Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-21 07:58:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 110
fleet/server/service/handler.go

1387 lines
84 KiB
Go
Raw Normal View History

Organizing go code (#241)
2016-09-26 18:48:55 +00:00
package service
go-kit server layout
2016-08-28 03:59:17 +00:00
import (
Update go-kit to 0.4.0 (#1411) Notable refactoring: - Use stdlib "context" in place of "golang.org/x/net/context" - Go-kit no longer wraps errors, so we remove the unwrap in transport_error.go - Use MakeHandler when setting up endpoint tests (fixes test bug caught during this refactoring) Closes #1411.
2017-03-15 15:55:30 +00:00
"context"
Apply minimum OS version enforcement to MDM SSO endpoint (#23856)
2024-11-22 15:56:36 +00:00
"encoding/json"
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
"errors"
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
"fmt"
go-kit server layout
2016-08-28 03:59:17 +00:00
"net/http"
Allow to disable Apple MDM SCEP renewal/verification (#23660) https://github.com/fleetdm/confidential/issues/8528 Manual merge from special branch https://github.com/fleetdm/fleet/compare/rc-patch-fleet-v4.57.3...rh-patch-4.57.3, gated by env vars. No changes entry since this is a temporary feature for a customer, which we may not want to maintain.
2024-11-11 19:25:21 +00:00
"os"
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
"regexp"
Allow to disable Apple MDM SCEP renewal/verification (#23660) https://github.com/fleetdm/confidential/issues/8528 Manual merge from special branch https://github.com/fleetdm/fleet/compare/rc-patch-fleet-v4.57.3...rh-patch-4.57.3, gated by env vars. No changes entry since this is a temporary feature for a customer, which we may not want to maintain.
2024-11-11 19:25:21 +00:00
"strings"
Add custom SCEP configs (#27045) For #26603 This PR includes: - Refactoring of NDES/SCEP verify/timeout logic for easier testing (with dependency injection) - Custom SCEP configs - saving/deleting/updating of encrypted custom SCEP challenges - validation call to custom SCEP server to verify connection - Custom SCEP activities - unit and integration tests for all of the above This PR does not include the following: - Changes file (in later PR) # Checklist for submitter - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2025-03-14 17:16:51 +00:00
"time"
go-kit server layout
2016-08-28 03:59:17 +00:00
NDES SCEP proxy backend (#22542) #21955 <div> <a href="https://www.loom.com/share/ba40b440502845d2861fd3ec7611bade"> <p>[Demo] Deploy SCEP certificates from Network Device Enrollment Service (NDES) #21955 - Watch Video</p> </a> <a href="https://www.loom.com/share/ba40b440502845d2861fd3ec7611bade"> <img style="max-width:300px;" src="https://cdn.loom.com/sessions/thumbnails/ba40b440502845d2861fd3ec7611bade-84f2d88c9f5106c2-full-play.gif"> </a> </div> Note: A few remaining subtasks will be done in a follow-up PR. See #22123 for a detailed list. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-10-09 18:47:27 +00:00
eeservice "github.com/fleetdm/fleet/v4/ee/server/service"
Add v4 suffix in go.mod (#1224)
2021-06-26 04:46:51 +00:00
"github.com/fleetdm/fleet/v4/server/config"
Add public ip to hosts & derive geolocation when rendering host (#4652) * geoip wip * return nil if ip is empty string or if ParseIP returns nil * add ui component to render geolocation if available, address PR feedback * render public ip if available * add changes file, document geoip in deployment guide * update rest-api docs
2022-03-21 16:29:52 +00:00
"github.com/fleetdm/fleet/v4/server/contexts/publicip"
New rate limit algorithm for Fleet Desktop endpoints (#33344) Resolves #31890 This new approach allows up to 1000 consecutive failing requests per minute. If the threshold of 1000 consecutive failures is reached for an IP, then we ban request (return 429) from such IP for a duration of 1 minute. (Any successful request for an IP clears the count.) This supports the scenario where all hosts are behind a NAT (same IP) AND still provides protection against brute force attacks (attackers can only probe 1k requests per minute). This approach was discussed in Slack with @rfairburn: https://fleetdm.slack.com/archives/C051QJU3D0V/p1755625131298319?thread_ts=1755101701.844249&cid=C051QJU3D0V. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [X] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Introduced IP-based rate limiting for Fleet Desktop endpoints to better support many hosts behind a single public IP (NAT). Requests from abusive IPs may be temporarily blocked, returning 429 Too Many Requests with a retry-after hint. - Documentation - Added README for a new desktop rate-limit tester, describing usage and expected behavior. - Tests - Added integration tests covering desktop endpoint rate limiting and Redis-backed banning logic. - Chores - Added a command-line tool to stress-test desktop endpoints and verify rate limiting behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-26 18:03:50 +00:00
"github.com/fleetdm/fleet/v4/server/datastore/redis"
Add v4 suffix in go.mod (#1224)
2021-06-26 04:46:51 +00:00
"github.com/fleetdm/fleet/v4/server/fleet"
Add Apple MDM functionality (#7940) * WIP * Adding DEP functionality to Fleet * Better organize additional MDM code * Add cmdr.py and amend API paths * Fix lint * Add demo file * Fix demo.md * go mod tidy * Add munki setup to Fleet * Add diagram to demo.md * Add fixes * Update TODOs and demo.md * Fix cmdr.py and add TODO * Add endpoints to demo.md * Add more Munki PoC/demo stuff * WIP * Remove proposals from PoC * Replace prepare commands with fleetctl commands * Update demo.md with current state * Remove config field * Amend demo * Remove Munki setup from MVP-Dogfood * Update demo.md * Add apple mdm commands (#7769) * fleetctl enqueue mdm command * fix deps * Fix build Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com> * Add command to upload installers * go mod tidy * fix subcommands help There is a bug in urfave/cli where help text is not generated properly when subcommands are nested too deep. * Add support for installing apps * Add a way to list enrolled devices * Add dep listing * Rearrange endpoints * Move DEP routine to schedule * Define paths globally * Add a way to list enrollments and installers * Parse device-ids as comma-separated string * Remove unused types * Add simple commands and nest under enqueue-command * Fix simple commands * Add help to enqueue-command * merge apple_mdm database * Fix commands * update nanomdm * Split nanomdm and nanodep schemas * Set 512 MB in memory for upload * Remove empty file * Amend profile * Add sample commands * Add delete installers and fix bug in DEP profile assigning * Add dogfood.md deployment guide * Update schema.sql * Dump schema with MySQL 5 * Set default value for authenticate_at * add tokens to enrollment profiles When a device downloads an MDM enrollment profile, verify the token passed as a query parameter. This ensures untrusted devices don't enroll with our MDM server. - Rename enrollments to enrollment profiles. Enrollments is used by nano to refer to devices that are enrolled with MDM - Rename endpoint /api/<version>/fleet/mdm/apple/enrollments to ../enrollmentprofiles - Generate a token for authentication when creating an enrollment profile - Return unauthorized if token is invalid when downloading an enrollment profile from /api/mdm/apple/enroll?token= * remove mdm apple server url * update docs * make dump-test-schema * Update nanomdm with missing prefix table * Add docs and simplify changes * Add changes file * Add method docs * Fix compile and revert prepare.go changes * Revert migration status check change * Amend comments * Add more docs * Clarify storage of installers * Remove TODO * Remove unused * update dogfood.md * remove cmdr.py * Add authorization tests * Add TODO comment * use kitlog for nano logging * Add yaml tags * Remove unused flag * Remove changes file * Only run DEP routine if MDM is enabled * Add docs to all new exported types * Add docs * more nano logging changes * Fix unintentional removal * more nano logging changes * Fix compile test * Use string for configs and fix config test * Add docs and amend changes * revert changes to basicAuthHandler * remove exported BasicAuthHandler * rename rego authz type * Add more information to dep list * add db tag * update deps * Fix schema * Remove unimplemented Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com> Co-authored-by: Michal Nicpon <michal@fleetdm.com>
2022-10-05 22:53:54 +00:00
apple_mdm "github.com/fleetdm/fleet/v4/server/mdm/apple"
19016 ingest certs on start (#19360) For #19016 This changes all the places where we previously assumed that certs were hardcoded when the Fleet server started to query the database instead. The plan is to loadtest afterwards, but as a first preemptive measure, this adds a caching layer on top the mysql datastore. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
2024-05-30 21:18:42 +00:00
mdmcrypto "github.com/fleetdm/fleet/v4/server/mdm/crypto"
Update nanomdm dependency with latest bug fixes and improvements. (#23906) #23905 - Update with upstream nanomdm changes up to https://github.com/micromdm/nanomdm/tree/825f2979a2dc28c6cc57bb62aff16737978bd90e - Removed PostgeSQL folder from our nanomdm - Added nanomdm MySQL test job to our CI # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-11-20 17:47:11 +00:00
"github.com/fleetdm/fleet/v4/server/mdm/nanomdm/cryptoutil"
Move nanomdm dependency in monorepo (#16015) #15557 Following the precedent that Lucas used for other similar PRs, the best way to review is probably by commits. * The first one simply copies over the files from the fork to the monorepo * Second one adjusts all import paths * Third one tidies up the `go.mod` files * Last one fixes the linter issues in the nanomdm package # Checklist for submitter - ~~Changes file added for user-visible changes in `changes/` or `orbit/changes/`.~~ (not a user-visible change) - [x] Manual QA for all new/changed functionality (ran test suite, re-generated mocks) I also verified that our Go test suite did run the newly moved `nanomdm` package steps: ``` ok github.com/fleetdm/fleet/v4/server/mdm/nanomdm/cryptoutil 0.003s coverage: 0.0% of statements in github.com/fleetdm/fleet/v4/... ok github.com/fleetdm/fleet/v4/server/mdm/nanomdm/mdm 0.005s coverage: 46.2% of statements in github.com/fleetdm/fleet/v4/... ok github.com/fleetdm/fleet/v4/server/mdm/nanomdm/service/certauth 1.320s coverage: 20.7% of statements in github.com/fleetdm/fleet/v4/... ok github.com/fleetdm/fleet/v4/server/mdm/nanomdm/storage/file 0.007s coverage: 24.1% of statements in github.com/fleetdm/fleet/v4/... ```
2024-01-12 02:28:48 +00:00
httpmdm "github.com/fleetdm/fleet/v4/server/mdm/nanomdm/http/mdm"
nanomdm_service "github.com/fleetdm/fleet/v4/server/mdm/nanomdm/service"
"github.com/fleetdm/fleet/v4/server/mdm/nanomdm/service/certauth"
"github.com/fleetdm/fleet/v4/server/mdm/nanomdm/service/multi"
"github.com/fleetdm/fleet/v4/server/mdm/nanomdm/service/nanomdm"
Merge branch 'main' into 15919-vulnerabilities-page
2024-02-22 22:24:11 +00:00
scep_depot "github.com/fleetdm/fleet/v4/server/mdm/scep/depot"
scepserver "github.com/fleetdm/fleet/v4/server/mdm/scep/server"
Added scim/details endpoint (#28007) For #27281 This PR adds `/api/{version}/fleet/scim/details` endpoint, along with some frontend fixes. # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality
2025-04-10 19:08:45 +00:00
"github.com/fleetdm/fleet/v4/server/service/contract"
Refactoring service layer. Part 1 (#25945) Refactoring some functionality out of the service package so it can be reused by a different service package. - auth middleware - logging errors No functional changes.
2025-02-03 17:23:26 +00:00
"github.com/fleetdm/fleet/v4/server/service/middleware/auth"
Android scaffold (#26274) Android scaffold code and refactorings - Android packages intended to be decoupled from other Fleet code Video explaining the PR: https://www.youtube.com/watch?v=cza-35Z9Wxk # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2025-02-13 20:32:19 +00:00
"github.com/fleetdm/fleet/v4/server/service/middleware/endpoint_utils"
Added GET enterprise API endpoint. (#26555) For #26218 - Added `GET /api/_version_/fleet/android_enterprise` andpoint and tests - Set up some testing infrastructure for Android service tests -- see new README.md # Checklist for submitter - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2025-02-26 16:47:05 +00:00
"github.com/fleetdm/fleet/v4/server/service/middleware/log"
remove feature flags to enable MDM (#10746) https://github.com/fleetdm/fleet/issues/10025
2023-03-27 19:30:29 +00:00
"github.com/fleetdm/fleet/v4/server/service/middleware/mdmconfigured"
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
"github.com/fleetdm/fleet/v4/server/service/middleware/otel"
Add v4 suffix in go.mod (#1224)
2021-06-26 04:46:51 +00:00
"github.com/fleetdm/fleet/v4/server/service/middleware/ratelimit"
go-kit server layout
2016-08-28 03:59:17 +00:00
kithttp "github.com/go-kit/kit/transport/http"
add consistent MDM host lifecycle management (#18510) The mantra for MDM lifecycle events is: > - Noah: When MDM is turned on, install fleetd, bootstrap package (if DEP), > and profiles. Don't clear host vitals (everything you see on the Host > details page) > - Noah: On re-enrollment, don't clear host vitals. > - Noah: On lock and wipe, don't clear host vitals. > - Noah: On delete, clear host vitals. This addresses issues: - https://github.com/fleetdm/fleet/issues/17243 - https://github.com/fleetdm/fleet/issues/17481 - https://github.com/fleetdm/fleet/issues/17292 - https://github.com/fleetdm/fleet/issues/18030 - https://github.com/fleetdm/fleet/issues/18031
2024-04-29 19:43:15 +00:00
kitlog "github.com/go-kit/log"
"github.com/go-kit/log/level"
go-kit server layout
2016-08-28 03:59:17 +00:00
"github.com/gorilla/mux"
Update nanomdm dependency with latest bug fixes and improvements. (#23906) #23905 - Update with upstream nanomdm changes up to https://github.com/micromdm/nanomdm/tree/825f2979a2dc28c6cc57bb62aff16737978bd90e - Removed PostgeSQL folder from our nanomdm - Added nanomdm MySQL test job to our CI # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-11-20 17:47:11 +00:00
nanomdm_log "github.com/micromdm/nanolib/log"
add prometheus metrics to every http endpoint in the app (#680) tracking the following metrics: http_request_duration_microseconds http_request_size_bytes http_response_size_bytes http_requests_total
2016-12-22 17:39:44 +00:00
"github.com/prometheus/client_golang/prometheus"
Update the prometheus go client library (#3140)
2021-12-20 14:20:58 +00:00
"github.com/prometheus/client_golang/prometheus/promhttp"
Add rate-limiting to login and password reset (#543) Prevent abuse of these endpoints with rate limiting backed by Redis. The limits assigned should be appropriate for almost any Fleet deployment. Closes #530
2021-03-26 18:23:29 +00:00
"github.com/throttled/throttled/v2"
APM Improvements (#11103) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-04-24 05:13:15 +00:00
"go.elastic.co/apm/module/apmgorilla/v2"
Add apm for testing apm (#4053) * Add apm for testing apm * Testing opentracing * testing * Testing * go fmt * Add config switch for tracing. * fixup * Update cmd/fleet/serve.go Co-authored-by: Tomas Touceda <chiiph@gmail.com> * Add support for both elasticapm and opentelemetry * Fix driver stuff and config options * Fixup * fixup * Add changes file * Add config for sql driver * fixup * Add doc to exported field * testing * fixup * fixup * Testing again * fixup * testing * Undo Co-authored-by: Tomas Touceda <chiiph@gmail.com>
2022-02-15 17:42:22 +00:00
otmiddleware "go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux"
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
microsoft_mdm "github.com/fleetdm/fleet/v4/server/mdm/microsoft"
go-kit server layout
2016-08-28 03:59:17 +00:00
)
Issue 1600 fleetctl license expiration (#1800) * Show banner in fleet and fleetctl if license expired * Ignore if license is nil or tier is core * Address review comments
2021-08-26 13:28:53 +00:00
func checkLicenseExpiration(svc fleet.Service) func(context.Context, http.ResponseWriter) context.Context {
return func(ctx context.Context, w http.ResponseWriter) context.Context {
license, err := svc.License(ctx)
if err != nil || license == nil {
return ctx
}
Rename core->free and basic->premium (#1870) * Rename core->free and basic->premium * Fix lint js * Comment out portion of test that seems to timeout * Rename tier to premium if basic is still loaded
2021-09-03 16:05:23 +00:00
if license.IsPremium() && license.IsExpired() {
Issue 1600 fleetctl license expiration (#1800) * Show banner in fleet and fleetctl if license expired * Ignore if license is nil or tier is core * Address review comments
2021-08-26 13:28:53 +00:00
w.Header().Set(fleet.HeaderLicenseKey, fleet.HeaderLicenseValueExpired)
}
return ctx
}
}
Fix race condition in tests when using global var loginRateLimit (#5197)
2022-04-19 13:35:53 +00:00
type extraHandlerOpts struct {
Allow overriding MDM SSO rate limit with an env var or config (#29640) Env var: `FLEET_MDM_SSO_RATE_LIMIT_PER_MINUTE`. **Not** managed via GitOps. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - For new Fleet configuration settings - [x] Verified that the setting can be managed via GitOps, or confirmed that the setting is explicitly being excluded from GitOps. - [ ] Added/updated automated tests - [ ] Manual QA for all new/changed functionality
2025-05-30 22:34:47 +00:00
loginRateLimit *throttled.Rate
mdmSsoRateLimit *throttled.Rate
Fleet server verifies HTTP signature (#30825) Fixes #30473 # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - [x] Added/updated automated tests - [ ] Manual QA for all new/changed functionality <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added support for TPM-backed host identity certificates enabling hardware-backed HTTP signature authentication for hosts. * Introduced HTTP signature verification middleware for API requests, applied conditionally for premium licenses. * Hosts presenting identity certificates must authenticate with matching HTTP message signatures during enrollment and authentication. * Added SCEP-based certificate issuance for secure host identity management. * Updated enrollment endpoints to use standardized request/response contract types. * **Bug Fixes** * Enhanced authentication logic to verify consistency between host identity certificates and host records, preventing duplicate or mismatched identities. * **Chores** * Updated dependencies and test infrastructure to support HTTP signature verification and host identity certificate workflows. * Added comprehensive integration and datastore tests for host identity certificate issuance, storage, and authentication. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-07-16 18:08:27 +00:00
httpSigVerifier mux.MiddlewareFunc
Fix race condition in tests when using global var loginRateLimit (#5197)
2022-04-19 13:35:53 +00:00
}
// ExtraHandlerOption allows adding extra configuration to the HTTP handler.
type ExtraHandlerOption func(*extraHandlerOpts)
Allow overriding MDM SSO rate limit with an env var or config (#29640) Env var: `FLEET_MDM_SSO_RATE_LIMIT_PER_MINUTE`. **Not** managed via GitOps. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - For new Fleet configuration settings - [x] Verified that the setting can be managed via GitOps, or confirmed that the setting is explicitly being excluded from GitOps. - [ ] Added/updated automated tests - [ ] Manual QA for all new/changed functionality
2025-05-30 22:34:47 +00:00
// WithLoginRateLimit configures the rate limit for the login endpoints.
Fix race condition in tests when using global var loginRateLimit (#5197)
2022-04-19 13:35:53 +00:00
func WithLoginRateLimit(r throttled.Rate) ExtraHandlerOption {
return func(o *extraHandlerOpts) {
o.loginRateLimit = &r
}
}
Allow overriding MDM SSO rate limit with an env var or config (#29640) Env var: `FLEET_MDM_SSO_RATE_LIMIT_PER_MINUTE`. **Not** managed via GitOps. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - For new Fleet configuration settings - [x] Verified that the setting can be managed via GitOps, or confirmed that the setting is explicitly being excluded from GitOps. - [ ] Added/updated automated tests - [ ] Manual QA for all new/changed functionality
2025-05-30 22:34:47 +00:00
// WithMdmSsoRateLimit configures the rate limit for the MDM SSO endpoints (falls back to login rate limit otherwise).
func WithMdmSsoRateLimit(r throttled.Rate) ExtraHandlerOption {
return func(o *extraHandlerOpts) {
o.mdmSsoRateLimit = &r
}
}
Fleet server verifies HTTP signature (#30825) Fixes #30473 # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - [x] Added/updated automated tests - [ ] Manual QA for all new/changed functionality <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added support for TPM-backed host identity certificates enabling hardware-backed HTTP signature authentication for hosts. * Introduced HTTP signature verification middleware for API requests, applied conditionally for premium licenses. * Hosts presenting identity certificates must authenticate with matching HTTP message signatures during enrollment and authentication. * Added SCEP-based certificate issuance for secure host identity management. * Updated enrollment endpoints to use standardized request/response contract types. * **Bug Fixes** * Enhanced authentication logic to verify consistency between host identity certificates and host records, preventing duplicate or mismatched identities. * **Chores** * Updated dependencies and test infrastructure to support HTTP signature verification and host identity certificate workflows. * Added comprehensive integration and datastore tests for host identity certificate issuance, storage, and authentication. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-07-16 18:08:27 +00:00
func WithHTTPSigVerifier(m mux.MiddlewareFunc) ExtraHandlerOption {
return func(o *extraHandlerOpts) {
o.httpSigVerifier = m
}
}
Replace uses of the term "Kolide" with "Fleet" (#1999) Almost two years ago, we began referring to the project as Fleet, but there are many occurences of the term "Kolide" throughout the UI and documentation. This PR attempts to clear up those uses where it is easily achievable. The term "Kolide" is used throughout the code as well, but modifying this would be more likely to introduce bugs.
2019-01-24 17:39:32 +00:00
// MakeHandler creates an HTTP handler for the Fleet server endpoints.
Fix race condition in tests when using global var loginRateLimit (#5197)
2022-04-19 13:35:53 +00:00
func MakeHandler(
svc fleet.Service,
config config.FleetConfig,
logger kitlog.Logger,
limitStore throttled.GCRAStore,
New rate limit algorithm for Fleet Desktop endpoints (#33344) Resolves #31890 This new approach allows up to 1000 consecutive failing requests per minute. If the threshold of 1000 consecutive failures is reached for an IP, then we ban request (return 429) from such IP for a duration of 1 minute. (Any successful request for an IP clears the count.) This supports the scenario where all hosts are behind a NAT (same IP) AND still provides protection against brute force attacks (attackers can only probe 1k requests per minute). This approach was discussed in Slack with @rfairburn: https://fleetdm.slack.com/archives/C051QJU3D0V/p1755625131298319?thread_ts=1755101701.844249&cid=C051QJU3D0V. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [X] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Introduced IP-based rate limiting for Fleet Desktop endpoints to better support many hosts behind a single public IP (NAT). Requests from abusive IPs may be temporarily blocked, returning 429 Too Many Requests with a retry-after hint. - Documentation - Added README for a new desktop rate-limit tester, describing usage and expected behavior. - Tests - Added integration tests covering desktop endpoint rate limiting and Redis-backed banning logic. - Chores - Added a command-line tool to stress-test desktop endpoints and verify rate limiting behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-26 18:03:50 +00:00
redisPool fleet.RedisPool,
Android scaffold (#26274) Android scaffold code and refactorings - Android packages intended to be decoupled from other Fleet code Video explaining the PR: https://www.youtube.com/watch?v=cza-35Z9Wxk # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2025-02-13 20:32:19 +00:00
featureRoutes []endpoint_utils.HandlerRoutesFunc,
Fix race condition in tests when using global var loginRateLimit (#5197)
2022-04-19 13:35:53 +00:00
extra ...ExtraHandlerOption,
) http.Handler {
var eopts extraHandlerOpts
for _, fn := range extra {
fn(&eopts)
}
Remove deprecated kolide names from API routes and configuration (#957) Closes #260
2021-06-04 23:51:18 +00:00
fleetAPIOptions := []kithttp.ServerOption{
Handler tests (#106)
2016-09-04 19:43:12 +00:00
kithttp.ServerBefore(
log the remote IP of the host making a request (#1653)
2017-12-01 00:52:23 +00:00
kithttp.PopulateRequestContext, // populate the request context with common fields
Refactoring service layer. Part 1 (#25945) Refactoring some functionality out of the service package so it can be reused by a different service package. - auth middleware - logging errors No functional changes.
2025-02-03 17:23:26 +00:00
auth.SetRequestsContexts(svc),
Handler tests (#106)
2016-09-04 19:43:12 +00:00
),
Android scaffold (#26274) Android scaffold code and refactorings - Android packages intended to be decoupled from other Fleet code Video explaining the PR: https://www.youtube.com/watch?v=cza-35Z9Wxk # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2025-02-13 20:32:19 +00:00
kithttp.ServerErrorHandler(&endpoint_utils.ErrorHandler{Logger: logger}),
kithttp.ServerErrorEncoder(endpoint_utils.EncodeError),
Handler tests (#106)
2016-09-04 19:43:12 +00:00
kithttp.ServerAfter(
kithttp.SetContentType("application/json; charset=utf-8"),
Added GET enterprise API endpoint. (#26555) For #26218 - Added `GET /api/_version_/fleet/android_enterprise` andpoint and tests - Set up some testing infrastructure for Android service tests -- see new README.md # Checklist for submitter - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2025-02-26 16:47:05 +00:00
log.LogRequestEnd(logger),
Issue 1600 fleetctl license expiration (#1800) * Show banner in fleet and fleetctl if license expired * Ignore if license is nil or tier is core * Address review comments
2021-08-26 13:28:53 +00:00
checkLicenseExpiration(svc),
Handler tests (#106)
2016-09-04 19:43:12 +00:00
),
}
go-kit server layout
2016-08-28 03:59:17 +00:00
Handler tests (#106)
2016-09-04 19:43:12 +00:00
r := mux.NewRouter()
APM Improvements (#11103) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-04-24 05:13:15 +00:00
if config.Logging.TracingEnabled {
if config.Logging.TracingType == "opentelemetry" {
OpenTelemetry minor improvements (#32324) Fixes #32313 OpenTelemetry Tracing - Added tracing to async task collectors: FlushHostsLastSeen, collectHostsLastSeen, collectLabelQueryExecutions, collectPolicyQueryExecutions, collectScheduledQueryStats - Updated HTTP middleware to use OTEL semantic convention for span names ({method} {route}) - Added OTELEnabled() helper to FleetConfig Optimizations - Reduced OTEL batch size from 512 to 256 spans to prevent gRPC message size errors - Enabled gzip compression for trace exports NOTE: I tried to improve OTEL instrumentation for cron jobs, but it got too complicated due to goroutines in `schedule.go` so that effort should be separate. We do have SQL instrumentation for cron jobs, but we are missing root spans for cron jobs as a whole. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Expanded OpenTelemetry tracing for async tasks (host last seen, label membership, policy membership, scheduled query stats) to provide richer observability. * More descriptive HTTP span names using “METHOD /route” for clearer trace analysis. * **Bug Fixes** * Improved OTLP gRPC exporter reliability by enabling gzip compression and reducing export batch size, mitigating intermittent gRPC errors. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-08-29 00:32:46 +00:00
r.Use(otmiddleware.Middleware(
"service",
otmiddleware.WithSpanNameFormatter(func(route string, r *http.Request) string {
// Use the guideline for span names: {method} {target}
// See https://opentelemetry.io/docs/specs/semconv/http/http-spans/
return r.Method + " " + route
})))
APM Improvements (#11103) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-04-24 05:13:15 +00:00
} else {
apmgorilla.Instrument(r)
}
Add apm for testing apm (#4053) * Add apm for testing apm * Testing opentracing * testing * Testing * go fmt * Add config switch for tracing. * fixup * Update cmd/fleet/serve.go Co-authored-by: Tomas Touceda <chiiph@gmail.com> * Add support for both elasticapm and opentelemetry * Fix driver stuff and config options * Fixup * fixup * Add changes file * Add config for sql driver * fixup * Add doc to exported field * testing * fixup * fixup * Testing again * fixup * testing * Undo Co-authored-by: Tomas Touceda <chiiph@gmail.com>
2022-02-15 17:42:22 +00:00
}
Deprecate /api/v1/kolide routes (#297) - Support both /api/v1/fleet and /api/v1/kolide routes in server. - Add logging for use of deprecated routes. - Rename routes in frontend JS. - Rename routes and add notes in documentation.
