Merge branch 'main' into rah/cel-rules-4

russellhancox · russellhancox · commit fd2ebf470ceb · 2025-06-20T16:56:29.000-04:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -40,8 +40,16 @@ jobs:
           bazelisk-cache: true
           disk-cache: ${{ matrix.os }}
           repository-cache: true
+      - name: Setup Xcode
+        uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # ratchet:maxim-lobanov/setup-xcode@v1
+        with:
+          xcode-version: latest-stable
       - name: Build Userspace
-        run: bazel build --apple_generate_dsym -c opt :release --define=SANTA_BUILD_TYPE=adhoc
+        if: matrix.os != 'macos-13'
+        run: bazel build --verbose_failures --sandbox_debug --apple_generate_dsym -c opt :release --define=SANTA_BUILD_TYPE=adhoc
+      - name: Build Userspace 13
+        if: matrix.os == 'macos-13'
+        run: bazel build --verbose_failures --sandbox_debug --apple_generate_dsym -c opt :release --define=SANTA_BUILD_TYPE=adhoc --define=SANTA_XCODE_VERSION=missing_xcode_16
   check_localization:
     runs-on: macos-latest
     steps:
@@ -71,4 +79,4 @@ jobs:
           disk-cache: ${{ matrix.os }}
           repository-cache: true
       - name: Run All Tests
-        run: bazel test :unit_tests --define=SANTA_BUILD_TYPE=adhoc --test_output=errors
+        run: bazel test :unit_tests --verbose_failures --sandbox_debug --define=SANTA_BUILD_TYPE=adhoc --test_output=errors
diff --git a/BUILD b/BUILD
@@ -61,6 +61,12 @@ config_setting(
     values = {"compilation_mode": "opt"},
 )
 
+config_setting(
+    name = "missing_xcode_16",
+    values = {"define": "SANTA_XCODE_VERSION=missing_xcode_16"},
+    visibility = [":santa_package_group"],
+)
+
 package_group(
     name = "santa_package_group",
     packages = ["//..."],
diff --git a/MODULE.bazel b/MODULE.bazel
@@ -2,8 +2,8 @@ module(name = "santa")
 
 bazel_dep(name = "abseil-cpp", version = "20250127.1")
 bazel_dep(name = "apple_support", version = "1.22.0")
-bazel_dep(name = "googletest", version = "1.16.0")
-bazel_dep(name = "protobuf", version = "30.2")
+bazel_dep(name = "googletest", version = "1.17.0")
+bazel_dep(name = "protobuf", version = "31.1")
 bazel_dep(name = "rules_apple", version = "3.21.0")
 bazel_dep(name = "rules_cc", version = "0.1.1")
 bazel_dep(name = "rules_fuzzing", version = "0.5.2")
@@ -15,10 +15,18 @@ bazel_dep(name = "xxhash", version = "0.8.2")
 bazel_dep(name = "protos", version = "1.0.1", repo_name = "northpolesec_protos")
 git_override(
     module_name = "protos",
-    commit = "547a10d6b2e0502af11d54368a74c3b128715223",
+    commit = "704246489aa55e6e2b60b47133a8668bc3656105",
     remote = "https://github.com/northpolesec/protos",
 )
 
+# North Pole Rednose
+bazel_dep(name = "rednose", version = "1.0.0", repo_name = "northpolesec_rednose")
+git_override(
+    module_name = "rednose",
+    commit = "e5dbe6eb8ee55b306e953959ce85f672adce4aff",
+    remote = "https://github.com/northpolesec/rednose",
+)
+
 # cel-cpp
 # The 0.11.0 release has a bug in it that was fixed a few weeks later but hasn't
 # been released yet.
diff --git a/Source/common/SNTConfigurator.h b/Source/common/SNTConfigurator.h
@@ -496,6 +496,11 @@
 ///
 @property(nullable, readonly, nonatomic) NSString *machineOwner;
 
