Allow enroll secret to read from file

This is needed to be able to secure the enroll secret while maintaining
standard file permissions for the macOS launchd plist.

Also moves the default directory from /var/lib/fleet/orbit to
/var/lib/orbit.

cmd/orbit/orbit.go

@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/fleetdm/orbit/pkg/constant"
@@ -24,7 +25,7 @@ import (
 const (
 	tufURL         = "https://tuf.fleetctl.com"
 	certPath       = "/tmp/fleet.pem"
-	defaultRootDir = "/var/lib/fleet/orbit"
+	defaultRootDir = "/var/lib/orbit"
 )
 
 func main() {
@@ -67,6 +68,11 @@ func main() {
 			Usage:   "Enroll secret for authenticating to Fleet server",
 			EnvVars: []string{"ORBIT_ENROLL_SECRET"},
 		},
+		&cli.StringFlag{
+			Name:    "enroll-secret-path",
+			Usage:   "Path to file containing enroll secret",
+			EnvVars: []string{"ORBIT_ENROLL_SECRET_PATH"},
+		},
 		&cli.StringFlag{
 			Name:    "osquery-version",
 			Usage:   "Version of osquery to use",
@@ -84,6 +90,19 @@ func main() {
 			zerolog.SetGlobalLevel(zerolog.DebugLevel)
 		}
 
+		if c.String("enroll-secret-path") != "" {
+			if c.String("enroll-secret") != "" {
+				return errors.New("enroll-secret and enroll-secret-path may not be specified together")
+			}
+
+			b, err := ioutil.ReadFile(c.String("enroll-secret-path"))
+			if err != nil {
+				return errors.Wrap(err, "read enroll secret file")
+			}
+
+			c.Set("enroll-secret", strings.TrimSpace(string(b)))
+		}
+
 		if err := os.MkdirAll(c.String("root-dir"), constant.DefaultDirMode); err != nil {
 			return errors.Wrap(err, "initialize root dir")
 		}
@@ -164,7 +183,8 @@ func main() {
 			)
 		}
 
-		if enrollSecret := c.String("enroll-secret"); enrollSecret != "" {
+		enrollSecret := c.String("enroll-secret")
+		if enrollSecret != "" {
 			options = append(options,
 				osquery.WithEnv([]string{"ENROLL_SECRET=" + enrollSecret}),
 				osquery.WithFlags([]string{"--enroll_secret_env", "ENROLL_SECRET"}),
@@ -172,6 +192,10 @@ func main() {
 		}
 
 		if fleetURL != "" {
+			if enrollSecret == "" {
+				return errors.New("enroll secret must be specified to connect to Fleet server")
+			}
+
 			options = append(options,
 				osquery.WithFlags(osquery.FleetFlags(fleetURL)),
 			)

go.mod

@@ -13,7 +13,6 @@ require (
 	github.com/rs/zerolog v1.20.0
 	github.com/stretchr/testify v1.6.1
 	github.com/theupdateframework/go-tuf v0.0.0-20201230183259-aee6270feb55
-	github.com/urfave/cli v1.22.5
 	github.com/urfave/cli/v2 v2.3.0
 	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad // indirect
 )

pkg/packaging/deb.go

@@ -31,7 +31,7 @@ func BuildDeb(opt Options) error {
 	if err := os.MkdirAll(filesystemRoot, constant.DefaultDirMode); err != nil {
 		return errors.Wrap(err, "create root dir")
 	}
-	orbitRoot := filepath.Join(filesystemRoot, "var", "lib", "fleet", "orbit")
+	orbitRoot := filepath.Join(filesystemRoot, "var", "lib", "orbit")
 	if err := os.MkdirAll(orbitRoot, constant.DefaultDirMode); err != nil {
 		return errors.Wrap(err, "create orbit dir")
 	}
@@ -85,13 +85,13 @@ func BuildDeb(opt Options) error {
 		},
 		&files.Content{
 			Source:      "orbit",
-			Destination: "/var/lib/fleet/orbit/orbit",
+			Destination: "/var/lib/orbit/orbit",
 			FileInfo: &files.ContentFileInfo{
 				Mode: constant.DefaultExecutableMode,
 			},
 		},
 		&files.Content{
-			Source:      "/var/lib/fleet/orbit/orbit",
+			Source:      "/var/lib/orbit/orbit",
 			Destination: "/usr/local/bin/orbit",
 			Type:        "symlink",
 			FileInfo: &files.ContentFileInfo{
@@ -122,7 +122,7 @@ func BuildDeb(opt Options) error {
 			Contents: contents,
 			EmptyFolders: []string{
 				"/var/log/osquery",
-				"/var/log/fleet/orbit",
+				"/var/log/orbit",
 			},
 			Scripts: nfpm.Scripts{
 				PostInstall: postInstallPath,

