Closed zwass closed 1 year ago
@noahtalerman what authorization checks do we want for someone to get the certificate information (basically, which user types should be able to run `fleetctl get mdm-apple`)?
> which user types should be able to run `fleetctl get mdm-apple`
@zwass only users with the admin role in Fleet should be able to generate certificates (`fleetctl generate mdm-apple`) and get certificate information (`fleetctl get mdm-apple`).
I updated the epic's description to call this out: #7456
FYI I added a Related section in this issue's and #8595's description. This section includes links to the related issues.
@mna Assigning to you for specifications.
@noahtalerman @zwass regarding the `Common Name` information, this is a deprecated field in SSL certificates and Go deprecated it as of Go 1.15 (https://golang.google.cn/doc/go1.15#commonname).
From https://support.dnsimple.com/articles/what-is-common-name/:
> the SAN extension was introduced to integrate the common name. Since HTTPS was first introduced in 2000 (and defined by the RFC 2818), the use of the commonName field has been considered deprecated, because it's ambiguous and untyped. The CA/Browser Forum has since mandated that the SAN would also include any value present in the common name, effectively making the SAN the only required reference for a certificate match with the server name. The notion of the common name survives mostly as a legacy of the past.
Maybe we should label that information differently, as technically, anyway, this would be the first SAN listed? (or maybe we should list all SANs)
It seems fine to me to store the CN also in the SAN field and then use that value. Does that seem reasonable to you @mna?
> It seems fine to me to store the CN also in the SAN field and then use that value.

@zwass I think so, I'm not too familiar with how much control we have over those values when we generate the cert, but I'll check with @michalnicp.
The cert issued by apple contains the cn. Until Apple changes this, I think it's fine to use it even though it's "deprecated".
@mna heads up, we removed the Apple ID requirement from the parent issue:
This is a separate problem that we'll address later. Here's the issue:
This means that, for now, we won't store and present Apple ID information.
cc @michalnicp
Output from the command:
No MDM certificate provided to `fleet serve`:
Valid MDM certificate:
Soon to be expired:
Already expired:
@noahtalerman for confirmation (especially for the colored warning/error messages).
@mna looks good!
FYI I'm tracking updating the "TODO link to documentation" in this issue: #8799
@mna As part of building the UI for managing Apple MDM information in #8855 we are going to need two endpoints:
1) One endpoint to retrieve data for the "Apple Push Certificates Portal" and "Apple Business Manager" sections:
2) One endpoint to change the default team for Apple MDM hosts.
My question: Do these endpoints exist (or will they exist) as part of the `fleetctl` work currently happening? If so, would you please point me to where they are documented (or will be documented)? Thanks!
@lukeheath They do/will exist. Note that to get the APNs and Apple BM sections, it is two separate endpoints:
- `GET /mdm/apple` for APNs, see task 1) here: https://github.com/fleetdm/fleet/issues/8596
- `GET /mdm/apple_bm` for Apple BM, see task 1) here: https://github.com/fleetdm/fleet/issues/8726

And to change the default team, it's a new setting `mdm.apple_bm_default_team` in the AppConfig, so it is modified via the same old `PATCH /config` endpoint: https://github.com/fleetdm/fleet/issues/8733 (and the value will be retrieved using `GET /config`).
All 3 are works in progress, none of those are merged yet (only `GET /mdm/apple` is actually ready in a PR as of this writing), so the only proper endpoint documentation is in this PR here: https://github.com/fleetdm/fleet/pull/8786/files#diff-831a63ebb3cab9b4e6b82d803d9ffcdc3722b12d486dcd7b13e9576643bb50b0R528
Implement "Apple Push Certificates Portal - See status" from https://github.com/fleetdm/fleet/issues/7456.
Implement an API that returns the information as shown in the output examples of the parent issue. This should be based on the certificate configured in the `mdm_apple_apns_cert` config. Only users with the admin role can read this information.
Implement the `fleetctl get mdm-apple` command with output as described in the parent issue.
Related
- #8595
Tasks (spec'd by @mna)
1. [x] Add API endpoint to retrieve the Apple MDM information `GET /mdm/apple`. Make sure we're aligned with the endpoints created by the generation ticket: https://github.com/fleetdm/fleet/issues/8594. Supports both free and premium.
   - [x] Retrieve the metadata to return from this API call (as JSON): `Common Name`, `Serial Number`, `Issuer` and `Renew Date`. `Serial Number`, `Issuer` and `Renew Date` information can be extracted from the certificate itself (https://pkg.go.dev/crypto/x509#Certificate); they correspond to the `SerialNumber`, `Issuer` and `NotAfter` fields, respectively. The `Common Name` field is available in the `Subject` field of the certificate (`Subject: UID=com.apple.mgmt.External.<uuid>, CN=APSP:<uuid>, C=US`), stored in the `CommonName` field (https://pkg.go.dev/crypto/x509/pkix#Name). `Apple ID` will not be returned for now (see https://github.com/fleetdm/fleet/issues/8596#issuecomment-1314495501).
2. `fleetctl get mdm-apple` command
3. `fleetctl`, and `fleetctl` is the recommended use.
4. [ ] Document the use of `fleetctl` to generate mdm apple and view its information.
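As an added example (not Fleet's code), the field mapping spec'd in task 1 together with the valid / soon-to-expire / expired states shown in the `fleetctl get mdm-apple` output above, in Go. `AppleMDMInfo`, its JSON names, `ParseAPNSCert`, the warning window and the constructed self-signed certificate are all assumptions; the UID attribute of a real APNs subject is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

type AppleMDMInfo struct { // the four fields the issue lists for GET /mdm/apple; JSON names are assumed
	CommonName   string    `json:"common_name"`
	SerialNumber string    `json:"serial_number"`
	Issuer       string    `json:"issuer"`
	RenewDate    time.Time `json:"renew_date"`
}
// ParseAPNSCert decodes a PEM certificate and maps Subject.CommonName, SerialNumber, Issuer and NotAfter.
func ParseAPNSCert(pemBytes []byte) (*AppleMDMInfo, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return &AppleMDMInfo{CommonName: cert.Subject.CommonName, SerialNumber: cert.SerialNumber.String(),
		Issuer: cert.Issuer.String(), RenewDate: cert.NotAfter}, nil
}
// Status mirrors the fleetctl states; the warning window is an assumption, the issue fixes none.
func (i *AppleMDMInfo) Status(now time.Time, warn time.Duration) string {
	switch {
	case !now.Before(i.RenewDate):
		return "expired"
	case now.Add(warn).After(i.RenewDate):
		return "expiring soon"
	}
	return "valid"
}
// ConstructedCertPEM self-signs throwaway test input mimicking the CN=APSP:<uuid> subject (not an Apple cert).
func ConstructedCertPEM(notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(424242), NotBefore: notAfter.Add(-8760 * time.Hour), NotAfter: notAfter,
		Subject: pkix.Name{CommonName: "APSP:00000000-0000-0000-0000-000000000000", Country: []string{"US"}}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

`ParseAPNSCert(os.ReadFile(<path from mdm_apple_apns_cert>))` followed by `Status(time.Now(), window)` gives the three states the command prints; note that a successful parse only proves the file is a certificate, not that it is the APNs cert Apple issued for this server.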