get failed agents

Signed-off-by: Marek Safarik <[email protected]>

Author: Marek Safarik

.env.example

@@ -3,7 +3,7 @@
 # Keylime API endpoints
 KEYLIME_VERIFIER_URL=https://localhost:8881
 KEYLIME_REGISTRAR_URL=https://localhost:8891
-KEYLIME_API_VERSION=v2.3
+KEYLIME_API_VERSION=v2.4
 
 # TLS Configuration
 KEYLIME_TLS_ENABLED=true

backend/client.go

@@ -12,19 +12,14 @@ import (
 
 // newKeylimeClient creates HTTP client for Keylime API with mTLS support
 func newKeylimeClient(baseURL string) *KeylimeClient {
-	apiVersion := getEnv("KEYLIME_API_VERSION", "v2.3")
-
 	// Remove "http(s)://" prefix if present
 	baseURL = strings.TrimPrefix(baseURL, "https://")
 	baseURL = strings.TrimPrefix(baseURL, "http://")
 
-	// Check if TLS is enabled
-	tlsEnabled := getEnv("KEYLIME_TLS_ENABLED", "true") == "true"
-
 	var finalURL string
 	var httpClient *http.Client
 
-	if tlsEnabled {
+	if config.TLSEnabled {
 		finalURL = "https://" + strings.TrimSuffix(baseURL, "/")
 		tlsConfig := createTLSConfig()
 		httpClient = &http.Client{
@@ -39,22 +34,16 @@ func newKeylimeClient(baseURL string) *KeylimeClient {
 
 	return &KeylimeClient{
 		baseURL:    finalURL,
-		apiVersion: apiVersion,
+		apiVersion: config.APIVersion,
 		httpClient: httpClient,
 	}
 }
 
 // createTLSConfig creates TLS configuration with mTLS support
 // Equivalent to Python's HostNameIgnoreAdapter with SSL context
 func createTLSConfig() *tls.Config {
-	// Default certificate paths (same as Keylime default)
-	certDir := getEnv("KEYLIME_CERT_DIR", "/var/lib/keylime/cv_ca")
-	clientCert := getEnv("KEYLIME_CLIENT_CERT", certDir+"/client-cert.crt")
-	clientKey := getEnv("KEYLIME_CLIENT_KEY", certDir+"/client-private.pem")
-	caCert := getEnv("KEYLIME_CA_CERT", certDir+"/cacert.crt")
-
 	// Load client certificate and key
-	cert, err := tls.LoadX509KeyPair(clientCert, clientKey)
+	cert, err := tls.LoadX509KeyPair(config.ClientCert, config.ClientKey)
 	if err != nil {
 		log.Printf("Warning: Failed to load client certificate: %v", err)
 		log.Printf("Attempting to connect without client cert (may fail with mTLS servers)")
@@ -65,7 +54,7 @@ func createTLSConfig() *tls.Config {
 	}
 
 	// Load CA certificate
-	caCertPEM, err := os.ReadFile(caCert)
+	caCertPEM, err := os.ReadFile(config.CAPath)
 	if err != nil {
 		log.Printf("Warning: Failed to load CA certificate: %v", err)
 		log.Printf("Using system CA pool")
@@ -79,15 +68,12 @@ func createTLSConfig() *tls.Config {
 		}
 	}
 
-	// Check if hostname verification should be ignored
-	ignoreHostname := getEnv("KEYLIME_IGNORE_HOSTNAME", "true") == "true"
-
 	tlsConfig := &tls.Config{
 		Certificates: []tls.Certificate{cert},
 		RootCAs:      caCertPool,
 		// Ignore hostname verification (like Python's HostNameIgnoreAdapter)
 		// This is needed because Keylime certs often don't have correct hostname
-		InsecureSkipVerify: ignoreHostname,
+		InsecureSkipVerify: config.IgnoreHostname,
 	}
 
 	return tlsConfig
@@ -112,10 +98,3 @@ func (kc *KeylimeClient) Delete(endpoint string) (*http.Response, error) {
 	}
 	return kc.httpClient.Do(req)
 }
-
-func getEnv(key, defaultValue string) string {
-	if value := os.Getenv(key); value != "" {
-		return value
-	}
-	return defaultValue
-}

backend/main.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"log"
 	"net/http"
+	"os"
 
