2021-09-14 13:58:48 +00:00
|
|
|
package service
|
|
|
|
|
|
|
|
|
|
import (
|
2024-09-20 14:55:47 +00:00
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
2024-08-05 17:39:10 +00:00
|
|
|
"net/url"
|
2024-09-20 14:55:47 +00:00
|
|
|
"time"
|
2024-08-05 17:39:10 +00:00
|
|
|
|
2021-09-14 13:58:48 +00:00
|
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
|
|
|
)
|
|
|
|
|
|
2023-12-06 21:07:03 +00:00
|
|
|
// ListSoftwareVersions retrieves the software versions installed on hosts.
|
|
|
|
|
func (c *Client) ListSoftwareVersions(query string) ([]fleet.Software, error) {
|
2023-12-06 14:30:49 +00:00
|
|
|
verb, path := "GET", "/api/latest/fleet/software/versions"
|
|
|
|
|
var responseBody listSoftwareVersionsResponse
|
2021-09-14 13:58:48 +00:00
|
|
|
err := c.authenticatedRequestWithQuery(nil, verb, path, &responseBody, query)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return responseBody.Software, nil
|
|
|
|
|
}
|
2023-12-06 21:07:03 +00:00
|
|
|
|
|
|
|
|
// ListSoftwareTitles retrieves the software titles installed on hosts.
|
2024-05-15 17:41:35 +00:00
|
|
|
func (c *Client) ListSoftwareTitles(query string) ([]fleet.SoftwareTitleListResult, error) {
|
2023-12-06 21:07:03 +00:00
|
|
|
verb, path := "GET", "/api/latest/fleet/software/titles"
|
|
|
|
|
var responseBody listSoftwareTitlesResponse
|
|
|
|
|
err := c.authenticatedRequestWithQuery(nil, verb, path, &responseBody, query)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return responseBody.SoftwareTitles, nil
|
|
|
|
|
}
|
2024-08-05 17:39:10 +00:00
|
|
|
|
Fix macos_setup not always being exported correctly by generate-gitops (#30504)
for #30502
# Details
This PR fixes an issue where `fleetctl generate-gitops` would not always
add a `macos_setup` setting to a .yml file even if the team had a setup
experience configured. This was due to relying on the `MacOSSetup`
config returned by app/team config APIs to have this data populated,
which turned out to be an incorrect assumption. Instead, we now utilize
various APIs to check for the presence of setup software, scripts,
bootstrap packages and profiles.
Note that for now, `generate-gitops` will only output a `TODO` line if
setup experience is detected;
https://github.com/fleetdm/fleet/issues/30210 is open to flesh this out.
In the meantime `fleetctl gitops` will fail if this TODO is inserted, so
that the user must go and fix it manually.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [X] Added/updated automated tests
- [X] Manual QA for all new/changed functionality
# Testing
I set up MDM on a local instance and tried the following both on No Team
and a regular team:
* Turned "End user authentication on", verified that `fleetctl
generate-gitops` output a `macos_setup` setting for the team. Turned it
back off and verified that `macos_setup` was no longer exported by
`fleetctl generate-gitops`.
* Did the same for bootstrap package.
* Did the same for install software, and additionally verified that
having software available but _not_ selected did not cause `macos_setup`
to be exported. Same for teams with no software available at all.
* Did the same for setup assistant.
I also tested that changes to No Team didn't affect the output when
exporting a regular team.
---------
Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2025-07-02 12:07:58 +00:00
|
|
|
// Get the software titles available for the setup experience.
|
2025-09-04 15:58:47 +00:00
|
|
|
func (c *Client) GetSetupExperienceSoftware(platform string, teamID uint) ([]fleet.SoftwareTitleListResult, error) {
|
2025-09-05 21:01:00 +00:00
|
|
|
verb, path := "GET", "/api/latest/fleet/setup_experience/software"
|
Fix macos_setup not always being exported correctly by generate-gitops (#30504)
for #30502
# Details
This PR fixes an issue where `fleetctl generate-gitops` would not always
add a `macos_setup` setting to a .yml file even if the team had a setup
experience configured. This was due to relying on the `MacOSSetup`
config returned by app/team config APIs to have this data populated,
which turned out to be an incorrect assumption. Instead, we now utilize
various APIs to check for the presence of setup software, scripts,
bootstrap packages and profiles.
Note that for now, `generate-gitops` will only output a `TODO` line if
setup experience is detected;
https://github.com/fleetdm/fleet/issues/30210 is open to flesh this out.
In the meantime `fleetctl gitops` will fail if this TODO is inserted, so
that the user must go and fix it manually.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [X] Added/updated automated tests
- [X] Manual QA for all new/changed functionality
# Testing
I set up MDM on a local instance and tried the following both on No Team
and a regular team:
* Turned "End user authentication on", verified that `fleetctl
generate-gitops` output a `macos_setup` setting for the team. Turned it
back off and verified that `macos_setup` was no longer exported by
`fleetctl generate-gitops`.
