mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 00:45:19 +00:00
3757aace08
#8129 Apart from fixing the issue in #8129, this change also introduces UUIDs to Fleet errors. To be able to match a returned error from the API to a error in the Fleet logs. See https://fleetdm.slack.com/archives/C019WG4GH0A/p1677780622769939 for more context. Samples with the changes in this PR: ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d '' { "message": "Bad request", "errors": [ { "name": "base", "reason": "Expected JSON Body" } ], "uuid": "a01f6e10-354c-4ff0-b96e-1f64adb500b0" } ``` ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d 'asd' { "message": "Bad request", "errors": [ { "name": "base", "reason": "json decoder error" } ], "uuid": "5f716a64-7550-464b-a1dd-e6a505a9f89d" } ``` ``` curl -k -X GET -H "Authorization: Bearer badtoken" "https://localhost:8080/api/latest/fleet/teams" { "message": "Authentication required", "errors": [ { "name": "base", "reason": "Authentication required" } ], "uuid": "efe45bc0-f956-4bf9-ba4f-aa9020a9aaaf" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Authorization header required", "errors": [ { "name": "base", "reason": "Authorization header required" } ], "uuid": "57f78cd0-4559-464f-9df7-36c9ef7c89b3" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Permission Denied", "uuid": "7f0220ad-6de7-4faf-8b6c-8d7ff9d2ca06" } ``` - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
330 lines
9.6 KiB
Go
330 lines
9.6 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
|
|
hostctx "github.com/fleetdm/fleet/v4/server/contexts/host"
|
|
"github.com/fleetdm/fleet/v4/server/contexts/logging"
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
"github.com/fleetdm/fleet/v4/server/ptr"
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
// List Carves
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
|
|
type listCarvesRequest struct {
|
|
ListOptions fleet.CarveListOptions `url:"carve_options"`
|
|
}
|
|
|
|
type listCarvesResponse struct {
|
|
Carves []fleet.CarveMetadata `json:"carves"`
|
|
Err error `json:"error,omitempty"`
|
|
}
|
|
|
|
func (r listCarvesResponse) error() error { return r.Err }
|
|
|
|
func listCarvesEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
|
|
req := request.(*listCarvesRequest)
|
|
carves, err := svc.ListCarves(ctx, req.ListOptions)
|
|
if err != nil {
|
|
return listCarvesResponse{Err: err}, nil
|
|
}
|
|
|
|
resp := listCarvesResponse{}
|
|
for _, carve := range carves {
|
|
resp.Carves = append(resp.Carves, *carve)
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
func (svc *Service) ListCarves(ctx context.Context, opt fleet.CarveListOptions) ([]*fleet.CarveMetadata, error) {
|
|
if err := svc.authz.Authorize(ctx, &fleet.CarveMetadata{}, fleet.ActionRead); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return svc.carveStore.ListCarves(ctx, opt)
|
|
}
|
|
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
// Get Carve
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
|
|
type getCarveRequest struct {
|
|
ID int64 `url:"id"`
|
|
}
|
|
|
|
type getCarveResponse struct {
|
|
Carve fleet.CarveMetadata `json:"carve"`
|
|
Err error `json:"error,omitempty"`
|
|
}
|
|
|
|
func (r getCarveResponse) error() error { return r.Err }
|
|
|
|
func getCarveEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
|
|
req := request.(*getCarveRequest)
|
|
carve, err := svc.GetCarve(ctx, req.ID)
|
|
if err != nil {
|
|
return getCarveResponse{Err: err}, nil
|
|
}
|
|
|
|
return getCarveResponse{Carve: *carve}, nil
|
|
}
|
|
|
|
func (svc *Service) GetCarve(ctx context.Context, id int64) (*fleet.CarveMetadata, error) {
|
|
if err := svc.authz.Authorize(ctx, &fleet.CarveMetadata{}, fleet.ActionRead); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return svc.carveStore.Carve(ctx, id)