 	"github.com/joho/godotenv"
 	"github.com/modelcontextprotocol/go-sdk/mcp"
@@ -12,6 +13,8 @@ import (
 var (
 	keylimeVerifierClient  *KeylimeClient
 	keylimeRegistrarClient *KeylimeClient
+
+	config Config
 )
 
 func main() {
@@ -20,35 +23,58 @@ func main() {
 	if err1 != nil && err2 != nil {
 		log.Printf("No .env file found, using defaults")
 	}
-	verifierBaseURL := getEnv("KEYLIME_VERIFIER_URL", "https://localhost:8881")
-	registrarBaseURL := getEnv("KEYLIME_REGISTRAR_URL", "https://localhost:8891")
-	keylimeVerifierClient = newKeylimeClient(verifierBaseURL)
-	keylimeRegistrarClient = newKeylimeClient(registrarBaseURL)
+	loadConfig()
+	keylimeVerifierClient = newKeylimeClient(config.VerifierURL)
+	keylimeRegistrarClient = newKeylimeClient(config.RegistrarURL)
 
-	port := getEnv("PORT", "8080")
 	http.HandleFunc("/health", healthHandler)
 	http.HandleFunc("/agents", getAllAgentsHandler)
 
 	runMode := getEnv("RUN_MODE", "mcp")
 
 	if runMode == "http" {
 		// HTTP-only mode (for containers)
-		log.Printf("Starting HTTP server on :%s", port)
-		log.Fatal(http.ListenAndServe(":"+port, nil))
+		log.Printf("Starting HTTP server on :%s", config.Port)
+		log.Fatal(http.ListenAndServe(":"+config.Port, nil))
 	} else {
 		// MCP mode (for Claude Desktop)
 		go func() {
-			log.Printf("HTTP test server: http://localhost:%s", port)
-			if err := http.ListenAndServe(":"+port, nil); err != nil {
+			log.Printf("HTTP test server: http://localhost:%s", config.Port)
+			if err := http.ListenAndServe(":"+config.Port, nil); err != nil {
 				log.Printf("HTTP server error: %v", err)
 			}
 		}()
 
 		server := mcp.NewServer(&mcp.Implementation{Name: "Keylime", Version: "v1.0.0"}, nil)
 		mcp.AddTool(server, &mcp.Tool{Name: "Get_all_agents", Description: "Retrieves a list of all registered agent UUIDs"}, getAllAgents)
 		mcp.AddTool(server, &mcp.Tool{Name: "Get_agent_status", Description: "Retrieves the current status information for a specific agent identified by its UUID"}, getAgentStatus)
+		mcp.AddTool(server, &mcp.Tool{Name: "Get_failed_agents", Description: "Retrieves all agents currently in a failed operational state with their detailed status information including attestation history and failure reasons"}, getFailedAgents)
 		if err := server.Run(context.Background(), &mcp.StdioTransport{}); err != nil {
 			log.Fatal(err)
 		}
 	}
 }
+
+func loadConfig() {
+	certDir := getEnv("KEYLIME_CERT_DIR", "/home/msafarik/.keylime/certs") // TODO: Make this configurable or better way to set this (just for debugging purposes)
+
+	config = Config{
+		VerifierURL:    getEnv("KEYLIME_VERIFIER_URL", "https://localhost:8881"),
+		RegistrarURL:   getEnv("KEYLIME_REGISTRAR_URL", "https://localhost:8891"),
+		CertDir:        certDir,
+		TLSEnabled:     getEnv("KEYLIME_TLS_ENABLED", "true") == "true",
+		IgnoreHostname: getEnv("KEYLIME_IGNORE_HOSTNAME", "true") == "true",
+		APIVersion:     getEnv("KEYLIME_API_VERSION", "v2.3"),
+		ClientCert:     getEnv("KEYLIME_CLIENT_CERT", certDir+"/client-cert.crt"),
+		ClientKey:      getEnv("KEYLIME_CLIENT_KEY", certDir+"/client-private.pem"),
+		CAPath:         getEnv("KEYLIME_CA_CERT", certDir+"/cacert.crt"),
+		Port:           getEnv("PORT", "8080"),
+	}
+}
+
+func getEnv(key, defaultValue string) string {
+	if value := os.Getenv(key); value != "" {
+		return value
+	}
+	return defaultValue
+}

