Skip to content

Commit

Permalink
Merge branch 'main' into gkarr-fix-linux-desktop
Browse files Browse the repository at this point in the history
  • Loading branch information
georgekarrv authored Nov 2, 2023
2 parents 4de0fa3 + b04b20f commit 41a3067
Show file tree
Hide file tree
Showing 9 changed files with 128 additions and 18 deletions.
11 changes: 11 additions & 0 deletions changes/12274-return-code-for-password-reset
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
Fixed 500 return code from several endpoints.

/api/v1/fleet/perform_required_password_reset
- Now returns 403 when Authorization token is missing

/api/v1/fleet/hosts_summary
- Now returns 400 when low_disk_space parameter is invalid

/api/v1/fleet/sessions/*
- Now returns 404 when session cannot be found

4 changes: 4 additions & 0 deletions cmd/fleetctl/mdm_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -205,7 +205,11 @@ func TestMDMRunCommand(t *testing.T) {
}
return hosts, nil
}
winCmds := map[string]struct{}{}
ds.MDMWindowsInsertCommandForHostsFunc = func(ctx context.Context, deviceIDs []string, cmd *fleet.MDMWindowsCommand) error {
// every command uuid is different
require.NotContains(t, winCmds, cmd.CommandUUID)
winCmds[cmd.CommandUUID] = struct{}{}
return nil
}
ds.GetMDMWindowsBitLockerStatusFunc = func(ctx context.Context, host *fleet.Host) (*fleet.HostMDMDiskEncryption, error) {
Expand Down
19 changes: 18 additions & 1 deletion server/service/client_mdm.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ import (
"path/filepath"
"strings"

"github.com/beevik/etree"
"github.com/fleetdm/fleet/v4/pkg/file"
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/google/uuid"
Expand Down Expand Up @@ -334,7 +335,23 @@ func (c *Client) prepareWindowsMDMCommand(rawCmd []byte) ([]byte, error) {
if _, err := fleet.ParseWindowsMDMCommand(rawCmd); err != nil {
return nil, err
}
return rawCmd, nil

// ensure there's a CmdID with a random UUID value, we're manipulating
// the document this way to make sure we don't introduce any unintended
// changes to the command XML.
doc := etree.NewDocument()
if err := doc.ReadFromBytes(rawCmd); err != nil {
return nil, err
}
element := doc.FindElement("//CmdID")
// if we can't find a CmdID, just add one.
if element == nil {
root := doc.Root()
element = root.CreateElement("CmdID")
}
element.SetText(uuid.NewString())

return doc.WriteToBytes()
}

func (c *Client) prepareAppleMDMCommand(rawCmd []byte) ([]byte, error) {
Expand Down
66 changes: 66 additions & 0 deletions server/service/client_mdm_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
package service

import (
"testing"

"github.com/beevik/etree"
"github.com/stretchr/testify/assert"
)

func TestPrepareWindowsMDMCommand(t *testing.T) {
c := &Client{}

validXML := []byte(`
<Exec>
<CmdID>some-id</CmdID>
<Item></Item>
</Exec>
`)

invalidCmdXML := []byte(`
<Add>
<CmdID>some-id</Cmd>
<Item></Item>
</Add>
`)

noCmdIDXML := []byte(`
<Exec>
<Item></Item>
</Exec>
`)

t.Run("Modifies valid CmdID", func(t *testing.T) {
modified, err := c.prepareWindowsMDMCommand(validXML)
assert.Nil(t, err)

doc := etree.NewDocument()
err = doc.ReadFromBytes(modified)
assert.Nil(t, err)

element := doc.FindElement("//CmdID")
assert.NotNil(t, element)
assert.NotEmpty(t, element.Text())
})

t.Run("Adds CmdID if missing", func(t *testing.T) {
modified, err := c.prepareWindowsMDMCommand(noCmdIDXML)
assert.Nil(t, err)

doc := etree.NewDocument()
err = doc.ReadFromBytes(modified)
assert.Nil(t, err)

element := doc.FindElement("//CmdID")
assert.NotNil(t, element)
assert.NotEmpty(t, element.Text())
})

t.Run("Returns error on invalid XML", func(t *testing.T) {
_, err := c.prepareWindowsMDMCommand(invalidCmdXML)
assert.NotNil(t, err)

_, err = c.prepareWindowsMDMCommand([]byte("<Exec><Exec"))
assert.NotNil(t, err)
})
}
15 changes: 8 additions & 7 deletions server/service/hosts.go
Original file line number Diff line number Diff line change
Expand Up @@ -456,13 +456,6 @@ func (r getHostSummaryResponse) error() error { return r.Err }

func getHostSummaryEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
req := request.(*getHostSummaryRequest)
if req.LowDiskSpace != nil {
if *req.LowDiskSpace < 1 || *req.LowDiskSpace > 100 {
err := ctxerr.Errorf(ctx, "invalid low_disk_space threshold, must be between 1 and 100: %d", *req.LowDiskSpace)
return getHostSummaryResponse{Err: err}, nil
}
}

summary, err := svc.GetHostSummary(ctx, req.TeamID, req.Platform, req.LowDiskSpace)
if err != nil {
return getHostSummaryResponse{Err: err}, nil
Expand All @@ -475,6 +468,14 @@ func getHostSummaryEndpoint(ctx context.Context, request interface{}, svc fleet.
}

func (svc *Service) GetHostSummary(ctx context.Context, teamID *uint, platform *string, lowDiskSpace *int) (*fleet.HostSummary, error) {
if lowDiskSpace != nil {
if *lowDiskSpace < 1 || *lowDiskSpace > 100 {
svc.authz.SkipAuthorization(ctx)
return nil, ctxerr.Wrap(
ctx, badRequest(fmt.Sprintf("invalid low_disk_space threshold, must be between 1 and 100: %d", *lowDiskSpace)),
)
}
}
if err := svc.authz.Authorize(ctx, &fleet.Host{TeamID: teamID}, fleet.ActionList); err != nil {
return nil, err
}
Expand Down
24 changes: 15 additions & 9 deletions server/service/integration_core_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1774,7 +1774,7 @@ func (s *integrationTestSuite) TestGetHostSummary() {
require.Len(t, resp.Platforms, 0)

