2018-05-04 16:53:21 +00:00
package service
import (
"bytes"
2021-08-24 12:50:03 +00:00
"context"
2018-05-04 16:53:21 +00:00
"encoding/json"
2021-11-22 14:13:26 +00:00
"errors"
2018-05-04 16:53:21 +00:00
"fmt"
2021-02-03 02:55:16 +00:00
"io"
2018-05-04 16:53:21 +00:00
"net/http"
2021-02-03 02:55:16 +00:00
"os"
2023-02-15 18:01:44 +00:00
"path/filepath"
Manage labels in GitOps (#27038)
For #24473
# Checklist for submitter
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
## Details
This PR adds the ability to manage labels via GitOps. Usage is as
follows:
* If a top-level `labels:` key is provided in the global YAML file
provided to GitOps, then any labels in this list will be created (if
using a new name) or updated (if using an existing name).
* If no top-level `labels:` key is provided, no changes will be made to
labels. This allows backwards-compatibility; customers won't blow away
all of their labels if they don't immediately use `labels:` in their
YAML
Additionally, some new validation has been added so that label usage is
checked prior to application. This means that when the gitops command is
run, it will verify that any labels referenced elsewhere in the YAML
(e.g. by software installers or mdm profiles) exist, and will bail with
an error message if they don't.
## Testing
**Test label deletion**
1. Add some labels via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, and verify that it doesn't say it will update or delete
any labels
2. Run `fleetctl gitops` with a default.yml file _without_ `labels:` in
it, and verify that it doesn't modify or remove your labels
4. Run `fleetctl gitops --dry-run` with a default.yml file with
`labels:` in it and nothing underneath, and verify that it says that it
will delete your labels
4. Run `fleetctl gitops` with a default.yml file with `labels:` in it
and nothing underneath, and verify that it removes all your labels
**Test label create/update**
1. Add a label "foo" via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file with two
`labels:` in it, one named "foo" and one named "bar". Verify that the
output says that one label will be created and one will be updated.
2. Run `fleetctl gitops` with a default.yml file with two `labels:` in
it, one named "foo" and one named "bar". Verify that the two labels now
exist in the UI with the configuration you specified.
**Test label usage**
1. Add a label "foo" in the UI.
1. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, where a software installer or mdm profile uses the
"foo" label via `labels_include_any`. Verify that the output doesn't
complain about unknown labels.
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with nothing underneath, and a software installer or mdm
profile uses the "foo" label via `labels_include_any`. Verify that the
output complains about unknown label "foo"
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with a "foo" label defined underneath, and a software
installer or mdm profile uses the "foo" label via `labels_include_any`.
Verify that the output doesn't complain about unknown labels.
2025-03-19 21:35:11 +00:00
"slices"
2023-11-15 21:04:24 +00:00
"strings"
2021-02-03 02:55:16 +00:00
"time"
2025-07-29 13:15:23 +00:00
"unicode/utf8"
2018-05-04 16:53:21 +00:00
2024-03-28 17:39:27 +00:00
"golang.org/x/text/unicode/norm"
2024-08-01 18:36:40 +00:00
"gopkg.in/yaml.v2"
2024-03-28 17:39:27 +00:00
2023-04-25 13:36:01 +00:00
"github.com/fleetdm/fleet/v4/pkg/optjson"
2022-08-05 22:07:32 +00:00
"github.com/fleetdm/fleet/v4/pkg/spec"
2021-11-22 14:13:26 +00:00
"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
2021-08-26 13:28:53 +00:00
"github.com/fleetdm/fleet/v4/server/fleet"
2023-11-15 21:04:24 +00:00
"github.com/fleetdm/fleet/v4/server/mdm"
2024-09-06 22:10:28 +00:00
"github.com/fleetdm/fleet/v4/server/ptr"
2023-06-07 17:29:36 +00:00
kithttp "github.com/go-kit/kit/transport/http"
2018-05-04 16:53:21 +00:00
)
2024-03-28 17:39:27 +00:00
const batchSize = 100
2022-06-01 23:05:05 +00:00
// Client is used to consume Fleet APIs from Go code
2018-05-04 16:53:21 +00:00
type Client struct {
2022-06-01 23:05:05 +00:00
* baseClient
2022-06-07 20:00:09 +00:00
addr string
token string
customHeaders map [ string ] string
2021-08-26 13:28:53 +00:00
2023-06-15 17:13:41 +00:00
outputWriter io . Writer
errWriter io . Writer
2018-05-04 16:53:21 +00:00
}
2021-02-03 02:55:16 +00:00
type ClientOption func ( * Client ) error
func NewClient ( addr string , insecureSkipVerify bool , rootCA , urlPrefix string , options ... ClientOption ) ( * Client , error ) {
// TODO #265 refactor all optional parameters to functional options
// API breaking change, needs a major version release
2025-07-18 13:19:05 +00:00
baseClient , err := newBaseClient ( addr , insecureSkipVerify , rootCA , urlPrefix , nil , fleet . CapabilityMap { } , nil )
2022-06-01 23:05:05 +00:00
if err != nil {
return nil , err
2018-10-01 22:23:46 +00:00
}
2021-02-03 02:55:16 +00:00
client := & Client {
2022-06-01 23:05:05 +00:00
baseClient : baseClient ,
addr : addr ,
2021-02-03 02:55:16 +00:00
}
for _ , option := range options {
err := option ( client )
if err != nil {
return nil , err
}
}
Fix panic on some tools that use service.NewClient (#32462)
Fixes the following panic found by @AndreyKizimenko while doing
loadtesting using the `./tools/loadtest/scripts_and_profiles/` tool.
```
2025-08-29T15:57:56Z: Creating 7 teams... (press enter to proceed)
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x18 pc=0x1047fd598]
goroutine 1 [running]:
fmt.Fprint({0x0, 0x0}, {0x140001fb378, 0x1, 0x1})
/Users/andrey/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.24.6.darwin-arm64/src/fmt/print.go:263 +0x48
github.com/fatih/color.(*Color).SetWriter(0x140005141a0, {0x0, 0x0})
/Users/andrey/go/pkg/mod/github.com/fatih/color@v1.16.0/color.go:197 +0x88
github.com/fatih/color.(*Color).Fprintf(0x140005141a0, {0x0, 0x0}, {0x10515a87a, 0xf9}, {0x0, 0x0, 0x0})
/Users/andrey/go/pkg/mod/github.com/fatih/color@v1.16.0/color.go:251 +0x50
github.com/fleetdm/fleet/v4/server/fleet.WriteExpiredLicenseBanner({0x0, 0x0})
/Users/andrey/repositories/fleet/server/fleet/utils.go:17 +0x70
github.com/fleetdm/fleet/v4/server/service.(*Client).doContextWithBodyAndHeaders(0x140001fd810, {0x10599fde8, 0x1062ae040}, {0x1050ea452, 0x4}, {0x1051043a7?, 0x140000c61a0?}, {0x0, 0x0}, {0x140001aaf30, ...}, ...)
/Users/andrey/repositories/fleet/server/service/client.go:134 +0x408
github.com/fleetdm/fleet/v4/server/service.(*Client).doContextWithHeaders(0x140001fd810?, {0x10599fde8?, 0x1062ae040?}, {0x1050ea452?, 0x4?}, {0x1051043a7?, 0x17?}, {0x0?, 0x0?}, {0x10580b160?, ...}, ...)
/Users/andrey/repositories/fleet/server/service/client.go:156 +0x1a0
github.com/fleetdm/fleet/v4/server/service.(*Client).AuthenticatedDo(0x140001fd810, {0x1050ea452, 0x4}, {0x1051043a7, 0x17}, {0x0, 0x0}, {0x10580b160, 0x140001fd860})
/Users/andrey/repositories/fleet/server/service/client.go:183 +0x204
github.com/fleetdm/fleet/v4/server/service.(*Client).authenticatedRequestWithQuery(0x140001fd810, {0x10580b160?, 0x140001fd860?}, {0x1050ea452, 0x4}, {0x1051043a7, 0x17}, {0x1057a8e80, 0x1400000ea20}, {0x0?, ...})
/Users/andrey/repositories/fleet/server/service/client.go:263 +0x74
github.com/fleetdm/fleet/v4/server/service.(*Client).authenticatedRequest(...)
/Users/andrey/repositories/fleet/server/service/client.go:273
github.com/fleetdm/fleet/v4/server/service.(*Client).CreateTeam(0x140001fd810, {0x140003584e0, 0x0, {0x0, 0x0, 0x0}, 0x0, 0x0, 0x0, 0x0})
/Users/andrey/repositories/fleet/server/service/client_teams.go:30 +0xe0
main.main()
/Users/andrey/repositories/fleet/tools/loadtest/scripts_and_profiles/main.go:74 +0x530
exit status 2
```
2025-09-01 09:50:11 +00:00
if client . errWriter == nil {
client . errWriter = os . Stderr
}
2021-02-03 02:55:16 +00:00
return client , nil
}
func EnableClientDebug ( ) ClientOption {
return func ( c * Client ) error {
httpClient , ok := c . http . ( * http . Client )
if ! ok {
return errors . New ( "client is not *http.Client" )
}
httpClient . Transport = & logRoundTripper { roundtripper : httpClient . Transport }
return nil
}
2018-05-04 16:53:21 +00:00
}
2023-06-15 17:13:41 +00:00
func SetClientOutputWriter ( w io . Writer ) ClientOption {
2021-08-26 13:28:53 +00:00
return func ( c * Client ) error {
2023-06-15 17:13:41 +00:00
c . outputWriter = w
return nil
}
}
func SetClientErrorWriter ( w io . Writer ) ClientOption {
return func ( c * Client ) error {
c . errWriter = w
2021-08-26 13:28:53 +00:00
return nil
}
}
2022-06-07 20:00:09 +00:00
// WithCustomHeaders sets custom headers to be sent with every request made
// with the client.
func WithCustomHeaders ( headers map [ string ] string ) ClientOption {
return func ( c * Client ) error {
// clone the map to prevent any changes in the original affecting the client
m := make ( map [ string ] string , len ( headers ) )
for k , v := range headers {
m [ k ] = v
}
c . customHeaders = m
return nil
}
}
2022-10-05 22:53:54 +00:00
func ( c * Client ) doContextWithBodyAndHeaders ( ctx context . Context , verb , path , rawQuery string , bodyBytes [ ] byte , headers map [ string ] string ) ( * http . Response , error ) {
2021-08-24 12:50:03 +00:00
request , err := http . NewRequestWithContext (
ctx ,
2018-05-04 16:53:21 +00:00
verb ,
2020-11-05 04:45:16 +00:00
c . url ( path , rawQuery ) . String ( ) ,
2018-05-07 19:44:40 +00:00
bytes . NewBuffer ( bodyBytes ) ,
2018-05-04 16:53:21 +00:00
)
if err != nil {
2021-11-22 14:13:26 +00:00
return nil , ctxerr . Wrap ( ctx , err , "creating request object" )
2018-05-04 16:53:21 +00:00
}
2022-06-07 20:00:09 +00:00
// set the custom headers first, they should not override the actual headers
// we set explicitly.
for k , v := range c . customHeaders {
request . Header . Set ( k , v )
}
2018-05-04 16:53:21 +00:00
for k , v := range headers {
request . Header . Set ( k , v )
}
2021-08-26 13:28:53 +00:00
resp , err := c . http . Do ( request )
if err != nil {
2021-11-22 14:13:26 +00:00
return nil , ctxerr . Wrap ( ctx , err , "do request" )
2021-08-26 13:28:53 +00:00
}
if resp . Header . Get ( fleet . HeaderLicenseKey ) == fleet . HeaderLicenseValueExpired {
2023-06-15 17:13:41 +00:00
fleet . WriteExpiredLicenseBanner ( c . errWriter )
2021-08-26 13:28:53 +00:00
}
return resp , nil
2018-05-04 16:53:21 +00:00
}
2022-10-05 22:53:54 +00:00
func ( c * Client ) doContextWithHeaders ( ctx context . Context , verb , path , rawQuery string , params interface { } , headers map [ string ] string ) ( * http . Response , error ) {
var bodyBytes [ ] byte
var err error
if params != nil {
2025-07-29 13:15:23 +00:00
switch p := params . ( type ) {
case * bytes . Buffer :
bodyBytes = p . Bytes ( )
case [ ] byte :
bodyBytes = p
default :
bodyBytes , err = json . Marshal ( params )
if err != nil {
return nil , ctxerr . Wrap ( ctx , err , "marshaling json" )
}
2022-10-05 22:53:54 +00:00
}
}
return c . doContextWithBodyAndHeaders ( ctx , verb , path , rawQuery , bodyBytes , headers )
}
2020-11-05 04:45:16 +00:00
func ( c * Client ) Do ( verb , path , rawQuery string , params interface { } ) ( * http . Response , error ) {
2021-08-24 12:50:03 +00:00
return c . DoContext ( context . Background ( ) , verb , path , rawQuery , params )
}
func ( c * Client ) DoContext ( ctx context . Context , verb , path , rawQuery string , params interface { } ) ( * http . Response , error ) {
2018-05-04 16:53:21 +00:00
headers := map [ string ] string {
"Content-type" : "application/json" ,
"Accept" : "application/json" ,
}
2021-08-24 12:50:03 +00:00
return c . doContextWithHeaders ( ctx , verb , path , rawQuery , params , headers )
2018-05-04 16:53:21 +00:00
}
2020-11-05 04:45:16 +00:00
func ( c * Client ) AuthenticatedDo ( verb , path , rawQuery string , params interface { } ) ( * http . Response , error ) {
2018-05-04 16:53:21 +00:00
if c . token == "" {
return nil , errors . New ( "authentication token is empty" )
}
headers := map [ string ] string {
"Content-Type" : "application/json" ,
"Accept" : "application/json" ,
"Authorization" : fmt . Sprintf ( "Bearer %s" , c . token ) ,
}
2021-08-24 12:50:03 +00:00
return c . doContextWithHeaders ( context . Background ( ) , verb , path , rawQuery , params , headers )
2018-05-04 16:53:21 +00:00
}
2024-05-07 16:22:05 +00:00
func ( c * Client ) AuthenticatedDoCustomHeaders ( verb , path , rawQuery string , params interface { } , customHeaders map [ string ] string ) ( * http . Response , error ) {
if c . token == "" {
return nil , errors . New ( "authentication token is empty" )
}
headers := map [ string ] string {
"Content-Type" : "application/json" ,
"Accept" : "application/json" ,
"Authorization" : fmt . Sprintf ( "Bearer %s" , c . token ) ,
}
for key , value := range customHeaders {
headers [ key ] = value
}
return c . doContextWithHeaders ( context . Background ( ) , verb , path , rawQuery , params , headers )
}
2018-05-04 16:53:21 +00:00
func ( c * Client ) SetToken ( t string ) {
c . token = t
}
2021-02-03 02:55:16 +00:00
// http.RoundTripper that will log debug information about the request and
// response, including paths, timing, and body.
//
// Inspired by https://stackoverflow.com/a/39528716/491710 and
// github.com/motemen/go-loghttp
type logRoundTripper struct {
roundtripper http . RoundTripper
}
// RoundTrip implements http.RoundTripper
func ( l * logRoundTripper ) RoundTrip ( req * http . Request ) ( * http . Response , error ) {
// Log request
fmt . Fprintf ( os . Stderr , "%s %s\n" , req . Method , req . URL )
reqBody , err := req . GetBody ( )
if err != nil {
fmt . Fprintf ( os . Stderr , "GetBody error: %v\n" , err )
} else {
defer reqBody . Close ( )
2025-07-29 13:15:23 +00:00
buf := & bytes . Buffer { }
_ , _ = io . Copy ( buf , reqBody )
if utf8 . Valid ( buf . Bytes ( ) ) {
fmt . Fprintf ( os . Stderr , "[body length: %d bytes]\n" , buf . Len ( ) )
if _ , err := io . Copy ( os . Stderr , buf ) ; err != nil {
fmt . Fprintf ( os . Stderr , "Copy body error: %v\n" , err )
}
} else {
fmt . Fprintf ( os . Stderr , "[binary output suppressed: %d bytes]\n" , buf . Len ( ) )
2021-02-03 02:55:16 +00:00
}
}
fmt . Fprintf ( os . Stderr , "\n" )
// Perform request using underlying roundtripper
start := time . Now ( )
res , err := l . roundtripper . RoundTrip ( req )
if err != nil {
fmt . Fprintf ( os . Stderr , "RoundTrip error: %v" , err )
return nil , err
}
// Log response
2021-05-17 17:29:50 +00:00
took := time . Since ( start ) . Truncate ( time . Millisecond )
2021-02-03 02:55:16 +00:00
fmt . Fprintf ( os . Stderr , "%s %s %s (%s)\n" , res . Request . Method , res . Request . URL , res . Status , took )
resBody := & bytes . Buffer { }
2025-08-20 16:16:53 +00:00
if _ , err := io . Copy ( resBody , res . Body ) ; err != nil {
return nil , fmt . Errorf ( "response buffer copy: %w" , err )
2021-02-03 02:55:16 +00:00
}
2021-09-15 19:27:53 +00:00
res . Body = io . NopCloser ( resBody )
2021-02-03 02:55:16 +00:00
2025-08-20 16:16:53 +00:00
// Only print text output, don't flood the terminal with binary content
if utf8 . Valid ( resBody . Bytes ( ) ) {
fmt . Fprintf ( os . Stderr , "[body length: %d bytes]\n" , resBody . Len ( ) )
fmt . Fprint ( os . Stderr , resBody . String ( ) )
} else {
fmt . Fprintf ( os . Stderr , "[binary output suppressed: %d bytes]\n" , resBody . Len ( ) )
}
2021-02-03 02:55:16 +00:00
return res , nil
}
2021-07-16 18:28:13 +00:00
2021-09-14 13:58:48 +00:00
func ( c * Client ) authenticatedRequestWithQuery ( params interface { } , verb string , path string , responseDest interface { } , query string ) error {
response , err := c . AuthenticatedDo ( verb , path , query , params )
2021-07-16 18:28:13 +00:00
if err != nil {
2021-11-22 14:13:26 +00:00
return fmt . Errorf ( "%s %s: %w" , verb , path , err )
2021-07-16 18:28:13 +00:00
}
defer response . Body . Close ( )
2022-06-01 23:05:05 +00:00
return c . parseResponse ( verb , path , response , responseDest )
2021-07-16 18:28:13 +00:00
}
2021-09-14 13:58:48 +00:00
func ( c * Client ) authenticatedRequest ( params interface { } , verb string , path string , responseDest interface { } ) error {
return c . authenticatedRequestWithQuery ( params , verb , path , responseDest , "" )
}
2022-08-05 22:07:32 +00:00
2023-11-01 14:13:12 +00:00
func ( c * Client ) CheckAnyMDMEnabled ( ) error {
return c . runAppConfigChecks ( func ( ac * fleet . EnrichedAppConfig ) error {
2025-09-22 15:29:57 +00:00
if ! ac . MDM . EnabledAndConfigured && ! ac . MDM . WindowsEnabledAndConfigured && ! ac . MDM . AndroidEnabledAndConfigured {
2023-11-01 14:13:12 +00:00
return errors . New ( fleet . MDMNotConfiguredMessage )
}
return nil
} )
}
func ( c * Client ) CheckAppleMDMEnabled ( ) error {
2023-06-07 17:29:36 +00:00
return c . runAppConfigChecks ( func ( ac * fleet . EnrichedAppConfig ) error {
if ! ac . MDM . EnabledAndConfigured {
2023-11-01 14:13:12 +00:00
return errors . New ( fleet . AppleMDMNotConfiguredMessage )
2023-06-07 17:29:36 +00:00
}
return nil
} )
2023-04-07 20:31:02 +00:00
}
2023-05-02 19:03:10 +00:00
func ( c * Client ) CheckPremiumMDMEnabled ( ) error {
2023-06-07 17:29:36 +00:00
return c . runAppConfigChecks ( func ( ac * fleet . EnrichedAppConfig ) error {
if ac . License == nil || ! ac . License . IsPremium ( ) {
return errors . New ( "missing or invalid license" )
}
if ! ac . MDM . EnabledAndConfigured {
2023-11-01 14:13:12 +00:00
return errors . New ( fleet . AppleMDMNotConfiguredMessage )
2023-06-07 17:29:36 +00:00
}
return nil
} )
}
func ( c * Client ) runAppConfigChecks ( fn func ( ac * fleet . EnrichedAppConfig ) error ) error {
2023-05-02 19:03:10 +00:00
appCfg , err := c . GetAppConfig ( )
if err != nil {
2023-06-07 17:29:36 +00:00
var sce kithttp . StatusCoder
if errors . As ( err , & sce ) && sce . StatusCode ( ) == http . StatusForbidden {
// do not return an error, user may not have permission to read app
// config (e.g. gitops) and those appconfig checks are just convenience
// to avoid the round-trip with potentially large payload to the server.
// Those will still be validated with the actual API call.
return nil
}
2023-05-02 19:03:10 +00:00
return err
}
2023-06-07 17:29:36 +00:00
return fn ( appCfg )
2023-05-02 19:03:10 +00:00
}
2024-01-26 16:00:58 +00:00
// getProfilesContents takes file paths and creates a slice of profile payloads
// ready to batch-apply.
