keylimectl: A replacement for `keylime_tenant` in rust #1068

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Draft

ansasaki wants to merge 28 commits into keylime:master from ansasaki:keylimectl

Contributor

ansasaki commented Aug 4, 2025 •

edited

Loading

Disclaimer: this is an AI generated rewrite. We should be careful reviewing it.

Adds a modern Rust replacement for keylime_tenant with full API compatibility and improved usability.

Features

Agent Management: add, remove, update, status, reactivate commands
Policy Management: runtime and measured boot policy CRUD operations
Resource Listing: agents, policies with detailed/basic views
Multi-format Output: JSON, table, YAML with configurable verbosity
Robust Error Handling: typed errors with context and retry logic
TLS Support: mutual authentication with certificate validation
Configuration: file-based config with CLI overrides

Implementation

8,512 lines of documented Rust code
158 comprehensive unit tests (100% pass rate)
0 clippy warnings, full type safety
Modular architecture with proper abstractions
IPv6 support and exponential backoff retry

Usage

keylimectl agent add <uuid> --ip 192.168.1.100 --port 9002
keylimectl policy create web-policy --file policy.json
keylimectl list agents --detailed

Replaces Python keylime_tenant while maintaining backward compatibility.

ansasaki marked this pull request as draft

August 4, 2025 12:04

ansasaki requested review from sergio-correia and sarroutbi

August 4, 2025 12:09

keylime-bot assigned sergio-correia and sarroutbi

ansasaki force-pushed the keylimectl branch 2 times, most recently from b55ee8e to da44cbc Compare

August 4, 2025 15:43

codecov bot commented Aug 5, 2025 •

edited

Loading

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 44.59%. Comparing base (cbf60a7) to head (dbe4a6c).

Files with missing lines	Patch %	Lines
keylime-push-model-agent/src/attestation.rs	0.00%	1 Missing ⚠️

Additional details and impacted files

Flag	Coverage Δ
e2e-testsuite	`44.59% <0.00%> (-14.34%)`	⬇️
upstream-unit-tests	`44.59% <0.00%> (-14.34%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
keylime-push-model-agent/src/struct_filler.rs	`0.00% <ø> (-23.63%)`	⬇️
keylime-push-model-agent/src/attestation.rs	`0.00% <0.00%> (-45.66%)`	⬇️

... and 49 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

ansasaki force-pushed the keylimectl branch 3 times, most recently from 7cd11bf to 9609be7 Compare

August 7, 2025 10:19

ansasaki added 19 commits

August 27, 2025 11:34


          Initial implementation of add and delete commands

8e2cc6d

Assisted-by: Claude 4 Sonnet
Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: documentation and tests improvement

d117284

Also fixed linting issues reported by clippy

Assisted-by: Claude 4 Sonnet
Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Implement measured-boot command

58081f6

Assisted-by: Claude 4 Sonnet
Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: test and document remaining commands

f9d1370

Test and document list, measured_boot, and policy commands.

Assisted-by: Claude 4 Sonnet
Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: fix linting warnings

2f03250

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Make configuration file optional

cdb0e0c

When the configuration file is not found, use the default values.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Use keylimectl.conf instead of tenant.conf

31776f8

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Add example configuration file

d65d692

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: add support for multiple API versions

a885cc4

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Use default TLS keys and certificates

50f6229

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimeclt: Add communication with agent for API < 3.0

09dbfcf

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: refactor client and error handling

f5990bb

Use a common client implementation and make error handling uniform
throughout the code.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Integrate builder usage and cleanup

722fe86

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Remove more unused code

8e0eb72

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Disable hostname checking in clients

dd0e070

This is necessary because keylime certificates don't properly set the
Subject Alternative Name (SAN).

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Remove UUID format enforcing

735fe40

The agent UUID was enforced to be a well formed UUID, but the agent ID
can be any string.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Fix agent retrieval from registrar

ec251e1

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimeclt: add support for --tpm-policy

17cf9c6

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: use structures instead of building JSON ad-hoc

aec5e24

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>

ansasaki added 9 commits

August 27, 2025 11:34


          keylimeclt: Fix requests for API version 3.0

a046961

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Fix API 3.0 detection on verifier

3c1e85c

The /version endpoint was removed. To test if the API version is
supported, the applications should try a GET request to the /v3.0/
endpoint instead.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Add debug messages with requests info

ce9403a

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Fix agent add URL for API version 3.0

efab371

In version 3.0, the add operation should make a POST request to the
/v3.0/agents/ without the ID of the agent being added.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Fix the API version detection for API < 3.0

fbac27f

The old verifier replies with 200 OK to GET /v3.0/, even though it does
not support that version. To workaround this, first try the /version
endpoint and if the reply is 410 gone, then try the /v3.0/ endpoint to
confirm that it is a newer verifier.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Fix API version detection on agent

d9bc8f3

Use the response from /version endpoint instead of trying all the API
versions right away.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          keylimectl: Fix agent add operation

c460d31

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>


          bump cargo.lock

d244ee8


          Fix clippy warnings

dbe4a6c

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>

ansasaki force-pushed the keylimectl branch from e256703 to dbe4a6c Compare

August 27, 2025 09:40

ansasaki mentioned this pull request

Meeting 27/08/2025 keylime/meetings#91

Open

30 tasks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet