empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-07 09:18:59 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
96fc090723
fleet/server/kolide/app.go
Zachary Wasserman c1aa8355cb
Add support for multiple enroll secrets (#2238) 
- Support multiple enroll secrets
- Record name of enroll secret used when host enrolls
- Update fleetctl and UI to support these features
2020-05-29 09:12:39 -07:00

306 lines
12 KiB
Go
Raw Blame History

package kolide
import (
"context"
"encoding/json"
"time"
)
// AppConfigStore contains method for saving and retrieving
// application configuration
type AppConfigStore interface {
NewAppConfig(info *AppConfig) (*AppConfig, error)
AppConfig() (*AppConfig, error)
SaveAppConfig(info *AppConfig) error
// VerifyEnrollSecret checks that the provided secret matches an active
// enroll secret. If it is successfully matched, the name of the secret is
// returned. Otherwise an error is returned.
VerifyEnrollSecret(secret string) (string, error)
// ApplyEnrollSecretSpec adds and updates the enroll secrets specified in
// the spec.
ApplyEnrollSecretSpec(spec *EnrollSecretSpec) error
// GetEnrollSecretSpec gets the spec for the current enroll secrets.
GetEnrollSecretSpec() (*EnrollSecretSpec, error)
}
// AppConfigService provides methods for configuring
// the Fleet application
type AppConfigService interface {
NewAppConfig(ctx context.Context, p AppConfigPayload) (info *AppConfig, err error)
AppConfig(ctx context.Context) (info *AppConfig, err error)
ModifyAppConfig(ctx context.Context, p AppConfigPayload) (info *AppConfig, err error)
SendTestEmail(ctx context.Context, config *AppConfig) error
// ApplyEnrollSecretSpec adds and updates the enroll secrets specified in
// the spec.
ApplyEnrollSecretSpec(ctx context.Context, spec *EnrollSecretSpec) error
// GetEnrollSecretSpec gets the spec for the current enroll secrets.
GetEnrollSecretSpec(ctx context.Context) (*EnrollSecretSpec, error)
// Certificate returns the PEM encoded certificate chain for osqueryd TLS termination.
// For cases where the connection is self-signed, the server will attempt to
// connect using the InsecureSkipVerify option in tls.Config.
CertificateChain(ctx context.Context) (cert []byte, err error)
}
// SMTP settings names returned from API, these map to SMTPAuthType and
// SMTPAuthMethod
const (
AuthMethodNameCramMD5 = "authmethod_cram_md5"
AuthMethodNameLogin = "authmethod_login"
AuthMethodNamePlain = "authmethod_plain"
AuthTypeNameUserNamePassword = "authtype_username_password"
AuthTypeNameNone = "authtype_none"
)
type SMTPAuthType int
const (
AuthTypeUserNamePassword SMTPAuthType = iota
AuthTypeNone
)
func (a SMTPAuthType) String() string {
switch a {
case AuthTypeUserNamePassword:
return AuthTypeNameUserNamePassword
case AuthTypeNone:
return AuthTypeNameNone
default:
return ""
}
}
type SMTPAuthMethod int
const (
AuthMethodPlain SMTPAuthMethod = iota
AuthMethodCramMD5
AuthMethodLogin
)
func (m SMTPAuthMethod) String() string {
switch m {
case AuthMethodPlain:
return AuthMethodNamePlain
case AuthMethodCramMD5:
return AuthMethodNameCramMD5
case AuthMethodLogin:
return AuthMethodNameLogin
default:
return ""
}
}
// AppConfig holds configuration about the Fleet application.
// AppConfig data can be managed by a Fleet API user.
type AppConfig struct {
ID uint
OrgName string `db:"org_name"`
OrgLogoURL string `db:"org_logo_url"`
KolideServerURL string `db:"kolide_server_url"`
// SMTPConfigured is a flag that indicates if smtp has been successfully
// tested with the settings provided by an admin user.
