npm - @openmdm/core - Versions diffs - 0.7.0 → 0.9.0 - Mend

@openmdm/core 0.7.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/index.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { randomUUID, createHmac, timingSafeEqual } from 'crypto';
+import { randomUUID, createHmac, createPublicKey, verify, timingSafeEqual } from 'crypto';
 // src/index.ts
@@ -72,14 +72,69 @@ var ValidationError = class extends MDMError {
     super(message, "VALIDATION_ERROR", 400, details);
   }
 };
+// src/logger.ts
+function normalize(...args) {
+  if (args.length === 1) {
+    return { context: void 0, message: args[0] };
+  }
+  return { context: args[0], message: args[1] };
+}
+function createConsoleLogger(scope = []) {
+  const prefix = scope.length > 0 ? `[openmdm:${scope.join(":")}]` : "[openmdm]";
+  const render = (context) => {
+    if (!context || Object.keys(context).length === 0) return "";
+    try {
+      return " " + JSON.stringify(context);
+    } catch {
+      return " " + String(context);
+    }
+  };
+  return {
+    debug: (...args) => {
+      const { context, message } = normalize(...args);
+      if (!process.env.DEBUG) return;
+      console.debug(`${prefix} ${message}${render(context)}`);
+    },
+    info: (...args) => {
+      const { context, message } = normalize(...args);
+      console.log(`${prefix} ${message}${render(context)}`);
+    },
+    warn: (...args) => {
+      const { context, message } = normalize(...args);
+      console.warn(`${prefix} ${message}${render(context)}`);
+    },
+    error: (...args) => {
+      const { context, message } = normalize(...args);
+      console.error(`${prefix} ${message}${render(context)}`);
+    },
+    child: (bindings) => {
+      const componentPart = typeof bindings.component === "string" ? [bindings.component] : [];
+      return createConsoleLogger([...scope, ...componentPart]);
+    }
+  };
+}
+function createSilentLogger() {
+  const silent = {
+    debug: () => void 0,
+    info: () => void 0,
+    warn: () => void 0,
+    error: () => void 0,
+    child: () => silent
+  };
+  return silent;
+}
+// src/webhooks.ts
 var DEFAULT_RETRY_CONFIG = {
   maxRetries: 3,
   initialDelay: 1e3,
   maxDelay: 3e4
 };
-function createWebhookManager(config) {
+function createWebhookManager(config, logger = createSilentLogger()) {
   const endpoints = /* @__PURE__ */ new Map();
   const retryConfig = { ...DEFAULT_RETRY_CONFIG, ...config.retry };
+  const log = logger.child({ component: "webhooks" });
   if (config.endpoints) {
     for (const endpoint of config.endpoints) {
       endpoints.set(endpoint.id, endpoint);
@@ -181,9 +236,14 @@ function createWebhookManager(config) {
       const results = await Promise.all(deliveryPromises);
       for (const result of results) {
         if (!result.success) {
-          console.error(
-            `[OpenMDM] Webhook delivery failed to endpoint ${result.endpointId}:`,
-            result.error
+          log.error(
+            {
+              endpointId: result.endpointId,
+              statusCode: result.statusCode,
+              retryCount: result.retryCount,
+              err: result.error
+            },
+            "Webhook delivery failed"
           );
         }
       }
@@ -1033,12 +1093,20 @@ function createMessageQueueManager(db) {
 }
 // src/dashboard.ts
+function assertNoTenantScopeRequested(tenantId, method) {
+  if (tenantId) {
+    throw new Error(
+      `DashboardManager.${method} was called with a tenantId but the database adapter does not implement tenant-scoped dashboard queries. Implement the matching DatabaseAdapter method, or omit tenantId to accept global stats. See docs/proposals/tenant-rbac-audit.md for context.`
