Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-24 09:28:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 30

Add "generate-gitops" command (#28555)

Browse source 
For #27476

# Checklist for submitter

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)

# Details

This PR adds a new command `generate-gitops` to the `fleetctl` tool. The
purpose of this command is to output GitOps-ready files that can then be
used with `fleetctl-gitops`.

The general usage of the command is:

```
fleectl generate-gitops --dir /path/to/dir/to/add/files/to
```

By default, the outputted files will not contain sensitive data, but
will instead add comments where the data needs to be replaced by a user.
In cases where sensitive data is redacted, the tool outputs warnings to
the user indicating which keys need to be updated.

The tool uses existing APIs to gather data for use in generating
configuration files. In some cases new API client methods needed to be
added to support the tool:

* ListConfigurationProfiles
* GetProfileContents
* GetScriptContents
* GetSoftwareTitleByID

Additionally, the response for the /api/latest/fleet/software/batch
endpoint was updated slightly to return `HashSHA256` for the software
installers. This allows policies that automatically install software to
refer to that software by hash.

Other options that we may or may not choose to document at this time:

* `--insecure`: outputs sensitive data in plaintext instead of leaving
comments
* `--print`: prints the output to stdout instead of writing files
* `--key`: outputs the value at a keypath to stdout, e.g. `--key
agent_options.config`
* `--team`: only generates config for the specified team name
* `--force`: overwrites files in the given directory (defaults to false,
which errors if the dir is not empty)

# Technical notes

The command is implemented using a `GenerateGitopsCommand` type which
holds some state (like a list of software and scripts encountered) as
well as a Fleet client instance (which may be a mock instance for tests)
and the CLI context (containing things like flags and output writers).
The actual "action" of the CLI command calls the `Run()` method of the
`GenerateGitopsCommand` var, which delegates most of the work to other
methods like `generateOrgSettings()`, `generateControls()`, etc.

Wherever possible, the subroutines use reflection to translate Go struct
fields into JSON property names. This guarantees that the correct keys
are written to config files, and protects against the unlikely event of
keys changing.

When sensitive data is encountered, the subroutines call `AddComment()`
to get a new token to add to the config files. These tokens are replaced
with comments like `# TODO - Add your enrollment secrets here` in the
final output.

# Known issues / TODOs:

* The `macos_setup` configuration is not output by this tool yet. More
planning is required for this. In the meantime, if the tool detects that
`macos_setup` is configured on the server, it outputs a key with an
invalid value and prints a warning to the user that they'll need to
configure it themselves.
* `yara_rules` are not output yet. The tool adds a warning that if you
have Yara rules (which you can only upload via GitOps right now) that
you'll have to migrate them manually. Supporting this will require a new
API that we'll have to discuss the authz for, so punting on it for now.
* Fleet maintained apps are not supported by GitOps yet (coming in
https://github.com/fleetdm/fleet/issues/24469). In the meantime, this
tool will output a `fleet_maintained_apps` key and trigger a warning,
and GitOps will fail if that key is present.

---------

Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
This commit is contained in:
Scott Gress 2025-05-06 15:25:44 -05:00 committed by GitHub
parent 07869b8ad4
commit d716265641
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
42 changed files with 3816 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
changes/27476-add-generate-gitops-cmd Normal file
View file

@ -0,0 +1 @@
- Added "generate-gitops" command to fleetctl

1
cmd/fleetctl/fleetctl.go
View file

@ -110,6 +110,7 @@ func createApp(
upgradePacksCommand(),
runScriptCommand(),
gitopsCommand(),
generateGitopsCommand(),
}
return app
}

1294
cmd/fleetctl/generate_gitops.go Normal file
View file

File diff suppressed because it is too large Load diff

948
cmd/fleetctl/generate_gitops_test.go Normal file
View file

@ -0,0 +1,948 @@
// filepath: cmd/fleetctl/generate_gitops_test.go
package main
import (
"bytes"
"encoding/json"
"errors"
"flag"
"fmt"
"os"
"path/filepath"
"testing"
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/fleetdm/fleet/v4/server/ptr"
"github.com/ghodss/yaml"
"github.com/google/uuid"
"github.com/stretchr/testify/require"
"github.com/urfave/cli/v2"
)
type MockClient struct {
IsFree bool
}
func (c *MockClient) GetAppConfig() (*fleet.EnrichedAppConfig, error) {
b, err := os.ReadFile("./testdata/generateGitops/appConfig.json")
if err != nil {
return nil, err
}
var appConfig fleet.EnrichedAppConfig
if err := json.Unmarshal(b, &appConfig); err != nil {
return nil, err
}
if c.IsFree == true {
appConfig.License.Tier = fleet.TierFree
}
return &appConfig, nil
}
func (MockClient) GetEnrollSecretSpec() (*fleet.EnrollSecretSpec, error) {
spec := &fleet.EnrollSecretSpec{
Secrets: []*fleet.EnrollSecret{
{
Secret: "some-secret-number-one",
},
{
Secret: "some-secret-number-two",
},
},
}
return spec, nil
}
func (MockClient) ListTeams(query string) ([]fleet.Team, error) {
b, err := os.ReadFile("./testdata/generateGitops/teamConfig.json")
if err != nil {
return nil, err
}
var config fleet.TeamConfig
if err := json.Unmarshal(b, &config); err != nil {
return nil, err
}
teams := []fleet.Team{
{
ID: 1,
Name: "Team A",
Config: config,
Secrets: []*fleet.EnrollSecret{
{
Secret: "some-team-secret",
},
},
},
}
return teams, nil
}
func (MockClient) ListScripts(query string) ([]*fleet.Script, error) {
switch query {
case "team_id=1":
return []*fleet.Script{{
ID: 2,
TeamID: ptr.Uint(1),
Name: "Script B.ps1",
ScriptContentID: 2,
}}, nil
case "team_id=0":
return []*fleet.Script{{
ID: 3,
TeamID: ptr.Uint(0),
Name: "Script Z.ps1",
ScriptContentID: 3,
}}, nil
default:
return nil, fmt.Errorf("unexpected query: %s", query)
}
}
func (MockClient) ListConfigurationProfiles(teamID *uint) ([]*fleet.MDMConfigProfilePayload, error) {
if teamID == nil {
return []*fleet.MDMConfigProfilePayload{
{
ProfileUUID: "global-macos-mobileconfig-profile-uuid",
Name: "Global MacOS MobileConfig Profile",
Platform: "darwin",
Identifier: "com.example.global-macos-mobileconfig-profile",
LabelsIncludeAll: []fleet.ConfigurationProfileLabel{{
LabelName: "Label A",
}, {
LabelName: "Label B",
}},
},
{
ProfileUUID: "global-macos-json-profile-uuid",
Name: "Global MacOS JSON Profile",
Platform: "darwin",
Identifier: "com.example.global-macos-json-profile",
LabelsExcludeAny: []fleet.ConfigurationProfileLabel{{
LabelName: "Label C",
}},
},
{
ProfileUUID: "global-windows-profile-uuid",
Name: "Global Windows Profile",
Platform: "windows",
Identifier: "com.example.global-windows-profile",
LabelsIncludeAny: []fleet.ConfigurationProfileLabel{{
LabelName: "Label D",
}},
},
}, nil
}
if *teamID == 1 {
return []*fleet.MDMConfigProfilePayload{
{
ProfileUUID: "test-mobileconfig-profile-uuid",
Name: "Team MacOS MobileConfig Profile",
Platform: "darwin",
Identifier: "com.example.team-macos-mobileconfig-profile",
},
}, nil
}
if *teamID == 0 {
return nil, nil
}
return nil, fmt.Errorf("unexpected team ID: %v", *teamID)
}
func (MockClient) GetScriptContents(scriptID uint) ([]byte, error) {
if scriptID == 2 {
return []byte("pop goes the weasel!"), nil
}
if scriptID == 3 {
return []byte("#!/usr/bin/env pwsh\necho \"Hello from Script B!\""), nil
}
return nil, errors.New("script not found")
}
func (MockClient) GetProfileContents(profileID string) ([]byte, error) {
switch profileID {
case "global-macos-mobileconfig-profile-uuid":
return []byte("<xml>global macos mobileconfig profile</xml>"), nil
case "global-macos-json-profile-uuid":
return []byte(`{"profile": "global macos json profile"}`), nil
case "global-windows-profile-uuid":
return []byte("<xml>global windows profile</xml>"), nil
case "test-mobileconfig-profile-uuid":
return []byte("<xml>test mobileconfig profile</xml>"), nil
}
return nil, errors.New("profile not found")
}
func (MockClient) GetTeam(teamID uint) (*fleet.Team, error) {
if teamID == 1 {
b, err := os.ReadFile("./testdata/generateGitops/teamConfig.json")
if err != nil {
return nil, err
}
var config fleet.TeamConfig
if err := json.Unmarshal(b, &config); err != nil {
return nil, err
}
return &fleet.Team{
ID: 1,
Name: "Test Team",
Config: config,
Secrets: []*fleet.EnrollSecret{
{
Secret: "some-team-secret",
},
},
}, nil
}
return nil, errors.New("team not found")
}
func (MockClient) ListSoftwareTitles(query string) ([]fleet.SoftwareTitleListResult, error) {
switch query {
case "available_for_install=1&team_id=1":
return []fleet.SoftwareTitleListResult{
{
ID: 1,
Name: "My Software Package",
Versions: []fleet.SoftwareVersion{{
ID: 1,
Version: "1.0.0",
}, {
ID: 2,
Version: "2.0.0",
}},
HashSHA256: ptr.String("software-package-hash"),
SoftwarePackage: &fleet.SoftwarePackageOrApp{
Name: "my-software.pkg",
Platform: "darwin",
},
},
{
ID: 2,
Name: "My App Store App",
Versions: []fleet.SoftwareVersion{{
ID: 3,
Version: "5.6.7",
}, {
ID: 4,
Version: "8.9.10",
}},
AppStoreApp: &fleet.SoftwarePackageOrApp{
AppStoreID: "com.example.team-software",
},
HashSHA256: ptr.String("app-store-app-hash"),
},
}, nil
case "available_for_install=1&team_id=0":
return []fleet.SoftwareTitleListResult{}, nil
default:
return nil, fmt.Errorf("unexpected query: %s", query)
}
}
func (MockClient) GetPolicies(teamID *uint) ([]*fleet.Policy, error) {
if teamID == nil {
return []*fleet.Policy{
{
PolicyData: fleet.PolicyData{
ID: 1,
Name: "Global Policy",
Query: "SELECT * FROM global_policy WHERE id = 1",
Resolution: ptr.String("Do a global thing"),
Description: "This is a global policy",
Platform: "darwin",
LabelsIncludeAny: []fleet.LabelIdent{{
LabelName: "Label A",
}, {
LabelName: "Label B",
}},
},
InstallSoftware: &fleet.PolicySoftwareTitle{
SoftwareTitleID: 1,
},
},
}, nil
}
return []*fleet.Policy{
{
PolicyData: fleet.PolicyData{
ID: 1,
Name: "Team Policy",
Query: "SELECT * FROM team_policy WHERE id = 1",
Resolution: ptr.String("Do a team thing"),
Description: "This is a team policy",
Platform: "linux,windows",
},
RunScript: &fleet.PolicyScript{
ID: 1,
},
},
}, nil
}
func (MockClient) GetQueries(teamID *uint, name *string) ([]fleet.Query, error) {
if teamID == nil {
return []fleet.Query{
{
ID: 1,
Name: "Global Query",
Query: "SELECT * FROM global_query WHERE id = 1",
Description: "This is a global query",
Platform: "darwin",
Interval: 3600,
ObserverCanRun: true,
AutomationsEnabled: true,
LabelsIncludeAny: []fleet.LabelIdent{{
LabelName: "Label A",
}, {
LabelName: "Label B",
}},
MinOsqueryVersion: "1.2.3",
Logging: "stdout",
},
}, nil
}
return []fleet.Query{
{
ID: 1,
Name: "Team Query",
Query: "SELECT * FROM team_query WHERE id = 1",
Description: "This is a team query",
Platform: "linux,windows",
Interval: 1800,
ObserverCanRun: false,
AutomationsEnabled: true,
MinOsqueryVersion: "4.5.6",
Logging: "stderr",
},
}, nil
}
//nolint:gocritic // ignore captLocal
func (MockClient) GetSoftwareTitleByID(ID uint, teamID *uint) (*fleet.SoftwareTitle, error) {
switch ID {
case 1:
if *teamID != 1 {
return nil, errors.New("team ID mismatch")
}
return &fleet.SoftwareTitle{
ID: 1,
SoftwarePackage: &fleet.SoftwareInstaller{
LabelsIncludeAny: []fleet.SoftwareScopeLabel{{
LabelName: "Label A",
}, {
LabelName: "Label B",
}},
PreInstallQuery: "SELECT * FROM pre_install_query",
InstallScript: "foo",
PostInstallScript: "bar",
UninstallScript: "baz",
SelfService: true,
Platform: "darwin",
},
}, nil
case 2:
if *teamID != 1 {
return nil, errors.New("team ID mismatch")
}
return &fleet.SoftwareTitle{
ID: 2,
AppStoreApp: &fleet.VPPAppStoreApp{
LabelsExcludeAny: []fleet.SoftwareScopeLabel{{
LabelName: "Label C",
}, {
LabelName: "Label D",
}},
},
}, nil
default:
return nil, errors.New("software title not found")
}
}
func (MockClient) GetLabels() ([]*fleet.LabelSpec, error) {
return []*fleet.LabelSpec{{
Name: "Label A",
Platform: "linux,macos",
Description: "Label A description",
LabelMembershipType: fleet.LabelMembershipTypeDynamic,
Query: "SELECT * FROM osquery_info",
}, {
Name: "Label B",
Description: "Label B description",
LabelMembershipType: fleet.LabelMembershipTypeManual,
Hosts: []string{"host1", "host2"},
}}, nil
}
func (MockClient) Me() (*fleet.User, error) {
return &fleet.User{
ID: 1,
Name: "Test User",
Email: "test@example.com",
GlobalRole: ptr.String("admin"),
}, nil
}
func compareDirs(t *testing.T, sourceDir, targetDir string) {
err := filepath.WalkDir(sourceDir, func(srcPath string, d os.DirEntry, walkErr error) error {
if d.IsDir() {
return nil
}
relPath, err := filepath.Rel(sourceDir, srcPath)
require.NoError(t, err, "Error getting relative path: %v", err)
tgtPath := filepath.Join(targetDir, relPath)
targetInfo, err := os.Stat(tgtPath)
require.NoError(t, err, "Error getting target file info: %v", err)
require.False(t, targetInfo.IsDir(), "Expected file but found directory: %s", tgtPath)
srcData, err := os.ReadFile(srcPath)
require.NoError(t, err, "Error reading source file: %v", err)
tgtData, err := os.ReadFile(tgtPath)
require.NoError(t, err, "Error reading target file: %v", err)
require.Equal(t, string(srcData), string(tgtData), "File contents do not match for %s", relPath)
return nil
})
if err != nil {
t.Fatalf("Error walking source directory: %v", err)
}
}
func TestGenerateGitops(t *testing.T) {
fleetClient := &MockClient{}
action := createGenerateGitopsAction(fleetClient)
buf := new(bytes.Buffer)
tempDir := os.TempDir() + "/" + uuid.New().String()
flagSet := flag.NewFlagSet("test", flag.ContinueOnError)
flagSet.String("dir", tempDir, "")
cliContext := cli.NewContext(&cli.App{
Name: "test",
Usage: "test",
Writer: buf,
ErrWriter: buf,
}, flagSet, nil)
err := action(cliContext)
require.NoError(t, err, buf.String())
compareDirs(t, "./testdata/generateGitops/test_dir_premium", tempDir)
t.Cleanup(func() {
if err := os.RemoveAll(tempDir); err != nil {
t.Fatalf("failed to remove temp dir: %v", err)
}
})
}
func TestGenerateGitopsFree(t *testing.T) {
fleetClient := &MockClient{}
fleetClient.IsFree = true
action := createGenerateGitopsAction(fleetClient)
buf := new(bytes.Buffer)
tempDir := os.TempDir() + "/" + uuid.New().String()
flagSet := flag.NewFlagSet("test", flag.ContinueOnError)
flagSet.String("dir", tempDir, "")
cliContext := cli.NewContext(&cli.App{
Name: "test",
Usage: "test",
Writer: buf,
ErrWriter: buf,
}, flagSet, nil)
err := action(cliContext)
require.NoError(t, err, buf.String())
compareDirs(t, "./testdata/generateGitops/test_dir_free", tempDir)
t.Cleanup(func() {
if err := os.RemoveAll(tempDir); err != nil {
t.Fatalf("failed to remove temp dir: %v", err)
}
})
}
func TestGenerateOrgSettings(t *testing.T) {
// Get the test app config.
fleetClient := &MockClient{}
appConfig, err := fleetClient.GetAppConfig()
require.NoError(t, err)
// Create the command.
cmd := &GenerateGitopsCommand{
Client: fleetClient,
CLI: cli.NewContext(&cli.App{}, nil, nil),
Messages: Messages{},
FilesToWrite: make(map[string]interface{}),
AppConfig: appConfig,
}
// Generate the org settings.
// Note that nested keys here may be strings,
// so we'll JSON marshal and unmarshal to a map for comparison.
orgSettingsRaw, err := cmd.generateOrgSettings()
require.NoError(t, err)
require.NotNil(t, orgSettingsRaw)
var orgSettings map[string]interface{}
b, err := yaml.Marshal(orgSettingsRaw)
require.NoError(t, err)
fmt.Println("Org settings raw:\n", string(b)) // Debugging line
err = yaml.Unmarshal(b, &orgSettings)
require.NoError(t, err)
// Get the expected org settings YAML.
b, err = os.ReadFile("./testdata/generateGitops/expectedOrgSettings.yaml")
require.NoError(t, err)
var expectedAppConfig map[string]interface{}
err = yaml.Unmarshal(b, &expectedAppConfig)
require.NoError(t, err)
// Compare.
require.Equal(t, expectedAppConfig, orgSettings)
}
func TestGenerateOrgSettingsInsecure(t *testing.T) {
// Get the test app config.
fleetClient := &MockClient{}
appConfig, err := fleetClient.GetAppConfig()
require.NoError(t, err)
flagSet := flag.NewFlagSet("test", flag.ContinueOnError)
flagSet.Bool("insecure", true, "Output sensitive information in plaintext.")
// Create the command.
cmd := &GenerateGitopsCommand{
Client: fleetClient,
CLI: cli.NewContext(&cli.App{}, flagSet, nil),
Messages: Messages{},
FilesToWrite: make(map[string]interface{}),
AppConfig: appConfig,
}
// Generate the org settings.
// Note that nested keys here may be strings,
// so we'll JSON marshal and unmarshal to a map for comparison.
orgSettingsRaw, err := cmd.generateOrgSettings()
require.NoError(t, err)
require.NotNil(t, orgSettingsRaw)
var orgSettings map[string]interface{}
b, err := yaml.Marshal(orgSettingsRaw)