// invalid low_disk_space value is still validated and results in error
s.DoJSON("GET", "/api/latest/fleet/host_summary", nil, http.StatusInternalServerError, &resp, "low_disk_space", "1234") // TODO: should be 400, see #4406
s.DoJSON("GET", "/api/latest/fleet/host_summary", nil, http.StatusBadRequest, &resp, "low_disk_space", "1234")
}

func (s *integrationTestSuite) TestGlobalPoliciesProprietary() {
Expand Down Expand Up @@ -3413,10 +3413,18 @@ func (s *integrationTestSuite) TestUsers() {
}
s.DoJSON("PATCH", fmt.Sprintf("/api/latest/fleet/users/%d", u.ID+1), params, http.StatusNotFound, &modResp)

// perform a required password change as the user themselves
s.token = s.getTestToken(u.Email, userRawPwd)
var perfPwdResetResp performRequiredPasswordResetResponse
newRawPwd := test.GoodPassword2
// Try a required password change without authentication
s.DoJSON(
"POST", "/api/latest/fleet/perform_required_password_reset", performRequiredPasswordResetRequest{
Password: newRawPwd,
ID: u.ID,
}, http.StatusForbidden, &perfPwdResetResp,
)

// perform a required password change as the user themselves
s.token = s.getTestToken(u.Email, userRawPwd)
s.DoJSON("POST", "/api/latest/fleet/perform_required_password_reset", performRequiredPasswordResetRequest{
Password: newRawPwd,
ID: u.ID,
Expand Down Expand Up @@ -4836,17 +4844,15 @@ func (s *integrationTestSuite) TestSessionInfo() {
assert.Equal(t, ssn.ID, getResp.SessionID)
assert.Equal(t, uint(1), getResp.UserID)

// get info about session - non-existing: appears to deliberately return 500 due to forbidden,
// which takes precedence vs the not found returned by the datastore (it still shouldn't be a
// 500 though).
s.DoJSON("GET", fmt.Sprintf("/api/latest/fleet/sessions/%d", ssn.ID+1), nil, http.StatusInternalServerError, &getResp)
// get info about session
s.DoJSON("GET", fmt.Sprintf("/api/latest/fleet/sessions/%d", ssn.ID+1), nil, http.StatusNotFound, &getResp)

// delete session
var delResp deleteSessionResponse
s.DoJSON("DELETE", fmt.Sprintf("/api/latest/fleet/sessions/%d", ssn.ID), nil, http.StatusOK, &delResp)

// delete session - non-existing: again, 500 due to forbidden instead of 404.
s.DoJSON("DELETE", fmt.Sprintf("/api/latest/fleet/sessions/%d", ssn.ID), nil, http.StatusInternalServerError, &delResp)
// delete session - non-existing
s.DoJSON("DELETE", fmt.Sprintf("/api/latest/fleet/sessions/%d", ssn.ID), nil, http.StatusNotFound, &delResp)
}

func (s *integrationTestSuite) TestAppConfig() {
Expand Down
1 change: 1 addition & 0 deletions server/service/middleware/authzcheck/authzcheck.go
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ func (m *Middleware) AuthzCheck() endpoint.Middleware {
// If authorization was not checked, return a response that will
// marshal to a generic error and log that the check was missed.
if !authzctx.Checked() {
// Getting to here means there is an authorization-related bug in our code.
return nil, authz.CheckMissingWithResponse(response)
}

Expand Down
2 changes: 2 additions & 0 deletions server/service/sessions.go
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@ func getInfoAboutSessionEndpoint(ctx context.Context, request interface{}, svc f
func (svc *Service) GetInfoAboutSession(ctx context.Context, id uint) (*fleet.Session, error) {
session, err := svc.ds.SessionByID(ctx, id)
if err != nil {
svc.authz.SkipAuthorization(ctx)
return nil, err
}

Expand Down Expand Up @@ -96,6 +97,7 @@ func deleteSessionEndpoint(ctx context.Context, request interface{}, svc fleet.S
func (svc *Service) DeleteSession(ctx context.Context, id uint) error {
session, err := svc.ds.SessionByID(ctx, id)
if err != nil {
svc.authz.SkipAuthorization(ctx)
return err
}

Expand Down
4 changes: 3 additions & 1 deletion server/service/users.go
Original file line number Diff line number Diff line change
Expand Up @@ -832,7 +832,9 @@ func performRequiredPasswordResetEndpoint(ctx context.Context, request interface
func (svc *Service) PerformRequiredPasswordReset(ctx context.Context, password string) (*fleet.User, error) {
vc, ok := viewer.FromContext(ctx)
if !ok {
return nil, fleet.ErrNoContext
// No user in the context -- authentication issue
svc.authz.SkipAuthorization(ctx)
return nil, authz.ForbiddenWithInternal("No user in the context", nil, nil, nil)
}
if !vc.CanPerformPasswordReset() {
svc.authz.SkipAuthorization(ctx)
Expand Down

0 comments on commit 41a3067

Please sign in to comment.