Commit Graph

48 Commits

Author SHA1 Message Date
Roberto Dip
5c7019cfc4
allow clients to report errors back to the server (#13478)
for #13189, #13238 and #13239
2023-08-24 13:04:27 -03:00
Martin Angers
96aec85a0a
Add mechanism to force read from primary DB, use it for puppet matching (#12396) 2023-06-19 13:55:15 -04:00
Zachary Winnerman
2ec19979c2
APM Improvements (#11103)
# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-04-24 01:13:15 -04:00
Lucas Manuel Rodriguez
3757aace08
Add UUID to Fleet errors and clean up error msgs (#10411)
#8129 

Apart from fixing the issue in #8129, this change also introduces UUIDs
to Fleet errors. To be able to match a returned error from the API to a
error in the Fleet logs. See
https://fleetdm.slack.com/archives/C019WG4GH0A/p1677780622769939 for
more context.

Samples with the changes in this PR:
```
curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d ''
{
  "message": "Bad request",
  "errors": [
    {
      "name": "base",
      "reason": "Expected JSON Body"
    }
  ],
  "uuid": "a01f6e10-354c-4ff0-b96e-1f64adb500b0"
}
```
```
curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d 'asd'
{
  "message": "Bad request",
  "errors": [
    {
      "name": "base",
      "reason": "json decoder error"
    }
  ],
  "uuid": "5f716a64-7550-464b-a1dd-e6a505a9f89d"
}
```
```
curl -k -X GET -H "Authorization: Bearer badtoken" "https://localhost:8080/api/latest/fleet/teams"
{
  "message": "Authentication required",
  "errors": [
    {
      "name": "base",
      "reason": "Authentication required"
    }
  ],
  "uuid": "efe45bc0-f956-4bf9-ba4f-aa9020a9aaaf"
}
```
```
curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}'
{
  "message": "Authorization header required",
  "errors": [
    {
      "name": "base",
      "reason": "Authorization header required"
    }
  ],
  "uuid": "57f78cd0-4559-464f-9df7-36c9ef7c89b3"
}
```
```
curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}'
{
  "message": "Permission Denied",
  "uuid": "7f0220ad-6de7-4faf-8b6c-8d7ff9d2ca06"
}
```

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-13 13:44:06 -03:00
Martin Angers
472c8bafb3
Refactor license so it is stored in the context (#8544) 2022-11-15 09:08:05 -05:00
Martin Angers
fae8e4ca2c
Translate the AppConfig and Team validation messages to be more user-friendly (#8171) 2022-10-12 17:10:50 -04:00
gillespi314
749ff9ec2b
Add logging to capture user email upon successful login (#7927)
* Log user email upon successful login

* Add user email to logger context

* Use logging.With Extras for login email
2022-09-27 16:32:46 -03:00
Roberto Dip
2fcb27ed3f
add headers denoting capabilities between fleet server / desktop / orbit (#7833)
This adds a new mechanism to allow us to handle compatibility issues between Orbit, Fleet Server and Fleet Desktop.

The general idea is to _always_ send a custom header of the form:

```
fleet-capabilities-header = "X-Fleet-Capabilities:" capabilities
capabilities              = capability * (,)
capability                = string
```

Both from the server to the clients (Orbit, Fleet Desktop) and vice-versa. For an example, see: 8c0bbdd291

Also, the following applies:

- Backwards compat: if the header is not present, assume that orbit/fleet doesn't have the capability
- The current capabilities endpoint will be removed

### Motivation

This solution is trying to solve the following problems:

- We have three independent processes communicating with each other (Fleet Desktop, Orbit and Fleet Server). Each process can be updated independently, and therefore we need a way for each process to know what features are supported by its peers.
- We originally implemented a dedicated API endpoint in the server that returned a list of the capabilities (or "features") enabled, we found this, and any other server-only solution (like API versioning) to be insufficient because:
  - There are cases in which the server also needs to know which features are supported by its clients
  - Clients needed to poll for changes to detect if the capabilities supported by the server change, by sending the capabilities on each request we have a much cleaner way to handling different responses.
- We are also introducing an unauthenticated endpoint to get the server features, this gives us flexibility if we need to implement different authentication mechanisms, and was one of the pitfalls of the first implementation.

Related to https://github.com/fleetdm/fleet/issues/7929
2022-09-26 07:53:53 -03:00
Sharvil Shah
7d4e2e2b4b
Orbit remote management for flags (#7246)
Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
2022-09-24 00:30:23 +05:30
Frank Sievertsen
dd8cf37a85
#7624 accept empty bearer authorization token. (#7685)
* Fix #7624 accept empty bearer authorization token.

