jmpsec · javuto · Sep 8, 2024 · Sep 8, 2024
diff --git a/api/handlers-environments.go b/api/handlers-environments.go
@@ -225,22 +225,26 @@ func apiEnvEnrollActionsHandler(w http.ResponseWriter, r *http.Request) {
 	// Extract environment
 	envVar := r.PathValue("env")
 	if envVar == "" {
-		apiErrorResponse(w, "error with environment", http.StatusInternalServerError, nil)
-		incMetric(metricAPIQueriesErr)
+		apiErrorResponse(w, "error getting environment", http.StatusInternalServerError, nil)
+		incMetric(metricAPIEnvsErr)
 		return
 	}
-	// Get environment
+	// Get environment by name
 	env, err := envs.Get(envVar)
 	if err != nil {
-		apiErrorResponse(w, "error getting environment", http.StatusInternalServerError, nil)
-		incMetric(metricAPIQueriesErr)
+		if err.Error() == "record not found" {
+			apiErrorResponse(w, "environment not found", http.StatusNotFound, err)
+		} else {
+			apiErrorResponse(w, "error getting environment", http.StatusInternalServerError, err)
+		}
+		incMetric(metricAPIEnvsErr)
 		return
 	}
 	// Get context data and check access
 	ctx := r.Context().Value(contextKey(contextAPI)).(contextValue)
 	if !apiUsers.CheckPermissions(ctx[ctxUser], users.AdminLevel, env.UUID) {
 		apiErrorResponse(w, "no access", http.StatusForbidden, fmt.Errorf("attempt to use API by user %s", ctx[ctxUser]))
-		incMetric(metricAPIQueriesErr)
+		incMetric(metricAPIEnvsErr)
 		return
 	}
 	// Extract action
@@ -315,6 +319,10 @@ func apiEnvEnrollActionsHandler(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		msgReturn = "RPM updated successfully"
+	default:
+		apiErrorResponse(w, "invalid action", http.StatusBadRequest, fmt.Errorf("invalid action %s", actionVar))
+		incMetric(metricAPIEnvsErr)
+		return
 	}
 	// Return query name as serialized response
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.ApiGenericResponse{Message: msgReturn})
@@ -328,15 +336,19 @@ func apiEnvRemoveActionsHandler(w http.ResponseWriter, r *http.Request) {
 	// Extract environment
 	envVar := r.PathValue("env")
 	if envVar == "" {
-		apiErrorResponse(w, "error with environment", http.StatusInternalServerError, nil)
-		incMetric(metricAPIQueriesErr)
+		apiErrorResponse(w, "error getting environment", http.StatusInternalServerError, nil)
+		incMetric(metricAPIEnvsErr)
 		return
 	}
-	// Get environment
+	// Get environment by name
 	env, err := envs.Get(envVar)
 	if err != nil {
-		apiErrorResponse(w, "error getting environment", http.StatusInternalServerError, nil)
-		incMetric(metricAPIQueriesErr)
+		if err.Error() == "record not found" {
+			apiErrorResponse(w, "environment not found", http.StatusNotFound, err)
+		} else {
+			apiErrorResponse(w, "error getting environment", http.StatusInternalServerError, err)
+		}
+		incMetric(metricAPIEnvsErr)
 		return
 	}
 	// Get context data and check access
@@ -389,6 +401,10 @@ func apiEnvRemoveActionsHandler(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		msgReturn = "remove set to not expire"
+	default:
+		apiErrorResponse(w, "invalid action", http.StatusBadRequest, fmt.Errorf("invalid action %s", actionVar))
+		incMetric(metricAPIEnvsErr)
+		return
 	}
 	// Return query name as serialized response
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.ApiGenericResponse{Message: msgReturn})

diff --git a/osctrl-api.yaml b/osctrl-api.yaml
@@ -909,6 +909,122 @@ paths:
       security:
         - Authorization:
             - read
+    post:
+      tags:
+        - environments
+      summary: Get enroll values for an environment
+      description: Returns each of the node enrollment values (secret, certificate, flags, one-liner) for the requested osctrl environment
+      operationId: apiEnvEnrollActionsHandler
+      parameters:
+        - name: env
+          in: path
+          description: Name or UUID of the requested osctrl environment
+          required: true
+          schema:
+            type: string
+        - name: target
+          in: path
+          description: Target to retrieve (secret, cert, flags, enroll.sh, enroll.ps1)
+          required: true
+          schema:
+            type: string
+      responses:
+        200:
+          description: successful operation
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: "#/components/schemas/ApiDataResponse"
+        400:
+          description: bad request
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ApiErrorResponse"
+        403:
+          description: no access
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ApiErrorResponse"
+        404:
+          description: no environments
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ApiErrorResponse"
+        500:
+          description: error getting environments
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ApiErrorResponse"
+      security:
+        - Authorization:
+            - read
+  /environments/{env}/enroll/{action}:
+    post:
+      tags:
+        - environments
+      summary: Perform enroll actions for an environment
+      description: Executes an action (extend/rotate/expire/notexpire) in the enrollment URL for the requested osctrl environment
+      operationId: apiEnvEnrollActionsHandler
+      parameters:
+        - name: env
+          in: path
+          description: Name or UUID of the requested osctrl environment
+          required: true
+          schema:
+            type: string
+        - name: action
+          in: path
+          description: Action to execute (extend, rotate, expire, notexpire)
+          required: true
+          schema:
+            type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/ApiActionsRequest"
+      responses:
+        200:
+          description: successful operation
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: "#/components/schemas/ApiDataResponse"
+        400:
+          description: bad request
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ApiErrorResponse"
+        403:
+          description: no access
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ApiErrorResponse"
+        404:
+          description: no environments
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ApiErrorResponse"
+        500:
+          description: error getting environments
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ApiErrorResponse"
+      security:
+        - Authorization:
+            - admin
   /environments/{env}/remove/{target}:
     get:
       tags:
@@ -965,6 +1081,67 @@ paths:
       security:
         - Authorization:
             - read
+  /environments/{env}/remove/{action}:
+    post:
+      tags:
+        - environments
+      summary: Perform remove actions for an environment
+      description: Executes an action (extend/rotate/expire/notexpire) in the remove URL for the requested osctrl environment
+      operationId: apiEnvRemoveActionsHandler
+      parameters:
+        - name: env
+          in: path
+          description: Name or UUID of the requested osctrl environment
+          required: true
+          schema:
+            type: string
+        - name: action
+          in: path
+          description: Action to execute (extend, rotate, expire, notexpire)
+          required: true
+          schema:
+            type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/ApiActionsRequest"
+      responses:
+        200:
+          description: successful operation
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: "#/components/schemas/ApiDataResponse"
+        400:
+          description: bad request
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ApiErrorResponse"
+        403:
+          description: no access
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ApiErrorResponse"
+        404:
+          description: no environments
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ApiErrorResponse"
+        500:
+          description: error getting environments
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ApiErrorResponse"
+      security:
+        - Authorization:
+            - admin
   /tags:
     get:
       tags:
@@ -1670,6 +1847,19 @@ components:
           format: int64
         Info:
           type: string
+    ApiActionsRequest:
+      type: object
+      properties:
+        Certificate:
+          type: string
+        MacPkgURL:
+          type: string
+        MsiPkgURL:
+          type: string
+        RpmPkgURL:
+          type: string
+        DebPkgURL:
+          type: string
   securitySchemes:
     Authorization:
       type: http