feature: Bootstrapper secure server discovery

2026-01-22 15:26:23 +11:00
parent 71fa53bfb2
commit e1f1973520
40 changed files with 2094 additions and 460 deletions
@@ -1,5 +1,6 @@
 using Disco.Data.Repository;
 using Disco.Models.ClientServices;
+using Disco.Models.Services.Devices;
 using Disco.Services;
 using Disco.Services.Authorization;
 using Disco.Services.Devices.Enrolment;
@@ -22,11 +23,21 @@ namespace Disco.Web.Areas.Services.Controllers

        public virtual ActionResult PreparationClient()
        {
+            var discoveryMethodHeader = Request.Headers["X-DiscoICT-Discovery"];
+            if (!string.IsNullOrEmpty(discoveryMethodHeader) && Enum.TryParse<DeviceEnrolmentServerDiscoveryMethod>(discoveryMethodHeader, out var discoveryMethod))
+                WindowsDeviceEnrolment.IncrementDiscoveryMethod(discoveryMethod);
+
+            if (!CheckLegacyEnrollmentDiscovery())
+                return BadRequest("Enrollment Legacy Discovery is disabled. Please use secure connection (HTTPS) for device enrollment.");
+
            return File(Links.ClientBin.PreparationClient_zip, "application/x-msdownload", "PreparationClient.zip");
        }

        public virtual ActionResult Unauthenticated(string feature)
        {
+            if (!CheckLegacyEnrollmentDiscovery())
+                return BadRequest("Enrollment Legacy Discovery is disabled. Please use secure connection (HTTPS) for device enrollment.");
+
            if (string.IsNullOrEmpty(feature))
            {
                return Json(null);
@@ -64,6 +75,7 @@ namespace Disco.Web.Areas.Services.Controllers
                    }
                case "macenrol":
                    {
+                        WindowsDeviceEnrolment.IncrementDiscoveryMethod(DeviceEnrolmentServerDiscoveryMethod.Mac);
                        var Binder = ModelBinders.Binders.GetBinder(typeof(MacEnrol));
                        var BinderContext = new ModelBindingContext()
                        {
@@ -78,6 +90,7 @@ namespace Disco.Web.Areas.Services.Controllers
                    }
                case "macsecureenrol":
                    {
+                        WindowsDeviceEnrolment.IncrementDiscoveryMethod(DeviceEnrolmentServerDiscoveryMethod.MacSecure);
                        using (var database = new DiscoDataContext())
                        {
                            var host = HttpContext.Request.UserHostAddress;
@@ -93,6 +106,9 @@ namespace Disco.Web.Areas.Services.Controllers
        [Authorize]
        public virtual ActionResult Authenticated(string feature)
        {
+            if (!CheckLegacyEnrollmentDiscovery())
+                return BadRequest("Enrollment Legacy Discovery is disabled. Please use secure connection (HTTPS) for device enrollment.");
+
            if (string.IsNullOrEmpty(feature))
            {
                WhoAmIResponse whoAmIResponse = new WhoAmI().BuildResponse();
@@ -171,5 +187,21 @@ namespace Disco.Web.Areas.Services.Controllers
            return Content("Error Message Logged");
        }

+        private bool CheckLegacyEnrollmentDiscovery()
+        {
+            if (!Request.IsSecureConnection)
+            {
+                using (DiscoDataContext database = new DiscoDataContext())
+                {
+                    if (database.DiscoConfiguration.Devices.EnrollmentLegacyDiscoveryDisabled)
+                    {
+                        EnrolmentLog.LogClientError(Request.UserHostAddress, Request.UserHostName, string.Empty, "Enrollment Legacy Discovery is disabled. Please use secure connection (HTTPS) for device enrollment.", string.Empty);
+                        return false;
+                    }
+                }
+            }
+            return true;
+        }
+
    }
 }