keylimectl: Fix the API version detection for API < 3.0

ansasaki · ansasaki · commit d0f29739e918 · 2025-08-07T13:56:56.000+02:00
The old verifier replies with 200 OK to GET /v3.0/, even though it does
not support that version. To workaround this, first try the /version
endpoint and if the reply is 410 gone, then try the /v3.0/ endpoint to
confirm that it is a newer verifier.

Signed-off-by: Anderson Toshiyuki Sasaki &lt;ansasaki@redhat.com&gt;
diff --git a/keylimectl/src/client/verifier.rs b/keylimectl/src/client/verifier.rs
@@ -306,22 +306,20 @@ impl VerifierClient {
 
     /// Auto-detect and set the API version
     ///
-    /// Attempts to determine the verifier's API version by testing endpoint availability.
-    /// For API v3.0+, the /version endpoint was removed, so we test the versioned endpoints directly.
-    /// This follows the same pattern used in the rust-keylime agent's registrar client.
+    /// Implements a robust API version detection strategy that works with both old and new verifiers:
+    /// 1. First try `/version` endpoint - if it returns 410 Gone, we're likely talking to v3.0+ verifier
+    /// 2. If `/version` returns 410, confirm v3.0 support by testing `/v3.0/` endpoint
+    /// 3. If `/version` succeeds, use the returned version information
+    /// 4. If `/version` fails with other errors, fall back to testing individual versions
+    ///
+    /// This approach prevents false positives where old verifiers return 200 OK for `/v3.0/`
+    /// even though they don't actually support API v3.0.
     ///
     /// # Returns
     ///
     /// Returns `Ok(())` if version detection succeeded or failed gracefully.
     /// Returns `Err()` only for critical errors that prevent client operation.
     ///
-    /// # Behavior
-    ///
-    /// 1. For v3.0+: Tests `/v3.0/` endpoint availability directly (/version endpoint was removed)
-    /// 2. For v2.x: First tries `/version` endpoint, then falls back to endpoint testing
-    /// 3. On success, caches the detected version for future requests
-    /// 4. On complete failure, leaves default version unchanged
-    ///
     /// # Examples
     ///
     /// ```rust
@@ -339,39 +337,47 @@ impl VerifierClient {
     pub async fn detect_api_version(
         &mut self,
     ) -> Result<(), KeylimectlError> {
-        // Test each supported version from newest to oldest
-        for &api_version in SUPPORTED_API_VERSIONS.iter().rev() {
-            info!("Trying verifier API version {api_version}");
+        info!("Starting verifier API version detection");
+
+        // Step 1: Try the /version endpoint first
+        match self.get_verifier_api_version().await {
+            Ok(version) => {
+                info!("Successfully detected verifier API version from /version endpoint: {version}");
+                self.api_version = version;
+                return Ok(());
+            }
+            Err(KeylimectlError::Api { status: 410, .. }) => {
+                info!("/version endpoint returned 410 Gone - this indicates a v3.0+ verifier");
 
-            // For v3.0+, test the versioned root endpoint directly since /version was removed
-            if api_version.starts_with("3.") {
-                if self.test_api_version_v3(api_version).await.is_ok() {
-                    info!("Successfully detected verifier API version: {api_version}");
-                    self.api_version = api_version.to_string();
+                // Step 2: Confirm v3.0 support by testing the v3.0 endpoint
+                if self.test_api_version_v3("3.0").await.is_ok() {
+                    info!("Confirmed verifier supports API v3.0");
+                    self.api_version = "3.0".to_string();
                     return Ok(());
+                } else {
+                    warn!("Got 410 from /version but v3.0 endpoint test failed - falling back to version probing");
                 }
+            }
+            Err(e) => {
+                debug!("Failed to get version from /version endpoint ({e}), falling back to version probing");
+            }
+        }
+
+        // Step 3: Fall back to testing each version individually (newest to oldest)
+        info!("Falling back to individual version testing");
+        for &api_version in SUPPORTED_API_VERSIONS.iter().rev() {
+            debug!("Testing verifier API version {api_version}");
+
+            let version_works = if api_version.starts_with("3.") {
+                self.test_api_version_v3(api_version).await.is_ok()
             } else {
-                // For v2.x, try /version endpoint first for better version info
-                if api_version.starts_with("2.") {
-                    match self.get_verifier_api_version().await {
-                        Ok(version) => {
-                            info!("Detected verifier API version from /version endpoint: {version}");
-                            self.api_version = version;
-                            return Ok(());
-                        }
-                        Err(e) => {
-                            debug!("Failed to get version from /version endpoint: {e}");
-                            // Fall back to endpoint testing for this version
-                        }
-                    }
-                }
+                self.test_api_version(api_version).await.is_ok()
+            };
 
