optionize logging in mdm-signature header handling

micromdm · Nov 3, 2023 · e4ac1bb · e4ac1bb
1 parent 84b7273
commit e4ac1bb
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 3 deletions.
diff --git a/cmd/nanomdm/main.go b/cmd/nanomdm/main.go
@@ -144,7 +144,11 @@ func main() {
  if *flCertHeader != "" {
  h = httpmdm.CertExtractPEMHeaderMiddleware(h, *flCertHeader, logger.With("handler", "cert-extract"))
  } else {
- h = httpmdm.CertExtractMdmSignatureMiddleware(h, logger.With("handler", "cert-extract"))
+ opts := []httpmdm.SigLogOption{httpmdm.SigLogWithLogger(logger.With("handler", "cert-extract"))}
+ if *flDebug {
+ opts = append(opts, httpmdm.SigLogWithLogErrors(true))
+ }
+ h = httpmdm.CertExtractMdmSignatureMiddleware(h, opts...)
  }
  return h
  }

diff --git a/http/mdm/mdm_cert.go b/http/mdm/mdm_cert.go
@@ -68,22 +68,60 @@ func CertExtractTLSMiddleware(next http.Handler, logger log.Logger) http.Handler
  }
 }
 
+// sigLogConfig is a configuration struct for CertExtractMdmSignatureMiddleware.
+type sigLogConfig struct {
+ logger log.Logger
+ always bool
+ errors bool
+}
+
+// SigLogOption sets configurations.
+type SigLogOption func(*sigLogConfig)
+
+// SigLogWithLogger sets the logger to use when logging with the MDM signature header.
+func SigLogWithLogger(logger log.Logger) SigLogOption {
+ return func(c *sigLogConfig) {
+ c.logger = logger
+ }
+}
+
+// SigLogWithLogAlways always logs the raw Mdm-Signature header.
+func SigLogWithLogAlways(always bool) SigLogOption {
+ return func(c *sigLogConfig) {
+ c.always = always
+ }
+}
+
+// SigLogWithLogErrors logs the raw Mdm-Signature header when errors occur.
+func SigLogWithLogErrors(errors bool) SigLogOption {
+ return func(c *sigLogConfig) {
+ c.errors = errors
+ }
+}
+
 // CertExtractMdmSignatureMiddleware extracts the MDM enrollment
 // identity certificate from the request into the HTTP request context.
 // It tries to verify the Mdm-Signature header on the request.
 //
 // This middleware does not error if a certificate is not found. It
 // will, however, error with an HTTP 400 status if the signature
 // verification fails.
-func CertExtractMdmSignatureMiddleware(next http.Handler, logger log.Logger) http.HandlerFunc {
+func CertExtractMdmSignatureMiddleware(next http.Handler, opts ...SigLogOption) http.HandlerFunc {
+ config := &sigLogConfig{logger: log.NopLogger}
+ for _, opt := range opts {
+ opt(config)
+ }
  return func(w http.ResponseWriter, r *http.Request) {
- logger := ctxlog.Logger(r.Context(), logger)
+ logger := ctxlog.Logger(r.Context(), config.logger)
  mdmSig := r.Header.Get("Mdm-Signature")
  if mdmSig == "" {
  logger.Debug("msg", "empty Mdm-Signature header")
  next.ServeHTTP(w, r)
  return
  }
+ if config.errors || config.always {
+ logger = logger.With("mdm-signature", mdmSig)
+ }
  b, err := mdmhttp.ReadAllAndReplaceBody(r)
  if err != nil {
  logger.Info("msg", "reading body", "err", err)
@@ -95,6 +133,8 @@ func CertExtractMdmSignatureMiddleware(next http.Handler, logger log.Logger) htt
  logger.Info("msg", "verifying Mdm-Signature header", "err", err)
  http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
  return
+ } else if config.always {
+ logger.Debug("msg", "verifying Mdm-Signature header")
  }
  ctx := context.WithValue(r.Context(), contextKeyCert{}, cert)
  next.ServeHTTP(w, r.WithContext(ctx))