require.NoError(t, err)
fmt.Println("Org settings raw:\n", string(b)) // Debugging line
err = yaml.Unmarshal(b, &orgSettings)
require.NoError(t, err)
// Get the expected org settings YAML.
b, err = os.ReadFile("./testdata/generateGitops/expectedOrgSettings-insecure.yaml")
require.NoError(t, err)
var expectedAppConfig map[string]interface{}
err = yaml.Unmarshal(b, &expectedAppConfig)
require.NoError(t, err)
// Compare.
require.Equal(t, expectedAppConfig, orgSettings)
}
func TestGenerateTeamSettings(t *testing.T) {
// Get the test team.
fleetClient := &MockClient{}
team, err := fleetClient.GetTeam(1)
require.NoError(t, err)
// Create the command.
cmd := &GenerateGitopsCommand{
Client: fleetClient,
CLI: cli.NewContext(&cli.App{}, nil, nil),
Messages: Messages{},
FilesToWrite: make(map[string]interface{}),
AppConfig: nil,
}
// Generate the org settings.
// Note that nested keys here may be strings,
// so we'll JSON marshal and unmarshal to a map for comparison.
TeamSettingsRaw, err := cmd.generateTeamSettings("team.yml", team)
require.NoError(t, err)
require.NotNil(t, TeamSettingsRaw)
var TeamSettings map[string]interface{}
b, err := yaml.Marshal(TeamSettingsRaw)
require.NoError(t, err)
fmt.Println("Team settings raw:\n", string(b)) // Debugging line
err = yaml.Unmarshal(b, &TeamSettings)
require.NoError(t, err)
// Get the expected org settings YAML.
b, err = os.ReadFile("./testdata/generateGitops/expectedTeamSettings.yaml")
require.NoError(t, err)
var expectedAppConfig map[string]interface{}
err = yaml.Unmarshal(b, &expectedAppConfig)
require.NoError(t, err)
// Compare.
require.Equal(t, expectedAppConfig, TeamSettings)
}
func TestGenerateTeamSettingsInsecure(t *testing.T) {
// Get the test team.
fleetClient := &MockClient{}
team, err := fleetClient.GetTeam(1)
require.NoError(t, err)
flagSet := flag.NewFlagSet("test", flag.ContinueOnError)
flagSet.Bool("insecure", true, "Output sensitive information in plaintext.")
// Create the command.
cmd := &GenerateGitopsCommand{
Client: fleetClient,
CLI: cli.NewContext(&cli.App{}, flagSet, nil),
Messages: Messages{},
FilesToWrite: make(map[string]interface{}),
AppConfig: nil,
}
// Generate the org settings.
// Note that nested keys here may be strings,
// so we'll JSON marshal and unmarshal to a map for comparison.
TeamSettingsRaw, err := cmd.generateTeamSettings("team.yml", team)
require.NoError(t, err)
require.NotNil(t, TeamSettingsRaw)
var TeamSettings map[string]interface{}
b, err := yaml.Marshal(TeamSettingsRaw)
require.NoError(t, err)
fmt.Println("Team settings raw:\n", string(b)) // Debugging line
err = yaml.Unmarshal(b, &TeamSettings)
require.NoError(t, err)
// Get the expected org settings YAML.
b, err = os.ReadFile("./testdata/generateGitops/expectedTeamSettings-insecure.yaml")
require.NoError(t, err)
var expectedAppConfig map[string]interface{}
err = yaml.Unmarshal(b, &expectedAppConfig)
require.NoError(t, err)
// Compare.
require.Equal(t, expectedAppConfig, TeamSettings)
}
func TestGenerateControls(t *testing.T) {
// Get the test app config.
fleetClient := &MockClient{}
appConfig, err := fleetClient.GetAppConfig()
require.NoError(t, err)
// Create the command.
cmd := &GenerateGitopsCommand{
Client: fleetClient,
CLI: cli.NewContext(cli.NewApp(), nil, nil),
Messages: Messages{},
FilesToWrite: make(map[string]interface{}),
AppConfig: appConfig,
ScriptList: make(map[uint]string),
}
// Generate global controls.
// Note that nested keys here may be strings,
// so we'll JSON marshal and unmarshal to a map for comparison.
mdmConfig := fleet.TeamMDM{
EnableDiskEncryption: appConfig.MDM.EnableDiskEncryption.Value,
MacOSUpdates: appConfig.MDM.MacOSUpdates,
IOSUpdates: appConfig.MDM.IOSUpdates,
IPadOSUpdates: appConfig.MDM.IPadOSUpdates,
WindowsUpdates: appConfig.MDM.WindowsUpdates,
MacOSSetup: appConfig.MDM.MacOSSetup,
}
controlsRaw, err := cmd.generateControls(nil, "", &mdmConfig)
require.NoError(t, err)
require.NotNil(t, controlsRaw)
var controls map[string]interface{}
b, err := yaml.Marshal(controlsRaw)
require.NoError(t, err)
fmt.Println("Controls raw:\n", string(b)) // Debugging line
err = yaml.Unmarshal(b, &controls)
require.NoError(t, err)
// Get the expected org settings YAML.
b, err = os.ReadFile("./testdata/generateGitops/expectedGlobalControls.yaml")
require.NoError(t, err)
var expectedControls map[string]interface{}
err = yaml.Unmarshal(b, &expectedControls)
require.NoError(t, err)
// Compare.
require.Equal(t, expectedControls, controls)
// Generate controls for a team.
// Note that nested keys here may be strings,
// so we'll JSON marshal and unmarshal to a map for comparison.
controlsRaw, err = cmd.generateControls(ptr.Uint(1), "some_team", nil)
require.NoError(t, err)
require.NotNil(t, controlsRaw)
b, err = yaml.Marshal(controlsRaw)
require.NoError(t, err)
fmt.Println("Controls raw:\n", string(b)) // Debugging line
err = yaml.Unmarshal(b, &controls)
require.NoError(t, err)
// Get the expected org settings YAML.
b, err = os.ReadFile("./testdata/generateGitops/expectedTeamControls.yaml")
require.NoError(t, err)
err = yaml.Unmarshal(b, &expectedControls)
require.NoError(t, err)
if fileContents, ok := cmd.FilesToWrite["lib/profiles/global-macos-mobileconfig-profile.mobileconfig"]; ok {
require.Equal(t, "<xml>global macos mobileconfig profile</xml>", fileContents)
} else {
t.Fatalf("Expected file not found")
}
if fileContents, ok := cmd.FilesToWrite["lib/profiles/global-macos-json-profile.json"]; ok {
require.Equal(t, `{"profile": "global macos json profile"}`, fileContents)
} else {
t.Fatalf("Expected file not found")
}
if fileContents, ok := cmd.FilesToWrite["lib/profiles/global-windows-profile.xml"]; ok {
require.Equal(t, "<xml>global windows profile</xml>", fileContents)
} else {
t.Fatalf("Expected file not found")
}
if fileContents, ok := cmd.FilesToWrite["lib/some_team/profiles/team-macos-mobileconfig-profile.mobileconfig"]; ok {
require.Equal(t, "<xml>test mobileconfig profile</xml>", fileContents)
} else {
t.Fatalf("Expected file not found")
}
if fileContents, ok := cmd.FilesToWrite["lib/some_team/scripts/Script B.ps1"]; ok {
require.Equal(t, "pop goes the weasel!", fileContents)
} else {
t.Fatalf("Expected file not found")
}
// Compare.
require.Equal(t, expectedControls, controls)
}
func TestGenerateSoftware(t *testing.T) {
// Get the test app config.
fleetClient := &MockClient{}
appConfig, err := fleetClient.GetAppConfig()
require.NoError(t, err)
// Create the command.
cmd := &GenerateGitopsCommand{
Client: fleetClient,
CLI: cli.NewContext(cli.NewApp(), nil, nil),
Messages: Messages{},
FilesToWrite: make(map[string]interface{}),
AppConfig: appConfig,
SoftwareList: make(map[uint]Software),
}
softwareRaw, err := cmd.generateSoftware("team.yml", 1, "some-team")
require.NoError(t, err)
require.NotNil(t, softwareRaw)
var software map[string]interface{}
b, err := yaml.Marshal(softwareRaw)
require.NoError(t, err)
fmt.Println("software raw:\n", string(b)) // Debugging line
err = yaml.Unmarshal(b, &software)
require.NoError(t, err)
// Get the expected org settings YAML.
b, err = os.ReadFile("./testdata/generateGitops/expectedTeamSoftware.yaml")
require.NoError(t, err)
var expectedSoftware map[string]interface{}
err = yaml.Unmarshal(b, &expectedSoftware)
require.NoError(t, err)
// Compare.
require.Equal(t, expectedSoftware, software)
if fileContents, ok := cmd.FilesToWrite["lib/some-team/scripts/my-software-package-darwin-install"]; ok {
require.Equal(t, "foo", fileContents)
} else {
t.Fatalf("Expected file not found")
}
if fileContents, ok := cmd.FilesToWrite["lib/some-team/scripts/my-software-package-darwin-postinstall"]; ok {
require.Equal(t, "bar", fileContents)
} else {
t.Fatalf("Expected file not found")
}
if fileContents, ok := cmd.FilesToWrite["lib/some-team/scripts/my-software-package-darwin-uninstall"]; ok {
require.Equal(t, "baz", fileContents)
} else {
t.Fatalf("Expected file not found")
}
if fileContents, ok := cmd.FilesToWrite["lib/some-team/queries/my-software-package-darwin-preinstallquery.yml"]; ok {
require.Equal(t, []map[string]interface{}{{
"query": "SELECT * FROM pre_install_query",
}}, fileContents)
} else {
t.Fatalf("Expected file not found")
}
}
func TestGeneratePolicies(t *testing.T) {
// Get the test app config.
fleetClient := &MockClient{}
appConfig, err := fleetClient.GetAppConfig()
require.NoError(t, err)
// Create the command.
cmd := &GenerateGitopsCommand{
Client: fleetClient,
CLI: cli.NewContext(cli.NewApp(), nil, nil),
Messages: Messages{},
FilesToWrite: make(map[string]interface{}),
AppConfig: appConfig,
SoftwareList: map[uint]Software{
1: {
Hash: "team-software-hash",
Comment: "__TEAM_SOFTWARE_COMMENT_TOKEN__",
},
},
ScriptList: map[uint]string{
1: "/path/to/script1.sh",
},
}
policiesRaw, err := cmd.generatePolicies(nil, "default.yml")
require.NoError(t, err)
require.NotNil(t, policiesRaw)
var policies []map[string]interface{}
b, err := yaml.Marshal(policiesRaw)
require.NoError(t, err)
fmt.Println("policies raw:\n", string(b)) // Debugging line
err = yaml.Unmarshal(b, &policies)
require.NoError(t, err)
// Get the expected org settings YAML.
b, err = os.ReadFile("./testdata/generateGitops/expectedGlobalPolicies.yaml")
require.NoError(t, err)
var expectedPolicies []map[string]interface{}
err = yaml.Unmarshal(b, &expectedPolicies)
require.NoError(t, err)
// Compare.
require.Equal(t, expectedPolicies, policies)
// Generate policies for a team.
// Note that nested keys here may be strings,
// so we'll JSON marshal and unmarshal to a map for comparison.
policiesRaw, err = cmd.generatePolicies(ptr.Uint(1), "some_team")
require.NoError(t, err)
require.NotNil(t, policiesRaw)
b, err = yaml.Marshal(policiesRaw)
require.NoError(t, err)
fmt.Println("policies raw:\n", string(b)) // Debugging line
err = yaml.Unmarshal(b, &policies)
require.NoError(t, err)
// Get the expected org settings YAML.
b, err = os.ReadFile("./testdata/generateGitops/expectedTeamPolicies.yaml")
require.NoError(t, err)
err = yaml.Unmarshal(b, &expectedPolicies)
require.NoError(t, err)
// Compare.
require.Equal(t, expectedPolicies, policies)
}
func TestGenerateQueries(t *testing.T) {
// Get the test app config.
fleetClient := &MockClient{}
appConfig, err := fleetClient.GetAppConfig()
require.NoError(t, err)
// Create the command.
cmd := &GenerateGitopsCommand{
Client: fleetClient,
CLI: cli.NewContext(cli.NewApp(), nil, nil),
Messages: Messages{},
FilesToWrite: make(map[string]interface{}),
AppConfig: appConfig,
}
queriesRaw, err := cmd.generateQueries(nil)
require.NoError(t, err)
require.NotNil(t, queriesRaw)
var queries []map[string]interface{}
b, err := yaml.Marshal(queriesRaw)
require.NoError(t, err)
fmt.Println("queries raw:\n", string(b)) // Debugging line
err = yaml.Unmarshal(b, &queries)
require.NoError(t, err)
// Get the expected org settings YAML.
b, err = os.ReadFile("./testdata/generateGitops/expectedGlobalQueries.yaml")
require.NoError(t, err)
var expectedQueries []map[string]interface{}
err = yaml.Unmarshal(b, &expectedQueries)
require.NoError(t, err)
// Compare.
require.Equal(t, expectedQueries, queries)
// Generate queries for a team.
// Note that nested keys here may be strings,
// so we'll JSON marshal and unmarshal to a map for comparison.
queriesRaw, err = cmd.generateQueries(ptr.Uint(1))
require.NoError(t, err)
require.NotNil(t, queriesRaw)
b, err = yaml.Marshal(queriesRaw)
require.NoError(t, err)
fmt.Println("queries raw:\n", string(b)) // Debugging line
err = yaml.Unmarshal(b, &queries)
require.NoError(t, err)
// Get the expected org settings YAML.
b, err = os.ReadFile("./testdata/generateGitops/expectedTeamQueries.yaml")
require.NoError(t, err)
err = yaml.Unmarshal(b, &expectedQueries)
require.NoError(t, err)
// Compare.
require.Equal(t, expectedQueries, queries)
}
func TestGenerateLabels(t *testing.T) {
// Get the test app config.
fleetClient := &MockClient{}
appConfig, err := fleetClient.GetAppConfig()
require.NoError(t, err)
// Create the command.
cmd := &GenerateGitopsCommand{
Client: fleetClient,
CLI: cli.NewContext(cli.NewApp(), nil, nil),
Messages: Messages{},
FilesToWrite: make(map[string]interface{}),
AppConfig: appConfig,
}
labelsRaw, err := cmd.generateLabels()
require.NoError(t, err)
require.NotNil(t, labelsRaw)
var labels []map[string]interface{}
b, err := yaml.Marshal(labelsRaw)
require.NoError(t, err)
fmt.Println("labels raw:\n", string(b)) // Debugging line
err = yaml.Unmarshal(b, &labels)
require.NoError(t, err)
// Get the expected org settings YAML.
b, err = os.ReadFile("./testdata/generateGitops/expectedLabels.yaml")
require.NoError(t, err)
var expectedlabels []map[string]interface{}
err = yaml.Unmarshal(b, &expectedlabels)
require.NoError(t, err)
// Compare.
require.Equal(t, expectedlabels, labels)
}

