mirror of
https://github.com/fleetdm/fleet
synced 2026-05-21 07:58:31 +00:00
3d2171d2d9
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #37192 - Move /server/service/middleware/endpoint_utils to /server/platform/endpointer - Move /server/service/middleware/authzcheck to /server/platform/middleware/authzcheck - Move /server/service/middleware/ratelimit to /server/platform/middleware/ratelimit # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **Refactor** * Reorganized internal endpoint utilities to a centralized platform location for improved code organization and maintainability. No functional changes to existing features or APIs. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai -->
246 lines
7.2 KiB
Go
246 lines
7.2 KiB
Go
package service
|
|
|
|
import (
|
|
"fmt"
|
|
"html/template"
|
|
"io"
|
|
"net/http"
|
|
"net/url"
|
|
|
|
assetfs "github.com/elazarl/go-bindata-assetfs"
|
|
shared_mdm "github.com/fleetdm/fleet/v4/pkg/mdm"
|
|
"github.com/fleetdm/fleet/v4/server/bindata"
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
"github.com/fleetdm/fleet/v4/server/platform/endpointer"
|
|
"github.com/go-kit/log"
|
|
"github.com/klauspost/compress/gzhttp"
|
|
)
|
|
|
|
func newBinaryFileSystem(root string) *assetfs.AssetFS {
|
|
return &assetfs.AssetFS{
|
|
Asset: bindata.Asset,
|
|
AssetDir: bindata.AssetDir,
|
|
AssetInfo: bindata.AssetInfo,
|
|
Prefix: root,
|
|
}
|
|
}
|
|
|
|
func ServeFrontend(urlPrefix string, sandbox bool, logger log.Logger) http.Handler {
|
|
herr := func(w http.ResponseWriter, err string) {
|
|
logger.Log("err", err)
|
|
http.Error(w, err, http.StatusInternalServerError)
|
|
}
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
endpointer.WriteBrowserSecurityHeaders(w)
|
|
|
|
// The following check is to prevent a misconfigured osquery from submitting
|
|
// data to the root endpoint (the osquery remote API uses POST for all its endpoints).
|
|
// See https://github.com/fleetdm/fleet/issues/16182.
|
|
if r.Method == "POST" {
|
|
http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
|
|
fs := newBinaryFileSystem("/frontend")
|
|
file, err := fs.Open("templates/react.tmpl")
|
|
if err != nil {
|
|
herr(w, "load react template: "+err.Error())
|
|
return
|
|
}
|
|
data, err := io.ReadAll(file)
|
|
if err != nil {
|
|
herr(w, "read bindata file: "+err.Error())
|
|
return
|
|
}
|
|
t, err := template.New("react").Parse(string(data))
|
|
if err != nil {
|
|
herr(w, "create react template: "+err.Error())
|
|
return
|
|
}
|
|
serverType := "on-premise"
|
|
if sandbox {
|
|
serverType = "sandbox"
|
|
}
|
|
if err := t.Execute(w, struct {
|
|
URLPrefix string
|
|
ServerType string
|
|
}{
|
|
URLPrefix: urlPrefix,
|
|
ServerType: serverType,
|
|
}); err != nil {
|
|
herr(w, "execute react template: "+err.Error())
|
|
return
|
|
}
|
|
})
|
|
}
|
|
|
|
// ServeEndUserEnrollOTA implements the entrypoint handler for the /enroll
|
|
// path, used to add hosts in "BYOD" mode (currently, iPhone/iPad/Android).
|
|
func ServeEndUserEnrollOTA(
|
|
svc fleet.Service,
|
|
urlPrefix string,
|
|
ds fleet.Datastore,
|
|
logger log.Logger,
|
|
) http.Handler {
|
|
herr := func(w http.ResponseWriter, err string) {
|
|
logger.Log("err", err)
|
|
http.Error(w, err, http.StatusInternalServerError)
|
|
}
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
endpointer.WriteBrowserSecurityHeaders(w)
|
|
setupRequired, err := svc.SetupRequired(r.Context())
|
|
if err != nil {
|
|
herr(w, "setup required err: "+err.Error())
|
|
return
|
|
}
|
|
if setupRequired {
|
|
herr(w, "fleet instance not setup")
|
|
return
|
|
}
|
|
|
|
appCfg, err := ds.AppConfig(r.Context())
|
|
if err != nil {
|
|
herr(w, "load appconfig err: "+err.Error())
|
|
return
|
|
}
|
|
|
|
errorMsg := r.URL.Query().Get("error")
|
|
if errorMsg != "" {
|
|
if err := renderEnrollPage(w, appCfg, urlPrefix, "", errorMsg); err != nil {
|
|
herr(w, err.Error())
|
|
}
|
|
return
|
|
}
|
|
|
|
enrollSecret := r.URL.Query().Get("enroll_secret")
|
|
if enrollSecret == "" {
|
|
if err := renderEnrollPage(w, appCfg, urlPrefix, "", "This URL is invalid. : Enroll secret is invalid. Please contact your IT admin."); err != nil {
|
|
herr(w, err.Error())
|
|
}
|
|
return
|
|
}
|
|
|
|
authRequired, err := shared_mdm.RequiresEnrollOTAAuthentication(r.Context(), ds,
|
|
enrollSecret, appCfg.MDM.MacOSSetup.EnableEndUserAuthentication)
|
|
if err != nil {
|
|
herr(w, "check if authentication is required err: "+err.Error())
|
|
return
|
|
}
|
|
|
|
if authRequired {
|
|
// check if authentication cookie is present, in which case we go ahead with
|
|
// offering the enrollment profile to download.