pkg/packaging/macos.go

@@ -34,7 +34,7 @@ func BuildPkg(opt Options) error {
 	if err := os.MkdirAll(filesystemRoot, constant.DefaultDirMode); err != nil {
 		return errors.Wrap(err, "create root dir")
 	}
-	orbitRoot := filepath.Join(filesystemRoot, "var", "lib", "fleet", "orbit")
+	orbitRoot := filepath.Join(filesystemRoot, "var", "lib", "orbit")
 	if err := os.MkdirAll(orbitRoot, constant.DefaultDirMode); err != nil {
 		return errors.Wrap(err, "create orbit dir")
 	}
@@ -75,16 +75,15 @@ func BuildPkg(opt Options) error {
 	if err := writeScripts(opt, tmpDir); err != nil {
 		return errors.Wrap(err, "write postinstall")
 	}
+	if err := writeSecret(opt, orbitRoot); err != nil {
+		return errors.Wrap(err, "write enroll secret")
+	}
 	if opt.StartService {
 		if err := writeLaunchd(opt, filesystemRoot); err != nil {
 			return errors.Wrap(err, "write launchd")
 		}
 	}
-	if err := copyFile(
-		"./orbit",
-		filepath.Join(filesystemRoot, "var", "lib", "fleet", "orbit", "orbit"),
-		0755,
-	); err != nil {
+	if err := copyFile("./orbit", filepath.Join(orbitRoot, "orbit"), 0755); err != nil {
 		return errors.Wrap(err, "write orbit")
 	}
 
@@ -155,6 +154,20 @@ func writeScripts(opt Options, rootPath string) error {
 	return nil
 }
 
+func writeSecret(opt Options, orbitRoot string) error {
+	// Enroll secret
+	path := filepath.Join(orbitRoot, "secret")
+	if err := os.MkdirAll(filepath.Dir(path), constant.DefaultDirMode); err != nil {
+		return errors.Wrap(err, "mkdir")
+	}
+
+	if err := ioutil.WriteFile(path, []byte(opt.EnrollSecret), 0600); err != nil {
+		return errors.Wrap(err, "write file")
+	}
+
+	return nil
+}
+
 func writeLaunchd(opt Options, rootPath string) error {
 	// launchd is the service mechanism on macOS
 	path := filepath.Join(rootPath, "Library", "LaunchDaemons", "com.fleetdm.orbit.plist")

pkg/packaging/macos_templates.go

@@ -33,7 +33,7 @@ var macosDistributionTemplate = template.Must(template.New("").Option("missingke
 var macosPostinstallTemplate = template.Must(template.New("").Option("missingkey=error").Parse(
 	`#!/bin/bash
 
-ln -sf /var/lib/fleet/orbit/orbit /usr/local/bin/orbit
+ln -sf /var/lib/orbit/orbit /usr/local/bin/orbit
 
 {{ if .StartService -}}
 launchctl stop com.fleetdm.orbit
@@ -55,7 +55,7 @@ var macosLaunchdTemplate = template.Must(template.New("").Option("missingkey=err
     <string>com.fleetdm.orbit</string>
     <key>ProgramArguments</key>
     <array>
-       <string>/var/lib/fleet/orbit/orbit</string>
+       <string>/var/lib/orbit/orbit</string>
     </array>
     <key>StandardOutPath</key>
     <string>/var/log/orbit/orbit.stdout.log</string>
@@ -65,7 +65,7 @@ var macosLaunchdTemplate = template.Must(template.New("").Option("missingkey=err
     <dict>
       {{ if .Insecure }}<key>ORBIT_INSECURE</key><string>true</string>{{ end }}
       {{ if .FleetURL }}<key>ORBIT_FLEET_URL</key><string>{{.FleetURL}}</string>{{ end }}
-      {{ if .EnrollSecret }}<key>ORBIT_ENROLL_SECRET</key><string>{{.EnrollSecret}}</string>{{ end }}
+      {{ if .EnrollSecret }}<key>ORBIT_ENROLL_SECRET_PATH</key><string>/var/lib/orbit/secret</string>{{ end }}
     </dict>
     <key>KeepAlive</key><true/>
     <key>RunAtLoad</key><true/>

pkg/update/update.go

@@ -52,7 +52,7 @@ var (
 	// DefaultOptions are the default options to use when creating an update
 	// client.
 	DefaultOptions = Options{
-		RootDirectory:     "/var/fleet",
+		RootDirectory:     "/var/lib/orbit",
 		ServerURL:         "https://tuf.fleetctl.com",
 		LocalStore:        client.MemoryLocalStore(),
 		InsecureTransport: false,