308
cmd/fleetctl/testdata/generateGitops/appConfig.json vendored Normal file
View file

@ -0,0 +1,308 @@
{
"update_interval": {
"osquery_detail": 3600000000000,
"osquery_policy": 3600000000000
},
"vulnerabilities": {
"databases_path": "/home/fleet",
"periodicity": 3600000000000,
"cpe_database_url": "",
"cpe_translations_url": "",
"cve_feed_prefix_url": "",
"current_instance_checks": "auto",
"disable_data_sync": false,
"recent_vulnerability_max_age": 2592000000000000,
"disable_win_os_vulnerabilities": false
},
"license": {
"tier": "premium",
"organization": "fleet",
"device_count": 1000000,
"expiration": "2031-10-16T00:00:00Z",
"note": "dogfood env license"
},
"logging": {
"debug": true,
"json": true,
"result": {
"plugin": "firehose",
"config": {
"region": "us-east-2",
"status_stream": "osquery_status",
"result_stream": "osquery_results",
"audit_stream": "fleet_audit"
}
},
"status": {
"plugin": "firehose",
"config": {
"region": "us-east-2",
"status_stream": "osquery_status",
"result_stream": "osquery_results",
"audit_stream": "fleet_audit"
}
},
"audit": {
"plugin": "firehose",
"config": {
"region": "us-east-2",
"status_stream": "osquery_status",
"result_stream": "osquery_results",
"audit_stream": "fleet_audit"
}
}
},
"email": {
"backend": "ses",
"config": {
"region": "",
"source_arn": "some-ses-arn"
}
},
"android_enabled": true,
"org_info": {
"org_name": "Fleet",
"org_logo_url": "http://some-org-logo-url.com",
"org_logo_url_light_background": "http://some-org-logo-url-light-background.com",
"contact_url": "https://fleetdm.com/company/contact"
},
"server_settings": {
"server_url": "https://dogfood.fleetdm.com",
"live_query_disabled": false,
"enable_analytics": true,
"debug_host_ids": [
1,
3
],
"deferred_save_host": false,
"query_reports_disabled": false,
"scripts_disabled": false,
"ai_features_disabled": false,
"query_report_cap": 1
},
"smtp_settings": {
"enable_smtp": false,
"configured": false,
"sender_address": "",
"server": "localhost",
"port": 587,
"authentication_type": "authtype_username_password",
"user_name": "",
"password": "",
"enable_ssl_tls": false,
"authentication_method": "authmethod_plain",
"domain": "",
"verify_ssl_certs": false,
"enable_start_tls": false
},
"host_expiry_settings": {
"host_expiry_enabled": false,
"host_expiry_window": 59995
},
"activity_expiry_settings": {
"activity_expiry_enabled": false,
"activity_expiry_window": 30
},
"features": {
"enable_host_users": true,
"enable_software_inventory": true,
"additional_queries": {
"time": "SELECT * FROM time",
"macs": "SELECT mac FROM interface_details"
},
"detail_query_overrides": {
"users": null,
"mdm": "SELECT enrolled, server_url, installed_from_dep, payload_identifier FROM mdm;"
}
},
"agent_options": {
"config": {
"options": {
"pack_delimiter": "/",
"logger_tls_period": 10,
"distributed_plugin": "tls",
"disable_distributed": false,
"logger_tls_endpoint": "/api/osquery/log",
"distributed_interval": 10,
"distributed_tls_max_attempts": 3
},
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT hostname AS hostname FROM system_info;"
]
}
}
},
"sso_settings": {
"entity_id": "dogfood.fleetdm.com",
"issuer_uri": "https://some-sso-issuer-uri.com",
"metadata": "some-sso-metadata",
"metadata_url": "http://some-sso-metadata-url.com",
"idp_name": "some-idp-name",
"idp_image_url": "http://some-sso-idp-image-url.com",
"enable_sso": true,
"enable_sso_idp_login": false,
"enable_jit_provisioning": true,
"enable_jit_role_sync": false
},
"fleet_desktop": {
"transparency_url": "https://fleetdm.com/transparency"
},
"vulnerability_settings": {
"databases_path": ""
},
"webhook_settings": {
"activities_webhook": {
"enable_activities_webhook": true,
"destination_url": "https://some-activities-webhook-url.com"
},
"host_status_webhook": {
"enable_host_status_webhook": true,
"destination_url": "https://some-host-status-webhook-url.com",
"host_percentage": 20,
"days_count": 5
},
"failing_policies_webhook": {
"enable_failing_policies_webhook": true,
"destination_url": "https://some-failing-policies-webhook-url.com",
"policy_ids": [],
"host_batch_size": 2
},
"vulnerabilities_webhook": {
"enable_vulnerabilities_webhook": true,
"destination_url": "https://some-vulerabilities-webhook-url.com",
"host_batch_size": 3
},
"interval": "6h0m0s"
},
"integrations": {
"jira": [
{
"url": "https://some-jira-url.com",
"username": "some-jira-username",
"api_token": "some-jira-api-token",
"project_key": "some-jira-project-key"
}
],
"zendesk": [
{
"url": "https://some-zendesk-url.com",
"email": "some-zendesk-email@example.com",
"api_token": "some-zendesk-api-token",
"group_id": 123456789
}
],
"google_calendar": [
{
"domain": "fleetdm.com",
"api_key_json": {
"owl": "hoot"
}
}
],
"digicert": [
{
"name": "some-digicert-name",
"url": "https://some-digicert-url.com",
"api_token": "some-digicert-api-token",
"profile_id": "some-digicert-profile-id",
"certificate_common_name": "some-digicert-certificate-common-name",
"certificate_user_principal_names": [
"some-digicert-certificate-user-principal-name",
"some-other-digicert-certificate-user-principal-name"
],
"certificate_seat_id": "some-digicert-certificate-seat-id"
}
],
"ndes_scep_proxy": {
"url": "https://some-ndes-scep-proxy-url.com",
"admin_url": "https://some-ndes-admin-url.com",
"username": "some-ndes-username",
"password": "some-ndes-password"
},
"custom_scep_proxy": [
{
"name": "some-custom-scep-proxy-name",
"url": "https://some-custom-scep-proxy-url.com",
"challenge": "some-custom-scep-proxy-challenge"
}
]
},
"mdm": {
"apple_server_url": "http://some-apple-server-url.com",
"apple_business_manager": [
{
"organization_name": "Fleet Device Management Inc.",
"macos_team": "💻 Workstations",
"ios_team": "📱🏢 Company-owned mobile devices",
"ipados_team": "📱🏢 Company-owned mobile devices"
}
],
"apple_bm_enabled_and_configured": true,
"apple_bm_terms_expired": false,
"enabled_and_configured": true,
"macos_updates": {
"minimum_version": "15.1",
"deadline": "2024-12-31"
},
"ios_updates": {
"minimum_version": "18.1",
"deadline": "2025-12-31"
},
"ipados_updates": {
"minimum_version": "18.2",
"deadline": "2026-12-31"
},
"windows_updates": {
"deadline_days": 5,
"grace_period_days": 2
},
"macos_settings": {
"custom_settings": null
},
"macos_setup": {
"bootstrap_package": "some-bootstrap-package",
"enable_end_user_authentication": true,
"macos_setup_assistant": "",
"enable_release_device_manually": false,
"script": "",
"software": []
},
"macos_migration": {
"enable": true,
"mode": "voluntary",
"webhook_url": "https://some-macos-migration-webhook-url.com"
},
"windows_migration_enabled": true,
"end_user_authentication": {
"entity_id": "some-mdm-entity-id.com",
"issuer_uri": "https://some-mdm-issuer-uri.com",
"metadata": "some-mdm-metadata",
"metadata_url": "http://some-mdm-metadata-url.com",
"idp_name": "some-other-idp-name"
},
"windows_enabled_and_configured": true,
"enable_disk_encryption": true,
"windows_settings": {
"custom_settings": []
},
"volume_purchasing_program": [
{
"location": "Fleet Device Management Inc.",
"teams": [
"💻 Workstations",
"💻🐣 Workstations (canary)",
"📱🏢 Company-owned mobile devices",
"📱🔐 Personal mobile devices"
]
}
],
"android_enabled_and_configured": true
},
"gitops": {
"gitops_mode_enabled": false,
"repository_url": "https://github.com/fleetdm/fleet/tree/main/it-and-security"
},
"scripts": []
}

34
cmd/fleetctl/testdata/generateGitops/expectedGlobalControls.yaml vendored Normal file
View file

@ -0,0 +1,34 @@
macos_settings:
custom_settings:
- labels_include_all:
- Label A
- Label B
path: ./lib/profiles/global-macos-mobileconfig-profile.mobileconfig
- labels_exclude_any:
- Label C
path: ./lib/profiles/global-macos-json-profile.json
windows_settings:
custom_settings:
- labels_include_any:
- Label D
path: ./lib/profiles/global-windows-profile.xml
macos_updates:
minimum_version: "15.1"
deadline: "2024-12-31"
ios_updates:
minimum_version: "18.1"
deadline: "2025-12-31"
ipados_updates:
minimum_version: "18.2"
deadline: "2026-12-31"
windows_updates:
deadline_days: 5
grace_period_days: 2
windows_enabled_and_configured: true
windows_migration_enabled: true
enable_disk_encryption: true
macos_setup: "TODO: update with your macos_setup configuration"
macos_migration: # Available in Fleet Premium
enable: true
mode: voluntary
webhook_url: https://some-macos-migration-webhook-url.com

12
cmd/fleetctl/testdata/generateGitops/expectedGlobalPolicies.yaml vendored Normal file
View file

@ -0,0 +1,12 @@
- calendar_events_enabled: false
critical: false
description: This is a global policy
install_software:
hash_sha256: team-software-hash __TEAM_SOFTWARE_COMMENT_TOKEN__
labels_include_any:
- Label A
- Label B
name: Global Policy
platform: darwin
query: SELECT * FROM global_policy WHERE id = 1
resolution: Do a global thing

13
cmd/fleetctl/testdata/generateGitops/expectedGlobalQueries.yaml vendored Normal file
View file

@ -0,0 +1,13 @@
- automations_enabled: true
logging: stdout
min_osquery_version: 1.2.3
description: This is a global query
interval: 3600
labels_include_any:
- Label A
- Label B
name: Global Query
observer_can_run: true
platform: darwin
query: SELECT * FROM global_query WHERE id = 1
discard_data: false

11
cmd/fleetctl/testdata/generateGitops/expectedLabels.yaml vendored Normal file
View file

@ -0,0 +1,11 @@
- name: Label A
description: Label A description
label_membership_type: dynamic
query: SELECT * FROM osquery_info
platform: linux,macos
- name: Label B
description: Label B description
label_membership_type: manual
hosts:
- host1
- host2

121
cmd/fleetctl/testdata/generateGitops/expectedOrgSettings-insecure.yaml vendored Normal file
View file

