fleet/server/service/software.go

package service

import (
	"context"
	"fmt"
	"net/http"
	"time"

	"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"

	"github.com/fleetdm/fleet/v4/server/contexts/viewer"
	"github.com/fleetdm/fleet/v4/server/fleet"
	"github.com/fleetdm/fleet/v4/server/ptr"
)

/////////////////////////////////////////////////////////////////////////////////
// List
/////////////////////////////////////////////////////////////////////////////////

type listSoftwareRequest struct {
	fleet.SoftwareListOptions
}

// Deprecated: listSoftwareResponse is the response struct for the deprecated
// listSoftwareEndpoint. It differs from listSoftwareVersionsResponse in that
// the latter includes a count of the total number of software items.
type listSoftwareResponse struct {
	CountsUpdatedAt *time.Time       `json:"counts_updated_at"`
	Software        []fleet.Software `json:"software,omitempty"`
	Err             error            `json:"error,omitempty"`
}

func (r listSoftwareResponse) Error() error { return r.Err }

// Deprecated: use listSoftwareVersionsEndpoint instead
func listSoftwareEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
	req := request.(*listSoftwareRequest)
	resp, _, err := svc.ListSoftware(ctx, req.SoftwareListOptions)
	if err != nil {
		return listSoftwareResponse{Err: err}, nil
	}

	// calculate the latest counts_updated_at
	var latest time.Time
	for _, sw := range resp {
		if !sw.CountsUpdatedAt.IsZero() && sw.CountsUpdatedAt.After(latest) {
			latest = sw.CountsUpdatedAt
		}
	}
	listResp := listSoftwareResponse{Software: resp}
	if !latest.IsZero() {
		listResp.CountsUpdatedAt = &latest
	}

	return listResp, nil
}

type listSoftwareVersionsResponse struct {
	Count           int                       `json:"count"`
	CountsUpdatedAt *time.Time                `json:"counts_updated_at"`
	Software        []fleet.Software          `json:"software,omitempty"`
	Meta            *fleet.PaginationMetadata `json:"meta"`
	Err             error                     `json:"error,omitempty"`
}

func (r listSoftwareVersionsResponse) Error() error { return r.Err }

func listSoftwareVersionsEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
	req := request.(*listSoftwareRequest)

	// always include pagination for new software versions endpoint (not included by default in
	// legacy endpoint for backwards compatibility)
	req.SoftwareListOptions.ListOptions.IncludeMetadata = true

	resp, meta, err := svc.ListSoftware(ctx, req.SoftwareListOptions)
	if err != nil {
		return listSoftwareVersionsResponse{Err: err}, nil
	}

	// calculate the latest counts_updated_at
	var latest time.Time
	for _, sw := range resp {
		if !sw.CountsUpdatedAt.IsZero() && sw.CountsUpdatedAt.After(latest) {
			latest = sw.CountsUpdatedAt
		}
	}
	listResp := listSoftwareVersionsResponse{Software: resp, Meta: meta}
	if !latest.IsZero() {
		listResp.CountsUpdatedAt = &latest
	}

	c, err := svc.CountSoftware(ctx, req.SoftwareListOptions)
	if err != nil {
		return listSoftwareVersionsResponse{Err: err}, nil
	}
	listResp.Count = c

	return listResp, nil
}

func (svc *Service) ListSoftware(ctx context.Context, opt fleet.SoftwareListOptions) ([]fleet.Software, *fleet.PaginationMetadata, error) {
	if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{
		TeamID: opt.TeamID,
	}, fleet.ActionRead); err != nil {
		return nil, nil, err
	}

	// Vulnerability filters are only available in premium (opt.IncludeCVEScores is only true in premium)
	lic, err := svc.License(ctx)
	if err != nil {
		return nil, nil, err
	}
	if !lic.IsPremium() && (opt.MaximumCVSS > 0 || opt.MinimumCVSS > 0 || opt.KnownExploit) {
		return nil, nil, fleet.ErrMissingLicense
	}

	// default sort order to hosts_count descending
	if opt.ListOptions.OrderKey == "" {
		opt.ListOptions.OrderKey = "hosts_count"
		opt.ListOptions.OrderDirection = fleet.OrderDescending
	}
	opt.WithHostCounts = true

	softwares, meta, err := svc.ds.ListSoftware(ctx, opt)
	if err != nil {
		return nil, nil, err
	}

	return softwares, meta, nil
}

/////////////////////////////////////////////////////////////////////////////////
// Get Software
/////////////////////////////////////////////////////////////////////////////////

type getSoftwareRequest struct {
	ID     uint  `url:"id"`
	TeamID *uint `query:"team_id,optional"`
}

type getSoftwareResponse struct {
	Software *fleet.Software `json:"software,omitempty"`
	Err      error           `json:"error,omitempty"`
}

