fleet/server/service/client_scripts.go
Scott Gress 4e35de2ac3
Update fleetctl client urls and params (#41463)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41385 

# Details

This PR updates `fleetctl` to use the new API urls and params when
communicating with Fleet server. This avoids deprecation warnings
showing up on the server that users won't be able to fix.

Most of the changes are straightforward `team_id` -> `fleet_id`. A
couple of code changes have been pointed out. The most interesting is in
icon URLs, which can be persisted in the database (so we'll need to do a
migration in Fleet 5 if we want to drop support for `team_id`.

Similarly the FMA download urls are briefly persisted in the db for the
purpose of sending MDM commands. If we drop team_id support in Fleet 5
there could be a brief window where there are unprocessed commands in
the db still with `team_id` in them, so we'll probably want to migrate
those as well.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a - all internal

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- [X] ran `fleetctl gitops` on main and saw a bunch of deprecation
warnings, ran it on this branch and the warnings were gone 💨
  - [X] same with `fleetctl generate-gitops`
- [X] ran `fleetctl get` commands and verified that the new URLs and
params were used
- [X] ran `fleetctl apply` commands and verified that the new URLs and
params were used
2026-03-13 08:38:55 -05:00

263 lines
7.5 KiB
Go

package service
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"io"
"mime/multipart"
"net/http"
"os"
"strings"
"time"
"github.com/fleetdm/fleet/v4/server/fleet"
)
const pollWaitTime = 5 * time.Second
func (c *Client) RunHostScriptSync(hostID uint, scriptContents []byte, scriptName string, teamID uint) (*fleet.HostScriptResult, error) {
verb, path := "POST", "/api/latest/fleet/scripts/run"
res, err := c.runHostScript(verb, path, hostID, scriptContents, scriptName, teamID, http.StatusAccepted)
if err != nil {
return nil, err
}
if res.ExecutionID == "" {
return nil, errors.New("missing execution id in response")
}
return c.pollForResult(res.ExecutionID)
}
func (c *Client) RunHostScriptAsync(hostID uint, scriptContents []byte, scriptName string, teamID uint) (*fleet.HostScriptResult, error) {
verb, path := "POST", "/api/latest/fleet/scripts/run"
return c.runHostScript(verb, path, hostID, scriptContents, scriptName, teamID, http.StatusAccepted)
}
func (c *Client) runHostScript(verb, path string, hostID uint, scriptContents []byte, scriptName string, teamID uint, successStatusCode int) (*fleet.HostScriptResult, error) {
req := fleet.HostScriptRequestPayload{
HostID: hostID,
ScriptName: scriptName,
TeamID: teamID,
}
if len(scriptContents) > 0 {
req.ScriptContents = string(scriptContents)
}
var result fleet.HostScriptResult
res, err := c.AuthenticatedDo(verb, path, "", &req)
if err != nil {
return nil, err
}
defer res.Body.Close()
switch res.StatusCode {
case successStatusCode:
b, err := io.ReadAll(res.Body)
if err != nil {
return nil, fmt.Errorf("reading %s %s response: %w", verb, path, err)
}
if err := json.Unmarshal(b, &result); err != nil {
return nil, fmt.Errorf("decoding %s %s response: %w, body: %s", verb, path, err, b)
}
case http.StatusForbidden:
errMsg, err := extractServerErrMsg(verb, path, res)
if err != nil {
return nil, err
}
if strings.Contains(errMsg, fleet.RunScriptScriptsDisabledGloballyErrMsg) {
return nil, errors.New(fleet.RunScriptScriptsDisabledGloballyErrMsg)
}
return nil, errors.New(fleet.RunScriptForbiddenErrMsg)
// It's possible we get a GatewayTimeout error message from nginx or another
// proxy server, so we want to return a more helpful error message in that
// case.
case http.StatusGatewayTimeout:
return nil, errors.New(fleet.RunScriptGatewayTimeoutErrMsg)
case http.StatusPaymentRequired:
if teamID > 0 {
return nil, errors.New("Team id parameter requires Fleet Premium license.")
}
fallthrough // if no team id, fall through to default error message
default:
msg, err := extractServerErrMsg(verb, path, res)
if err != nil {
return nil, err
}
if msg == "" {
msg = fmt.Sprintf("decoding %d response is missing expected message.", res.StatusCode)
}
return nil, errors.New(msg)
}
return &result, nil
}
func (c *Client) pollForResult(id string) (*fleet.HostScriptResult, error) {
verb, path := "GET", fmt.Sprintf("/api/latest/fleet/scripts/results/%s", id)
var result *fleet.HostScriptResult
for {
res, err := c.AuthenticatedDo(verb, path, "", nil)
if err != nil {
return nil, fmt.Errorf("polling for result: %w", err)
}
defer res.Body.Close()
if res.StatusCode != http.StatusOK && res.StatusCode != http.StatusNotFound {
msg, err := extractServerErrMsg(verb, path, res)
if err != nil {
return nil, fmt.Errorf("extracting error message: %w", err)
}
if msg == "" {
msg = fmt.Sprintf("decoding %d response is missing expected message.", res.StatusCode)
}
return nil, errors.New(msg)
}
if err := json.NewDecoder(res.Body).Decode(&result); err != nil {
return nil, fmt.Errorf("decoding response: %w", err)
}
if result.ExitCode != nil {
break
}
time.Sleep(pollWaitTime)
}
return result, nil
}
// ApplyNoTeamScripts sends the list of scripts to be applied for the hosts in
// no team.
func (c *Client) ApplyNoTeamScripts(scripts []fleet.ScriptPayload, opts fleet.ApplySpecOptions) ([]fleet.ScriptResponse, error) {
verb, path := "POST", "/api/latest/fleet/scripts/batch"
var resp batchSetScriptsResponse
err := c.authenticatedRequestWithQuery(map[string]interface{}{"scripts": scripts}, verb, path, &resp, opts.RawQuery())
return resp.Scripts, err
}
func (c *Client) validateMacOSSetupScript(fileName string) ([]byte, error) {
if err := c.CheckAppleMDMEnabled(); err != nil {
return nil, err
}
b, err := os.ReadFile(fileName)
if err != nil {
return nil, err
}
return b, nil
}
func (c *Client) deleteMacOSSetupScript(teamID *uint) error {
var query string
if teamID != nil {
query = fmt.Sprintf("fleet_id=%d", *teamID)
}
verb, path := "DELETE", "/api/latest/fleet/setup_experience/script"
var delResp deleteSetupExperienceScriptResponse
return c.authenticatedRequestWithQuery(nil, verb, path, &delResp, query)
}
func (c *Client) uploadMacOSSetupScript(filename string, data []byte, teamID *uint) error {
verb, path := "POST", "/api/latest/fleet/setup_experience/script"
var b bytes.Buffer
w := multipart.NewWriter(&b)
fw, err := w.CreateFormFile("script", filename)
if err != nil {
return err
}
if _, err := io.Copy(fw, bytes.NewBuffer(data)); err != nil {
return err
}
// add the fleet_id field
if teamID != nil {
if err := w.WriteField("fleet_id", fmt.Sprint(*teamID)); err != nil {
return err
}
}
w.Close()
response, err := c.doContextWithBodyAndHeaders(context.Background(), verb, path, "",
b.Bytes(),
map[string]string{
"Content-Type": w.FormDataContentType(),
"Accept": "application/json",
"Authorization": fmt.Sprintf("Bearer %s", c.token),
},
)
if err != nil {
return fmt.Errorf("do multipart request: %w", err)
}
defer response.Body.Close()
var resp setSetupExperienceScriptResponse
if err := c.parseResponse(verb, path, response, &resp); err != nil {
return fmt.Errorf("parse response: %w", err)
}
return nil
}
// ListScripts retrieves the saved scripts.
func (c *Client) ListScripts(query string) ([]*fleet.Script, error) {
verb, path := "GET", "/api/latest/fleet/scripts"
var responseBody listScriptsResponse
err := c.authenticatedRequestWithQuery(nil, verb, path, &responseBody, query)
if err != nil {
return nil, err
}
return responseBody.Scripts, nil
}
// Get the contents of a saved script.
func (c *Client) GetScriptContents(scriptID uint) ([]byte, error) {
verb, path := "GET", "/api/latest/fleet/scripts/"+fmt.Sprint(scriptID)
response, err := c.AuthenticatedDo(verb, path, "alt=media", nil)
if err != nil {
return nil, fmt.Errorf("%s %s: %w", verb, path, err)
}
defer response.Body.Close()
err = c.parseResponse(verb, path, response, nil)
if err != nil {
return nil, fmt.Errorf("parsing script response: %w", err)
}
if response.StatusCode != http.StatusNoContent {
b, err := io.ReadAll(response.Body)
if err != nil {
return nil, fmt.Errorf("reading response body: %w", err)
}
return b, nil
}
return nil, nil
}
// GetSetupExperienceScript retrieves the setup script for the given team, if any.
func (c *Client) GetSetupExperienceScript(teamID uint) (*fleet.Script, error) {
verb, path := "GET", "/api/latest/fleet/setup_experience/script"
var query string
if teamID != 0 {
query = fmt.Sprintf("fleet_id=%d", teamID)
}
var responseBody getSetupExperienceScriptResponse
err := c.authenticatedRequestWithQuery(nil, verb, path, &responseBody, query)
if err != nil {
if isNotFoundErr(err) {
// If the script is not found, we return nil instead of an error.
return nil, nil
}
return nil, err
}
return responseBody.Script, nil
}