Fix agent handling of 403 registration responses

sarroutbi · claude · sarroutbi · commit d6380609f350 · 2025-12-02T12:40:15.000+01:00
The agent was incorrectly interpreting 403 Forbidden responses from the registrar as API version incompatibility errors. This caused two problems: 1. The agent would try all enabled API versions, even though 403 indicates a permanent security rejection (e.g., TPM identity mismatch during re-registration) 2. The agent would continue running after registration failure, making it appear operational when it was not properly registered This issue became apparent with the Python keylime registrar security fix for CVE-2025-13609 (duplicate UUID vulnerability), which returns 403 Forbidden when an agent attempts to re-register with a different TPM identity. The agent will now correctly fail fast when the registrar rejects registration for security reasons. Related: keylime/keylime#1820 (Python registrar UUID spoofing fix) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
@@ -623,10 +623,24 @@ async fn main() -> Result<()> {
         ak_handle,
         retry_config: None,
     };
+    use keylime::error::Error;
+    use keylime::registrar_client::RegistrarClientError;
+
     match keylime::agent_registration::register_agent(aa, &mut ctx).await {
         Ok(()) => (),
+        Err(Error::RegistrarClient(
+            RegistrarClientError::RegistrationForbidden { message },
+        )) => {
+            error!("Failed to register agent: Registration forbidden - {message}");
+            error!("This indicates a security rejection (403 Forbidden), likely due to TPM identity mismatch or UUID spoofing attempt.");
+            error!("The existing agent record must be deleted before re-registering with a different TPM.");
+            return Err(Error::RegistrarClient(
+                RegistrarClientError::RegistrationForbidden { message },
+            ));
+        }
         Err(e) => {
             error!("Failed to register agent: {e:?}");
+            error!("Registration failed with a non-security error. The agent will continue but may have degraded functionality.");
         }
     }
 
diff --git a/keylime/src/registrar_client.rs b/keylime/src/registrar_client.rs
@@ -245,6 +245,10 @@ pub enum RegistrarClientError {
     #[error("Failed to register agent: received {code} from {addr}")]
     Registration { addr: String, code: u16 },
 
+    /// Registration forbidden - TPM identity mismatch or security rejection
+    #[error("Registration forbidden: {message}. This may indicate a TPM identity change or UUID spoofing attempt. The existing agent record must be deleted before re-registering with a different TPM.")]
+    RegistrationForbidden { message: String },
+
     /// Reqwest error
     #[error("Reqwest error: {0}")]
     Reqwest(#[from] reqwest::Error),
@@ -387,6 +391,16 @@ impl RegistrarClient {
         };
 
         if !resp.status().is_success() {
+            // Check if this is a 403 Forbidden - indicates security rejection
+            if resp.status() == StatusCode::FORBIDDEN {
+                let error_message = resp
+                    .text()
+                    .await
+                    .unwrap_or_else(|_| "Unknown error".to_string());
+                return Err(RegistrarClientError::RegistrationForbidden {
+                    message: error_message,
+                });
+            }
             return Err(RegistrarClientError::Registration {
                 addr,
                 code: resp.status().as_u16(),
@@ -438,6 +452,15 @@ impl RegistrarClient {
                 info!("Trying to register agent using API version {api_version}");
                 let r = self.try_register_agent(ai, api_version).await;
 
+                // Check if this is a security rejection (403 Forbidden)
+                // If so, return immediately - don't try other API versions
+                if let Err(RegistrarClientError::RegistrationForbidden {
+                    ..
+                }) = r
+                {
+                    return r;
+                }
+
                 // If successful, cache the API version for future requests
                 if r.is_ok() {
                     self.api_version = api_version.to_string();
@@ -458,6 +481,17 @@ impl RegistrarClient {
                         let r =
                             self.try_register_agent(ai, api_version).await;
 
+                        // Check if this is a security rejection (403 Forbidden)
+                        // If so, return immediately - don't try other API versions
+                        if let Err(
+                            RegistrarClientError::RegistrationForbidden {
+                                ..
+                            },
+                        ) = r
+                        {
+                            return r;
+                        }
+
                         // If successful, cache the API version for future requests
                         if r.is_ok() {
                             self.api_version = api_version.to_string();
