[LM-325] Add user attribution to PowerShell MDM scripts (Windows follow-up to #7)#9
Draft
Mahesh-Kete wants to merge 1 commit into
Conversation
…R directly, drop swap shims and dead profile-block helpers
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds user attribution to the Windows / PowerShell Package Firewall MDM scripts —
the follow-up to #7 (bash). Every package-manager request is stamped
<console-user>@<machine>so the firewall log's User column traces to a person,without per-user API keys.
Stacked on #7 (base branch =
LM-325_Adding_user_attribution_for_bash_files);merge #7 first.
How it works (mirrors the bash design)
templates/envvars.ps1: theattributed username (
Get-EndorAttrUsername, byte-identical output to bash'sendor_attr_username— verified) plus derived auth values are written toHKCU:\Environment, where every new process inherits them.${ENDOR_ATTR_USER}/secret from HKCU. Literal tools (pip, uv, go) get attributed URLs baked into
pip.ini/uv.toml/ go env at install time.ENDOR_ATTR_USER, the shared blocks reference theattributed variable directly (
npmrc.txt,yarnrc.txt,mavensettings.txt) —the bash-side install-time swap shims from [LM-325] Add user attribution (<console-user>@<machine>) to bash Pack… #7 are deleted on both platforms.
Hardening ported from #7
[global]merge inInvoke-UpsertBlock(duplicate-section fix), incl.:delimiters, INI continuation lines, CRLF tolerance, content-derived key list;
Invoke-RemoveBlockrestores#endor-bak#-disabled keys.Test-KeyConflict.endor-remove.ps1also removesENDOR_ATTR_USER, legacyENDOR_PYPI_URL/ENDOR_GO_PROXY_URL, and yarn-copied registry lines.Windows-specific fixes
Write-EndorFile(BOM-less). WindowsPowerShell 5.1's
-Encoding UTF8writes a BOM that makes pip silently ignorepip.ini(empirically confirmed in earlier testing).uv.tomlpreviously shipped with a raw{{ENDOR_PYPI_URL}}token (never substituted by
generate.ps1on main); now filled at install time.powershell/templates/blocks/(4 stale duplicates ofshared/blocks) and the unusedSet-ProfileEnvBlock/Remove-ProfileEnvBlockhelpers (relics of the abandoned
$PROFILEapproach).Testing
allowed installs route through the firewall, malware test packages are Blocked,
and every log row shows
User = shrey@pkg-firewall-wi(previously N/A on Windows).pip config listparsespip.inicleanly (BOM fix confirmed on-box).usernames for the same label + key.
same case matrix as the bash suite — plus 27 generation tests: syntax parse of all
six outputs, unresolved-token audit, hostile-secret rejection, fills/footer/remove
content verification).
macOS in [LM-325] Add user attribution (<console-user>@<machine>) to bash Pack… #7; the Windows mechanism they depend on (HKCU expansion in
.npmrc)is covered by the npm run.