From 90915b9e1dbbdc00a118b2ecd3d38bafbc6b7c1a Mon Sep 17 00:00:00 2001
From: Victor Lyuboslavsky
Date: Mon, 11 Nov 2024 13:25:21 -0600
Subject: [PATCH] Allow to disable Apple MDM SCEP renewal/verification (#23660)

https://github.com/fleetdm/confidential/issues/8528 Manual merge from special branch https://github.com/fleetdm/fleet/compare/rc-patch-fleet-v4.57.3...rh-patch-4.57.3, gated by env vars. No changes entry since this is a temporary feature for a customer, which we may not want to maintain.
---
 server/service/apple_mdm.go | 6 ++++++
 server/service/handler.go | 10 +++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/server/service/apple_mdm.go b/server/service/apple_mdm.go
index 1e7efdf971..bf429f3d59 100644
--- a/server/service/apple_mdm.go
+++ b/server/service/apple_mdm.go
@@ -3846,6 +3846,12 @@ func RenewSCEPCertificates(
 config *config.FleetConfig,
 commander *apple_mdm.MDMAppleCommander,
 ) error {
+ renewalDisable, exists := os.LookupEnv("FLEET_MDM_APPLE_SCEP_RENEWAL_DISABLE")
+ if exists && (strings.EqualFold(renewalDisable, "true") || renewalDisable == "1") {
+ level.Info(logger).Log("msg", "skipping renewal of macOS SCEP certificates as FLEET_MDM_APPLE_SCEP_RENEWAL_DISABLE is set to true")
+ return nil
+ }
+
 appConfig, err := ds.AppConfig(ctx)
 if err != nil {
 return fmt.Errorf("reading app config: %w", err)
diff --git a/server/service/handler.go b/server/service/handler.go
index 56cc734eca..510eb9c392 100644
--- a/server/service/handler.go
+++ b/server/service/handler.go
@@ -5,7 +5,9 @@ import (
 "errors"
 "fmt"
 "net/http"
+ "os"
 "regexp"
+ "strings"
 eeservice "github.com/fleetdm/fleet/v4/ee/server/service"
 "github.com/fleetdm/fleet/v4/server/config"
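Review bot: The env-var gate added at the top of RenewSCEPCertificates duplicates, token for token, the parse in the registerMDM hunk of handler.go (`os.LookupEnv` followed by `strings.EqualFold(v, "true") || v == "1"`); a single package helper such as `func envFlagSet(name string) bool { v := os.Getenv(name); return strings.EqualFold(v, "true") || v == "1" }` would keep the two kill switches from drifting apart, and it also removes the redundant `exists &&`, since an unset variable reads as "" and matches neither comparison. Returning nil lets the cron run report success while a security-relevant control is off, so I would emit the skip line at `level.Warn(logger)` rather than Info, and the message should not claim the variable "is set to true" when the accepted value may be `1`. A doc comment on the env var is also missing; something like `// FLEET_MDM_APPLE_SCEP_RENEWAL_DISABLE=true|1 skips SCEP identity-certificate renewal; temporary, see #23660` next to the lookup would tell the next maintainer why this exists. RenewSCEPCertificates' body continues outside the hunk.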
@@ -1210,7 +1212,13 @@ func registerMDM(
 mdmService = certauth.New(mdmService, mdmStorage)
 var mdmHandler http.Handler = httpmdm.CheckinAndCommandHandler(mdmService, mdmLogger.With("handler", "checkin-command"))
- mdmHandler = httpmdm.CertVerifyMiddleware(mdmHandler, certVerifier, mdmLogger.With("handler", "cert-verify"))
+ verifyDisable, exists := os.LookupEnv("FLEET_MDM_APPLE_SCEP_VERIFY_DISABLE")
+ if exists && (strings.EqualFold(verifyDisable, "true") || verifyDisable == "1") {
+ level.Info(logger).Log("msg",
+ "disabling verification of macOS SCEP certificates as FLEET_MDM_APPLE_SCEP_VERIFY_DISABLE is set to true")
+ } else {
+ mdmHandler = httpmdm.CertVerifyMiddleware(mdmHandler, certVerifier, mdmLogger.With("handler", "cert-verify"))
+ }
 mdmHandler = httpmdm.CertExtractMdmSignatureMiddleware(mdmHandler, mdmLogger.With("handler", "cert-extract"))
 mux.Handle(apple_mdm.MDMPath, mdmHandler)
 return nil
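Review bot: When the variable is set, the certificate that CertExtractMdmSignatureMiddleware pulls from each request to apple_mdm.MDMPath is never checked against certVerifier, and the only trace of that is a single Info line at startup; whatever certauth.New adds around mdmService presumably still binds a certificate to its enrollment, but nothing left in this chain establishes that the certificate was issued by the SCEP CA, so this should be logged as a warning operators cannot miss, e.g. `level.Warn(logger).Log("msg", "SCEP certificate verification disabled by FLEET_MDM_APPLE_SCEP_VERIFY_DISABLE", "path", apple_mdm.MDMPath)`. The log text says the variable "is set to true" although `1` is also accepted, and the `exists &&` guard is redundant as in the RenewSCEPCertificates hunk, because an unset variable yields "" and matches neither comparison. A short comment above the lookup stating that this disables chain verification for MDM check-in and command requests and is a temporary customer-specific switch (#23660) would help whoever has to decide later whether it can be removed. registerMDM begins outside the hunk.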