func (r getSoftwareResponse) Error() error { return r.Err }

func getSoftwareEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
	req := request.(*getSoftwareRequest)

	software, err := svc.SoftwareByID(ctx, req.ID, req.TeamID, false)
	if err != nil {
		return getSoftwareResponse{Err: err}, nil
	}

	return getSoftwareResponse{Software: software}, nil
}

func (svc *Service) SoftwareByID(ctx context.Context, id uint, teamID *uint, includeCVEScores bool) (*fleet.Software, error) {
	if err := svc.authz.Authorize(ctx, &fleet.Host{TeamID: teamID}, fleet.ActionList); err != nil {
		return nil, err
	}

	if teamID != nil && *teamID > 0 {
		// This auth check ensures we return 403 if the user doesn't have access to the team
		if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{TeamID: teamID}, fleet.ActionRead); err != nil {
			return nil, err
		}
		exists, err := svc.ds.TeamExists(ctx, *teamID)
		if err != nil {
			return nil, ctxerr.Wrap(ctx, err, "checking if team exists")
		} else if !exists {
			return nil, fleet.NewInvalidArgumentError("team_id", fmt.Sprintf("team %d does not exist", *teamID)).
				WithStatus(http.StatusNotFound)
		}
	}
	vc, ok := viewer.FromContext(ctx)
	if !ok {
		return nil, fleet.ErrNoContext
	}

	software, err := svc.ds.SoftwareByID(ctx, id, teamID, includeCVEScores, &fleet.TeamFilter{
		User:            vc.User,
		IncludeObserver: true,
	})
	if err != nil {
		if fleet.IsNotFound(err) && teamID == nil {
			// here we use a global admin as filter because we want
			// to check if the software version exists
			filter := fleet.TeamFilter{User: &fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)}}

			if _, err = svc.ds.SoftwareByID(ctx, id, teamID, includeCVEScores, &filter); err != nil {
				return nil, ctxerr.Wrap(ctx, err, "checked using a global admin")
			}

			return nil, fleet.NewPermissionError("Error: You don’t have permission to view specified software. It is installed on hosts that belong to team you don’t have permissions to view.")
		}

		return nil, ctxerr.Wrap(ctx, err, "getting software version by id")
	}

	return software, nil
}

/////////////////////////////////////////////////////////////////////////////////
// Count
/////////////////////////////////////////////////////////////////////////////////

type countSoftwareRequest struct {
	fleet.SoftwareListOptions
}

type countSoftwareResponse struct {
	Count int   `json:"count"`
	Err   error `json:"error,omitempty"`
}

func (r countSoftwareResponse) Error() error { return r.Err }

// Deprecated: counts are now included directly in the listSoftwareVersionsResponse. This
// endpoint is retained for backwards compatibility.
func countSoftwareEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
	req := request.(*countSoftwareRequest)
	count, err := svc.CountSoftware(ctx, req.SoftwareListOptions)
	if err != nil {
		return countSoftwareResponse{Err: err}, nil
	}
	return countSoftwareResponse{Count: count}, nil
}

func (svc Service) CountSoftware(ctx context.Context, opt fleet.SoftwareListOptions) (int, error) {
	if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{
		TeamID: opt.TeamID,
	}, fleet.ActionRead); err != nil {
		return 0, err
	}

	lic, err := svc.License(ctx)
	if err != nil {
		return 0, ctxerr.Wrap(ctx, err, "get license")
	}

	// Vulnerability filters are only available in premium
	if !lic.IsPremium() && (opt.MaximumCVSS > 0 || opt.MinimumCVSS > 0 || opt.KnownExploit) {
		return 0, fleet.ErrMissingLicense
	}

	// required for vulnerability filters
	if lic.IsPremium() {
		opt.IncludeCVEScores = true
	}

	return svc.ds.CountSoftware(ctx, opt)
}
-												Implement fleetctl get software and the underlying API (#1999)

* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
											
										
										
											2021-09-14 13:58:48 +00:00
+								package service
 								import (
 									"context"
-												Fixing tests. (#17073)

Fixed failing tests after recent merge with main.
Also includes updated migration date.
											
