Bootstrap Token (micromdm#781)

* Partial implementation of Bootstrap Token Fetching the token from the db and sending it back to the client when the client asks for it ie sends the GetBootstrapTokenRequest is not implemented Also earlier code for Bootstrap Token from commit 58c3782 "mdm: add SetBootstrapToken command." is removed * implements rest of the bootstrap token feature - micromdm now sends bootstrap token back to the client, when client requests it * regenerate some proto files * use original proto generator versions checkin.pb.go: golang/[email protected] mdm.pb.go: gogo/[email protected] device.pb.go: golang/[email protected] * cleanup syntax * use more idiomatic naming * clean up BootstrapToken storage * add GetBootstrapToken test * remove extra newline Co-authored-by: Jesse Peterson <[email protected]> * add doc comments Co-authored-by: Ilkka Vanhatalo <[email protected]> Co-authored-by: Jesse Peterson <[email protected]>
Grimal · Oct 5, 2021 · fcf1d18 · fcf1d18
1 parent 6dc4fac
commit fcf1d18
Show file tree

Hide file tree

Showing 25 changed files with 751 additions and 413 deletions.
diff --git a/mdm/checkin.go b/mdm/checkin.go
@@ -7,9 +7,15 @@ import (
 
 	"github.com/go-kit/kit/endpoint"
 	"github.com/google/uuid"
+	"github.com/groob/plist"
 	"github.com/pkg/errors"
 )
 
+// BootstrapToken holds MDM Bootstrap Token data
+type BootstrapToken struct {
+	BootstrapToken []byte
+}
+
 func (svc *MDMService) Checkin(ctx context.Context, event CheckinEvent) ([]byte, error) {
 	// reject user settings at the loginwindow.
 	// https://github.com/micromdm/micromdm/pull/379
@@ -33,8 +39,26 @@ func (svc *MDMService) Checkin(ctx context.Context, event CheckinEvent) ([]byte,
 		}
 	}
 
+	var resp []byte
+
+	if topic == GetBootstrapTokenTopic {
+		udid := event.Command.UDID
+
+		btBytes, err := svc.dev.GetBootstrapToken(ctx, udid)
+		if err != nil {
+			return nil, errors.Wrap(err, "fetching bootstrap token")
+		}
+
+		bt := &BootstrapToken{BootstrapToken: btBytes}
+
+		resp, err = plist.Marshal(bt)
+		if err != nil {
+			return nil, errors.Wrap(err, "marshal bootstrap token")
+		}
+	}
+
 	err = svc.pub.Publish(ctx, topic, msg)
-	return nil, errors.Wrapf(err, "publish checkin on topic: %s", topic)
+	return resp, errors.Wrapf(err, "publish checkin on topic: %s", topic)
 }
 
 func topicFromMessage(messageType string) (string, error) {
@@ -45,6 +69,10 @@ func topicFromMessage(messageType string) (string, error) {
 		return TokenUpdateTopic, nil
 	case "CheckOut":
 		return CheckoutTopic, nil
+	case "GetBootstrapToken":
+		return GetBootstrapTokenTopic, nil
+	case "SetBootstrapToken":
+		return SetBootstrapTokenTopic, nil
 	default:
 		return "", errors.Errorf("unknown checkin message type %s", messageType)
 	}

diff --git a/mdm/checkin_event.go b/mdm/checkin_event.go
@@ -19,14 +19,17 @@ type CheckinEvent struct {
 
 // CheckinRequest represents an MDM checkin command struct.
 type CheckinCommand struct {
-	// MessageType can be either Authenticate,
-	// TokenUpdate or CheckOut
+	// MessageType can be either
+	// Authenticate, CheckOut, TokenUpdate,
+	// GetBootstrapToken, or SetBootstrapToken
 	MessageType  string
 	Topic        string
 	UDID         string
 	EnrollmentID string
 	auth
 	update
+	getBootstrap
+	setBootstrap
 }
 
 // Authenticate Message Type
@@ -60,6 +63,17 @@ type userTokenUpdate struct {
 	NotOnConsole  bool   `plist:",omitempty"`
 }
 
+// GetBootstrapToken Message Type
+type getBootstrap struct {
+	GetAwaitingConfiguration bool
+}
+
+// SetBootstrapToken Message Type
+type setBootstrap struct {
+	SetAwaitingConfiguration bool
+	BootstrapToken           []byte
+}
+
 // data decodes to []byte,
 // we can then attach a string method to the type
 // Tokens are encoded as Hex Strings
@@ -102,6 +116,15 @@ func MarshalCheckinEvent(e *CheckinEvent) ([]byte, error) {
 			UserShortName:         e.Command.UserShortName,
 			NotOnConsole:          e.Command.NotOnConsole,
 		}
+	case "GetBootstrapToken":
+		command.GetBootstrapToken = &checkinproto.GetBootstrapToken{
+			GetAwaitingConfiguration: e.Command.GetAwaitingConfiguration,
+		}
+	case "SetBootstrapToken":
+		command.SetBootstrapToken = &checkinproto.SetBootstrapToken{
+			BootstrapToken:           e.Command.BootstrapToken,
+			SetAwaitingConfiguration: e.Command.SetAwaitingConfiguration,
+		}
 	}
 	return proto.Marshal(&checkinproto.Event{
 		Id:      e.ID,
@@ -151,6 +174,11 @@ func UnmarshalCheckinEvent(data []byte, e *CheckinEvent) error {
 		e.Command.UserLongName = pb.Command.TokenUpdate.UserLongName
 		e.Command.UserShortName = pb.Command.TokenUpdate.UserShortName
 		e.Command.NotOnConsole = pb.Command.TokenUpdate.NotOnConsole
+	case "GetBootstrapToken":
+		e.Command.GetAwaitingConfiguration = pb.Command.GetBootstrapToken.GetAwaitingConfiguration
+	case "SetBootstrapToken":
+		e.Command.BootstrapToken = pb.Command.SetBootstrapToken.BootstrapToken
+		e.Command.SetAwaitingConfiguration = pb.Command.SetBootstrapToken.SetAwaitingConfiguration
 	}
 	e.Raw = pb.GetRaw()
 	e.Params = pb.GetParams()

diff --git a/mdm/enroll/service.go b/mdm/enroll/service.go
@@ -165,6 +165,7 @@ func (svc *service) Enroll(ctx context.Context) (profile.Mobileconfig, error) {
 }
 
 const perUserConnections = "com.apple.mdm.per-user-connections"
+const bootstrapToken = "com.apple.mdm.bootstraptoken"
 
 func (svc *service) MakeEnrollmentProfile() (Profile, error) {
 	profile := NewProfile()
@@ -192,7 +193,7 @@ func (svc *service) MakeEnrollmentProfile() (Profile, error) {
 		ServerURL:           svc.URL + "/mdm/connect",
 		Topic:               topic,
 		SignMessage:         true,
-		ServerCapabilities:  []string{perUserConnections},
+		ServerCapabilities:  []string{perUserConnections, bootstrapToken},
 	}
 
 	payloadContent := []interface{}{}

diff --git a/mdm/internal/checkinproto/checkin.pb.go b/mdm/internal/checkinproto/checkin.pb.go