+    );
+  }
+}
 function createDashboardManager(db) {
   return {
     async getStats(_tenantId) {
       if (db.getDashboardStats) {
         return db.getDashboardStats(_tenantId);
       }
+      assertNoTenantScopeRequested(_tenantId, "getStats");
       const devices = await db.listDevices({
         limit: 1e4
         // Get all for counting
@@ -1096,6 +1164,7 @@ function createDashboardManager(db) {
       if (db.getDeviceStatusBreakdown) {
         return db.getDeviceStatusBreakdown(_tenantId);
       }
+      assertNoTenantScopeRequested(_tenantId, "getDeviceStatusBreakdown");
       const devices = await db.listDevices({
         limit: 1e4
       });
@@ -1128,6 +1197,7 @@ function createDashboardManager(db) {
       if (db.getEnrollmentTrend) {
         return db.getEnrollmentTrend(days, _tenantId);
       }
+      assertNoTenantScopeRequested(_tenantId, "getEnrollmentTrend");
       const now = /* @__PURE__ */ new Date();
       const startDate = new Date(now.getTime() - days * 24 * 60 * 60 * 1e3);
       const events = await db.listEvents({
@@ -1184,6 +1254,7 @@ function createDashboardManager(db) {
       if (db.getCommandSuccessRates) {
         return db.getCommandSuccessRates(_tenantId);
       }
+      assertNoTenantScopeRequested(_tenantId, "getCommandSuccessRates");
       const now = /* @__PURE__ */ new Date();
       const yesterday = new Date(now.getTime() - 24 * 60 * 60 * 1e3);
       const commands = await db.listCommands({ limit: 1e4 });
@@ -1232,6 +1303,7 @@ function createDashboardManager(db) {
       if (db.getAppInstallationSummary) {
         return db.getAppInstallationSummary(_tenantId);
       }
+      assertNoTenantScopeRequested(_tenantId, "getAppInstallationSummary");
       const apps = await db.listApplications();
       const appMap = new Map(apps.map((a) => [a.packageName, a]));
       const byStatus = {
@@ -1277,7 +1349,6 @@ function createPluginStorageAdapter(db) {
         const value = await db.getPluginValue(pluginName, key);
         return value;
       }
-      console.warn("Plugin storage not supported by database adapter");
       return null;
     },
     async set(pluginName, key, value) {
@@ -1285,20 +1356,17 @@ function createPluginStorageAdapter(db) {
         await db.setPluginValue(pluginName, key, value);
         return;
       }
-      console.warn("Plugin storage not supported by database adapter");
     },
     async delete(pluginName, key) {
       if (db.deletePluginValue) {
         await db.deletePluginValue(pluginName, key);
         return;
       }
-      console.warn("Plugin storage not supported by database adapter");
     },
     async list(pluginName, prefix) {
       if (db.listPluginKeys) {
         return db.listPluginKeys(pluginName, prefix);
       }
-      console.warn("Plugin storage not supported by database adapter");
       return [];
     },
     async clear(pluginName) {
@@ -1306,7 +1374,6 @@ function createPluginStorageAdapter(db) {
         await db.clearPluginData(pluginName);
         return;
       }
-      console.warn("Plugin storage not supported by database adapter");
     }
   };
 }
@@ -1352,6 +1419,135 @@ function parsePluginKey(key) {
   const [namespace, ...parts] = key.split(":");
   return { namespace, parts };
 }
+function importPublicKeyFromSpki(spkiBase64) {
+  let buffer;
+  try {
+    buffer = Buffer.from(spkiBase64, "base64");
+  } catch (err) {
+    throw new InvalidPublicKeyError(
+      "Public key is not valid base64",
+      err instanceof Error ? err : void 0
+    );
+  }
+  if (buffer.length === 0) {
+    throw new InvalidPublicKeyError("Public key is empty");