2021-02-10 20:13:11 +00:00
Add public ip to hosts & derive geolocation when rendering host (#4652) * geoip wip * return nil if ip is empty string or if ParseIP returns nil * add ui component to render geolocation if available, address PR feedback * render public ip if available * add changes file, document geoip in deployment guide * update rest-api docs
2022-03-21 16:29:52 +00:00
r.Use(publicIP)
Fleet server verifies HTTP signature (#30825) Fixes #30473 # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - [x] Added/updated automated tests - [ ] Manual QA for all new/changed functionality <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added support for TPM-backed host identity certificates enabling hardware-backed HTTP signature authentication for hosts. * Introduced HTTP signature verification middleware for API requests, applied conditionally for premium licenses. * Hosts presenting identity certificates must authenticate with matching HTTP message signatures during enrollment and authentication. * Added SCEP-based certificate issuance for secure host identity management. * Updated enrollment endpoints to use standardized request/response contract types. * **Bug Fixes** * Enhanced authentication logic to verify consistency between host identity certificates and host records, preventing duplicate or mismatched identities. * **Chores** * Updated dependencies and test infrastructure to support HTTP signature verification and host identity certificate workflows. * Added comprehensive integration and datastore tests for host identity certificate issuance, storage, and authentication. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-07-16 18:08:27 +00:00
if eopts.httpSigVerifier != nil {
r.Use(eopts.httpSigVerifier)
}
Add public ip to hosts & derive geolocation when rendering host (#4652) * geoip wip * return nil if ip is empty string or if ParseIP returns nil * add ui component to render geolocation if available, address PR feedback * render public ip if available * add changes file, document geoip in deployment guide * update rest-api docs
2022-03-21 16:29:52 +00:00
New rate limit algorithm for Fleet Desktop endpoints (#33344) Resolves #31890 This new approach allows up to 1000 consecutive failing requests per minute. If the threshold of 1000 consecutive failures is reached for an IP, then we ban request (return 429) from such IP for a duration of 1 minute. (Any successful request for an IP clears the count.) This supports the scenario where all hosts are behind a NAT (same IP) AND still provides protection against brute force attacks (attackers can only probe 1k requests per minute). This approach was discussed in Slack with @rfairburn: https://fleetdm.slack.com/archives/C051QJU3D0V/p1755625131298319?thread_ts=1755101701.844249&cid=C051QJU3D0V. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [X] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Introduced IP-based rate limiting for Fleet Desktop endpoints to better support many hosts behind a single public IP (NAT). Requests from abusive IPs may be temporarily blocked, returning 429 Too Many Requests with a retry-after hint. - Documentation - Added README for a new desktop rate-limit tester, describing usage and expected behavior. - Tests - Added integration tests covering desktop endpoint rate limiting and Redis-backed banning logic. - Chores - Added a command-line tool to stress-test desktop endpoints and verify rate limiting behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-26 18:03:50 +00:00
attachFleetAPIRoutes(r, svc, config, logger, limitStore, redisPool, fleetAPIOptions, eopts)
Android scaffold (#26274) Android scaffold code and refactorings - Android packages intended to be decoupled from other Fleet code Video explaining the PR: https://www.youtube.com/watch?v=cza-35Z9Wxk # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2025-02-13 20:32:19 +00:00
for _, featureRoute := range featureRoutes {
featureRoute(r, fleetAPIOptions)
}
Add dev infrastructure and docs for Prometheus monitoring (#33) - Set up a simple example of Prometheus monitoring in the development docker-compose.yml. - Add documentation for configuring Prometheus.
2020-11-13 03:06:56 +00:00
addMetrics(r)
go-kit server layout
2016-08-28 03:59:17 +00:00
return r
}
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
Add public ip to hosts & derive geolocation when rendering host (#4652) * geoip wip * return nil if ip is empty string or if ParseIP returns nil * add ui component to render geolocation if available, address PR feedback * render public ip if available * add changes file, document geoip in deployment guide * update rest-api docs
2022-03-21 16:29:52 +00:00
func publicIP(handler http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
Android scaffold (#26274) Android scaffold code and refactorings - Android packages intended to be decoupled from other Fleet code Video explaining the PR: https://www.youtube.com/watch?v=cza-35Z9Wxk # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2025-02-13 20:32:19 +00:00
ip := endpoint_utils.ExtractIP(r)
Add public ip to hosts & derive geolocation when rendering host (#4652) * geoip wip * return nil if ip is empty string or if ParseIP returns nil * add ui component to render geolocation if available, address PR feedback * render public ip if available * add changes file, document geoip in deployment guide * update rest-api docs
2022-03-21 16:29:52 +00:00
if ip != "" {
r.RemoteAddr = ip
}
handler.ServeHTTP(w, r.WithContext(publicip.NewContext(r.Context(), ip)))
})
}
Add http basic auth to /metrics (#4974) * Add http basic auth to /metrics * Fixes after testing applying of a --config sample.yml * Add unit test
2022-04-07 12:40:53 +00:00
// PrometheusMetricsHandler wraps the provided handler with prometheus metrics
Update the prometheus go client library (#3140)
2021-12-20 14:20:58 +00:00
// middleware and returns the resulting handler that should be mounted for that
// route.
Add http basic auth to /metrics (#4974) * Add http basic auth to /metrics * Fixes after testing applying of a --config sample.yml * Add unit test
2022-04-07 12:40:53 +00:00
func PrometheusMetricsHandler(name string, handler http.Handler) http.Handler {
Update the prometheus go client library (#3140)
2021-12-20 14:20:58 +00:00
reg := prometheus.DefaultRegisterer
registerOrExisting := func(coll prometheus.Collector) prometheus.Collector {
if err := reg.Register(coll); err != nil {
if are, ok := err.(prometheus.AlreadyRegisteredError); ok {
return are.ExistingCollector
}
panic(err)
}
return coll
}
// this configuration is to keep prometheus metrics as close as possible to
// what the v0.9.3 (that we used to use) provided via the now-deprecated
// prometheus.InstrumentHandler.
reqCnt := registerOrExisting(prometheus.NewCounterVec(
prometheus.CounterOpts{
Subsystem: "http",
Name: "requests_total",
Help: "Total number of HTTP requests made.",
ConstLabels: prometheus.Labels{"handler": name},
},
[]string{"method", "code"},
)).(*prometheus.CounterVec)
reqDur := registerOrExisting(prometheus.NewHistogramVec(
prometheus.HistogramOpts{
Subsystem: "http",
Name: "request_duration_seconds",
Help: "The HTTP request latencies in seconds.",
ConstLabels: prometheus.Labels{"handler": name},
// Use default buckets, as they are suited for durations.
},
nil,
)).(*prometheus.HistogramVec)
// 1KB, 100KB, 1MB, 100MB, 1GB
sizeBuckets := []float64{1024, 100 * 1024, 1024 * 1024, 100 * 1024 * 1024, 1024 * 1024 * 1024}
resSz := registerOrExisting(prometheus.NewHistogramVec(
prometheus.HistogramOpts{
Subsystem: "http",
Name: "response_size_bytes",
Help: "The HTTP response sizes in bytes.",
ConstLabels: prometheus.Labels{"handler": name},
Buckets: sizeBuckets,
},
nil,
)).(*prometheus.HistogramVec)
reqSz := registerOrExisting(prometheus.NewHistogramVec(
prometheus.HistogramOpts{
Subsystem: "http",
Name: "request_size_bytes",
Help: "The HTTP request sizes in bytes.",
ConstLabels: prometheus.Labels{"handler": name},
Buckets: sizeBuckets,
},
nil,
)).(*prometheus.HistogramVec)
return promhttp.InstrumentHandlerDuration(reqDur,
promhttp.InstrumentHandlerCounter(reqCnt,
promhttp.InstrumentHandlerResponseSize(resSz,
promhttp.InstrumentHandlerRequestSize(reqSz, handler))))
}
// addMetrics decorates each handler with prometheus instrumentation
add prometheus metrics to every http endpoint in the app (#680) tracking the following metrics: http_request_duration_microseconds http_request_size_bytes http_response_size_bytes http_requests_total
2016-12-22 17:39:44 +00:00
func addMetrics(r *mux.Router) {
walkFn := func(route *mux.Route, router *mux.Router, ancestors []*mux.Route) error {
Add http basic auth to /metrics (#4974) * Add http basic auth to /metrics * Fixes after testing applying of a --config sample.yml * Add unit test
2022-04-07 12:40:53 +00:00
route.Handler(PrometheusMetricsHandler(route.GetName(), route.GetHandler()))
add prometheus metrics to every http endpoint in the app (#680) tracking the following metrics: http_request_duration_microseconds http_request_size_bytes http_response_size_bytes http_requests_total
2016-12-22 17:39:44 +00:00
return nil
}
Enable `errcheck` linter for `golangci-lint` (#8899)
2022-12-05 22:50:49 +00:00
r.Walk(walkFn) //nolint:errcheck
add prometheus metrics to every http endpoint in the app (#680) tracking the following metrics: http_request_duration_microseconds http_request_size_bytes http_response_size_bytes http_requests_total
2016-12-22 17:39:44 +00:00
}
If the fleet/forgot_password endpoint is rate limited, it should return the proper status code (#12323) Return proper HTTP status code if endpoint is rate limited.
2023-06-15 19:41:04 +00:00
// These are defined as const so that they can be used in tests.
const (
New rate limit algorithm for Fleet Desktop endpoints (#33344) Resolves #31890 This new approach allows up to 1000 consecutive failing requests per minute. If the threshold of 1000 consecutive failures is reached for an IP, then we ban request (return 429) from such IP for a duration of 1 minute. (Any successful request for an IP clears the count.) This supports the scenario where all hosts are behind a NAT (same IP) AND still provides protection against brute force attacks (attackers can only probe 1k requests per minute). This approach was discussed in Slack with @rfairburn: https://fleetdm.slack.com/archives/C051QJU3D0V/p1755625131298319?thread_ts=1755101701.844249&cid=C051QJU3D0V. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [X] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Introduced IP-based rate limiting for Fleet Desktop endpoints to better support many hosts behind a single public IP (NAT). Requests from abusive IPs may be temporarily blocked, returning 429 Too Many Requests with a retry-after hint. - Documentation - Added README for a new desktop rate-limit tester, describing usage and expected behavior. - Tests - Added integration tests covering desktop endpoint rate limiting and Redis-backed banning logic. - Chores - Added a command-line tool to stress-test desktop endpoints and verify rate limiting behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-26 18:03:50 +00:00
forgotPasswordRateLimitMaxBurst = 9 // Max burst used for rate limiting on the the forgot_password endpoint.
// Fleet Desktop API endpoints rate limiting:
//
// Allow up to 1_000 consecutive failing requests per minute.
// If the threshold of 1_000 consecutive failures is reached for an IP,
// ban requests from such IP for a duration of 1 minute.
//
deviceIPAllowedConsecutiveFailingRequestsCount = 1_000
deviceIPAllowedConsecutiveFailingRequestsTimeWindow = 1 * time.Minute
deviceIPBanTime = 1 * time.Minute
If the fleet/forgot_password endpoint is rate limited, it should return the proper status code (#12323) Return proper HTTP status code if endpoint is rate limited.
2023-06-15 19:41:04 +00:00
)
Set authz checked when rate limiting device endpoints (#6702) * Set authz checked when rate limiting device endpoints * Unexport var and attempt to fix flaky test
2022-07-18 17:22:49 +00:00
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
func attachFleetAPIRoutes(r *mux.Router, svc fleet.Service, config config.FleetConfig,
New rate limit algorithm for Fleet Desktop endpoints (#33344) Resolves #31890 This new approach allows up to 1000 consecutive failing requests per minute. If the threshold of 1000 consecutive failures is reached for an IP, then we ban request (return 429) from such IP for a duration of 1 minute. (Any successful request for an IP clears the count.) This supports the scenario where all hosts are behind a NAT (same IP) AND still provides protection against brute force attacks (attackers can only probe 1k requests per minute). This approach was discussed in Slack with @rfairburn: https://fleetdm.slack.com/archives/C051QJU3D0V/p1755625131298319?thread_ts=1755101701.844249&cid=C051QJU3D0V. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [X] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Introduced IP-based rate limiting for Fleet Desktop endpoints to better support many hosts behind a single public IP (NAT). Requests from abusive IPs may be temporarily blocked, returning 429 Too Many Requests with a retry-after hint. - Documentation - Added README for a new desktop rate-limit tester, describing usage and expected behavior. - Tests - Added integration tests covering desktop endpoint rate limiting and Redis-backed banning logic. - Chores - Added a command-line tool to stress-test desktop endpoints and verify rate limiting behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-26 18:03:50 +00:00
logger kitlog.Logger, limitStore throttled.GCRAStore, redisPool fleet.RedisPool, opts []kithttp.ServerOption,
Fix race condition in tests when using global var loginRateLimit (#5197)
2022-04-19 13:35:53 +00:00
extra extraHandlerOpts,
Add read replica testing helpers and fix non-sso login bug (#4908) not set on the INSERT. - OUT: Only sets the ID on the passed session and returns it. (`CreatedAt`, `AccessedAt`, are not set.) New version: ```go func (ds *Datastore) NewSession(ctx context.Context, userID uint, sessionKey string) (*fleet.Session, error) { sqlStatement := ` INSERT INTO sessions ( user_id, ` + "`key`" + ` ) VALUES(?,?) ` result, err := ds.writer.ExecContext(ctx, sqlStatement, userID, sessionKey) if err != nil { return nil, ctxerr.Wrap(ctx, err, "inserting session") } id, _ := result.LastInsertId() // cannot fail with the mysql driver return ds.sessionByID(ctx, ds.writer, uint(id)) } ``` - IN: Define arguments that are truly used when creating a session. - OUT: Load and return the fleet.Session struct with all values set (using the `ds.writer` to support read replicas correctly). PS: The new `NewSession` version mimics what we already do with other entities, like policies (`Datastore.NewGlobalPolicy`).
2022-04-04 23:52:05 +00:00
) {
Introduce API version 2022-04, deprecate use of `/global` in paths (#4731)
2022-04-05 15:35:53 +00:00
apiVersions := []string{"v1", "2022-04"}
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
// user-authenticated endpoints
Introduce API version 2022-04, deprecate use of `/global` in paths (#4731)
2022-04-05 15:35:53 +00:00
ue := newUserAuthenticatedEndpointer(svc, opts, r, apiVersions...)
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
Use POST instead of GET for trigger endpoint (#8888)
2022-11-30 17:57:42 +00:00
ue.POST("/api/_version_/fleet/trigger", triggerEndpoint, triggerRequest{})
Implement schedule triggers (#8747)
2022-11-28 19:28:06 +00:00
API, datastore, migration for new "user settings", with `"hidden_hosts_table_columns" setting (#25184) ## For #25033 - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Added/updated automated tests - [ ] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2025-01-09 18:04:47 +00:00
ue.GET("/api/_version_/fleet/me", meEndpoint, getMeRequest{})
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.GET("/api/_version_/fleet/sessions/{id:[0-9]+}", getInfoAboutSessionEndpoint, getInfoAboutSessionRequest{})
ue.DELETE("/api/_version_/fleet/sessions/{id:[0-9]+}", deleteSessionEndpoint, deleteSessionRequest{})
ue.GET("/api/_version_/fleet/config/certificate", getCertificateEndpoint, nil)
ue.GET("/api/_version_/fleet/config", getAppConfigEndpoint, nil)
ue.PATCH("/api/_version_/fleet/config", modifyAppConfigEndpoint, modifyAppConfigRequest{})
ue.POST("/api/_version_/fleet/spec/enroll_secret", applyEnrollSecretSpecEndpoint, applyEnrollSecretSpecRequest{})
ue.GET("/api/_version_/fleet/spec/enroll_secret", getEnrollSecretSpecEndpoint, nil)
ue.GET("/api/_version_/fleet/version", versionEndpoint, nil)
ue.POST("/api/_version_/fleet/users/roles/spec", applyUserRoleSpecsEndpoint, applyUserRoleSpecsRequest{})
ue.POST("/api/_version_/fleet/translate", translatorEndpoint, translatorRequest{})
ue.POST("/api/_version_/fleet/spec/teams", applyTeamSpecsEndpoint, applyTeamSpecsRequest{})
ue.PATCH("/api/_version_/fleet/teams/{team_id:[0-9]+}/secrets", modifyTeamEnrollSecretsEndpoint, modifyTeamEnrollSecretsRequest{})
ue.POST("/api/_version_/fleet/teams", createTeamEndpoint, createTeamRequest{})
ue.GET("/api/_version_/fleet/teams", listTeamsEndpoint, listTeamsRequest{})
ue.GET("/api/_version_/fleet/teams/{id:[0-9]+}", getTeamEndpoint, getTeamRequest{})
ue.PATCH("/api/_version_/fleet/teams/{id:[0-9]+}", modifyTeamEndpoint, modifyTeamRequest{})
ue.DELETE("/api/_version_/fleet/teams/{id:[0-9]+}", deleteTeamEndpoint, deleteTeamRequest{})
ue.POST("/api/_version_/fleet/teams/{id:[0-9]+}/agent_options", modifyTeamAgentOptionsEndpoint, modifyTeamAgentOptionsRequest{})
ue.GET("/api/_version_/fleet/teams/{id:[0-9]+}/users", listTeamUsersEndpoint, listTeamUsersRequest{})
ue.PATCH("/api/_version_/fleet/teams/{id:[0-9]+}/users", addTeamUsersEndpoint, modifyTeamUsersRequest{})
ue.DELETE("/api/_version_/fleet/teams/{id:[0-9]+}/users", deleteTeamUsersEndpoint, modifyTeamUsersRequest{})
ue.GET("/api/_version_/fleet/teams/{id:[0-9]+}/secrets", teamEnrollSecretsEndpoint, teamEnrollSecretsRequest{})
Finish first draft of API versions (#3216) * Finish first draft of API versions * wip * Finalize tests * Revert change in handler * Remove made up version * Update versioning with aliases * Add changes file * Address review comments * Revert overupdated routes * Expand life time of deprecated APIs * Fix test * Comment out problematic part of test * Revert bad path changes
2021-12-21 15:23:12 +00:00
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.GET("/api/_version_/fleet/users", listUsersEndpoint, listUsersRequest{})
ue.POST("/api/_version_/fleet/users/admin", createUserEndpoint, createUserRequest{})
ue.GET("/api/_version_/fleet/users/{id:[0-9]+}", getUserEndpoint, getUserRequest{})
ue.PATCH("/api/_version_/fleet/users/{id:[0-9]+}", modifyUserEndpoint, modifyUserRequest{})
ue.DELETE("/api/_version_/fleet/users/{id:[0-9]+}", deleteUserEndpoint, deleteUserRequest{})
ue.POST("/api/_version_/fleet/users/{id:[0-9]+}/require_password_reset", requirePasswordResetEndpoint, requirePasswordResetRequest{})
ue.GET("/api/_version_/fleet/users/{id:[0-9]+}/sessions", getInfoAboutSessionsForUserEndpoint, getInfoAboutSessionsForUserRequest{})
ue.DELETE("/api/_version_/fleet/users/{id:[0-9]+}/sessions", deleteSessionsForUserEndpoint, deleteSessionsForUserRequest{})
ue.POST("/api/_version_/fleet/change_password", changePasswordEndpoint, changePasswordRequest{})
ue.GET("/api/_version_/fleet/email/change/{token}", changeEmailEndpoint, changeEmailRequest{})
Improve live query UX (#5749)
2022-06-10 18:29:45 +00:00
// TODO: searchTargetsEndpoint will be removed in Fleet 5.0
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.POST("/api/_version_/fleet/targets", searchTargetsEndpoint, searchTargetsRequest{})
Improve live query UX (#5749)
2022-06-10 18:29:45 +00:00
ue.POST("/api/_version_/fleet/targets/count", countTargetsEndpoint, countTargetsRequest{})
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.POST("/api/_version_/fleet/invites", createInviteEndpoint, createInviteRequest{})
ue.GET("/api/_version_/fleet/invites", listInvitesEndpoint, listInvitesRequest{})
ue.DELETE("/api/_version_/fleet/invites/{id:[0-9]+}", deleteInviteEndpoint, deleteInviteRequest{})
ue.PATCH("/api/_version_/fleet/invites/{id:[0-9]+}", updateInviteEndpoint, updateInviteRequest{})
Introduce API version 2022-04, deprecate use of `/global` in paths (#4731)
2022-04-05 15:35:53 +00:00
ue.EndingAtVersion("v1").POST("/api/_version_/fleet/global/policies", globalPolicyEndpoint, globalPolicyRequest{})
ue.StartingAtVersion("2022-04").POST("/api/_version_/fleet/policies", globalPolicyEndpoint, globalPolicyRequest{})
paginate the policies API (#13459)
2023-08-30 22:30:17 +00:00
ue.EndingAtVersion("v1").GET("/api/_version_/fleet/global/policies", listGlobalPoliciesEndpoint, listGlobalPoliciesRequest{})
ue.StartingAtVersion("2022-04").GET("/api/_version_/fleet/policies", listGlobalPoliciesEndpoint, listGlobalPoliciesRequest{})
ue.GET("/api/_version_/fleet/policies/count", countGlobalPoliciesEndpoint, countGlobalPoliciesRequest{})
Introduce API version 2022-04, deprecate use of `/global` in paths (#4731)
2022-04-05 15:35:53 +00:00
ue.EndingAtVersion("v1").GET("/api/_version_/fleet/global/policies/{policy_id}", getPolicyByIDEndpoint, getPolicyByIDRequest{})
ue.StartingAtVersion("2022-04").GET("/api/_version_/fleet/policies/{policy_id}", getPolicyByIDEndpoint, getPolicyByIDRequest{})
ue.EndingAtVersion("v1").POST("/api/_version_/fleet/global/policies/delete", deleteGlobalPoliciesEndpoint, deleteGlobalPoliciesRequest{})
ue.StartingAtVersion("2022-04").POST("/api/_version_/fleet/policies/delete", deleteGlobalPoliciesEndpoint, deleteGlobalPoliciesRequest{})
ue.EndingAtVersion("v1").PATCH("/api/_version_/fleet/global/policies/{policy_id}", modifyGlobalPolicyEndpoint, modifyGlobalPolicyRequest{})
ue.StartingAtVersion("2022-04").PATCH("/api/_version_/fleet/policies/{policy_id}", modifyGlobalPolicyEndpoint, modifyGlobalPolicyRequest{})
Fire automations for hosts that failed before automation enabled (#9028)
2022-12-16 21:00:54 +00:00
ue.POST("/api/_version_/fleet/automations/reset", resetAutomationEndpoint, resetAutomationRequest{})
Finish first draft of API versions (#3216) * Finish first draft of API versions * wip * Finalize tests * Revert change in handler * Remove made up version * Update versioning with aliases * Add changes file * Address review comments * Revert overupdated routes * Expand life time of deprecated APIs * Fix test * Comment out problematic part of test * Revert bad path changes
2021-12-21 15:23:12 +00:00
// Alias /api/_version_/fleet/team/ -> /api/_version_/fleet/teams/
Introduce API version 2022-04, deprecate use of `/global` in paths (#4731)
2022-04-05 15:35:53 +00:00
ue.WithAltPaths("/api/_version_/fleet/team/{team_id}/policies").
POST("/api/_version_/fleet/teams/{team_id}/policies", teamPolicyEndpoint, teamPolicyRequest{})
ue.WithAltPaths("/api/_version_/fleet/team/{team_id}/policies").
GET("/api/_version_/fleet/teams/{team_id}/policies", listTeamPoliciesEndpoint, listTeamPoliciesRequest{})
paginate the policies API (#13459)
2023-08-30 22:30:17 +00:00
ue.WithAltPaths("/api/_version_/fleet/team/{team_id}/policies/count").
GET("/api/_version_/fleet/teams/{team_id}/policies/count", countTeamPoliciesEndpoint, countTeamPoliciesRequest{})
Introduce API version 2022-04, deprecate use of `/global` in paths (#4731)
2022-04-05 15:35:53 +00:00
ue.WithAltPaths("/api/_version_/fleet/team/{team_id}/policies/{policy_id}").
GET("/api/_version_/fleet/teams/{team_id}/policies/{policy_id}", getTeamPolicyByIDEndpoint, getTeamPolicyByIDRequest{})
ue.WithAltPaths("/api/_version_/fleet/team/{team_id}/policies/delete").
POST("/api/_version_/fleet/teams/{team_id}/policies/delete", deleteTeamPoliciesEndpoint, deleteTeamPoliciesRequest{})
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.PATCH("/api/_version_/fleet/teams/{team_id}/policies/{policy_id}", modifyTeamPolicyEndpoint, modifyTeamPolicyRequest{})
ue.POST("/api/_version_/fleet/spec/policies", applyPolicySpecsEndpoint, applyPolicySpecsRequest{})
ue.GET("/api/_version_/fleet/queries/{id:[0-9]+}", getQueryEndpoint, getQueryRequest{})
ue.GET("/api/_version_/fleet/queries", listQueriesEndpoint, listQueriesRequest{})
Save Query Results to DB (#14335) # Checklist for submitter #13486 If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes (docs/Using Fleet/manage-access.md) - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests - [X] Manual QA for all new/changed functionality --------- Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com> Co-authored-by: Eric <eashaw@sailsjs.com> Co-authored-by: Sampfluger88 <108141731+Sampfluger88@users.noreply.github.com> Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com> Co-authored-by: Roberto Dip <me@roperzh.com> Co-authored-by: Tyler Diderich <15862572+tdiderich@users.noreply.github.com> Co-authored-by: Dave Herder <27025660+dherder@users.noreply.github.com> Co-authored-by: Rachael Shaw <r@rachael.wtf> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com> Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> Co-authored-by: Nathanael Holliday <100959072+hollidayn@users.noreply.github.com> Co-authored-by: Katheryn Satterlee <me@ksatter.com> Co-authored-by: Mo Zhu <mo@fleetdm.com> Co-authored-by: Mo Zhu <mozhu888@gmail.com> Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: Robert Fairburn <8029478+rfairburn@users.noreply.github.com> Co-authored-by: Sabrina Coy <13890648+sabrinabuckets@users.noreply.github.com> Co-authored-by: Isabell Reedy <113355639+ireedy@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Alex Mitchell <105945793+alexmitchelliii@users.noreply.github.com>
2023-10-10 12:44:03 +00:00
ue.GET("/api/_version_/fleet/queries/{id:[0-9]+}/report", getQueryReportEndpoint, getQueryReportRequest{})
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.POST("/api/_version_/fleet/queries", createQueryEndpoint, createQueryRequest{})
ue.PATCH("/api/_version_/fleet/queries/{id:[0-9]+}", modifyQueryEndpoint, modifyQueryRequest{})
ue.DELETE("/api/_version_/fleet/queries/{name}", deleteQueryEndpoint, deleteQueryRequest{})
ue.DELETE("/api/_version_/fleet/queries/id/{id:[0-9]+}", deleteQueryByIDEndpoint, deleteQueryByIDRequest{})
ue.POST("/api/_version_/fleet/queries/delete", deleteQueriesEndpoint, deleteQueriesRequest{})
ue.POST("/api/_version_/fleet/spec/queries", applyQuerySpecsEndpoint, applyQuerySpecsRequest{})
Combine Schedules and Queries: API changes (#12778) Combining schedules and queries API changes.
2023-07-25 00:17:20 +00:00
ue.GET("/api/_version_/fleet/spec/queries", getQuerySpecsEndpoint, getQuerySpecsRequest{})
ue.GET("/api/_version_/fleet/spec/queries/{name}", getQuerySpecEndpoint, getQuerySpecRequest{})
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.GET("/api/_version_/fleet/packs/{id:[0-9]+}", getPackEndpoint, getPackRequest{})
ue.POST("/api/_version_/fleet/packs", createPackEndpoint, createPackRequest{})
ue.PATCH("/api/_version_/fleet/packs/{id:[0-9]+}", modifyPackEndpoint, modifyPackRequest{})
ue.GET("/api/_version_/fleet/packs", listPacksEndpoint, listPacksRequest{})
ue.DELETE("/api/_version_/fleet/packs/{name}", deletePackEndpoint, deletePackRequest{})
ue.DELETE("/api/_version_/fleet/packs/id/{id:[0-9]+}", deletePackByIDEndpoint, deletePackByIDRequest{})
ue.POST("/api/_version_/fleet/spec/packs", applyPackSpecsEndpoint, applyPackSpecsRequest{})
ue.GET("/api/_version_/fleet/spec/packs", getPackSpecsEndpoint, nil)
ue.GET("/api/_version_/fleet/spec/packs/{name}", getPackSpecEndpoint, getGenericSpecRequest{})
Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)
2023-12-06 14:30:49 +00:00
ue.GET("/api/_version_/fleet/software/versions", listSoftwareVersionsEndpoint, listSoftwareRequest{})
ue.GET("/api/_version_/fleet/software/versions/{id:[0-9]+}", getSoftwareEndpoint, getSoftwareRequest{})
// DEPRECATED: use /api/_version_/fleet/software/versions instead
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.GET("/api/_version_/fleet/software", listSoftwareEndpoint, listSoftwareRequest{})
Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)
2023-12-06 14:30:49 +00:00
// DEPRECATED: use /api/_version_/fleet/software/versions{id:[0-9]+} instead
Include CVE scores when listing software (#5673)
2022-05-20 16:58:40 +00:00
ue.GET("/api/_version_/fleet/software/{id:[0-9]+}", getSoftwareEndpoint, getSoftwareRequest{})
Add `GET software/versions` and `GET software/versions/:id` endpoints (#15450)
2023-12-06 14:30:49 +00:00
// DEPRECATED: software version counts are now included directly in the software version list
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.GET("/api/_version_/fleet/software/count", countSoftwareEndpoint, countSoftwareRequest{})
Add list/detail endpoints for software titles (#15464) related to #15228
2023-12-06 18:28:31 +00:00
ue.GET("/api/_version_/fleet/software/titles", listSoftwareTitlesEndpoint, listSoftwareTitlesRequest{})
ue.GET("/api/_version_/fleet/software/titles/{id:[0-9]+}", getSoftwareTitleEndpoint, getSoftwareTitleRequest{})
install API change, integration test and bug fixes.
