Feat save certs (#19390)

for #10383 # Checklist for submitter If some of the following don't apply, delete the relevant line.  - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
fleetdm · May 31, 2024 · a343eda · a343eda
2 parents 4571b54 + 83ecb0c
commit a343eda
Show file tree

Hide file tree

Showing 153 changed files with 5,227 additions and 1,604 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -38,6 +38,5 @@
     "prettier.requireConfig": true,
     "yaml.schemas": {
         "https://json.schemastore.org/codecov.json": ".github/workflows/codecov.yml"
-    },
-    "favorites.sortOrder": "ASC"
+    }
 }
diff --git a/changes/10383-mdm-saved-certs-ui b/changes/10383-mdm-saved-certs-ui
@@ -0,0 +1 @@
+- Updated UI to support new workflows for macOS MDM setup and credentials.
diff --git a/changes/19014-certs-endpoints b/changes/19014-certs-endpoints
@@ -0,0 +1,2 @@
+- Adds a `GET /fleet/mdm/apple/request_csr` endpoint, which returns the signed APNS CSR needed to
+  activate Apple MDM.
diff --git a/changes/19179-bm b/changes/19179-bm
@@ -0,0 +1 @@
+* Added new endpoints to configure ABM keypairs and tokens
diff --git a/changes/jve-pk-docs b/changes/jve-pk-docs
@@ -0,0 +1,2 @@
+- Updates the private key requirements to allow keys longer than 32 bytes
+- Adds documentation around the new `FLEET_SERVER_PRIVATE_KEY` var
diff --git a/changes/post-apns-cert b/changes/post-apns-cert
@@ -0,0 +1,2 @@
+- Adds 2 new endpoints: `POST` and `DELETE /fleet/mdm/apple/apns_certificate`. These endpoints let
+  users manage APNS certificates in Fleet.
diff --git a/changes/save-certs-encrypted b/changes/save-certs-encrypted
@@ -0,0 +1,2 @@
+- Adds a new Fleet server config variable, `FLEET_SERVER_PRIVATE_KEY`. This variable contains the
+  private key used to encrypt the MDM certificates and keys stored in Fleet.
diff --git a/cmd/fleet/cron.go b/cmd/fleet/cron.go
@@ -20,6 +20,7 @@ import (
 	"github.com/fleetdm/fleet/v4/server/fleet"
 	"github.com/fleetdm/fleet/v4/server/mdm"
 	apple_mdm "github.com/fleetdm/fleet/v4/server/mdm/apple"
+	"github.com/fleetdm/fleet/v4/server/mdm/assets"
 	"github.com/fleetdm/fleet/v4/server/mdm/nanodep/godep"
 	"github.com/fleetdm/fleet/v4/server/policies"
 	"github.com/fleetdm/fleet/v4/server/ptr"
@@ -807,7 +808,7 @@ func newCleanupsAndAggregationSchedule(
 		schedule.WithJob(
 			"verify_disk_encryption_keys",
 			func(ctx context.Context) error {
-				return verifyDiskEncryptionKeys(ctx, logger, ds, config)
+				return verifyDiskEncryptionKeys(ctx, logger, ds)
 			},
 		),
 		schedule.WithJob(
@@ -904,9 +905,15 @@ func verifyDiskEncryptionKeys(
 	ctx context.Context,
 	logger kitlog.Logger,
 	ds fleet.Datastore,
-	config *config.FleetConfig,
 ) error {
-	if !config.MDM.IsAppleSCEPSet() {
+
+	appCfg, err := ds.AppConfig(ctx)
+	if err != nil {
+		logger.Log("err", "unable to get app config", "details", err)
+		return ctxerr.Wrap(ctx, err, "fetching app config")
+	}
+
+	if !appCfg.MDM.EnabledAndConfigured {
 		logger.Log("inf", "skipping verification of macOS encryption keys as MDM is not fully configured")
 		return nil
 	}
@@ -917,10 +924,10 @@ func verifyDiskEncryptionKeys(
 		return err
 	}
 
-	cert, _, _, err := config.MDM.AppleSCEP()
+	cert, err := assets.CAKeyPair(ctx, ds)
 	if err != nil {
-		logger.Log("err", "unable to get SCEP keypair to decrypt keys", "details", err)
-		return err
+		logger.Log("err", "unable to get CA keypair", "details", err)
+		return ctxerr.Wrap(ctx, err, "parsing SCEP keypair")
 	}
 
 	decryptable := []uint{}
@@ -1013,11 +1020,24 @@ func newAppleMDMDEPProfileAssigner(
 ) (*schedule.Schedule, error) {
 	const name = string(fleet.CronAppleMDMDEPProfileAssigner)
 	logger = kitlog.With(logger, "cron", name, "component", "nanodep-syncer")
-	fleetSyncer := apple_mdm.NewDEPService(ds, depStorage, logger)
+	var fleetSyncer *apple_mdm.DEPService
 	s := schedule.New(
 		ctx, name, instanceID, periodicity, ds, ds,
 		schedule.WithLogger(logger),
 		schedule.WithJob("dep_syncer", func(ctx context.Context) error {
+			appCfg, err := ds.AppConfig(ctx)
+			if err != nil {
+				return ctxerr.Wrap(ctx, err, "retrieving app config")
+			}
+
+			if !appCfg.MDM.AppleBMEnabledAndConfigured {
+				return nil
+			}
+
+			if fleetSyncer == nil {
+				fleetSyncer = apple_mdm.NewDEPService(ds, depStorage, logger)
+			}
+
 			return fleetSyncer.RunAssigner(ctx)
 		}),
 	)
@@ -1031,8 +1051,6 @@ func newMDMProfileManager(
 	ds fleet.Datastore,
 	commander *apple_mdm.MDMAppleCommander,
 	logger kitlog.Logger,
-	loggingDebug bool,
-	cfg config.MDMConfig,
 ) (*schedule.Schedule, error) {
 	const (
 		name = string(fleet.CronMDMAppleProfileManager)
@@ -1047,7 +1065,7 @@ func newMDMProfileManager(
 		ctx, name, instanceID, defaultInterval, ds, ds,
 		schedule.WithLogger(logger),
 		schedule.WithJob("manage_apple_profiles", func(ctx context.Context) error {
-			return service.ReconcileAppleProfiles(ctx, ds, commander, logger, cfg)
+			return service.ReconcileAppleProfiles(ctx, ds, commander, logger)
 		}),
 		schedule.WithJob("manage_apple_declarations", func(ctx context.Context) error {
 			return service.ReconcileAppleDeclarations(ctx, ds, commander, logger)
@@ -1196,6 +1214,16 @@ func newIPhoneIPadRefetcher(
 		ctx, name, instanceID, periodicity, ds, ds,
 		schedule.WithLogger(logger),
 		schedule.WithJob("cron_iphone_ipad_refetcher", func(ctx context.Context) error {
+			appCfg, err := ds.AppConfig(ctx)
+			if err != nil {
+				return ctxerr.Wrap(ctx, err, "fetching app config")
+			}
+
+			if !appCfg.MDM.EnabledAndConfigured {
+				level.Debug(logger).Log("msg", "apple mdm is not configured, skipping run")
+				return nil
+			}
+
 			start := time.Now()
 			uuids, err := ds.ListIOSAndIPadOSToRefetch(ctx, 1*time.Hour)
 			if err != nil {

diff --git a/cmd/fleet/cron_test.go b/cmd/fleet/cron_test.go
@@ -6,21 +6,20 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"github.com/fleetdm/fleet/v4/server/config"
 	apple_mdm "github.com/fleetdm/fleet/v4/server/mdm/apple"
 	"github.com/fleetdm/fleet/v4/server/mock"
+	mdmmock "github.com/fleetdm/fleet/v4/server/mock/mdm"
 	kitlog "github.com/go-kit/log"
 )
 
 func TestNewMDMProfileManagerWithoutConfig(t *testing.T) {
 	ctx := context.Background()
-	mdmStorage := &mock.MDMAppleStore{}
+	mdmStorage := &mdmmock.MDMAppleStore{}
 	ds := new(mock.Store)
-	mdmConfig := config.MDMConfig{}
-	cmdr := apple_mdm.NewMDMAppleCommander(mdmStorage, nil, mdmConfig)
+	cmdr := apple_mdm.NewMDMAppleCommander(mdmStorage, nil)
 	logger := kitlog.NewNopLogger()
 
-	sch, err := newMDMProfileManager(ctx, "foo", ds, cmdr, logger, false, mdmConfig)
+	sch, err := newMDMProfileManager(ctx, "foo", ds, cmdr, logger)
 	require.NotNil(t, sch)
 	require.NoError(t, err)
 }