2025-09-22 15:29:57 +00:00
func getProfilesContents ( baseDir string , macProfiles , windowsProfiles , androidProfiles [ ] fleet . MDMProfileSpec , expandEnv bool ) ( [ ] fleet . MDMProfileBatchPayload , error ) {
2024-06-14 17:48:00 +00:00
// map to check for duplicate names across all profiles
extByName := make ( map [ string ] string , len ( macProfiles ) )
result := make ( [ ] fleet . MDMProfileBatchPayload , 0 , len ( macProfiles ) )
// iterate over the profiles for each platform
for platform , profiles := range map [ string ] [ ] fleet . MDMProfileSpec {
"macos" : macProfiles ,
"windows" : windowsProfiles ,
2025-09-22 15:29:57 +00:00
"android" : androidProfiles ,
2024-06-14 17:48:00 +00:00
} {
for _ , profile := range profiles {
filePath := resolveApplyRelativePath ( baseDir , profile . Path )
fileContents , err := os . ReadFile ( filePath )
2024-05-28 16:44:43 +00:00
if err != nil {
2024-06-14 17:48:00 +00:00
return nil , fmt . Errorf ( "applying custom settings: %w" , err )
2024-05-28 16:44:43 +00:00
}
2024-06-14 17:48:00 +00:00
if expandEnv {
2024-12-13 21:41:23 +00:00
// Secrets are handled earlier in the flow when config files are initially read
fileContents , err = spec . ExpandEnvBytesIgnoreSecrets ( fileContents )
2024-06-14 17:48:00 +00:00
if err != nil {
return nil , fmt . Errorf ( "expanding environment on file %q: %w" , profile . Path , err )
}
2023-11-15 21:04:24 +00:00
}
2024-06-14 17:48:00 +00:00
ext := filepath . Ext ( filePath )
// by default, use the file name (for macOS mobileconfig profiles, we'll switch to
// their PayloadDisplayName when we parse the profile below)
name := strings . TrimSuffix ( filepath . Base ( filePath ) , ext )
// for validation errors, we want to include the platform and file name in the error message
prefixErrMsg := fmt . Sprintf ( "Couldn't edit %s_settings.custom_settings (%s%s)" , platform , name , ext )
// validate macOS profiles
if platform == "macos" {
switch ext {
case ".mobileconfig" , ".xml" : // allowing .xml for backwards compatibility
2025-08-22 14:37:12 +00:00
// For validation, we need to expand FLEET_SECRET_ variables in <data> tags so the XML parser
// can properly validate the profile structure. However, we must be careful not to expose
// secrets in the profile name.
containsSecrets := len ( fleet . ContainsPrefixVars ( string ( fileContents ) , fleet . ServerSecretPrefix ) ) > 0
if containsSecrets {
// If profile contains secrets, check for secrets in PayloadDisplayName first
if err := fleet . ValidateNoSecretsInProfileName ( fileContents ) ; err != nil {
return nil , fmt . Errorf ( "%s: %w" , prefixErrMsg , err )
2024-06-14 17:48:00 +00:00
}
2025-08-22 14:37:12 +00:00
// Expand secrets for validation
validationContents , expandErr := spec . ExpandEnvBytesIncludingSecrets ( fileContents )
if expandErr != nil {
return nil , fmt . Errorf ( "%s: expanding secrets for validation: %w" , prefixErrMsg , expandErr )
}
// Validate the profile structure with expanded secrets
mcExpanded , validationErr := fleet . NewMDMAppleConfigProfile ( validationContents , nil )
if validationErr != nil {
errForMsg := errors . Unwrap ( validationErr )
if errForMsg == nil {
errForMsg = validationErr
}
return nil , fmt . Errorf ( "%s: %w" , prefixErrMsg , errForMsg )
}
name = strings . TrimSpace ( mcExpanded . Name )
} else {
// No secrets, parse normally
mc , err := fleet . NewMDMAppleConfigProfile ( fileContents , nil )
if err != nil {
errForMsg := errors . Unwrap ( err )
if errForMsg == nil {
errForMsg = err
}
return nil , fmt . Errorf ( "%s: %w" , prefixErrMsg , errForMsg )
}
name = strings . TrimSpace ( mc . Name )
2024-06-14 17:48:00 +00:00
}
case ".json" :
if mdm . GetRawProfilePlatform ( fileContents ) != "darwin" {
return nil , fmt . Errorf ( "%s: %s" , prefixErrMsg , "Declaration profiles should include valid JSON." )
}
default :
return nil , fmt . Errorf ( "%s: %s" , prefixErrMsg , "macOS configuration profiles must be .mobileconfig or .json files." )
}
}
2025-09-22 15:29:57 +00:00
if platform == "android" {
switch ext {
case ".json" :
if mdm . GetRawProfilePlatform ( fileContents ) != "android" {
return nil , fmt . Errorf ( "%s: %s" , prefixErrMsg , "Android profiles should include valid JSON." )
}
default :
return nil , fmt . Errorf ( "%s: %s" , prefixErrMsg , "Android configuration profiles must be .json files." )
}
}
2024-06-14 17:48:00 +00:00
// validate windows profiles
if platform == "windows" {
switch ext {
case ".xml" :
if mdm . GetRawProfilePlatform ( fileContents ) != "windows" {
return nil , fmt . Errorf ( "%s: %s" , prefixErrMsg , "Windows configuration profiles can only have <Replace> or <Add> top level elements" )
}
default :
return nil , fmt . Errorf ( "%s: %s" , prefixErrMsg , "Windows configuration profiles must be .xml files." )
}
}
// check for duplicate names across all profiles
2025-01-30 11:17:36 +00:00
if _ , isDuplicate := extByName [ name ] ; isDuplicate {
return nil , errors . New ( fmtDuplicateNameErrMsg ( name ) )
2024-06-14 17:48:00 +00:00
}
extByName [ name ] = ext
result = append ( result , fleet . MDMProfileBatchPayload {
2024-06-25 19:26:28 +00:00
Name : name ,
Contents : fileContents ,
Labels : profile . Labels ,
LabelsIncludeAll : profile . LabelsIncludeAll ,
2024-11-05 20:13:44 +00:00
LabelsIncludeAny : profile . LabelsIncludeAny ,
2024-06-25 19:26:28 +00:00
LabelsExcludeAny : profile . LabelsExcludeAny ,
2024-06-14 17:48:00 +00:00
} )
}
2024-01-26 16:00:58 +00:00
}
return result , nil
2023-11-15 21:04:24 +00:00
}
2024-10-23 18:51:02 +00:00
// fileContent is used to store the name of a file and its content.
type fileContent struct {
Filename string
Content [ ] byte
}
2025-09-03 18:52:25 +00:00
type errConflictingSoftwareSetupExperienceDeclarations struct {
URL string
}
func ( e errConflictingSoftwareSetupExperienceDeclarations ) Error ( ) string {
return fmt . Sprintf ( "Couldn't edit software (%s). Setup experience may only be specified directly on software or within macos_setup, but not both. See https://fleetdm.com/learn-more-about/yaml-software-setup-experience." , e . URL )
}
var errConflictingVPPSetupExperienceDeclarations = errors . New ( "Couldn't edit app store apps. Setup experience may only be specified directly on software or within macos_setup, but not both. See https://fleetdm.com/learn-more-about/yaml-software-setup-experience." )
2024-10-23 18:51:02 +00:00
// TODO: as confirmed by Noah and Marko on Slack:
//
// > from Noah: "We want to support existing features w/ fleetctl apply for
// > backwards compatibility GitOps but we don’
//
// We should deprecate ApplyGroup and use it only for `fleetctl apply` (and
// its current minimal use in `preview`), and have a distinct implementation
// that is `gitops`-only, because both uses have subtle differences in
// behaviour that make it hard to reuse a single implementation (e.g. a missing
// key in gitops means "remove what is absent" while in apply it means "leave
// as-is").
//
// For now I'm just passing a "gitops" bool for a quick fix, but we should
// properly plan that separation and refactor so that gitops can be
// significantly cleaned up and simplified going forward.
2022-08-05 22:07:32 +00:00
// ApplyGroup applies the given spec group to Fleet.
2023-02-22 16:14:53 +00:00
func ( c * Client ) ApplyGroup (
ctx context . Context ,
2025-09-04 16:39:41 +00:00
viaGitOps bool , // TODO: should we fail if this gets called for CAs outside of gitops?
2023-02-22 16:14:53 +00:00
specs * spec . Group ,
baseDir string ,
logf func ( format string , args ... interface { } ) ,
2024-08-05 17:39:10 +00:00
appconfig * fleet . EnrichedAppConfig ,
2024-05-28 16:44:43 +00:00
opts fleet . ApplyClientSpecOptions ,
2024-10-10 11:12:24 +00:00
teamsSoftwareInstallers map [ string ] [ ] fleet . SoftwarePackageResponse ,
2025-01-14 18:52:39 +00:00
teamsVPPApps map [ string ] [ ] fleet . VPPAppResponse ,
2024-10-10 11:12:24 +00:00
teamsScripts map [ string ] [ ] fleet . ScriptResponse ,
2025-01-14 18:52:39 +00:00
) ( map [ string ] uint , map [ string ] [ ] fleet . SoftwarePackageResponse , map [ string ] [ ] fleet . VPPAppResponse , map [ string ] [ ] fleet . ScriptResponse , error ) {
2022-08-05 22:07:32 +00:00
logfn := func ( format string , args ... interface { } ) {
if logf != nil {
logf ( format , args ... )
}
}
2023-07-25 00:17:20 +00:00
// specs.Queries must be applied before specs.Packs because packs reference queries.
2022-08-05 22:07:32 +00:00
if len ( specs . Queries ) > 0 {
2022-09-19 17:53:44 +00:00
if opts . DryRun {
logfn ( "[!] ignoring queries, dry run mode only supported for 'config' and 'team' specs\n" )
} else {
if err := c . ApplyQueries ( specs . Queries ) ; err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying queries: %w" , err )
2022-09-19 17:53:44 +00:00
}
logfn ( "[+] applied %d queries\n" , len ( specs . Queries ) )
2022-08-05 22:07:32 +00:00
}
}
if len ( specs . Labels ) > 0 {
2022-09-19 17:53:44 +00:00
if opts . DryRun {
logfn ( "[!] ignoring labels, dry run mode only supported for 'config' and 'team' specs\n" )
} else {
2025-06-09 17:05:11 +00:00
for _ , label := range specs . Labels {
if label . LabelType == fleet . LabelTypeBuiltIn {
return nil , nil , nil , nil , errors . New ( "Cannot import built-in labels. Please remove labels with a label_type of builtin and try again." )
}
}
2022-09-19 17:53:44 +00:00
if err := c . ApplyLabels ( specs . Labels ) ; err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying labels: %w" , err )
2022-09-19 17:53:44 +00:00
}
logfn ( "[+] applied %d labels\n" , len ( specs . Labels ) )
2022-08-05 22:07:32 +00:00
}
}
if len ( specs . Packs ) > 0 {
2022-09-19 17:53:44 +00:00
if opts . DryRun {
logfn ( "[!] ignoring packs, dry run mode only supported for 'config' and 'team' specs\n" )
} else {
if err := c . ApplyPacks ( specs . Packs ) ; err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying packs: %w" , err )
2022-09-19 17:53:44 +00:00
}
logfn ( "[+] applied %d packs\n" , len ( specs . Packs ) )
2022-08-05 22:07:32 +00:00
}
}
2025-09-04 16:39:41 +00:00
if specs . CertificateAuthorities != nil {
if err := c . ApplyCertificateAuthoritiesSpec ( * specs . CertificateAuthorities , opts . ApplySpecOptions ) ; err != nil {
return nil , nil , nil , nil , fmt . Errorf ( "applying certificate authorities: %w" , err )
}
// TODO(hca): is more detailed logging a hard requirement or can it be a follow up improvement?
if opts . DryRun {
logfn ( "[+] would've applied certificate authorities\n" )
} else {
logfn ( "[+] applied certificate authorities\n" )
}
}
2022-08-05 22:07:32 +00:00
if specs . AppConfig != nil {
2023-11-29 14:32:42 +00:00
windowsCustomSettings := extractAppCfgWindowsCustomSettings ( specs . AppConfig )
2023-11-15 21:04:24 +00:00
macosCustomSettings := extractAppCfgMacOSCustomSettings ( specs . AppConfig )
2025-09-22 15:29:57 +00:00
androidCustomSettings := extractAppCfgAndroidCustomSettings ( specs . AppConfig )
2023-11-15 21:04:24 +00:00
2023-04-07 20:31:02 +00:00
if macosSetup := extractAppCfgMacOSSetup ( specs . AppConfig ) ; macosSetup != nil {
2025-02-07 20:35:51 +00:00
switch {
case macosSetup . BootstrapPackage . Value != "" :
2023-04-26 21:09:21 +00:00
pkg , err := c . ValidateBootstrapPackageFromURL ( macosSetup . BootstrapPackage . Value )
2023-04-07 20:31:02 +00:00
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying fleet config: %w" , err )
2023-04-07 20:31:02 +00:00
}
2025-06-02 21:17:06 +00:00
if err := c . UploadBootstrapPackageIfNeeded ( pkg , uint ( 0 ) , opts . DryRun ) ; err != nil {
return nil , nil , nil , nil , fmt . Errorf ( "applying fleet config: %w" , err )
2023-04-25 13:36:01 +00:00
}
2025-06-02 21:17:06 +00:00
case macosSetup . BootstrapPackage . Valid && appconfig != nil && appconfig . MDM . EnabledAndConfigured && appconfig . License . IsPremium ( ) :
2025-02-07 20:35:51 +00:00
// bootstrap package is explicitly empty (only for GitOps)
2025-06-02 21:17:06 +00:00
if err := c . DeleteBootstrapPackageIfNeeded ( uint ( 0 ) , opts . DryRun ) ; err != nil {
2025-02-07 20:35:51 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying fleet config: %w" , err )
}
2023-04-25 13:36:01 +00:00
}
2025-02-07 20:35:51 +00:00
switch {
case macosSetup . MacOSSetupAssistant . Value != "" :
2023-04-25 13:36:01 +00:00
content , err := c . validateMacOSSetupAssistant ( resolveApplyRelativePath ( baseDir , macosSetup . MacOSSetupAssistant . Value ) )
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying fleet config: %w" , err )
2023-04-25 13:36:01 +00:00
}
if ! opts . DryRun {
if err := c . uploadMacOSSetupAssistant ( content , nil , macosSetup . MacOSSetupAssistant . Value ) ; err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying fleet config: %w" , err )
2023-04-07 20:31:02 +00:00
}
}
2025-02-07 20:35:51 +00:00
case macosSetup . MacOSSetupAssistant . Valid && ! opts . DryRun &&
appconfig != nil && appconfig . MDM . EnabledAndConfigured && appconfig . License . IsPremium ( ) :
// setup assistant is explicitly empty (only for GitOps)
if err := c . deleteMacOSSetupAssistant ( nil ) ; err != nil {
return nil , nil , nil , nil , fmt . Errorf ( "deleting macOS enrollment profile: %w" , err )
}
2023-04-07 20:31:02 +00:00
}
}
2023-10-10 22:00:45 +00:00
if scripts := extractAppCfgScripts ( specs . AppConfig ) ; scripts != nil {
2024-10-09 22:57:08 +00:00
scriptPayloads := make ( [ ] fleet . ScriptPayload , len ( scripts ) )
for i , f := range scripts {
2023-10-10 22:00:45 +00:00
b , err := os . ReadFile ( f )
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying no-team scripts: %w" , err )
2023-10-10 22:00:45 +00:00
}
scriptPayloads [ i ] = fleet . ScriptPayload {
ScriptContents : b ,
Name : filepath . Base ( f ) ,
}
}
2024-10-04 01:03:40 +00:00
noTeamScripts , err := c . ApplyNoTeamScripts ( scriptPayloads , opts . ApplySpecOptions )
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying no-team scripts: %w" , err )
2023-10-10 22:00:45 +00:00
}
2024-10-10 11:12:24 +00:00
teamsScripts [ "No team" ] = noTeamScripts
2023-10-10 22:00:45 +00:00
}
2024-11-13 17:01:08 +00:00
rules , err := extractAppCfgYaraRules ( specs . AppConfig )
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying yara rules: %w" , err )
2024-11-13 17:01:08 +00:00
}
if rules != nil {
rulePayloads := make ( [ ] fleet . YaraRule , len ( rules ) )
for i , f := range rules {
path := resolveApplyRelativePath ( baseDir , f . Path )
b , err := os . ReadFile ( path )
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying yara rules: %w" , err )
2024-11-13 17:01:08 +00:00
}
rulePayloads [ i ] = fleet . YaraRule {
Contents : string ( b ) ,
Name : filepath . Base ( f . Path ) ,
}
}
specs . AppConfig . ( map [ string ] interface { } ) [ "yara_rules" ] = rulePayloads
}
2025-03-06 22:42:58 +00:00
// Keep any existing GitOps mode config rather than attempting to set via GitOps.
if appconfig != nil {
specs . AppConfig . ( map [ string ] interface { } ) [ "gitops" ] = fleet . UIGitOpsModeConfig {
GitopsModeEnabled : appconfig . UIGitOpsMode . GitopsModeEnabled ,
RepositoryURL : appconfig . UIGitOpsMode . RepositoryURL ,
}
}
2024-05-28 16:44:43 +00:00
if err := c . ApplyAppConfig ( specs . AppConfig , opts . ApplySpecOptions ) ; err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying fleet config: %w" , err )
2022-08-05 22:07:32 +00:00
}
2022-09-19 17:53:44 +00:00
if opts . DryRun {
logfn ( "[+] would've applied fleet config\n" )
} else {
logfn ( "[+] applied fleet config\n" )
}
2025-03-20 16:36:00 +00:00
// We apply profiles after the main AppConfig org_settings because profiles may
// contain Fleet variables that are set in org_settings, such as $FLEET_VAR_DIGICERT_PASSWORD_My_CA
//
// if there is no custom setting but the windows and mac settings are
// non-nil, this means that we want to clear the existing custom settings,
// so we still go on with calling the batch-apply endpoint.
//
// TODO(mna): shouldn't that be an || instead of && ? I.e. if there are no
// custom settings but windows is present and empty (but mac is absent),
// shouldn't that clear the windows ones?
2025-09-22 15:29:57 +00:00
if ( windowsCustomSettings != nil || macosCustomSettings != nil || androidCustomSettings != nil ) || len ( windowsCustomSettings ) + len ( macosCustomSettings ) + len ( androidCustomSettings ) > 0 {
fileContents , err := getProfilesContents ( baseDir , macosCustomSettings , windowsCustomSettings , androidCustomSettings , opts . ExpandEnvConfigProfiles )
2025-03-20 16:36:00 +00:00
if err != nil {
return nil , nil , nil , nil , err
}
// Figure out if MDM should be enabled.
assumeEnabled := false
// This cast is safe because we've already checked AppConfig when extracting custom settings
mdmConfigMap , ok := specs . AppConfig . ( map [ string ] interface { } ) [ "mdm" ] . ( map [ string ] interface { } )
if ok {
mdmEnabled , ok := mdmConfigMap [ "windows_enabled_and_configured" ]
if ok {
assumeEnabled , ok = mdmEnabled . ( bool )
assumeEnabled = ok && assumeEnabled
}
}
profilesSpecOptions := opts . ApplySpecOptions
// Since we just updated AppConfig, we don't want to get a stale (cached) AppConfig on the server if
// this HTTP request gets routed to another Fleet server.
profilesSpecOptions . NoCache = true
if err := c . ApplyNoTeamProfiles ( fileContents , profilesSpecOptions , assumeEnabled ) ; err != nil {
return nil , nil , nil , nil , fmt . Errorf ( "applying custom settings: %w" , err )
}
if opts . DryRun {
logfn ( "[+] would've applied MDM profiles\n" )
} else {
logfn ( "[+] applied MDM profiles\n" )
}
}
2022-08-05 22:07:32 +00:00
}
if specs . EnrollSecret != nil {
2024-05-31 12:01:13 +00:00
if err := c . ApplyEnrollSecretSpec ( specs . EnrollSecret , opts . ApplySpecOptions ) ; err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying enroll secrets: %w" , err )
2024-05-31 12:01:13 +00:00
}
2022-09-19 17:53:44 +00:00
if opts . DryRun {
2024-02-09 19:34:57 +00:00
logfn ( "[+] would've applied enroll secrets\n" )
2022-09-19 17:53:44 +00:00
} else {
logfn ( "[+] applied enroll secrets\n" )
2022-08-05 22:07:32 +00:00
}
}
2024-02-09 19:34:57 +00:00
var teamIDsByName map [ string ] uint
2022-08-05 22:07:32 +00:00
if len ( specs . Teams ) > 0 {
2023-02-15 18:01:44 +00:00
// extract the teams' custom settings and resolve the files immediately, so
// that any non-existing file error is found before applying the specs.
2023-11-15 21:04:24 +00:00
tmMDMSettings := extractTmSpecsMDMCustomSettings ( specs . Teams )
2023-02-15 18:01:44 +00:00
2024-01-26 16:00:58 +00:00
tmFileContents := make ( map [ string ] [ ] fleet . MDMProfileBatchPayload , len ( tmMDMSettings ) )
2024-06-14 17:48:00 +00:00
for k , profileSpecs := range tmMDMSettings {
2025-09-22 15:29:57 +00:00
fileContents , err := getProfilesContents ( baseDir , profileSpecs . macos , profileSpecs . windows , profileSpecs . android , opts . ExpandEnvConfigProfiles )
2023-11-15 21:04:24 +00:00
if err != nil {
2025-01-14 18:52:39 +00:00
// TODO: consider adding team name to improve error messages generally for other parts of the config because multiple team configs can be processed at once
return nil , nil , nil , nil , fmt . Errorf ( "Team %s: %w" , k , err )
2023-02-15 18:01:44 +00:00
}
tmFileContents [ k ] = fileContents
}
2023-04-07 20:31:02 +00:00
tmMacSetup := extractTmSpecsMacOSSetup ( specs . Teams )
tmBootstrapPackages := make ( map [ string ] * fleet . MDMAppleBootstrapPackage , len ( tmMacSetup ) )
2023-04-25 13:36:01 +00:00
tmMacSetupAssistants := make ( map [ string ] [ ] byte , len ( tmMacSetup ) )
2024-10-23 18:51:02 +00:00
// those are gitops-only features
tmMacSetupScript := make ( map [ string ] fileContent , len ( tmMacSetup ) )
tmMacSetupSoftware := make ( map [ string ] [ ] * fleet . MacOSSetupSoftware , len ( tmMacSetup ) )
// this is a set of software packages or VPP apps that are configured as
// install_during_setup, by team. This is a gitops-only setting, so it will
// only be filled when called via this command.
