2024-02-13 18:03:53 +00:00
|
|
|
package mysql
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"crypto/tls"
|
2025-09-17 19:38:54 +00:00
|
|
|
"database/sql"
|
2024-02-13 18:03:53 +00:00
|
|
|
"errors"
|
2024-05-30 21:18:42 +00:00
|
|
|
"fmt"
|
2026-02-19 14:27:24 +00:00
|
|
|
"log/slog"
|
2024-02-13 18:03:53 +00:00
|
|
|
"strings"
|
2024-11-20 19:08:27 +00:00
|
|
|
"time"
|
2024-02-13 18:03:53 +00:00
|
|
|
|
2024-08-29 22:51:46 +00:00
|
|
|
abmctx "github.com/fleetdm/fleet/v4/server/contexts/apple_bm"
|
2024-02-13 18:03:53 +00:00
|
|
|
"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
|
|
|
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
2024-05-30 21:18:42 +00:00
|
|
|
"github.com/fleetdm/fleet/v4/server/mdm/assets"
|
2024-02-26 15:26:00 +00:00
|
|
|
nanodep_client "github.com/fleetdm/fleet/v4/server/mdm/nanodep/client"
|
|
|
|
|
nanodep_mysql "github.com/fleetdm/fleet/v4/server/mdm/nanodep/storage/mysql"
|
2024-02-13 18:03:53 +00:00
|
|
|
"github.com/fleetdm/fleet/v4/server/mdm/nanomdm/mdm"
|
|
|
|
|
nanomdm_mysql "github.com/fleetdm/fleet/v4/server/mdm/nanomdm/storage/mysql"
|
2026-01-08 19:17:19 +00:00
|
|
|
common_mysql "github.com/fleetdm/fleet/v4/server/platform/mysql"
|
2024-02-13 18:03:53 +00:00
|
|
|
"github.com/jmoiron/sqlx"
|
|
|
|
|
)
|
|
|
|
|
|
2025-09-17 19:38:54 +00:00
|
|
|
// lockConflictError indicates a lock command already exists for the host
|
|
|
|
|
type lockConflictError struct {
|
|
|
|
|
hostUUID string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (e lockConflictError) Error() string {
|
|
|
|
|
return "host already has a pending lock command"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (e lockConflictError) IsConflict() bool {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-19 22:06:00 +00:00
|
|
|
func (e lockConflictError) IsClientError() bool {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
2025-09-17 19:38:54 +00:00
|
|
|
// isConflict checks if an error implements the IsConflict() interface
|
|
|
|
|
func isConflict(err error) bool {
|
|
|
|
|
type conflictInterface interface {
|
|
|
|
|
IsConflict() bool
|
|
|
|
|
}
|
|
|
|
|
if c, ok := err.(conflictInterface); ok {
|
|
|
|
|
return c.IsConflict()
|
|
|
|
|
}
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-13 18:03:53 +00:00
|
|
|
// NanoMDMStorage wraps a *nanomdm_mysql.MySQLStorage and overrides further functionality.
|
|
|
|
|
type NanoMDMStorage struct {
|
|
|
|
|
*nanomdm_mysql.MySQLStorage
|
|
|
|
|
|
2024-05-30 21:18:42 +00:00
|
|
|
db *sqlx.DB
|
2026-02-19 14:27:24 +00:00
|
|
|
logger *slog.Logger
|
2024-05-30 21:18:42 +00:00
|
|
|
ds fleet.Datastore
|
2024-02-13 18:03:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewMDMAppleMDMStorage returns a MySQL nanomdm storage that uses the Datastore
|
|
|
|
|
// underlying MySQL writer *sql.DB.
|
2024-05-30 21:18:42 +00:00
|
|
|
func (ds *Datastore) NewMDMAppleMDMStorage() (*NanoMDMStorage, error) {
|
2024-11-20 19:08:27 +00:00
|
|
|
s, err := nanomdm_mysql.New(
|
|
|
|
|
nanomdm_mysql.WithDB(ds.primary.DB),
|
2026-02-24 22:52:36 +00:00
|
|
|
nanomdm_mysql.WithLogger(ds.logger),
|
2024-12-05 18:02:48 +00:00
|
|
|
nanomdm_mysql.WithReaderFunc(ds.reader),
|
2024-11-20 19:08:27 +00:00
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return &NanoMDMStorage{
|
|
|
|
|
MySQLStorage: s,
|
|
|
|
|
db: ds.primary,
|
2026-02-24 22:52:36 +00:00
|
|
|
logger: ds.logger,
|
2024-11-20 19:08:27 +00:00
|
|
|
ds: ds,
|
|
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewTestMDMAppleMDMStorage returns a test MySQL nanomdm storage that uses the
|
|
|
|
|
// Datastore underlying MySQL writer *sql.DB. It allows configuring the async
|
|
|
|
|
// last seen time's capacity and interval and should only be used in tests.
|
|
|
|
|
func (ds *Datastore) NewTestMDMAppleMDMStorage(asyncCap int, asyncInterval time.Duration) (*NanoMDMStorage, error) {
|
|
|
|
|
s, err := nanomdm_mysql.New(
|
|
|
|
|
nanomdm_mysql.WithDB(ds.primary.DB),
|
2026-02-24 22:52:36 +00:00
|
|
|
nanomdm_mysql.WithLogger(ds.logger),
|
2024-12-05 18:02:48 +00:00
|
|
|
nanomdm_mysql.WithReaderFunc(ds.reader),
|
2024-11-20 19:08:27 +00:00
|
|
|
nanomdm_mysql.WithAsyncLastSeen(asyncCap, asyncInterval),
|
|
|
|
|
)
|
2024-02-13 18:03:53 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return &NanoMDMStorage{
|
|
|
|
|
MySQLStorage: s,
|
|
|
|
|
db: ds.primary,
|
2026-02-24 22:52:36 +00:00
|
|
|
logger: ds.logger,
|
2024-05-30 21:18:42 +00:00
|
|
|
ds: ds,
|
2024-02-13 18:03:53 +00:00
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// RetrievePushCert partially implements nanomdm_storage.PushCertStore.
|
|
|
|
|
//
|
2024-05-30 21:18:42 +00:00
|
|
|
// Always returns "0" as stale token because fleet.Datastore always returns a valid push certificate.
|
2024-02-13 18:03:53 +00:00
|
|
|
func (s *NanoMDMStorage) RetrievePushCert(
|
|
|
|
|
ctx context.Context, topic string,
|
2024-05-30 21:18:42 +00:00
|
|
|
) (*tls.Certificate, string, error) {
|
|
|
|
|
cert, err := assets.APNSKeyPair(ctx, s.ds)
|
2024-02-13 18:03:53 +00:00
|
|
|
if err != nil {
|
2024-05-30 21:18:42 +00:00
|
|
|
return nil, "", ctxerr.Wrap(ctx, err, "loading push certificate")
|
2024-02-13 18:03:53 +00:00
|
|
|
}
|
2024-05-30 21:18:42 +00:00
|
|
|
return cert, "0", nil
|
2024-02-13 18:03:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// IsPushCertStale partially implements nanomdm_storage.PushCertStore.
|
|
|
|
|
//
|
2024-05-30 21:18:42 +00:00
|
|
|
// Always returns `false` because the underlying datastore implementation makes sure that the token is always fresh.
|
2024-02-13 18:03:53 +00:00
|
|
|
func (s *NanoMDMStorage) IsPushCertStale(ctx context.Context, topic, staleToken string) (bool, error) {
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// StorePushCert partially implements nanomdm_storage.PushCertStore.
|
|
|
|
|
func (s *NanoMDMStorage) StorePushCert(ctx context.Context, pemCert, pemKey []byte) error {
|
2024-05-30 21:18:42 +00:00
|
|
|
return errors.New("please use fleet.Datastore to manage MDM assets")
|
2024-02-13 18:03:53 +00:00
|
|
|
}
|
|
|
|
|
|
2025-09-17 19:38:54 +00:00
|
|
|
// GetPendingLockCommand returns the most recent unacknowledged DeviceLock command
|
|
|
|
|
// for the given host, along with its unlock PIN.
|
|
|
|
|
// Returns nil, "", nil if no pending lock command exists.
|
|
|
|
|
func (s *NanoMDMStorage) GetPendingLockCommand(ctx context.Context, hostUUID string) (*mdm.Command, string, error) {
|
|
|
|
|
query := `
|
|
|
|
|
SELECT nc.command_uuid, nc.request_type, nc.command, hma.unlock_pin
|
|
|
|
|
FROM nano_commands nc
|
|
|
|
|
INNER JOIN host_mdm_actions hma ON hma.lock_ref = nc.command_uuid
|
|
|
|
|
LEFT JOIN nano_command_results ncr ON ncr.command_uuid = nc.command_uuid
|
|
|
|
|
INNER JOIN nano_enrollment_queue neq ON neq.command_uuid = nc.command_uuid
|
|
|
|
|
WHERE neq.id = ?
|
|
|
|
|
AND nc.request_type = 'DeviceLock'
|
|
|
|
|
AND ncr.command_uuid IS NULL
|
|
|
|
|
ORDER BY nc.created_at DESC
|
|
|
|
|
LIMIT 1`
|
|
|
|
|
|
|
|
|
|
var result struct {
|
|
|
|
|
CommandUUID string `db:"command_uuid"`
|
|
|
|
|
RequestType string `db:"request_type"`
|
|
|
|
|
Command []byte `db:"command"`
|
|
|
|
|
UnlockPIN string `db:"unlock_pin"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err := sqlx.GetContext(ctx, s.db, &result, query, hostUUID)
|
|
|
|
|
if err == sql.ErrNoRows {
|
|
|
|
|
return nil, "", nil
|
|
|
|
|
}
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, "", ctxerr.Wrap(ctx, err, "getting pending lock command")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cmd := &mdm.Command{
|
|
|
|
|
CommandUUID: result.CommandUUID,
|
|
|
|
|
Command: struct {
|
|
|
|
|
RequestType string
|
|
|
|
|
}{
|
|
|
|
|
RequestType: result.RequestType,
|
|
|
|
|
},
|
|
|
|
|
Raw: result.Command,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return cmd, result.UnlockPIN, nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-13 18:03:53 +00:00
|
|
|
// EnqueueDeviceLockCommand enqueues a DeviceLock command for the given host.
|
|
|
|
|
//
|
|
|
|
|
// A few implementation details:
|
|
|
|
|
// - It can only be called for a single hosts, to ensure we don't use the same
|
|
|
|
|
// pin for multiple hosts.
|
|
|
|
|
// - The method performs fleet-specific actions after the command is enqueued.
|
2025-09-17 19:38:54 +00:00
|
|
|
// - It will fail with a ConflictError if a lock command already exists.
|
2024-02-13 18:03:53 +00:00
|
|
|
func (s *NanoMDMStorage) EnqueueDeviceLockCommand(
|
|
|
|
|
ctx context.Context,
|
|
|
|
|
host *fleet.Host,
|
|
|
|
|
cmd *mdm.Command,
|
|
|
|
|
pin string,
|
|
|
|
|
) error {
|
2024-12-16 17:16:42 +00:00
|
|
|
return common_mysql.WithRetryTxx(ctx, s.db, func(tx sqlx.ExtContext) error {
|
2025-09-17 19:38:54 +00:00
|
|
|
// check if a lock already exists using SELECT FOR UPDATE to prevent a race
|
|
|
|
|
var existingLockRef *string
|
|
|
|
|
err := sqlx.GetContext(ctx, tx, &existingLockRef,
|
|
|
|
|
`SELECT lock_ref FROM host_mdm_actions WHERE host_id = ? FOR UPDATE`,
|
|
|
|
|
host.ID)
|
|
|
|
|
|
|
|
|
|
// If we got a row and it has a lock_ref, fail with conflict
|
|
|
|
|
if err == nil && existingLockRef != nil && *existingLockRef != "" {
|
|
|
|
|
// A lock command already exists, don't overwrite
|
|
|
|
|
return lockConflictError{hostUUID: host.UUID}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If the row doesn't exist, that's OK, we'll insert it
|
|
|
|
|
if err != nil && err != sql.ErrNoRows {
|
|
|
|
|
return ctxerr.Wrap(ctx, err, "checking for existing lock")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Now enqueue the command
|
2024-02-13 18:03:53 +00:00
|
|
|
if err := enqueueCommandDB(ctx, tx, []string{host.UUID}, cmd); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2025-09-17 19:38:54 +00:00
|
|
|
// Insert or update the host_mdm_actions row
|
2024-02-13 18:03:53 +00:00
|
|
|
stmt := `
|
2024-02-26 16:31:00 +00:00
|
|
|
INSERT INTO host_mdm_actions (
|
|
|
|
|
host_id,
|
|
|
|
|
lock_ref,
|
2024-02-26 21:52:23 +00:00
|
|
|
unlock_pin,
|
|
|
|
|
fleet_platform
|
2024-02-26 16:31:00 +00:00
|
|
|
)
|
2024-02-26 21:52:23 +00:00
|
|
|
VALUES (?, ?, ?, ?)
|
2024-02-26 16:31:00 +00:00
|
|
|
ON DUPLICATE KEY UPDATE
|
|
|
|
|
wipe_ref = NULL,
|
|
|
|
|
unlock_ref = NULL,
|
2024-02-13 18:03:53 +00:00
|
|
|
unlock_pin = VALUES(unlock_pin),
|
2024-02-26 16:31:00 +00:00
|
|
|
lock_ref = VALUES(lock_ref)`
|
2024-02-13 18:03:53 +00:00
|
|
|
|
2024-02-26 21:52:23 +00:00
|
|
|
if _, err := tx.ExecContext(ctx, stmt, host.ID, cmd.CommandUUID, pin, host.FleetPlatform()); err != nil {
|
2024-02-13 18:03:53 +00:00
|
|
|
return ctxerr.Wrap(ctx, err, "modifying host_mdm_actions for DeviceLock")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}, s.logger)
|
|
|
|
|
}
|
|
|
|
|
|
Add lost mode behaviour for iOS/iPadOS (#33805)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #33416
It's been decided to ship the feature and in the guide mention the apple
bug, that we are currently tracking.
[Slack
🧵](https://fleetdm.slack.com/archives/C03C41L5YEL/p1760448150025089?thread_ts=1760433366.092499&cid=C03C41L5YEL)
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* New Features
* Added Lost Mode support to lock iOS and iPadOS devices.
* Added ability to disable Lost Mode to unlock iOS/iPadOS devices.
* Improvements
* More consistent lock/unlock experience across macOS, iOS/iPadOS,
Windows, and Linux, with clearer status and activity updates.
* iOS/iPadOS now shows pending unlock status while Lost Mode disable is
in progress.
* Tests
* Added comprehensive end-to-end tests covering lock/unlock/wipe across
Apple, Windows, and Linux devices.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-10-14 14:30:05 +00:00
|
|
|
func (s *NanoMDMStorage) EnqueueDeviceUnlockCommand(ctx context.Context, host *fleet.Host, cmd *mdm.Command) error {
|
|
|
|
|
return common_mysql.WithRetryTxx(ctx, s.db, func(tx sqlx.ExtContext) error {
|
|
|
|
|
if err := enqueueCommandDB(ctx, tx, []string{host.UUID}, cmd); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
stmt := `
|
|
|
|
|
INSERT INTO host_mdm_actions (
|
|
|
|
|
host_id,
|
|
|
|
|
unlock_ref,
|
|
|
|
|
fleet_platform
|
|
|
|
|
)
|
|
|
|
|
VALUES (?, ?, ?)
|
|
|
|
|
ON DUPLICATE KEY UPDATE
|
|
|
|
|
unlock_ref = VALUES(unlock_ref),
|
|
|
|
|
unlock_pin = NULL`
|
|
|
|
|
|
|
|
|
|
if _, err := tx.ExecContext(ctx, stmt, host.ID, cmd.CommandUUID, host.FleetPlatform()); err != nil {
|
|
|
|
|
return ctxerr.Wrap(ctx, err, "modifying host_mdm_actions for DeviceUnlock")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}, s.logger)
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-26 16:31:00 +00:00
|
|
|
// EnqueueDeviceWipeCommand enqueues a EraseDevice command for the given host.
|
|
|
|
|
func (s *NanoMDMStorage) EnqueueDeviceWipeCommand(ctx context.Context, host *fleet.Host, cmd *mdm.Command) error {
|
2024-12-16 17:16:42 +00:00
|
|
|
return common_mysql.WithRetryTxx(ctx, s.db, func(tx sqlx.ExtContext) error {
|
2024-02-26 16:31:00 +00:00
|
|
|
if err := enqueueCommandDB(ctx, tx, []string{host.UUID}, cmd); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
stmt := `
|
|
|
|
|
INSERT INTO host_mdm_actions (
|
|
|
|
|
host_id,
|
2024-02-26 21:52:23 +00:00
|
|
|
wipe_ref,
|
|
|
|
|
fleet_platform
|
2024-02-26 16:31:00 +00:00
|
|
|
)
|
2024-02-26 21:52:23 +00:00
|
|
|
VALUES (?, ?, ?)
|
2024-02-26 16:31:00 +00:00
|
|
|
ON DUPLICATE KEY UPDATE
|
|
|
|
|
wipe_ref = VALUES(wipe_ref)`
|
|
|
|
|
|
2024-02-26 21:52:23 +00:00
|
|
|
if _, err := tx.ExecContext(ctx, stmt, host.ID, cmd.CommandUUID, host.FleetPlatform()); err != nil {
|
2024-02-26 16:31:00 +00:00
|
|
|
return ctxerr.Wrap(ctx, err, "modifying host_mdm_actions for DeviceWipe")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}, s.logger)
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-09 18:47:27 +00:00
|
|
|
func (s *NanoMDMStorage) GetAllMDMConfigAssetsByName(ctx context.Context, assetNames []fleet.MDMAssetName,
|
Add lost mode behaviour for iOS/iPadOS (#33805)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #33416
It's been decided to ship the feature and in the guide mention the apple
bug, that we are currently tracking.
[Slack
🧵](https://fleetdm.slack.com/archives/C03C41L5YEL/p1760448150025089?thread_ts=1760433366.092499&cid=C03C41L5YEL)
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* New Features
* Added Lost Mode support to lock iOS and iPadOS devices.
* Added ability to disable Lost Mode to unlock iOS/iPadOS devices.
* Improvements
* More consistent lock/unlock experience across macOS, iOS/iPadOS,
Windows, and Linux, with clearer status and activity updates.
* iOS/iPadOS now shows pending unlock status while Lost Mode disable is
in progress.
* Tests
* Added comprehensive end-to-end tests covering lock/unlock/wipe across
Apple, Windows, and Linux devices.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-10-14 14:30:05 +00:00
|
|
|
queryerContext sqlx.QueryerContext,
|
|
|
|
|
) (map[fleet.MDMAssetName]fleet.MDMConfigAsset, error) {
|
2024-10-09 18:47:27 +00:00
|
|
|
return s.ds.GetAllMDMConfigAssetsByName(ctx, assetNames, queryerContext)
|
2024-05-30 21:18:42 +00:00
|
|
|
}
|
|
|
|
|
|
2024-08-29 22:51:46 +00:00
|
|
|
func (s *NanoMDMStorage) GetABMTokenByOrgName(ctx context.Context, orgName string) (*fleet.ABMToken, error) {
|
|
|
|
|
return s.ds.GetABMTokenByOrgName(ctx, orgName)
|
|
|
|
|
}
|
|
|
|
|
|
2024-12-18 21:27:35 +00:00
|
|
|
// ExpandEmbeddedSecrets in NanoMDMStorage overrides the implementation in nanomdm_mysql.MySQLStorage.
|
|
|
|
|
func (s *NanoMDMStorage) ExpandEmbeddedSecrets(ctx context.Context, document string) (string, error) {
|
|
|
|
|
return s.ds.ExpandEmbeddedSecrets(ctx, document)
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-12 12:06:56 +00:00
|
|
|
// ExpandHostSecrets expands host-scoped secrets in the document using the enrollment ID.
|
|
|
|
|
func (s *NanoMDMStorage) ExpandHostSecrets(ctx context.Context, document string, enrollmentID string) (string, error) {
|
|
|
|
|
return s.ds.ExpandHostSecrets(ctx, document, enrollmentID)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *NanoMDMStorage) SetRecoveryLockFailed(ctx context.Context, hostUUID string, errorMsg string) error {
|
|
|
|
|
return s.ds.SetRecoveryLockFailed(ctx, hostUUID, errorMsg)
|
|
|
|
|
}
|
|
|
|
|
|
2025-03-05 13:59:07 +00:00
|
|
|
// ClearQueue in NanoMDMStorage overrides the implementation in
|
|
|
|
|
// nanomdm_mysql.MySQLStorage. It does call
|
|
|
|
|
// nanomdm_mysql.MySQLStorage.ClearQueue, but expands on its behavior.
|
|
|
|
|
func (s *NanoMDMStorage) ClearQueue(r *mdm.Request) error {
|
|
|
|
|
err := common_mysql.WithRetryTxx(r.Context, s.db, func(tx sqlx.ExtContext) error {
|
|
|
|
|
if err := s.ds.ClearMDMUpcomingActivitiesDB(r.Context, tx, r.ID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}, s.logger)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return s.MySQLStorage.ClearQueue(r)
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-13 18:03:53 +00:00
|
|
|
// NewMDMAppleDEPStorage returns a MySQL nanodep storage that uses the Datastore
|
|
|
|
|
// underlying MySQL writer *sql.DB.
|
2024-05-30 21:18:42 +00:00
|
|
|
func (ds *Datastore) NewMDMAppleDEPStorage() (*NanoDEPStorage, error) {
|
2024-02-13 18:03:53 +00:00
|
|
|
s, err := nanodep_mysql.New(nanodep_mysql.WithDB(ds.primary.DB))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &NanoDEPStorage{
|
|
|
|
|
MySQLStorage: s,
|
2024-05-30 21:18:42 +00:00
|
|
|
ds: ds,
|
2024-02-13 18:03:53 +00:00
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NanoDEPStorage wraps a *nanodep_mysql.MySQLStorage and overrides functionality to load
|
2024-05-30 21:18:42 +00:00
|
|
|
// DEP auth tokens from the tables managed by Fleet.
|
2024-02-13 18:03:53 +00:00
|
|
|
type NanoDEPStorage struct {
|
|
|
|
|
*nanodep_mysql.MySQLStorage
|
2024-05-30 21:18:42 +00:00
|
|
|
ds fleet.Datastore
|
2024-02-13 18:03:53 +00:00
|
|
|
}
|
|
|
|
|
|
2024-08-29 22:51:46 +00:00
|
|
|
// RetrieveAuthTokens partially implements nanodep.AuthTokensRetriever. NOTE: this method will first
|
|
|
|
|
// check the context for an ABM token; if it doesn't find one, it will fall back to checking the DB.
|
|
|
|
|
// This is so we can use the existing DEP client machinery without major changes. See
|
|
|
|
|
// https://github.com/fleetdm/fleet/issues/21177 for more details.
|
2024-02-13 18:03:53 +00:00
|
|
|
func (s *NanoDEPStorage) RetrieveAuthTokens(ctx context.Context, name string) (*nanodep_client.OAuth1Tokens, error) {
|
2024-08-29 22:51:46 +00:00
|
|
|
if ctxTok, ok := abmctx.FromContext(ctx); ok {
|
|
|
|
|
return ctxTok, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
token, err := assets.ABMToken(ctx, s.ds, name)
|
2024-05-30 21:18:42 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("retrieving token in nano dep storage: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return token, nil
|
2024-02-13 18:03:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// StoreAuthTokens partially implements nanodep.AuthTokensStorer.
|
|
|
|
|
func (s *NanoDEPStorage) StoreAuthTokens(ctx context.Context, name string, tokens *nanodep_client.OAuth1Tokens) error {
|
2024-05-30 21:18:42 +00:00
|
|
|
return errors.New("please use fleet.Datastore to manage MDM assets")
|
2024-02-13 18:03:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func enqueueCommandDB(ctx context.Context, tx sqlx.ExtContext, ids []string, cmd *mdm.Command) error {
|
|
|
|
|
// NOTE: the code to insert into nano_commands and
|
|
|
|
|
// nano_enrollment_queue was copied verbatim from the nanomdm
|
|
|
|
|
// implementation. Ideally we modify some of the interfaces to not
|
|
|
|
|
// duplicate the code here, but that needs more careful planning
|
|
|
|
|
// (which we lack right now)
|
|
|
|
|
if len(ids) < 1 {
|
|
|
|
|
return errors.New("no id(s) supplied to queue command to")
|
|
|
|
|
}
|
|
|
|
|
_, err := tx.ExecContext(
|
|
|
|
|
ctx,
|
|
|
|
|
`INSERT INTO nano_commands (command_uuid, request_type, command) VALUES (?, ?, ?);`,
|
|
|
|
|
cmd.CommandUUID, cmd.Command.RequestType, cmd.Raw,
|
|
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
query := `INSERT INTO nano_enrollment_queue (id, command_uuid) VALUES (?, ?)`
|
|
|
|
|
query += strings.Repeat(", (?, ?)", len(ids)-1)
|
|
|
|
|
args := make([]interface{}, len(ids)*2)
|
|
|
|
|
for i, id := range ids {
|
|
|
|
|
args[i*2] = id
|
|
|
|
|
args[i*2+1] = cmd.CommandUUID
|
|
|
|
|
}
|
|
|
|
|
if _, err = tx.ExecContext(ctx, query+";", args...); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|