Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Call revocation actions #159

Merged
merged 1 commit into from
Feb 23, 2021
Merged

Call revocation actions #159

merged 1 commit into from
Feb 23, 2021

Conversation

lkatalin
Copy link
Contributor

@lkatalin lkatalin commented Feb 10, 2021
edited
Loading

This code runs those revocation scripts which were sent by the tenant and can be accessed from the secure mount point post-attestation.

I've decided not to check whether the revocation scripts begin with local_action, since they are all listed in action_list anyhow. But if someone has a reason that they should be marked that way, I can add this check back again.

I had a few other thoughts and questions inline marked with TODO and would love some suggestions on those points. The most important being: If these scripts don't run for whatever reason (ex. the Python version was too old), is that detected in some other part of the code? It seems like we would want a guarantee that a node can't continue to be in the cluster if it doesn't run the scripts, since it could still be in communication with the compromised node, for example.

@lkatalin lkatalin force-pushed the revactions branch 2 times, most recently from 2a0879c to f7e7180 Compare February 10, 2021 22:49
@lkatalin lkatalin force-pushed the revactions branch 3 times, most recently from 7b55ede to 2693f38 Compare February 12, 2021 23:23
@lkatalin lkatalin marked this pull request as ready for review February 12, 2021 23:33
ashcrow
ashcrow reviewed Feb 16, 2021
View reviewed changes
Copy link
Contributor

@ashcrow ashcrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like great progress!! 😄

src/revocation.rs Outdated Show resolved Hide resolved
src/revocation.rs Show resolved Hide resolved
src/revocation.rs Outdated Show resolved Hide resolved
lukehinds
lukehinds reviewed Feb 17, 2021
View reviewed changes
Copy link
Member

@lukehinds lukehinds left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is looking good to me. It would be nice to have some tests, just trying to think how we can do that. Not sure if we need to mock or can rely on the CI containers having a py env.

@lkatalin lkatalin force-pushed the revactions branch 5 times, most recently from 4e55d27 to 1067596 Compare February 17, 2021 21:33
@lkatalin
Copy link
Contributor Author

lkatalin commented Feb 17, 2021
edited
Loading

This is looking good to me. It would be nice to have some tests, just trying to think how we can do that. Not sure if we need to mock or can rely on the CI containers having a py env.

@lukehinds This is a good point and I'm adding some unit tests. They pass locally, but as you pointed out, there is a problem with not having Python in the CI container. I'm going to try to fix this in a separate PR because it is proving to be tricky.
Edit: not sure what was going on earlier, but it looks like it works now.

lkatalin
lkatalin commented Feb 17, 2021
View reviewed changes
src/revocation.rs Outdated Show resolved Hide resolved
@lkatalin lkatalin requested a review from ashcrow February 17, 2021 21:53
ashcrow
ashcrow reviewed Feb 17, 2021
View reviewed changes
src/main.rs Outdated Show resolved Hide resolved
@lkatalin
Copy link
Contributor Author

@ashcrow @lukehinds I will have to figure out this CI failure tomorrow (not able to replicated it locally) and might add some more unit tests, but was wondering if you have other comments on how it works currently. Thanks.

@lkatalin lkatalin force-pushed the revactions branch 3 times, most recently from d1cfb6a to 7725ccd Compare February 19, 2021 23:30
@lkatalin lkatalin force-pushed the revactions branch 3 times, most recently from d7ceb56 to 4b33cc8 Compare February 20, 2021 00:58
@lkatalin
Copy link
Contributor Author

Tests passing again!

ashcrow
ashcrow reviewed Feb 22, 2021
View reviewed changes
src/revocation.rs Outdated Show resolved Hide resolved
@lkatalin lkatalin force-pushed the revactions branch 2 times, most recently from 8e0eeb9 to af04103 Compare February 22, 2021 18:47
ashcrow
ashcrow reviewed Feb 22, 2021
View reviewed changes
src/revocation.rs Outdated Show resolved Hide resolved
@lkatalin lkatalin force-pushed the revactions branch 2 times, most recently from 0ad6fe3 to 5e029f5 Compare February 22, 2021 21:16
@lkatalin
Call revocation actions
7df05e3 
Signed-off-by: Lily Sturmann <[email protected]>
@lkatalin lkatalin requested a review from ashcrow February 22, 2021 22:17
@ashcrow
Copy link
Contributor

ashcrow commented Feb 22, 2021
edited
Loading

Let us know once you're ready for a re-review!! Never mind -- I see it now 😄

ashcrow
ashcrow approved these changes Feb 22, 2021
View reviewed changes
Copy link
Contributor

@ashcrow ashcrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 😄

src/revocation.rs

let mut outputs = Vec::new();

if Path::new(&action_file).exists() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

future: It may make sense to load this once rather than when we run revocations. However, I believe this is fine and may be what we want long term depending on the expectations of the users.

@lukehinds
Copy link
Member

looks good to me , @lkatalin you can self merge if you like (just in case you have further tweaks).

@lkatalin lkatalin merged commit 57c39a5 into keylime:master Feb 23, 2021
@lkatalin lkatalin mentioned this pull request Feb 23, 2021
Closed
@lkatalin lkatalin deleted the revactions branch July 16, 2021 17:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lukehinds lukehinds lukehinds approved these changes

@ashcrow ashcrow ashcrow approved these changes

@puiterwijk puiterwijk Awaiting requested review from puiterwijk

Assignees

@ashcrow ashcrow

@puiterwijk puiterwijk

@lukehinds lukehinds

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@lkatalin @ashcrow @lukehinds @puiterwijk