fleet/server/utils.go

package server

import (
	"bytes"
	"context"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"io/ioutil"
	"net/http"
	"time"

	"github.com/fleetdm/fleet/v4/pkg/fleethttp"
)

// GenerateRandomText return a string generated by filling in keySize bytes with
// random data and then base64 encoding those bytes
func GenerateRandomText(keySize int) (string, error) {
	key := make([]byte, keySize)
	_, err := rand.Read(key)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(key), nil
}

func httpSuccessStatus(statusCode int) bool {
	return statusCode >= 200 && statusCode <= 299
}

func PostJSONWithTimeout(ctx context.Context, url string, v interface{}) error {
	jsonBytes, err := json.Marshal(v)
	if err != nil {
		return err
	}

	client := fleethttp.NewClient(fleethttp.WithTimeout(30 * time.Second))
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewBuffer(jsonBytes))
	if err != nil {
		return err
	}

	req.Header.Set("Content-Type", "application/json")

	resp, err := client.Do(req)
	if err != nil {
		return fmt.Errorf("failed to POST to %s: %s, request-size=%d", url, err, len(jsonBytes))
	}
	defer resp.Body.Close()

	if !httpSuccessStatus(resp.StatusCode) {
		body, _ := ioutil.ReadAll(resp.Body)
		return fmt.Errorf("error posting to %s: %d. %s", url, resp.StatusCode, string(body))
	}

	return nil
}

// TODO: Consider moving other crypto functions from server/mdm/apple/util to here

// DecodePrivateKeyPEM decodes PEM-encoded private key data.
func DecodePrivateKeyPEM(encoded []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(encoded)
	if block == nil {
		return nil, errors.New("no PEM-encoded data found")
	}
	if block.Type != "RSA PRIVATE KEY" {
		return nil, fmt.Errorf("unexpected block type %s", block.Type)
	}

	return x509.ParsePKCS1PrivateKey(block.Bytes)
}
Issue 1278 select leader (#1367) * Add leader selection * remove comment * Address review comments * Add changes file * Simplify implementation * Simplify further * Whoops, removed a little too much 2021-07-19 18:08:41 +00:00			`package server`

			`import (`
Issue 1599 offline webhook (#1777) * wip * Add tests and finish implementation * Add proper default for periodicity, changes file, and documentation * Fix tests and add defaults also to new installs * EnableHostUsers should be true if undefined as well * In some cases, periodicity can be zero because of the migrations * Apply defaults when migrating appconfig * Fix lint * lint * Address review comments 2021-08-27 14:15:36 +00:00			`"bytes"`
			`"context"`
Issue 1278 select leader (#1367) * Add leader selection * remove comment * Address review comments * Add changes file * Simplify implementation * Simplify further * Whoops, removed a little too much 2021-07-19 18:08:41 +00:00			`"crypto/rand"`
Add certificate management for Microsoft MDM (WSTEP) (#12543) Issue #12261 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 2023-06-29 22:31:53 +00:00			`"crypto/rsa"`
			`"crypto/x509"`
Issue 1278 select leader (#1367) * Add leader selection * remove comment * Address review comments * Add changes file * Simplify implementation * Simplify further * Whoops, removed a little too much 2021-07-19 18:08:41 +00:00			`"encoding/base64"`
Issue 1599 offline webhook (#1777) * wip * Add tests and finish implementation * Add proper default for periodicity, changes file, and documentation * Fix tests and add defaults also to new installs * EnableHostUsers should be true if undefined as well * In some cases, periodicity can be zero because of the migrations * Apply defaults when migrating appconfig * Fix lint * lint * Address review comments 2021-08-27 14:15:36 +00:00			`"encoding/json"`
Add certificate management for Microsoft MDM (WSTEP) (#12543) Issue #12261 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 2023-06-29 22:31:53 +00:00			`"encoding/pem"`
			`"errors"`
Use new error handling approach in other packages (#2954) 2021-11-22 14:13:26 +00:00			`"fmt"`
Issue 1599 offline webhook (#1777) * wip * Add tests and finish implementation * Add proper default for periodicity, changes file, and documentation * Fix tests and add defaults also to new installs * EnableHostUsers should be true if undefined as well * In some cases, periodicity can be zero because of the migrations * Apply defaults when migrating appconfig * Fix lint * lint * Address review comments 2021-08-27 14:15:36 +00:00			`"io/ioutil"`
			`"net/http"`
			`"time"`
Make creation of http.Client uniform across the codebase (#3097) 2021-11-24 20:56:54 +00:00
			`"github.com/fleetdm/fleet/v4/pkg/fleethttp"`
Issue 1278 select leader (#1367) * Add leader selection * remove comment * Address review comments * Add changes file * Simplify implementation * Simplify further * Whoops, removed a little too much 2021-07-19 18:08:41 +00:00			`)`

			`// GenerateRandomText return a string generated by filling in keySize bytes with`
			`// random data and then base64 encoding those bytes`
			`func GenerateRandomText(keySize int) (string, error) {`
			`key := make([]byte, keySize)`
			`_, err := rand.Read(key)`
			`if err != nil {`
			`return "", err`
			`}`
			`return base64.StdEncoding.EncodeToString(key), nil`
			`}`
Issue 1599 offline webhook (#1777) * wip * Add tests and finish implementation * Add proper default for periodicity, changes file, and documentation * Fix tests and add defaults also to new installs * EnableHostUsers should be true if undefined as well * In some cases, periodicity can be zero because of the migrations * Apply defaults when migrating appconfig * Fix lint * lint * Address review comments 2021-08-27 14:15:36 +00:00
Modify `/server/utils` to handle all 2xx codes as POST success (#3534) 2021-12-30 22:00:10 +00:00			`func httpSuccessStatus(statusCode int) bool {`
			`return statusCode >= 200 && statusCode <= 299`
			`}`