|
|
var cookieIdPRef string
|
|
if byodCookie, _ := r.Cookie(shared_mdm.BYODIdpCookieName); byodCookie != nil {
|
|
cookieIdPRef = byodCookie.Value
|
|
|
|
// if the cookie is present, we should also receive a (matching) enroll reference
|
|
if cookieIdPRef != "" {
|
|
enrollRef := r.URL.Query().Get("enrollment_reference")
|
|
if cookieIdPRef != enrollRef {
|
|
cookieIdPRef = "" // cookie does not match the enroll reference, so we ignore it and require authentication
|
|
}
|
|
}
|
|
}
|
|
|
|
if cookieIdPRef == "" {
|
|
// IdP authentication has not been completed yet, initiate it by
|
|
// redirecting to the configured IdP provider.
|
|
if err := initiateOTAEnrollSSO(svc, w, r, enrollSecret); err != nil {
|
|
herr(w, "initiate IdP SSO authentication err: "+err.Error())
|
|
return
|
|
}
|
|
return
|
|
}
|
|
}
|
|
|
|
// if we get here, IdP SSO authentication is either not required, or has
|
|
// been successfully completed (we have a cookie with the IdP account
|
|
// reference).
|
|
if err := renderEnrollPage(w, appCfg, urlPrefix, enrollSecret, ""); err != nil {
|
|
herr(w, err.Error())
|
|
return
|
|
}
|
|
})
|
|
}
|
|
|
|
func generateEnrollOTAURL(fleetURL string, enrollSecret string) (string, error) {
|
|
path, err := url.JoinPath(fleetURL, "/api/v1/fleet/enrollment_profiles/ota")
|
|
if err != nil {
|
|
return "", fmt.Errorf("creating path for end user ota enrollment url: %w", err)
|
|
}
|
|
|
|
enrollURL, err := url.Parse(path)
|
|
if err != nil {
|
|
return "", fmt.Errorf("parsing end user ota enrollment url: %w", err)
|
|
}
|
|
|
|
q := enrollURL.Query()
|
|
q.Set("enroll_secret", enrollSecret)
|
|
enrollURL.RawQuery = q.Encode()
|
|
return enrollURL.String(), nil
|
|
}
|
|
|
|
func renderEnrollPage(w io.Writer, appCfg *fleet.AppConfig, urlPrefix, enrollSecret, errorMessage string) error {
|
|
fs := newBinaryFileSystem("/frontend")
|
|
file, err := fs.Open("templates/enroll-ota.html")
|
|
if err != nil {
|
|
return fmt.Errorf("load enroll ota template: %w", err)
|
|
}
|
|
|
|
data, err := io.ReadAll(file)
|
|
if err != nil {
|
|
return fmt.Errorf("read bindata file: %w", err)
|
|
}
|
|
|
|
t, err := template.New("enroll-ota").Parse(string(data))
|
|
if err != nil {
|
|
return fmt.Errorf("create react template: %w", err)
|
|
}
|
|
|
|
enrollURL, err := generateEnrollOTAURL(urlPrefix, enrollSecret)
|
|
if err != nil {
|
|
return fmt.Errorf("generate enroll ota url: %w", err)
|
|
}
|
|
if err := t.Execute(w, struct {
|
|
EnrollURL string
|
|
URLPrefix string
|
|
ErrorMessage string
|
|
AndroidMDMEnabled bool
|
|
MacMDMEnabled bool
|
|
AndroidFeatureEnabled bool
|
|
}{
|
|
URLPrefix: urlPrefix,
|
|
EnrollURL: enrollURL,
|
|
ErrorMessage: errorMessage,
|
|
AndroidMDMEnabled: appCfg.MDM.AndroidEnabledAndConfigured,
|
|
MacMDMEnabled: appCfg.MDM.EnabledAndConfigured,
|
|
AndroidFeatureEnabled: true,
|
|
}); err != nil {
|
|
return fmt.Errorf("execute react template: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func initiateOTAEnrollSSO(svc fleet.Service, w http.ResponseWriter, r *http.Request, enrollSecret string) error {
|
|
ssnID, ssnDurationSecs, idpURL, err := svc.InitiateMDMSSO(r.Context(), "ota_enroll", "/enroll?enroll_secret="+url.QueryEscape(enrollSecret), "")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
setSSOCookie(w, ssnID, ssnDurationSecs)
|
|
http.Redirect(w, r, idpURL, http.StatusSeeOther)
|
|
return nil
|
|
}
|
|
|
|
func ServeStaticAssets(path string) http.Handler {
|
|
contentTypes := []string{"text/javascript", "text/css"}
|
|
withoutGzip := http.StripPrefix(path, http.FileServer(newBinaryFileSystem("/assets")))
|
|
|
|
withOpts, err := gzhttp.NewWrapper(gzhttp.ContentTypes(contentTypes))
|
|
if err != nil { // fall back to serving without gzip if serving with gzip somehow fails
|
|
return withoutGzip
|
|
}
|
|
|
|
return withOpts(withoutGzip)
|
|
}
|