Commit Graph

53 Commits

Author SHA1 Message Date
Roberto Dip
a23d208b1d
gate DEP enrollment behind SSO when configured (#11309)
#10739

Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-04-27 09:43:20 -03:00
gillespi314
003e208e4d
Update CLI flow to manage adding and deleting MDM bootstrap packages by applying config and team specs (#11349) 2023-04-26 16:09:21 -05:00
Martin Angers
582e85c876
Add support for the mdm.macos_setup.macos_setup_assistant key in fleetctl, API (#11296) 2023-04-25 09:36:01 -04:00
gillespi314
a37d138f4b
Migrate MDM status values in datastore and API layers (#11278) 2023-04-24 16:27:15 -05:00
Roberto Dip
5c487890ca
add an endpoint to get an aggregate summary of bootstrap packages (#11156)
Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2023-04-22 10:23:38 -05:00
Lucas Manuel Rodriguez
ed4f6e4178
Remove old mdm_command action (do we really need it?) (#11222)
A question in form of PR:

Do we really need the following two entities in our
[policy.rego](https://github.com/fleetdm/fleet/blob/main/server/authz/policy.rego)
`1. (object=mdm_apple_command, action=read/write)` and `2. (object=host,
action=mdm_command)`? (Maybe mdm_command is a leftover action from the
PoC?)

Guess: `mdm_apple_command` (`fleet.MDMAppleCommandAuthz`) is what we
want: `action=write` means you can enqueue, `action=read` means you can
list commands and read their results.

PS: Found this while trying to add command execution permissions to the
new `GitOps` role.
2023-04-18 07:53:33 -03:00
Martin Angers
c1d3f67e6f
Add fleetctl get mdm-commands command and supporting API endpoint (#11163) 2023-04-17 11:45:16 -04:00
Lucas Manuel Rodriguez
5aa5f8aae3
Add MDM configuration permissions to GitOps (#11207)
#8593 

Adding new MDM functionality to GitOps.

- ~[ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.~
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- [X] Documented any permissions changes
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [x] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-17 12:08:55 -03:00
Roberto Dip
a59b8a5096
various profile fixes (#11084)
### Related tickets

https://github.com/fleetdm/fleet/issues/10775
https://github.com/fleetdm/fleet/issues/10678
https://github.com/fleetdm/fleet/issues/11024
https://github.com/fleetdm/fleet/issues/11026

### What's happening

- Implemented the hashing mechanism defined by @mna in #10678, however
this mechanism is mainly relevant for batch profile updates via the CLI,
we can't leverage it when a host switches teams.
- Modified `BulkSetPendingMDMAppleHostProfiles` so when two profiles
with the same identifier are sheduled both for removal and update, the
function will now mark only the `install` as `pending` so it's picked by
the cron, and will `DELETE` the `remove` entry from the database so it's
not picked by the cron and never sent to the user.
- `GetHostMDMProfiles` and consequently the profiles returned in `GET
/api/_version_/fleet/hosts` return `host_mdm_apple_profiles.state =
NULL` as "Enforcing (pending", the distinction between `status =
'pending'` and `status IS NULL` is only useful for the cron, for users
both mean the same thing, and all our profile aggregations already
behave this way.
- Using the solution implemented by @gillespi314 in
https://github.com/fleetdm/fleet/pull/10998 we're now deleting the host
row from `host_disk_encryption_keys` if a host is moved from a team that
enforces disk encryption to a team that doesn't.


# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2023-04-08 23:23:36 -03:00
Roberto Dip
34833d64a5
improve table cleanup on unenrollment (#11075)
https://github.com/fleetdm/fleet/issues/10948
2023-04-07 22:02:17 -03:00
Roberto Dip
77e5c004f4
implement bootstrap packages during DEP enrollment (#11052)
#10213
2023-04-07 17:31:02 -03:00
Roberto Dip
40c5bb1c25
install fleetd on DEP enrolled hosts during enrollment (#10971)
https://github.com/fleetdm/fleet/issues/9459
2023-04-05 20:52:26 -03:00
Martin Angers
741a7aa5d0
Finalize MDM commands part 3: add the fleetctl get mdm-command-results command (#10964) 2023-04-05 10:50:36 -04:00
Roberto Dip
337d61c823
automatically install a fleetd configuration profile to relevant teams (#10910)
Related to #9459, this adds logic to the cron to add a
`com.fleetdm.fleetd.config` configuration profile to the
`apple_mdm_configuration_profiles` table.

As noted in the comments, this makes some assumptions:

- This profile will be applied to all hosts in the team (or "no team",)
but it will only be used by hosts that have a fleetd installation
without
  an enroll secret and fleet URL (mainly DEP enrolled hosts).
- Once the profile is applied to a team (or "no team",) it's not removed
if
  AppConfig.MDM.AppleBMDefaultTeam changes, this is to preserve existing
agents using the configuration (mainly ServerURL as EnrollSecret is used
  only during enrollment)
2023-04-04 17:09:20 -03:00
Martin Angers
e0e547f1a2
Finalize MDM commands part 2: implement fleetctl mdm run-command (#10866) 2023-04-03 14:25:49 -04:00
Lucas Manuel Rodriguez
40265d0e6f
Fix SMTP e-mail send when SMTP server has credentials (#10758)
#9609

This PR also fixes #10777.

The issue is: We were using `svc.AppConfig` instead of
`svc.ds.AppConfig` to retrieve the SMTP credentials.
`svc.AppConfig` obfuscates credentials, whereas `svc.ds.AppConfig` does
not.
To help prevent this from happening again I've renamed `svc.AppConfig`
to `svc.AppConfigObfuscated`.
I've also added a new test SMTP server
(https://github.com/axllent/mailpit) that supports Basic Authentication
and tests that make use of it to catch these kind of bugs (the tests are
executed when running `go test` with `MAIL_TEST=1`).

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-28 15:23:15 -03:00
Gabriel Hernandez
005956f9bc
Feat/implement api for disk encryption status aggregate (#10422)
relates to #9434

implements the `GET /fleet/mdm/apple/filevault/summary` aggregate
endpoint.

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests

---------

Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2023-03-28 15:50:14 +01:00
Roberto Dip
98845f03a6
remove feature flags to enable MDM (#10746)
https://github.com/fleetdm/fleet/issues/10025
2023-03-27 16:30:29 -03:00
Martin Angers
b6e10eb6da
Update host MDM profile status to pending in response to triggering events (#10443) 2023-03-27 14:43:01 -04:00
Martin Angers
2fb5aa629d
Normalize the naming of mdm settings, update docs and document missing ones (#10681)
#10408
2023-03-23 07:30:28 -03:00
Roberto Dip
c1aa0f04b6
fix DEP enrollment by setting configuration_web_url if empty (#10662)
https://github.com/fleetdm/fleet/issues/10661

- [x] Manual QA for all new/changed functionality
2023-03-22 10:00:41 -03:00
Roberto Dip
09b6b8610f
delete all host MDM profiles when is unenrolled programatically through the API (#10603)
https://github.com/fleetdm/fleet/issues/10507
2023-03-20 19:37:15 -03:00
Roberto Dip
f04ff27180
Prevent user action in profiles managed by Fleet (#10559)
related to https://github.com/fleetdm/fleet/issues/10547,
https://github.com/fleetdm/fleet/issues/10549,
https://github.com/fleetdm/fleet/issues/10550 and
https://github.com/fleetdm/fleet/issues/10552 this prevents user
interaction with fleet-managed profiles, including:

- batch actions
- individual POST/UPDATE/DELETE actions
- listing

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
2023-03-17 18:52:30 -03:00
gillespi314
560af163a1
Include MDM profile name and identifier in activity details (#10575) 2023-03-17 16:16:18 -05:00
gillespi314
c838395c44
Add profile name to host mdm apple profiles (#10455) 2023-03-14 11:21:52 -05:00
Lucas Manuel Rodriguez
3757aace08
Add UUID to Fleet errors and clean up error msgs (#10411)
#8129 

Apart from fixing the issue in #8129, this change also introduces UUIDs
to Fleet errors. To be able to match a returned error from the API to a
error in the Fleet logs. See
https://fleetdm.slack.com/archives/C019WG4GH0A/p1677780622769939 for
more context.

Samples with the changes in this PR:
```
curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d ''
{
  "message": "Bad request",
  "errors": [
    {
      "name": "base",
      "reason": "Expected JSON Body"
    }
  ],
  "uuid": "a01f6e10-354c-4ff0-b96e-1f64adb500b0"
}
```
```
curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d 'asd'
{
  "message": "Bad request",
  "errors": [
    {
      "name": "base",
      "reason": "json decoder error"
    }
  ],
  "uuid": "5f716a64-7550-464b-a1dd-e6a505a9f89d"
}
```
```
curl -k -X GET -H "Authorization: Bearer badtoken" "https://localhost:8080/api/latest/fleet/teams"
{
  "message": "Authentication required",
  "errors": [
    {
      "name": "base",
      "reason": "Authentication required"
    }
  ],
  "uuid": "efe45bc0-f956-4bf9-ba4f-aa9020a9aaaf"
}
```
```
curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}'
{
  "message": "Authorization header required",
  "errors": [
    {
      "name": "base",
      "reason": "Authorization header required"
    }
  ],
  "uuid": "57f78cd0-4559-464f-9df7-36c9ef7c89b3"
}
```
```
curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}'
{
  "message": "Permission Denied",
  "uuid": "7f0220ad-6de7-4faf-8b6c-8d7ff9d2ca06"
}
```

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-13 13:44:06 -03:00
Roberto Dip
a1ca172c95
allow to set up a DEP flow gated by Okta auth (#10338)
#10271
2023-03-13 10:33:32 -03:00
Martin Angers
0d6b9b98d4
Add mdm.macos_settings disk encryption fields to the response of GET /hosts/{id} and device. (#10371) 2023-03-08 15:42:23 -05:00
Martin Angers
765c8754b6
Add enabled/disabled disk encryption activities and trigger profiles generation (#10319) 2023-03-08 08:31:53 -05:00
Martin Angers
50a2739609
Allow updating enable_disk_encryption via the Modify Team endpoint (#10208) 2023-03-06 09:54:51 -05:00
gillespi314
deb5bea3ff
Escape SCEP challenge for MDM enrollment profile XML (#10261) 2023-03-03 12:59:21 -06:00
gillespi314
615052a9ac
Create new API endpoint to provide aggregate status count of MDM profiles applying to hosts (#10194) 2023-03-01 18:36:59 -06:00
Roberto Dip
164bb4bf5c
add logic to configure FileVault + escrow (#10160)
Related to #9495, this adds the underlying methods to send a
configuration profile that enables FileVault and FileVault Escrow, so we
can fetch and decrypt the encryption key later on.

These methods still need to be called somewhere, and they might need to
be moved outside of `Service`, but at least this gives us a start.
2023-03-01 10:43:15 -03:00
gillespi314
838645a905
Screen for unsupported MDM config profile payload types in CLI (#10098) 2023-02-24 14:12:53 -06:00
gillespi314
e31fc889f1
Add MDM profiles to host detail in API responses (#10034)
Issue #9599 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-02-22 16:26:06 -06:00
Roberto Dip
8284274c3b
incomplete implementation of device wipe and lock (#9947) 2023-02-22 17:11:44 -03:00
Roberto Dip
262e9870e3
add a cron job to reconcile profiles (#9946)
https://github.com/fleetdm/fleet/issues/9590
2023-02-22 14:49:06 -03:00
Roberto Dip
5a09ac0bfc
refactor how we send Fleet initiated MDM commands (#9903)
https://github.com/fleetdm/fleet/issues/9590

- move the logic to send commands into its own service method that can
be used internally by cron jobs and other services.
- deprecate the use of `rawEnqueueCommand` as it's copyied from the
nanomdm codebase where it's used in other context as a general command
API handler
2023-02-17 16:26:51 -03:00
gillespi314
086964726d
Add API endpoints for MDM config profiles (#9817)
Issue #9586

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2023-02-17 09:28:28 -06:00
Martin Angers
4a1f3988f0
Add "edited macos profiles" activity when applying custom settings via fleetctl (#9862)
#9587 and #9639
2023-02-16 13:53:26 -03:00
Martin Angers
33f33163a9
Add macos custom profiles support via fleetctl apply (#9824) 2023-02-15 13:01:44 -05:00
Roberto Dip
119ada71da
fix XML formatting of RemoveProfile command (#9805)
potential fix for https://github.com/fleetdm/fleet/issues/9802, I still
can't reproduce locally but it might be that ngrok is doing some magic
encoding/decoding the bytes transferred.
2023-02-13 17:20:43 -03:00
Roberto Dip
4c4c114e96
add mocks + tests and move things around (#9574)
#8948

- Add more go:generate commands for MDM mocks
- Add unit and integration tests for MDM code
- Move interfaces from their PoC location to match existing patterns
2023-01-31 11:46:01 -03:00
gillespi314
1b4e8e692a
Add API endpoint to unenroll a host from Fleet's MDM (#9447) 2023-01-23 17:05:24 -06:00
Roberto Dip
2447a371b0
use nanomdm's multi service + integration tests and fixes (#9269)
**Use nano's multi service**

This allows us to integrate more seamlessly with nano and to run our
custom MDM logic _after_ the request was handled by nano, which gives us
more flexibility (for example: now we can issue commands after a
TokenUpdate message)

From nano's code:

> MultiService executes multiple services for the same service calls.
> The first service returns values or errors to the caller. We give the
> first service a chance to alter any 'core' request data (say, the
> Enrollment ID) by waiting for it to finish then we run the remaining
> services' calls in parallel.

**Integration tests + fixes**

- Move some of the service logic from `cmd/` to `server/service`
- Add integration tests for the MDM enrollment flow, including SCEP
authentication.
- Fixed a bug that set `host_mdm.mdm_id = 0`  during MDM enrollment due
  to how MySQL reports the last insert id when `ON DUPLICATE KEY` is
  used.
- Completely remove the host row from `host_mdm` when a device is
  unenrolled from MDM to match the behavior of how we ingest MDM data
  from osquery

Related to https://github.com/fleetdm/fleet/issues/8708,
https://github.com/fleetdm/fleet/issues/9034
2023-01-16 17:06:30 -03:00
Martin Angers
656e5bfc70
Flag when the Apple BM terms have expired (#9091)
#8862 

Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-01-06 17:44:20 -03:00
Lucas Manuel Rodriguez
ba6b6e12cc
Fix ingestion of MDM server for macOS and Windows hosts (#9133)
* Fix ingestion of MDM server for macOS and Windows hosts

* Return early if there are no mobile_device_management_solutions to clean up

* Run make dump-test-schema

* Fix TestHosts/DeleteHosts test

* Add test for host unenrolling from MDM

* Fix lint

* Fix typo

* Identify Fleet MDM

* Move logic to deduce MDM name out of Datastore

* Run make dump-test-schema

* Remove printfs from migration
2023-01-04 10:29:48 -03:00
Lucas Manuel Rodriguez
19ad7cc637
Set interface for response types (#9121)
* Set interface for response types

* Fix TestEndpointer test
2022-12-27 11:26:59 -03:00
Roberto Dip
e191f47aed
fix failed enrollments due to duplicate slashes on paths (#9089)
This ensures URLs in enrollment profiles are properly formatted,
preventing errors as described in #9088.
2022-12-23 14:55:17 -03:00
Michal Nicpon
37f454c0be
Add dep key pair endpoint (#9007) 2022-12-16 19:39:36 +01:00