* Did the same for bootstrap package.
* Did the same for install software, and additionally verified that
having software available but _not_ selected did not cause `macos_setup`
to be exported. Same for teams with no software available at all.
* Did the same for setup assistant.
I also tested that changes to No Team didn't affect the output when
exporting a regular team.
---------
Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2025-07-02 12:07:58 +00:00
|
|
|
var responseBody getSetupExperienceSoftwareResponse
|
2025-09-05 21:01:00 +00:00
|
|
|
query := fmt.Sprintf("platform=%s&team_id=%d", platform, teamID)
|
Fix macos_setup not always being exported correctly by generate-gitops (#30504)
for #30502
# Details
This PR fixes an issue where `fleetctl generate-gitops` would not always
add a `macos_setup` setting to a .yml file even if the team had a setup
experience configured. This was due to relying on the `MacOSSetup`
config returned by app/team config APIs to have this data populated,
which turned out to be an incorrect assumption. Instead, we now utilize
various APIs to check for the presence of setup software, scripts,
bootstrap packages and profiles.
Note that for now, `generate-gitops` will only output a `TODO` line if
setup experience is detected;
https://github.com/fleetdm/fleet/issues/30210 is open to flesh this out.
In the meantime `fleetctl gitops` will fail if this TODO is inserted, so
that the user must go and fix it manually.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [X] Added/updated automated tests
- [X] Manual QA for all new/changed functionality
# Testing
I set up MDM on a local instance and tried the following both on No Team
and a regular team:
* Turned "End user authentication on", verified that `fleetctl
generate-gitops` output a `macos_setup` setting for the team. Turned it
back off and verified that `macos_setup` was no longer exported by
`fleetctl generate-gitops`.
* Did the same for bootstrap package.
* Did the same for install software, and additionally verified that
having software available but _not_ selected did not cause `macos_setup`
to be exported. Same for teams with no software available at all.
* Did the same for setup assistant.
I also tested that changes to No Team didn't affect the output when
exporting a regular team.
---------
Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2025-07-02 12:07:58 +00:00
|
|
|
err := c.authenticatedRequestWithQuery(nil, verb, path, &responseBody, query)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return responseBody.SoftwareTitles, nil
|
|
|
|
|
}
|
|
|
|
|
|
Add "generate-gitops" command (#28555)
For #27476
# Checklist for submitter
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
# Details
This PR adds a new command `generate-gitops` to the `fleetctl` tool. The
purpose of this command is to output GitOps-ready files that can then be
used with `fleetctl-gitops`.
The general usage of the command is:
```
fleectl generate-gitops --dir /path/to/dir/to/add/files/to
```
By default, the outputted files will not contain sensitive data, but
will instead add comments where the data needs to be replaced by a user.
In cases where sensitive data is redacted, the tool outputs warnings to
the user indicating which keys need to be updated.
The tool uses existing APIs to gather data for use in generating
configuration files. In some cases new API client methods needed to be
added to support the tool:
* ListConfigurationProfiles
* GetProfileContents
* GetScriptContents
* GetSoftwareTitleByID
Additionally, the response for the /api/latest/fleet/software/batch
endpoint was updated slightly to return `HashSHA256` for the software
installers. This allows policies that automatically install software to
refer to that software by hash.
Other options that we may or may not choose to document at this time:
* `--insecure`: outputs sensitive data in plaintext instead of leaving
comments
* `--print`: prints the output to stdout instead of writing files
* `--key`: outputs the value at a keypath to stdout, e.g. `--key
agent_options.config`
* `--team`: only generates config for the specified team name
* `--force`: overwrites files in the given directory (defaults to false,
which errors if the dir is not empty)
# Technical notes
The command is implemented using a `GenerateGitopsCommand` type which
holds some state (like a list of software and scripts encountered) as
well as a Fleet client instance (which may be a mock instance for tests)
and the CLI context (containing things like flags and output writers).
The actual "action" of the CLI command calls the `Run()` method of the
`GenerateGitopsCommand` var, which delegates most of the work to other
methods like `generateOrgSettings()`, `generateControls()`, etc.
Wherever possible, the subroutines use reflection to translate Go struct
fields into JSON property names. This guarantees that the correct keys
are written to config files, and protects against the unlikely event of
keys changing.
When sensitive data is encountered, the subroutines call `AddComment()`
to get a new token to add to the config files. These tokens are replaced
with comments like `# TODO - Add your enrollment secrets here` in the
final output.
# Known issues / TODOs:
* The `macos_setup` configuration is not output by this tool yet. More
planning is required for this. In the meantime, if the tool detects that
`macos_setup` is configured on the server, it outputs a key with an
invalid value and prints a warning to the user that they'll need to
configure it themselves.