@ -0,0 +1,121 @@
features:
enable_host_users: true
enable_software_inventory: true
additional_queries:
time: "SELECT * FROM time"
macs: "SELECT mac FROM interface_details"
detail_query_overrides:
users:
mdm: "SELECT enrolled, server_url, installed_from_dep, payload_identifier FROM mdm;"
fleet_desktop:
transparency_url: https://fleetdm.com/transparency
host_expiry_settings:
host_expiry_enabled: false
host_expiry_window: 59995
integrations:
custom_scep_proxy:
- challenge: some-custom-scep-proxy-challenge
name: some-custom-scep-proxy-name
url: https://some-custom-scep-proxy-url.com
digicert:
- api_token: some-digicert-api-token
certificate_common_name: some-digicert-certificate-common-name
certificate_seat_id: some-digicert-certificate-seat-id
certificate_user_principal_names:
- some-digicert-certificate-user-principal-name
- some-other-digicert-certificate-user-principal-name
name: some-digicert-name
profile_id: some-digicert-profile-id
url: https://some-digicert-url.com
google_calendar:
- api_key_json:
owl: hoot
domain: fleetdm.com
jira:
- api_token: some-jira-api-token
enable_failing_policies: false
enable_software_vulnerabilities: false
project_key: some-jira-project-key
url: https://some-jira-url.com
username: some-jira-username
ndes_scep_proxy:
admin_url: https://some-ndes-admin-url.com
password: some-ndes-password
url: https://some-ndes-scep-proxy-url.com
username: some-ndes-username
zendesk:
- api_token: some-zendesk-api-token
email: some-zendesk-email@example.com
enable_failing_policies: false
enable_software_vulnerabilities: false
group_id: 123456789
url: https://some-zendesk-url.com
mdm:
apple_business_manager:
- ios_team: "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
ipados_team: "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
macos_team: "\U0001F4BB Workstations"
organization_name: Fleet Device Management Inc.
apple_server_url: http://some-apple-server-url.com
end_user_authentication:
entity_id: some-mdm-entity-id.com
idp_name: some-other-idp-name
issuer_uri: https://some-mdm-issuer-uri.com
metadata: some-mdm-metadata
metadata_url: http://some-mdm-metadata-url.com
volume_purchasing_program:
- location: Fleet Device Management Inc.
teams:
- "\U0001F4BB Workstations"
- "\U0001F4BB\U0001F423 Workstations (canary)"
- "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
- "\U0001F4F1\U0001F510 Personal mobile devices"
org_info:
contact_url: https://fleetdm.com/company/contact
org_logo_url: http://some-org-logo-url.com
org_logo_url_light_background: http://some-org-logo-url-light-background.com
org_name: Fleet
secrets:
- secret: some-secret-number-one
- secret: some-secret-number-two
server_settings:
ai_features_disabled: false
debug_host_ids:
- 1
- 3
deferred_save_host: false
enable_analytics: true
live_query_disabled: false
query_report_cap: 1
query_reports_disabled: false
scripts_disabled: false
server_url: https://dogfood.fleetdm.com
sso_settings:
enable_jit_provisioning: true
enable_sso: true
enable_sso_idp_login: false
entity_id: dogfood.fleetdm.com
idp_image_url: http://some-sso-idp-image-url.com
idp_name: some-idp-name
metadata: some-sso-metadata
metadata_url: http://some-sso-metadata-url.com
webhook_settings:
activities_webhook:
destination_url: https://some-activities-webhook-url.com
enable_activities_webhook: true
failing_policies_webhook:
destination_url: https://some-failing-policies-webhook-url.com
enable_failing_policies_webhook: true
host_batch_size: 2
policy_ids: []
host_status_webhook:
days_count: 5
destination_url: https://some-host-status-webhook-url.com
enable_host_status_webhook: true
host_percentage: 20
interval: 6h0m0s
vulnerabilities_webhook:
destination_url: https://some-vulerabilities-webhook-url.com
enable_vulnerabilities_webhook: true
host_batch_size: 3
yara_rules: {}

121
cmd/fleetctl/testdata/generateGitops/expectedOrgSettings.yaml vendored Normal file
View file

@ -0,0 +1,121 @@
features:
enable_host_users: true
enable_software_inventory: true
additional_queries:
time: "SELECT * FROM time"
macs: "SELECT mac FROM interface_details"
detail_query_overrides:
users:
mdm: "SELECT enrolled, server_url, installed_from_dep, payload_identifier FROM mdm;"
fleet_desktop:
transparency_url: https://fleetdm.com/transparency
host_expiry_settings:
host_expiry_enabled: false
host_expiry_window: 59995
integrations:
custom_scep_proxy:
- challenge: ___GITOPS_COMMENT_5___
name: some-custom-scep-proxy-name
url: https://some-custom-scep-proxy-url.com
digicert:
- api_token: ___GITOPS_COMMENT_3___
certificate_common_name: some-digicert-certificate-common-name
certificate_seat_id: some-digicert-certificate-seat-id
certificate_user_principal_names:
- some-digicert-certificate-user-principal-name
- some-other-digicert-certificate-user-principal-name
name: some-digicert-name
profile_id: some-digicert-profile-id
url: https://some-digicert-url.com
google_calendar:
- api_key_json:
owl: hoot
private_key: ___GITOPS_COMMENT_0___
domain: fleetdm.com
jira:
- api_token: ___GITOPS_COMMENT_1___
enable_failing_policies: false
enable_software_vulnerabilities: false
project_key: some-jira-project-key
url: https://some-jira-url.com
username: some-jira-username
ndes_scep_proxy:
admin_url: https://some-ndes-admin-url.com
password: ___GITOPS_COMMENT_4___
url: https://some-ndes-scep-proxy-url.com
username: some-ndes-username
zendesk:
- api_token: ___GITOPS_COMMENT_2___
email: some-zendesk-email@example.com
enable_failing_policies: false
enable_software_vulnerabilities: false
group_id: 123456789
url: https://some-zendesk-url.com
mdm:
apple_business_manager:
- ios_team: "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
ipados_team: "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
macos_team: "\U0001F4BB Workstations"
organization_name: Fleet Device Management Inc.
apple_server_url: http://some-apple-server-url.com
end_user_authentication:
entity_id: some-mdm-entity-id.com
idp_name: some-other-idp-name
issuer_uri: https://some-mdm-issuer-uri.com
metadata: ___GITOPS_COMMENT_6___
metadata_url: ___GITOPS_COMMENT_7___
volume_purchasing_program:
- location: Fleet Device Management Inc.
teams:
- "\U0001F4BB Workstations"
- "\U0001F4BB\U0001F423 Workstations (canary)"
- "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
- "\U0001F4F1\U0001F510 Personal mobile devices"
org_info:
contact_url: https://fleetdm.com/company/contact
org_logo_url: http://some-org-logo-url.com
org_logo_url_light_background: http://some-org-logo-url-light-background.com
org_name: Fleet
secrets:
- secret: ___GITOPS_COMMENT_8___
server_settings:
ai_features_disabled: false
debug_host_ids:
- 1
- 3
deferred_save_host: false
enable_analytics: true
live_query_disabled: false
query_report_cap: 1
query_reports_disabled: false
scripts_disabled: false
server_url: https://dogfood.fleetdm.com
sso_settings:
enable_jit_provisioning: true
enable_sso: true
enable_sso_idp_login: false
entity_id: dogfood.fleetdm.com
idp_image_url: http://some-sso-idp-image-url.com
idp_name: some-idp-name
metadata: ___GITOPS_COMMENT_9___
metadata_url: ___GITOPS_COMMENT_10___
webhook_settings:
activities_webhook:
destination_url: https://some-activities-webhook-url.com
enable_activities_webhook: true
failing_policies_webhook:
destination_url: https://some-failing-policies-webhook-url.com
enable_failing_policies_webhook: true
host_batch_size: 2
policy_ids: []
host_status_webhook:
days_count: 5
destination_url: https://some-host-status-webhook-url.com
enable_host_status_webhook: true
host_percentage: 20
interval: 6h0m0s
vulnerabilities_webhook:
destination_url: https://some-vulerabilities-webhook-url.com
enable_vulnerabilities_webhook: true
host_batch_size: 3
yara_rules: {}

5
cmd/fleetctl/testdata/generateGitops/expectedTeamControls.yaml vendored Normal file
View file

@ -0,0 +1,5 @@
macos_settings:
custom_settings:
- path: ../lib/some_team/profiles/team-macos-mobileconfig-profile.mobileconfig
scripts:
- path: ../lib/some_team/scripts/Script B.ps1

9
cmd/fleetctl/testdata/generateGitops/expectedTeamPolicies.yaml vendored Normal file
View file

@ -0,0 +1,9 @@
- calendar_events_enabled: false
critical: false
description: This is a team policy
name: Team Policy
platform: linux,windows
query: SELECT * FROM team_policy WHERE id = 1
resolution: Do a team thing
run_script:
path: /path/to/script1.sh

10
cmd/fleetctl/testdata/generateGitops/expectedTeamQueries.yaml vendored Normal file
View file

@ -0,0 +1,10 @@
- automations_enabled: true
logging: stderr
min_osquery_version: 4.5.6
discard_data: false
description: This is a team query
interval: 1800
name: Team Query
observer_can_run: false
platform: linux,windows
query: SELECT * FROM team_query WHERE id = 1

26
cmd/fleetctl/testdata/generateGitops/expectedTeamSettings-insecure.yaml vendored Normal file
View file

@ -0,0 +1,26 @@
features:
enable_host_users: true
enable_software_inventory: true
host_expiry_settings:
host_expiry_enabled: false
host_expiry_window: 1
integrations:
google_calendar:
enable_calendar_events: true
webhook_url: https://some-team-google-calendar-webhook.com
secrets:
- secret: some-team-secret
webhook_settings:
failing_policies_webhook:
destination_url: https://some-team-failing_policies-webhook.com
enable_failing_policies_webhook: false
host_batch_size: 4
policy_ids:
- 1
- 2
- 3
host_status_webhook:
days_count: 3
destination_url: https://some-team-host-status-webhook.com
enable_host_status_webhook: false
host_percentage: 2

26
cmd/fleetctl/testdata/generateGitops/expectedTeamSettings.yaml vendored Normal file
View file

@ -0,0 +1,26 @@
features:
enable_host_users: true
enable_software_inventory: true
host_expiry_settings:
host_expiry_enabled: false
host_expiry_window: 1
integrations:
google_calendar:
enable_calendar_events: true
webhook_url: https://some-team-google-calendar-webhook.com
secrets:
- secret: ___GITOPS_COMMENT_0___
webhook_settings:
failing_policies_webhook:
destination_url: https://some-team-failing_policies-webhook.com
enable_failing_policies_webhook: false
host_batch_size: 4
policy_ids:
- 1
- 2
- 3
host_status_webhook:
days_count: 3
destination_url: https://some-team-host-status-webhook.com
enable_host_status_webhook: false
host_percentage: 2

19
cmd/fleetctl/testdata/generateGitops/expectedTeamSoftware.yaml vendored Normal file
View file

@ -0,0 +1,19 @@
packages:
- hash_sha256: software-package-hash ___GITOPS_COMMENT_0___
install_script:
path: ../lib/some-team/scripts/my-software-package-darwin-install
labels_include_any:
- Label A
- Label B
post_install_script:
path: ../lib/some-team/scripts/my-software-package-darwin-postinstall
pre_install_query:
path: ../lib/some-team/queries/my-software-package-darwin-preinstallquery.yml
self_service: true
uninstall_script:
path: ../lib/some-team/scripts/my-software-package-darwin-uninstall
app_store_apps:
- app_store_id: com.example.team-software
labels_exclude_any:
- Label C
- Label D

242
cmd/fleetctl/testdata/generateGitops/teamConfig.json vendored Normal file
View file