|
|
}
|
|
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
// Get Carve Block
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
|
|
type getCarveBlockRequest struct {
|
|
ID int64 `url:"id"`
|
|
BlockId int64 `url:"block_id"`
|
|
}
|
|
|
|
type getCarveBlockResponse struct {
|
|
Data []byte `json:"data"`
|
|
Err error `json:"error,omitempty"`
|
|
}
|
|
|
|
func (r getCarveBlockResponse) error() error { return r.Err }
|
|
|
|
func getCarveBlockEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
|
|
req := request.(*getCarveBlockRequest)
|
|
data, err := svc.GetBlock(ctx, req.ID, req.BlockId)
|
|
if err != nil {
|
|
return getCarveBlockResponse{Err: err}, nil
|
|
}
|
|
|
|
return getCarveBlockResponse{Data: data}, nil
|
|
}
|
|
|
|
func (svc *Service) GetBlock(ctx context.Context, carveId, blockId int64) ([]byte, error) {
|
|
if err := svc.authz.Authorize(ctx, &fleet.CarveMetadata{}, fleet.ActionRead); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
metadata, err := svc.carveStore.Carve(ctx, carveId)
|
|
if err != nil {
|
|
return nil, ctxerr.Wrap(ctx, err, "get carve by name")
|
|
}
|
|
|
|
if metadata.Expired {
|
|
return nil, errors.New("cannot get block for expired carve")
|
|
}
|
|
|
|
if blockId > metadata.MaxBlock {
|
|
return nil, fmt.Errorf("block %d not yet available", blockId)
|
|
}
|
|
|
|
data, err := svc.carveStore.GetBlock(ctx, metadata, blockId)
|
|
if err != nil {
|
|
return nil, ctxerr.Wrapf(ctx, err, "get block %d", blockId)
|
|
}
|
|
|
|
return data, nil
|
|
}
|
|
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
// Begin File Carve
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
|
|
type carveBeginRequest struct {
|
|
NodeKey string `json:"node_key"`
|
|
BlockCount int64 `json:"block_count"`
|
|
BlockSize int64 `json:"block_size"`
|
|
CarveSize int64 `json:"carve_size"`
|
|
CarveId string `json:"carve_id"`
|
|
RequestId string `json:"request_id"`
|
|
}
|
|
|
|
func (r *carveBeginRequest) hostNodeKey() string {
|
|
return r.NodeKey
|
|
}
|
|
|
|
type carveBeginResponse struct {
|
|
SessionId string `json:"session_id"`
|
|
Success bool `json:"success,omitempty"`
|
|
Err error `json:"error,omitempty"`
|
|
}
|
|
|
|
func (r carveBeginResponse) error() error { return r.Err }
|
|
|
|
func carveBeginEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
|
|
req := request.(*carveBeginRequest)
|
|
|
|
payload := fleet.CarveBeginPayload{
|
|
BlockCount: req.BlockCount,
|
|
BlockSize: req.BlockSize,
|
|
CarveSize: req.CarveSize,
|
|
CarveId: req.CarveId,
|
|
RequestId: req.RequestId,
|
|
}
|
|
|
|
carve, err := svc.CarveBegin(ctx, payload)
|
|
if err != nil {
|
|
return carveBeginResponse{Err: err}, nil
|
|
}
|
|
|
|
return carveBeginResponse{SessionId: carve.SessionId, Success: true}, nil
|
|
}
|
|
|
|
const (
|
|
maxCarveSize = 8 * 1024 * 1024 * 1024 // 8GB
|
|
maxBlockSize = 256 * 1024 * 1024 // 256MB
|
|
)
|
|
|
|
func (svc *Service) CarveBegin(ctx context.Context, payload fleet.CarveBeginPayload) (*fleet.CarveMetadata, error) {
|
|
// skipauth: Authorization is currently for user endpoints only.
|
|
svc.authz.SkipAuthorization(ctx)
|
|
|
|
host, ok := hostctx.FromContext(ctx)
|
|
if !ok {
|
|
return nil, newOsqueryError("internal error: missing host from request context")
|
|
}
|
|
|
|
if payload.CarveSize == 0 {
|
|
return nil, newOsqueryError("carve_size must be greater than 0")
|
|
}
|
|
|
|
if payload.BlockSize > maxBlockSize {
|
|
return nil, newOsqueryError("block_size exceeds max")
|
|
}
|
|
if payload.CarveSize > maxCarveSize {
|
|
return nil, newOsqueryError("carve_size exceeds max")
|
|
}
|
|
|
|
// The carve should have a total size that fits appropriately into the
|
|
// number of blocks of the specified size.
