improve logging and error reporting in the puppet module (#12369)

For #12355
2024-11-06 08:55:24 +00:00 · 2023-06-16 12:40:50 -03:00 · 2023-06-16 12:40:50 -03:00 · 6d789d6e19
commit 6d789d6e19
parent eefd81233f
10 changed files with 202 additions and 26 deletions
--- a/ee/tools/puppet/fleetdm/README.md
+++ b/ee/tools/puppet/fleetdm/README.md
@ -54,7 +54,7 @@ define profiles using the custom resource type `fleetdm::profile`:
 ```pp
 node default {
  fleetdm::profile { 'com.apple.universalaccess':
-    template => 'xml template',
+    template => template('fleetdm/profile-template.mobileconfig.erb'),
    group    => 'workstations',
  }
 }
@ -66,7 +66,12 @@ If your DEP profile had `await_device_configured` set to `true`, you can use the

 ```
 $host_uuid = $facts['system_profiler']['hardware_uuid']
-fleetdm::release_device($host_uuid)
+$response = fleetdm::release_device($host_uuid)
+$err = $response['error']
+
+if $err != '' {
+  notify { "error releasing device: ${err}": }
+}
 ```

 ## Limitations
--- a/ee/tools/puppet/fleetdm/examples/multiple-teams.pp
+++ b/ee/tools/puppet/fleetdm/examples/multiple-teams.pp
@ -1,10 +1,11 @@
 node default {
-  fleetdm::profile { 'com.apple.universalaccess':
-    template => 'xml template',
-    group    => 'workstations',
+  fleetdm::profile { 'cis.macOSBenchmark.section2.BluetoothSharing':
+    template => template('fleetdm/automatic_updates.mobileconfig.erb'),
+    group    => 'base',
  }

-  fleetdm::profile { 'com.apple.homescreenlayout':
-    template => 'xml template',
+  fleetdm::profile { 'com.apple.SoftwareUpdate':
+    template => template('fleetdm/disable_bluetooth_file_sharing.mobileconfig.erb'),
+    group    => 'workstations',
  }
 }
--- a/ee/tools/puppet/fleetdm/lib/puppet/functions/fleetdm/preassign_profile.rb
+++ b/ee/tools/puppet/fleetdm/lib/puppet/functions/fleetdm/preassign_profile.rb
@ -4,15 +4,24 @@ require 'puppet/util/fleet_client'

 Puppet::Functions.create_function(:"fleetdm::preassign_profile") do
  dispatch :preassign_profile do
-    param 'String', :uuid
+    param 'String', :profile_identifier
+    param 'String', :host_uuid
    param 'String', :template
    optional_param 'String', :group
  end

-  def preassign_profile(uuid, template, group = 'default')
+  def preassign_profile(profile_identifier, host_uuid, template, group = 'default')
    host = call_function('lookup', 'fleetdm::host')
    token = call_function('lookup', 'fleetdm::token')
    client = Puppet::Util::FleetClient.new(host, token)
-    client.preassign_profile(uuid, template, group)
+    response = client.preassign_profile(host_uuid, template, group)
+
+    if response['error'].empty?
+      Puppet.info("successfully pre-assigned profile #{profile_identifier}")
+    else
+      Puppet.err("error pre-assigning profile #{profile_identifier}: #{response['error']} \n\n #{template}")
+    end
+
+    response
  end
 end
--- a/ee/tools/puppet/fleetdm/lib/puppet/functions/fleetdm/release_device.rb
+++ b/ee/tools/puppet/fleetdm/lib/puppet/functions/fleetdm/release_device.rb
@ -32,6 +32,14 @@ Puppet::Functions.create_function(:"fleetdm::release_device") do
    host = call_function('lookup', 'fleetdm::host')
    token = call_function('lookup', 'fleetdm::token')
    client = Puppet::Util::FleetClient.new(host, token)
-    client.send_mdm_command(uuid, command_xml)
+    response = client.send_mdm_command(uuid, command_xml)
+
+    if response['error'].empty?
