mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 09:28:54 +00:00
227e94de5b
Some checks are pending
Build binaries / build-binaries (push) Waiting to run
Check automated documentation is up-to-date / check-doc-gen (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
Deploy Fleet website / build (20.x) (push) Waiting to run
Apply latest configuration to dogfood with GitOps / fleet-gitops (push) Waiting to run
Test latest changes in fleetctl preview / test-preview (ubuntu-latest) (push) Waiting to run
golangci-lint / lint (push) Waiting to run
golangci-lint / lint-incremental (push) Waiting to run
Docker publish / publish (push) Waiting to run
Ingest maintained apps / build (push) Waiting to run
OSSF Scorecard / Validate Gradle wrapper (push) Waiting to run
OSSF Scorecard / Scorecard analysis (push) Waiting to run
Sync Maintained Apps Outputs to R2 / sync-to-r2 (push) Waiting to run
Test DB Changes / test-db-changes (push) Waiting to run
Run fleetd-chrome tests / test-fleetd-chrome (ubuntu-latest) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.0.42, integration-mdm) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.0.42, main) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.0.42, mysql) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.0.42, service) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.0.42, vuln) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.4.8, fleetctl) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.4.8, integration-core) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.4.8, integration-enterprise) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.4.8, integration-mdm) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.4.8, main) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.4.8, mysql) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.4.8, service) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.4.8, vuln) (push) Waiting to run
Go Tests / test-go-nanomdm (push) Waiting to run
Go Tests / test-go-no-db (fast) (push) Waiting to run
Go Tests / test-go-no-db (scripts) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.0.42, fleetctl) (push) Waiting to run
Go Tests / test-go (mysql:8.0.44, fleetctl) (push) Waiting to run
Go Tests / test-go (mysql:8.0.44, integration-core) (push) Waiting to run
Go Tests / test-go (mysql:8.0.44, integration-enterprise) (push) Waiting to run
Go Tests / test-go (mysql:8.0.44, integration-mdm) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.0.42, integration-core) (push) Waiting to run
Go Tests / test-go (mysql:8.0.44, main) (push) Waiting to run
Go Tests / test-go (mysql:8.0.44, mysql) (push) Waiting to run
Go Tests / test-go (mysql:8.0.44, service) (push) Waiting to run
Go Tests / test-go (mysql:8.0.44, vuln) (push) Waiting to run
Go Tests / test-go (mysql:9.5.0, fleetctl) (push) Waiting to run
Go Tests / test-go (mysql:9.5.0, integration-core) (push) Waiting to run
Go Tests / test-go (mysql:9.5.0, integration-enterprise) (push) Waiting to run
Go Tests / test-go (mysql:9.5.0, integration-mdm) (push) Waiting to run
Go Tests / test-go-extended-mysql (mysql:8.0.42, integration-enterprise) (push) Waiting to run
Go Tests / test-go (mysql:9.5.0, main) (push) Waiting to run
Go Tests / test-go (mysql:9.5.0, mysql) (push) Waiting to run
Go Tests / test-go (mysql:9.5.0, service) (push) Waiting to run
Go Tests / test-go (mysql:9.5.0, vuln) (push) Waiting to run
Go Tests / upload-coverage (push) Blocked by required conditions
Go Tests / aggregate-result (push) Blocked by required conditions
JavaScript Tests / test-js (ubuntu-latest) (push) Waiting to run
JavaScript Tests / lint-js (ubuntu-latest) (push) Waiting to run