backend/server

@@ -63,3 +63,66 @@ func getAgentStatus(ctx context.Context, req *mcp.CallToolRequest, input getAgen
 		LastEventID:                 agentStatus.Results.LastEventID,
 	}, nil
 }
+
+func getFailedAgents(ctx context.Context, req *mcp.CallToolRequest, input getFailedAgentsInput) (
+	*mcp.CallToolResult,
+	getFailedAgentsOutput,
+	error,
+) {
+	resp, err := keylimeRegistrarClient.Get("agents")
+	if err != nil {
+		log.Printf("Error fetching agents: %v", err)
+		return nil, getFailedAgentsOutput{}, err
+	}
+	defer resp.Body.Close()
+
+	var agents keylimeAgentListResponse
+	err = json.NewDecoder(resp.Body).Decode(&agents)
+	if err != nil {
+		log.Printf("Error decoding agents: %v", err)
+		return nil, getFailedAgentsOutput{}, err
+	}
+
+	var failedAgents getFailedAgentsOutput
+	for _, agentUUID := range agents.Results.UUIDs {
+		agentResp, err := keylimeVerifierClient.Get(fmt.Sprintf("agents/%s", agentUUID))
+		if err != nil {
+			log.Printf("Error fetching agent status: %v", err)
+			return nil, getFailedAgentsOutput{}, err
+		}
+
+		var agentStatus keylimeAgentStatusResponse
+		err = json.NewDecoder(agentResp.Body).Decode(&agentStatus)
+		agentResp.Body.Close() // Close immediately after use
+
+		if err != nil {
+			log.Printf("Error decoding agent status: %v", err)
+			return nil, getFailedAgentsOutput{}, err
+		}
+
+		// Check if agent is in failed state
+		if agentStatus.Results.OperationalState == StateFailed {
+			failedAgents.FailedAgents = append(failedAgents.FailedAgents, getAgentStatusOutput{
+				AgentUUID:                   agentUUID,
+				OperationalState:            agentStatus.Results.OperationalState,
+				OperationalStateDescription: stateToString(agentStatus.Results.OperationalState),
+				IP:                          agentStatus.Results.IP,
+				Port:                        agentStatus.Results.Port,
+				AttestationCount:            agentStatus.Results.AttestationCount,
+				LastReceivedQuote:           agentStatus.Results.LastReceivedQuote,
+				LastSuccessfulAttestation:   agentStatus.Results.LastSuccessfulAttestation,
+				SeverityLevel:               agentStatus.Results.SeverityLevel,
+				LastEventID:                 agentStatus.Results.LastEventID,
+				HashAlgorithm:               agentStatus.Results.HashAlg,
+				EncryptionAlgorithm:         agentStatus.Results.EncAlg,
+				SigningAlgorithm:            agentStatus.Results.SignAlg,
+				VerifierID:                  agentStatus.Results.VerifierID,
+				VerifierAddress:             fmt.Sprintf("%s:%d", agentStatus.Results.VerifierIP, agentStatus.Results.VerifierPort),
+				HasMeasuredBoot:             agentStatus.Results.HasMbRefstate != 0,
+				HasRuntimePolicy:            agentStatus.Results.HasRuntimePolicy != 0,
+			})
+		}
+	}
+
+	return nil, failedAgents, nil
+}

backend/tools.go

@@ -38,6 +38,20 @@ func stateToString(state int) string {
 	return "Unknown"
 }
 
+type Config struct {
+	VerifierURL    string
+	RegistrarURL   string
+	CertDir        string
+	TLSEnabled     bool
+	IgnoreHostname bool
+
+	APIVersion string
+	ClientCert string
+	ClientKey  string
+	CAPath     string
+	Port       string
+}
+
 type HealthResponse struct {
 	Status  string `json:"status"`
 	Service string `json:"service"`
@@ -93,6 +107,42 @@ type keylimeAgentStatusResponse struct {
 	} `json:"results"`
 }
 
+type getFailedAgentsInput struct{}
+
+type verifierAgentStatusResponse struct {
+	Code    int    `json:"code"`
+	Status  string `json:"status"`
+	Results struct {
+		OperationalState          int      `json:"operational_state"`
+		V                         string   `json:"v"`
+		IP                        string   `json:"ip"`
+		Port                      int      `json:"port"`
+		TPMPolicy                 string   `json:"tpm_policy"`
+		VTPMPolicy                string   `json:"vtpm_policy"`
+		MetaData                  string   `json:"meta_data"`
+		HasMbRefstate             int      `json:"has_mb_refstate"`
+		HasRuntimePolicy          int      `json:"has_runtime_policy"`
+		AcceptTPMHashAlgs         []string `json:"accept_tpm_hash_algs"`
+		AcceptTPMEncryptionAlgs   []string `json:"accept_tpm_encryption_algs"`
+		AcceptTPMSigningAlgs      []string `json:"accept_tpm_signing_algs"`
+		HashAlg                   string   `json:"hash_alg"`
+		EncAlg                    string   `json:"enc_alg"`
+		SignAlg                   string   `json:"sign_alg"`
+		VerifierID                string   `json:"verifier_id"`
+		VerifierIP                string   `json:"verifier_ip"`
+		VerifierPort              int      `json:"verifier_port"`
+		SeverityLevel             int      `json:"severity_level"`
+		LastEventID               string   `json:"last_event_id"`
+		AttestationCount          int      `json:"attestation_count"`
+		LastReceivedQuote         int      `json:"last_received_quote"`
+		LastSuccessfulAttestation int      `json:"last_successful_attestation"`
+	} `json:"results"`
+}
+
+type getFailedAgentsOutput struct {
+	FailedAgents []getAgentStatusOutput `json:"failed_agents"`
+}
+
 type getAgentStatusInput struct {
 	AgentUUID string `json:"agent_uuid"`
 }