+      Puppet.info('successfully released device')
+    else
+      Puppet.err("error releasing device: #{response['error']}")
+    end
+
+    response
  end
 end
--- a/ee/tools/puppet/fleetdm/lib/puppet/reports/fleetdm.rb
+++ b/ee/tools/puppet/fleetdm/lib/puppet/reports/fleetdm.rb
@ -8,7 +8,8 @@ Puppet::Reports.register_report(:fleetdm) do

  def process
    return if noop
-    node = Puppet::Node.new(Puppet[:node_name_value])
+    node_name = Puppet[:node_name_value]
+    node = Puppet::Node.new(node_name)
    compiler = Puppet::Parser::Compiler.new(node)
    scope = Puppet::Parser::Scope.new(compiler)
    lookup_invocation = Puppet::Pops::Lookup::Invocation.new(scope, {}, {}, nil)
@ -18,7 +19,10 @@ Puppet::Reports.register_report(:fleetdm) do
    client = Puppet::Util::FleetClient.new(host, token)
    response = client.match_profiles

-    return unless response[:status] >= 400 && response[:status] < 600
-    Puppet.err _('Unable to match profiles to Fleet [%{code}] %{message}') % { code: response[:status], message: response[:body] }
+    if response['error'].empty?
+      Puppet.info("successfully matched #{node_name} with a team containing configuration profiles")
+    else
+      Puppet.err("error matching node #{node_name} with a team containing configuration profiles: #{response['error']}")
+    end
  end
 end
--- a/ee/tools/puppet/fleetdm/lib/puppet/util/fleet_client.rb
+++ b/ee/tools/puppet/fleetdm/lib/puppet/util/fleet_client.rb
@ -59,7 +59,7 @@ module Puppet::Util
        #
        # I couldn't find a built-in Ruby function to do raw encoding, so we're
        # removing the padding manually instead.
-        'command' => Base64.strict_encode64(command_xml).gsub(/[\n=]/, ""),
+        'command' => Base64.strict_encode64(command_xml).gsub(%r{[\n=]}, ''),
        'device_ids' => [uuid],
      })
    end
@ -71,6 +71,7 @@ module Puppet::Util
    # @param headers [Hash] (optional) Additional headers to include in the request.
    # @return [Hash] The response status code, headers, and body.
    def post(path, body = nil, headers = {})
+      out = { 'error' => '' }
      uri = URI.parse("#{@host}#{path}")

      http = Net::HTTP.new(uri.host, uri.port)
@ -82,23 +83,45 @@ module Puppet::Util
      headers.each { |key, value| request[key] = value }
      request.body = body.to_json if body

-      response = http.request(request)
-      parse_response(response)
+      begin
+        response = http.request(request)
+        out = parse_response(response)
+      rescue => e
+        out['error'] = e
+      end
+
+      out
    end

    private

    def parse_response(response)
-      {
-        status: response.code.to_i,
-        headers: response.to_hash,
-        body: response.body ? JSON.parse(response.body) : nil,
+      out = {
+        'status' => response.code.to_i,
+        'error' => ''
      }
+
+      if (400...600).cover?(response.code.to_i)
+        message = 'server returned a non-ok status code without an error'
+
+        if response.body
+          body = JSON.parse(response.body)
+          message = body['message']
+
+          unless body['errors'].nil?
+            error_messages = body['errors'].map { |e| "#{e['name']} #{e['reason']}" }
+            message = [message, *error_messages].join(': ')
+          end
+        end
+
+        out['error'] = message
+      end
+
+      out
    rescue JSON::ParserError => e
      {
-        status: response.code.to_i,
-        headers: response.to_hash,
-        error: "Failed to parse response body: #{e.message}"
+        'status' => response.code.to_i,
+       'error' => "Failed to parse response body: #{e.message}"
      }
    end
  end
--- a/ee/tools/puppet/fleetdm/manifests/profile.pp
+++ b/ee/tools/puppet/fleetdm/manifests/profile.pp
@ -36,6 +36,15 @@ define fleetdm::profile (
    }

    $host_uuid = $facts['system_profiler']['hardware_uuid']
-    fleetdm::preassign_profile($host_uuid, $template, $group)
+    $response = fleetdm::preassign_profile($name, $host_uuid, $template, $group)