Test Mock Changes / test-mock-changes (push) Waiting to run
Test native tooling packaging / test-packaging (local, ubuntu-latest) (push) Waiting to run
Test native tooling packaging / test-packaging (remote, ubuntu-latest) (push) Waiting to run
Test Puppet / test-puppet (push) Waiting to run
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #44723 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters. - [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes ## Testing - [x] Added/updated automated tests - [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [ ] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Strengthened validation of sorting/order parameters across many list and cursor-based endpoints — unsupported sort keys now return explicit errors and prevent unsafe queries. * Labels listing: label-list pagination query name changed; ordering by host_count is rejected when host counts are disabled (validated at request parsing). * **Tests** * Added/expanded tests covering allowed order keys, rejection of unknown keys, and pagination behavior for multiple listing APIs. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
763 lines
23 KiB
Go
763 lines
23 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"log/slog"
|
|
"net/http"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
|
|
"github.com/fleetdm/fleet/v4/server/contexts/logging"
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
"github.com/fleetdm/fleet/v4/server/platform/endpointer"
|
|
platform_logging "github.com/fleetdm/fleet/v4/server/platform/logging"
|
|
"github.com/fleetdm/fleet/v4/server/ptr"
|
|
"github.com/gorilla/mux"
|
|
)
|
|
|
|
func encodeResponse(ctx context.Context, w http.ResponseWriter, response interface{}) error {
|
|
return endpointer.EncodeCommonResponse(ctx, w, response, jsonMarshal, FleetErrorEncoder)
|
|
}
|
|
|
|
func jsonMarshal(w http.ResponseWriter, response interface{}) error {
|
|
enc := json.NewEncoder(w)
|
|
enc.SetIndent("", " ")
|
|
return enc.Encode(response)
|
|
}
|
|
|
|
func uint32FromRequest(r *http.Request, name string) (uint32, error) {
|
|
vars := mux.Vars(r)
|
|
s, ok := vars[name]
|
|
if !ok {
|
|
return 0, endpointer.ErrBadRoute
|
|
}
|
|
u, err := strconv.ParseUint(s, 10, 32)
|
|
if err != nil {
|
|
return 0, ctxerr.Wrap(r.Context(), err, "uint32FromRequest")
|
|
}
|
|
return uint32(u), nil
|
|
}
|
|
|
|
// default number of items to include per page
|
|
const defaultPerPage = 20
|
|
|
|
// listOptionsFromRequest parses the list options from the request parameters
|
|
func listOptionsFromRequest(r *http.Request) (fleet.ListOptions, error) {
|
|
var err error
|
|
|
|
pageString := r.URL.Query().Get("page")
|
|
perPageString := r.URL.Query().Get("per_page")
|
|
orderKey := r.URL.Query().Get("order_key")
|
|
orderDirectionString := r.URL.Query().Get("order_direction")
|
|
afterString := r.URL.Query().Get("after")
|
|
|
|
var page int
|
|
if pageString != "" {
|
|
page, err = strconv.Atoi(pageString)
|
|
if err != nil {
|
|
return fleet.ListOptions{}, ctxerr.Wrap(r.Context(), badRequest("non-int page value"))
|
|
}
|
|
if page < 0 {
|
|
return fleet.ListOptions{}, ctxerr.Wrap(r.Context(), badRequest("negative page value"))
|
|
}
|
|
}
|
|
|
|
// We default to 0 for per_page so that not specifying any paging
|
|
// information gets all results
|
|
var perPage int
|
|
if perPageString != "" {
|
|
perPage, err = strconv.Atoi(perPageString)
|
|
if err != nil {
|
|
return fleet.ListOptions{}, ctxerr.Wrap(r.Context(), badRequest("non-int per_page value"))
|
|
}
|
|
if perPage <= 0 {
|
|
return fleet.ListOptions{}, ctxerr.Wrap(r.Context(), badRequest("invalid per_page value"))
|
|
}
|
|
}
|
|
|
|
if perPage == 0 && pageString != "" {
