empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 17:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
b19233e21d
fleet/server/service/client_apple_mdm.go

177 lines
5.5 KiB
Go
Raw Normal View History

Add Apple MDM functionality (#7940) * WIP * Adding DEP functionality to Fleet * Better organize additional MDM code * Add cmdr.py and amend API paths * Fix lint * Add demo file * Fix demo.md * go mod tidy * Add munki setup to Fleet * Add diagram to demo.md * Add fixes * Update TODOs and demo.md * Fix cmdr.py and add TODO * Add endpoints to demo.md * Add more Munki PoC/demo stuff * WIP * Remove proposals from PoC * Replace prepare commands with fleetctl commands * Update demo.md with current state * Remove config field * Amend demo * Remove Munki setup from MVP-Dogfood * Update demo.md * Add apple mdm commands (#7769) * fleetctl enqueue mdm command * fix deps * Fix build Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com> * Add command to upload installers * go mod tidy * fix subcommands help There is a bug in urfave/cli where help text is not generated properly when subcommands are nested too deep. * Add support for installing apps * Add a way to list enrolled devices * Add dep listing * Rearrange endpoints * Move DEP routine to schedule * Define paths globally * Add a way to list enrollments and installers * Parse device-ids as comma-separated string * Remove unused types * Add simple commands and nest under enqueue-command * Fix simple commands * Add help to enqueue-command * merge apple_mdm database * Fix commands * update nanomdm * Split nanomdm and nanodep schemas * Set 512 MB in memory for upload * Remove empty file * Amend profile * Add sample commands * Add delete installers and fix bug in DEP profile assigning * Add dogfood.md deployment guide * Update schema.sql * Dump schema with MySQL 5 * Set default value for authenticate_at * add tokens to enrollment profiles When a device downloads an MDM enrollment profile, verify the token passed as a query parameter. This ensures untrusted devices don't enroll with our MDM server. - Rename enrollments to enrollment profiles. Enrollments is used by nano to refer to devices that are enrolled with MDM - Rename endpoint /api/<version>/fleet/mdm/apple/enrollments to ../enrollmentprofiles - Generate a token for authentication when creating an enrollment profile - Return unauthorized if token is invalid when downloading an enrollment profile from /api/mdm/apple/enroll?token= * remove mdm apple server url * update docs * make dump-test-schema * Update nanomdm with missing prefix table * Add docs and simplify changes * Add changes file * Add method docs * Fix compile and revert prepare.go changes * Revert migration status check change * Amend comments * Add more docs * Clarify storage of installers * Remove TODO * Remove unused * update dogfood.md * remove cmdr.py * Add authorization tests * Add TODO comment * use kitlog for nano logging * Add yaml tags * Remove unused flag * Remove changes file * Only run DEP routine if MDM is enabled * Add docs to all new exported types * Add docs * more nano logging changes * Fix unintentional removal * more nano logging changes * Fix compile test * Use string for configs and fix config test * Add docs and amend changes * revert changes to basicAuthHandler * remove exported BasicAuthHandler * rename rego authz type * Add more information to dep list * add db tag * update deps * Fix schema * Remove unimplemented Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com> Co-authored-by: Michal Nicpon <michal@fleetdm.com>
2022-10-05 22:53:54 +00:00
package service
import (
"bytes"
"context"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"io"
"mime/multipart"
"net/http"
"net/url"
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/google/uuid"
"howett.net/plist"
)
func (c *Client) CreateEnrollmentProfile(enrollmentProfileType fleet.MDMAppleEnrollmentType, depProfile *json.RawMessage) (*fleet.MDMAppleEnrollmentProfile, error) {
request := createMDMAppleEnrollmentProfileRequest{
Type: enrollmentProfileType,
DEPProfile: depProfile,
}
var response createMDMAppleEnrollmentProfileResponse
if err := c.authenticatedRequest(request, "POST", "/api/latest/fleet/mdm/apple/enrollmentprofiles", &response); err != nil {
return nil, fmt.Errorf("request: %w", err)
}
return response.EnrollmentProfile, nil
}
func (c *Client) ListEnrollments() ([]*fleet.MDMAppleEnrollmentProfile, error) {
request := listMDMAppleEnrollmentProfilesRequest{}
