
NM-304: MDM posture check integration #4064

Open

abhishek9686 wants to merge 13 commits into develop from NM-304


Conversation

@abhishek9686
Member

Describe your changes

Provide Issue ticket number if applicable/not in title

Provide testing steps

Checklist before requesting a review

  • My changes affect only 10 files or less.
  • I have performed a self-review of my code and tested it.
  • If it is a new feature, I have added thorough tests, my code is <= 1450 lines.
  • If it is a bugfix, my code is <= 200 lines.
  • My functions are <= 80 lines.
  • I have had my code reviewed by a peer.
  • My unit tests pass locally.
  • Netmaker is awesome.

@tenki-reviewer
tenki-reviewer Bot commented Jun 18, 2026
Contributor

Review Complete

Files Reviewed: 43
Findings: 10

By Severity:

  • 🟠 High: 2
  • 🟡 Medium: 8

PR introduces MDM integration providers (Intune, Jamf, JumpCloud, Iru), SIEM refactoring, and device posture checks. 12 findings identified including 3 high-severity issues: stale compliance state never cleared, host update path wipes MDM identifiers, and wrong provider snapshot used for posture evaluation.

Files Reviewed (43 files)
controllers/hosts.go
controllers/server.go
logic/hosts.go
models/host.go
models/posture_status.go
models/structs.go
mq/handlers.go
pro/controllers/integrations.go
pro/controllers/posture_check.go
pro/initialize.go
pro/integration/mdm/active.go
pro/integration/mdm/config.go
pro/integration/mdm/errors.go
pro/integration/mdm/intune/intune.go
pro/integration/mdm/intune/intune_test.go
pro/integration/mdm/intune/lookup.go
pro/integration/mdm/iru/compliance.go
pro/integration/mdm/iru/compliance_test.go
pro/integration/mdm/iru/iru.go
pro/integration/mdm/jamf/compliance.go
pro/integration/mdm/jamf/compliance_test.go
pro/integration/mdm/jamf/jamf.go
pro/integration/mdm/jumpcloud/compliance.go
pro/integration/mdm/jumpcloud/compliance_test.go
pro/integration/mdm/jumpcloud/jumpcloud.go
pro/integration/mdm/lookup.go
pro/integration/mdm/registry.go
pro/integration/mdm/sync.go
pro/integration/mdm/sync_test.go
pro/integration/mdm_provider.go
pro/integration/providers.go
pro/integration/siem/client.go
pro/integration/siem/datadog.go
pro/integration/siem/elastic.go
pro/integration/siem/sentinel.go
pro/integration/siem/splunk.go
pro/logic/posture_check.go
pro/logic/posture_check_mdm_test.go
schema/event.go
schema/hosts.go
schema/mdm_device_state.go
schema/models.go
schema/posture_check.go

@tenki-reviewer tenki-reviewer Bot left a comment

Contributor

Risk: 🟠 High (78/100) — 2 high findings, 8 medium · 3735 LOC across 43 files


High-Severity Issues

  • Stale compliance state (sync.go) — The sync() function updates compliance status for matched devices but never clears it for devices no longer found at the provider, leaving hosts with stale compliance data indefinitely. HardwareUUID is also unused in the serial-number matching path.
  • Host update wipes MDM identifiers (logic/hosts.go:148) — The UpdateHost handler unconditionally overwrites DeviceID and PlatformInfo, destroying the MDM-to-host link on every unrelated host update.
  • Wrong provider snapshot (posture_check.go:356) — MDM state fallback logic can silently select a different provider's snapshot, causing posture evaluations to use incorrect compliance data.

Medium-Severity Issues

  • TOCTOU race in sync rate-limiting (sync.go:40) — The rate-limit check is non-atomic, allowing concurrent sync operations to bypass the limiter.
  • Jamf error handling (jamf.go:147,179) — HTTP status codes are checked after JSON decoding, making it impossible to distinguish network errors from legitimate error responses.
  • Intune backup lookup (lookup.go:71) — The backup path hardcodes Enrolled=true without verifying actual enrollment fields, producing false-positive device matches.
  • Authorization missing on posture endpoint (controllers/hosts.go:73) — The /api/hosts/{hostid}/posture UI endpoint lacks host-level access control.
  • Error body leaks (iru.go:170, jumpcloud.go:263) — MDM provider Test endpoints leak raw upstream API error bodies to authenticated callers.
  • Orphaned MDM rows (logic/hosts.go:362) — Deleting a host does not cascade-delete associated MDM device state rows.
  • MDM list returns 500 for not-found (integrations.go:396) — Single-record lookups return HTTP 500 instead of 404 when no device state exists.

Review comment threads

  • pro/integration/mdm/sync.go
  • pro/integration/mdm/sync.go (outdated)
  • pro/integration/mdm/jamf/jamf.go (outdated)
  • pro/integration/mdm/jamf/jamf.go (outdated)
  • pro/integration/mdm/intune/lookup.go
  • controllers/hosts.go
  • pro/controllers/integrations.go
  • pro/logic/posture_check.go
  • pro/integration/mdm/iru/iru.go (outdated)
  • pro/integration/mdm/jumpcloud/jumpcloud.go (outdated)
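The stale-compliance and wrong-provider-snapshot findings in the review above describe two sides of one reconciliation problem: a sync that only writes state for devices it finds, and a lookup that can fall back to another provider's data. The following is an added example written for this page; it is not code from the PR or from Netmaker, and `ComplianceState`, `ProviderDevice`, `Host`, `Reconcile` and `SnapshotFor` are hypothetical names and shapes. It shows a full-listing reconcile that marks devices the provider stopped reporting as not found, matches by serial number with a hardware-UUID fallback, and scopes snapshot lookups to the active provider with no cross-provider fallback.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// ComplianceState is a hypothetical per-host MDM snapshot (not Netmaker's schema).
type ComplianceState struct {
	Provider     string // which MDM wrote this snapshot
	DeviceID     string
	Compliant    bool
	Found        bool // false once the provider stops reporting the device
	LastSyncedAt time.Time
}

// ProviderDevice is one record from an MDM listing (constructed shape).
type ProviderDevice struct {
	ID, SerialNumber, HardwareUUID string
	Compliant                      bool
}

// Host carries the identifiers used to link a host to an MDM device.
type Host struct {
	ID, SerialNumber, HardwareUUID string
}

func norm(s string) string { return strings.ToUpper(strings.TrimSpace(s)) }

// matchDevice tries the serial number first and falls back to the hardware
// UUID, so a host whose serial is blank or reported differently is still linked.
func matchDevice(h Host, bySerial, byUUID map[string]ProviderDevice) (ProviderDevice, bool) {
	if s := norm(h.SerialNumber); s != "" {
		if d, ok := bySerial[s]; ok {
			return d, true
		}
	}
	if u := norm(h.HardwareUUID); u != "" {
		if d, ok := byUUID[u]; ok {
			return d, true
		}
	}
	return ProviderDevice{}, false
}

// Reconcile derives the next state map from a full provider listing. Matched
// hosts get fresh data; hosts this provider previously reported but no longer
// returns are marked not found and non-compliant instead of keeping their last
// value forever. Snapshots owned by other providers are carried over untouched.
func Reconcile(provider string, now time.Time, hosts []Host, devices []ProviderDevice, prev map[string]ComplianceState) map[string]ComplianceState {
	bySerial, byUUID := map[string]ProviderDevice{}, map[string]ProviderDevice{}
	for _, d := range devices {
		if s := norm(d.SerialNumber); s != "" {
			bySerial[s] = d
		}
		if u := norm(d.HardwareUUID); u != "" {
			byUUID[u] = d
		}
	}
	next := make(map[string]ComplianceState, len(prev)+len(hosts))
	for id, st := range prev {
		next[id] = st
	}
	for _, h := range hosts {
		if d, ok := matchDevice(h, bySerial, byUUID); ok {
			next[h.ID] = ComplianceState{Provider: provider, DeviceID: d.ID, Compliant: d.Compliant, Found: true, LastSyncedAt: now}
			continue
		}
		if old, had := next[h.ID]; had && old.Provider == provider {
			old.Found, old.Compliant, old.LastSyncedAt = false, false, now
			next[h.ID] = old
		}
	}
	return next
}

// SnapshotFor returns a host's snapshot only if the active provider wrote it.
// There is no fallback to another provider's data, so posture evaluation never
// silently reads the wrong snapshot.
func SnapshotFor(states map[string]ComplianceState, hostID, activeProvider string) (ComplianceState, bool) {
	st, ok := states[hostID]
	if !ok || st.Provider != activeProvider {
		return ComplianceState{}, false
	}
	return st, true
}

func main() {
	// Constructed sample data: h1 matches by serial (case-insensitive), h2 only by
	// hardware UUID, h3 was reported by jamf last time but is gone from the listing.
	now := time.Date(2026, 6, 18, 12, 0, 0, 0, time.UTC)
	hosts := []Host{{ID: "h1", SerialNumber: "C02ABC"}, {ID: "h2", HardwareUUID: "uuid-2"}, {ID: "h3", SerialNumber: "GONE1"}}
	devices := []ProviderDevice{{ID: "d1", SerialNumber: "c02abc", Compliant: true}, {ID: "d2", SerialNumber: "ZZZ", HardwareUUID: "UUID-2"}}
	prev := map[string]ComplianceState{"h3": {Provider: "jamf", DeviceID: "d3", Compliant: true, Found: true}}
	for id, st := range Reconcile("jamf", now, hosts, devices, prev) {
		fmt.Printf("%s: device=%s found=%v compliant=%v\n", id, st.DeviceID, st.Found, st.Compliant)
	}
}
```

The important design choice is that a device missing from the listing is treated as a state change (not found, therefore non-compliant) rather than as "nothing to update"; a posture check that fails open on missing data would otherwise keep admitting a device the MDM has already unenrolled.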
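The TOCTOU finding on the sync rate limiter is easiest to see with both versions side by side. This is an added example, not code from the PR or from Netmaker; `SyncLimiter`, `TryAcquire` and `RunConcurrent` are hypothetical. The fixed version does the check and the timestamp write under one lock; the racy version locks twice, and the gap between the two locks is where concurrent syncs slip through. A barrier channel releases all goroutines together and an injected clock keeps the outcome deterministic for the fixed version.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// SyncLimiter admits at most one sync per provider per interval. The check and
// the timestamp write share one critical section, so two callers cannot both
// observe "no recent sync" and both proceed. Names here are hypothetical.
type SyncLimiter struct {
	mu       sync.Mutex
	last     map[string]time.Time
	interval time.Duration
	now      func() time.Time // injectable clock; nil means time.Now
}

func NewSyncLimiter(interval time.Duration, now func() time.Time) *SyncLimiter {
	if now == nil {
		now = time.Now
	}
	return &SyncLimiter{last: map[string]time.Time{}, interval: interval, now: now}
}

// TryAcquire reserves the slot for provider atomically; only the winner gets true.
func (l *SyncLimiter) TryAcquire(provider string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	if t, ok := l.last[provider]; ok && now.Sub(t) < l.interval {
		return false
	}
	l.last[provider] = now
	return true
}

// tryAcquireRacy is the time-of-check/time-of-use version the review calls out:
// the read and the write are separate critical sections, so goroutines arriving
// together can all pass the check before any of them records a timestamp.
func (l *SyncLimiter) tryAcquireRacy(provider string) bool {
	l.mu.Lock()
	t, ok := l.last[provider]
	recent := ok && l.now().Sub(t) < l.interval
	l.mu.Unlock()
	if recent {
		return false
	}
	l.mu.Lock() // the window between Unlock above and this Lock is the race
	l.last[provider] = l.now()
	l.mu.Unlock()
	return true
}

// RunConcurrent releases n goroutines at the same instant against try and
// reports how many were admitted.
func RunConcurrent(n int, try func() bool) int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	admitted := 0
	start := make(chan struct{})
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start
			if try() {
				mu.Lock()
				admitted++
				mu.Unlock()
			}
		}()
	}
	close(start)
	wg.Wait()
	return admitted
}

func main() {
	clock := time.Date(2026, 6, 18, 12, 0, 0, 0, time.UTC) // fixed clock, constructed
	now := func() time.Time { return clock }
	safe := NewSyncLimiter(time.Minute, now)
	racy := NewSyncLimiter(time.Minute, now)
	fmt.Println("atomic limiter admitted:", RunConcurrent(200, func() bool { return safe.TryAcquire("jamf") }))
	fmt.Println("racy limiter admitted:  ", RunConcurrent(200, func() bool { return racy.tryAcquireRacy("jamf") }))
}
```

With the fixed clock the atomic limiter admits exactly one of the 200 goroutines every run; the racy variant's count varies from run to run, which is exactly the behaviour a limiter must not have when each admitted call turns into a full provider API sweep.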
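The Jamf error-handling finding (status code checked after JSON decoding) and the error-body-leak finding (raw upstream bodies returned to callers) both concern the same client code path, so one added example covers both. It is not code from the PR or from Netmaker; `FetchDevice`, `UpstreamError`, `DeviceRecord` and the fake provider served by `net/http/httptest` are constructed for this page. `FetchDevice` reads the body with a size cap, checks the status first, and returns a typed error carrying only a sanitized hint; `fetchDecodeFirst` shows the ordering the review flags, where a 401 with an HTML body is misreported as a decode failure.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// UpstreamError reports a non-2xx reply with the status and a sanitized hint.
// The raw upstream body is deliberately not stored, so it cannot reach callers.
type UpstreamError struct {
	Status int
	Hint   string
}

func (e *UpstreamError) Error() string { return fmt.Sprintf("mdm provider returned HTTP %d: %s", e.Status, e.Hint) }

// DeviceRecord is a constructed stand-in for a provider's device payload.
type DeviceRecord struct {
	ID        string `json:"id"`
	Compliant bool   `json:"compliant"`
}

const maxBody = 1 << 20 // cap on bytes read from any upstream response

// hintFor maps a status to wording that is safe to return to API callers.
func hintFor(status int) string {
	switch status {
	case http.StatusUnauthorized, http.StatusForbidden:
		return "provider rejected the credentials"
	}
	return "unexpected status from provider"
}

// FetchDevice checks the status code BEFORE decoding. A login page or plain
// text error from the provider then surfaces as *UpstreamError rather than a
// misleading JSON syntax error, and transport failures stay distinguishable.
func FetchDevice(client *http.Client, url string) (*DeviceRecord, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, fmt.Errorf("request to provider failed: %w", err)
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxBody))
	if err != nil {
		return nil, fmt.Errorf("reading provider response: %w", err)
	}
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		// body dropped on purpose; log it server-side if you need it for debugging
		return nil, &UpstreamError{Status: resp.StatusCode, Hint: hintFor(resp.StatusCode)}
	}
	var rec DeviceRecord
	if err := json.Unmarshal(body, &rec); err != nil {
		return nil, fmt.Errorf("decoding device record: %w", err)
	}
	return &rec, nil
}

// fetchDecodeFirst is the ordering the review flags: decode, then look at the
// status. A 401 with an HTML body comes back as a decode error.
func fetchDecodeFirst(client *http.Client, url string) (*DeviceRecord, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var rec DeviceRecord
	if err := json.NewDecoder(resp.Body).Decode(&rec); err != nil {
		return nil, fmt.Errorf("decoding device record: %w", err)
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("HTTP %d", resp.StatusCode)
	}
	return &rec, nil
}

// newFakeProvider is a constructed upstream: /ok answers JSON, /denied answers
// 401 with an HTML body carrying tenant details a caller must never see.
func newFakeProvider() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/ok", func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"id":"dev-1","compliant":true}`)
	})
	mux.HandleFunc("/denied", func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusUnauthorized)
		fmt.Fprint(w, `<html>Access denied for tenant contoso-secret: token expired</html>`)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeProvider()
	defer srv.Close()
	_, err := FetchDevice(srv.Client(), srv.URL+"/denied")
	fmt.Printf("status-first: %T: %v\n", err, err)
	_, err = fetchDecodeFirst(srv.Client(), srv.URL+"/denied")
	fmt.Printf("decode-first: %T: %v\n", err, err)
}
```

A caller of `FetchDevice` can use `errors.As` to tell an `*UpstreamError` (credentials, tenant, or permission problem at the MDM) from a wrapped transport error (DNS, TLS, timeout), which is the distinction the review says the decode-first ordering destroys. The upstream body still belongs in the server log, just not in the API response.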

1 participant