|
|
// We explicitly set a non-zero default if a page is specified
|
|
// (because the client probably intended for paging, and
|
|
// leaving the 0 would turn that off)
|
|
perPage = defaultPerPage
|
|
}
|
|
|
|
if orderKey == "" && orderDirectionString != "" {
|
|
return fleet.ListOptions{}, ctxerr.Wrap(r.Context(), badRequest("order_key must be specified with order_direction"))
|
|
}
|
|
|
|
if orderKey == "" && afterString != "" {
|
|
return fleet.ListOptions{}, ctxerr.Wrap(r.Context(), badRequest("order_key must be specified with after"))
|
|
}
|
|
|
|
var orderDirection fleet.OrderDirection
|
|
switch orderDirectionString {
|
|
case "desc":
|
|
orderDirection = fleet.OrderDescending
|
|
case "asc":
|
|
orderDirection = fleet.OrderAscending
|
|
case "":
|
|
orderDirection = fleet.OrderAscending
|
|
default:
|
|
return fleet.ListOptions{},
|
|
ctxerr.Wrap(r.Context(), badRequest("unknown order_direction: "+orderDirectionString))
|
|
|
|
}
|
|
|
|
query := r.URL.Query().Get("query")
|
|
|
|
return fleet.ListOptions{
|
|
Page: uint(page), //nolint:gosec // dismiss G115
|
|
PerPage: uint(perPage), //nolint:gosec // dismiss G115
|
|
OrderKey: orderKey,
|
|
OrderDirection: orderDirection,
|
|
MatchQuery: strings.TrimSpace(query),
|
|
After: afterString,
|
|
}, nil
|
|
}
|
|
|
|
func hostListOptionsFromRequest(r *http.Request) (fleet.HostListOptions, error) {
|
|
opt, err := listOptionsFromRequest(r)
|
|
if err != nil {
|
|
return fleet.HostListOptions{}, err
|
|
}
|
|
|
|
hopt := fleet.HostListOptions{ListOptions: opt}
|
|
|
|
status := r.URL.Query().Get("status")
|
|
switch fleet.HostStatus(status) {
|
|
case fleet.StatusNew, fleet.StatusOnline, fleet.StatusOffline, fleet.StatusMIA, fleet.StatusMissing:
|
|
hopt.StatusFilter = fleet.HostStatus(status)
|
|
case "":
|
|
// No error when unset
|
|
default:
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid status: %s", status)))
|
|
|
|
}
|
|
|
|
additionalInfoFiltersString := r.URL.Query().Get("additional_info_filters")
|
|
if additionalInfoFiltersString != "" {
|
|
hopt.AdditionalFilters = strings.Split(additionalInfoFiltersString, ",")
|
|
}
|
|
|
|
teamID, err := handleDeprecatedParams(r, "team_id", "fleet_id")
|
|
if err != nil {
|
|
return hopt, err
|
|
}
|
|
if teamID != "" {
|
|
id, err := strconv.ParseUint(teamID, 10, 32)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid team_id: %s", teamID)))
|
|
}
|
|
tid := uint(id)
|
|
hopt.TeamFilter = &tid
|
|
}
|
|
|
|
policyID := r.URL.Query().Get("policy_id")
|
|
if policyID != "" {
|
|
id, err := strconv.ParseUint(policyID, 10, 32)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid policy_id: %s", policyID)))
|
|
}
|
|
pid := uint(id)
|
|
hopt.PolicyIDFilter = &pid
|
|
}
|
|
|
|
policyResponse := r.URL.Query().Get("policy_response")
|
|
if policyResponse != "" {
|
|
if hopt.PolicyIDFilter == nil {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
"Missing policy_id (it must be present when policy_response is specified)",
|
|
),
|
|
)
|
|
}
|
|
var v *bool
|
|
switch policyResponse {
|
|
case "passing":
|
|
v = ptr.Bool(true)
|
|
case "failing":
|
|
v = ptr.Bool(false)
|
|
default:
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(),
|
|
badRequest(
|
|
fmt.Sprintf(
|
|
"Invalid policy_response: %v (Valid options are 'passing' or 'failing')",
|
|
policyResponse,
|
|
),
|
|
),
|
|
)
|
|
}
|
|
hopt.PolicyResponseFilter = v
|
|
}
|
|
|
|
softwareID := r.URL.Query().Get("software_id")
|
|
if softwareID != "" {
|
|
id, err := strconv.ParseUint(softwareID, 10, 64)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid software_id: %s", softwareID)))
|
|
}
|
|
sid := uint(id)
|
|
hopt.SoftwareIDFilter = &sid
|
|
}
