Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 21:47:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/server/service/software.go

280 lines
9 KiB
Go
Raw Normal View History

Implement fleetctl get software and the underlying API (#1999) * Implement fleetctl get software and the underlying API * Add documentation * Simplify list software implementation * Lint fixes * Make team name unique * Address review comments * Fix lint * Fix tests
2021-09-14 13:58:48 +00:00
package service
import (
"context"
Fixing tests. (#17073) Fixed failing tests after recent merge with main. Also includes updated migration date.
2024-02-22 22:03:13 +00:00
"fmt"
"net/http"
Add `hosts_count` field to "list software" endpoint (#3873)
2022-01-26 14:47:56 +00:00
"time"
Implement fleetctl get software and the underlying API (#1999) * Implement fleetctl get software and the underlying API * Add documentation * Simplify list software implementation * Lint fixes * Make team name unique * Address review comments * Fix lint * Fix tests
2021-09-14 13:58:48 +00:00
Add team filter to software detail APIs (#16876) #16787
2024-02-18 13:14:20 +00:00
"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
Implement fleetctl get software and the underlying API (#1999) * Implement fleetctl get software and the underlying API * Add documentation * Simplify list software implementation * Lint fixes * Make team name unique * Address review comments * Fix lint * Fix tests
2021-09-14 13:58:48 +00:00
add permission check to software titles/versions endpoints (#16561) relates to #16052 This adds a team permission check the `GET software/titles/:id` endpoint. If the user should not be able to get the software title if it is not on a host that is on the same team as the user (e.g. software title 1 is on host 1, which is on team 1. A user who is only on team 2 should get a 403 response) The UI is also updated to show the access denied error page when the we receive a 403 response for the software title <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Roberto Dip <dip.jesusr@gmail.com> Co-authored-by: Roberto Dip <me@roperzh.com>
2024-02-15 20:22:27 +00:00
"github.com/fleetdm/fleet/v4/server/contexts/viewer"
Implement fleetctl get software and the underlying API (#1999) * Implement fleetctl get software and the underlying API * Add documentation * Simplify list software implementation * Lint fixes * Make team name unique * Address review comments * Fix lint * Fix tests
2021-09-14 13:58:48 +00:00
"github.com/fleetdm/fleet/v4/server/fleet"
add permission check to software titles/versions endpoints (#16561) relates to #16052 This adds a team permission check the `GET software/titles/:id` endpoint. If the user should not be able to get the software title if it is not on a host that is on the same team as the user (e.g. software title 1 is on host 1, which is on team 1. A user who is only on team 2 should get a 403 response) The UI is also updated to show the access denied error page when the we receive a 403 response for the software title <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Roberto Dip <dip.jesusr@gmail.com> Co-authored-by: Roberto Dip <me@roperzh.com>
2024-02-15 20:22:27 +00:00
"github.com/fleetdm/fleet/v4/server/ptr"
Implement fleetctl get software and the underlying API (#1999) * Implement fleetctl get software and the underlying API * Add documentation * Simplify list software implementation * Lint fixes * Make team name unique * Address review comments * Fix lint * Fix tests
2021-09-14 13:58:48 +00:00
)
/////////////////////////////////////////////////////////////////////////////////
// List
/////////////////////////////////////////////////////////////////////////////////
type listSoftwareRequest struct {
Add vulnerable filter for software and also wire up the query search (#2604) * Add vulnerable filter for software and also wire up the query search * Add documentation * Update to use software list options
2021-10-20 21:01:20 +00:00
fleet.SoftwareListOptions
Implement fleetctl get software and the underlying API (#1999) * Implement fleetctl get software and the underlying API * Add documentation * Simplify list software implementation * Lint fixes * Make team name unique * Address review comments * Fix lint * Fix tests
2021-09-14 13:58:48 +00:00
}
Updating golangci-lint to 1.61.0 (#22973)
2024-10-18 17:38:26 +00:00
// Deprecated: listSoftwareResponse is the response struct for the deprecated
Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)
2023-12-06 14:30:49 +00:00
// listSoftwareEndpoint. It differs from listSoftwareVersionsResponse in that
// the latter includes a count of the total number of software items.
