fleet/cmd/fleetctl/apply.go

package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"

	"github.com/fleetdm/fleet/v4/pkg/spec"
	"github.com/fleetdm/fleet/v4/server/fleet"
	"github.com/urfave/cli/v2"
)

func applyCommand() *cli.Command {
	var (
		flFilename string
		flForce    bool
		flDryRun   bool
	)
	return &cli.Command{
		Name:      "apply",
		Usage:     "Apply files to declaratively manage osquery configurations",
		UsageText: `fleetctl apply [options]`,
		Flags: []cli.Flag{
			&cli.StringFlag{
				Name:        "f",
				EnvVars:     []string{"FILENAME"},
				Value:       "",
				Destination: &flFilename,
				Usage:       "A file to apply",
			},
			&cli.BoolFlag{
				Name:        "force",
				EnvVars:     []string{"FORCE"},
				Destination: &flForce,
				Usage:       "Force applying the file even if it raises validation errors (only supported for 'config' and 'team' specs)",
			},
			&cli.BoolFlag{
				Name:        "dry-run",
				EnvVars:     []string{"DRY_RUN"},
				Destination: &flDryRun,
				Usage:       "Do not apply the file, just validate it (only supported for 'config' and 'team' specs)",
			},
			&cli.StringFlag{
				Name:  "policies-team",
				Usage: "A team's name, this flag is only used on policies specs (overrides 'team' key in the policies file). This allows to easily import a group of policies to a team.",
			},
			configFlag(),
			contextFlag(),
			debugFlag(),
		},
		Action: func(c *cli.Context) error {
			if flFilename == "" {
				return errors.New("-f must be specified")
			}
			b, err := os.ReadFile(flFilename)
			if err != nil {
				return err
			}
			fleetClient, err := clientFromCLI(c)
			if err != nil {
				return err
			}

			// Check if the file has a .yml or .yaml extension
			ext := strings.ToLower(filepath.Ext(flFilename))
			if ext == "" {
				return errors.New("Missing file extension: only .yml or .yaml files can be applied")
			}
			if ext != ".yml" && ext != ".yaml" {
				return fmt.Errorf("Invalid file extension %s: only .yml or .yaml files can be applied", ext)
			}

			specs, err := spec.GroupFromBytes(b)
			if err != nil {
				return err
			}
			logf := func(format string, a ...interface{}) {
				fmt.Fprintf(c.App.Writer, format, a...)
			}

			opts := fleet.ApplyClientSpecOptions{
				ApplySpecOptions: fleet.ApplySpecOptions{
					Force:  flForce,
					DryRun: flDryRun,
				},
			}
			if policiesTeamName := c.String("policies-team"); policiesTeamName != "" {
				opts.TeamForPolicies = policiesTeamName
			}
			baseDir := filepath.Dir(flFilename)

			teamsSoftwareInstallers := make(map[string][]fleet.SoftwarePackageResponse)
			teamsScripts := make(map[string][]fleet.ScriptResponse)

			_, _, _, err = fleetClient.ApplyGroup(c.Context, false, specs, baseDir, logf, nil, opts, teamsSoftwareInstallers, teamsScripts)
			if err != nil {
				return err
			}
			return nil
		},
	}
}
Working prototype of fleetctl apply (#1762) 2018-05-07 23:50:20 +00:00			`package main`

			`import (`
Use new error handling approach in other packages (#2954) 2021-11-22 14:13:26 +00:00			`"errors"`
			`"fmt"`
Move specs parsing functionality to a new pkg/spec package (#7050) 2022-08-05 22:07:32 +00:00			`"os"`
Add macos custom profiles support via `fleetctl apply` (#9824) 2023-02-15 18:01:44 +00:00			`"path/filepath"`
Fleetctl: Add YAML validation error for apply command (#20254) 2024-07-09 13:14:25 +00:00			`"strings"`
Working prototype of fleetctl apply (#1762) 2018-05-07 23:50:20 +00:00
Move specs parsing functionality to a new pkg/spec package (#7050) 2022-08-05 22:07:32 +00:00			`"github.com/fleetdm/fleet/v4/pkg/spec"`
Validate team and appconfig payloads, with `dry-run` and `force` modes (#7731) 2022-09-19 17:53:44 +00:00			`"github.com/fleetdm/fleet/v4/server/fleet"`
Upgrade fleetctl github.com/urfave/cli to v2 (#471) This is intended to upgrade to the new API without changing fleetctl functionality. 2021-03-13 00:42:38 +00:00			`"github.com/urfave/cli/v2"`
Working prototype of fleetctl apply (#1762) 2018-05-07 23:50:20 +00:00			`)`

