xolo-server 1.0.0

data/lib/xolo/server/mixins/version_ted_access.rb

@@ -0,0 +1,373 @@
+# Copyright 2025 Pixar
+#
+#    Licensed under the terms set forth in the LICENSE.txt file available at
+#    at the root of this project.
+#
+#
+
+# frozen_string_literal: true
+
+# main module
+module Xolo
+
+  module Server
+
+    module Mixins
+
+      # This is mixed in to Xolo::Server::Version
+      # to define Version/Patch-related access to the Title Edit server
+      #
+      module VersionTedAccess
+
+        # Module methods
+        #
+        # These are available as module methods but not as 'helper'
+        # methods in sinatra routes & views.
+        #
+        ##############################
+        ##############################
+
+        # when this module is included
+        ##############################
+        def self.included(includer)
+          Xolo.verbose_include includer, self
+        end
+
+        # Instance methods
+        #
+        # These are available directly in sinatra routes and views
+        #
+        ##############################
+        ##############################
+
+        # Create a new version in the title editor
+        #
+        # TODO: allow specification of version_order, probably by accepting a value
+        # for the 'previous_version'?
+        #
+        # @return [void]
+        ##########################
+        def create_patch_in_ted
+          progress "Title Editor: Creating Patch '#{version}' of SoftwareTitle '#{title}'", log: :info
+          ted_title.patches.add_patch(
+            version: version,
+            minimumOperatingSystem: min_os,
+            releaseDate: publish_date,
+            reboot: reboot,
+            standalone: standalone
+          )
+          new_patch = ted_title.patches.patch version
+
+          set_patch_killapps
+          set_patch_capabilites
+          set_ted_patch_component_criteria ttl_obj: title_object
+
+          self.ted_id_number = new_patch.patchId
+        end
+
+        # Update version/patch in the title editor directly.
+        # This never called when updating versions via changes to
+        # the title - that process calls the sub-methods directly.
+        #
+        # @return [void]
+        ##########################
+        def update_patch_in_ted
+          progress "Title Editor: Updating Patch '#{version}' SoftwareTitle '#{title}'", log: :info
+
+          Xolo::Server::Version::ATTRIBUTES.each do |attr, deets|
+            ted_attribute = deets[:ted_attribute]
+            next unless ted_attribute
+
+            new_val = new_data_for_update[attr]
+            old_val = send(attr)
+            next if new_val == old_val
+
+            # These changes happen in real time on the Title Editor server, no need to #save
+            log_debug "Title Editor: Updating patch attribute '#{ted_attribute}': #{old_val} -> #{new_val}"
+            ted_patch.send "#{ted_attribute}=", new_val
+          end
+
+          set_patch_killapps if changes_for_update[:killapps]
+          set_patch_capabilites if changes_for_update[:min_os] || changes_for_update[:max_os]
+
+          # This should not be needed here - its only affected by changes to the title, and
+          # those are handled by the title object calling the same method
+          #
+          # set_ted_patch_component_criteria ttl_obj: title_object
+        end
+
+        # Set any killapps for this version in the title editor.
+        #
+        # @return [void]
+        ##########################
+        def set_patch_killapps
+          # creating a new patch
+          if creating?
+            kapps = killapps
+
+          # updating - delete and replace with any new ones
+          elsif updating?
+            return unless changes_for_update.key? :killapps
+
+            kapps = changes_for_update[:killapps][:new]
+            ted_patch.killApps.delete_all_killApps
+
+          # repairing delete and replace with current, to ensure values are correct.
+          elsif repairing?
+            kapps = killapps
+            ted_patch.killApps.delete_all_killApps
+          else
+            return
+          end
+          return if kapps.pix_empty?
+
+          # set the current values
+          kapps.each do |ka_str|
+            msg = "Title Editor: Setting killApp '#{ka_str}' for Patch '#{version}' of SoftwareTitle '#{title}'"
+            progress msg, log: :info
+
+            name, bundleid = ka_str.split(Xolo::SEMICOLON_SEP_RE)
+            ted_patch.killApps.add_killApp(
+              appName: name,
+              bundleId: bundleid
+            )
+          end
+        end
+
+        # Set the capabilities for this version in the title editor.
