Connect My Computer: Derive agent label from username in main process#34302
Merged
ravicious
commented
Nov 7, 2023
```js
const labels = Object.entries({
  // TODO(ravicious): Move this to a JavaScript version of constants.go.
  'teleport.dev/connect-my-computer/owner': args.username,
```
As I wrote in the description, this is just temporary and the next commit will move this and another label to a better location. I just didn't want to spend time on thinking about it upfront since coming up with that new location wasn't needed for this particular PR.
gzdunek
approved these changes
Nov 8, 2023
avatus
approved these changes
Nov 8, 2023
@ravicious See the table below for backport results.
When Connect sets up a Connect My Computer agent, it must execute `teleport node configure` with the arg `--labels=teleport.dev/connect-my-computer/owner=<username>`. The previous version would pass the labels like this:

1. (`CreateConnectMyComputerNodeToken`).
2. (`CreateConnectMyComputerNodeTokenResponse`).
3. `teleport node configure` with the labels.

This PR makes it so that tshd returns no labels and instead the renderer passes just the username to the main process and the main process derives the agent label from that username.

The original flow was implemented so that the name of the label, `teleport.dev/connect-my-computer/owner`, is not hardcoded in the JS code and instead is taken directly from the Go code.

However, soon we'll have to hardcode a label in JS anyway. In order to implement polling for the Discover flow, I'll have to pass an extra hidden label anyway. The Go code won't even need to know about this label as it'll be shared exclusively between the Web UI and Connect. I'm going to create a `constants.go` equivalent in the JS code that's going to live in the shared package to accomplish that.

On top of that, the IPC message sent from the renderer to the main process which creates a config file accepts arbitrary labels, so it technically has a greater attack surface than an IPC message which does not implement. If an attacker compromises the renderer process, they'll be able to create nodes with arbitrary labels. The new implementation does not prevent that, you can still pass a username like `alice,foo=bar` which will result in the node also getting the `foo=bar` label. But at least the node will always have `teleport.dev/connect-my-computer/owner` set to some kind of value.

To completely get rid of the problem with that "injection" attack, we'd need to read the username from within the main process. However, currently the main process has no access to information from tshd. For the same reason, the empty state in Connect is not able to link to the Web UI.
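The label derivation and the `alice,foo=bar` case that the description discusses, as an added example; this is not code from the Teleport PR or the Connect code base. Only the label name comes from the PR. The function names, the simplified reader of the comma/equals separated `--labels` value, and the username allowlist regex are assumptions made for the illustration.

```javascript
// Added example, not Teleport/Connect code. The main process receives only the
// username (as in the PR) and derives the agent label itself. The label name is
// the one from the PR; helper names and the allowlist regex are assumptions.

const OWNER_LABEL = 'teleport.dev/connect-my-computer/owner';

// Plain derivation, mirroring what the description says the PR does: the
// username is interpolated verbatim, so a value like "alice,foo=bar" ends up
// as a second key=value pair inside --labels.
function deriveLabelsArgNaive(username) {
  const labels = Object.entries({ [OWNER_LABEL]: username });
  return '--labels=' + labels.map(([k, v]) => `${k}=${v}`).join(',');
}

// Simplified reader for the --labels value (assumed format: comma separated
// key=value pairs). It lets the test observe how many labels the node would
// actually receive from a given argument string.
function parseLabelsArg(arg) {
  const value = arg.replace(/^--labels=/, '');
  return Object.fromEntries(
    value.split(',').map((pair) => {
      const idx = pair.indexOf('=');
      return [pair.slice(0, idx), pair.slice(idx + 1)];
    }),
  );
}

// Hardened variant: refuse a username containing the list or pair separators
// (or anything outside a conservative allowlist) before it reaches the CLI.
// The allowlist is an assumption; real deployments may need a wider one.
const SAFE_USERNAME = /^[A-Za-z0-9._@-]+$/;

function deriveLabelsArgStrict(username) {
  if (typeof username !== 'string' || !SAFE_USERNAME.test(username)) {
    throw new Error(
      `refusing to derive owner label from unsafe username: ${JSON.stringify(username)}`,
    );
  }
  return deriveLabelsArgNaive(username);
}
```

Validating the username in the main process is a mitigation layer, not the full fix the description points at (reading the username inside the main process rather than trusting the renderer); it bounds what a compromised renderer can smuggle through this IPC message until that is possible.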