def _enroll_machine(self):
try:
enrollment = (Enrollment.objects.select_related(
"configuration",
"secret").get(secret__secret=self.enrollment_secret_secret))
except Enrollment.DoesNotExist:
raise PermissionDenied("Unknown enrollment secret")
if enrollment.configuration.client_certificate_auth and not self.client_cert_dn:
raise PermissionDenied("Missing client certificate")
try:
verify_enrollment_secret(
"santa_enrollment",
self.enrollment_secret_secret,
self.user_agent,
self.ip,
serial_number=self.request_data["serial_num"],
udid=self.hardware_uuid,
)
except EnrollmentSecretVerificationFailed:
raise PermissionDenied("Wrong enrollment secret")
# get or create enrolled machine
enrolled_machine, _ = EnrolledMachine.objects.update_or_create(
enrollment=enrollment,
hardware_uuid=self.hardware_uuid,
defaults=self._get_enrolled_machine_defaults(),
)
# apply enrollment secret tags
for tag in enrollment.secret.tags.all():
MachineTag.objects.get_or_create(
serial_number=enrolled_machine.serial_number, tag=tag)
# delete other enrolled machines
other_enrolled_machines = (EnrolledMachine.objects.exclude(
pk=enrolled_machine.pk).filter(hardware_uuid=self.hardware_uuid))
if other_enrolled_machines.count():
self.enrollment_action = 're-enrollment'
other_enrolled_machines.delete()
else:
self.enrollment_action = 'enrollment'
# post event
post_enrollment_event(
enrolled_machine.serial_number, self.user_agent, self.ip, {
'configuration':
enrollment.configuration.serialize_for_event(),
'action': self.enrollment_action
})
return enrolled_machine
def post(self, request, *args, **kwargs):
user_agent, ip = user_agent_and_ip_address_from_request(request)
try:
request_json = json.loads(request.body.decode("utf-8"))
secret = request_json["secret"]
serial_number = request_json["serial_number"]
uuid = request_json["uuid"]
es_request = verify_enrollment_secret("munki_enrollment", secret,
user_agent, ip,
serial_number, uuid)
except (KeyError, ValueError, EnrollmentSecretVerificationFailed):
raise SuspiciousOperation
else:
# get or create enrolled machine
enrolled_machine, enrolled_machine_created = EnrolledMachine.objects.get_or_create(
enrollment=es_request.enrollment_secret.munki_enrollment,
serial_number=serial_number,
defaults={"token": get_random_string(64)})
# apply enrollment secret tags
for tag in es_request.enrollment_secret.tags.all():
MachineTag.objects.get_or_create(serial_number=serial_number,
tag=tag)
# post event
post_munki_enrollment_event(
serial_number, user_agent, ip, {
'action':
"enrollment"
if enrolled_machine_created else "re-enrollment"
})
return JsonResponse({"token": enrolled_machine.token})
def post(self, request, *args, **kwargs):
self.user_agent, self.ip = user_agent_and_ip_address_from_request(request)
try:
request_json = json.loads(request.body.decode("utf-8"))
secret = request_json["secret"]
serial_number = request_json["serial_number"]
es_request = verify_enrollment_secret(
"filebeat_enrollment", secret,
self.user_agent, self.ip,
serial_number
)
except (ValueError, KeyError, EnrollmentSecretVerificationFailed):
raise SuspiciousOperation
else:
enrollment_session = EnrollmentSession.objects.create_from_enrollment(
enrollment=es_request.enrollment_secret.filebeat_enrollment,
serial_number=serial_number
)
# response
response = {
"scep": {
"cn": enrollment_session.get_common_name(),
"org": enrollment_session.get_organization(),
"challenge": enrollment_session.get_challenge(),
"url": "{}/scep".format(settings["api"]["tls_hostname"]), # TODO: hardcoded scep url
},
"secret": enrollment_session.enrollment_secret.secret,
}
# post event
post_enrollment_event(serial_number, self.user_agent, self.ip, enrollment_session.serialize_for_event())
return JsonResponse(response)
def verify_dep_profile_enrollment_secret(self):
try:
es_request = verify_enrollment_secret(
"dep_profile", self.kwargs["dep_profile_secret"],
self.user_agent, self.ip, self.serial_number, self.udid)
except EnrollmentSecretVerificationFailed as e:
self.abort("secret verification failed: '{}'".format(e.err_msg))
else:
return es_request, es_request.enrollment_secret.dep_profile
def verify_enrollment_secret(self):
try:
es_request = verify_enrollment_secret("user_enrollment",
self.kwargs["secret"],
self.user_agent, self.ip)
except EnrollmentSecretVerificationFailed as e:
self.abort("secret verification failed: '{}'".format(e.err_msg))
else:
self.user_enrollment = es_request.enrollment_secret.user_enrollment
if not self.user_enrollment.realm:
self.abort("This user enrollment has no realm")
def authenticate(self):
self.serial_number = self.get_serial_number()
try:
self.es_request = verify_enrollment_secret(
"osquery_enrollment",
self.get_enroll_secret(),
self.user_agent, self.ip,
self.serial_number,
self.get_uuid()
)
except EnrollmentSecretVerificationFailed:
raise PermissionDenied("Wrong enrollment secret")
def verify_enrollment_secret(self, enroll_secret, serial_number, uuid):
try:
es_request = verify_enrollment_secret("osquery_enrollment",
enroll_secret,
self.user_agent, self.ip,
serial_number, uuid)
except EnrollmentSecretVerificationFailed:
raise APIAuthError("Unknown enrolled machine")
else:
self.enrollment = es_request.enrollment_secret.osquery_enrollment
self.machine_serial_number = serial_number
self.business_unit = self.enrollment.secret.get_api_enrollment_business_unit(
)
def post(self, request, *args, **kwargs):
# DN => serial_number + meta_business_unit
dn = request.META.get("HTTP_X_SSL_CLIENT_S_DN")
if not dn:
raise SuspiciousOperation("missing DN in request headers")
dn_d = parse_dn(dn)
cn = dn_d.get("CN")
try:
cn_prefix, enrollment_secret_secret = cn.split("$")
except (AttributeError, ValueError):
raise SuspiciousOperation("missing or bad CN in client certificate DN")
# verify prefix
if cn_prefix != "FLBT":
raise SuspiciousOperation("bad CN prefix in client certificate")
self.user_agent, self.ip = user_agent_and_ip_address_from_request(request)
try:
request_json = json.loads(request.body.decode("utf-8"))
secret = request_json["secret"]
serial_number = request_json["serial_number"]
es_request = verify_enrollment_secret(
"filebeat_enrollment_session", secret,
self.user_agent, self.ip,
serial_number,
filebeat_enrollment_session__status__in=(EnrollmentSession.STARTED, EnrollmentSession.SCEP_VERIFIED)
)
certificate = request_json["certificate"]
key = request_json["key"]
certificate_authority = request_json["certificate_authority"]
except (ValueError, KeyError, EnrollmentSecretVerificationFailed):
raise SuspiciousOperation("Could not verify enrollment session secret")
else:
# update enrollment session
enrollment_session = es_request.enrollment_secret.filebeat_enrollment_session
enrolled_machine, _ = EnrolledMachine.objects.get_or_create(serial_number=serial_number)
enrollment_session.set_completed(enrolled_machine)
# apply enrollment secret tags
for tag in es_request.enrollment_secret.tags.all():
MachineTag.objects.get_or_create(serial_number=serial_number, tag=tag)
# post event
post_enrollment_event(serial_number, self.user_agent, self.ip, enrollment_session.serialize_for_event())
# response
response = {
"filebeat.yml": build_filebeat_yml(enrollment_session.enrollment.configuration,
certificate=certificate, key=key,
certificate_authority=certificate_authority)
}
return JsonResponse(response)
def do_post(self, data):