@ -0,0 +1,242 @@
{
"id": 1,
"created_at": "2025-02-05T23:33:39Z",
"name": "Test Team",
"description": "A test team",
"agent_options": {
"config": {
"options": {
"pack_delimiter": "/",
"logger_tls_period": 10,
"distributed_plugin": "tls",
"disable_distributed": false,
"logger_tls_endpoint": "/api/osquery/log",
"distributed_interval": 10,
"distributed_tls_max_attempts": 3
},
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT hostname AS hostname FROM system_info;"
]
}
},
"update_channels": {
"orbit": "edge",
"desktop": "edge",
"osqueryd": "edge"
}
},
"host_expiry_settings": {
"host_expiry_enabled": false,
"host_expiry_window": 1
},
"webhook_settings": {
"host_status_webhook": {
"enable_host_status_webhook": false,
"destination_url": "https://some-team-host-status-webhook.com",
"host_percentage": 2,
"days_count": 3
},
"failing_policies_webhook": {
"enable_failing_policies_webhook": false,
"destination_url": "https://some-team-failing_policies-webhook.com",
"policy_ids": [
1,
2,
3
],
"host_batch_size": 4
}
},
"integrations": {
"jira": [
{
"url": "https://some-team-jira-url.com",
"username": "some-team-jira-username",
"api_token": "some-team-jira-api-token",
"project_key": "some-team-jira-project-key"
}
],
"zendesk": [
{
"url": "https://some-team-zendesk-url.com",
"email": "some-team-zendesk-email@example.com",
"api_token": "some-team-zendesk-api-token",
"group_id": 123456789
}
],
"google_calendar": {
"enable_calendar_events": true,
"webhook_url": "https://some-team-google-calendar-webhook.com"
},
"digicert": [
{
"name": "some-team-digicert-name",
"url": "https://some-team-digicert-url.com",
"api_token": "some-team-digicert-api-token",
"profile_id": "some-team-digicert-profile-id",
"certificate_common_name": "some-team-digicert-certificate-common-name",
"certificate_user_principal_names": [
"some-team-digicert-certificate-user-principal-name",
"some-team-other-digicert-certificate-user-principal-name"
],
"certificate_seat_id": "some-team-digicert-certificate-seat-id"
}
],
"ndes_scep_proxy": {
"url": "https://some-team-ndes-scep-proxy-url.com",
"admin_url": "https://some-team-ndes-admin-url.com",
"username": "some-team-ndes-username",
"password": "some-team-ndes-password"
},
"custom_scep_proxy": [
{
"name": "some-team-custom-scep-proxy-name",
"url": "https://some-team-custom-scep-proxy-url.com",
"challenge": "some-team-custom-scep-proxy-challenge"
}
]
},
"features": {
"enable_host_users": true,
"enable_software_inventory": true
},
"mdm": {
"enable_disk_encryption": true,
"macos_updates": {
"minimum_version": "95.1",
"deadline": "2020-12-31"
},
"ios_updates": {
"minimum_version": "98.1",
"deadline": "2021-12-31"
},
"ipados_updates": {
"minimum_version": "98.2",
"deadline": "2022-12-31"
},
"windows_updates": {
"deadline_days": 95,
"grace_period_days": 92
},
"macos_settings": {
"custom_settings": null
},
"macos_setup": {
"bootstrap_package": "",
"enable_end_user_authentication": false,
"macos_setup_assistant": "",
"enable_release_device_manually": false,
"script": "",
"software": []
},
"windows_settings": {
"custom_settings": null
}
},
"scripts": [
"/home/runner/work/fleet/fleet/it-and-security/lib/macos/scripts/uninstall-fleetd-macos.sh",
"/home/runner/work/fleet/fleet/it-and-security/lib/windows/scripts/uninstall-fleetd-windows.ps1",
"/home/runner/work/fleet/fleet/it-and-security/lib/linux/scripts/uninstall-fleetd-linux.sh",
"/home/runner/work/fleet/fleet/it-and-security/lib/linux/scripts/install-fleet-desktop-required-extension.sh"
],
"software": {
"packages": [
{
"url": "https://zoom.us/client/6.3.10.7150/zoom_amd64.deb",
"self_service": true,
"pre_install_query": {
"path": ""
},
"install_script": {
"path": ""
},
"post_install_script": {
"path": ""
},
"uninstall_script": {
"path": ""
},
"labels_include_any": [
"Debian-based Linux hosts"
],
"labels_exclude_any": null,
"referenced_yaml_path": "/home/runner/work/fleet/fleet/it-and-security/lib/linux/software/zoom-deb.yml"
},
{
"url": "https://zoom.us/client/6.3.10.7150/zoom_x86_64.rpm",
"self_service": true,
"pre_install_query": {
"path": ""
},
"install_script": {
"path": ""
},
"post_install_script": {
"path": ""
},
"uninstall_script": {
"path": ""
},
"labels_include_any": [
"RPM-based Linux hosts"
],
"labels_exclude_any": null,
"referenced_yaml_path": "/home/runner/work/fleet/fleet/it-and-security/lib/linux/software/zoom-rpm.yml"
},
{
"url": "https://downloads.slack-edge.com/desktop-releases/linux/x64/4.41.105/slack-desktop-4.41.105-amd64.deb",
"self_service": true,
"pre_install_query": {
"path": ""
},
"install_script": {
"path": ""
},
"post_install_script": {
"path": ""
},
"uninstall_script": {
"path": ""
},
"labels_include_any": [
"Debian-based Linux hosts"
],
"labels_exclude_any": null,
"referenced_yaml_path": "/home/runner/work/fleet/fleet/it-and-security/lib/linux/software/slack-deb.yml"
},
{
"url": "https://downloads.slack-edge.com/desktop-releases/linux/x64/4.41.105/slack-4.41.105-0.1.el8.x86_64.rpm",
"self_service": true,
"pre_install_query": {
"path": ""
},
"install_script": {
"path": ""
},
"post_install_script": {
"path": ""
},
"uninstall_script": {
"path": ""
},
"labels_include_any": [
"RPM-based Linux hosts"
],
"labels_exclude_any": null,
"referenced_yaml_path": "/home/runner/work/fleet/fleet/it-and-security/lib/linux/software/slack-rpm.yml"
}
],
"app_store_apps": null
},
"user_count": 5,
"host_count": 24,
"secrets": [
{
"secret": "some-team-secret",
"created_at": "2025-02-05T23:33:40Z",
"team_id": 270
}
]
}

178
cmd/fleetctl/testdata/generateGitops/test_dir_free/default.yml vendored Normal file
View file

@ -0,0 +1,178 @@
agent_options:
config:
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
options:
disable_distributed: false
distributed_interval: 10
distributed_plugin: tls
distributed_tls_max_attempts: 3
logger_tls_endpoint: /api/osquery/log
logger_tls_period: 10
pack_delimiter: /
controls:
macos_settings:
custom_settings:
- labels_include_all:
- Label A
- Label B
path: ./lib/profiles/global-macos-mobileconfig-profile.mobileconfig
- labels_exclude_any:
- Label C
path: ./lib/profiles/global-macos-json-profile.json
windows_settings:
custom_settings:
- labels_include_any:
- Label D
path: ./lib/profiles/global-windows-profile.xml
labels:
- description: Label A description
label_membership_type: dynamic
name: Label A
platform: linux,macos
query: SELECT * FROM osquery_info
- description: Label B description
hosts:
- host1
- host2
label_membership_type: manual
name: Label B
org_settings:
features:
additional_queries:
macs: SELECT mac FROM interface_details
time: SELECT * FROM time
detail_query_overrides:
mdm: SELECT enrolled, server_url, installed_from_dep, payload_identifier FROM
mdm;
users:
enable_host_users: true
enable_software_inventory: true
fleet_desktop:
transparency_url: https://fleetdm.com/transparency
host_expiry_settings:
host_expiry_enabled: false
host_expiry_window: 59995
integrations:
custom_scep_proxy:
- challenge: # TODO: Add your custom SCEP proxy challenge here
name: some-custom-scep-proxy-name
url: https://some-custom-scep-proxy-url.com
digicert:
- api_token: # TODO: Add your Digicert API token here
certificate_common_name: some-digicert-certificate-common-name
certificate_seat_id: some-digicert-certificate-seat-id
certificate_user_principal_names:
- some-digicert-certificate-user-principal-name
- some-other-digicert-certificate-user-principal-name
name: some-digicert-name
profile_id: some-digicert-profile-id
url: https://some-digicert-url.com
google_calendar:
- api_key_json:
owl: hoot
private_key: # TODO: Add your Google Calendar API key JSON here
domain: fleetdm.com
jira:
- api_token: # TODO: Add your Jira API token here
enable_failing_policies: false
enable_software_vulnerabilities: false
project_key: some-jira-project-key
url: https://some-jira-url.com
username: some-jira-username
ndes_scep_proxy:
admin_url: https://some-ndes-admin-url.com
password: # TODO: Add your NDES SCEP proxy password here
url: https://some-ndes-scep-proxy-url.com
username: some-ndes-username
zendesk:
- api_token: # TODO: Add your Zendesk API token here
email: some-zendesk-email@example.com
enable_failing_policies: false
enable_software_vulnerabilities: false
group_id: 123456789
url: https://some-zendesk-url.com
mdm:
apple_server_url: http://some-apple-server-url.com
end_user_authentication:
entity_id: some-mdm-entity-id.com
idp_name: some-other-idp-name
issuer_uri: https://some-mdm-issuer-uri.com
metadata: # TODO: Add your MDM end user auth metadata here
metadata_url: # TODO: Add your MDM end user auth metadata URL here
org_info:
contact_url: https://fleetdm.com/company/contact
org_logo_url: http://some-org-logo-url.com
org_logo_url_light_background: http://some-org-logo-url-light-background.com
org_name: Fleet
secrets:
- secret: # TODO: Add your enroll secrets here
server_settings:
ai_features_disabled: false
debug_host_ids:
- 1
- 3
deferred_save_host: false
enable_analytics: true
live_query_disabled: false
query_report_cap: 1
query_reports_disabled: false
scripts_disabled: false
server_url: https://dogfood.fleetdm.com
sso_settings:
enable_sso: true
enable_sso_idp_login: false
entity_id: dogfood.fleetdm.com
idp_image_url: http://some-sso-idp-image-url.com
idp_name: some-idp-name
metadata: # TODO: Add your SSO metadata here
metadata_url: # TODO: Add your SSO metadata URL here
webhook_settings:
activities_webhook:
destination_url: https://some-activities-webhook-url.com
enable_activities_webhook: true
failing_policies_webhook:
destination_url: https://some-failing-policies-webhook-url.com
enable_failing_policies_webhook: true
host_batch_size: 2
policy_ids:
host_status_webhook:
days_count: 5
destination_url: https://some-host-status-webhook-url.com
enable_host_status_webhook: true
host_percentage: 20
interval: 6h0m0s
vulnerabilities_webhook:
destination_url: https://some-vulerabilities-webhook-url.com
enable_vulnerabilities_webhook: true
host_batch_size: 3
yara_rules:
policies:
- calendar_events_enabled: false
critical: false
description: This is a global policy
install_software:
hash_sha256: ___GITOPS_COMMENT_11___
labels_include_any:
- Label A
- Label B
name: Global Policy
platform: darwin
query: SELECT * FROM global_policy WHERE id = 1
resolution: Do a global thing
queries:
- automations_enabled: true
description: This is a global query
discard_data: false
interval: 3600
labels_include_any:
- Label A
- Label B
logging: stdout
min_osquery_version: 1.2.3
name: Global Query
observer_can_run: true
platform: darwin
query: SELECT * FROM global_query WHERE id = 1

1
cmd/fleetctl/testdata/generateGitops/test_dir_free/lib/profiles/global-macos-json-profile.json vendored Normal file
View file

@ -0,0 +1 @@
{"profile": "global macos json profile"}

1
cmd/fleetctl/testdata/generateGitops/test_dir_free/lib/profiles/global-macos-mobileconfig-profile.mobileconfig vendored Normal file
View file

@ -0,0 +1 @@
<xml>global macos mobileconfig profile</xml>

1
cmd/fleetctl/testdata/generateGitops/test_dir_free/lib/profiles/global-windows-profile.xml vendored Normal file
View file

@ -0,0 +1 @@
<xml>global windows profile</xml>

176
cmd/fleetctl/testdata/generateGitops/test_dir_premium/default.yml vendored Normal file
View file

