From 11d205f6c401a1c7cc24a8cb3dc0553ffbfa5ac5 Mon Sep 17 00:00:00 2001
From: Nick Khyl
Date: Wed, 4 Sep 2024 12:01:55 -0500
Subject: [PATCH] control/controlclient,posture,util/syspolicy: use predefined syspolicy keys instead of string literals

With the upcoming syspolicy changes, it's imperative that all syspolicy keys are defined in the syspolicy package for proper registration. Otherwise, the corresponding policy settings will not be read.

This updates a couple of places where we still use string literals rather than syspolicy consts.

Updates #12687

Signed-off-by: Nick Khyl
---
 control/controlclient/sign_supported.go | 2 +-
 posture/serialnumber_ios.go | 2 +-
 util/syspolicy/policy_keys.go | 8 ++++++++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/control/controlclient/sign_supported.go b/control/controlclient/sign_supported.go
index 3f696dbcd..0e3dd038e 100644
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@@ -38,7 +38,7 @@
 // Example: "CN=Tailscale Inc Test Root CA,OU=Tailscale Inc Test Certificate Authority,O=Tailscale Inc,ST=ON,C=CA"
 func getMachineCertificateSubject() string {
 	getMachineCertificateSubjectOnce.Do(func() {
-		getMachineCertificateSubjectOnce.v, _ = syspolicy.GetString("MachineCertificateSubject", "")
+		getMachineCertificateSubjectOnce.v, _ = syspolicy.GetString(syspolicy.MachineCertificateSubject, "")
 	})
 	return getMachineCertificateSubjectOnce.v
diff --git a/posture/serialnumber_ios.go b/posture/serialnumber_ios.go
index b5aa09056..55d0e438b 100644
--- a/posture/serialnumber_ios.go
+++ b/posture/serialnumber_ios.go
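Review bot: The rewritten line still discards the error from syspolicy.GetString, so a failure to read the key collapses into the same empty string as an unset policy, and for a setting that governs certificate-based signing of RegisterRequests that is a fail-open shape worth making explicit rather than implicit. If the package's not-found sentinel (syspolicy.ErrNoSuchKey, if I recall the name correctly) is the only expected error, consider `v, err := syspolicy.GetString(syspolicy.MachineCertificateSubject, "")` and logging or surfacing any other err before storing v. At minimum a comment such as `// A read error is treated the same as an unset policy and yields "".` on the changed line would document the behaviour. What the caller does with an empty subject, and the rest of getMachineCertificateSubject, lie outside the hunk.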
@@ -14,7 +14,7 @@
 // MDM solution. It requires configuration via the DeviceSerialNumber system policy.
 // This is the only way to gather serial numbers on iOS and tvOS.
 func GetSerialNumbers(_ logger.Logf) ([]string, error) {
-	s, err := syspolicy.GetString("DeviceSerialNumber", "")
+	s, err := syspolicy.GetString(syspolicy.DeviceSerialNumber, "")
 	if err != nil {
 		return nil, fmt.Errorf("failed to get serial number from MDM: %v", err)
 	}
diff --git a/util/syspolicy/policy_keys.go b/util/syspolicy/policy_keys.go
index 1aa137386..ec0556a94 100644
--- a/util/syspolicy/policy_keys.go
+++ b/util/syspolicy/policy_keys.go
@@ -98,6 +98,14 @@
 	// automatically authenticate managed devices, without requiring user interaction.
 	AuthKey Key = "AuthKey"
+	// MachineCertificateSubject is the exact name of a Subject that needs
+	// to be present in an identity's certificate chain to sign a RegisterRequest,
+	// formatted as per pkix.Name.String(). The Subject may be that of the identity
+	// itself, an intermediate CA or the root CA.
+	//
+	// Example: "CN=Tailscale Inc Test Root CA,OU=Tailscale Inc Test Certificate Authority,O=Tailscale Inc,ST=ON,C=CA"
+	MachineCertificateSubject Key = "MachineCertificateSubject"
+
 	// Keys with a string array value.
 	// AllowedSuggestedExitNodes's string array value is a list of exit node IDs that restricts which exit nodes are considered when generating suggestions for exit nodes.
 	AllowedSuggestedExitNodes Key = "AllowedSuggestedExitNodes"
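Review bot: The context line directly after the rewritten call wraps the error with `%v`, which flattens the chain so a caller of GetSerialNumbers cannot use errors.Is to tell a not-configured DeviceSerialNumber policy apart from a genuine read failure; `return nil, fmt.Errorf("failed to get serial number from MDM: %w", err)` preserves it at no cost. This is pre-existing rather than introduced here, but it is the first thing that consumes the value the new line produces, so it is the natural place to fix while touching this function. GetSerialNumbers continues outside the hunk.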
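Review bot: The new doc comment on MachineCertificateSubject repeats, almost verbatim, the comment on getMachineCertificateSubject in control/controlclient/sign_supported.go (the identical Example line is visible in that hunk), leaving two copies to drift; consider reducing the function comment to `// getMachineCertificateSubject returns the value of the syspolicy.MachineCertificateSubject policy; see that key's documentation for the expected format.` Separately, the commit message states that keys must live in this package "for proper registration", but whether registration follows from the declaration alone or from an explicit list elsewhere is not visible in this hunk — if it is a list, confirm the new key is added to it, since the message itself says an unregistered key is silently not read. The const block continues outside the hunk.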