import { useContext, useMemo } from "react";
import { AppContext } from "context/app";
import useGitOpsMode from "hooks/useGitOpsMode";
import { isAndroid } from "interfaces/platform";
import {
ISoftwareTitleDetails,
ISoftwarePackage,
IAppStoreApp,
isSoftwarePackage,
isIpadOrIphoneSoftwareSource,
InstallerType,
} from "interfaces/software";
import {
getInstallerCardInfo,
InstallerCardInfo,
} from "pages/SoftwarePage/SoftwareTitleDetailsPage/helpers";
import { isAndroidWebApp } from "pages/SoftwarePage/helpers";
import { compareVersions } from "utilities/helpers";
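/**
 * Installer facts that `useSoftwareInstaller` derives from a software title
 * for the software title details UI.
 */
export interface SoftwareInstallerMeta {
  /** "package" when the installer is a software package, otherwise "app-store". */
  installerType: InstallerType;
  /** Includes both Google Play Store apps and Google Play Store web apps */
  isAndroidPlayStoreApp: boolean;
  /** Only includes Google Play Store web apps */
  isAndroidPlayStoreWebApp: boolean;
  /** True when the installer carries a truthy `fleet_maintained_app_id`. */
  isFleetMaintainedApp: boolean;
  /**
   * True when the installer is a Fleet-maintained app whose version is not
   * older than any entry in its `fleet_maintained_versions` list.
   */
  isLatestFmaVersion: boolean;
  /**
   * Fleet-maintained versions listed on the installer.
   *
   * `useSoftwareInstaller` already returns this key inside `meta`; declaring
   * it lets consumers read it through the type. It is optional so existing
   * object literals of this type keep compiling.
   *
   * NOTE(review): typed from ISoftwarePackage on the assumption that
   * `fleet_maintained_versions` is declared there — confirm.
   */
  fmaVersions?: ISoftwarePackage["fleet_maintained_versions"];
  /** True for a package installer that is not a Fleet-maintained app. */
  isCustomPackage: boolean;
  /** True when the installer's source is an iOS or iPadOS software source. */
  isIosOrIpadosApp: boolean;
  /**
   * SHA-256 hash reported on the installer (`hash_sha256`), when present.
   * It is passed through as received; nothing in the hook verifies the
   * installer against it.
   */
  sha256?: string;
  /** `app_store_id` of the installer; only set for Android Play Store apps. */
  androidPlayStoreId?: string;
  /** Only available on FMA packages */
  patchPolicy?: ISoftwarePackage["patch_policy"];
  automaticInstallPolicies:
    | ISoftwarePackage["automatic_install_policies"]
    | IAppStoreApp["automatic_install_policies"];
  /** GitOps mode state as reported by `useGitOpsMode("software")`. */
  gitOpsModeEnabled: boolean;
  /** Repository URL as reported by `useGitOpsMode("software")`. */
  repoURL?: string;
  /**
   * True when AppContext marks the current user as a global or team admin or
   * maintainer. This is a client-side value for choosing what the UI shows,
   * not an authorization decision.
   */
  canManageSoftware: boolean;
  /** Raw ISoftwarePackage | IAppStoreApp data */
  softwareInstaller: ISoftwarePackage | IAppStoreApp;
}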
/** Value returned by `useSoftwareInstaller` when the title has an installer. */
export interface UseSoftwareInstallerResult {
  /** Result of `getInstallerCardInfo` for the software title. */
  cardInfo: InstallerCardInfo;
  /** Flags and identifiers derived from the installer, plus GitOps and role state. */
  meta: SoftwareInstallerMeta;
}
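/**
 * Extracts software installer data (FMA, VPP, Google Play Store apps, custom
 * packages) from ISoftwareTitleDetails for use in the UI.
 *
 * `meta.canManageSoftware` and `meta.gitOpsModeEnabled` are computed in the
 * browser from context state. They are inputs for choosing what the UI shows,
 * not an access check; the API behind any control they gate has to authorize
 * each request on its own.
 *
 * @param softwareTitle - Title details whose `software_package` or
 *   `app_store_app` describes the installer.
 * @returns The card info and derived metadata, or `undefined` when the title
 *   has neither a `software_package` nor an `app_store_app`.
 */
export const useSoftwareInstaller = (
  softwareTitle: ISoftwareTitleDetails
): UseSoftwareInstallerResult | undefined => {
  const appContext = useContext(AppContext);
  // GitOps state is requested for the "software" entity type specifically.
  const { gitOpsModeEnabled, repoURL } = useGitOpsMode("software");

  return useMemo(() => {
    if (!softwareTitle.software_package && !softwareTitle.app_store_app) {
      return undefined;
    }

    const cardInfo = getInstallerCardInfo(softwareTitle);
    const { softwareInstaller, source } = cardInfo;

    const isIosOrIpadosApp = isIpadOrIphoneSoftwareSource(source);

    const installerType: InstallerType = isSoftwarePackage(softwareInstaller)
      ? "package"
      : "app-store";

    const isAndroidPlayStoreApp =
      "platform" in softwareInstaller && isAndroid(softwareInstaller.platform);

    const isAndroidPlayStoreWebApp =
      isAndroidPlayStoreApp && "app_store_id" in softwareInstaller
        ? isAndroidWebApp(softwareInstaller.app_store_id)
        : false;

    const isFleetMaintainedApp =
      "fleet_maintained_app_id" in softwareInstaller &&
      !!softwareInstaller.fleet_maintained_app_id;

    // NOTE(review): `every` is true for an empty list, so a Fleet-maintained
    // app with an empty `fleet_maintained_versions` array is reported as
    // latest. A missing version on either side is compared as "". Confirm
    // both are intended, since this flag presumably drives update messaging.
    const isLatestFmaVersion =
      isFleetMaintainedApp &&
      "fleet_maintained_versions" in softwareInstaller &&
      !!softwareInstaller.fleet_maintained_versions &&
      softwareInstaller.fleet_maintained_versions.every(
        (fma) =>
          // Verify that the installer version is not older than any known
          // Fleet-maintained version by requiring compareVersions to return
          // 0 (equal) or 1 (greater) for every entry.
          compareVersions(softwareInstaller.version ?? "", fma.version ?? "") >=
          0
      );

    // Always an array: the key can be present with a nullish value (the
    // check above guards against exactly that), and the non-FMA branch
    // already yields [].
    const fmaVersions =
      isFleetMaintainedApp && "fleet_maintained_versions" in softwareInstaller
        ? softwareInstaller.fleet_maintained_versions ?? []
        : [];

    const isCustomPackage =
      installerType === "package" && !isFleetMaintainedApp;

    // A missing or empty hash is reported as undefined. The value is passed
    // through for display; this hook does not verify the installer against it.
    const sha256 =
      ("hash_sha256" in softwareInstaller && softwareInstaller.hash_sha256) ||
      undefined;

    // softwareInstaller has already been dereferenced above, so no optional
    // chaining is needed here.
    const androidPlayStoreId =
      isAndroidPlayStoreApp && "app_store_id" in softwareInstaller
        ? softwareInstaller.app_store_id
        : undefined;

    const {
      automatic_install_policies: automaticInstallPolicies,
    } = softwareInstaller;

    const patchPolicy =
      "patch_policy" in softwareInstaller
        ? softwareInstaller.patch_policy
        : undefined;

    const {
      isGlobalAdmin,
      isGlobalMaintainer,
      isTeamAdmin,
      isTeamMaintainer,
    } = appContext;

    // Role flags come from client-side context, so this only controls what
    // the UI offers.
    const canManageSoftware = !!(
      isGlobalAdmin ||
      isGlobalMaintainer ||
      isTeamAdmin ||
      isTeamMaintainer
    );

    return {
      cardInfo,
      meta: {
        installerType,
        isAndroidPlayStoreApp,
        isAndroidPlayStoreWebApp,
        isFleetMaintainedApp,
        isLatestFmaVersion,
        fmaVersions,
        isCustomPackage,
        isIosOrIpadosApp,
        sha256,
        androidPlayStoreId,
        patchPolicy,
        automaticInstallPolicies,
        gitOpsModeEnabled,
        repoURL,
        canManageSoftware,
        softwareInstaller,
      },
    };
  }, [softwareTitle, appContext, gitOpsModeEnabled, repoURL]);
};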