSError")] diff --git a/sources b/sources index a0fc54a..35b1662 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (rust-keylime-0.2.5-vendor.tar.xz) = 96aba845b075f2ff638a2f82da8606ed44d9df7084318ed9bbfa9b781df6b862b3b1c54b609333cfda8f42c168b2f211699e3d3a28b19cb4432b4b05db384d1e -SHA512 (v0.2.5.tar.gz) = 3f36e3e248ff29dcbcbe77516f4edad7fa15a4e2fbdff5bc488393bb562abcc7c976712bc8cbdb4b397ee571d8652d9d8ad1c18740c92c1458176f218d067d39 +SHA512 (rust-keylime-0.2.7-vendor.tar.xz) = 0359a2f95b6325f1cdcf24b54efb26d3cadff31e0a83c065cbca09cdfb5877a836364d68e9208eee498f41bc609b7312ff487fee923593e6af07201084a2b3e7 +SHA512 (v0.2.7.tar.gz) = 6a9f4e581aa49c8be1599d235a54c6a65d0f45340ef37c3d08124b75c4c5ca2b8467dc00cac8dfae5402b5690bb90fe69a994770fe2715de6e9d4070dabebb7d