Implement fleetctl get software and the underlying API (#1999) * Implement fleetctl get software and the underlying API * Add documentation * Simplify list software implementation * Lint fixes * Make team name unique * Address review comments * Fix lint * Fix tests
2021-09-14 13:58:48 +00:00
type listSoftwareResponse struct {
Return a null timestamp when there are no software counts available (#3955)
2022-01-31 22:08:03 +00:00
CountsUpdatedAt *time.Time `json:"counts_updated_at"`
Add `hosts_count` field to "list software" endpoint (#3873)
2022-01-26 14:47:56 +00:00
Software []fleet.Software `json:"software,omitempty"`
Err error `json:"error,omitempty"`
Implement fleetctl get software and the underlying API (#1999) * Implement fleetctl get software and the underlying API * Add documentation * Simplify list software implementation * Lint fixes * Make team name unique * Address review comments * Fix lint * Fix tests
2021-09-14 13:58:48 +00:00
}
Refactoring service layer. Part 1 (#25945) Refactoring some functionality out of the service package so it can be reused by a different service package. - auth middleware - logging errors No functional changes.
2025-02-03 17:23:26 +00:00
func (r listSoftwareResponse) Error() error { return r.Err }
Implement fleetctl get software and the underlying API (#1999) * Implement fleetctl get software and the underlying API * Add documentation * Simplify list software implementation * Lint fixes * Make team name unique * Address review comments * Fix lint * Fix tests
2021-09-14 13:58:48 +00:00
Updating golangci-lint to 1.61.0 (#22973)
2024-10-18 17:38:26 +00:00
// Deprecated: use listSoftwareVersionsEndpoint instead
service.errorer to fleet.Errorer (#26362)
2025-02-14 22:19:34 +00:00
func listSoftwareEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
Implement fleetctl get software and the underlying API (#1999) * Implement fleetctl get software and the underlying API * Add documentation * Simplify list software implementation * Lint fixes * Make team name unique * Address review comments * Fix lint * Fix tests
2021-09-14 13:58:48 +00:00
req := request.(*listSoftwareRequest)
Add pagination meta to software versions endpoint (#15550)
2023-12-12 18:24:20 +00:00
resp, _, err := svc.ListSoftware(ctx, req.SoftwareListOptions)
Implement fleetctl get software and the underlying API (#1999) * Implement fleetctl get software and the underlying API * Add documentation * Simplify list software implementation * Lint fixes * Make team name unique * Address review comments * Fix lint * Fix tests
2021-09-14 13:58:48 +00:00
if err != nil {
return listSoftwareResponse{Err: err}, nil
}
Add `hosts_count` field to "list software" endpoint (#3873)
2022-01-26 14:47:56 +00:00
Include CVE scores when listing software (#5673)
2022-05-20 16:58:40 +00:00
// calculate the latest counts_updated_at
Add `hosts_count` field to "list software" endpoint (#3873)
2022-01-26 14:47:56 +00:00
var latest time.Time
for _, sw := range resp {
if !sw.CountsUpdatedAt.IsZero() && sw.CountsUpdatedAt.After(latest) {
latest = sw.CountsUpdatedAt
}
}
Return a null timestamp when there are no software counts available (#3955)
2022-01-31 22:08:03 +00:00
listResp := listSoftwareResponse{Software: resp}
if !latest.IsZero() {
listResp.CountsUpdatedAt = &latest
}
Include CVE scores when listing software (#5673)
2022-05-20 16:58:40 +00:00
Return a null timestamp when there are no software counts available (#3955)
2022-01-31 22:08:03 +00:00
return listResp, nil
Implement fleetctl get software and the underlying API (#1999) * Implement fleetctl get software and the underlying API * Add documentation * Simplify list software implementation * Lint fixes * Make team name unique * Address review comments * Fix lint * Fix tests
2021-09-14 13:58:48 +00:00
}
Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)
2023-12-06 14:30:49 +00:00
type listSoftwareVersionsResponse struct {
Add pagination meta to software versions endpoint (#15550)
2023-12-12 18:24:20 +00:00
Count int `json:"count"`
CountsUpdatedAt *time.Time `json:"counts_updated_at"`
Software []fleet.Software `json:"software,omitempty"`
Meta *fleet.PaginationMetadata `json:"meta"`
Err error `json:"error,omitempty"`
Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)
2023-12-06 14:30:49 +00:00
}
Refactoring service layer. Part 1 (#25945) Refactoring some functionality out of the service package so it can be reused by a different service package. - auth middleware - logging errors No functional changes.