* add changes file
2022-09-12 16:09:41 +02:00
Roberto Dip
8acf14ab43
adjust installers endpoint to avoid AJAX downloads (#7226)
Related to #7206, this delegates the handling of the download to the browser
2022-08-16 12:54:41 -03:00
Roberto Dip
b2d07e56b5
report error analytics (#6341)
Related to #5898, this reports an anonymized summary of errors stored in Redis into the analytics payload.

For each error stored, this includes:

- A `count` attribute with the number of occurrences of the error
- A `loc` attribute with the 3 topmost lines in the stack trace. Note that stack traces only contain package name + line number (example: github.com/fleetdm/fleet/server.go:12

This also includes a minor refactor around error types.
2022-06-28 16:31:14 -03:00
Lucas Manuel Rodriguez
9080563b7d
Fix some go lint warnings (#5888)
* Fix go lint warnings

* Add test for SMTPConfigured update
2022-05-31 07:19:57 -03:00
Roberto Dip
36284fecf0
wrap errors even if an error message is not provided (#5828) 2022-05-23 09:32:17 -03:00
Roberto Dip
3954648c28
automatically add host and viewer information to errors (#5807) 2022-05-20 11:09:50 -03:00
Roberto Dip
894fa22c71
implement a thin wrapper around stdlib errors (#5733)
This solves #5679 , and also implements #5515, #5509 and lays the ground for #5516

With the introduction of Wrap, Is and As in the standard library, we've now got built-in support for wrapping.

On top of that, a common pattern in the community is to define errors tailored to the context of each project while still conforming to the error and Unwrap interfaces (see Upspin, Chromium)

The output now includes stack traces and additional info
2022-05-18 11:47:55 -03:00
Benjamin Edwards
74bb559645
Add public ip to hosts & derive geolocation when rendering host (#4652)
* geoip wip
* return nil if ip is empty string or if ParseIP returns nil
* add ui component to render geolocation if available, address PR feedback
* render public ip if available
* add changes file, document geoip in deployment guide
* update rest-api docs
2022-03-21 12:29:52 -04:00
Martin Angers
b2845cd65f
Refactor authz skip for device auth, add org_logo_url for frontend (#4619) 2022-03-16 10:15:25 -04:00
Lucas Manuel Rodriguez
371c533bfc
Improved Datastore usage of osquery hosts requests (#3601)
* WIP

* Amend tests

* Do not load aggregated stats for packs

* Add option to host lite

* Fix remaining TODOs

* Fix osquery_utils tests

* Fix SQL

* Fix SQL (bis)

* Restore AuthenticateHost to load once

* Code improvements and re-add deferred host save

* More fixes to the PR

* Wrap users table update on tx

* Add caching to ListPacksForHost and ListScheduledQueriesInPack

* Remove SaveHostSoftware (replaced by UpdateHostSoftware)

* Add unit tests for new functionality

* Add changes file

* Fix scheduled queries test
2022-01-17 22:52:09 -03:00
Lucas Manuel Rodriguez
a47c605bdd
Log request errors in non-debug mode (take 2) (#3215)
* Log request errors in non-debug mode

* Amend test for debug

* Add check for error log
2021-12-07 12:52:43 -03:00
Martin Angers
69a4985cac
Use new error handling approach in other packages (#2954) 2021-11-22 09:13:26 -05:00
Martin Angers
3ae57a0242
Create errors with ctxerr, add the call to store them in redis (#2786) 2021-11-15 09:11:38 -05:00
Tomas Touceda
b95bb52c89
Issue 2868 ignore admin reset password sso (#2877)
* Ignore admin forced password reset if sso is enabled

* Add tests for authenticatedUser

* If SSOEnabled is true, then set AdminForcedPasswordReset to false

* Update tests to cover new password reset and sso flow

* Add changes file
2021-11-10 19:30:15 -03:00
Tomas Touceda
2902da76ca
Issue 2027 better error visibility (#2069) 2021-11-02 13:35:57 -04:00
Tomas Touceda
79f2c7c391
Issue 1798 rest api for live queries (#2675)
* wip

* wip

* Make tests not flaky

* Add changes file

* Make logging and authz thread safe

* Move cancel defer below err check
2021-10-26 11:33:31 -03:00
Tomas Touceda
e08fcb949b
Fix logging of errors in kitlog (#2427)
* Fix logging of errors in kitlog

* Update error messages
2021-10-07 18:15:40 -03:00
Tomas Touceda
52ae04ecf5
Only log distributed queries ingestion errors (except for one case) (#1535)
* Don't return errors in distributed query ingestion, just log them

* Allow for multiple errors in the logging context

* Update check when loading host

* Log multiple errors and add tests for other changes

* Add missing host func

* Add another missing host func

* Add changes file
2021-08-04 10:11:51 -03:00
Tomas Touceda
5859db36bb
Move logger up to the HTTP layer and make it generic (#1439)
* Add basic idea