|
|
|
|
softwareVersionID := r.URL.Query().Get("software_version_id")
|
|
if softwareVersionID != "" {
|
|
id, err := strconv.ParseUint(softwareVersionID, 10, 64)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid software_version_id: %s", softwareVersionID)))
|
|
}
|
|
sid := uint(id)
|
|
hopt.SoftwareVersionIDFilter = &sid
|
|
}
|
|
|
|
softwareTitleID := r.URL.Query().Get("software_title_id")
|
|
if softwareTitleID != "" {
|
|
id, err := strconv.ParseUint(softwareTitleID, 10, 32)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid software_title_id: %s", softwareTitleID)))
|
|
}
|
|
sid := uint(id)
|
|
hopt.SoftwareTitleIDFilter = &sid
|
|
}
|
|
|
|
softwareStatus := fleet.SoftwareInstallerStatus(strings.ToLower(r.URL.Query().Get("software_status")))
|
|
if softwareStatus != "" {
|
|
if !softwareStatus.IsValid() {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(fmt.Sprintf("Invalid software_status: %s", softwareStatus)),
|
|
)
|
|
}
|
|
if hopt.SoftwareTitleIDFilter == nil {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
"Missing software_title_id (it must be present when software_status is specified)",
|
|
),
|
|
)
|
|
}
|
|
if hopt.TeamFilter == nil {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
"Missing team_id (it must be present when software_status is specified)",
|
|
),
|
|
)
|
|
}
|
|
hopt.SoftwareStatusFilter = &softwareStatus
|
|
}
|
|
|
|
osID := r.URL.Query().Get("os_id")
|
|
if osID != "" {
|
|
id, err := strconv.ParseUint(osID, 10, 32)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid os_id: %s", osID)))
|
|
}
|
|
sid := uint(id)
|
|
hopt.OSIDFilter = &sid
|
|
}
|
|
|
|
osVersionID := r.URL.Query().Get("os_version_id")
|
|
if osVersionID != "" {
|
|
id, err := strconv.ParseUint(osVersionID, 10, 32)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid os_version_id: %s", osVersionID)))
|
|
}
|
|
sid := uint(id)
|
|
hopt.OSVersionIDFilter = &sid
|
|
}
|
|
|
|
osName := r.URL.Query().Get("os_name")
|
|
if osName != "" {
|
|
hopt.OSNameFilter = &osName
|
|
}
|
|
|
|
osVersion := r.URL.Query().Get("os_version")
|
|
if osVersion != "" {
|
|
hopt.OSVersionFilter = &osVersion
|
|
}
|
|
|
|
cve := r.URL.Query().Get("vulnerability")
|
|
if cve != "" {
|
|
hopt.VulnerabilityFilter = &cve
|
|
}
|
|
|
|
if hopt.OSNameFilter != nil && hopt.OSVersionFilter == nil {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
"Invalid os_version (os_version must be specified with os_name)",
|
|
),
|
|
)
|
|
}
|
|
if hopt.OSNameFilter == nil && hopt.OSVersionFilter != nil {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
"Invalid os_name (os_name must be specified with os_version)",
|
|
),
|
|
)
|
|
}
|
|
|
|
// disable_failing_policies is a deprecated parameter and an alias for disable_issues
|
|
// disable_issues is the new parameter name, which takes precedence over disable_failing_policies
|
|
disableFailingPolicies := r.URL.Query().Get("disable_failing_policies")
|
|
disableIssues := r.URL.Query().Get("disable_issues")
|
|
if disableIssues != "" {
|
|
boolVal, err := strconv.ParseBool(disableIssues)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
fmt.Sprintf(
|
|
"Invalid disable_issues: %s",
|
|
disableIssues,
|
|
),
|
|
),
|
|
)
|
|
}
|
|
hopt.DisableIssues = boolVal
|
|
} else if disableFailingPolicies != "" {
|
|
boolVal, err := strconv.ParseBool(disableFailingPolicies)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
fmt.Sprintf(
|
|
"Invalid disable_failing_policies: %s",
|
|
disableFailingPolicies,
|
|
),
|
|
),
|
|
)
|
|
}
|
|
hopt.DisableIssues = boolVal
|
|
}
|
|
if hopt.DisableIssues {
|
|
switch {
|
|
case r.URL.Query().Get("order_key") == "issues":
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