csr_data = base64.b64decode(data["csr"].encode("ascii"))
csr_info = csr.CertificationRequest.load(
csr_data)["certification_request_info"]
csr_d = {}
# subject
for rdn_idx, rdn in enumerate(csr_info["subject"].chosen):
for type_val_idx, type_val in enumerate(rdn):
csr_d[type_val["type"].native] = type_val['value'].native
kwargs = {"user_agent": self.user_agent, "public_ip_address": self.ip}
serial_number = csr_d.pop(
"serial_number",
None) # TODO: better system to find this attr in csr_d
if serial_number:
kwargs["serial_number"] = serial_number
# meta business
organization_name = csr_d.get("organization_name")
if not organization_name or not organization_name.startswith("MBU$"):
self.abort("Unknown organization name format")
meta_business_unit_id = int(organization_name.split("$", 1)[-1])
kwargs["meta_business_unit"] = get_object_or_404(
MetaBusinessUnit, pk=meta_business_unit_id)
# type and session secret
try:
cn_prefix, kwargs["secret"] = csr_d["common_name"].rsplit("$", 1)
except (KeyError, ValueError, AttributeError):
self.abort("Unknown common name format")
model, status, update_status_method = self.get_enrollment_session_info(
cn_prefix)
kwargs["model"] = model
kwargs["{}__status".format(model)] = status
try:
es_request = verify_enrollment_secret(**kwargs)
except EnrollmentSecretVerificationFailed as e:
self.abort("secret verification failed: '{}'".format(e.err_msg))
else:
# update the enrollment session status
enrollment_session = getattr(es_request.enrollment_secret, model)
getattr(enrollment_session, update_status_method)(es_request)
self.post_event("success",
**enrollment_session.serialize_for_event())
# OK
return {"status": 0}
def enroll_machine(self, data):
try:
enrollment = (Enrollment.objects.select_related(
"configuration",
"secret").get(secret__secret=self.enrollment_secret_secret))
except Enrollment.DoesNotExist:
raise PermissionDenied("Unknown enrollment secret")
if enrollment.configuration.client_certificate_auth and self.get_client_cert(
) is None:
raise PermissionDenied("Missing client certificate")
try:
verify_enrollment_secret(
"santa_enrollment",
self.enrollment_secret_secret,
self.user_agent,
self.ip,
serial_number=self.machine_serial_number,
udid=self.hardware_uuid,
)
except EnrollmentSecretVerificationFailed:
raise PermissionDenied("Wrong enrollment secret")
# get or create enrolled machine
self.enrolled_machine, _ = EnrolledMachine.objects.get_or_create(
enrollment=enrollment,
hardware_uuid=self.hardware_uuid,
defaults={"serial_number": self.machine_serial_number})
# apply enrollment secret tags
for tag in enrollment.secret.tags.all():
MachineTag.objects.get_or_create(
serial_number=self.machine_serial_number, tag=tag)
# post event
post_enrollment_event(self.machine_serial_number, self.user_agent,
self.ip, {'action': 'enrollment'})
def post(self, request, *args, **kwargs):
self.user_agent, self.ip = user_agent_and_ip_address_from_request(
request)
try:
request_json = json.loads(request.body.decode("utf-8"))
secret = request_json["secret"]
serial_number = request_json["serial_number"]
uuid = request_json["uuid"]
es_request = verify_enrollment_secret("santa_enrollment", secret,
self.user_agent, self.ip,
serial_number, uuid)
except (ValueError, KeyError, EnrollmentSecretVerificationFailed):
raise SuspiciousOperation
else:
# get or create enrolled machine
enrolled_machine, enrolled_machine_created = EnrolledMachine.objects.get_or_create(
enrollment=es_request.enrollment_secret.santa_enrollment,
serial_number=serial_number,
defaults={"machine_id": get_random_string(64)})
# apply enrollment secret tags
for tag in es_request.enrollment_secret.tags.all():
MachineTag.objects.get_or_create(serial_number=serial_number,
tag=tag)
# response
response = {"machine_id": enrolled_machine.machine_id}
cp_name, cp_content = build_configuration_profile(enrolled_machine)
cp_content = base64.b64encode(cp_content).decode("utf-8")
response["configuration_profile"] = {
"name": cp_name,
"content": cp_content
}
cpl_name, cpl_content = build_config_plist(enrolled_machine)
response["config_plist"] = {
"name": cpl_name,
"content": cpl_content
}
# post event
post_enrollment_event(
serial_number, self.user_agent, self.ip, {
'action':
"enrollment"
if enrolled_machine_created else "re-enrollment"
})
return JsonResponse(response)
def post(self, request, *args, **kwargs):
# Verify payload signature, extract signed payload
try:
certificates, payload = verify_signed_payload(request.read())
except ValueError as error:
self.abort("posted data is not signed", signature_error=str(error))
for certificate_i_cn, certificate_bytes, signing_certificate in certificates:
if verify_apple_iphone_device_ca_issuer_openssl(certificate_bytes):
break
payload = plistlib.loads(payload)
self.serial_number = payload["SERIAL"]
self.udid = payload["UDID"]
try:
es_request = verify_enrollment_secret(
"dep_profile", self.kwargs["dep_profile_secret"],
self.user_agent, self.ip, self.serial_number, self.udid)
except EnrollmentSecretVerificationFailed as e:
self.abort("secret verification failed: '{}'".format(e.err_msg))
# Start a DEP enrollment session
dep_enrollment_session = DEPEnrollmentSession.objects.create_from_dep_profile(
es_request.enrollment_secret.dep_profile, self.serial_number,
self.udid, payload)
# Get the MDM push certificate
push_certificate = (
dep_enrollment_session.enrollment_secret.meta_business_unit.
metabusinessunitpushcertificate.push_certificate)
configuration_profile = build_mdm_configuration_profile(
dep_enrollment_session, push_certificate)
configuration_profile_filename = "zentral_mdm"
self.post_event("success",
**dep_enrollment_session.serialize_for_event())
return build_configuration_profile_response(
configuration_profile, configuration_profile_filename)
def enroll_machine(self):
try:
request = verify_enrollment_secret(
"jamf_protect_enrollment",
self.token,
self.user_agent,
self.ip,
serial_number=self.serial_number)
except EnrollmentSecretVerificationFailed:
raise PermissionDenied("Invalid enrollment secret")
else:
# get or create enrolled machine
enrollment_secret = request.enrollment_secret
self.enrolled_machine, _ = EnrolledMachine.objects.get_or_create(
enrollment=enrollment_secret.jamf_protect_enrollment,
serial_number=self.serial_number)
# apply enrollment secret tags
for tag in enrollment_secret.tags.all():
MachineTag.objects.get_or_create(
serial_number=self.serial_number, tag=tag)
post_enrollment_event(self.serial_number, self.user_agent, self.ip,
{'action': 'enrollment'})
def post(self, request, *args, **kwargs):
# Verify payload signature, extract signed payload
try:
certificates, payload = verify_signed_payload(request.read())
except ValueError:
self.abort("posted data is not signed")
# find out which CA signed the certificate used to sign the payload
# if iPhone CA: phase 2
# if SCEP CA: phase 3
for certificate_i_cn, certificate_bytes, signing_certificate in certificates:
if verify_apple_iphone_device_ca_issuer(certificate_bytes):
phase = 2
break
elif verify_zentral_scep_ca_issuer(certificate_bytes):
phase = 3
break
else:
self.abort(
f"Unknown signing certificate issuer: {certificate_i_cn}")
payload = plistlib.loads(payload)
self.serial_number = payload["SERIAL"]
self.udid = payload["UDID"]
if phase == 2:
# Verify the challenge
challenge = payload.get("CHALLENGE")
if not challenge:
self.abort("missing challenge", phase=phase)
