Skip to content

Implement OTP/AgentAuthentication in the Island #3078

New issue
New issue
Closed
Closed
Implement OTP/AgentAuthentication in the Island#3078
Assignees
cakekoa
Labels
Complexity: MediumImpact: HighSecurity
Milestone
v2.1.0
@mssalvatore

Description

@mssalvatore
mssalvatore
opened on Mar 9, 2023

Description

Tasks

  • Investigate the OTP generation methods used and improve OTP infrastructure (0d) @cakekoa:
    • Remove unused endpoints
    • Make sure the secrets are properly generated
      • Use our secure_generate_random_string() utility, with at least the 62 alphanumeric, preferably with known command-line safe chars as well
      • 32 characters
    • Define a reasonable timeout
      • 2 minutes
    • Rate limit token fetching API (preferably we just generate very large (32 bytes or larger) OTPs)
      • Still want to do this, to prevent DOS. Can we do this on a per-user level? Look at Flask's offerings
    • Prevent OTP reuse: Make sure used OTPs cannot be reused
  • Implement the endpoint for authenticated agents to fetch an OTP. (0d) - @shreyamalviya
  • Implement the endpoint where the agent could submit the OTP to get an authentication token. (0d) - @shreyamalviya
    • Create agent user/role
    • Invalid token if it has been used.
  • Secure relevant endpoints for the agent user roles. All endpoints should require authentication by the island user and/or the agent user, except login and registration. (0d) - @shreyamalviya
  • Make sure tokens/session are cleaned up properly on timeout or on agent shutdown. (0d) @cakekoa
    • Delete agent users
    • Delete any agent users that do not exist in the agent repository (watch out for race conditions)
  • Change the manual run UI to generate commands with OTP's. (0.5d) @cakekoa
    • (optional) Add a BB test for manual runs
    • Make OTP all * @ilija-lazoroski
    • Add a refresh button to refresh the OTP
    • Refresh automatically every time the "copy to clipboard" button is pushed
    • Refresh automatically on ctrl-c
    • Display a countdown @cakekoa
      • Better display?
  • Change the "Run from island" button to generate and execute an OTP (0d) @cakekoa
  • Update documentation for the manual run page (0d) - @shreyamalviya
  • Make sure we're using the OTP objects everywhere and not strings. @mssalvatore
  • Make the Token type a SecretStr and move it to common (use in the Agent as well) (0.25d) @cakekoa
  • Agent logs out after cleanup (0d) @cakekoa
  • Invalidate all OTPs on startup. @cakekoa
  • Rate limit the login endpoint (3/second should be plenty for an interactive login, yeah?) @mssalvatore
    • Add BB test Not worth the struggle ATM.
  • Fix agent otp rate limiting key (user, not ip) @cakekoa
  • Remove the AGENT_OTP_FLAG feature flag (agent)

Metadata

Metadata

Assignees

Labels

Complexity: MediumImpact: HighSecurity

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions