fleet/website/api/controllers/microsoft-proxy/get-compliance-partner-settings.js


Website: Add Microsoft compliance proxy endpoints. (#27403) Changes: - Created a new database model: `MicrosoftComplianceTenant`. A model that stores information about compliance tenants - Added `/policies/is-cloud-customer`: a policy that blocks requests to microsoft proxy endpoints if a `MS API KEY` header is missing or does not match a new config variable (`sails.custom.config.cloudCustomerCompliancePartnerSharedSecret`) - Added `microsoft-proxy/create-compliance-partner-tenant`: an action that creates a database record for a new compliance tenant and generates an API key that is used to authenticate future requests to microsoft proxy endpoints for an entra tenant. - Added `microsoft-proxy/get-compliance-partner-settings`: an action that returns information about Fleet's compliance partner entra application and the entra tenant's admin consent status (whether or not a tenant's entra admin has granted permissions to Fleet's compliance partner application) - Added `microsoft-proxy/get-tenants-admin-consent-status`: an action that updates the admin consent status of a compliance tenant record. - Added `microsoft-proxy/setup-compliance-partner-tenant`: an action that provisions a compliance tenant, creates a compliance policy for macOS devices and assigns the created policy to the built-in "All users" user group on the tenant's entra instance. - Added `microsoft-proxy/update-one-devices-compliance-status`: an action that receives information about a device on a compliance tenant's Fleet instance, sends that information to their Entra instance, and returns the message ID returned by the asynchronous Entra API. - Added `microsoft-proxy/get-one-compliance-status-result`: an action that returns the result of a compliance status update from the Entra API. - Added `sails.helpers.microsoft-proxy.get-access-token-and-api-urls` A helper that gets an access token for a tenant's entra instance and the URLs of the API endpoints the microsoft proxy actions use for a tenant. 
- Added `scripts/send-entra-heartbeat-requests` A script that will run daily to keep all microsoft compliance integrations provisioned. - --------- Co-authored-by: Lucas Rodriguez <[email protected]>
2025-06-11 18:01:36 +00:00
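module.exports = {


  friendlyName: 'Get compliance partner settings',


  description: 'Return the setup and admin-consent status of a Microsoft compliance tenant, together with a freshly minted admin consent URL for it.',


  inputs: {

    entraTenantId: {
      type: 'string',
      required: true,
      description: 'The Entra tenant ID of the compliance tenant whose settings are being requested.',
    },

    fleetServerSecret: {
      type: 'string',
      required: true,
      description: 'The per-tenant secret stored on the MicrosoftComplianceTenant record; a caller must present it to read or act on that tenant.',
    },

  },


  exits: {
    success: { outputDescription: 'The setup and admin consent status of a Microsoft compliance tenant'},
  },


  /**
   * Look up the compliance tenant identified by `entraTenantId` + `fleetServerSecret`,
   * rotate its admin-consent state token, and return its status plus a consent URL.
   *
   * Responds 404 when no record matches BOTH values, so a caller who knows only a
   * tenant ID cannot read that tenant's status or mint consent links for it.
   *
   * Side effect: overwrites `stateTokenForAdminConsent` on the tenant record on every
   * call, so only the most recently issued consent link carries a valid state value.
   */
  fn: async function ({entraTenantId, fleetServerSecret}) {

    // NOTE(review): the secret is matched by the database query rather than compared in
    // code. If the backing column uses a case-insensitive collation the match is weaker
    // than a byte-for-byte comparison — confirm the column definition, or load the record
    // by entraTenantId alone and compare the secret with crypto.timingSafeEqual.
    let informationAboutThisTenant = await MicrosoftComplianceTenant.findOne({entraTenantId: entraTenantId, fleetServerSecret: fleetServerSecret});
    if(!informationAboutThisTenant) {
      // Same response for "unknown tenant" and "wrong secret": don't reveal which one failed.
      return this.res.notFound();
    }

    // Generate a fresh state token for the admin consent link and persist it on the tenant
    // record; the consent callback is expected to match it back to this tenant.
    // (Assumes sails.helpers.strings.random draws from a CSPRNG — TODO confirm, since this
    // token is what binds the Entra consent redirect to this tenant.)
    let stateTokenForThisAdminConsentLink = sails.helpers.strings.random.with({len: 30, style: 'url-friendly'});
    await MicrosoftComplianceTenant.updateOne({id: informationAboutThisTenant.id}).set({stateTokenForAdminConsent: stateTokenForThisAdminConsentLink});

    // Build the admin consent URL. Every interpolated value is percent-encoded, including the
    // tenant ID in the path segment and not only the query parameters, so no request-supplied
    // value can alter the URL's structure.
    let redirectUriForAdminConsent = `${sails.config.custom.baseUrl}/api/v1/microsoft-compliance-partner/adminconsent`;
    let adminConsentUrlForThisTenant = `https://login.microsoftonline.com/${encodeURIComponent(entraTenantId)}/adminconsent`
      + `?client_id=${encodeURIComponent(sails.config.custom.compliancePartnerClientId)}`
      + `&state=${encodeURIComponent(stateTokenForThisAdminConsentLink)}`
      + `&redirect_uri=${encodeURIComponent(redirectUriForAdminConsent)}`;

    // Response keys are snake_case to match the rest of the proxy API.
    return {
      entra_tenant_id: entraTenantId,// eslint-disable-line camelcase
      setup_done: informationAboutThisTenant.setupCompleted,// eslint-disable-line camelcase
      admin_consented: informationAboutThisTenant.adminConsented,// eslint-disable-line camelcase
      admin_consent_url: adminConsentUrlForThisTenant,// eslint-disable-line camelcase
      setup_error: informationAboutThisTenant.setupError// eslint-disable-line camelcase
    };

  }


};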