PrincsFilter to ClientFilter reimplementation #186
Conversation
MrAnno
force-pushed
the
subscription-wildcard-filter
branch
from
4144e3a to
7220434
Compare
|
Hi! Thanks, again, for this cool PR! Let's start this (huge) answer with a some history! At first, OpenWEC only supported Kerberos authentication. The Kerberos principal filter was implemented to mimic the subscription ACL of MS WEC, even if explicitly listing principals is quite tedious. I had some plans to parse the Kerberos PAC at some point to enable filtering on AD groups or claims, but I never found the time (and the motivation) to do it. I later added the custom "uri" system to manage which subscriptions are available to which machines, depending on the configuration of the machines. When TLS authentication was implemented, we extended the "Kerberos principal filter" to support TLS subjects, but we did not change the name out of laziness (sorry). In practice, my organization used custom "uri" to tag events based on the location of the machines, but we stopped doing that at some point. We never used the prinicpal/subject filtering feature. I assume you have a specific use case in mind. Could you share it?
|
|
Thank you for the detailed and thorough explanation. :) I also had a feeling that something bigger needs to be done around the current filtering implementation, so I really like your idea. The case-insensitivity option is also something that I find very useful, I would even consider changing the default (but only with the new config naming, I don't want to break anything when one uses the old option names, of course). In our use-cases, machine filtering is essential, as events are coming from very different domains, locations, etc. towards the same collector, and even with wildcards, it is sometimes non-trivial to achieve the the desired categorization when using TLS. The URI trick sounds good, but managing "what we collect and from where" would be better being stored on the server side, we would like to keep everything unified and stupid on the client side. So all things considered, I would gladly continue this implementation in the direction you suggested as "filter rework". (Sorry for the typo, I usually wrap up conversations terribly, so I asked for a little help :)) |
|
About the MachineID part: I don't have a specific use case that would not work with principals or cert subjects, I just had a fairly old memory when I was investigating the Microsoft implementation of WEC that in case of the source-initiated push method with TLS, their wildcard filters might have been applied on the Machine field of the request and not on the cert DN or common name. |
Ok. I'm fine with adding such a filter as long as the documentation clearly states that the value can be manipulated by an evil machine.
That's nice! I will be happy to help you if you need it 😄 Do you plan to implement the "single filter" approach or the last one with multiple filters? |
|
I would go with the single filter list and try to implement it in a way that wouldn't cause too many problems if one wanted to extend the functionality to the ACL-like idea you mentioned. The single filter list with flags (case-sensitivity, pattern) and a type field covers all my use cases. |
|
Sorry for the delay, I'll update the PR soon. |
The name "princs" does not make sense when TLS is used, so an alias
has been added:
[filter]
operation = "Only"
cert_subjects = [
"win10.windomain.local",
]
MrAnno
changed the title
MrAnno
force-pushed
the
subscription-wildcard-filter
branch
from
7220434 to
3bbb970
Compare
MrAnno
force-pushed
the
subscription-wildcard-filter
branch
from
3bbb970 to
183c7b5
Compare
This was used only by the CLI interface, which is deprecated. Subscriptions are now config files, which represents the current state, so no modifier methods are required.
It will be used to filter clients based on their self-advertised name.
MrAnno
force-pushed
the
subscription-wildcard-filter
branch
from
183c7b5 to
b7c61b4
Compare
MrAnno
changed the title
|
@vruello I updated the PR description. I'm still learning Rust, and it seems I have made a few relatively bad decisions, so the implementation does not look as clean as I wanted it to be. |
Case-sensitive by default in case "princs" is used.
MrAnno
force-pushed
the
subscription-wildcard-filter
branch
from
b7c61b4 to
1f5850f
Compare
|
Hi! Thanks for all your work on this feature! Do you think it is ready for review? |
|
My pleasure. :)
Yes, I think it is ready. |
|
Cool! I will check it out as soon as possible 😄 |
There was a problem hiding this comment.
Thanks for the update! (and sorry for being a bit slow to review it)
I think it is much better than before. I wrote some comments. Most of the remaining work seems to be adding a new export version and adding some tests for filters.
I have some doubts about whether the "type/kind" (TLS subject, Kerberos principal, Machine ID) and the "flags" (case sensitive, "exact" or "glob") of targets should be global or target-specific. In fact, it feels more natural (and powerful) to specify them "per target", but I am not sure of how to format them in configuration files.
Do you have an opinion on this? (we need to decide this before (re-)working on the implementation)
| # [filter] | ||
| # operation = "Only" | ||
| # princs = ["courgette@REALM", "radis@REALM"] | ||
| # type = "MachineID" |
There was a problem hiding this comment.
In this case, the targets are Kerberos principals so this is odd. We should either use the KerberosPrinc type or change the targets to computer names.
| Only, | ||
| Except, | ||
| } | ||
|
|
||
| impl Display for PrincsFilterOperation { | ||
| impl Display for ClientFilterOperation { |
There was a problem hiding this comment.
We should probably replace this by a strum macro.
| } | ||
| } | ||
| } | ||
|
|
||
| impl PrincsFilterOperation { | ||
| pub fn opt_from_str(op: &str) -> Result<Option<PrincsFilterOperation>> { | ||
| impl FromStr for ClientFilterOperation { |
There was a problem hiding this comment.
