Apply CanReAttest filter and mask on agents listing

Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
spiffe · MarcosDY · Mar 9, 2023 · Feb 16, 2023 · Feb 16, 2023 · Feb 17, 2023
commit 4cdd21d743d81d69a40cdd0b6cdcfa66cad8b3ef
@@ -16,6 +16,7 @@ func TestAllTrueMasks(t *testing.T) {
 		X509SvidExpiresAt:    true,
 		Selectors:            true,
 		Banned:               true,
+		CanReAttest:          true,
 	}, protoutil.AllTrueAgentMask)
 
 	spiretest.AssertProtoEqual(t, &types.BundleMask{

@@ -160,6 +160,9 @@ const (
 	// ByBanned tags filtering by banned agents
 	ByBanned = "by_banned"
 
+	// ByCanReAttest tags filtering by agents that can re-attest
+	ByCanReAttest = "by_can_re_attest"
+
 	// BySelectorMatch tags Match used when filtering by Selectors
 	BySelectorMatch = "by_selector_match"
 

@@ -24,6 +24,7 @@ func ProtoFromAttestedNode(n *common.AttestedNode) (*types.Agent, error) {
 		X509SvidExpiresAt:    n.CertNotAfter,
 		X509SvidSerialNumber: n.CertSerialNumber,
 		Banned:               n.CertSerialNumber == "",
+		CanReAttest:          n.CanReattest,
 		Selectors:            ProtoFromSelectors(n.Selectors),
 	}, nil
 }
@@ -100,9 +100,14 @@ func (s *Service) ListAgents(ctx context.Context, req *agentv1.ListAgentsRequest
 		if filter.ByBanned != nil {
 			byBanned = &filter.ByBanned.Value
 		}
+		var byCanReAttest *bool
+		if filter.ByCanReAttest != nil {
+			byCanReAttest = &filter.ByCanReAttest.Value
+		}
 
 		listReq.ByAttestationType = filter.ByAttestationType
 		listReq.ByBanned = byBanned
+		listReq.ByCanReAttest = byCanReAttest
 
 		if filter.BySelectorMatch != nil {
 			selectors, err := api.SelectorsFromProto(filter.BySelectorMatch.Selectors)
@@ -635,6 +640,10 @@ func applyMask(a *types.Agent, mask *types.AgentMask) {
 	if !mask.Banned {
 		a.Banned = false
 	}
+
+	if !mask.CanReAttest {
+		a.CanReAttest = false
+	}
 }
 
 func validateAttestAgentParams(params *agentv1.AttestAgentRequest_Params) error {
@@ -684,6 +693,10 @@ func fieldsFromFilterRequest(filter *agentv1.ListAgentsRequest_Filter) logrus.Fi
 		fields[telemetry.ByBanned] = filter.ByBanned.Value
 	}
 
+	if filter.ByCanReAttest != nil {
+		fields[telemetry.ByCanReAttest] = filter.ByCanReAttest.Value
+	}
+
 	if filter.BySelectorMatch != nil {
 		fields[telemetry.BySelectorMatch] = filter.BySelectorMatch.Match.String()
 		fields[telemetry.BySelectors] = api.SelectorFieldFromProto(filter.BySelectorMatch.Selectors)

