Show who viewed macOS PIN when locking device
Goal
| User story |
|---|
| As a Fleet user, |
| I want to know who viewed the macOS PIN when locking a device |
| so that I can conduct a security audit. |
Context
Issue #19545 added the view_pin parameter to the Lock Host activity item. The frontend should use that parameter to update the activity text in the UI.
- Requestor(s): _________________________
- Product designer: _________________________
Changes
Product
- [ ] UI changes: TODO
- [ ] CLI usage changes: TODO
- [ ] REST API changes: TODO
- [ ] Fleet's agent (fleetd) changes: TODO
- [ ] Permissions changes: TODO
- [ ] Outdated documentation changes: TODO
- [ ] Changes to paid features or tiers: TODO
Engineering
- [ ] Database schema migrations: TODO
- [ ] Load testing: TODO
ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".
QA
Risk assessment
- Requires load testing: TODO
- Risk level: Low / High TODO
- Risk description: TODO
Manual testing steps
- Step 1
- Step 2
- Step 3
Testing notes
Confirmation
- [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
- [ ] QA (@____): Added comment to user story confirming successful completion of QA.
Issue https://github.com/fleetdm/fleet/issues/19545 added the view_pin parameter to the Lock Host activity item.
Hey @getvictor, what does this view_pin key tell me as a user? https://github.com/fleetdm/fleet/pull/19792/files#diff-9f70e9133b8f91c2034329e45fbe2386fdc4fb0b27c114ce6e3b6f0310320551R1006
My understanding is that for macOS hosts, we always return the PIN when a user hits the POST /lock API. This will be clear in the REST API documentation (PR here).
Do we set view_pin to false if the user selects the Lock button in the UI?
That would kind of make sense because the user doesn't see the PIN when they select Lock. That said, it would also not make sense because the PIN shows up in the browser's console (Network tab).
@noahtalerman I updated the REST API documentation (PR here) to reflect the implementation. The UI does not set view_pin, which defaults to false.