[LM-325] Add user attribution (<console-user>@<machine>) to bash Pack…#7
Open
Mahesh-Kete wants to merge 8 commits into
Open
[LM-325] Add user attribution (<console-user>@<machine>) to bash Pack…#7Mahesh-Kete wants to merge 8 commits into
Mahesh-Kete wants to merge 8 commits into
Conversation
…age Firewall MDM scripts
… auth last-write-wins
…al] merge, restore pip conflict alert, guard attribution swaps, drop dead env exports
e69e5be to
91c6588
Compare
…e the managed block
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds user attribution to the bash Package Firewall MDM scripts: every package-manager
request routed through the firewall is stamped
<console-user>@<machine>, so thefirewall log's User column traces to a person — without issuing per-user API keys.
Bash scripts only;
How it works
username = base64( base64("userattr:" + label) + ":" + apiKeyId ), password unchanged.Attribution is unverified telemetry — never an authorization signal.
install time:
generate.shemits acredentials_blockinto every generated script.${ENDOR_ATTR_USER}/secret from
~/.config/endor/env.sh. Literal tools (pip, uv, go — they can't expandenv vars in their configs) get attributed URLs baked into their config files at install time.
time (
js.sh,maven.sh), with guards that warn if a swap no longer matches.Hardening included
generate.shrejects credential characters that would corrupt generated scripts;URL userinfo is percent-encoded on both halves.
upsert_blocknow merges into a pre-existing[global]instead of appending aduplicate section (pip's configparser rejects duplicates → broken pip). Conflicting keys
are disabled reversibly (
#endor-bak#prefix), including:-delimited keys and indentedINI continuation lines;
endor-remove.shrestores the original config exactly.Fixes a pre-existing bug where any machine with existing pip config got a broken pip.
and persistently for conflicts the merge can't absorb (e.g.
index-urlunder[install])..npmrcusernamereference swapped to the attributed user — bun resolves.npmrcauth last-write-wins, which silently dropped bun's attribution.~/.yarnrcand can copy the Endor registryoutside the managed block;
endor-remove.shnow deletes exact-match copies of ourregistry line so offboardingfig behind.
env.shtrimmed to variables with actual runtime readers (dropped deadsecret-embedding exports).
Testing
go, maven): allowed installs succeed via the firewall, malware-flagged test packages are
Blocked, and every log rr>@`.
endor-remove.shrestores a pre-existing pip.confbyte-for-byte, re-enabling the keys it disabled.