2025-02-03 17:23:26 +00:00
func (r listSoftwareVersionsResponse) Error() error { return r.Err }
Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)
2023-12-06 14:30:49 +00:00
service.errorer to fleet.Errorer (#26362)
2025-02-14 22:19:34 +00:00
func listSoftwareVersionsEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)
2023-12-06 14:30:49 +00:00
req := request.(*listSoftwareRequest)
Add pagination meta to software versions endpoint (#15550)
2023-12-12 18:24:20 +00:00
// always include pagination for new software versions endpoint (not included by default in
// legacy endpoint for backwards compatibility)
req.SoftwareListOptions.ListOptions.IncludeMetadata = true
resp, meta, err := svc.ListSoftware(ctx, req.SoftwareListOptions)
Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)
2023-12-06 14:30:49 +00:00
if err != nil {
return listSoftwareVersionsResponse{Err: err}, nil
}
// calculate the latest counts_updated_at
var latest time.Time
for _, sw := range resp {
if !sw.CountsUpdatedAt.IsZero() && sw.CountsUpdatedAt.After(latest) {
latest = sw.CountsUpdatedAt
}
}
Add pagination meta to software versions endpoint (#15550)
2023-12-12 18:24:20 +00:00
listResp := listSoftwareVersionsResponse{Software: resp, Meta: meta}
Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)
2023-12-06 14:30:49 +00:00
if !latest.IsZero() {
listResp.CountsUpdatedAt = &latest
}
c, err := svc.CountSoftware(ctx, req.SoftwareListOptions)
if err != nil {
return listSoftwareVersionsResponse{Err: err}, nil
}
listResp.Count = c
return listResp, nil
}
Add pagination meta to software versions endpoint (#15550)
2023-12-12 18:24:20 +00:00
func (svc *Service) ListSoftware(ctx context.Context, opt fleet.SoftwareListOptions) ([]fleet.Software, *fleet.PaginationMetadata, error) {
Merge pull request from GHSA-pr2g-j78h-84cr * Fix access control issues with users * Fix access control issues with packs * Fix access control issues with software * Changes suggested by Martin * All users can access the global schedule * Restrict access to activities * Add explicit test for team admin escalation vuln * All global users should be able to read all software * Handbook editor pass - Security - GitHub Security (#5108) * Update security.md All edits are recorded by line: 395 replaced “open-source” with “open source” 411 replaced “open-source” with “open source” 439 added “the” before “comment”; replaced “repositories,” with “repositories” 445 deleted “being” before “located” 458 added “and” after “PR” 489 replaced “on” with “in” 493 replaced “open-source” with “open source”; Replaced “privileges,” with “privileges” * Update security.md line 479 * Update security.md added (static analysis tools used to identify problems in code) to line 479 * Fix UI * Fix UI * revert api v1 to latest in documentation (#5149) * revert api v1 to latest in documentation * Update fleetctl doc page Co-authored-by: Noah Talerman <noahtal@umich.edu> * Add team admin team policy automation; fix e2e * Update to company page of the handbook (#5164) Updated "Why do we use a wireframe-first approach?" section of company.md * removed extra data on smaller screens (#5154) * Update for team automations; e2e * Jira Integration: Cypress e2e tests only (#5055) * Update company.md (#5170) This is to update the formatting under "empathy" and to fix the spelling of "help text." This was done as per @mikermcneil . This is related to #https://github.com/fleetdm/fleet/pull/4941 and https://github.com/fleetdm/fleet/issues/4902 * fix update updated_at for aggregated_stats (#5112) Update the updated_at column when using ON DUPLICATE UPDATE so that the counts_updated_at is up to date * basic sql formatting in code ie whitespace around operators * Fix e2e test * Fix tests in server/authz Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com> Co-authored-by: Desmi-Dizney <99777687+Desmi-Dizney@users.noreply.github.com> Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com> Co-authored-by: Noah Talerman <noahtal@umich.edu> Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com> Co-authored-by: Martavis Parker <47053705+martavis@users.noreply.github.com> Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
2022-04-18 17:27:30 +00:00
if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{
TeamID: opt.TeamID,
}, fleet.ActionRead); err != nil {