"Invalid order_key (issues cannot be ordered when they are disabled)",
|
|
),
|
|
)
|
|
case r.URL.Query().Get("order_key") == "failing_policies_count":
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
"Invalid order_key (failing_policies_count cannot be ordered when they are disabled)",
|
|
),
|
|
)
|
|
case r.URL.Query().Get("order_key") == "critical_vulnerabilities_count":
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
"Invalid order_key (critical_vulnerabilities_count cannot be ordered when they are disabled)",
|
|
),
|
|
)
|
|
case r.URL.Query().Get("order_key") == "total_issues_count":
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
"Invalid order_key (total_issues_count cannot be ordered when they are disabled)",
|
|
),
|
|
)
|
|
}
|
|
}
|
|
|
|
deviceMapping := r.URL.Query().Get("device_mapping")
|
|
if deviceMapping != "" {
|
|
boolVal, err := strconv.ParseBool(deviceMapping)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid device_mapping: %s", deviceMapping)))
|
|
}
|
|
hopt.DeviceMapping = boolVal
|
|
}
|
|
|
|
if !hopt.DeviceMapping && r.URL.Query().Get("order_key") == "device_mapping" {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
"Invalid order_key (device_mapping cannot be ordered when they are disabled)",
|
|
),
|
|
)
|
|
}
|
|
|
|
mdmID := r.URL.Query().Get("mdm_id")
|
|
if mdmID != "" {
|
|
id, err := strconv.ParseUint(mdmID, 10, 32)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid mdm_id: %s", mdmID)))
|
|
}
|
|
mid := uint(id)
|
|
hopt.MDMIDFilter = &mid
|
|
}
|
|
|
|
if mdmName := r.URL.Query().Get("mdm_name"); mdmName != "" {
|
|
hopt.MDMNameFilter = &mdmName
|
|
}
|
|
|
|
enrollmentStatus := r.URL.Query().Get("mdm_enrollment_status")
|
|
switch fleet.MDMEnrollStatus(enrollmentStatus) {
|
|
case fleet.MDMEnrollStatusManual, fleet.MDMEnrollStatusAutomatic, fleet.MDMEnrollStatusPersonal,
|
|
fleet.MDMEnrollStatusPending, fleet.MDMEnrollStatusUnenrolled, fleet.MDMEnrollStatusEnrolled:
|
|
hopt.MDMEnrollmentStatusFilter = fleet.MDMEnrollStatus(enrollmentStatus)
|
|
case "":
|
|
// No error when unset
|
|
default:
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(fmt.Sprintf("Invalid mdm_enrollment_status: %s", enrollmentStatus)),
|
|
)
|
|
}
|
|
|
|
connectedToFleet := r.URL.Query().Has("connected_to_fleet")
|
|
if connectedToFleet {
|
|
hopt.ConnectedToFleetFilter = ptr.Bool(true)
|
|
}
|
|
|
|
macOSSettingsStatus, err := handleDeprecatedParams(r, "macos_settings", "apple_settings")
|
|
if err != nil {
|
|
return hopt, err
|
|
}
|
|
switch fleet.OSSettingsStatus(macOSSettingsStatus) {
|
|
case fleet.OSSettingsFailed, fleet.OSSettingsPending, fleet.OSSettingsVerifying, fleet.OSSettingsVerified:
|
|
hopt.MacOSSettingsFilter = fleet.OSSettingsStatus(macOSSettingsStatus)
|
|
case "":
|
|
// No error when unset
|
|
default:
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(fmt.Sprintf("Invalid apple_settings: %s", macOSSettingsStatus)),
|
|
)
|
|
}
|
|
|
|
macOSSettingsDiskEncryptionStatus := r.URL.Query().Get("macos_settings_disk_encryption")
|
|
switch fleet.DiskEncryptionStatus(macOSSettingsDiskEncryptionStatus) {
|
|
case
|
|
fleet.DiskEncryptionVerifying,
|
|
fleet.DiskEncryptionVerified,
|
|
fleet.DiskEncryptionActionRequired,
|
|
fleet.DiskEncryptionEnforcing,
|
|
fleet.DiskEncryptionFailed,
|
|
fleet.DiskEncryptionRemovingEnforcement:
|
|
hopt.MacOSSettingsDiskEncryptionFilter = fleet.DiskEncryptionStatus(macOSSettingsDiskEncryptionStatus)
|
|
case "":
|
|
// No error when unset
|
|
default:
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(),
|
|
badRequest(fmt.Sprintf("Invalid macos_settings_disk_encryption: %s", macOSSettingsDiskEncryptionStatus)),