2024-09-09 16:13:20 +00:00
ue.POST("/api/_version_/fleet/hosts/{host_id:[0-9]+}/software/{software_title_id:[0-9]+}/install", installSoftwareTitleEndpoint,
installSoftwareRequest{})
Can run install scripts now.
2024-09-05 19:20:36 +00:00
ue.POST("/api/_version_/fleet/hosts/{host_id:[0-9]+}/software/{software_title_id:[0-9]+}/uninstall", uninstallSoftwareTitleEndpoint,
uninstallSoftwareRequest{})
Add list/detail endpoints for software titles (#15464) related to #15228
2023-12-06 18:28:31 +00:00
20404: Edit packages feature (#21812) ## Issue Cerra #20404 ## Description - Add frontend/API backend for editing software packages. GitOps will be a separate PR. ## More - Please see subtasks for change lists - #21611 - #21613 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Manual QA for all new/changed functionality Automated tests will follow in another PR. --------- Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Luke Heath <luke@fleetdm.com> Co-authored-by: Jacob Shandling <jacob@fleetdm.com> Co-authored-by: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com>
2024-09-17 13:40:47 +00:00
// Software installers
VPP: fix download package path, implement delete VPP app support (#20530)
2024-07-17 18:19:13 +00:00
ue.GET("/api/_version_/fleet/software/titles/{title_id:[0-9]+}/package", getSoftwareInstallerEndpoint, getSoftwareInstallerRequest{})
Downloading a software installer package now shows the browser's built-in progress bar (#21341) #19561 In Fleet GUI, downloading a software installer package now shows the browser's built-in progress bar. New API endpoints: https://github.com/fleetdm/fleet/pull/21346 # Checklist for submitter <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-08-20 17:37:29 +00:00
ue.POST("/api/_version_/fleet/software/titles/{title_id:[0-9]+}/package/token", getSoftwareInstallerTokenEndpoint,
getSoftwareInstallerRequest{})
Add backend to upload/delete software installers (#18660) Issue #18320
2024-05-02 13:20:54 +00:00
ue.POST("/api/_version_/fleet/software/package", uploadSoftwareInstallerEndpoint, uploadSoftwareInstallerRequest{})
Add experimental software title name update endpoint for titles with a bundle ID (#26938) For #26933. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Rachael Shaw <r@rachael.wtf>
2025-03-07 17:36:17 +00:00
ue.PATCH("/api/_version_/fleet/software/titles/{id:[0-9]+}/name", updateSoftwareNameEndpoint, updateSoftwareNameRequest{})
20404: Edit packages feature (#21812) ## Issue Cerra #20404 ## Description - Add frontend/API backend for editing software packages. GitOps will be a separate PR. ## More - Please see subtasks for change lists - #21611 - #21613 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Manual QA for all new/changed functionality Automated tests will follow in another PR. --------- Co-authored-by: Ian Littman <iansltx@gmail.com> Co-authored-by: Luke Heath <luke@fleetdm.com> Co-authored-by: Jacob Shandling <jacob@fleetdm.com> Co-authored-by: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com>
2024-09-17 13:40:47 +00:00
ue.PATCH("/api/_version_/fleet/software/titles/{id:[0-9]+}/package", updateSoftwareInstallerEndpoint, updateSoftwareInstallerRequest{})
VPP: fix download package path, implement delete VPP app support (#20530)
2024-07-17 18:19:13 +00:00
ue.DELETE("/api/_version_/fleet/software/titles/{title_id:[0-9]+}/available_for_install", deleteSoftwareInstallerEndpoint, deleteSoftwareInstallerRequest{})
Final API changes and test updates.
2024-09-09 19:43:52 +00:00
ue.GET("/api/_version_/fleet/software/install/{install_uuid}/results", getSoftwareInstallResultsEndpoint,
getSoftwareInstallResultsRequest{})
Make software batch endpoint asynchronous (#22258) #22069 API changes: https://github.com/fleetdm/fleet/pull/22259 QAd by applying 10 pieces of software on a team, which took 3+ minutes in total (which, before these changes was timing out at 100s.) With this approach, a GitOps CI run timing out might leave the background process running (which will eventually be applied to the database). The team discussed and agreed that we can fix this edge case later. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests - [X] Manual QA for all new/changed functionality
2024-09-20 14:55:47 +00:00
// POST /api/_version_/fleet/software/batch is asynchronous, meaning it will start the process of software download+upload in the background
// and will return a request UUID to be used in GET /api/_version_/fleet/software/batch/{request_uuid} to query for the status of the operation.
add CLI and endpoints to set software via fleetctl apply (#18876) for #18325 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2024-05-14 18:06:33 +00:00
ue.POST("/api/_version_/fleet/software/batch", batchSetSoftwareInstallersEndpoint, batchSetSoftwareInstallersRequest{})
Make software batch endpoint asynchronous (#22258) #22069 API changes: https://github.com/fleetdm/fleet/pull/22259 QAd by applying 10 pieces of software on a team, which took 3+ minutes in total (which, before these changes was timing out at 100s.) With this approach, a GitOps CI run timing out might leave the background process running (which will eventually be applied to the database). The team discussed and agreed that we can fix this edge case later. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests - [X] Manual QA for all new/changed functionality
2024-09-20 14:55:47 +00:00
ue.GET("/api/_version_/fleet/software/batch/{request_uuid}", batchSetSoftwareInstallersResultEndpoint, batchSetSoftwareInstallersResultRequest{})
Add backend to upload/delete software installers (#18660) Issue #18320
2024-05-02 13:20:54 +00:00
Add custom software icons (#32652) For #29478, sans GitOps. --------- Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com> Co-authored-by: Konstantin Sykulev <konst@sykulev.com>
2025-09-05 22:31:03 +00:00
// software title custom icons
ue.GET("/api/_version_/fleet/software/titles/{title_id:[0-9]+}/icon", getSoftwareTitleIconsEndpoint, getSoftwareTitleIconsRequest{})
ue.PUT("/api/_version_/fleet/software/titles/{title_id:[0-9]+}/icon", putSoftwareTitleIconEndpoint, putSoftwareTitleIconRequest{})
ue.DELETE("/api/_version_/fleet/software/titles/{title_id:[0-9]+}/icon", deleteSoftwareTitleIconEndpoint, deleteSoftwareTitleIconRequest{})
feat: get app store apps, add app store app to Fleet (#20362) > Related issue: #19867 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - [x] Manual QA for all new/changed functionality
2024-07-11 20:09:30 +00:00
// App store software
ue.GET("/api/_version_/fleet/software/app_store_apps", getAppStoreAppsEndpoint, getAppStoreAppsRequest{})
ue.POST("/api/_version_/fleet/software/app_store_apps", addAppStoreAppEndpoint, addAppStoreAppRequest{})
Add labels and editing for VPP apps (#25979) For #24609 --------- Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com> Co-authored-by: Jahziel Villasana-Espinoza <jahzielv@gmail.com>
2025-02-03 17:16:21 +00:00
ue.PATCH("/api/_version_/fleet/software/titles/{title_id:[0-9]+}/app_store_app", updateAppStoreAppEndpoint, updateAppStoreAppRequest{})
feat: get app store apps, add app store app to Fleet (#20362) > Related issue: #19867 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - [x] Manual QA for all new/changed functionality
2024-07-11 20:09:30 +00:00
Setup experience software API (#22507)
2024-10-08 20:41:57 +00:00
// Setup Experience
API endpoints for Linux setup experience (#32493) For #32040. --- Backend changes to unblock the development of the orbit and frontend changes. New GET and PUT APIs for setting/getting software for Linux Setup Experience: ``` curl -k -X GET -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/setup_experience/linux/software?team_id=8&per_page=3000 curl -k -X PUT -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/setup_experience/linux/software -d '{"team_id":8,"software_title_ids":[3000, 3001, 3007]}' ``` New setup_experience/init API called by orbit to trigger the Linux setup experience on the device: ``` curl -v -k -X POST -H "Content-Type: application/json" "https://localhost:8080/api/fleet/orbit/setup_experience/init" -d '{"orbit_node_key": "ynYEtFsvv9xZ7rX619UE8of1I28H+GCj"}' ``` Get status API to call on "My device": ``` curl -v -k -X POST "https://localhost:8080/api/latest/fleet/device/7d940b6e-130a-493b-b58a-2b6e9f9f8bfc/setup_experience/status" ``` --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [x] QA'd all new/changed functionality manually ## New Fleet configuration settings - [X] Verified that the setting is exported via `fleetctl generate-gitops` - [X] Verified the setting is documented in a separate PR to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485) - [X] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Added Linux support for Setup Experience alongside macOS. - Introduced platform-specific admin APIs to configure and retrieve Setup Experience software (macOS/Linux). - Added device API to report Setup Experience status and an Orbit API to initialize Setup Experience on non-macOS devices. - Setup Experience now gates policy queries on Linux until setup is complete. - New activity log entry when Setup Experience software is edited (includes platform and team). - Documentation - Updated audit logs reference to include the new “edited setup experience software” event. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-04 15:58:47 +00:00
//
// Setup experience software endpoints:
Setup experience software API (#22507)
2024-10-08 20:41:57 +00:00
ue.PUT("/api/_version_/fleet/setup_experience/software", putSetupExperienceSoftware, putSetupExperienceSoftwareRequest{})
ue.GET("/api/_version_/fleet/setup_experience/software", getSetupExperienceSoftware, getSetupExperienceSoftwareRequest{})
API endpoints for Linux setup experience (#32493) For #32040. --- Backend changes to unblock the development of the orbit and frontend changes. New GET and PUT APIs for setting/getting software for Linux Setup Experience: ``` curl -k -X GET -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/setup_experience/linux/software?team_id=8&per_page=3000 curl -k -X PUT -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/setup_experience/linux/software -d '{"team_id":8,"software_title_ids":[3000, 3001, 3007]}' ``` New setup_experience/init API called by orbit to trigger the Linux setup experience on the device: ``` curl -v -k -X POST -H "Content-Type: application/json" "https://localhost:8080/api/fleet/orbit/setup_experience/init" -d '{"orbit_node_key": "ynYEtFsvv9xZ7rX619UE8of1I28H+GCj"}' ``` Get status API to call on "My device": ``` curl -v -k -X POST "https://localhost:8080/api/latest/fleet/device/7d940b6e-130a-493b-b58a-2b6e9f9f8bfc/setup_experience/status" ``` --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [x] QA'd all new/changed functionality manually ## New Fleet configuration settings - [X] Verified that the setting is exported via `fleetctl generate-gitops` - [X] Verified the setting is documented in a separate PR to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485) - [X] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Added Linux support for Setup Experience alongside macOS. - Introduced platform-specific admin APIs to configure and retrieve Setup Experience software (macOS/Linux). - Added device API to report Setup Experience status and an Orbit API to initialize Setup Experience on non-macOS devices. - Setup Experience now gates policy queries on Linux until setup is complete. - New activity log entry when Setup Experience software is edited (includes platform and team). - Documentation - Updated audit logs reference to include the new “edited setup experience software” event. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-04 15:58:47 +00:00
// Setup experience script endpoints:
Add endpoints for setup experience script CRUD (#22604) Issue #22378
2024-10-09 16:43:12 +00:00
ue.GET("/api/_version_/fleet/setup_experience/script", getSetupExperienceScriptEndpoint, getSetupExperienceScriptRequest{})
ue.POST("/api/_version_/fleet/setup_experience/script", setSetupExperienceScriptEndpoint, setSetupExperienceScriptRequest{})
ue.DELETE("/api/_version_/fleet/setup_experience/script", deleteSetupExperienceScriptEndpoint, deleteSetupExperienceScriptRequest{})
Setup experience software API (#22507)
2024-10-08 20:41:57 +00:00
feat: add fleet-maintained software (#22031) > Related issue: #21776 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-09-18 16:21:53 +00:00
// Fleet-maintained apps
ue.POST("/api/_version_/fleet/software/fleet_maintained_apps", addFleetMaintainedAppEndpoint, addFleetMaintainedAppRequest{})
Add count and apps_updated_at data to `GET /fleet_maintained_apps` and UI (#22778) relates to #22732 This adds the `counts` and `apps_updated_at` response data on the `GET /fleet_maintained_apps` endpoint. We then add that to the UI to show the counts and last time fleet maintained app data has been updated: ![image](https://github.com/user-attachments/assets/bb4d3819-2274-4782-a56b-b1868122cce0) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-10-09 14:49:06 +00:00
ue.GET("/api/_version_/fleet/software/fleet_maintained_apps", listFleetMaintainedAppsEndpoint, listFleetMaintainedAppsRequest{})
Fleet maintained apps get app (#22241) #22234
2024-09-20 14:42:43 +00:00
ue.GET("/api/_version_/fleet/software/fleet_maintained_apps/{app_id}", getFleetMaintainedApp, getFleetMaintainedAppRequest{})
feat: add fleet-maintained software (#22031) > Related issue: #21776 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-09-18 16:21:53 +00:00
2 of 2: List Vulnerabilities API (#16695)
2024-02-10 03:54:44 +00:00
// Vulnerabilities
ue.GET("/api/_version_/fleet/vulnerabilities", listVulnerabilitiesEndpoint, listVulnerabilitiesRequest{})
16475 vuln detail api (#16828)
2024-02-14 21:42:16 +00:00
ue.GET("/api/_version_/fleet/vulnerabilities/{cve}", getVulnerabilityEndpoint, getVulnerabilityRequest{})
2 of 2: List Vulnerabilities API (#16695)
2024-02-10 03:54:44 +00:00
// Hosts
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.GET("/api/_version_/fleet/host_summary", getHostSummaryEndpoint, getHostSummaryRequest{})
ue.GET("/api/_version_/fleet/hosts", listHostsEndpoint, listHostsRequest{})
ue.POST("/api/_version_/fleet/hosts/delete", deleteHostsEndpoint, deleteHostsRequest{})
ue.GET("/api/_version_/fleet/hosts/{id:[0-9]+}", getHostEndpoint, getHostRequest{})
ue.GET("/api/_version_/fleet/hosts/count", countHostsEndpoint, countHostsRequest{})
Improve live query UX (#5749)
2022-06-10 18:29:45 +00:00
ue.POST("/api/_version_/fleet/hosts/search", searchHostsEndpoint, searchHostsRequest{})
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.GET("/api/_version_/fleet/hosts/identifier/{identifier}", hostByIdentifierEndpoint, hostByIdentifierRequest{})
New live query API endpoint for custom query SQL. (#16810) #16805 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests - [X] Manual QA for all new/changed functionality --------- Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2024-02-14 04:45:07 +00:00
ue.POST("/api/_version_/fleet/hosts/identifier/{identifier}/query", runLiveQueryOnHostEndpoint, runLiveQueryOnHostRequest{})
ue.POST("/api/_version_/fleet/hosts/{id:[0-9]+}/query", runLiveQueryOnHostByIDEndpoint, runLiveQueryOnHostByIDRequest{})
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.DELETE("/api/_version_/fleet/hosts/{id:[0-9]+}", deleteHostEndpoint, deleteHostRequest{})
ue.POST("/api/_version_/fleet/hosts/transfer", addHostsToTeamEndpoint, addHostsToTeamRequest{})
ue.POST("/api/_version_/fleet/hosts/transfer/filter", addHostsToTeamByFilterEndpoint, addHostsToTeamByFilterRequest{})
ue.POST("/api/_version_/fleet/hosts/{id:[0-9]+}/refetch", refetchHostEndpoint, refetchHostRequest{})
SCIM + host integration (#27880) For #27284 This PR: - Adds SCIM as a fallback for username during macOS end user authentication during setup experience - Adds SCIM/endUsers details to host details # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality
2025-04-08 14:35:06 +00:00
// Deprecated: Emails are now included in host details endpoint: /api/_version_/fleet/hosts/{id}
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.GET("/api/_version_/fleet/hosts/{id:[0-9]+}/device_mapping", listHostDeviceMappingEndpoint, listHostDeviceMappingRequest{})
Improve MDM device-to-user mapping for Apple devices (#29239)
2025-05-19 18:29:46 +00:00
// Deprecated: Because the corresponding GET endpoint is deprecated.
// /api/fleet/orbit/device_mapping can be used instead.
// FIXME(sarah): Is this really deprecated? The orbit-authenticated endpoint is not a substitute
// for the user-authenticated endpoint?
Custom email device-mapping: implement the REST API changes (#15748)
2023-12-21 17:21:39 +00:00
ue.PUT("/api/_version_/fleet/hosts/{id:[0-9]+}/device_mapping", putHostDeviceMappingEndpoint, putHostDeviceMappingRequest{})
Add support for downloading a list of hosts in CSV format (#4596)
2022-03-15 19:14:42 +00:00
ue.GET("/api/_version_/fleet/hosts/report", hostsReportEndpoint, hostsReportRequest{})
Add os versions endpoint (#4749)
2022-03-28 15:15:45 +00:00
ue.GET("/api/_version_/fleet/os_versions", osVersionsEndpoint, osVersionsRequest{})
Implement OS Version ID (#16463)
2024-01-31 17:14:24 +00:00
ue.GET("/api/_version_/fleet/os_versions/{id:[0-9]+}", getOSVersionEndpoint, getOSVersionRequest{})
15381 host query report api (#15441)
2023-12-11 22:33:31 +00:00
ue.GET("/api/_version_/fleet/hosts/{id:[0-9]+}/queries/{query_id:[0-9]+}", getHostQueryReportEndpoint, getHostQueryReportRequest{})
feat: device health endpoint (#15432) > #14920 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any permissions changes (docs/Using Fleet/manage-access.md) - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2023-12-06 19:42:29 +00:00
ue.GET("/api/_version_/fleet/hosts/{id:[0-9]+}/health", getHostHealthEndpoint, getHostHealthRequest{})
New APIs to add/remove manual labels to/from a host (#18283) #16767 To create a manual label: ```sh cat labels.yml --- apiVersion: v1 kind: label spec: name: Manually Managed Example label_membership_type: manual hosts: - lucass-macbook-pro.local ``` To add/delete a manual label to/from a host: ``` curl -k -v -X POST -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/hosts/1/labels -d '{"labels": ["Manually Managed Example"]}' curl -k -v -X DELETE -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/hosts/1/labels -d '{"labels": ["Manually Managed Example"]}' ``` API draft changes: https://github.com/fleetdm/fleet/pull/16979/files Figma with error strings: https://www.figma.com/file/JiWoAiuHlkt76s3o3Uyz6h/%2316767-API-endpoint-for-updating-a-host's-manual-labels?type=design&node-id=2-130&mode=design&t=pxRPhrn6E1bOCrEd-0 - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) ~- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - ~[ ] If database migrations are included, checked table schema to confirm autoupdate~ - ~For database migrations:~ - ~[ ] Checked schema for all modified table for columns that will auto-update timestamps during migration.~ - ~[ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.~ - ~[ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).~ - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2024-04-16 09:37:58 +00:00
ue.POST("/api/_version_/fleet/hosts/{id:[0-9]+}/labels", addLabelsToHostEndpoint, addLabelsToHostRequest{})
ue.DELETE("/api/_version_/fleet/hosts/{id:[0-9]+}/labels", removeLabelsFromHostEndpoint, removeLabelsFromHostRequest{})
Add API endpoint to list host/device software (#18676)
2024-05-01 18:37:52 +00:00
ue.GET("/api/_version_/fleet/hosts/{id:[0-9]+}/software", getHostSoftwareEndpoint, getHostSoftwareRequest{})
CHV: implement paginated list certificates endpoints (#26554)
2025-02-24 17:52:39 +00:00
ue.GET("/api/_version_/fleet/hosts/{id:[0-9]+}/certificates", listHostCertificatesEndpoint, listHostCertificatesRequest{})
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
Add MDM detection for windows and mdm endpoints (#8479)
2022-11-01 17:22:07 +00:00
ue.GET("/api/_version_/fleet/hosts/summary/mdm", getHostMDMSummary, getHostMDMSummaryRequest{})
ue.GET("/api/_version_/fleet/hosts/{id:[0-9]+}/mdm", getHostMDM, getHostMDMRequest{})
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.POST("/api/_version_/fleet/labels", createLabelEndpoint, createLabelRequest{})
ue.PATCH("/api/_version_/fleet/labels/{id:[0-9]+}", modifyLabelEndpoint, modifyLabelRequest{})
ue.GET("/api/_version_/fleet/labels/{id:[0-9]+}", getLabelEndpoint, getLabelRequest{})
ue.GET("/api/_version_/fleet/labels", listLabelsEndpoint, listLabelsRequest{})
Improve live query UX (#5749)
2022-06-10 18:29:45 +00:00
ue.GET("/api/_version_/fleet/labels/summary", getLabelsSummaryEndpoint, nil)
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.GET("/api/_version_/fleet/labels/{id:[0-9]+}/hosts", listHostsInLabelEndpoint, listHostsInLabelRequest{})
ue.DELETE("/api/_version_/fleet/labels/{name}", deleteLabelEndpoint, deleteLabelRequest{})
ue.DELETE("/api/_version_/fleet/labels/id/{id:[0-9]+}", deleteLabelByIDEndpoint, deleteLabelByIDRequest{})
ue.POST("/api/_version_/fleet/spec/labels", applyLabelSpecsEndpoint, applyLabelSpecsRequest{})
ue.GET("/api/_version_/fleet/spec/labels", getLabelSpecsEndpoint, nil)
ue.GET("/api/_version_/fleet/spec/labels/{name}", getLabelSpecEndpoint, getGenericSpecRequest{})
Added a new synchronous live query endpoint: POST /api/v1/fleet/queries/:id/run (#15860) Added a new synchronous live query endpoint: POST /api/v1/fleet/queries/:id/run #14800 All relevant integration tests have been updated to work with the old endpoint and new endpoint. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-01-03 15:39:16 +00:00
// This endpoint runs live queries synchronously (with a configured timeout).
ue.POST("/api/_version_/fleet/queries/{id:[0-9]+}/run", runOneLiveQueryEndpoint, runOneLiveQueryRequest{})
// Old endpoint, removed from docs. This GET endpoint runs live queries synchronously (with a configured timeout).
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.GET("/api/_version_/fleet/queries/run", runLiveQueryEndpoint, runLiveQueryRequest{})
Update live query selector logic (OR -> AND) (#9559) See requirements in #8682. Two assumptions on the implementation (@zayhanlon please take a look): - Hosts explicitly selected to run always run the live query (no matter the values on the selectors). - When selecting `All hosts`, selecting any other platform or label is kind of a no-op. We should look into graying out all the selectors if the user selects `All hosts`. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-01-30 21:35:56 +00:00
// The following two POST APIs are the asynchronous way to run live queries.
// The live queries are created with these two endpoints and their results can be queried via
// websockets via the `GET /api/_version_/fleet/results/` endpoint.
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.POST("/api/_version_/fleet/queries/run", createDistributedQueryCampaignEndpoint, createDistributedQueryCampaignRequest{})
`fleetctl`, API, copy updates around host identifiers (#20220) ## Addresses #19127 ![Screenshot 2024-07-08 at 4 49 33 PM](https://github.com/fleetdm/fleet/assets/61553566/b4704eb9-9707-4cbf-8959-ec67dde57103) - Also replace all ocurrences of "comma separated" with "comma-separated" - [x] Changes file added for user-visible changes in `changes/` - [x] `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2024-07-09 17:25:01 +00:00
ue.POST("/api/_version_/fleet/queries/run_by_identifiers", createDistributedQueryCampaignByIdentifierEndpoint, createDistributedQueryCampaignByIdentifierRequest{})
// This endpoint is deprecated and maintained for backwards compatibility. This and above endpoint are functionally equivalent
ue.POST("/api/_version_/fleet/queries/run_by_names", createDistributedQueryCampaignByIdentifierEndpoint, createDistributedQueryCampaignByIdentifierRequest{})
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.GET("/api/_version_/fleet/activities", listActivitiesEndpoint, listActivitiesRequest{})
Introduce API version 2022-04, deprecate use of `/global` in paths (#4731)
2022-04-05 15:35:53 +00:00
ue.GET("/api/_version_/fleet/packs/{id:[0-9]+}/scheduled", getScheduledQueriesInPackEndpoint, getScheduledQueriesInPackRequest{})
ue.EndingAtVersion("v1").POST("/api/_version_/fleet/schedule", scheduleQueryEndpoint, scheduleQueryRequest{})
ue.StartingAtVersion("2022-04").POST("/api/_version_/fleet/packs/schedule", scheduleQueryEndpoint, scheduleQueryRequest{})
ue.GET("/api/_version_/fleet/schedule/{id:[0-9]+}", getScheduledQueryEndpoint, getScheduledQueryRequest{})
ue.EndingAtVersion("v1").PATCH("/api/_version_/fleet/schedule/{id:[0-9]+}", modifyScheduledQueryEndpoint, modifyScheduledQueryRequest{})
ue.StartingAtVersion("2022-04").PATCH("/api/_version_/fleet/packs/schedule/{id:[0-9]+}", modifyScheduledQueryEndpoint, modifyScheduledQueryRequest{})
ue.EndingAtVersion("v1").DELETE("/api/_version_/fleet/schedule/{id:[0-9]+}", deleteScheduledQueryEndpoint, deleteScheduledQueryRequest{})
ue.StartingAtVersion("2022-04").DELETE("/api/_version_/fleet/packs/schedule/{id:[0-9]+}", deleteScheduledQueryEndpoint, deleteScheduledQueryRequest{})
ue.EndingAtVersion("v1").GET("/api/_version_/fleet/global/schedule", getGlobalScheduleEndpoint, getGlobalScheduleRequest{})
ue.StartingAtVersion("2022-04").GET("/api/_version_/fleet/schedule", getGlobalScheduleEndpoint, getGlobalScheduleRequest{})
ue.EndingAtVersion("v1").POST("/api/_version_/fleet/global/schedule", globalScheduleQueryEndpoint, globalScheduleQueryRequest{})
ue.StartingAtVersion("2022-04").POST("/api/_version_/fleet/schedule", globalScheduleQueryEndpoint, globalScheduleQueryRequest{})
ue.EndingAtVersion("v1").PATCH("/api/_version_/fleet/global/schedule/{id:[0-9]+}", modifyGlobalScheduleEndpoint, modifyGlobalScheduleRequest{})
ue.StartingAtVersion("2022-04").PATCH("/api/_version_/fleet/schedule/{id:[0-9]+}", modifyGlobalScheduleEndpoint, modifyGlobalScheduleRequest{})
ue.EndingAtVersion("v1").DELETE("/api/_version_/fleet/global/schedule/{id:[0-9]+}", deleteGlobalScheduleEndpoint, deleteGlobalScheduleRequest{})
ue.StartingAtVersion("2022-04").DELETE("/api/_version_/fleet/schedule/{id:[0-9]+}", deleteGlobalScheduleEndpoint, deleteGlobalScheduleRequest{})
// Alias /api/_version_/fleet/team/ -> /api/_version_/fleet/teams/
ue.WithAltPaths("/api/_version_/fleet/team/{team_id}/schedule").
GET("/api/_version_/fleet/teams/{team_id}/schedule", getTeamScheduleEndpoint, getTeamScheduleRequest{})
ue.WithAltPaths("/api/_version_/fleet/team/{team_id}/schedule").
POST("/api/_version_/fleet/teams/{team_id}/schedule", teamScheduleQueryEndpoint, teamScheduleQueryRequest{})
ue.WithAltPaths("/api/_version_/fleet/team/{team_id}/schedule/{scheduled_query_id}").
PATCH("/api/_version_/fleet/teams/{team_id}/schedule/{scheduled_query_id}", modifyTeamScheduleEndpoint, modifyTeamScheduleRequest{})
ue.WithAltPaths("/api/_version_/fleet/team/{team_id}/schedule/{scheduled_query_id}").
