optionize logging in mdm-signature header handling (#87)
jessepeterson authored Nov 29, 2023
1 parent e9fcd9b commit 0e611e9
Showing 2 changed files with 47 additions and 3 deletions.
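--- a/cmd/nanomdm/main.go
+++ b/cmd/nanomdm/main.go
@@ -144,7 +144,11 @@ func main() {
 if *flCertHeader != "" {
 h = httpmdm.CertExtractPEMHeaderMiddleware(h, *flCertHeader, logger.With("handler", "cert-extract"))
 } else {
-h = httpmdm.CertExtractMdmSignatureMiddleware(h, logger.With("handler", "cert-extract"))
+opts := []httpmdm.SigLogOption{httpmdm.SigLogWithLogger(logger.With("handler", "cert-extract"))}
+if *flDebug {
+opts = append(opts, httpmdm.SigLogWithLogErrors(true))
+}
+h = httpmdm.CertExtractMdmSignatureMiddleware(h, opts...)
 }
 return h
 }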
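Review bot: Passing `SigLogWithLogErrors(true)` under `*flDebug` means the debug flag now also decides whether the raw, client-supplied Mdm-Signature header is written to the log on body-read or verification failures, and nothing at the call site says so. A short comment above the `if *flDebug {` line, such as `// debug also logs the raw Mdm-Signature header when extraction fails`, would make that visible to operators reading the code. The flag's usage string is outside this hunk and may deserve the same mention. The enclosing function starts before the hunk.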
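--- a/http/mdm/mdm_cert.go
+++ b/http/mdm/mdm_cert.go
@@ -68,22 +68,60 @@ func CertExtractTLSMiddleware(next http.Handler, logger log.Logger) http.Handler
 }
 }
 
+// sigLogConfig is a configuration struct for CertExtractMdmSignatureMiddleware.
+type sigLogConfig struct {
+logger log.Logger
+always bool
+errors bool
+}
+
+// SigLogOption sets configurations.
+type SigLogOption func(*sigLogConfig)
+
+// SigLogWithLogger sets the logger to use when logging with the MDM signature header.
+func SigLogWithLogger(logger log.Logger) SigLogOption {
+return func(c *sigLogConfig) {
+c.logger = logger
+}
+}
+
+// SigLogWithLogAlways always logs the raw Mdm-Signature header.
+func SigLogWithLogAlways(always bool) SigLogOption {
+return func(c *sigLogConfig) {
+c.always = always
+}
+}
+
+// SigLogWithLogErrors logs the raw Mdm-Signature header when errors occur.
+func SigLogWithLogErrors(errors bool) SigLogOption {
+return func(c *sigLogConfig) {
+c.errors = errors
+}
+}
+
 // CertExtractMdmSignatureMiddleware extracts the MDM enrollment
 // identity certificate from the request into the HTTP request context.
 // It tries to verify the Mdm-Signature header on the request.
 //
 // This middleware does not error if a certificate is not found. It
 // will, however, error with an HTTP 400 status if the signature
 // verification fails.
-func CertExtractMdmSignatureMiddleware(next http.Handler, logger log.Logger) http.HandlerFunc {
+func CertExtractMdmSignatureMiddleware(next http.Handler, opts ...SigLogOption) http.HandlerFunc {
+config := &sigLogConfig{logger: log.NopLogger}
+for _, opt := range opts {
+opt(config)
+}
 return func(w http.ResponseWriter, r *http.Request) {
-logger := ctxlog.Logger(r.Context(), logger)
+logger := ctxlog.Logger(r.Context(), config.logger)
 mdmSig := r.Header.Get("Mdm-Signature")
 if mdmSig == "" {
 logger.Debug("msg", "empty Mdm-Signature header")
 next.ServeHTTP(w, r)
 return
 }
+if config.errors || config.always {
+logger = logger.With("mdm-signature", mdmSig)
+}
 b, err := mdmhttp.ReadAllAndReplaceBody(r)
 if err != nil {
 logger.Info("msg", "reading body", "err", err)
@@ -95,6 +133,8 @@ func CertExtractMdmSignatureMiddleware(next http.Handler, logger log.Logger) htt
 logger.Info("msg", "verifying Mdm-Signature header", "err", err)
 http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
 return
+} else if config.always {
+logger.Debug("msg", "verifying Mdm-Signature header")
 }
 ctx := context.WithValue(r.Context(), contextKeyCert{}, cert)
 next.ServeHTTP(w, r.WithContext(ctx))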
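Review bot: The added `logger = logger.With("mdm-signature", mdmSig)` attaches the raw header to every later log line in the handler, and at that point the value is unauthenticated client input limited only by the server's header size limit. With `SigLogWithLogErrors(true)` any client sending an invalid signature can push large, attacker-chosen entries into the log, so consider logging a capped value together with its length, and have the `SigLogWithLogErrors` and `SigLogWithLogAlways` doc comments say the value is untrusted. The doc comment on `CertExtractMdmSignatureMiddleware` should also state that with no options the logger is `log.NopLogger`, so verification failures go unlogged unless `SigLogWithLogger` is passed. Part of the handler body lies between the two hunks and is not visible here.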
