fleet/server/mdm/apple/config/config.go
Lucas Manuel Rodriguez 9191f4ce66
Add Apple MDM functionality (#7940)
* WIP

* Adding DEP functionality to Fleet

* Better organize additional MDM code

* Add cmdr.py and amend API paths

* Fix lint

* Add demo file

* Fix demo.md

* go mod tidy

* Add munki setup to Fleet

* Add diagram to demo.md

* Add fixes

* Update TODOs and demo.md

* Fix cmdr.py and add TODO

* Add endpoints to demo.md

* Add more Munki PoC/demo stuff

* WIP

* Remove proposals from PoC

* Replace prepare commands with fleetctl commands

* Update demo.md with current state

* Remove config field

* Amend demo

* Remove Munki setup from MVP-Dogfood

* Update demo.md

* Add apple mdm commands (#7769)

* fleetctl enqueue mdm command

* fix deps

* Fix build

Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>

* Add command to upload installers

* go mod tidy

* fix subcommands help

There is a bug in urfave/cli where help text is not generated properly when subcommands
are nested too deep.

* Add support for installing apps

* Add a way to list enrolled devices

* Add dep listing

* Rearrange endpoints

* Move DEP routine to schedule

* Define paths globally

* Add a way to list enrollments and installers

* Parse device-ids as comma-separated string

* Remove unused types

* Add simple commands and nest under enqueue-command

* Fix simple commands

* Add help to enqueue-command

* merge apple_mdm database

* Fix commands

* update nanomdm

* Split nanomdm and nanodep schemas

* Set 512 MB in memory for upload

* Remove empty file

* Amend profile

* Add sample commands

* Add delete installers and fix bug in DEP profile assigning

* Add dogfood.md deployment guide

* Update schema.sql

* Dump schema with MySQL 5

* Set default value for authenticate_at

* add tokens to enrollment profiles

When a device downloads an MDM enrollment profile, verify the token passed
as a query parameter. This ensures untrusted devices don't enroll with
our MDM server.

- Rename enrollments to enrollment profiles. Enrollments is used by nano
  to refer to devices that are enrolled with MDM
- Rename endpoint /api/<version>/fleet/mdm/apple/enrollments to ../enrollmentprofiles
- Generate a token for authentication when creating an enrollment profile
- Return unauthorized if token is invalid when downloading an enrollment profile from /api/mdm/apple/enroll?token=

* remove mdm apple server url

* update docs

* make dump-test-schema

* Update nanomdm with missing prefix table

* Add docs and simplify changes

* Add changes file

* Add method docs

* Fix compile and revert prepare.go changes

* Revert migration status check change

* Amend comments

* Add more docs

* Clarify storage of installers

* Remove TODO

* Remove unused

* update dogfood.md

* remove cmdr.py

* Add authorization tests

* Add TODO comment

* use kitlog for nano logging

* Add yaml tags

* Remove unused flag

* Remove changes file

* Only run DEP routine if MDM is enabled

* Add docs to all new exported types

* Add docs

* more nano logging changes

* Fix unintentional removal

* more nano logging changes

* Fix compile test

* Use string for configs and fix config test

* Add docs and amend changes

* revert changes to basicAuthHandler

* remove exported BasicAuthHandler

* rename rego authz type

* Add more information to dep list

* add db tag

* update deps

* Fix schema

* Remove unimplemented

Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com>
Co-authored-by: Michal Nicpon <michal@fleetdm.com>
2022-10-05 19:53:54 -03:00

79 lines
2.2 KiB
Go

// Package config has utilities to verify Apple MDM related configuration.
package config
import (
"encoding/json"
"errors"
"fmt"
configpkg "github.com/fleetdm/fleet/v4/server/config"
nanodep_client "github.com/micromdm/nanodep/client"
"github.com/micromdm/nanomdm/cryptoutil"
"golang.org/x/crypto/ssh"
)
// Verify verifies the Apple MDM configuration.
func Verify(config configpkg.MDMAppleConfig) error {
if err := verifySCEPConfig(config); err != nil {
return fmt.Errorf("scep: %w", err)
}
if err := verifyMDMConfig(config); err != nil {
return fmt.Errorf("mdm: %w", err)
}
if err := verifyDEPConfig(config); err != nil {
return fmt.Errorf("dep: %w", err)
}
return nil
}
func verifySCEPConfig(config configpkg.MDMAppleConfig) error {
pemCert := []byte(config.SCEP.CA.PEMCert)
if len(pemCert) == 0 {
return errors.New("missing pem certificate")
}
if _, err := cryptoutil.DecodePEMCertificate(pemCert); err != nil {
return fmt.Errorf("parse pem certificate: %w", err)
}
pemKey := []byte(config.SCEP.CA.PEMKey)
if len(pemKey) == 0 {
return errors.New("missing private key")
}
if _, err := ssh.ParseRawPrivateKey(pemKey); err != nil {
return fmt.Errorf("parse MDM push PEM private key: %w", err)
}
return nil
}
func verifyMDMConfig(config configpkg.MDMAppleConfig) error {
pushPEMCert := []byte(config.MDM.PushCert.PEMCert)
if len(pushPEMCert) == 0 {
return errors.New("missing PEM certificate")
}
if _, err := cryptoutil.DecodePEMCertificate(pushPEMCert); err != nil {
return fmt.Errorf("parse PEM certificate: %w", err)
}
_, err := cryptoutil.TopicFromPEMCert(pushPEMCert)
if err != nil {
return fmt.Errorf("extract topic from push PEM cert: %w", err)
}
pemKey := []byte(config.MDM.PushCert.PEMKey)
if len(pemKey) == 0 {
return errors.New("missing PEM private key")
}
if _, err := ssh.ParseRawPrivateKey(pemKey); err != nil {
return fmt.Errorf("parse PEM private key: %w", err)
}
return nil
}
func verifyDEPConfig(config configpkg.MDMAppleConfig) error {
token := []byte(config.DEP.Token)
if len(token) == 0 {
return errors.New("missing MDM DEP token")
}
if err := json.Unmarshal(token, &nanodep_client.OAuth1Tokens{}); err != nil {
return fmt.Errorf("parse DEP token: %w", err)
}
return nil
}