+///
+///  The machine owner's groups.
+///
+@property(nullable, readonly, nonatomic) NSArray<NSString *> *machineOwnerGroups;
+
 ///
 ///  The last date of a successful full sync.
 ///
diff --git a/Source/common/SNTConfigurator.m b/Source/common/SNTConfigurator.m
@@ -95,9 +95,11 @@ @implementation SNTConfigurator
 static NSString *const kStatsOrganizationID = @"StatsOrganizationID";
 
 static NSString *const kMachineOwnerKey = @"MachineOwner";
+static NSString *const kMachineOwnerGroupsKey = @"MachineOwnerGroups";
 static NSString *const kMachineIDKey = @"MachineID";
 static NSString *const kMachineOwnerPlistFileKey = @"MachineOwnerPlist";
 static NSString *const kMachineOwnerPlistKeyKey = @"MachineOwnerKey";
+static NSString *const kMachineOwnerGroupsPlistKeyKey = @"MachineOwnerGroupsKey";
 static NSString *const kMachineIDPlistFileKey = @"MachineIDPlist";
 static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
 
@@ -284,9 +286,11 @@ - (instancetype)initWithSyncStateFile:(NSString *)syncStateFilePath
       kEnableStatsCollectionKey : number,
       kStatsOrganizationID : string,
       kMachineOwnerKey : string,
+      kMachineOwnerGroupsKey : array,
       kMachineIDKey : string,
       kMachineOwnerPlistFileKey : string,
       kMachineOwnerPlistKeyKey : string,
+      kMachineOwnerGroupsPlistKeyKey : string,
       kMachineIDPlistFileKey : string,
       kMachineIDPlistKeyKey : string,
       kEventLogType : string,
@@ -542,6 +546,10 @@ + (NSSet *)keyPathsForValuesAffectingMachineOwner {
   return [self configStateSet];
 }
 
++ (NSSet *)keyPathsForValuesAffectingMachineOwnerGroups {
+  return [self configStateSet];
+}
+
 + (NSSet *)keyPathsForValuesAffectingMachineID {
   return [self configStateSet];
 }
@@ -1031,14 +1039,34 @@ - (NSString *)machineOwner {
 
   NSString *plistPath = self.configState[kMachineOwnerPlistFileKey];
   NSString *plistKey = self.configState[kMachineOwnerPlistKeyKey];
-  if (plistPath && plistKey) {
+  if (plistPath.length && plistKey.length) {
     NSDictionary *plist = [NSDictionary dictionaryWithContentsOfFile:plistPath];
     machineOwner = [plist[plistKey] isKindOfClass:[NSString class]] ? plist[plistKey] : nil;
   }
 
   return machineOwner ?: @"";
 }
 
+- (NSArray<NSString *> *)machineOwnerGroups {
+  NSArray<NSString *> *machineOwnerGroups = self.configState[kMachineOwnerGroupsKey];
+  if (machineOwnerGroups.count) return machineOwnerGroups;
+
+  NSString *plistPath = self.configState[kMachineOwnerPlistFileKey];
+  NSString *plistKey = self.configState[kMachineOwnerGroupsPlistKeyKey];
+  if (plistPath.length && plistKey.length) {
+    NSDictionary *plist = [NSDictionary dictionaryWithContentsOfFile:plistPath];
+    machineOwnerGroups = [plist[plistKey] isKindOfClass:[NSArray class]] ? plist[plistKey] : nil;
+    for (NSString *group in machineOwnerGroups) {
+      if (![group isKindOfClass:[NSString class]]) {
+        machineOwnerGroups = nil;
+        break;
+      }
+    }
+  }
+
+  return machineOwnerGroups;
+}
+
 - (NSString *)machineID {
   NSString *machineId = self.configState[kMachineIDKey];
   if (machineId) return machineId;
diff --git a/Source/common/SNTXPCSyncServiceInterface.h b/Source/common/SNTXPCSyncServiceInterface.h
@@ -32,6 +32,7 @@
                               reply:(void (^)(SNTBundleEventAction))reply;
 - (void)pushNotificationStatus:(void (^)(SNTPushNotificationStatus))reply;
 - (void)exportTelemetryFile:(NSFileHandle *)fd
+                   fileName:(NSString *)fileName
                      config:(SNTExportConfiguration *)config
                       reply:(void (^)(BOOL))reply;
 
