Escrow macOS Recovery Lock passwords #37497

@noahtalerman

Goal

User story
As an IT admin,
I want Fleet to escrow a unique Recovery Lock password for all my macOS hosts
so that I can share these passwords with end users to help if they forget their local macOS password.

Roadmap item

Original requests

Resources

Changes

Product

  • UI changes: Figma
  • CLI (fleetctl) usage changes: No changes
  • YAML changes: TODO
  • REST API changes: TODO
  • Fleet's agent (fleetd) changes: No changes
  • GitOps mode UI changes: No changes
  • GitOps generation changes: No changes
  • Activity changes: Add escrow and read activities for password recovery actions #39235
  • Permissions changes:
    • View recovery password similar to view disk encryption key? (all but GitOps)
  • Changes to paid features or tiers: No changes
  • My device and fleetdm.com/better changes: No changes
  • Usage statistics: No changes
  • Other reference documentation changes: No changes
  • First draft of test plan added
  • Once shipped, requester has been notified
  • Once shipped, dogfooding issue has been filed

Engineering

  • Test plan is finalized
  • Contributor API changes: TODO
  • Feature guide changes: TODO
  • Database schema migrations: TODO
  • Load testing: TODO
  • Load testing/osquery-perf improvements: TODO
  • This is a premium only feature: Yes / No

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires testing in a hosted environment: TODO
  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Test plan

Make sure to go through the list and consider all events that might be related to this story, so we catch edge cases earlier.

  1. In Controls > OS Settings confirm new section "Passwords" is there.
    • If team has eligible hosts (macOS with Apple silicon), options for Recovery password should be available.
    • If team does not have eligible hosts, options for Recovery password are disabled, with a tooltip.
    • Tooltip for "Recovery password" in either case.
  2. If recovery password enabled in OS settings:
    • Host details > Vitals shows "Recovery password" On with tooltip.
    • Host details > Actions dropdown has "Show recovery password"
    • Recovery password modal shows
  3. If recovery password not enabled in OS settings:
    • Host details > Vitals shows "Recovery password":
      • Off with tooltip if recovery_password_enabled:false && eligible hosts on team.
      • --- with tooltip if no eligible hosts on team.
  4. Permissions to view recovery password should be for all except GitOps (similar to encryption key permissions).
  5. Host details > activity feed shows when recovery password is viewed.
  6. Dashboard > global activity feed shows:
    • when recovery password is viewed.
    • when recovery password is escrowed.

Testing notes

Confirmation

  1. Engineer: Added comment to user story confirming successful completion of test plan.
  2. QA: Added comment to user story confirming successful completion of test plan.

Labels

  • #g-security-compliance: Security & Compliance product group
  • :product: Product Design department (shows up on 🦢 Drafting board)
  • customer-schur
  • story: A user story defining an entire feature
  • ~customer promise: A feature request, or user story for a request, that Fleet has contractually agreed to deliver

Status

🐣 In progress