@ -0,0 +1,176 @@
agent_options:
config:
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
options:
disable_distributed: false
distributed_interval: 10
distributed_plugin: tls
distributed_tls_max_attempts: 3
logger_tls_endpoint: /api/osquery/log
logger_tls_period: 10
pack_delimiter: /
labels:
- description: Label A description
label_membership_type: dynamic
name: Label A
platform: linux,macos
query: SELECT * FROM osquery_info
- description: Label B description
hosts:
- host1
- host2
label_membership_type: manual
name: Label B
org_settings:
features:
additional_queries:
macs: SELECT mac FROM interface_details
time: SELECT * FROM time
detail_query_overrides:
mdm: SELECT enrolled, server_url, installed_from_dep, payload_identifier FROM
mdm;
users:
enable_host_users: true
enable_software_inventory: true
fleet_desktop:
transparency_url: https://fleetdm.com/transparency
host_expiry_settings:
host_expiry_enabled: false
host_expiry_window: 59995
integrations:
custom_scep_proxy:
- challenge: # TODO: Add your custom SCEP proxy challenge here
name: some-custom-scep-proxy-name
url: https://some-custom-scep-proxy-url.com
digicert:
- api_token: # TODO: Add your Digicert API token here
certificate_common_name: some-digicert-certificate-common-name
certificate_seat_id: some-digicert-certificate-seat-id
certificate_user_principal_names:
- some-digicert-certificate-user-principal-name
- some-other-digicert-certificate-user-principal-name
name: some-digicert-name
profile_id: some-digicert-profile-id
url: https://some-digicert-url.com
google_calendar:
- api_key_json:
owl: hoot
private_key: # TODO: Add your Google Calendar API key JSON here
domain: fleetdm.com
jira:
- api_token: # TODO: Add your Jira API token here
enable_failing_policies: false
enable_software_vulnerabilities: false
project_key: some-jira-project-key
url: https://some-jira-url.com
username: some-jira-username
ndes_scep_proxy:
admin_url: https://some-ndes-admin-url.com
password: # TODO: Add your NDES SCEP proxy password here
url: https://some-ndes-scep-proxy-url.com
username: some-ndes-username
zendesk:
- api_token: # TODO: Add your Zendesk API token here
email: some-zendesk-email@example.com
enable_failing_policies: false
enable_software_vulnerabilities: false
group_id: 123456789
url: https://some-zendesk-url.com
mdm:
apple_business_manager:
- ios_team: "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
ipados_team: "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
macos_team: "\U0001F4BB Workstations"
organization_name: Fleet Device Management Inc.
apple_server_url: http://some-apple-server-url.com
end_user_authentication:
entity_id: some-mdm-entity-id.com
idp_name: some-other-idp-name
issuer_uri: https://some-mdm-issuer-uri.com
metadata: # TODO: Add your MDM end user auth metadata here
metadata_url: # TODO: Add your MDM end user auth metadata URL here
volume_purchasing_program:
- location: Fleet Device Management Inc.
teams:
- "\U0001F4BB Workstations"
- "\U0001F4BB\U0001F423 Workstations (canary)"
- "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
- "\U0001F4F1\U0001F510 Personal mobile devices"
org_info:
contact_url: https://fleetdm.com/company/contact
org_logo_url: http://some-org-logo-url.com
org_logo_url_light_background: http://some-org-logo-url-light-background.com
org_name: Fleet
secrets:
- secret: # TODO: Add your enroll secrets here
server_settings:
ai_features_disabled: false
debug_host_ids:
- 1
- 3
deferred_save_host: false
enable_analytics: true
live_query_disabled: false
query_report_cap: 1
query_reports_disabled: false
scripts_disabled: false
server_url: https://dogfood.fleetdm.com
sso_settings:
enable_jit_provisioning: true
enable_sso: true
enable_sso_idp_login: false
entity_id: dogfood.fleetdm.com
idp_image_url: http://some-sso-idp-image-url.com
idp_name: some-idp-name
metadata: # TODO: Add your SSO metadata here
metadata_url: # TODO: Add your SSO metadata URL here
webhook_settings:
activities_webhook:
destination_url: https://some-activities-webhook-url.com
enable_activities_webhook: true
failing_policies_webhook:
destination_url: https://some-failing-policies-webhook-url.com
enable_failing_policies_webhook: true
host_batch_size: 2
policy_ids:
host_status_webhook:
days_count: 5
destination_url: https://some-host-status-webhook-url.com
enable_host_status_webhook: true
host_percentage: 20
interval: 6h0m0s
vulnerabilities_webhook:
destination_url: https://some-vulerabilities-webhook-url.com
enable_vulnerabilities_webhook: true
host_batch_size: 3
yara_rules:
policies:
- calendar_events_enabled: false
critical: false
description: This is a global policy
install_software:
hash_sha256: software-package-hash ___GITOPS_COMMENT_1___
labels_include_any:
- Label A
- Label B
name: Global Policy
platform: darwin
query: SELECT * FROM global_policy WHERE id = 1
resolution: Do a global thing
queries:
- automations_enabled: true
description: This is a global query
discard_data: false
interval: 3600
labels_include_any:
- Label A
- Label B
logging: stdout
min_osquery_version: 1.2.3
name: Global Query
observer_can_run: true
platform: darwin
query: SELECT * FROM global_query WHERE id = 1

2
cmd/fleetctl/testdata/generateGitops/test_dir_premium/lib/no-team/scripts/Script Z.ps1 vendored Normal file
View file

@ -0,0 +1,2 @@
#!/usr/bin/env pwsh
echo "Hello from Script B!"

1
cmd/fleetctl/testdata/generateGitops/test_dir_premium/lib/team-a/profiles/team-macos-mobileconfig-profile.mobileconfig vendored Normal file
View file

@ -0,0 +1 @@
<xml>test mobileconfig profile</xml>

1
cmd/fleetctl/testdata/generateGitops/test_dir_premium/lib/team-a/queries/my-software-package-darwin-preinstallquery.yml vendored Normal file
View file

@ -0,0 +1 @@
- query: SELECT * FROM pre_install_query

1
cmd/fleetctl/testdata/generateGitops/test_dir_premium/lib/team-a/scripts/Script B.ps1 vendored Normal file
View file

@ -0,0 +1 @@
pop goes the weasel!

1
cmd/fleetctl/testdata/generateGitops/test_dir_premium/lib/team-a/scripts/my-software-package-darwin-install vendored Normal file
View file

@ -0,0 +1 @@
foo

1
cmd/fleetctl/testdata/generateGitops/test_dir_premium/lib/team-a/scripts/my-software-package-darwin-postinstall vendored Normal file
View file

@ -0,0 +1 @@
bar

1
cmd/fleetctl/testdata/generateGitops/test_dir_premium/lib/team-a/scripts/my-software-package-darwin-uninstall vendored Normal file
View file

@ -0,0 +1 @@
baz

33
cmd/fleetctl/testdata/generateGitops/test_dir_premium/teams/no-team.yml vendored Normal file
View file

@ -0,0 +1,33 @@
controls:
enable_disk_encryption: true
ios_updates:
deadline: "2025-12-31"
minimum_version: "18.1"
ipados_updates:
deadline: "2026-12-31"
minimum_version: "18.2"
macos_migration:
enable: true
mode: voluntary
webhook_url: https://some-macos-migration-webhook-url.com
macos_setup: 'TODO: update with your macos_setup configuration'
macos_updates:
deadline: "2024-12-31"
minimum_version: "15.1"
scripts:
- path: ../lib/no-team/scripts/Script Z.ps1
windows_enabled_and_configured: true
windows_migration_enabled: true
windows_updates:
deadline_days: 5
grace_period_days: 2
name: No team
policies:
- calendar_events_enabled: false
critical: false
description: This is a team policy
name: Team Policy
platform: linux,windows
query: SELECT * FROM team_policy WHERE id = 1
resolution: Do a team thing
software:

105
cmd/fleetctl/testdata/generateGitops/test_dir_premium/teams/team-a.yml vendored Normal file
View file

@ -0,0 +1,105 @@
agent_options:
config:
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
options:
disable_distributed: false
distributed_interval: 10
distributed_plugin: tls
distributed_tls_max_attempts: 3
logger_tls_endpoint: /api/osquery/log
logger_tls_period: 10
pack_delimiter: /
update_channels:
desktop: edge
orbit: edge
osqueryd: edge
controls:
enable_disk_encryption: true
ios_updates:
deadline: "2021-12-31"
minimum_version: "98.1"
ipados_updates:
deadline: "2022-12-31"
minimum_version: "98.2"
macos_settings:
custom_settings:
- path: ../lib/team-a/profiles/team-macos-mobileconfig-profile.mobileconfig
macos_updates:
deadline: "2020-12-31"
minimum_version: "95.1"
scripts:
- path: ../lib/team-a/scripts/Script B.ps1
windows_enabled_and_configured: true
windows_updates:
deadline_days: 95
grace_period_days: 92
name: Team A
policies:
- calendar_events_enabled: false
critical: false
description: This is a team policy
name: Team Policy
platform: linux,windows
query: SELECT * FROM team_policy WHERE id = 1
resolution: Do a team thing
queries:
- automations_enabled: true
description: This is a team query
discard_data: false
interval: 1800
logging: stderr
min_osquery_version: 4.5.6
name: Team Query
observer_can_run: false
platform: linux,windows
query: SELECT * FROM team_query WHERE id = 1
software:
app_store_apps:
- app_store_id: com.example.team-software
labels_exclude_any:
- Label C
- Label D
packages:
- hash_sha256: software-package-hash # My Software Package (my-software.pkg) version 1.0.0, 2.0.0
install_script:
path: ../lib/team-a/scripts/my-software-package-darwin-install
labels_include_any:
- Label A
- Label B
post_install_script:
path: ../lib/team-a/scripts/my-software-package-darwin-postinstall
pre_install_query:
path: ../lib/team-a/queries/my-software-package-darwin-preinstallquery.yml
self_service: true
uninstall_script:
path: ../lib/team-a/scripts/my-software-package-darwin-uninstall
team_settings:
features:
enable_host_users: true
enable_software_inventory: true
host_expiry_settings:
host_expiry_enabled: false
host_expiry_window: 1
integrations:
google_calendar:
enable_calendar_events: true
webhook_url: https://some-team-google-calendar-webhook.com
secrets:
- secret: # TODO: Add your enroll secrets here
webhook_settings:
failing_policies_webhook:
destination_url: https://some-team-failing_policies-webhook.com
enable_failing_policies_webhook: false
host_batch_size: 4
policy_ids:
- 1
- 2
- 3
host_status_webhook:
days_count: 3
destination_url: https://some-team-host-status-webhook.com
enable_host_status_webhook: false
host_percentage: 2

