feat(pedm): account tracking #1319

Open: wants to merge 2 commits into base: master

@allan2 allan2 commented Apr 26, 2025

This commit adds tracking of user accounts and domain accounts. Changes to accounts on the system such as name change, creation, removal, and even SID change are captured.

Accounts now use an internally generated stable ID. This stable ID can be used to build policies in a robust manner.

The functionality has been tested with real account creation, deletion, and removal on Windows for both DB backends.

This commit also includes query helpers for parametrization and bulk insertion.

A basic endpoint, /accounts, is added for displaying info about existing accounts in a fashion similar to Get-LocalUser.

The function works as expected. The expected side of the test was wrong.
///
/// `LookupAccountNameW` must be called to enable `ConvertSidToStringSidW` to work.
#[cfg(target_os = "windows")]
#[allow(clippy::multiple_unsafe_ops_per_block)]
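
Review bot: the doc line stating that `LookupAccountNameW` must be called to enable `ConvertSidToStringSidW` to work gives an ordering requirement but not the reason for it. Say what the first call provides that the second depends on, so the call is not dropped as redundant in a later refactor.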

issue: Do not allow this. Put a SAFETY comment for each unsafe operation.

/// `LookupAccountNameW` must be called to enable `ConvertSidToStringSidW` to work.
#[cfg(target_os = "windows")]
#[allow(clippy::multiple_unsafe_ops_per_block)]
#[allow(clippy::cast_possible_truncation)]
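
Review bot: `#[allow(clippy::cast_possible_truncation)]` placed at function level exempts every narrowing `as` cast in the body, including ones added later. The casts themselves are outside this hunk; where they convert lengths or counts, a checked `try_from` conversion with an error return would make the allow unnecessary, and any cast that has to stay can carry the allow on that single statement.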

issue: Justify why this lint is disabled.

#[cfg(target_os = "windows")]
#[allow(clippy::multiple_unsafe_ops_per_block)]
#[allow(clippy::cast_possible_truncation)]
pub(crate) unsafe fn list_accounts() -> Result<Vec<Account>, ListAccountsError> {
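
Review bot: `list_accounts` is declared `unsafe fn`, yet the doc lines shown above it list no caller preconditions. If there are some, put them in a `# Safety` section; if there are none, drop `unsafe` from the signature and keep the unsafe operations in blocks inside the body, so call sites do not need an `unsafe` block of their own.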

@CBenoit CBenoit Apr 26, 2025

question: Why is this function marked as unsafe? What are the safety preconditions to uphold in order to call it? It seems to me that it is wrapping unsafe operations in a way that can be proven safe locally (unless there are other "ambient" preconditions?).

question: This sounds similar, but slightly different from the primitives provided by the identity module of win-api-wrappers. Can you elaborate why you had to implement a different abstraction?