Add pagination meta to software versions endpoint (#15550)
2023-12-12 18:24:20 +00:00
return nil, nil, err
Implement fleetctl get software and the underlying API (#1999) * Implement fleetctl get software and the underlying API * Add documentation * Simplify list software implementation * Lint fixes * Make team name unique * Address review comments * Fix lint * Fix tests
2021-09-14 13:58:48 +00:00
}
Add Software Vulnerability Filters (#21312)
2024-08-15 18:36:47 +00:00
// Vulnerability filters are only available in premium (opt.IncludeCVEScores is only true in premium)
Fixed bug when using `without_vulnerability_details` and vulnerability filters (#24769) https://github.com/fleetdm/fleet/issues/24765 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated tests
2024-12-13 22:39:21 +00:00
lic, err := svc.License(ctx)
if err != nil {
return nil, nil, err
}
if !lic.IsPremium() && (opt.MaximumCVSS > 0 || opt.MinimumCVSS > 0 || opt.KnownExploit) {
Add Software Vulnerability Filters (#21312)
2024-08-15 18:36:47 +00:00
return nil, nil, fleet.ErrMissingLicense
}
Add `hosts_count` field to "list software" endpoint (#3873)
2022-01-26 14:47:56 +00:00
// default sort order to hosts_count descending
Added ListOptions validation to fleet/software endpoint. (#14838) #14554 For the following endpoints: /api/v1/fleet/software /api/v1/fleet/software/count - added validation on `page`, `per_page`, `order_key`, `order_direction` -- invalid values will now return 400 HTTP status code # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2023-11-01 14:56:27 +00:00
if opt.ListOptions.OrderKey == "" {
opt.ListOptions.OrderKey = "hosts_count"
opt.ListOptions.OrderDirection = fleet.OrderDescending
Add `hosts_count` field to "list software" endpoint (#3873)
2022-01-26 14:47:56 +00:00
}
opt.WithHostCounts = true
Include CVE scores when listing software (#5673)
2022-05-20 16:58:40 +00:00
Add pagination meta to software versions endpoint (#15550)
2023-12-12 18:24:20 +00:00
softwares, meta, err := svc.ds.ListSoftware(ctx, opt)
Include CVE scores when listing software (#5673)
2022-05-20 16:58:40 +00:00
if err != nil {
Add pagination meta to software versions endpoint (#15550)
2023-12-12 18:24:20 +00:00
return nil, nil, err
Include CVE scores when listing software (#5673)
2022-05-20 16:58:40 +00:00
}
Add pagination meta to software versions endpoint (#15550)
2023-12-12 18:24:20 +00:00
return softwares, meta, nil
Include CVE scores when listing software (#5673)
2022-05-20 16:58:40 +00:00
}
/////////////////////////////////////////////////////////////////////////////////
// Get Software
/////////////////////////////////////////////////////////////////////////////////
type getSoftwareRequest struct {
Add team filter to software detail APIs (#16876) #16787
2024-02-18 13:14:20 +00:00
ID uint `url:"id"`
Add `renameto` tags to prepare for deprecating team and query API params (#39847) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** For #39344 # Details As a first step to deprecating API params like `team_id` in favor of `fleet_id` and `query_id` in favor of `report_id`, this PR adds `renameto` tags to all deprecated keys. There is no logic in this PR to actually use these tags in any way. The logic and test fixes will be in the next PR, but in the interest of keeping things manageable I'm pushing this out first. There were definitely params with "query" in them that we don't want to change (mainly osquery-related), and I think I kept them all out but it's worth double-checking here. The team -> fleet changes are pretty safe in comparison. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. Deferring changelog to PR with logic changes ## Testing - [ ] Added/updated automated tests This should be a no-op. All existing tests shoud pass. - [X] QA'd all new/changed functionality manually
2026-02-17 16:00:59 +00:00
TeamID *uint `query:"team_id,optional" renameto:"fleet_id"`
Include CVE scores when listing software (#5673)
2022-05-20 16:58:40 +00:00
}
type getSoftwareResponse struct {
Software *fleet.Software `json:"software,omitempty"`
Err error `json:"error,omitempty"`
}
Refactoring service layer. Part 1 (#25945) Refactoring some functionality out of the service package so it can be reused by a different service package. - auth middleware - logging errors No functional changes.
