POST /api/v1/fleet/mdm/apple/profiles/batch for Team returning HTTP-403 with Team Admin User API Token

[jrreed]

Fleet version: 4.30.1

Operating system: macOS 12.6

Web browser: Chrome 112.0.5615.137

---

🧑‍💻  Expected behavior

Issuing a POST /api/v1/fleet/mdm/apple/profiles/batch API with:

• a valid team_id
• Authorization: Bearer <API_TOKEN> from a User with an 'admin' role for the same team_id

should result in an HTTP-2XX response

💥  Actual behavior

API responds with an HTTP-403 and the following JSON in the response body:

{
  "message": "forbidden",
  "errors": [
    {
      "name": "base",
      "reason": "forbidden"
    }
  ],
  "uuid": "70ab5d55-45e9-4b35-b885-f8a9ac719127"
}

👣 Reproduction steps

• Create a Team: POST /api/v1/fleet/teams
• Create an API only admin User for the Team: POST /api/v1/fleet/users/admin with the following request body:

  "admin_forced_password_reset": false,
  "api_only": true,
  "teams": [{ id: <TEAM_ID>, "role": "admin"}]

• Obtain an API token for the Team admin User: POST /api/v1/fleet/login
• Batch-apply Apple MDM custom settings to the Team using the User API token: (verbose request log output from our API client)

  POST https://harmonize-stg.cloud.fleetdm.com/api/v1/fleet/mdm/apple/profiles/batch
  Accept: "application/json"
  User-Agent: "Faraday v1.10.3"
  Authorization: "Bearer <API_TOKEN>"
  Content-Type: "application/json"
  Request Body:
  {
  "team_id":36,
  "profiles":["<BASE64_ENCODED_PROFILE_CONTENT"]
  }

• Observe an HTTP-403 response 💥 (verbose response log output from our API client)

  date: "Fri, 28 Apr 2023 15:40:40 GMT"
  content-type: "application/json; charset=utf-8"
  content-length: "160"
  connection: "keep-alive"
  {
  "message": "forbidden",
  "errors": [
  {
    "name": "base",
    "reason": "forbidden"
  }
  ],
  "uuid": "70ab5d55-45e9-4b35-b885-f8a9ac719127"
  }

• Retry the request using an API token from a Global 'admin' User
• Observe an HTTP-204 response ✅
• List the configuration profiles for the Team: GET /api/v1/fleet/mdm/apple/profiles?team_id=<TEAM_ID>
• Observe that the response contains an empty list of configuration profiles: ❌

  {
  "profiles": null
  }

More info

Hi!

I'm currently implementing a service to bootstrap and sync Apple MDM configuration profiles across our Fleet Team records using the Batch-apply Apple MDM custom settings API.

Our current implementation pairs each Team record with a dedicated API-only 'admin' User record. All API requests for a Team are issued using the API token from that Team's dedicated API-only 'admin' User record.

I can get a successful HTTP-2XX response from the server if I use an API token for a Global 'admin' User, but it doesn't appear to be creating the profiles because when I then attempt to retrieve the profiles I just created I get an empty list.

I'm not quite sure what I'm doing wrong...

I don't think it's a problem with the Base64 encoded profiles because I can create Apple MDM configuration profiles with the same files, but using the Add custom macOS setting API instead:

POST /api/v1/fleet/mdm/apple/profiles

I don't think it's a problem with the dedicated API-only 'admin' User record for the Team because I can make other Team specific API requests using the dedicated API-only 'admin' User API token and get receive expected successful results.

Any help would be much appreciated.

Thanks in advance!

[jrreed]

Sorry, I did not read the API docs correctly.

So the issue here was that I was submitting the request with the team_id as a field in the request body, which the API was just ignoring because it's supposed to be a query param.

Altering the request to submit the team_id as a query param resolved the issue, which is documented in the API correctly -- thats my fault, sorry 🤦

POST https://harmonize-stg.cloud.fleetdm.com/api/v1/fleet/mdm/apple/profiles/batch?team_id=<TEAM_ID>

The HTTP-403 was because the server thought my dedicated API-only 'admin' User for a Team was trying to create global profiles, which it was not authorized to do because it did not have global 'admin' permissions.

Perhaps a couple suggestions:

• Submitting the team_id as a query param on a POST is unexpected both for REST and for the rest of the FleetDM APIs.
  • The other FleetDM APIs expect the team_id as a field in the request body JSON
  • submitting team_id as either a URL path parameter _(api/v1/fleet/teams/{team_id}/mdm/apple/profiles/batch)_ or a field in the request body would be more consistent
• If the server rejects unrecognized body fields with an HTTP-400 then this would be easier to identify

[fleet-release]

Forbidden no more, Profiles batched as they soar, Cloud city endures.