From 0e611e9c7db0f18f778fb42a9d97cccddacb3b93 Mon Sep 17 00:00:00 2001
From: Jesse Peterson
Date: Wed, 29 Nov 2023 11:30:11 -0800
Subject: [PATCH] optionize logging in mdm-signature header handling (#87)

---
 cmd/nanomdm/main.go | 6 +++++-
 http/mdm/mdm_cert.go | 44 ++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/cmd/nanomdm/main.go b/cmd/nanomdm/main.go
index 515bcba..01fecdc 100644
--- a/cmd/nanomdm/main.go
+++ b/cmd/nanomdm/main.go
@@ -144,7 +144,11 @@ func main() {
 if *flCertHeader != "" {
 h = httpmdm.CertExtractPEMHeaderMiddleware(h, *flCertHeader, logger.With("handler", "cert-extract"))
 } else {
- h = httpmdm.CertExtractMdmSignatureMiddleware(h, logger.With("handler", "cert-extract"))
+ opts := []httpmdm.SigLogOption{httpmdm.SigLogWithLogger(logger.With("handler", "cert-extract"))}
+ if *flDebug {
+ opts = append(opts, httpmdm.SigLogWithLogErrors(true))
+ }
+ h = httpmdm.CertExtractMdmSignatureMiddleware(h, opts...)
 }
 return h
 }
diff --git a/http/mdm/mdm_cert.go b/http/mdm/mdm_cert.go
index 10bf6f8..44b24ed 100644
--- a/http/mdm/mdm_cert.go
+++ b/http/mdm/mdm_cert.go
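Review bot: The two added lines that append `SigLogWithLogErrors(true)` only under `*flDebug` can collapse to one, since the option already takes a bool: `opts := []httpmdm.SigLogOption{httpmdm.SigLogWithLogger(logger.With("handler", "cert-extract")), httpmdm.SigLogWithLogErrors(*flDebug)}`. More importantly, this ties verbatim logging of the Mdm-Signature header to the global debug flag rather than a dedicated switch; the header is presumably a sizeable base64 CMS blob carrying the device's identity certificate, so anyone who turns on debug for unrelated reasons will get it on every error line this middleware emits. A short comment beside the option, e.g. `// debug also dumps the raw Mdm-Signature header on body-read/verification errors`, would make that trade-off visible to operators. The enclosing function's start lies outside the hunk.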
@@ -68,6 +68,37 @@ func CertExtractTLSMiddleware(next http.Handler, logger log.Logger) http.Handler
 }
 }
 
+// sigLogConfig is a configuration struct for CertExtractMdmSignatureMiddleware.
+type sigLogConfig struct {
+ logger log.Logger
+ always bool
+ errors bool
+}
+
+// SigLogOption sets configurations.
+type SigLogOption func(*sigLogConfig)
+
+// SigLogWithLogger sets the logger to use when logging with the MDM signature header.
+func SigLogWithLogger(logger log.Logger) SigLogOption {
+ return func(c *sigLogConfig) {
+ c.logger = logger
+ }
+}
+
+// SigLogWithLogAlways always logs the raw Mdm-Signature header.
+func SigLogWithLogAlways(always bool) SigLogOption {
+ return func(c *sigLogConfig) {
+ c.always = always
+ }
+}
+
+// SigLogWithLogErrors logs the raw Mdm-Signature header when errors occur.
+func SigLogWithLogErrors(errors bool) SigLogOption {
+ return func(c *sigLogConfig) {
+ c.errors = errors
+ }
+}
+
 // CertExtractMdmSignatureMiddleware extracts the MDM enrollment
 // identity certificate from the request into the HTTP request context.
 // It tries to verify the Mdm-Signature header on the request.
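Review bot: `SigLogWithLogErrors(errors bool)` names its parameter `errors`, which shadows the standard `errors` package inside that function if this file imports it (not visible here) and is flagged by the usual import-shadow linters; `func SigLogWithLogErrors(logErrors bool) SigLogOption { return func(c *sigLogConfig) { c.errors = logErrors } }` avoids it. The doc comments are also thinner than the behaviour: `// SigLogOption sets configurations.` says nothing about what is configured, and `SigLogWithLogAlways` additionally emits a debug line after successful verification (visible in the later hunk), not only the raw header. I would write `// SigLogOption configures how CertExtractMdmSignatureMiddleware logs the Mdm-Signature header.` and extend the `SigLogWithLogAlways` comment with a clause that a debug line is logged on success too. Since the header is logged verbatim, a sentence warning that it may be large and presumably carries the device's identity certificate would help callers decide when to enable either option.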
@@ -75,15 +106,22 @@ func CertExtractTLSMiddleware(next http.Handler, logger log.Logger) http.Handler
 // This middleware does not error if a certificate is not found. It
 // will, however, error with an HTTP 400 status if the signature
 // verification fails.
-func CertExtractMdmSignatureMiddleware(next http.Handler, logger log.Logger) http.HandlerFunc {
+func CertExtractMdmSignatureMiddleware(next http.Handler, opts ...SigLogOption) http.HandlerFunc {
+ config := &sigLogConfig{logger: log.NopLogger}
+ for _, opt := range opts {
+ opt(config)
+ }
 return func(w http.ResponseWriter, r *http.Request) {
- logger := ctxlog.Logger(r.Context(), logger)
+ logger := ctxlog.Logger(r.Context(), config.logger)
 mdmSig := r.Header.Get("Mdm-Signature")
 if mdmSig == "" {
 logger.Debug("msg", "empty Mdm-Signature header")
 next.ServeHTTP(w, r)
 return
 }
+ if config.errors || config.always {
+ logger = logger.With("mdm-signature", mdmSig)
+ }
 b, err := mdmhttp.ReadAllAndReplaceBody(r)
 if err != nil {
 logger.Info("msg", "reading body", "err", err)
@@ -95,6 +133,8 @@ func CertExtractMdmSignatureMiddleware(next http.Handler, logger log.Logger) htt
 logger.Info("msg", "verifying Mdm-Signature header", "err", err)
 http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
 return
+ } else if config.always {
+ logger.Debug("msg", "verifying Mdm-Signature header")
 }
 ctx := context.WithValue(r.Context(), contextKeyCert{}, cert)
 next.ServeHTTP(w, r.WithContext(ctx))
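Review bot: The new `if config.errors || config.always` block attaches the raw header to `logger` for every later log call in the handler, so the `errors`-only mode only behaves as documented because all remaining log lines in this function sit on error paths; a future happy-path `logger.Debug` would start emitting the header without `always` set. A comment on the attach records that assumption: `// raw header rides on every subsequent log line; only error paths log below unless config.always is set`. The exported function's doc comment (the context lines at the top of the hunk) was not updated for the new variadic parameter; add `// Logging of the raw Mdm-Signature header is controlled by opts (see SigLogWithLogger, SigLogWithLogAlways, SigLogWithLogErrors) and defaults to a no-op logger.` The function body continues past the hunk.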
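Review bot: The added `} else if config.always {` hangs off a branch that ends in `return`, so the `else` is unnecessary and places the success-path log inside the error construct; the Go convention is to close the `if` and write `if config.always { logger.Debug("msg", "verified Mdm-Signature header") }` on its own. Reusing the exact failure message `"verifying Mdm-Signature header"` for the success line also makes the two indistinguishable in log search except by level and the presence of `err`; the past-tense wording above separates them. The function's closing braces lie outside the hunk.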