2025-02-03 17:23:26 +00:00
func (r getSoftwareResponse) Error() error { return r.Err }
Include CVE scores when listing software (#5673)
2022-05-20 16:58:40 +00:00
service.errorer to fleet.Errorer (#26362)
2025-02-14 22:19:34 +00:00
func getSoftwareEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
Include CVE scores when listing software (#5673)
2022-05-20 16:58:40 +00:00
req := request.(*getSoftwareRequest)
Add team filter to software detail APIs (#16876) #16787
2024-02-18 13:14:20 +00:00
software, err := svc.SoftwareByID(ctx, req.ID, req.TeamID, false)
Include CVE scores when listing software (#5673)
2022-05-20 16:58:40 +00:00
if err != nil {
return getSoftwareResponse{Err: err}, nil
}
return getSoftwareResponse{Software: software}, nil
}
Add team filter to software detail APIs (#16876) #16787
2024-02-18 13:14:20 +00:00
func (svc *Service) SoftwareByID(ctx context.Context, id uint, teamID *uint, includeCVEScores bool) (*fleet.Software, error) {
Fixing tests. (#17073) Fixed failing tests after recent merge with main. Also includes updated migration date.
2024-02-22 22:03:13 +00:00
if err := svc.authz.Authorize(ctx, &fleet.Host{TeamID: teamID}, fleet.ActionList); err != nil {
Include CVE scores when listing software (#5673)
2022-05-20 16:58:40 +00:00
return nil, err
}
Add No Team to Software Backend (#20822)
2024-07-30 17:19:05 +00:00
if teamID != nil && *teamID > 0 {
Fixing tests. (#17073) Fixed failing tests after recent merge with main. Also includes updated migration date.
2024-02-22 22:03:13 +00:00
// This auth check ensures we return 403 if the user doesn't have access to the team
if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{TeamID: teamID}, fleet.ActionRead); err != nil {
return nil, err
}
Add team filter to software detail APIs (#16876) #16787
2024-02-18 13:14:20 +00:00
exists, err := svc.ds.TeamExists(ctx, *teamID)
if err != nil {
return nil, ctxerr.Wrap(ctx, err, "checking if team exists")
} else if !exists {
Update backend error messages (#40364) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** For #40348 # Details This PR updates a number of error message on the server to use `fleet` and `report` instead of `team` or `query` where applicable. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. this is all internal, i don't think it warrants a changelog ## Testing - [X] Added/updated automated tests - [ ] QA'd all new/changed functionality manually I did not go trying to trigger all these errors. It's text changes.
2026-02-25 19:54:45 +00:00
return nil, fleet.NewInvalidArgumentError("team_id/fleet_id", fmt.Sprintf("fleet %d does not exist", *teamID)).
Fixing tests. (#17073) Fixed failing tests after recent merge with main. Also includes updated migration date.
