mirror of
https://github.com/fleetdm/fleet
synced 2026-05-03 13:28:40 +00:00
13eeebe548
Changes: - Created a new database model: `MicrosoftComplianceTenant`. A model that stores information about complaince tenants - Added `/policies/is-cloud-customer`: a policy that blocks requests to microsoft proxy endpoints if a `MS API KEY` header is missing or does not match a new config variable (`sails.custom.config.cloudCustomerCompliancePartnerSharedSecret`) - Added `microsoft-proxy/create-compliance-partner-tenant`: an action that creates a database record for a new compliance tenant and generates an API key that is used to authenticate future requests to microsoft proxy endpoints for an entra tenant. - Added `microsoft-proxy/get-compliance-partner-settings`: an action that returns information about Fleet's complaince partner entra application and the entra tenant's admin consent status (whether or not a tenant's entra admin has granted permissions to Fleet's compliance partner application) - Added `microsoft-proxy/get-tenants-admin-consent-status`: an action that updates the admin consent status of a compliance tenant record. - Added `microsoft-proxy/setup-compliance-partner-tenant`: an action that provisions a compliance tenant, creates a complaince policy for macOS devices assigns the created policy to the built-in "All users" user group on the tenants entra instance. - Added `microsoft-proxy/update-one-devices-compliance-status`: an action that receives information about a device on a compliance tenant's Fleet instance, sends that information to their Entra instance, and returns the messsage ID returned by the asynchronus Entra API. - Added `microsoft-proxy/get-one-compliance-status-result`: an action that returns the result of a compliance status update from the Entra API. - Added `sails.helpers.microsoft-proxy.get-access-token-and-api-urls` A helper that gets an access token for a tenant's entra instance and the URLs of the API endpoints the microsoft proxy actions use for a tenant. - Added `scripts/send-entra-heartbeat-requests` A script that will run daily to keep all microsoft compliance integrations provisioned. - --------- Co-authored-by: Lucas Rodriguez <[email protected]>
52 lines
2 KiB
JavaScript
Vendored
52 lines
2 KiB
JavaScript
Vendored
module.exports = {
|
|
|
|
|
|
friendlyName: 'Get compliance partner settings',
|
|
|
|
|
|
description: '',
|
|
|
|
inputs: {
|
|
entraTenantId: {
|
|
type: 'string',
|
|
required: true,
|
|
},
|
|
fleetServerSecret: {
|
|
type: 'string',
|
|
required: true,
|
|
},
|
|
},
|
|
|
|
|
|
exits: {
|
|
success: { outputDescription: 'The setup and admin consent status of a Microsoft complianance tenant'},
|
|
},
|
|
|
|
|
|
fn: async function ({entraTenantId, fleetServerSecret}) {
|
|
|
|
let informationAboutThisTenant = await MicrosoftComplianceTenant.findOne({entraTenantId: entraTenantId, fleetServerSecret: fleetServerSecret});
|
|
if(!informationAboutThisTenant) {
|
|
return this.res.notFound();
|
|
}
|
|
|
|
// Otherwise, build an admin consent url for this tenant and include it in the response body.
|
|
// Generate a state token for the admin consent link.
|
|
let stateTokenForThisAdminConsentLink = sails.helpers.strings.random.with({len: 30, style: 'url-friendly'});
|
|
// Update the database record for this tenant to include the generated state token.
|
|
await MicrosoftComplianceTenant.updateOne({id: informationAboutThisTenant.id}).set({stateTokenForAdminConsent: stateTokenForThisAdminConsentLink});
|
|
// Build an admin consent url for this request.
|
|
let adminConsentUrlForThisTenant = `https://login.microsoftonline.com/${entraTenantId}/adminconsent?client_id=${encodeURIComponent(sails.config.custom.compliancePartnerClientId)}&state=${encodeURIComponent(stateTokenForThisAdminConsentLink)}&redirect_uri=${encodeURIComponent(`${sails.config.custom.baseUrl}/api/v1/microsoft-compliance-partner/adminconsent`)}`;
|
|
|
|
return {
|
|
entra_tenant_id: entraTenantId,// eslint-disable-line camelcase
|
|
setup_done: informationAboutThisTenant.setupCompleted,// eslint-disable-line camelcase
|
|
admin_consented: informationAboutThisTenant.adminConsented,// eslint-disable-line camelcase
|
|
admin_consent_url: adminConsentUrlForThisTenant,// eslint-disable-line camelcase
|
|
setup_error: informationAboutThisTenant.setupError// eslint-disable-line camelcase
|
|
};
|
|
|
|
}
|
|
|
|
|
|
};
|