Upgrade fleetctl github.com/urfave/cli to v2 (#471) This is intended to upgrade to the new API without changing fleetctl functionality. 2021-03-13 00:42:38 +00:00			`func applyCommand() *cli.Command {`
Validate team and appconfig payloads, with `dry-run` and `force` modes (#7731) 2022-09-19 17:53:44 +00:00			`var (`
			`flFilename string`
			`flForce bool`
			`flDryRun bool`
			`)`
Upgrade fleetctl github.com/urfave/cli to v2 (#471) This is intended to upgrade to the new API without changing fleetctl functionality. 2021-03-13 00:42:38 +00:00			`return &cli.Command{`
Working prototype of fleetctl apply (#1762) 2018-05-07 23:50:20 +00:00			`Name: "apply",`
			`Usage: "Apply files to declaratively manage osquery configurations",`
			UsageText: `fleetctl apply [options]`,
			`Flags: []cli.Flag{`
Upgrade fleetctl github.com/urfave/cli to v2 (#471) This is intended to upgrade to the new API without changing fleetctl functionality. 2021-03-13 00:42:38 +00:00			`&cli.StringFlag{`
Working prototype of fleetctl apply (#1762) 2018-05-07 23:50:20 +00:00			`Name: "f",`
Upgrade fleetctl github.com/urfave/cli to v2 (#471) This is intended to upgrade to the new API without changing fleetctl functionality. 2021-03-13 00:42:38 +00:00			`EnvVars: []string{"FILENAME"},`
Working prototype of fleetctl apply (#1762) 2018-05-07 23:50:20 +00:00			`Value: "",`
			`Destination: &flFilename,`
			`Usage: "A file to apply",`
			`},`
Validate team and appconfig payloads, with `dry-run` and `force` modes (#7731) 2022-09-19 17:53:44 +00:00			`&cli.BoolFlag{`
			`Name: "force",`
			`EnvVars: []string{"FORCE"},`
			`Destination: &flForce,`
			`Usage: "Force applying the file even if it raises validation errors (only supported for 'config' and 'team' specs)",`
			`},`
			`&cli.BoolFlag{`
			`Name: "dry-run",`
			`EnvVars: []string{"DRY_RUN"},`
			`Destination: &flDryRun,`
			`Usage: "Do not apply the file, just validate it (only supported for 'config' and 'team' specs)",`
			`},`
Workaround to set policy specs on a team (#9978) For the CIS benchmark feature, we need a way to import a group of policies (spec yml) into a team. This PR adds a flag to `apply -f` to allow setting a team name to a group of policies. Sample: ```sh fleetctl apply --context dogfood --policies-team "📊 CIS Benchmarks" -f ee/cis/macos-13/cis-policy-queries.yml ``` - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [ ] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ 2023-02-22 16:14:53 +00:00			`&cli.StringFlag{`
			`Name: "policies-team",`
			`Usage: "A team's name, this flag is only used on policies specs (overrides 'team' key in the policies file). This allows to easily import a group of policies to a team.",`
			`},`
Add debug flag to fleetctl (#266) This flag enables logging of HTTP requests and responses to stderr. Closes #187 2021-02-03 02:55:16 +00:00			`configFlag(),`
			`contextFlag(),`
			`debugFlag(),`
Working prototype of fleetctl apply (#1762) 2018-05-07 23:50:20 +00:00			`},`
			`Action: func(c *cli.Context) error {`
			`if flFilename == "" {`
			`return errors.New("-f must be specified")`
			`}`
Move specs parsing functionality to a new pkg/spec package (#7050) 2022-08-05 22:07:32 +00:00			`b, err := os.ReadFile(flFilename)`
Working prototype of fleetctl apply (#1762) 2018-05-07 23:50:20 +00:00			`if err != nil {`
			`return err`
			`}`
Issue 1362 fleetctl user roles (#1397) * WIP * Add get user_roles and apply for a user_roles spec to fleetctl * Uncomment other tests * Update test to check output * Update test with the new struct * Mock token so that it doesn't pick up the one in the local machine * Address review comments * Fix printJSON and printYaml * Fix merge conflict error * If both roles are specified, fail * Fix test * Switch arguments around * Update test with the new rule * Fix other tests that fell through the cracks 2021-07-16 18:28:13 +00:00			`fleetClient, err := clientFromCLI(c)`
Working prototype of fleetctl apply (#1762) 2018-05-07 23:50:20 +00:00			`if err != nil {`
			`return err`
			`}`
Fleetctl: Add YAML validation error for apply command (#20254) 2024-07-09 13:14:25 +00:00
			`// Check if the file has a .yml or .yaml extension`
			`ext := strings.ToLower(filepath.Ext(flFilename))`
			`if ext == "" {`
			`return errors.New("Missing file extension: only .yml or .yaml files can be applied")`
			`}`
			`if ext != ".yml" && ext != ".yaml" {`
			`return fmt.Errorf("Invalid file extension %s: only .yml or .yaml files can be applied", ext)`
			`}`