+    $err = $response['error']
+
+    if $err != '' {
+      notify { "error pre-assigning profile ${$name}: ${$err}":
+        loglevel => 'err',
+      }
+    } else {
+      notify { "successfully pre-assigned profile ${$name}": }
+    }
  }
 }
--- a/ee/tools/puppet/fleetdm/metadata.json
+++ b/ee/tools/puppet/fleetdm/metadata.json
@ -1,6 +1,6 @@
 {
  "name": "root-fleetdm",
-  "version": "0.1.0",
+  "version": "0.1.1",
  "author": "Fleet Device Management Inc",
  "summary": "",
  "license": "proprietary",
--- a/ee/tools/puppet/fleetdm/templates/automatic_updates.mobileconfig.erb
+++ b/ee/tools/puppet/fleetdm/templates/automatic_updates.mobileconfig.erb
@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>AllowPreReleaseInstallation</key>
+			<true/>
+			<key>AutomaticCheckEnabled</key>
+			<true/>
+			<key>AutomaticDownload</key>
+			<true/>
+			<key>AutomaticallyInstallAppUpdates</key>
+			<true/>
+			<key>AutomaticallyInstallMacOSUpdates</key>
+			<true/>
+			<key>ConfigDataInstall</key>
+			<true/>
+			<key>CriticalUpdateInstall</key>
+			<true/>
+			<key>PayloadDescription</key>
+			<string>Configures Software Update settings</string>
+			<key>PayloadDisplayName</key>
+			<string>Software Update</string>
+			<key>PayloadIdentifier</key>
+			<string>com.github.erikberglund.ProfileCreator.BEBA0740-4DDB-4AC4-85DC-BA48B96C0DC8.com.apple.SoftwareUpdate.A8B97032-7645-4068-B457-01DE5C6B33F7</string>
+			<key>PayloadOrganization</key>
+			<string></string>
+			<key>PayloadType</key>
+			<string>com.apple.SoftwareUpdate</string>
+			<key>PayloadUUID</key>
+			<string>A8B97032-7645-4068-B457-01DE5C6B33F7</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>Enables automatic updates</string>
+	<key>PayloadDisplayName</key>
+	<string>Turn on automatic updates</string>
+	<key>PayloadIdentifier</key>
+	<string>com.github.erikberglund.ProfileCreator.BEBA0740-4DDB-4AC4-85DC-BA48B96C0DC8</string>
+	<key>PayloadOrganization</key>
+	<string>FleetDM</string>
+	<key>PayloadRemovalDisallowed</key>
+	<true/>
+	<key>PayloadScope</key>
+	<string>System</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>BEBA0740-4DDB-4AC4-85DC-BA48B96C0DC8</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>
--- a/ee/tools/puppet/fleetdm/templates/disable_bluetooth_file_sharing.mobileconfig.erb
+++ b/ee/tools/puppet/fleetdm/templates/disable_bluetooth_file_sharing.mobileconfig.erb
@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+
+	<key>PayloadDescription</key>
+	<string>This profile configuration is designed to apply the CIS Benchmark for macOS 10.14 (v2.0.0), 10.15 (v2.0.0), 11.0 (v2.0.0), and 12.0 (v1.0.0)</string>
+	<key>PayloadDisplayName</key>
+	<string>Disable Bluetooth sharing</string>
+	<key>PayloadEnabled</key>
+	<true/>
+	<key>PayloadIdentifier</key>
+	<string>cis.macOSBenchmark.section2.BluetoothSharing</string>
+	<key>PayloadScope</key>
+	<string>System</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>5CEBD712-28EB-432B-84C7-AA28A5A383D8</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+    <key>PayloadRemovalDisallowed</key>
+    <true/>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadContent</key>
+			<dict>
+				<key>com.apple.Bluetooth</key>
+				<dict>
+					<key>Forced</key>
+					<array>
+						<dict>
+							<key>mcx_preference_settings</key>
+							<dict>
+								<key>PrefKeyServicesEnabled</key>
+								<false/>
+							</dict>
+						</dict>
+					</array>
+				</dict>
+			</dict>
+			<key>PayloadDescription</key>
+			<string>Disables Bluetooth Sharing</string>
+			<key>PayloadDisplayName</key>
+			<string>Custom</string>
+			<key>PayloadEnabled</key>
+			<true/>
+			<key>PayloadIdentifier</key>
+			<string>0240DD1C-70DC-4766-9018-04322BFEEAD1</string>
+			<key>PayloadType</key>
+			<string>com.apple.ManagedClient.preferences</string>
+			<key>PayloadUUID</key>
+			<string>0240DD1C-70DC-4766-9018-04322BFEEAD1</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+		</dict>
+	</array>
+</dict>
+</plist>