+  }
+  try {
+    const key = createPublicKey({
+      key: buffer,
+      format: "der",
+      type: "spki"
+    });
+    const asymmetricKeyType = key.asymmetricKeyType;
+    if (asymmetricKeyType !== "ec") {
+      throw new InvalidPublicKeyError(
+        `Expected EC key, got ${asymmetricKeyType ?? "unknown"}`
+      );
+    }
+    const curve = key.asymmetricKeyDetails?.namedCurve;
+    if (curve && curve !== "prime256v1" && curve !== "P-256") {
+      throw new InvalidPublicKeyError(
+        `Unsupported EC curve: ${curve}. Only P-256 is accepted.`
+      );
+    }
+    return key;
+  } catch (err) {
+    if (err instanceof InvalidPublicKeyError) throw err;
+    throw new InvalidPublicKeyError(
+      "Failed to parse SPKI public key",
+      err instanceof Error ? err : void 0
+    );
+  }
+}
+function verifyEcdsaSignature(publicKey, message, signatureBase64) {
+  const key = typeof publicKey === "string" ? importPublicKeyFromSpki(publicKey) : publicKey;
+  let signatureBuffer;
+  try {
+    signatureBuffer = Buffer.from(signatureBase64, "base64");
+  } catch {
+    return false;
+  }
+  if (signatureBuffer.length === 0) return false;
+  try {
+    return verify("sha256", Buffer.from(message, "utf8"), key, signatureBuffer);
+  } catch {
+    return false;
+  }
+}
+function canonicalEnrollmentMessage(parts) {
+  return [
+    parts.publicKey,
+    parts.model,
+    parts.manufacturer,
+    parts.osVersion,
+    parts.serialNumber ?? "",
+    parts.imei ?? "",
+    parts.macAddress ?? "",
+    parts.androidId ?? "",
+    parts.method,
+    parts.timestamp,
+    parts.challenge
+  ].join("|");
+}
+function canonicalDeviceRequestMessage(parts) {
+  return [parts.deviceId, parts.timestamp, parts.body, parts.nonce ?? ""].join("|");
+}
+async function verifyDeviceRequest(opts) {
+  const device = await opts.mdm.devices.get(opts.deviceId);
+  if (!device) {
+    return { ok: false, reason: "not-found" };
+  }
+  if (!device.publicKey) {
+    return { ok: false, reason: "no-pinned-key", device };
+  }
+  let verified;
+  try {
+    verified = verifyEcdsaSignature(
+      device.publicKey,
+      opts.canonicalMessage,
+      opts.signatureBase64
+    );
+  } catch (err) {
+    opts.mdm.logger.child({ component: "device-identity" }).error(
+      {
+        deviceId: opts.deviceId,
+        err: err instanceof Error ? err.message : String(err)
+      },
+      "Pinned public key failed to parse"
+    );
+    return { ok: false, reason: "signature-invalid", device };
+  }
+  if (!verified) {
+    return { ok: false, reason: "signature-invalid", device };
+  }
+  return { ok: true, device };
+}
+var InvalidPublicKeyError = class extends Error {
+  constructor(message, cause) {
+    super(message);
+    this.cause = cause;
+    this.name = "InvalidPublicKeyError";
+  }
+  code = "INVALID_PUBLIC_KEY";
+};
+var PublicKeyMismatchError = class extends Error {
+  constructor(deviceId) {
+    super(
+      `Device ${deviceId} is already enrolled with a different pinned public key`
+    );
+    this.deviceId = deviceId;
+    this.name = "PublicKeyMismatchError";
+  }
+  code = "PUBLIC_KEY_MISMATCH";
+};
+var ChallengeInvalidError = class extends Error {
+  constructor(message, challenge) {
+    super(message);
+    this.challenge = challenge;
+    this.name = "ChallengeInvalidError";
+  }
+  code = "CHALLENGE_INVALID";
+};
 // src/schema.ts
 var mdmSchema = {
@@ -2042,9 +2238,19 @@ function wantsAgentProtocolV2(headerValue) {
 // src/index.ts
 function createMDM(config) {
   const { database, push, enrollment, webhooks: webhooksConfig, plugins = [] } = config;
+  const logger = config.logger ?? createConsoleLogger();
