For #26716.
Also moves the article to an OS-independent URL, updates links from
elsewhere, and adds a bit more internal-link juice for install
automation.
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Notarization from the fleetctl-docker image is broken actually:
```
fleetctl package --type=pkg --fleet-url=myurl --enroll-secret=mysecret --macos-devid-pem-content=XYZ --notarize --app-store-connect-api-key-id=XYZ --app-store-connect-api-key-issuer=XYZ --app-store-connect-api-key-content=XYZ
[..]
transporter error> Package Summary:
transporter error>
transporter error> 1 package(s) were not uploaded because they had problems:
transporter error> /tmp/apple-codesign-QAsKT8/17081d03-fdc8-46cd-873a-2970f7be9c7c.itmsp - Error Messages:
transporter error> Notarization of MacOS applications using altool has been decommissioned. Please use notarytool. See: https://developer.apple.com/documentation/technotes/tn3147-migrating-to-the-latest-notarization-tool (4200)
transporter error> [2024-11-15 13:35:47 UTC] <main> DBG-X: Returning 1
Error: I/O error: command ["/usr/local/bin/iTMSTransporter", "-m", "upload", "-apiIssuer", "XYZ", "-apiKey", "XYZ", "-f", "/tmp/apple-codesign-QAsKT8/17081d03-fdc8-46cd-873a-2970f7be9c7c.itmsp", "-vp", "json"] exited with code 1
Error: rcodesign notarize: exit status 1
```
Luckily, bumping `rcodesign` version is enough to make it work again.
# Checklist for submitter
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
- [ ] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
For #27287
This PR adds integration tests for SCIM API endpoints as well as some
bug fixes found by these tests.
# Checklist for submitter
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
For #21396
# Details
This PR updates the automated release cycle for Orbit desktop, so that
it triggers based on a pushed _tag_ rather than a pushed PR. This has
the following benefits:
* The release can be based off of any branch, rather than always using
`main` as the base, so we can safely do patch release of desktop without
including in-progress code from main
* It brings the desktop release process more in line with the main Orbit
release process -- both are now triggered by a tag push.
We still create a PR for the release, to include a changelog.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
## Testing
To do -- will discuss with @lucasmrod
---------
Co-authored-by: Luke Heath <luke@fleetdm.com>
For #27301
# Checklist for submitter
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] Added/updated automated tests
- [X] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [X] Manual QA for all new/changed functionality
# Details
This PR adds the ability to set/unset labels on policies via GitOps. It
builds on https://github.com/fleetdm/fleet/pull/27575 (back end for
policy labels) and updates the `PolicySpec` type and `ApplyPolicySpecs`
methods to update the `policy_labels` table where needed.
## Testing
1. Create a few labels in the UI
1. Create a global policy "foo" in the UI without labels
2. Create a global policy "bar" in the UI with labels
2. Create a global policy "baz" in the UI with labels
4. Use `fleetctl gitops` with a global .yml file, and under `policies:`
add "foo", "bar", "baz" and "boop".
* Add labels to "foo" with `labels_include_any:`
* Don't add `labels_include_any:` to "bar"
* Add labels to "baz" with `labels_include_any:`, but different labels
than what you added in the UI
* Add labels to "boop" with `labels_include_any:`
The expected outcome when viewing the queries in the UI (on the "edit
query" screen)
* Foo, Baz and Boop should have the labels specified in gitops
* Bar should have no labels
Repeat testing with _excluded_ labels.
---------
Co-authored-by: dantecatalfamo <dante.catalfamo@gmail.com>
Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
For #27283
This includes the work to add the new users card on host details and
show the new idp information as well as google profiles and other
emails.
This includes:
**new user card on the host details and my device page**
**rework of the grid layout on the host page**
**removal of unneeded device mapping code on host details and my device
page**
I've changed how we are using the grid layout in CSS to better support
dynamic rendering content
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [ ] Added/updated automated tests
- [ ] Manual QA for all new/changed functionality
For #27377.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Added/updated automated tests
For #27287
This PR adds SCIM Groups to Fleet's SCIM endpoint as a follow on to SCIM
Users. The logic has been manually tested with Okta, and integration
tests will be in the next PR.
# Checklist for submitter
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
If there is a pending install or uninstall for a software_title that has
a cooresponding software record (perhaps installed by another host),
then we need to apply the vulnerability joins to properly filter them.
https://github.com/fleetdm/fleet/issues/27745
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
Why? Product Designers 🤝 Frontend Engineers to discuss changes to design
conventions and UI components impact.
How often? Every 3 weeks
Who? Product Designers and Frontend Engineers
What? Talk about design conventions, UI components, and potential
overlap/collisions between wireframes
For #27276
# Details
This PR adds the ability to select labels when saving or editing a query
in the UI, so that the query will only target hosts with those labels.
It follows the API design from
https://github.com/fleetdm/fleet/pull/27196, utilizing the
labels_include_any and labels_exclude_any fields. The expectation is
that when creating or updating a query, labels_include_any and
labels_exclude_any are arrays of label names, and when fetching a single
query, they are arrays of objects with a name and an id key.
Other updates in this PR:
* Removed colons from various headings on the Save Policy Modal and Edit
Policy form
* Updated the "Delete label" text
* Removed "Policy runs on all hosts with these platforms." subheading
underneath the platform selector
* TargetLabelSelector component now has `suppressTitle` flag to turn off
the "Target" title.
Updates a test that can fail whenever the FMA list changes; the
assertions are from back when FMA was macOS only, so they're OK to
remove (the important stuff is still being tested)
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Added/updated automated tests
Most Fleet users want Fleet Desktop > My device page to work. I think
let's document that as the best practice
---------
Co-authored-by: Robert Fairburn <8029478+rfairburn@users.noreply.github.com>
