kbs_protocol: handle ProtocolVersion error

The RCAR client code currently ignores any errors for "request". Such errors can still happen, e.g., when 'version' field is rejected by KBS. Without catching errors we try to decode the Challenge json body but it actually contains the error information in it which results in decode errors instead. KBS added a new ProtocolVersion error which is now catched by the RCAR client code. The error is reported to the user if the client and server use incompatible versions. Signed-off-by: Mikko Ylinen <[email protected]>
confidential-containers · Aug 1, 2024 · 58e95d2 · 58e95d2
1 parent ebeea04
commit 58e95d2
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/attestation-agent/kbs_protocol/src/client/rcar_client.rs b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
@@ -109,16 +109,28 @@ impl KbsClient<Box<dyn EvidenceProvider>> {
 
         debug!("send auth request to {auth_endpoint}");
 
-        let challenge = self
+        let resp = self
             .http_client
             .post(auth_endpoint)
             .header("Content-Type", "application/json")
             .json(&request)
             .send()
-            .await?
-            .json::<Challenge>()
             .await?;
 
+        match resp.status() {
+            reqwest::StatusCode::UNAUTHORIZED => {
+                let error_info = resp.json::<ErrorInformation>().await?;
+                bail!(
+                    "KBS request unauthorized, ErrorInformation: {:?}",
+                    error_info
+                );
+            }
+            _ => {
+                debug!("KBS request OK");
+            }
+        }
+
+        let challenge = resp.json::<Challenge>().await?;
         debug!("get challenge: {challenge:#?}");
         let tee_pubkey = self.tee_key.export_pubkey()?;
         let runtime_data = json!({