DELETE("/api/_version_/fleet/teams/{team_id}/schedule/{scheduled_query_id}", deleteTeamScheduleEndpoint, deleteTeamScheduleRequest{})
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
ue.GET("/api/_version_/fleet/carves", listCarvesEndpoint, listCarvesRequest{})
ue.GET("/api/_version_/fleet/carves/{id:[0-9]+}", getCarveEndpoint, getCarveRequest{})
ue.GET("/api/_version_/fleet/carves/{id:[0-9]+}/block/{block_id}", getCarveBlockEndpoint, getCarveBlockRequest{})
ue.GET("/api/_version_/fleet/hosts/{id:[0-9]+}/macadmins", getMacadminsDataEndpoint, getMacadminsDataRequest{})
ue.GET("/api/_version_/fleet/macadmins", getAggregatedMacadminsDataEndpoint, getAggregatedMacadminsDataRequest{})
ue.GET("/api/_version_/fleet/status/result_store", statusResultStoreEndpoint, nil)
ue.GET("/api/_version_/fleet/status/live_query", statusLiveQueryEndpoint, nil)
Add `/scripts/run` and `scripts/run/sync` API endpoints to run scripts (part 1) (#13417)
2023-08-21 18:47:19 +00:00
ue.POST("/api/_version_/fleet/scripts/run", runScriptEndpoint, runScriptRequest{})
Update API and CLI to enable running scripts by name and team id (#17322) TODO: - Integration tests # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any permissions changes (docs/Using Fleet/manage-access.md) - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [ ] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-03-05 14:53:17 +00:00
ue.POST("/api/_version_/fleet/scripts/run/sync", runScriptSyncEndpoint, runScriptSyncRequest{})
Bulk script execution backend (#28299) #28158
2025-04-30 16:54:46 +00:00
ue.POST("/api/_version_/fleet/scripts/run/batch", batchScriptRunEndpoint, batchScriptRunRequest{})
Feat api get script results (#13701) relates to #13306 implements the GET `scripts/results/{id}` endpoint. API docs @ https://github.com/fleetdm/fleet/pull/13720
2023-09-05 20:38:53 +00:00
ue.GET("/api/_version_/fleet/scripts/results/{execution_id}", getScriptResultEndpoint, getScriptResultRequest{})
Feat: saved scripts (#14409) For #9537
2023-10-10 22:00:45 +00:00
ue.POST("/api/_version_/fleet/scripts", createScriptEndpoint, createScriptRequest{})
ue.GET("/api/_version_/fleet/scripts", listScriptsEndpoint, listScriptsRequest{})
ue.GET("/api/_version_/fleet/scripts/{script_id:[0-9]+}", getScriptEndpoint, getScriptRequest{})
Edible Scripts Backend (#25739) #24602
2025-01-30 18:01:51 +00:00
ue.PATCH("/api/_version_/fleet/scripts/{script_id:[0-9]+}", updateScriptEndpoint, updateScriptRequest{})
Feat: saved scripts (#14409) For #9537
2023-10-10 22:00:45 +00:00
ue.DELETE("/api/_version_/fleet/scripts/{script_id:[0-9]+}", deleteScriptEndpoint, deleteScriptRequest{})
ue.POST("/api/_version_/fleet/scripts/batch", batchSetScriptsEndpoint, batchSetScriptsRequest{})
Cancel batch execution API (#31757) #31532
2025-08-11 19:17:57 +00:00
ue.POST("/api/_version_/fleet/scripts/batch/{batch_execution_id:[a-zA-Z0-9-]+}/cancel", batchScriptCancelEndpoint, batchScriptCancelRequest{})
Add "batch script execution status" and "list batch script executions" endpoints (#31689) for #31623 for #31526 # Details This PR adds two new endpoints: * `GET /scripts/batch/:batch_execution_id` returns the status of a single batch script execution * `GET /scripts/batch` returns a paginated list of batch script executions, filtered by team and status # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [X] QA'd all new/changed functionality manually Added new batch script runs in UI, used Postman to list them and get details.
2025-08-08 18:24:48 +00:00
// Deprecated, will remove in favor of batchScriptExecutionStatusEndpoint when batch script details page is ready.
Add batch script execution summary endpoint (#29312) # Checklist for submitter - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated automated tests - [X] Manual QA for all new/changed functionality ## Details This PR adds a new `GET /scripts/batch/summary/:batch_execution_id` endpoint that returns a summary of the current state of a batch script execution, including some basic info about the script being executed and a breakdown of how hosts have responded. See https://github.com/fleetdm/fleet/pull/29200 for API response.
2025-05-22 20:07:35 +00:00
ue.GET("/api/_version_/fleet/scripts/batch/summary/{batch_execution_id:[a-zA-Z0-9-]+}", batchScriptExecutionSummaryEndpoint, batchScriptExecutionSummaryRequest{})
Add "batch script host results" API (#32174) for #31536 # Details This PR adds a new API as specced in [the API PR](https://github.com/fleetdm/fleet/blob/9bf150580ba75fdfb6f5273e59cc14de45c7813d/docs/REST%20API/rest-api.md#list-hosts-targeted-in-batch-script) for scheduled scripts. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [X] QA'd all new/changed functionality manually ran a batch script on 100 hosts and ran the API in Postman for each status, then canceled the batch and ran the API to check the canceled status. --------- Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
2025-08-27 21:39:43 +00:00
ue.GET("/api/_version_/fleet/scripts/batch/{batch_execution_id:[a-zA-Z0-9-]+}/host-results", batchScriptExecutionHostResultsEndpoint, batchScriptExecutionHostResultsRequest{})
Add "batch script execution status" and "list batch script executions" endpoints (#31689) for #31623 for #31526 # Details This PR adds two new endpoints: * `GET /scripts/batch/:batch_execution_id` returns the status of a single batch script execution * `GET /scripts/batch` returns a paginated list of batch script executions, filtered by team and status # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [X] QA'd all new/changed functionality manually Added new batch script runs in UI, used Postman to list them and get details.
2025-08-08 18:24:48 +00:00
ue.GET("/api/_version_/fleet/scripts/batch/{batch_execution_id:[a-zA-Z0-9-]+}", batchScriptExecutionStatusEndpoint, batchScriptExecutionStatusRequest{})
ue.GET("/api/_version_/fleet/scripts/batch", batchScriptExecutionListEndpoint, batchScriptExecutionListRequest{})
Feat: saved scripts (#14409) For #9537
2023-10-10 22:00:45 +00:00
ue.GET("/api/_version_/fleet/hosts/{id:[0-9]+}/scripts", getHostScriptDetailsEndpoint, getHostScriptDetailsRequest{})
Queued scripts feature (#16300) This is the feature branch for the [queued scripts](https://github.com/fleetdm/fleet/issues/15529) story. --------- Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com> Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com> Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
2024-01-29 14:37:54 +00:00
ue.GET("/api/_version_/fleet/hosts/{id:[0-9]+}/activities/upcoming", listHostUpcomingActivitiesEndpoint, listHostUpcomingActivitiesRequest{})
ue.GET("/api/_version_/fleet/hosts/{id:[0-9]+}/activities", listHostPastActivitiesEndpoint, listHostPastActivitiesRequest{})
Cancel upcoming activities: DB schema and backend (#27710)
2025-04-01 18:08:56 +00:00
ue.DELETE("/api/_version_/fleet/hosts/{id:[0-9]+}/activities/upcoming/{activity_id}", cancelHostUpcomingActivityEndpoint, cancelHostUpcomingActivityRequest{})
Feature: Remote Lock for macOS, Windows and Linux (#16783) Feature branch for the #9949 story. --------- Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com> Co-authored-by: Roberto Dip <me@roperzh.com> Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: Sarah Gillespie <sarah@fleetdm.com>
2024-02-13 18:03:53 +00:00
ue.POST("/api/_version_/fleet/hosts/{id:[0-9]+}/lock", lockHostEndpoint, lockHostRequest{})
ue.POST("/api/_version_/fleet/hosts/{id:[0-9]+}/unlock", unlockHostEndpoint, unlockHostRequest{})
Remote wipe: add API endpoint and activity (#17060)
2024-02-26 16:31:00 +00:00
ue.POST("/api/_version_/fleet/hosts/{id:[0-9]+}/wipe", wipeHostEndpoint, wipeHostRequest{})
Add `/scripts/run` and `scripts/run/sync` API endpoints to run scripts (part 1) (#13417)
2023-08-21 18:47:19 +00:00
AI-generated calendar backend changes (#18571) #18464 Added `/fleet/autofill/policy` endpoint to get autogenerated policy description and resolution for a given SQL query. Added `server_settings.ai_features_disabled` setting to disable the above endpoint. For Google calendar integration, - changed the event title to: "💻 🚫 Scheduled maintenance" - updated event description to include policy description and resolution if only one policy is failing # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Luke Heath <luke@fleetdm.com>
2024-05-01 22:07:36 +00:00
// Generative AI
ue.POST("/api/_version_/fleet/autofill/policy", autofillPoliciesEndpoint, autofillPoliciesRequest{})
Added migration and secret variables API. (#24594) #24545 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
2024-12-10 21:32:51 +00:00
// Secret variables
Add backend APIs for adding, deleting and listing secret variables (#31936) For #31055. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [X] Added/updated automated tests - [x] QA'd all new/changed functionality manually
2025-08-14 22:33:47 +00:00
ue.PUT("/api/_version_/fleet/spec/secret_variables", createSecretVariablesEndpoint, createSecretVariablesRequest{})
ue.POST("/api/_version_/fleet/custom_variables", createSecretVariableEndpoint, createSecretVariableRequest{})
ue.GET("/api/_version_/fleet/custom_variables", listSecretVariablesEndpoint, listSecretVariablesRequest{})
ue.DELETE("/api/_version_/fleet/custom_variables/{id:[0-9]+}", deleteSecretVariableEndpoint, deleteSecretVariableRequest{})
Added migration and secret variables API. (#24594) #24545 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
2024-12-10 21:32:51 +00:00
Added scim/details endpoint (#28007) For #27281 This PR adds `/api/{version}/fleet/scim/details` endpoint, along with some frontend fixes. # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality
2025-04-10 19:08:45 +00:00
// Scim details
ue.GET("/api/_version_/fleet/scim/details", getScimDetailsEndpoint, nil)
Microsoft Compliance Partner backend changes (#29540) For #27042. Ready for review, just missing integration tests that I will be writing today. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [X] If database migrations are included, checked table schema to confirm autoupdate - For new Fleet configuration settings - [X] Verified that the setting can be managed via GitOps, or confirmed that the setting is explicitly being excluded from GitOps. If managing via Gitops: - [X] Verified that the setting is exported via `fleetctl generate-gitops` - [X] Added the setting to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485) - [X] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional) - [x] Verified that any relevant UI is disabled when GitOps mode is enabled - For database migrations: - [X] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [X] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [X] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [X] Manual QA for all new/changed functionality --------- Co-authored-by: jacobshandling <61553566+jacobshandling@users.noreply.github.com> Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2025-06-11 17:22:46 +00:00
// Microsoft Compliance Partner
ue.POST("/api/_version_/fleet/conditional-access/microsoft", conditionalAccessMicrosoftCreateEndpoint, conditionalAccessMicrosoftCreateRequest{})
ue.POST("/api/_version_/fleet/conditional-access/microsoft/confirm", conditionalAccessMicrosoftConfirmEndpoint, conditionalAccessMicrosoftConfirmRequest{})
ue.DELETE("/api/_version_/fleet/conditional-access/microsoft", conditionalAccessMicrosoftDeleteEndpoint, conditionalAccessMicrosoftDeleteRequest{})
Add note to docs indicating Fleet MDM specific endpoints. (#9473)
2023-01-24 16:57:22 +00:00
// Only Fleet MDM specific endpoints should be within the root /mdm/ path.
add CRUD for EULA (#11274) https://github.com/fleetdm/fleet/issues/10741
2023-05-02 13:09:33 +00:00
// NOTE: remember to update
maintenance merge of `main` into feature branch (#14393) maintenance merge of `main` into feature branch
2023-10-09 21:28:35 +00:00
// `service.mdmConfigurationRequiredEndpoints` when you add an
add CRUD for EULA (#11274) https://github.com/fleetdm/fleet/issues/10741
2023-05-02 13:09:33 +00:00
// endpoint that's behind the mdmConfiguredMiddleware, this applies
// both to this set of endpoints and to any public/token-authenticated
// endpoints using `neMDM` below in this file.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmConfiguredMiddleware := mdmconfigured.NewMDMConfigMiddleware(svc)
mdmAppleMW := ue.WithCustomMiddleware(mdmConfiguredMiddleware.VerifyAppleMDM())
Feat windows msmdm (#14837) for #13069 --------- Co-authored-by: Marcos Oviedo <marcos@fleetdm.com> Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-11-01 14:13:12 +00:00
// Deprecated: POST /mdm/apple/enqueue is now deprecated, replaced by the
// platform-agnostic POST /mdm/commands/run. It is still supported
// indefinitely for backwards compatibility.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.POST("/api/_version_/fleet/mdm/apple/enqueue", enqueueMDMAppleCommandEndpoint, enqueueMDMAppleCommandRequest{})
Feat windows msmdm (#14837) for #13069 --------- Co-authored-by: Marcos Oviedo <marcos@fleetdm.com> Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-11-01 14:13:12 +00:00
// Deprecated: POST /mdm/apple/commandresults is now deprecated, replaced by the
// platform-agnostic POST /mdm/commands/commandresults. It is still supported
// indefinitely for backwards compatibility.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/apple/commandresults", getMDMAppleCommandResultsEndpoint, getMDMAppleCommandResultsRequest{})
Feat windows msmdm (#14837) for #13069 --------- Co-authored-by: Marcos Oviedo <marcos@fleetdm.com> Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-11-01 14:13:12 +00:00
// Deprecated: POST /mdm/apple/commands is now deprecated, replaced by the
// platform-agnostic POST /mdm/commands/commands. It is still supported
// indefinitely for backwards compatibility.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/apple/commands", listMDMAppleCommandsEndpoint, listMDMAppleCommandsRequest{})
Add endpoint to upload an MDM custom profile for Windows and macOS (#15150)
2023-11-15 15:58:59 +00:00
// Deprecated: those /mdm/apple/profiles/... endpoints are now deprecated,
// replaced by the platform-agnostic /mdm/profiles/... It is still supported
// indefinitely for backwards compatibility.
Update authorization for MDM profiles to be platform-independent (#15023)
2023-11-08 16:36:57 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/apple/profiles/{profile_id:[0-9]+}", getMDMAppleConfigProfileEndpoint, getMDMAppleConfigProfileRequest{})
mdmAppleMW.DELETE("/api/_version_/fleet/mdm/apple/profiles/{profile_id:[0-9]+}", deleteMDMAppleConfigProfileEndpoint, deleteMDMAppleConfigProfileRequest{})
Add endpoint to upload an MDM custom profile for Windows and macOS (#15150)
2023-11-15 15:58:59 +00:00
mdmAppleMW.POST("/api/_version_/fleet/mdm/apple/profiles", newMDMAppleConfigProfileEndpoint, newMDMAppleConfigProfileRequest{})
Add endpoint to list macOS and Windows profiles combined, paginated (#15165)
2023-11-15 20:36:20 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/apple/profiles", listMDMAppleConfigProfilesEndpoint, listMDMAppleConfigProfilesRequest{})
Feat windows msmdm (#14837) for #13069 --------- Co-authored-by: Marcos Oviedo <marcos@fleetdm.com> Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-11-01 14:13:12 +00:00
Add `GET /mdm/profiles/summary` endpoint (#15077)
2023-11-17 16:49:30 +00:00
// Deprecated: GET /mdm/apple/filevault/summary is now deprecated, replaced by the
// platform-agnostic GET /mdm/disk_encryption/summary. It is still supported indefinitely
// for backwards compatibility.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/apple/filevault/summary", getMdmAppleFileVaultSummaryEndpoint, getMDMAppleFileVaultSummaryRequest{})
Add `GET /mdm/profiles/summary` endpoint (#15077)
2023-11-17 16:49:30 +00:00
// Deprecated: GET /mdm/apple/profiles/summary is now deprecated, replaced by the
// platform-agnostic GET /mdm/profiles/summary. It is still supported indefinitely
// for backwards compatibility.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/apple/profiles/summary", getMDMAppleProfilesSummaryEndpoint, getMDMAppleProfilesSummaryRequest{})
Add `GET /mdm/profiles/summary` endpoint (#15077)
2023-11-17 16:49:30 +00:00
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: POST /mdm/apple/enrollment_profile is now deprecated, replaced by the
// POST /enrollment_profiles/automatic endpoint.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.POST("/api/_version_/fleet/mdm/apple/enrollment_profile", createMDMAppleSetupAssistantEndpoint, createMDMAppleSetupAssistantRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.POST("/api/_version_/fleet/enrollment_profiles/automatic", createMDMAppleSetupAssistantEndpoint, createMDMAppleSetupAssistantRequest{})
// Deprecated: GET /mdm/apple/enrollment_profile is now deprecated, replaced by the
// GET /enrollment_profiles/automatic endpoint.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/apple/enrollment_profile", getMDMAppleSetupAssistantEndpoint, getMDMAppleSetupAssistantRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.GET("/api/_version_/fleet/enrollment_profiles/automatic", getMDMAppleSetupAssistantEndpoint, getMDMAppleSetupAssistantRequest{})
// Deprecated: DELETE /mdm/apple/enrollment_profile is now deprecated, replaced by the
// DELETE /enrollment_profiles/automatic endpoint.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.DELETE("/api/_version_/fleet/mdm/apple/enrollment_profile", deleteMDMAppleSetupAssistantEndpoint, deleteMDMAppleSetupAssistantRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.DELETE("/api/_version_/fleet/enrollment_profiles/automatic", deleteMDMAppleSetupAssistantEndpoint, deleteMDMAppleSetupAssistantRequest{})
remove feature flags to enable MDM (#10746) https://github.com/fleetdm/fleet/issues/10025
2023-03-27 19:30:29 +00:00
Add `fleetctl get mdm-commands` command and supporting API endpoint (#11163)
2023-04-17 15:45:16 +00:00
// TODO: are those undocumented endpoints still needed? I think they were only used
// by 'fleetctl apple-mdm' sub-commands.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.POST("/api/_version_/fleet/mdm/apple/installers", uploadAppleInstallerEndpoint, uploadAppleInstallerRequest{})
mdmAppleMW.GET("/api/_version_/fleet/mdm/apple/installers/{installer_id:[0-9]+}", getAppleInstallerEndpoint, getAppleInstallerDetailsRequest{})
mdmAppleMW.DELETE("/api/_version_/fleet/mdm/apple/installers/{installer_id:[0-9]+}", deleteAppleInstallerEndpoint, deleteAppleInstallerDetailsRequest{})
mdmAppleMW.GET("/api/_version_/fleet/mdm/apple/installers", listMDMAppleInstallersEndpoint, listMDMAppleInstallersRequest{})
mdmAppleMW.GET("/api/_version_/fleet/mdm/apple/devices", listMDMAppleDevicesEndpoint, listMDMAppleDevicesRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: GET /mdm/manual_enrollment_profile is now deprecated, replaced by the
// GET /enrollment_profiles/manual endpoint.
Add config for custom MDM URL (#22878)
2024-10-22 17:05:35 +00:00
// Ref: https://github.com/fleetdm/fleet/issues/16252
feat: add manual enrollment profile endpoint (#16357) > Related issue: #16252 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-01-27 00:57:19 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/manual_enrollment_profile", getManualEnrollmentProfileEndpoint, getManualEnrollmentProfileRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.GET("/api/_version_/fleet/enrollment_profiles/manual", getManualEnrollmentProfileEndpoint, getManualEnrollmentProfileRequest{})
Add `fleetctl get mdm-commands` command and supporting API endpoint (#11163)
2023-04-17 15:45:16 +00:00
implement bootstrap packages during DEP enrollment (#11052) #10213
2023-04-07 20:31:02 +00:00
// bootstrap-package routes
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: POST /mdm/bootstrap is now deprecated, replaced by the
// POST /bootstrap endpoint.
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
mdmAppleMW.POST("/api/_version_/fleet/mdm/bootstrap", uploadBootstrapPackageEndpoint, uploadBootstrapPackageRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.POST("/api/_version_/fleet/bootstrap", uploadBootstrapPackageEndpoint, uploadBootstrapPackageRequest{})
// Deprecated: GET /mdm/bootstrap/:team_id/metadata is now deprecated, replaced by the
// GET /bootstrap/:team_id/metadata endpoint.
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/bootstrap/{team_id:[0-9]+}/metadata", bootstrapPackageMetadataEndpoint, bootstrapPackageMetadataRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.GET("/api/_version_/fleet/bootstrap/{team_id:[0-9]+}/metadata", bootstrapPackageMetadataEndpoint, bootstrapPackageMetadataRequest{})
// Deprecated: DELETE /mdm/bootstrap/:team_id is now deprecated, replaced by the
// DELETE /bootstrap/:team_id endpoint.
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
mdmAppleMW.DELETE("/api/_version_/fleet/mdm/bootstrap/{team_id:[0-9]+}", deleteBootstrapPackageEndpoint, deleteBootstrapPackageRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.DELETE("/api/_version_/fleet/bootstrap/{team_id:[0-9]+}", deleteBootstrapPackageEndpoint, deleteBootstrapPackageRequest{})
// Deprecated: GET /mdm/bootstrap/summary is now deprecated, replaced by the
// GET /bootstrap/summary endpoint.
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/bootstrap/summary", getMDMAppleBootstrapPackageSummaryEndpoint, getMDMAppleBootstrapPackageSummaryRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.GET("/api/_version_/fleet/bootstrap/summary", getMDMAppleBootstrapPackageSummaryEndpoint, getMDMAppleBootstrapPackageSummaryRequest{})
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
// Deprecated: POST /mdm/apple/bootstrap is now deprecated, replaced by the platform agnostic /mdm/bootstrap
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.POST("/api/_version_/fleet/mdm/apple/bootstrap", uploadBootstrapPackageEndpoint, uploadBootstrapPackageRequest{})
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
// Deprecated: GET /mdm/apple/bootstrap/:team_id/metadata is now deprecated, replaced by the platform agnostic /mdm/bootstrap/:team_id/metadata
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/apple/bootstrap/{team_id:[0-9]+}/metadata", bootstrapPackageMetadataEndpoint, bootstrapPackageMetadataRequest{})
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
// Deprecated: DELETE /mdm/apple/bootstrap/:team_id is now deprecated, replaced by the platform agnostic /mdm/bootstrap/:team_id
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.DELETE("/api/_version_/fleet/mdm/apple/bootstrap/{team_id:[0-9]+}", deleteBootstrapPackageEndpoint, deleteBootstrapPackageRequest{})
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
// Deprecated: GET /mdm/apple/bootstrap/summary is now deprecated, replaced by the platform agnostic /mdm/bootstrap/summary
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/apple/bootstrap/summary", getMDMAppleBootstrapPackageSummaryEndpoint, getMDMAppleBootstrapPackageSummaryRequest{})
implement bootstrap packages during DEP enrollment (#11052) #10213
2023-04-07 20:31:02 +00:00
remove feature flags to enable MDM (#10746) https://github.com/fleetdm/fleet/issues/10025
2023-03-27 19:30:29 +00:00
// host-specific mdm routes
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: PATCH /mdm/hosts/:id/unenroll is now deprecated, replaced by
// DELETE /hosts/:id/mdm.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.PATCH("/api/_version_/fleet/mdm/hosts/{id:[0-9]+}/unenroll", mdmAppleCommandRemoveEnrollmentProfileEndpoint, mdmAppleCommandRemoveEnrollmentProfileRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.DELETE("/api/_version_/fleet/hosts/{id:[0-9]+}/mdm", mdmAppleCommandRemoveEnrollmentProfileEndpoint, mdmAppleCommandRemoveEnrollmentProfileRequest{})
maintenance merge of `main` into feature branch (#14393) maintenance merge of `main` into feature branch
2023-10-09 21:28:35 +00:00
Added view_pin param. (#19788) #19545 `/api/latest/fleet/hosts/:id/lock` returns `unlock_pin` for Apple hosts when query parameter `view_pin=true` is set The lock host activity now has a `view_pin` parameter. Frontend change is needed to reflect this in the UI. # Checklist for submitter <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-06-17 16:30:53 +00:00
// Deprecated: POST /mdm/hosts/:id/lock is now deprecated, replaced by
// POST /hosts/:id/lock.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.POST("/api/_version_/fleet/mdm/hosts/{id:[0-9]+}/lock", deviceLockEndpoint, deviceLockRequest{})
mdmAppleMW.POST("/api/_version_/fleet/mdm/hosts/{id:[0-9]+}/wipe", deviceWipeEndpoint, deviceWipeRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: GET /mdm/hosts/:id/profiles is now deprecated, replaced by
// GET /hosts/:id/configuration_profiles.
properly report changed profiles in the Puppet module (#12719) For #12480
2023-07-14 15:53:03 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/hosts/{id:[0-9]+}/profiles", getHostProfilesEndpoint, getHostProfilesRequest{})
Add backend to resend host MDM profiles (#18212) Issue #17897 # Checklist for submitter <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-04-12 19:34:54 +00:00
// TODO: Confirm if response should be updated to include Windows profiles and use mdmAnyMW
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.GET("/api/_version_/fleet/hosts/{id:[0-9]+}/configuration_profiles", getHostProfilesEndpoint, getHostProfilesRequest{})
remove feature flags to enable MDM (#10746) https://github.com/fleetdm/fleet/issues/10025
2023-03-27 19:30:29 +00:00
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: PATCH /mdm/apple/setup is now deprecated, replaced by the
// PATCH /setup_experience endpoint.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.PATCH("/api/_version_/fleet/mdm/apple/setup", updateMDMAppleSetupEndpoint, updateMDMAppleSetupRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.PATCH("/api/_version_/fleet/setup_experience", updateMDMAppleSetupEndpoint, updateMDMAppleSetupRequest{})
// Deprecated: GET /mdm/apple is now deprecated, replaced by the
// GET /apns endpoint.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/apple", getAppleMDMEndpoint, nil)
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.GET("/api/_version_/fleet/apns", getAppleMDMEndpoint, nil)
remove feature flags to enable MDM (#10746) https://github.com/fleetdm/fleet/issues/10025
2023-03-27 19:30:29 +00:00
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
// EULA routes
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: POST /mdm/setup/eula is now deprecated, replaced by the
// POST /setup_experience/eula endpoint.
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
mdmAppleMW.POST("/api/_version_/fleet/mdm/setup/eula", createMDMEULAEndpoint, createMDMEULARequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.POST("/api/_version_/fleet/setup_experience/eula", createMDMEULAEndpoint, createMDMEULARequest{})
// Deprecated: GET /mdm/setup/eula/metadata is now deprecated, replaced by the
// GET /setup_experience/eula/metadata endpoint.
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
mdmAppleMW.GET("/api/_version_/fleet/mdm/setup/eula/metadata", getMDMEULAMetadataEndpoint, getMDMEULAMetadataRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.GET("/api/_version_/fleet/setup_experience/eula/metadata", getMDMEULAMetadataEndpoint, getMDMEULAMetadataRequest{})
// Deprecated: DELETE /mdm/setup/eula/:token is now deprecated, replaced by the
// DELETE /setup_experience/eula/:token endpoint.
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
mdmAppleMW.DELETE("/api/_version_/fleet/mdm/setup/eula/{token}", deleteMDMEULAEndpoint, deleteMDMEULARequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAppleMW.DELETE("/api/_version_/fleet/setup_experience/eula/{token}", deleteMDMEULAEndpoint, deleteMDMEULARequest{})
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
// Deprecated: POST /mdm/apple/setup/eula is now deprecated, replaced by the platform agnostic /mdm/setup/eula
mdmAppleMW.POST("/api/_version_/fleet/mdm/apple/setup/eula", createMDMEULAEndpoint, createMDMEULARequest{})
// Deprecated: GET /mdm/apple/setup/eula/metadata is now deprecated, replaced by the platform agnostic /mdm/setup/eula/metadata
mdmAppleMW.GET("/api/_version_/fleet/mdm/apple/setup/eula/metadata", getMDMEULAMetadataEndpoint, getMDMEULAMetadataRequest{})
// Deprecated: DELETE /mdm/apple/setup/eula/:token is now deprecated, replaced by the platform agnostic /mdm/setup/eula/:token
mdmAppleMW.DELETE("/api/_version_/fleet/mdm/apple/setup/eula/{token}", deleteMDMEULAEndpoint, deleteMDMEULARequest{})
add CRUD for EULA (#11274) https://github.com/fleetdm/fleet/issues/10741
2023-05-02 13:09:33 +00:00
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
mdmAppleMW.POST("/api/_version_/fleet/mdm/apple/profiles/preassign", preassignMDMAppleProfileEndpoint, preassignMDMAppleProfileRequest{})
mdmAppleMW.POST("/api/_version_/fleet/mdm/apple/profiles/match", matchMDMApplePreassignmentEndpoint, matchMDMApplePreassignmentRequest{})
Implement preassign endpoint as first step to match profiles and hosts to teams (#12046)
2023-05-31 13:24:22 +00:00
Feat windows msmdm (#14837) for #13069 --------- Co-authored-by: Marcos Oviedo <marcos@fleetdm.com> Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-11-01 14:13:12 +00:00
mdmAnyMW := ue.WithCustomMiddleware(mdmConfiguredMiddleware.VerifyAppleOrWindowsMDM())
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: POST /mdm/commands/run is now deprecated, replaced by the
// POST /commands/run endpoint.
Feat windows msmdm (#14837) for #13069 --------- Co-authored-by: Marcos Oviedo <marcos@fleetdm.com> Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-11-01 14:13:12 +00:00
mdmAnyMW.POST("/api/_version_/fleet/mdm/commands/run", runMDMCommandEndpoint, runMDMCommandRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAnyMW.POST("/api/_version_/fleet/commands/run", runMDMCommandEndpoint, runMDMCommandRequest{})
// Deprecated: GET /mdm/commandresults is now deprecated, replaced by the
// GET /commands/results endpoint.
