Adding error logging for SOAP faults. Relaxing enrollment request checks (#13876)

This relates to #13875 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Manual QA for all new/changed functionality
Marcos Oviedo 2023-09-14 14:29:12 -03:00 committed by GitHub
parent e80ea50240
commit d0ab1c744e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 11 additions and 4 deletions


@ -0,0 +1 @@
* Fix for strict checks on Windows MDM Automatic Enrollment


@ -224,7 +224,7 @@ func (req *SoapRequest) IsValidRequestSecurityTokenMsg() error {
}
reqEnrollType, err := req.Body.RequestSecurityToken.GetContextItem(mdm.ReqSecTokenContextItemEnrollmentType)
if err != nil || reqEnrollType != mdm.ReqSecTokenEnrollType {
if err != nil || (reqEnrollType != mdm.ReqSecTokenEnrollTypeDevice && reqEnrollType != mdm.ReqSecTokenEnrollTypeFull) {
return fmt.Errorf("invalid requestsecuritytoken message %s: %s - %v", mdm.ReqSecTokenContextItemEnrollmentType, reqEnrollType, err)
}
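Review bot: The error built on the return line formats the request-supplied enrollment type with `%s`, so an empty value or one padded with whitespace — now the most likely way a client lands here — is indistinguishable from a valid one in the log and in the fault; use `%q` so the exact bytes are visible: `return fmt.Errorf("invalid requestsecuritytoken message %s: %q - %v", mdm.ReqSecTokenContextItemEnrollmentType, reqEnrollType, err)`. The two-value allowlist on the new condition also reads more clearly as `switch reqEnrollType { case mdm.ReqSecTokenEnrollTypeDevice, mdm.ReqSecTokenEnrollTypeFull: default: return fmt.Errorf(...) }`, which keeps the next accepted value a one-token addition. Because "Device" is now let through, any later step that previously only had to handle "Full" should branch on the type; that code is not in this hunk, and IsValidRequestSecurityTokenMsg itself begins before it.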


@ -154,8 +154,14 @@ const (
// Certificate Renewal Period in seconds (180 days)
PolicyCertRenewalPeriodInSecs = "15552000"
// Supported Enroll Type
ReqSecTokenEnrollType = "Full"
// Supported Enroll types gathered from MS-MDE2 Spec Section 2.2.9.3
// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/f7553554-b6e1-4a0d-abd6-6a2534503af7
// Supported Enroll Type Device
ReqSecTokenEnrollTypeDevice = "Device"
// Supported Enroll Type Full
ReqSecTokenEnrollTypeFull = "Full"
// Provisioning Doc Certificate Renewal Period (365 days)
WstepCertRenewalPeriodInDays = "365"
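Review bot: The per-constant comments `// Supported Enroll Type Device` and `// Supported Enroll Type Full` only restate the identifiers, and the group comment above them does not say how the values are used. Since the request's EnrollmentType context item is compared to these strings exactly, the three comment lines would serve a reader better as one: `// Values accepted for the EnrollmentType context item of a RequestSecurityToken (MS-MDE2 section 2.2.9.3); compared case-sensitively by IsValidRequestSecurityTokenMsg.` The enclosing const block opens before this hunk.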


@ -1505,7 +1505,7 @@ func GetContextItem(secTokenMsg *fleet.RequestSecurityToken, contextItem string)
// GetAuthorizedSoapFault authorize the request so SoapFault message can be returned
func (svc *Service) GetAuthorizedSoapFault(ctx context.Context, eType string, origMsg int, errorMsg error) *fleet.SoapFault {
svc.authz.SkipAuthorization(ctx)
logging.WithErr(ctx, ctxerr.Wrap(ctx, errorMsg, "soap fault"))
soapFault := NewSoapFault(eType, origMsg, errorMsg)
return &soapFault
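Review bot: The new logging line wraps and logs errorMsg unconditionally, and this helper is reached after `SkipAuthorization`, i.e. for faults raised on the unauthenticated enrollment path; a nil errorMsg (a caller that only wants a fault with an origin code) would then pass a wrapped nil into logging.WithErr, whose handling of nil is not visible here — guard it with `if errorMsg != nil { logging.WithErr(ctx, ctxerr.Wrap(ctx, errorMsg, "soap fault")) }`. The same error text is then handed to NewSoapFault, so a validation message that embeds request-supplied values (the enrollment-type check in this commit does) is both logged and, presumably, echoed back to the client; if NewSoapFault embeds it verbatim, consider keeping the detailed cause in the log and returning a generic reason in the fault. NewSoapFault is outside this hunk, so whether it does so cannot be confirmed from here.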