+  const errorMessage = (err) => {
+    if (err instanceof Error) return err.message;
+    if (typeof err === "string") return err;
+    try {
+      return JSON.stringify(err);
+    } catch {
+      return String(err);
+    }
+  };
   const eventHandlers = /* @__PURE__ */ new Map();
-  const pushAdapter = push ? createPushAdapter(push, database) : createStubPushAdapter();
-  const webhookManager = webhooksConfig ? createWebhookManager(webhooksConfig) : void 0;
+  const pushAdapter = push ? createPushAdapter(push, database, logger) : createStubPushAdapter(logger);
+  const webhookManager = webhooksConfig ? createWebhookManager(webhooksConfig, logger) : void 0;
   const tenantManager = config.multiTenancy?.enabled ? createTenantManager(database) : void 0;
   const authorizationManager = config.authorization?.enabled ? createAuthorizationManager(database) : void 0;
   const auditManager = config.audit?.enabled ? createAuditManager(database) : void 0;
@@ -2078,11 +2284,14 @@ function createMDM(config) {
         payload: eventRecord.payload
       });
     } catch (error) {
-      console.error("[OpenMDM] Failed to persist event:", error);
+      logger.error({ err: errorMessage(error), event }, "Failed to persist event");
     }
     if (webhookManager) {
       webhookManager.deliver(eventRecord).catch((error) => {
-        console.error("[OpenMDM] Webhook delivery error:", error);
+        logger.error(
+          { err: errorMessage(error), event },
+          "Webhook delivery error"
+        );
       });
     }
     if (handlers) {
@@ -2090,7 +2299,10 @@ function createMDM(config) {
         try {
           await handler(eventRecord);
         } catch (error) {
-          console.error(`[OpenMDM] Event handler error for ${event}:`, error);
+          logger.error(
+            { err: errorMessage(error), event },
+            "Event handler threw"
+          );
         }
       }
     }
@@ -2098,7 +2310,7 @@ function createMDM(config) {
       try {
         await config.onEvent(eventRecord);
       } catch (error) {
-        console.error("[OpenMDM] onEvent hook error:", error);
+        logger.error({ err: errorMessage(error) }, "onEvent hook threw");
       }
     }
   };
@@ -2579,7 +2791,13 @@ function createMDM(config) {
         `Enrollment method '${request.method}' is not allowed`
       );
     }
-    if (enrollment?.deviceSecret) {
+    const isPinnedKeyPath = Boolean(request.publicKey);
+    if (!isPinnedKeyPath && enrollment?.pinnedKey?.required) {
+      throw new EnrollmentError(
+        "Pinned-key enrollment is required but the request carried no publicKey. The agent must generate a Keystore keypair and submit the SPKI public key alongside an ECDSA signature over the canonical enrollment message."
+      );
+    }
+    if (!isPinnedKeyPath && enrollment?.deviceSecret) {
       const isValid = verifyEnrollmentSignature(
         request,
         enrollment.deviceSecret
@@ -2588,6 +2806,65 @@ function createMDM(config) {
         throw new EnrollmentError("Invalid enrollment signature");
       }
     }
+    let challengeRecord = null;
+    let importedPublicKey = null;
+    if (isPinnedKeyPath) {
+      if (!request.attestationChallenge) {
+        throw new EnrollmentError(
+          "Pinned-key enrollment requires attestationChallenge. Fetch a fresh challenge from /agent/enroll/challenge first."
+        );
+      }
+      if (!database.consumeEnrollmentChallenge) {
+        throw new EnrollmentError(
+          "Pinned-key enrollment requires an adapter that implements enrollment challenge storage. Upgrade to a database adapter that supports it, or submit an HMAC-signed enrollment instead."
