Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 21:47:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 117
fleet/pkg/patch_policy/patch_policy.go
Ian Littman 65030e905f
Fix mis-assigned FMA bundle identifiers, switch to fuzzy matching on queries where Windows apps include version number in the name (incl. special fixes for Firefox ESR) (#42628) 
Resolves #42714.

Zed + Opus 4.6; initial prompts (see additional ones in follow-on
commits):

---

Audit our existing Fleet Maintained App catalog. Look for:

1. Software that has the wrong identifiers associated (e.g. Abstract),
e.g. in `exists` queries
2. Software that has the version number in the name that leaks into the
`exists` query, e.g. 7-zip or 010 Editor or Airtame. These should be
fuzzy-matched.

For each affected app, revise input manifests to fix the issues. For
(1), revise apps.json if needed as well. Don't modify apps.json for (2)
cases.

---

Are there any discrepancies between bundle identifiers in input
manifests for Darwin apps and apps.json? If so, fix them.

---

Outputs will get overwritten by the ingester if neither the ingester nor
the input JSON files are changed. Make whatever changes need to be made
so that these edits survive an FMA ingestion cycle.

---

Revise `fuzzy` to allow specifying a custom value e.g. `Mozilal Firefox
% (ESR)` in addition to the existing true/false, then use that new
functionality to build unique queries for Firefox ESR.

---

Commit these changes, across multiple commits (there will be cases where
a changes to a single file will be spread across multiple commits, most
notably apps.json). Split commits out as follows:

1. All darwin-related changes
2. Windows switches to fuzzy matching + associated unique_identifier
changes
3. Revised handling for Firefox ESR

Prefix commit messages with "🤖 ".

---

The ingester and test changes should've gone in commit 3. Move them
there from commit 2.

---



<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Updated application identifiers for Abstract, Amazon Chime, Beyond
Compare, and Teleport Suite to use correct bundle and package
identifiers.
* Enhanced Windows and macOS installation detection queries to match
multiple application versions using pattern matching instead of exact
version strings.

* **New Features**
* Added support for configurable fuzzy matching patterns to improve
application name matching flexibility.

* **Tests**
* Added tests validating fuzzy matching configuration unmarshaling and
behavior.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-10 14:13:59 -05:00

94 lines
3 KiB
Go
Raw Blame History

package patch_policy
import (
"errors"
"fmt"
"strings"
"github.com/fleetdm/fleet/v4/server/fleet"
)
type PolicyData struct {
Name string
Platform string
Description string
Resolution string
Query string
ExistsQuery string
Version string
}
const (
templateStart = "SELECT 1 WHERE NOT EXISTS ("
templateEndDarwin = " AND version_compare(bundle_short_version, '%s') < 0);"
templateEndWindows = " AND version_compare(version, '%s') < 0);"
)
var (
ErrWrongPlatform = errors.New("platform should be darwin or windows")
ErrNoExistsQuery = errors.New("exists query was not provided")
)
// GenerateQueryForManifest wraps the "exists" query to create a patch policy query
func GenerateQueryForManifest(p PolicyData) (string, error) {
if p.ExistsQuery == "" {
return "", ErrNoExistsQuery
}
before, _ := strings.CutSuffix(p.ExistsQuery, ";")
// Escape any literal '%' in the exists query (e.g. SQL LIKE patterns)
// so fmt.Sprintf doesn't interpret them as format verbs.
before = strings.ReplaceAll(before, "%", "%%")
switch p.Platform {
case "darwin":
return fmt.Sprintf(templateStart+before+templateEndDarwin, p.Version), nil
case "windows":
return fmt.Sprintf(templateStart+before+templateEndWindows, p.Version), nil
}
return "", ErrWrongPlatform
}
// GenerateFromInstaller creates a patch policy with all fields from an installer
func GenerateFromInstaller(p PolicyData, installer *fleet.SoftwareInstaller) (*PolicyData, error) {
// use the patch policy query from the app manifest if available
query := installer.PatchQuery
if p.Description == "" {
p.Description = "Outdated software might introduce security vulnerabilities or compatibility issues."
}
if p.Resolution == "" {
p.Resolution = "Install the latest version from self-service."
}
switch installer.Platform {
case "darwin":
if p.Name == "" {
p.Name = fmt.Sprintf("macOS - %s up to date", installer.SoftwareTitle)
}
if installer.PatchQuery == "" {
query = defaultMacOSQuery(installer.BundleIdentifier, installer.Version)
}
case "windows":
if p.Name == "" {
p.Name = fmt.Sprintf("Windows - %s up to date", installer.SoftwareTitle)
}
if installer.PatchQuery == "" {
query = defaultWindowsQuery(installer.SoftwareTitle, installer.Version)
}
default:
return nil, ErrWrongPlatform
}
return &PolicyData{Query: query, Platform: installer.Platform, Name: p.Name, Description: p.Description, Resolution: p.Resolution}, nil
}
func defaultMacOSQuery(bundleIdentifier string, version string) string {
patchTemplate := "SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM apps WHERE bundle_identifier = '%s' AND version_compare(bundle_short_version, '%s') < 0);"
return fmt.Sprintf(patchTemplate, bundleIdentifier, version)
}
func defaultWindowsQuery(softwareTitle string, version string) string {
patchTemplate := "SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM programs WHERE name = '%s' AND version_compare(version, '%s') < 0);"
return fmt.Sprintf(patchTemplate, softwareTitle, version)
}
Reference in a new issue View git blame Copy permalink