2024-02-22 22:03:13 +00:00
WithStatus(http.StatusNotFound)
Add team filter to software detail APIs (#16876) #16787
2024-02-18 13:14:20 +00:00
}
}
add permission check to software titles/versions endpoints (#16561) relates to #16052 This adds a team permission check the `GET software/titles/:id` endpoint. If the user should not be able to get the software title if it is not on a host that is on the same team as the user (e.g. software title 1 is on host 1, which is on team 1. A user who is only on team 2 should get a 403 response) The UI is also updated to show the access denied error page when the we receive a 403 response for the software title <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Roberto Dip <dip.jesusr@gmail.com> Co-authored-by: Roberto Dip <me@roperzh.com>
2024-02-15 20:22:27 +00:00
vc, ok := viewer.FromContext(ctx)
if !ok {
return nil, fleet.ErrNoContext
}
Fleet UI: Allow users from other teams to see software title name (#32277) ## Issue Closes #30340 ## Description - Switching teams was dropping software name in the list host API if the team did not have that software title - Allow teams without a software title access to software title name - Also fixes FE to use `display_name` over `name` in host table filter UI # Checklist for submitter ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually --------- Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
2026-01-26 23:11:59 +00:00
// NOTE: The following logic relaxes the restriction so that software metadata (e.g. id, name)
// can be returned even if the requesting user does not have permission to view any hosts where the software
// is installed. However, host-specific information remains protected and is only available if the
// user is authorized for the relevant teams. This ensures basic metadata visibility across all users
// while preserving team-based access control for sensitive, host-linked data.
Merge branch 'main' into 15919-vulnerabilities-page
2024-02-21 18:42:21 +00:00
software, err := svc.ds.SoftwareByID(ctx, id, teamID, includeCVEScores, &fleet.TeamFilter{
add permission check to software titles/versions endpoints (#16561) relates to #16052 This adds a team permission check the `GET software/titles/:id` endpoint. If the user should not be able to get the software title if it is not on a host that is on the same team as the user (e.g. software title 1 is on host 1, which is on team 1. A user who is only on team 2 should get a 403 response) The UI is also updated to show the access denied error page when the we receive a 403 response for the software title <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Roberto Dip <dip.jesusr@gmail.com> Co-authored-by: Roberto Dip <me@roperzh.com>
2024-02-15 20:22:27 +00:00
User: vc.User,
IncludeObserver: true,
})
Include CVE scores when listing software (#5673)
2022-05-20 16:58:40 +00:00
if err != nil {
Fixing tests. (#17073) Fixed failing tests after recent merge with main. Also includes updated migration date.
2024-02-22 22:03:13 +00:00
if fleet.IsNotFound(err) && teamID == nil {
add permission check to software titles/versions endpoints (#16561) relates to #16052 This adds a team permission check the `GET software/titles/:id` endpoint. If the user should not be able to get the software title if it is not on a host that is on the same team as the user (e.g. software title 1 is on host 1, which is on team 1. A user who is only on team 2 should get a 403 response) The UI is also updated to show the access denied error page when the we receive a 403 response for the software title <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Roberto Dip <dip.jesusr@gmail.com> Co-authored-by: Roberto Dip <me@roperzh.com>
2024-02-15 20:22:27 +00:00
// here we use a global admin as filter because we want
// to check if the software version exists
filter := fleet.TeamFilter{User: &fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)}}
Fleet UI: Allow users from other teams to see software title name (#32277) ## Issue Closes #30340 ## Description - Switching teams was dropping software name in the list host API if the team did not have that software title - Allow teams without a software title access to software title name - Also fixes FE to use `display_name` over `name` in host table filter UI # Checklist for submitter ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually --------- Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
2026-01-26 23:11:59 +00:00
sw, err := svc.ds.SoftwareByID(ctx, id, teamID, includeCVEScores, &filter)
if err != nil {
// Not found anywhere
return nil, ctxerr.Wrap(ctx, err, "software not found for any team")
add permission check to software titles/versions endpoints (#16561) relates to #16052 This adds a team permission check the `GET software/titles/:id` endpoint. If the user should not be able to get the software title if it is not on a host that is on the same team as the user (e.g. software title 1 is on host 1, which is on team 1. A user who is only on team 2 should get a 403 response) The UI is also updated to show the access denied error page when the we receive a 403 response for the software title <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Roberto Dip <dip.jesusr@gmail.com> Co-authored-by: Roberto Dip <me@roperzh.com>
2024-02-15 20:22:27 +00:00
}
Fleet UI: Allow users from other teams to see software title name (#32277) ## Issue Closes #30340 ## Description - Switching teams was dropping software name in the list host API if the team did not have that software title - Allow teams without a software title access to software title name - Also fixes FE to use `display_name` over `name` in host table filter UI # Checklist for submitter ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually --------- Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
2026-01-26 23:11:59 +00:00
// Found, but user has no permission to hosts it's installed on.