|
|
)
|
|
}
|
|
|
|
osSettingsStatus := r.URL.Query().Get("os_settings")
|
|
switch fleet.OSSettingsStatus(osSettingsStatus) {
|
|
case fleet.OSSettingsFailed, fleet.OSSettingsPending, fleet.OSSettingsVerifying, fleet.OSSettingsVerified:
|
|
hopt.OSSettingsFilter = fleet.OSSettingsStatus(osSettingsStatus)
|
|
case "":
|
|
// No error when unset
|
|
default:
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(fmt.Sprintf("Invalid os_settings: %s", osSettingsStatus)),
|
|
)
|
|
}
|
|
|
|
osSettingsDiskEncryptionStatus := r.URL.Query().Get("os_settings_disk_encryption")
|
|
switch fleet.DiskEncryptionStatus(osSettingsDiskEncryptionStatus) {
|
|
case
|
|
fleet.DiskEncryptionVerifying,
|
|
fleet.DiskEncryptionVerified,
|
|
fleet.DiskEncryptionActionRequired,
|
|
fleet.DiskEncryptionEnforcing,
|
|
fleet.DiskEncryptionFailed,
|
|
fleet.DiskEncryptionRemovingEnforcement:
|
|
hopt.OSSettingsDiskEncryptionFilter = fleet.DiskEncryptionStatus(osSettingsDiskEncryptionStatus)
|
|
case "":
|
|
// No error when unset
|
|
default:
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(),
|
|
badRequest(fmt.Sprintf("Invalid os_settings_disk_encryption: %s", macOSSettingsDiskEncryptionStatus)),
|
|
)
|
|
}
|
|
|
|
mdmBootstrapPackageStatus, err := handleDeprecatedParams(r, "bootstrap_package", "macos_bootstrap_package")
|
|
if err != nil {
|
|
return hopt, err
|
|
}
|
|
switch fleet.MDMBootstrapPackageStatus(mdmBootstrapPackageStatus) {
|
|
case fleet.MDMBootstrapPackageFailed, fleet.MDMBootstrapPackagePending, fleet.MDMBootstrapPackageInstalled:
|
|
bpf := fleet.MDMBootstrapPackageStatus(mdmBootstrapPackageStatus)
|
|
hopt.MDMBootstrapPackageFilter = &bpf
|
|
case "":
|
|
// No error when unset
|
|
default:
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(fmt.Sprintf("Invalid macos_bootstrap_package: %s", mdmBootstrapPackageStatus)),
|
|
)
|
|
}
|
|
|
|
profileUUID := r.URL.Query().Get("profile_uuid")
|
|
profileStatus := r.URL.Query().Get("profile_status")
|
|
switch {
|
|
case profileUUID != "" && profileStatus != "":
|
|
hopt.ProfileUUIDFilter = &profileUUID
|
|
if fleet.OSSettingsStatus(profileStatus).IsValid() {
|
|
psf := fleet.OSSettingsStatus(profileStatus)
|
|
hopt.ProfileStatusFilter = &psf
|
|
} else {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid profile_status: %s", profileStatus)))
|
|
}
|
|
case profileUUID != "" && profileStatus == "":
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest("Missing profile_status (it must be present when profile_uuid is specified)"))
|
|
case profileUUID == "" && profileStatus != "":
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest("Missing profile_uuid (it must be present when profile_status is specified)"))
|
|
}
|
|
|
|
munkiIssueID := r.URL.Query().Get("munki_issue_id")
|
|
if munkiIssueID != "" {
|
|
id, err := strconv.ParseUint(munkiIssueID, 10, 32)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid munki_issue_id: %s", munkiIssueID)))
|
|
}
|
|
mid := uint(id)
|
|
hopt.MunkiIssueIDFilter = &mid
|
|
}
|
|
|
|
lowDiskSpace := r.URL.Query().Get("low_disk_space")
|
|
if lowDiskSpace != "" {
|
|
v, err := strconv.Atoi(lowDiskSpace)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid low_disk_space: %s", lowDiskSpace)))
|
|
}
|
|
if v < 1 || v > 100 {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
fmt.Sprintf(
|
|
"Invalid low_disk_space, must be between 1 and 100: %s", lowDiskSpace,
|
|
),
|
|
),
|
|
)
|
|
}
|
|
hopt.LowDiskSpaceFilter = &v
|
|
}
|
|
|
|
batchScriptExecutionID := r.URL.Query().Get("script_batch_execution_id")
|
|
if batchScriptExecutionID != "" {
|
|
hopt.BatchScriptExecutionIDFilter = &batchScriptExecutionID
|
|