* `yara_rules` are not output yet. The tool adds a warning that if you
have Yara rules (which you can only upload via GitOps right now) that
you'll have to migrate them manually. Supporting this will require a new
API that we'll have to discuss the authz for, so punting on it for now.
* Fleet maintained apps are not supported by GitOps yet (coming in
https://github.com/fleetdm/fleet/issues/24469). In the meantime, this
tool will output a `fleet_maintained_apps` key and trigger a warning,
and GitOps will fail if that key is present.
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-05-06 20:25:44 +00:00
|
|
|
// GetSoftwareTitleByID retrieves a software title by ID.
|
|
|
|
|
//
|
|
|
|
|
//nolint:gocritic // ignore captLocal
|
|
|
|
|
func (c *Client) GetSoftwareTitleByID(ID uint, teamID *uint) (*fleet.SoftwareTitle, error) {
|
|
|
|
|
var query string
|
|
|
|
|
if teamID != nil {
|
|
|
|
|
query = fmt.Sprintf("team_id=%d", *teamID)
|
|
|
|
|
}
|
|
|
|
|
verb, path := "GET", "/api/latest/fleet/software/titles/"+fmt.Sprint(ID)
|
|
|
|
|
var responseBody getSoftwareTitleResponse
|
|
|
|
|
err := c.authenticatedRequestWithQuery(nil, verb, path, &responseBody, query)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return responseBody.SoftwareTitle, nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-09-17 16:30:27 +00:00
|
|
|
func (c *Client) ApplyNoTeamSoftwareInstallers(softwareInstallers []fleet.SoftwareInstallerPayload, opts fleet.ApplySpecOptions) ([]fleet.SoftwarePackageResponse, error) {
|
2024-08-05 17:39:10 +00:00
|
|
|
query, err := url.ParseQuery(opts.RawQuery())
|
|
|
|
|
if err != nil {
|
2024-09-06 22:10:28 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2024-09-20 14:55:47 +00:00
|
|
|
return c.applySoftwareInstallers(softwareInstallers, query, opts.DryRun)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *Client) applySoftwareInstallers(softwareInstallers []fleet.SoftwareInstallerPayload, query url.Values, dryRun bool) ([]fleet.SoftwarePackageResponse, error) {
|
|
|
|
|
path := "/api/latest/fleet/software/batch"
|
2024-09-06 22:10:28 +00:00
|
|
|
var resp batchSetSoftwareInstallersResponse
|
2025-04-18 20:41:41 +00:00
|
|
|
if err := c.authenticatedRequestWithQuery(map[string]any{"software": softwareInstallers}, "POST", path, &resp, query.Encode()); err != nil {
|
2024-09-06 22:10:28 +00:00
|
|
|
return nil, err
|
2024-08-05 17:39:10 +00:00
|
|
|
}
|
2024-09-20 14:55:47 +00:00
|
|
|
if dryRun && resp.RequestUUID == "" {
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
requestUUID := resp.RequestUUID
|
|
|
|
|
for {
|
|
|
|
|
var resp batchSetSoftwareInstallersResultResponse
|
|
|
|
|
if err := c.authenticatedRequestWithQuery(nil, "GET", path+"/"+requestUUID, &resp, query.Encode()); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
switch {
|
|
|
|
|
case resp.Status == fleet.BatchSetSoftwareInstallersStatusProcessing:
|
2025-07-02 20:49:37 +00:00
|
|
|
time.Sleep(1 * time.Second)
|
2024-09-20 14:55:47 +00:00
|
|
|
case resp.Status == fleet.BatchSetSoftwareInstallersStatusFailed:
|
|
|
|
|
return nil, errors.New(resp.Message)
|
|
|
|
|
case resp.Status == fleet.BatchSetSoftwareInstallersStatusCompleted:
|
|
|
|
|
return resp.Packages, nil
|
|
|
|
|
default:
|
|
|
|
|
return nil, fmt.Errorf("unknown status: %q", resp.Status)
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-08-05 17:39:10 +00:00
|
|
|
}
|
2025-02-11 17:46:53 +00:00
|
|
|
|
|
|
|
|
// InstallSoftware triggers a software installation (VPP or software package)
|
|
|
|
|
// on the specified host.
|
|
|
|
|
func (c *Client) InstallSoftware(hostID uint, softwareTitleID uint) error {
|
|
|
|
|
verb, path := "POST", fmt.Sprintf("/api/latest/fleet/hosts/%d/software/%d/install", hostID, softwareTitleID)
|
|
|
|
|
var responseBody installSoftwareResponse
|
|
|
|
|
return c.authenticatedRequest(nil, verb, path, &responseBody)
|
|
|
|
|
}
|