# Pre-authenticated session ?
session_enrollment = kwargs.pop("session")
if session_enrollment:
# running off a realm user authenticated existing ota enrollment session
try:
es_request = verify_enrollment_secret(
"ota_enrollment_session", challenge, self.user_agent,
self.ip, self.serial_number, self.udid)
except EnrollmentSecretVerificationFailed as e:
self.abort("secret verification failed: '{}'".format(
e.err_msg),
phase=phase)
ota_enrollment_session = es_request.enrollment_secret.ota_enrollment_session
# for PostEventMixin
self.realm_user = ota_enrollment_session.realm_user
# update the OTA enrollment session
ota_enrollment_session.set_phase2_status(
es_request, self.serial_number, self.udid)
else:
# running off a simple ota enrollment
try:
es_request = verify_enrollment_secret(
"ota_enrollment", challenge, self.user_agent, self.ip,
self.serial_number, self.udid)
except EnrollmentSecretVerificationFailed as e:
self.abort("secret verification failed: '{}'".format(
e.err_msg),
phase=phase)
ota_enrollment = es_request.enrollment_secret.ota_enrollment
if ota_enrollment.realm:
self.abort(
"cannot use ota enrollment secret on ota enrollment with realm",
phase=phase)
# Start an OTA enrollment session directly in phase 2
ota_enrollment_session = OTAEnrollmentSession.objects.create_from_machine_info(
ota_enrollment, self.serial_number, self.udid)
configuration_profile = build_ota_scep_configuration_profile(
ota_enrollment_session)
configuration_profile_filename = "zentral_ota_scep"
elif phase == 3:
# get the serial number from the DN of the payload signing certificate
serial_number = signing_certificate.subject.get_attributes_for_oid(
NameOID.SERIAL_NUMBER)[0].value
if self.serial_number != serial_number:
self.abort(
"signing certificate DN serial number != payload serial number",
phase=phase)
# get the ota enrollment session from the DN of the payload signing certificate
cn = signing_certificate.subject.get_attributes_for_oid(
NameOID.COMMON_NAME)[0].value
_, ota_enrollment_session_secret = cn.split("$")
try:
ota_enrollment_session = (
OTAEnrollmentSession.objects.select_for_update(
).select_related("ota_enrollment",
"enrollment_secret__meta_business_unit").
get(enrollment_secret__secret=ota_enrollment_session_secret
))
except OTAEnrollmentSession.DoesNotExist:
self.abort(
"could not find ota enrollment session from payload signing certificate",
phase=phase)
# for PostEventMixin
self.realm_user = ota_enrollment_session.realm_user
# verify and update ota enrollment session status
try:
ota_enrollment_session.set_phase3_status()
except EnrollmentSessionStatusError:
self.abort("ota enrollment session has wrong status",
phase=phase)
# verify DN mbu
ota_enrollment_session_mbu = ota_enrollment_session.enrollment_secret.meta_business_unit
o = signing_certificate.subject.get_attributes_for_oid(
NameOID.ORGANIZATION_NAME)[0]
if int(o.value.split("$")[-1]) != ota_enrollment_session_mbu.pk:
self.abort("DN mbu doesn't match ota enrollment session mbu",
phase=phase)
# Get the MDM push certificate
push_certificate = ota_enrollment_session.ota_enrollment.push_certificate
configuration_profile = build_mdm_configuration_profile(
ota_enrollment_session, push_certificate)
configuration_profile_filename = "zentral_mdm"
self.post_event("success", phase=phase)
return build_configuration_profile_response(
configuration_profile, configuration_profile_filename)
def do_post(self, data):
csr_data = base64.b64decode(data["csr"].encode("ascii"))
csr_info = csr.CertificationRequest.load(
csr_data)["certification_request_info"]
csr_d = {}
# subject
for rdn_idx, rdn in enumerate(csr_info["subject"].chosen):
for type_val_idx, type_val in enumerate(rdn):
csr_d[type_val["type"].native] = type_val['value'].native
kwargs = {"user_agent": self.user_agent, "public_ip_address": self.ip}
# serial number
self.serial_number = csr_d.get("serial_number")
if not self.serial_number:
self.abort("Could not get serial number")