+        # This is a collection of criteria that define which computers
+        # can install this version.
+        #
+        # At the very least we enforce the required minimum OS.
+        # and optional maximim OS.
+        #
+        # TODO: Allow xadm to specify other capability criteria?
+        #
+        # @return [void]
+        ##########################
+        def set_patch_capabilites
+          # creating a new patch? Just use the current values
+          if creating?
+            min = min_os
+            max = max_os
+
+          # updating an existing patch? Use the new values if they exist
+          # noting that a nil new value for max_os means its being removed
+          elsif updating?
+            return unless changes_for_update&.key?(:max_os) || changes_for_update&.key?(:min_os)
+
+            # min gets reset even if it didn't change and it can't be empty.
+            min = changes_for_update.dig(:min_os, :new) || min_os
+
+            # if max is changing and its nil, its being removed, so won't be re-added
+            # if its not changing, keep the current value
+            max = changes_for_update&.key?(:max_os) ? changes_for_update[:max_os][:new] : max_os
+
+            # delete the existing criteria
+            ted_patch.capabilities.delete_all_criteria
+
+          elsif repairing?
+            min = min_os
+            max = max_os
+            # delete the existing criteria
+            ted_patch.capabilities.delete_all_criteria
+
+          else
+            return
+          end
+          return unless min || max
+
+          msg = "Title Editor: Setting min_os capability for Patch '#{version}' of SoftwareTitle '#{title}' to '#{min}'"
+          progress msg, log: :info
+
+          # min os - one is always required
+          ted_patch.capabilities.add_criterion(
+            name: 'Operating System Version',
+            operator: 'greater than or equal',
+            value: min
+          )
+
+          return unless max
+
+          msg = "Title Editor: Setting max_os capability for Patch '#{version}' of SoftwareTitle '#{title}' to '#{max}'"
+          progress msg, log: :debug
+
+          ted_patch.capabilities.add_criterion(
+            name: 'Operating System Version',
+            operator: 'less than or equal',
+            value: max
+          )
+        end
+
+        # Set the component criteria for this version in the title editor.
+        #
+        # @param app_name [String] the name of the app to use in app-based requirements,
+        #   must be used with app_bundle_id, cannot be used with ea_name
+        #
+        # @param app_bundle_id [String] the bundle id of the app to use in app-based requirements
+        #   must be used with app_name, cannot be used with ea_name
+        #
+        # @param ea_name [String] the name of the EA to use in EA-based requirements (the ted_ea_key)
+        #   Cannot be used with app_name or app_bundle_id
+        #
+        # @param ttl_obj [Xolo::Server::Title]  the title object with the values
+        #
+        # This is a collection of criteria that define which computers
+        # have this version installed
+        #
+        # @return [void]
+        ##########################
+        def set_ted_patch_component_criteria(app_name: nil, app_bundle_id: nil, ea_name: nil, ttl_obj: nil)
+          if ttl_obj
+            app_name, app_bundle_id, ea_name = get_patch_component_criteria_params(ttl_obj)
+
+          elsif !((app_name && app_bundle_id) || ea_name)
+            raise Xolo::MissingDataError, 'Must provide either ea_name or app_name & app_bundle_id, or ttl_obj'
+          end
+
+          type = ea_name ? 'Extension Attribute (version_script)' : 'App'
+          msg = "Title Editor: Setting #{type}-based component criteria for Patch '#{version}' of SoftwareTitle '#{title}'"
+          progress msg, log: :info
+
+          # delete any already there and make a new one
+          ted_patch.delete_component
+          ted_patch.add_component name: title, version: version
+          comp = ted_patch.component
+
+          ea_name ? set_ea_component(comp, ea_name) : set_app_component(comp, app_name, app_bundle_id)
+
+          # SHouldn't be needed here, is called in both create and update
+          # enable_ted_patch
+        end
+
+        # get the param values for patch component criteria from the title object,
+        # which may be setting them via an update
+        #
+        # @param ttl_obj [Xolo::Server::Title] the title object with the values
+        # @return [Array] the values for the component criteria
+        ##########################
+        def get_patch_component_criteria_params(ttl_obj)
+          app_name, app_bundle_id, ea_name = nil
+
+          if ttl_obj.updating?
