Commit Graph

28 Commits

Author SHA1 Message Date
StepSecurity Bot
2154c13865
Pin actions to commit SHA (#10204)
## Summary

This pull request is created by [Secure
Repo](https://app.stepsecurity.io/securerepo) at the request of @zwass.
Please merge the Pull Request to incorporate the requested changes.
Please tag @zwass on your message if you have any questions related to
the PR. You can also engage with the
[StepSecurity](https://github.com/step-security) team by tagging
@step-security-bot.

## Security Fixes

### Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security
risk. GitHub's Security Hardening guide recommends pinning actions to
full length commit.

- [GitHub Security
Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies)


## Feedback
For bug reports, feature requests, and general feedback; please create
an issue in
[step-security/secure-repo](https://github.com/step-security/secure-repo).
To create such PRs, please visit https://app.stepsecurity.io/securerepo.


Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2023-02-28 17:55:38 -08:00
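The commit above pins third-party actions because a tag such as `@v3` or an image tag such as `alpine:3.18` can be moved to different code after review, whereas a 40-hex commit SHA or a `@sha256:` image digest cannot. The script below is an added example, not Fleet's workflow and not StepSecurity's tool: it scans a workflow file for `uses:` references that are not pinned to an immutable identifier, treating `./local` actions as part of the checked-out repository. The sample workflow, including the 40-hex placeholder SHA, is constructed for the example.

```shell
#!/bin/sh
# Added example: audit a GitHub Actions workflow for `uses:` references that are
# not pinned to an immutable identifier (a full commit SHA for actions, a
# sha256 digest for docker:// images). Not Fleet's code.

# unpinned_uses FILE
#   Prints "LINE: REFERENCE" for each unpinned reference; prints nothing when
#   every reference is pinned.
unpinned_uses() {
  awk '
    /^[ \t]*(-[ \t]*)?uses:[ \t]*/ {
      ref = $0
      sub(/^[ \t]*(-[ \t]*)?uses:[ \t]*/, "", ref)   # drop the key
      sub(/[ \t]*#.*$/, "", ref)                     # drop a trailing comment
      gsub(/["'"'"']/, "", ref)                      # drop quotes ("'"'"'" is a shell-quoted single quote)
      if (ref ~ /^\.\//) next                        # local action: comes from the checked-out repo
      n = split(ref, parts, "@")
      tail = parts[n]                                # the part after the last "@"
      if (ref ~ /^docker:\/\//) {
        # image reference: must carry a sha256 digest ("sha256:" + 64 hex = 71 chars)
        if (!(tail ~ /^sha256:[0-9a-f]+$/ && length(tail) == 71)) print NR ": " ref
        next
      }
      # action reference: must be a full 40-hex commit SHA, not a tag or branch
      if (!(n > 1 && tail ~ /^[0-9a-f]+$/ && length(tail) == 40)) print NR ": " ref
    }' "$1"
}

# count_unpinned FILE
#   Number of unpinned references as a bare integer, usable as a CI gate.
count_unpinned() {
  unpinned_uses "$1" | awk 'END { print NR }'
}

# Constructed sample workflow (not taken from the repository). The 40-hex
# value is a placeholder, not a real actions/setup-node commit.
SAMPLE_WORKFLOW="${TMPDIR:-/tmp}/sample-workflow.$$.yml"
cat > "$SAMPLE_WORKFLOW" <<'EOF'
name: sample
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3                       # mutable tag
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA, pinned form
      - uses: ./.github/actions/local-step              # local action, fine
      - uses: docker://alpine:3.18                      # mutable image tag
      - uses: 'example/action@main'                     # branch reference
EOF

# Usage: list the offenders, then gate on the count (a CI job would exit 1 here).
unpinned_uses "$SAMPLE_WORKFLOW"
[ "$(count_unpinned "$SAMPLE_WORKFLOW")" -eq 0 ] || echo "unpinned action references found"
```

Pinning only removes the mutable pointer; it does not review the pinned code, so the usual practice is to keep the human-readable version in a trailing comment (as the sample does) and let a bot such as Dependabot or StepSecurity propose SHA updates.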
Eric
4fd1efe98a
Website: Add API to send signed CSR emails (#8408)
This pull request relies on the `mdm-gen-cert` command from
https://github.com/fleetdm/fleet/pull/8884.
Closes: https://github.com/fleetdm/fleet/issues/8223

Changes:
- Updated the deploy Fleet website workflow to:
   - Add Go as a dependency
   - Build the mdm-gen-cert binary in `/website/.tools/`
   - add the `/.tools/` folder to the Heroku app
- Added `deliver-apple-csr.js` -  an API that:
   - can be called by making a `POST` request to `/api/v1/deliver-apple-csr`
   - accepts `csr` as an input
   - runs the `mdm-gen-cert` command with the `csr` set as an environment variable
   - returns an `invalidEmailDomain` response if the user's email domain is in the array of banned email domains.
   - saves the user's organization and email address to the website's database
   - sends an email to the requesting user's email address with the signed CSR attached as a text file named `apple-apns-request.txt`
   - posts a message to a channel in the Fleet Slack.
- Added a new model: `CertificateSigningRequests` that contains two
required attributes: `emailAddress` and `organization`
- Added a new email template `email-signed-csr-for-apns`
- Updated routes, policies, eslintrc, and rebuilt cloud-sdk


Before this can be merged, we will need to:
- [x] Add new config variables in Heroku
   - [x] `sails.config.custom.mdmVendorCertPem` 
   - [x] `sails.config.custom.mdmVendorKeyPem`
   - [x] `sails.config.custom.mdmVendorKeyPassphrase`
   - [x] `sails.config.custom.slackWebhookUrlForMDMSignups`
- [x] Add the `CertificateSigningRequests` model to the website's
database
2023-01-19 14:43:14 -06:00
Eric
47d43d5307
Website: fix failing GitHub workflows (#9285)
Changes:
- Updated the `build-static-content` script to use a GitHub API token
for requests if one is provided e.g., `sails run build-static-content
--githubAccessToken="foo"`
- Updated the `build-for-prod` npm script to run the
`build-static-content` script with a variable named `BUILD_SCRIPT_ARGS`.
- Updated the "Deploy Fleet website" and "Test Fleet website" workflows
to run the `build-for-prod` script with a GitHub API token
. .

Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com>
2023-01-11 13:31:20 -06:00
Eric
a5ba469e41
update build-storybook step (#8503) 2022-10-31 14:02:29 -05:00
Eric
149a908b82
move build-storybook step (#8492) 2022-10-31 09:19:20 -05:00
Eric
c6698e242f
Website: Add storybook to Fleet website (#8203)
* Add build storybook to deploy website workflow

* add assets/storybook folder to .gitignore & .eslintIgnore

* Revert changes to website/.gitignore

* revert whitespace change

* Update deploy-fleet-website.yml
2022-10-28 19:48:14 -05:00
Michal Nicpon
56f3cb62ef
add concurrency to ci (#8271)
* add concurrency to ci

* add readme for workflows
2022-10-24 14:01:00 -06:00
Michal Nicpon
9056b22874
set default shell in workflows (#8108)
* wait for mysql in workflows
2022-10-07 09:43:56 -06:00
Guillaume Ross
e48fbad3ac
Adding the schema path to the fleet website deployment workflow (#8063) 2022-10-03 12:20:30 -04:00
dependabot[bot]
200ddfaaff
Bump actions/checkout from 2 to 3.0.2 (#7301)
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...2541b1294d2704b0964813337f33b291d3f8596b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-31 07:44:22 -03:00
Eric
47a80ad483
Update deploy fleet website to run when an article has been updated (#6545) 2022-07-21 19:01:43 -05:00
Mike McNeil
0b7e07a9fb
Website: Ignore top level gitignore when deploying (#5549)
* Website: Ignore top level gitignore when deploying

* Update deploy-fleet-website.yml
2022-05-03 21:05:19 -05:00
dependabot[bot]
1cf551be51
Bump akhileshns/heroku-deploy from 3.6.8 to 3.12.12 (#5217)
Bumps [akhileshns/heroku-deploy](https://github.com/akhileshns/heroku-deploy) from 3.6.8 to 3.12.12.
- [Release notes](https://github.com/akhileshns/heroku-deploy/releases)
- [Commits](cdd8fc68da...79ef2ae4ff)

---
updated-dependencies:
- dependency-name: akhileshns/heroku-deploy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-04-19 17:19:34 -07:00
Guillaume Ross
b94972351f
Adding permissions to some workflows (#4698)
* Adding permissions to docs.yml and integration.yml

* Update codeql-analysis.yml

Adding top level read permissions to codeql workflow

* Update codeql-analysis.yml

Adding manual dispatch to codeql - to be able to test it easier

* Update deploy-fleet-website.yml

Adding top level read permission + write in the job so it can push the website

* Update test-website.yml

test-website should only need read permissions on content.

* Update fleet-and-orbit.yml

Testing Fleet and Orbit should be fine with top level read access

* Update fleetctl-preview.yml

fleetctl-preview should be fine with just read access at top level

* Update push-osquery-perf-to-ecr.yml

ECR is out of github so read permissions should be enough

* Update semgrep-analysis.yml

semgrep should only need read

* Update test-packaging.yml

Should only need read permission - setting on top

* Update test.yml

Should not need any write access - setting to READ on top.

* Update deploy-fleet-website.yml

Removing git write permission - since this pushes to Heroku not GitHub

* Tweaked as per Zach's comments

Removed some useless restrictions (contents none on a public repo for example)

* Removed meaningless permissions

contents: none - this does not have any security advantage on a public repo
2022-03-25 14:19:42 -04:00
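The commit above moves the workflows to a top-level read-only `GITHUB_TOKEN` and grants write scopes only on the job that needs them. The script below is an added example, not Fleet's workflow: it reports what a workflow declares at the top level (once any `permissions:` block is present, every scope not listed is `none`; with no block at all the job token receives the repository's default scopes) and lists every `write` grant so a reviewer can see which job asked for it. The two sample workflows, a weak one and a hardened one, are constructed for the example.

```shell
#!/bin/sh
# Added example: inspect the GITHUB_TOKEN permissions a workflow declares.
# Not Fleet's code; the sample workflows below are constructed.

# top_level_permissions FILE
#   Prints the scopes under the workflow-level (column 0) `permissions:` key,
#   one per line as "scope: level"; prints "absent" when the key is missing,
#   which means the job token gets the repository default scopes.
top_level_permissions() {
  awk '
    /^permissions:[ \t]*$/ { in_block = 1; seen = 1; next }
    /^permissions:[ \t]*[^ \t]/ {                 # shorthand form, e.g. "permissions: read-all"
      seen = 1; v = $0
      sub(/^permissions:[ \t]*/, "", v); sub(/[ \t]*#.*$/, "", v)
      print "all: " v; next
    }
    in_block && /^[ \t]+[A-Za-z-]+:[ \t]*[a-z]+/ { # indented "scope: level" line inside the block
      v = $0; sub(/^[ \t]+/, "", v); sub(/[ \t]*#.*$/, "", v)
      print v; next
    }
    in_block && /^[^ \t#]/ { in_block = 0 }       # the next column-0 key closes the block
    END { if (!seen) print "absent" }
  ' "$1"
}

# write_scopes FILE
#   Prints "LINE: scope: write" for every write grant anywhere in the file,
#   whether at the workflow level or on a single job.
write_scopes() {
  awk '/^[ \t]*[A-Za-z-]+:[ \t]*write[ \t]*(#.*)?$/ {
    v = $0; sub(/^[ \t]+/, "", v); sub(/[ \t]*#.*$/, "", v)
    print NR ": " v
  }' "$1"
}

TMP="${TMPDIR:-/tmp}"
WEAK_WORKFLOW="$TMP/weak.$$.yml"
HARDENED_WORKFLOW="$TMP/hardened.$$.yml"

# Weak: no permissions key, so every job, including the test job, runs with
# whatever default scopes the repository hands out.
cat > "$WEAK_WORKFLOW" <<'EOF'
name: deploy-site
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: npm test
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh
EOF

# Hardened: read-only baseline at the top; only the job that writes to GitHub
# gets contents: write. A job that pushes to an external host (Heroku) needs
# no GitHub write scope at all, which is why the commit above removed it.
cat > "$HARDENED_WORKFLOW" <<'EOF'
name: deploy-site
on: push
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: npm test
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # only this job creates a GitHub release
    steps:
      - run: ./release.sh
EOF

# Usage: compare the two declarations and list every write grant.
top_level_permissions "$WEAK_WORKFLOW"        # absent
top_level_permissions "$HARDENED_WORKFLOW"    # contents: read
write_scopes "$HARDENED_WORKFLOW"             # 13: contents: write
```

Treat an `absent` result on a public repository the same way the commit treats it: add `permissions: contents: read` at the top and push each write scope down to the single job that can justify it.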
Guillaume Ross
62d3b9145f
4620 pin action dependencies (#4622)
* Update build-binaries.yaml

Pin action versions + add read only token to build-binaries.yaml

* Update codeql-analysis.yml

Pin dependencies with hash for codeql-analysis.yml

* Update deploy-fleet-website.yml

Pin dependencies in deploy-fleet-website.yml

* Update docs.yml

Pin dependencies for docs.yml

* Update fleet-and-orbit.yml

Pinning dependencies for fleet-and-orbit.yml

* Update generate-osqueryd-app-tar-gz.yml

Pin dependencies for generate-osqueryd-app-tar-gz.yml

* Pin dependencies in goreleaser workflows

Pinned dependencies in the 3 goreleaser workflows

* Update integration.yml

Pinned dependencies with hash

* Update pr-helm.yaml

Pinned dependencies with hash

* Update push-osquery-perf-to-ecr.yml

Pinned dependencies with a hash

* Update release-helm.yaml

Pinned one dependency with a hash

* Update semgrep-analysis.yml

Pinned dependencies with hashes

* Update test-go.yaml

Pinned dependencies with hash

* Update test-packaging.yml

Pinned dependencies with hashes

* Update test-website.yml

Pinned dependencies with hashes

* Update test.yml

Pinned dependencies with hashes
2022-03-16 15:42:28 -04:00
Zach Wasserman
b56c620007
Pin actions to commit (#3566) 2022-01-04 09:30:02 -08:00
Zach Wasserman
850d36543d
Filter GitHub actions triggers on file types (#3009)
Reduce the total amount of Actions running by only running actions
relevant to the changes.
2021-11-18 15:14:29 -08:00
Mike McNeil
5659ba92e4
Deploy compiled HTML to the remote even though it's in the gitignore. (#1709) 2021-08-17 20:08:25 -05:00
Mike McNeil
2da1da186d
Fix website deploy script to accommodate master=>main 2021-06-10 14:22:31 -05:00
Mike McNeil
5e991899b6
Update deploy-fleet-website.yml (#867) 2021-05-26 03:46:21 -05:00
Mike McNeil
d50b48e7c2
Absorb yaml queries into website, + stub /queries + /documentation (#812)
* Upgrade to get rid of REPL schmutz

* rename workflow to lessen ambiguity vs. markdown compilation of docs

* ensure lockfile makes it to fleetdm.com prod

* skip force git add of package-lock to avoid confusion for now. (reverts 4e7e23990c472e84f3f24391ef360a175f725609)

* rename build script (because now it won't always be markdown source files)

* update metadata to match prev commit

* change key name in generated sailsrc for consistency

* stub query library page

* used named params so others can tell what's up with the forcing

* expand comments

* expand comments

* intermediate commit- playing with inlining the guts from doctemplater

* stub basic docpage shell and a little page to preview that on

* Compile YAML and set up query library page

* clean sailsrc

* optimize build by running everything in parallel

* Add note about the fact that we don't even need to clone anything since we've consolidated it all into one repo now.  facepalm

* un-parallelize one bit that fails in CI if it's parallelized (it'll go away soon anyway)
2021-05-20 03:22:42 -05:00
Mike McNeil
56e143a14f
Compile markdown docs (#714)
* Brought in the mostly-unchanged stuff from Sails website- changed just enough to get it working

* inline beforeConvert and afterConvert, for readability

because it's better when you tell a story with the parts of the story in order

* trivial (change arg name for clarity)

* trivial (apply more up-to-date err callback convention)

* modernize some of the bits relying on reassigning arguments

* convert the rest of the way to async/await

* trivial

* just aesthetics

* remove reliance on app-level config

* mostly i'm doing this to remember how it works

* normalize better so this can be more flexible

* this makes it work (albeit needs a bit more fluffing)

* strip out more sails-specific stuff

* clean up menu files between runs, scrape off a bit more technical debt

* scrape out some more dead code

* use devDependencies for markdown compilation stuff since it won't be compiling at runtime

* stub script for compiling markdown content

* Fill in implementation of script, rename helper.

* add note about the non-markdown file problem

* tweak output paths for clarity

* Improve generated menu content and set up groundwork for being able to easily access it via config

* Use .sailsrc to hold onto menu content, so it's injected into config for easier access (rather than reading JSON files whenever needed)

* more explicit tmp filename, in case we forget how this works later

* fix typo in build script (missing .js extension)

* Stub query detail page and a dev route for developing it

http://localhost:2024/sandbox/example-query

* fix helper friendlyName

* Run compilation in series to avoid race condition in doc-templater when cloning from the same repo.  Add todos about sitemap and further menu data cleanup.

* make sandbox actually useful

* Help prevent accidental checking in of compiled HTML files.

* rename script and generated folder in partials/

* fix/expand script metadata
2021-05-09 23:48:59 -05:00
Mike McNeil
3d27cb0899
Update deploy-fleet-website.yml (#100)
* Update deploy-fleet-website.yml

w/ @noahtalerman

* Update deploy-fleet-website.yml
2020-12-04 15:49:22 -06:00
noahtalerman
71dfa18727
Fix for deploy-fleet-website GitHub action. (#99)
Fourth attempt to limit the "Deploy Fleet Website" workflow to only the fleetdm/fleet repository.
Add the $ character to the $GITHUB_REPOSITORY env variable.
2020-12-04 16:19:04 -05:00
noahtalerman
0d9cab345b
Limit the "Deploy Fleet Website" workflow to only the fleetdm/fleet repo. (#98)
This is my third attempt. The second didn't work because I incorrectly formatted the workflow file.
2020-12-04 15:20:57 -05:00
noahtalerman
03c64da3a6
Add if condition to website deploy workflow and remove indent of subsequent lines. (#97)
Second attempt to limit the "Deploy Fleet Website" workflow to only the fleetdm/fleet repo.
2020-12-04 12:52:47 -05:00
noahtalerman
149b4eda42
Add if statement to website build workflow. (#95)
Should skip over website build workflow if the changes being pushed aren't to the master branch in the fleetdm/fleet repo.
2020-12-03 17:20:23 -05:00
Mike McNeil
27eae209fd
Move fleetdm.com into main Fleet repo (#83)
* rename dir

* no need to install website or docs from npm

At some point, would also be nice to be able to exclude assets/ as well, and to only install a pre-built version of Fleet's frontend code

* Bring in fleetdm.com website

From https://github.com/fleetdm/fleetdm.com as of https://github.com/fleetdm/fleetdm.com/releases/tag/v0.0.21

* add procfile for heroku

Using https://github.com/timanovsky/subdir-heroku-buildpack

* avoid getting anybody's hopes up

* Create deploy-fleet-website.yml (#82)

* Create deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* update pjs with SPDX-like license expressions.  also fix repo URL

and remove package lock

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* remove dummy uri

* Dissect deploy script

* Update deploy-fleet-website.yml

* workaround for eslintrc nesting issue

* lint fixes

* forgot the .js

* add per-commit git config

* Update deploy-fleet-website.yml

* might as well remove that

* cleanup

* connect w/ heroku app and have it actually push

* fix bug I introduced in 578a1a01ffb8404aae869e05005e30a6ba2b2a95

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* the beauty, the glory, of javascript

* GH actions don't like "\n"

* Update deploy-fleet-website.yml

* restore \n chars from 0d45e568f693efba7d7072085bc98d72a482d9ae

hoping I was wrong in 0d45e568f693efba7d7072085bc98d72a482d9ae but see also https://github.community/t/what-is-the-correct-character-escaping-for-workflow-command-values-e-g-echo-xxxx/118465/5

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* Update deploy-fleet-website.yml

* rename script to prevent duplicate building

* Configure the real website

* clean up

* a test of the deploy workflow

* add handbook to npmignore

* I guess you could call this fixing a typo

* point workflow at master branch

* now clearly bogus: this completely unused version string
2020-12-02 14:48:03 -06:00