var response listMDMAppleEnrollmentProfilesResponse
if err := c.authenticatedRequest(request, "GET", "/api/latest/fleet/mdm/apple/enrollmentprofiles", &response); err != nil {
return nil, fmt.Errorf("request: %w", err)
}
return response.EnrollmentProfiles, nil
}
func (c *Client) EnqueueCommand(deviceIDs []string, rawPlist []byte) (*fleet.CommandEnqueueResult, error) {
var commandPayload map[string]interface{}
if _, err := plist.Unmarshal(rawPlist, &commandPayload); err != nil {
return nil, fmt.Errorf("unmarshal command plist: %w", err)
}
// generate a random command UUID
commandPayload["CommandUUID"] = uuid.New().String()
b, err := plist.Marshal(commandPayload, plist.XMLFormat)
if err != nil {
return nil, fmt.Errorf("marshal command plist: %w", err)
}
request := enqueueMDMAppleCommandRequest{
Command: base64.RawStdEncoding.EncodeToString(b),
DeviceIDs: deviceIDs,
NoPush: false,
}
var response enqueueMDMAppleCommandResponse
if err := c.authenticatedRequest(request, "POST", "/api/latest/fleet/mdm/apple/enqueue", &response); err != nil {
return nil, fmt.Errorf("request: %w", err)
}
return &response.Result, nil
}
func (c *Client) MDMAppleGetCommandResults(commandUUID string) (map[string]*fleet.MDMAppleCommandResult, error) {
verb, path := http.MethodGet, "/api/latest/fleet/mdm/apple/commandresults"
query := url.Values{}
query.Set("command_uuid", commandUUID)
var responseBody getMDMAppleCommandResultsResponse
err := c.authenticatedRequestWithQuery(nil, verb, path, &responseBody, query.Encode())
if err != nil {
return nil, fmt.Errorf("send request: %w", err)
}
return responseBody.Results, nil
}
func (c *Client) UploadMDMAppleInstaller(ctx context.Context, name string, installer io.Reader) (uint, error) {
if c.token == "" {
return 0, errors.New("authentication token is empty")
}
body := &bytes.Buffer{}
writer := multipart.NewWriter(body)
fw, err := writer.CreateFormFile("installer", name)
if err != nil {
return 0, fmt.Errorf("create form file: %w", err)
}
_, err = io.Copy(fw, installer)
if err != nil {
return 0, fmt.Errorf("write form file: %w", err)
}
writer.Close()
var (
verb = "POST"
path = "/api/latest/fleet/mdm/apple/installers"
)
response, err := c.doContextWithBodyAndHeaders(ctx, verb, path, "",
body.Bytes(),
map[string]string{
"Content-Type": writer.FormDataContentType(),
"Accept": "application/json",
"Authorization": fmt.Sprintf("Bearer %s", c.token),
},
)
if err != nil {
return 0, fmt.Errorf("do multipart request: %w", err)
}
var installerResponse uploadAppleInstallerResponse
if err := c.parseResponse(verb, path, response, &installerResponse); err != nil {
return 0, fmt.Errorf("parse response: %w", err)
}
return installerResponse.ID, nil
}
func (c *Client) MDMAppleGetInstallerDetails(id uint) (*fleet.MDMAppleInstaller, error) {
verb, path := http.MethodGet, fmt.Sprintf("/api/latest/fleet/mdm/apple/installers/%d", id)
var responseBody getAppleInstallerDetailsResponse
err := c.authenticatedRequest(nil, verb, path, &responseBody)
if err != nil {
return nil, fmt.Errorf("send request: %w", err)
}
return responseBody.Installer, nil
}
func (c *Client) MDMAppleListDevices() ([]fleet.MDMAppleDevice, error) {
verb, path := http.MethodGet, "/api/latest/fleet/mdm/apple/devices"
var responseBody listMDMAppleDevicesResponse
err := c.authenticatedRequest(nil, verb, path, &responseBody)
if err != nil {
return nil, fmt.Errorf("send request: %w", err)
}
return responseBody.Devices, nil
}
func (c *Client) DEPListDevices() ([]fleet.MDMAppleDEPDevice, error) {
verb, path := http.MethodGet, "/api/latest/fleet/mdm/apple/dep/devices"
var responseBody listMDMAppleDEPDevicesResponse
err := c.authenticatedRequest(nil, verb, path, &responseBody)
if err != nil {
return nil, fmt.Errorf("send request: %w", err)
}
return responseBody.Devices, nil
}
func (c *Client) ListMDMAppleInstallers() ([]fleet.MDMAppleInstaller, error) {
request := listMDMAppleInstallersRequest{}
var response listMDMAppleInstallersResponse
if err := c.authenticatedRequest(request, "GET", "/api/latest/fleet/mdm/apple/installers", &response); err != nil {
return nil, fmt.Errorf("request: %w", err)
}
return response.Installers, nil
}
func (c *Client) MDMDeleteAppleInstaller(id uint) error {
verb, path := http.MethodDelete, fmt.Sprintf("/api/latest/fleet/mdm/apple/installers/%d", id)
var responseBody deleteAppleInstallerDetailsResponse
err := c.authenticatedRequest(nil, verb, path, &responseBody)
if err != nil {
return fmt.Errorf("send request: %w", err)
}
return nil
}
Reference in New Issue Copy Permalink