Fix push agent installation in containers

kkaarreell · kkaarreell · commit e39b435321c9 · 2025-12-04T20:13:43.000+01:00
diff --git a/Library/test-helpers/lime_con_install_upstream.sh b/Library/test-helpers/lime_con_install_upstream.sh
@@ -92,23 +92,16 @@ RPMPKG=$( awk '/Wrote:/ { print $2 }' build.log )
 rpm -ivh $RPMPKG
 
 # enable rust agent COPR repo and install agent
-cat > /etc/yum.repos.d/copr-rust-keylime-master.repo <<_EOF
-[copr-rust-keylime-master]
-name=Copr repo for keylime-rust-keylime-master owned by packit
-baseurl=https://download.copr.fedorainfracloud.org/results/packit/keylime-rust-keylime-master/fedora-\$releasever-\$basearch/
-type=rpm-md
-skip_if_unavailable=True
-gpgcheck=1
-gpgkey=https://download.copr.fedorainfracloud.org/results/packit/keylime-rust-keylime-master/pubkey.gpg
-repo_gpgcheck=0
-enabled=1
-enabled_metadata=1
-priority=1
-_EOF
-sed -i 's|keylime-rust-keylime-master/fedora|keylime-rust-keylime-master/centos-stream|' /etc/yum.repos.d/copr-rust-keylime-master.repo
-yum -y install keylime-agent-rust
+if [ -f /etc/fedora-release ]; then
+    dnf -y copr enable packit/keylime-rust-keylime-master-fedora
+else
+    _MAJOR=$( rpm -q --qf '%{VERSION}' centos-stream-release | cut -d '.' -f 1 )
+    _ARCH=$( arch )
+    dnf -y copr enable packit/keylime-rust-keylime-master-centos centos-stream-${_MAJOR}-${_ARCH}
+fi
+yum -y install keylime-agent-rust keylime-agent-rust-push
 curl -o /etc/keylime/keylime-agent.conf https://raw.githubusercontent.com/keylime/rust-keylime/master/keylime-agent.conf
-mkdir -p /etc/systemd/system/keylime_agent.service.d
+mkdir -p /etc/systemd/system/keylime_agent.service.d /etc/systemd/system/keylime_push_model_agent.service.d
 mkdir -p /etc/keylime/agent.conf.d
 
 # fix conf file ownership
diff --git a/container/functional/keylime_agent_container-basic-attestation/main.fmf b/container/functional/keylime_agent_container-basic-attestation/main.fmf
@@ -21,7 +21,7 @@ require:
   - podman
 recommend:
   - keylime
-duration: 10m
+duration: 15m
 enabled: true
 adjust:
   - when: swtpm != yes
diff --git a/container/functional/keylime_agent_container-basic-attestation/test.sh b/container/functional/keylime_agent_container-basic-attestation/test.sh
@@ -50,6 +50,7 @@ rlJournalStart
             rlRun "limeUpdateConf verifier challenge_lifetime 1800"
             rlRun "limeUpdateConf agent attestation_interval_seconds 10"
             rlRun "limeUpdateConf agent tls_accept_invalid_hostnames true"
+            rlRun "limeUpdateConf agent verifier_url '\"https://$SERVER_IP:8881\"'"
         fi
 
         # start tpm emulator
@@ -121,41 +122,59 @@ rlJournalStart
 
     rlPhaseStartTest "Add keylime agents"
         rlRun -s "keylime_tenant -v $SERVER_IP  -t $IP_AGENT_FIRST -u $AGENT_ID_FIRST --runtime-policy policy1.json -f /etc/hosts -c add ${TENANT_ARGS}"
-        rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST 'Get Quote'"
+        if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+            rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_FIRST 'PASS'"
+        else
+            rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST 'Get Quote'"
+        fi
         rlRun -s "keylime_tenant -c cvlist"
         rlAssertGrep "{'code': 200, 'status': 'Success', 'results': {'uuids':.*'$AGENT_ID_FIRST'" $rlRun_LOG -E
         #check second agent
         rlRun -s "keylime_tenant -v $SERVER_IP  -t $IP_AGENT_SECOND -u $AGENT_ID_SECOND --runtime-policy policy2.json -f /etc/hosts -c add ${TENANT_ARGS}"
-        rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+        if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+            rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_SECOND 'PASS'"
+        else
+            rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+        fi
     rlPhaseEnd
 
     rlPhaseStartTest "Execute good scripts"
         rlRun "$TESTDIR_FIRST/good-script.sh"
         rlRun "$TESTDIR_SECOND/good-script.sh"
-        sleep 5
-        rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST 'Get Quote'"
-        rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+        sleep $limeTimeout
+        if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+            rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_FIRST 'PASS'"
+            rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_SECOND 'PASS'"
+        else
+            rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST 'Get Quote'"
+            rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+        fi
     rlPhaseEnd
 
-
     rlPhaseStartTest "Fail first keylime agent and check second"
         rlRun "echo -e '#!/bin/bash\necho boom' > $TESTDIR_FIRST/bad-script.sh && chmod a+x $TESTDIR_FIRST/bad-script.sh"
         rlRun "$TESTDIR_FIRST/bad-script.sh"
-        rlRun "rlWaitForCmd 'tail -30 \$(limeVerifierLogfile) | grep -q \"Agent $AGENT_ID_FIRST failed\"' -m 30 -d 2 -t 60"
-        rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST '(Failed|Invalid Quote)'"
+        rlRun "rlWaitForCmd 'tail -30 \$(limeVerifierLogfile) | grep -Eiq \"Agent.*$AGENT_ID_FIRST.*failed\"' -m 30 -d 2 -t 60"
         rlAssertGrep "WARNING - File not found in allowlist: $TESTDIR_FIRST/bad-script.sh" $(limeVerifierLogfile)
-        rlAssertGrep "WARNING - Agent $AGENT_ID_FIRST failed, stopping polling" $(limeVerifierLogfile)
-        #check status of first agent
-        rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+        if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+            rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_FIRST 'FAIL'"
+            rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_SECOND 'PASS'"
+        else
+            rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST '(Failed|Invalid Quote)'"
+            rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+        fi
     rlPhaseEnd
 
     rlPhaseStartTest "Fail second keylime agent"
         rlRun "echo -e '#!/bin/bash\necho boom' > $TESTDIR_SECOND/bad-script.sh && chmod a+x $TESTDIR_SECOND/bad-script.sh"
         rlRun "$TESTDIR_SECOND/bad-script.sh"
-        rlRun "rlWaitForCmd 'tail -30 \$(limeVerifierLogfile) | grep -q \"Agent $AGENT_ID_SECOND failed\"' -m 30 -d 2 -t 60"
-        rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND '(Failed|Invalid Quote)'"
+        rlRun "rlWaitForCmd 'tail -30 \$(limeVerifierLogfile) | grep -Eiq \"Agent.*$AGENT_ID_SECOND.*failed\"' -m 30 -d 2 -t 60"
         rlAssertGrep "WARNING - File not found in allowlist: $TESTDIR_SECOND/bad-script.sh" $(limeVerifierLogfile)
-        rlAssertGrep "WARNING - Agent $AGENT_ID_SECOND failed, stopping polling" $(limeVerifierLogfile)
+        if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+            rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_SECOND 'FAIL'"
+        else
+            rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND '(Failed|Invalid Quote)'"
+        fi
     rlPhaseEnd
 
     rlPhaseStartCleanup "Do the keylime cleanup"