batchScriptExecutionStatus := r.URL.Query().Get("script_batch_execution_status")
|
|
if batchScriptExecutionStatus != "" {
|
|
if fleet.BatchScriptExecutionStatus(batchScriptExecutionStatus).IsValid() {
|
|
bsef := fleet.BatchScriptExecutionStatus(batchScriptExecutionStatus)
|
|
hopt.BatchScriptExecutionStatusFilter = bsef
|
|
} else {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid script_batch_execution_status: %s", batchScriptExecutionStatus)))
|
|
}
|
|
}
|
|
}
|
|
|
|
populateSoftware := r.URL.Query().Get("populate_software")
|
|
if populateSoftware == "without_vulnerability_details" {
|
|
hopt.PopulateSoftware = true
|
|
hopt.PopulateSoftwareVulnerabilityDetails = false
|
|
} else if populateSoftware != "" {
|
|
ps, err := strconv.ParseBool(populateSoftware)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(`Invalid value for populate_software. Should be one of "true", "false", or "without_vulnerability_details".`))
|
|
}
|
|
hopt.PopulateSoftware = ps
|
|
hopt.PopulateSoftwareVulnerabilityDetails = ps
|
|
}
|
|
|
|
populatePolicies := r.URL.Query().Get("populate_policies")
|
|
if populatePolicies != "" {
|
|
pp, err := strconv.ParseBool(populatePolicies)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(fmt.Sprintf("Invalid boolean parameter populate_policies: %s", populateSoftware)),
|
|
)
|
|
}
|
|
hopt.PopulatePolicies = pp
|
|
}
|
|
|
|
populateUsers := r.URL.Query().Get("populate_users")
|
|
if populateUsers != "" {
|
|
pu, err := strconv.ParseBool(populateUsers)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(fmt.Sprintf("Invalid boolean parameter populate_users: %s", populateUsers)),
|
|
)
|
|
}
|
|
hopt.PopulateUsers = pu
|
|
}
|
|
|
|
populateLabels := r.URL.Query().Get("populate_labels")
|
|
if populateLabels != "" {
|
|
pl, err := strconv.ParseBool(populateLabels)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(fmt.Sprintf("Invalid boolean parameter populate_labels: %s", populateLabels)),
|
|
)
|
|
}
|
|
hopt.PopulateLabels = pl
|
|
}
|
|
|
|
includeDeviceStatus := r.URL.Query().Get("include_device_status")
|
|
if includeDeviceStatus != "" {
|
|
ids, err := strconv.ParseBool(includeDeviceStatus)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(fmt.Sprintf("Invalid boolean parameter include_device_status: %s", includeDeviceStatus)),
|
|
)
|
|
}
|
|
hopt.IncludeDeviceStatus = ids
|
|
}
|
|
|
|
// cannot combine software_id, software_version_id, and software_title_id
|
|
var softwareErrorLabel []string
|
|
if hopt.SoftwareIDFilter != nil {
|
|
softwareErrorLabel = append(softwareErrorLabel, "software_id")
|
|
}
|
|
if hopt.SoftwareVersionIDFilter != nil {
|
|
softwareErrorLabel = append(softwareErrorLabel, "software_version_id")
|
|
}
|
|
if hopt.SoftwareTitleIDFilter != nil {
|
|
softwareErrorLabel = append(softwareErrorLabel, "software_title_id")
|
|
}
|
|
if len(softwareErrorLabel) > 1 {
|
|
return hopt, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid parameters. The combination of %s is not allowed.", strings.Join(softwareErrorLabel, " and "))))
|
|
}
|
|
|
|
depProfileError := r.URL.Query().Get("dep_profile_error")
|
|
if depProfileError != "" {
|
|
boolVal, err := strconv.ParseBool(depProfileError)
|
|
if err != nil {
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
fmt.Sprintf(
|
|
"Invalid dep_profile_error: %s",
|
|
depProfileError,
|
|
),
|
|
),
|
|
)
|
|
}
|
|
hopt.DEPProfileErrorFilter = &boolVal
|
|
}
|
|
|
|
depAssignProfileResponse := r.URL.Query().Get("dep_assign_profile_response")
|
|
if depAssignProfileResponse != "" {
|
|
switch fleet.DEPAssignProfileResponseStatus(depAssignProfileResponse) {
|
|
case fleet.DEPAssignProfileResponseSuccess,
|
|
fleet.DEPAssignProfileResponseFailed,