diff --git a/Source/santad/BUILD b/Source/santad/BUILD
@@ -799,6 +799,7 @@ objc_library(
         "//Source/common:SNTExportConfiguration",
         "//Source/common:SNTLogging",
         "//Source/common:SNTStoredEvent",
+        "//Source/common:SNTSystemInfo",
         "//Source/common:TelemetryEventMap",
         "//Source/common:Timer",
         "@abseil-cpp//absl/container:flat_hash_map",
diff --git a/Source/santad/Logs/EndpointSecurity/Logger.mm b/Source/santad/Logs/EndpointSecurity/Logger.mm
@@ -24,6 +24,7 @@
 #import "Source/common/SNTExportConfiguration.h"
 #include "Source/common/SNTLogging.h"
 #include "Source/common/SNTStoredEvent.h"
+#include "Source/common/SNTSystemInfo.h"
 #include "Source/common/TelemetryEventMap.h"
 #include "Source/santad/Logs/EndpointSecurity/Serializers/BasicString.h"
 #include "Source/santad/Logs/EndpointSecurity/Serializers/Empty.h"
@@ -169,8 +170,12 @@
     // in case the export times out.
     tracker_.Track(*file_to_export);
 
+    NSString *fileName = [NSString
+        stringWithFormat:@"%@-%@", [SNTSystemInfo bootSessionUUID], [path lastPathComponent]];
+
     dispatch_group_enter(group);
     [syncd_queue_ exportTelemetryFile:handle
+                             fileName:fileName
                                config:export_config
                     completionHandler:^(BOOL success) {
                       [handle closeFile];
diff --git a/Source/santad/SNTSyncdQueue.h b/Source/santad/SNTSyncdQueue.h
@@ -28,6 +28,7 @@
 - (void)addEvents:(NSArray<SNTStoredEvent *> *)events isFromBundle:(BOOL)isFromBundle;
 - (void)addBundleEvent:(SNTStoredEvent *)event reply:(void (^)(SNTBundleEventAction))reply;
 - (void)exportTelemetryFile:(NSFileHandle *)telemetryFile
+                   fileName:(NSString *)fileName
                      config:(SNTExportConfiguration *)config
           completionHandler:(void (^)(BOOL))completionHandler;
 
diff --git a/Source/santad/SNTSyncdQueue.mm b/Source/santad/SNTSyncdQueue.mm
@@ -189,11 +189,13 @@ - (void)dispatchBlockOnSyncdQueue:(void (^)(void))block {
 }
 
 - (void)exportTelemetryFile:(NSFileHandle *)telemetryFile
+                   fileName:(NSString *)fileName
                      config:(SNTExportConfiguration *)config
           completionHandler:(void (^)(BOOL))completionHandler {
   [self dispatchBlockOnSyncdQueue:^{
     if (self.syncConnection.isConnected) {
       [self.syncConnection.remoteObjectProxy exportTelemetryFile:telemetryFile
+                                                        fileName:fileName
                                                           config:config
                                                            reply:completionHandler];
     } else {
diff --git a/Source/santasyncservice/BUILD b/Source/santasyncservice/BUILD
@@ -221,6 +221,10 @@ objc_library(
         "SNTSyncService.mm",
         "main.m",
     ],
+    defines = select({
+        "//:missing_xcode_16": ["MISSING_XCODE_16"],
+        "//conditions:default": [],
+    }),
     deps = [
         ":broadcaster_lib",
         ":sync_lib",
@@ -232,7 +236,10 @@ objc_library(
         "//Source/common:SNTStrengthify",
         "//Source/common:SNTXPCControlInterface",
         "//Source/common:SNTXPCSyncServiceInterface",
-    ],
+    ] + select({
+        "//:missing_xcode_16": [],
+        "//conditions:default": ["@northpolesec_rednose//rednose:export_bridge"],
+    }),
 )
 
