backport multi-host push attestation test #1065

Merged: kkaarreell merged 3 commits into rhel-10-main from ks_backport_multi_push on Apr 21, 2026

Conversation

@kkaarreell (Collaborator) commented Apr 21, 2026

Summary by Sourcery

Introduce a new multihost test for push-mode attestation and share multihost role-assignment helpers across tests.

New Features:

  • Add a multihost basic push attestation test covering verifier, registrar, agent, and optional second agent in push mode.

Enhancements:

  • Extract multihost role and IP assignment logic into a reusable helper script used by existing and new tests.
  • Extend multihost attestation test cleanup to remove generated certificate directories.

@kkaarreell kkaarreell self-assigned this Apr 21, 2026
@sourcery-ai (bot) commented Apr 21, 2026

Reviewer's Guide

Introduces a new multihost basic push attestation test that reuses shared role-assignment helpers, configures verifier/registrar/agent(s) for push-mode attestation with TLS, and ensures proper cleanup of test artifacts and certs.

File-Level Changes

Change: Refactor multihost role assignment into a reusable helper script and consume it from existing tests.
Details:
  • Remove inline assign_server_roles and get_IP implementations from the basic attestation test script.
  • Create a new multihost-roles-functions.sh helper with shared assign_server_roles and get_IP logic.
  • Update tests to source the new helper script instead of defining role-assignment functions locally.
Files: Multihost/basic-attestation/test.sh, Multihost/multihost-roles-functions.sh

Change: Add a new multihost basic push attestation test that exercises Keylime in push mode with verifier, registrar, agent, and optional second agent.
Details:
  • Implement Verifier role logic that generates TLS certificates, configures Keylime verifier for push mode, serves certs over HTTP, and synchronizes with agents and registrar.
  • Implement Registrar role logic that fetches verifier-provided certs, configures registrar TLS settings, and coordinates test execution via sync primitives.
  • Implement Agent role logic that configures tenant and Rust agent for push-mode attestation, manages TPM/IMA emulators, creates runtime policies, validates PASS/FAIL attestation flows, and supports optional Agent2 participation.
  • Implement Agent2 role logic that runs a second push-mode agent with its own UUID and policy distribution via a local HTTP server.
  • Add common setup/teardown sections that import helper libraries, assign multihost roles, handle temporary directories, and clean up Keylime data and generated certs.
Files: Multihost/basic-push-attestation/test.sh

Change: Ensure generated certificate directory is cleaned up after multihost attestation tests.
Details:
  • Add removal of the CERTDIR directory in the cleanup phase of both basic attestation and basic push attestation tests.
Files: Multihost/basic-attestation/test.sh, Multihost/basic-push-attestation/test.sh

Change: Register the new multihost push attestation test in the FMF metadata hierarchy.
Details:
  • Add a main.fmf metadata file for the basic-push-attestation test.
  • Update distribution and upstream multihost FMF plans to include the new push attestation test (diff content not fully shown but implied by new references).
Files: Multihost/basic-push-attestation/main.fmf, plans/distribution-c10s-keylime-multihost.fmf, plans/upstream-keylime-multihost.fmf

@github-advanced-security (AI) left a comment

ShellCheck found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@sourcery-ai (bot) left a comment

Hey - I've left some high level feedback:

  • The global cleanup phases in both basic-attestation and basic-push-attestation unconditionally run rm -r "$CERTDIR", but CERTDIR is only set inside role functions; add a guard or default value to avoid accidentally removing the current directory or an unintended path when CERTDIR is unset or empty.
  • In basic-push-attestation, several limeUpdateConf tenant calls for trusted_server_ca, client_cert, and client_key are duplicated, which makes the configuration harder to follow; consider consolidating these into a single set of assignments.
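A guarded cleanup of the kind the comment above asks for, as an added example that is not code from this PR or from keylime-tests. The function names are this example's own; it assumes the same CERTDIR variable the comment refers to and otherwise nothing about the test scripts.

```shell
#!/bin/sh
# Added example, not code from keylime-tests: a guarded replacement for an
# unconditional `rm -r "$CERTDIR"` in a cleanup phase. The variable name
# CERTDIR is taken from the review comment; the function names are assumed.

# safe_rm_dir PATH
#   Removes PATH recursively only when it is a non-empty absolute path that is
#   not the filesystem root and is a directory. Returns 0 when PATH was removed
#   or did not exist, 1 (removing nothing) when the guard refuses.
safe_rm_dir() {
    dir=$1
    case "$dir" in
        "")   echo "safe_rm_dir: refusing, path is unset or empty" >&2; return 1 ;;
        /|//) echo "safe_rm_dir: refusing, path is the filesystem root" >&2; return 1 ;;
        /*)   ;;   # absolute path: acceptable, fall through to the checks below
        *)    echo "safe_rm_dir: refusing, '$dir' is not an absolute path" >&2; return 1 ;;
    esac
    # A directory that was never created is not an error in a cleanup phase.
    [ -e "$dir" ] || return 0
    if [ ! -d "$dir" ]; then
        echo "safe_rm_dir: refusing, '$dir' is not a directory" >&2
        return 1
    fi
    # `--` keeps a path that happens to start with '-' from being read as an option.
    rm -r -- "$dir"
}

# cleanup_certs
#   Cleanup-phase wrapper: reads CERTDIR the way the test scripts do, but
#   through the guard, so an unset CERTDIR is reported on stderr and returns 1
#   instead of expanding to an empty argument. The POSIX one-line alternative,
#     rm -r -- "${CERTDIR:?CERTDIR is unset, refusing to clean up}"
#   aborts the whole non-interactive shell when CERTDIR is unset or empty,
#   which is why it is shown only in this comment.
cleanup_certs() {
    safe_rm_dir "${CERTDIR:-}"
}
```

Sourcing this into a cleanup phase and calling `cleanup_certs` turns the unset-variable case into a logged refusal rather than a removal of whatever the empty string resolves to. The guard only checks the shape of the path; the test still has to point CERTDIR at a directory under its own temporary area.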

@kkaarreell (Collaborator, Author) commented

test failure is expected due to https://redhat.atlassian.net/browse/RHEL-154779

@kkaarreell kkaarreell merged commit 74340b5 into rhel-10-main Apr 21, 2026
2 of 5 checks passed
@kkaarreell kkaarreell deleted the ks_backport_multi_push branch April 21, 2026 14:10