										
										
											2024-02-22 22:03:13 +00:00
+									"fmt"
 									"net/http"
-												Add `hosts_count` field to "list software" endpoint (#3873)


											
										
										
											2022-01-26 14:47:56 +00:00
+									"time"
-												Implement fleetctl get software and the underlying API (#1999)

* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
											
										
										
											2021-09-14 13:58:48 +00:00
-												Add team filter to software detail APIs (#16876)

#16787
											
										
										
											2024-02-18 13:14:20 +00:00
+									"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
-												Implement fleetctl get software and the underlying API (#1999)

* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
											
										
										
											2021-09-14 13:58:48 +00:00
-												add permission check to software titles/versions endpoints (#16561)

relates to #16052

This adds a team permission check the `GET software/titles/:id`
endpoint. If the user should not be able to get the software title if it
is not on a host that is on the same team as the user (e.g. software
title 1 is on host 1, which is on team 1. A user who is only on team 2
should get a 403 response)

The UI is also updated to show the access denied error page when the we
receive a 403 response for the software title

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality

---------

Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
Co-authored-by: Roberto Dip <me@roperzh.com>
											
										
										
											2024-02-15 20:22:27 +00:00
+									"github.com/fleetdm/fleet/v4/server/contexts/viewer"
-												Implement fleetctl get software and the underlying API (#1999)

* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
											
										
										
											2021-09-14 13:58:48 +00:00
+									"github.com/fleetdm/fleet/v4/server/fleet"
-												add permission check to software titles/versions endpoints (#16561)

relates to #16052

This adds a team permission check the `GET software/titles/:id`
endpoint. If the user should not be able to get the software title if it
is not on a host that is on the same team as the user (e.g. software
title 1 is on host 1, which is on team 1. A user who is only on team 2
should get a 403 response)

The UI is also updated to show the access denied error page when the we
receive a 403 response for the software title

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality

---------

Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
Co-authored-by: Roberto Dip <me@roperzh.com>
											
										
										
											2024-02-15 20:22:27 +00:00
+									"github.com/fleetdm/fleet/v4/server/ptr"
-												Implement fleetctl get software and the underlying API (#1999)

* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
											
										
										
											2021-09-14 13:58:48 +00:00
+								)
 								/////////////////////////////////////////////////////////////////////////////////
 								// List
 								/////////////////////////////////////////////////////////////////////////////////
 								type listSoftwareRequest struct {
-												Add vulnerable filter for software and also wire up the query search (#2604)

* Add vulnerable filter for software and also wire up the query search

* Add documentation

* Update to use software list options
											
										
										
											2021-10-20 21:01:20 +00:00
+									fleet.SoftwareListOptions
-												Implement fleetctl get software and the underlying API (#1999)

* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
											
										
										
											2021-09-14 13:58:48 +00:00
+								}
-												Updating golangci-lint to 1.61.0 (#22973)


											
										
										
											2024-10-18 17:38:26 +00:00
+								// Deprecated: listSoftwareResponse is the response struct for the deprecated
-												Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)


											
										
										
											2023-12-06 14:30:49 +00:00
+								// listSoftwareEndpoint. It differs from listSoftwareVersionsResponse in that
 								// the latter includes a count of the total number of software items.
-												Implement fleetctl get software and the underlying API (#1999)

* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
											
										
										
											2021-09-14 13:58:48 +00:00
+								type listSoftwareResponse struct {
-												Return a null timestamp when there are no software counts available (#3955)


											
										
										
											2022-01-31 22:08:03 +00:00
+									CountsUpdatedAt *time.Time       `json:"counts_updated_at"`
-												Add `hosts_count` field to "list software" endpoint (#3873)


											
										
										
											2022-01-26 14:47:56 +00:00
+									Software        []fleet.Software `json:"software,omitempty"`
 									Err             error            `json:"error,omitempty"`
-												Implement fleetctl get software and the underlying API (#1999)

* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
											
										
										
											2021-09-14 13:58:48 +00:00
+								}
-												Refactoring service layer. Part 1 (#25945)

Refactoring some functionality out of the service package so it can be
reused by a different service package.
- auth middleware
- logging errors

No functional changes.
											
										
										
											2025-02-03 17:23:26 +00:00
+								func (r listSoftwareResponse) Error() error { return r.Err }
-												Implement fleetctl get software and the underlying API (#1999)

* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
											
										
										
											2021-09-14 13:58:48 +00:00
-												Updating golangci-lint to 1.61.0 (#22973)


											
										
										
											2024-10-18 17:38:26 +00:00
+								// Deprecated: use listSoftwareVersionsEndpoint instead
-												service.errorer to fleet.Errorer (#26362)


											
										
										
											2025-02-14 22:19:34 +00:00
+								func listSoftwareEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
-												Implement fleetctl get software and the underlying API (#1999)

* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
											
										
										
											2021-09-14 13:58:48 +00:00
+									req := request.(*listSoftwareRequest)
-												Add pagination meta to software versions endpoint (#15550)


											
										
										
											2023-12-12 18:24:20 +00:00
+									resp, _, err := svc.ListSoftware(ctx, req.SoftwareListOptions)
-												Implement fleetctl get software and the underlying API (#1999)

* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
											
										
										
											2021-09-14 13:58:48 +00:00
+									if err != nil {
 										return listSoftwareResponse{Err: err}, nil
 									}
-												Add `hosts_count` field to "list software" endpoint (#3873)