tmSoftwareMacOSSetup := make ( map [ string ] map [ fleet . MacOSSetupSoftware ] struct { } , len ( tmMacSetup ) )
2023-04-07 20:31:02 +00:00
for k , setup := range tmMacSetup {
2025-02-07 20:35:51 +00:00
switch {
case setup . BootstrapPackage . Value != "" :
2023-04-26 21:09:21 +00:00
bp , err := c . ValidateBootstrapPackageFromURL ( setup . BootstrapPackage . Value )
2023-04-07 20:31:02 +00:00
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying teams: %w" , err )
2023-04-07 20:31:02 +00:00
}
tmBootstrapPackages [ k ] = bp
2025-02-07 20:35:51 +00:00
case setup . BootstrapPackage . Valid : // explicitly empty
tmBootstrapPackages [ k ] = nil
2023-04-07 20:31:02 +00:00
}
2025-02-07 20:35:51 +00:00
switch {
case setup . MacOSSetupAssistant . Value != "" :
2023-04-25 13:36:01 +00:00
b , err := c . validateMacOSSetupAssistant ( resolveApplyRelativePath ( baseDir , setup . MacOSSetupAssistant . Value ) )
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying teams: %w" , err )
2023-04-25 13:36:01 +00:00
}
tmMacSetupAssistants [ k ] = b
2025-02-07 20:35:51 +00:00
case setup . MacOSSetupAssistant . Valid : // explicitly empty
tmMacSetupAssistants [ k ] = nil
2023-04-25 13:36:01 +00:00
}
2024-10-23 18:51:02 +00:00
if setup . Script . Value != "" {
b , err := c . validateMacOSSetupScript ( resolveApplyRelativePath ( baseDir , setup . Script . Value ) )
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying teams: %w" , err )
2024-10-23 18:51:02 +00:00
}
tmMacSetupScript [ k ] = fileContent { Filename : filepath . Base ( setup . Script . Value ) , Content : b }
}
if viaGitOps {
m , err := extractTeamOrNoTeamMacOSSetupSoftware ( baseDir , setup . Software . Value )
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , err
2024-10-23 18:51:02 +00:00
}
tmSoftwareMacOSSetup [ k ] = m
tmMacSetupSoftware [ k ] = setup . Software . Value
}
2023-04-07 20:31:02 +00:00
}
2023-10-10 22:00:45 +00:00
tmScripts := extractTmSpecsScripts ( specs . Teams )
tmScriptsPayloads := make ( map [ string ] [ ] fleet . ScriptPayload , len ( tmScripts ) )
for k , paths := range tmScripts {
2024-10-09 22:57:08 +00:00
scriptPayloads := make ( [ ] fleet . ScriptPayload , len ( paths ) )
for i , f := range paths {
2023-10-10 22:00:45 +00:00
b , err := os . ReadFile ( f )
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying fleet config: %w" , err )
2023-10-10 22:00:45 +00:00
}
scriptPayloads [ i ] = fleet . ScriptPayload {
ScriptContents : b ,
Name : filepath . Base ( f ) ,
}
}
tmScriptsPayloads [ k ] = scriptPayloads
}
2024-07-22 17:19:19 +00:00
tmSoftwarePackages := extractTmSpecsSoftwarePackages ( specs . Teams )
2024-09-06 22:10:28 +00:00
tmSoftwarePackagesPayloads := make ( map [ string ] [ ] fleet . SoftwareInstallerPayload , len ( tmSoftwarePackages ) )
2025-09-05 13:38:00 +00:00
tmSoftwarePackagesWithPaths := make ( map [ string ] map [ string ] struct { } , len ( tmSoftwarePackages ) )
2024-07-10 18:53:03 +00:00
for tmName , software := range tmSoftwarePackages {
2024-10-23 18:51:02 +00:00
installDuringSetupKeys := tmSoftwareMacOSSetup [ tmName ]
2024-11-07 17:22:08 +00:00
softwarePayloads , err := buildSoftwarePackagesPayload ( software , installDuringSetupKeys )
2024-08-05 17:39:10 +00:00
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying software installers for team %q: %w" , tmName , err )
2024-05-14 18:06:33 +00:00
}
2024-07-22 17:19:19 +00:00
tmSoftwarePackagesPayloads [ tmName ] = softwarePayloads
2024-10-23 18:51:02 +00:00
for _ , swSpec := range software {
if swSpec . ReferencedYamlPath != "" {
// can be referenced by macos_setup.software.package_path
2025-09-05 13:38:00 +00:00
if tmSoftwarePackagesWithPaths [ tmName ] == nil {
tmSoftwarePackagesWithPaths [ tmName ] = make ( map [ string ] struct { } , len ( software ) )
2024-10-23 18:51:02 +00:00
}
2025-09-05 13:38:00 +00:00
tmSoftwarePackagesWithPaths [ tmName ] [ swSpec . ReferencedYamlPath ] = struct { } { }
2024-10-23 18:51:02 +00:00
}
}
2024-07-22 17:19:19 +00:00
}
2025-05-07 23:16:08 +00:00
tmFleetMaintainedApps := extractTmSpecsFleetMaintainedApps ( specs . Teams )
for tmName , apps := range tmFleetMaintainedApps {
installDuringSetupKeys := tmSoftwareMacOSSetup [ tmName ]
softwarePayloads , err := buildSoftwarePackagesPayload ( apps , installDuringSetupKeys )
if err != nil {
return nil , nil , nil , nil , fmt . Errorf ( "applying software installers for team %q: %w" , tmName , err )
}
if existingPayloads , ok := tmSoftwarePackagesPayloads [ tmName ] ; ok {
tmSoftwarePackagesPayloads [ tmName ] = append ( existingPayloads , softwarePayloads ... )
} else {
tmSoftwarePackagesPayloads [ tmName ] = softwarePayloads
}
}
2024-07-22 17:19:19 +00:00
tmSoftwareApps := extractTmSpecsSoftwareApps ( specs . Teams )
tmSoftwareAppsPayloads := make ( map [ string ] [ ] fleet . VPPBatchPayload )
2024-10-23 18:51:02 +00:00
tmSoftwareAppsByAppID := make ( map [ string ] map [ string ] fleet . TeamSpecAppStoreApp , len ( tmSoftwareApps ) )
2024-07-22 17:19:19 +00:00
for tmName , apps := range tmSoftwareApps {
2024-10-23 18:51:02 +00:00
installDuringSetupKeys := tmSoftwareMacOSSetup [ tmName ]
2024-07-22 17:19:19 +00:00
appPayloads := make ( [ ] fleet . VPPBatchPayload , 0 , len ( apps ) )
for _ , app := range apps {
2024-10-23 18:51:02 +00:00
var installDuringSetup * bool
if installDuringSetupKeys != nil {
_ , ok := installDuringSetupKeys [ fleet . MacOSSetupSoftware { AppStoreID : app . AppStoreID } ]
installDuringSetup = & ok
}
2025-09-03 18:32:11 +00:00
if app . InstallDuringSetup . Valid {
if len ( installDuringSetupKeys ) > 0 {
2025-09-03 18:52:25 +00:00
return nil , nil , nil , nil , errConflictingVPPSetupExperienceDeclarations
2025-09-03 18:32:11 +00:00
}
installDuringSetup = & app . InstallDuringSetup . Value
}
2024-10-23 18:51:02 +00:00
appPayloads = append ( appPayloads , fleet . VPPBatchPayload {
AppStoreID : app . AppStoreID ,
SelfService : app . SelfService ,
InstallDuringSetup : installDuringSetup ,
2025-02-03 17:16:21 +00:00
LabelsExcludeAny : app . LabelsExcludeAny ,
LabelsIncludeAny : app . LabelsIncludeAny ,
2025-05-07 15:19:33 +00:00
Categories : app . Categories ,
2024-10-23 18:51:02 +00:00
} )
// can be referenced by macos_setup.software.app_store_id
if tmSoftwareAppsByAppID [ tmName ] == nil {
tmSoftwareAppsByAppID [ tmName ] = make ( map [ string ] fleet . TeamSpecAppStoreApp , len ( apps ) )
}
tmSoftwareAppsByAppID [ tmName ] [ app . AppStoreID ] = app
2024-07-22 17:19:19 +00:00
}
tmSoftwareAppsPayloads [ tmName ] = appPayloads
2024-05-14 18:06:33 +00:00
}
2024-10-23 18:51:02 +00:00
// if macos_setup.software has some values, they must exist in the software
// packages or vpp apps.
for tmName , setupSw := range tmMacSetupSoftware {
2025-09-05 13:38:00 +00:00
if err := validateTeamOrNoTeamMacOSSetupSoftware ( tmName , setupSw , tmSoftwarePackagesWithPaths [ tmName ] , tmSoftwareAppsByAppID [ tmName ] ) ; err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , err
2024-10-23 18:51:02 +00:00
}
}
2023-02-15 18:01:44 +00:00
// Next, apply the teams specs before saving the profiles, so that any
// non-existing team gets created.
2024-02-09 19:34:57 +00:00
var err error
2024-05-03 13:03:00 +00:00
teamOpts := fleet . ApplyTeamSpecOptions {
2024-05-28 16:44:43 +00:00
ApplySpecOptions : opts . ApplySpecOptions ,
2024-05-03 13:03:00 +00:00
DryRunAssumptions : specs . TeamsDryRunAssumptions ,
}
2024-06-27 21:10:49 +00:00
// In dry-run, the team names returned are the old team names (when team name is modified via gitops)
2024-05-03 13:03:00 +00:00
teamIDsByName , err = c . ApplyTeams ( specs . Teams , teamOpts )
2023-06-07 17:29:36 +00:00
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying teams: %w" , err )
2022-08-05 22:07:32 +00:00
}
2023-02-15 18:01:44 +00:00
2024-06-27 21:10:49 +00:00
// When using GitOps, the team name could change, so we need to check for that
getTeamName := func ( teamName string ) string {
return teamName
}
if len ( specs . Teams ) == 1 && len ( teamIDsByName ) == 1 {
for key := range teamIDsByName {
if key != extractTeamName ( specs . Teams [ 0 ] ) {
getTeamName = func ( teamName string ) string {
return key
}
}
}
}
2023-02-15 18:01:44 +00:00
if len ( tmFileContents ) > 0 {
for tmName , profs := range tmFileContents {
2024-06-27 21:10:49 +00:00
// For non-dry run, currentTeamName and tmName are the same
currentTeamName := getTeamName ( tmName )
teamID , ok := teamIDsByName [ currentTeamName ]
2024-02-09 19:34:57 +00:00
if opts . DryRun && ( teamID == 0 || ! ok ) {
logfn ( "[+] would've applied MDM profiles for new team %s\n" , tmName )
} else {
logfn ( "[+] applying MDM profiles for team %s\n" , tmName )
2024-06-27 21:10:49 +00:00
if err := c . ApplyTeamProfiles ( currentTeamName , profs , teamOpts ) ; err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying custom settings for team %q: %w" , tmName , err )
2024-02-09 19:34:57 +00:00
}
2023-02-15 18:01:44 +00:00
}
}
}
2023-04-25 13:36:01 +00:00
if len ( tmBootstrapPackages ) + len ( tmMacSetupAssistants ) > 0 && ! opts . DryRun {
2023-06-07 17:29:36 +00:00
for tmName , tmID := range teamIDsByName {
if bp , ok := tmBootstrapPackages [ tmName ] ; ok {
2025-02-07 20:35:51 +00:00
switch {
case bp != nil :
2025-06-02 21:17:06 +00:00
if err := c . UploadBootstrapPackageIfNeeded ( bp , tmID , opts . DryRun ) ; err != nil {
2025-02-07 20:35:51 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "uploading bootstrap package for team %q: %w" , tmName , err )
}
case appconfig != nil && appconfig . MDM . EnabledAndConfigured && appconfig . License . IsPremium ( ) : // explicitly empty (only for GitOps)
2025-06-02 21:17:06 +00:00
if err := c . DeleteBootstrapPackageIfNeeded ( tmID , opts . DryRun ) ; err != nil {
2025-02-07 20:35:51 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "deleting bootstrap package for team %q: %w" , tmName , err )
}
2023-04-07 20:31:02 +00:00
}
}
2023-06-07 17:29:36 +00:00
if b , ok := tmMacSetupAssistants [ tmName ] ; ok {
2025-02-07 20:35:51 +00:00
switch {
case b != nil :
if err := c . uploadMacOSSetupAssistant ( b , & tmID , tmMacSetup [ tmName ] . MacOSSetupAssistant . Value ) ; err != nil {
2025-03-20 20:44:09 +00:00
if strings . Contains ( err . Error ( ) , "Couldn't add" ) {
2025-02-07 20:35:51 +00:00
// Then the error should look something like this:
2025-03-20 20:44:09 +00:00
// "Couldn't add. CONFIG_NAME_INVALID"
2025-02-07 20:35:51 +00:00
// We want the part after the period (this is the error name from Apple)
// to render a more helpful error message.
parts := strings . Split ( err . Error ( ) , "." )
if len ( parts ) < 2 {
return nil , nil , nil , nil , fmt . Errorf ( "unexpected error while uploading macOS setup assistant for team %q: %w" ,
tmName , err )
}
return nil , nil , nil , nil , fmt . Errorf ( "Couldn't edit macos_setup_assistant. Response from Apple: %s. Learn more at %s" ,
strings . Trim ( parts [ 1 ] , " " ) , "https://fleetdm.com/learn-more-about/dep-profile" )
2024-09-10 22:44:58 +00:00
}
2025-02-07 20:35:51 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "uploading macOS setup assistant for team %q: %w" , tmName , err )
}
case appconfig != nil && appconfig . MDM . EnabledAndConfigured && appconfig . License . IsPremium ( ) : // explicitly empty (only for GitOps)
if err := c . deleteMacOSSetupAssistant ( & tmID ) ; err != nil {
return nil , nil , nil , nil , fmt . Errorf ( "deleting macOS enrollment profile for team %q: %w" , tmName , err )
2024-09-10 22:44:58 +00:00
}
2023-04-25 13:36:01 +00:00
}
}
2023-04-07 20:31:02 +00:00
}
}
2024-10-23 18:51:02 +00:00
if viaGitOps && ! opts . DryRun {
for tmName , tmID := range teamIDsByName {
if fc , ok := tmMacSetupScript [ tmName ] ; ok {
if err := c . uploadMacOSSetupScript ( fc . Filename , fc . Content , & tmID ) ; err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "uploading setup experience script for team %q: %w" , tmName , err )
2024-10-23 18:51:02 +00:00
}
} else {
if err := c . deleteMacOSSetupScript ( & tmID ) ; err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "deleting setup experience script for team %q: %w" , tmName , err )
2024-10-23 18:51:02 +00:00
}
}
}
}
2023-10-10 22:00:45 +00:00
if len ( tmScriptsPayloads ) > 0 {
for tmName , scripts := range tmScriptsPayloads {
2024-06-27 21:10:49 +00:00
// For non-dry run, currentTeamName and tmName are the same
currentTeamName := getTeamName ( tmName )
2024-10-04 01:03:40 +00:00
scriptResponses , err := c . ApplyTeamScripts ( currentTeamName , scripts , opts . ApplySpecOptions )
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying scripts for team %q: %w" , tmName , err )
2023-10-10 22:00:45 +00:00
}
2024-10-10 11:12:24 +00:00
teamsScripts [ tmName ] = scriptResponses
2023-10-10 22:00:45 +00:00
}
}
2024-07-22 17:19:19 +00:00
if len ( tmSoftwarePackagesPayloads ) > 0 {
for tmName , software := range tmSoftwarePackagesPayloads {
2024-06-27 21:10:49 +00:00
// For non-dry run, currentTeamName and tmName are the same
currentTeamName := getTeamName ( tmName )
2024-09-12 17:23:25 +00:00
logfn ( "[+] applying %d software packages for team %s\n" , len ( software ) , tmName )
2024-09-06 22:10:28 +00:00
installers , err := c . ApplyTeamSoftwareInstallers ( currentTeamName , software , opts . ApplySpecOptions )
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying software installers for team %q: %w" , tmName , err )
2024-05-14 18:06:33 +00:00
}
2024-10-10 11:12:24 +00:00
teamsSoftwareInstallers [ tmName ] = installers
2024-05-14 18:06:33 +00:00
}
}
2024-07-22 17:19:19 +00:00
if len ( tmSoftwareAppsPayloads ) > 0 {
for tmName , apps := range tmSoftwareAppsPayloads {
// For non-dry run, currentTeamName and tmName are the same
currentTeamName := getTeamName ( tmName )
2024-10-23 18:51:02 +00:00
logfn ( "[+] applying %d app store apps for team %s\n" , len ( apps ) , tmName )
2025-01-14 18:52:39 +00:00
appsResponse , err := c . ApplyTeamAppStoreAppsAssociation ( currentTeamName , apps , opts . ApplySpecOptions )
if err != nil {
return nil , nil , nil , nil , fmt . Errorf ( "applying app store apps for team: %q: %w" , tmName , err )
2024-07-22 17:19:19 +00:00
}
2025-01-14 18:52:39 +00:00
teamsVPPApps [ tmName ] = appsResponse
2024-07-22 17:19:19 +00:00
}
}
2022-09-19 17:53:44 +00:00
if opts . DryRun {
logfn ( "[+] would've applied %d teams\n" , len ( specs . Teams ) )
} else {
logfn ( "[+] applied %d teams\n" , len ( specs . Teams ) )
}
2022-08-05 22:07:32 +00:00
}
2024-09-06 22:10:28 +00:00
// Policies can reference software installers thus they are applied at this point.
if len ( specs . Policies ) > 0 {
// Policy names must be unique, return error if duplicate policy names are found
if policyName := fleet . FirstDuplicatePolicySpecName ( specs . Policies ) ; policyName != "" {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf (
2024-09-06 22:10:28 +00:00
"applying policies: policy names must be unique. Please correct policy %q and try again." , policyName ,
)
}
if opts . DryRun {
logfn ( "[!] ignoring policies, dry run mode only supported for 'config' and 'team' specs\n" )
} else {
// If set, override the team in all the policies.
if opts . TeamForPolicies != "" {
for _ , policySpec := range specs . Policies {
policySpec . Team = opts . TeamForPolicies
}
}
if err := c . ApplyPolicies ( specs . Policies ) ; err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying policies: %w" , err )
2024-09-06 22:10:28 +00:00
}
logfn ( "[+] applied %d policies\n" , len ( specs . Policies ) )
}
}
2022-08-05 22:07:32 +00:00
if specs . UsersRoles != nil {
2022-09-19 17:53:44 +00:00
if opts . DryRun {
logfn ( "[!] ignoring user roles, dry run mode only supported for 'config' and 'team' specs\n" )
} else {
if err := c . ApplyUsersRoleSecretSpec ( specs . UsersRoles ) ; err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , nil , nil , fmt . Errorf ( "applying user roles: %w" , err )
2022-09-19 17:53:44 +00:00
}
logfn ( "[+] applied user roles\n" )
2022-08-05 22:07:32 +00:00
}
}
2024-09-06 22:10:28 +00:00
2025-01-14 18:52:39 +00:00
return teamIDsByName , teamsSoftwareInstallers , teamsVPPApps , teamsScripts , nil
2022-08-05 22:07:32 +00:00
}
2023-02-15 18:01:44 +00:00
2024-10-23 18:51:02 +00:00
func extractTeamOrNoTeamMacOSSetupSoftware ( baseDir string , software [ ] * fleet . MacOSSetupSoftware ) ( map [ fleet . MacOSSetupSoftware ] struct { } , error ) {
m := make ( map [ fleet . MacOSSetupSoftware ] struct { } , len ( software ) )
for _ , sw := range software {
if sw . AppStoreID != "" && sw . PackagePath != "" {
return nil , errors . New ( "applying teams: only one of app_store_id or package_path can be set" )
}
if sw . PackagePath != "" {
sw . PackagePath = resolveApplyRelativePath ( baseDir , sw . PackagePath )
}
m [ * sw ] = struct { } { }
}
return m , nil
}
2025-09-05 13:38:00 +00:00
func validateTeamOrNoTeamMacOSSetupSoftware ( teamName string , macOSSetupSoftware [ ] * fleet . MacOSSetupSoftware , pathsWithPackages map [ string ] struct { } , vppAppsByAppID map [ string ] fleet . TeamSpecAppStoreApp ) error {
2024-10-23 18:51:02 +00:00
// if macos_setup.software has some values, they must exist in the software
// packages or vpp apps.
for _ , ssw := range macOSSetupSoftware {
var valid bool
if ssw . AppStoreID != "" {
// check that it exists in the team's Apps
_ , valid = vppAppsByAppID [ ssw . AppStoreID ]
} else if ssw . PackagePath != "" {
// check that it exists in the team's Software installers (PackagePath is
// already resolved to abs dir)
2025-09-05 13:38:00 +00:00
_ , valid = pathsWithPackages [ ssw . PackagePath ]
2024-10-23 18:51:02 +00:00
}
if ! valid {
label := ssw . AppStoreID
if label == "" {
label = ssw . PackagePath
}
return fmt . Errorf ( "applying macOS setup experience software for team %q: software %q does not exist for that team" , teamName , label )
}
}
return nil
}
2024-11-07 17:22:08 +00:00
func buildSoftwarePackagesPayload ( specs [ ] fleet . SoftwarePackageSpec , installDuringSetupKeys map [ fleet . MacOSSetupSoftware ] struct { } ) ( [ ] fleet . SoftwareInstallerPayload , error ) {
2024-08-05 17:39:10 +00:00
softwarePayloads := make ( [ ] fleet . SoftwareInstallerPayload , len ( specs ) )
for i , si := range specs {
var qc string
var err error
2025-04-18 20:41:41 +00:00
2024-08-05 17:39:10 +00:00
if si . PreInstallQuery . Path != "" {
2024-11-07 17:22:08 +00:00
queryFile := si . PreInstallQuery . Path
2024-08-05 17:39:10 +00:00
rawSpec , err := os . ReadFile ( queryFile )
if err != nil {
return nil , fmt . Errorf ( "reading pre-install query: %w" , err )
}
rawSpecExpanded , err := spec . ExpandEnvBytes ( rawSpec )
if err != nil {
return nil , fmt . Errorf ( "Couldn't exit software (%s). Unable to expand environment variable in YAML file %s: %w" , si . URL , queryFile , err )
}
var top any
if err := yaml . Unmarshal ( rawSpecExpanded , & top ) ; err != nil {
return nil , fmt . Errorf ( "Couldn't exit software (%s). Unable to expand environment variable in YAML file %s: %w" , si . URL , queryFile , err )
}
if _ , ok := top . ( map [ any ] any ) ; ok {
// Old apply format
group , err := spec . GroupFromBytes ( rawSpecExpanded )
if err != nil {
return nil , fmt . Errorf ( "Couldn't edit software (%s). Unable to parse pre-install apply format query YAML file %s: %w" , si . URL , queryFile , err )
}
if len ( group . Queries ) > 1 {
return nil , fmt . Errorf ( "Couldn't edit software (%s). Pre-install query YAML file %s should have only one query." , si . URL , queryFile )
}
if len ( group . Queries ) == 0 {
return nil , fmt . Errorf ( "Couldn't edit software (%s). Pre-install query YAML file %s doesn't have a query defined." , si . URL , queryFile )
}
qc = group . Queries [ 0 ] . Query
} else {
// Gitops format
var querySpecs [ ] fleet . QuerySpec
if err := yaml . Unmarshal ( rawSpecExpanded , & querySpecs ) ; err != nil {
return nil , fmt . Errorf ( "Couldn't edit software (%s). Unable to parse pre-install query YAML file %s: %w" , si . URL , queryFile , err )
}
if len ( querySpecs ) > 1 {
return nil , fmt . Errorf ( "Couldn't edit software (%s). Pre-install query YAML file %s should have only one query." , si . URL , queryFile )
}
if len ( querySpecs ) == 0 {
return nil , fmt . Errorf ( "Couldn't edit software (%s). Pre-install query YAML file %s doesn't have a query defined." , si . URL , queryFile )
}
qc = querySpecs [ 0 ] . Query
}
}
var ic [ ] byte
if si . InstallScript . Path != "" {
2024-11-07 17:22:08 +00:00
installScriptFile := si . InstallScript . Path
2024-08-05 17:39:10 +00:00
ic , err = os . ReadFile ( installScriptFile )
if err != nil {
return nil , fmt . Errorf ( "Couldn't edit software (%s). Unable to read install script file %s: %w" , si . URL , si . InstallScript . Path , err )
}
}
var pc [ ] byte
if si . PostInstallScript . Path != "" {
2024-11-07 17:22:08 +00:00
postInstallScriptFile := si . PostInstallScript . Path
2024-08-05 17:39:10 +00:00
pc , err = os . ReadFile ( postInstallScriptFile )
if err != nil {
return nil , fmt . Errorf ( "Couldn't edit software (%s). Unable to read post-install script file %s: %w" , si . URL , si . PostInstallScript . Path , err )
}
}
2024-09-12 18:25:40 +00:00
var us [ ] byte
if si . UninstallScript . Path != "" {
2024-11-07 17:22:08 +00:00
uninstallScriptFile := si . UninstallScript . Path
2024-09-12 18:25:40 +00:00
us , err = os . ReadFile ( uninstallScriptFile )
if err != nil {
return nil , fmt . Errorf ( "Couldn't edit software (%s). Unable to read uninstall script file %s: %w" , si . URL ,
si . UninstallScript . Path , err )
}
}
2024-10-23 18:51:02 +00:00
var installDuringSetup * bool
if installDuringSetupKeys != nil {
_ , ok := installDuringSetupKeys [ fleet . MacOSSetupSoftware { PackagePath : si . ReferencedYamlPath } ]
installDuringSetup = & ok
}
2025-09-03 18:32:11 +00:00
if si . InstallDuringSetup . Valid {
if len ( installDuringSetupKeys ) > 0 {
2025-09-03 18:52:25 +00:00
return nil , errConflictingSoftwareSetupExperienceDeclarations { si . URL }
2025-09-03 18:32:11 +00:00
}
installDuringSetup = & si . InstallDuringSetup . Value
}
2024-08-05 17:39:10 +00:00
softwarePayloads [ i ] = fleet . SoftwareInstallerPayload {
2024-10-23 18:51:02 +00:00
URL : si . URL ,
SelfService : si . SelfService ,
PreInstallQuery : qc ,
InstallScript : string ( ic ) ,
PostInstallScript : string ( pc ) ,
UninstallScript : string ( us ) ,
InstallDuringSetup : installDuringSetup ,
2024-12-17 19:28:17 +00:00
LabelsIncludeAny : si . LabelsIncludeAny ,
LabelsExcludeAny : si . LabelsExcludeAny ,
2025-04-18 20:41:41 +00:00
SHA256 : si . SHA256 ,
2025-05-07 15:19:33 +00:00
Categories : si . Categories ,
2024-08-05 17:39:10 +00:00
}
2025-05-07 23:16:08 +00:00
if si . Slug != nil {
softwarePayloads [ i ] . Slug = si . Slug
}
2024-08-05 17:39:10 +00:00
}
return softwarePayloads , nil
}
2023-04-07 20:31:02 +00:00
func extractAppCfgMacOSSetup ( appCfg any ) * fleet . MacOSSetup {
asMap , ok := appCfg . ( map [ string ] interface { } )
if ! ok {
return nil
}
mmdm , ok := asMap [ "mdm" ] . ( map [ string ] interface { } )
if ! ok {
return nil
}
2025-02-07 20:35:51 +00:00
// GitOps
mosGitOps , ok := mmdm [ "macos_setup" ] . ( * fleet . MacOSSetup )
if ok {
return mosGitOps
}
// Legacy fleetctl apply
2023-04-07 20:31:02 +00:00
mos , ok := mmdm [ "macos_setup" ] . ( map [ string ] interface { } )
if ! ok || mos == nil {
return nil
}
2023-04-25 13:36:01 +00:00
bp , _ := mos [ "bootstrap_package" ] . ( string ) // if not a string, bp == ""
msa , _ := mos [ "macos_setup_assistant" ] . ( string )
2023-04-07 20:31:02 +00:00
return & fleet . MacOSSetup {
2023-04-26 21:09:21 +00:00
BootstrapPackage : optjson . SetString ( bp ) ,
2023-04-25 13:36:01 +00:00
MacOSSetupAssistant : optjson . SetString ( msa ) ,
2023-04-07 20:31:02 +00:00
}
}
2023-04-25 13:36:01 +00:00
func resolveApplyRelativePath ( baseDir , path string ) string {
return resolveApplyRelativePaths ( baseDir , [ ] string { path } ) [ 0 ]
}
// resolves the paths to an absolute path relative to the baseDir, which should
// be the path of the YAML file where the relative paths were specified. If the
// path is already absolute, it is left untouched.
func resolveApplyRelativePaths ( baseDir string , paths [ ] string ) [ ] string {
2023-02-15 18:01:44 +00:00
if baseDir == "" {
return paths
}
resolved := make ( [ ] string , 0 , len ( paths ) )
for _ , p := range paths {
if ! filepath . IsAbs ( p ) {
p = filepath . Join ( baseDir , p )
}
resolved = append ( resolved , p )
}
return resolved
}
2024-01-26 16:00:58 +00:00
func extractAppCfgCustomSettings ( appCfg interface { } , platformKey string ) [ ] fleet . MDMProfileSpec {
2023-02-15 18:01:44 +00:00
asMap , ok := appCfg . ( map [ string ] interface { } )
if ! ok {
return nil
}
2023-02-28 20:34:46 +00:00
mmdm , ok := asMap [ "mdm" ] . ( map [ string ] interface { } )
if ! ok {
return nil
}
2025-02-06 22:39:15 +00:00
mos , ok := mmdm [ platformKey ] . ( fleet . WithMDMProfileSpecs )
if ! ok || mos == nil {
return legacyExtractAppCfgCustomSettings ( mmdm , platformKey )
}
return mos . GetMDMProfileSpecs ( )
}
// legacyExtractAppCfgCustomSettings is used to extract custom settings for legacy fleetctl apply use case
func legacyExtractAppCfgCustomSettings ( mmdm map [ string ] interface { } , platformKey string ) [ ] fleet . MDMProfileSpec {
2024-01-26 16:00:58 +00:00
mos , ok := mmdm [ platformKey ] . ( map [ string ] interface { } )
2023-02-15 18:01:44 +00:00
if ! ok || mos == nil {
return nil
}
cs , ok := mos [ "custom_settings" ]
if ! ok {
// custom settings is not present
return nil
}
csAny , ok := cs . ( [ ] interface { } )
if ! ok || csAny == nil {
// return a non-nil, empty slice instead, so the caller knows that the
// custom_settings key was actually provided.
