kbs_protocol: handle ProtocolVersion error

The RCAR client code currently ignores any errors for "request". Such errors can still happen, e.g., when 'version' field is rejected by KBS. Without catching errors we try to decode the Challenge json body but it actually contains the error information in it which results in decode errors instead. KBS added a new ProtocolVersion error which is now catched by the RCAR client code. The error is reported to the user if the client and server use incompatible versions. Signed-off-by: Mikko Ylinen <[email protected]>
confidential-containers · Jul 31, 2024 · d316de2 · d316de2
1 parent 35e2f6a
commit d316de2
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/attestation-agent/kbs_protocol/src/client/rcar_client.rs b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
@@ -109,16 +109,25 @@ impl KbsClient<Box<dyn EvidenceProvider>> {
 
         debug!("send auth request to {auth_endpoint}");
 
-        let challenge = self
+        let resp = self
             .http_client
             .post(auth_endpoint)
             .header("Content-Type", "application/json")
             .json(&request)
             .send()
-            .await?
-            .json::<Challenge>()
             .await?;
 
+        match resp.status() {
+            reqwest::StatusCode::UNAUTHORIZED => {
+                let error_info = resp.json::<ErrorInformation>().await?;
+                bail!("KBS request unauthorized, ErrorInformation: {:?}", error_info);
+            }
+            _ => {
+                debug!("KBS request OK");
+            }
+        }
+
+        let challenge = resp.json::<Challenge>().await?;
         debug!("get challenge: {challenge:#?}");
         let tee_pubkey = self.tee_key.export_pubkey()?;
         let runtime_data = json!({