adds local key and hardware key to launcher_info table, fixes vscode …

…debugging, increases local server write timeout (#1012)
kolide · Feb 2, 2023 · c0e0cdb · c0e0cdb
1 parent 4f9be4c
commit c0e0cdb
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 34 deletions.
diff --git a/ee/localserver/server.go b/ee/localserver/server.go
@@ -65,7 +65,7 @@ func New(logger log.Logger, db *bbolt.DB, kolideServer string) (*localServer, er
 		logger:       log.With(logger, "component", "localserver"),
 		limiter:      rate.NewLimiter(defaultRateLimit, defaultRateBurst),
 		kolideServer: kolideServer,
-		myEcKey:      agent.Keys(),
+		myEcKey:      agent.LocalDbKeys(),
 	}
 
 	// TODO: As there may be things that adjust the keys during runtime, we need to persist that across
@@ -102,7 +102,7 @@ func New(logger log.Logger, db *bbolt.DB, kolideServer string) (*localServer, er
 	// While we're transitioning, we want to support both v1 and v2 protocols
 	kryptoDeterminerMiddleware := NewKryptoDeterminerMiddleware(
 		ls.logger,
-		kbm.UnwrapV1Hander(ls.requestLoggingHandler(rsaAuthedMux)),
+		kbm.UnwrapV1Hander(rsaAuthedMux),
 		ecKryptoMiddleware.Wrap(ecAuthedMux),
 	)
 
@@ -114,7 +114,7 @@ func New(logger log.Logger, db *bbolt.DB, kolideServer string) (*localServer, er
 		Handler:           ls.requestLoggingHandler(ls.preflightCorsHandler(ls.rateLimitHandler(mux))),
 		ReadTimeout:       500 * time.Millisecond,
 		ReadHeaderTimeout: 50 * time.Millisecond,
-		WriteTimeout:      50 * time.Millisecond,
+		WriteTimeout:      5 * time.Second,
 		MaxHeaderBytes:    1024,
 	}
 

diff --git a/pkg/agent/keys.go b/pkg/agent/keys.go
@@ -3,10 +3,12 @@ package agent
 import (
 	"crypto"
 	"fmt"
+	"time"
 
 	"github.com/go-kit/kit/log"
 	"github.com/go-kit/kit/log/level"
 	"github.com/kolide/launcher/pkg/agent/keys"
+	"github.com/kolide/launcher/pkg/backoff"
 	"go.etcd.io/bbolt"
 )
 
@@ -18,7 +20,7 @@ type keyInt interface {
 var hardwareKeys keyInt = keys.Noop
 var localDbKeys keyInt = keys.Noop
 
-func Keys() keyInt {
+func HardwareKeys() keyInt {
 	return hardwareKeys
 }
 
@@ -37,20 +39,19 @@ func SetupKeys(logger log.Logger, db *bbolt.DB) error {
 		return fmt.Errorf("setting up local db keys: %w", err)
 	}
 
-	// this is intended to be a temporary measure
-	// there is likely an issue where javascript is timing out
-	// while talking to the local server
-	// leaving commented code below until fix found
-	hardwareKeys = localDbKeys
-
-	// hardwareKeys, err = setupHardwareKeys(logger, db)
-	// if err != nil {
-	// 	// Now this is a conundrum. What should we do if there's a hardware keying error?
-	// 	// We could return the error, and abort, but that would block launcher for working in places
-	// 	// without keys. Inatead, we log the error and set Keys to the localDb key.
-	// 	level.Info(logger).Log("msg", "Failed to setting up hardware keys, falling back to local DB keys", "err", err)
-	// 	hardwareKeys = localDbKeys
-	// }
+	err = backoff.WaitFor(func() error {
+		hwKeys, err := setupHardwareKeys(logger, db)
+		if err != nil {
+			return err
+		}
+		hardwareKeys = hwKeys
+		return nil
+	}, 1*time.Second, 250*time.Millisecond)
+
+	if err != nil {
+		// Use of hardware keys is not fully implemented as of 2023-02-01, so log an error and move on
+		level.Info(logger).Log("msg", "failed to setting up hardware keys", "err", err)
+	}
 
 	return nil
 }

diff --git a/pkg/osquery/table/launcher_info.go b/pkg/osquery/table/launcher_info.go
@@ -3,6 +3,8 @@ package table
 import (
 	"bytes"
 	"context"
+	"crypto/x509"
+	"encoding/base64"
 	"runtime"
 
