fleet/server/mdm/scep/client/client.go
Lucas Manuel Rodriguez 4948325892
fleetd generate TPM key and issue SCEP certificate (#30932)
#30461

This PR contains the changes for the happy path. In a separate PR we will be adding tests and further fixes for edge cases.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [ ] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
  - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)).
  - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`).
  - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.
  - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).

## Summary by CodeRabbit

* **New Features**
  * Added support for using a TPM-backed key and SCEP-issued certificate to sign HTTP requests, enhancing security through hardware-based key management.
  * Introduced new CLI and environment flags to enable TPM-backed client certificates for Linux packages and Orbit.
  * Added a local HTTPS proxy that automatically signs requests using the TPM-backed key.

* **Bug Fixes**
  * Improved cleanup and restart behavior when authentication fails with a host identity certificate.

* **Tests**
  * Added comprehensive tests for SCEP client functionality and TPM integration.

* **Chores**
  * Updated scripts and documentation to support TPM-backed client certificate packaging and configuration.
2025-07-18 11:31:52 -03:00

74 lines
1.7 KiB
Go

package scepclient

import (
	"time"

	scepserver "github.com/fleetdm/fleet/v4/server/mdm/scep/server"
	"github.com/go-kit/log"
	"github.com/go-kit/log/level"
)

// Client is a SCEP Client
type Client interface {
	scepserver.Service
	Supports(capacity string) bool
}

// clientOpts holds the settings collected from the functional options below.
type clientOpts struct {
	timeout  *time.Duration // request timeout passed through to the scepserver client
	rootCA   string         // path to the root CA file used to verify the SCEP server
	insecure bool           // skip server certificate verification (tests only)
}

// Option is a functional option for configuring a SCEP Client
type Option func(*clientOpts)

// WithRootCA sets the root CA file to use when connecting to the SCEP server.
func WithRootCA(rootCA string) Option {
	return func(c *clientOpts) {
		c.rootCA = rootCA
	}
}

// Insecure configures the client to not verify server certificates.
// Only used for tests.
func Insecure() Option {
	return func(c *clientOpts) {
		c.insecure = true
	}
}

// WithTimeout configures the timeout for SCEP client requests.
func WithTimeout(timeout *time.Duration) Option {
	return func(c *clientOpts) {
		c.timeout = timeout
	}
}

// New creates a SCEP Client.
func New(
	serverURL string,
	logger log.Logger,
	opts ...Option,
) (Client, error) {
	var co clientOpts
	for _, fn := range opts {
		fn(&co)
	}
	// Translate the collected options into scepserver client options.
	clientOpts := []scepserver.ClientOption{
		scepserver.WithClientTimeout(co.timeout),
		scepserver.WithClientRootCA(co.rootCA),
	}
	if co.insecure {
		clientOpts = append(clientOpts, scepserver.ClientInsecure())
	}
	endpoints, err := scepserver.MakeClientEndpoints(serverURL, clientOpts...)
	if err != nil {
		return nil, err
	}
	// Wrap both endpoints with info-level logging middleware.
	logger = level.Info(logger)
	endpoints.GetEndpoint = scepserver.EndpointLoggingMiddleware(logger)(endpoints.GetEndpoint)
	endpoints.PostEndpoint = scepserver.EndpointLoggingMiddleware(logger)(endpoints.PostEndpoint)
	return endpoints, nil
}
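The file above only forwards its three options (`WithRootCA`, `Insecure`, `WithTimeout`) to the `scepserver` package, so the TLS trust decisions they imply are not visible here. The following is an added, self-contained example (not Fleet's code and not the `scepserver` implementation) that re-implements option types of the same shape and shows what a client built from them should do with the trust material: pin the server to the CA in the root CA file, fail hard on a missing or unparseable file instead of falling back to system roots, and only skip verification when `Insecure()` is requested. `NewHTTPClient`, `ErrConflictingTrust` and `WriteSelfSignedCA` are this example's own names, the CA certificate is constructed in a temp directory at run time, and treating `Insecure()` together with `WithRootCA()` as an error is this example's design choice, not behaviour the page's code has.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

// Hypothetical re-implementation of the option types shaped like the ones in
// the file above, so the example is self-contained (not Fleet's code).
type clientOpts struct {
	timeout  *time.Duration
	rootCA   string
	insecure bool
}

// Option is a functional option applied to clientOpts.
type Option func(*clientOpts)

// WithRootCA pins server trust to the CA certificate(s) in a PEM file.
func WithRootCA(path string) Option { return func(c *clientOpts) { c.rootCA = path } }

// Insecure disables server certificate verification (test use only).
func Insecure() Option { return func(c *clientOpts) { c.insecure = true } }

// WithTimeout sets the per-request timeout; nil keeps the http.Client default.
func WithTimeout(d *time.Duration) Option { return func(c *clientOpts) { c.timeout = d } }

// ErrConflictingTrust: this example refuses to both pin a root CA and skip
// verification, rather than silently letting one option win (example's choice).
var ErrConflictingTrust = errors.New("Insecure() and WithRootCA() are mutually exclusive")

// NewHTTPClient builds an *http.Client whose TLS trust reflects the options:
// pinned root CA, system roots (no trust option), or no verification (Insecure).
func NewHTTPClient(opts ...Option) (*http.Client, error) {
	var co clientOpts
	for _, fn := range opts {
		fn(&co)
	}
	if co.insecure && co.rootCA != "" {
		return nil, ErrConflictingTrust
	}
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	switch {
	case co.insecure:
		tlsCfg.InsecureSkipVerify = true // test-only path
	case co.rootCA != "":
		pemBytes, err := os.ReadFile(co.rootCA)
		if err != nil {
			return nil, fmt.Errorf("read root CA %q: %w", co.rootCA, err)
		}
		pool := x509.NewCertPool()
		// A file with no parseable certificate is a hard error here; otherwise an
		// empty pool would quietly fall back to whatever Go trusts by default.
		if !pool.AppendCertsFromPEM(pemBytes) {
			return nil, fmt.Errorf("root CA %q: no PEM certificates found", co.rootCA)
		}
		tlsCfg.RootCAs = pool
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}
	if co.timeout != nil {
		client.Timeout = *co.timeout
	}
	return client, nil
}

// WriteSelfSignedCA writes a constructed, throwaway CA certificate to dir and
// returns its path; it stands in for a real SCEP server's root CA file.
func WriteSelfSignedCA(dir string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-scep-root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, "scep-root.pem")
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return path, os.WriteFile(path, pemBytes, 0o600)
}
```

When called with no trust option, `NewHTTPClient()` leaves `RootCAs` nil, which means the Go runtime's system roots; `WithRootCA` replaces that set entirely rather than adding to it, so a client configured this way will only accept a SCEP server whose chain terminates at the pinned CA.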