Issue 1599 offline webhook (#1777) * wip * Add tests and finish implementation * Add proper default for periodicity, changes file, and documentation * Fix tests and add defaults also to new installs * EnableHostUsers should be true if undefined as well * In some cases, periodicity can be zero because of the migrations * Apply defaults when migrating appconfig * Fix lint * lint * Address review comments 2021-08-27 14:15:36 +00:00			`func PostJSONWithTimeout(ctx context.Context, url string, v interface{}) error {`
			`jsonBytes, err := json.Marshal(v)`
			`if err != nil {`
			`return err`
			`}`

Make creation of http.Client uniform across the codebase (#3097) 2021-11-24 20:56:54 +00:00			`client := fleethttp.NewClient(fleethttp.WithTimeout(30 * time.Second))`
Issue 1599 offline webhook (#1777) * wip * Add tests and finish implementation * Add proper default for periodicity, changes file, and documentation * Fix tests and add defaults also to new installs * EnableHostUsers should be true if undefined as well * In some cases, periodicity can be zero because of the migrations * Apply defaults when migrating appconfig * Fix lint * lint * Address review comments 2021-08-27 14:15:36 +00:00			`req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewBuffer(jsonBytes))`
			`if err != nil {`
			`return err`
			`}`

			`req.Header.Set("Content-Type", "application/json")`

			`resp, err := client.Do(req)`
			`if err != nil {`
Global policies automation webhooks (#3378) * Add webhook to app config * Add redis failing policies set and webhook * Add basic webhook test * Store hostname in redis * Global policy deletion to remove policy ID from set and config * Also process new passing policies * Fix unit test * Sort hosts * Add more tests * Add ListSets to the failing policies interface * Fix server URL and garbage collect on the triggering side * Do not use Redis SCAN * Fix Redis operation order * Add API changes to doc * Add comments * Add more tests * Fix tests * Add tests for config update upon deletion of policies * Run make dump-test-schema * Ignore policies that failed to run * Add proper unit tests to trigger logic * Fix comments * WIP * Add tests to service_osquerty_test.go * Use SSCAN for listing hosts instead of SMEMBERS * Add failing policies to docs/01-Using-Fleet/configuration-files/README.md * Remove skip * Fix PR comments 2021-12-23 21:26:55 +00:00			`return fmt.Errorf("failed to POST to %s: %s, request-size=%d", url, err, len(jsonBytes))`
Issue 1599 offline webhook (#1777) * wip * Add tests and finish implementation * Add proper default for periodicity, changes file, and documentation * Fix tests and add defaults also to new installs * EnableHostUsers should be true if undefined as well * In some cases, periodicity can be zero because of the migrations * Apply defaults when migrating appconfig * Fix lint * lint * Address review comments 2021-08-27 14:15:36 +00:00			`}`
			`defer resp.Body.Close()`

Modify `/server/utils` to handle all 2xx codes as POST success (#3534) 2021-12-30 22:00:10 +00:00			`if !httpSuccessStatus(resp.StatusCode) {`
Issue 1599 offline webhook (#1777) * wip * Add tests and finish implementation * Add proper default for periodicity, changes file, and documentation * Fix tests and add defaults also to new installs * EnableHostUsers should be true if undefined as well * In some cases, periodicity can be zero because of the migrations * Apply defaults when migrating appconfig * Fix lint * lint * Address review comments 2021-08-27 14:15:36 +00:00			`body, _ := ioutil.ReadAll(resp.Body)`
Global policies automation webhooks (#3378) * Add webhook to app config * Add redis failing policies set and webhook * Add basic webhook test * Store hostname in redis * Global policy deletion to remove policy ID from set and config * Also process new passing policies * Fix unit test * Sort hosts * Add more tests * Add ListSets to the failing policies interface * Fix server URL and garbage collect on the triggering side * Do not use Redis SCAN * Fix Redis operation order * Add API changes to doc * Add comments * Add more tests * Fix tests * Add tests for config update upon deletion of policies * Run make dump-test-schema * Ignore policies that failed to run * Add proper unit tests to trigger logic * Fix comments * WIP * Add tests to service_osquerty_test.go * Use SSCAN for listing hosts instead of SMEMBERS * Add failing policies to docs/01-Using-Fleet/configuration-files/README.md * Remove skip * Fix PR comments 2021-12-23 21:26:55 +00:00			`return fmt.Errorf("error posting to %s: %d. %s", url, resp.StatusCode, string(body))`
Issue 1599 offline webhook (#1777) * wip * Add tests and finish implementation * Add proper default for periodicity, changes file, and documentation * Fix tests and add defaults also to new installs * EnableHostUsers should be true if undefined as well * In some cases, periodicity can be zero because of the migrations * Apply defaults when migrating appconfig * Fix lint * lint * Address review comments 2021-08-27 14:15:36 +00:00			`}`

			`return nil`
			`}`
Add certificate management for Microsoft MDM (WSTEP) (#12543) Issue #12261 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 2023-06-29 22:31:53 +00:00
			`// TODO: Consider moving other crypto functions from server/mdm/apple/util to here`

			`// DecodePrivateKeyPEM decodes PEM-encoded private key data.`
			`func DecodePrivateKeyPEM(encoded []byte) (*rsa.PrivateKey, error) {`
			`block, _ := pem.Decode(encoded)`
			`if block == nil {`
			`return nil, errors.New("no PEM-encoded data found")`
			`}`
			`if block.Type != "RSA PRIVATE KEY" {`
			`return nil, fmt.Errorf("unexpected block type %s", block.Type)`
			`}`

			`return x509.ParsePKCS1PrivateKey(block.Bytes)`
			`}`