13
pkg/spec/gitops.go
View file

@ -76,6 +76,7 @@ type PolicyRunScript struct {
type PolicyInstallSoftware struct {
PackagePath string `json:"package_path"`
AppStoreID string `json:"app_store_id"`
HashSHA256 string `json:"hash_sha256"`
}
type Query struct {
@ -94,8 +95,9 @@ type SoftwarePackage struct {
}
type Software struct {
Packages []SoftwarePackage `json:"packages"`
AppStoreApps []fleet.TeamSpecAppStoreApp `json:"app_store_apps"`
Packages []SoftwarePackage `json:"packages"`
AppStoreApps []fleet.TeamSpecAppStoreApp `json:"app_store_apps"`
FleetMaintainedApps []fleet.MaintainedApp `json:"fleet_maintained_apps"`
}
type GitOps struct {
@ -816,8 +818,8 @@ func parsePolicyInstallSoftware(baseDir string, teamName *string, policy *Policy
if policy.InstallSoftware != nil && (policy.InstallSoftware.PackagePath != "" || policy.InstallSoftware.AppStoreID != "") && teamName == nil {
return errors.New("install_software can only be set on team policies")
}
if policy.InstallSoftware.PackagePath == "" && policy.InstallSoftware.AppStoreID == "" {
return errors.New("install_software must include either a package path or app store app ID")
if policy.InstallSoftware.PackagePath == "" && policy.InstallSoftware.AppStoreID == "" && policy.InstallSoftware.HashSHA256 == "" {
return errors.New("install_software must include either a package_path, an app_store_id or a hash_sha256")
}
if policy.InstallSoftware.PackagePath != "" && policy.InstallSoftware.AppStoreID != "" {
return errors.New("install_software must have only one of package_path or app_store_id")
@ -967,6 +969,9 @@ func parseSoftware(top map[string]json.RawMessage, result *GitOps, baseDir strin
return multierror.Append(multiError, fmt.Errorf("failed to unmarshall softwarespec: %v", err))
}
}
if software.FleetMaintainedApps != nil {
return multierror.Append(multiError, errors.New("Fleet maintained apps are not currently supported in GitOps"))
}
for _, item := range software.AppStoreApps {
item := item
if item.AppStoreID == "" {

2
pkg/spec/gitops_test.go
View file

@ -929,7 +929,7 @@ policies:
package_path:
`
_, err = gitOpsFromString(t, config)
assert.ErrorContains(t, err, "must include either a package path or app store app ID")
assert.ErrorContains(t, err, "install_software must include either a package_path, an app_store_id or a hash_sha256")
config = getTeamConfig([]string{"policies"})
config += `

5
server/datastore/mysql/software_installers.go
View file

@ -654,6 +654,7 @@ SELECT
si.team_id,
si.title_id,
si.storage_id,
si.fleet_maintained_app_id,
si.package_ids,
si.filename,
si.extension,
@ -2166,7 +2167,9 @@ func (ds *Datastore) GetSoftwareInstallers(ctx context.Context, teamID uint) ([]
SELECT
team_id,
title_id,
url
url,
storage_id as hash_sha256,
fleet_maintained_app_id
FROM
software_installers
WHERE global_or_team_id = ?

3
server/datastore/mysql/software_titles.go
View file

@ -321,6 +321,7 @@ SELECT
si.url AS package_url,
si.install_during_setup as package_install_during_setup,
si.storage_id as package_storage_id,
si.fleet_maintained_app_id,
vat.self_service as vpp_app_self_service,
vat.adam_id as vpp_app_adam_id,
vat.install_during_setup as vpp_install_during_setup,
@ -338,7 +339,7 @@ LEFT JOIN software_titles_host_counts sthc ON sthc.software_title_id = st.id AND
WHERE %s
-- placeholder for filter based on software installed on hosts + software installers
AND (%s)
GROUP BY st.id, package_self_service, package_name, package_version, package_platform, package_url, package_install_during_setup, package_storage_id, vpp_app_self_service, vpp_app_adam_id, vpp_app_version, vpp_app_platform, vpp_app_icon_url, vpp_install_during_setup`
GROUP BY st.id, package_self_service, package_name, package_version, package_platform, package_url, package_install_during_setup, package_storage_id, fleet_maintained_app_id, vpp_app_self_service, vpp_app_adam_id, vpp_app_version, vpp_app_platform, vpp_app_icon_url, vpp_install_during_setup`
cveJoinType := "LEFT"
if opt.VulnerableOnly {

5
server/fleet/software.go
View file

@ -239,8 +239,9 @@ type SoftwareTitleListResult struct {
// BundleIdentifier is used by Apple installers to uniquely identify
// the software installed. It's surfaced in software_titles to match
// with existing software entries.
BundleIdentifier *string `json:"bundle_identifier,omitempty" db:"bundle_identifier"`
HashSHA256 *string `json:"hash_sha256,omitempty" db:"package_storage_id"`
BundleIdentifier *string `json:"bundle_identifier,omitempty" db:"bundle_identifier"`
HashSHA256 *string `json:"hash_sha256,omitempty" db:"package_storage_id"`
FleetMaintainedAppID *uint `json:"fleet_maintained_app_id,omitempty" db:"fleet_maintained_app_id"`
}
type SoftwareTitleListOptions struct {

6
server/fleet/software_installer.go
View file

@ -137,7 +137,7 @@ type SoftwareInstaller struct {
// URL is the source URL for this installer (set when uploading via batch/gitops).
URL string `json:"url" db:"url"`
// FleetMaintainedAppID is the related Fleet-maintained app for this installer (if not nil).
FleetMaintainedAppID *uint `json:"-" db:"fleet_maintained_app_id"`
FleetMaintainedAppID *uint `json:"fleet_maintained_app_id" db:"fleet_maintained_app_id"`
// AutomaticInstallPolicies is the list of policies that trigger automatic
// installation of this software.
AutomaticInstallPolicies []AutomaticInstallPolicy `json:"automatic_install_policies" db:"-"`
@ -161,6 +161,10 @@ type SoftwarePackageResponse struct {
TitleID *uint `json:"title_id" db:"title_id"`
// URL is the source URL for this installer (set when uploading via batch/gitops).
URL string `json:"url" db:"url"`
// HashSHA256 is the SHA256 hash of the software installer.
HashSHA256 string `json:"hash_sha256" db:"hash_sha256"`
// ID of the Fleet Maintained App this package uses, if any
FleetMaintainedAppID *uint `json:"fleet_maintained_app_id" db:"fleet_maintained_app_id"`
}
// VPPAppResponse is the response type used when applying app store apps by batch.

15
server/service/client.go
View file

@ -2097,18 +2097,20 @@ func (c *Client) doGitOpsPolicies(config *spec.GitOps, teamSoftwareInstallers []
// Get software titles of packages for the team.
softwareTitleIDsByInstallerURL := make(map[string]uint)
softwareTitleIDsByAppStoreAppID := make(map[string]uint)
softwareTitleIDsByHash := make(map[string]uint)
for _, softwareInstaller := range teamSoftwareInstallers {
if softwareInstaller.TitleID == nil {
// Should not happen, but to not panic we just log a warning.
logFn("[!] software installer without title id: team_id=%d, url=%s\n", *teamID, softwareInstaller.URL)
continue
}
if softwareInstaller.URL == "" {
if softwareInstaller.URL == "" && softwareInstaller.HashSHA256 == "" {
// Should not happen because we previously applied packages via gitops, but to not panic we just log a warning.
logFn("[!] software installer without url: team_id=%d, title_id=%d\n", *teamID, *softwareInstaller.TitleID)
continue
}
softwareTitleIDsByInstallerURL[softwareInstaller.URL] = *softwareInstaller.TitleID
softwareTitleIDsByHash[softwareInstaller.HashSHA256] = *softwareInstaller.TitleID
}
for _, vppApp := range teamVPPApps {
if vppApp.Platform != fleet.MacOSPlatform {
@ -2155,6 +2157,17 @@ func (c *Client) doGitOpsPolicies(config *spec.GitOps, teamSoftwareInstallers []
}
config.Policies[i].SoftwareTitleID = &softwareTitleID
}
if config.Policies[i].InstallSoftware.HashSHA256 != "" {
softwareTitleID, ok := softwareTitleIDsByHash[config.Policies[i].InstallSoftware.HashSHA256]
if !ok {
// Should not happen because software packages are uploaded first.
if !dryRun {
logFn("[!] software hash without software title ID: %s\n", config.Policies[i].InstallSoftware.HashSHA256)
}
continue
}
config.Policies[i].SoftwareTitleID = &softwareTitleID
}
}
// Get scripts for the team.

35
server/service/client_profiles.go
View file

@ -36,6 +36,41 @@ func (c *Client) ListProfiles(teamID *uint) ([]*fleet.MDMAppleConfigProfile, err
return responseBody.ConfigProfiles, nil
}
func (c *Client) ListConfigurationProfiles(teamID *uint) ([]*fleet.MDMConfigProfilePayload, error) {
verb, path := "GET", "/api/latest/fleet/configuration_profiles"
query := make(url.Values)
if teamID != nil {
query.Add("team_id", strconv.FormatUint(uint64(*teamID), 10))
}
var responseBody listMDMConfigProfilesResponse
if err := c.authenticatedRequestWithQuery(nil, verb, path, &responseBody, query.Encode()); err != nil {
return nil, err
}
return responseBody.Profiles, nil
}
// Get the contents of a saved profile.
func (c *Client) GetProfileContents(profileID string) ([]byte, error) {
verb, path := "GET", "/api/latest/fleet/mdm/profiles/"+profileID
response, err := c.AuthenticatedDo(verb, path, "alt=media", nil)
if err != nil {
return nil, fmt.Errorf("%s %s: %w", verb, path, err)
}
defer response.Body.Close()
err = c.parseResponse(verb, path, response, nil)
if err != nil {
return nil, fmt.Errorf("%s %s: %w", verb, path, err)
}
if response.StatusCode != http.StatusNoContent {
b, err := io.ReadAll(response.Body)
if err != nil {
return nil, fmt.Errorf("reading response body: %w", err)
}
return b, nil
}
return nil, nil
}
func (c *Client) AddProfile(teamID uint, configurationProfile []byte) (uint, error) {
if c.token == "" {
return 0, errors.New("authentication token is empty")

22
server/service/client_scripts.go
View file

@ -229,3 +229,25 @@ func (c *Client) ListScripts(query string) ([]*fleet.Script, error) {
}
return responseBody.Scripts, nil
}
// Get the contents of a saved script.
func (c *Client) GetScriptContents(scriptID uint) ([]byte, error) {
verb, path := "GET", "/api/latest/fleet/scripts/"+fmt.Sprint(scriptID)
response, err := c.AuthenticatedDo(verb, path, "alt=media", nil)
if err != nil {
return nil, fmt.Errorf("%s %s: %w", verb, path, err)
}
defer response.Body.Close()
err = c.parseResponse(verb, path, response, nil)
if err != nil {
return nil, fmt.Errorf("parsing script response: %w", err)
}
if response.StatusCode != http.StatusNoContent {
b, err := io.ReadAll(response.Body)
if err != nil {
return nil, fmt.Errorf("reading response body: %w", err)
}
return b, nil
}
return nil, nil
}

17
server/service/client_software.go
View file

@ -31,6 +31,23 @@ func (c *Client) ListSoftwareTitles(query string) ([]fleet.SoftwareTitleListResu
return responseBody.SoftwareTitles, nil
}
// GetSoftwareTitleByID retrieves a software title by ID.
//
//nolint:gocritic // ignore captLocal
func (c *Client) GetSoftwareTitleByID(ID uint, teamID *uint) (*fleet.SoftwareTitle, error) {
var query string
if teamID != nil {
query = fmt.Sprintf("team_id=%d", *teamID)
}
verb, path := "GET", "/api/latest/fleet/software/titles/"+fmt.Sprint(ID)
var responseBody getSoftwareTitleResponse
err := c.authenticatedRequestWithQuery(nil, verb, path, &responseBody, query)
if err != nil {
return nil, err
}
return responseBody.SoftwareTitle, nil
}
func (c *Client) ApplyNoTeamSoftwareInstallers(softwareInstallers []fleet.SoftwareInstallerPayload, opts fleet.ApplySpecOptions) ([]fleet.SoftwarePackageResponse, error) {
query, err := url.ParseQuery(opts.RawQuery())
if err != nil {