											
										
										
											2022-01-26 14:47:56 +00:00
-												Include CVE scores when listing software (#5673)


											
										
										
											2022-05-20 16:58:40 +00:00
+									// calculate the latest counts_updated_at
-												Add `hosts_count` field to "list software" endpoint (#3873)


											
										
										
											2022-01-26 14:47:56 +00:00
+									var latest time.Time
 									for _, sw := range resp {
 										if !sw.CountsUpdatedAt.IsZero() && sw.CountsUpdatedAt.After(latest) {
 											latest = sw.CountsUpdatedAt
 										}
 									}
-												Return a null timestamp when there are no software counts available (#3955)


											
										
										
											2022-01-31 22:08:03 +00:00
+									listResp := listSoftwareResponse{Software: resp}
 									if !latest.IsZero() {
 										listResp.CountsUpdatedAt = &latest
 									}
-												Include CVE scores when listing software (#5673)


											
										
										
											2022-05-20 16:58:40 +00:00
-												Return a null timestamp when there are no software counts available (#3955)


											
										
										
											2022-01-31 22:08:03 +00:00
+									return listResp, nil
-												Implement fleetctl get software and the underlying API (#1999)

* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
											
										
										
											2021-09-14 13:58:48 +00:00
+								}
-												Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)


											
										
										
											2023-12-06 14:30:49 +00:00
+								type listSoftwareVersionsResponse struct {
-												Add pagination meta to software versions endpoint (#15550)


											
										
										
											2023-12-12 18:24:20 +00:00
+									Count           int                       `json:"count"`
 									CountsUpdatedAt *time.Time                `json:"counts_updated_at"`
 									Software        []fleet.Software          `json:"software,omitempty"`
 									Meta            *fleet.PaginationMetadata `json:"meta"`
 									Err             error                     `json:"error,omitempty"`
-												Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)


											
										
										
											2023-12-06 14:30:49 +00:00
+								}
-												Refactoring service layer. Part 1 (#25945)

Refactoring some functionality out of the service package so it can be
reused by a different service package.
- auth middleware
- logging errors

No functional changes.
											
										
										
											2025-02-03 17:23:26 +00:00
+								func (r listSoftwareVersionsResponse) Error() error { return r.Err }
-												Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)


											
										
										
											2023-12-06 14:30:49 +00:00
-												service.errorer to fleet.Errorer (#26362)


											
										
										
											2025-02-14 22:19:34 +00:00
+								func listSoftwareVersionsEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
-												Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)


											
										
										
											2023-12-06 14:30:49 +00:00
+									req := request.(*listSoftwareRequest)
-												Add pagination meta to software versions endpoint (#15550)


											
										
										
											2023-12-12 18:24:20 +00:00
 									// always include pagination for new software versions endpoint (not included by default in
 									// legacy endpoint for backwards compatibility)
 									req.SoftwareListOptions.ListOptions.IncludeMetadata = true
 									resp, meta, err := svc.ListSoftware(ctx, req.SoftwareListOptions)
-												Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)


											
										
										
											2023-12-06 14:30:49 +00:00
+									if err != nil {
 										return listSoftwareVersionsResponse{Err: err}, nil
 									}
 									// calculate the latest counts_updated_at
 									var latest time.Time
 									for _, sw := range resp {
 										if !sw.CountsUpdatedAt.IsZero() && sw.CountsUpdatedAt.After(latest) {
 											latest = sw.CountsUpdatedAt
 										}
 									}
-												Add pagination meta to software versions endpoint (#15550)


											
										
										
											2023-12-12 18:24:20 +00:00
+									listResp := listSoftwareVersionsResponse{Software: resp, Meta: meta}
-												Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)


											
										
										
											2023-12-06 14:30:49 +00:00
+									if !latest.IsZero() {
 										listResp.CountsUpdatedAt = &latest
 									}
 									c, err := svc.CountSoftware(ctx, req.SoftwareListOptions)
 									if err != nil {
 										return listSoftwareVersionsResponse{Err: err}, nil
 									}
 									listResp.Count = c
 									return listResp, nil
 								}
-												Add pagination meta to software versions endpoint (#15550)


											
										
										
											2023-12-12 18:24:20 +00:00
+								func (svc *Service) ListSoftware(ctx context.Context, opt fleet.SoftwareListOptions) ([]fleet.Software, *fleet.PaginationMetadata, error) {
-												Merge pull request from GHSA-pr2g-j78h-84cr

* Fix access control issues with users

* Fix access control issues with packs

* Fix access control issues with software

* Changes suggested by Martin

* All users can access the global schedule

* Restrict access to activities

* Add explicit test for team admin escalation vuln

* All global users should be able to read all software

* Handbook editor pass - Security - GitHub Security (#5108)

