Stronghold

Jarvis Martin
Jun 4, 2018


As soon as I heard about the Stronghold project, I was naturally interested. Istvan had been given something like 3–4 days to implement a relatively secure tool with which Agents could work without exposing any more client data than necessary. I knew that wasn’t realistic, and I had serious doubts that anything put together that quickly would actually give us what we wanted. I thought it could “work” in the strictest sense but would likely prove unsatisfactory if we tried to use it in production. It seemed too heavy, resource-dependent, and too limiting in terms of our control of presentation and user experience to be a viable long-term product. To Istvan’s credit, he single-handedly produced something that worked within an extremely aggressive timeline.

Concept

XPRA on AWS should be more reliable across varying bandwidths, easier to manage (once set up), and more customizable in terms of everything from underlying security to UI/UX presentation and design elements.

Assumptions

We should be able to leverage past work to quickly get something into place, then iterate. During the course of work, these assumptions proved to be deeply flawed, and with help from Gunar and Keenahn, we were able to focus our wants and needs more tightly.

Technical Implementation

Even after refining our MVP, actual research was required before an MVP would be possible. Keenahn allowed me to pair program with Shawn, who did an amazing job of powering through a constant stream of technical challenges.
The present architecture consists of NGINX on the periphery of our AWS instance as a reverse proxy for our Node.js app, which is built on top of Auth0’s example code. This Auth0 integration provides us with OAuth2 sign-in capabilities, plus the ability to set a rule that only grants access to users who authenticate with Google using an ‘@invisible.email’ address. As a result of this integration, Sentry duty should be greatly eased, since Sentries should only need to manage Agents via LastPass (versus having to actually sign in for each Agent within the Agent’s XPRA instance).
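To make the access rule described above concrete, here is an Auth0 Rule (the `function (user, context, callback)` shape of Auth0's Rules engine) that admits only Google-authenticated users whose verified email is at the invisible.email domain. This is an added example, not the Stronghold project's own rule; the connection name `google-oauth2` is Auth0's standard name for Google social login, and the helper names are my own. The domain check is an exact match on the part after the last `@`, so look-alike domains such as `invisible.email.example` are rejected, and `email_verified` is required so an unverified address cannot be claimed.

```javascript
// Added example (not the project's code): Auth0 Rule restricting sign-in to
// verified @invisible.email accounts that came through the Google connection.

const ALLOWED_DOMAIN = 'invisible.email';
const GOOGLE_CONNECTION = 'google-oauth2'; // Auth0's Google social connection

// In the Auth0 Rules sandbox UnauthorizedError is provided globally; it is
// defined here only so the file runs stand-alone under Node.
class UnauthorizedError extends Error {}

// Domain of an email address: everything after the last '@', lowercased.
// Returns null for anything that is not a plausible "local@domain" string.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Pure decision function so the policy can be unit-tested without Auth0.
// All three conditions must hold: Google connection, verified email, exact domain.
function isAllowed(user, context) {
  const viaGoogle = Boolean(context) && context.connection === GOOGLE_CONNECTION;
  const verified = Boolean(user) && user.email_verified === true;
  return viaGoogle && verified && emailDomain(user.email) === ALLOWED_DOMAIN;
}

// The rule itself, in the shape Auth0's Rules engine invokes.
// Paste only this function body into the Auth0 dashboard.
function invisibleEmailOnlyRule(user, context, callback) {
  if (!isAllowed(user, context)) {
    return callback(new UnauthorizedError(
      'Access is restricted to verified @' + ALLOWED_DOMAIN + ' Google accounts.'));
  }
  return callback(null, user, context);
}
```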
In addition to the Auth0 integration, our Node app orchestrates spinning up XPRA instances and proxying those instances out to users. This orchestration constituted the lion’s share of the time taken to do this work. Although conceptually this is a straightforward process, integrating all of the moving parts into a functioning whole turned out to be radically more difficult than anticipated.
Now that the groundwork has been done, we should be able to incrementally add features and improvements. No doubt agents who are testing Stronghold will come back with valuable criticisms and feedback that we can incorporate into future Stronghold iterations.