2024-01-26 16:00:58 +00:00
return [ ] fleet . MDMProfileSpec { }
2023-02-15 18:01:44 +00:00
}
2024-06-25 19:26:28 +00:00
extractLabelField := func ( parentMap map [ string ] interface { } , fieldName string ) [ ] string {
var ret [ ] string
if labels , ok := parentMap [ fieldName ] . ( [ ] interface { } ) ; ok {
for _ , label := range labels {
if strLabel , ok := label . ( string ) ; ok {
ret = append ( ret , strLabel )
}
}
}
return ret
}
2024-01-26 16:00:58 +00:00
csSpecs := make ( [ ] fleet . MDMProfileSpec , 0 , len ( csAny ) )
2023-02-15 18:01:44 +00:00
for _ , v := range csAny {
2024-01-26 16:00:58 +00:00
if m , ok := v . ( map [ string ] interface { } ) ; ok {
var profSpec fleet . MDMProfileSpec
2023-02-15 18:01:44 +00:00
2024-01-26 16:00:58 +00:00
// extract the Path field
if path , ok := m [ "path" ] . ( string ) ; ok {
profSpec . Path = path
}
2023-11-29 14:32:42 +00:00
2024-06-25 19:26:28 +00:00
// at this stage we extract and return all supported label fields, the
// validations are done later on in the Fleet API endpoint.
profSpec . Labels = extractLabelField ( m , "labels" )
profSpec . LabelsIncludeAll = extractLabelField ( m , "labels_include_all" )
2024-11-05 20:13:44 +00:00
profSpec . LabelsIncludeAny = extractLabelField ( m , "labels_include_any" )
2024-06-25 19:26:28 +00:00
profSpec . LabelsExcludeAny = extractLabelField ( m , "labels_exclude_any" )
2023-11-29 14:32:42 +00:00
2024-01-26 16:00:58 +00:00
if profSpec . Path != "" {
csSpecs = append ( csSpecs , profSpec )
}
} else if m , ok := v . ( string ) ; ok { // for backwards compatibility with the old way to define profiles
if m != "" {
csSpecs = append ( csSpecs , fleet . MDMProfileSpec { Path : m } )
}
2023-11-29 14:32:42 +00:00
}
}
2024-01-26 16:00:58 +00:00
return csSpecs
}
func extractAppCfgMacOSCustomSettings ( appCfg interface { } ) [ ] fleet . MDMProfileSpec {
return extractAppCfgCustomSettings ( appCfg , "macos_settings" )
}
func extractAppCfgWindowsCustomSettings ( appCfg interface { } ) [ ] fleet . MDMProfileSpec {
return extractAppCfgCustomSettings ( appCfg , "windows_settings" )
2023-11-29 14:32:42 +00:00
}
2023-11-15 21:04:24 +00:00
2025-09-22 15:29:57 +00:00
func extractAppCfgAndroidCustomSettings ( appCfg interface { } ) [ ] fleet . MDMProfileSpec {
return extractAppCfgCustomSettings ( appCfg , "android_settings" )
}
2023-10-10 22:00:45 +00:00
func extractAppCfgScripts ( appCfg interface { } ) [ ] string {
asMap , ok := appCfg . ( map [ string ] interface { } )
if ! ok {
return nil
}
scripts , ok := asMap [ "scripts" ]
if ! ok {
// scripts is not present
return nil
}
scriptsAny , ok := scripts . ( [ ] interface { } )
if ! ok || scriptsAny == nil {
// return a non-nil, empty slice instead, so the caller knows that the
// scripts key was actually provided.
return [ ] string { }
}
scriptsStrings := make ( [ ] string , 0 , len ( scriptsAny ) )
for _ , v := range scriptsAny {
s , _ := v . ( string )
if s != "" {
scriptsStrings = append ( scriptsStrings , s )
}
}
return scriptsStrings
}
2024-11-13 17:01:08 +00:00
func extractAppCfgYaraRules ( appCfg interface { } ) ( [ ] fleet . YaraRuleSpec , error ) {
asMap , ok := appCfg . ( map [ string ] interface { } )
if ! ok {
return nil , errors . New ( "extract yara rules: app config is not a map" )
}
rules , ok := asMap [ "yara_rules" ]
if ! ok {
// yara_rules is not present. Return an empty slice so that the value is cleared.
return [ ] fleet . YaraRuleSpec { } , nil
}
rulesAny , ok := rules . ( [ ] interface { } )
if ! ok || rulesAny == nil {
// If nil, return an empty slice so the value will be cleared.
return [ ] fleet . YaraRuleSpec { } , nil
}
ruleSpecs := make ( [ ] fleet . YaraRuleSpec , 0 , len ( rulesAny ) )
for _ , v := range rulesAny {
smap , ok := v . ( map [ string ] interface { } )
if ! ok {
return nil , errors . New ( "extract yara rules: rule entry is not a map" )
}
pathEntry , ok := smap [ "path" ]
if ! ok {
return nil , errors . New ( "extract yara rules: rule entry missing path" )
}
path , ok := pathEntry . ( string )
if ! ok {
return nil , errors . New ( "extract yara rules: rule entry path is not string" )
}
ruleSpecs = append ( ruleSpecs , fleet . YaraRuleSpec { Path : path } )
}
return ruleSpecs , nil
}
2024-06-14 17:48:00 +00:00
type profileSpecsByPlatform struct {
macos [ ] fleet . MDMProfileSpec
windows [ ] fleet . MDMProfileSpec
2025-09-22 15:29:57 +00:00
android [ ] fleet . MDMProfileSpec
2024-06-14 17:48:00 +00:00
}
2024-06-27 21:10:49 +00:00
func extractTeamName ( tmSpec json . RawMessage ) string {
var s struct {
Name string ` json:"name" `
}
if err := json . Unmarshal ( tmSpec , & s ) ; err != nil {
return ""
}
return norm . NFC . String ( s . Name )
}
2025-09-22 15:29:57 +00:00
// returns the custom macOS, Windows and Android settings keyed by team name.
2024-06-14 17:48:00 +00:00
func extractTmSpecsMDMCustomSettings ( tmSpecs [ ] json . RawMessage ) map [ string ] profileSpecsByPlatform {
var m map [ string ] profileSpecsByPlatform
2023-02-15 18:01:44 +00:00
for _ , tm := range tmSpecs {
var spec struct {
2023-02-28 20:34:46 +00:00
Name string ` json:"name" `
MDM struct {
MacOSSettings struct {
CustomSettings json . RawMessage ` json:"custom_settings" `
} ` json:"macos_settings" `
2023-11-15 21:04:24 +00:00
WindowsSettings struct {
2023-11-29 14:32:42 +00:00
CustomSettings json . RawMessage ` json:"custom_settings" `
2023-11-15 21:04:24 +00:00
} ` json:"windows_settings" `
2025-09-22 15:29:57 +00:00
AndroidSettings struct {
CustomSettings json . RawMessage ` json:"custom_settings" `
} ` json:"android_settings" `
2023-02-28 20:34:46 +00:00
} ` json:"mdm" `
2023-02-15 18:01:44 +00:00
}
if err := json . Unmarshal ( tm , & spec ) ; err != nil {
// ignore, this will fail in the call to apply team specs
continue
}
2024-02-27 18:55:05 +00:00
spec . Name = norm . NFC . String ( spec . Name )
2023-11-15 21:04:24 +00:00
if spec . Name != "" {
2024-01-26 16:00:58 +00:00
var macOSSettings [ ] fleet . MDMProfileSpec
var windowsSettings [ ] fleet . MDMProfileSpec
2025-09-22 15:29:57 +00:00
var androidSettings [ ] fleet . MDMProfileSpec
2023-11-15 21:04:24 +00:00
// to keep existing bahavior, if any of the custom
// settings is provided, make the map a non-nil map
if len ( spec . MDM . MacOSSettings . CustomSettings ) > 0 ||
2025-09-22 15:29:57 +00:00
len ( spec . MDM . WindowsSettings . CustomSettings ) > 0 ||
len ( spec . MDM . AndroidSettings . CustomSettings ) > 0 {
2023-11-15 21:04:24 +00:00
if m == nil {
2024-06-14 17:48:00 +00:00
m = make ( map [ string ] profileSpecsByPlatform )
2023-11-15 21:04:24 +00:00
}
}
if len ( spec . MDM . MacOSSettings . CustomSettings ) > 0 {
if err := json . Unmarshal ( spec . MDM . MacOSSettings . CustomSettings , & macOSSettings ) ; err != nil {
// ignore, will fail in apply team specs call
continue
}
if macOSSettings == nil {
// to be consistent with the AppConfig custom settings, set it to an
// empty slice if the provided custom settings are present but empty.
2024-01-26 16:00:58 +00:00
macOSSettings = [ ] fleet . MDMProfileSpec { }
2023-11-15 21:04:24 +00:00
}
2023-02-15 18:01:44 +00:00
}
2023-11-15 21:04:24 +00:00
if len ( spec . MDM . WindowsSettings . CustomSettings ) > 0 {
if err := json . Unmarshal ( spec . MDM . WindowsSettings . CustomSettings , & windowsSettings ) ; err != nil {
// ignore, will fail in apply team specs call
continue
}
if windowsSettings == nil {
// to be consistent with the AppConfig custom settings, set it to an
// empty slice if the provided custom settings are present but empty.
2024-01-26 16:00:58 +00:00
windowsSettings = [ ] fleet . MDMProfileSpec { }
2023-11-15 21:04:24 +00:00
}
2023-02-15 18:01:44 +00:00
}
2025-09-22 15:29:57 +00:00
if len ( spec . MDM . AndroidSettings . CustomSettings ) > 0 {
if err := json . Unmarshal ( spec . MDM . AndroidSettings . CustomSettings , & androidSettings ) ; err != nil {
// ignore, will fail in apply team specs call
continue
}
if androidSettings == nil {
// to be consistent with the AppConfig custom settings, set it to an
// empty slice if the provided custom settings are present but empty.
androidSettings = [ ] fleet . MDMProfileSpec { }
}
}
2023-11-15 21:04:24 +00:00
2024-01-26 16:00:58 +00:00
// TODO: validate equal names here and API?
2024-06-14 17:48:00 +00:00
var result profileSpecsByPlatform
if macOSSettings != nil {
result . macos = macOSSettings
}
if windowsSettings != nil {
result . windows = windowsSettings
}
2025-09-22 15:29:57 +00:00
if androidSettings != nil {
result . android = androidSettings
}
2024-06-14 17:48:00 +00:00
2025-09-22 15:29:57 +00:00
if macOSSettings != nil || windowsSettings != nil || androidSettings != nil {
2024-06-14 17:48:00 +00:00
m [ spec . Name ] = result
2023-02-15 18:01:44 +00:00
}
}
}
return m
}
2023-04-07 20:31:02 +00:00
2024-08-05 17:39:10 +00:00
func extractTmSpecsSoftwarePackages ( tmSpecs [ ] json . RawMessage ) map [ string ] [ ] fleet . SoftwarePackageSpec {
var m map [ string ] [ ] fleet . SoftwarePackageSpec
2024-05-14 18:06:33 +00:00
for _ , tm := range tmSpecs {
var spec struct {
Name string ` json:"name" `
Software json . RawMessage ` json:"software" `
}
if err := json . Unmarshal ( tm , & spec ) ; err != nil {
// ignore, this will fail in the call to apply team specs
continue
}
spec . Name = norm . NFC . String ( spec . Name )
if spec . Name != "" && len ( spec . Software ) > 0 {
if m == nil {
2024-08-05 17:39:10 +00:00
m = make ( map [ string ] [ ] fleet . SoftwarePackageSpec )
2024-05-14 18:06:33 +00:00
}
2024-08-05 17:39:10 +00:00
var software fleet . SoftwareSpec
var packages [ ] fleet . SoftwarePackageSpec
2024-05-14 18:06:33 +00:00
if err := json . Unmarshal ( spec . Software , & software ) ; err != nil {
// ignore, will fail in apply team specs call
continue
}
2024-07-10 18:53:03 +00:00
if ! software . Packages . Valid {
2024-05-14 18:06:33 +00:00
// to be consistent with the AppConfig custom settings, set it to an
// empty slice if the provided custom settings are present but empty.
2024-08-05 17:39:10 +00:00
packages = [ ] fleet . SoftwarePackageSpec { }
2024-07-10 18:53:03 +00:00
} else {
packages = software . Packages . Value
2024-05-14 18:06:33 +00:00
}
2024-07-10 18:53:03 +00:00
m [ spec . Name ] = packages
2024-05-14 18:06:33 +00:00
}
}
return m
}
2025-05-07 23:16:08 +00:00
func extractTmSpecsFleetMaintainedApps ( tmSpecs [ ] json . RawMessage ) map [ string ] [ ] fleet . SoftwarePackageSpec {
var m map [ string ] [ ] fleet . SoftwarePackageSpec
for _ , tm := range tmSpecs {
var spec struct {
Name string ` json:"name" `
Software json . RawMessage ` json:"software" `
}
if err := json . Unmarshal ( tm , & spec ) ; err != nil {
// ignore, this will fail in the call to apply team specs
continue
}
spec . Name = norm . NFC . String ( spec . Name )
if spec . Name != "" && len ( spec . Software ) > 0 {
if m == nil {
m = make ( map [ string ] [ ] fleet . SoftwarePackageSpec )
}
var software fleet . SoftwareSpec
var packages [ ] fleet . SoftwarePackageSpec
if err := json . Unmarshal ( spec . Software , & software ) ; err != nil {
// ignore, will fail in apply team specs call
continue
}
if ! software . FleetMaintainedApps . Valid {
// to be consistent with the AppConfig custom settings, set it to an
// empty slice if the provided custom settings are present but empty.
packages = [ ] fleet . SoftwarePackageSpec { }
} else {
for _ , app := range software . FleetMaintainedApps . Value {
2025-08-13 12:48:36 +00:00
packages = append ( packages , app . ToSoftwarePackageSpec ( ) )
2025-05-07 23:16:08 +00:00
}
}
m [ spec . Name ] = packages
}
}
return m
}
2024-07-22 17:19:19 +00:00
func extractTmSpecsSoftwareApps ( tmSpecs [ ] json . RawMessage ) map [ string ] [ ] fleet . TeamSpecAppStoreApp {
var m map [ string ] [ ] fleet . TeamSpecAppStoreApp
for _ , tm := range tmSpecs {
var spec struct {
Name string ` json:"name" `
Software json . RawMessage ` json:"software" `
}
if err := json . Unmarshal ( tm , & spec ) ; err != nil {
// ignore, this will fail in the call to apply team specs
continue
}
spec . Name = norm . NFC . String ( spec . Name )
if spec . Name != "" && len ( spec . Software ) > 0 {
if m == nil {
m = make ( map [ string ] [ ] fleet . TeamSpecAppStoreApp )
}
2024-08-05 17:39:10 +00:00
var software fleet . SoftwareSpec
2024-07-22 17:19:19 +00:00
var apps [ ] fleet . TeamSpecAppStoreApp
if err := json . Unmarshal ( spec . Software , & software ) ; err != nil {
// ignore, will fail in apply team specs call
continue
}
if ! software . AppStoreApps . Valid {
// to be consistent with the AppConfig custom settings, set it to an
// empty slice if the provided custom settings are present but empty.
apps = [ ] fleet . TeamSpecAppStoreApp { }
} else {
apps = software . AppStoreApps . Value
}
m [ spec . Name ] = apps
}
}
return m
}
2023-10-10 22:00:45 +00:00
func extractTmSpecsScripts ( tmSpecs [ ] json . RawMessage ) map [ string ] [ ] string {
var m map [ string ] [ ] string
for _ , tm := range tmSpecs {
var spec struct {
Name string ` json:"name" `
Scripts json . RawMessage ` json:"scripts" `
}
if err := json . Unmarshal ( tm , & spec ) ; err != nil {
// ignore, this will fail in the call to apply team specs
continue
}
2024-02-27 18:55:05 +00:00
spec . Name = norm . NFC . String ( spec . Name )
2023-10-10 22:00:45 +00:00
if spec . Name != "" && len ( spec . Scripts ) > 0 {
if m == nil {
m = make ( map [ string ] [ ] string )
}
var scripts [ ] string
if err := json . Unmarshal ( spec . Scripts , & scripts ) ; err != nil {
// ignore, will fail in apply team specs call
continue
}
if scripts == nil {
// to be consistent with the AppConfig custom settings, set it to an
// empty slice if the provided custom settings are present but empty.
scripts = [ ] string { }
}
m [ spec . Name ] = scripts
}
}
return m
}
2023-04-07 20:31:02 +00:00
// returns the macos_setup keyed by team name.
func extractTmSpecsMacOSSetup ( tmSpecs [ ] json . RawMessage ) map [ string ] * fleet . MacOSSetup {
var m map [ string ] * fleet . MacOSSetup
for _ , tm := range tmSpecs {
var spec struct {
Name string ` json:"name" `
MDM struct {
MacOSSetup fleet . MacOSSetup ` json:"macos_setup" `
} ` json:"mdm" `
}
if err := json . Unmarshal ( tm , & spec ) ; err != nil {
// ignore, this will fail in the call to apply team specs
continue
}
2024-02-27 18:55:05 +00:00
spec . Name = norm . NFC . String ( spec . Name )
2023-04-07 20:31:02 +00:00
if spec . Name != "" {
if m == nil {
m = make ( map [ string ] * fleet . MacOSSetup )
}
m [ spec . Name ] = & spec . MDM . MacOSSetup
}
}
return m
}
2024-02-09 19:34:57 +00:00
2024-12-11 21:05:48 +00:00
func ( c * Client ) SaveEnvSecrets ( alreadySaved map [ string ] string , toSave map [ string ] string , dryRun bool ) error {
if len ( toSave ) == 0 {
return nil
}
// Figure out which secrets need to be saved
var secretsToSave [ ] fleet . SecretVariable
for key , value := range toSave {
if _ , ok := alreadySaved [ key ] ; ! ok {
secretsToSave = append ( secretsToSave , fleet . SecretVariable { Name : key , Value : value } )
alreadySaved [ key ] = value
}
}
if len ( secretsToSave ) == 0 {
return nil
}
return c . SaveSecretVariables ( secretsToSave , dryRun )
}
2024-02-09 19:34:57 +00:00
// DoGitOps applies the GitOps config to Fleet.
func ( c * Client ) DoGitOps (
ctx context . Context ,
2025-09-04 16:39:41 +00:00
incoming * spec . GitOps ,
2024-06-27 21:10:49 +00:00
fullFilename string ,
2024-02-09 19:34:57 +00:00
logf func ( format string , args ... interface { } ) ,
dryRun bool ,
2024-05-03 13:03:00 +00:00
teamDryRunAssumptions * fleet . TeamSpecsDryRunAssumptions ,
2025-08-26 17:23:24 +00:00
appConfig * fleet . EnrichedAppConfig , // pass-by-ref to build lists
2024-10-10 11:12:24 +00:00
teamsSoftwareInstallers map [ string ] [ ] fleet . SoftwarePackageResponse ,
2025-01-14 18:52:39 +00:00
teamsVPPApps map [ string ] [ ] fleet . VPPAppResponse ,
2024-10-10 11:12:24 +00:00
teamsScripts map [ string ] [ ] fleet . ScriptResponse ,
2025-05-14 00:16:16 +00:00
) ( * fleet . TeamSpecsDryRunAssumptions , [ ] func ( ) error , error ) {
2024-06-27 21:10:49 +00:00
baseDir := filepath . Dir ( fullFilename )
filename := filepath . Base ( fullFilename )
2024-05-03 13:03:00 +00:00
var teamAssumptions * fleet . TeamSpecsDryRunAssumptions
2024-02-09 19:34:57 +00:00
var err error
logFn := func ( format string , args ... interface { } ) {
if logf != nil {
logf ( format , args ... )
}
}
2025-09-04 16:39:41 +00:00
scripts := make ( [ ] interface { } , len ( incoming . Controls . Scripts ) )
for i , script := range incoming . Controls . Scripts {
2024-02-09 19:34:57 +00:00
scripts [ i ] = * script . Path
}
var mdmAppConfig map [ string ] interface { }
var team map [ string ] interface { }
2025-05-14 00:16:16 +00:00
var postOps [ ] func ( ) error
2025-09-04 16:39:41 +00:00
var eulaPath string
group := spec . Group { } // as we parse the incoming gitops spec, we'll build out various group specs that will each be applied separately
if incoming . TeamName == nil {
// OrgSettings is the basis of the group AppConfig, but we will be adding and removing some
// items because the GitOps structure is not the same as the AppConfig structure.
group . AppConfig = incoming . OrgSettings
// Agent options is a top-level key in the GitOps file but is also stored in the AppConfig.
group . AppConfig . ( map [ string ] interface { } ) [ "agent_options" ] = incoming . AgentOptions
// Enroll secrets are managed separately in Client.ApplyGroup, so we remove them from the
// OrgSettings so that they are not applied as part of the AppConfig.
group . EnrollSecret = & fleet . EnrollSecretSpec { Secrets : incoming . OrgSettings [ "secrets" ] . ( [ ] * fleet . EnrollSecret ) }
delete ( incoming . OrgSettings , "secrets" )
// Certificate authorities are managed separately in Client.ApplyGroup, so we remove them from the
// OrgSettings so that they are not applied as part of the AppConfig.
groupedCAs , err := fleet . ValidateCertificateAuthoritiesSpec ( incoming . OrgSettings [ "certificate_authorities" ] )
if err != nil {
return nil , nil , fmt . Errorf ( "invalid certificate_authorities: %w" , err )
}
group . CertificateAuthorities = groupedCAs
delete ( incoming . OrgSettings , "certificate_authorities" )
2024-03-13 15:05:46 +00:00
Manage labels in GitOps (#27038)
For #24473
# Checklist for submitter
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
## Details
This PR adds the ability to manage labels via GitOps. Usage is as
follows:
* If a top-level `labels:` key is provided in the global YAML file
provided to GitOps, then any labels in this list will be created (if
using a new name) or updated (if using an existing name).
