Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-24 09:28:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 30

Allow to disable Apple MDM SCEP renewal/verification (#23660)

Browse source 
https://github.com/fleetdm/confidential/issues/8528

Manual merge from special branch
https://github.com/fleetdm/fleet/compare/rc-patch-fleet-v4.57.3...rh-patch-4.57.3,
gated by env vars.

No changes entry since this is a temporary feature for a customer, which
we may not want to maintain.
This commit is contained in:
Victor Lyuboslavsky 2024-11-11 13:25:21 -06:00 committed by GitHub
parent 3604a9abf8
commit 90915b9e1d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 15 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
server/service/apple_mdm.go
View file

@ -3846,6 +3846,12 @@ func RenewSCEPCertificates(
config *config.FleetConfig, config *config.FleetConfig,
commander *apple_mdm.MDMAppleCommander, commander *apple_mdm.MDMAppleCommander,
) error { ) error {
renewalDisable, exists := os.LookupEnv("FLEET_MDM_APPLE_SCEP_RENEWAL_DISABLE")
if exists && (strings.EqualFold(renewalDisable, "true") || renewalDisable == "1") {
level.Info(logger).Log("msg", "skipping renewal of macOS SCEP certificates as FLEET_MDM_APPLE_SCEP_RENEWAL_DISABLE is set to true")
return nil
}
appConfig, err := ds.AppConfig(ctx) appConfig, err := ds.AppConfig(ctx)
if err != nil { if err != nil {
return fmt.Errorf("reading app config: %w", err) return fmt.Errorf("reading app config: %w", err)

10
server/service/handler.go
View file

@ -5,7 +5,9 @@ import (
"errors" "errors"
"fmt" "fmt"
"net/http" "net/http"
"os"
"regexp" "regexp"
"strings"
eeservice "github.com/fleetdm/fleet/v4/ee/server/service" eeservice "github.com/fleetdm/fleet/v4/ee/server/service"
"github.com/fleetdm/fleet/v4/server/config" "github.com/fleetdm/fleet/v4/server/config"
@ -1210,7 +1212,13 @@ func registerMDM(
mdmService = certauth.New(mdmService, mdmStorage) mdmService = certauth.New(mdmService, mdmStorage)
var mdmHandler http.Handler = httpmdm.CheckinAndCommandHandler(mdmService, mdmLogger.With("handler", "checkin-command")) var mdmHandler http.Handler = httpmdm.CheckinAndCommandHandler(mdmService, mdmLogger.With("handler", "checkin-command"))
mdmHandler = httpmdm.CertVerifyMiddleware(mdmHandler, certVerifier, mdmLogger.With("handler", "cert-verify")) verifyDisable, exists := os.LookupEnv("FLEET_MDM_APPLE_SCEP_VERIFY_DISABLE")
if exists && (strings.EqualFold(verifyDisable, "true") || verifyDisable == "1") {
level.Info(logger).Log("msg",
"disabling verification of macOS SCEP certificates as FLEET_MDM_APPLE_SCEP_VERIFY_DISABLE is set to true")
} else {
mdmHandler = httpmdm.CertVerifyMiddleware(mdmHandler, certVerifier, mdmLogger.With("handler", "cert-verify"))
}
mdmHandler = httpmdm.CertExtractMdmSignatureMiddleware(mdmHandler, mdmLogger.With("handler", "cert-extract")) mdmHandler = httpmdm.CertExtractMdmSignatureMiddleware(mdmHandler, mdmLogger.With("handler", "cert-extract"))
mux.Handle(apple_mdm.MDMPath, mdmHandler) mux.Handle(apple_mdm.MDMPath, mdmHandler)
return nil return nil