Add sandbox fleet serve config (#6619)

* Add sandbox fleet serve config

* Update docs

* Maybe fix lint issues

* Add lint dep

.golangci.yml

@@ -22,7 +22,7 @@ linters-settings:
     include-go-root: false
     packages-with-error-message:
       - github.com/pkg/errors: "use ctxerr if a context.Context is available or stdlib errors.New / fmt.Errorf with the %w verb"
-  
+
   gosec:
     config:
       G306: "0644"
@@ -33,6 +33,7 @@ linters-settings:
     settings:
       ruleguard:
         rules: "./tools/ci/rules.go"
+        failOn: all # NEW
 
   gofmt:
     # simplify code: gofmt with `-s` option, true by default
@@ -81,7 +82,7 @@ issues:
         - gosec
     - path: cmd/fleetctl/preview.go
       linters:
-        - gosec  
+        - gosec
     # Orbit gosec exclusions https://github.com/fleetdm/fleet/issues/4452
     - path: orbit/pkg/update/update.go
       linters:
@@ -109,10 +110,10 @@ issues:
         - gosec
     - path: pkg/certificate/certificate.go
       linters:
-        - gosec 
+        - gosec
     - path: pkg/download/download.go
       linters:
-        - gosec  
+        - gosec
     # server gosec exclusions https://github.com/fleetdm/fleet/issues/4455
     - path: server/mail/mail.go
       linters:
@@ -164,10 +165,10 @@ issues:
         - gosec
     - path: server/logging/kinesis_test.go
       linters:
-        - gosec    
+        - gosec
     - path: server/config/config.go
       linters:
-        - gosec  
+        - gosec
     - path: server/datastore/redis/ratelimit_store.go
       linters:
         - gosec
@@ -182,19 +183,19 @@ issues:
         - gosec
     - path: server/service/client.go
       linters:
-        - gosec  
+        - gosec
     - path: server/service/users.go
       linters:
-        - gosec    
+        - gosec
     - path: server/service/appconfig_test.go
       linters:
-        - gosec        
+        - gosec
     - path: server/service/service_campaign_test.go
       linters:
-        - gosec  
+        - gosec
     - path: server/datastore/mysql/software_test.go
       linters:
-        - gosec  
+        - gosec
     # tools gosec exclusions https://github.com/fleetdm/fleet/issues/4456
     - path: tools/dbutils/schema_generator.go
       linters:

Makefile

@@ -183,6 +183,7 @@ deps-js:
 
 deps-go:
 	go mod download
+	go get github.com/quasilyte/go-ruleguard/dsl
 
 migration:
 	go run github.com/fleetdm/goose/cmd/goose -dir server/datastore/mysql/migrations/tables create $(name)

changes/issue-6597-add-sandbox-config

@@ -0,0 +1 @@
+	* Add a new fleet serve configuration to define whether fleet is running in sandbox mode or not

docs/Using-Fleet/REST-API.md

@@ -824,6 +824,7 @@ None.
     "org_name": "fleet",
     "org_logo_url": ""
   },
+  "sandbox_enabled": true,
   "server_settings": {
     "server_url": "https://localhost:8080",
     "live_query_disabled": false,

go.mod

@@ -239,6 +239,7 @@ require (
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/quasilyte/go-ruleguard/dsl v0.3.21 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
 	github.com/rogpeppe/go-internal v1.8.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect

go.sum

@@ -1474,6 +1474,8 @@ github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1
 github.com/prometheus/procfs v0.7.3 h1:4jVXhlkAyzOScmCkXBTOLRLTz8EeU+eyjrwB/EPq0VU=
 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/quasilyte/go-ruleguard/dsl v0.3.21 h1:vNkC6fC6qMLzCOGbnIHOd5ixUGgTbp3Z4fGnUgULlDA=
+github.com/quasilyte/go-ruleguard/dsl v0.3.21/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ=
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=

server/config/config.go

@@ -76,13 +76,14 @@ const (
 
 // ServerConfig defines configs related to the Fleet server
 type ServerConfig struct {
-	Address    string
-	Cert       string
-	Key        string
-	TLS        bool
-	TLSProfile string `yaml:"tls_compatibility"`
-	URLPrefix  string `yaml:"url_prefix"`
-	Keepalive  bool   `yaml:"keepalive"`
+	Address        string
+	Cert           string
+	Key            string
+	TLS            bool
+	TLSProfile     string `yaml:"tls_compatibility"`
+	URLPrefix      string `yaml:"url_prefix"`
+	Keepalive      bool   `yaml:"keepalive"`
+	SandboxEnabled bool   `yaml:"sandbox_enabled"`
 }
 