+            if ttl_obj.changes_for_update.dig :app_name, :new
+              app_name = ttl_obj.changes_for_update[:app_name][:new]
+              app_bundle_id = ttl_obj.changes_for_update[:app_bundle_id][:new]
+            else
+              ea_name = ttl_obj.ted_ea_key
+            end
+          elsif ttl_obj.app_name
+            app_name = ttl_obj.app_name
+            app_bundle_id = ttl_obj.app_bundle_id
+          else
+            ea_name = ttl_obj.ted_ea_key
+          end
+
+          [app_name, app_bundle_id, ea_name]
+        end
+
+        # @return [void]
+        ##############################
+        def set_ea_component(comp, ea_name)
+          comp.criteria.add_criterion(
+            type: 'extensionAttribute',
+            name: ea_name,
+            operator: 'is',
+            value: version
+          )
+        end
+
+        # @return [void]
+        ##############################
+        def set_app_component(comp, app_name, app_bundle_id)
+          comp.criteria.add_criterion(
+            name: 'Application Title',
+            operator: 'is',
+            value: app_name
+          )
+
+          comp.criteria.add_criterion(
+            name: 'Application Bundle ID',
+            operator: 'is',
+            value: app_bundle_id
+          )
+
+          comp.criteria.add_criterion(
+            name: 'Application Version',
+            operator: 'is',
+            value: version
+          )
+        end
+
+        # For a patch to be enabled in the Title Editor, it needs at least a component criterion
+        # and one capability. Xolo enforces those when the patch is created, so from the title
+        # editor's view it should be OK from the start.
+        #
+        # But Xolo can't really do anything with it until there's a Jamf Package object and
+        # an uploaded installer.
+        # So once we have those, this method is called to enable the patch.
+        #
+        # @param version [Xolo::Server::Version] the version who's patch to enable
+        #
+        # @return [void]
+        ##############################
+        def enable_ted_patch
+          progress "Title Editor: (Re-)Enabling Patch '#{version}' of SoftwareTitle '#{title}'", log: :info
+          ted_patch(refresh: true).enable
+        end
+
+        # Delete from the title editor
+        # @return [Integer] title editor id
+        ###########################
+        def delete_patch_from_ted
+          patch_id = ted_title.patches.versions_to_patchIds[version]
+          if patch_id
+            progress "Title Editor: Deleting Patch '#{version}' of SoftwareTitle '#{title}'", log: :info
+            ted_title.patches.delete_patch patch_id
+
+          else
+            log_debug "Title Editor: No id for Patch '#{version}' of SoftwareTitle '#{title}', nothing to delete"
+          end
+
+          ted_id_number
+        rescue Windoo::NoSuchItemError
+          ted_id_number
+        end
+
+        # @return [String] the URL for the Title Editor Web App page for this patch
+        ###################################
+        def ted_patch_url
+          "https://#{Xolo::Server.config.ted_hostname}/patches/#{ted_id_number}"
+        end
+
+        # Ensure all the TEd items for this version are correct based on the server data.
+        #########################
+        def repair_ted_patch
+          progress "Title Editor: Repairing Patch '#{version}' of SoftwareTitle '#{title}'", log: :info
+
+          Xolo::Server::Version::ATTRIBUTES.each do |attr, deets|
+            ted_attribute = deets[:ted_attribute]
+            # if there's no ted_attribute, this isn't a value stored in the Title Editor
+            next unless ted_attribute
+
+            real_val = send(attr)
+            ted_val = ted_patch.send(ted_attribute)
+            next if ted_val == real_val
+
+            # These changes happen in real time on the Title Editor server, no need to #save
+            progress "Title Editor: Repairing patch attribute '#{ted_attribute}': #{ted_val} -> #{real_val}"
+            ted_patch.send "#{ted_attribute}=", real_val
+          end
+          set_patch_killapps
+          set_patch_capabilites
+          set_ted_patch_component_criteria ttl_obj: title_object
+          enable_ted_patch unless ted_patch(refresh: true).enabled?
+        end
+
+      end # VersionTedAccess
+
+    end # Mixins
+
+  end # Server
+
+end # module Xolo

data/lib/xolo/server/object_locks.rb

@@ -0,0 +1,102 @@
+# Copyright 2025 Pixar
+#
+#    Licensed under the terms set forth in the LICENSE.txt file available at
+#    at the root of this project.