|
|
fleet.DEPAssignProfileResponseThrottled,
|
|
fleet.DEPAssignProfileResponseNotAccessible:
|
|
resp := fleet.DEPAssignProfileResponseStatus(depAssignProfileResponse)
|
|
hopt.DEPAssignProfileResponseFilter = &resp
|
|
default:
|
|
return hopt, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
fmt.Sprintf(
|
|
"Invalid dep_assign_profile_response: %s. Valid options are '%s', '%s', '%s', or '%s'.",
|
|
depAssignProfileResponse,
|
|
fleet.DEPAssignProfileResponseSuccess,
|
|
fleet.DEPAssignProfileResponseFailed,
|
|
fleet.DEPAssignProfileResponseThrottled,
|
|
fleet.DEPAssignProfileResponseNotAccessible,
|
|
),
|
|
),
|
|
)
|
|
}
|
|
}
|
|
|
|
return hopt, nil
|
|
}
|
|
|
|
func labelListOptionsFromRequest(r *http.Request) (fleet.ListOptions, error) {
|
|
opt, err := listOptionsFromRequest(r)
|
|
if err != nil {
|
|
return fleet.ListOptions{}, err
|
|
}
|
|
|
|
includeHostCountsStr := r.URL.Query().Get("include_host_counts")
|
|
if includeHostCountsStr != "" && opt.OrderKey == "host_count" {
|
|
includeHostCounts, parseErr := strconv.ParseBool(includeHostCountsStr)
|
|
if parseErr == nil && !includeHostCounts {
|
|
return fleet.ListOptions{}, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
"Invalid order_key (host_count cannot be ordered when they are disabled)",
|
|
),
|
|
)
|
|
}
|
|
}
|
|
|
|
return opt, nil
|
|
}
|
|
|
|
func carveListOptionsFromRequest(r *http.Request) (fleet.CarveListOptions, error) {
|
|
opt, err := listOptionsFromRequest(r)
|
|
if err != nil {
|
|
return fleet.CarveListOptions{}, err
|
|
}
|
|
|
|
carveOpts := fleet.CarveListOptions{ListOptions: opt}
|
|
|
|
expired := r.URL.Query().Get("expired")
|
|
if expired == "" {
|
|
carveOpts.Expired = false
|
|
} else {
|
|
boolVal, err := strconv.ParseBool(expired)
|
|
if err != nil {
|
|
return carveOpts, ctxerr.Wrap(
|
|
r.Context(), badRequest(
|
|
fmt.Sprintf("Invalid expired: %s", expired),
|
|
),
|
|
)
|
|
}
|
|
carveOpts.Expired = boolVal
|
|
}
|
|
return carveOpts, nil
|
|
}
|
|
|
|
func userListOptionsFromRequest(r *http.Request) (fleet.UserListOptions, error) {
|
|
opt, err := listOptionsFromRequest(r)
|
|
if err != nil {
|
|
return fleet.UserListOptions{}, err
|
|
}
|
|
|
|
userOpts := fleet.UserListOptions{ListOptions: opt}
|
|
tid, err := handleDeprecatedParams(r, "team_id", "fleet_id")
|
|
if err != nil {
|
|
return userOpts, err
|
|
}
|
|
if tid != "" {
|
|
teamID, err := strconv.ParseUint(tid, 10, 64)
|
|
if err != nil {
|
|
return userOpts, ctxerr.Wrap(r.Context(), badRequest(fmt.Sprintf("Invalid team_id: %s", tid)))
|
|
}
|
|
// GitHub CodeQL flags this as: Incorrect conversion between integer types. Previously waived: https://github.com/fleetdm/fleet/security/code-scanning/516
|
|
userOpts.TeamID = uint(teamID)
|
|
}
|
|
|
|
return userOpts, nil
|
|
}
|
|
|
|
type getGenericSpecRequest struct {
|
|
Name string `url:"name"`
|
|
}
|
|
|
|
func handleDeprecatedParams(r *http.Request, deprecatedParam, newParam string) (string, error) {
|
|
ctx := r.Context()
|
|
query := r.URL.Query()
|
|
hasOld := query.Has(deprecatedParam)
|
|
hasNew := query.Has(newParam)
|
|
|
|
if hasOld && hasNew {
|
|
return "", ctxerr.Wrap(
|
|
ctx,
|
|
badRequest(fmt.Sprintf("Cannot specify both %s and %s parameters", deprecatedParam, newParam)),
|
|
)
|
|
}
|
|
if hasOld {
|
|
if platform_logging.TopicEnabled(platform_logging.DeprecatedFieldTopic) {
|
|
logging.WithLevel(ctx, slog.LevelWarn)
|
|
logging.WithExtras(ctx,
|
|
"deprecated_param", deprecatedParam,
|
|
"deprecation_warning", fmt.Sprintf("'%s' is deprecated, use '%s' instead", deprecatedParam, newParam),
|
|
)
|
|
}
|
|
return query.Get(deprecatedParam), nil
|
|
}
|
|
return query.Get(newParam), nil
|
|
}
|