fleet/server/service/global_policies.go

package service

import (
	"context"

	"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
	"github.com/fleetdm/fleet/v4/server/fleet"
)

/////////////////////////////////////////////////////////////////////////////////
// Add
/////////////////////////////////////////////////////////////////////////////////

type globalPolicyRequest struct {
	QueryID    uint   `json:"query_id"`
	Resolution string `json:"resolution"`
}

type globalPolicyResponse struct {
	Policy *fleet.Policy `json:"policy,omitempty"`
	Err    error         `json:"error,omitempty"`
}

func (r globalPolicyResponse) error() error { return r.Err }

func globalPolicyEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (interface{}, error) {
	req := request.(*globalPolicyRequest)
	resp, err := svc.NewGlobalPolicy(ctx, req.QueryID, req.Resolution)
	if err != nil {
		return globalPolicyResponse{Err: err}, nil
	}
	return globalPolicyResponse{Policy: resp}, nil
}

func (svc Service) NewGlobalPolicy(ctx context.Context, queryID uint, resolution string) (*fleet.Policy, error) {
	if err := svc.authz.Authorize(ctx, &fleet.Policy{}, fleet.ActionWrite); err != nil {
		return nil, err
	}

	return svc.ds.NewGlobalPolicy(ctx, queryID, resolution)
}

/////////////////////////////////////////////////////////////////////////////////
// List
/////////////////////////////////////////////////////////////////////////////////

type listGlobalPoliciesResponse struct {
	Policies []*fleet.Policy `json:"policies,omitempty"`
	Err      error           `json:"error,omitempty"`
}

func (r listGlobalPoliciesResponse) error() error { return r.Err }

func listGlobalPoliciesEndpoint(ctx context.Context, _ interface{}, svc fleet.Service) (interface{}, error) {
	resp, err := svc.ListGlobalPolicies(ctx)
	if err != nil {
		return listGlobalPoliciesResponse{Err: err}, nil
	}
	return listGlobalPoliciesResponse{Policies: resp}, nil
}

func (svc Service) ListGlobalPolicies(ctx context.Context) ([]*fleet.Policy, error) {
	if err := svc.authz.Authorize(ctx, &fleet.Policy{}, fleet.ActionRead); err != nil {
		return nil, err
	}

	return svc.ds.ListGlobalPolicies(ctx)
}

/////////////////////////////////////////////////////////////////////////////////
// Get by id
/////////////////////////////////////////////////////////////////////////////////

type getPolicyByIDRequest struct {
	PolicyID uint `url:"policy_id"`
}

type getPolicyByIDResponse struct {
	Policy *fleet.Policy `json:"policy"`
	Err    error         `json:"error,omitempty"`
}

func (r getPolicyByIDResponse) error() error { return r.Err }

func getPolicyByIDEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (interface{}, error) {
	req := request.(*getPolicyByIDRequest)
	policy, err := svc.GetPolicyByIDQueries(ctx, req.PolicyID)
	if err != nil {
		return getPolicyByIDResponse{Err: err}, nil
	}
	return getPolicyByIDResponse{Policy: policy}, nil
}

func (svc Service) GetPolicyByIDQueries(ctx context.Context, policyID uint) (*fleet.Policy, error) {
	if err := svc.authz.Authorize(ctx, &fleet.Policy{}, fleet.ActionRead); err != nil {
		return nil, err
	}

	policy, err := svc.ds.Policy(ctx, policyID)
	if err != nil {
		return nil, err
	}

	return policy, nil
}

/////////////////////////////////////////////////////////////////////////////////
// Delete
/////////////////////////////////////////////////////////////////////////////////

type deleteGlobalPoliciesRequest struct {
	IDs []uint `json:"ids"`
}

type deleteGlobalPoliciesResponse struct {
	Deleted []uint `json:"deleted,omitempty"`
	Err     error  `json:"error,omitempty"`
}

