From 3ffe65b2f9e15adb55c29c926d149d584bc209bb Mon Sep 17 00:00:00 2001
From: Jahziel Villasana-Espinoza
Date: Thu, 23 May 2024 14:56:43 -0400
Subject: [PATCH] feat: call website, start integration test

---
 server/fleet/service.go                |  2 +-
 server/mdm/apple/cert.go               | 12 ++---
 server/service/integration_mdm_test.go |  8 ++++
 server/service/mdm.go                  | 66 +++++++++++---------------
 4 files changed, 43 insertions(+), 45 deletions(-)

diff --git a/server/fleet/service.go b/server/fleet/service.go
index fa8c35ee07..74c767f0c1 100644
--- a/server/fleet/service.go
+++ b/server/fleet/service.go
@@ -689,7 +689,7 @@ type Service interface {
 	GetAppleBM(ctx context.Context) (*AppleBM, error)
 	RequestMDMAppleCSR(ctx context.Context, email, org string) (*AppleCSR, error)
-	GetMDMAppleCSR(ctx context.Context) (*AppleCSR, error)
+	GetMDMAppleCSR(ctx context.Context) (string, error)
 
 	// GetHostDEPAssignment retrieves the host DEP assignment for the specified host.
 	GetHostDEPAssignment(ctx context.Context, host *Host) (*HostDEPAssignment, error)
diff --git a/server/mdm/apple/cert.go b/server/mdm/apple/cert.go
index c45d7bcabc..b4ae2c0c05 100644
--- a/server/mdm/apple/cert.go
+++ b/server/mdm/apple/cert.go
@@ -145,7 +145,7 @@ func GetSignedAPNSCSR(client *http.Client, csr *x509.CertificateRequest) error {
 
 // GetSignedAPNSCSRNoEmail makes a request to the fleetdm.com API to get a signed APNs
 // CSR and returns the signed CSR
-func GetSignedAPNSCSRNoEmail(client *http.Client, csr *x509.CertificateRequest) (*x509.CertificateRequest, error) {
+func GetSignedAPNSCSRNoEmail(client *http.Client, csr *x509.CertificateRequest) ([]byte, error) {
 	csrPEM := EncodeCertRequestPEM(csr)
 
 	payload := getSignedAPNSCSRRequest{
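Review bot: The changed `GetMDMAppleCSR(ctx context.Context) (string, error)` method carries no doc comment saying what the returned string holds, unlike the neighbouring `GetHostDEPAssignment`, so a caller of the interface cannot tell whether it is PEM, DER or base64. Suggest `// GetMDMAppleCSR generates SCEP and APNs key material, stores it, and returns the fleetdm.com-signed APNs CSR as a base64 string.` — the base64 wording is taken from the mdm.go hunk of this same patch and must be kept in sync with it. The `Service` interface starts and ends outside this hunk.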
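Review bot: The doc comment `// CSR and returns the signed CSR` above `GetSignedAPNSCSRNoEmail` no longer matches the new signature, which returns `[]byte` rather than a parsed `*x509.CertificateRequest`. Suggest `// CSR and returns the raw response body as sent by fleetdm.com; it is not parsed or validated here.` so the caller knows validation is its job. The function body continues past this hunk.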
@@ -180,12 +180,12 @@ func GetSignedAPNSCSRNoEmail(client *http.Client, csr *x509.CertificateRequest)
 		return nil, FleetWebsiteError{Status: resp.StatusCode, message: string(respBytes)}
 	}
 
-	signedCSR, err := x509.ParseCertificateRequest(respBytes)
-	if err != nil {
-		return nil, err
-	}
+	// signedCSR, err := x509.ParseCertificateRequest(respBytes)
+	// if err != nil {
+	// 	return nil, err
+	// }
 
-	return signedCSR, nil
+	return respBytes, nil
 }
 
 // NewSCEPCACertKey creates a self-signed CA certificate for use with SCEP and
diff --git a/server/service/integration_mdm_test.go b/server/service/integration_mdm_test.go
index 2eea049961..96cf351b18 100644
--- a/server/service/integration_mdm_test.go
+++ b/server/service/integration_mdm_test.go
@@ -893,6 +893,14 @@ func (s *integrationMDMTestSuite) TestAppleMDMCSRRequest() {
 	require.Contains(t, string(reqCSRResp.SCEPKey), "-----BEGIN RSA PRIVATE KEY-----\n")
 }
 
+func (s *integrationMDMTestSuite) TestGetMDMCSR() {
+	t := s.T()
+	resp := getMDMAppleCSRResponse{}
+	s.SucceedNextCSRRequest()
+	s.DoJSON("GET", "/api/latest/fleet/mdm/apple/request_csr", getMDMAppleCSRRequest{}, http.StatusOK, &resp)
+	require.NotNil(t, resp.CSR)
+}
+
 func (s *integrationMDMTestSuite) TestMDMAppleUnenroll() {
 	t := s.T()
 
diff --git a/server/service/mdm.go b/server/service/mdm.go
index 17589e0682..7567a3e882 100644
--- a/server/service/mdm.go
+++ b/server/service/mdm.go
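Review bot: The `x509.ParseCertificateRequest` block is left commented out instead of deleted, and `respBytes` is now returned with no check that a 2xx body from the website is a CSR at all — anything the remote side sends back is passed through as "the signed CSR". Either delete the four dead lines and document that the function returns the raw response body for the caller to validate, or keep a parse step that matches what the website actually returns (the mdm.go hunk in this patch says the bytes are base64, which is presumably why a direct DER parse was disabled). `GetSignedAPNSCSRNoEmail` begins in the previous hunk; whether `respBytes` is read with a size limit is not visible from here.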
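Review bot: `require.NotNil(t, resp.CSR)` can never fail: `CSR` is declared as a `string` in the mdm.go hunk of this patch, and a string is never nil, so the test passes even when the endpoint returns an empty CSR. Use `require.NotEmpty(t, resp.CSR)` at minimum, and preferably base64-decode the value and parse it with `x509.ParseCertificateRequest` so the test pins the encoding the response field documents. If the suite has a datastore handle, asserting that the SCEP CA cert/key and APNs key assets were stored would cover the other half of the new code path.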
@@ -2118,75 +2118,65 @@ func (svc *Service) ResendHostMDMProfile(ctx context.Context, hostID uint, profi
 type getMDMAppleCSRRequest struct{}
 
 type getMDMAppleCSRResponse struct {
-	Err error `json:"error,omitempty"`
+	CSR string `json:"csr"` // base64 encoded
+	Err error  `json:"error,omitempty"`
 }
 
 func (r getMDMAppleCSRResponse) error() error { return r.Err }
 
 func getMDMAppleCSREndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
 	slog.With("filename", "server/service/mdm.go", "func", "getMDMAppleCSREndpoint").Info("JVE_LOG: in endpoint method ")
-	_, err := svc.GetMDMAppleCSR(ctx)
+	signedCSRB64, err := svc.GetMDMAppleCSR(ctx)
 	if err != nil {
 		return &getMDMAppleCSRResponse{Err: err}, nil
 	}
 
-	return &getMDMAppleCSRResponse{}, nil
+	return &getMDMAppleCSRResponse{CSR: signedCSRB64}, nil
 }
 
-func (svc *Service) GetMDMAppleCSR(ctx context.Context) (*fleet.AppleCSR, error) {
+func (svc *Service) GetMDMAppleCSR(ctx context.Context) (string, error) {
 	if err := svc.authz.Authorize(ctx, &fleet.AppleCSR{}, fleet.ActionWrite); err != nil {
-		return nil, err
+		return "", err
 	}
 
-	slog.With("filename", "server/service/mdm.go", "func", "GetMDMAppleCSR").Info("JVE_LOG: in service method ")
 	// Get SCEP certificate and key
 	scepCert, scepKey, err := apple_mdm.NewSCEPCACertKey()
 	if err != nil {
-		return nil, ctxerr.Wrap(ctx, err, "generate SCEP cert and key")
+		return "", ctxerr.Wrap(ctx, err, "generate SCEP cert and key")
 	}
 
-	// slog.With("filename", "server/service/mdm.go", "func", "GetMDMAppleCSR").Info("\n\n\nJVE_LOG: what we got\n\n\n ", "certReq", string(scepCert.Raw), "privateKey", scepKey)
 	// Get APNS key
-	_, apnsKey, err := apple_mdm.GenerateAPNSCSRKeyNoEmail("foo")
+	apnsCSR, apnsKey, err := apple_mdm.GenerateAPNSCSRKeyNoEmail("foo")
 	if err != nil {
-		return nil, ctxerr.Wrap(ctx, err, "generate APNS cert and key")
+		return "", ctxerr.Wrap(ctx, err, "generate APNS cert and key")
 	}
 
-	// slog.With("filename", "server/service/mdm.go", "func",
"GetMDMAppleCSR").Info("\n\n\nJVE_LOG: what we got\n\n\n ", "certReq", string(apnsCSR.Raw), "privateKey", apnsKey)
 	// Submit CSR to fleetdm.com for signing
-	// websiteClient := fleethttp.NewClient(fleethttp.WithTimeout(10 * time.Second))
+	websiteClient := fleethttp.NewClient(fleethttp.WithTimeout(10 * time.Second))
 
-	// signedCSR, err := apple_mdm.GetSignedAPNSCSRNoEmail(websiteClient, apnsCSR)
-	// if err != nil {
-	// 	return nil, ctxerr.Wrap(ctx, err, "get signed CSR")
-	// }
-
-	// slog.With("filename", "server/service/mdm.go", "func", "GetMDMAppleCSR").Info("JVE_LOG: storing secrets ", "signedCSR", signedCSR)
+	signedCSRB64, err := apple_mdm.GetSignedAPNSCSRNoEmail(websiteClient, apnsCSR)
+	if err != nil {
+		return "", ctxerr.Wrap(ctx, err, "get signed CSR")
+	}
 
 	// Store APNS key, SCEP key, SCEP cert
-	// slog.With("filename", "server/service/mdm.go", "func", "GetMDMAppleCSR").Info("JVE_LOG: storing secrets ", "signedCSR", signedCSR)
-
-	scepCACertPEM := apple_mdm.EncodeCertPEM(scepCert)
-	scepCAKeyPEM := apple_mdm.EncodePrivateKeyPEM(scepKey)
-	apnsKeyPEM := apple_mdm.EncodePrivateKeyPEM(apnsKey)
-
-	appleCSR := &fleet.AppleCSR{
-		SCEPCert: scepCACertPEM,
-		SCEPKey:  scepCAKeyPEM,
-		APNsKey:  apnsKeyPEM,
+	var assets []fleet.MDMConfigAsset
+	for k, v := range map[fleet.MDMAssetName][]byte{
+		fleet.MDMAssetCACert:  apple_mdm.EncodeCertPEM(scepCert),
+		fleet.MDMAssetCAKey:   apple_mdm.EncodePrivateKeyPEM(scepKey),
+		fleet.MDMAssetAPNSKey: apple_mdm.EncodePrivateKeyPEM(apnsKey),
+	} {
+		assets = append(assets, fleet.MDMConfigAsset{
+			Name:  k,
+			Value: v,
+		})
 	}
 
-	asset := fleet.MDMConfigAsset{
-		Name:  fleet.MDMAssetCACert,
-		Value: scepCACertPEM,
+	if err := svc.ds.InsertMDMConfigAssets(ctx, assets); err != nil {
+		return "", ctxerr.Wrap(ctx, err, "inserting mdm config assets")
 	}
 
-	if err := svc.ds.InsertMDMConfigAssets(ctx, []fleet.MDMConfigAsset{asset}); err != nil {
-		return nil, err
-	}
-
-	// Return signed CSR
-
-	return appleCSR, nil
+	// Return signed CSR;
these bytes are already base64 encoded
+	return string(signedCSRB64), nil
 }
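Review bot: `GetMDMAppleCSR` persists the freshly generated SCEP CA key and APNs private key via `InsertMDMConfigAssets` and returns `signedCSRB64` to the API caller without checking that the website's 2xx body is actually a base64-encoded CSR, so an unexpected body would leave new key material stored against an unusable CSR. I would decode and parse the response before the insert, as below (`encoding/base64` needs importing if it is not already; whether the decoded bytes are DER or PEM is not visible in this patch, so adjust the parse to what the website returns). The `"foo"` passed to `GenerateAPNSCSRKeyNoEmail` reads as a placeholder subject and should be replaced or explained with a comment before this ships. The `JVE_LOG` line still in `getMDMAppleCSREndpoint` looks like the same debugging output the rest of the hunk removes.
```go
	signedCSRB64, err := apple_mdm.GetSignedAPNSCSRNoEmail(websiteClient, apnsCSR)
	if err != nil {
		return "", ctxerr.Wrap(ctx, err, "get signed CSR")
	}
	// Do not persist key material for a CSR we cannot decode and parse.
	signedCSR, err := base64.StdEncoding.DecodeString(string(signedCSRB64))
	if err != nil {
		return "", ctxerr.Wrap(ctx, err, "decode signed CSR")
	}
	if _, err := x509.ParseCertificateRequest(signedCSR); err != nil {
		return "", ctxerr.Wrap(ctx, err, "parse signed CSR")
	}
	// … unchanged: build assets, InsertMDMConfigAssets, return string(signedCSRB64) …
```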