// Instead of PermissionError, return a stub with the name.
stub := &fleet.Software{
ID: id,
Name: sw.Name,
}
return stub, nil
add permission check to software titles/versions endpoints (#16561) relates to #16052 This adds a team permission check the `GET software/titles/:id` endpoint. If the user should not be able to get the software title if it is not on a host that is on the same team as the user (e.g. software title 1 is on host 1, which is on team 1. A user who is only on team 2 should get a 403 response) The UI is also updated to show the access denied error page when the we receive a 403 response for the software title <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Roberto Dip <dip.jesusr@gmail.com> Co-authored-by: Roberto Dip <me@roperzh.com>
2024-02-15 20:22:27 +00:00
}
return nil, ctxerr.Wrap(ctx, err, "getting software version by id")
Include CVE scores when listing software (#5673)
2022-05-20 16:58:40 +00:00
}
return software, nil
Implement fleetctl get software and the underlying API (#1999) * Implement fleetctl get software and the underlying API * Add documentation * Simplify list software implementation * Lint fixes * Make team name unique * Address review comments * Fix lint * Fix tests
2021-09-14 13:58:48 +00:00
}
Add software count API (#3105) * Add software count API * Fix makefile * Fine no mock generating at this point * Actually, one last try * Use go install instead * Fix go sum/mod * Improve documentation * Try setting node to 14
2021-12-03 13:54:17 +00:00
Return light software metadata when listing hosts filtered by software present only on a different team (#42519) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #39190 https://www.loom.com/share/3c1828f03c584756b7ed8f3ba75a1038 <img width="1840" height="1196" alt="Screenshot 2026-03-30 at 1 08 32 PM" src="https://github.com/user-attachments/assets/592c9396-65b4-4723-99e7-63f9ee0264c1" /> - [x] Changes file added for user-visible changes in `changes/` - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Resolved host filtering by software version when the version is not available on the selected team; now returns software information instead of an error. * Fixed a related UI issue caused by the original filtering behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-31 04:33:21 +00:00
func (svc *Service) SoftwareLiteByID(
ctx context.Context,
id uint,
) (fleet.SoftwareLite, error) {
if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{}, fleet.ActionRead); err != nil {
return fleet.SoftwareLite{}, err
}
swLite, err := svc.ds.SoftwareLiteByID(ctx, id)
if err != nil {
return fleet.SoftwareLite{}, err
}
return swLite, nil
}
Add software count API (#3105) * Add software count API * Fix makefile * Fine no mock generating at this point * Actually, one last try * Use go install instead * Fix go sum/mod * Improve documentation * Try setting node to 14
2021-12-03 13:54:17 +00:00
/////////////////////////////////////////////////////////////////////////////////
// Count
/////////////////////////////////////////////////////////////////////////////////
type countSoftwareRequest struct {
fleet.SoftwareListOptions
}
type countSoftwareResponse struct {
Count int `json:"count"`
Err error `json:"error,omitempty"`
}
Refactoring service layer. Part 1 (#25945) Refactoring some functionality out of the service package so it can be reused by a different service package. - auth middleware - logging errors No functional changes.
2025-02-03 17:23:26 +00:00
func (r countSoftwareResponse) Error() error { return r.Err }
Add software count API (#3105) * Add software count API * Fix makefile * Fine no mock generating at this point * Actually, one last try * Use go install instead * Fix go sum/mod * Improve documentation * Try setting node to 14
2021-12-03 13:54:17 +00:00
Updating golangci-lint to 1.61.0 (#22973)
2024-10-18 17:38:26 +00:00
// Deprecated: counts are now included directly in the listSoftwareVersionsResponse. This
Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)
2023-12-06 14:30:49 +00:00
// endpoint is retained for backwards compatibility.
