mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 17:05:18 +00:00
7dadec3ecf
#7970 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
523 lines
16 KiB
Go
523 lines
16 KiB
Go
package packaging
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/tls"
|
|
"errors"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os"
|
|
"os/exec"
|
|
"path/filepath"
|
|
"regexp"
|
|
"runtime"
|
|
|
|
"github.com/Masterminds/semver"
|
|
"github.com/fleetdm/fleet/v4/orbit/pkg/constant"
|
|
"github.com/fleetdm/fleet/v4/orbit/pkg/update"
|
|
"github.com/fleetdm/fleet/v4/pkg/file"
|
|
"github.com/fleetdm/fleet/v4/pkg/secure"
|
|
"github.com/rs/zerolog/log"
|
|
)
|
|
|
|
var bomRegexp = regexp.MustCompile(`(.+)\t([0-9]+/[0-9]+)`)
|
|
|
|
// See helful docs in http://bomutils.dyndns.org/tutorial.html
|
|
|
|
// BuildPkg builds a macOS .pkg.
|
|
//
|
|
// Building packages works out of the box in macOS, but it's also supported on
|
|
// Linux given that the necessary dependencies are installed and
|
|
// Options.NativeTooling is `true`
|
|
//
|
|
// Note: this function is not safe for concurrent use
|
|
func BuildPkg(opt Options) (string, error) {
|
|
// Initialize directories
|
|
tmpDir, err := initializeTempDir()
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
defer os.RemoveAll(tmpDir)
|
|
|
|
rootDir := filepath.Join(tmpDir, "root")
|
|
if err := secure.MkdirAll(rootDir, constant.DefaultDirMode); err != nil {
|
|
return "", fmt.Errorf("create root dir: %w", err)
|
|
}
|
|
orbitRoot := filepath.Join(rootDir, "opt", "orbit")
|
|
if err := secure.MkdirAll(orbitRoot, constant.DefaultDirMode); err != nil {
|
|
return "", fmt.Errorf("create orbit dir: %w", err)
|
|
}
|
|
|
|
// Initialize autoupdate metadata
|
|
|
|
updateOpt := update.DefaultOptions
|
|
|
|
updateOpt.RootDirectory = orbitRoot
|
|
updateOpt.ServerURL = opt.UpdateURL
|
|
updateOpt.Targets = update.DarwinTargets
|
|
updateOpt.ServerCertificatePath = opt.UpdateTLSServerCertificate
|
|
|
|
if opt.UpdateTLSClientCertificate != "" {
|
|
updateClientCrt, err := tls.LoadX509KeyPair(opt.UpdateTLSClientCertificate, opt.UpdateTLSClientKey)
|
|
if err != nil {
|
|
return "", fmt.Errorf("error loading update client certificate and key: %w", err)
|
|
}
|
|
updateOpt.ClientCertificate = &updateClientCrt
|
|
}
|
|
|
|
if opt.Desktop {
|
|
updateOpt.Targets["desktop"] = update.DesktopMacOSTarget
|
|
// Override default channel with the provided value.
|
|
updateOpt.Targets.SetTargetChannel("desktop", opt.DesktopChannel)
|
|
}
|
|
|
|
// Override default channels with the provided values.
|
|
updateOpt.Targets.SetTargetChannel("orbit", opt.OrbitChannel)
|
|
updateOpt.Targets.SetTargetChannel("osqueryd", opt.OsquerydChannel)
|
|
|
|
if opt.UpdateRoots != "" {
|
|
updateOpt.RootKeys = opt.UpdateRoots
|
|
}
|
|
|
|
updatesData, err := InitializeUpdates(updateOpt)
|
|
if err != nil {
|
|
return "", fmt.Errorf("initialize updates: %w", err)
|
|
}
|
|
log.Debug().Stringer("data", updatesData).Msg("updates initialized")
|
|
if opt.Version == "" {
|
|
// We set the package version to orbit's latest version.
|
|
opt.Version = updatesData.OrbitVersion
|
|
}
|
|
|
|
if orbitSemVer, err := semver.NewVersion(updatesData.OrbitVersion); err == nil {
|
|
if orbitSemVer.LessThan(semver.MustParse("0.0.11")) {
|
|
opt.LegacyVarLibSymlink = true
|
|
}
|
|
}
|
|
// If err != nil we assume non-legacy Orbit.
|
|
|
|
// Write files
|
|
|
|
if err := writePackageInfo(opt, tmpDir); err != nil {
|
|
return "", fmt.Errorf("write PackageInfo: %w", err)
|
|
}
|
|
if err := writeDistribution(opt, tmpDir); err != nil {
|
|
return "", fmt.Errorf("write Distribution: %w", err)
|
|
}
|
|
if err := writeScripts(opt, tmpDir); err != nil {
|
|
return "", fmt.Errorf("write postinstall: %w", err)
|
|
}
|
|
if err := writeSecret(opt, orbitRoot); err != nil {
|
|
return "", fmt.Errorf("write enroll secret: %w", err)
|
|
}
|
|
if err := writeOsqueryFlagfile(opt, orbitRoot); err != nil {
|
|
return "", fmt.Errorf("write flagfile: %w", err)
|
|
}
|
|
if err := writeOsqueryCertPEM(opt, orbitRoot); err != nil {
|
|
return "", fmt.Errorf("write certs.pem: %w", err)
|
|
}
|
|
|
|
if opt.StartService {
|
|
if err := writeLaunchd(opt, rootDir); err != nil {
|
|
return "", fmt.Errorf("write launchd: %w", err)
|
|
}
|
|
}
|
|
|
|
if opt.FleetCertificate != "" {
|
|
if err := writeFleetServerCertificate(opt, orbitRoot); err != nil {
|
|
return "", fmt.Errorf("write fleet server certificate: %w", err)
|
|
}
|
|
}
|
|
|
|
if opt.FleetTLSClientCertificate != "" {
|
|
if err := writeFleetClientCertificate(opt, orbitRoot); err != nil {
|
|
return "", fmt.Errorf("write fleet client certificate: %w", err)
|
|
}
|
|
}
|
|
|
|
if opt.UpdateTLSServerCertificate != "" {
|
|
if err := writeUpdateServerCertificate(opt, orbitRoot); err != nil {
|
|
return "", fmt.Errorf("write update server certificate: %w", err)
|
|
}
|
|
}
|
|
|
|
if opt.UpdateTLSClientCertificate != "" {
|
|
if err := writeUpdateClientCertificate(opt, orbitRoot); err != nil {
|
|
return "", fmt.Errorf("write update client certificate: %w", err)
|
|
}
|
|
}
|
|
|
|
// Build package
|
|
|
|
if err := xarBom(opt, tmpDir); err != nil {
|
|
return "", fmt.Errorf("build pkg: %w", err)
|
|
}
|
|
|
|
generatedPath := filepath.Join(tmpDir, "orbit.pkg")
|
|
isDarwin := runtime.GOOS == "darwin"
|
|
isLinuxNative := runtime.GOOS == "linux" && opt.NativeTooling
|
|
|
|
if len(opt.SignIdentity) != 0 {
|
|
if len(opt.MacOSDevIDCertificateContent) != 0 {
|
|
return "", errors.New("providing a sign identity and a Dev ID certificate is not supported")
|
|
}
|
|
|
|
log.Info().Str("identity", opt.SignIdentity).Msg("productsign package")
|
|
if err := signPkg(generatedPath, opt.SignIdentity); err != nil {
|
|
return "", fmt.Errorf("productsign: %w", err)
|
|
}
|
|
}
|
|
|
|
if isLinuxNative && len(opt.MacOSDevIDCertificateContent) > 0 {
|
|
if len(opt.SignIdentity) != 0 {
|
|
return "", errors.New("providing a sign identity and a Dev ID certificate is not supported")
|
|
}
|
|
|
|
if err := rSign(generatedPath, opt.MacOSDevIDCertificateContent); err != nil {
|
|
return "", fmt.Errorf("rcodesign: %w", err)
|
|
}
|
|
}
|
|
|
|
if opt.Notarize {
|
|
switch {
|
|
case isDarwin:
|
|
if err := NotarizeStaple(generatedPath, "com.fleetdm.orbit"); err != nil {
|
|
return "", err
|
|
}
|
|
case isLinuxNative:
|
|
if len(opt.AppStoreConnectAPIKeyID) == 0 || len(opt.AppStoreConnectAPIKeyIssuer) == 0 {
|
|
return "", errors.New("both an App Store Connect API key and issuer must be set for native notarization")
|
|
}
|
|
|
|
if err := rNotarizeStaple(generatedPath, opt.AppStoreConnectAPIKeyID, opt.AppStoreConnectAPIKeyIssuer, opt.AppStoreConnectAPIKeyContent); err != nil {
|
|
return "", err
|
|
}
|
|
default:
|
|
return "", errors.New("notarization is not supported in this platform")
|
|
}
|
|
}
|
|
|
|
filename := "fleet-osquery.pkg"
|
|
if opt.NativeTooling {
|
|
filename = filepath.Join("build", filename)
|
|
}
|
|
if err := file.Copy(generatedPath, filename, constant.DefaultFileMode); err != nil {
|
|
return "", fmt.Errorf("rename pkg: %w", err)
|
|
}
|
|
log.Info().Str("path", filename).Msg("wrote pkg package")
|
|
|
|
return filename, nil
|
|
}
|
|
|
|
func writePackageInfo(opt Options, rootPath string) error {
|
|
// PackageInfo is metadata for the pkg
|
|
path := filepath.Join(rootPath, "flat", "base.pkg", "PackageInfo")
|
|
if err := secure.MkdirAll(filepath.Dir(path), constant.DefaultDirMode); err != nil {
|
|
return fmt.Errorf("mkdir: %w", err)
|
|
}
|
|
|
|
var contents bytes.Buffer
|
|
if err := macosPackageInfoTemplate.Execute(&contents, opt); err != nil {
|
|
return fmt.Errorf("execute template: %w", err)
|
|
}
|
|
|
|
if err := ioutil.WriteFile(path, contents.Bytes(), constant.DefaultFileMode); err != nil {
|
|
return fmt.Errorf("write file: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func writeScripts(opt Options, rootPath string) error {
|
|
// Postinstall script
|
|
path := filepath.Join(rootPath, "scripts", "postinstall")
|
|
if err := secure.MkdirAll(filepath.Dir(path), constant.DefaultDirMode); err != nil {
|
|
return fmt.Errorf("mkdir: %w", err)
|
|
}
|
|
|
|
var contents bytes.Buffer
|
|
if err := macosPostinstallTemplate.Execute(&contents, opt); err != nil {
|
|
return fmt.Errorf("execute template: %w", err)
|
|
}
|
|
|
|
if err := ioutil.WriteFile(path, contents.Bytes(), 0o744); err != nil {
|
|
return fmt.Errorf("write file: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func writeLaunchd(opt Options, rootPath string) error {
|
|
// launchd is the service mechanism on macOS
|
|
path := filepath.Join(rootPath, "Library", "LaunchDaemons", "com.fleetdm.orbit.plist")
|
|
if err := secure.MkdirAll(filepath.Dir(path), constant.DefaultDirMode); err != nil {
|
|
return fmt.Errorf("mkdir: %w", err)
|
|
}
|
|
|
|
var contents bytes.Buffer
|
|
if err := macosLaunchdTemplate.Execute(&contents, opt); err != nil {
|
|
return fmt.Errorf("execute template: %w", err)
|
|
}
|
|
|
|
if err := ioutil.WriteFile(path, contents.Bytes(), 0o644); err != nil {
|
|
return fmt.Errorf("write file: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func writeDistribution(opt Options, rootPath string) error {
|
|
// Distribution file is metadata for the pkg
|
|
path := filepath.Join(rootPath, "flat", "Distribution")
|
|
if err := secure.MkdirAll(filepath.Dir(path), constant.DefaultDirMode); err != nil {
|
|
return fmt.Errorf("mkdir: %w", err)
|
|
}
|
|
|
|
var contents bytes.Buffer
|
|
if err := macosDistributionTemplate.Execute(&contents, opt); err != nil {
|
|
return fmt.Errorf("execute template: %w", err)
|
|
}
|
|
|
|
if err := ioutil.WriteFile(path, contents.Bytes(), constant.DefaultFileMode); err != nil {
|
|
return fmt.Errorf("write file: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func writeFleetServerCertificate(opt Options, orbitRoot string) error {
|
|
dstPath := filepath.Join(orbitRoot, "fleet.pem")
|
|
|
|
if err := file.Copy(opt.FleetCertificate, dstPath, 0o644); err != nil {
|
|
return fmt.Errorf("write fleet server certificate: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func writeUpdateServerCertificate(opt Options, orbitRoot string) error {
|
|
dstPath := filepath.Join(orbitRoot, "update.pem")
|
|
|
|
if err := file.Copy(opt.UpdateTLSServerCertificate, dstPath, 0o644); err != nil {
|
|
return fmt.Errorf("write update server certificate: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func writeFleetClientCertificate(opt Options, orbitRoot string) error {
|
|
dstPath := filepath.Join(orbitRoot, constant.FleetTLSClientCertificateFileName)
|
|
if err := file.Copy(opt.FleetTLSClientCertificate, dstPath, constant.DefaultFileMode); err != nil {
|
|
return fmt.Errorf("write fleet certificate file: %w", err)
|
|
}
|
|
dstPath = filepath.Join(orbitRoot, constant.FleetTLSClientKeyFileName)
|
|
if err := file.Copy(opt.FleetTLSClientKey, dstPath, constant.DefaultFileMode); err != nil {
|
|
return fmt.Errorf("write fleet key file: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func writeUpdateClientCertificate(opt Options, orbitRoot string) error {
|
|
dstPath := filepath.Join(orbitRoot, constant.UpdateTLSClientCertificateFileName)
|
|
if err := file.Copy(opt.UpdateTLSClientCertificate, dstPath, constant.DefaultFileMode); err != nil {
|
|
return fmt.Errorf("write update certificate file: %w", err)
|
|
}
|
|
dstPath = filepath.Join(orbitRoot, constant.UpdateTLSClientKeyFileName)
|
|
if err := file.Copy(opt.UpdateTLSClientKey, dstPath, constant.DefaultFileMode); err != nil {
|
|
return fmt.Errorf("write update key file: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// xarBom creates the actual .pkg format. It's a xar archive with a BOM (Bill of
|
|
// materials?). See http://bomutils.dyndns.org/tutorial.html.
|
|
func xarBom(opt Options, rootPath string) error {
|
|
// Adapted from BSD licensed
|
|
// https://github.com/go-flutter-desktop/hover/blob/v0.46.2/cmd/packaging/darwin-pkg.go
|
|
|
|
// Copy payload/scripts
|
|
if err := cpio(
|
|
filepath.Join(rootPath, "root"),
|
|
filepath.Join(rootPath, "flat", "base.pkg", "Payload"),
|
|
); err != nil {
|
|
return fmt.Errorf("cpio Payload: %w", err)
|
|
}
|
|
if err := cpio(
|
|
filepath.Join(rootPath, "scripts"),
|
|
filepath.Join(rootPath, "flat", "base.pkg", "Scripts"),
|
|
); err != nil {
|
|
return fmt.Errorf("cpio Scripts: %w", err)
|
|
}
|
|
|
|
// Make Bill of materials (bom)
|
|
var cmdMkbom *exec.Cmd
|
|
isDarwin := runtime.GOOS == "darwin"
|
|
isLinuxNative := runtime.GOOS == "linux" && opt.NativeTooling
|
|
|
|
switch {
|
|
case isDarwin:
|
|
// Using mkbom directly results in permissions listed for the current user and group. We
|
|
// transform the output in order to explicitly set root (0) and admin (80).
|
|
inBomPath := filepath.Join(rootPath, "inBom")
|
|
cmd := exec.Command("mkbom", filepath.Join(rootPath, "root"), inBomPath)
|
|
if err := cmd.Run(); err != nil {
|
|
return fmt.Errorf("initial mkbom: %w", err)
|
|
}
|
|
bomContents, err := exec.Command("lsbom", inBomPath).Output()
|
|
if err != nil {
|
|
return fmt.Errorf("lsbom inBom: %w", err)
|
|
}
|
|
bomContents = bomReplace(bomContents)
|
|
if err := ioutil.WriteFile(inBomPath, bomContents, 0); err != nil {
|
|
return fmt.Errorf("write inBom: %w", err)
|
|
}
|
|
|
|
// Use the file list (with transformed permissions) via -i flag
|
|
cmdMkbom = exec.Command("mkbom", "-i", "inBom", filepath.Join("flat", "base.pkg", "Bom"))
|
|
cmdMkbom.Dir = rootPath
|
|
|
|
// No need for transformation when using the Linux mkbom because of the -u and -g flags
|
|
// available in that command.
|
|
case isLinuxNative:
|
|
cmdMkbom = exec.Command(
|
|
"mkbom", "-u", "0", "-g", "80",
|
|
filepath.Join(rootPath, "root"), filepath.Join("flat", "base.pkg", "Bom"),
|
|
)
|
|
cmdMkbom.Dir = rootPath
|
|
default:
|
|
// Same as linux native, but modified for running in Docker. This should
|
|
// be either Windows, or Linux without the --native-tooling flag.
|
|
cmdMkbom = exec.Command(
|
|
"docker", "run", "--rm", "-v", rootPath+":/root", "fleetdm/bomutils",
|
|
"mkbom", "-u", "0", "-g", "80",
|
|
// Use / instead of filepath.Join because these will always be paths within the Docker
|
|
// container (so Linux file paths) -- if we use filepath.Join we'll get invalid paths on
|
|
// Windows due to use of backslashes.
|
|
"/root/root", "/root/flat/base.pkg/Bom",
|
|
)
|
|
}
|
|
|
|
cmdMkbom.Stdout, cmdMkbom.Stderr = os.Stdout, os.Stderr
|
|
if err := cmdMkbom.Run(); err != nil {
|
|
return fmt.Errorf("mkbom: %w", err)
|
|
}
|
|
|
|
// List files for xar
|
|
var files []string
|
|
err := filepath.Walk(
|
|
filepath.Join(rootPath, "flat"),
|
|
func(path string, info os.FileInfo, _ error) error {
|
|
relativePath, err := filepath.Rel(filepath.Join(rootPath, "flat"), path)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
files = append(files, relativePath)
|
|
return nil
|
|
},
|
|
)
|
|
if err != nil {
|
|
return fmt.Errorf("iterate files: %w", err)
|
|
}
|
|
|
|
// Make xar
|
|
var cmdXar *exec.Cmd
|
|
switch {
|
|
case isDarwin, isLinuxNative:
|
|
cmdXar = exec.Command("xar", append([]string{"--compression", "none", "-cf", filepath.Join("..", "orbit.pkg")}, files...)...)
|
|
cmdXar.Dir = filepath.Join(rootPath, "flat")
|
|
default:
|
|
cmdXar = exec.Command(
|
|
"docker", "run", "--rm", "-v", rootPath+":/root", "-w", "/root/flat", "fleetdm/bomutils",
|
|
"xar",
|
|
)
|
|
cmdXar.Args = append(cmdXar.Args, append([]string{"--compression", "none", "-cf", "/root/orbit.pkg"}, files...)...)
|
|
}
|
|
|
|
cmdXar.Stdout, cmdXar.Stderr = os.Stdout, os.Stderr
|
|
if err := cmdXar.Run(); err != nil {
|
|
return fmt.Errorf("run xar: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// bomReplace replaces the permission strings (typically "501/20") with the appropriate string ("0/80")
|
|
func bomReplace(inBom []byte) []byte {
|
|
return bomRegexp.ReplaceAll(inBom, []byte("$1\t0/80"))
|
|
}
|
|
|
|
func cpio(srcPath, dstPath string) error {
|
|
// This is the compression routine that is expected for pkg files.
|
|
dst, err := secure.OpenFile(dstPath, os.O_RDWR|os.O_CREATE, 0o755)
|
|
if err != nil {
|
|
return fmt.Errorf("open dst: %w", err)
|
|
}
|
|
defer dst.Close()
|
|
|
|
cmdFind := exec.Command("find", ".")
|
|
cmdFind.Dir = srcPath
|
|
cmdCpio := exec.Command("cpio", "-o", "--format", "odc", "-R", "0:80")
|
|
cmdCpio.Dir = srcPath
|
|
cmdGzip := exec.Command("gzip", "-c")
|
|
|
|
// Pipes like this: find | cpio | gzip > dstPath
|
|
cmdCpio.Stdin, err = cmdFind.StdoutPipe()
|
|
if err != nil {
|
|
return fmt.Errorf("pipe cpio: %w", err)
|
|
}
|
|
cmdGzip.Stdin, err = cmdCpio.StdoutPipe()
|
|
if err != nil {
|
|
return fmt.Errorf("pipe gzip: %w", err)
|
|
}
|
|
cmdGzip.Stdout = dst
|
|
|
|
err = cmdGzip.Start()
|
|
if err != nil {
|
|
return fmt.Errorf("start gzip: %w", err)
|
|
}
|
|
err = cmdCpio.Start()
|
|
if err != nil {
|
|
return fmt.Errorf("start cpio: %w", err)
|
|
}
|
|
err = cmdFind.Run()
|
|
if err != nil {
|
|
return fmt.Errorf("run find: %w", err)
|
|
}
|
|
err = cmdCpio.Wait()
|
|
if err != nil {
|
|
return fmt.Errorf("wait cpio: %w", err)
|
|
}
|
|
err = cmdGzip.Wait()
|
|
if err != nil {
|
|
return fmt.Errorf("wait gzip: %w", err)
|
|
}
|
|
err = dst.Sync()
|
|
if err != nil {
|
|
return fmt.Errorf("sync dst: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func signPkg(pkgPath, identity string) error {
|
|
var outBuf bytes.Buffer
|
|
cmdProductsign := exec.Command(
|
|
"productsign",
|
|
"--sign", identity,
|
|
pkgPath,
|
|
pkgPath+".signed",
|
|
)
|
|
cmdProductsign.Stdout = &outBuf
|
|
cmdProductsign.Stderr = &outBuf
|
|
if err := cmdProductsign.Run(); err != nil {
|
|
fmt.Println(outBuf.String())
|
|
return fmt.Errorf("productsign: %w", err)
|
|
}
|
|
|
|
if err := os.Rename(pkgPath+".signed", pkgPath); err != nil {
|
|
return fmt.Errorf("rename signed: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|