feat(agent): Devolutions Gateway service updater #889
/// BUILTIN\Administrators Allow FullControl | ||
/// BUILTIN\Users Allow ReadAndExecute, Synchronize | ||
/// </remarks> | ||
internal static string PROGRAM_DATA_SDDL = "O:SYG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;0x1201bf;;;LS)(A;OICI;0x1301bf;;;NS)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"; |
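Review bot: the `(A;OICI;0x1301bf;;;NS)` ACE gives Network Service modify rights, delete included, and `OICI` makes them inherit to every file and subfolder under this directory; `(A;OICI;0x1201bf;;;LS)` does the same for Local Service minus delete. If the service accounts only need to write specific files, grant write on those files with a non-inheriting ACE and keep the directory itself read-only for them. Separately, `PROGRAM_DATA_SDDL` is a mutable `internal static string`; `const` or `static readonly` would prevent it from being reassigned at runtime.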
Adjusted DACL as @thenextman commented here
/// for upgrade code table. | ||
/// | ||
/// e.g.: `{82318d3c-811f-4d5d-9a82-b7c31b076755}` => `C3D81328F118D5D4A9287B3CB1707655` | ||
pub fn uuid_to_reversed_hex(uuid: &str) -> Result<String, UpdaterError> { |
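Review bot: the name `uuid_to_reversed_hex` and the doc comment suggest a plain reversal, but the example shows something more specific: the first three groups are reversed character by character (`82318d3c` becomes `C3D81328`), while the last two groups only have the two hex digits of each byte swapped (`9a82` becomes `A928`). Please spell that rule out in the doc comment, and state which input forms are accepted (braces or not, upper or lower case) and which of them return `UpdaterError`, since the signature takes an arbitrary `&str`.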
Windows UUIDs are weird 😄
use crate::updater::{Product, UpdaterCtx, UpdaterError}; | ||
|
||
/// List of allowed thumbprints for Devolutions code signing certificates | ||
const DEVOLUTIONS_CERT_THUMBPRINTS: &[&str] = &[ |
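Review bot: the doc comment on `DEVOLUTIONS_CERT_THUMBPRINTS` should say which hash the thumbprints are (SHA-1 or SHA-256) and the expected string format (case, separators), so a future entry added in a different form does not silently fail to match. Because the allowlist is compiled into the binary, it would also help to note here how it gets updated when a signing certificate is renewed or revoked.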
Allowed Devolutions cert thumbprints, which @awakecoding shared with me
/// Enable updater module (enabled by default) | ||
#[serde(default)] | ||
pub disable: bool, |
suggestion: I think it would be better the other way around. You override the default value to "true" if that’s what you want.
/// Enable updater module (enabled by default) | |
#[serde(default)] | |
pub disable: bool, | |
/// Enable updater module (enabled by default) | |
#[serde(default = "true")] | |
pub enabled: bool, |
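Review bot: `#[serde(default = "true")]` on the suggested `enabled` field will not compile, because serde's `default = "..."` takes the path of a function returning the default, not a literal. A small helper such as `fn default_true() -> bool { true }` referenced as `#[serde(default = "default_true")]` gives the intended behaviour. On the original lines, the doc comment says "Enable updater module" while the field is named `disable`, so whichever name is kept, the comment should match it.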
This PR implements Gateway updater logic in `devolutions-agent`.

This update mechanism is triggered by changing the `ProgramData/Devolutions/Agent/update.json` file, setting the required version to update the gateway.

Example `update.json`:

Features:

- `update.json` is created on first service start, and correct DACL is set to allow `NT AUTHORITY/Network Service` (which is used by Gateway) to edit this file