* If no top-level `labels:` key is provided, no changes will be made to
labels. This allows backwards-compatibility; customers won't blow away
all of their labels if they don't immediately use `labels:` in their
YAML
Additionally, some new validation has been added so that label usage is
checked prior to application. This means that when the gitops command is
run, it will verify that any labels referenced elsewhere in the YAML
(e.g. by software installers or mdm profiles) exist, and will bail with
an error message if they don't.
## Testing
**Test label deletion**
1. Add some labels via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, and verify that it doesn't say it will update or delete
any labels
2. Run `fleetctl gitops` with a default.yml file _without_ `labels:` in
it, and verify that it doesn't modify or remove your labels
4. Run `fleetctl gitops --dry-run` with a default.yml file with
`labels:` in it and nothing underneath, and verify that it says that it
will delete your labels
4. Run `fleetctl gitops` with a default.yml file with `labels:` in it
and nothing underneath, and verify that it removes all your labels
**Test label create/update**
1. Add a label "foo" via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file with two
`labels:` in it, one named "foo" and one named "bar". Verify that the
output says that one label will be created and one will be updated.
2. Run `fleetctl gitops` with a default.yml file with two `labels:` in
it, one named "foo" and one named "bar". Verify that the two labels now
exist in the UI with the configuration you specified.
**Test label usage**
1. Add a label "foo" in the UI.
1. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, where a software installer or mdm profile uses the
"foo" label via `labels_include_any`. Verify that the output doesn't
complain about unknown labels.
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with nothing underneath, and a software installer or mdm
profile uses the "foo" label via `labels_include_any`. Verify that the
output complains about unknown label "foo"
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with a "foo" label defined underneath, and a software
installer or mdm profile uses the "foo" label via `labels_include_any`.
Verify that the output doesn't complain about unknown labels.
2025-03-19 21:35:11 +00:00
// Labels
2025-09-04 16:39:41 +00:00
if incoming . Labels == nil || len ( incoming . Labels ) > 0 {
labelsToDelete , err := c . doGitOpsLabels ( incoming , logFn , dryRun )
Manage labels in GitOps (#27038)
For #24473
# Checklist for submitter
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
## Details
This PR adds the ability to manage labels via GitOps. Usage is as
follows:
* If a top-level `labels:` key is provided in the global YAML file
provided to GitOps, then any labels in this list will be created (if
using a new name) or updated (if using an existing name).
* If no top-level `labels:` key is provided, no changes will be made to
labels. This allows backwards-compatibility; customers won't blow away
all of their labels if they don't immediately use `labels:` in their
YAML
Additionally, some new validation has been added so that label usage is
checked prior to application. This means that when the gitops command is
run, it will verify that any labels referenced elsewhere in the YAML
(e.g. by software installers or mdm profiles) exist, and will bail with
an error message if they don't.
## Testing
**Test label deletion**
1. Add some labels via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, and verify that it doesn't say it will update or delete
any labels
2. Run `fleetctl gitops` with a default.yml file _without_ `labels:` in
it, and verify that it doesn't modify or remove your labels
4. Run `fleetctl gitops --dry-run` with a default.yml file with
`labels:` in it and nothing underneath, and verify that it says that it
will delete your labels
4. Run `fleetctl gitops` with a default.yml file with `labels:` in it
and nothing underneath, and verify that it removes all your labels
**Test label create/update**
1. Add a label "foo" via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file with two
`labels:` in it, one named "foo" and one named "bar". Verify that the
output says that one label will be created and one will be updated.
2. Run `fleetctl gitops` with a default.yml file with two `labels:` in
it, one named "foo" and one named "bar". Verify that the two labels now
exist in the UI with the configuration you specified.
**Test label usage**
1. Add a label "foo" in the UI.
1. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, where a software installer or mdm profile uses the
"foo" label via `labels_include_any`. Verify that the output doesn't
complain about unknown labels.
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with nothing underneath, and a software installer or mdm
profile uses the "foo" label via `labels_include_any`. Verify that the
output complains about unknown label "foo"
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with a "foo" label defined underneath, and a software
installer or mdm profile uses the "foo" label via `labels_include_any`.
Verify that the output doesn't complain about unknown labels.
2025-03-19 21:35:11 +00:00
if err != nil {
2025-05-14 00:16:16 +00:00
return nil , nil , err
Manage labels in GitOps (#27038)
For #24473
# Checklist for submitter
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
## Details
This PR adds the ability to manage labels via GitOps. Usage is as
follows:
* If a top-level `labels:` key is provided in the global YAML file
provided to GitOps, then any labels in this list will be created (if
using a new name) or updated (if using an existing name).
* If no top-level `labels:` key is provided, no changes will be made to
labels. This allows backwards-compatibility; customers won't blow away
all of their labels if they don't immediately use `labels:` in their
YAML
Additionally, some new validation has been added so that label usage is
checked prior to application. This means that when the gitops command is
run, it will verify that any labels referenced elsewhere in the YAML
(e.g. by software installers or mdm profiles) exist, and will bail with
an error message if they don't.
## Testing
**Test label deletion**
1. Add some labels via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, and verify that it doesn't say it will update or delete
any labels
2. Run `fleetctl gitops` with a default.yml file _without_ `labels:` in
it, and verify that it doesn't modify or remove your labels
4. Run `fleetctl gitops --dry-run` with a default.yml file with
`labels:` in it and nothing underneath, and verify that it says that it
will delete your labels
4. Run `fleetctl gitops` with a default.yml file with `labels:` in it
and nothing underneath, and verify that it removes all your labels
**Test label create/update**
1. Add a label "foo" via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file with two
`labels:` in it, one named "foo" and one named "bar". Verify that the
output says that one label will be created and one will be updated.
2. Run `fleetctl gitops` with a default.yml file with two `labels:` in
it, one named "foo" and one named "bar". Verify that the two labels now
exist in the UI with the configuration you specified.
**Test label usage**
1. Add a label "foo" in the UI.
1. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, where a software installer or mdm profile uses the
"foo" label via `labels_include_any`. Verify that the output doesn't
complain about unknown labels.
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with nothing underneath, and a software installer or mdm
profile uses the "foo" label via `labels_include_any`. Verify that the
output complains about unknown label "foo"
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with a "foo" label defined underneath, and a software
installer or mdm profile uses the "foo" label via `labels_include_any`.
Verify that the output doesn't complain about unknown labels.
2025-03-19 21:35:11 +00:00
}
2025-05-14 00:16:16 +00:00
postOps = append ( postOps , func ( ) error {
for _ , labelToDelete := range labelsToDelete {
logFn ( "[-] deleting label '%s'\n" , labelToDelete )
if err := c . DeleteLabel ( labelToDelete ) ; err != nil {
return err
}
}
return nil
} )
Manage labels in GitOps (#27038)
For #24473
# Checklist for submitter
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
## Details
This PR adds the ability to manage labels via GitOps. Usage is as
follows:
* If a top-level `labels:` key is provided in the global YAML file
provided to GitOps, then any labels in this list will be created (if
using a new name) or updated (if using an existing name).
* If no top-level `labels:` key is provided, no changes will be made to
labels. This allows backwards-compatibility; customers won't blow away
all of their labels if they don't immediately use `labels:` in their
YAML
Additionally, some new validation has been added so that label usage is
checked prior to application. This means that when the gitops command is
run, it will verify that any labels referenced elsewhere in the YAML
(e.g. by software installers or mdm profiles) exist, and will bail with
an error message if they don't.
## Testing
**Test label deletion**
1. Add some labels via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, and verify that it doesn't say it will update or delete
any labels
2. Run `fleetctl gitops` with a default.yml file _without_ `labels:` in
it, and verify that it doesn't modify or remove your labels
4. Run `fleetctl gitops --dry-run` with a default.yml file with
`labels:` in it and nothing underneath, and verify that it says that it
will delete your labels
4. Run `fleetctl gitops` with a default.yml file with `labels:` in it
and nothing underneath, and verify that it removes all your labels
**Test label create/update**
1. Add a label "foo" via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file with two
`labels:` in it, one named "foo" and one named "bar". Verify that the
output says that one label will be created and one will be updated.
2. Run `fleetctl gitops` with a default.yml file with two `labels:` in
it, one named "foo" and one named "bar". Verify that the two labels now
exist in the UI with the configuration you specified.
**Test label usage**
1. Add a label "foo" in the UI.
1. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, where a software installer or mdm profile uses the
"foo" label via `labels_include_any`. Verify that the output doesn't
complain about unknown labels.
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with nothing underneath, and a software installer or mdm
profile uses the "foo" label via `labels_include_any`. Verify that the
output complains about unknown label "foo"
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with a "foo" label defined underneath, and a software
installer or mdm profile uses the "foo" label via `labels_include_any`.
Verify that the output doesn't complain about unknown labels.
2025-03-19 21:35:11 +00:00
}
2025-07-10 20:38:56 +00:00
// Features
var features any
var ok bool
if features , ok = group . AppConfig . ( map [ string ] any ) [ "features" ] ; ! ok || features == nil {
features = map [ string ] any { }
group . AppConfig . ( map [ string ] any ) [ "features" ] = features
}
features , ok = features . ( map [ string ] any )
if ! ok {
return nil , nil , errors . New ( "org_settings.features config is not a map" )
}
if enableSoftwareInventory , ok := features . ( map [ string ] any ) [ "enable_software_inventory" ] ; ! ok || enableSoftwareInventory == nil {
features . ( map [ string ] any ) [ "enable_software_inventory" ] = true
}
2024-03-13 15:05:46 +00:00
// Integrations
var integrations interface { }
if integrations , ok = group . AppConfig . ( map [ string ] interface { } ) [ "integrations" ] ; ! ok || integrations == nil {
integrations = map [ string ] interface { } { }
group . AppConfig . ( map [ string ] interface { } ) [ "integrations" ] = integrations
}
2024-10-16 16:12:48 +00:00
integrations , ok = integrations . ( map [ string ] interface { } )
if ! ok {
2025-05-14 00:16:16 +00:00
return nil , nil , errors . New ( "org_settings.integrations config is not a map" )
2024-10-16 16:12:48 +00:00
}
2024-03-13 15:05:46 +00:00
if jira , ok := integrations . ( map [ string ] interface { } ) [ "jira" ] ; ! ok || jira == nil {
integrations . ( map [ string ] interface { } ) [ "jira" ] = [ ] interface { } { }
}
if zendesk , ok := integrations . ( map [ string ] interface { } ) [ "zendesk" ] ; ! ok || zendesk == nil {
integrations . ( map [ string ] interface { } ) [ "zendesk" ] = [ ] interface { } { }
2024-02-09 19:34:57 +00:00
}
2024-03-13 15:05:46 +00:00
if googleCal , ok := integrations . ( map [ string ] interface { } ) [ "google_calendar" ] ; ! ok || googleCal == nil {
integrations . ( map [ string ] interface { } ) [ "google_calendar" ] = [ ] interface { } { }
2024-02-09 19:34:57 +00:00
}
2025-06-11 17:22:46 +00:00
if conditionalAccessEnabled , ok := integrations . ( map [ string ] interface { } ) [ "conditional_access_enabled" ] ; ! ok || conditionalAccessEnabled == nil {
integrations . ( map [ string ] interface { } ) [ "conditional_access_enabled" ] = false
}
2025-09-04 16:39:41 +00:00
// ensure that legacy certificate authorities are not set in integrations
if _ , ok := integrations . ( map [ string ] interface { } ) [ "ndes_scep_proxy" ] ; ok {
return nil , nil , errors . New ( "org_settings.integrations.ndes_scep_proxy is not supported, please use org_settings.certificate_authorities.ndes_scep_proxy instead" )
2024-10-16 16:12:48 +00:00
}
2025-09-04 16:39:41 +00:00
if _ , ok := integrations . ( map [ string ] interface { } ) [ "digicert" ] ; ok {
return nil , nil , errors . New ( "org_settings.integrations.digicert is not supported, please use org_settings.certificate_authorities.digicert instead" )
2025-03-20 16:36:00 +00:00
}
2025-09-04 16:39:41 +00:00
if _ , ok := integrations . ( map [ string ] interface { } ) [ "custom_scep_proxy" ] ; ok {
return nil , nil , errors . New ( "org_settings.integrations.custom_scep_proxy is not supported, please use org_settings.certificate_authorities.custom_scep_proxy instead" )
2025-03-20 16:36:00 +00:00
}
2024-03-13 15:05:46 +00:00
2025-01-15 16:31:48 +00:00
// Ensure webhooks settings exists
webhookSettings , ok := group . AppConfig . ( map [ string ] any ) [ "webhook_settings" ]
if ! ok || webhookSettings == nil {
webhookSettings = map [ string ] any { }
group . AppConfig . ( map [ string ] any ) [ "webhook_settings" ] = webhookSettings
}
activitiesWebhook , ok := webhookSettings . ( map [ string ] any ) [ "activities_webhook" ]
if ! ok || activitiesWebhook == nil {
activitiesWebhook = map [ string ] any { }
webhookSettings . ( map [ string ] any ) [ "activities_webhook" ] = activitiesWebhook
}
// make sure the "enable" key either exists, or set to false
if _ , ok := activitiesWebhook . ( map [ string ] any ) [ "enable_activities_webhook" ] ; ! ok {
activitiesWebhook . ( map [ string ] any ) [ "enable_activities_webhook" ] = false
}
hostStatusWebhook , ok := webhookSettings . ( map [ string ] any ) [ "host_status_webhook" ]
if ! ok || hostStatusWebhook == nil {
hostStatusWebhook = map [ string ] any { }
webhookSettings . ( map [ string ] any ) [ "host_status_webhook" ] = hostStatusWebhook
}
if _ , ok := hostStatusWebhook . ( map [ string ] any ) [ "enable_host_status_webhook" ] ; ! ok {
hostStatusWebhook . ( map [ string ] any ) [ "enable_host_status_webhook" ] = false
}
failingPoliciesWebhook , ok := webhookSettings . ( map [ string ] any ) [ "failing_policies_webhook" ]
if ! ok || failingPoliciesWebhook == nil {
failingPoliciesWebhook = map [ string ] any { }
webhookSettings . ( map [ string ] any ) [ "failing_policies_webhook" ] = failingPoliciesWebhook
}
if _ , ok := failingPoliciesWebhook . ( map [ string ] any ) [ "enable_failing_policies_webhook" ] ; ! ok {
failingPoliciesWebhook . ( map [ string ] any ) [ "enable_failing_policies_webhook" ] = false
}
vulnerabilitiesWebhook , ok := webhookSettings . ( map [ string ] any ) [ "vulnerabilities_webhook" ]
if ! ok || vulnerabilitiesWebhook == nil {
vulnerabilitiesWebhook = map [ string ] any { }
webhookSettings . ( map [ string ] any ) [ "vulnerabilities_webhook" ] = vulnerabilitiesWebhook
}
if _ , ok := vulnerabilitiesWebhook . ( map [ string ] any ) [ "enable_vulnerabilities_webhook" ] ; ! ok {
vulnerabilitiesWebhook . ( map [ string ] any ) [ "enable_vulnerabilities_webhook" ] = false
}
2024-02-12 23:27:48 +00:00
// Ensure mdm config exists
mdmConfig , ok := group . AppConfig . ( map [ string ] interface { } ) [ "mdm" ]
if ! ok || mdmConfig == nil {
mdmConfig = map [ string ] interface { } { }
group . AppConfig . ( map [ string ] interface { } ) [ "mdm" ] = mdmConfig
}
mdmAppConfig , ok = mdmConfig . ( map [ string ] interface { } )
if ! ok {
2025-05-14 00:16:16 +00:00
return nil , nil , errors . New ( "org_settings.mdm config is not a map" )
2024-02-12 23:27:48 +00:00
}
2025-02-18 20:08:06 +00:00
if _ , ok := mdmAppConfig [ "apple_bm_default_team" ] ; ! ok && appConfig . License . IsPremium ( ) {
if _ , ok := mdmAppConfig [ "apple_business_manager" ] ; ! ok {
mdmAppConfig [ "apple_business_manager" ] = [ ] interface { } { }
}
}
2024-10-25 13:01:18 +00:00
// Put in default value for volume_purchasing_program to clear the configuration if it's not set.
if v , ok := mdmAppConfig [ "volume_purchasing_program" ] ; ! ok || v == nil {
mdmAppConfig [ "volume_purchasing_program" ] = [ ] interface { } { }
}
2024-03-07 19:20:14 +00:00
// Put in default values for macos_migration
2025-09-04 16:39:41 +00:00
if incoming . Controls . MacOSMigration != nil {
mdmAppConfig [ "macos_migration" ] = incoming . Controls . MacOSMigration
2024-03-07 19:20:14 +00:00
} else {
mdmAppConfig [ "macos_migration" ] = map [ string ] interface { } { }
}
macOSMigration := mdmAppConfig [ "macos_migration" ] . ( map [ string ] interface { } )
if enable , ok := macOSMigration [ "enable" ] ; ! ok || enable == nil {
macOSMigration [ "enable" ] = false
}
// Put in default values for windows_enabled_and_configured
2025-09-04 16:39:41 +00:00
mdmAppConfig [ "windows_enabled_and_configured" ] = incoming . Controls . WindowsEnabledAndConfigured
if incoming . Controls . WindowsEnabledAndConfigured != nil {
mdmAppConfig [ "windows_enabled_and_configured" ] = incoming . Controls . WindowsEnabledAndConfigured
2024-03-07 19:20:14 +00:00
} else {
mdmAppConfig [ "windows_enabled_and_configured" ] = false
}
2024-11-26 16:52:56 +00:00
// Put in default values for windows_migration_enabled
2025-09-04 16:39:41 +00:00
mdmAppConfig [ "windows_migration_enabled" ] = incoming . Controls . WindowsMigrationEnabled
if incoming . Controls . WindowsMigrationEnabled == nil {
2024-11-26 16:52:56 +00:00
mdmAppConfig [ "windows_migration_enabled" ] = false
}
2024-05-03 13:03:00 +00:00
if windowsEnabledAndConfiguredAssumption , ok := mdmAppConfig [ "windows_enabled_and_configured" ] . ( bool ) ; ok {
teamAssumptions = & fleet . TeamSpecsDryRunAssumptions {
WindowsEnabledAndConfigured : optjson . SetBool ( windowsEnabledAndConfiguredAssumption ) ,
}
}
2025-07-07 17:20:17 +00:00
2025-09-22 15:29:57 +00:00
mdmAppConfig [ "android_enabled_and_configured" ] = incoming . Controls . AndroidEnabledAndConfigured
if incoming . Controls . AndroidEnabledAndConfigured != nil {
mdmAppConfig [ "android_enabled_and_configured" ] = incoming . Controls . AndroidEnabledAndConfigured
} else {
mdmAppConfig [ "android_enabled_and_configured" ] = false
}
if androidEnabledAndConfiguredAssumption , ok := mdmAppConfig [ "android_enabled_and_configured" ] . ( bool ) ; ok {
if teamAssumptions == nil {
teamAssumptions = & fleet . TeamSpecsDryRunAssumptions {
AndroidEnabledAndConfigured : optjson . SetBool ( androidEnabledAndConfiguredAssumption ) ,
}
} else {
teamAssumptions . AndroidEnabledAndConfigured = optjson . SetBool ( androidEnabledAndConfiguredAssumption )
}
}
2025-07-07 17:20:17 +00:00
// check for the eula in the mdmAppConfig. If it exists we want to assign it
// to eulaPath so that it will be applied later. We always delete it from
// mdmAppConfig so it will not be applied to the group/team though the
// ApplyGroup method.
if endUserLicenseAgreement , exists := mdmAppConfig [ "end_user_license_agreement" ] ; ! exists || endUserLicenseAgreement == nil || ( endUserLicenseAgreement == "" ) {
eulaPath = ""
} else if eulaStr , ok := endUserLicenseAgreement . ( string ) ; ok && len ( eulaStr ) > 0 {
eulaPath = eulaStr
2025-07-01 16:28:13 +00:00
}
2025-07-07 17:20:17 +00:00
delete ( mdmAppConfig , "end_user_license_agreement" )
2025-07-01 16:28:13 +00:00
2024-02-09 19:34:57 +00:00
group . AppConfig . ( map [ string ] interface { } ) [ "scripts" ] = scripts
2025-07-01 16:28:13 +00:00
// we want to apply the EULA only for the global settings
if appConfig . License . IsPremium ( ) && appConfig . MDM . EnabledAndConfigured {
2025-09-17 12:25:23 +00:00
if eulaPath != "" {
eulaPath = resolveApplyRelativePath ( baseDir , eulaPath )
}
2025-07-01 16:28:13 +00:00
err = c . doGitOpsEULA ( eulaPath , logFn , dryRun )
if err != nil {
return nil , nil , err
}
}
2025-09-04 16:39:41 +00:00
} else if ! incoming . IsNoTeam ( ) {
2024-02-09 19:34:57 +00:00
team = make ( map [ string ] interface { } )
2025-09-04 16:39:41 +00:00
team [ "name" ] = * incoming . TeamName
team [ "agent_options" ] = incoming . AgentOptions
if hostExpirySettings , ok := incoming . TeamSettings [ "host_expiry_settings" ] ; ok {
2024-02-09 19:34:57 +00:00
team [ "host_expiry_settings" ] = hostExpirySettings
}
2025-09-04 16:39:41 +00:00
if features , ok := incoming . TeamSettings [ "features" ] ; ok {
2024-02-09 19:34:57 +00:00
team [ "features" ] = features
}
team [ "scripts" ] = scripts
2024-07-10 18:53:03 +00:00
team [ "software" ] = map [ string ] any { }
2025-09-04 16:39:41 +00:00
team [ "software" ] . ( map [ string ] any ) [ "app_store_apps" ] = incoming . Software . AppStoreApps
team [ "software" ] . ( map [ string ] any ) [ "packages" ] = incoming . Software . Packages
team [ "software" ] . ( map [ string ] any ) [ "fleet_maintained_apps" ] = incoming . Software . FleetMaintainedApps
team [ "secrets" ] = incoming . TeamSettings [ "secrets" ]
2025-01-30 17:21:43 +00:00
// Ensure webhooks settings exists
2025-09-04 16:39:41 +00:00
webhookSettings , ok := incoming . TeamSettings [ "webhook_settings" ]
2025-01-30 17:21:43 +00:00
if ! ok || webhookSettings == nil {
webhookSettings = map [ string ] any { }
}
hostStatusWebhook , ok := webhookSettings . ( map [ string ] any ) [ "host_status_webhook" ]
if ! ok || hostStatusWebhook == nil {
hostStatusWebhook = map [ string ] any { }
webhookSettings . ( map [ string ] any ) [ "host_status_webhook" ] = hostStatusWebhook
}
if _ , ok := hostStatusWebhook . ( map [ string ] any ) [ "enable_host_status_webhook" ] ; ! ok {
hostStatusWebhook . ( map [ string ] any ) [ "enable_host_status_webhook" ] = false
Enabling setting host status webhook at the team level via REST API and fleetctl apply/gitops. (#17186)
Enabling setting host status webhook at the team level via REST API and
fleetctl apply/gitops.
