Closes: https://github.com/fleetdm/fleet/issues/30914
Changes:
- Updated the `deliver-apple-csr` endpoint to return a
`csrMissingRequiredValue ` response when the provided unsigned CSR data
does not contain a required value.
Closes: https://github.com/fleetdm/confidential/issues/6158
Changes:
- Added two new config variables to website/config/custom:
- `bannedEmailDomainsForCSRSigning` An array of email domains that are
not allowed for CSR signing requests
- `bannedEmailDomainsForWebsiteSubmissions` an array of email domains
that are not allowed for website signups and contact form submissions.
- Updated the `deliver-apple-csr`, `deliver-talk-to-us-form-submission`,
`deliver-contact-form-message`, and `signup` actions to use the new
config variables.
When the file is provided as an attachment to the Sails helper, it gets
decoded, since we need for the signed CSR to be delivered in base64
format, we doubly encode the contents before sending the email.
This pull request relies on the `mdm-gen-cert` command from
https://github.com/fleetdm/fleet/pull/8884.
Closes: https://github.com/fleetdm/fleet/issues/8223
Changes:
- Updated the deploy Fleet website workflow to:
- Add Go as a dependency
- Build the mdm-gen-cert binary in `/website/.tools/`
- add the `/.tools/` folder to the Heroku app
- Added `deliver-apple-csr.js` - an API that:
- can be called by making a `POST` request to
`/api/v1/deliver-apple-csr`
- accepts `csr` as an input
- runs the `mdm-gen-cert` command with the `csr` set as an environment
variable
- returns an `invalidEmailDomain` response if the user's email domain is
in the array of banned email domains.
- saves the users organization and email address to the website's
database
- Sends an email to the requesting user's email address with the signed
CSR attached as a text file named `apple-apns-request.txt`
- Posts a message to a channel in the Fleet Slack.
- Added a new model: `CertificateSigningRequests` that contains two
required attributes: `emailAddress` and `organization`
- Added a new email template `email-signed-csr-for-apns`
- Updated routes, policies, eslintrc, and rebuilt cloud-sdk
Before this can be merged, we will need to:
- [x] Add new config variables in Heroku
- [x] `sails.config.custom.mdmVendorCertPem`
- [x] `sails.config.custom.mdmVendorKeyPem`
- [x] `sails.config.custom.mdmVendorKeyPassphrase`
- [x] `sails.config.custom.slackWebhookUrlForMDMSignups`
- [x] Add the `CertificateSigningRequests` model to the website's
database