+#
+
+# frozen_string_literal: true
+
+# main module
+module Xolo
+
+  # Server Module
+  module Server
+
+    # Code for locking titles and versions as they are being modified
+    ##################################
+    module ObjectLocks
+
+      # when this module is included
+      def self.included(includer)
+        Xolo.verbose_include includer, self
+      end
+
+      # when this module is extended
+      def self.extended(extender)
+        Xolo.verbose_extend extender, self
+      end
+
+      # How many seconds are update locks valid for?
+      OBJECT_LOCK_LIMIT = 60 * 60
+
+      # The locks for titles and versions - when they are being created or updated
+      # they appear in this data structure with an expiration timestamp.
+      # During that time, no other updates can be made to the same title or version.
+      #
+      # Keys are the title names, values are hashes with these sub-keys:
+      # - expires: the time the title lock expires, time locked plus OBJECT_LOCK_LIMIT
+      # - versions: Hash of versions_that_are_locked => expiration_time
+      #
+      # @return [Concurrent::Hash] The locks
+      ################################
+      def object_locks
+        @object_locks ||= Concurrent::Hash.new
+      end
+
+      # Remove any expired locks from the object_locks
+      ################################
+      def remove_expired_object_locks
+        now = Time.now
+
+        # first delete any expired version locks
+        object_locks.each_value do |locks|
+          locks[:versions] ||= {}
+
+          locks[:versions].delete_if do |vers, exp|
+            if exp < now
+              log_debug "Removing expired lock on version #{vers} of title #{title}"
+              true
+            else
+              false
+            end
+          end
+        end
+
+        # now delete any expired title locks that have no versions locked
+        object_locks.delete_if do |_title, locks|
+          # keep it if there are versions locked
+          if !locks[:versions].empty?
+            false
+
+          # if there's a title lock expiration time, check it
+          elsif locks[:expires]
+            if locks[:expires] < now
+              log_debug "Removing expired lock on title #{title}"
+              true
+            else
+              false
+            end
+
+          # no title-lock expiration time
+          else
+            true
+          end
+        end
+      end
+
+      # Testing Concurrent::ReentrantReadWriteLock for titles and versions
+      # to be acquired and released in the route blocks
+      #
+      def rw_lock(title, version = nil)
+        @rw_locks ||= Concurrent::Hash.new
+        @rw_locks[title] ||= { lock: Concurrent::ReentrantReadWriteLock.new }
+        return @rw_locks[title] unless version
+
+        @rw_locks[title][version] ||= Concurrent::ReentrantReadWriteLock.new
+      end
+
+    end #  ObjectLocks
+
+  end #  Server
+
+end # module Xolo

data/lib/xolo/server/routes/auth.rb

@@ -0,0 +1,89 @@
+# Copyright 2025 Pixar
+#
+#    Licensed under the terms set forth in the LICENSE.txt file available at
+#    at the root of this project.
