api: allow nil command for push-only mode; comment and text fixes

Author: jessepeterson

api/api.go

@@ -69,7 +69,7 @@ func (pe *PushEnqueuer) Push(ctx context.Context, ids []string) (*APIResult, int
 // contained within the API result.
 // A 500 value indicates only errors (with no successes).
 // A 207 value indicates some sucesses and some failures.
-// A 200 value indicates no errors (with only accesses).
+// A 200 value indicates no errors (with only successes).
 // Any other value is undefined.
 func (pe *PushEnqueuer) EnqueueWithPush(ctx context.Context, command *mdm.Command, ids []string, noPush bool) (*APIResult, int, error) {
 	// setup our result accumulator
@@ -130,9 +130,12 @@ func code(r *APIResult, idCount int) int {
 // RawCommandEnqueueWithPush enqueues rawCommand and can send APNs pushes to ids.
 // See [EnqueueWithPush] for calling semantics.
 func (pe *PushEnqueuer) RawCommandEnqueueWithPush(ctx context.Context, rawCommand []byte, ids []string, noPush bool) (*APIResult, int, error) {
-	command, err := mdm.DecodeCommand(rawCommand)
-	if err != nil {
-		return nil, 500, fmt.Errorf("decoding command: %w", err)
+	var command *mdm.Command
+	if len(rawCommand) > 0 {
+		var err error
+		if command, err = mdm.DecodeCommand(rawCommand); err != nil {
+			return nil, 500, fmt.Errorf("decoding command: %w", err)
+		}
 	}
 	return pe.EnqueueWithPush(ctx, command, ids, noPush)
 }

cmd/nanomdm/main.go

@@ -69,7 +69,7 @@ func main() {
 		flDump       = flag.Bool("dump", false, "dump MDM requests and responses to stdout")
 		flDisableMDM = flag.Bool("disable-mdm", false, "disable MDM HTTP endpoint")
 		flCheckin    = flag.Bool("checkin", false, "enable separate HTTP endpoint for MDM check-ins")
-		flMigration  = flag.Bool("migration", false, "HTTP endpoint for enrollment migrations")
+		flMigration  = flag.Bool("migration", false, "enable HTTP endpoint for enrollment migrations")
 		flRetro      = flag.Bool("retro", false, "Allow retroactive certificate-authorization association")
 		flDMURLPfx   = flag.String("dm", "", "URL to send Declarative Management requests to")
 		flAuthProxy  = flag.String("auth-proxy-url", "", "Reverse proxy URL target for MDM-authenticated HTTP requests")

docs/operations-guide.md

@@ -172,7 +172,7 @@ Note that the URL should likely have a trailing slash. Otherwise path elements o
 
 ### -migration
 
-* HTTP endpoint for enrollment migrations
+* enable HTTP endpoint for enrollment migrations
 
 NanoMDM supports a lossy form of MDM enrollment "migration." Essentially if a source MDM server can assemble enough of both Authenticate and TokenUpdate messages for an enrollment you can "migrate" enrollments by sending those Plist requests to the migration endpoint. Importantly this transfers the needed Push topic, token, and push magic to continue to send APNs push notifications to enrollments.