
LM 325 mdm script support for user attribution #6

Open
Mahesh-Kete wants to merge 3 commits into main from LM-325_mdm_script_support_for_user_attribution

Conversation

Mahesh-Kete (Contributor) commented Jun 30, 2026

LM-325: MDM script support for user attribution in Package Firewall

What & why

Adds user attribution to the Package Firewall MDM scripts so every package-install
request is traceable to the individual developer/machine that triggered it — without
issuing per-user API keys. The org keeps using its single shared API key; the only
change is that the generated scripts now bake a per-machine identity into the Basic-auth
username, which the firewall decodes and stamps onto the log as User.

Closes LM-325 (epic LM-304 / initiative PC-455). Backend decode landed in LM-326.

How it works

The generated scripts compute the attributed username at install time on the
developer's machine (where MDM runs them):

username = base64( base64("userattr:" + "console-user@machine") + ":" + apiKeyId)
password = apiSecret # unchanged

The firewall's decodeAttributedUsername() unwraps the label, authenticates with the
real API key (so auth is unchanged and fully backward-compatible — a plain username
passes through untouched), and records the label on the firewall log.

  • Sentinel: userattr: (matches auth.go on main).
  • Label: <console-user>@<machine>
  • Unverified telemetry only — the label is client-supplied and must never be used as
    an authz signal.

What changed

  • New install-time credential block: bash/templates/attribution.sh /
    powershell/templates/envvars.ps1 compute the attributed username + derived
    credentials (ENDOR_ATTR_USER, ENDOR_AUTH_B64, ENDOR_PYPI_URL, ENDOR_GO_PROXY_URL).
  • Encoding helpers added to lib/common.sh / lib/common.ps1
    (endor_attr_username, endor_urlenc_b64, endor_host_label, and PS equivalents).
  • Credentials moved from generation-time to install-time — the per-machine label
    only exists on the dev machine, so credentials can no longer be precomputed.
  • All ecosystems wired — npm/pnpm/yarn/bun, pip/uv/poetry, Go, Maven (env-ref tools
    read ${ENDOR_*}; pip/uv/go bake the literal value since they can't expand env vars).
  • Localhost testing support — npm strict-ssl=false auto-added for a localhost FQDN.

Testing

Verified end-to-end against a local endorfactory (localhost:8086, namespace parent)
across all four ecosystems. Same blocked packages, baseline vs. attribution:

  Ecosystem | Package                          | User (main) | User (this PR)
  ----------|----------------------------------|-------------|-------------------
  npm       | is-odd@3.0.1                     | -           | mrkete@C02N3JXH76
  pypi      | tinytag==1.10.1                  | -           | mrkete@C02N3JXH76
  Go        | github.com/google/uuid@v1.3.1    | -           | mrkete@C02N3JXH76
  Maven     | junit:junit:4.13.2               | -           | mrkete@C02N3JXH76

Without user attribution (baseline / main): [screenshots]

With user attribution (this PR): [screenshot]

For PowerShell on Windows (with and without attribution in the same image; tested in
the staging env demo-environment.test-user-attribution): [screenshot]

Notes / follow-ups

  • PowerShell side is implemented symmetrically but not yet smoke-tested on Windows.

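The encode/decode scheme described in the PR above, worked through end to end as an added example. This is not the project's code: the sentinel (userattr:), the label shape (console-user@machine) and the nested-base64 username layout are taken from the description, while the function names (EncodeAttributedUsername, UnwrapAttributedUsername, BasicAuthValue, ParseBasicAuth), the plain-username fallback rules and the label sanitisation are assumptions of this example. The sanitiser is the caveat a reviewer would want given that the label is client-supplied: anything that ends up as the User field of a firewall log should be length-capped and stripped of control characters before it is written, so a developer cannot inject newlines or terminal escapes into the log.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// attrSentinel is the marker from the PR description; it tells the firewall
// that the username carries an attribution label rather than a bare key id.
const attrSentinel = "userattr:"

// EncodeAttributedUsername mirrors what the generated install script computes
// on the developer's machine:
//   base64( base64("userattr:" + "<console-user>@<machine>") + ":" + apiKeyID )
func EncodeAttributedUsername(consoleUser, machine, apiKeyID string) string {
	label := consoleUser + "@" + machine
	inner := base64.StdEncoding.EncodeToString([]byte(attrSentinel + label))
	return base64.StdEncoding.EncodeToString([]byte(inner + ":" + apiKeyID))
}

// BasicAuthValue is the value the scripts would store as ENDOR_AUTH_B64
// (assumed here to be standard HTTP Basic encoding of username:password).
func BasicAuthValue(username, password string) string {
	return base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
}

// ParseBasicAuth splits an Authorization header value back into username and
// password. The attributed username is base64 and so contains no ':', which is
// why cutting at the first colon is safe.
func ParseBasicAuth(headerValue string) (user, pass string, ok bool) {
	const prefix = "Basic "
	if !strings.HasPrefix(headerValue, prefix) {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(headerValue[len(prefix):])
	if err != nil {
		return "", "", false
	}
	return strings.Cut(string(raw), ":")
}

// Attribution is what the firewall recovers from a Basic-auth username.
type Attribution struct {
	APIKeyID   string // the credential that is actually authenticated
	Label      string // console-user@machine; client-supplied, telemetry only
	Attributed bool   // false when the username was a plain key id
}

// UnwrapAttributedUsername unwraps the label if present and otherwise passes a
// plain username through untouched (backward compatibility). Every failure
// mode falls back to "plain": not base64, no ':' separator, inner part not
// base64, or inner part missing the sentinel. A plain key id that happens to
// be valid base64 still passes through because it has no ':' after decoding.
func UnwrapAttributedUsername(username string) Attribution {
	plain := Attribution{APIKeyID: username}
	outer, err := base64.StdEncoding.DecodeString(username)
	if err != nil {
		return plain
	}
	innerB64, apiKeyID, found := strings.Cut(string(outer), ":")
	if !found || apiKeyID == "" {
		return plain
	}
	inner, err := base64.StdEncoding.DecodeString(innerB64)
	if err != nil || !strings.HasPrefix(string(inner), attrSentinel) {
		return plain
	}
	label := strings.TrimPrefix(string(inner), attrSentinel)
	return Attribution{APIKeyID: apiKeyID, Label: sanitizeLabel(label), Attributed: true}
}

// sanitizeLabel is an added defensive step (not from the PR): the label is
// untrusted input destined for a log line, so cap its length and replace
// control and non-ASCII bytes so it cannot inject newlines or escapes.
func sanitizeLabel(label string) string {
	const maxLen = 128
	var b strings.Builder
	for _, r := range label {
		if r < 0x20 || r > 0x7e {
			r = '?'
		}
		b.WriteRune(r)
	}
	s := b.String()
	if len(s) > maxLen {
		s = s[:maxLen]
	}
	return s
}

func main() {
	// Constructed sample values; the key id and secret are placeholders.
	user := EncodeAttributedUsername("mrkete", "C02N3JXH76", "key-123")
	hdr := "Basic " + BasicAuthValue(user, "s3cret")
	u, p, _ := ParseBasicAuth(hdr)
	fmt.Printf("attributed: %+v (password %q)\n", UnwrapAttributedUsername(u), p)
	fmt.Printf("plain:      %+v\n", UnwrapAttributedUsername("key-123"))
}
```

The authenticating half (checking apiKeyID and the password against the shared key) is deliberately left to the existing auth path: the point of the scheme is that it is unchanged, and the Label field must only ever be written to the log, never consulted for authorisation.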
@Mahesh-Kete Mahesh-Kete changed the title Lm 325 mdm script support for user attribution LM 325 mdm script support for user attribution Jun 30, 2026
@Mahesh-Kete Mahesh-Kete requested a review from shrey-endor July 2, 2026 09:30