service.errorer to fleet.Errorer (#26362)
2025-02-14 22:19:34 +00:00
func countSoftwareEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
Add software count API (#3105) * Add software count API * Fix makefile * Fine no mock generating at this point * Actually, one last try * Use go install instead * Fix go sum/mod * Improve documentation * Try setting node to 14
2021-12-03 13:54:17 +00:00
req := request.(*countSoftwareRequest)
count, err := svc.CountSoftware(ctx, req.SoftwareListOptions)
if err != nil {
return countSoftwareResponse{Err: err}, nil
}
return countSoftwareResponse{Count: count}, nil
}
func (svc Service) CountSoftware(ctx context.Context, opt fleet.SoftwareListOptions) (int, error) {
Merge pull request from GHSA-pr2g-j78h-84cr * Fix access control issues with users * Fix access control issues with packs * Fix access control issues with software * Changes suggested by Martin * All users can access the global schedule * Restrict access to activities * Add explicit test for team admin escalation vuln * All global users should be able to read all software * Handbook editor pass - Security - GitHub Security (#5108) * Update security.md All edits are recorded by line: 395 replaced “open-source” with “open source” 411 replaced “open-source” with “open source” 439 added “the” before “comment”; replaced “repositories,” with “repositories” 445 deleted “being” before “located” 458 added “and” after “PR” 489 replaced “on” with “in” 493 replaced “open-source” with “open source”; Replaced “privileges,” with “privileges” * Update security.md line 479 * Update security.md added (static analysis tools used to identify problems in code) to line 479 * Fix UI * Fix UI * revert api v1 to latest in documentation (#5149) * revert api v1 to latest in documentation * Update fleetctl doc page Co-authored-by: Noah Talerman <noahtal@umich.edu> * Add team admin team policy automation; fix e2e * Update to company page of the handbook (#5164) Updated "Why do we use a wireframe-first approach?" section of company.md * removed extra data on smaller screens (#5154) * Update for team automations; e2e * Jira Integration: Cypress e2e tests only (#5055) * Update company.md (#5170) This is to update the formatting under "empathy" and to fix the spelling of "help text." This was done as per @mikermcneil . This is related to #https://github.com/fleetdm/fleet/pull/4941 and https://github.com/fleetdm/fleet/issues/4902 * fix update updated_at for aggregated_stats (#5112) Update the updated_at column when using ON DUPLICATE UPDATE so that the counts_updated_at is up to date * basic sql formatting in code ie whitespace around operators * Fix e2e test * Fix tests in server/authz Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com> Co-authored-by: Desmi-Dizney <99777687+Desmi-Dizney@users.noreply.github.com> Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com> Co-authored-by: Noah Talerman <noahtal@umich.edu> Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com> Co-authored-by: Martavis Parker <47053705+martavis@users.noreply.github.com> Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
2022-04-18 17:27:30 +00:00
if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{
TeamID: opt.TeamID,
}, fleet.ActionRead); err != nil {
Add software count API (#3105) * Add software count API * Fix makefile * Fine no mock generating at this point * Actually, one last try * Use go install instead * Fix go sum/mod * Improve documentation * Try setting node to 14
2021-12-03 13:54:17 +00:00
return 0, err
}
Add Software Vulnerability Filters (#21312)
2024-08-15 18:36:47 +00:00
lic, err := svc.License(ctx)
if err != nil {
return 0, ctxerr.Wrap(ctx, err, "get license")
}
// Vulnerability filters are only available in premium
if !lic.IsPremium() && (opt.MaximumCVSS > 0 || opt.MinimumCVSS > 0 || opt.KnownExploit) {
return 0, fleet.ErrMissingLicense
}
Bugfix: add filter to counts (#21411)
2024-08-19 22:55:59 +00:00
// required for vulnerability filters
if lic.IsPremium() {
opt.IncludeCVEScores = true
}
Add software count API (#3105) * Add software count API * Fix makefile * Fine no mock generating at this point * Actually, one last try * Use go install instead * Fix go sum/mod * Improve documentation * Try setting node to 14
2021-12-03 13:54:17 +00:00
return svc.ds.CountSoftware(ctx, opt)
}
Reference in a new issue Copy permalink