feat(clients): use hardware id for device verification#6857
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
conectado
changed the title
conectado
force-pushed
the
feat/connlib/use-hardware-id-for-device-verification
branch
from
5a81233 to
fbe3e57
Compare
|
@jamilbk this is practically ready but we should decide if we keep the fallback or maybe skip smbios completely? |
conectado
requested review from
ReactorScram,
jamilbk and
thomaseizinger
and removed request for
ReactorScram
|
Before merging I also still need to test on iOS |
|
Also to note here, after merging this PR even when we fallback, due to no longer hashing the id, this will un-verify all new clients, so this might be worth a minor version change? |
I don't think many are using this feature yet, so I'll just let the customer know directly. |
thomaseizinger
left a comment
thomaseizinger
left a comment
There was a problem hiding this comment.
Overall looks good. From the issue it sounds like there are more changes coming though :)
kotlin/android/app/src/main/java/dev/firezone/android/tunnel/TunnelService.kt
Outdated
Show resolved
Hide resolved
conectado
force-pushed
the
feat/connlib/use-hardware-id-for-device-verification
branch
from
2d1fb47 to
01b9ff2
Compare
|
@thomaseizinger Ready for another round of reviews |
thomaseizinger
left a comment
thomaseizinger
left a comment
There was a problem hiding this comment.
LGTM
I think we should clean up the error handling but that can happen in a follow-up!
| val executor = Executors.newSingleThreadExecutor() | ||
|
|
||
| executor.execute { | ||
| val deviceInfo = DeviceInfo() | ||
|
|
||
| runCatching { | ||
| Tasks.await(FirebaseInstallations.getInstance().id) | ||
| }.onSuccess { firebaseInstallationId -> | ||
| deviceInfo.firebaseInstallationId = firebaseInstallationId | ||
| }.onFailure { exception -> | ||
| Log.d(TAG, "Failed to obtain firebase installation id: $exception") | ||
| } | ||
|
|
||
| val gson: Gson = | ||
| GsonBuilder() | ||
| .setFieldNamingPolicy(FieldNamingPolicy.LOWER_CASE_WITH_UNDERSCORES) | ||
| .create() | ||
|
|
||
| connlibSessionPtr = | ||
| ConnlibSession.connect( | ||
| apiUrl = config.apiUrl, | ||
| token = token, | ||
| deviceId = deviceId(), | ||
| deviceName = getDeviceName(), | ||
| osVersion = Build.VERSION.RELEASE, | ||
| logDir = getLogDir(), | ||
| logFilter = config.logFilter, | ||
| callback = callback, | ||
| deviceInfo = gson.toJson(deviceInfo), | ||
| ) | ||
|
|
||
| startNetworkMonitoring() | ||
| startDisconnectMonitoring() | ||
| } |
There was a problem hiding this comment.
This has gotten a bit verbose which was the main reason I suggested to do it elsewhere. I don't know how long it takes to fetch the Firebase ID, I guess once it is cached locally it shouldn't delay the connect much?
| install_rustls_crypto_provider(); | ||
|
|
||
| let secret = SecretString::from(token); | ||
| let device_info = serde_json::from_str(&device_info).unwrap(); |
There was a problem hiding this comment.
| let device_info = serde_json::from_str(&device_info).unwrap(); | |
| let device_info = serde_json::from_str(&device_info)?; |
| let log_filter = string_from_jstring!(env, log_filter); | ||
| let device_info = string_from_jstring!(env, device_info); | ||
|
|
||
| let device_info = serde_json::from_str(&device_info).unwrap(); |
There was a problem hiding this comment.
| let device_info = serde_json::from_str(&device_info).unwrap(); | |
| let device_info = serde_json::from_str(&device_info)?; |
conectado
deleted the
feat/connlib/use-hardware-id-for-device-verification
branch
|
@conectado Hm I thought we'd cut clients before this got merged. Are the portal changes already deployed to prod? Otherwise we need to revert this, cut clients, and merge this when we can deploy them to prod right? |
@jamilbk We just need to revert the changes to hashing the device id, which we should anyways, that was a left over from the first implementation. Everything else should be harmless as we only add fields not remove it. |
|
@conectado Got it, thanks for the clarification. If the only breakage here is that it resets verified clients, I'll check prod to see who's using that feature and then just notify them directly. |
@jamilbk yes, that should be it. Though shouldn't we just revert that change? I'm not sure why we hashed the id in the first place but there's no point to making this change anymore |
I'll send a PR for that so we are unblocked from releasing. |
Thank you @thomaseizinger ! I didn't find the time to sit down and do it myself |
|
PR here: #6918. |
As part of iterating on the correct approach in #6857, we at some point removed the hashing of the Firezone-generated device ID. This will break customers because all of the device IDs as seen by the portal are changing. We've since settled on a different approach for device verification. To not break anyone, we are re-introducing hashing of the device ID. Related: #6857.
|
@conectado Was there a reason why we are not also pulling the SMBIOS UUID for PC systems? That way we have field parity for all desktop systems, similar to what the WARP client pulls. I left a comment regarding this here: #6837 (comment) |
|
Fixed here: #6921 |
Addresses the comment here: #6857 (comment)
3 participants
We want to associate additional device information for the device verification, these are all parameters that tries to uniquely identify the hardware.
For that reason we read system information and send it as part of the query params to the portal, that way the portal can store this when device is verified and match against that later on.
These are the parameters according to each platform:
device_serialdevice_uuididentifier_for_vendorfirebase_installation_iddevice_serialdevice_serialFixes #6837