mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 17:05:18 +00:00
3.8 KiB
3.8 KiB
Token Rotation for Fleet Desktop
This file is based on the original proposal described at #6348 modified based on a few lessons we learned and the new communication channel between Orbit and the Fleet server introduced in https://github.com/fleetdm/fleet/issues/6851
Compatibility
Fleet Desktop < v1.0.0 | Fleet Destkop >= v1.0.0 | |
---|---|---|
Server < 4.21 | OK/Rotation disabled | OK/Rotation disabled |
Server >= 4.21 | Fleet Destkop breaks after 1 hour | OK/Rotation enabled |
Fleet Server
- Add a new endpoint
POST /orbit/<orbit_node_key>/device_token
to create/update device tokens- Add
created_at
andupdated_at
columns to thehost_device_auth
table. - Do
INSERT ON DUPLICATE KEY token=token
and notupdate updated_at
if the token didn't change.
- Add
- Condsider a token expired if
now - updated_at > 1h
, APIs will return the usual authentication error when a token is expired. - The server doesn't need to make the
orbit_info
in the "extra detail queries" set anymore.
Orbit
-
When Orbit starts
- If we have a token, load and verify its validity by making a request to the Fleet Server
- If we don't have a token or if the token is invalid, rotate the token
-
Orbit will have two tickers running:
- Ticker I: runs every 5 minutes and verifies that the current token is still valid by making a request to the Fleet Server. This is to guard against the server invalidating the token (eg: DB restored from back-up, token
updated_at
manually changed, clocks out of sync etc.) If the token is invalid, it starts a rotation. - Ticker II: runs every 30 seconds and verifies the
mtime
of the identifier file, ifnow - mtime > 1h
starts a rotation. A short interval (could be even shorter) is needed in case the computer was shut-down or went to sleep.
- Ticker I: runs every 5 minutes and verifies that the current token is still valid by making a request to the Fleet Server. This is to guard against the server invalidating the token (eg: DB restored from back-up, token
Token Rotation
To rotate a token, Orbit will generate a valid UUID and:
- Write the value to the
identifier
file, we do this first to signal to Fleet Desktop that a rotation is happening and we can ensure it never operates on an invalid token during the exchange. - Do a
POST /orbit/<orbit_node_key>/device_token
with the new token value, retry three times in case of failure.
Compatibility
- Keep returning
device_auth_token
in theorbit_info
table, we might want to do this forever anyway to support live queries. - When Orbit starts, check if the server supports creating tokens via the API, if it doesn't:
- Don't do any kind of check or rotation
- Start a goroutine using
oklog.Group
to ping the server every 10 minutes and see if it supports token rotation. If it does, return from the group actor, which will make Orbit restart.
- Orbit will keep sending the
FLEET_DESKTOP_DEVICE_URL
variable to accomodate old Fleet Destkop versions.
Fleet Desktop
- Fleet Desktop will receive the path to the identifier file as an environment variable.
- As soon as Flet Desktop starts, it reads the identifier file and caches the
mtime
value in memory. - Fleet Desktop will have a ticker running every ~5 seconds to check for the
mtime
of the identifier file, if the value differs from the one stored in memory:- Disable all tray items and show "Connecting..."
- Initialize a ticker to check for the validity of the token, enable the tray items again once we have a valid token.
Misc
- As soon as any request fails, disable the tray items and show "Connecting..."
Release order
After things have been tested on unstable channels and Dogfood, it's important to release in the following order:
- Orbit to the stable channel
- Fleet Desktop to the stable channel
- Fleet Server