Changes: - Created a new database model: `MicrosoftComplianceTenant`. A model that stores information about compliance tenants - Added `/policies/is-cloud-customer`: a policy that blocks requests to Microsoft proxy endpoints if a `MS API KEY` header is missing or does not match a new config variable (`sails.custom.config.cloudCustomerCompliancePartnerSharedSecret`) - Added `microsoft-proxy/create-compliance-partner-tenant`: an action that creates a database record for a new compliance tenant and generates an API key that is used to authenticate future requests to Microsoft proxy endpoints for an Entra tenant. - Added `microsoft-proxy/get-compliance-partner-settings`: an action that returns information about Fleet's compliance partner Entra application and the Entra tenant's admin consent status (whether or not a tenant's Entra admin has granted permissions to Fleet's compliance partner application) - Added `microsoft-proxy/get-tenants-admin-consent-status`: an action that updates the admin consent status of a compliance tenant record. - Added `microsoft-proxy/setup-compliance-partner-tenant`: an action that provisions a compliance tenant, creates a compliance policy for macOS devices, and assigns the created policy to the built-in "All users" user group on the tenant's Entra instance. - Added `microsoft-proxy/update-one-devices-compliance-status`: an action that receives information about a device on a compliance tenant's Fleet instance, sends that information to their Entra instance, and returns the message ID returned by the asynchronous Entra API. - Added `microsoft-proxy/get-one-compliance-status-result`: an action that returns the result of a compliance status update from the Entra API. - Added `sails.helpers.microsoft-proxy.get-access-token-and-api-urls`: a helper that gets an access token for a tenant's Entra instance and the URLs of the API endpoints the Microsoft proxy actions use for a tenant. 
- Added `scripts/send-entra-heartbeat-requests`: a script that will run daily to keep all Microsoft compliance integrations provisioned. - --------- Co-authored-by: Lucas Rodriguez <[email protected]>
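module.exports = {


  friendlyName: 'Create compliance partner tenant',


  description: 'Creates a new Microsoft compliance partner tenant record for a provided tenant ID and returns a generated secret.',


  inputs: {

    entraTenantId: {
      type: 'string',
      required: true,
      description: 'The Entra tenant ID the new compliance partner record is created for.',
    },

  },


  exits: {

    success: { description: 'Details about a new Microsoft compliance tenant have been returned to a Fleet instance.' },

    // The lookup below is keyed on the requesting Fleet instance (Origin header), not on the tenant ID.
    connectionAlreadyExists: { description: 'A Microsoft compliance tenant with completed setup already exists for the requesting Fleet instance.', statusCode: 409 },

    missingOriginHeader: { description: 'No Origin header set', responseType: 'badRequest' },

  },


  // Creates (or re-creates, if an earlier attempt never finished setup) the compliance tenant record
  // for the Fleet instance identified by the request's Origin header, and hands back the freshly
  // generated `fleetServerSecret` together with the tenant ID it was registered for.
  //
  // Throws 'missingOriginHeader' (400) when no Origin header is present, and
  // 'connectionAlreadyExists' (409) when a fully set-up record already exists for this origin.
  fn: async function ({entraTenantId}) {

    // The Origin header is what identifies the requesting Fleet instance, and it becomes the key the
    // record is stored under. Note: req.get() is case insensitive.
    const fleetInstanceUrl = this.req.get('origin');
    if (!fleetInstanceUrl) {
      throw 'missingOriginHeader';
    }
    // NOTE(review): the header value is stored as-is, without being parsed or normalized as a URL,
    // and it is caller-controlled. This action is presumably only reachable after the shared-secret
    // policy guarding the microsoft-proxy endpoints — confirm that in the route/policy config.

    // Look for an existing microsoftComplianceTenant record for the requesting Fleet instance's URL.
    const existingComplianceTenant = await MicrosoftComplianceTenant.findOne({ fleetInstanceUrl });
    if (existingComplianceTenant) {
      if (existingComplianceTenant.setupCompleted) {
        // Setup was already completed for this instance: refuse to issue a second secret. (The user
        // will need to delete the existing integration in the Fleet UI before creating a new one.)
        throw 'connectionAlreadyExists';
      }
      // Setup never finished for this instance: discard the stale record so a new one (with a new
      // secret) is created below.
      // NOTE(review): find → destroy → create is not atomic; two concurrent requests with the same
      // Origin could both pass this check. A uniqueness constraint on fleetInstanceUrl in the model
      // (not visible here) would close that gap.
      await MicrosoftComplianceTenant.destroyOne({ id: existingComplianceTenant.id });
    }

    // This secret is what the Fleet instance must present on its later microsoft-proxy requests.
    // NOTE(review): assumes sails.helpers.strings.random draws from a CSPRNG — confirm. The value
    // is also persisted in plaintext, so the database row is as sensitive as the secret itself.
    const fleetServerSecret = sails.helpers.strings.random.with({ len: 30 });

    // Create a new database record for this tenant.
    const newTenant = await MicrosoftComplianceTenant.create({
      fleetServerSecret,
      entraTenantId,
      fleetInstanceUrl,
      setupCompleted: false,
    }).fetch();

    // Response keys are snake_case to match the Fleet server's expectations.
    return {
      fleet_server_secret: newTenant.fleetServerSecret,// eslint-disable-line camelcase
      entra_tenant_id: entraTenantId,// eslint-disable-line camelcase
    };

  }


};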