Mender / MEN-1417

deviceauth: accepting a particular auth set should automatically reject all other auth sets of that device



    • Type: Story
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 1.2.0, 1.1.1
    • Fix Version/s: None
    • Labels:


      When accepting an authorization data set of a particular device, other auth sets should be invalidated (i.e. rejected). This does not happen now, and it's possible that the device will obtain a token using an older auth set (e.g. the device does a key rotation, the new auth set gets accepted, but the device will still be able to get a token using the older key).

      This work covers:

      • fixing deviceauth logic, steps:
        1. list all auth sets
        2. update db and reject all auth sets but the one that got accepted
        3. update db and accept the remaining auth set
      • trying to minimize the impact of not having transactions at DB level
      • adding migration
        • verify that the timestamp works and, if so, the migration shall switch all but the most recently updated accepted auth sets to the rejected state
        • otherwise we should discuss how to identify the auth set that should be accepted
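
The accept ordering and the migration rule listed above, sketched as an added Go example (not Mender's deviceauth code). The `AuthSet` struct, the status strings, the function names and the in-memory slice standing in for the database are assumptions made for illustration.

```go
package main

import "fmt"

// AuthSet is a hypothetical, simplified model of one auth set (not Mender's schema).
type AuthSet struct {
	ID, DeviceID, Status string
	Updated              int64 // last status change, Unix seconds
}

// Accept follows the ticket's order: list, reject all others, accept last.
// Without transactions, a failure part-way leaves no accepted set (fail closed).
func Accept(sets []AuthSet, deviceID, id string, now int64) error {
	target := -1
	for i, s := range sets { // step 1: list the device's auth sets
		if s.DeviceID == deviceID && s.ID == id {
			target = i
		}
	}
	if target < 0 { // never reject anything on behalf of an unknown auth set
		return fmt.Errorf("auth set %q not found for device %q", id, deviceID)
	}
	for i := range sets { // step 2: reject every other set of this device
		if sets[i].DeviceID == deviceID && i != target {
			sets[i].Status, sets[i].Updated = "rejected", now
		}
	}
	sets[target].Status, sets[target].Updated = "accepted", now // step 3
	return nil
}

// Migrate keeps only the most recently updated accepted set per device.
func Migrate(sets []AuthSet) {
	newest := map[string]int{} // device ID -> index of newest accepted set
	for i, s := range sets {
		if j, ok := newest[s.DeviceID]; s.Status == "accepted" && (!ok || s.Updated > sets[j].Updated) {
			newest[s.DeviceID] = i
		}
	}
	for i, s := range sets {
		if s.Status == "accepted" && newest[s.DeviceID] != i {
			sets[i].Status = "rejected"
		}
	}
}

func main() {
	sets := []AuthSet{{"a1", "dev1", "accepted", 100}, {"a2", "dev1", "pending", 200}} // constructed
	fmt.Println(Accept(sets, "dev1", "a2", 300), sets)
}
```

Rejecting before accepting means an interruption between the two writes can leave the device with no accepted key, but never with both the old and the new key able to obtain a token.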





              • Assignee: Maciej Borzecki (mborzecki)