kwargs["serial_number"] = self.serial_number
# meta business
organization_name = csr_d.get("organization_name")
if not organization_name or not organization_name.startswith("MBU$"):
self.abort("Unknown organization name format")
meta_business_unit_id = int(organization_name.split("$", 1)[-1])
kwargs["meta_business_unit"] = get_object_or_404(
MetaBusinessUnit, pk=meta_business_unit_id)
# type and session secret
try:
cn_prefix, kwargs["secret"] = csr_d["common_name"].rsplit("$", 1)
except (KeyError, ValueError, AttributeError):
self.abort("Unknown common name format")
# CN prefix => OTA enrollment phase
if cn_prefix == "OTA" or cn_prefix == "MDM$OTA":
kwargs["model"] = "ota_enrollment_session"
if cn_prefix == "OTA":
kwargs[
"ota_enrollment_session__status"] = OTAEnrollmentSession.PHASE_2
update_status_method = "set_phase2_scep_verified_status"
else:
kwargs[
"ota_enrollment_session__status"] = OTAEnrollmentSession.PHASE_3
update_status_method = "set_phase3_scep_verified_status"
elif cn_prefix == "MDM$DEP":
kwargs["model"] = "dep_enrollment_session"
kwargs[
"dep_enrollment_session__status"] = DEPEnrollmentSession.STARTED
update_status_method = "set_scep_verified_status"
else:
self.abort("Unknown CN prefix {}".format(cn_prefix))
try:
es_request = verify_enrollment_secret(**kwargs)
except EnrollmentSecretVerificationFailed as e:
self.abort("secret verification failed: '{}'".format(e.err_msg))
else:
# update the enrollment session status
enrollment_session = getattr(es_request.enrollment_secret,
kwargs["model"])
getattr(enrollment_session, update_status_method)(es_request)
self.post_event("success",
**enrollment_session.serialize_for_event())
# OK
return {"status": 0}
def post(self, request, *args, **kwargs):
# Verify payload signature, extract signed payload
try:
certificates, payload = verify_signed_payload(request.read())
except ValueError:
self.abort("posted data is not signed")
# find out which CA signed the certificate used to sign the payload
# if iPhone CA: phase 2
# if SCEP CA: phase 3
# if unknown: phase 2 # TODO: verify. seen with self signed cert in 10.13 beta in VMWare.
for certificate_i_cn, certificate_bytes, signing_certificate in certificates:
if verify_apple_iphone_device_ca_issuer_openssl(certificate_bytes):
phase = 2
break
elif verify_zentral_scep_ca_issuer_openssl(certificate_bytes):
phase = 3
break
else:
self.post_event(
"warning",
reason="unknown signing certificate issuer '{}'".format(
certificate_i_cn))
phase = 2
payload = plistlib.loads(payload)
self.serial_number = payload["SERIAL"]
self.udid = payload["UDID"]
if phase == 2:
# Verify the challenge
challenge = payload.get("CHALLENGE")
if not challenge:
self.abort("missing challenge", phase=phase)
try:
es_request = verify_enrollment_secret("ota_enrollment",
challenge,
self.user_agent, self.ip,
self.serial_number,
self.udid)
except EnrollmentSecretVerificationFailed as e:
self.abort("secret verification failed: '{}'".format(
e.err_msg),
phase=phase)
# Start an OTA enrollment session
ota_enrollment_session = OTAEnrollmentSession.objects.create_from_ota_enrollment(
es_request.enrollment_secret.ota_enrollment,
self.serial_number, self.udid, payload)
payload = build_ota_scep_payload(ota_enrollment_session)
filename = "zentral_ota_scep"
elif phase == 3:
# get the serial number from the DN of the payload signing certificate
serial_number = signing_certificate.subject.get_attributes_for_oid(
NameOID.SERIAL_NUMBER)[0].value
if self.serial_number != serial_number:
self.abort(
"signing certificate DN serial number != payload serial number",
phase=phase)
# get the ota enrollment session from the DN of the payload signing certificate
cn = signing_certificate.subject.get_attributes_for_oid(
NameOID.COMMON_NAME)[0].value
_, ota_enrollment_session_secret = cn.split("$")
try:
ota_enrollment_session = (
OTAEnrollmentSession.objects.select_for_update(
).select_related("ota_enrollment",
"enrollment_secret__meta_business_unit").