+        );
+      }
+      try {
+        importedPublicKey = importPublicKeyFromSpki(request.publicKey);
+      } catch (err) {
+        throw new EnrollmentError(
+          err instanceof Error ? `Invalid enrollment public key: ${err.message}` : "Invalid enrollment public key"
+        );
+      }
+      challengeRecord = await database.consumeEnrollmentChallenge(
+        request.attestationChallenge
+      );
+      if (!challengeRecord) {
+        throw new ChallengeInvalidError(
+          "Enrollment challenge is missing, expired, or already consumed",
+          request.attestationChallenge
+        );
+      }
+      if (challengeRecord.expiresAt.getTime() < Date.now()) {
+        throw new ChallengeInvalidError(
+          "Enrollment challenge has expired",
+          request.attestationChallenge
+        );
+      }
+      const canonical = canonicalEnrollmentMessage({
+        publicKey: request.publicKey,
+        model: request.model,
+        manufacturer: request.manufacturer,
+        osVersion: request.osVersion,
+        serialNumber: request.serialNumber,
+        imei: request.imei,
+        macAddress: request.macAddress,
+        androidId: request.androidId,
+        method: request.method,
+        timestamp: request.timestamp,
+        challenge: request.attestationChallenge
+      });
+      const verified = verifyEcdsaSignature(
+        importedPublicKey,
+        canonical,
+        request.signature
+      );
+      if (!verified) {
+        throw new EnrollmentError(
+          "Invalid enrollment signature (device-pinned-key path)"
+        );
+      }
+    }
     if (enrollment?.validate) {
       const isValid = await enrollment.validate(request);
       if (!isValid) {
@@ -2602,13 +2879,23 @@ function createMDM(config) {
     }
     let device = await database.findDeviceByEnrollmentId(enrollmentId);
     if (device) {
-      device = await database.updateDevice(device.id, {
+      if (isPinnedKeyPath && device.publicKey) {
+        if (device.publicKey !== request.publicKey) {
+          throw new PublicKeyMismatchError(device.id);
+        }
+      }
+      const updateInput = {
         status: "enrolled",
         model: request.model,
         manufacturer: request.manufacturer,
         osVersion: request.osVersion,
         lastSync: /* @__PURE__ */ new Date()
-      });
+      };
+      if (isPinnedKeyPath && !device.publicKey) {
+        updateInput.publicKey = request.publicKey;
+        updateInput.enrollmentMethod = "pinned-key";
+      }
+      device = await database.updateDevice(device.id, updateInput);
     } else if (enrollment?.autoEnroll) {
       device = await database.createDevice({
         enrollmentId,
@@ -2621,6 +2908,12 @@ function createMDM(config) {
         androidId: request.androidId,
         policyId: request.policyId || enrollment.defaultPolicyId
       });
+      if (isPinnedKeyPath) {
+        device = await database.updateDevice(device.id, {
+          publicKey: request.publicKey,
+          enrollmentMethod: "pinned-key"
+        });
+      }
       if (enrollment.defaultGroupId) {
         await database.addDeviceToGroup(device.id, enrollment.defaultGroupId);
       }
@@ -2635,6 +2928,12 @@ function createMDM(config) {
         macAddress: request.macAddress,
         androidId: request.androidId
       });
+      if (isPinnedKeyPath) {
+        device = await database.updateDevice(device.id, {
+          publicKey: request.publicKey,
+          enrollmentMethod: "pinned-key"
+        });
+      }
     } else {
       throw new EnrollmentError(
         "Device not registered and auto-enroll is disabled"
@@ -2775,6 +3074,7 @@ function createMDM(config) {
     push: pushAdapter,
     webhooks: webhookManager,
     db: database,
+    logger,
     config,
     on,
     emit,
@@ -2797,11 +3097,11 @@ function createMDM(config) {
       if (plugin.onInit) {
         try {
           await plugin.onInit(instance);
-          console.log(`[OpenMDM] Plugin initialized: ${plugin.name}`);
+          logger.info({ plugin: plugin.name }, "Plugin initialized");
         } catch (error) {