|
|
if payload.CarveSize <= (payload.BlockCount-1)*payload.BlockSize ||
|
|
payload.CarveSize > payload.BlockCount*payload.BlockSize {
|
|
return nil, newOsqueryError("carve_size does not match block_size and block_count")
|
|
}
|
|
|
|
sessionId, err := uuid.NewRandom()
|
|
if err != nil {
|
|
return nil, newOsqueryError("internal error: generate session ID for carve: " + err.Error())
|
|
}
|
|
|
|
now := time.Now().UTC()
|
|
carve := &fleet.CarveMetadata{
|
|
Name: fmt.Sprintf("%s-%s-%s", host.Hostname, now.Format(time.RFC3339), payload.RequestId),
|
|
HostId: host.ID,
|
|
BlockCount: payload.BlockCount,
|
|
BlockSize: payload.BlockSize,
|
|
CarveSize: payload.CarveSize,
|
|
CarveId: payload.CarveId,
|
|
RequestId: payload.RequestId,
|
|
SessionId: sessionId.String(),
|
|
CreatedAt: now,
|
|
}
|
|
|
|
carve, err = svc.carveStore.NewCarve(ctx, carve)
|
|
if err != nil {
|
|
return nil, newOsqueryError("internal error: new carve: " + err.Error())
|
|
}
|
|
|
|
return carve, nil
|
|
}
|
|
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
// Receive Block for File Carve
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
|
|
type carveBlockRequest struct {
|
|
BlockId int64 `json:"block_id"`
|
|
SessionId string `json:"session_id"`
|
|
RequestId string `json:"request_id"`
|
|
Data []byte `json:"data"`
|
|
}
|
|
|
|
type carveBlockResponse struct {
|
|
Success bool `json:"success,omitempty"`
|
|
Err error `json:"error,omitempty"`
|
|
}
|
|
|
|
func (r carveBlockResponse) error() error { return r.Err }
|
|
|
|
func carveBlockEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
|
|
req := request.(*carveBlockRequest)
|
|
|
|
payload := fleet.CarveBlockPayload{
|
|
SessionId: req.SessionId,
|
|
RequestId: req.RequestId,
|
|
BlockId: req.BlockId,
|
|
Data: req.Data,
|
|
}
|
|
|
|
err := svc.CarveBlock(ctx, payload)
|
|
if err != nil {
|
|
return carveBlockResponse{Err: err}, nil
|
|
}
|
|
|
|
return carveBlockResponse{Success: true}, nil
|
|
}
|
|
|
|
func (svc *Service) CarveBlock(ctx context.Context, payload fleet.CarveBlockPayload) error {
|
|
// skipauth: Authorization is currently for user endpoints only.
|
|
svc.authz.SkipAuthorization(ctx)
|
|
|
|
// Note host did not authenticate via node key. We need to authenticate them
|
|
// by the session ID and request ID
|
|
carve, err := svc.carveStore.CarveBySessionId(ctx, payload.SessionId)
|
|
if err != nil {
|
|
return ctxerr.Wrap(ctx, err, "find carve by session_id")
|
|
}
|
|
|
|
if payload.RequestId != carve.RequestId {
|
|
return errors.New("request_id does not match")
|
|
}
|
|
|
|
// Request is now authenticated
|
|
|
|
if err := svc.validateCarveBlock(payload, carve); err != nil {
|
|
carve.Error = ptr.String(err.Error())
|
|
if errRecord := svc.carveStore.UpdateCarve(ctx, carve); err != nil {
|
|
logging.WithExtras(ctx, "validate_carve_error", errRecord, "carve_id", carve.ID)
|
|
}
|
|
|
|
return ctxerr.Wrap(ctx, err, "validate carve block")
|
|
}
|
|
|
|
if err := svc.carveStore.NewBlock(ctx, carve, payload.BlockId, payload.Data); err != nil {
|
|
carve.Error = ptr.String(err.Error())
|
|
if errRecord := svc.carveStore.UpdateCarve(ctx, carve); err != nil {
|
|
logging.WithExtras(ctx, "record_carve_error", errRecord, "carve_id", carve.ID)
|
|
}
|
|
|
|
return ctxerr.Wrap(ctx, err, "save carve block data")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (svc *Service) validateCarveBlock(payload fleet.CarveBlockPayload, carve *fleet.CarveMetadata) error {
|
|
if payload.BlockId > carve.BlockCount-1 {
|
|
return fmt.Errorf("block_id exceeds expected max (%d): %d", carve.BlockCount-1, payload.BlockId)
|
|
}
|
|
|
|
if payload.BlockId != carve.MaxBlock+1 {
|
|
return fmt.Errorf("block_id does not match expected block (%d): %d", carve.MaxBlock+1, payload.BlockId)
|
|
}
|
|
|
|
if int64(len(payload.Data)) > carve.BlockSize {
|
|
return fmt.Errorf("exceeded declared block size %d: %d", carve.BlockSize, len(payload.Data))
|
|
}
|
|
|
|
return nil
|
|
}
|