Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 21:47:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 117
fleet/server/service/software.go
jacobshandling c75e5d85c0
Return light software metadata when listing hosts filtered by software present only on a different team (#42519) 
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #39190

https://www.loom.com/share/3c1828f03c584756b7ed8f3ba75a1038

<img width="1840" height="1196" alt="Screenshot 2026-03-30 at 1 08
32 PM"
src="https://github.com/user-attachments/assets/592c9396-65b4-4723-99e7-63f9ee0264c1"
/>

- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Resolved host filtering by software version when the version is not
available on the selected team; now returns software information instead
of an error.
  * Fixed a related UI issue caused by the original filtering behavior.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-30 21:33:21 -07:00

279 lines
9 KiB
Go
Raw Blame History

package service
import (
"context"
"fmt"
"net/http"
"time"
"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
"github.com/fleetdm/fleet/v4/server/contexts/viewer"
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/fleetdm/fleet/v4/server/ptr"
)
/////////////////////////////////////////////////////////////////////////////////
// List
/////////////////////////////////////////////////////////////////////////////////
type listSoftwareRequest struct {
fleet.SoftwareListOptions
}
// Deprecated: listSoftwareResponse is the response struct for the deprecated
// listSoftwareEndpoint. It differs from listSoftwareVersionsResponse in that
// the latter includes a count of the total number of software items.
type listSoftwareResponse struct {
CountsUpdatedAt *time.Time `json:"counts_updated_at"`
Software []fleet.Software `json:"software,omitempty"`
Err error `json:"error,omitempty"`
}
func (r listSoftwareResponse) Error() error { return r.Err }
// Deprecated: use listSoftwareVersionsEndpoint instead
func listSoftwareEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
req := request.(*listSoftwareRequest)
resp, _, err := svc.ListSoftware(ctx, req.SoftwareListOptions)
if err != nil {
return listSoftwareResponse{Err: err}, nil
}
// calculate the latest counts_updated_at
var latest time.Time
for _, sw := range resp {
if !sw.CountsUpdatedAt.IsZero() && sw.CountsUpdatedAt.After(latest) {
latest = sw.CountsUpdatedAt
}
}
listResp := listSoftwareResponse{Software: resp}
if !latest.IsZero() {
listResp.CountsUpdatedAt = &latest
}
return listResp, nil
}
type listSoftwareVersionsResponse struct {
Count int `json:"count"`
CountsUpdatedAt *time.Time `json:"counts_updated_at"`
Software []fleet.Software `json:"software,omitempty"`
Meta *fleet.PaginationMetadata `json:"meta"`
Err error `json:"error,omitempty"`
}
func (r listSoftwareVersionsResponse) Error() error { return r.Err }
func listSoftwareVersionsEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
req := request.(*listSoftwareRequest)
// always include pagination for new software versions endpoint (not included by default in
// legacy endpoint for backwards compatibility)
req.SoftwareListOptions.ListOptions.IncludeMetadata = true
resp, meta, err := svc.ListSoftware(ctx, req.SoftwareListOptions)
if err != nil {
return listSoftwareVersionsResponse{Err: err}, nil
}
// calculate the latest counts_updated_at
var latest time.Time
for _, sw := range resp {
if !sw.CountsUpdatedAt.IsZero() && sw.CountsUpdatedAt.After(latest) {
latest = sw.CountsUpdatedAt
}
}
listResp := listSoftwareVersionsResponse{Software: resp, Meta: meta}
if !latest.IsZero() {
listResp.CountsUpdatedAt = &latest
}
c, err := svc.CountSoftware(ctx, req.SoftwareListOptions)
if err != nil {
return listSoftwareVersionsResponse{Err: err}, nil
}
listResp.Count = c
return listResp, nil
}
func (svc *Service) ListSoftware(ctx context.Context, opt fleet.SoftwareListOptions) ([]fleet.Software, *fleet.PaginationMetadata, error) {
if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{
TeamID: opt.TeamID,
}, fleet.ActionRead); err != nil {
return nil, nil, err
}
// Vulnerability filters are only available in premium (opt.IncludeCVEScores is only true in premium)
lic, err := svc.License(ctx)
if err != nil {
return nil, nil, err
}
if !lic.IsPremium() && (opt.MaximumCVSS > 0 || opt.MinimumCVSS > 0 || opt.KnownExploit) {
return nil, nil, fleet.ErrMissingLicense
}
// default sort order to hosts_count descending
if opt.ListOptions.OrderKey == "" {
opt.ListOptions.OrderKey = "hosts_count"
opt.ListOptions.OrderDirection = fleet.OrderDescending
}
opt.WithHostCounts = true
softwares, meta, err := svc.ds.ListSoftware(ctx, opt)
if err != nil {
return nil, nil, err
}
return softwares, meta, nil
}
/////////////////////////////////////////////////////////////////////////////////
// Get Software
/////////////////////////////////////////////////////////////////////////////////
type getSoftwareRequest struct {
ID uint `url:"id"`
TeamID *uint `query:"team_id,optional" renameto:"fleet_id"`
}
type getSoftwareResponse struct {
Software *fleet.Software `json:"software,omitempty"`
Err error `json:"error,omitempty"`
}
func (r getSoftwareResponse) Error() error { return r.Err }
func getSoftwareEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
req := request.(*getSoftwareRequest)
software, err := svc.SoftwareByID(ctx, req.ID, req.TeamID, false)
if err != nil {
return getSoftwareResponse{Err: err}, nil
}
return getSoftwareResponse{Software: software}, nil
}
func (svc *Service) SoftwareByID(ctx context.Context, id uint, teamID *uint, includeCVEScores bool) (*fleet.Software, error) {
if err := svc.authz.Authorize(ctx, &fleet.Host{TeamID: teamID}, fleet.ActionList); err != nil {
return nil, err
}
if teamID != nil && *teamID > 0 {
// This auth check ensures we return 403 if the user doesn't have access to the team
if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{TeamID: teamID}, fleet.ActionRead); err != nil {
return nil, err
}
exists, err := svc.ds.TeamExists(ctx, *teamID)
if err != nil {
return nil, ctxerr.Wrap(ctx, err, "checking if team exists")
} else if !exists {
return nil, fleet.NewInvalidArgumentError("team_id/fleet_id", fmt.Sprintf("fleet %d does not exist", *teamID)).
WithStatus(http.StatusNotFound)
}
}
vc, ok := viewer.FromContext(ctx)
if !ok {
return nil, fleet.ErrNoContext
}
// NOTE: The following logic relaxes the restriction so that software metadata (e.g. id, name)
// can be returned even if the requesting user does not have permission to view any hosts where the software
// is installed. However, host-specific information remains protected and is only available if the
// user is authorized for the relevant teams. This ensures basic metadata visibility across all users
// while preserving team-based access control for sensitive, host-linked data.
software, err := svc.ds.SoftwareByID(ctx, id, teamID, includeCVEScores, &fleet.TeamFilter{
User: vc.User,
IncludeObserver: true,
})
if err != nil {
if fleet.IsNotFound(err) && teamID == nil {
// here we use a global admin as filter because we want
// to check if the software version exists
filter := fleet.TeamFilter{User: &fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)}}
sw, err := svc.ds.SoftwareByID(ctx, id, teamID, includeCVEScores, &filter)
if err != nil {
// Not found anywhere
return nil, ctxerr.Wrap(ctx, err, "software not found for any team")
}
// Found, but user has no permission to hosts it's installed on.
// Instead of PermissionError, return a stub with the name.
stub := &fleet.Software{
ID: id,
Name: sw.Name,
}
return stub, nil
}
return nil, ctxerr.Wrap(ctx, err, "getting software version by id")
}
return software, nil
}
func (svc *Service) SoftwareLiteByID(
ctx context.Context,
id uint,
) (fleet.SoftwareLite, error) {
if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{}, fleet.ActionRead); err != nil {
return fleet.SoftwareLite{}, err
}
swLite, err := svc.ds.SoftwareLiteByID(ctx, id)
if err != nil {
return fleet.SoftwareLite{}, err
}
return swLite, nil
}
/////////////////////////////////////////////////////////////////////////////////
// Count
/////////////////////////////////////////////////////////////////////////////////
type countSoftwareRequest struct {
fleet.SoftwareListOptions
}
type countSoftwareResponse struct {
Count int `json:"count"`
Err error `json:"error,omitempty"`
}
func (r countSoftwareResponse) Error() error { return r.Err }
// Deprecated: counts are now included directly in the listSoftwareVersionsResponse. This
// endpoint is retained for backwards compatibility.
func countSoftwareEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (fleet.Errorer, error) {
req := request.(*countSoftwareRequest)
count, err := svc.CountSoftware(ctx, req.SoftwareListOptions)
if err != nil {
return countSoftwareResponse{Err: err}, nil
}
return countSoftwareResponse{Count: count}, nil
}
func (svc Service) CountSoftware(ctx context.Context, opt fleet.SoftwareListOptions) (int, error) {
if err := svc.authz.Authorize(ctx, &fleet.AuthzSoftwareInventory{
TeamID: opt.TeamID,
}, fleet.ActionRead); err != nil {
return 0, err
}
lic, err := svc.License(ctx)
if err != nil {
return 0, ctxerr.Wrap(ctx, err, "get license")
}
// Vulnerability filters are only available in premium
if !lic.IsPremium() && (opt.MaximumCVSS > 0 || opt.MinimumCVSS > 0 || opt.KnownExploit) {
return 0, fleet.ErrMissingLicense
}
// required for vulnerability filters
if lic.IsPremium() {
opt.IncludeCVEScores = true
}
return svc.ds.CountSoftware(ctx, opt)
}
Reference in a new issue View git blame Copy permalink