+#
+
+# frozen_string_literal: true
+
+# main module
+module Xolo
+
+  # Server Module
+  module Server
+
+    module Routes
+
+      module Auth
+
+        # This is how we 'mix in' modules to Sinatra servers:
+        # We make them extentions here with
+        #    extend Sinatra::Extension (from sinatra-contrib)
+        # and then 'register' them in the server with
+        #    register Xolo::Server::<Module>
+        # Doing it this way allows us to split the code into a logical
+        # file structure, without re-opening the Sinatra::Base server app,
+        extend Sinatra::Extension
+
+        # when this module is included
+        def self.included(includer)
+          Xolo.verbose_include includer, self
+        end
+
+        # Auth a Xolo Admin via Jamf API login
+        # Must be a member of the Jamf Admin group
+        # named in Xolo::Server.config.admin_jamf_group
+        # before
+        ###################
+        post '/auth/login' do
+          request.body.rewind
+          payload = parse_json request.body.read
+          admin = payload[:admin]
+          pw = payload[:password]
+
+          err =
+            if !member_of_admin_jamf_group?(admin)
+              "'#{admin}' is not allowed to use the Xolo server"
+            elsif !authenticated_via_jamf?(admin, pw)
+              "Incorrect xolo admin username or password for '#{admin}'"
+            end
+
+          if err
+            log_info "Authentication failed: #{err}"
+            halt 401, { status: 401, error: err }
+          end
+
+          # Set the session values
+          session[:xolo_id] = "#{Time.now.to_i}#{SecureRandom.alphanumeric 3}"
+          session[:admin] = payload[:proxy_admin] ? "#{payload[:proxy_admin]}-via-#{admin}" : admin
+          session[:authenticated] = true
+          log_info "Authenticated admin '#{session[:admin]}' from #{request.ip}"
+
+          body({ admin: admin, authenticated: true, proxy_admin: payload[:proxy_admin] })
+        end
+
+        # Log out the current admin
+        ###################
+        post '/auth/logout' do
+          log_info "Logging out admin '#{session[:admin]}' from #{request.ip}"
+          session.clear
+          body({ authenticated: false })
+        end
+
+        # check if the current admin is allowed to set a title's release groups to 'all'
+        ###################
+        get '/auth/release_to_all_allowed' do
+          data = {
+            allowed: allowed_to_release_to_all?(session[:admin]),
+            msg: "Please contact #{Xolo::Server.config.release_to_all_contact} to set release groups to '#{Xolo::TARGET_ALL}'. Let us know why you think the title should be deployed to all computers. Until then you can leave the release groups empty, or use actual Jamf groups."
+          }
+          body data
+        end
+
+      end # module auth
+
+    end #  Routes
+
+  end #  Server
+
+end # module Xolo

data/lib/xolo/server/routes/jamf_pro.rb

@@ -0,0 +1,89 @@
+# Copyright 2025 Pixar
+#
+#    Licensed under the terms set forth in the LICENSE.txt file available at
+#    at the root of this project.
+#
+
+# frozen_string_literal: true
+
+# main module
+module Xolo
+
+  # Server Module
+  module Server
+
+    module Routes
+
+      module JamfPro
+
+        # This is how we 'mix in' modules to Sinatra servers
+        # for route definitions and similar things
+        #
+        # (things to be 'included' for use in route and view processing
+        # are mixed in by delcaring them to be helpers)
+        #
+        # We make them extentions here with
+        #    extend Sinatra::Extension (from sinatra-contrib)
+        # and then 'register' them in the server with
+        #    register Xolo::Server::<Module>
+        # Doing it this way allows us to split the code into a logical
+        # file structure, without re-opening the Sinatra::Base server app,
+        # and let xeitwork do the requiring of those files
+        extend Sinatra::Extension
+
+        # Module methods
+        #
+        ##############################
+        ##############################
+
+        # when this module is included
+        def self.included(includer)
+          Xolo.verbose_include includer, self
+        end
+
+        # when this module is extended
+        def self.extended(extender)
+          Xolo.verbose_extend extender, self
+        end
+
+        # Routes
+        #
+        ##############################
+        ##############################
+
+        # We probably don't need this - just for testing for now.
+        ###############
+        get '/jamf/package-names' do
+          log_debug "Jamf: Fetching Jamf Package Names for #{session[:admin]}"
+          jamf_cnx
+          body Jamf::JPackage.all_names(:refresh, cnx: jamf_cnx).sort
+        ensure
+          jamf_cnx&.disconnect
+        end
+
+        # A list of all current computer groups
+        ###############
+        get '/jamf/computer-group-names' do
+          log_debug "Jamf: Fetching Jamf ComputerGroup Names for #{session[:admin]}"
+          body Jamf::ComputerGroup.all_names(:refresh, cnx: jamf_cnx).sort
+        ensure
+          jamf_cnx&.disconnect
+        end
+
+        # A list of all current categories
+        ###############
+        get '/jamf/category-names' do
+          log_debug "Jamf: Fetching Jamf Category Names for #{session[:admin]}"
+          jcnx = jamf_cnx
+          body Jamf::Category.all_names(:refresh, cnx: jcnx).sort
+        ensure
+          jcnx&.disconnect
+        end
+
+      end # Module
+
+    end #  Routes
+
+  end #  Server
+
+end # module Xolo