 	"github.com/kolide/kit/version"
@@ -26,10 +28,14 @@ func LauncherInfoTable(db *bbolt.DB) *table.Plugin {
 		table.TextColumn("identifier"),
 		table.TextColumn("osquery_instance_id"),
 
-		// New hardware and local keys
+		// Signing key info
 		table.TextColumn("signing_key"),
 		table.TextColumn("signing_key_source"),
+
+		// Exposure of both hardware and local keys
 		table.TextColumn("local_key"),
+		table.TextColumn("hardware_key"),
+		table.TextColumn("hardware_key_source"),
 
 		// Old RSA Key
 		table.TextColumn("fingerprint"),
@@ -39,7 +45,6 @@ func LauncherInfoTable(db *bbolt.DB) *table.Plugin {
 }
 
 func generateLauncherInfoTable(db *bbolt.DB) table.GenerateFunc {
-
 	return func(ctx context.Context, queryContext table.QueryContext) ([]map[string]string, error) {
 		identifier, err := osquery.IdentifierFromDB(db)
 		if err != nil {
@@ -75,20 +80,30 @@ func generateLauncherInfoTable(db *bbolt.DB) table.GenerateFunc {
 			},
 		}
 
-		// No logger, so just ignore errors. generate the pem encoding if we can.
-		if eccKey := agent.Keys().Public(); eccKey != nil {
-			var pem bytes.Buffer
-			if err := osquery.PublicKeyToPem(eccKey, &pem); err == nil {
-				results[0]["signing_key"] = pem.String()
-				results[0]["signing_key_source"] = agent.Keys().Type()
-			}
+		// always use local key as signing key for now until k2 is updated to handle hardware keys
+		var localPem bytes.Buffer
+		if err := osquery.PublicKeyToPem(agent.LocalDbKeys().Public(), &localPem); err == nil {
+			results[0]["signing_key"] = localPem.String()
+			results[0]["signing_key_source"] = agent.LocalDbKeys().Type()
+		}
+
+		// going forward were using DER format
+		localKeyDer, err := x509.MarshalPKIXPublicKey(agent.LocalDbKeys().Public())
+		if err == nil {
+			// der is a binary format, so convert to b64
+			results[0]["local_key"] = base64.StdEncoding.EncodeToString(localKeyDer)
+		}
+
+		// we might not always have hardware keys so check first
+		if agent.HardwareKeys().Public() == nil {
+			return results, nil
 		}
 
-		if localKey := agent.LocalDbKeys().Public(); localKey != nil {
-			var pem bytes.Buffer
-			if err := osquery.PublicKeyToPem(localKey, &pem); err == nil {
-				results[0]["local_key"] = pem.String()
-			}
+		hardwareKeyDer, err := x509.MarshalPKIXPublicKey(agent.HardwareKeys().Public())
+		if err == nil {
+			// der is a binary format, so convert to b64
+			results[0]["hardware_key"] = base64.StdEncoding.EncodeToString(hardwareKeyDer)
+			results[0]["hardware_key_source"] = agent.HardwareKeys().Type()
 		}
 
 		return results, nil

diff --git a/tools/vscode-debugging/conf/launch.json b/tools/vscode-debugging/conf/launch.json
@@ -29,8 +29,10 @@
                 "--debug",
                 "--hostname=localhost:3443",
                 "--enroll_secret_path=${workspaceFolder}/debug/k2_enroll_secret",
-                "--transport=osquery",
-                "--kolide_hosted",
+                // the osquery transport stopped working for debug around 20230202, possible investigation to follow
+                // "--transport=osquery",
+                // "--kolide_hosted",
+                "--transport=jsonrpc",
                 "--root_directory=${workspaceFolder}/debug",
                 "--root_pem=${workspaceFolder}/debug/localhost.crt",
                 "--autoupdate",