@@ -265,6 +265,7 @@ func TestListAgents(t *testing.T) {
 		CertNotAfter:        notAfter,
 		NewCertNotAfter:     newNoAfter,
 		NewCertSerialNumber: "new badcafe",
+		CanReattest:         false,
 		Selectors: []*common.Selector{
 			{Type: "a", Value: "1"},
 			{Type: "b", Value: "2"},
@@ -283,6 +284,7 @@ func TestListAgents(t *testing.T) {
 		CertNotAfter:        notAfter,
 		NewCertNotAfter:     newNoAfter,
 		NewCertSerialNumber: "new deadbeef",
+		CanReattest:         false,
 		Selectors: []*common.Selector{
 			{Type: "a", Value: "1"},
 			{Type: "c", Value: "3"},
@@ -301,6 +303,7 @@ func TestListAgents(t *testing.T) {
 		CertNotAfter:        notAfter,
 		NewCertNotAfter:     newNoAfter,
 		NewCertSerialNumber: "",
+		CanReattest:         true,
 	}
 	_, err = test.ds.CreateAttestedNode(ctx, node3)
 	require.NoError(t, err)
@@ -347,6 +350,7 @@ func TestListAgents(t *testing.T) {
 						Id:                   api.ProtoFromID(node1ID),
 						AttestationType:      "t1",
 						Banned:               false,
+						CanReAttest:          false,
 						X509SvidExpiresAt:    notAfter,
 						X509SvidSerialNumber: "badcafe",
 						Selectors: []*types.Selector{
@@ -358,6 +362,7 @@ func TestListAgents(t *testing.T) {
 						Id:                   api.ProtoFromID(node2ID),
 						AttestationType:      "t2",
 						Banned:               false,
+						CanReAttest:          false,
 						X509SvidExpiresAt:    notAfter,
 						X509SvidSerialNumber: "deadbeef",
 						Selectors: []*types.Selector{
@@ -369,6 +374,7 @@ func TestListAgents(t *testing.T) {
 						Id:                   api.ProtoFromID(node3ID),
 						AttestationType:      "t3",
 						Banned:               true,
+						CanReAttest:          true,
 						X509SvidExpiresAt:    notAfter,
 						X509SvidSerialNumber: "",
 					},
@@ -484,6 +490,57 @@ func TestListAgents(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "by can re-attest true",
+			req: &agentv1.ListAgentsRequest{
+				OutputMask: &types.AgentMask{},
+				Filter: &agentv1.ListAgentsRequest_Filter{
+					ByCanReAttest: &wrapperspb.BoolValue{Value: true},
+				},
+			},
+			expectResp: &agentv1.ListAgentsResponse{
+				Agents: []*types.Agent{
+					{Id: api.ProtoFromID(node3ID)},
+				},
+			},
+			expectLogs: []spiretest.LogEntry{
+				{
+					Level:   logrus.InfoLevel,
+					Message: "API accessed",
+					Data: logrus.Fields{
+						telemetry.Status:        "success",
+						telemetry.Type:          "audit",
+						telemetry.ByCanReAttest: "true",
+					},
+				},
+			},
+		},
+		{
+			name: "by can re-attest false",
+			req: &agentv1.ListAgentsRequest{
+				OutputMask: &types.AgentMask{},
+				Filter: &agentv1.ListAgentsRequest_Filter{
+					ByCanReAttest: &wrapperspb.BoolValue{Value: false},
+				},
+			},
+			expectResp: &agentv1.ListAgentsResponse{
+				Agents: []*types.Agent{
+					{Id: api.ProtoFromID(node1ID)},
+					{Id: api.ProtoFromID(node2ID)},
+				},
+			},
+			expectLogs: []spiretest.LogEntry{
+				{
+					Level:   logrus.InfoLevel,
+					Message: "API accessed",
+					Data: logrus.Fields{
+						telemetry.Status:        "success",
+						telemetry.Type:          "audit",
+						telemetry.ByCanReAttest: "false",
+					},
+				},
+			},
+		},
 		{
 			name: "by selectors",
 			req: &agentv1.ListAgentsRequest{

diff --git a/pkg/server/datastore/datastore.go b/pkg/server/datastore/datastore.go
@@ -135,7 +135,7 @@ type ListAttestedNodesRequest struct {
 	BySelectorMatch   *BySelectors
 	FetchSelectors    bool
 	Pagination        *Pagination
-	ByCanReattest     *bool
+	ByCanReAttest     *bool
 }
 
 type ListAttestedNodesResponse struct {

diff --git a/pkg/server/datastore/sqlstore/sqlstore.go b/pkg/server/datastore/sqlstore/sqlstore.go
@@ -1283,9 +1283,9 @@ func buildListAttestedNodesQueryCTE(req *datastore.ListAttestedNodesRequest, dbT
 		}
 	}
 
-	// Filter by CanReattest. This is similar to ByBanned
-	if req.ByCanReattest != nil {
-		if *req.ByCanReattest {
+	// Filter by CanReAttest. This is similar to ByBanned
+	if req.ByCanReAttest != nil {
+		if *req.ByCanReAttest {
 			builder.WriteString("\t\tAND can_reattest = true\n")
 		} else {
 			builder.WriteString("\t\tAND can_reattest = false\n")
@@ -1511,8 +1511,8 @@ FROM attested_node_entries N
 		}
 
 		// Filter by CanReattest. This is similar to ByBanned
-		if req.ByCanReattest != nil {
-			if *req.ByCanReattest {
+		if req.ByCanReAttest != nil {
+			if *req.ByCanReAttest {
 				builder.WriteString("\t\tAND can_reattest = true\n")
 			} else {
 				builder.WriteString("\t\tAND can_reattest = false\n")

diff --git a/pkg/server/datastore/sqlstore/sqlstore_test.go b/pkg/server/datastore/sqlstore/sqlstore_test.go
@@ -902,7 +902,7 @@ func (s *PluginSuite) TestListAttestedNodes() {
 						ByAttestationType: tt.byAttestationType,
 						BySelectorMatch:   tt.bySelectors,
 						ByBanned:          tt.byBanned,
-						ByCanReattest:     tt.byCanReattest,
+						ByCanReAttest:     tt.byCanReattest,
 						FetchSelectors:    withSelectors,
 					}