Skip to content

[LM-325] Add user attribution (<console-user>@<machine>) to bash Pack…#7

Open
Mahesh-Kete wants to merge 8 commits into
mainfrom
LM-325_Adding_user_attribution_for_bash_files
Open

[LM-325] Add user attribution (<console-user>@<machine>) to bash Pack…#7
Mahesh-Kete wants to merge 8 commits into
mainfrom
LM-325_Adding_user_attribution_for_bash_files

Conversation

@Mahesh-Kete

@Mahesh-Kete Mahesh-Kete commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

What

Adds user attribution to the bash Package Firewall MDM scripts: every package-manager
request routed through the firewall is stamped <console-user>@<machine>, so the
firewall log's User column traces to a person — without issuing per-user API keys.
Bash scripts only;

How it works

  • Contract (decoded by the backend, LM-326): Basic-auth
    username = base64( base64("userattr:" + label) + ":" + apiKeyId ), password unchanged.
    Attribution is unverified telemetry — never an authorization signal.
  • The label only exists on the developer's machine, so credentials are computed at
    install time
    : generate.sh emits a credentials_block into every generated script.
  • Env-expanding tools (npm, yarn berry, maven, poetry) read ${ENDOR_ATTR_USER} /
    secret from ~/.config/endor/env.sh. Literal tools (pip, uv, go — they can't expand
    env vars in their configs) get attributed URLs baked into their config files at install time.
  • Shared block files stay Windows-safe: bash swaps the credential references at install
    time (js.sh, maven.sh), with guards that warn if a swap no longer matches.

Hardening included

  • generate.sh rejects credential characters that would corrupt generated scripts;
    URL userinfo is percent-encoded on both halves.
  • pip: upsert_block now merges into a pre-existing [global] instead of appending a
    duplicate section (pip's configparser rejects duplicates → broken pip). Conflicting keys
    are disabled reversibly (#endor-bak# prefix), including :-delimited keys and indented
    INI continuation lines; endor-remove.sh restores the original config exactly.
    Fixes a pre-existing bug where any machine with existing pip config got a broken pip.
  • pip conflict warning retained → MDM alert (exit 1) when existing keys are overridden,
    and persistently for conflicts the merge can't absorb (e.g. index-url under [install]).
  • bun: .npmrc username reference swapped to the attributed user — bun resolves
    .npmrc auth last-write-wins, which silently dropped bun's attribution.
  • yarn 1.x offboarding: yarn rewrites ~/.yarnrc and can copy the Endor registry
    outside the managed block; endor-remove.sh now deletes exact-match copies of our
    registry line so offboardingfig behind.
  • env.sh trimmed to variables with actual runtime readers (dropped dead
    secret-embedding exports).

Testing

  • Staging E2E, all 10 tools yarn 2+, bun, pip, uv, poetry,
    go, maven): allowed installs succeed via the firewall, malware-flagged test packages are
    Blocked, and every log rr>@`.
  • Offboarding round-trip: endor-remove.sh restores a pre-existing pip.conf
    byte-for-byte, re-enabling the keys it disabled.
Screenshot 2026-07-06 at 9 54 51 AM

@Mahesh-Kete Mahesh-Kete closed this Jul 3, 2026
@Mahesh-Kete Mahesh-Kete reopened this Jul 3, 2026
@Mahesh-Kete Mahesh-Kete force-pushed the LM-325_Adding_user_attribution_for_bash_files branch from e69e5be to 91c6588 Compare July 6, 2026 03:53
@Mahesh-Kete Mahesh-Kete requested a review from shrey-endor July 6, 2026 04:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant