mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 21:47:20 +00:00
c1c078795e
for #30502 # Details This PR fixes an issue where `fleetctl generate-gitops` would not always add a `macos_setup` setting to a .yml file even if the team had a setup experience configured. This was due to relying on the `MacOSSetup` config returned by app/team config APIs to have this data populated, which turned out to be an incorrect assumption. Instead, we now utilize various APIs to check for the presence of setup software, scripts, bootstrap packages and profiles. Note that for now, `generate-gitops` will only output a `TODO` line if setup experience is detected; https://github.com/fleetdm/fleet/issues/30210 is open to flesh this out. In the meantime `fleetctl gitops` will fail if this TODO is inserted, so that the user must go and fix it manually. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - [X] Added/updated automated tests - [X] Manual QA for all new/changed functionality # Testing I set up MDM on a local instance and tried the following both on No Team and a regular team: * Turned "End user authentication on", verified that `fleetctl generate-gitops` output a `macos_setup` setting for the team. Turned it back off and verified that `macos_setup` was no longer exported by `fleetctl generate-gitops`. * Did the same for bootstrap package. * Did the same for install software, and additionally verified that having software available but _not_ selected did not cause `macos_setup` to be exported. Same for teams with no software available at all. * Did the same for setup assistant. I also tested that changes to No Team didn't affect the output when exporting a regular team. --------- Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
167 lines
5 KiB
Go
167 lines
5 KiB
Go
package service
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"mime/multipart"
|
|
"net/http"
|
|
"net/url"
|
|
"strconv"
|
|
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
)
|
|
|
|
// TODO(mna): those methods are unused except for an internal tool, remove or
|
|
// migrate to new endpoints (those apple-specific endpoints are deprecated)?
|
|
|
|
func (c *Client) DeleteProfile(profileID uint) error {
|
|
verb, path := "DELETE", "/api/latest/fleet/mdm/apple/profiles/"+strconv.FormatUint(uint64(profileID), 10)
|
|
var responseBody deleteMDMAppleConfigProfileResponse
|
|
return c.authenticatedRequest(nil, verb, path, &responseBody)
|
|
}
|
|
|
|
func (c *Client) ListProfiles(teamID *uint) ([]*fleet.MDMAppleConfigProfile, error) {
|
|
verb, path := "GET", "/api/latest/fleet/mdm/apple/profiles"
|
|
query := make(url.Values)
|
|
if teamID != nil {
|
|
query.Add("team_id", strconv.FormatUint(uint64(*teamID), 10))
|
|
}
|
|
var responseBody listMDMAppleConfigProfilesResponse
|
|
if err := c.authenticatedRequestWithQuery(nil, verb, path, &responseBody, query.Encode()); err != nil {
|
|
return nil, err
|
|
}
|
|
return responseBody.ConfigProfiles, nil
|
|
}
|
|
|
|
func (c *Client) ListConfigurationProfiles(teamID *uint) ([]*fleet.MDMConfigProfilePayload, error) {
|
|
verb, path := "GET", "/api/latest/fleet/configuration_profiles"
|
|
query := make(url.Values)
|
|
if teamID != nil {
|
|
query.Add("team_id", strconv.FormatUint(uint64(*teamID), 10))
|
|
}
|
|
var responseBody listMDMConfigProfilesResponse
|
|
if err := c.authenticatedRequestWithQuery(nil, verb, path, &responseBody, query.Encode()); err != nil {
|
|
return nil, err
|
|
}
|
|
return responseBody.Profiles, nil
|
|
}
|
|
|
|
// Get the contents of a saved profile.
|
|
func (c *Client) GetProfileContents(profileID string) ([]byte, error) {
|
|
verb, path := "GET", "/api/latest/fleet/mdm/profiles/"+profileID
|
|
response, err := c.AuthenticatedDo(verb, path, "alt=media", nil)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("%s %s: %w", verb, path, err)
|
|
}
|
|
defer response.Body.Close()
|
|
err = c.parseResponse(verb, path, response, nil)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("%s %s: %w", verb, path, err)
|
|
}
|
|
if response.StatusCode != http.StatusNoContent {
|
|
b, err := io.ReadAll(response.Body)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("reading response body: %w", err)
|
|
}
|
|
return b, nil
|
|
}
|
|
return nil, nil
|
|
}
|
|
|
|
func (c *Client) AddProfile(teamID uint, configurationProfile []byte) (uint, error) {
|
|
if c.token == "" {
|
|
return 0, errors.New("authentication token is empty")
|
|
}
|
|
body := &bytes.Buffer{}
|
|
writer := multipart.NewWriter(body)
|
|
teamIDField, err := writer.CreateFormField("team_id")
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
if _, err := teamIDField.Write([]byte(strconv.FormatUint(uint64(teamID), 10))); err != nil {
|
|
return 0, err
|
|
}
|
|
profileField, err := writer.CreateFormFile("profile", "mobileconfig")
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
if _, err := profileField.Write(configurationProfile); err != nil {
|
|
return 0, err
|
|
}
|
|
if err := writer.Close(); err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
request, err := http.NewRequest(
|
|
"POST",
|
|
c.baseURL.String()+"/api/latest/fleet/mdm/apple/profiles",
|
|
body,
|
|
)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
request.Header.Set("Content-Type", writer.FormDataContentType())
|
|
request.Header.Set("Accept", "application/json")
|
|
request.Header.Set("Authorization", fmt.Sprintf("Bearer %s", c.token))
|
|
|
|
response, err := c.http.Do(request)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
defer response.Body.Close()
|
|
|
|
if response.Header.Get(fleet.HeaderLicenseKey) == fleet.HeaderLicenseValueExpired {
|
|
fleet.WriteExpiredLicenseBanner(c.errWriter)
|
|
}
|
|
|
|
if response.StatusCode != http.StatusOK {
|
|
return 0, fmt.Errorf("request failed: %s", response.Status)
|
|
}
|
|
|
|
responseBody, err := io.ReadAll(response.Body)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
var addProfileResponse *newMDMAppleConfigProfileResponse
|
|
if err := json.Unmarshal(responseBody, &addProfileResponse); err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
return addProfileResponse.ProfileID, nil
|
|
}
|
|
|
|
func (c *Client) GetConfigProfilesSummary(teamID *uint) (*fleet.MDMProfilesSummary, error) {
|
|
verb, path := "GET", "/api/latest/fleet/mdm/profiles/summary"
|
|
query := make(url.Values)
|
|
if teamID != nil {
|
|
query.Add("team_id", strconv.FormatUint(uint64(*teamID), 10))
|
|
}
|
|
var responseBody getMDMProfilesSummaryResponse
|
|
if err := c.authenticatedRequestWithQuery(nil, verb, path, &responseBody, query.Encode()); err != nil {
|
|
return nil, err
|
|
}
|
|
return &responseBody.MDMProfilesSummary, nil
|
|
}
|
|
|
|
// Get the Apple setup assistant profile for the given team, if any.
|
|
func (c *Client) GetAppleMDMEnrollmentProfile(teamID uint) (*fleet.MDMAppleSetupAssistant, error) {
|
|
verb, path := "GET", "/api/latest/fleet/enrollment_profiles/automatic"
|
|
var query string
|
|
if teamID != 0 {
|
|
query = fmt.Sprintf("team_id=%d", teamID)
|
|
}
|
|
var responseBody createMDMAppleSetupAssistantResponse
|
|
if err := c.authenticatedRequestWithQuery(nil, verb, path, &responseBody, query); err != nil {
|
|
var notFoundErr notFoundErr
|
|
if errors.As(err, ¬FoundErr) {
|
|
// If the profile is not found, return nil instead of an error.
|
|
return nil, nil
|
|
}
|
|
return nil, err
|
|
}
|
|
return &responseBody.MDMAppleSetupAssistant, nil
|
|
}
|