## Addresses #10819
Exclude the "Manage users" menu option in sandbox mode.
- [x] Manual QA for all new/changed functionality
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
## Addresses #11394 (and dup #11397)
Lower sandbox reroute logic from router index into OrgSettingsPage,
where the value of AppContext.isSandboxMode can be correctly read
https://www.loom.com/share/8f3eb546a58d4c93a268b4d02b42c54c
## Checklist for submitter
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Closes: #10848
Changes:
- Updated the `receive-usage-analytics` webhook to send custom metrics
to our Datadog account, where we can create graphs and dashboards to
track Fleet feature adoption, Fleet/osquery/orbit versions in use,
reported host counts, and stored errors.
- Added a new config variable: `sails.config.custom.datadogApiKey`
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
## Addresses #9371
### Adds a suite of UI logic for premium features in the Sandbox
environment
For reviewer: please review the work for the below 3 subtasks, which
are the only remaining subtasks encompassed by this PR that have not yet
passed review individually:
- #10822 (9)
- #10823 (10)
- #10824 (11)
## Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
For #11218: in the initial implementation of the feature, we used to
launch Nudge as root, so setting the permissions of the config file to
0600 was okay.
As part of the fix for #10044, we now launch Nudge as the current user
(which is also recommended in the Nudge wiki), but previous
installations of the beta version (probably only Fleeties using Dogfood)
still have the configuration file with restrictive permissions, so Nudge
wasn't able to read the config when launched as a user.
This is kind of hidden because `os.WriteFile` takes a permission
argument, but it's only used if it's writing the file for the first
time.
#7970
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
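
The `os.WriteFile` behaviour described in the Nudge commit message above, replayed as an added example (not part of the original commit or of Fleet's code). The file name `config.json` and the `writeConfig` helper are hypothetical, and the permission values assume a Unix file system.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// writeConfig (hypothetical helper) writes data and then forces the mode,
// because os.WriteFile applies perm only when it creates the file.
func writeConfig(path string, data []byte, perm os.FileMode) error {
	if err := os.WriteFile(path, data, perm); err != nil {
		return err
	}
	return os.Chmod(path, perm) // also fixes files left by older versions
}

func modeOf(path string) os.FileMode {
	fi, err := os.Stat(path)
	if err != nil {
		return 0
	}
	return fi.Mode().Perm()
}

// demo replays the upgrade on a constructed temp file (Unix permissions).
func demo() (stale, fixed os.FileMode, err error) {
	dir, err := os.MkdirTemp("", "perm-demo")
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "config.json") // hypothetical file name
	// Old version creates the file as 0600.
	if err = os.WriteFile(path, []byte(`{"v":1}`), 0o600); err != nil {
		return 0, 0, err
	}
	// New version asks for 0644: the file exists, so perm is ignored.
	if err = os.WriteFile(path, []byte(`{"v":2}`), 0o644); err != nil {
		return 0, 0, err
	}
	stale = modeOf(path)
	if err = writeConfig(path, []byte(`{"v":2}`), 0o644); err != nil {
		return 0, 0, err
	}
	return stale, modeOf(path), nil
}

func main() { fmt.Println(demo()) }
```

The same rule cuts the other way: rewriting an existing world-readable file with `0600` does not tighten it, so secrets written this way also need an explicit `os.Chmod`.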
rename aws_iam_policy and aws_iam_policy_attachment resources to use
underscore instead of hyphen in their names. Also, change
aws_iam_policy_attachment to aws_iam_role_policy_attachment to match the
correct resource type.
## Addresses #11188
When an _already authenticated_ no-access user tries to access any
authenticated routes:
- Log the user out
- Display the 403 'Forbidden' error page
https://www.loom.com/share/358fd5b534984ab9ab40220986a7d094
The user _can_ still log in – see attached issue.
## Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
feat(firehose): add Terraform documentation to README.md
feat(firehose): add Terraform module for IAM policy
feat(firehose): add Terraform output for IAM policy ARN
docs(byo-firehose-logging-destination): add introduction and explanation
of IAM role and policy
This commit adds an introduction and explanation of the IAM role and
policy defined in the Terraform code. Specifically, it explains that the
IAM role named `fleet_role` is being defined in the AWS account, and
that it will be assumed by the Fleet application being hosted. The
commit also explains that the IAM role is being given specific
permissions to perform certain actions on the Firehose service, and that
the associated IAM policy specifies the minimum allowed permissions.
Additionally, the commit explains that the Firehose service is KMS
encrypted, and that the IAM role needs permission to the KMS key being
used to encrypt the data going into Firehose. Finally, the commit
explains that the code sets up a secure and controlled environment for
the Fleet application to perform its necessary actions on the Firehose
service within the AWS account.
refactor(byo-firehose-logging-destination): reformat table of resources
and inputs
feat(byo-firehose-logging-destination): add KMS key resource for
firehose encryption
feat(byo-firehose-logging-destination): add S3 bucket resource for
logging destination
feat(byo-firehose-logging-destination): add IAM policy and role
resources for firehose
feat(byo-firehose-logging-destination): add IAM policy attachment
resource for fleet-firehose policy
feat(byo-firehose-logging-destination): add data source for current AWS
region
feat(byo-firehose-logging-destination): add data source for KMS alias
feat(byo-firehose-logging-destination): add data source for IAM policy
documents
feat(byo-firehose-logging-destination): add outputs for firehose IAM
role, delivery streams, and S3 bucket
fix(iam.tf): change aws_iam_policy and aws_iam_policy_attachment
resource names to include fleet prefix
closes https://github.com/fleetdm/fleet/issues/11331
#11089
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- [X] Documented any permissions changes
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [x] Added/updated tests
- [X] Manual QA for all new/changed functionality
- ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~