PSSO migrations for final schema shape#47431
Conversation
Codecov Report
❌ Patch coverage is
Additional details and impacted files

@@ Coverage Diff @@
##             feature/fleet-macos-password-sync    #47431      +/-   ##
=====================================================================
+ Coverage       67.00%     67.04%    +0.03%
=====================================================================
  Files            3284       3284
  Lines          228924     228904       -20
  Branches        11709      11709
=====================================================================
+ Hits           153382     153459       +77
+ Misses          61675      61572      -103
- Partials        13867      13873        +6
| // the previously-established session key, validates it against the | ||
| // upstream IdP via the wired PSSOIdPClient, and returns the resulting | ||
| // claims as a JWT-inside-JWE. | ||
| func (svc *Service) handlePSSOPasswordRequest(ctx context.Context, device *fleet.PSSODevice, claims *pssoTokenClaims) ([]byte, error) { |
This is all unused PSSO v1 code being removed (we are only supporting v2).
| if err != nil { | ||
| return nil, ctxerr.Wrap(ctx, err, "parse apv encryption key") | ||
| } | ||
| hostKeys, err := svc.ds.ListPSSOKeys(ctx, hostUUID) |
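Review bot: listing every key for the host and trying each is a reasonable safety net, but make sure it stays a fallback after the kid lookup rather than the primary path, and that taking it is logged; a token whose kid matches none of the stored keys is exactly the miscalculation the comment below worries about, and quietly succeeding on another key would hide it instead of surfacing it.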
I'm not sure this is strictly needed, but it feels worthwhile just in case we've missed something in our KID calculations.
| pssoNonceStore fleet.PSSONonceStore | ||
| // pssoIdPClient validates passwords for the PSSO password_request flow. | ||
| // pssoIdPClient validates passwords for the PSSO password login flow. |
Renamed because password_request was PSSO v1 and password login is v2.
| // SetOrUpdatePSSODevice upserts a host's PSSO registration: the device row | ||
| // plus the given key rows in a single transaction. Keys are upserted by kid; | ||
| // keys from earlier registrations are left in place so they keep working. | ||
| func (ds *Datastore) SetOrUpdatePSSODevice(ctx context.Context, hostUUID string, keys []fleet.PSSOKey) error { |
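Review bot: the doc comment says keys from earlier registrations are left in place so they keep working, but not when they are ever removed; since the only cleanup mentioned is on ADE re-enroll, state that in the comment (for example "old keys are only dropped on ADE re-enrollment") so a reader does not assume a new registration revokes the previous key, and note whether the per-host key set growing without bound between re-enrolls is acceptable.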
The reason for leaving old keys behind is to allow for rotation. We do clear keys on ADE re-enroll. The Apple docs make it seem like rotation should be supported, but it's not entirely clear when that happens vs. just a total reset/reregistration.
Related issue: Resolves #47105
Also fixes a small clock skew bug I found while testing. My Mac was 1 second ahead of my server, and that caused JWT verification to fail and need to be retried. Added a 1 second allowance on it.
Going into the feature branch, so some test failures are expected/fine and will be fixed on the feature branch in follow-up PRs.
Checklist for submitter
No changes file but the overall feature will add one
If some of the following don't apply, delete the relevant line.
SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
Testing
Added/updated automated tests
Where appropriate, automated tests simulate multiple hosts and test for host isolation (updates to one host's records do not affect another)
QA'd all new/changed functionality manually
Database migrations
COLLATE utf8mb4_unicode_ci).
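The clock-skew allowance mentioned in the PR description, as an added example and not Fleet's own code: a JWT time-claim check with a symmetric 1-second leeway, showing that a token minted by a device clock 1 second ahead of the server fails with no leeway and passes with it. The names TimeClaims, ValidateTimeClaims and Leeway are assumed for this example, and whether Fleet applies the allowance to exp as well as iat is not stated on the page.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Leeway mirrors the 1-second allowance described in the PR: a device clock
// slightly ahead of the server must not make a freshly issued token fail.
const Leeway = time.Second
// TimeClaims holds the registered JWT time claims (RFC 7519 iat/nbf/exp)
// as Unix seconds; zero means the claim is absent.
type TimeClaims struct {
	IssuedAt  int64
	NotBefore int64
	ExpiresAt int64
}

var (
	ErrIssuedInFuture = errors.New("jwt: issued in the future")
	ErrNotYetValid    = errors.New("jwt: not yet valid")
	ErrExpired        = errors.New("jwt: expired")
)

// ValidateTimeClaims checks iat, nbf and exp against now, tolerating up to
// leeway of clock skew either way: iat/nbf may sit up to leeway in the future
// and a token is accepted until exp+leeway. (Hypothetical helper, not Fleet's.)
func ValidateTimeClaims(c TimeClaims, now time.Time, leeway time.Duration) error {
	latest := now.Add(leeway) // the furthest-ahead instant we are willing to believe
	if c.IssuedAt != 0 && time.Unix(c.IssuedAt, 0).After(latest) {
		return ErrIssuedInFuture
	}
	if c.NotBefore != 0 && time.Unix(c.NotBefore, 0).After(latest) {
		return ErrNotYetValid
	}
	if c.ExpiresAt != 0 && !now.Before(time.Unix(c.ExpiresAt, 0).Add(leeway)) {
		return ErrExpired
	}
	return nil
}

func main() {
	server := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC)
	device := server.Add(time.Second) // constructed: device clock is 1s ahead
	c := TimeClaims{IssuedAt: device.Unix(), NotBefore: device.Unix(), ExpiresAt: device.Add(time.Minute).Unix()}
	fmt.Println("no leeway:", ValidateTimeClaims(c, server, 0))      // jwt: issued in the future
	fmt.Println("1s leeway:", ValidateTimeClaims(c, server, Leeway)) // <nil>
}
```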