func (r deleteGlobalPoliciesResponse) error() error { return r.Err }

func deleteGlobalPoliciesEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (interface{}, error) {
	req := request.(*deleteGlobalPoliciesRequest)
	resp, err := svc.DeleteGlobalPolicies(ctx, req.IDs)
	if err != nil {
		return deleteGlobalPoliciesResponse{Err: err}, nil
	}
	return deleteGlobalPoliciesResponse{Deleted: resp}, nil
}

func (svc Service) DeleteGlobalPolicies(ctx context.Context, ids []uint) ([]uint, error) {
	if err := svc.authz.Authorize(ctx, &fleet.Policy{}, fleet.ActionWrite); err != nil {
		return nil, err
	}

	return svc.ds.DeleteGlobalPolicies(ctx, ids)
}

/////////////////////////////////////////////////////////////////////////////////
// Apply Spec
/////////////////////////////////////////////////////////////////////////////////

type applyPolicySpecsRequest struct {
	Specs []*fleet.PolicySpec `json:"specs"`
}

type applyPolicySpecsResponse struct {
	Err error `json:"error,omitempty"`
}

func (r applyPolicySpecsResponse) error() error { return r.Err }

func applyPolicySpecsEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (interface{}, error) {
	req := request.(*applyPolicySpecsRequest)
	err := svc.ApplyPolicySpecs(ctx, req.Specs)
	if err != nil {
		return applyPolicySpecsResponse{Err: err}, nil
	}
	return applyPolicySpecsResponse{}, nil
}

func (svc Service) ApplyPolicySpecs(ctx context.Context, policies []*fleet.PolicySpec) error {
	checkGlobalPolicyAuth := false
	for _, policy := range policies {
		if policy.Team != "" {
			team, err := svc.ds.TeamByName(ctx, policy.Team)
			if err != nil {
				return ctxerr.Wrap(ctx, err, "getting team by name")
			}
			if err := svc.authz.Authorize(ctx, &fleet.Policy{TeamID: &team.ID}, fleet.ActionWrite); err != nil {
				return err
			}
			continue
		}
		checkGlobalPolicyAuth = true
	}
	if checkGlobalPolicyAuth {
		if err := svc.authz.Authorize(ctx, &fleet.Policy{}, fleet.ActionWrite); err != nil {
			return err
		}
	}

	return svc.ds.ApplyPolicySpecs(ctx, policies)
}
Add global policies (#1750) * Add global policies * Update documentation and add extra parameter to config * Fix failing tests * Store historic policy records * Address review comments And also remove other inmem references I saw by chance * Add documentation for get by id request * Add parameter doc * Move schema generation to a cmd instead of a test Otherwise it messes up running all tests sometimes depending on how parallel it does * Remove brain dump for another task * Make migration tests a separate beast * Make schema generation idempotent and move dbutils cmd to tools * Allow all filters and add counts to Policy * Add test for Policy 2021-08-24 20:24:52 +00:00			`package service`

			`import (`
			`"context"`

Use new error handling approach in other packages (#2954) 2021-11-22 14:13:26 +00:00			`"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"`
Add global policies (#1750) * Add global policies * Update documentation and add extra parameter to config * Fix failing tests * Store historic policy records * Address review comments And also remove other inmem references I saw by chance * Add documentation for get by id request * Add parameter doc * Move schema generation to a cmd instead of a test Otherwise it messes up running all tests sometimes depending on how parallel it does * Remove brain dump for another task * Make migration tests a separate beast * Make schema generation idempotent and move dbutils cmd to tools * Allow all filters and add counts to Policy * Add test for Policy 2021-08-24 20:24:52 +00:00			`"github.com/fleetdm/fleet/v4/server/fleet"`
			`)`

			`/////////////////////////////////////////////////////////////////////////////////`
			`// Add`
			`/////////////////////////////////////////////////////////////////////////////////`