-          console.error(
-            `[OpenMDM] Failed to initialize plugin ${plugin.name}:`,
-            error
+          logger.error(
+            { plugin: plugin.name, err: errorMessage(error) },
+            "Failed to initialize plugin"
           );
         }
       }
@@ -2809,21 +3109,23 @@ function createMDM(config) {
   })();
   return instance;
 }
-function createPushAdapter(config, database) {
+function createPushAdapter(config, database, logger) {
   if (!config) {
-    return createStubPushAdapter();
+    return createStubPushAdapter(logger);
   }
+  const pushLogger = logger.child({ component: "push" });
   return {
     async send(deviceId, message) {
-      console.log(
-        `[OpenMDM] Push to ${deviceId}: ${message.type}`,
-        message.payload
+      pushLogger.debug(
+        { deviceId, type: message.type, payload: message.payload },
+        "send"
       );
       return { success: true, messageId: randomUUID() };
     },
     async sendBatch(deviceIds, message) {
-      console.log(
-        `[OpenMDM] Push to ${deviceIds.length} devices: ${message.type}`
+      pushLogger.debug(
+        { count: deviceIds.length, type: message.type },
+        "sendBatch"
       );
       const results = deviceIds.map((deviceId) => ({
         deviceId,
@@ -2853,15 +3155,17 @@ function createPushAdapter(config, database) {
     }
   };
 }
-function createStubPushAdapter() {
+function createStubPushAdapter(logger) {
+  const stubLogger = logger.child({ component: "push-stub" });
   return {
     async send(deviceId, message) {
-      console.log(`[OpenMDM] Push (stub): ${deviceId} <- ${message.type}`);
+      stubLogger.debug({ deviceId, type: message.type }, "send (stub)");
       return { success: true, messageId: "stub" };
     },
     async sendBatch(deviceIds, message) {
-      console.log(
-        `[OpenMDM] Push (stub): ${deviceIds.length} devices <- ${message.type}`
+      stubLogger.debug(
+        { count: deviceIds.length, type: message.type },
+        "sendBatch (stub)"
       );
       return {
         successCount: deviceIds.length,
@@ -2917,6 +3221,6 @@ function generateDeviceToken(deviceId, secret, expirationSeconds) {
   return `${header}.${payload}.${signature}`;
 }
-export { AGENT_PROTOCOL_HEADER, AGENT_PROTOCOL_V2, ApplicationNotFoundError, AuthenticationError, AuthorizationError, CommandNotFoundError, DeviceNotFoundError, EnrollmentError, GroupNotFoundError, MDMError, PolicyNotFoundError, RoleNotFoundError, TenantNotFoundError, UserNotFoundError, ValidationError, agentFail, agentOk, camelToSnake, createAuditManager, createAuthorizationManager, createDashboardManager, createMDM, createMemoryPluginStorageAdapter, createMessageQueueManager, createPluginKey, createPluginStorageAdapter, createScheduleManager, createTenantManager, createWebhookManager, getColumnNames, getPrimaryKey, getTableNames, mdmSchema, parsePluginKey, snakeToCamel, transformToCamelCase, transformToSnakeCase, verifyEnrollmentSignature, verifyWebhookSignature, wantsAgentProtocolV2 };
+export { AGENT_PROTOCOL_HEADER, AGENT_PROTOCOL_V2, ApplicationNotFoundError, AuthenticationError, AuthorizationError, ChallengeInvalidError, CommandNotFoundError, DeviceNotFoundError, EnrollmentError, GroupNotFoundError, InvalidPublicKeyError, MDMError, PolicyNotFoundError, PublicKeyMismatchError, RoleNotFoundError, TenantNotFoundError, UserNotFoundError, ValidationError, agentFail, agentOk, camelToSnake, canonicalDeviceRequestMessage, canonicalEnrollmentMessage, createAuditManager, createAuthorizationManager, createConsoleLogger, createDashboardManager, createMDM, createMemoryPluginStorageAdapter, createMessageQueueManager, createPluginKey, createPluginStorageAdapter, createScheduleManager, createSilentLogger, createTenantManager, createWebhookManager, getColumnNames, getPrimaryKey, getTableNames, importPublicKeyFromSpki, mdmSchema, parsePluginKey, snakeToCamel, transformToCamelCase, transformToSnakeCase, verifyDeviceRequest, verifyEcdsaSignature, verifyEnrollmentSignature, verifyWebhookSignature, wantsAgentProtocolV2 };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map