Website: don't require an API key on Microsoft compliance proxy requests#49434
Website: don't require an API key on Microsoft compliance proxy requests#49434lucasmrod wants to merge 1 commit into
Conversation
Entra conditional access is becoming available to self-hosted Fleet Premium instances, which don't have the shared MS-API-KEY that cloud-managed customers use. Make the microsoft-proxy endpoints reachable without that key by removing the is-cloud-customer policy gate. Related to #47699 (auth replacement tracked in #47702).
There was a problem hiding this comment.
Pull request overview
Updates the Fleet website (Sails) policy configuration for the Microsoft compliance proxy so self-hosted Fleet Premium instances can use the proxy endpoints without requiring the shared MS-API-KEY header, and removes now-unused shared-secret configuration comments/policy.
Changes:
- Removes the
is-cloud-customerpolicy gate frommicrosoft-proxy/*routes. - Deletes the
is-cloud-customerpolicy implementation and removes unused shared-secret config comments. - Keeps the Microsoft compliance proxy endpoints reachable without a website session.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| website/config/policies.js | Makes microsoft-proxy/* requests bypass the default is-logged-in policy. |
| website/config/custom.js | Removes obsolete commented config entries for shared secrets. |
| website/api/policies/is-cloud-customer.js | Deletes the no-longer-used policy that validated MS-API-KEY. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| 'admin/*': 'is-super-admin', | ||
| 'query-generator/*': 'has-query-generator-access', | ||
| 'microsoft-proxy/*': 'is-cloud-customer', | ||
| 'microsoft-proxy/*': true, |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
💤 Files with no reviewable changes (2)
WalkthroughThe Microsoft proxy route policy is changed from Possibly related issues
Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Related issue: Resolves #47699
Testing
What & why
Entra conditional access is becoming available to self-hosted Fleet Premium instances, which don't have the shared
MS-API-KEYthat cloud-managed customers use. This makes themicrosoft-proxy/*endpoints reachable without that key by dropping theis-cloud-customerpolicy gate (and the now-unused shared-secret config comments / policy file).A replacement auth mechanism for the proxy is tracked separately in #47702.
Summary by CodeRabbit