Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-22 08:28:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 107
fleet/server/mdm/mdm.go
Dan Tsekhanskiy 521ecfffa7
fix: Detect file starting with comment in mdm.go as well (#27673) 
Addresses
https://github.com/fleetdm/fleet/issues/26443#issuecomment-2749360869
after https://github.com/fleetdm/fleet/pull/27176 was merged. Reading
XML as a string in this way feels wrong, but I don't want to avoid a
refactor, so I'm checking for a "comment" string in this PR.

I tested by building fleetctl locally and running:

```sh
$ make fleetctl; ./build/fleetctl gitops -f it-and-security/teams/test.yml --dry-run
...
Client Version:   tf-mod-addon-monitoring-v1.5.1-1091-g8eb9111c6-dirty
Server Version:  0.0.0-SNAPSHOT-85f4f65
[+] applying MDM profiles for team TEST
Error: applying custom settings for team "TEST": POST /api/latest/fleet/mdm/profiles/batch received status 422 Validation Failed: disable-onedrive is not a valid macOS or Windows configuration profile. macOS profiles must be valid .mobileconfig or .json files. Windows configuration profiles can only have <Replace> or <Add> top level elements.
```

I'm not sure if the error above
([code](8eb9111c67/server/service/mdm.go (L2160)))
is caused by my test environment not yet having the updated server code.
The `--dry-run` passed in my test, as seen by the `[+] applying MDM
profiles for team TEST` line. I can't get any test code to be reflected
in the server response, so my hunch is that the issue should be fixed
after this PR.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- I did this in https://github.com/fleetdm/fleet/pull/27176, same change
message.
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
2025-03-31 19:16:13 -05:00

208 lines
6.5 KiB
Go
Raw Blame History

package mdm
import (
"bytes"
"crypto"
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"crypto/x509"
"encoding/base64"
"fmt"
"io"
"regexp"
"github.com/smallstep/pkcs7"
)
var ProfileVariableRegex = regexp.MustCompile(`(\$FLEET_VAR_(?P<name1>\w+))|(\${FLEET_VAR_(?P<name2>\w+)})`)
// ProfileDataVariableRegex matches variables present in <data> section of Apple profile, which may cause validation issues.
var ProfileDataVariableRegex = regexp.MustCompile(`(\$FLEET_VAR_DIGICERT_DATA_(?P<name1>\w+))|(\${FLEET_VAR_DIGICERT_DATA_(?P<name2>\w+)})`)
// MaxProfileRetries is the maximum times an install profile command may be
// retried, after which marked as failed and no further attempts will be made
// to install the profile.
const MaxProfileRetries = 1
// DecryptBase64CMS decrypts a base64 encoded pkcs7-encrypted value using the
// provided certificate and private key.
func DecryptBase64CMS(p7Base64 string, cert *x509.Certificate, key crypto.PrivateKey) ([]byte, error) {
p7Bytes, err := base64.StdEncoding.DecodeString(p7Base64)
if err != nil {
return nil, err
}
p7, err := pkcs7.Parse(p7Bytes)
if err != nil {
return nil, err
}
return p7.Decrypt(cert, key)
}
func prefixMatches(val []byte, prefix string) bool {
return len(val) >= len(prefix) &&
bytes.EqualFold([]byte(prefix), val[:len(prefix)])
}
// GetRawProfilePlatform identifies the platform type of a profile bytes by
// examining its initial content:
//
// - Returns "darwin" if the profile starts with "<?xml", typical of Apple
// platform profiles.
// - Returns "windows" if the profile begins with "<replace" or "<add",
// - Returns an empty string for profiles that are either unrecognized or
// empty.
func GetRawProfilePlatform(profile []byte) string {
trimmedProfile := bytes.TrimSpace(profile)
if len(trimmedProfile) == 0 {
return ""
}
if prefixMatches(trimmedProfile, "<?xml") || prefixMatches(trimmedProfile, `{`) {
return "darwin"
}
if prefixMatches(trimmedProfile, "<replace") || prefixMatches(trimmedProfile, "<add") || prefixMatches(trimmedProfile, "<!--") {
return "windows"
}
return ""
}
// GuessProfileExtension determines the likely file extension of a profile
// based on its content.
//
// It returns a string representing the determined file extension ("xml",
// "json", or "") based on the profile's content.
func GuessProfileExtension(profile []byte) string {
trimmedProfile := bytes.TrimSpace(profile)
switch {
case prefixMatches(trimmedProfile, "<?xml"),
prefixMatches(trimmedProfile, "<replace"),
prefixMatches(trimmedProfile, "<add"):
return "xml"
case prefixMatches(trimmedProfile, "{"):
return "json"
default:
return ""
}
}
func EncryptAndEncode(plainText string, symmetricKey string) (string, error) {
block, err := aes.NewCipher([]byte(symmetricKey))
if err != nil {
return "", fmt.Errorf("create new cipher: %w", err)
}
aesGCM, err := cipher.NewGCM(block)
if err != nil {
return "", fmt.Errorf("create new gcm: %w", err)
}
nonce := make([]byte, aesGCM.NonceSize())
if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
return "", fmt.Errorf("generate nonce: %w", err)
}
return base64.StdEncoding.EncodeToString(aesGCM.Seal(nonce, nonce, []byte(plainText), nil)), nil
}
func DecodeAndDecrypt(base64CipherText string, symmetricKey string) (string, error) {
encrypted, err := base64.StdEncoding.DecodeString(base64CipherText)
if err != nil {
return "", fmt.Errorf("base64 decode: %w", err)
}
block, err := aes.NewCipher([]byte(symmetricKey))
if err != nil {
return "", fmt.Errorf("create new cipher: %w", err)
}
aesGCM, err := cipher.NewGCM(block)
if err != nil {
return "", fmt.Errorf("create new gcm: %w", err)
}
// Get the nonce size
nonceSize := aesGCM.NonceSize()
// Extract the nonce from the encrypted data
nonce, ciphertext := encrypted[:nonceSize], encrypted[nonceSize:]
decrypted, err := aesGCM.Open(nil, nonce, ciphertext, nil)
if err != nil {
return "", fmt.Errorf("decrypting: %w", err)
}
return string(decrypted), nil
}
const (
// FleetdConfigProfileName is the value for the PayloadDisplayName used by
// fleetd to read configuration values from the system.
FleetdConfigProfileName = "Fleetd configuration"
// FleetCAConfigProfileName is the value for the PayloadDisplayName used by
// fleetd to read configuration values from the system.
FleetCAConfigProfileName = "Fleet root certificate authority (CA)"
// FleetdFileVaultProfileName is the value for the PayloadDisplayName used
// by Fleet to configure FileVault and FileVault Escrow.
FleetFileVaultProfileName = "Disk encryption"
// FleetWindowsOSUpdatesProfileName is the name of the profile used by Fleet
// to configure Windows OS updates.
FleetWindowsOSUpdatesProfileName = "Windows OS Updates"
// FleetMacOSUpdatesProfileName is the name of the DDM profile used by Fleet
// to configure macOS OS updates.
FleetMacOSUpdatesProfileName = "Fleet macOS OS Updates"
// FleetIOSUpdatesProfileName is the name of the DDM profile used by Fleet
// to configure iOS OS updates.
FleetIOSUpdatesProfileName = "Fleet iOS OS Updates"
// FleetIPadOSUpdatesProfileName is the name of the DDM profile used by Fleet
// to configure iPadOS OS updates.
FleetIPadOSUpdatesProfileName = "Fleet iPadOS OS Updates"
)
// FleetReservedProfileNames returns a map of PayloadDisplayName or profile
// name strings that are reserved by Fleet.
func FleetReservedProfileNames() map[string]struct{} {
return map[string]struct{}{
FleetdConfigProfileName: {},
FleetFileVaultProfileName: {},
FleetWindowsOSUpdatesProfileName: {},
FleetMacOSUpdatesProfileName: {},
FleetIOSUpdatesProfileName: {},
FleetIPadOSUpdatesProfileName: {},
FleetCAConfigProfileName: {},
}
}
// ListFleetReservedWindowsProfileNames returns a list of PayloadDisplayName strings
// that are reserved by Fleet for Windows.
func ListFleetReservedWindowsProfileNames() []string {
return []string{FleetWindowsOSUpdatesProfileName}
}
// ListFleetReservedMacOSProfileNames returns a list of PayloadDisplayName strings
// that are reserved by Fleet for macOS.
func ListFleetReservedMacOSProfileNames() []string {
return []string{FleetFileVaultProfileName, FleetdConfigProfileName, FleetCAConfigProfileName}
}
// ListFleetReservedMacOSDeclarationNames returns a list of declaration names
// that are reserved by Fleet for Apple DDM declarations.
func ListFleetReservedMacOSDeclarationNames() []string {
return []string{
FleetMacOSUpdatesProfileName,
FleetIOSUpdatesProfileName,
FleetIPadOSUpdatesProfileName,
}
}
Reference in a new issue View git blame Copy permalink