Move specs parsing functionality to a new pkg/spec package (#7050) 2022-08-05 22:07:32 +00:00			`specs, err := spec.GroupFromBytes(b)`
			`if err != nil {`
			`return err`
			`}`
			`logf := func(format string, a ...interface{}) {`
			`fmt.Fprintf(c.App.Writer, format, a...)`
			`}`
Validate team and appconfig payloads, with `dry-run` and `force` modes (#7731) 2022-09-19 17:53:44 +00:00
Support environment variables in config profiles (#18891) #17309 I added some missing env var replacement tests for policies, queries, etc. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality 2024-05-28 16:44:43 +00:00			`opts := fleet.ApplyClientSpecOptions{`
			`ApplySpecOptions: fleet.ApplySpecOptions{`
			`Force: flForce,`
			`DryRun: flDryRun,`
			`},`
Validate team and appconfig payloads, with `dry-run` and `force` modes (#7731) 2022-09-19 17:53:44 +00:00			`}`
Workaround to set policy specs on a team (#9978) For the CIS benchmark feature, we need a way to import a group of policies (spec yml) into a team. This PR adds a flag to `apply -f` to allow setting a team name to a group of policies. Sample: ```sh fleetctl apply --context dogfood --policies-team "📊 CIS Benchmarks" -f ee/cis/macos-13/cis-policy-queries.yml ``` - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [ ] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ 2023-02-22 16:14:53 +00:00			`if policiesTeamName := c.String("policies-team"); policiesTeamName != "" {`
			`opts.TeamForPolicies = policiesTeamName`
			`}`
Add macos custom profiles support via `fleetctl apply` (#9824) 2023-02-15 18:01:44 +00:00			`baseDir := filepath.Dir(flFilename)`
Ensure scripts set in no-team.yml can be used in run-script actions for No Team (#22809) For #22787 Also revises the spec check to explain that scripts have to be defined "controls" when used in policies for the same team, with an explicit call-out for no-team.yml since this fix doesn't support pulling scripts from the global file. This is because parsing and script-matching happens early enough that we can't throw an error in the part of the code where we bail when controls are defined in both no-team and default files. To minimize diff size, we're both "passing-by-ref" and returning the maps-by-team of scripts and installers, though the former would be sufficient on its own. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - N/A Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests (sorta) - [x] Manual QA for all new/changed functionality 2024-10-10 11:12:24 +00:00
			`teamsSoftwareInstallers := make(map[string][]fleet.SoftwarePackageResponse)`
			`teamsScripts := make(map[string][]fleet.ScriptResponse)`

SE: CLI setup experience changes (#22956) 2024-10-23 18:51:02 +00:00			`_, _, _, err = fleetClient.ApplyGroup(c.Context, false, specs, baseDir, logf, nil, opts, teamsSoftwareInstallers, teamsScripts)`
Working prototype of fleetctl apply (#1762) 2018-05-07 23:50:20 +00:00			`if err != nil {`
			`return err`
			`}`
Apply whole yaml not just queries in preview (#3919) * Apply whole yaml not just queries in preview * Remove dev stuff 2022-01-28 19:28:07 +00:00			`return nil`
			`},`
			`}`
			`}`