* Update security.md

All edits are recorded by line:

395 replaced “open-source” with “open source”
411 replaced “open-source” with “open source”
439 added “the” before “comment”; replaced “repositories,” with “repositories”
445 deleted “being” before “located”
458 added “and” after “PR”
489 replaced “on” with “in”
493 replaced “open-source” with “open source”; Replaced “privileges,” with “privileges”

* Update security.md

line 479

* Update security.md

added (static analysis tools used to identify problems in code) to line 479

* Fix UI

* Fix UI

* revert api v1 to latest in documentation (#5149)

* revert api v1 to latest in documentation

* Update fleetctl doc page

Co-authored-by: Noah Talerman <noahtal@umich.edu>

* Add team admin team policy automation; fix e2e

* Update to company page of the handbook (#5164)

Updated "Why do we use a wireframe-first approach?" section of company.md

* removed extra data on smaller screens (#5154)

* Update for team automations; e2e

* Jira Integration: Cypress e2e tests only (#5055)

* Update company.md (#5170)

This is to update the formatting under "empathy" and to fix the spelling of "help text."
This was done as per @mikermcneil .
This is related to #https://github.com/fleetdm/fleet/pull/4941 and https://github.com/fleetdm/fleet/issues/4902

* fix update updated_at for aggregated_stats (#5112)

Update the updated_at column when using ON DUPLICATE UPDATE so that
the counts_updated_at is up to date

* basic sql formatting in code ie whitespace around operators

* Fix e2e test

* Fix tests in server/authz

Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
Co-authored-by: Desmi-Dizney <99777687+Desmi-Dizney@users.noreply.github.com>
Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com>
Co-authored-by: Noah Talerman <noahtal@umich.edu>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Martavis Parker <47053705+martavis@users.noreply.github.com>
Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
											
										
										
											2022-04-18 17:27:30 +00:00
+									if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{
 										TeamID: opt.TeamID,
 									}, fleet.ActionRead); err != nil {
-												Add pagination meta to software versions endpoint (#15550)


											
										
										
											2023-12-12 18:24:20 +00:00
+										return nil, nil, err
-												Implement fleetctl get software and the underlying API (#1999)

* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
											
										
										
											2021-09-14 13:58:48 +00:00
+									}
-												Add Software Vulnerability Filters (#21312)


											
										
										
											2024-08-15 18:36:47 +00:00
+									// Vulnerability filters are only available in premium (opt.IncludeCVEScores is only true in premium)
-												Fixed bug when using `without_vulnerability_details` and vulnerability filters (#24769)

https://github.com/fleetdm/fleet/issues/24765

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Added/updated tests
											
										
										
											2024-12-13 22:39:21 +00:00
+									lic, err := svc.License(ctx)
 									if err != nil {
 										return nil, nil, err
 									}
 									if !lic.IsPremium() && (opt.MaximumCVSS > 0 || opt.MinimumCVSS > 0 || opt.KnownExploit) {
-												Add Software Vulnerability Filters (#21312)


											
										
										
											2024-08-15 18:36:47 +00:00
+										return nil, nil, fleet.ErrMissingLicense
 									}
-												Add `hosts_count` field to "list software" endpoint (#3873)


											
										
										
											2022-01-26 14:47:56 +00:00
+									// default sort order to hosts_count descending
-												Added ListOptions validation to fleet/software endpoint. (#14838)

#14554 

For the following endpoints:
/api/v1/fleet/software
/api/v1/fleet/software/count
- added validation on `page`, `per_page`, `order_key`, `order_direction`
-- invalid values will now return 400 HTTP status code

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
											
										
										
											2023-11-01 14:56:27 +00:00
+									if opt.ListOptions.OrderKey == "" {
 										opt.ListOptions.OrderKey = "hosts_count"
 										opt.ListOptions.OrderDirection = fleet.OrderDescending
-												Add `hosts_count` field to "list software" endpoint (#3873)


											
										
										
											2022-01-26 14:47:56 +00:00
+									}
 									opt.WithHostCounts = true
-												Include CVE scores when listing software (#5673)


											
										
										
											2022-05-20 16:58:40 +00:00
-												Add pagination meta to software versions endpoint (#15550)


											
										
										
											2023-12-12 18:24:20 +00:00
+									softwares, meta, err := svc.ds.ListSoftware(ctx, opt)
-												Include CVE scores when listing software (#5673)


											
										
										
											2022-05-20 16:58:40 +00:00
+									if err != nil {
-												Add pagination meta to software versions endpoint (#15550)


											
										
										
											2023-12-12 18:24:20 +00:00
+										return nil, nil, err
-												Include CVE scores when listing software (#5673)


											
										
										
											2022-05-20 16:58:40 +00:00
+									}
-												Add pagination meta to software versions endpoint (#15550)


