Remove policies yaml for now and apply policies in preview (#2644)

cmd/fleetctl/apply.go

@@ -27,7 +27,6 @@ type specGroup struct {
 	Teams   []*fleet.TeamSpec
 	Packs   []*fleet.PackSpec
 	Labels  []*fleet.LabelSpec
-	Policies []*fleet.PolicySpec
 	// This needs to be interface{} to allow for the patch logic. Otherwise we send a request that looks to the
 	// server like the user explicitly set the zero values.
 	AppConfig    interface{}
@@ -44,7 +43,6 @@ func specGroupFromBytes(b []byte) (*specGroup, error) {
 		Queries: []*fleet.QuerySpec{},
 		Packs:   []*fleet.PackSpec{},
 		Labels:  []*fleet.LabelSpec{},
-		Policies: []*fleet.PolicySpec{},
 	}
 
 	for _, spec := range splitYaml(string(b)) {
@@ -117,13 +115,6 @@ func specGroupFromBytes(b []byte) (*specGroup, error) {
 			}
 			specs.Teams = append(specs.Teams, teamSpec.Team)
 
-		case fleet.PolicyKind:
-			var policySpec *fleet.PolicySpec
-			if err := yaml.Unmarshal(s.Spec, &policySpec); err != nil {
-				return nil, errors.Wrap(err, "unmarshaling "+kind+" spec")
-			}
-			specs.Policies = append(specs.Policies, policySpec)
-
 		default:
 			return nil, errors.Errorf("unknown kind %q", s.Kind)
 		}
@@ -222,13 +213,6 @@ func applyCommand() *cli.Command {
 				log(c, "[+] applied user roles\n")
 			}
 
-			if len(specs.Policies) > 0 {
-				if err := fleetClient.ApplyPolicies(specs.Policies); err != nil {
-					return errors.Wrap(err, "applying policies")
-				}
-				logf(c, "[+] applied %d policies\n", len(specs.Policies))
-			}
-
 			return nil
 		},
 	}

cmd/fleetctl/apply_test.go

@@ -234,44 +234,3 @@ spec:
 	assert.True(t, savedAppConfig.HostSettings.EnableHostUsers)
 	assert.True(t, savedAppConfig.HostSettings.EnableSoftwareInventory)
 }
-
-func TestApplyPolicySpecs(t *testing.T) {
-	_, ds := runServerWithMockedDS(t)
-
-	var gotPolicies []*fleet.PolicySpec
-
-	ds.TeamByNameFunc = func(ctx context.Context, name string) (*fleet.Team, error) {
-		assert.Equal(t, "team1", name)
-		return &fleet.Team{ID: 123, Name: "team1"}, nil
-	}
-	ds.ApplyPolicySpecsFunc = func(ctx context.Context, specs []*fleet.PolicySpec) error {
-		gotPolicies = specs
-		return nil
-	}
-
-	name := writeTmpYml(t, `---
-apiVersion: v1
-kind: policy
-spec:
-  query: some query
----
-apiVersion: v1
-kind: policy
-spec:
-  query: some other query
-  team: team1
-  resolution: something something
-`)
-
-	assert.Equal(t, "[+] applied 2 policies\n", runAppForTest(t, []string{"apply", "-f", name}))
-	assert.Equal(t, []*fleet.PolicySpec{
-		{
-			QueryName: "some query",
-		},
-		{
-			QueryName:  "some other query",
-			Team:       "team1",
-			Resolution: "something something",
-		},
-	}, gotPolicies)
-}

cmd/fleetctl/preview.go

@@ -221,6 +221,11 @@ Use the stop and reset subcommands to manage the server and dependencies once st
 				return errors.Wrap(err, "failed to apply updated app config")
 			}
 
+			fmt.Println("Applying Policies...")
+			if err := loadPolicies(client); err != nil {
+				fmt.Println("WARNING: Couldn't load policies:", err)
+			}
+
 			secrets, err := client.GetEnrollSecretSpec()
 			if err != nil {
 				return errors.Wrap(err, "Error retrieving enroll secret")
@@ -588,3 +593,41 @@ func stopOrbit(destDir string) error {
 	}
 	return nil
 }
+
+func loadPolicies(client *service.Client) error {
+	policies := []struct {
+		name, query, description, resolution string
+	}{
+		{
+			"Is Gatekeeper enabled on macOS devices?",
+			"SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
+			"Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure only trusted software is run on a mac machine.",
+			"Run the following command in the Terminal app: /usr/sbin/spctl --master-enable",
+		},
+		{
+			"Is disk encryption enabled on Windows devices?",
+			"SELECT 1 FROM bitlocker_info where protection_status = 1;",
+			"Checks to make sure that device encryption is enabled on Windows devices.",
+			"Option 1: Select the Start button. Select Settings > Update & Security > Device encryption. If Device encryption doesn't appear, skip to Option 2. If device encryption is turned off, select Turn on. Option 2: Select the Start button. Under Windows System, select Control Panel. Select System and Security. Under BitLocker Drive Encryption, select Manage BitLocker. Select Turn on BitLocker and then follow the instructions.",
+		},
+		{
+			"Is Filevault enabled on macOS devices?",
+			`SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT "" AND filevault_status = 'on' LIMIT 1;`,
+			"Checks to make sure that the Filevault feature is enabled on macOS devices.",
+			"Choose Apple menu > System Preferences, then click Security & Privacy. Click the FileVault tab. Click the Lock icon, then enter an administrator name and password. Click Turn On FileVault.",
+		},
+	}
+
+	for _, policy := range policies {
+		q, err := client.CreateQuery(policy.name, policy.query, policy.description)
+		if err != nil {
+			return errors.Wrap(err, "creating query")
+		}
+		err = client.CreatePolicy(q.ID, policy.resolution)
+		if err != nil {
+			return errors.Wrap(err, "creating policy")
+		}
+	}
+
+	return nil
+}

server/service/client_policies.go

@@ -0,0 +1,11 @@
+package service
+
+func (c *Client) CreatePolicy(queryID uint, resolution string) error {
+	req := globalPolicyRequest{
+		QueryID:    queryID,
+		Resolution: resolution,
+	}
+	verb, path := "POST", "/api/v1/fleet/global/policies"
+	var responseBody globalPolicyResponse
+	return c.authenticatedRequest(req, verb, path, &responseBody)
+}

server/service/client_queries.go

@@ -136,3 +136,20 @@ func (c *Client) DeleteQuery(name string) error {
 
 	return nil
 }
+
+func (c *Client) CreateQuery(name, query, description string) (*fleet.Query, error) {
+	req := createQueryRequest{
+		payload: fleet.QueryPayload{
+			Name:        &name,
+			Description: &description,
+			Query:       &query,
+		},
+	}
+	verb, path := "POST", "/api/v1/fleet/queries"
+	var responseBody createQueryResponse
+	err := c.authenticatedRequest(req.payload, verb, path, &responseBody)
+	if err != nil {
+		return nil, err
+	}
+	return responseBody.Query, nil
+}