get(enrollment_secret__secret=ota_enrollment_session_secret
))
except OTAEnrollmentSession.DoesNotExist:
self.abort(
"could not find ota enrollment session from payload signing certificate",
phase=phase)
# verify and update ota enrollment session status
try:
ota_enrollment_session.set_phase3_status()
except EnrollmentSessionStatusError:
self.abort("ota enrollment session has wrong status",
phase=phase)
# verify DN mbu
ota_enrollment_session_mbu = ota_enrollment_session.enrollment_secret.meta_business_unit
o = signing_certificate.subject.get_attributes_for_oid(
NameOID.ORGANIZATION_NAME)[0]
if int(o.value.split("$")[-1]) != ota_enrollment_session_mbu.pk:
self.abort("DN mbu doesn't match ota enrollment session mbu",
phase=phase)
# Get the MDM push certificate
push_certificate = ota_enrollment_session_mbu.metabusinessunitpushcertificate.push_certificate
payload = build_mdm_payload(ota_enrollment_session,
push_certificate)
filename = "zentral_mdm"
self.post_event("success", phase=phase)
return build_payload_response(sign_payload_openssl(payload), filename)
return HttpResponse()
def do_post(self, data):
csr_data = base64.b64decode(data["csr"].encode("ascii"))
csr_info = csr.CertificationRequest.load(
csr_data)["certification_request_info"]
csr_d = {}
# subject
for rdn_idx, rdn in enumerate(csr_info["subject"].chosen):
for type_val_idx, type_val in enumerate(rdn):
csr_d[type_val["type"].native] = type_val['value'].native
kwargs = {"user_agent": self.user_agent, "public_ip_address": self.ip}
# serial number
serial_number = csr_d.get("serial_number")
if not serial_number:
raise SuspiciousOperation("Could not get serial number")
kwargs["serial_number"] = serial_number
# meta business
organization_name = csr_d.get("organization_name")
if not organization_name or not organization_name.startswith("MBU$"):
raise SuspiciousOperation("Unknown organization name format")
meta_business_unit_id = int(organization_name.split("$", 1)[-1])
kwargs["meta_business_unit"] = get_object_or_404(
MetaBusinessUnit, pk=meta_business_unit_id)
# type and session secret
try:
cn_prefix, ota_enrollment_session_secret = csr_d[
"common_name"].split("$")
except (KeyError, ValueError, AttributeError):
raise SuspiciousOperation("Unknown common name format")
# CN prefix => OTA enrollment phase
if cn_prefix == "OTA":
ota_enrollment_session_status = OTAEnrollmentSession.PHASE_2
elif cn_prefix == "MDM":
ota_enrollment_session_status = OTAEnrollmentSession.PHASE_3
else:
raise SuspiciousOperation("Unknown CN prefix {}".format(cn_prefix))
kwargs["model"] = "ota_enrollment_session"
kwargs[
"ota_enrollment_session__status"] = ota_enrollment_session_status
kwargs["secret"] = ota_enrollment_session_secret
try:
es_request = verify_enrollment_secret(**kwargs)
except EnrollmentSecretVerificationFailed as e:
raise SuspiciousOperation(
"secret verification failed: '{}'".format(e.err_msg))
else:
# update ota enrollment session
ota_enrollment_session = es_request.enrollment_secret.ota_enrollment_session
if ota_enrollment_session_status == OTAEnrollmentSession.PHASE_2:
ota_enrollment_session.set_phase2_scep_verified_status(
es_request)
if ota_enrollment_session_status == OTAEnrollmentSession.PHASE_3:
ota_enrollment_session.set_phase3_scep_verified_status(
es_request)
# OK
return {"status": 0}