Feat windows msmdm (#14837) for #13069 --------- Co-authored-by: Marcos Oviedo <marcos@fleetdm.com> Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-11-01 14:13:12 +00:00
mdmAnyMW.GET("/api/_version_/fleet/mdm/commandresults", getMDMCommandResultsEndpoint, getMDMCommandResultsRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAnyMW.GET("/api/_version_/fleet/commands/results", getMDMCommandResultsEndpoint, getMDMCommandResultsRequest{})
// Deprecated: GET /mdm/commands is now deprecated, replaced by the
// GET /commands endpoint.
Feat windows msmdm (#14837) for #13069 --------- Co-authored-by: Marcos Oviedo <marcos@fleetdm.com> Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-11-01 14:13:12 +00:00
mdmAnyMW.GET("/api/_version_/fleet/mdm/commands", listMDMCommandsEndpoint, listMDMCommandsRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAnyMW.GET("/api/_version_/fleet/commands", listMDMCommandsEndpoint, listMDMCommandsRequest{})
// Deprecated: GET /mdm/disk_encryption/summary is now deprecated, replaced by the
// GET /disk_encryption endpoint.
Linux disk encryption: frontend changes, backend missing private key errors, remove disk encryption endpoints dependence on MDM being enabled (#23714) ## Addresses #22702, #23713, #23756, #23746, #23747, and #23876 _-Note that much of this code as is will render as expected only once integrated with the backend or if manipulated manually for testing purposes_ **Frontend**: - Update banners on my device page, tests - Build new logic for calling endpoint to trigger linux key escrow on clicking `Create key` - Add `CreateLinuxKeyModal` to inform user of next steps after clicking `Create key` - Update banners on host details page, tests - Update the Controls > OS settings section with new logic related to linux disk encryption - Expect and include counts of Linux hosts in aggregate disk encryption stats UI - Add "Linux" column to the disk encryption table - Show disk encryption related UI for supported Linux platforms - TODO: confirm platform string matching functionality in manual e2e testing - Expand capabilities of `SectionHeader` component, apply to new UI - Flash "missing private key" error, with clickable link, when trying to update disk encryption enabled while no server private key is present. - TODO: QA this once other endpoints on Controls > Disk encryption are enabled even when MDM not turned on - Update Disk encryption key modal copy -Other TODO: - Confirm when integrated with API: - Aggregate disk encryption counts - Disk encryption table Linux column - Show disk encryption key action on host details page when expected - Opens Disk encryption key modal, displays key as expected **Backend**: - For "No team" and teams, error when trying to update disk encryption enabled while no server private key is present. - Remove requirement of mdm being enabled for use of various endpoints related to Linux disk encryption - Update tests _________ **Host details and my device page banners** ![banners](https://github.com/user-attachments/assets/b76fbfbd-0969-40eb-b8b1-9fd0d4fd0f4f) **Create key modal** <img width="1799" alt="create-key-modal" src="https://github.com/user-attachments/assets/81a55ccb-b6b9-4eb6-b2ff-a463c60724c0"> **Enabling disk encryption** ![turning-on-enforcement](https://github.com/user-attachments/assets/005010b9-2238-46f8-9579-f07823898a78) **Disk encryption: Fleet free** <img width="1912" alt="free" src="https://github.com/user-attachments/assets/9f9cace3-8955-47c2-87d9-24ff9387ac1a"> **Custom settings: turn on MDM** <img width="1912" alt="turn on mdm" src="https://github.com/user-attachments/assets/4d3ad47b-4035-4d93-86f0-dc2691b38bb4"> **Device status indicators** ![host-status-indicators](https://github.com/user-attachments/assets/5fc72c1e-816b-45b3-a650-5c1fcc48f09e) **Encryption key action and modal** ![de-key-action-and-modal](https://github.com/user-attachments/assets/632f7b2c-c07e-4e30-87ef-e6437ae42a78) - [x] Changes file added for user-visible changes in `changes/` - [x] Added/updated tests - [x] Manual QA for all new/changed functionality - [ ] Full e2e testing to do when integrated with backend --------- Co-authored-by: Jacob Shandling <jacob@fleetdm.com> Co-authored-by: Ian Littman <iansltx@gmail.com>
2024-11-20 19:58:47 +00:00
ue.GET("/api/_version_/fleet/mdm/disk_encryption/summary", getMDMDiskEncryptionSummaryEndpoint, getMDMDiskEncryptionSummaryRequest{})
ue.GET("/api/_version_/fleet/disk_encryption", getMDMDiskEncryptionSummaryEndpoint, getMDMDiskEncryptionSummaryRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: GET /mdm/hosts/:id/encryption_key is now deprecated, replaced by
// GET /hosts/:id/encryption_key.
remove MDM middleware from 2 endpoints (#23997) - Integration tests upcoming with https://app.zenhub.com/workspaces/g-endpoint-ops-current-sprint-63bd7e0bf75dba002a2343ac/issues/gh/fleetdm/fleet/23587 Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2024-11-21 00:51:00 +00:00
ue.GET("/api/_version_/fleet/mdm/hosts/{id:[0-9]+}/encryption_key", getHostEncryptionKey, getHostEncryptionKeyRequest{})
ue.GET("/api/_version_/fleet/hosts/{id:[0-9]+}/encryption_key", getHostEncryptionKey, getHostEncryptionKeyRequest{})
Add endpoint to get or download a profile (Windows and macOS) (#15105)
2023-11-14 13:19:29 +00:00
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: GET /mdm/profiles/summary is now deprecated, replaced by the
// GET /configuration_profiles/summary endpoint.
Linux disk encryption: frontend changes, backend missing private key errors, remove disk encryption endpoints dependence on MDM being enabled (#23714) ## Addresses #22702, #23713, #23756, #23746, #23747, and #23876 _-Note that much of this code as is will render as expected only once integrated with the backend or if manipulated manually for testing purposes_ **Frontend**: - Update banners on my device page, tests - Build new logic for calling endpoint to trigger linux key escrow on clicking `Create key` - Add `CreateLinuxKeyModal` to inform user of next steps after clicking `Create key` - Update banners on host details page, tests - Update the Controls > OS settings section with new logic related to linux disk encryption - Expect and include counts of Linux hosts in aggregate disk encryption stats UI - Add "Linux" column to the disk encryption table - Show disk encryption related UI for supported Linux platforms - TODO: confirm platform string matching functionality in manual e2e testing - Expand capabilities of `SectionHeader` component, apply to new UI - Flash "missing private key" error, with clickable link, when trying to update disk encryption enabled while no server private key is present. - TODO: QA this once other endpoints on Controls > Disk encryption are enabled even when MDM not turned on - Update Disk encryption key modal copy -Other TODO: - Confirm when integrated with API: - Aggregate disk encryption counts - Disk encryption table Linux column - Show disk encryption key action on host details page when expected - Opens Disk encryption key modal, displays key as expected **Backend**: - For "No team" and teams, error when trying to update disk encryption enabled while no server private key is present. - Remove requirement of mdm being enabled for use of various endpoints related to Linux disk encryption - Update tests _________ **Host details and my device page banners** ![banners](https://github.com/user-attachments/assets/b76fbfbd-0969-40eb-b8b1-9fd0d4fd0f4f) **Create key modal** <img width="1799" alt="create-key-modal" src="https://github.com/user-attachments/assets/81a55ccb-b6b9-4eb6-b2ff-a463c60724c0"> **Enabling disk encryption** ![turning-on-enforcement](https://github.com/user-attachments/assets/005010b9-2238-46f8-9579-f07823898a78) **Disk encryption: Fleet free** <img width="1912" alt="free" src="https://github.com/user-attachments/assets/9f9cace3-8955-47c2-87d9-24ff9387ac1a"> **Custom settings: turn on MDM** <img width="1912" alt="turn on mdm" src="https://github.com/user-attachments/assets/4d3ad47b-4035-4d93-86f0-dc2691b38bb4"> **Device status indicators** ![host-status-indicators](https://github.com/user-attachments/assets/5fc72c1e-816b-45b3-a650-5c1fcc48f09e) **Encryption key action and modal** ![de-key-action-and-modal](https://github.com/user-attachments/assets/632f7b2c-c07e-4e30-87ef-e6437ae42a78) - [x] Changes file added for user-visible changes in `changes/` - [x] Added/updated tests - [x] Manual QA for all new/changed functionality - [ ] Full e2e testing to do when integrated with backend --------- Co-authored-by: Jacob Shandling <jacob@fleetdm.com> Co-authored-by: Ian Littman <iansltx@gmail.com>
2024-11-20 19:58:47 +00:00
ue.GET("/api/_version_/fleet/mdm/profiles/summary", getMDMProfilesSummaryEndpoint, getMDMProfilesSummaryRequest{})
ue.GET("/api/_version_/fleet/configuration_profiles/summary", getMDMProfilesSummaryEndpoint, getMDMProfilesSummaryRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: GET /mdm/profiles/:profile_uuid is now deprecated, replaced by
// GET /configuration_profiles/:profile_uuid.
Unify profiles database identifier to `profile_uuid` for macOS and Windows profiles. (#15297)
2023-12-04 15:04:06 +00:00
mdmAnyMW.GET("/api/_version_/fleet/mdm/profiles/{profile_uuid}", getMDMConfigProfileEndpoint, getMDMConfigProfileRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAnyMW.GET("/api/_version_/fleet/configuration_profiles/{profile_uuid}", getMDMConfigProfileEndpoint, getMDMConfigProfileRequest{})
// Deprecated: DELETE /mdm/profiles/:profile_uuid is now deprecated, replaced by
// DELETE /configuration_profiles/:profile_uuid.
Unify profiles database identifier to `profile_uuid` for macOS and Windows profiles. (#15297)
2023-12-04 15:04:06 +00:00
mdmAnyMW.DELETE("/api/_version_/fleet/mdm/profiles/{profile_uuid}", deleteMDMConfigProfileEndpoint, deleteMDMConfigProfileRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAnyMW.DELETE("/api/_version_/fleet/configuration_profiles/{profile_uuid}", deleteMDMConfigProfileEndpoint, deleteMDMConfigProfileRequest{})
// Deprecated: GET /mdm/profiles is now deprecated, replaced by the
// GET /configuration_profiles endpoint.
feature: windows profiles (#15349)
2023-11-29 14:32:42 +00:00
mdmAnyMW.GET("/api/_version_/fleet/mdm/profiles", listMDMConfigProfilesEndpoint, listMDMConfigProfilesRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
mdmAnyMW.GET("/api/_version_/fleet/configuration_profiles", listMDMConfigProfilesEndpoint, listMDMConfigProfilesRequest{})
// Deprecated: POST /mdm/profiles is now deprecated, replaced by the
// POST /configuration_profiles endpoint.
mdmAnyMW.POST("/api/_version_/fleet/mdm/profiles", newMDMConfigProfileEndpoint, newMDMConfigProfileRequest{})
mdmAnyMW.POST("/api/_version_/fleet/configuration_profiles", newMDMConfigProfileEndpoint, newMDMConfigProfileRequest{})
create public endpoint for batch modify mdm config profiles (#32578) resolves #24706 this creates a new public endpoint for batch modify of mdm config profiles - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Added/updated automated tests - [ ] QA'd all new/changed functionality manually
2025-09-08 13:52:30 +00:00
mdmAnyMW.POST("/api/_version_/fleet/configuration_profiles/batch", batchModifyMDMConfigProfilesEndpoint, batchModifyMDMConfigProfilesRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
Fleet API: Update resending configuration profiles API URL (#24211)
2024-11-27 20:39:55 +00:00
// Deprecated: POST /hosts/{host_id:[0-9]+}/configuration_profiles/resend/{profile_uuid} is now deprecated, replaced by the
// POST /hosts/{host_id:[0-9]+}/configuration_profiles/{profile_uuid}/resend endpoint.
Add backend to resend host MDM profiles (#18212) Issue #17897 # Checklist for submitter <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-04-12 19:34:54 +00:00
mdmAnyMW.POST("/api/_version_/fleet/hosts/{host_id:[0-9]+}/configuration_profiles/resend/{profile_uuid}", resendHostMDMProfileEndpoint, resendHostMDMProfileRequest{})
Fleet API: Update resending configuration profiles API URL (#24211)
2024-11-27 20:39:55 +00:00
mdmAnyMW.POST("/api/_version_/fleet/hosts/{host_id:[0-9]+}/configuration_profiles/{profile_uuid}/resend", resendHostMDMProfileEndpoint, resendHostMDMProfileRequest{})
BRP: add batch-resend profile to hosts endpoint based on status (#28871)
2025-05-07 20:48:18 +00:00
mdmAnyMW.POST("/api/_version_/fleet/configuration_profiles/resend/batch", batchResendMDMProfileToHostsEndpoint, batchResendMDMProfileToHostsRequest{})
BRP: implement API endpoint for host status summary of single profile (#29039)
2025-05-13 12:49:08 +00:00
mdmAnyMW.GET("/api/_version_/fleet/configuration_profiles/{profile_uuid}/status", getMDMConfigProfileStatusEndpoint, getMDMConfigProfileStatusRequest{})
Add backend to resend host MDM profiles (#18212) Issue #17897 # Checklist for submitter <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-04-12 19:34:54 +00:00
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: PATCH /mdm/apple/settings is deprecated, replaced by POST /disk_encryption.
// It was only used to set disk encryption.
Fix a bug that didn't allow to enable team disk encryption if macOS MDM is not configured (#15886) for #15817
2024-01-03 19:15:09 +00:00
mdmAnyMW.PATCH("/api/_version_/fleet/mdm/apple/settings", updateMDMAppleSettingsEndpoint, updateMDMAppleSettingsRequest{})
Linux disk encryption: frontend changes, backend missing private key errors, remove disk encryption endpoints dependence on MDM being enabled (#23714) ## Addresses #22702, #23713, #23756, #23746, #23747, and #23876 _-Note that much of this code as is will render as expected only once integrated with the backend or if manipulated manually for testing purposes_ **Frontend**: - Update banners on my device page, tests - Build new logic for calling endpoint to trigger linux key escrow on clicking `Create key` - Add `CreateLinuxKeyModal` to inform user of next steps after clicking `Create key` - Update banners on host details page, tests - Update the Controls > OS settings section with new logic related to linux disk encryption - Expect and include counts of Linux hosts in aggregate disk encryption stats UI - Add "Linux" column to the disk encryption table - Show disk encryption related UI for supported Linux platforms - TODO: confirm platform string matching functionality in manual e2e testing - Expand capabilities of `SectionHeader` component, apply to new UI - Flash "missing private key" error, with clickable link, when trying to update disk encryption enabled while no server private key is present. - TODO: QA this once other endpoints on Controls > Disk encryption are enabled even when MDM not turned on - Update Disk encryption key modal copy -Other TODO: - Confirm when integrated with API: - Aggregate disk encryption counts - Disk encryption table Linux column - Show disk encryption key action on host details page when expected - Opens Disk encryption key modal, displays key as expected **Backend**: - For "No team" and teams, error when trying to update disk encryption enabled while no server private key is present. - Remove requirement of mdm being enabled for use of various endpoints related to Linux disk encryption - Update tests _________ **Host details and my device page banners** ![banners](https://github.com/user-attachments/assets/b76fbfbd-0969-40eb-b8b1-9fd0d4fd0f4f) **Create key modal** <img width="1799" alt="create-key-modal" src="https://github.com/user-attachments/assets/81a55ccb-b6b9-4eb6-b2ff-a463c60724c0"> **Enabling disk encryption** ![turning-on-enforcement](https://github.com/user-attachments/assets/005010b9-2238-46f8-9579-f07823898a78) **Disk encryption: Fleet free** <img width="1912" alt="free" src="https://github.com/user-attachments/assets/9f9cace3-8955-47c2-87d9-24ff9387ac1a"> **Custom settings: turn on MDM** <img width="1912" alt="turn on mdm" src="https://github.com/user-attachments/assets/4d3ad47b-4035-4d93-86f0-dc2691b38bb4"> **Device status indicators** ![host-status-indicators](https://github.com/user-attachments/assets/5fc72c1e-816b-45b3-a650-5c1fcc48f09e) **Encryption key action and modal** ![de-key-action-and-modal](https://github.com/user-attachments/assets/632f7b2c-c07e-4e30-87ef-e6437ae42a78) - [x] Changes file added for user-visible changes in `changes/` - [x] Added/updated tests - [x] Manual QA for all new/changed functionality - [ ] Full e2e testing to do when integrated with backend --------- Co-authored-by: Jacob Shandling <jacob@fleetdm.com> Co-authored-by: Ian Littman <iansltx@gmail.com>
2024-11-20 19:58:47 +00:00
ue.POST("/api/_version_/fleet/disk_encryption", updateDiskEncryptionEndpoint, updateDiskEncryptionRequest{})
maintenance merge of `main` into feature branch (#14393) maintenance merge of `main` into feature branch
2023-10-09 21:28:35 +00:00
remove feature flags to enable MDM (#10746) https://github.com/fleetdm/fleet/issues/10025
2023-03-27 19:30:29 +00:00
// the following set of mdm endpoints must always be accessible (even
// if MDM is not configured) as it bootstraps the setup of MDM
// (generates CSR request for APNs, plus the SCEP and ABM keypairs).
add logic to manage ABM assets (#19293) for #19179 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-05-28 15:10:32 +00:00
// Deprecated: this endpoint shouldn't be used anymore in favor of the
// new flow described in https://github.com/fleetdm/fleet/issues/10383
remove feature flags to enable MDM (#10746) https://github.com/fleetdm/fleet/issues/10025
2023-03-27 19:30:29 +00:00
ue.POST("/api/_version_/fleet/mdm/apple/request_csr", requestMDMAppleCSREndpoint, requestMDMAppleCSRRequest{})
add logic to manage ABM assets (#19293) for #19179 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-05-28 15:10:32 +00:00
// Deprecated: this endpoint shouldn't be used anymore in favor of the
// new flow described in https://github.com/fleetdm/fleet/issues/10383
Wire up UI and server for correct ABM credentials download (#9660) Final alignment of UI and server for ABM credential downloads - [x] Added/updated test inventory - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Jacob Shandling <jacob@fleetdm.com> Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
2023-02-03 19:02:50 +00:00
ue.POST("/api/_version_/fleet/mdm/apple/dep/key_pair", newMDMAppleDEPKeyPairEndpoint, nil)
add logic to manage ABM assets (#19293) for #19179 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-05-28 15:10:32 +00:00
ue.GET("/api/_version_/fleet/mdm/apple/abm_public_key", generateABMKeyPairEndpoint, nil)
feat: enable multiple ABM and VPP tokens (#21693) > Related issue: #9956 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: Roberto Dip <rroperzh@gmail.com> Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com> Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com> Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
2024-08-29 22:51:46 +00:00
ue.POST("/api/_version_/fleet/abm_tokens", uploadABMTokenEndpoint, uploadABMTokenRequest{})
ue.DELETE("/api/_version_/fleet/abm_tokens/{id:[0-9]+}", deleteABMTokenEndpoint, deleteABMTokenRequest{})
ue.GET("/api/_version_/fleet/abm_tokens", listABMTokensEndpoint, nil)
Fixed gitops issue with gitops role. (#24297) #24288 PR for API docs: https://github.com/fleetdm/fleet/pull/24303 # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-12-03 16:12:07 +00:00
ue.GET("/api/_version_/fleet/abm_tokens/count", countABMTokensEndpoint, nil)
feat: enable multiple ABM and VPP tokens (#21693) > Related issue: #9956 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: Roberto Dip <rroperzh@gmail.com> Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com> Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com> Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
2024-08-29 22:51:46 +00:00
ue.PATCH("/api/_version_/fleet/abm_tokens/{id:[0-9]+}/teams", updateABMTokenTeamsEndpoint, updateABMTokenTeamsRequest{})
ue.PATCH("/api/_version_/fleet/abm_tokens/{id:[0-9]+}/renew", renewABMTokenEndpoint, renewABMTokenRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
feat: upload and delete APNS certs (#19275) > Related issue: #19014 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Roberto Dip <rroperzh@gmail.com>
2024-05-27 14:13:08 +00:00
ue.GET("/api/_version_/fleet/mdm/apple/request_csr", getMDMAppleCSREndpoint, getMDMAppleCSRRequest{})
ue.POST("/api/_version_/fleet/mdm/apple/apns_certificate", uploadMDMAppleAPNSCertEndpoint, uploadMDMAppleAPNSCertRequest{})
ue.DELETE("/api/_version_/fleet/mdm/apple/apns_certificate", deleteMDMAppleAPNSCertEndpoint, deleteMDMAppleAPNSCertRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
feat: enable multiple ABM and VPP tokens (#21693) > Related issue: #9956 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: Roberto Dip <rroperzh@gmail.com> Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com> Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com> Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
2024-08-29 22:51:46 +00:00
// VPP Tokens
ue.GET("/api/_version_/fleet/vpp_tokens", getVPPTokens, getVPPTokensRequest{})
ue.POST("/api/_version_/fleet/vpp_tokens", uploadVPPTokenEndpoint, uploadVPPTokenRequest{})
ue.PATCH("/api/_version_/fleet/vpp_tokens/{id}/teams", patchVPPTokensTeams, patchVPPTokensTeamsRequest{})
ue.PATCH("/api/_version_/fleet/vpp_tokens/{id}/renew", patchVPPTokenRenewEndpoint, patchVPPTokenRenewRequest{})
ue.DELETE("/api/_version_/fleet/vpp_tokens/{id}", deleteVPPToken, deleteVPPTokenRequest{})
// Batch VPP Associations
VPP Batch API (#20351) #20278
2024-07-22 17:19:19 +00:00
ue.POST("/api/_version_/fleet/software/app_store_apps/batch", batchAssociateAppStoreAppsEndpoint, batchAssociateAppStoreAppsRequest{})
feat: VPP token CRUD (#20108) # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-07-02 15:46:59 +00:00
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: GET /mdm/apple_bm is now deprecated, replaced by the
// GET /abm endpoint.
Add command `get mdm-apple-bm` to fleetctl (#8949)
2022-12-12 20:45:53 +00:00
ue.GET("/api/_version_/fleet/mdm/apple_bm", getAppleBMEndpoint, nil)
feat: enable multiple ABM and VPP tokens (#21693) > Related issue: #9956 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: Roberto Dip <rroperzh@gmail.com> Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com> Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com> Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
2024-08-29 22:51:46 +00:00
// Deprecated: GET /abm is now deprecated, replaced by the GET /abm_tokens endpoint.
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
ue.GET("/api/_version_/fleet/abm", getAppleBMEndpoint, nil)
implement endpoint to batch set windows profiles (#15127) for #14361. Avoiding a changelog entry intentionally since this API is for contributors only.
2023-11-15 12:37:19 +00:00
// Deprecated: POST /mdm/apple/profiles/batch is now deprecated, replaced by the
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// platform-agnostic POST /mdm/profiles/batch. It is still supported
implement endpoint to batch set windows profiles (#15127) for #14361. Avoiding a changelog entry intentionally since this API is for contributors only.
2023-11-15 12:37:19 +00:00
// indefinitely for backwards compatibility.
//
remove feature flags to enable MDM (#10746) https://github.com/fleetdm/fleet/issues/10025
2023-03-27 19:30:29 +00:00
// batch-apply is accessible even though MDM is not enabled, it needs
// to support the case where `fleetctl get config`'s output is used as
// input to `fleetctl apply`
Add macos custom profiles support via `fleetctl apply` (#9824)
2023-02-15 18:01:44 +00:00
ue.POST("/api/_version_/fleet/mdm/apple/profiles/batch", batchSetMDMAppleProfilesEndpoint, batchSetMDMAppleProfilesRequest{})
Add Apple MDM functionality (#7940) * WIP * Adding DEP functionality to Fleet * Better organize additional MDM code * Add cmdr.py and amend API paths * Fix lint * Add demo file * Fix demo.md * go mod tidy * Add munki setup to Fleet * Add diagram to demo.md * Add fixes * Update TODOs and demo.md * Fix cmdr.py and add TODO * Add endpoints to demo.md * Add more Munki PoC/demo stuff * WIP * Remove proposals from PoC * Replace prepare commands with fleetctl commands * Update demo.md with current state * Remove config field * Amend demo * Remove Munki setup from MVP-Dogfood * Update demo.md * Add apple mdm commands (#7769) * fleetctl enqueue mdm command * fix deps * Fix build Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com> * Add command to upload installers * go mod tidy * fix subcommands help There is a bug in urfave/cli where help text is not generated properly when subcommands are nested too deep. * Add support for installing apps * Add a way to list enrolled devices * Add dep listing * Rearrange endpoints * Move DEP routine to schedule * Define paths globally * Add a way to list enrollments and installers * Parse device-ids as comma-separated string * Remove unused types * Add simple commands and nest under enqueue-command * Fix simple commands * Add help to enqueue-command * merge apple_mdm database * Fix commands * update nanomdm * Split nanomdm and nanodep schemas * Set 512 MB in memory for upload * Remove empty file * Amend profile * Add sample commands * Add delete installers and fix bug in DEP profile assigning * Add dogfood.md deployment guide * Update schema.sql * Dump schema with MySQL 5 * Set default value for authenticate_at * add tokens to enrollment profiles When a device downloads an MDM enrollment profile, verify the token passed as a query parameter. This ensures untrusted devices don't enroll with our MDM server. - Rename enrollments to enrollment profiles. Enrollments is used by nano to refer to devices that are enrolled with MDM - Rename endpoint /api/<version>/fleet/mdm/apple/enrollments to ../enrollmentprofiles - Generate a token for authentication when creating an enrollment profile - Return unauthorized if token is invalid when downloading an enrollment profile from /api/mdm/apple/enroll?token= * remove mdm apple server url * update docs * make dump-test-schema * Update nanomdm with missing prefix table * Add docs and simplify changes * Add changes file * Add method docs * Fix compile and revert prepare.go changes * Revert migration status check change * Amend comments * Add more docs * Clarify storage of installers * Remove TODO * Remove unused * update dogfood.md * remove cmdr.py * Add authorization tests * Add TODO comment * use kitlog for nano logging * Add yaml tags * Remove unused flag * Remove changes file * Only run DEP routine if MDM is enabled * Add docs to all new exported types * Add docs * more nano logging changes * Fix unintentional removal * more nano logging changes * Fix compile test * Use string for configs and fix config test * Add docs and amend changes * revert changes to basicAuthHandler * remove exported BasicAuthHandler * rename rego authz type * Add more information to dep list * add db tag * update deps * Fix schema * Remove unimplemented Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com> Co-authored-by: Michal Nicpon <michal@fleetdm.com>
2022-10-05 22:53:54 +00:00
feature: windows profiles (#15349)
2023-11-29 14:32:42 +00:00
// batch-apply is accessible even though MDM is not enabled, it needs
// to support the case where `fleetctl get config`'s output is used as
// input to `fleetctl apply`
ue.POST("/api/_version_/fleet/mdm/profiles/batch", batchSetMDMProfilesEndpoint, batchSetMDMProfilesRequest{})
Hydrant CA Feature Branch (#31807) There are still some TODOs particularly within Gitops test code which will be worked on in a followup PR # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes ## Testing - [x] Added/updated automated tests - [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [ ] QA'd all new/changed functionality manually For unreleased bug fixes in a release candidate, one of: - [x] Confirmed that the fix is not expected to adversely impact load test results - [x] Alerted the release DRI if additional load testing is needed ## Database migrations - [x] Checked table schema to confirm autoupdate - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). ## New Fleet configuration settings - [ ] Setting(s) is/are explicitly excluded from GitOps If you didn't check the box above, follow this checklist for GitOps-enabled settings: - [ ] Verified that the setting is exported via `fleetctl generate-gitops` - [x] Verified the setting is documented in a separate PR to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485) - [x] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional) - [x] Verified that any relevant UI is disabled when GitOps mode is enabled --------- Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: Magnus Jensen <magnus@fleetdm.com> Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com>
2025-09-04 16:39:41 +00:00
// Certificate Authority endpoints
ue.POST("/api/_version_/fleet/certificate_authorities", createCertificateAuthorityEndpoint, createCertificateAuthorityRequest{})
ue.GET("/api/_version_/fleet/certificate_authorities", listCertificateAuthoritiesEndpoint, listCertificateAuthoritiesRequest{})
ue.GET("/api/_version_/fleet/certificate_authorities/{id:[0-9]+}", getCertificateAuthorityEndpoint, getCertificateAuthorityRequest{})
ue.DELETE("/api/_version_/fleet/certificate_authorities/{id:[0-9]+}", deleteCertificateAuthorityEndpoint, deleteCertificateAuthorityRequest{})
ue.PATCH("/api/_version_/fleet/certificate_authorities/{id:[0-9]+}", updateCertificateAuthorityEndpoint, updateCertificateAuthorityRequest{})
ue.POST("/api/_version_/fleet/certificate_authorities/{id:[0-9]+}/request_certificate", requestCertificateEndpoint, requestCertificateRequest{})
ue.POST("/api/_version_/fleet/spec/certificate_authorities", batchApplyCertificateAuthoritiesEndpoint, batchApplyCertificateAuthoritiesRequest{})
ue.GET("/api/_version_/fleet/spec/certificate_authorities", getCertificateAuthoritiesSpecEndpoint, getCertificateAuthoritiesSpecRequest{})
New rate limit algorithm for Fleet Desktop endpoints (#33344) Resolves #31890 This new approach allows up to 1000 consecutive failing requests per minute. If the threshold of 1000 consecutive failures is reached for an IP, then we ban request (return 429) from such IP for a duration of 1 minute. (Any successful request for an IP clears the count.) This supports the scenario where all hosts are behind a NAT (same IP) AND still provides protection against brute force attacks (attackers can only probe 1k requests per minute). This approach was discussed in Slack with @rfairburn: https://fleetdm.slack.com/archives/C051QJU3D0V/p1755625131298319?thread_ts=1755101701.844249&cid=C051QJU3D0V. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [X] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Introduced IP-based rate limiting for Fleet Desktop endpoints to better support many hosts behind a single public IP (NAT). Requests from abusive IPs may be temporarily blocked, returning 429 Too Many Requests with a retry-after hint. - Documentation - Added README for a new desktop rate-limit tester, describing usage and expected behavior. - Tests - Added integration tests covering desktop endpoint rate limiting and Redis-backed banning logic. - Chores - Added a command-line tool to stress-test desktop endpoints and verify rate limiting behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-26 18:03:50 +00:00
ipBanner := redis.NewIPBanner(redisPool, "ipbanner::",
deviceIPAllowedConsecutiveFailingRequestsCount,
deviceIPAllowedConsecutiveFailingRequestsTimeWindow,
deviceIPBanTime,
)
errorLimiter := ratelimit.NewErrorMiddleware(ipBanner).Limit(logger)
Add rate limits for device authed endpoints (#6529) * Add rate limits for device authed endpoints * Fix lint * Add missing test * Fix test * Increase the quota for desktop endpoints * Add comment about quota
2022-07-11 13:49:05 +00:00
New rate limit algorithm for Fleet Desktop endpoints (#33344) Resolves #31890 This new approach allows up to 1000 consecutive failing requests per minute. If the threshold of 1000 consecutive failures is reached for an IP, then we ban request (return 429) from such IP for a duration of 1 minute. (Any successful request for an IP clears the count.) This supports the scenario where all hosts are behind a NAT (same IP) AND still provides protection against brute force attacks (attackers can only probe 1k requests per minute). This approach was discussed in Slack with @rfairburn: https://fleetdm.slack.com/archives/C051QJU3D0V/p1755625131298319?thread_ts=1755101701.844249&cid=C051QJU3D0V. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [X] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Introduced IP-based rate limiting for Fleet Desktop endpoints to better support many hosts behind a single public IP (NAT). Requests from abusive IPs may be temporarily blocked, returning 429 Too Many Requests with a retry-after hint. - Documentation - Added README for a new desktop rate-limit tester, describing usage and expected behavior. - Tests - Added integration tests covering desktop endpoint rate limiting and Redis-backed banning logic. - Chores - Added a command-line tool to stress-test desktop endpoints and verify rate limiting behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-26 18:03:50 +00:00
// Device-authenticated endpoints.