-                // Test this version by making a simple request
-                if self.test_api_version(api_version).await.is_ok() {
-                    info!("Successfully detected verifier API version: {api_version}");
-                    self.api_version = api_version.to_string();
-                    return Ok(());
-                }
+            if version_works {
+                info!("Successfully detected verifier API version: {api_version}");
+                self.api_version = api_version.to_string();
+                return Ok(());
             }
         }
 
@@ -2139,5 +2145,86 @@ mod tests {
             assert!(!url_v3.contains(agent_uuid));
             assert!(url_v3.ends_with("/agents/"));
         }
+
+        #[test]
+        fn test_api_version_detection_strategy() {
+            // Test the API version detection logic and priorities
+            let config = create_test_config();
+            let _client =
+                VerifierClient::new_without_version_detection(&config)
+                    .unwrap();
+
+            // Test that we correctly identify v3.0 scenarios
+            // This simulates the detection logic without making actual HTTP calls
+
+            // Scenario 1: /version returns 410 Gone (v3.0+ verifier)
+            let is_v3_indicator = true; // Simulates 410 response
+            assert!(
+                is_v3_indicator,
+                "410 Gone should indicate v3.0+ verifier"
+            );
+
+            // Scenario 2: /version succeeds (v2.x verifier)
+            let version_endpoint_works = true; // Simulates 200 OK with version info
+            assert!(
+                version_endpoint_works,
+                "/version success should indicate v2.x verifier"
+            );
+
+            // Test version parsing logic
+            let v3_version: f32 = "3.0".parse().unwrap();
+            let v2_version: f32 = "2.1".parse().unwrap();
+            assert!(v3_version >= 3.0, "v3.0 should be >= 3.0");
+            assert!(v2_version < 3.0, "v2.1 should be < 3.0");
+
+            // Test version ordering (newest first)
+            let versions: Vec<&str> =
+                SUPPORTED_API_VERSIONS.iter().rev().copied().collect();
+            assert_eq!(versions[0], "3.0", "Should try v3.0 first");
+            assert_eq!(versions[1], "2.3", "Should try v2.3 second");
+        }
+
+        #[test]
+        fn test_robust_version_detection_scenarios() {
+            // Test various scenarios for API version detection
+
+            // Scenario 1: Modern verifier (v3.0+)
+            // /version returns 410 Gone, /v3.0/ returns 200 OK
+            let version_410 = true;
+            let v3_endpoint_works = true;
+            let expected_modern = version_410 && v3_endpoint_works;
+            assert!(
+                expected_modern,
+                "Should detect v3.0 when /version=410 and /v3.0/ works"
+            );
+
+            // Scenario 2: Legacy verifier (v2.x)
+            // /version returns 200 OK with version info
+            let version_works = true;
+            let has_version_info = true;
+            let expected_legacy = version_works && has_version_info;
+            assert!(
+                expected_legacy,
+                "Should detect v2.x when /version works"
+            );
+
+            // Scenario 3: Problematic verifier
+            // /version returns 410 Gone, but /v3.0/ fails (misconfigured?)
+            let version_410_but_v3_fails = true;
+            let v3_endpoint_fails = true;
+            let needs_fallback =
+                version_410_but_v3_fails && v3_endpoint_fails;
+            assert!(needs_fallback, "Should fall back to individual testing when v3.0 test fails after 410");
+
+            // Scenario 4: Old verifier that responds 200 to /v3.0/ (false positive)
+            // This is prevented by testing /version first
+            let _old_verifier_responds_to_v3 = true; // This used to cause false positives
+            let version_endpoint_available = true; // But /version works, so we detect properly
+            let correct_detection = version_endpoint_available; // We use /version result, not /v3.0/
+            assert!(
+                correct_detection,
+                "Should use /version result even if /v3.0/ returns 200"
+            );
+        }
     }
 }