 macos_command_line_application(
diff --git a/Source/santasyncservice/SNTSyncManager.m b/Source/santasyncservice/SNTSyncManager.m
@@ -398,6 +398,7 @@ - (SNTSyncState *)createSyncStateWithStatus:(SNTSyncStatusType *)status {
     syncState.machineOwner = @"";
     SLOGW(@"Missing Machine Owner.");
   }
+  syncState.machineOwnerGroups = config.machineOwnerGroups;
 
   syncState.xsrfToken = self.xsrfToken;
   syncState.xsrfTokenHeader = self.xsrfTokenHeader;
diff --git a/Source/santasyncservice/SNTSyncPreflight.mm b/Source/santasyncservice/SNTSyncPreflight.mm
@@ -92,6 +92,12 @@ - (BOOL)sync {
   req->set_model_identifier(NSStringToUTF8String([SNTSystemInfo modelIdentifier]));
   req->set_santa_version(NSStringToUTF8String([SNTSystemInfo santaFullVersion]));
   req->set_primary_user(NSStringToUTF8String(self.syncState.machineOwner));
+  if (self.syncState.machineOwnerGroups.count) {
+    google::protobuf::RepeatedPtrField<std::string> *groups = req->mutable_primary_user_groups();
+    for (NSString *group in self.syncState.machineOwnerGroups) {
+      groups->Add(NSStringToUTF8String(group));
+    }
+  }
   req->set_sip_status([SNTSIPStatus currentStatus]);
 
   if (self.syncState.pushNotificationsToken) {
diff --git a/Source/santasyncservice/SNTSyncService.mm b/Source/santasyncservice/SNTSyncService.mm
@@ -25,6 +25,9 @@
 #import "Source/santasyncservice/SNTPolaris.h"
 #import "Source/santasyncservice/SNTSyncBroadcaster.h"
 #import "Source/santasyncservice/SNTSyncManager.h"
+#ifndef MISSING_XCODE_16
+#include "rednose/src/export/bridge.rs.h"
+#endif
 
 @interface SNTSyncService ()
 @property(nonatomic, readonly) SNTSyncManager *syncManager;
@@ -99,11 +102,33 @@ - (void)pushNotificationStatus:(void (^)(SNTPushNotificationStatus))reply {
 }
 
 - (void)exportTelemetryFile:(NSFileHandle *)fd
+                   fileName:(NSString *)fileName
                      config:(SNTExportConfiguration *)config
                       reply:(void (^)(BOOL))reply {
-  // Note: For now, reply false so that spool files are not removed
-  LOGD(@"SNTSyncService: exportTelemetryFile:reply: - Got fd: %@, export cfg: %@", fd, config);
+#if MISSING_XCODE_16
   reply(NO);
+  return;
+#else
+  BOOL success = NO;
+  if (config.configType == SNTExportConfigurationTypeAWS &&
+      [config.config isKindOfClass:[SNTExportConfigurationAWS class]]) {
+    SNTExportConfigurationAWS *aws = (SNTExportConfigurationAWS *)config.config;
+    rednose::ExportStatus status = rednose::export_file_aws(
+        fd.fileDescriptor, aws.accessKey.UTF8String, aws.secretAccessKey.UTF8String,
+        aws.sessionToken.UTF8String, aws.bucketName.UTF8String, aws.objectKeyPrefix.UTF8String,
+        fileName.UTF8String);
+
+    if (status.code == rednose::ExportCode::Success) {
+      success = YES;
+      LOGD(@"Successfully exported telemetry file: %@", fileName);
+    } else {
+      LOGE(@"Failed to export file: %@, status: %d: error: %s", fileName,
+           static_cast<uint8_t>(status.code), status.error.c_str());
+    }
+  }
+
+  reply(success);
+#endif
 }
 
 - (void)syncWithLogListener:(NSXPCListenerEndpoint *)logListener
diff --git a/Source/santasyncservice/SNTSyncState.h b/Source/santasyncservice/SNTSyncState.h
@@ -58,6 +58,7 @@
 /// Machine identifier and owner.
 @property(copy) NSString *machineID;
 @property(copy) NSString *machineOwner;
+@property(copy) NSArray<NSString *> *machineOwnerGroups;
 
 /// Settings sent from server during preflight that are set during postflight.
 @property SNTClientMode clientMode;