Introduce API version 2022-04, deprecate use of `/global` in paths (#4731)
2022-04-05 15:35:53 +00:00
de := newDeviceAuthenticatedEndpointer(svc, logger, opts, r, apiVersions...)
New rate limit algorithm for Fleet Desktop endpoints (#33344) Resolves #31890 This new approach allows up to 1000 consecutive failing requests per minute. If the threshold of 1000 consecutive failures is reached for an IP, then we ban request (return 429) from such IP for a duration of 1 minute. (Any successful request for an IP clears the count.) This supports the scenario where all hosts are behind a NAT (same IP) AND still provides protection against brute force attacks (attackers can only probe 1k requests per minute). This approach was discussed in Slack with @rfairburn: https://fleetdm.slack.com/archives/C051QJU3D0V/p1755625131298319?thread_ts=1755101701.844249&cid=C051QJU3D0V. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [X] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Introduced IP-based rate limiting for Fleet Desktop endpoints to better support many hosts behind a single public IP (NAT). Requests from abusive IPs may be temporarily blocked, returning 429 Too Many Requests with a retry-after hint. - Documentation - Added README for a new desktop rate-limit tester, describing usage and expected behavior. - Tests - Added integration tests covering desktop endpoint rate limiting and Redis-backed banning logic. - Chores - Added a command-line tool to stress-test desktop endpoints and verify rate limiting behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-26 18:03:50 +00:00
de.WithCustomMiddleware(errorLimiter).GET("/api/_version_/fleet/device/{token}", getDeviceHostEndpoint, getDeviceHostRequest{})
de.WithCustomMiddleware(errorLimiter).GET("/api/_version_/fleet/device/{token}/desktop", getFleetDesktopEndpoint, getFleetDesktopRequest{})
de.WithCustomMiddleware(errorLimiter).HEAD("/api/_version_/fleet/device/{token}/ping", devicePingEndpoint, deviceAuthPingRequest{})
de.WithCustomMiddleware(errorLimiter).POST("/api/_version_/fleet/device/{token}/refetch", refetchDeviceHostEndpoint, refetchDeviceHostRequest{})
de.WithCustomMiddleware(errorLimiter).GET("/api/_version_/fleet/device/{token}/device_mapping", listDeviceHostDeviceMappingEndpoint, listDeviceHostDeviceMappingRequest{})
de.WithCustomMiddleware(errorLimiter).GET("/api/_version_/fleet/device/{token}/macadmins", getDeviceMacadminsDataEndpoint, getDeviceMacadminsDataRequest{})
de.WithCustomMiddleware(errorLimiter).GET("/api/_version_/fleet/device/{token}/policies", listDevicePoliciesEndpoint, listDevicePoliciesRequest{})
de.WithCustomMiddleware(errorLimiter).GET("/api/_version_/fleet/device/{token}/transparency", transparencyURL, transparencyURLRequest{})
de.WithCustomMiddleware(errorLimiter).POST("/api/_version_/fleet/device/{token}/debug/errors", fleetdError, fleetdErrorRequest{})
de.WithCustomMiddleware(errorLimiter).GET("/api/_version_/fleet/device/{token}/software", getDeviceSoftwareEndpoint, getDeviceSoftwareRequest{})
de.WithCustomMiddleware(errorLimiter).POST("/api/_version_/fleet/device/{token}/software/install/{software_title_id}", submitSelfServiceSoftwareInstall, fleetSelfServiceSoftwareInstallRequest{})
de.WithCustomMiddleware(errorLimiter).POST("/api/_version_/fleet/device/{token}/software/uninstall/{software_title_id}", submitDeviceSoftwareUninstall, fleetDeviceSoftwareUninstallRequest{})
de.WithCustomMiddleware(errorLimiter).GET("/api/_version_/fleet/device/{token}/software/install/{install_uuid}/results", getDeviceSoftwareInstallResultsEndpoint, getDeviceSoftwareInstallResultsRequest{})
de.WithCustomMiddleware(errorLimiter).GET("/api/_version_/fleet/device/{token}/software/uninstall/{execution_id}/results", getDeviceSoftwareUninstallResultsEndpoint, getDeviceSoftwareUninstallResultsRequest{})
de.WithCustomMiddleware(errorLimiter).GET("/api/_version_/fleet/device/{token}/certificates", listDeviceCertificatesEndpoint, listDeviceCertificatesRequest{})
de.WithCustomMiddleware(errorLimiter).POST("/api/_version_/fleet/device/{token}/setup_experience/status", getDeviceSetupExperienceStatusEndpoint, getDeviceSetupExperienceStatusRequest{})
de.WithCustomMiddleware(errorLimiter).GET("/api/_version_/fleet/device/{token}/software/titles/{software_title_id}/icon", getDeviceSoftwareIconEndpoint, getDeviceSoftwareIconRequest{})
de.WithCustomMiddleware(errorLimiter).POST("/api/_version_/fleet/device/{token}/mdm/linux/trigger_escrow", triggerLinuxDiskEncryptionEscrowEndpoint, triggerLinuxDiskEncryptionEscrowRequest{})
// Device authenticated, Apple MDM endpoints.
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
demdm := de.WithCustomMiddleware(mdmConfiguredMiddleware.VerifyAppleMDM())
New rate limit algorithm for Fleet Desktop endpoints (#33344) Resolves #31890 This new approach allows up to 1000 consecutive failing requests per minute. If the threshold of 1000 consecutive failures is reached for an IP, then we ban request (return 429) from such IP for a duration of 1 minute. (Any successful request for an IP clears the count.) This supports the scenario where all hosts are behind a NAT (same IP) AND still provides protection against brute force attacks (attackers can only probe 1k requests per minute). This approach was discussed in Slack with @rfairburn: https://fleetdm.slack.com/archives/C051QJU3D0V/p1755625131298319?thread_ts=1755101701.844249&cid=C051QJU3D0V. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [X] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Introduced IP-based rate limiting for Fleet Desktop endpoints to better support many hosts behind a single public IP (NAT). Requests from abusive IPs may be temporarily blocked, returning 429 Too Many Requests with a retry-after hint. - Documentation - Added README for a new desktop rate-limit tester, describing usage and expected behavior. - Tests - Added integration tests covering desktop endpoint rate limiting and Redis-backed banning logic. - Chores - Added a command-line tool to stress-test desktop endpoints and verify rate limiting behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-26 18:03:50 +00:00
demdm.AppendCustomMiddleware(errorLimiter).GET("/api/_version_/fleet/device/{token}/mdm/apple/manual_enrollment_profile", getDeviceMDMManualEnrollProfileEndpoint, getDeviceMDMManualEnrollProfileRequest{})
demdm.AppendCustomMiddleware(errorLimiter).GET("/api/_version_/fleet/device/{token}/software/commands/{command_uuid}/results", getDeviceMDMCommandResultsEndpoint, getDeviceMDMCommandResultsRequest{})
demdm.AppendCustomMiddleware(errorLimiter).POST("/api/_version_/fleet/device/{token}/configuration_profiles/{profile_uuid}/resend", resendDeviceConfigurationProfileEndpoint, resendDeviceConfigurationProfileRequest{})
demdm.AppendCustomMiddleware(errorLimiter).POST("/api/_version_/fleet/device/{token}/migrate_mdm", migrateMDMDeviceEndpoint, deviceMigrateMDMRequest{})
Add LUKS escrow trigger and orbit config endpoints, persist/retrieve LUKS passphrase (#23763) #23583, #23584 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [ ] Manual QA for all new/changed functionality -- should be tested end-to-end --------- Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2024-11-18 22:44:25 +00:00
Migrate host-authenticated endpoints to new pattern (#4403)
2022-03-07 18:10:55 +00:00
// host-authenticated endpoints
Introduce API version 2022-04, deprecate use of `/global` in paths (#4731)
2022-04-05 15:35:53 +00:00
he := newHostAuthenticatedEndpointer(svc, logger, opts, r, apiVersions...)
// Note that the /osquery/ endpoints are *not* versioned, i.e. there is no
// `_version_` placeholder in the path. This is deliberate, see
// https://github.com/fleetdm/fleet/pull/4731#discussion_r838931732 For now
// we add an alias to `/api/v1/osquery` so that it is backwards compatible,
// but even that `v1` is *not* part of the standard versioning, it will still
// work even after we remove support for the `v1` version for the rest of the
// API. This allows us to deprecate osquery endpoints separately.
he.WithAltPaths("/api/v1/osquery/config").
POST("/api/osquery/config", getClientConfigEndpoint, getClientConfigRequest{})
he.WithAltPaths("/api/v1/osquery/distributed/read").
POST("/api/osquery/distributed/read", getDistributedQueriesEndpoint, getDistributedQueriesRequest{})
he.WithAltPaths("/api/v1/osquery/distributed/write").
POST("/api/osquery/distributed/write", submitDistributedQueryResultsEndpoint, submitDistributedQueryResultsRequestShim{})
he.WithAltPaths("/api/v1/osquery/carve/begin").
POST("/api/osquery/carve/begin", carveBeginEndpoint, carveBeginRequest{})
he.WithAltPaths("/api/v1/osquery/log").
POST("/api/osquery/log", submitLogsEndpoint, submitLogsRequest{})
Add capability to serve YARA rules via authenticated Fleet endpoints (#23343) Implements the Fleet side of #14899 - Add new endpoints to update and retrieve yara rules - Add support in fleetctl for applying the rules # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [x] Added/updated tests - [ ] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
2024-11-13 17:01:08 +00:00
he.WithAltPaths("/api/v1/osquery/yara/{name}").
POST("/api/osquery/yara/{name}", getYaraEndpoint, getYaraRequest{})
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
Orbit remote management for flags (#7246) Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
2022-09-23 19:00:23 +00:00
// orbit authenticated endpoints
oe := newOrbitAuthenticatedEndpointer(svc, logger, opts, r, apiVersions...)
token rotation for fleet desktop (#7779) This implements what's described in detail here https://github.com/fleetdm/fleet/blob/main/proposals/fleet-desktop-token-rotation.md
2022-10-10 20:15:35 +00:00
oe.POST("/api/fleet/orbit/device_token", setOrUpdateDeviceTokenEndpoint, setOrUpdateDeviceTokenRequest{})
Orbit remote management for flags (#7246) Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
2022-09-23 19:00:23 +00:00
oe.POST("/api/fleet/orbit/config", getOrbitConfigEndpoint, orbitGetConfigRequest{})
Add orbit notification and API endpoints to send/receive scripts to hosts (part 2 of ticket) (#13447)
2023-08-23 20:47:47 +00:00
// using POST to get a script execution request since all authenticated orbit
// endpoints are POST due to passing the device token in the JSON body.
oe.POST("/api/fleet/orbit/scripts/request", getOrbitScriptEndpoint, orbitGetScriptRequest{})
oe.POST("/api/fleet/orbit/scripts/result", postOrbitScriptResultEndpoint, orbitPostScriptResultRequest{})
Custom email device-mapping: implement the REST API changes (#15748)
2023-12-21 17:21:39 +00:00
oe.PUT("/api/fleet/orbit/device_mapping", putOrbitDeviceMappingEndpoint, orbitPutDeviceMappingRequest{})
Add orbit endpoint to receive results of a software installation attempt (#18689) #18675
2024-05-03 16:03:59 +00:00
oe.POST("/api/fleet/orbit/software_install/result", postOrbitSoftwareInstallResultEndpoint, orbitPostSoftwareInstallResultRequest{})
Add backend to download software installers (#18693)
2024-05-03 00:08:20 +00:00
oe.POST("/api/fleet/orbit/software_install/package", orbitDownloadSoftwareInstallerEndpoint, orbitDownloadSoftwareInstallerRequest{})
Orbit software info endpoint (#18690) #18674
2024-05-06 19:19:45 +00:00
oe.POST("/api/fleet/orbit/software_install/details", getOrbitSoftwareInstallDetails, orbitGetSoftwareInstallRequest{})
API endpoints for Linux setup experience (#32493) For #32040. --- Backend changes to unblock the development of the orbit and frontend changes. New GET and PUT APIs for setting/getting software for Linux Setup Experience: ``` curl -k -X GET -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/setup_experience/linux/software?team_id=8&per_page=3000 curl -k -X PUT -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/setup_experience/linux/software -d '{"team_id":8,"software_title_ids":[3000, 3001, 3007]}' ``` New setup_experience/init API called by orbit to trigger the Linux setup experience on the device: ``` curl -v -k -X POST -H "Content-Type: application/json" "https://localhost:8080/api/fleet/orbit/setup_experience/init" -d '{"orbit_node_key": "ynYEtFsvv9xZ7rX619UE8of1I28H+GCj"}' ``` Get status API to call on "My device": ``` curl -v -k -X POST "https://localhost:8080/api/latest/fleet/device/7d940b6e-130a-493b-b58a-2b6e9f9f8bfc/setup_experience/status" ``` --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [x] QA'd all new/changed functionality manually ## New Fleet configuration settings - [X] Verified that the setting is exported via `fleetctl generate-gitops` - [X] Verified the setting is documented in a separate PR to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485) - [X] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Added Linux support for Setup Experience alongside macOS. - Introduced platform-specific admin APIs to configure and retrieve Setup Experience software (macOS/Linux). - Added device API to report Setup Experience status and an Orbit API to initialize Setup Experience on non-macOS devices. - Setup Experience now gates policy queries on Linux until setup is complete. - New activity log entry when Setup Experience software is edited (includes platform and team). - Documentation - Updated audit logs reference to include the new “edited setup experience software” event. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-04 15:58:47 +00:00
oe.POST("/api/fleet/orbit/setup_experience/init", orbitSetupExperienceInitEndpoint, orbitSetupExperienceInitRequest{})
Orbit software info endpoint (#18690) #18674
2024-05-06 19:19:45 +00:00
Changes to not rely on Fleet Desktop for Linux setup experience (#33018) For #32788. ## Testing - [X] Added/updated automated tests - [X] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [X] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [X] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [x] Verified that fleetd runs on macOS, Linux and Windows - [X] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Enhanced Linux setup experience: persists status on disk, resumes automatically, and completes when software/scripts finish. - Opens the “My Device” page only when desktop is enabled, using a user-aware launcher on Linux. - Linux setup status now focuses on software progress for faster, clearer feedback. - Bug Fixes - Corrected auth/MDM checks: macOS requires Apple MDM; Linux no longer blocked by MDM configuration on shared endpoints. - Improved reliability and logging around software installation and temporary directory cleanup. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:26:00 +00:00
// POST /api/fleet/orbit/setup_experience/status is used by macOS and Linux hosts.
// For macOS hosts we verify Apple MDM is enabled and configured.
oeAppleMDM := oe.WithCustomMiddlewareAfterAuth(mdmConfiguredMiddleware.VerifyAppleMDMOnMacOSHosts())
SE: update /status endpoint to add bootstrap package, profiles, control automatic release (#22783)
2024-10-09 19:38:13 +00:00
oeAppleMDM.POST("/api/fleet/orbit/setup_experience/status", getOrbitSetupExperienceStatusEndpoint, getOrbitSetupExperienceStatusRequest{})
feat: orbit SE status endpoint (#22678) > Related issue: #22637 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-10-07 21:16:32 +00:00
maintenance merge of `main` into feature branch (#14393) maintenance merge of `main` into feature branch
2023-10-09 21:28:35 +00:00
oeWindowsMDM := oe.WithCustomMiddleware(mdmConfiguredMiddleware.VerifyWindowsMDM())
oeWindowsMDM.POST("/api/fleet/orbit/disk_encryption_key", postOrbitDiskEncryptionKeyEndpoint, orbitPostDiskEncryptionKeyRequest{})
Add LUKS escrow trigger and orbit config endpoints, persist/retrieve LUKS passphrase (#23763) #23583, #23584 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [ ] Manual QA for all new/changed functionality -- should be tested end-to-end --------- Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2024-11-18 22:44:25 +00:00
oe.POST("/api/fleet/orbit/luks_data", postOrbitLUKSEndpoint, orbitPostLUKSRequest{})
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
// unauthenticated endpoints - most of those are either login-related,
// invite-related or host-enrolling. So they typically do some kind of
// one-time authentication by verifying that a valid secret token is provided
// with the request.
Introduce API version 2022-04, deprecate use of `/global` in paths (#4731)
2022-04-05 15:35:53 +00:00
ne := newNoAuthEndpointer(svc, opts, r, apiVersions...)
ne.WithAltPaths("/api/v1/osquery/enroll").
Fleet server verifies HTTP signature (#30825) Fixes #30473 # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - [x] Added/updated automated tests - [ ] Manual QA for all new/changed functionality <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added support for TPM-backed host identity certificates enabling hardware-backed HTTP signature authentication for hosts. * Introduced HTTP signature verification middleware for API requests, applied conditionally for premium licenses. * Hosts presenting identity certificates must authenticate with matching HTTP message signatures during enrollment and authentication. * Added SCEP-based certificate issuance for secure host identity management. * Updated enrollment endpoints to use standardized request/response contract types. * **Bug Fixes** * Enhanced authentication logic to verify consistency between host identity certificates and host records, preventing duplicate or mismatched identities. * **Chores** * Updated dependencies and test infrastructure to support HTTP signature verification and host identity certificate workflows. * Added comprehensive integration and datastore tests for host identity certificate issuance, storage, and authentication. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-07-16 18:08:27 +00:00
POST("/api/osquery/enroll", enrollAgentEndpoint, contract.EnrollOsqueryAgentRequest{})
Introduce API version 2022-04, deprecate use of `/global` in paths (#4731)
2022-04-05 15:35:53 +00:00
remove feature flags to enable MDM (#10746) https://github.com/fleetdm/fleet/issues/10025
2023-03-27 19:30:29 +00:00
// These endpoint are token authenticated.
add CRUD for EULA (#11274) https://github.com/fleetdm/fleet/issues/10741
2023-05-02 13:09:33 +00:00
// NOTE: remember to update
maintenance merge of `main` into feature branch (#14393) maintenance merge of `main` into feature branch
2023-10-09 21:28:35 +00:00
// `service.mdmConfigurationRequiredEndpoints` when you add an
add CRUD for EULA (#11274) https://github.com/fleetdm/fleet/issues/10741
2023-05-02 13:09:33 +00:00
// endpoint that's behind the mdmConfiguredMiddleware, this applies
// both to this set of endpoints and to any user authenticated
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
// endpoints using `mdmAppleMW.*` above in this file.
neAppleMDM := ne.WithCustomMiddleware(mdmConfiguredMiddleware.VerifyAppleMDM())
neAppleMDM.GET(apple_mdm.EnrollPath, mdmAppleEnrollEndpoint, mdmAppleEnrollRequest{})
Remove webview when IdP not enabled. (#29283) For #26996 and #28452 Demo video: https://www.youtube.com/shorts/WGS3JmKiZTs The device/machine info is extracted from the PKCS7 signed body of the POST request. I did manual QA on iPhone since I don't have an ADE macOS device with me. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2025-05-20 19:50:48 +00:00
neAppleMDM.POST(apple_mdm.EnrollPath, mdmAppleEnrollEndpoint, mdmAppleEnrollRequest{})
Managed Apple account user enrollment - integrate PoC changes (#30755) Fixes 30636 I am adding a handful of additional unit tests but this is ready for review now. Integrates changes from Victor's PoC for Account Driven User Enrollment including a nice end to end integration test including the SAML portion # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2025-07-15 19:02:11 +00:00
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
neAppleMDM.GET(apple_mdm.InstallerPath, mdmAppleGetInstallerEndpoint, mdmAppleGetInstallerRequest{})
neAppleMDM.HEAD(apple_mdm.InstallerPath, mdmAppleHeadInstallerEndpoint, mdmAppleHeadInstallerRequest{})
implement OTA enrollment (#21942) for #21019 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-09-10 19:52:17 +00:00
neAppleMDM.POST("/api/_version_/fleet/ota_enrollment", mdmAppleOTAEndpoint, mdmAppleOTARequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: GET /mdm/bootstrap is now deprecated, replaced by the
// GET /bootstrap endpoint.
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
neAppleMDM.GET("/api/_version_/fleet/mdm/bootstrap", downloadBootstrapPackageEndpoint, downloadBootstrapPackageRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
neAppleMDM.GET("/api/_version_/fleet/bootstrap", downloadBootstrapPackageEndpoint, downloadBootstrapPackageRequest{})
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
// Deprecated: GET /mdm/apple/bootstrap is now deprecated, replaced by the platform agnostic /mdm/bootstrap
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
neAppleMDM.GET("/api/_version_/fleet/mdm/apple/bootstrap", downloadBootstrapPackageEndpoint, downloadBootstrapPackageRequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
// Deprecated: GET /mdm/setup/eula/:token is now deprecated, replaced by the
// GET /setup_experience/eula/:token endpoint.
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
neAppleMDM.GET("/api/_version_/fleet/mdm/setup/eula/{token}", getMDMEULAEndpoint, getMDMEULARequest{})
Recategorize MDM endpoints to new mdm-less paths (#17372)
2024-03-13 14:27:29 +00:00
neAppleMDM.GET("/api/_version_/fleet/setup_experience/eula/{token}", getMDMEULAEndpoint, getMDMEULARequest{})
bootstrap package and eula endpoints platform agnosic (#16631) for #15082 - POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula - GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata - DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token - POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap - GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata - DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id - GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
2024-02-07 12:24:24 +00:00
// Deprecated: GET /mdm/apple/setup/eula/:token is now deprecated, replaced by the platform agnostic /mdm/setup/eula/:token
neAppleMDM.GET("/api/_version_/fleet/mdm/apple/setup/eula/{token}", getMDMEULAEndpoint, getMDMEULARequest{})
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
add ability for end users to enrol their device into fleet mdm (#21751) relates to #21559 This adds the ability for end users to enrol their own device in fleet mdm. > NOTE: this new byod HTML page is a separate HTML asset that contains all styles and scripts needed for the page to work. We do not send the fleet UI assets and this drastically cuts down the response time to the users who will be visiting this page on mobile devices There are two sides included in this: **Adding a new add host modal ios and iPad section for IT admins** ![image](https://github.com/user-attachments/assets/1008b190-9c38-4a0e-9b02-19df5da7937d) **delivering a new byod HTML page to end users that will allow end users to download the config profile to enrol into fleet mdm** ![image](https://github.com/user-attachments/assets/58d790e4-233b-4b03-ab36-9971aac075de) <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-09-05 11:47:34 +00:00
// Get OTA profile
neAppleMDM.GET("/api/_version_/fleet/enrollment_profiles/ota", getOTAProfileEndpoint, getOTAProfileRequest{})
Managed Apple account user enrollment - integrate PoC changes (#30755) Fixes 30636 I am adding a handful of additional unit tests but this is ready for review now. Integrates changes from Victor's PoC for Account Driven User Enrollment including a nice end to end integration test including the SAML portion # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2025-07-15 19:02:11 +00:00
// This is the account-driven enrollment endpoint for BYoD Apple devices, also known as User Enrollment.