			`type globalPolicyRequest struct {`
Issue 2456 policies yaml (#2512) * wip * Add policy specs support * Add documentation * Make policy apply idempotent * Fold in code * Improve tests and simplify auth checks * Lint and fix test 2021-10-15 10:34:11 +00:00			QueryID uint `json:"query_id"`
			Resolution string `json:"resolution"`
Add global policies (#1750) * Add global policies * Update documentation and add extra parameter to config * Fix failing tests * Store historic policy records * Address review comments And also remove other inmem references I saw by chance * Add documentation for get by id request * Add parameter doc * Move schema generation to a cmd instead of a test Otherwise it messes up running all tests sometimes depending on how parallel it does * Remove brain dump for another task * Make migration tests a separate beast * Make schema generation idempotent and move dbutils cmd to tools * Allow all filters and add counts to Policy * Add test for Policy 2021-08-24 20:24:52 +00:00			`}`

			`type globalPolicyResponse struct {`
			Policy *fleet.Policy `json:"policy,omitempty"`
			Err error `json:"error,omitempty"`
			`}`

			`func (r globalPolicyResponse) error() error { return r.Err }`

			`func globalPolicyEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (interface{}, error) {`
			`req := request.(*globalPolicyRequest)`
Issue 2456 policies yaml (#2512) * wip * Add policy specs support * Add documentation * Make policy apply idempotent * Fold in code * Improve tests and simplify auth checks * Lint and fix test 2021-10-15 10:34:11 +00:00			`resp, err := svc.NewGlobalPolicy(ctx, req.QueryID, req.Resolution)`
Add global policies (#1750) * Add global policies * Update documentation and add extra parameter to config * Fix failing tests * Store historic policy records * Address review comments And also remove other inmem references I saw by chance * Add documentation for get by id request * Add parameter doc * Move schema generation to a cmd instead of a test Otherwise it messes up running all tests sometimes depending on how parallel it does * Remove brain dump for another task * Make migration tests a separate beast * Make schema generation idempotent and move dbutils cmd to tools * Allow all filters and add counts to Policy * Add test for Policy 2021-08-24 20:24:52 +00:00			`if err != nil {`
			`return globalPolicyResponse{Err: err}, nil`
			`}`
			`return globalPolicyResponse{Policy: resp}, nil`
			`}`

Issue 2456 policies yaml (#2512) * wip * Add policy specs support * Add documentation * Make policy apply idempotent * Fold in code * Improve tests and simplify auth checks * Lint and fix test 2021-10-15 10:34:11 +00:00			`func (svc Service) NewGlobalPolicy(ctx context.Context, queryID uint, resolution string) (*fleet.Policy, error) {`
Add global policies (#1750) * Add global policies * Update documentation and add extra parameter to config * Fix failing tests * Store historic policy records * Address review comments And also remove other inmem references I saw by chance * Add documentation for get by id request * Add parameter doc * Move schema generation to a cmd instead of a test Otherwise it messes up running all tests sometimes depending on how parallel it does * Remove brain dump for another task * Make migration tests a separate beast * Make schema generation idempotent and move dbutils cmd to tools * Allow all filters and add counts to Policy * Add test for Policy 2021-08-24 20:24:52 +00:00			`if err := svc.authz.Authorize(ctx, &fleet.Policy{}, fleet.ActionWrite); err != nil {`
			`return nil, err`
			`}`

Forward policy resolution (#2733) * Pass through the resoution for the policy * Update tests 2021-10-28 13:10:03 +00:00			`return svc.ds.NewGlobalPolicy(ctx, queryID, resolution)`
Add global policies (#1750) * Add global policies * Update documentation and add extra parameter to config * Fix failing tests * Store historic policy records * Address review comments And also remove other inmem references I saw by chance * Add documentation for get by id request * Add parameter doc * Move schema generation to a cmd instead of a test Otherwise it messes up running all tests sometimes depending on how parallel it does * Remove brain dump for another task * Make migration tests a separate beast * Make schema generation idempotent and move dbutils cmd to tools * Allow all filters and add counts to Policy * Add test for Policy 2021-08-24 20:24:52 +00:00			`}`

			`/////////////////////////////////////////////////////////////////////////////////`
			`// List`
			`/////////////////////////////////////////////////////////////////////////////////`