SMTPConfigured bool `db:"smtp_configured"`
// SMTPSenderAddress is the email address that will appear in emails sent
// from Fleet
SMTPSenderAddress string `db:"smtp_sender_address"`
// SMTPServer is the host name of the SMTP server Fleet will use to send mail
SMTPServer string `db:"smtp_server"`
// SMTPPort port SMTP server will use
SMTPPort uint `db:"smtp_port"`
// SMTPAuthenticationType type of authentication for SMTP
SMTPAuthenticationType SMTPAuthType `db:"smtp_authentication_type"`
// SMTPUserName must be provided if SMTPAuthenticationType is UserNamePassword
SMTPUserName string `db:"smtp_user_name"`
// SMTPPassword must be provided if SMTPAuthenticationType is UserNamePassword
SMTPPassword string `db:"smtp_password"`
// SMTPEnableSSLTLS whether to use SSL/TLS for SMTP
SMTPEnableTLS bool `db:"smtp_enable_ssl_tls"`
// SMTPAuthenticationMethod authentication method smtp server will use
SMTPAuthenticationMethod SMTPAuthMethod `db:"smtp_authentication_method"`
// SMTPDomain optional domain for SMTP
SMTPDomain string `db:"smtp_domain"`
// SMTPVerifySSLCerts defaults to true but can be turned off if self signed
// SSL certs are used by the SMTP server
SMTPVerifySSLCerts bool `db:"smtp_verify_ssl_certs"`
// SMTPEnableStartTLS detects of TLS is enabled on mail server and starts to use it (default true)
SMTPEnableStartTLS bool `db:"smtp_enable_start_tls"`
// EntityID is a uri that identifies this service provider
EntityID string `db:"entity_id"`
// IssuerURI is the uri that identifies the identity provider
IssuerURI string `db:"issuer_uri"`
// IDPImageURL is a link to a logo or other image that is used for UX
IDPImageURL string `db:"idp_image_url"`
// Metadata contains IDP metadata XML
Metadata string `db:"metadata"`
// MetadataURL is a URL provided by the IDP which can be used to download
// metadata
MetadataURL string `db:"metadata_url"`
// IDPName is a human friendly name for the IDP
IDPName string `db:"idp_name"`
// EnableSSO flag to determine whether or not to enable SSO
EnableSSO bool `db:"enable_sso"`
// FIMInterval defines the interval when file integrity checks will occur
FIMInterval int `db:"fim_interval"`
// FIMFileAccess defines the FIMSections which will be monitored for file access events as a JSON formatted array
FIMFileAccesses string `db:"fim_file_accesses"`
// HostExpiryEnabled defines whether automatic host cleanup is enabled.
HostExpiryEnabled bool `db:"host_expiry_enabled"`
// HostExpiryWindow defines a number in days after which a host will be removed if it has not communicated with Fleet.
HostExpiryWindow int `db:"host_expiry_window"`
// LiveQueryDisabled defines whether live queries are disabled.
LiveQueryDisabled bool `db:"live_query_disabled"`
// AdditionalQueries is the set of additional queries that should be run
// when collecting details from hosts.
AdditionalQueries *json.RawMessage `db:"additional_queries"`
}
// ModifyAppConfigRequest contains application configuration information
// sent from front end and used to change app config elements.
type ModifyAppConfigRequest struct {
// TestSMTP is this is set to true, the SMTP configuration will be tested
// with the results of the test returned to caller. No config changes
// will be applied.
TestSMTP bool `json:"test_smtp"`
AppConfig AppConfig `json:"app_config"`
}
// SSOSettingsPayload wire format for SSO settings
type SSOSettingsPayload struct {
// EntityID is a uri that identifies this service provider
EntityID *string `json:"entity_id"`
// IssuerURI is the uri that identifies the identity provider
IssuerURI *string `json:"issuer_uri"`
// IDPImageURL is a link to a logo or other image that is used for UX
IDPImageURL *string `json:"idp_image_url"`
// Metadata contains IDP metadata XML
Metadata *string `json:"metadata"`
// MetadataURL is a URL provided by the IDP which can be used to download
// metadata
MetadataURL *string `json:"metadata_url"`
// IDPName is a human friendly name for the IDP
IDPName *string `json:"idp_name"`
// EnableSSO flag to determine whether or not to enable SSO
EnableSSO *bool `json:"enable_sso"`
}
// SMTPSettingsPayload is part of the AppConfigPayload which defines the wire representation
// of the app config endpoints
type SMTPSettingsPayload struct {
// SMTPEnabled indicates whether the user has selected that SMTP is
// enabled in the UI.
SMTPEnabled *bool `json:"enable_smtp"`
// SMTPConfigured is a flag that indicates if smtp has been successfully
// tested with the settings provided by an admin user.
