mirror of
https://github.com/empayre/fleet.git
synced 2024-11-08 17:53:54 +00:00
64f2cfc9cd
- Add `team_id` field to secrets. - Remove secret `name` and `active` fields (migration deletes inactive secrets). - Assign hosts to Team based on secret provided. - Add API for retrieving secrets by Team.
247 lines
7.1 KiB
Go
247 lines
7.1 KiB
Go
package mysql
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"github.com/VividCortex/mysqlerr"
|
|
"github.com/fleetdm/fleet/server/kolide"
|
|
"github.com/go-sql-driver/mysql"
|
|
"github.com/jmoiron/sqlx"
|
|
"github.com/pkg/errors"
|
|
)
|
|
|
|
func (d *Datastore) NewAppConfig(info *kolide.AppConfig) (*kolide.AppConfig, error) {
|
|
if err := d.SaveAppConfig(info); err != nil {
|
|
return nil, errors.Wrap(err, "new app config")
|
|
}
|
|
|
|
return info, nil
|
|
}
|
|
|
|
func (d *Datastore) AppConfig() (*kolide.AppConfig, error) {
|
|
info := &kolide.AppConfig{}
|
|
err := d.db.Get(info, "SELECT * FROM app_configs LIMIT 1")
|
|
if err != nil {
|
|
return nil, errors.Wrap(err, "selecting app config")
|
|
}
|
|
return info, nil
|
|
}
|
|
|
|
func (d *Datastore) isEventSchedulerEnabled() (bool, error) {
|
|
rows, err := d.db.Query("SELECT @@event_scheduler")
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
if !rows.Next() {
|
|
return false, errors.New("Error detecting MySQL event scheduler status.")
|
|
}
|
|
var value string
|
|
if err := rows.Scan(&value); err != nil {
|
|
return false, err
|
|
}
|
|
|
|
return value == "ON", nil
|
|
}
|
|
|
|
func (d *Datastore) ManageHostExpiryEvent(hostExpiryEnabled bool, hostExpiryWindow int) error {
|
|
var err error
|
|
hostExpiryConfig := struct {
|
|
Window int `db:"host_expiry_window"`
|
|
}{}
|
|
if err = d.db.Get(&hostExpiryConfig, "SELECT host_expiry_window from app_configs LIMIT 1"); err != nil {
|
|
return errors.Wrap(err, "get expiry window setting")
|
|
}
|
|
|
|
shouldUpdateWindow := hostExpiryEnabled && hostExpiryConfig.Window != hostExpiryWindow
|
|
|
|
if !hostExpiryEnabled || shouldUpdateWindow {
|
|
if _, err := d.db.Exec("DROP EVENT IF EXISTS host_expiry"); err != nil {
|
|
if driverErr, ok := err.(*mysql.MySQLError); !ok || driverErr.Number != mysqlerr.ER_DBACCESS_DENIED_ERROR {
|
|
return errors.Wrap(err, "drop existing host_expiry event")
|
|
}
|
|
}
|
|
}
|
|
|
|
if shouldUpdateWindow {
|
|
sql := fmt.Sprintf("CREATE EVENT IF NOT EXISTS host_expiry ON SCHEDULE EVERY 1 HOUR ON COMPLETION PRESERVE DO DELETE FROM hosts WHERE seen_time < DATE_SUB(NOW(), INTERVAL %d DAY)", hostExpiryWindow)
|
|
if _, err := d.db.Exec(sql); err != nil {
|
|
return errors.Wrap(err, "create new host_expiry event")
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (d *Datastore) SaveAppConfig(info *kolide.AppConfig) error {
|
|
eventSchedulerEnabled, err := d.isEventSchedulerEnabled()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !eventSchedulerEnabled && info.HostExpiryEnabled {
|
|
return errors.New("MySQL Event Scheduler must be enabled to configure Host Expiry.")
