Merge pull request #60 from hazcod/feat/ws1/oauth2

Switch Workspace ONE integration to oauth2

Author: hazcod

Makefile

@@ -1,3 +1,5 @@
+all: run
+
 clean:
 	rm slacker || true
 
@@ -6,5 +8,4 @@ build:
 	chmod +x slacker
 
 run:
-	chmod +x slacker
-	./slacker -dry -config=test.yml
+	go run ./cmd/ -dry -config=test.yml -noreport -log=trace

README.md

@@ -54,10 +54,15 @@ falcon:
 
 # vmware workspace one
 ws1:
+  # the api endpoint of your Workspace ONE instance, eg. "https://asXXXX.awmdm.com/api/"
   api_url: "https://xxx.awmdm.com/api/"
-  api_key: "XXX"
-  user: "XXX"
-  password: "XXX"
+  # your Workspace ONE oauth2 credentials
+  # Groups & Settings > Configurations > Search for "oauth" > Click > Add with a Reader role
+  client_id: "XXX"
+  client_secret: "XXX"
+  # the location of your Workspace ONE tenant, see 'Region-specific Token URLs'
+  # https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/UEM_ConsoleBasics/GUID-BF20C949-5065-4DCF-889D-1E0151016B5A.html
+  auth_location: "emea"
   # what policies you want to skip
   # leave user or policy blank to ignore it
   skip:
@@ -135,6 +140,6 @@ templates:
     {{ end }}
     {{ end }}
 ```
-4. Run `css -config=your-config.yml -log=debug -dry` to test.
-5. See the security overview popup to you in Slack!
-6. Now run it for real with `css -config=your-config.yml`.
+7. Run `css -config=your-config.yml -log=debug -dry` to test.
+8. See the security overview popup to you in Slack!
+9. Now run it for real with `css -config=your-config.yml`.

config/config.go

@@ -35,9 +35,11 @@ type Config struct {
 
 	WS1 struct {
 		Endpoint string `yaml:"api_url" env:"WS1_API_URL"`
-		APIKey   string `yaml:"api_key" env:"WS1_API_KEY"`
-		User     string `yaml:"user" env:"WS1_USER"`
-		Password string `yaml:"password" env:"WS1_PASSWORD"`
+		// from https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/UEM_ConsoleBasics/GUID-BF20C949-5065-4DCF-889D-1E0151016B5A.html
+		// e.g. 'emea'
+		AuthLocation string `yaml:"auth_location" env:"WS1_AUTH_LOCATION"`
+		ClientID     string `yaml:"client_id" env:"WS1_CLIENT_ID"`
+		ClientSecret string `yaml:"client_secret" env:"WS1_CLIENT_SECRET"`
 
 		SkipFilters []struct {
 			Policy string `yaml:"policy"`
@@ -104,5 +106,13 @@ func (c *Config) Validate() error {
 		return errors.New("missing message")
 	}
 
+	if c.WS1.ClientSecret == "" || c.WS1.ClientID == "" {
+		return errors.New("missing WS1 client_id or client_secret")
+	}
+
+	if c.WS1.AuthLocation == "" {
+		return errors.New("missing WS1 auth_location")
+	}
+
 	return nil
 }

pkg/ws1/extractor.go

@@ -3,12 +3,13 @@ package ws1
 import (
 	"bytes"
 	"context"
-	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"github.com/hazcod/crowdstrike-spotlight-slacker/config"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
-	"io/ioutil"
+	"golang.org/x/oauth2/clientcredentials"
+	"io"
 	"net/http"
 	"strconv"
 	"strings"
@@ -31,46 +32,41 @@ type UserDeviceFinding struct {
 	ComplianceName string
 }
 
-func basicAuth(username, password string) string {
-	auth := username + ":" + password
-	return base64.StdEncoding.EncodeToString([]byte(auth))
-}
-
-func doAuthRequest(user, pass, apiKey, url, method string, payload interface{}) (respBytes []byte, err error) {
+func doAuthRequest(ctx context.Context, ws1AuthLocation, clientID, secret, url, method string, payload interface{}) (respBytes []byte, err error) {
 	var reqPayload []byte
 	if payload != nil {
 		if reqPayload, err = json.Marshal(&payload); err != nil {
 			return nil, errors.Wrap(err, "coult not encode request body")
 		}
 	}
 
+	oauth2Config := clientcredentials.Config{ClientID: clientID, ClientSecret: secret,
+		TokenURL: fmt.Sprintf("https://%s.uemauth.vmwservices.com/connect/token", ws1AuthLocation)}
+	httpClient := oauth2Config.Client(ctx)
+	httpClient.Timeout = time.Second * 10
+
 	req, err := http.NewRequest(method, url, bytes.NewReader(reqPayload))
+	req = req.WithContext(ctx)
 	if err != nil {
 		return nil, errors.Wrap(err, "request failed")
 	}
 
 	req.Header.Set("Accept", "application/json")
-	req.Header.Set("aw-tenant-code", apiKey)
-	req.Header.Set("Authorization", "Basic "+basicAuth(user, pass))
-
-	httpClient := http.Client{
-		Timeout: time.Second * 10,
-	}
 
 	resp, err := httpClient.Do(req)
 	if err != nil {
 		return nil, errors.Wrap(err, "http request failed")
 	}
 
 	if resp.StatusCode > 399 {
-		respB, _ := ioutil.ReadAll(resp.Body)
+		respB, _ := io.ReadAll(resp.Body)
 		logrus.WithField("response", string(respB)).Warn("invalid response")
 		return nil, errors.New("invalid response code: " + strconv.Itoa(resp.StatusCode))
 	}
 
 	defer resp.Body.Close()
 
-	if respBytes, err = ioutil.ReadAll(resp.Body); err != nil {
+	if respBytes, err = io.ReadAll(resp.Body); err != nil {
 		return nil, errors.New("could not read response body")
 	}
 
@@ -79,7 +75,8 @@ func doAuthRequest(user, pass, apiKey, url, method string, payload interface{})
 
 func GetMessages(config *config.Config, ctx context.Context) (map[string]WS1Result, []string, error) {
 	deviceResponseB, err := doAuthRequest(
-		config.WS1.User, config.WS1.Password, config.WS1.APIKey,
+		ctx,
+		config.WS1.AuthLocation, config.WS1.ClientID, config.WS1.ClientSecret,
 		strings.TrimRight(config.WS1.Endpoint, "/")+"/mdm/devices/search?compliance_status=NonCompliant",
 		http.MethodGet,
 		nil,
@@ -89,7 +86,7 @@ func GetMessages(config *config.Config, ctx context.Context) (map[string]WS1Resu
 		return nil, nil, errors.Wrap(err, "could not fetch WS1 devices")
 	}
 
-	usersWithDevices := []string{}
+	usersWithDevices := make([]string, 0)
 
 	var devicesResponse DevicesResponse
 	if err := json.Unmarshal(deviceResponseB, &devicesResponse); err != nil {