@sergio-correia

Here we integrated authentication middleware into ResilientClient with automatic token
management and refresh, establishing an authentication system that transparently handles
TPM-based challenge-response authentication for HTTP clients.

@sergio-correia sergio-correia marked this pull request as draft September 3, 2025 11:12

codecov bot commented Sep 3, 2025

Codecov Report

❌ Patch coverage is 38.46154% with 408 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.39%. Comparing base (fb2b083) to head (a4dc10f).
⚠️ Report is 3 commits behind head on master.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| keylime/src/auth.rs | 44.59% | 205 Missing ⚠️ |
| keylime/src/resilient_client.rs | 44.52% | 76 Missing ⚠️ |
| keylime/src/context_info.rs | 5.08% | 56 Missing ⚠️ |
| keylime/src/error.rs | 23.68% | 29 Missing ⚠️ |
| keylime-push-model-agent/src/attestation.rs | 31.81% | 15 Missing ⚠️ |
| keylime-push-model-agent/src/main.rs | 13.33% | 13 Missing ⚠️ |
| keylime/src/structures/sessions.rs | 22.22% | 7 Missing ⚠️ |
| keylime-push-model-agent/src/state_machine.rs | 0.00% | 6 Missing ⚠️ |
| keylime/src/https_client.rs | 0.00% | 1 Missing ⚠️ |

Additional details and impacted files

| Flag | Coverage Δ |
|---|---|
| e2e-testsuite | 57.39% <38.46%> (-0.79%) ⬇️ |
| upstream-unit-tests | 57.39% <38.46%> (-0.79%) ⬇️ |

| Files with missing lines | Coverage Δ |
|---|---|
| keylime-push-model-agent/src/struct_filler.rs | 25.43% <ø> (ø) |
| keylime-push-model-agent/src/url_selector.rs | 67.03% <100.00%> (+0.02%) ⬆️ |
| keylime/src/config/base.rs | 87.16% <100.00%> (+0.17%) ⬆️ |
| keylime/src/config/push_model.rs | 60.00% <ø> (ø) |
| keylime/src/https_client.rs | 27.77% <0.00%> (+2.13%) ⬆️ |
| keylime-push-model-agent/src/state_machine.rs | 17.31% <0.00%> (-0.61%) ⬇️ |
| keylime/src/structures/sessions.rs | 22.22% <22.22%> (ø) |
| keylime-push-model-agent/src/main.rs | 37.07% <13.33%> (-4.82%) ⬇️ |
| keylime-push-model-agent/src/attestation.rs | 42.94% <31.81%> (-1.82%) ⬇️ |
| keylime/src/error.rs | 9.02% <23.68%> (+1.08%) ⬆️ |

... and 3 more

... and 7 files with indirect coverage changes

@sergio-correia sergio-correia force-pushed the pop-auth-integration branch 2 times, most recently from f66734d to 9dc6ee9 Compare September 4, 2025 06:58
@ansasaki ansasaki mentioned this pull request Sep 24, 2025
30 tasks
@sergio-correia sergio-correia force-pushed the pop-auth-integration branch 2 times, most recently from d3cce05 to d1973c2 Compare November 11, 2025 00:17
@sergio-correia sergio-correia marked this pull request as ready for review November 11, 2025 01:32

@sarroutbi sarroutbi left a comment

Thanks for the PR. Changes LGTM

Implement complete authentication system with challenge-response protocol,
TPM2_Certify-based proof-of-possession, automatic token management, and
configurable TLS security (secure by default).

- AuthenticationClient with configurable API versioning (default: v3.0)
- Authentication middleware for ResilientClient with auto token refresh
- Async TPM operations trait with mock and real implementations
- JSON:API compliant serialization and graceful unenrolled agent handling
- Automatic retry with exponential backoff on authentication failures
- Configurable TLS certificate validation (default: secure, opt-in insecure for testing)
- Security warnings emitted once at agent startup when insecure TLS settings enabled

Assisted-by: Claude 4 Sonnet
Signed-off-by: Sergio Correia <[email protected]>

Enhance authentication middleware with precise endpoint detection and
structured error types for better debugging and error handling.

Middleware improvements:
- Segment-based path matching instead of string contains
- Match "sessions" only as last or second-to-last path segment
- Prevents false positives on URLs like /users/sessions_count

Error handling improvements:
- AuthError enum with specific variants per failure mode
- is_retryable() method for intelligent retry logic
- Captures HTTP status codes and response bodies for debugging
- Backwards compatible with anyhow::Result

Assisted-by: Claude 4 Sonnet
Signed-off-by: Sergio Correia <[email protected]>

Enhanced documentation and warnings for better developer understanding.

Challenge encoding:
- Improved warning when challenge is not valid base64
- Show base64 decode error and challenge preview for debugging
- Clarify UTF-8 fallback is for testing/backwards compatibility

Async TPM operations:
- Document async/sync bridge pattern using spawn_blocking
- Explain runtime requirements (tokio runtime, blocking thread pool)
- Clarify why TPM operations need blocking threads (hardware I/O, sync API)
- Document error handling for both task panics and TPM failures

Assisted-by: Claude 4 Sonnet
Signed-off-by: Sergio Correia <[email protected]>
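
The segment-based endpoint detection described in the middleware commit message above, as an added example that is not code from this pull request: it contrasts a substring check with one that accepts `sessions` only as the last or second-to-last path segment. The function names, hosts and the `/v3.0/...` path layout are assumptions made for illustration.

```rust
/// Substring check on the whole URL (the approach the commit message replaces).
fn naive_is_sessions(url: &str) -> bool {
    url.contains("sessions")
}

/// Segment-based check: "sessions" must be the last path segment
/// (e.g. /v3.0/sessions) or the second-to-last (e.g. /v3.0/sessions/42).
fn is_sessions_endpoint(url: &str) -> bool {
    // Drop query string and fragment first so "?next=/sessions" cannot match.
    let no_query = url.split(|c: char| c == '?' || c == '#').next().unwrap_or("");
    // For absolute URLs, skip scheme and authority so a host named "sessions" cannot match.
    let path = match no_query.split_once("://") {
        Some((_, rest)) => rest.find('/').map_or("", |i| &rest[i..]),
        None => no_query,
    };
    // Empty segments (leading, trailing or doubled slashes) are ignored.
    let segs: Vec<&str> = path.split('/').filter(|s| !s.is_empty()).collect();
    let n = segs.len();
    (n >= 1 && segs[n - 1] == "sessions") || (n >= 2 && segs[n - 2] == "sessions")
}

/// URLs the substring check would classify as the sessions endpoint
/// but the segment-based check rejects.
fn false_positives<'a>(urls: &[&'a str]) -> Vec<&'a str> {
    urls.iter()
        .copied()
        .filter(|u| naive_is_sessions(u) && !is_sessions_endpoint(u))
        .collect()
}

fn main() {
    // Constructed sample URLs; hosts and paths are illustrative only.
    let urls = [
        "/v3.0/sessions",
        "/v3.0/sessions/42",
        "https://verifier.example:8881/v3.0/sessions/?x=1",
        "/users/sessions_count",
        "/v3.0/sessions/42/evidence",
        "https://sessions/v3.0/agents",
        "/v3.0/agents?next=/sessions",
    ];
    for u in urls.iter() {
        println!("{:<50} naive={:<5} segment={}", u, naive_is_sessions(u), is_sessions_endpoint(u));
    }
    println!("substring-only false positives: {:?}", false_positives(&urls));
}
```
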
@sergio-correia sergio-correia merged commit e5e343f into keylime:master Nov 20, 2025
14 of 15 checks passed