#14916
Example payload:
```json
{
"data": {
"days_unseen": 3,
"host_ids": [
10724,
10726,
10738,
10739,
10740,
10741,
10742,
10744,
10745,
10746,
10747,
10748,
10749
],
"team_id": 3,
"total_hosts": 15,
"unseen_hosts": 13
},
"text": "More than 86.67% of your hosts have not checked into Fleet for more than 3 days. You've been sent this message because the Host status webhook is enabled in your Fleet instance."
}
```
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2024-03-04 18:35:27 +00:00
}
2025-01-30 17:21:43 +00:00
failingPoliciesWebhook , ok := webhookSettings . ( map [ string ] any ) [ "failing_policies_webhook" ]
if ! ok || failingPoliciesWebhook == nil {
failingPoliciesWebhook = map [ string ] any { }
webhookSettings . ( map [ string ] any ) [ "failing_policies_webhook" ] = failingPoliciesWebhook
Enabling setting host status webhook at the team level via REST API and fleetctl apply/gitops. (#17186)
Enabling setting host status webhook at the team level via REST API and
fleetctl apply/gitops.
#14916
Example payload:
```json
{
"data": {
"days_unseen": 3,
"host_ids": [
10724,
10726,
10738,
10739,
10740,
10741,
10742,
10744,
10745,
10746,
10747,
10748,
10749
],
"team_id": 3,
"total_hosts": 15,
"unseen_hosts": 13
},
"text": "More than 86.67% of your hosts have not checked into Fleet for more than 3 days. You've been sent this message because the Host status webhook is enabled in your Fleet instance."
}
```
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2024-03-04 18:35:27 +00:00
}
2025-01-30 17:21:43 +00:00
if _ , ok := failingPoliciesWebhook . ( map [ string ] any ) [ "enable_failing_policies_webhook" ] ; ! ok {
failingPoliciesWebhook . ( map [ string ] any ) [ "enable_failing_policies_webhook" ] = false
}
team [ "webhook_settings" ] = webhookSettings
2025-07-10 20:38:56 +00:00
// Features
var features any
if features , ok = team [ "features" ] ; ! ok || features == nil {
features = map [ string ] any { }
team [ "features" ] = features
}
features , ok = features . ( map [ string ] any )
if ! ok {
2025-09-04 16:39:41 +00:00
return nil , nil , fmt . Errorf ( "Team %s features config is not a map" , * incoming . TeamName )
2025-07-10 20:38:56 +00:00
}
if enableSoftwareInventory , ok := features . ( map [ string ] any ) [ "enable_software_inventory" ] ; ! ok || enableSoftwareInventory == nil {
features . ( map [ string ] any ) [ "enable_software_inventory" ] = true
}
2024-03-13 15:05:46 +00:00
// Integrations
var integrations interface { }
2025-09-04 16:39:41 +00:00
if integrations , ok = incoming . TeamSettings [ "integrations" ] ; ! ok || integrations == nil {
2024-03-13 15:05:46 +00:00
integrations = map [ string ] interface { } { }
}
team [ "integrations" ] = integrations
_ , ok = integrations . ( map [ string ] interface { } )
if ! ok {
2025-05-14 00:16:16 +00:00
return nil , nil , errors . New ( "team_settings.integrations config is not a map" )
2024-03-13 15:05:46 +00:00
}
2025-06-11 17:22:46 +00:00
2024-03-15 00:00:51 +00:00
if googleCal , ok := integrations . ( map [ string ] interface { } ) [ "google_calendar" ] ; ! ok || googleCal == nil {
integrations . ( map [ string ] interface { } ) [ "google_calendar" ] = map [ string ] interface { } { }
} else {
_ , ok = googleCal . ( map [ string ] interface { } )
2024-03-13 15:05:46 +00:00
if ! ok {
2025-05-14 00:16:16 +00:00
return nil , nil , errors . New ( "team_settings.integrations.google_calendar config is not a map" )
2024-03-13 15:05:46 +00:00
}
}
2025-06-11 17:22:46 +00:00
if conditionalAccessEnabled , ok := integrations . ( map [ string ] interface { } ) [ "conditional_access_enabled" ] ; ! ok || conditionalAccessEnabled == nil {
integrations . ( map [ string ] interface { } ) [ "conditional_access_enabled" ] = false
} else {
_ , ok = conditionalAccessEnabled . ( bool )
if ! ok {
return nil , nil , errors . New ( "team_settings.integrations.conditional_access_enabled config is not a bool" )
}
}
2024-02-09 19:34:57 +00:00
team [ "mdm" ] = map [ string ] interface { } { }
mdmAppConfig = team [ "mdm" ] . ( map [ string ] interface { } )
}
2024-09-12 17:23:25 +00:00
2025-09-04 16:39:41 +00:00
if ! incoming . IsNoTeam ( ) {
2024-09-12 17:23:25 +00:00
// Common controls settings between org and team settings
// Put in default values for macos_settings
2025-09-04 16:39:41 +00:00
if incoming . Controls . MacOSSettings != nil {
mdmAppConfig [ "macos_settings" ] = incoming . Controls . MacOSSettings
2024-09-12 17:23:25 +00:00
} else {
2025-05-09 15:11:38 +00:00
mdmAppConfig [ "macos_settings" ] = fleet . MacOSSettings {
CustomSettings : [ ] fleet . MDMProfileSpec { } ,
}
2024-03-07 19:20:14 +00:00
}
2024-09-12 17:23:25 +00:00
// Put in default values for macos_updates
2025-09-04 16:39:41 +00:00
if incoming . Controls . MacOSUpdates != nil {
mdmAppConfig [ "macos_updates" ] = incoming . Controls . MacOSUpdates
2024-09-12 17:23:25 +00:00
} else {
mdmAppConfig [ "macos_updates" ] = map [ string ] interface { } { }
}
macOSUpdates := mdmAppConfig [ "macos_updates" ] . ( map [ string ] interface { } )
if minimumVersion , ok := macOSUpdates [ "minimum_version" ] ; ! ok || minimumVersion == nil {
macOSUpdates [ "minimum_version" ] = ""
}
if deadline , ok := macOSUpdates [ "deadline" ] ; ! ok || deadline == nil {
macOSUpdates [ "deadline" ] = ""
}
// Put in default values for ios_updates
2025-09-04 16:39:41 +00:00
if incoming . Controls . IOSUpdates != nil {
mdmAppConfig [ "ios_updates" ] = incoming . Controls . IOSUpdates
2024-09-12 17:23:25 +00:00
} else {
mdmAppConfig [ "ios_updates" ] = map [ string ] interface { } { }
}
iOSUpdates := mdmAppConfig [ "ios_updates" ] . ( map [ string ] interface { } )
if minimumVersion , ok := iOSUpdates [ "minimum_version" ] ; ! ok || minimumVersion == nil {
iOSUpdates [ "minimum_version" ] = ""
}
if deadline , ok := iOSUpdates [ "deadline" ] ; ! ok || deadline == nil {
iOSUpdates [ "deadline" ] = ""
}
// Put in default values for ipados_updates
2025-09-04 16:39:41 +00:00
if incoming . Controls . IPadOSUpdates != nil {
mdmAppConfig [ "ipados_updates" ] = incoming . Controls . IPadOSUpdates
2024-09-12 17:23:25 +00:00
} else {
mdmAppConfig [ "ipados_updates" ] = map [ string ] interface { } { }
}
iPadOSUpdates := mdmAppConfig [ "ipados_updates" ] . ( map [ string ] interface { } )
if minimumVersion , ok := iPadOSUpdates [ "minimum_version" ] ; ! ok || minimumVersion == nil {
iPadOSUpdates [ "minimum_version" ] = ""
}
if deadline , ok := iPadOSUpdates [ "deadline" ] ; ! ok || deadline == nil {
iPadOSUpdates [ "deadline" ] = ""
}
// Put in default values for macos_setup
2025-09-04 16:39:41 +00:00
if incoming . Controls . MacOSSetup != nil {
incoming . Controls . MacOSSetup . SetDefaultsIfNeeded ( )
mdmAppConfig [ "macos_setup" ] = incoming . Controls . MacOSSetup
2024-09-12 17:23:25 +00:00
} else {
2025-02-07 20:35:51 +00:00
mdmAppConfig [ "macos_setup" ] = fleet . NewMacOSSetupWithDefaults ( )
2024-09-12 17:23:25 +00:00
}
// Put in default values for windows_settings
2025-09-04 16:39:41 +00:00
if incoming . Controls . WindowsSettings != nil {
mdmAppConfig [ "windows_settings" ] = incoming . Controls . WindowsSettings
2024-09-12 17:23:25 +00:00
} else {
2025-05-09 15:11:38 +00:00
mdmAppConfig [ "windows_settings" ] = fleet . WindowsSettings {
CustomSettings : optjson . Slice [ fleet . MDMProfileSpec ] { Value : [ ] fleet . MDMProfileSpec { } } ,
}
2024-09-12 17:23:25 +00:00
}
2025-09-22 15:29:57 +00:00
// Put in default values for android_settings
if incoming . Controls . AndroidSettings != nil {
mdmAppConfig [ "android_settings" ] = incoming . Controls . AndroidSettings
} else {
mdmAppConfig [ "android_settings" ] = fleet . AndroidSettings {
CustomSettings : optjson . Slice [ fleet . MDMProfileSpec ] { Value : [ ] fleet . MDMProfileSpec { } } ,
}
}
2024-09-12 17:23:25 +00:00
// Put in default values for windows_updates
2025-09-04 16:39:41 +00:00
if incoming . Controls . WindowsUpdates != nil {
mdmAppConfig [ "windows_updates" ] = incoming . Controls . WindowsUpdates
2024-09-12 17:23:25 +00:00
} else {
mdmAppConfig [ "windows_updates" ] = map [ string ] interface { } { }
}
if appConfig . License . IsPremium ( ) {
windowsUpdates := mdmAppConfig [ "windows_updates" ] . ( map [ string ] interface { } )
if deadlineDays , ok := windowsUpdates [ "deadline_days" ] ; ! ok || deadlineDays == nil {
windowsUpdates [ "deadline_days" ] = nil
}
if gracePeriodDays , ok := windowsUpdates [ "grace_period_days" ] ; ! ok || gracePeriodDays == nil {
windowsUpdates [ "grace_period_days" ] = nil
}
}
2025-08-26 17:23:24 +00:00
2024-09-12 17:23:25 +00:00
// Put in default value for enable_disk_encryption
2025-08-26 17:23:24 +00:00
enableDiskEncryption := false
requireBitLockerPIN := false
2025-09-04 16:39:41 +00:00
if incoming . Controls . EnableDiskEncryption != nil {
enableDiskEncryption = incoming . Controls . EnableDiskEncryption . ( bool )
2024-09-12 17:23:25 +00:00
}
2025-09-04 16:39:41 +00:00
if incoming . Controls . RequireBitLockerPIN != nil {
requireBitLockerPIN = incoming . Controls . RequireBitLockerPIN . ( bool )
2025-07-23 19:38:49 +00:00
}
2025-08-26 17:23:24 +00:00
if ! enableDiskEncryption && requireBitLockerPIN {
return nil , nil , errors . New ( "enable_disk_encryption cannot be false if windows_require_bitlocker_pin is true" )
}
mdmAppConfig [ "enable_disk_encryption" ] = enableDiskEncryption
mdmAppConfig [ "windows_require_bitlocker_pin" ] = requireBitLockerPIN
2024-09-12 17:23:25 +00:00
2025-09-04 16:39:41 +00:00
if incoming . TeamName != nil {
2024-09-12 17:23:25 +00:00
team [ "gitops_filename" ] = filename
rawTeam , err := json . Marshal ( team )
if err != nil {
2025-05-14 00:16:16 +00:00
return nil , nil , fmt . Errorf ( "error marshalling team spec: %w" , err )
2024-09-12 17:23:25 +00:00
}
group . Teams = [ ] json . RawMessage { rawTeam }
group . TeamsDryRunAssumptions = teamDryRunAssumptions
2024-02-09 19:34:57 +00:00
}
}
2025-09-04 16:39:41 +00:00
// Apply org settings, scripts, enroll secrets, certificate authorities, team entities (software, scripts, etc.), and controls.
2025-01-14 18:52:39 +00:00
teamIDsByName , teamsSoftwareInstallers , teamsVPPApps , teamsScripts , err := c . ApplyGroup ( ctx , true , & group , baseDir , logf , appConfig , fleet . ApplyClientSpecOptions {
2024-05-28 16:44:43 +00:00
ApplySpecOptions : fleet . ApplySpecOptions {
Allow GitOps to clear global settings more easily using overwrite option (#29215)
for #28118
# Checklist for submitter
- [X] Manual QA for all new/changed functionality
## Details
This PR adds an `overwrite` option to the "modify app config" API which,
if set, causes the code to replace certain keys in the existing config
with keys from the incoming config, without attempting any merge. This
is then used by GitOps to allow it to easily clear settings that were
otherwise being merged together or ignored entirely due to the PATCH
semantics expected for the `fleetctl apply` use case.
The new setting is utilized in this first pass for the following
settings:
* `sso_settings`
* `smtp_settings`
* `features`
* `mdm.end_user_authentication`
It could be expanded to several more keys that we currently handle
piecemeal in the GitOps code by attempting to send empty values to the
server (with varying success).
Targeting `mdm.end_user_authentication` vs. all of `mdm` is based on
[this bug](https://github.com/fleetdm/fleet/issues/26175) being opened.
The concern with doing all of `mdm` would be that anyone who had e.g.
VPP set up in their app and hadn't set it up in GitOps would have it
wiped out. If we're comfortable with that risk I can update that here
and update the warning accordingly.
### More detail
**The way this code works _without_ Overwrite mode on**
1. We unmarshall the incoming JSON from GitOps into a fresh AppConfig
struct `newAppConfig`. Anything keys not present in the incoming JSON
will result in default values being set in `newAppConfig`
2. We unmarshall the incoming JSON from GitOps into the current
`appConfig`. This uses an internal merge algorithm where keys not
present in the JSON will generally leave the matching keys in
`appConfig` untouched. We've been dealing with this by having GitOps
find missing keys and explicitly set them to non-nil empty states. When
arrays are encountered, they are _merged_, not replaced, which is
problematic for the `features.additional_queries` use case and probably
others.
3. We piecemeal replace certain data in `appConfig` with data from
`newAppConfig`, and save it to the db.
**The way this works _with_ Overwrite mode on**
Between steps 1 and 2 above, we _copy_ certain keys from `newAppConfig`
to `appConfig`. If the incoming JSON didn't have a key, the effect will
be that `appConfig` now has default values for that key. For nested
arrays like `features.additionalQueries`, the value in `appConfig` will
be precisely what the user put in GitOps.
## Testing
I tested adding/removing these settings with GitOps manually via
`fleetctl gitops`. On the main branch I could reproduce the issue where
omitting out these keys in my YAML did not lead to the settings being
reset on my instance. With the Features settings, the issue was more
granular, with inconsistent behavior when trying to remove individual
nested settings. On this branch, the settings are cleared as expected at
all levels of granularity.
I also added some new automated tests to verify the expected behavior
for these keys. All existing tests pass.
If accepted this PR would supercede
https://github.com/fleetdm/fleet/pull/29180 which approaches the issue
from the GitOps side for sso, smtp and mdm. Adapting that approach for
`features` would require custom logic to declare nested properties as
"cleared".
2025-05-19 16:18:28 +00:00
DryRun : dryRun ,
Overwrite : true ,
2024-05-28 16:44:43 +00:00
} ,
ExpandEnvConfigProfiles : true ,
2025-01-14 18:52:39 +00:00
} , teamsSoftwareInstallers , teamsVPPApps , teamsScripts )
2024-02-09 19:34:57 +00:00
if err != nil {
2025-05-14 00:16:16 +00:00
return nil , nil , err
2024-02-09 19:34:57 +00:00
}
2024-09-12 17:23:25 +00:00
2024-09-17 16:30:27 +00:00
var teamSoftwareInstallers [ ] fleet . SoftwarePackageResponse
2025-01-14 18:52:39 +00:00
var teamVPPApps [ ] fleet . VPPAppResponse
2024-10-04 01:03:40 +00:00
var teamScripts [ ] fleet . ScriptResponse
2025-01-14 18:52:39 +00:00
2025-09-04 16:39:41 +00:00
if incoming . TeamName != nil {
if ! incoming . IsNoTeam ( ) {
2024-09-12 17:23:25 +00:00
if len ( teamIDsByName ) != 1 {
2025-05-14 00:16:16 +00:00
return nil , nil , fmt . Errorf ( "expected 1 team spec to be applied, got %d" , len ( teamIDsByName ) )
2024-09-12 17:23:25 +00:00
}
2025-09-04 16:39:41 +00:00
teamID , ok := teamIDsByName [ * incoming . TeamName ]
2024-09-12 17:23:25 +00:00
if ok && teamID == 0 {
if dryRun {
2025-09-04 16:39:41 +00:00
logFn ( "[+] would've added any policies/queries to new team %s\n" , * incoming . TeamName )
2025-05-14 00:16:16 +00:00
return nil , postOps , nil
2024-09-12 17:23:25 +00:00
}
2025-09-04 16:39:41 +00:00
return nil , nil , fmt . Errorf ( "team %s not created" , * incoming . TeamName )
2024-02-09 19:34:57 +00:00
}
2024-09-12 17:23:25 +00:00
for _ , teamID = range teamIDsByName {
2025-09-04 16:39:41 +00:00
incoming . TeamID = & teamID
2024-09-12 17:23:25 +00:00
}
2025-09-04 16:39:41 +00:00
teamSoftwareInstallers = teamsSoftwareInstallers [ * incoming . TeamName ]
teamVPPApps = teamsVPPApps [ * incoming . TeamName ]
teamScripts = teamsScripts [ * incoming . TeamName ]
2024-09-12 17:23:25 +00:00
} else {
2025-09-04 16:39:41 +00:00
noTeamSoftwareInstallers , noTeamVPPApps , err := c . doGitOpsNoTeamSetupAndSoftware ( incoming , baseDir , appConfig , logFn , dryRun )
2024-09-12 17:23:25 +00:00
if err != nil {
2025-05-14 00:16:16 +00:00
return nil , nil , err
2024-09-12 17:23:25 +00:00
}
Allow configuring webhook policy automations for "No team" (#32129)
Fixes #32060
This PR adds:
- new default_team_config_json table
- caching of config from that table, including deep copy methods -- all
of this is not absolutely needed for this change since we are only using
`webhook_settings.failing_policies_webhook` here but added for
completeness/future
- teams/0 API updates
- GitOps updates
- generate gitops updates
Future PRs will add:
- ticket automation
- primo mode migration
- frontend changes
- documentation
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked table schema to confirm autoupdate
## New Fleet configuration settings
- [x] Verified that the setting is exported via `fleetctl
generate-gitops`
- [x] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Configure failing-policy webhooks for “No team” via GitOps
(no-team.yml) and API, including enable/disable, destination URL, policy
IDs, and batch size; settings clear when omitted.
- GitOps and CLI now read/apply the real “No team” settings with dry-run
support.
- Policy automation evaluates hosts without a team and triggers “No
team” webhooks when applicable.
- GET/PATCH team 0 returns/accepts a minimal, webhook-focused config.
- Chores
- Added persistence and caching for the default “No team” configuration.
- Introduced a database table to store the default configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2025-08-28 21:38:27 +00:00
// Apply webhook settings for "No Team"
2025-09-04 16:39:41 +00:00
if err := c . doGitOpsNoTeamWebhookSettings ( incoming , appConfig , logFn , dryRun ) ; err != nil {
Allow configuring webhook policy automations for "No team" (#32129)
Fixes #32060
This PR adds:
- new default_team_config_json table
- caching of config from that table, including deep copy methods -- all
of this is not absolutely needed for this change since we are only using
`webhook_settings.failing_policies_webhook` here but added for
completeness/future
- teams/0 API updates
- GitOps updates
- generate gitops updates
Future PRs will add:
- ticket automation
- primo mode migration
- frontend changes
- documentation
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked table schema to confirm autoupdate
## New Fleet configuration settings
- [x] Verified that the setting is exported via `fleetctl
generate-gitops`
- [x] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Configure failing-policy webhooks for “No team” via GitOps
(no-team.yml) and API, including enable/disable, destination URL, policy
IDs, and batch size; settings clear when omitted.
- GitOps and CLI now read/apply the real “No team” settings with dry-run
support.
- Policy automation evaluates hosts without a team and triggers “No
team” webhooks when applicable.
- GET/PATCH team 0 returns/accepts a minimal, webhook-focused config.
- Chores
- Added persistence and caching for the default “No team” configuration.
- Introduced a database table to store the default configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2025-08-28 21:38:27 +00:00
return nil , nil , fmt . Errorf ( "applying no team webhook settings: %w" , err )
}
2024-09-12 17:23:25 +00:00
teamSoftwareInstallers = noTeamSoftwareInstallers
2025-01-14 18:52:39 +00:00
teamVPPApps = noTeamVPPApps
2024-10-04 01:03:40 +00:00
teamScripts = teamsScripts [ "No team" ]
2024-06-27 21:10:49 +00:00
}
2024-02-09 19:34:57 +00:00
}
2024-03-13 15:05:46 +00:00
2025-09-04 16:39:41 +00:00
err = c . doGitOpsPolicies ( incoming , teamSoftwareInstallers , teamVPPApps , teamScripts , logFn , dryRun )
2024-02-09 19:34:57 +00:00
if err != nil {
2025-05-14 00:16:16 +00:00
return nil , nil , err
2024-02-09 19:34:57 +00:00
}
2024-09-18 17:16:59 +00:00
// We currently don't support queries for "No team" thus
// we just do GitOps for queries for global and team files.