											
										
										
											2023-12-12 18:24:20 +00:00
+									return softwares, meta, nil
-												Include CVE scores when listing software (#5673)


											
										
										
											2022-05-20 16:58:40 +00:00
+								}
 								/////////////////////////////////////////////////////////////////////////////////
 								// Get Software
 								/////////////////////////////////////////////////////////////////////////////////
 								type getSoftwareRequest struct {
-												Add team filter to software detail APIs (#16876)

#16787
											
										
										
											2024-02-18 13:14:20 +00:00
+									ID     uint  `url:"id"`
 									TeamID *uint `query:"team_id,optional"`
-												Include CVE scores when listing software (#5673)


											
										
										
											2022-05-20 16:58:40 +00:00
+								}
 								type getSoftwareResponse struct {
 									Software *fleet.Software `json:"software,omitempty"`
 									Err      error           `json:"error,omitempty"`
 								}
-												Refactoring service layer. Part 1 (#25945)

Refactoring some functionality out of the service package so it can be
reused by a different service package.
- auth middleware
- logging errors

No functional changes.
											
										
										
											2025-02-03 17:23:26 +00:00
+								func (r getSoftwareResponse) Error() error { return r.Err }
-												Include CVE scores when listing software (#5673)


											
										
										
											2022-05-20 16:58:40 +00:00
-												service.errorer to fleet.Errorer (#26362)


											
										
										
											2025-02-14 22:19:34 +00:00
+								func getSoftwareEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
-												Include CVE scores when listing software (#5673)


											
										
										
											2022-05-20 16:58:40 +00:00
+									req := request.(*getSoftwareRequest)
-												Add team filter to software detail APIs (#16876)

#16787
											
										
										
											2024-02-18 13:14:20 +00:00
+									software, err := svc.SoftwareByID(ctx, req.ID, req.TeamID, false)
-												Include CVE scores when listing software (#5673)


											
										
										
											2022-05-20 16:58:40 +00:00
+									if err != nil {
 										return getSoftwareResponse{Err: err}, nil
 									}
 									return getSoftwareResponse{Software: software}, nil
 								}
-												Add team filter to software detail APIs (#16876)

#16787
											
										
										
											2024-02-18 13:14:20 +00:00
+								func (svc *Service) SoftwareByID(ctx context.Context, id uint, teamID *uint, includeCVEScores bool) (*fleet.Software, error) {
-												Fixing tests. (#17073)

Fixed failing tests after recent merge with main.
Also includes updated migration date.
											
										
										
											2024-02-22 22:03:13 +00:00
+									if err := svc.authz.Authorize(ctx, &fleet.Host{TeamID: teamID}, fleet.ActionList); err != nil {
-												Include CVE scores when listing software (#5673)


											
										
										
											2022-05-20 16:58:40 +00:00
+										return nil, err
 									}
-												Add No Team to Software Backend (#20822)


											
										
										
											2024-07-30 17:19:05 +00:00
+									if teamID != nil && *teamID > 0 {
-												Fixing tests. (#17073)

Fixed failing tests after recent merge with main.
Also includes updated migration date.
											
										
										
											2024-02-22 22:03:13 +00:00
+										// This auth check ensures we return 403 if the user doesn't have access to the team
 										if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{TeamID: teamID}, fleet.ActionRead); err != nil {
 											return nil, err
 										}
-												Add team filter to software detail APIs (#16876)

#16787
											
										
										
											2024-02-18 13:14:20 +00:00
+										exists, err := svc.ds.TeamExists(ctx, *teamID)
 										if err != nil {
 											return nil, ctxerr.Wrap(ctx, err, "checking if team exists")
 										} else if !exists {
-												Fixing tests. (#17073)

Fixed failing tests after recent merge with main.
Also includes updated migration date.
											
										
										
											2024-02-22 22:03:13 +00:00
+											return nil, fleet.NewInvalidArgumentError("team_id", fmt.Sprintf("team %d does not exist", *teamID)).
 												WithStatus(http.StatusNotFound)
-												Add team filter to software detail APIs (#16876)

#16787
											
										
										
											2024-02-18 13:14:20 +00:00
+										}
 									}
-												add permission check to software titles/versions endpoints (#16561)

relates to #16052

This adds a team permission check the `GET software/titles/:id`
endpoint. If the user should not be able to get the software title if it
is not on a host that is on the same team as the user (e.g. software
title 1 is on host 1, which is on team 1. A user who is only on team 2
should get a 403 response)

The UI is also updated to show the access denied error page when the we
receive a 403 response for the software title

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality

---------

Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
Co-authored-by: Roberto Dip <me@roperzh.com>
											
										
										