SMTPConfigured *bool `json:"configured"`
// SMTPSenderAddress is the email address that will appear in emails sent
// from Fleet
SMTPSenderAddress *string `json:"sender_address"`
// SMTPServer is the host name of the SMTP server Fleet will use to send mail
SMTPServer *string `json:"server"`
// SMTPPort port SMTP server will use
SMTPPort *uint `json:"port"`
// SMTPAuthenticationType type of authentication for SMTP
SMTPAuthenticationType *string `json:"authentication_type"`
// SMTPUserName must be provided if SMTPAuthenticationType is UserNamePassword
SMTPUserName *string `json:"user_name"`
// SMTPPassword must be provided if SMTPAuthenticationType is UserNamePassword
SMTPPassword *string `json:"password"`
// SMTPEnableSSLTLS whether to use SSL/TLS for SMTP
SMTPEnableTLS *bool `json:"enable_ssl_tls"`
// SMTPAuthenticationMethod authentication method smtp server will use
SMTPAuthenticationMethod *string `json:"authentication_method"`
// SMTPDomain optional domain for SMTP
SMTPDomain *string `json:"domain"`
// SMTPVerifySSLCerts defaults to true but can be turned off if self signed
// SSL certs are used by the SMTP server
SMTPVerifySSLCerts *bool `json:"verify_ssl_certs"`
// SMTPEnableStartTLS detects of TLS is enabled on mail server and starts to use it (default true)
SMTPEnableStartTLS *bool `json:"enable_start_tls"`
}
// AppConfigPayload contains request/response format of
// the AppConfig endpoints.
type AppConfigPayload struct {
OrgInfo *OrgInfo `json:"org_info"`
ServerSettings *ServerSettings `json:"server_settings"`
SMTPSettings *SMTPSettingsPayload `json:"smtp_settings"`
HostExpirySettings *HostExpirySettings `json:"host_expiry_settings"`
HostSettings *HostSettings `json:"host_settings"`
// SMTPTest is a flag that if set will cause the server to test email configuration
SMTPTest *bool `json:"smtp_test,omitempty"`
// SSOSettings single sign settings
SSOSettings *SSOSettingsPayload `json:"sso_settings"`
}
// OrgInfo contains general info about the organization using Fleet.
type OrgInfo struct {
OrgName *string `json:"org_name,omitempty"`
OrgLogoURL *string `json:"org_logo_url,omitempty"`
}
// ServerSettings contains general settings about the kolide App.
type ServerSettings struct {
KolideServerURL *string `json:"kolide_server_url,omitempty"`
LiveQueryDisabled *bool `json:"live_query_disabled,omitempty"`
}
// HostExpirySettings contains settings pertaining to automatic host expiry.
type HostExpirySettings struct {
HostExpiryEnabled *bool `json:"host_expiry_enabled,omitempty"`
HostExpiryWindow *int `json:"host_expiry_window,omitempty"`
}
type HostSettings struct {
AdditionalQueries *json.RawMessage `json:"additional_queries"`
}
type OrderDirection int
const (
OrderAscending OrderDirection = iota
OrderDescending
)
// ListOptions defines options related to paging and ordering to be used when
// listing objects
type ListOptions struct {
// Which page to return (must be positive integer)
Page uint
// How many results per page (must be positive integer, 0 indicates
// unlimited)
PerPage uint
// Key to use for ordering
OrderKey string
// Direction of ordering
OrderDirection OrderDirection
}
// EnrollSecret contains information about an enroll secret, name, and active
// status. Enroll secrets are used for osquery authentication.
type EnrollSecret struct {
// Name is the name assigned to the secret
Name string `json:"name" db:"name"`
// Secret is the actual secret key.
Secret string `json:"secret" db:"secret"`
// Active determines whether the secret is currently allowed to be used for
// authentication.
Active bool `json:"active" db:"active"`
// CreatedAt is the time this enroll secret was first added.
CreatedAt time.Time `json:"created_at" db:"created_at"`
}
// EnrollSecretSpec is the fleetctl spec type for enroll secrets.
type EnrollSecretSpec struct {
// Secrets is the list of enroll secrets.
Secrets []EnrollSecret `json:"secrets"`
}
Reference in New Issue View Git Blame Copy Permalink