fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Implement `fleetctl get mdm-apple` #8596

Closed zwass closed 1 year ago

zwass commented 1 year ago

Implement "Apple Push Certificates Portal - See status" from https://github.com/fleetdm/fleet/issues/7456.

  1. Implement an API that returns the information as shown in the output examples of the parent issue. This should be based on the certificate configured in the mdm_apple_apns_cert config. Only users with the admin role can read this information.

  2. Implement the fleetctl get mdm-apple command with output as described in the parent issue.

Related

Tasks

(spec'd by @mna)


zwass commented 1 year ago

@noahtalerman what authorization checks do we want for someone to get the certificate information (basically, which user types should be able to run fleetctl get mdm-apple)?

noahtalerman commented 1 year ago

> which user types should be able to run fleetctl get mdm-apple

@zwass only users with the admin role in Fleet should be able to generate certificates (fleetctl generate mdm-apple) and get certificate information (fleetctl get mdm-apple).

I updated the epic's description to call this out: #7456

FYI I added a Related section in this issue's and #8595's description. This section includes links to the related issues.

lukeheath commented 1 year ago

@mna Assigning to you for specifications.

mna commented 1 year ago

@noahtalerman @zwass regarding the Common Name information: this is a deprecated field in SSL certificates, and Go deprecated it as of Go 1.15 (https://golang.google.cn/doc/go1.15#commonname).

From https://support.dnsimple.com/articles/what-is-common-name/:

> the SAN extension was introduced to integrate the common name. Since HTTPS was first introduced in 2000 (and defined by the RFC 2818), the use of the commonName field has been considered deprecated, because it’s ambiguous and untyped. The CA/Browser Forum has since mandated that the SAN would also include any value present in the common name, effectively making the SAN the only required reference for a certificate match with the server name. The notion of the common name survives mostly as a legacy of the past.

Maybe we should label that information differently, as technically, anyway, this would be the first SAN listed? (or maybe we should list all SANs)

zwass commented 1 year ago

It seems fine to me to store the CN also in the SAN field and then use that value. Does that seem reasonable to you @mna?

mna commented 1 year ago

> It seems fine to me to store the CN also in the SAN field and then use that value.

@zwass I think so. I'm not too familiar with how much control we have over those values when we generate the cert, but I'll check with @michalnicp.

michalnicp commented 1 year ago

The cert issued by Apple contains the CN. Until Apple changes this, I think it's fine to use it even though it's "deprecated".

noahtalerman commented 1 year ago

@mna heads up, we removed the Apple ID requirement from the parent issue:

> This is a separate problem that we'll address later. Here's the issue:

This means that, for now, we won't store and present Apple ID information.

cc @michalnicp

mna commented 1 year ago

Output from the command (screenshots, one per state):

- No MDM certificate provided to fleet serve
- Valid MDM certificate
- Soon to be expired
- Already expired

@noahtalerman for confirmation (especially for the colored warning/error messages).
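As an added illustration (not Fleet's own code), the following Go program ties together the CN-versus-SAN discussion above and the four output states of the command: it parses a DER-encoded certificate, reports the subject CN alongside the SANs, and classifies it as valid, soon to expire or expired, with an empty certificate standing in for the "no MDM certificate provided to fleet serve" case. The function names, the warning window and the self-signed test certificate are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Summarize parses a DER-encoded APNs certificate and returns the subject CN (deprecated,
// but Apple still sets it), the SANs (the non-deprecated identity), and a status of
// "valid", "warning" (expires within warnWithin) or "expired". An empty der models the
// case where no MDM certificate was provided to fleet serve (mdm_apple_apns_cert unset).
func Summarize(der []byte, now time.Time, warnWithin time.Duration) (cn string, sans []string, status string, err error) {
	if len(der) == 0 {
		return "", nil, "", fmt.Errorf("no MDM certificate configured (mdm_apple_apns_cert is empty)")
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", nil, "", fmt.Errorf("parsing certificate: %w", err)
	}
	status = "valid"
	if now.After(cert.NotAfter) {
		status = "expired"
	} else if now.Add(warnWithin).After(cert.NotAfter) {
		status = "warning"
	}
	return cert.Subject.CommonName, cert.DNSNames, status, nil
}

// newTestCert builds a constructed self-signed certificate (not one issued by Apple) for demonstration.
func newTestCert(cn string, sans []string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: notAfter.Add(-365 * 24 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

func main() {
	now := time.Now()
	cn, sans, status, _ := Summarize(newTestCert("example-cn", []string{"example.fleetdm.test"}, now.Add(20*24*time.Hour)), now, 30*24*time.Hour)
	fmt.Printf("CN=%q SANs=%v status=%s\n", cn, sans, status)
}
```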

noahtalerman commented 1 year ago

@mna looks good!

FYI I'm tracking updating the "TODO link to documentation" in this issue: #8799

lukeheath commented 1 year ago

@mna As part of building the UI for managing Apple MDM information in #8855 we are going to need two endpoints:

1) One endpoint to retrieve data for the "Apple Push Certificates Portal" and "Apple Business Manager" sections:


2) One endpoint to change the default team for Apple MDM hosts.

My question: Do these endpoints exist (or will they exist) as part of the fleetctl work currently happening? If so, would you please point me to where they are documented (or will be documented)? Thanks!

mna commented 1 year ago

@lukeheath They do/will exist. Note that to get the APNs and Apple BM sections, it is two separate endpoints:

And to change the default team, it's a new setting mdm.apple_bm_default_team in the AppConfig, so it is modified via the same old PATCH /config endpoint: https://github.com/fleetdm/fleet/issues/8733 (and the value will be retrieved using GET /config).

All 3 are works in progress, none of those are merged yet (only GET /mdm/apple is actually ready in a PR as of this writing), so the only proper endpoint documentation is in this PR here: https://github.com/fleetdm/fleet/pull/8786/files#diff-831a63ebb3cab9b4e6b82d803d9ffcdc3722b12d486dcd7b13e9576643bb50b0R528