2025-09-04 16:39:41 +00:00
if ! incoming . IsNoTeam ( ) {
err = c . doGitOpsQueries ( incoming , logFn , dryRun )
2024-09-18 17:16:59 +00:00
if err != nil {
2025-05-14 00:16:16 +00:00
return nil , nil , err
2024-09-18 17:16:59 +00:00
}
2024-08-05 17:39:10 +00:00
}
2025-05-14 00:16:16 +00:00
return teamAssumptions , postOps , nil
2024-02-09 19:34:57 +00:00
}
2025-02-07 20:35:51 +00:00
func ( c * Client ) doGitOpsNoTeamSetupAndSoftware (
2024-10-23 18:51:02 +00:00
config * spec . GitOps ,
baseDir string ,
appconfig * fleet . EnrichedAppConfig ,
logFn func ( format string , args ... interface { } ) ,
dryRun bool ,
2025-01-14 18:52:39 +00:00
) ( [ ] fleet . SoftwarePackageResponse , [ ] fleet . VPPAppResponse , error ) {
2024-10-23 18:51:02 +00:00
if ! config . IsNoTeam ( ) || appconfig == nil || ! appconfig . License . IsPremium ( ) {
2025-01-14 18:52:39 +00:00
return nil , nil , nil
2024-10-23 18:51:02 +00:00
}
var macOSSetup fleet . MacOSSetup
2025-02-07 20:35:51 +00:00
if config . Controls . MacOSSetup == nil {
config . Controls . MacOSSetup = & macOSSetup
2024-10-23 18:51:02 +00:00
}
2025-02-07 20:35:51 +00:00
macOSSetup = * config . Controls . MacOSSetup
2024-10-23 18:51:02 +00:00
// load the no-team macos_setup.script if any
var macosSetupScript * fileContent
if macOSSetup . Script . Value != "" {
b , err := c . validateMacOSSetupScript ( resolveApplyRelativePath ( baseDir , macOSSetup . Script . Value ) )
2024-09-06 22:10:28 +00:00
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , fmt . Errorf ( "applying no team macos_setup.script: %w" , err )
2024-08-05 17:39:10 +00:00
}
2024-10-23 18:51:02 +00:00
macosSetupScript = & fileContent { Filename : filepath . Base ( macOSSetup . Script . Value ) , Content : b }
}
2024-08-05 17:39:10 +00:00
2024-10-23 18:51:02 +00:00
noTeamSoftwareMacOSSetup , err := extractTeamOrNoTeamMacOSSetupSoftware ( baseDir , macOSSetup . Software . Value )
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , err
2024-10-23 18:51:02 +00:00
}
2024-10-28 14:35:57 +00:00
var softwareInstallers [ ] fleet . SoftwarePackageResponse
packages := make ( [ ] fleet . SoftwarePackageSpec , 0 , len ( config . Software . Packages ) )
2025-09-05 13:38:00 +00:00
packagesWithPaths := make ( map [ string ] struct { } , len ( config . Software . Packages ) )
2024-10-28 14:35:57 +00:00
for _ , software := range config . Software . Packages {
if software != nil {
packages = append ( packages , * software )
if software . ReferencedYamlPath != "" {
// can be referenced by macos_setup.software
2025-09-05 13:38:00 +00:00
packagesWithPaths [ software . ReferencedYamlPath ] = struct { } { }
2024-10-28 14:35:57 +00:00
}
}
}
2025-05-07 23:16:08 +00:00
for _ , software := range config . Software . FleetMaintainedApps {
if software != nil {
2025-08-13 12:48:36 +00:00
packages = append ( packages , software . ToSoftwarePackageSpec ( ) )
2025-05-07 23:16:08 +00:00
}
}
2024-10-28 14:35:57 +00:00
var appsPayload [ ] fleet . VPPBatchPayload
appsByAppID := make ( map [ string ] fleet . TeamSpecAppStoreApp , len ( config . Software . AppStoreApps ) )
for _ , vppApp := range config . Software . AppStoreApps {
if vppApp != nil {
// can be referenced by macos_setup.software
appsByAppID [ vppApp . AppStoreID ] = * vppApp
_ , installDuringSetup := noTeamSoftwareMacOSSetup [ fleet . MacOSSetupSoftware { AppStoreID : vppApp . AppStoreID } ]
2025-09-03 18:32:11 +00:00
if vppApp . InstallDuringSetup . Valid {
if len ( noTeamSoftwareMacOSSetup ) > 0 {
2025-09-03 18:52:25 +00:00
return nil , nil , errConflictingVPPSetupExperienceDeclarations
2025-09-03 18:32:11 +00:00
}
installDuringSetup = vppApp . InstallDuringSetup . Value
}
2024-10-28 14:35:57 +00:00
appsPayload = append ( appsPayload , fleet . VPPBatchPayload {
AppStoreID : vppApp . AppStoreID ,
SelfService : vppApp . SelfService ,
InstallDuringSetup : & installDuringSetup ,
} )
}
}
2025-09-05 13:38:00 +00:00
if err := validateTeamOrNoTeamMacOSSetupSoftware ( * config . TeamName , macOSSetup . Software . Value , packagesWithPaths , appsByAppID ) ; err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , err
2024-10-23 18:51:02 +00:00
}
2024-11-07 17:22:08 +00:00
swPkgPayload , err := buildSoftwarePackagesPayload ( packages , noTeamSoftwareMacOSSetup )
2024-10-23 18:51:02 +00:00
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , fmt . Errorf ( "applying software installers: %w" , err )
2024-10-23 18:51:02 +00:00
}
2025-05-16 18:05:33 +00:00
if ! dryRun {
if macosSetupScript != nil {
logFn ( "[+] applying macos setup experience script for 'No team'\n" )
if err := c . uploadMacOSSetupScript ( macosSetupScript . Filename , macosSetupScript . Content , nil ) ; err != nil {
return nil , nil , fmt . Errorf ( "uploading setup experience script for No team: %w" , err )
}
} else if err := c . deleteMacOSSetupScript ( nil ) ; err != nil {
return nil , nil , fmt . Errorf ( "deleting setup experience script for No team: %w" , err )
2024-08-05 17:39:10 +00:00
}
2024-10-23 18:51:02 +00:00
}
2024-10-28 14:35:57 +00:00
logFn ( "[+] applying %d software packages for 'No team'\n" , len ( swPkgPayload ) )
softwareInstallers , err = c . ApplyNoTeamSoftwareInstallers ( swPkgPayload , fleet . ApplySpecOptions { DryRun : dryRun } )
2024-10-23 18:51:02 +00:00
if err != nil {
2025-01-14 18:52:39 +00:00
return nil , nil , fmt . Errorf ( "applying software installers: %w" , err )
2024-10-23 18:51:02 +00:00
}
2024-10-28 14:35:57 +00:00
logFn ( "[+] applying %d app store apps for 'No team'\n" , len ( appsPayload ) )
2025-01-14 18:52:39 +00:00
vppApps , err := c . ApplyNoTeamAppStoreAppsAssociation ( appsPayload , fleet . ApplySpecOptions { DryRun : dryRun } )
if err != nil {
return nil , nil , fmt . Errorf ( "applying app store apps: %w" , err )
2024-10-28 14:35:57 +00:00
}
2024-10-23 18:51:02 +00:00
if dryRun {
logFn ( "[+] would've applied 'No Team' software packages\n" )
} else {
logFn ( "[+] applied 'No Team' software packages\n" )
2024-08-05 17:39:10 +00:00
}
2025-01-14 18:52:39 +00:00
return softwareInstallers , vppApps , nil
2024-08-05 17:39:10 +00:00
}
Allow configuring webhook policy automations for "No team" (#32129)
Fixes #32060
This PR adds:
- new default_team_config_json table
- caching of config from that table, including deep copy methods -- all
of this is not absolutely needed for this change since we are only using
`webhook_settings.failing_policies_webhook` here but added for
completeness/future
- teams/0 API updates
- GitOps updates
- generate gitops updates
Future PRs will add:
- ticket automation
- primo mode migration
- frontend changes
- documentation
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked table schema to confirm autoupdate
## New Fleet configuration settings
- [x] Verified that the setting is exported via `fleetctl
generate-gitops`
- [x] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Configure failing-policy webhooks for “No team” via GitOps
(no-team.yml) and API, including enable/disable, destination URL, policy
IDs, and batch size; settings clear when omitted.
- GitOps and CLI now read/apply the real “No team” settings with dry-run
support.
- Policy automation evaluates hosts without a team and triggers “No
team” webhooks when applicable.
- GET/PATCH team 0 returns/accepts a minimal, webhook-focused config.
- Chores
- Added persistence and caching for the default “No team” configuration.
- Introduced a database table to store the default configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2025-08-28 21:38:27 +00:00
// extractFailingPoliciesWebhook extracts and processes failing policies webhook settings from a map
func extractFailingPoliciesWebhook ( webhookSettings interface { } ) fleet . FailingPoliciesWebhookSettings {
// Marshal the interface{} to JSON, which handles type conversions
jsonBytes , err := json . Marshal ( webhookSettings )
if err != nil {
return fleet . FailingPoliciesWebhookSettings { Enable : false }
}
// Unmarshal into a wrapper struct to extract failing_policies_webhook
var ws struct {
FailingPoliciesWebhook fleet . FailingPoliciesWebhookSettings ` json:"failing_policies_webhook" `
}
if err := json . Unmarshal ( jsonBytes , & ws ) ; err != nil {
return fleet . FailingPoliciesWebhookSettings { Enable : false }
}
return ws . FailingPoliciesWebhook
}
func ( c * Client ) doGitOpsNoTeamWebhookSettings (
config * spec . GitOps ,
appCfg * fleet . EnrichedAppConfig ,
logFn func ( format string , args ... interface { } ) ,
dryRun bool ,
) error {
// Check if premium license is available for No Team webhook settings
if ! config . IsNoTeam ( ) || appCfg == nil || appCfg . License == nil || ! appCfg . License . IsPremium ( ) {
return nil
}
// Apply webhook settings for "No Team"
// If webhook_settings are not specified, they will be applied as nil to clear existing settings
teamPayload := fleet . TeamPayload {
WebhookSettings : & fleet . TeamWebhookSettings {
FailingPoliciesWebhook : fleet . FailingPoliciesWebhookSettings {
Enable : false ,
} ,
} ,
}
// Extract webhook settings if they exist
if config . TeamSettings != nil {
if webhookSettings , ok := config . TeamSettings [ "webhook_settings" ] ; ok {
fpw := extractFailingPoliciesWebhook ( webhookSettings )
teamPayload . WebhookSettings . FailingPoliciesWebhook = fpw
}
}
logFn ( "[+] applying webhook settings for 'No team'\n" )
if ! dryRun {
// Apply the webhook settings to team ID 0 using the PATCH endpoint
var teamResp interface { }
err := c . authenticatedRequest ( teamPayload , "PATCH" , "/api/latest/fleet/teams/0" , & teamResp )
if err != nil {
return fmt . Errorf ( "applying no team webhook settings: %w" , err )
}
logFn ( "[+] applied webhook settings for 'No team'\n" )
} else {
logFn ( "[+] would've applied webhook settings for 'No team'\n" )
}
return nil
}
Manage labels in GitOps (#27038)
For #24473
# Checklist for submitter
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
## Details
This PR adds the ability to manage labels via GitOps. Usage is as
follows:
* If a top-level `labels:` key is provided in the global YAML file
provided to GitOps, then any labels in this list will be created (if
using a new name) or updated (if using an existing name).
* If no top-level `labels:` key is provided, no changes will be made to
labels. This allows backwards-compatibility; customers won't blow away
all of their labels if they don't immediately use `labels:` in their
YAML
Additionally, some new validation has been added so that label usage is
checked prior to application. This means that when the gitops command is
run, it will verify that any labels referenced elsewhere in the YAML
(e.g. by software installers or mdm profiles) exist, and will bail with
an error message if they don't.
## Testing
**Test label deletion**
1. Add some labels via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, and verify that it doesn't say it will update or delete
any labels
2. Run `fleetctl gitops` with a default.yml file _without_ `labels:` in
it, and verify that it doesn't modify or remove your labels
4. Run `fleetctl gitops --dry-run` with a default.yml file with
`labels:` in it and nothing underneath, and verify that it says that it
will delete your labels
4. Run `fleetctl gitops` with a default.yml file with `labels:` in it
and nothing underneath, and verify that it removes all your labels
**Test label create/update**
1. Add a label "foo" via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file with two
`labels:` in it, one named "foo" and one named "bar". Verify that the
output says that one label will be created and one will be updated.
2. Run `fleetctl gitops` with a default.yml file with two `labels:` in
it, one named "foo" and one named "bar". Verify that the two labels now
exist in the UI with the configuration you specified.
**Test label usage**
1. Add a label "foo" in the UI.
1. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, where a software installer or mdm profile uses the
"foo" label via `labels_include_any`. Verify that the output doesn't
complain about unknown labels.
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with nothing underneath, and a software installer or mdm
profile uses the "foo" label via `labels_include_any`. Verify that the
output complains about unknown label "foo"
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with a "foo" label defined underneath, and a software
installer or mdm profile uses the "foo" label via `labels_include_any`.
Verify that the output doesn't complain about unknown labels.
2025-03-19 21:35:11 +00:00
func pluralize ( count int , ifSingle string , ifPlural string ) string {
if count == 1 {
return ifSingle
}
return ifPlural
}
2025-05-14 00:16:16 +00:00
func ( c * Client ) doGitOpsLabels ( config * spec . GitOps , logFn func ( format string , args ... interface { } ) , dryRun bool ) ( [ ] string , error ) {
Manage labels in GitOps (#27038)
For #24473
# Checklist for submitter
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
## Details
This PR adds the ability to manage labels via GitOps. Usage is as
follows:
* If a top-level `labels:` key is provided in the global YAML file
provided to GitOps, then any labels in this list will be created (if
using a new name) or updated (if using an existing name).
* If no top-level `labels:` key is provided, no changes will be made to
labels. This allows backwards-compatibility; customers won't blow away
all of their labels if they don't immediately use `labels:` in their
YAML
Additionally, some new validation has been added so that label usage is
checked prior to application. This means that when the gitops command is
run, it will verify that any labels referenced elsewhere in the YAML
(e.g. by software installers or mdm profiles) exist, and will bail with
an error message if they don't.
## Testing
**Test label deletion**
1. Add some labels via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, and verify that it doesn't say it will update or delete
any labels
2. Run `fleetctl gitops` with a default.yml file _without_ `labels:` in
it, and verify that it doesn't modify or remove your labels
4. Run `fleetctl gitops --dry-run` with a default.yml file with
`labels:` in it and nothing underneath, and verify that it says that it
will delete your labels
4. Run `fleetctl gitops` with a default.yml file with `labels:` in it
and nothing underneath, and verify that it removes all your labels
**Test label create/update**
1. Add a label "foo" via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file with two
`labels:` in it, one named "foo" and one named "bar". Verify that the
output says that one label will be created and one will be updated.
2. Run `fleetctl gitops` with a default.yml file with two `labels:` in
it, one named "foo" and one named "bar". Verify that the two labels now
exist in the UI with the configuration you specified.
**Test label usage**
1. Add a label "foo" in the UI.
1. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, where a software installer or mdm profile uses the
"foo" label via `labels_include_any`. Verify that the output doesn't
complain about unknown labels.
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with nothing underneath, and a software installer or mdm
profile uses the "foo" label via `labels_include_any`. Verify that the
output complains about unknown label "foo"
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with a "foo" label defined underneath, and a software
installer or mdm profile uses the "foo" label via `labels_include_any`.
Verify that the output doesn't complain about unknown labels.
2025-03-19 21:35:11 +00:00
persistedLabels , err := c . GetLabels ( )
if err != nil {
2025-05-14 00:16:16 +00:00
return nil , err
Manage labels in GitOps (#27038)
For #24473
# Checklist for submitter
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
## Details
This PR adds the ability to manage labels via GitOps. Usage is as
follows:
* If a top-level `labels:` key is provided in the global YAML file
provided to GitOps, then any labels in this list will be created (if
using a new name) or updated (if using an existing name).
* If no top-level `labels:` key is provided, no changes will be made to
labels. This allows backwards-compatibility; customers won't blow away
all of their labels if they don't immediately use `labels:` in their
YAML
Additionally, some new validation has been added so that label usage is
checked prior to application. This means that when the gitops command is
run, it will verify that any labels referenced elsewhere in the YAML
(e.g. by software installers or mdm profiles) exist, and will bail with
an error message if they don't.
## Testing
**Test label deletion**
1. Add some labels via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, and verify that it doesn't say it will update or delete
any labels
2. Run `fleetctl gitops` with a default.yml file _without_ `labels:` in
it, and verify that it doesn't modify or remove your labels
4. Run `fleetctl gitops --dry-run` with a default.yml file with
`labels:` in it and nothing underneath, and verify that it says that it
will delete your labels
4. Run `fleetctl gitops` with a default.yml file with `labels:` in it
and nothing underneath, and verify that it removes all your labels
**Test label create/update**
1. Add a label "foo" via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file with two
`labels:` in it, one named "foo" and one named "bar". Verify that the
output says that one label will be created and one will be updated.
2. Run `fleetctl gitops` with a default.yml file with two `labels:` in
it, one named "foo" and one named "bar". Verify that the two labels now
exist in the UI with the configuration you specified.
**Test label usage**
1. Add a label "foo" in the UI.
1. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, where a software installer or mdm profile uses the
"foo" label via `labels_include_any`. Verify that the output doesn't
complain about unknown labels.
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with nothing underneath, and a software installer or mdm
profile uses the "foo" label via `labels_include_any`. Verify that the
output complains about unknown label "foo"
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with a "foo" label defined underneath, and a software
installer or mdm profile uses the "foo" label via `labels_include_any`.
Verify that the output doesn't complain about unknown labels.
2025-03-19 21:35:11 +00:00
}
var numUpdates int
var labelsToDelete [ ] string
for _ , persistedLabel := range persistedLabels {
if persistedLabel . LabelType == fleet . LabelTypeBuiltIn {
continue
}
if slices . IndexFunc ( config . Labels , func ( configLabel * fleet . LabelSpec ) bool { return configLabel . Name == persistedLabel . Name } ) == - 1 {
labelsToDelete = append ( labelsToDelete , persistedLabel . Name )
} else {
numUpdates ++
}
}
numNew := len ( config . Labels ) - numUpdates
if dryRun {
for _ , labelToDelete := range labelsToDelete {
logFn ( "[-] would've deleted label '%s'\n" , labelToDelete )
}
if numNew > 0 {
logFn ( "[+] would've created %d label%s\n" , numNew , pluralize ( numNew , "" , "s" ) )
}
if numUpdates > 0 {
logFn ( "[+] would've updated %d label%s\n" , numUpdates , pluralize ( numUpdates , "" , "s" ) )
}
2025-05-14 00:16:16 +00:00
return nil , nil
}
Manage labels in GitOps (#27038)
For #24473
# Checklist for submitter
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
## Details
This PR adds the ability to manage labels via GitOps. Usage is as
follows:
* If a top-level `labels:` key is provided in the global YAML file
provided to GitOps, then any labels in this list will be created (if
using a new name) or updated (if using an existing name).
* If no top-level `labels:` key is provided, no changes will be made to
labels. This allows backwards-compatibility; customers won't blow away
all of their labels if they don't immediately use `labels:` in their
YAML
Additionally, some new validation has been added so that label usage is
checked prior to application. This means that when the gitops command is
run, it will verify that any labels referenced elsewhere in the YAML
(e.g. by software installers or mdm profiles) exist, and will bail with
an error message if they don't.
## Testing
**Test label deletion**
1. Add some labels via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, and verify that it doesn't say it will update or delete
any labels
2. Run `fleetctl gitops` with a default.yml file _without_ `labels:` in
it, and verify that it doesn't modify or remove your labels
4. Run `fleetctl gitops --dry-run` with a default.yml file with
`labels:` in it and nothing underneath, and verify that it says that it
will delete your labels
4. Run `fleetctl gitops` with a default.yml file with `labels:` in it
and nothing underneath, and verify that it removes all your labels
**Test label create/update**
1. Add a label "foo" via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file with two
`labels:` in it, one named "foo" and one named "bar". Verify that the
output says that one label will be created and one will be updated.
2. Run `fleetctl gitops` with a default.yml file with two `labels:` in
it, one named "foo" and one named "bar". Verify that the two labels now
exist in the UI with the configuration you specified.
**Test label usage**
1. Add a label "foo" in the UI.
1. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, where a software installer or mdm profile uses the
"foo" label via `labels_include_any`. Verify that the output doesn't
complain about unknown labels.
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with nothing underneath, and a software installer or mdm
profile uses the "foo" label via `labels_include_any`. Verify that the
output complains about unknown label "foo"
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with a "foo" label defined underneath, and a software
installer or mdm profile uses the "foo" label via `labels_include_any`.
Verify that the output doesn't complain about unknown labels.
2025-03-19 21:35:11 +00:00
2025-05-14 00:16:16 +00:00
logFn ( "[+] syncing %d label%s (%d new and %d updated)\n" , len ( config . Labels ) , pluralize ( len ( config . Labels ) , "" , "s" ) , len ( config . Labels ) - numUpdates , numUpdates )
err = c . ApplyLabels ( config . Labels )
if err != nil {
return nil , err
Manage labels in GitOps (#27038)
For #24473
# Checklist for submitter
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
## Details
This PR adds the ability to manage labels via GitOps. Usage is as
follows:
* If a top-level `labels:` key is provided in the global YAML file
provided to GitOps, then any labels in this list will be created (if
using a new name) or updated (if using an existing name).
* If no top-level `labels:` key is provided, no changes will be made to
labels. This allows backwards-compatibility; customers won't blow away
all of their labels if they don't immediately use `labels:` in their
YAML
Additionally, some new validation has been added so that label usage is
checked prior to application. This means that when the gitops command is
run, it will verify that any labels referenced elsewhere in the YAML
(e.g. by software installers or mdm profiles) exist, and will bail with
an error message if they don't.
## Testing
**Test label deletion**
1. Add some labels via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, and verify that it doesn't say it will update or delete
any labels
2. Run `fleetctl gitops` with a default.yml file _without_ `labels:` in
it, and verify that it doesn't modify or remove your labels
4. Run `fleetctl gitops --dry-run` with a default.yml file with
`labels:` in it and nothing underneath, and verify that it says that it
will delete your labels
4. Run `fleetctl gitops` with a default.yml file with `labels:` in it
and nothing underneath, and verify that it removes all your labels
**Test label create/update**
1. Add a label "foo" via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file with two
`labels:` in it, one named "foo" and one named "bar". Verify that the
output says that one label will be created and one will be updated.
2. Run `fleetctl gitops` with a default.yml file with two `labels:` in
it, one named "foo" and one named "bar". Verify that the two labels now
exist in the UI with the configuration you specified.
**Test label usage**
1. Add a label "foo" in the UI.
1. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, where a software installer or mdm profile uses the
"foo" label via `labels_include_any`. Verify that the output doesn't
complain about unknown labels.
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with nothing underneath, and a software installer or mdm
profile uses the "foo" label via `labels_include_any`. Verify that the
output complains about unknown label "foo"
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with a "foo" label defined underneath, and a software
installer or mdm profile uses the "foo" label via `labels_include_any`.
Verify that the output doesn't complain about unknown labels.
2025-03-19 21:35:11 +00:00
}
2025-05-14 00:16:16 +00:00
return labelsToDelete , nil
Manage labels in GitOps (#27038)
For #24473
# Checklist for submitter
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
## Details
This PR adds the ability to manage labels via GitOps. Usage is as
follows:
* If a top-level `labels:` key is provided in the global YAML file
provided to GitOps, then any labels in this list will be created (if
using a new name) or updated (if using an existing name).
* If no top-level `labels:` key is provided, no changes will be made to
labels. This allows backwards-compatibility; customers won't blow away
all of their labels if they don't immediately use `labels:` in their
YAML
Additionally, some new validation has been added so that label usage is
checked prior to application. This means that when the gitops command is
run, it will verify that any labels referenced elsewhere in the YAML
(e.g. by software installers or mdm profiles) exist, and will bail with
an error message if they don't.
## Testing
**Test label deletion**
1. Add some labels via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, and verify that it doesn't say it will update or delete
any labels
2. Run `fleetctl gitops` with a default.yml file _without_ `labels:` in
it, and verify that it doesn't modify or remove your labels
4. Run `fleetctl gitops --dry-run` with a default.yml file with
`labels:` in it and nothing underneath, and verify that it says that it
will delete your labels
4. Run `fleetctl gitops` with a default.yml file with `labels:` in it
and nothing underneath, and verify that it removes all your labels
**Test label create/update**
1. Add a label "foo" via the UI
2. Run `fleetctl gitops --dry-run` with a default.yml file with two
`labels:` in it, one named "foo" and one named "bar". Verify that the
output says that one label will be created and one will be updated.
2. Run `fleetctl gitops` with a default.yml file with two `labels:` in
it, one named "foo" and one named "bar". Verify that the two labels now
exist in the UI with the configuration you specified.
**Test label usage**
1. Add a label "foo" in the UI.
1. Run `fleetctl gitops --dry-run` with a default.yml file _without_
`labels:` in it, where a software installer or mdm profile uses the
"foo" label via `labels_include_any`. Verify that the output doesn't
complain about unknown labels.
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with nothing underneath, and a software installer or mdm
profile uses the "foo" label via `labels_include_any`. Verify that the
output complains about unknown label "foo"
1. Run `fleetctl gitops --dry-run` with a default.yml file _with_
`labels:` in it with a "foo" label defined underneath, and a software
installer or mdm profile uses the "foo" label via `labels_include_any`.
Verify that the output doesn't complain about unknown labels.
2025-03-19 21:35:11 +00:00
}
2025-01-14 18:52:39 +00:00
func ( c * Client ) doGitOpsPolicies ( config * spec . GitOps , teamSoftwareInstallers [ ] fleet . SoftwarePackageResponse , teamVPPApps [ ] fleet . VPPAppResponse , teamScripts [ ] fleet . ScriptResponse , logFn func ( format string , args ... interface { } ) , dryRun bool ) error {
2024-09-12 17:23:25 +00:00
var teamID * uint // Global policies (nil)
switch {
case config . TeamID != nil : // Team policies
teamID = config . TeamID
case config . IsNoTeam ( ) : // "No team" policies
teamID = ptr . Uint ( 0 )
}
if teamID != nil {
2024-10-04 01:03:40 +00:00
// Get software titles of packages for the team.
