Simpler Sync Server authentication mechanism? #1127
Replies: 2 comments 2 replies
-
I think this is very reasonable. You could pass a token currently as URL parameter but I would expect most servers are more likely to expect a token as a header. As different servers may want the token to be passed in different headers, we could instead provide a config key to send any arbitrary headers with requests (excluding a few important ones such as
-
Just wanted to say thanks for implementing #1143 @russellhancox, I tested it earlier as a way to authenticate to an Azure API Management gateway, worked perfectly!
-
My understanding of Santa communication to the Sync Server at the moment is you can leave it unauthenticated (for scenarios where it's inside your network perhaps) or use mutually authenticated TLS (client cert auth).
For born-in-the-cloud organisations or those aiming for cloud-only, setting up an always-on VPN or Certificate Authority with client cert deployment infrastructure is not really desirable and for smaller companies perhaps out of reach altogether.
So how about allowing for bearer token or API key authentication instead? A new configuration key like "bearer-token" could be added that when populated would cause the sync service to include that token in all requests to the Sync Server. An MDM can be used to push a single bearer token to all devices, or something more creative to make them unique per device, but that's up to whoever is setting up the MDM and Sync Server. This would not be as secure as mutual TLS, but for small organisations it should be more than sufficient and makes for a much easier entry point to Santa.
I think this change would be relatively easy to implement and is unlikely to break any existing Sync Servers.
Thoughts?
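A server-side counterpart to the bearer-token proposal above and to the arbitrary-header suggestion in the first reply, added here as an example and not code from Santa, the thread, or any real sync server: a Go middleware that reads the shared secret from a configurable header (the `TokenAuth`, `HeaderName` and `Prefix` names are assumptions), fails closed when no secret is configured, and compares tokens in constant time before a request reaches a sync endpoint.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"strings"
)

// TokenAuth guards sync endpoints with a shared secret that the MDM pushed to clients.
// HeaderName/Prefix are a hypothetical server-side config, not Santa's or any real server's.
type TokenAuth struct {
	HeaderName string // e.g. "Authorization", or a gateway-specific API-key header
	Prefix     string // "Bearer " for the Authorization header, "" for a bare API-key header
	Token      string // the shared secret
}

// tokenFrom returns the presented token, or "" when the header is absent or malformed.
func (a TokenAuth) tokenFrom(r *http.Request) string {
	v := r.Header.Get(a.HeaderName)
	if a.Prefix != "" && (len(v) < len(a.Prefix) || !strings.EqualFold(v[:len(a.Prefix)], a.Prefix)) {
		return "" // wrong scheme, e.g. "Basic ..." where "Bearer ..." is required
	}
	return strings.TrimSpace(v[len(a.Prefix):])
}

// Authorized fails closed on an empty configured secret and compares in constant
// time so the secret cannot be recovered byte by byte from response timing.
func (a TokenAuth) Authorized(r *http.Request) bool {
	p := a.tokenFrom(r)
	if p == "" || a.Token == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(p), []byte(a.Token)) == 1
}

func (a TokenAuth) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !a.Authorized(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
func main() { // constructed local listener; the token value is a placeholder
	auth := TokenAuth{HeaderName: "Authorization", Prefix: "Bearer ", Token: "CHANGE-ME-placeholder"}
	mux := http.NewServeMux()
	mux.HandleFunc("/preflight/", func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("{}")) })
	http.ListenAndServe("127.0.0.1:8080", auth.Middleware(mux))
}
```

Setting `Prefix` to "" and `HeaderName` to the gateway's API-key header covers the arbitrary-header case; the `Authorization` / `Bearer ` combination covers the bearer-token case.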