Prefetch with authentication, for example Azure DevOps

Is it possible to authenticate the BigFix server somehow when prefetching assets?

The use case would be scripts etc. in private source-code repositories, which require authentication, for example Azure DevOps or GitHub.

One idea might be the execute prefetch plug-in, an external that authenticates the BigFix server to the repo and allows all subsequent downloads from that IP for some time.

A workaround might be to clone repositories to an on-prem server which allows unauthenticated downloads from the BigFix server but is not otherwise public.

A different approach might be GitHub actions or Azure DevOps pipelines which push files to the BigFix server and create fixlets via the API, a whole other level of automation.

Does anyone have any experience fetching from private repos in the cloud with BigFix?

There is an idea in for what you are after, and even further (Git-based sites), so that any change to a fixlet is automatically tracked as a commit, giving the ability to revert changes, version control, etc.: https://bigfix-ideas.hcltechsw.com/ideas/BFPTCH-I-142. It's not committed to yet, but hopefully it will be soon. You are welcome to vote.


I'm not sure there's a good approach using a prefetch plug-in; that would execute on each individual endpoint, so if that's performing authentication then you'd have to distribute credentials to all the clients.

I think a better approach would be a Download Plug-In, like the SWDDownloadPlugin or RHSMPlugin; these execute on the server and are used for things like authenticating to Red Hat or IBM or Oracle.

I don’t know whether we have public docs on writing download plug-ins but it’s worth a search.

How would you want the download to behave / interact with git? Would you expect it to always download the latest version of a file dynamically, or would it download specific tag versions? Would it download only the file, or would it clone the whole repo?


Ah, thanks for clearing that up, I thought the plug-in was executed on the server as part of prefetching.

As for behaviour, I firstly want to solve the access to a repo that requires authentication, as the code is not public. I typically write prefetch statements targeting specific commits or tags, including checksums, so no change there. At present the only way to allow the BigFix server but keep the world out is by filtering on IP, which works on-prem but not with external services like GitHub.

@JasonWalker is this article relevant? Introduction to BigFix Download Plugins (Technical)


Yes, that’s a good starting point

Would a download plug-in that uses a GitHub Personal Access Token work for you? My own GitHub account has 2-factor auth turned on, which would make testing a username/password plugin difficult for me, and I think all GitHub accounts are switching to 2-Factor soon.

Last night I made some progress on a download plug-in script that’s working with my GitHub token. When I open up my repo, understand that this is not officially supported, and our Support team won’t know anything about it if you call them, but if you’re already rolling your own CI/CD tools it may be a useful reference on how to make it work with BigFix.

Edit: also, I haven't set up Azure DevOps for myself yet. I'd assume it could work with a service token, but it would possibly be a different HTTP header to send.

Yes, Azure DevOps supports PATs; it also supports SSH keys & Authorized Apps (including the help links).


Yes. I'm using the fine-grained Personal Access Tokens in scripts today to download customised PsAppDeploy scripts on clients which don't have an endpoint management system like BigFix that can transfer files.

We could create a token specifically for the BigFix server, and renew it as needed. If the BigFix server needed access to different organisations in GitHub, the plug-in would need to be able to select a particular PAT for a given org or repo, but that would be a nice-to-have. Maybe the server should have its own GitHub account :wink:

First off, for anyone reading this thread in the future, custom Download Plug-Ins are not for the faint of heart. If you're going to use custom Download Plug-Ins, you may expect to have to read some source code and perform some troubleshooting. Custom Plug-Ins are not supported by the BigFix Support team, and they won't be able to answer questions on how to write or use them.

That said, 'tis the season for giving, and in my spare time I've written a Download Plug-In that I think might be useful in this case, either as-is or as a useful starting point toward writing your own. As this is not an officially supported tool, I'm hosting it in my personal GitHub at https://github.com/Jwalker107/BESTokenAuthDownloadPlugin

As with anything you find on GitHub, please do review & understand the code before you consider using it.

The repo contains a README.md that I hope is sufficient to explain how to build, install, configure, and use the plug-in. If you have suggestions for fixes or improvements either contact me here, or send me a Pull Request for your changes. This is still a spare-time project for me so please do have some patience if it takes me some time to incorporate changes, and if anyone wants to spend more time on it actively feel free to fork the project.

At this point the plug-in does allow for storing multiple tokens and selecting which token to use based on regular-expression matching URL patterns in the config.json file. I’ve tested on Windows with the fine-grained Personal Access Tokens from github.com that @sryn describes above. At this point I’ve not tested with Azure DevOps, or with compiling the Python script to run on RHEL root servers.

In any case, I hope this is helpful and welcome any feedback you can give.

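As an added illustration of the mechanics discussed in this thread (token selection by URL pattern, the different Authorization headers GitHub and Azure DevOps expect, and checking the downloaded bytes against the hashes in a prefetch statement), here is a small Python sketch. It is not code from the BESTokenAuthDownloadPlugin repository or from any poster above. The config layout and field names (`tokens`, `url_pattern`, `type`, `token`), the function names, the example organisations, repositories, URLs and token values, and the `fake_fetch` stand-in for the real HTTP call are all assumptions made for this example; the header formats are the ones GitHub (Bearer token) and Azure DevOps (Basic auth with an empty user name and the PAT as password) document for PATs.

```python
"""Added example (not the plug-in's own code): pick a PAT by URL pattern, build the
right Authorization header, and verify the download against a BigFix prefetch line."""
import base64
import hashlib
import json
import re

# Constructed config in the spirit of a config.json (assumed layout, not the plug-in's
# real schema). Patterns are anchored with ^ and checked in order: first match wins.
CONFIG_JSON = r"""
{
  "tokens": [
    {"url_pattern": "^https://api\\.github\\.com/repos/ExampleOrg/",
     "type": "github", "token": "github_pat_EXAMPLE"},
    {"url_pattern": "^https://dev\\.azure\\.com/exampleorg/",
     "type": "azure_devops", "token": "ado_pat_EXAMPLE"}
  ]
}
"""
CONFIG = json.loads(CONFIG_JSON)

# Hypothetical URLs for a file pinned to a tag (GitHub contents API; Azure DevOps items API).
GITHUB_URL = ("https://api.github.com/repos/ExampleOrg/deploy-scripts/contents/"
              "Deploy-Application.ps1?ref=v1.2.0")
ADO_URL = ("https://dev.azure.com/exampleorg/Endpoint/_apis/git/repositories/deploy-scripts/"
           "items?path=/Deploy-Application.ps1&versionDescriptor.version=v1.2.0"
           "&versionDescriptor.versionType=tag&api-version=7.0")

# Constructed file content standing in for the script the repo would serve.
SAMPLE_CONTENT = b"Write-Host 'Deploy-Application.ps1 placeholder'\r\n"


def select_token(config, url):
    """Return the first token entry whose url_pattern matches, else None.
    Because every pattern is anchored at the start of the URL, a hostile URL that merely
    *contains* an allowed prefix (e.g. in its query string) never receives a credential."""
    for entry in config["tokens"]:
        if re.search(entry["url_pattern"], url):
            return entry
    return None


def auth_headers(entry):
    """Build the Authorization header for the token type."""
    if entry["type"] == "github":
        return {"Authorization": "Bearer " + entry["token"],
                "Accept": "application/vnd.github.raw+json",
                "X-GitHub-Api-Version": "2022-11-28"}
    if entry["type"] == "azure_devops":
        # Azure DevOps PATs go in HTTP Basic auth: base64(":" + PAT), empty user name.
        basic = base64.b64encode((":" + entry["token"]).encode("ascii")).decode("ascii")
        return {"Authorization": "Basic " + basic}
    raise ValueError("unknown token type: " + entry["type"])


# BigFix prefetch syntax: prefetch <name> sha1:<hex40> size:<bytes> <url> [sha256:<hex64>]
PREFETCH_RE = re.compile(
    r"^prefetch\s+(?P<name>\S+)\s+sha1:(?P<sha1>[0-9a-fA-F]{40})\s+size:(?P<size>\d+)"
    r"\s+(?P<url>\S+)(?:\s+sha256:(?P<sha256>[0-9a-fA-F]{64}))?\s*$")


def parse_prefetch(line):
    m = PREFETCH_RE.match(line.strip())
    if not m:
        raise ValueError("not a prefetch statement: " + line)
    spec = m.groupdict()
    spec["size"] = int(spec["size"])
    return spec


def prefetch_line_for(name, url, data):
    """Helper for the demo: the prefetch line an operator would write for known bytes."""
    return "prefetch %s sha1:%s size:%d %s sha256:%s" % (
        name, hashlib.sha1(data).hexdigest(), len(data), url, hashlib.sha256(data).hexdigest())


def download_and_verify(prefetch_line, config, fetch):
    """fetch(url, headers) -> bytes is the real HTTP call in a plug-in; injected here so the
    example runs offline. Size and both hashes must match before the file is accepted."""
    spec = parse_prefetch(prefetch_line)
    entry = select_token(config, spec["url"])
    headers = auth_headers(entry) if entry else {}   # no match: send no credential at all
    data = fetch(spec["url"], headers)
    if len(data) != spec["size"]:
        raise ValueError("size mismatch for " + spec["name"])
    if hashlib.sha1(data).hexdigest() != spec["sha1"].lower():
        raise ValueError("sha1 mismatch for " + spec["name"])
    if spec["sha256"] and hashlib.sha256(data).hexdigest() != spec["sha256"].lower():
        raise ValueError("sha256 mismatch for " + spec["name"])
    return data


def demo():
    """Run both repos through a fake fetcher; returns the headers that would have been sent."""
    sent = {}

    def fake_fetch(url, headers):            # constructed stand-in for the HTTP request
        sent[url] = dict(headers)
        if "Authorization" not in headers:   # a private repo answers 401/404 without a token
            raise PermissionError("private repo requires a token: " + url)
        return SAMPLE_CONTENT

    for url in (GITHUB_URL, ADO_URL):
        download_and_verify(prefetch_line_for("Deploy-Application.ps1", url, SAMPLE_CONTENT),
                            CONFIG, fake_fetch)
    return sent


if __name__ == "__main__":
    for url, headers in demo().items():
        print(url.split("/")[2], "->", headers["Authorization"].split(" ")[0])
```

The two checks a practitioner should take from this: the token lookup is anchored so a look-alike URL gets no credential (the server's PAT must never be sent to an unexpected host), and the hashes in the prefetch statement are still the thing that decides whether the file is used, so pinning a tag in the URL and the checksum in the fixlet remains the integrity control even after authentication is solved.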