2025-01-14 18:52:39 +00:00
softwareTitleIDsByInstallerURL := make ( map [ string ] uint )
softwareTitleIDsByAppStoreAppID := make ( map [ string ] uint )
Add "generate-gitops" command (#28555)
For #27476
# Checklist for submitter
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
# Details
This PR adds a new command `generate-gitops` to the `fleetctl` tool. The
purpose of this command is to output GitOps-ready files that can then be
used with `fleetctl-gitops`.
The general usage of the command is:
```
fleectl generate-gitops --dir /path/to/dir/to/add/files/to
```
By default, the outputted files will not contain sensitive data, but
will instead add comments where the data needs to be replaced by a user.
In cases where sensitive data is redacted, the tool outputs warnings to
the user indicating which keys need to be updated.
The tool uses existing APIs to gather data for use in generating
configuration files. In some cases new API client methods needed to be
added to support the tool:
* ListConfigurationProfiles
* GetProfileContents
* GetScriptContents
* GetSoftwareTitleByID
Additionally, the response for the /api/latest/fleet/software/batch
endpoint was updated slightly to return `HashSHA256` for the software
installers. This allows policies that automatically install software to
refer to that software by hash.
Other options that we may or may not choose to document at this time:
* `--insecure`: outputs sensitive data in plaintext instead of leaving
comments
* `--print`: prints the output to stdout instead of writing files
* `--key`: outputs the value at a keypath to stdout, e.g. `--key
agent_options.config`
* `--team`: only generates config for the specified team name
* `--force`: overwrites files in the given directory (defaults to false,
which errors if the dir is not empty)
# Technical notes
The command is implemented using a `GenerateGitopsCommand` type which
holds some state (like a list of software and scripts encountered) as
well as a Fleet client instance (which may be a mock instance for tests)
and the CLI context (containing things like flags and output writers).
The actual "action" of the CLI command calls the `Run()` method of the
`GenerateGitopsCommand` var, which delegates most of the work to other
methods like `generateOrgSettings()`, `generateControls()`, etc.
Wherever possible, the subroutines use reflection to translate Go struct
fields into JSON property names. This guarantees that the correct keys
are written to config files, and protects against the unlikely event of
keys changing.
When sensitive data is encountered, the subroutines call `AddComment()`
to get a new token to add to the config files. These tokens are replaced
with comments like `# TODO - Add your enrollment secrets here` in the
final output.
# Known issues / TODOs:
* The `macos_setup` configuration is not output by this tool yet. More
planning is required for this. In the meantime, if the tool detects that
`macos_setup` is configured on the server, it outputs a key with an
invalid value and prints a warning to the user that they'll need to
configure it themselves.
* `yara_rules` are not output yet. The tool adds a warning that if you
have Yara rules (which you can only upload via GitOps right now) that
you'll have to migrate them manually. Supporting this will require a new
API that we'll have to discuss the authz for, so punting on it for now.
* Fleet maintained apps are not supported by GitOps yet (coming in
https://github.com/fleetdm/fleet/issues/24469). In the meantime, this
tool will output a `fleet_maintained_apps` key and trigger a warning,
and GitOps will fail if that key is present.
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-05-06 20:25:44 +00:00
softwareTitleIDsByHash := make ( map [ string ] uint )
2024-09-06 22:10:28 +00:00
for _ , softwareInstaller := range teamSoftwareInstallers {
if softwareInstaller . TitleID == nil {
// Should not happen, but to not panic we just log a warning.
2024-09-17 16:30:27 +00:00
logFn ( "[!] software installer without title id: team_id=%d, url=%s\n" , * teamID , softwareInstaller . URL )
continue
}
Add "generate-gitops" command (#28555)
For #27476
# Checklist for submitter
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
# Details
This PR adds a new command `generate-gitops` to the `fleetctl` tool. The
purpose of this command is to output GitOps-ready files that can then be
used with `fleetctl-gitops`.
The general usage of the command is:
```
fleectl generate-gitops --dir /path/to/dir/to/add/files/to
```
By default, the outputted files will not contain sensitive data, but
will instead add comments where the data needs to be replaced by a user.
In cases where sensitive data is redacted, the tool outputs warnings to
the user indicating which keys need to be updated.
The tool uses existing APIs to gather data for use in generating
configuration files. In some cases new API client methods needed to be
added to support the tool:
* ListConfigurationProfiles
* GetProfileContents
* GetScriptContents
* GetSoftwareTitleByID
Additionally, the response for the /api/latest/fleet/software/batch
endpoint was updated slightly to return `HashSHA256` for the software
installers. This allows policies that automatically install software to
refer to that software by hash.
Other options that we may or may not choose to document at this time:
* `--insecure`: outputs sensitive data in plaintext instead of leaving
comments
* `--print`: prints the output to stdout instead of writing files
* `--key`: outputs the value at a keypath to stdout, e.g. `--key
agent_options.config`
* `--team`: only generates config for the specified team name
* `--force`: overwrites files in the given directory (defaults to false,
which errors if the dir is not empty)
# Technical notes
The command is implemented using a `GenerateGitopsCommand` type which
holds some state (like a list of software and scripts encountered) as
well as a Fleet client instance (which may be a mock instance for tests)
and the CLI context (containing things like flags and output writers).
The actual "action" of the CLI command calls the `Run()` method of the
`GenerateGitopsCommand` var, which delegates most of the work to other
methods like `generateOrgSettings()`, `generateControls()`, etc.
Wherever possible, the subroutines use reflection to translate Go struct
fields into JSON property names. This guarantees that the correct keys
are written to config files, and protects against the unlikely event of
keys changing.
When sensitive data is encountered, the subroutines call `AddComment()`
to get a new token to add to the config files. These tokens are replaced
with comments like `# TODO - Add your enrollment secrets here` in the
final output.
# Known issues / TODOs:
* The `macos_setup` configuration is not output by this tool yet. More
planning is required for this. In the meantime, if the tool detects that
`macos_setup` is configured on the server, it outputs a key with an
invalid value and prints a warning to the user that they'll need to
configure it themselves.
* `yara_rules` are not output yet. The tool adds a warning that if you
have Yara rules (which you can only upload via GitOps right now) that
you'll have to migrate them manually. Supporting this will require a new
API that we'll have to discuss the authz for, so punting on it for now.
* Fleet maintained apps are not supported by GitOps yet (coming in
https://github.com/fleetdm/fleet/issues/24469). In the meantime, this
tool will output a `fleet_maintained_apps` key and trigger a warning,
and GitOps will fail if that key is present.
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-05-06 20:25:44 +00:00
if softwareInstaller . URL == "" && softwareInstaller . HashSHA256 == "" {
2024-09-17 16:30:27 +00:00
// Should not happen because we previously applied packages via gitops, but to not panic we just log a warning.
logFn ( "[!] software installer without url: team_id=%d, title_id=%d\n" , * teamID , * softwareInstaller . TitleID )
2024-09-06 22:10:28 +00:00
continue
}
2025-01-14 18:52:39 +00:00
softwareTitleIDsByInstallerURL [ softwareInstaller . URL ] = * softwareInstaller . TitleID
Add "generate-gitops" command (#28555)
For #27476
# Checklist for submitter
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
# Details
This PR adds a new command `generate-gitops` to the `fleetctl` tool. The
purpose of this command is to output GitOps-ready files that can then be
used with `fleetctl-gitops`.
The general usage of the command is:
```
fleectl generate-gitops --dir /path/to/dir/to/add/files/to
```
By default, the outputted files will not contain sensitive data, but
will instead add comments where the data needs to be replaced by a user.
In cases where sensitive data is redacted, the tool outputs warnings to
the user indicating which keys need to be updated.
The tool uses existing APIs to gather data for use in generating
configuration files. In some cases new API client methods needed to be
added to support the tool:
* ListConfigurationProfiles
* GetProfileContents
* GetScriptContents
* GetSoftwareTitleByID
Additionally, the response for the /api/latest/fleet/software/batch
endpoint was updated slightly to return `HashSHA256` for the software
installers. This allows policies that automatically install software to
refer to that software by hash.
Other options that we may or may not choose to document at this time:
* `--insecure`: outputs sensitive data in plaintext instead of leaving
comments
* `--print`: prints the output to stdout instead of writing files
* `--key`: outputs the value at a keypath to stdout, e.g. `--key
agent_options.config`
* `--team`: only generates config for the specified team name
* `--force`: overwrites files in the given directory (defaults to false,
which errors if the dir is not empty)
# Technical notes
The command is implemented using a `GenerateGitopsCommand` type which
holds some state (like a list of software and scripts encountered) as
well as a Fleet client instance (which may be a mock instance for tests)
and the CLI context (containing things like flags and output writers).
The actual "action" of the CLI command calls the `Run()` method of the
`GenerateGitopsCommand` var, which delegates most of the work to other
methods like `generateOrgSettings()`, `generateControls()`, etc.
Wherever possible, the subroutines use reflection to translate Go struct
fields into JSON property names. This guarantees that the correct keys
are written to config files, and protects against the unlikely event of
keys changing.
When sensitive data is encountered, the subroutines call `AddComment()`
to get a new token to add to the config files. These tokens are replaced
with comments like `# TODO - Add your enrollment secrets here` in the
final output.
# Known issues / TODOs:
* The `macos_setup` configuration is not output by this tool yet. More
planning is required for this. In the meantime, if the tool detects that
`macos_setup` is configured on the server, it outputs a key with an
invalid value and prints a warning to the user that they'll need to
configure it themselves.
* `yara_rules` are not output yet. The tool adds a warning that if you
have Yara rules (which you can only upload via GitOps right now) that
you'll have to migrate them manually. Supporting this will require a new
API that we'll have to discuss the authz for, so punting on it for now.
* Fleet maintained apps are not supported by GitOps yet (coming in
https://github.com/fleetdm/fleet/issues/24469). In the meantime, this
tool will output a `fleet_maintained_apps` key and trigger a warning,
and GitOps will fail if that key is present.
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-05-06 20:25:44 +00:00
softwareTitleIDsByHash [ softwareInstaller . HashSHA256 ] = * softwareInstaller . TitleID
2025-01-14 18:52:39 +00:00
}
for _ , vppApp := range teamVPPApps {
if vppApp . Platform != fleet . MacOSPlatform {
continue // ignore iPad/iPhone VPP apps as they aren't relevant for policies
}
if vppApp . TitleID == nil {
// Should not happen, but to not panic we just log a warning.
logFn ( "[!] VPP app without title id: team_id=%d, app_store_id=%s\n" , * teamID , vppApp . AppStoreID )
continue
}
if vppApp . AppStoreID == "" {
// Should not happen because we previously applied apps via gitops, but to not panic we just log a warning.
logFn ( "[!] VPP app without app ID: team_id=%d, title_id=%d\n" , * teamID , * vppApp . TitleID )
continue
}
softwareTitleIDsByAppStoreAppID [ vppApp . AppStoreID ] = * vppApp . TitleID
2024-09-06 22:10:28 +00:00
}
2025-01-14 18:52:39 +00:00
2024-09-06 22:10:28 +00:00
for i := range config . Policies {
config . Policies [ i ] . SoftwareTitleID = ptr . Uint ( 0 ) // 0 unsets the installer
if config . Policies [ i ] . InstallSoftware == nil {
continue
}
2025-01-14 18:52:39 +00:00
if config . Policies [ i ] . InstallSoftwareURL != "" {
softwareTitleID , ok := softwareTitleIDsByInstallerURL [ config . Policies [ i ] . InstallSoftwareURL ]
if ! ok {
// Should not happen because software packages are uploaded first.
if ! dryRun {
logFn ( "[!] software URL without software title ID: %s\n" , config . Policies [ i ] . InstallSoftwareURL )
}
continue
2024-09-06 22:10:28 +00:00
}
2025-01-14 18:52:39 +00:00
config . Policies [ i ] . SoftwareTitleID = & softwareTitleID
}
if config . Policies [ i ] . InstallSoftware . AppStoreID != "" {
softwareTitleID , ok := softwareTitleIDsByAppStoreAppID [ config . Policies [ i ] . InstallSoftware . AppStoreID ]
if ! ok {
// Should not happen because app store apps are uploaded first.
if ! dryRun {
logFn ( "[!] software app store app ID without software title ID: %s\n" , config . Policies [ i ] . InstallSoftware . AppStoreID )
}
continue
}
config . Policies [ i ] . SoftwareTitleID = & softwareTitleID
2024-09-06 22:10:28 +00:00
}
Add "generate-gitops" command (#28555)
For #27476
# Checklist for submitter
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
# Details
This PR adds a new command `generate-gitops` to the `fleetctl` tool. The
purpose of this command is to output GitOps-ready files that can then be
used with `fleetctl-gitops`.
The general usage of the command is:
```
fleectl generate-gitops --dir /path/to/dir/to/add/files/to
```
By default, the outputted files will not contain sensitive data, but
will instead add comments where the data needs to be replaced by a user.
In cases where sensitive data is redacted, the tool outputs warnings to
the user indicating which keys need to be updated.
The tool uses existing APIs to gather data for use in generating
configuration files. In some cases new API client methods needed to be
added to support the tool:
* ListConfigurationProfiles
* GetProfileContents
* GetScriptContents
* GetSoftwareTitleByID
Additionally, the response for the /api/latest/fleet/software/batch
endpoint was updated slightly to return `HashSHA256` for the software
installers. This allows policies that automatically install software to
refer to that software by hash.
Other options that we may or may not choose to document at this time:
* `--insecure`: outputs sensitive data in plaintext instead of leaving
comments
* `--print`: prints the output to stdout instead of writing files
* `--key`: outputs the value at a keypath to stdout, e.g. `--key
agent_options.config`
* `--team`: only generates config for the specified team name
* `--force`: overwrites files in the given directory (defaults to false,
which errors if the dir is not empty)
# Technical notes
The command is implemented using a `GenerateGitopsCommand` type which
holds some state (like a list of software and scripts encountered) as
well as a Fleet client instance (which may be a mock instance for tests)
and the CLI context (containing things like flags and output writers).
The actual "action" of the CLI command calls the `Run()` method of the
`GenerateGitopsCommand` var, which delegates most of the work to other
methods like `generateOrgSettings()`, `generateControls()`, etc.
Wherever possible, the subroutines use reflection to translate Go struct
fields into JSON property names. This guarantees that the correct keys
are written to config files, and protects against the unlikely event of
keys changing.
When sensitive data is encountered, the subroutines call `AddComment()`
to get a new token to add to the config files. These tokens are replaced
with comments like `# TODO - Add your enrollment secrets here` in the
final output.
# Known issues / TODOs:
* The `macos_setup` configuration is not output by this tool yet. More
planning is required for this. In the meantime, if the tool detects that
`macos_setup` is configured on the server, it outputs a key with an
invalid value and prints a warning to the user that they'll need to
configure it themselves.
* `yara_rules` are not output yet. The tool adds a warning that if you
have Yara rules (which you can only upload via GitOps right now) that
you'll have to migrate them manually. Supporting this will require a new
API that we'll have to discuss the authz for, so punting on it for now.
* Fleet maintained apps are not supported by GitOps yet (coming in
https://github.com/fleetdm/fleet/issues/24469). In the meantime, this
tool will output a `fleet_maintained_apps` key and trigger a warning,
and GitOps will fail if that key is present.
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-05-06 20:25:44 +00:00
if config . Policies [ i ] . InstallSoftware . HashSHA256 != "" {
softwareTitleID , ok := softwareTitleIDsByHash [ config . Policies [ i ] . InstallSoftware . HashSHA256 ]
if ! ok {
// Should not happen because software packages are uploaded first.
if ! dryRun {
logFn ( "[!] software hash without software title ID: %s\n" , config . Policies [ i ] . InstallSoftware . HashSHA256 )
}
continue
}
config . Policies [ i ] . SoftwareTitleID = & softwareTitleID
}
2024-09-06 22:10:28 +00:00
}
2024-10-04 01:03:40 +00:00
// Get scripts for the team.
scriptIDsByName := make ( map [ string ] uint )
for _ , script := range teamScripts {
scriptIDsByName [ script . Name ] = script . ID
}
for i := range config . Policies {
config . Policies [ i ] . ScriptID = ptr . Uint ( 0 ) // 0 unsets the script
if config . Policies [ i ] . RunScript == nil {
continue
}
scriptID , ok := scriptIDsByName [ * config . Policies [ i ] . RunScriptName ]
if ! ok {
if ! dryRun { // this shouldn't happen
logFn ( "[!] reference to an unknown script: %s\n" , * config . Policies [ i ] . RunScriptName )
}
continue
}
config . Policies [ i ] . ScriptID = & scriptID
}
2024-09-06 22:10:28 +00:00
}
2024-02-09 19:34:57 +00:00
// Get the ids and names of current policies to figure out which ones to delete
2024-09-12 17:23:25 +00:00
policies , err := c . GetPolicies ( teamID )
2024-02-09 19:34:57 +00:00
if err != nil {
return fmt . Errorf ( "error getting current policies: %w" , err )
}
2024-09-06 22:10:28 +00:00
2024-02-09 19:34:57 +00:00
if len ( config . Policies ) > 0 {
numPolicies := len ( config . Policies )
logFn ( "[+] syncing %d policies\n" , numPolicies )
if ! dryRun {
2024-03-28 17:39:27 +00:00
totalApplied := 0
for i := 0 ; i < len ( config . Policies ) ; i += batchSize {
end := i + batchSize
if end > len ( config . Policies ) {
end = len ( config . Policies )
}
totalApplied += end - i
// Note: We are reusing the spec flow here for adding/updating policies, instead of creating a new flow for GitOps.
2024-09-06 22:10:28 +00:00
policiesToApply := config . Policies [ i : end ]
policiesSpec := make ( [ ] * fleet . PolicySpec , len ( policiesToApply ) )
for i := range policiesToApply {
policiesSpec [ i ] = & policiesToApply [ i ] . PolicySpec
}
if err := c . ApplyPolicies ( policiesSpec ) ; err != nil {
2024-03-28 17:39:27 +00:00
return fmt . Errorf ( "error applying policies: %w" , err )
}
logFn ( "[+] synced %d policies\n" , totalApplied )
2024-02-09 19:34:57 +00:00
}
}
}
var policiesToDelete [ ] uint
for _ , oldItem := range policies {
found := false
for _ , newItem := range config . Policies {
if oldItem . Name == newItem . Name {
found = true
break
}
}
if ! found {
policiesToDelete = append ( policiesToDelete , oldItem . ID )
2024-09-12 17:23:25 +00:00
if ! dryRun {
logFn ( "[-] deleting policy %s\n" , oldItem . Name )
} else {
logFn ( "[-] would've deleted policy %s\n" , oldItem . Name )
}
2024-02-09 19:34:57 +00:00
}
}
if len ( policiesToDelete ) > 0 {
logFn ( "[-] deleting %d policies\n" , len ( policiesToDelete ) )
if ! dryRun {
2024-03-28 17:39:27 +00:00
totalDeleted := 0
for i := 0 ; i < len ( policiesToDelete ) ; i += batchSize {
end := i + batchSize
if end > len ( policiesToDelete ) {
end = len ( policiesToDelete )
}
totalDeleted += end - i
2024-09-12 17:23:25 +00:00
var teamID * uint
switch {
case config . TeamID != nil : // Team policies
teamID = config . TeamID
case config . IsNoTeam ( ) : // No team policies
teamID = ptr . Uint ( fleet . PolicyNoTeamID )
default : // Global policies
teamID = nil
}
if err := c . DeletePolicies ( teamID , policiesToDelete [ i : end ] ) ; err != nil {
2024-03-28 17:39:27 +00:00
return fmt . Errorf ( "error deleting policies: %w" , err )
}
logFn ( "[-] deleted %d policies\n" , totalDeleted )
2024-02-09 19:34:57 +00:00
}
}
}
return nil
}
func ( c * Client ) doGitOpsQueries ( config * spec . GitOps , logFn func ( format string , args ... interface { } ) , dryRun bool ) error {
2024-03-28 17:39:27 +00:00
batchSize := 100
2024-02-09 19:34:57 +00:00
// Get the ids and names of current queries to figure out which ones to delete
queries , err := c . GetQueries ( config . TeamID , nil )
if err != nil {
return fmt . Errorf ( "error getting current queries: %w" , err )
}
if len ( config . Queries ) > 0 {
numQueries := len ( config . Queries )
logFn ( "[+] syncing %d queries\n" , numQueries )
if ! dryRun {
2024-03-28 17:39:27 +00:00
appliedCount := 0
for i := 0 ; i < len ( config . Queries ) ; i += batchSize {
end := i + batchSize
if end > len ( config . Queries ) {
end = len ( config . Queries )
}
appliedCount += end - i
// Note: We are reusing the spec flow here for adding/updating queries, instead of creating a new flow for GitOps.
if err := c . ApplyQueries ( config . Queries [ i : end ] ) ; err != nil {
return fmt . Errorf ( "error applying queries: %w" , err )
}
logFn ( "[+] synced %d queries\n" , appliedCount )
2024-02-09 19:34:57 +00:00
}
}
}
var queriesToDelete [ ] uint
for _ , oldQuery := range queries {
found := false
for _ , newQuery := range config . Queries {
if oldQuery . Name == newQuery . Name {
found = true
break
}
}
if ! found {
queriesToDelete = append ( queriesToDelete , oldQuery . ID )
2024-10-25 18:35:53 +00:00
if ! dryRun {
fmt . Printf ( "[-] deleting query %s\n" , oldQuery . Name )
} else {
fmt . Printf ( "[-] would've deleted query %s\n" , oldQuery . Name )
}
2024-02-09 19:34:57 +00:00
}
}
if len ( queriesToDelete ) > 0 {
logFn ( "[-] deleting %d queries\n" , len ( queriesToDelete ) )
if ! dryRun {
2024-03-28 17:39:27 +00:00
deleteCount := 0
for i := 0 ; i < len ( queriesToDelete ) ; i += batchSize {
end := i + batchSize
if end > len ( queriesToDelete ) {
end = len ( queriesToDelete )
}
deleteCount += end - i
if err := c . DeleteQueries ( queriesToDelete [ i : end ] ) ; err != nil {
return fmt . Errorf ( "error deleting queries: %w" , err )
}
logFn ( "[-] deleted %d queries\n" , deleteCount )
2024-02-09 19:34:57 +00:00
}
}
}
return nil
}
2024-05-31 12:01:13 +00:00
2025-07-01 16:28:13 +00:00
func ( c * Client ) doGitOpsEULA ( eulaPath string , logFn func ( format string , args ... interface { } ) , dryRun bool ) error {
if eulaPath == "" {
err := c . DeleteEULAIfNeeded ( dryRun )
if err != nil {
return fmt . Errorf ( "error deleting EULA: %w" , err )
}
} else {
err := c . UploadEULAIfNeeded ( eulaPath , dryRun )
if err != nil {
return fmt . Errorf ( "error uploading EULA: %w" , err )
}
}
if dryRun {
logFn ( "[+] would've applied EULA\n" )
} else {
logFn ( "[+] applied EULA\n" )
}
return nil
}
2024-05-31 12:01:13 +00:00
func ( c * Client ) GetGitOpsSecrets (
config * spec . GitOps ,
) [ ] string {
if config . TeamName == nil {
orgSecrets , ok := config . OrgSettings [ "secrets" ]
if ok {
secrets , ok := orgSecrets . ( [ ] * fleet . EnrollSecret )
if ok {
secretValues := make ( [ ] string , 0 , len ( secrets ) )
for _ , secret := range secrets {
secretValues = append ( secretValues , secret . Secret )
}
return secretValues
}
}
} else {
teamSecrets , ok := config . TeamSettings [ "secrets" ]
if ok {
secrets , ok := teamSecrets . ( [ ] * fleet . EnrollSecret )
if ok {
secretValues := make ( [ ] string , 0 , len ( secrets ) )
for _ , secret := range secrets {
secretValues = append ( secretValues , secret . Secret )
}
return secretValues
}
}
}
return nil
}
