Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sync clean all #1275

Merged
merged 10 commits into from
Jan 24, 2024
Merged

Sync clean all #1275

merged 10 commits into from
Jan 24, 2024

Conversation

mlw
Copy link
Contributor

@mlw mlw commented Jan 19, 2024
edited
Loading

***IMPORTANT: This PR introduces a change in behavior!***

Currently, clean syncs result in the entire rules database being deleted and newly received rules being written. However this means that any transitive rules are also wiped out, causing pain for users.

This PR changes the meaning of clean syncs to instead only delete non-transitive rules before writing the newly received rules.

The following describes the new behavior:

  1. santactl sync --clean will only remove non-transitive rules
  2. santactl sync --clean-all is a new flag that will remove all rules (like --clean before this PR)
  3. The preflight response key clean_sync is now deprecated
  4. The preflight response key clean_sync is treated as only removing non-transitive rules
  5. A new preflight response key is supported, sync_type
  6. The sync_type preflight response key supports the following values
    • normal - Only new rules will be added, existing rules will not be removed
    • clean - Remove non-transitive rules before writing new rules
    • clean_all - Remove all rules before writing new rules
    • Not set - Same as normal
  7. The server can still force a clean or clean_all action in the preflight response
  8. The client can force a clean_all action even if the server only responded with clean
    • This is because from the server's perspective, this is the same operation. A user is allowed to dictate if all rules or only transitive rules should be removed (presuming the server doesn't force all rules)

Fixes #1272

@mlw mlw added this to the 2024.1 milestone Jan 19, 2024
@mlw mlw requested a review from a team as a code owner January 19, 2024 05:52
pmarkowsky
pmarkowsky previously approved these changes Jan 23, 2024
View reviewed changes
Copy link
Contributor

@pmarkowsky pmarkowsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Source/common/BUILD Show resolved Hide resolved
Source/common/SNTConfiguratorTest.m Outdated Show resolved Hide resolved
russellhancox
russellhancox reviewed Jan 23, 2024
View reviewed changes
docs/development/sync-protocol.md Outdated Show resolved Hide resolved
docs/development/sync-protocol.md Outdated Show resolved Hide resolved
Source/santasyncservice/SNTSyncPostflight.m Show resolved Hide resolved
@mlw mlw merged commit 70474ab into google:main Jan 24, 2024
10 checks passed
@brandonfriess-stripe brandonfriess-stripe mentioned this pull request Feb 1, 2024
Merged
@radsec radsec mentioned this pull request Mar 26, 2024
Merged
np5 added a commit to zentralopensource/zentral that referenced this pull request Apr 5, 2024
@np5
Add sync_type key in Santa preflight response
8abd292 
See google/santa#1275
@np5 np5 mentioned this pull request Apr 5, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@russellhancox russellhancox russellhancox approved these changes

@pmarkowsky pmarkowsky Awaiting requested review from pmarkowsky

Assignees
No one assigned
Labels
configurator enhancement rules santactl sync service Issues related to the sync service / protocol transitive allowlisting
Projects
None yet
Milestone
2024.1
Development

Successfully merging this pull request may close these issues.

Clean syncs should only optionally remove transitive rules
3 participants
@mlw @russellhancox @pmarkowsky