neAppleMDM.POST(apple_mdm.AccountDrivenEnrollPath, mdmAppleAccountEnrollEndpoint, mdmAppleAccountEnrollRequest{})
// This is for OAUTH2 token based auth
// ne.POST(apple_mdm.EnrollPath+"/token", mdmAppleAccountEnrollTokenEndpoint, mdmAppleAccountEnrollTokenRequest{})
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
// These endpoint are used by Microsoft devices during MDM device enrollment phase
Adding support for GetPolicies message (#12477) This relates to #12262 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality
2023-06-27 15:59:33 +00:00
neWindowsMDM := ne.WithCustomMiddleware(mdmConfiguredMiddleware.VerifyWindowsMDM())
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2023-06-22 20:31:17 +00:00
12613 Azure AD JWT Auth token support (#12817) This PR adds support to parse Azure JWT tokens, and it also adds the STS endpoint ([Section 3.2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/27ed8c2c-0140-41ce-b2fa-c3d1a793ab4a) on the MS-MDE2 spec) This relates to #12614 and #12613 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality
2023-07-19 16:30:24 +00:00
// Microsoft MS-MDE2 Endpoints
// This endpoint is unauthenticated and is used by Microsoft devices to discover the MDM server endpoints
Adding support for GetPolicies message (#12477) This relates to #12262 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality
2023-06-27 15:59:33 +00:00
neWindowsMDM.POST(microsoft_mdm.MDE2DiscoveryPath, mdmMicrosoftDiscoveryEndpoint, SoapRequestContainer{})
12613 Azure AD JWT Auth token support (#12817) This PR adds support to parse Azure JWT tokens, and it also adds the STS endpoint ([Section 3.2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/27ed8c2c-0140-41ce-b2fa-c3d1a793ab4a) on the MS-MDE2 spec) This relates to #12614 and #12613 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality
2023-07-19 16:30:24 +00:00
// This endpoint is unauthenticated and is used by Microsoft devices to retrieve the opaque STS auth token
neWindowsMDM.GET(microsoft_mdm.MDE2AuthPath, mdmMicrosoftAuthEndpoint, SoapRequestContainer{})
Adding support for GetPolicies message (#12477) This relates to #12262 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality
2023-06-27 15:59:33 +00:00
// This endpoint is authenticated using the BinarySecurityToken header field
neWindowsMDM.POST(microsoft_mdm.MDE2PolicyPath, mdmMicrosoftPolicyEndpoint, SoapRequestContainer{})
Add Apple MDM functionality (#7940) * WIP * Adding DEP functionality to Fleet * Better organize additional MDM code * Add cmdr.py and amend API paths * Fix lint * Add demo file * Fix demo.md * go mod tidy * Add munki setup to Fleet * Add diagram to demo.md * Add fixes * Update TODOs and demo.md * Fix cmdr.py and add TODO * Add endpoints to demo.md * Add more Munki PoC/demo stuff * WIP * Remove proposals from PoC * Replace prepare commands with fleetctl commands * Update demo.md with current state * Remove config field * Amend demo * Remove Munki setup from MVP-Dogfood * Update demo.md * Add apple mdm commands (#7769) * fleetctl enqueue mdm command * fix deps * Fix build Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com> * Add command to upload installers * go mod tidy * fix subcommands help There is a bug in urfave/cli where help text is not generated properly when subcommands are nested too deep. * Add support for installing apps * Add a way to list enrolled devices * Add dep listing * Rearrange endpoints * Move DEP routine to schedule * Define paths globally * Add a way to list enrollments and installers * Parse device-ids as comma-separated string * Remove unused types * Add simple commands and nest under enqueue-command * Fix simple commands * Add help to enqueue-command * merge apple_mdm database * Fix commands * update nanomdm * Split nanomdm and nanodep schemas * Set 512 MB in memory for upload * Remove empty file * Amend profile * Add sample commands * Add delete installers and fix bug in DEP profile assigning * Add dogfood.md deployment guide * Update schema.sql * Dump schema with MySQL 5 * Set default value for authenticate_at * add tokens to enrollment profiles When a device downloads an MDM enrollment profile, verify the token passed as a query parameter. This ensures untrusted devices don't enroll with our MDM server. - Rename enrollments to enrollment profiles. Enrollments is used by nano to refer to devices that are enrolled with MDM - Rename endpoint /api/<version>/fleet/mdm/apple/enrollments to ../enrollmentprofiles - Generate a token for authentication when creating an enrollment profile - Return unauthorized if token is invalid when downloading an enrollment profile from /api/mdm/apple/enroll?token= * remove mdm apple server url * update docs * make dump-test-schema * Update nanomdm with missing prefix table * Add docs and simplify changes * Add changes file * Add method docs * Fix compile and revert prepare.go changes * Revert migration status check change * Amend comments * Add more docs * Clarify storage of installers * Remove TODO * Remove unused * update dogfood.md * remove cmdr.py * Add authorization tests * Add TODO comment * use kitlog for nano logging * Add yaml tags * Remove unused flag * Remove changes file * Only run DEP routine if MDM is enabled * Add docs to all new exported types * Add docs * more nano logging changes * Fix unintentional removal * more nano logging changes * Fix compile test * Use string for configs and fix config test * Add docs and amend changes * revert changes to basicAuthHandler * remove exported BasicAuthHandler * rename rego authz type * Add more information to dep list * add db tag * update deps * Fix schema * Remove unimplemented Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com> Co-authored-by: Michal Nicpon <michal@fleetdm.com>
2022-10-05 22:53:54 +00:00
Adding support for RequestSecurityToken messages - Windows MDM enroll endpoint (#12555) This relates to #12263 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests --------- Co-authored-by: Roberto Dip <me@roperzh.com>
2023-07-05 13:06:37 +00:00
// This endpoint is authenticated using the BinarySecurityToken header field
neWindowsMDM.POST(microsoft_mdm.MDE2EnrollPath, mdmMicrosoftEnrollEndpoint, SoapRequestContainer{})
Adding temporary MS-MDM implementation (#12852) This is the prototype implementation for MS-MDM. Most of the code here will change in the upcoming sprints once https://github.com/fleetdm/fleet/issues/12839, https://github.com/fleetdm/fleet/issues/12840, https://github.com/fleetdm/fleet/issues/12841 get implemented. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality
2023-07-20 14:54:04 +00:00
// This endpoint is unauthenticated for now
// It should be authenticated through TLS headers once proper implementation is in place
neWindowsMDM.POST(microsoft_mdm.MDE2ManagementPath, mdmMicrosoftManagementEndpoint, SyncMLReqMsgContainer{})
Windows mdm TOS endpoint (#12900) This relates to https://github.com/fleetdm/fleet/issues/12604 and https://github.com/fleetdm/fleet/issues/12600 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality
2023-07-21 17:36:26 +00:00
// This endpoint is unauthenticated and is used by to retrieve the MDM enrollment Terms of Use
neWindowsMDM.GET(microsoft_mdm.MDE2TOSPath, mdmMicrosoftTOSEndpoint, MDMWebContainer{})
Fleet server verifies HTTP signature (#30825) Fixes #30473 # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - [x] Added/updated automated tests - [ ] Manual QA for all new/changed functionality <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added support for TPM-backed host identity certificates enabling hardware-backed HTTP signature authentication for hosts. * Introduced HTTP signature verification middleware for API requests, applied conditionally for premium licenses. * Hosts presenting identity certificates must authenticate with matching HTTP message signatures during enrollment and authentication. * Added SCEP-based certificate issuance for secure host identity management. * Updated enrollment endpoints to use standardized request/response contract types. * **Bug Fixes** * Enhanced authentication logic to verify consistency between host identity certificates and host records, preventing duplicate or mismatched identities. * **Chores** * Updated dependencies and test infrastructure to support HTTP signature verification and host identity certificate workflows. * Added comprehensive integration and datastore tests for host identity certificate issuance, storage, and authentication. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-07-16 18:08:27 +00:00
ne.POST("/api/fleet/orbit/enroll", enrollOrbitEndpoint, contract.EnrollOrbitRequest{})
Orbit remote management for flags (#7246) Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
2022-09-23 19:00:23 +00:00
Fix race condition in tests when using global var loginRateLimit (#5197)
2022-04-19 13:35:53 +00:00
// For some reason osquery does not provide a node key with the block data.
// Instead the carve session ID should be verified in the service method.
Introduce API version 2022-04, deprecate use of `/global` in paths (#4731)
2022-04-05 15:35:53 +00:00
ne.WithAltPaths("/api/v1/osquery/carve/block").
POST("/api/osquery/carve/block", carveBlockEndpoint, carveBlockRequest{})
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
Downloading a software installer package now shows the browser's built-in progress bar (#21341) #19561 In Fleet GUI, downloading a software installer package now shows the browser's built-in progress bar. New API endpoints: https://github.com/fleetdm/fleet/pull/21346 # Checklist for submitter <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-08-20 17:37:29 +00:00
ne.GET("/api/_version_/fleet/software/titles/{title_id:[0-9]+}/package/token/{token}", downloadSoftwareInstallerEndpoint,
downloadSoftwareInstallerRequest{})
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
ne.POST("/api/_version_/fleet/perform_required_password_reset", performRequiredPasswordResetEndpoint, performRequiredPasswordResetRequest{})
ne.POST("/api/_version_/fleet/users", createUserFromInviteEndpoint, createUserRequest{})
ne.GET("/api/_version_/fleet/invites/{token}", verifyInviteEndpoint, verifyInviteRequest{})
ne.POST("/api/_version_/fleet/reset_password", resetPasswordEndpoint, resetPasswordRequest{})
ne.POST("/api/_version_/fleet/logout", logoutEndpoint, nil)
Fix SSO paths to always use `/v1/` instead of `/latest/` (#5246)
2022-04-20 16:46:45 +00:00
ne.POST("/api/v1/fleet/sso", initiateSSOEndpoint, initiateSSORequest{})
ne.POST("/api/v1/fleet/sso/callback", makeCallbackSSOEndpoint(config.Server.URLPrefix), callbackSSORequest{})
ne.GET("/api/v1/fleet/sso", settingsSSOEndpoint, nil)
Add server support for Fleet Sandbox demo login (#6387) * Add server support for Fleet Sandbox demo login This adds an endpoint `/api/latest/fleet/demologin` that provides a redirect for the fleetdm.com portion of Fleet Sandbox to automatically log in a user. The username and password must be provided as form values. The endpoint is only enabled if `FLEET_DEMO=1` is set in the server environment. This was tested locally with the following HTML served by `python3 -m http.server`, and the Fleet server running with `FLEET_DEMO=1 ./build/fleet serve --dev`: ``` <!DOCTYPE html> <body> <form method="post" action="https://localhost:8080/api/latest/fleet/demologin" id="demologin" > <input type="hidden" name="email" value="admin@example.com" /> <input type="hidden" name="password" value="admin123123#" /> <input type="submit"/> </form> <script type="text/javascript"> document.forms["demologin"].submit(); </script> </body> </html> ``` For Fleet sandbox purposes, the `action` should be set to the correct hostname for the sandbox instance, while the `email` and `password` should be set to the same credentials that were provided when creating the instance. * lucas comments * Add integration tests * Fix status codes and add comments Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2022-07-01 19:52:55 +00:00
Unversion the /setup endpoint, version the websocket endpoint (#5104)
2022-04-20 19:57:26 +00:00
// the websocket distributed query results endpoint is a bit different - the
// provided path is a prefix, not an exact match, and it is not a go-kit
// endpoint but a raw http.Handler. It uses the NoAuthEndpointer because
// authentication is done when the websocket session is established, inside
// the handler.
Refactoring endpoint_utils (#26342) For #26218 Refactoring service/android endpoint_utils to remove duplication. No functional changes. - [x] Manual QA for all new/changed functionality
2025-02-18 17:09:43 +00:00
ne.UsePathPrefix().PathHandler("GET", "/api/_version_/fleet/results/",
makeStreamDistributedQueryCampaignResultsHandler(config.Server, svc, logger))
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
If the fleet/forgot_password endpoint is rate limited, it should return the proper status code (#12323) Return proper HTTP status code if endpoint is rate limited.
2023-06-15 19:41:04 +00:00
quota := throttled.RateQuota{MaxRate: throttled.PerHour(10), MaxBurst: forgotPasswordRateLimitMaxBurst}
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
limiter := ratelimit.NewMiddleware(limitStore)
ne.
Add rate limits for device authed endpoints (#6529) * Add rate limits for device authed endpoints * Fix lint * Add missing test * Fix test * Increase the quota for desktop endpoints * Add comment about quota
2022-07-11 13:49:05 +00:00
WithCustomMiddleware(limiter.Limit("forgot_password", quota)).
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
POST("/api/_version_/fleet/forgot_password", forgotPasswordEndpoint, forgotPasswordRequest{})
When MDM SSO rate limit is supplied, split rate limit bucket (#29663) Also adds some more rate limiter tests to make sure separate rate limit buckets interact as expected. Fixes #29614. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - For new Fleet configuration settings - [x] Verified that the setting can be managed via GitOps, or confirmed that the setting is explicitly being excluded from GitOps. (excluded; env var or YAML) - [x] Added/updated automated tests - [ ] Manual QA for all new/changed functionality --------- Co-authored-by: George Karr <georgekarrv@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-06-02 22:18:58 +00:00
// By default, MDM SSO shares the login rate limit bucket; if MDM SSO limit is overridden, MDM SSO gets its
// own rate limit bucket.
loginRateLimit := throttled.PerMin(10)
Fix race condition in tests when using global var loginRateLimit (#5197)
2022-04-19 13:35:53 +00:00
if extra.loginRateLimit != nil {
loginRateLimit = *extra.loginRateLimit
}
When MDM SSO rate limit is supplied, split rate limit bucket (#29663) Also adds some more rate limiter tests to make sure separate rate limit buckets interact as expected. Fixes #29614. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - For new Fleet configuration settings - [x] Verified that the setting can be managed via GitOps, or confirmed that the setting is explicitly being excluded from GitOps. (excluded; env var or YAML) - [x] Added/updated automated tests - [ ] Manual QA for all new/changed functionality --------- Co-authored-by: George Karr <georgekarrv@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-06-02 22:18:58 +00:00
loginLimiter := limiter.Limit("login", throttled.RateQuota{MaxRate: loginRateLimit, MaxBurst: 9})
mdmSsoLimiter := loginLimiter
Allow overriding MDM SSO rate limit with an env var or config (#29640) Env var: `FLEET_MDM_SSO_RATE_LIMIT_PER_MINUTE`. **Not** managed via GitOps. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - For new Fleet configuration settings - [x] Verified that the setting can be managed via GitOps, or confirmed that the setting is explicitly being excluded from GitOps. - [ ] Added/updated automated tests - [ ] Manual QA for all new/changed functionality
2025-05-30 22:34:47 +00:00
if extra.mdmSsoRateLimit != nil {
When MDM SSO rate limit is supplied, split rate limit bucket (#29663) Also adds some more rate limiter tests to make sure separate rate limit buckets interact as expected. Fixes #29614. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - For new Fleet configuration settings - [x] Verified that the setting can be managed via GitOps, or confirmed that the setting is explicitly being excluded from GitOps. (excluded; env var or YAML) - [x] Added/updated automated tests - [ ] Manual QA for all new/changed functionality --------- Co-authored-by: George Karr <georgekarrv@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-06-02 22:18:58 +00:00
mdmSsoLimiter = limiter.Limit("mdm_sso", throttled.RateQuota{MaxRate: *extra.mdmSsoRateLimit, MaxBurst: 9})
Allow overriding MDM SSO rate limit with an env var or config (#29640) Env var: `FLEET_MDM_SSO_RATE_LIMIT_PER_MINUTE`. **Not** managed via GitOps. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - For new Fleet configuration settings - [x] Verified that the setting can be managed via GitOps, or confirmed that the setting is explicitly being excluded from GitOps. - [ ] Added/updated automated tests - [ ] Manual QA for all new/changed functionality
2025-05-30 22:34:47 +00:00
}
Fix race condition in tests when using global var loginRateLimit (#5197)
2022-04-19 13:35:53 +00:00
When MDM SSO rate limit is supplied, split rate limit bucket (#29663) Also adds some more rate limiter tests to make sure separate rate limit buckets interact as expected. Fixes #29614. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - For new Fleet configuration settings - [x] Verified that the setting can be managed via GitOps, or confirmed that the setting is explicitly being excluded from GitOps. (excluded; env var or YAML) - [x] Added/updated automated tests - [ ] Manual QA for all new/changed functionality --------- Co-authored-by: George Karr <georgekarrv@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-06-02 22:18:58 +00:00
ne.WithCustomMiddleware(loginLimiter).
Added scim/details endpoint (#28007) For #27281 This PR adds `/api/{version}/fleet/scim/details` endpoint, along with some frontend fixes. # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality
2025-04-10 19:08:45 +00:00
POST("/api/_version_/fleet/login", loginEndpoint, contract.LoginRequest{})
Allow opting in users to email verification on login (#24273) #22790 Changes file is on the FE PR. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
2024-12-05 14:37:10 +00:00
ne.WithCustomMiddleware(limiter.Limit("mfa", throttled.RateQuota{MaxRate: loginRateLimit, MaxBurst: 9})).
POST("/api/_version_/fleet/sessions", sessionCreateEndpoint, sessionCreateRequest{})
add headers denoting capabilities between fleet server / desktop / orbit (#7833) This adds a new mechanism to allow us to handle compatibility issues between Orbit, Fleet Server and Fleet Desktop. The general idea is to _always_ send a custom header of the form: ``` fleet-capabilities-header = "X-Fleet-Capabilities:" capabilities capabilities = capability * (,) capability = string ``` Both from the server to the clients (Orbit, Fleet Desktop) and vice-versa. For an example, see: https://github.com/fleetdm/fleet/commit/8c0bbdd291f54e03e19766bcdfead0fb8067f60c Also, the following applies: - Backwards compat: if the header is not present, assume that orbit/fleet doesn't have the capability - The current capabilities endpoint will be removed ### Motivation This solution is trying to solve the following problems: - We have three independent processes communicating with each other (Fleet Desktop, Orbit and Fleet Server). Each process can be updated independently, and therefore we need a way for each process to know what features are supported by its peers. - We originally implemented a dedicated API endpoint in the server that returned a list of the capabilities (or "features") enabled, we found this, and any other server-only solution (like API versioning) to be insufficient because: - There are cases in which the server also needs to know which features are supported by its clients - Clients needed to poll for changes to detect if the capabilities supported by the server change, by sending the capabilities on each request we have a much cleaner way to handling different responses. - We are also introducing an unauthenticated endpoint to get the server features, this gives us flexibility if we need to implement different authentication mechanisms, and was one of the pitfalls of the first implementation. Related to https://github.com/fleetdm/fleet/issues/7929
2022-09-26 10:53:53 +00:00
Remove ineffective rate limit to `/api/fleet/device/ping` and `api/fleet/orbit/ping` endpoints (#16334) #16076 This change removes ineffective rate limit to `/api/fleet/device/ping` and `api/fleet/orbit/ping`. Currently these endpoints are not rate limited, because the rate limiting used in these was the `errorLimiter` which only takes effect if the request fails and the ping endpoints never fail. So... we were making ineffective Redis accesses on every `/api/fleet/device/ping` and `api/fleet/orbit/ping` requests (we use Redis as the limiter store). - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Manual QA for all new/changed functionality
2024-01-25 18:05:52 +00:00
ne.HEAD("/api/fleet/device/ping", devicePingEndpoint, devicePingRequest{})
add headers denoting capabilities between fleet server / desktop / orbit (#7833) This adds a new mechanism to allow us to handle compatibility issues between Orbit, Fleet Server and Fleet Desktop. The general idea is to _always_ send a custom header of the form: ``` fleet-capabilities-header = "X-Fleet-Capabilities:" capabilities capabilities = capability * (,) capability = string ``` Both from the server to the clients (Orbit, Fleet Desktop) and vice-versa. For an example, see: https://github.com/fleetdm/fleet/commit/8c0bbdd291f54e03e19766bcdfead0fb8067f60c Also, the following applies: - Backwards compat: if the header is not present, assume that orbit/fleet doesn't have the capability - The current capabilities endpoint will be removed ### Motivation This solution is trying to solve the following problems: - We have three independent processes communicating with each other (Fleet Desktop, Orbit and Fleet Server). Each process can be updated independently, and therefore we need a way for each process to know what features are supported by its peers. - We originally implemented a dedicated API endpoint in the server that returned a list of the capabilities (or "features") enabled, we found this, and any other server-only solution (like API versioning) to be insufficient because: - There are cases in which the server also needs to know which features are supported by its clients - Clients needed to poll for changes to detect if the capabilities supported by the server change, by sending the capabilities on each request we have a much cleaner way to handling different responses. - We are also introducing an unauthenticated endpoint to get the server features, this gives us flexibility if we need to implement different authentication mechanisms, and was one of the pitfalls of the first implementation. Related to https://github.com/fleetdm/fleet/issues/7929
2022-09-26 10:53:53 +00:00
Remove ineffective rate limit to `/api/fleet/device/ping` and `api/fleet/orbit/ping` endpoints (#16334) #16076 This change removes ineffective rate limit to `/api/fleet/device/ping` and `api/fleet/orbit/ping`. Currently these endpoints are not rate limited, because the rate limiting used in these was the `errorLimiter` which only takes effect if the request fails and the ping endpoints never fail. So... we were making ineffective Redis accesses on every `/api/fleet/device/ping` and `api/fleet/orbit/ping` requests (we use Redis as the limiter store). - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Manual QA for all new/changed functionality
2024-01-25 18:05:52 +00:00
ne.HEAD("/api/fleet/orbit/ping", orbitPingEndpoint, orbitPingRequest{})
gate DEP enrollment behind SSO when configured (#11309) #10739 Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-04-27 12:43:20 +00:00
Check for calendar updates after callbacks from Google (#20156) #19352 Video explaining code changes: https://www.loom.com/share/370200a276b84aa388effd6ebd762e01?sid=038508c4-f3c2-40c0-baf6-6b6df682d1f0 In maintenance windows using Google Calendar, calendar event is now recreated within 30 seconds if deleted or moved to the past. - Added new endpoint for Google Calendar: `/api/_version_/fleet/calendar/webhook/{event_uuid}` - Added UUID to `calendar_events` table to make webhook lookup more efficient - webhook endpoint will only recreate event if needed -- it will not fire webhook. Webhook is still done by the cron job. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2024-07-08 15:20:03 +00:00
// This is a callback endpoint for calendar integration -- it is called to notify an event change in a user calendar
Fix calendar duplicated events and other issues (#20443) #19352 Includes the following changes: - Re-enable calendar callback - Introduced a new Redis key that indicates event was updated by calendar callback. In that case, we ignore subsequent callbacks for 10 seconds. - This reduces the amount of Google API calls, including handling of the unneeded callback generated by our own event change. - Read event from DB after acquiring lock. This is critical since we get the updated ETag of the Google Calendar event from our DB. Using the previous ETag when fetching event sometimes returns stale data, resulting in duplicate events. - Fixed bug in getCalendarLock where calendar cron would always think it got the lock - Do not refetch timezone during calendar callback to reduce Google API load - Watch for calendar event changes for 1 week after event end (to account for user moving event into the future) - #20442: Speculative improvement for Google callback latency by keeping the same notification channel (callback URL). - processCalendarAsync now takes at least 1 sec to process all events, to reduce CPU/Redis load - Increased lock expiration time from 1 minute to 20 minutes to account for potential Google API retries, fixing occasional duplicate events. - Added `get-events.go` helper script that gets maintenance events from user calendars, and checks for duplicates # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-07-24 11:40:33 +00:00
ne.POST("/api/_version_/fleet/calendar/webhook/{event_uuid}", calendarWebhookEndpoint, calendarWebhookRequest{})
Check for calendar updates after callbacks from Google (#20156) #19352 Video explaining code changes: https://www.loom.com/share/370200a276b84aa388effd6ebd762e01?sid=038508c4-f3c2-40c0-baf6-6b6df682d1f0 In maintenance windows using Google Calendar, calendar event is now recreated within 30 seconds if deleted or moved to the past. - Added new endpoint for Google Calendar: `/api/_version_/fleet/calendar/webhook/{event_uuid}` - Added UUID to `calendar_events` table to make webhook lookup more efficient - webhook endpoint will only recreate event if needed -- it will not fire webhook. Webhook is still done by the cron job. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes:
2024-07-08 15:20:03 +00:00
When MDM SSO rate limit is supplied, split rate limit bucket (#29663) Also adds some more rate limiter tests to make sure separate rate limit buckets interact as expected. Fixes #29614. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - For new Fleet configuration settings - [x] Verified that the setting can be managed via GitOps, or confirmed that the setting is explicitly being excluded from GitOps. (excluded; env var or YAML) - [x] Added/updated automated tests - [ ] Manual QA for all new/changed functionality --------- Co-authored-by: George Karr <georgekarrv@users.noreply.github.com> Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-06-02 22:18:58 +00:00
neAppleMDM.WithCustomMiddleware(mdmSsoLimiter).
IdP Authentication before BYOD (#32017) fixes: #29222 This is a feature branch that was completed last week, but did not get merged in time. All pr's going in was approved, and reviewed. I will after this is merged, do a cherry pick onto the RC 4.73 branch, and initiate the FR merge process. --------- Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com> Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
2025-08-18 16:31:53 +00:00
POST("/api/_version_/fleet/mdm/sso", initiateMDMSSOEndpoint, initiateMDMSSORequest{})
ne.WithCustomMiddleware(mdmSsoLimiter).
POST("/api/_version_/fleet/mdm/sso/callback", callbackMDMSSOEndpoint, callbackMDMSSORequest{})
Issue 1362 fleetctl user roles (#1397) * WIP * Add get user_roles and apply for a user_roles spec to fleetctl * Uncomment other tests * Update test to check output * Update test with the new struct * Mock token so that it doesn't pick up the one in the local machine * Address review comments * Fix printJSON and printYaml * Fix merge conflict error * If both roles are specified, fail * Fix test * Switch arguments around * Update test with the new rule * Fix other tests that fell through the cracks
2021-07-16 18:28:13 +00:00
}
Minor code/comment cleanups (#47) - Fixes an initialization error panic to a fatal log
2020-11-18 19:10:55 +00:00
// WithSetup is an http middleware that checks if setup procedures have been completed.
Licensed endpoints (#1188)
2017-02-09 18:43:45 +00:00
// If setup hasn't been completed it serves the API with a setup middleware.
create first time setup endpoint (#436) The endpoint is only active if there are no users in the datastore. While the endpoint is active, it also disables all the other API endpoints, and /config returns `{"require_setup":true}` for #378
2016-11-09 17:19:07 +00:00
// If the server is already configured, the default API handler is exposed.
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet`
2021-06-06 22:07:29 +00:00
func WithSetup(svc fleet.Service, logger kitlog.Logger, next http.Handler) http.HandlerFunc {
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
rxOsquery := regexp.MustCompile(`^/api/[^/]+/osquery`)
enbable API route after setup is complete (#564) Fixes #563
2016-12-02 18:46:31 +00:00
return func(w http.ResponseWriter, r *http.Request) {
configRouter := http.NewServeMux()
Unversion the /setup endpoint, version the websocket endpoint (#5104)
2022-04-20 19:57:26 +00:00
srv := kithttp.NewServer(
Add read replica testing helpers and fix non-sso login bug (#4908) not set on the INSERT. - OUT: Only sets the ID on the passed session and returns it. (`CreatedAt`, `AccessedAt`, are not set.) New version: ```go func (ds *Datastore) NewSession(ctx context.Context, userID uint, sessionKey string) (*fleet.Session, error) { sqlStatement := ` INSERT INTO sessions ( user_id, ` + "`key`" + ` ) VALUES(?,?) ` result, err := ds.writer.ExecContext(ctx, sqlStatement, userID, sessionKey) if err != nil { return nil, ctxerr.Wrap(ctx, err, "inserting session") } id, _ := result.LastInsertId() // cannot fail with the mysql driver return ds.sessionByID(ctx, ds.writer, uint(id)) } ``` - IN: Define arguments that are truly used when creating a session. - OUT: Load and return the fleet.Session struct with all values set (using the `ds.writer` to support read replicas correctly). PS: The new `NewSession` version mimics what we already do with other entities, like policies (`Datastore.NewGlobalPolicy`).
2022-04-04 23:52:05 +00:00
makeSetupEndpoint(svc, logger),
enbable API route after setup is complete (#564) Fixes #563
2016-12-02 18:46:31 +00:00
decodeSetupRequest,
encodeResponse,
Unversion the /setup endpoint, version the websocket endpoint (#5104)
2022-04-20 19:57:26 +00:00
)
// NOTE: support setup on both /v1/ and version-less, in the future /v1/
// will be dropped.
configRouter.Handle("/api/v1/setup", srv)
configRouter.Handle("/api/setup", srv)
allow osqueryd endpoints to enroll before app setup is complete (#931) Closes #929
2017-01-12 00:40:58 +00:00
// whitelist osqueryd endpoints
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
if rxOsquery.MatchString(r.URL.Path) {
allow osqueryd endpoints to enroll before app setup is complete (#931) Closes #929
2017-01-12 00:40:58 +00:00
next.ServeHTTP(w, r)
return
}
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints.
2021-06-03 23:24:15 +00:00
requireSetup, err := svc.SetupRequired(context.Background())
Licensed endpoints (#1188)
2017-02-09 18:43:45 +00:00
if err != nil {
logger.Log("msg", "fetching setup info from db", "err", err)
w.WriteHeader(http.StatusInternalServerError)
return
}
if requireSetup {
enbable API route after setup is complete (#564) Fixes #563
2016-12-02 18:46:31 +00:00
configRouter.ServeHTTP(w, r)
Licensed endpoints (#1188)
2017-02-09 18:43:45 +00:00
return
enbable API route after setup is complete (#564) Fixes #563
2016-12-02 18:46:31 +00:00
}
Licensed endpoints (#1188)
2017-02-09 18:43:45 +00:00
next.ServeHTTP(w, r)
create first time setup endpoint (#436) The endpoint is only active if there are no users in the datastore. While the endpoint is active, it also disables all the other API endpoints, and /config returns `{"require_setup":true}` for #378
2016-11-09 17:19:07 +00:00
}
}
Redirect frontend routes to setup if setup is not configured. (#721) Closes #617
2016-12-29 23:36:36 +00:00
// RedirectLoginToSetup detects if the setup endpoint should be used. If setup is required it redirect all
// frontend urls to /setup, otherwise the frontend router is used.
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet`
2021-06-06 22:07:29 +00:00
func RedirectLoginToSetup(svc fleet.Service, logger kitlog.Logger, next http.Handler, urlPrefix string) http.HandlerFunc {
Redirect frontend routes to setup if setup is not configured. (#721) Closes #617
2016-12-29 23:36:36 +00:00
return func(w http.ResponseWriter, r *http.Request) {
redirect := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
removing license code (#1551)
2017-09-01 16:42:46 +00:00
if r.URL.Path == "/setup" {
Redirect frontend routes to setup if setup is not configured. (#721) Closes #617
2016-12-29 23:36:36 +00:00
next.ServeHTTP(w, r)
return
}
newURL := r.URL
Add ability to prefix Fleet URLs (#2112) - Add the server_url_prefix flag for configuring this functionality - Add prefix handling to the server routes - Refactor JS to use appropriate paths from modules - Use JS template to get URL prefix into JS environment - Update webpack config to support prefixing Thanks to securityonion.net for sponsoring the development of this feature. Closes #1661
2019-10-16 23:40:45 +00:00
newURL.Path = urlPrefix + "/setup"
Redirect frontend routes to setup if setup is not configured. (#721) Closes #617
2016-12-29 23:36:36 +00:00
http.Redirect(w, r, newURL.String(), http.StatusTemporaryRedirect)
})
Licensed endpoints (#1188)
2017-02-09 18:43:45 +00:00
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints.