This could also be replaced by strum (https://docs.rs/strum/latest/strum/derive.EnumString.html).
| pub kind: crate::subscription::ClientFilterType, | ||
| #[serde(default)] | ||
| pub flags: crate::subscription::ClientFilterFlags, | ||
| #[serde(default)] |
There was a problem hiding this comment.
I don't think that we should allow a filter without targets.
There was a problem hiding this comment.
This is optional only because I had to implement backward-compatibility for the old princs field, where case case-sensitivity is on by default.
There was a problem hiding this comment.
Perhaps it would be easier to keep the filter case-sensitive by default even with the new syntax. What do you think?
| #[serde(default)] | ||
| pub flags: crate::subscription::ClientFilterFlags, | ||
| #[serde(default)] | ||
| pub targets: HashSet<String>, |
There was a problem hiding this comment.
Could we use a serde alias "princs" instead of another attribute (https://serde.rs/field-attrs.html#alias)?
There was a problem hiding this comment.
I wanted to use an alias, but I had to differentiate the new and the old configuration mode so that I can be backward compatible with case-sensitivity.
There was a problem hiding this comment.
(same answer as just above: what about keeping case-sensitive filters by default?)
| let client_filter = match client_filter_op { | ||
| Some(op) => { | ||
| let client_filter_type: Option<_> = row.get("client_filter_type")?; | ||
| let client_filter_type = client_filter_type.unwrap_or("KerberosPrinc".to_owned()); |
There was a problem hiding this comment.
I don't like this hardcoded string KerberosPrinc. I think it is better to keep client_filter_type an option and let ClientFilter::from pick the default.
There was a problem hiding this comment.
What would you say if I:
- updated the database column to use an enum type and set Kerberos as default; or
- implemented a default method for
ClientFilterType, which can be used here when the database contains old empty values?
There was a problem hiding this comment.
updated the database column to use an enum type and set Kerberos as default;
This is PostgreSQL-specific as there are no enums in SQLite. We could use a default value for a string field, but it does not feel right.
implemented a default method for ClientFilterType, which can be used here when the database contains old empty values?
If client_filter_op is set, client_filter_type MUST be set EXCEPT if we are processing an "old" filter. In this case, ClientFilter::from could easily use an unwrap_or_default() on ClientFilterType as you say, but... there is actually a third option:
Write the "legacy" value in the migration (i.e. put "KerberosPrinc" in
client_filter_typeifclient_filter_opis not null in the migration).
Since this is only a "migration" issue, I think it should be handled properly in the migration code. We don't want to have to maintain weird cases caused by past migrations in the application code forever.
| @@ -546,6 +556,11 @@ impl Database for SQLiteDatabase { | |||
|
|
|||
| async fn store_subscription(&self, subscription: &SubscriptionData) -> Result<()> { | |||
| let subscription = subscription.clone(); | |||
| let client_filter_op: Option<String> = subscription.client_filter().map(|f| f.operation().to_string()); | |||
| let client_filter_type = subscription.client_filter().map(|f| f.kind().to_string()); | |||
| let client_filter_flags = subscription.client_filter().map(|f| f.flags().to_string()); | |||
There was a problem hiding this comment.
I would prefer to store flags as a number in database.
| } | ||
| } | ||
|
|
||
| pub fn eval(&self, client: &str, machine_id: Option<&str>) -> bool { |
There was a problem hiding this comment.
It would be cool to have some tests for filters as their logic gets a bit more complicated.
| filter.set_princs(value.princs)?; | ||
| Ok(filter) | ||
| fn try_from(value: ClientFilter) -> std::prelude::v1::Result<Self, Self::Error> { | ||
| #[allow(deprecated)] |
There was a problem hiding this comment.
Do we really need this allow since new_legacy itself is not deprecated (and shouldn't be to support backwards compatibility)?
| pub fn from(operation: String, kind: String, flags: Option<String>, targets: Option<String>) -> Result<Self> { | ||
| let flags: ClientFilterFlags = bitflags::parser::from_str_strict(flags.unwrap_or_default().as_str()).map_err(|e| anyhow!("{:?}", e))?; | ||
|
|
||
| let mut t = if flags.contains(ClientFilterFlags::GlobPattern) { |
There was a problem hiding this comment.
I don't like one-letter variables 😢
I think it would be unnecessary (at least in our use cases) to allow per-target types and flags. My reasoning is something like this: |
|
Your reasoning is quite convincing. We are probably in one of those cases where perfect is the enemy of good, and supporting limited filtering capabilities is probably the best choice for now. We'll always be able to add a more complete (and complex) filtering syntax later, if the need arises. |
Client filter
Filtering modes:
Only: the subscription will only be shown to the listed clientsExcept: the subscription will be shown to everyone except the listed clientsFiltering types:
KerberosPrinc: the filter will be evaluated on the Kerberos principalTLSCertSubject: the filter will be evaluated on the TLS certificate's subject fieldMachineID: the filtering is done based on the name of the computerThe default is either
KerberosPrincorTLSCertSubject, depending on how server authentication is configured.Warning:
MachineIDis not cryptographically authenticated information, it can be spoofed.Filtering flags:
GlobPattern: Glob patterns like*and?can be used intargetsCaseSensitive: Filter matching will be case-sensitiveFlags are composable using the
|operator.The comparison is case-insensitive by default.
Backward compatibility:
princsfield instead oftargets.V3Import/Export API?