 // AuthConfig defines configs related to user authorization
@@ -449,7 +450,9 @@ func (man Manager) addConfigs() {
 	man.addConfigString("server.url_prefix", "",
 		"URL prefix used on server and frontend endpoints")
 	man.addConfigBool("server.keepalive", true,
-		"Controls wether HTTP keep-alives are enabled.")
+		"Controls whether HTTP keep-alives are enabled.")
+	man.addConfigBool("server.sandbox_enabled", false,
+		"When enabled, Fleet limits some features for the Sandbox")
 
 	// Auth
 	man.addConfigInt("auth.bcrypt_cost", 12,
@@ -694,13 +697,14 @@ func (man Manager) LoadConfig() FleetConfig {
 			ReadTimeout:               man.getConfigDuration("redis.read_timeout"),
 		},
 		Server: ServerConfig{
-			Address:    man.getConfigString("server.address"),
-			Cert:       man.getConfigString("server.cert"),
-			Key:        man.getConfigString("server.key"),
-			TLS:        man.getConfigBool("server.tls"),
-			TLSProfile: man.getConfigTLSProfile(),
-			URLPrefix:  man.getConfigString("server.url_prefix"),
-			Keepalive:  man.getConfigBool("server.keepalive"),
+			Address:        man.getConfigString("server.address"),
+			Cert:           man.getConfigString("server.cert"),
+			Key:            man.getConfigString("server.key"),
+			TLS:            man.getConfigBool("server.tls"),
+			TLSProfile:     man.getConfigTLSProfile(),
+			URLPrefix:      man.getConfigString("server.url_prefix"),
+			Keepalive:      man.getConfigBool("server.keepalive"),
+			SandboxEnabled: man.getConfigBool("server.sandbox_enabled"),
 		},
 		Auth: AuthConfig{
 			BcryptCost:  man.getConfigInt("auth.bcrypt_cost"),

server/fleet/service.go

@@ -285,6 +285,7 @@ type Service interface {
 	NewAppConfig(ctx context.Context, p AppConfig) (info *AppConfig, err error)
 	AppConfig(ctx context.Context) (info *AppConfig, err error)
 	ModifyAppConfig(ctx context.Context, p []byte) (info *AppConfig, err error)
+	SandboxEnabled() bool
 
 	// ApplyEnrollSecretSpec adds and updates the enroll secrets specified in the spec.
 	ApplyEnrollSecretSpec(ctx context.Context, spec *EnrollSecretSpec) error

server/service/appconfig.go

@@ -33,7 +33,10 @@ type appConfigResponse struct {
 	License *fleet.LicenseInfo `json:"license,omitempty"`
 	// Logging is loaded on the fly rather than from the database.
 	Logging *fleet.Logging `json:"logging,omitempty"`
-	Err     error          `json:"error,omitempty"`
+	// SandboxEnabled is true if fleet serve was ran with server.sandbox_enabled=true
+	SandboxEnabled bool `json:"sandbox_enabled,omitempty"`
+
+	Err error `json:"error,omitempty"`
 }
 
 func (r appConfigResponse) error() error { return r.Err }
@@ -105,10 +108,15 @@ func getAppConfigEndpoint(ctx context.Context, request interface{}, svc fleet.Se
 		Vulnerabilities: vulnConfig,
 		License:         license,
 		Logging:         loggingConfig,
+		SandboxEnabled:  svc.SandboxEnabled(),
 	}
 	return response, nil
 }
 
+func (svc *Service) SandboxEnabled() bool {
+	return svc.config.Server.SandboxEnabled
+}
+
 func (svc *Service) AppConfig(ctx context.Context) (*fleet.AppConfig, error) {
 	if !svc.authz.IsAuthenticatedWith(ctx, authz_ctx.AuthnDeviceToken) {
 		if err := svc.authz.Authorize(ctx, &fleet.AppConfig{}, fleet.ActionRead); err != nil {