Commit Graph

20 Commits

Author SHA1 Message Date
Roberto Dip
e630fabf89
token rotation for fleet desktop (#7779)
This implements what's described in detail here https://github.com/fleetdm/fleet/blob/main/proposals/fleet-desktop-token-rotation.md
2022-10-10 17:15:35 -03:00
Roberto Dip
2fcb27ed3f
add headers denoting capabilities between fleet server / desktop / orbit (#7833)
This adds a new mechanism to allow us to handle compatibility issues between Orbit, Fleet Server and Fleet Desktop.

The general idea is to _always_ send a custom header of the form:

```
fleet-capabilities-header = "X-Fleet-Capabilities:" capabilities
capabilities              = capability * (,)
capability                = string
```

Both from the server to the clients (Orbit, Fleet Desktop) and vice-versa. For an example, see: 8c0bbdd291

Also, the following applies:

- Backwards compat: if the header is not present, assume that orbit/fleet doesn't have the capability
- The current capabilities endpoint will be removed

### Motivation

This solution is trying to solve the following problems:

- We have three independent processes communicating with each other (Fleet Desktop, Orbit and Fleet Server). Each process can be updated independently, and therefore we need a way for each process to know what features are supported by its peers.
- We originally implemented a dedicated API endpoint in the server that returned a list of the capabilities (or "features") enabled, we found this, and any other server-only solution (like API versioning) to be insufficient because:
  - There are cases in which the server also needs to know which features are supported by its clients
  - Clients needed to poll for changes to detect if the capabilities supported by the server change; by sending the capabilities on each request we have a much cleaner way to handle different responses.
- We are also introducing an unauthenticated endpoint to get the server features, this gives us flexibility if we need to implement different authentication mechanisms, and was one of the pitfalls of the first implementation.

Related to https://github.com/fleetdm/fleet/issues/7929
2022-09-26 07:53:53 -03:00
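The header exchange described in the commit above, as an added example in Go (not Fleet's own implementation): both peers emit `X-Fleet-Capabilities`, both parse it from whatever they receive, and a missing or empty header is treated as an empty capability set, which is the backwards-compat rule the commit states. The capability names `token_rotation` and `policies`, the request path, and the handler's status-code decision are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// CapabilitiesHeader is the header name from the commit message.
const CapabilitiesHeader = "X-Fleet-Capabilities"

// Capability is one feature name. The two constants are constructed for this
// example and are not Fleet's real capability identifiers.
type Capability string

const (
	CapTokenRotation Capability = "token_rotation"
	CapPolicies      Capability = "policies"
)

// Capabilities is the set of features a peer advertises.
type Capabilities map[Capability]struct{}

func NewCapabilities(names ...Capability) Capabilities {
	c := Capabilities{}
	for _, name := range names {
		c[name] = struct{}{}
	}
	return c
}

func (c Capabilities) Has(name Capability) bool {
	_, ok := c[name]
	return ok
}

// String renders the header value as capability *( "," capability ), sorted so
// the wire form is deterministic.
func (c Capabilities) String() string {
	names := make([]string, 0, len(c))
	for name := range c {
		names = append(names, string(name))
	}
	sort.Strings(names)
	return strings.Join(names, ",")
}

// PopulateHeader writes the header; an empty set sends nothing, which the peer
// cannot distinguish from a legacy client, and that is the intended semantics.
func (c Capabilities) PopulateHeader(h http.Header) {
	if len(c) == 0 {
		return
	}
	h.Set(CapabilitiesHeader, c.String())
}

// ParseCapabilities reads the header from a request or response. A missing or
// empty header yields an empty set (assume the peer has no capabilities).
// Repeated header lines and surrounding whitespace are tolerated.
func ParseCapabilities(h http.Header) Capabilities {
	caps := Capabilities{}
	for _, v := range h.Values(CapabilitiesHeader) {
		for _, field := range strings.Split(v, ",") {
			if field = strings.TrimSpace(field); field != "" {
				caps[Capability(field)] = struct{}{}
			}
		}
	}
	return caps
}

// Exchange runs one request against an in-process server. The server advertises
// serverCaps, the client advertises clientCaps, and the function returns what
// each side learned about the other plus the status the server chose.
func Exchange(serverCaps, clientCaps Capabilities) (serverSaw, clientSaw Capabilities, status int, err error) {
	seen := make(chan Capabilities, 1)
	handler := func(w http.ResponseWriter, r *http.Request) {
		got := ParseCapabilities(r.Header)
		seen <- got
		serverCaps.PopulateHeader(w.Header())
		// Server-side decision on a client capability (assumed behaviour): only a
		// client announcing "policies" gets the richer response.
		if got.Has(CapPolicies) {
			w.WriteHeader(http.StatusOK)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}
	srv := httptest.NewServer(http.HandlerFunc(handler))
	defer srv.Close()

	req, err := http.NewRequest(http.MethodGet, srv.URL+"/api/latest/fleet/device/example", nil)
	if err != nil {
		return nil, nil, 0, err
	}
	clientCaps.PopulateHeader(req.Header)
	resp, err := srv.Client().Do(req)
	if err != nil {
		return nil, nil, 0, err
	}
	defer resp.Body.Close()
	return <-seen, ParseCapabilities(resp.Header), resp.StatusCode, nil
}

func main() {
	serverSaw, clientSaw, status, err := Exchange(NewCapabilities(CapTokenRotation), NewCapabilities(CapPolicies))
	if err != nil {
		panic(err)
	}
	fmt.Printf("server saw %q, client saw %q, status %d\n", serverSaw, clientSaw, status)
}
```

Because the header travels on every request and every response, neither side has to poll a capabilities endpoint, and a peer that was updated between two requests is noticed on the next one. The one thing to keep in mind is that absence of the header is indistinguishable from "no capabilities", so a proxy that strips unknown headers silently downgrades both sides to legacy behaviour.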
Juan Fernandez
4ef883b311
Feature 6946: Fleet Desktop should use minimal api end-point for data (#7536)
Updated desktop client to use new EE desktop endpoint.
2022-09-15 12:12:50 -04:00
Tomas Touceda
8457e55b53
Bump go to 1.19.1 (#7690)
* Bump go to 1.19.1

* Bump remaining go-version to the 1.19.1

* Add extra paths for test-go

* Oops, putting the right path in the right place

* gofmt file

* gofmt ALL THE THINGS

* Moar changes

* Actually, go.mod doesn't like minor versions
2022-09-12 20:32:43 -03:00
Juan Fernandez
b60d535d4a
Feature 7084: Add new EE endpoint for Fleet Desktop (#7530)
Added new EE endpoint, that is meant to be used by Fleet Desktop only. The new endpoint will return the number of failed policies.
2022-09-12 15:37:38 -04:00
Roberto Dip
740aafd817
Revert token rotation (#7628)
This reverts all changes related to token rotation.
2022-09-08 15:04:02 -03:00
Roberto Dip
9174c7c711
token rotation for Fleet Desktop (#7517)
See https://github.com/fleetdm/fleet/issues/6348 for a very detailed rundown

Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2022-09-06 20:25:29 -03:00
Martin Angers
b9930930f5
Document the device-authenticated endpoints in API for Contributors (#6406)
2022-06-29 08:12:20 -04:00
Roberto Dip
19c5e3545b
add a dedicated endpoint that redirects to fleet_desktop.transparency_url (#6204)
As part of https://github.com/fleetdm/fleet/issues/5947, and in order to have a simplified workflow in Fleet Desktop, we defined https://github.com/fleetdm/fleet/issues/6200 to add a new endpoint that redirects to the transparency url as defined in the config (for premium users only).

```
~/projects/fleet $ curl -v -s https://localhost:8080/api/latest/fleet/device/bf34ab98-23b0-48bc-8e82-8c0143cba11c/transparency
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 307
< content-type: application/json; charset=utf-8
< location: https://fleetdm.com/transparency
< content-length: 0
< date: Mon, 13 Jun 2022 18:09:29 GMT
<
* Connection #0 to host localhost left intact
```
2022-06-13 16:07:08 -03:00
gillespi314
a3ab5646f5
Add new fleet_desktop property to config object (#6151)
2022-06-10 10:39:02 -05:00
Roberto Dip
a6cf9b3d8d
add endpoint in devices API to query for api features (#6152)
Related to #6063, this adds a new device API to get an object with boolean values that we can use as feature flags to manage backwards compatibility in Fleet Desktop.
2022-06-09 10:17:55 -03:00
Roberto Dip
19f995d3b5
only include policies in device endpoints for premium users (#6077)
This removes policy information from `GET /api/_version_/fleet/device/{token}` from non-premium Fleet instances.

Starting the server with `./build/fleet serve --dev --dev_license`

```bash
$ curl -s https://localhost:8080/api/latest/fleet/device/1804e808-171f-4dda-9bec-f695b2f2371a | jq '.host.policies // "not present"'
[
  {
    "id": 3,
    "name": "Antivirus healthy (Linux)",
    "query": "SELECT score FROM (SELECT case when COUNT(*) = 2 then 1 ELSE 0 END AS score FROM processes WHERE (name = 'clamd') OR (name = 'freshclam')) WHERE score == 1;",
    "description": "Checks that both ClamAV's daemon and its updater service (freshclam) are running.",
    "author_id": 1,
    "author_name": "Roberto",
    "author_email": "test@example.com",
    "team_id": null,
    "resolution": "Ensure ClamAV and Freshclam are installed and running.",
    "platform": "darwin,linux",
    "created_at": "2022-05-23T20:53:36Z",
    "updated_at": "2022-06-03T13:17:42Z",
    "response": ""
  }
]
```

Starting the server with `./build/fleet serve --dev`

```bash
$ curl -s https://localhost:8080/api/latest/fleet/device/1804e808-171f-4dda-9bec-f695b2f2371a | jq '.host.policies // "not present"'
"not present"
```
2022-06-07 13:27:13 -03:00
Michal Nicpon
30a864c8d2
Sync CVE scores periodically (#5838)
2022-06-01 10:06:57 -06:00
Roberto Dip
eb8defdcbe
add premium, device authed endpoint to retrieve policies (#5967)
This adds a new device authenticated endpoint, `/api/_version_/fleet/device/{token}/policies` to retrieve the device policies.

An example request / response looks like:

```bash
curl  https://localhost:8080/api/latest/fleet/device/1804e808-171f-4dda-9bec-f695b2f2371a/policies
```

```json
{
  "policies": [
    {
      "id": 3,
      "name": "Antivirus healthy (Linux)",
      "query": "SELECT score FROM (SELECT case when COUNT(*) = 2 then 1 ELSE 0 END AS score FROM processes WHERE (name = 'clamd') OR (name = 'freshclam')) WHERE score == 1;",
      "description": "Checks that both ClamAV's daemon and its updater service (freshclam) are running.",
      "author_id": 1,
      "author_name": "Admin",
      "author_email": "admin@example.com",
      "team_id": null,
      "resolution": "Ensure ClamAV and Freshclam are installed and running.",
      "platform": "darwin,windows,linux",
      "created_at": "2022-05-23T20:53:36Z",
      "updated_at": "2022-05-23T20:53:36Z",
      "response": "fail"
    }
  ]
}
```

Related to [#5685](https://github.com/fleetdm/fleet/issues/5685), in another changeset I will be adding "client" endpoints so we can consume this endpoint from Fleet Desktop
2022-05-31 14:54:43 -03:00
gillespi314
b4ffec10db
Remove skipLoadingExtras and includeCVEScores from GetHost and HostByIdentifier methods (#5874)
2022-05-25 11:30:03 -05:00
Michal Nicpon
983f9e59b3
Include CVE scores when listing software (#5673)
2022-05-20 10:58:40 -06:00
gillespi314
9c14495701
Fix error handling (#5823)
2022-05-19 18:29:33 -05:00
gillespi314
8e333509b1
Add license object to GET /fleet/device/{token} response (#5820)
2022-05-19 16:28:49 -05:00
Martin Angers
b2845cd65f
Refactor authz skip for device auth, add org_logo_url for frontend (#4619)
2022-03-16 10:15:25 -04:00
Martin Angers
a1c67547b3
Add new endpoints to retrieve device information by orbit identifier (#4531)
2022-03-09 16:13:56 -05:00