			`type listGlobalPoliciesResponse struct {`
			Policies []*fleet.Policy `json:"policies,omitempty"`
			Err error `json:"error,omitempty"`
			`}`

			`func (r listGlobalPoliciesResponse) error() error { return r.Err }`

			`func listGlobalPoliciesEndpoint(ctx context.Context, _ interface{}, svc fleet.Service) (interface{}, error) {`
			`resp, err := svc.ListGlobalPolicies(ctx)`
			`if err != nil {`
			`return listGlobalPoliciesResponse{Err: err}, nil`
			`}`
			`return listGlobalPoliciesResponse{Policies: resp}, nil`
			`}`

			`func (svc Service) ListGlobalPolicies(ctx context.Context) ([]*fleet.Policy, error) {`
			`if err := svc.authz.Authorize(ctx, &fleet.Policy{}, fleet.ActionRead); err != nil {`
			`return nil, err`
			`}`

Add support for context in datastore/mysql layer (#1962) This is just to pass down the context to the datastore layer, it doesn't use it just yet - this will be in a follow-up PR. 2021-09-14 12:11:07 +00:00			`return svc.ds.ListGlobalPolicies(ctx)`
Add global policies (#1750) * Add global policies * Update documentation and add extra parameter to config * Fix failing tests * Store historic policy records * Address review comments And also remove other inmem references I saw by chance * Add documentation for get by id request * Add parameter doc * Move schema generation to a cmd instead of a test Otherwise it messes up running all tests sometimes depending on how parallel it does * Remove brain dump for another task * Make migration tests a separate beast * Make schema generation idempotent and move dbutils cmd to tools * Allow all filters and add counts to Policy * Add test for Policy 2021-08-24 20:24:52 +00:00			`}`

			`/////////////////////////////////////////////////////////////////////////////////`
			`// Get by id`
			`/////////////////////////////////////////////////////////////////////////////////`

			`type getPolicyByIDRequest struct {`
			PolicyID uint `url:"policy_id"`
			`}`

			`type getPolicyByIDResponse struct {`
			Policy *fleet.Policy `json:"policy"`
			Err error `json:"error,omitempty"`
			`}`

			`func (r getPolicyByIDResponse) error() error { return r.Err }`

			`func getPolicyByIDEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (interface{}, error) {`
			`req := request.(*getPolicyByIDRequest)`
			`policy, err := svc.GetPolicyByIDQueries(ctx, req.PolicyID)`
			`if err != nil {`
			`return getPolicyByIDResponse{Err: err}, nil`
			`}`
			`return getPolicyByIDResponse{Policy: policy}, nil`
			`}`

			`func (svc Service) GetPolicyByIDQueries(ctx context.Context, policyID uint) (*fleet.Policy, error) {`
			`if err := svc.authz.Authorize(ctx, &fleet.Policy{}, fleet.ActionRead); err != nil {`
			`return nil, err`
			`}`

Add support for context in datastore/mysql layer (#1962) This is just to pass down the context to the datastore layer, it doesn't use it just yet - this will be in a follow-up PR. 2021-09-14 12:11:07 +00:00			`policy, err := svc.ds.Policy(ctx, policyID)`
Add global policies (#1750) * Add global policies * Update documentation and add extra parameter to config * Fix failing tests * Store historic policy records * Address review comments And also remove other inmem references I saw by chance * Add documentation for get by id request * Add parameter doc * Move schema generation to a cmd instead of a test Otherwise it messes up running all tests sometimes depending on how parallel it does * Remove brain dump for another task * Make migration tests a separate beast * Make schema generation idempotent and move dbutils cmd to tools * Allow all filters and add counts to Policy * Add test for Policy 2021-08-24 20:24:52 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`return policy, nil`
			`}`

			`/////////////////////////////////////////////////////////////////////////////////`
			`// Delete`
			`/////////////////////////////////////////////////////////////////////////////////`

			`type deleteGlobalPoliciesRequest struct {`
			IDs []uint `json:"ids"`
			`}`

			`type deleteGlobalPoliciesResponse struct {`
			Deleted []uint `json:"deleted,omitempty"`
			Err error `json:"error,omitempty"`
			`}`