2021-06-03 23:24:15 +00:00
setupRequired, err := svc.SetupRequired(context.Background())
Licensed endpoints (#1188)
2017-02-09 18:43:45 +00:00
if err != nil {
removing license code (#1551)
2017-09-01 16:42:46 +00:00
logger.Log("msg", "fetching setupinfo from db", "err", err)
Licensed endpoints (#1188)
2017-02-09 18:43:45 +00:00
w.WriteHeader(http.StatusInternalServerError)
return
}
if setupRequired {
Redirect frontend routes to setup if setup is not configured. (#721) Closes #617
2016-12-29 23:36:36 +00:00
redirect.ServeHTTP(w, r)
Licensed endpoints (#1188)
2017-02-09 18:43:45 +00:00
return
Redirect frontend routes to setup if setup is not configured. (#721) Closes #617
2016-12-29 23:36:36 +00:00
}
Add ability to prefix Fleet URLs (#2112) - Add the server_url_prefix flag for configuring this functionality - Add prefix handling to the server routes - Refactor JS to use appropriate paths from modules - Use JS template to get URL prefix into JS environment - Update webpack config to support prefixing Thanks to securityonion.net for sponsoring the development of this feature. Closes #1661
2019-10-16 23:40:45 +00:00
RedirectSetupToLogin(svc, logger, next, urlPrefix).ServeHTTP(w, r)
create first time setup endpoint (#436) The endpoint is only active if there are no users in the datastore. While the endpoint is active, it also disables all the other API endpoints, and /config returns `{"require_setup":true}` for #378
2016-11-09 17:19:07 +00:00
}
}
removing license code (#1551)
2017-09-01 16:42:46 +00:00
// RedirectSetupToLogin forces the /setup path to be redirected to login. This middleware is used after
add middleware to redirect setup to login if the app has an admin (#900) user.
2017-01-11 19:05:07 +00:00
// the app has been setup.
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet`
2021-06-06 22:07:29 +00:00
func RedirectSetupToLogin(svc fleet.Service, logger kitlog.Logger, next http.Handler, urlPrefix string) http.HandlerFunc {
add middleware to redirect setup to login if the app has an admin (#900) user.
2017-01-11 19:05:07 +00:00
return func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/setup" {
newURL := r.URL
Add ability to prefix Fleet URLs (#2112) - Add the server_url_prefix flag for configuring this functionality - Add prefix handling to the server routes - Refactor JS to use appropriate paths from modules - Use JS template to get URL prefix into JS environment - Update webpack config to support prefixing Thanks to securityonion.net for sponsoring the development of this feature. Closes #1661
2019-10-16 23:40:45 +00:00
newURL.Path = urlPrefix + "/login"
add middleware to redirect setup to login if the app has an admin (#900) user.
2017-01-11 19:05:07 +00:00
http.Redirect(w, r, newURL.String(), http.StatusTemporaryRedirect)
return
}
next.ServeHTTP(w, r)
}
}
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
// RegisterAppleMDMProtocolServices registers the HTTP handlers that serve
// the MDM services to Apple devices.
func RegisterAppleMDMProtocolServices(
mux *http.ServeMux,
Normalize the naming of mdm settings, update docs and document missing ones (#10681) #10408
2023-03-23 10:30:28 +00:00
scepConfig config.MDMConfig,
19016 ingest certs on start (#19360) For #19016 This changes all the places where we previously assumed that certs were hardcoded when the Fleet server started to query the database instead. The plan is to loadtest afterwards, but as a first preemptive measure, this adds a caching layer on top the mysql datastore. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
2024-05-30 21:18:42 +00:00
mdmStorage fleet.MDMAppleStore,
add mocks + tests and move things around (#9574) #8948 - Add more go:generate commands for MDM mocks - Add unit and integration tests for MDM code - Move interfaces from their PoC location to match existing patterns
2023-01-31 14:46:01 +00:00
scepStorage scep_depot.Depot,
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
logger kitlog.Logger,
checkinAndCommandService nanomdm_service.CheckinAndCommandService,
Add DDM service struct, basic handlers, and test client (#17671)
2024-03-15 18:20:15 +00:00
ddmService nanomdm_service.DeclarativeManagement,
Full support of secret variables in Apple configuration profiles (#24925) For secrets subtask #24548 Fixed secret variables support in Apple configuration profiles. # Checklist for submitter - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
2024-12-20 21:40:23 +00:00
profileService nanomdm_service.ProfileService,
Add service discovery API endpoint (#31089) relates to #31057 adds an endpoint to expose the fleet handled service discovery endpoint. > NOTE: test will be done in a follow up PR - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
2025-07-23 11:11:32 +00:00
serverURLPrefix string,
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
fleetConfig config.FleetConfig,
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
) error {
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
if err := registerSCEP(mux, scepConfig, scepStorage, mdmStorage, logger, fleetConfig); err != nil {
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
return fmt.Errorf("scep: %w", err)
}
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
if err := registerMDM(mux, mdmStorage, checkinAndCommandService, ddmService, profileService, logger, fleetConfig); err != nil {
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
return fmt.Errorf("mdm: %w", err)
}
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
if err := registerMDMServiceDiscovery(mux, logger, serverURLPrefix, fleetConfig); err != nil {
Add service discovery API endpoint (#31089) relates to #31057 adds an endpoint to expose the fleet handled service discovery endpoint. > NOTE: test will be done in a follow up PR - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
2025-07-23 11:11:32 +00:00
return fmt.Errorf("service discovery: %w", err)
}
return nil
}
func registerMDMServiceDiscovery(
mux *http.ServeMux,
logger kitlog.Logger,
serverURLPrefix string,
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
fleetConfig config.FleetConfig,
Add service discovery API endpoint (#31089) relates to #31057 adds an endpoint to expose the fleet handled service discovery endpoint. > NOTE: test will be done in a follow up PR - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
2025-07-23 11:11:32 +00:00
) error {
serviceDiscoveryLogger := kitlog.With(logger, "component", "mdm-apple-service-discovery")
fullMDMEnrollmentURL := fmt.Sprintf("%s%s", serverURLPrefix, apple_mdm.AccountDrivenEnrollPath)
serviceDiscoveryHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
serviceDiscoveryLogger.Log("msg", "serving MDM service discovery response", "url", fullMDMEnrollmentURL)
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
_, err := fmt.Fprintf(w, `{"Servers":[{"Version": "mdm-byod", "BaseURL": "%s"}]}`, fullMDMEnrollmentURL)
if err != nil {
serviceDiscoveryLogger.Log("err", "error writing service discovery response", "err", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
}
})
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
mux.Handle(apple_mdm.ServiceDiscoveryPath, otel.WrapHandler(serviceDiscoveryHandler, apple_mdm.ServiceDiscoveryPath, fleetConfig))
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
return nil
}
// registerSCEP registers the HTTP handler for SCEP service needed for enrollment to MDM.
// Returns the SCEP CA certificate that can be used by verifiers.
func registerSCEP(
mux *http.ServeMux,
Normalize the naming of mdm settings, update docs and document missing ones (#10681) #10408
2023-03-23 10:30:28 +00:00
scepConfig config.MDMConfig,
add mocks + tests and move things around (#9574) #8948 - Add more go:generate commands for MDM mocks - Add unit and integration tests for MDM code - Move interfaces from their PoC location to match existing patterns
2023-01-31 14:46:01 +00:00
scepStorage scep_depot.Depot,
19016 ingest certs on start (#19360) For #19016 This changes all the places where we previously assumed that certs were hardcoded when the Fleet server started to query the database instead. The plan is to loadtest afterwards, but as a first preemptive measure, this adds a caching layer on top the mysql datastore. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
2024-05-30 21:18:42 +00:00
mdmStorage fleet.MDMAppleStore,
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
logger kitlog.Logger,
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
fleetConfig config.FleetConfig,
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
) error {
Updating scep package with latest fixes (#22372) Updating scep package with changes up to github.com/micromdm/scep@781f8042a79cabcf61a5e6c01affdbadcb785932 Fixes needed for NDES client for #21955 Manually pulled in the recent changes. You can view the changes in the remote like: https://github.com/getvictor/scep/compare/fleet...micromdm%3Ascep%3Amain
2024-09-27 12:04:11 +00:00
var signer scepserver.CSRSignerContext = scepserver.SignCSRAdapter(scep_depot.NewSigner(
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
scepStorage,
Normalize the naming of mdm settings, update docs and document missing ones (#10681) #10408
2023-03-23 10:30:28 +00:00
scep_depot.WithValidityDays(scepConfig.AppleSCEPSignerValidityDays),
scep_depot.WithAllowRenewalDays(scepConfig.AppleSCEPSignerAllowRenewalDays),
Updating scep package with latest fixes (#22372) Updating scep package with changes up to github.com/micromdm/scep@781f8042a79cabcf61a5e6c01affdbadcb785932 Fixes needed for NDES client for #21955 Manually pulled in the recent changes. You can view the changes in the remote like: https://github.com/getvictor/scep/compare/fleet...micromdm%3Ascep%3Amain
2024-09-27 12:04:11 +00:00
))
NDES SCEP proxy backend (#22542) #21955 <div> <a href="https://www.loom.com/share/ba40b440502845d2861fd3ec7611bade"> <p>[Demo] Deploy SCEP certificates from Network Device Enrollment Service (NDES) #21955 - Watch Video</p> </a> <a href="https://www.loom.com/share/ba40b440502845d2861fd3ec7611bade"> <img style="max-width:300px;" src="https://cdn.loom.com/sessions/thumbnails/ba40b440502845d2861fd3ec7611bade-84f2d88c9f5106c2-full-play.gif"> </a> </div> Note: A few remaining subtasks will be done in a follow-up PR. See #22123 for a detailed list. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-10-09 18:47:27 +00:00
assets, err := mdmStorage.GetAllMDMConfigAssetsByName(context.Background(), []fleet.MDMAssetName{fleet.MDMAssetSCEPChallenge}, nil)
generate/ingest SCEP challenges and improve error messages (#19468) for #19454
2024-06-03 21:33:52 +00:00
if err != nil {
return fmt.Errorf("retrieving SCEP challenge: %w", err)
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
}
generate/ingest SCEP challenges and improve error messages (#19468) for #19454
2024-06-03 21:33:52 +00:00
scepChallenge := string(assets[fleet.MDMAssetSCEPChallenge].Value)
Updating scep package with latest fixes (#22372) Updating scep package with changes up to github.com/micromdm/scep@781f8042a79cabcf61a5e6c01affdbadcb785932 Fixes needed for NDES client for #21955 Manually pulled in the recent changes. You can view the changes in the remote like: https://github.com/getvictor/scep/compare/fleet...micromdm%3Ascep%3Amain
2024-09-27 12:04:11 +00:00
signer = scepserver.StaticChallengeMiddleware(scepChallenge, signer)
19016 ingest certs on start (#19360) For #19016 This changes all the places where we previously assumed that certs were hardcoded when the Fleet server started to query the database instead. The plan is to loadtest afterwards, but as a first preemptive measure, this adds a caching layer on top the mysql datastore. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
2024-05-30 21:18:42 +00:00
scepService := NewSCEPService(
mdmStorage,
signer,
kitlog.With(logger, "component", "mdm-apple-scep"),
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
)
19016 ingest certs on start (#19360) For #19016 This changes all the places where we previously assumed that certs were hardcoded when the Fleet server started to query the database instead. The plan is to loadtest afterwards, but as a first preemptive measure, this adds a caching layer on top the mysql datastore. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
2024-05-30 21:18:42 +00:00
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
scepLogger := kitlog.With(logger, "component", "http-mdm-apple-scep")
e := scepserver.MakeServerEndpoints(scepService)
e.GetEndpoint = scepserver.EndpointLoggingMiddleware(scepLogger)(e.GetEndpoint)
e.PostEndpoint = scepserver.EndpointLoggingMiddleware(scepLogger)(e.PostEndpoint)
scepHandler := scepserver.MakeHTTPHandler(e, scepService, scepLogger)
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
mux.Handle(apple_mdm.SCEPPath, otel.WrapHandler(scepHandler, apple_mdm.SCEPPath, fleetConfig))
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
return nil
}
NDES SCEP proxy backend (#22542) #21955 <div> <a href="https://www.loom.com/share/ba40b440502845d2861fd3ec7611bade"> <p>[Demo] Deploy SCEP certificates from Network Device Enrollment Service (NDES) #21955 - Watch Video</p> </a> <a href="https://www.loom.com/share/ba40b440502845d2861fd3ec7611bade"> <img style="max-width:300px;" src="https://cdn.loom.com/sessions/thumbnails/ba40b440502845d2861fd3ec7611bade-84f2d88c9f5106c2-full-play.gif"> </a> </div> Note: A few remaining subtasks will be done in a follow-up PR. See #22123 for a detailed list. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-10-09 18:47:27 +00:00
func RegisterSCEPProxy(
rootMux *http.ServeMux,
ds fleet.Datastore,
logger kitlog.Logger,
Add custom SCEP configs (#27045) For #26603 This PR includes: - Refactoring of NDES/SCEP verify/timeout logic for easier testing (with dependency injection) - Custom SCEP configs - saving/deleting/updating of encrypted custom SCEP challenges - validation call to custom SCEP server to verify connection - Custom SCEP activities - unit and integration tests for all of the above This PR does not include the following: - Changes file (in later PR) # Checklist for submitter - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2025-03-14 17:16:51 +00:00
timeout *time.Duration,
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
fleetConfig *config.FleetConfig,
NDES SCEP proxy backend (#22542) #21955 <div> <a href="https://www.loom.com/share/ba40b440502845d2861fd3ec7611bade"> <p>[Demo] Deploy SCEP certificates from Network Device Enrollment Service (NDES) #21955 - Watch Video</p> </a> <a href="https://www.loom.com/share/ba40b440502845d2861fd3ec7611bade"> <img style="max-width:300px;" src="https://cdn.loom.com/sessions/thumbnails/ba40b440502845d2861fd3ec7611bade-84f2d88c9f5106c2-full-play.gif"> </a> </div> Note: A few remaining subtasks will be done in a follow-up PR. See #22123 for a detailed list. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-10-09 18:47:27 +00:00
) error {
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
if fleetConfig == nil {
return errors.New("fleet config is nil")
}
NDES SCEP proxy backend (#22542) #21955 <div> <a href="https://www.loom.com/share/ba40b440502845d2861fd3ec7611bade"> <p>[Demo] Deploy SCEP certificates from Network Device Enrollment Service (NDES) #21955 - Watch Video</p> </a> <a href="https://www.loom.com/share/ba40b440502845d2861fd3ec7611bade"> <img style="max-width:300px;" src="https://cdn.loom.com/sessions/thumbnails/ba40b440502845d2861fd3ec7611bade-84f2d88c9f5106c2-full-play.gif"> </a> </div> Note: A few remaining subtasks will be done in a follow-up PR. See #22123 for a detailed list. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-10-09 18:47:27 +00:00
scepService := eeservice.NewSCEPProxyService(
ds,
kitlog.With(logger, "component", "scep-proxy-service"),
Add custom SCEP configs (#27045) For #26603 This PR includes: - Refactoring of NDES/SCEP verify/timeout logic for easier testing (with dependency injection) - Custom SCEP configs - saving/deleting/updating of encrypted custom SCEP challenges - validation call to custom SCEP server to verify connection - Custom SCEP activities - unit and integration tests for all of the above This PR does not include the following: - Changes file (in later PR) # Checklist for submitter - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2025-03-14 17:16:51 +00:00
timeout,
NDES SCEP proxy backend (#22542) #21955 <div> <a href="https://www.loom.com/share/ba40b440502845d2861fd3ec7611bade"> <p>[Demo] Deploy SCEP certificates from Network Device Enrollment Service (NDES) #21955 - Watch Video</p> </a> <a href="https://www.loom.com/share/ba40b440502845d2861fd3ec7611bade"> <img style="max-width:300px;" src="https://cdn.loom.com/sessions/thumbnails/ba40b440502845d2861fd3ec7611bade-84f2d88c9f5106c2-full-play.gif"> </a> </div> Note: A few remaining subtasks will be done in a follow-up PR. See #22123 for a detailed list. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-10-09 18:47:27 +00:00
)
scepLogger := kitlog.With(logger, "component", "http-scep-proxy")
e := scepserver.MakeServerEndpointsWithIdentifier(scepService)
e.GetEndpoint = scepserver.EndpointLoggingMiddleware(scepLogger)(e.GetEndpoint)
e.PostEndpoint = scepserver.EndpointLoggingMiddleware(scepLogger)(e.PostEndpoint)
scepHandler := scepserver.MakeHTTPHandlerWithIdentifier(e, apple_mdm.SCEPProxyPath, scepLogger)
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
// Not using OTEL dynamic wrapper so as not to expose {identifier} in the span name
scepHandler = otel.WrapHandler(scepHandler, apple_mdm.SCEPProxyPath, *fleetConfig)
NDES SCEP proxy backend (#22542) #21955 <div> <a href="https://www.loom.com/share/ba40b440502845d2861fd3ec7611bade"> <p>[Demo] Deploy SCEP certificates from Network Device Enrollment Service (NDES) #21955 - Watch Video</p> </a> <a href="https://www.loom.com/share/ba40b440502845d2861fd3ec7611bade"> <img style="max-width:300px;" src="https://cdn.loom.com/sessions/thumbnails/ba40b440502845d2861fd3ec7611bade-84f2d88c9f5106c2-full-play.gif"> </a> </div> Note: A few remaining subtasks will be done in a follow-up PR. See #22123 for a detailed list. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-10-09 18:47:27 +00:00
rootMux.Handle(apple_mdm.SCEPProxyPath, scepHandler)
return nil
}
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
// NanoMDMLogger is a logger adapter for nanomdm.
type NanoMDMLogger struct {
logger kitlog.Logger
}
func NewNanoMDMLogger(logger kitlog.Logger) *NanoMDMLogger {
return &NanoMDMLogger{
logger: logger,
}
}
func (l *NanoMDMLogger) Info(keyvals ...interface{}) {
level.Info(l.logger).Log(keyvals...)
}
func (l *NanoMDMLogger) Debug(keyvals ...interface{}) {
level.Debug(l.logger).Log(keyvals...)
}
func (l *NanoMDMLogger) With(keyvals ...interface{}) nanomdm_log.Logger {
newLogger := kitlog.With(l.logger, keyvals...)
return &NanoMDMLogger{
logger: newLogger,
}
}
// registerMDM registers the HTTP handlers that serve core MDM services (like checking in for MDM commands).
func registerMDM(
mux *http.ServeMux,
19016 ingest certs on start (#19360) For #19016 This changes all the places where we previously assumed that certs were hardcoded when the Fleet server started to query the database instead. The plan is to loadtest afterwards, but as a first preemptive measure, this adds a caching layer on top the mysql datastore. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
2024-05-30 21:18:42 +00:00
mdmStorage fleet.MDMAppleStore,
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
checkinAndCommandService nanomdm_service.CheckinAndCommandService,
Add DDM service struct, basic handlers, and test client (#17671)
2024-03-15 18:20:15 +00:00
ddmService nanomdm_service.DeclarativeManagement,
Full support of secret variables in Apple configuration profiles (#24925) For secrets subtask #24548 Fixed secret variables support in Apple configuration profiles. # Checklist for submitter - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
2024-12-20 21:40:23 +00:00
profileService nanomdm_service.ProfileService,
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
logger kitlog.Logger,
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
fleetConfig config.FleetConfig,
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
) error {
19016 ingest certs on start (#19360) For #19016 This changes all the places where we previously assumed that certs were hardcoded when the Fleet server started to query the database instead. The plan is to loadtest afterwards, but as a first preemptive measure, this adds a caching layer on top the mysql datastore. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
2024-05-30 21:18:42 +00:00
certVerifier := mdmcrypto.NewSCEPVerifier(mdmStorage)
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
mdmLogger := NewNanoMDMLogger(kitlog.With(logger, "component", "http-mdm-apple-mdm"))
// As usual, handlers are applied from bottom to top:
// 1. Extract and verify MDM signature.
// 2. Verify signer certificate with CA.
// 3. Verify new or enrolled certificate (certauth.CertAuth which wraps the MDM service).
// 4. Pass a copy of the request to Fleet middleware that ingests new hosts from pending MDM
// enrollments and updates the Fleet hosts table accordingly with the UDID and serial number of
// the device.
// 5. Run actual MDM service operation (checkin handler or command and results handler).
Full support of secret variables in Apple configuration profiles (#24925) For secrets subtask #24548 Fixed secret variables support in Apple configuration profiles. # Checklist for submitter - [x] Added/updated tests - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Manual QA for all new/changed functionality
2024-12-20 21:40:23 +00:00
coreMDMService := nanomdm.New(mdmStorage, nanomdm.WithLogger(mdmLogger), nanomdm.WithDeclarativeManagement(ddmService),
Return 410 Gone to UserAuthenticate (#32354) Fixes #31974 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes ## Testing - [x] Added/updated automated tests - [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [x] QA'd all new/changed functionality manually
2025-09-16 20:04:05 +00:00
nanomdm.WithProfileService(profileService), nanomdm.WithUserAuthenticate(checkinAndCommandService))
Update host MDM profile status to pending in response to triggering events (#10443)
2023-03-27 18:43:01 +00:00
// NOTE: it is critical that the coreMDMService runs first, as the first
// service in the multi-service feature is run to completion _before_ running
// the other ones in parallel. This way, subsequent services have access to
// the result of the core service, e.g. the device is enrolled, etc.
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
var mdmService nanomdm_service.CheckinAndCommandService = multi.New(mdmLogger, coreMDMService, checkinAndCommandService)
Skip bootstrap package and other setup items when renewing Apple MDM enrollment profiles (#27560)
2025-03-28 21:33:22 +00:00
mdmService = certauth.New(mdmService, mdmStorage, certauth.WithLogger(mdmLogger.With("handler", "cert-auth")))
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
var mdmHandler http.Handler = httpmdm.CheckinAndCommandHandler(mdmService, mdmLogger.With("handler", "checkin-command"))
Allow to disable Apple MDM SCEP renewal/verification (#23660) https://github.com/fleetdm/confidential/issues/8528 Manual merge from special branch https://github.com/fleetdm/fleet/compare/rc-patch-fleet-v4.57.3...rh-patch-4.57.3, gated by env vars. No changes entry since this is a temporary feature for a customer, which we may not want to maintain.
2024-11-11 19:25:21 +00:00
verifyDisable, exists := os.LookupEnv("FLEET_MDM_APPLE_SCEP_VERIFY_DISABLE")
if exists && (strings.EqualFold(verifyDisable, "true") || verifyDisable == "1") {
level.Info(logger).Log("msg",
"disabling verification of macOS SCEP certificates as FLEET_MDM_APPLE_SCEP_VERIFY_DISABLE is set to true")
} else {
mdmHandler = httpmdm.CertVerifyMiddleware(mdmHandler, certVerifier, mdmLogger.With("handler", "cert-verify"))
}
Update nanomdm dependency with latest bug fixes and improvements. (#23906) #23905 - Update with upstream nanomdm changes up to https://github.com/micromdm/nanomdm/tree/825f2979a2dc28c6cc57bb62aff16737978bd90e - Removed PostgeSQL folder from our nanomdm - Added nanomdm MySQL test job to our CI # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-11-20 17:47:11 +00:00
mdmHandler = httpmdm.CertExtractMdmSignatureMiddleware(mdmHandler, httpmdm.MdmSignatureVerifierFunc(cryptoutil.VerifyMdmSignature),
httpmdm.SigLogWithLogger(mdmLogger.With("handler", "cert-extract")))
Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) Fixes #32331 Manually tested all paths. `/test` path removed in https://github.com/fleetdm/fleet/pull/32962 Also added support for sending errors to OpenTelemetry, like we do for APM/Sentry. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OpenTelemetry tracing across core HTTP endpoints (health, version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM) with dynamic per-request route instrumentation. * Enhanced error reporting to include OpenTelemetry spans/events with contextual user/host attributes. * **Tests** * Added unit tests validating SCIM and error-handling telemetry, span naming, and sensitive-data redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-16 16:10:33 +00:00
mux.Handle(apple_mdm.MDMPath, otel.WrapHandler(mdmHandler, apple_mdm.MDMPath, fleetConfig))
use nanomdm's multi service + integration tests and fixes (#9269) **Use nano's multi service** This allows us to integrate more seamlessly with nano and to run our custom MDM logic _after_ the request was handled by nano, which gives us more flexibility (for example: now we can issue commands after a TokenUpdate message) From nano's code: > MultiService executes multiple services for the same service calls. > The first service returns values or errors to the caller. We give the > first service a chance to alter any 'core' request data (say, the > Enrollment ID) by waiting for it to finish then we run the remaining > services' calls in parallel. **Integration tests + fixes** - Move some of the service logic from `cmd/` to `server/service` - Add integration tests for the MDM enrollment flow, including SCEP authentication. - Fixed a bug that set `host_mdm.mdm_id = 0` during MDM enrollment due to how MySQL reports the last insert id when `ON DUPLICATE KEY` is used. - Completely remove the host row from `host_mdm` when a device is unenrolled from MDM to match the behavior of how we ingest MDM data from osquery Related to https://github.com/fleetdm/fleet/issues/8708, https://github.com/fleetdm/fleet/issues/9034
2023-01-16 20:06:30 +00:00
return nil
}
Apply minimum OS version enforcement to MDM SSO endpoint (#23856)
2024-11-22 15:56:36 +00:00
func WithMDMEnrollmentMiddleware(svc fleet.Service, logger kitlog.Logger, next http.Handler) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
Managed Apple account user enrollment - integrate PoC changes (#30755) Fixes 30636 I am adding a handful of additional unit tests but this is ready for review now. Integrates changes from Victor's PoC for Account Driven User Enrollment including a nice end to end integration test including the SAML portion # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2025-07-15 19:02:11 +00:00
if r.URL.Path != "/mdm/sso" && r.URL.Path != "/account_driven_enroll/sso" {
Improve MDM device-to-user mapping for Apple devices (#29239)
2025-05-19 18:29:46 +00:00
// TODO: redirects for non-SSO config web url?
Apply minimum OS version enforcement to MDM SSO endpoint (#23856)
2024-11-22 15:56:36 +00:00
next.ServeHTTP(w, r)
return
}
// if x-apple-aspen-deviceinfo custom header is present, we need to check for minimum os version
di := r.Header.Get("x-apple-aspen-deviceinfo")
if di != "" {
parsed, err := apple_mdm.ParseDeviceinfo(di, false) // FIXME: use verify=true when we have better parsing for various Apple certs (https://github.com/fleetdm/fleet/issues/20879)
if err != nil {
// just log the error and continue to next
level.Error(logger).Log("msg", "parsing x-apple-aspen-deviceinfo", "err", err)
next.ServeHTTP(w, r)
return
}
Improve MDM device-to-user mapping for Apple devices (#29239)
2025-05-19 18:29:46 +00:00
// TODO: skip os version check if deviceinfo query param is present? or find another way
// to avoid polling the DB and Apple endpoint twice for each enrollment.
Apply minimum OS version enforcement to MDM SSO endpoint (#23856)
2024-11-22 15:56:36 +00:00
sur, err := svc.CheckMDMAppleEnrollmentWithMinimumOSVersion(r.Context(), parsed)
if err != nil {
// just log the error and continue to next
level.Error(logger).Log("msg", "checking minimum os version for mdm", "err", err)
next.ServeHTTP(w, r)
return
}
if sur != nil {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusForbidden)
if err := json.NewEncoder(w).Encode(sur); err != nil {
level.Error(logger).Log("msg", "failed to encode software update required", "err", err)
http.Redirect(w, r, r.URL.String()+"?error=true", http.StatusSeeOther)
}
return
}
Improve MDM device-to-user mapping for Apple devices (#29239)
2025-05-19 18:29:46 +00:00
// TODO: Do non-Apple devices ever use this route? If so, we probably need to change the
// approach below so we don't endlessly redirect non-Apple clients to the same URL.
// if we get here, the minimum os version is satisfied, so we continue with SSO flow
q := r.URL.Query()
v, ok := q["deviceinfo"]
if !ok || len(v) == 0 {
// If the deviceinfo query param is empty, we add the deviceinfo to the URL and
// redirect.
//
// Note: We'll apply this redirect only if query params are empty because want to
// redirect to the same URL with added query params after parsing the x-apple-aspen-deviceinfo
// header. Whenever we see a request with any query params already present, we'll
// skip this step and just continue to the next handler.
newURL := *r.URL
q.Set("deviceinfo", di)
newURL.RawQuery = q.Encode()
level.Info(logger).Log("msg", "handling mdm sso: redirect with deviceinfo", "host_uuid", parsed.UDID, "serial", parsed.Serial)
http.Redirect(w, r, newURL.String(), http.StatusTemporaryRedirect)
return
}
if len(v) > 0 && v[0] != di {
// something is wrong, the device info in the query params does not match
// the one in the header, so we just log the error and continue to next
level.Error(logger).Log("msg", "device info in query params does not match header", "header", di, "query", v[0])
}
level.Info(logger).Log("msg", "handling mdm sso: proceed to next", "host_uuid", parsed.UDID, "serial", parsed.Serial)
Apply minimum OS version enforcement to MDM SSO endpoint (#23856)
2024-11-22 15:56:36 +00:00
}
next.ServeHTTP(w, r)
}
}
Reference in a new issue Copy permalink