Add osquery-perf support for PSSO#48905
Conversation
| @@ -0,0 +1,82 @@ | |||
| package pssocrypto | |||
There was a problem hiding this comment.
Added because it was hanging out in my dev branch while testing some other changes
|
@coderabbitai review |
✅ Action performedReview finished.
|
There was a problem hiding this comment.
Pull request overview
This PR adds Apple Platform SSO (PSSO) load-test simulation support to cmd/osquery-perf, plus a known-answer crypto test to ensure Fleet’s PSSO ECDH + Concat-KDF derivations stay aligned with Apple’s published vectors.
Changes:
- Add a PSSO simulation loop to macOS MDM agents in
osquery-perf(registration, login, key request/exchange) gated by new CLI flags and staggered over an interval. - Extend
osquery-perfstats logging with PSSO counters (registrations, logins, key ops, errors). - Add documentation for PSSO flags/behavior and add an Apple published-vector known-answer test for PSSO crypto.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| server/mdm/apple/psso/pssocrypto/apple_kat_test.go | Adds a known-answer test against Apple’s published encryption-verification vectors to catch drift in ECDH/KDF/party-info handling. |
| cmd/osquery-perf/README.md | Documents how to enable and configure PSSO simulation and the new related flags. |
| cmd/osquery-perf/osquery_perf/stats.go | Adds PSSO counters and includes them in periodic stats logs. |
| cmd/osquery-perf/agent.go | Implements PSSO simulation selection, token capture from MDM profile delivery, and the periodic PSSO activity loop; adds new CLI flags wiring. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
WalkthroughChangesThis PR adds Platform SSO (PSSO) simulation to the osquery-perf load-testing agent for macOS MDM devices. It introduces new agent state, a Sequence Diagram(s)Included above in the hidden review stack artifact for the PSSO simulation loop. Related PRs: None identified. Suggested labels: enhancement, mdm, load-testing Suggested reviewers: (unable to determine from provided context) Poem 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@cmd/osquery-perf/agent.go`:
- Around line 1431-1432: Gate the initial PSSO key exchange behind a successful
login in the affected flow(s) around pssoLogin and pssoKeyRequestExchange,
including the repeated sequence later in the same file. Update the calling logic
so pssoKeyRequestExchange is only invoked when pssoLogin succeeds and has stored
the refresh token, and skip or short-circuit the exchange on login failure to
avoid unnecessary errors and metric skew. Use the existing pssoLogin() and
pssoKeyRequestExchange() call sites as the targets for this control flow change.
- Around line 4057-4064: The mdm_psso_password flag exposes sensitive IdP
credentials via command-line arguments, so update the PSSO configuration flow in
agent.go to source the password from a safer input instead of requiring the
flag. After flag.Parse(), have the PSSO setup read a fallback from an
environment variable or password file when mdmPSSOPassword is empty, and keep
mdmPSSOPassword only as an explicit override path used by the Platform SSO login
logic.
In `@server/mdm/apple/psso/pssocrypto/apple_kat_test.go`:
- Around line 64-67: The Apple KAT currently builds fleetAPU from
ephECDH.PublicKey().Bytes(), which bypasses the explicit X/Y test vector and
only exercises the D-derived ECDH path. Update the assertion in
apple_kat_test.go to use eph.PublicKey.ECDH() so EncodeApplePartyInfo is
validated against the hard-coded ephemeral public key the same way
BuildPartyInfoJWE does.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 29b99ee8-ee24-4ed2-9ab8-f350904f0d2f
⛔ Files ignored due to path filters (1)
cmd/osquery-perf/README.mdis excluded by!**/*.md
📒 Files selected for processing (3)
cmd/osquery-perf/agent.gocmd/osquery-perf/osquery_perf/stats.goserver/mdm/apple/psso/pssocrypto/apple_kat_test.go
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## JM-47171 #48905 +/- ##
============================================
+ Coverage 67.91% 67.94% +0.02%
============================================
Files 3664 3663 -1
Lines 236560 236304 -256
Branches 11785 11785
============================================
- Hits 160665 160547 -118
+ Misses 61194 61076 -118
+ Partials 14701 14681 -20
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Related issue: Resolves #
Checklist for submitter
If some of the following don't apply, delete the relevant line.
SELECT *is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.Testing
Added/updated automated tests
Where appropriate, automated tests simulate multiple hosts and test for host isolation (updates to one hosts's records do not affect another)
QA'd all new/changed functionality manually
Summary by CodeRabbit
New Features
Tests