											2024-02-15 20:22:27 +00:00
+									vc, ok := viewer.FromContext(ctx)
 									if !ok {
 										return nil, fleet.ErrNoContext
 									}
-												Merge branch 'main' into 15919-vulnerabilities-page

											
										
										
											2024-02-21 18:42:21 +00:00
+									software, err := svc.ds.SoftwareByID(ctx, id, teamID, includeCVEScores, &fleet.TeamFilter{
-												add permission check to software titles/versions endpoints (#16561)

relates to #16052

This adds a team permission check the `GET software/titles/:id`
endpoint. If the user should not be able to get the software title if it
is not on a host that is on the same team as the user (e.g. software
title 1 is on host 1, which is on team 1. A user who is only on team 2
should get a 403 response)

The UI is also updated to show the access denied error page when the we
receive a 403 response for the software title

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality

---------

Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
Co-authored-by: Roberto Dip <me@roperzh.com>
											
										
										
											2024-02-15 20:22:27 +00:00
+										User:            vc.User,
 										IncludeObserver: true,
 									})
-												Include CVE scores when listing software (#5673)


											
										
										
											2022-05-20 16:58:40 +00:00
+									if err != nil {
-												Fixing tests. (#17073)

Fixed failing tests after recent merge with main.
Also includes updated migration date.
											
										
										
											2024-02-22 22:03:13 +00:00
+										if fleet.IsNotFound(err) && teamID == nil {
-												add permission check to software titles/versions endpoints (#16561)

relates to #16052

This adds a team permission check the `GET software/titles/:id`
endpoint. If the user should not be able to get the software title if it
is not on a host that is on the same team as the user (e.g. software
title 1 is on host 1, which is on team 1. A user who is only on team 2
should get a 403 response)

The UI is also updated to show the access denied error page when the we
receive a 403 response for the software title

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality

---------

Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
Co-authored-by: Roberto Dip <me@roperzh.com>
											
										
										
											2024-02-15 20:22:27 +00:00
+											// here we use a global admin as filter because we want
 											// to check if the software version exists
 											filter := fleet.TeamFilter{User: &fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)}}
-												Merge branch 'main' into 15919-vulnerabilities-page

											
										
										
											2024-02-21 18:42:21 +00:00
+											if _, err = svc.ds.SoftwareByID(ctx, id, teamID, includeCVEScores, &filter); err != nil {
-												add permission check to software titles/versions endpoints (#16561)

relates to #16052

This adds a team permission check the `GET software/titles/:id`
endpoint. If the user should not be able to get the software title if it
is not on a host that is on the same team as the user (e.g. software
title 1 is on host 1, which is on team 1. A user who is only on team 2
should get a 403 response)

The UI is also updated to show the access denied error page when the we
receive a 403 response for the software title

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality

---------

Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
Co-authored-by: Roberto Dip <me@roperzh.com>
											
										
										
											2024-02-15 20:22:27 +00:00
+												return nil, ctxerr.Wrap(ctx, err, "checked using a global admin")
 											}
 											return nil, fleet.NewPermissionError("Error: You don’t have permission to view specified software. It is installed on hosts that belong to team you don’t have permissions to view.")
 										}
 										return nil, ctxerr.Wrap(ctx, err, "getting software version by id")
-												Include CVE scores when listing software (#5673)


											
										
										
											2022-05-20 16:58:40 +00:00
+									}
 									return software, nil
-												Implement fleetctl get software and the underlying API (#1999)

* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
											
										
										
											2021-09-14 13:58:48 +00:00
+								}
-												Add software count API (#3105)

* Add software count API

* Fix makefile

* Fine no mock generating at this point

* Actually, one last try

* Use go install instead

* Fix go sum/mod

* Improve documentation

* Try setting node to 14
											
										
										
											2021-12-03 13:54:17 +00:00
 								/////////////////////////////////////////////////////////////////////////////////
 								// Count
 								/////////////////////////////////////////////////////////////////////////////////
 								type countSoftwareRequest struct {
 									fleet.SoftwareListOptions
 								}
 								type countSoftwareResponse struct {
 									Count int   `json:"count"`
 									Err   error `json:"error,omitempty"`
 								}
-												Refactoring service layer. Part 1 (#25945)

Refactoring some functionality out of the service package so it can be
reused by a different service package.
- auth middleware
- logging errors

No functional changes.
											