|
|
}
|
|
|
|
if err := d.ManageHostExpiryEvent(info.HostExpiryEnabled, info.HostExpiryWindow); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Note that we hard code the ID column to 1, insuring that, if no rows
|
|
// exist, a row will be created with INSERT, if a row does exist the key
|
|
// will be violate uniqueness constraint and an UPDATE will occur
|
|
insertStatement := `
|
|
INSERT INTO app_configs (
|
|
id,
|
|
org_name,
|
|
org_logo_url,
|
|
kolide_server_url,
|
|
smtp_configured,
|
|
smtp_sender_address,
|
|
smtp_server,
|
|
smtp_port,
|
|
smtp_authentication_type,
|
|
smtp_enable_ssl_tls,
|
|
smtp_authentication_method,
|
|
smtp_domain,
|
|
smtp_user_name,
|
|
smtp_password,
|
|
smtp_verify_ssl_certs,
|
|
smtp_enable_start_tls,
|
|
entity_id,
|
|
issuer_uri,
|
|
idp_image_url,
|
|
metadata,
|
|
metadata_url,
|
|
idp_name,
|
|
enable_sso,
|
|
enable_sso_idp_login,
|
|
fim_interval,
|
|
fim_file_accesses,
|
|
host_expiry_enabled,
|
|
host_expiry_window,
|
|
live_query_disabled,
|
|
additional_queries
|
|
)
|
|
VALUES( 1, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? )
|
|
ON DUPLICATE KEY UPDATE
|
|
org_name = VALUES(org_name),
|
|
org_logo_url = VALUES(org_logo_url),
|
|
kolide_server_url = VALUES(kolide_server_url),
|
|
smtp_configured = VALUES(smtp_configured),
|
|
smtp_sender_address = VALUES(smtp_sender_address),
|
|
smtp_server = VALUES(smtp_server),
|
|
smtp_port = VALUES(smtp_port),
|
|
smtp_authentication_type = VALUES(smtp_authentication_type),
|
|
smtp_enable_ssl_tls = VALUES(smtp_enable_ssl_tls),
|
|
smtp_authentication_method = VALUES(smtp_authentication_method),
|
|
smtp_domain = VALUES(smtp_domain),
|
|
smtp_user_name = VALUES(smtp_user_name),
|
|
smtp_password = VALUES(smtp_password),
|
|
smtp_verify_ssl_certs = VALUES(smtp_verify_ssl_certs),
|
|
smtp_enable_start_tls = VALUES(smtp_enable_start_tls),
|
|
entity_id = VALUES(entity_id),
|
|
issuer_uri = VALUES(issuer_uri),
|
|
idp_image_url = VALUES(idp_image_url),
|
|
metadata = VALUES(metadata),
|
|
metadata_url = VALUES(metadata_url),
|
|
idp_name = VALUES(idp_name),
|
|
enable_sso = VALUES(enable_sso),
|
|
enable_sso_idp_login = VALUES(enable_sso_idp_login),
|
|
fim_interval = VALUES(fim_interval),
|
|
fim_file_accesses = VALUES(fim_file_accesses),
|
|
host_expiry_enabled = VALUES(host_expiry_enabled),
|
|
host_expiry_window = VALUES(host_expiry_window),
|
|
live_query_disabled = VALUES(live_query_disabled),
|
|
additional_queries = VALUES(additional_queries)
|
|
`
|
|
|
|
_, err = d.db.Exec(insertStatement,
|
|
info.OrgName,
|
|
info.OrgLogoURL,
|
|
info.KolideServerURL,
|
|
info.SMTPConfigured,
|
|
info.SMTPSenderAddress,
|
|
info.SMTPServer,
|
|
info.SMTPPort,
|
|
info.SMTPAuthenticationType,
|
|
info.SMTPEnableTLS,
|
|
info.SMTPAuthenticationMethod,
|
|
info.SMTPDomain,
|
|
info.SMTPUserName,
|
|
info.SMTPPassword,
|
|
info.SMTPVerifySSLCerts,
|
|
info.SMTPEnableStartTLS,
|
|
info.EntityID,
|
|
info.IssuerURI,
|
|
info.IDPImageURL,
|
|
info.Metadata,
|
|
info.MetadataURL,
|
|
info.IDPName,
|
|
info.EnableSSO,
|
|
info.EnableSSOIdPLogin,
|
|
info.FIMInterval,
|
|
info.FIMFileAccesses,
|
|
info.HostExpiryEnabled,
|
|
info.HostExpiryWindow,
|
|
info.LiveQueryDisabled,
|
|
info.AdditionalQueries,
|
|
)
|
|
|
|
return err
|
|
}
|
|
|
|
func (d *Datastore) VerifyEnrollSecret(secret string) (*kolide.EnrollSecret, error) {
|
|
var s kolide.EnrollSecret
|
|
err := d.db.Get(&s, "SELECT team_id FROM enroll_secrets WHERE secret = ?", secret)
|
|
if err != nil {
|
|
return nil, errors.New("no matching secret found")
|
|
}
|
|
|
|
return &s, nil
|
|
}
|
|
|
|
func (d *Datastore) ApplyEnrollSecrets(teamID *uint, secrets []*kolide.EnrollSecret) error {
|
|
err := d.withRetryTxx(func(tx *sqlx.Tx) error {
|
|
if teamID != nil {
|
|
sql := `DELETE FROM enroll_secrets WHERE team_id = ?`
|
|
if _, err := tx.Exec(sql, teamID); err != nil {
|
|
return errors.Wrap(err, "clear before insert")
|
|
}
|
|
} else {
|
|
sql := `DELETE FROM enroll_secrets WHERE team_id IS NULL`
|
|
if _, err := tx.Exec(sql); err != nil {
|
|
return errors.Wrap(err, "clear before insert")
|
|
}
|
|
}
|
|
|
|
for _, secret := range secrets {
|
|
sql := `
|
|
INSERT INTO enroll_secrets (secret, team_id)
|
|
VALUES ( ?, ? )
|
|
`
|
|
if _, err := tx.Exec(sql, secret.Secret, teamID); err != nil {
|
|
return errors.Wrap(err, "upsert secret")
|
|
}
|
|
}
|
|
return nil
|
|
})
|
|
|
|
return err
|
|
}
|
|
|
|
func (d *Datastore) GetEnrollSecrets(teamID *uint) ([]*kolide.EnrollSecret, error) {
|
|
var args []interface{}
|
|
sql := "SELECT * FROM enroll_secrets WHERE "
|
|
// MySQL requires comparing NULL with IS. NULL = NULL evaluates to FALSE.
|
|
if teamID == nil {
|
|
sql += "team_id IS NULL"
|
|
} else {
|
|
sql += "team_id = ?"
|
|
args = append(args, teamID)
|
|
}
|
|
var secrets []*kolide.EnrollSecret
|
|
if err := d.db.Select(&secrets, sql, args...); err != nil {
|
|
return nil, errors.Wrap(err, "get secrets")
|
|
}
|
|
return secrets, nil
|
|
}
|