add support for client_certificate_v2 posture rule
jlu-cloudflare committed Jul 17, 2024
1 parent 7a9a8ef commit bbc7d15
Showing 3 changed files with 112 additions and 35 deletions.
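--- a/.changelog/1685.txt
+++ b/.changelog/1685.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+device_posture_rule: support extended_key_usage, check_private_key, and locations for client_certificate_v2 posture rule
+```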
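--- a/device_posture_rule.go
+++ b/device_posture_rule.go
@@ -165,41 +165,50 @@ type DevicePostureRuleMatch struct {
 
 // DevicePostureRuleInput represents the value to be checked against.
 type DevicePostureRuleInput struct {
-ID string `json:"id,omitempty"`
-Path string `json:"path,omitempty"`
-Exists bool `json:"exists,omitempty"`
-Thumbprint string `json:"thumbprint,omitempty"`
-Sha256 string `json:"sha256,omitempty"`
-Running bool `json:"running,omitempty"`
-RequireAll bool `json:"requireAll,omitempty"`
-CheckDisks []string `json:"checkDisks,omitempty"`
-Enabled bool `json:"enabled,omitempty"`
-Version string `json:"version,omitempty"`
-VersionOperator string `json:"versionOperator,omitempty"`
-Overall string `json:"overall,omitempty"`
-SensorConfig string `json:"sensor_config,omitempty"`
-Os string `json:"os,omitempty"`
-OsDistroName string `json:"os_distro_name,omitempty"`
-OsDistroRevision string `json:"os_distro_revision,omitempty"`
-OSVersionExtra string `json:"os_version_extra,omitempty"`
-Operator string `json:"operator,omitempty"`
-Domain string `json:"domain,omitempty"`
-ComplianceStatus string `json:"compliance_status,omitempty"`
-ConnectionID string `json:"connection_id,omitempty"`
-IssueCount string `json:"issue_count,omitempty"`
-CountOperator string `json:"countOperator,omitempty"`
-TotalScore int `json:"total_score,omitempty"`
-ScoreOperator string `json:"scoreOperator,omitempty"`
-CertificateID string `json:"certificate_id,omitempty"`
-CommonName string `json:"cn,omitempty"`
-ActiveThreats int `json:"active_threats,omitempty"`
-NetworkStatus string `json:"network_status,omitempty"`
-Infected bool `json:"infected,omitempty"`
-IsActive bool `json:"is_active,omitempty"`
-EidLastSeen string `json:"eid_last_seen,omitempty"`
-RiskLevel string `json:"risk_level,omitempty"`
-State string `json:"state,omitempty"`
-LastSeen string `json:"last_seen,omitempty"`
+ID string `json:"id,omitempty"`
+Path string `json:"path,omitempty"`
+Exists bool `json:"exists,omitempty"`
+Thumbprint string `json:"thumbprint,omitempty"`
+Sha256 string `json:"sha256,omitempty"`
+Running bool `json:"running,omitempty"`
+RequireAll bool `json:"requireAll,omitempty"`
+CheckDisks []string `json:"checkDisks,omitempty"`
+Enabled bool `json:"enabled,omitempty"`
+Version string `json:"version,omitempty"`
+VersionOperator string `json:"versionOperator,omitempty"`
+Overall string `json:"overall,omitempty"`
+SensorConfig string `json:"sensor_config,omitempty"`
+Os string `json:"os,omitempty"`
+OsDistroName string `json:"os_distro_name,omitempty"`
+OsDistroRevision string `json:"os_distro_revision,omitempty"`
+OSVersionExtra string `json:"os_version_extra,omitempty"`
+Operator string `json:"operator,omitempty"`
+Domain string `json:"domain,omitempty"`
+ComplianceStatus string `json:"compliance_status,omitempty"`
+ConnectionID string `json:"connection_id,omitempty"`
+IssueCount string `json:"issue_count,omitempty"`
+CountOperator string `json:"countOperator,omitempty"`
+TotalScore int `json:"total_score,omitempty"`
+ScoreOperator string `json:"scoreOperator,omitempty"`
+CertificateID string `json:"certificate_id,omitempty"`
+CommonName string `json:"cn,omitempty"`
+ActiveThreats int `json:"active_threats,omitempty"`
+NetworkStatus string `json:"network_status,omitempty"`
+Infected bool `json:"infected,omitempty"`
+IsActive bool `json:"is_active,omitempty"`
+EidLastSeen string `json:"eid_last_seen,omitempty"`
+RiskLevel string `json:"risk_level,omitempty"`
+State string `json:"state,omitempty"`
+LastSeen string `json:"last_seen,omitempty"`
+ExtendedKeyUsage []string `json:"extended_key_usage,omitempty"`
+CheckPrivateKey *bool `json:"check_private_key,omitempty"`
+Locations CertificateLocations `json:"locations,omitempty"`
 }
+
+// Locations struct for client certificate rule v2
+type CertificateLocations struct {
+Paths []string `json:"paths,omitempty"`
+TrustStores []string `json:"trust_stores,omitempty"`
+}
 
 // DevicePostureRuleListResponse represents the response from the list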
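Review bot: `omitempty` on the new struct-valued `Locations CertificateLocations` field at the end of DevicePostureRuleInput has no effect in encoding/json, so every marshalled posture rule of any type will now carry `"locations":{}` even when the rule is not a client_certificate_v2 rule; whether the API tolerates an unexpected `locations` object on other rule types is not visible here. Declaring it as `Locations *CertificateLocations` with the same json tag omits it when unset and matches the choice already made for `CheckPrivateKey *bool`, which is presumably a pointer so that an absent check is distinguishable from an explicit `false` (worth stating in a field comment, e.g. `// CheckPrivateKey is nil when unset; the API default then applies.`). The doc comment on the new exported type should also begin with its name per Go convention, e.g. `// CertificateLocations restricts where a client_certificate_v2 rule looks for the certificate: file paths and/or named trust stores.`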
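--- a/device_posture_rule_test.go
+++ b/device_posture_rule_test.go
@@ -645,6 +645,71 @@ func TestDevicePostureClientCertificateRule(t *testing.T) {
 }
 }
 
+func TestDevicePostureClientCertificateRuleV2(t *testing.T) {
+setup()
+defer teardown()
+
+handler := func(w http.ResponseWriter, r *http.Request) {
+assert.Equal(t, http.MethodGet, r.Method, "Expected method 'GET', got %s", r.Method)
+w.Header().Set("content-type", "application/json")
+fmt.Fprintf(w, `{
+"success": true,
+"errors": [],
+"messages": [],
+"result": {
+"id": "480f4f69-1a28-4fdd-9240-1ed29f0ac1db",
+"schedule": "1h",
+"expiration": "1h",
+"type": "client_certificate_v2",
+"name": "My rule name",
+"description": "My description",
+"match": [
+{
+"platform": "windows"
+}
+],
+"input": {
+"certificate_id": "d2c04b78-3ba2-4294-8efa-4e85aef0777f",
+"cn": "example.com",
+"extended_key_usage": ["clientAuth", "emailProtection"],
+"locations": {"trust_stores": ["system"]},
+"check_private_key": true
+}
+}
+}
+`)
+}
+
+checkPrivateKey := true
+
+want := DevicePostureRule{
+ID: "480f4f69-1a28-4fdd-9240-1ed29f0ac1db",
+Name: "My rule name",
+Description: "My description",
+Type: "client_certificate_v2",
+Schedule: "1h",
+Expiration: "1h",
+Match: []DevicePostureRuleMatch{{Platform: "windows"}},
+Input: DevicePostureRuleInput{
+CertificateID: "d2c04b78-3ba2-4294-8efa-4e85aef0777f",
+CommonName: "example.com",
+CheckPrivateKey: &checkPrivateKey,
+ExtendedKeyUsage: []string{"clientAuth", "emailProtection"},
+Locations: CertificateLocations{
+TrustStores: []string{"system"},
+},
+},
+}
+
+mux.HandleFunc("/accounts/"+testAccountID+"/devices/posture/480f4f69-1a28-4fdd-9240-1ed29f0ac1db", handler)
+
+actual, err := client.DevicePostureRule(context.Background(), testAccountID, "480f4f69-1a28-4fdd-9240-1ed29f0ac1db")
+
+if assert.NoError(t, err) {
+assert.Equal(t, want, actual)
+}
+}
+
 func TestCreateDevicePostureRule(t *testing.T) {
 setup()
 defer teardown()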
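Review bot: TestDevicePostureClientCertificateRuleV2 only decodes a fully-populated fixture, so the reason `check_private_key` is modelled as a `*bool` — telling an explicit `false` apart from the field being absent — is never pinned; a second fixture with `"check_private_key": false` expecting `CheckPrivateKey: &falseVal`, and one with the key omitted expecting `CheckPrivateKey: nil`, would guard that distinction. There is also no marshal-side assertion: encoding a rule of another type with `json.Marshal` and checking that the body does not contain `"locations"` would show that the struct-valued `Locations` field is emitted as `{}` despite `omitempty`. The test function is complete within the hunk.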