										
										
											2025-02-03 17:23:26 +00:00
+								func (r countSoftwareResponse) Error() error { return r.Err }
-												Add software count API (#3105)

* Add software count API

* Fix makefile

* Fine no mock generating at this point

* Actually, one last try

* Use go install instead

* Fix go sum/mod

* Improve documentation

* Try setting node to 14
											
										
										
											2021-12-03 13:54:17 +00:00
-												Updating golangci-lint to 1.61.0 (#22973)


											
										
										
											2024-10-18 17:38:26 +00:00
+								// Deprecated: counts are now included directly in the listSoftwareVersionsResponse. This
-												Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)


											
										
										
											2023-12-06 14:30:49 +00:00
+								// endpoint is retained for backwards compatibility.
-												service.errorer to fleet.Errorer (#26362)


											
										
										
											2025-02-14 22:19:34 +00:00
+								func countSoftwareEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
-												Add software count API (#3105)

* Add software count API

* Fix makefile

* Fine no mock generating at this point

* Actually, one last try

* Use go install instead

* Fix go sum/mod

* Improve documentation

* Try setting node to 14
											
										
										
											2021-12-03 13:54:17 +00:00
+									req := request.(*countSoftwareRequest)
 									count, err := svc.CountSoftware(ctx, req.SoftwareListOptions)
 									if err != nil {
 										return countSoftwareResponse{Err: err}, nil
 									}
 									return countSoftwareResponse{Count: count}, nil
 								}
 								func (svc Service) CountSoftware(ctx context.Context, opt fleet.SoftwareListOptions) (int, error) {
-												Merge pull request from GHSA-pr2g-j78h-84cr

* Fix access control issues with users

* Fix access control issues with packs

* Fix access control issues with software

* Changes suggested by Martin

* All users can access the global schedule

* Restrict access to activities

* Add explicit test for team admin escalation vuln

* All global users should be able to read all software

* Handbook editor pass - Security - GitHub Security (#5108)

* Update security.md

All edits are recorded by line:

395 replaced “open-source” with “open source”
411 replaced “open-source” with “open source”
439 added “the” before “comment”; replaced “repositories,” with “repositories”
445 deleted “being” before “located”
458 added “and” after “PR”
489 replaced “on” with “in”
493 replaced “open-source” with “open source”; Replaced “privileges,” with “privileges”

* Update security.md

line 479

* Update security.md

added (static analysis tools used to identify problems in code) to line 479

* Fix UI

* Fix UI

* revert api v1 to latest in documentation (#5149)

* revert api v1 to latest in documentation

* Update fleetctl doc page

Co-authored-by: Noah Talerman <noahtal@umich.edu>

* Add team admin team policy automation; fix e2e

* Update to company page of the handbook (#5164)

Updated "Why do we use a wireframe-first approach?" section of company.md

* removed extra data on smaller screens (#5154)

* Update for team automations; e2e

* Jira Integration: Cypress e2e tests only (#5055)

* Update company.md (#5170)

This is to update the formatting under "empathy" and to fix the spelling of "help text."
This was done as per @mikermcneil .
This is related to #https://github.com/fleetdm/fleet/pull/4941 and https://github.com/fleetdm/fleet/issues/4902

* fix update updated_at for aggregated_stats (#5112)

Update the updated_at column when using ON DUPLICATE UPDATE so that
the counts_updated_at is up to date

* basic sql formatting in code ie whitespace around operators

* Fix e2e test

* Fix tests in server/authz

Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
Co-authored-by: Desmi-Dizney <99777687+Desmi-Dizney@users.noreply.github.com>
Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com>
Co-authored-by: Noah Talerman <noahtal@umich.edu>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Martavis Parker <47053705+martavis@users.noreply.github.com>
Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
											
										
										
											2022-04-18 17:27:30 +00:00
+									if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{
 										TeamID: opt.TeamID,
 									}, fleet.ActionRead); err != nil {
-												Add software count API (#3105)

* Add software count API

* Fix makefile

* Fine no mock generating at this point

* Actually, one last try

* Use go install instead

* Fix go sum/mod

* Improve documentation

* Try setting node to 14
											
										
										
											2021-12-03 13:54:17 +00:00
+										return 0, err
 									}
-												Add Software Vulnerability Filters (#21312)


											
										
										
											2024-08-15 18:36:47 +00:00
+									lic, err := svc.License(ctx)
 									if err != nil {
 										return 0, ctxerr.Wrap(ctx, err, "get license")
 									}
 									// Vulnerability filters are only available in premium
 									if !lic.IsPremium() && (opt.MaximumCVSS > 0 || opt.MinimumCVSS > 0 || opt.KnownExploit) {
 										return 0, fleet.ErrMissingLicense
 									}
-												Bugfix: add filter to counts (#21411)


											
										
										
											2024-08-19 22:55:59 +00:00
+									// required for vulnerability filters
 									if lic.IsPremium() {
 										opt.IncludeCVEScores = true
 									}
-												Add software count API (#3105)

* Add software count API

* Fix makefile

* Fine no mock generating at this point

* Actually, one last try

* Use go install instead

* Fix go sum/mod

* Improve documentation

* Try setting node to 14
											
										
										
											2021-12-03 13:54:17 +00:00
+									return svc.ds.CountSoftware(ctx, opt)
 								}