* Implement the new logging strategy everywhere

* Remove unused const

* Add tests and fix error cases

* Fix logging in osquery service

* If there are extras, log info unless force debug

* Change to info

* Fix test

* Make logging context more chainable and force info for sessions
2021-08-02 19:06:27 -03:00
Zach Wasserman
c5280c0517
Add v4 suffix in go.mod (#1224) 2021-06-25 21:46:51 -07:00
RachelElysia
aeb852e168
Remove username from UI (#1168)
* Remove username from UI code
* Remove username from tests
* Remove username from database
* Modify server endpoints for removing username
* Implement backend aspects of removing username
* Update API docs
* Add name to fleetctl
2021-06-24 13:42:29 -07:00
Zach Wasserman
d78c5fd124
Clean up service and return license errors (#1097)
- Expose license errors instead of permission errors by adding explicit skip authorization.
- Remove pre-Teams authorization checks from service.

Fixes #964
2021-06-16 10:55:41 -07:00
Zach Wasserman
db459d3363
Continue to update names in backend code and docs (#976) 2021-06-06 16:58:23 -07:00
Zach Wasserman
fb32f0cf40
Remove kolide types and packages from backend (#974)
Generally renamed `kolide` -> `fleet`
2021-06-06 15:07:29 -07:00
Zach Wasserman
18faa5a06b
Add authorization checks in service (#938)
- Add policy.rego file defining authorization policies.
- Add Go integrations to evaluate Rego policies (via OPA).
- Add middleware to ensure requests without authorization check are rejected (guard against programmer error).
- Add authorization checks to most service endpoints.
2021-06-03 16:24:15 -07:00
Zach Wasserman
2f51493d20
Delete instead of disabling users (#622)
- Migration to delete existing disabled users.
- Remove enabled attribute.
- Add endpoint for user deletion.
2021-04-08 16:53:33 -07:00
Zach Wasserman
b12a6cb4c1
Migrate old admin field to new global role (#609)
- Migrate old admins to global admins
- Migrate old non-admins to global maintainers
- Remove old admin column
- Give initial user global admin privilege
- Comment out some tests (to be refactored for new permissions model later)
2021-04-06 18:27:10 -07:00
Mike Arpaia
af96e52a00
Update the Go import paths to new repo name (#27) 2020-11-11 09:59:12 -08:00
Zachary Wasserman
7e26b915c5 Refactoring and fixes in user authorization
- Simplify/fix logic for authorization
- Rename/refactor for clarity
- Add tests for auth related code
2018-09-18 14:56:25 -04:00
ferhat elmas
9e0912e2f3 General simplification in go part (#1658)
* don't check if error is nil, return it
 * don't compare bool to bool, use it
 * don't supply capacity to make for slice when len
   is equal to cap
2017-12-04 09:43:43 -05:00
Mike Arpaia
018b91ab2c Rename project to Kolide Fleet (#1529) 2017-06-22 15:50:45 -04:00
Zachary Wasserman
715d908613 Update go-kit to 0.4.0 (#1411)
Notable refactoring:
- Use stdlib "context" in place of "golang.org/x/net/context"
- Go-kit no longer wraps errors, so we remove the unwrap in transport_error.go
- Use MakeHandler when setting up endpoint tests (fixes test bug caught during
  this refactoring)

Closes #1411.
2017-03-15 08:55:30 -07:00
Mike Arpaia
a000751bfe renaming kolide-ose to kolide (#1143) 2017-02-01 10:20:50 -07:00
Mike Arpaia
a047ef2211 Quick contexts additions (#739)
* Defining a concrete type for session tokens

* More rightish vc.IsLoggedIn()

* using type conversion instead of a method call

* include sessions in test viewer contexts
2017-01-09 08:10:02 -07:00
Mike Arpaia
23c86f6c12 Ensure author name and packs are set in NewQuery response (#774) 2017-01-05 18:48:56 -07:00
Zachary Wasserman
0faa3a55fb Make context imports consistent (#359) 2016-10-31 15:18:05 -07:00
Zachary Wasserman
d2e31146c6 Fix bugs with password resets (#330)
- Permissions error with admin forced password reset
- Redirecting on successful admin forced password reset
- URL fix for forgot password reset
- Use JWT key for password reset request
2016-10-20 15:09:51 -04:00
Mike Arpaia
0482f12926 Organizing go code (#241) 2016-09-26 11:48:55 -07:00
Victor Vrantchan
372dac8304 Create context packages (#228)
add token context package
add viewer context package
add host context package
update authenticated middleware to set viewer context or return error
re-organize API handler
2016-09-26 13:14:39 -04:00