for #16954, this fixes an issue found during testing
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
for #16954
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
- Don't cache requests to get profiles, they don't happen in order when
run agains a real Puppet server
- Report resource has changed if the profile was in the host but the new
resource type is absent
this PR modifies the `external_host_identifier` parameter that's used to
match hosts to Puppet runs to use an identifier that's *unique per run*
(instead of an identifier that's *unique per host*)
this has the adventage to:
1. allow for concurrent Puppet runs that don't interfere with each
other.
2. allow for failed/orphaned Puppet runs to not interfere with new runs
(the keys will eventually get expired)
all the existent behavior should be preserved.
> Note: I have verified that the value that the reporter gets is the one
associated with the right puppet run, even if multiple runs happen
simultaneously.
A few minor things going on:
1. Adjusted the Puppet module to send the profiles base64 encoded
2. Enabled FileVault by default on teams created using the `/match`
endpoint.
3. Remove profiles when a team is removed. We can't do a foreign key
because the global team.id is NULL. I also included a migration to
cleanup orphaned profiles.
Related to #11185 this adds a Puppet module that provides:
1. A custom type named `fleetdm::profile` that can be used to define
profiles to a device
2. A function named `fleetdm::release_device` that can be used to
release a device from await device configuration.
Instructions/usage can be found in the `README.md` file.
---------
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
Bumps [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) from
8.5.1 to 9.0.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md">jsonwebtoken's
changelog</a>.</em></p>
<blockquote>
<h2>9.0.0 - 2022-12-21</h2>
<p><strong>Breaking changes: See <a
href="https://github.com/auth0/node-jsonwebtoken/wiki/Migration-Notes:-v8-to-v9">Migration
from v8 to v9</a></strong></p>
<h3>Breaking changes</h3>
<ul>
<li>Removed support for Node versions 11 and below.</li>
<li>The verify() function no longer accepts unsigned tokens by default.
([834503079514b72264fd13023a3b8d648afd6a16]<a
href="8345030795</a>)</li>
<li>RSA key size must be 2048 bits or greater.
([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]<a
href="ecdf6cc607</a>)</li>
<li>Key types must be valid for the signing / verification
algorithm</li>
</ul>
<h3>Security fixes</h3>
<ul>
<li>security: fixes <code>Arbitrary File Write via verify
function</code> - CVE-2022-23529</li>
<li>security: fixes <code>Insecure default algorithm in jwt.verify()
could lead to signature validation bypass</code> - CVE-2022-23540</li>
<li>security: fixes <code>Insecure implementation of key retrieval
function could lead to Forgeable Public/Private Tokens from RSA to
HMAC</code> - CVE-2022-23541</li>
<li>security: fixes <code>Unrestricted key type could lead to legacy
keys usage</code> - CVE-2022-23539</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e1fa9dcc12"><code>e1fa9dc</code></a>
Merge pull request from GHSA-8cf7-32gw-wr33</li>
<li><a
href="5eaedbf2b0"><code>5eaedbf</code></a>
chore(ci): remove github test actions job (<a
href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/861">#861</a>)</li>
<li><a
href="cd4163eb14"><code>cd4163e</code></a>
chore(ci): configure Github Actions jobs for Tests & Security
Scanning (<a
href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/856">#856</a>)</li>
<li><a
href="ecdf6cc607"><code>ecdf6cc</code></a>
fix!: Prevent accidental use of insecure key sizes &
misconfiguration of secr...</li>
<li><a
href="8345030795"><code>8345030</code></a>
fix(sign&verify)!: Remove default <code>none</code> support from
<code>sign</code> and <code>verify</code> met...</li>
<li><a
href="7e6a86b1c2"><code>7e6a86b</code></a>
Upload OpsLevel YAML (<a
href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/849">#849</a>)</li>
<li><a
href="74d5719bd0"><code>74d5719</code></a>
docs: update references vercel/ms references (<a
href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/770">#770</a>)</li>
<li><a
href="d71e383862"><code>d71e383</code></a>
docs: document "invalid token" error</li>
<li><a
href="37650031fd"><code>3765003</code></a>
docs: fix spelling in README.md: Peak -> Peek (<a
href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/754">#754</a>)</li>
<li><a
href="a46097e962"><code>a46097e</code></a>
docs: make decode impossible to discover before verify</li>
<li>Additional commits viewable in <a
href="https://github.com/auth0/node-jsonwebtoken/compare/v8.5.1...v9.0.0">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~julien.wollscheid">julien.wollscheid</a>, a
new releaser for jsonwebtoken since your current version.</p>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/fleetdm/fleet/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This PR provides the tooling that fleetdm.com will use to sign MDM Push
CSRs.
This was tested against the output of #8812, and the resulting requests
were validated to be accepted by Apple.
Co-authored-by: Roberto Dip <me@roperzh.com>
Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
* Rename core->free and basic->premium
* Fix lint js
* Comment out portion of test that seems to timeout
* Rename tier to premium if basic is still loaded