			`func (r deleteGlobalPoliciesResponse) error() error { return r.Err }`

			`func deleteGlobalPoliciesEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (interface{}, error) {`
			`req := request.(*deleteGlobalPoliciesRequest)`
			`resp, err := svc.DeleteGlobalPolicies(ctx, req.IDs)`
			`if err != nil {`
			`return deleteGlobalPoliciesResponse{Err: err}, nil`
			`}`
			`return deleteGlobalPoliciesResponse{Deleted: resp}, nil`
			`}`

			`func (svc Service) DeleteGlobalPolicies(ctx context.Context, ids []uint) ([]uint, error) {`
			`if err := svc.authz.Authorize(ctx, &fleet.Policy{}, fleet.ActionWrite); err != nil {`
			`return nil, err`
			`}`

Add support for context in datastore/mysql layer (#1962) This is just to pass down the context to the datastore layer, it doesn't use it just yet - this will be in a follow-up PR. 2021-09-14 12:11:07 +00:00			`return svc.ds.DeleteGlobalPolicies(ctx, ids)`
Add global policies (#1750) * Add global policies * Update documentation and add extra parameter to config * Fix failing tests * Store historic policy records * Address review comments And also remove other inmem references I saw by chance * Add documentation for get by id request * Add parameter doc * Move schema generation to a cmd instead of a test Otherwise it messes up running all tests sometimes depending on how parallel it does * Remove brain dump for another task * Make migration tests a separate beast * Make schema generation idempotent and move dbutils cmd to tools * Allow all filters and add counts to Policy * Add test for Policy 2021-08-24 20:24:52 +00:00			`}`
Issue 2456 policies yaml (#2512) * wip * Add policy specs support * Add documentation * Make policy apply idempotent * Fold in code * Improve tests and simplify auth checks * Lint and fix test 2021-10-15 10:34:11 +00:00
			`/////////////////////////////////////////////////////////////////////////////////`
			`// Apply Spec`
			`/////////////////////////////////////////////////////////////////////////////////`

			`type applyPolicySpecsRequest struct {`
			Specs []*fleet.PolicySpec `json:"specs"`
			`}`

			`type applyPolicySpecsResponse struct {`
			Err error `json:"error,omitempty"`
			`}`

			`func (r applyPolicySpecsResponse) error() error { return r.Err }`

			`func applyPolicySpecsEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (interface{}, error) {`
			`req := request.(*applyPolicySpecsRequest)`
			`err := svc.ApplyPolicySpecs(ctx, req.Specs)`
			`if err != nil {`
			`return applyPolicySpecsResponse{Err: err}, nil`
			`}`
			`return applyPolicySpecsResponse{}, nil`
			`}`

			`func (svc Service) ApplyPolicySpecs(ctx context.Context, policies []*fleet.PolicySpec) error {`
			`checkGlobalPolicyAuth := false`
			`for _, policy := range policies {`
			`if policy.Team != "" {`
			`team, err := svc.ds.TeamByName(ctx, policy.Team)`
			`if err != nil {`
Use new error handling approach in other packages (#2954) 2021-11-22 14:13:26 +00:00			`return ctxerr.Wrap(ctx, err, "getting team by name")`
Issue 2456 policies yaml (#2512) * wip * Add policy specs support * Add documentation * Make policy apply idempotent * Fold in code * Improve tests and simplify auth checks * Lint and fix test 2021-10-15 10:34:11 +00:00			`}`
			`if err := svc.authz.Authorize(ctx, &fleet.Policy{TeamID: &team.ID}, fleet.ActionWrite); err != nil {`
			`return err`
			`}`
			`continue`
			`}`
			`checkGlobalPolicyAuth = true`
			`}`
			`if checkGlobalPolicyAuth {`
			`if err := svc.authz.Authorize(ctx, &fleet.Policy{}, fleet.ActionWrite); err != nil {`
			`return err`
			`}`
			`}`

			`return svc.ds.ApplyPolicySpecs(ctx, policies)`
			`}`