In #10957, a customer attempted to run a live query on ~60k devices. We
saw that Fleet receives all results from the devices, but stops sending
them to the browser. We believe this _might_ be a deadlock (we couldn't
confirm this because of lack of access to the Fleet instance itself).
We haven't fully confirmed this to be the reason of the
hang/missing-results, but it's worth updating because it [fixes a
possible deadlock in the
package](https://github.com/igm/sockjs-go/releases/tag/v3.0.2).
The remaining changes are the result of running `go mod tidy`.
- ~[ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.~
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- ~[ ] Added/updated tests~
- [X] Manual QA for all new/changed functionality
- ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
---------
Co-authored-by: Roberto Dip <me@roperzh.com>
Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
```
go get -u go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux go.opentelemetry.io/otel go.opentelemetry.io/otel/exporters/otlp/otlptrace go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc go.opentelemetry.io/otel/sdk; go mod tidy
```
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
A recent dependabot PR (#9792) upgraded the Docker library, resulting in
errors running some tests:
```
FLEET_VERSION_A=v4.28.0 FLEET_VERSION_B=main go test ./test/upgrade *[main]
go: downloading github.com/stretchr/testify v1.8.2
--- FAIL: TestUpgradeAToB (34.73s)
fleet_test.go:71: start fleet: Error response from daemon: client version 1.42 is too new. Maximum supported API version is 1.41
```
Even after upgrading Docker Desktop to the latest, this error still
persisted. It seems that Docker released a version of the client that is
newer than the latest version of the server.
Reverting to a supported client version.
related to #10441, inspired by the prior work done in
https://github.com/kolide/fleet/pull/1360, this PR:
1. Adds a migration to use `utf8mb4_general_ci` as the default collation
for the database and all the tables. From [MySQL's documentation][1]:
> To change the table default character set and all character columns
> (CHAR, VARCHAR, TEXT) to a new character set, use a statement like
> this:
>
> ```
> ALTER TABLE tbl_name CONVERT TO CHARACTER SET charset_name;
> ```
> The statement also changes the collation of all character columns. If
> you specify no COLLATE clause to indicate which collation to use, the
> statement uses default collation for the character set.
2. Changes the connection settings to use `utf8mb4_general_ci` as the
default collation, from the [driver docs][2]:
> Sets the collation used for client-server interaction on
connection. In contrast to charset, collation does not issue additional
queries. If the specified collation is unavailable on the target server,
the connection will fail.
[1]: https://dev.mysql.com/doc/refman/5.7/en/alter-table.html
[2]: https://github.com/go-sql-driver/mysql
**TODO:** discuss how we can enforce this, is setting the database
default collation enough? should we add some kind of custom lint rule to
all migrations?
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
Bumps
[github.com/kevinburke/go-bindata](https://github.com/kevinburke/go-bindata)
from 3.22.0+incompatible to 3.24.0+incompatible.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/kevinburke/go-bindata/releases">github.com/kevinburke/go-bindata's
releases</a>.</em></p>
<blockquote>
<p>v3.24.0</p>
<p>v3.23.0</p>
<p>test</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kevinburke/go-bindata/blob/master/CHANGELOG.md">github.com/kevinburke/go-bindata's
changelog</a>.</em></p>
<blockquote>
<h2>3.24.0</h2>
<p>Remove uses of io/ioutil; you must use Go 1.18 or higher with this
version of
go-bindata and its generated asset files.</p>
<p>Update generated doc comments for compatibility with Go's updated doc
comment
guidelines.</p>
<h2>3.21.0</h2>
<p>Replace "Debug" with "AssetDebug" to reduce the
likelihood of conflicts.</p>
<h2>3.20.0</h2>
<p>Add the "Debug" constant if assets have been generated
using the <code>--debug</code> flag
at the command line.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="1b67e2de03"><code>1b67e2d</code></a>
v3.24.0</li>
<li><a
href="2708ad2791"><code>2708ad2</code></a>
CHANGELOG.md: prep for v3.24 release</li>
<li><a
href="5708eee1c2"><code>5708eee</code></a>
.github: add Go 1.18, 1.19</li>
<li><a
href="4a992e31ef"><code>4a992e3</code></a>
all: replace use of io/ioutil</li>
<li><a
href="adf7cd2dcf"><code>adf7cd2</code></a>
v3.23.0</li>
<li><a
href="54fe8e9bc4"><code>54fe8e9</code></a>
Release binaries for arm64</li>
<li><a
href="7ea0201288"><code>7ea0201</code></a>
.github: use latest Go versions</li>
<li><a
href="12dca65da1"><code>12dca65</code></a>
benchmark should write to tmp dir, not ./testdata. Fixes <a
href="https://github-redirect.dependabot.com/kevinburke/go-bindata/issues/42">#42</a>.</li>
<li><a
href="0d7fe269ac"><code>0d7fe26</code></a>
go-bindata: don't panic if given invalid regex</li>
<li><a
href="930726ace6"><code>930726a</code></a>
release: remove underscores from function names</li>
<li>Additional commits viewable in <a
href="https://github.com/kevinburke/go-bindata/compare/v3.22.0...v3.24.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.5.0 to
0.7.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="8e2b117aee"><code>8e2b117</code></a>
http2/hpack: avoid quadratic complexity in hpack decoding</li>
<li><a
href="547e7edf38"><code>547e7ed</code></a>
http2: avoid referencing ResponseWrite.Write parameter after
returning</li>
<li><a
href="39940adcaa"><code>39940ad</code></a>
html: parse comments per HTML spec</li>
<li><a
href="87ce33ecb4"><code>87ce33e</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="415cb6d518"><code>415cb6d</code></a>
all: fix some comments</li>
<li><a
href="7e3c19ca52"><code>7e3c19c</code></a>
all: correct typos in comments</li>
<li><a
href="296f09aa38"><code>296f09a</code></a>
http2: case insensitive handling for 100-continue</li>
<li><a
href="f8411da775"><code>f8411da</code></a>
nettest: fix tests on dragonfly and js/wasm</li>
<li>See full diff in <a
href="https://github.com/golang/net/compare/v0.5.0...v0.7.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/fleetdm/fleet/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[github.com/getsentry/sentry-go](https://github.com/getsentry/sentry-go)
from 0.12.0 to 0.18.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-go/releases">github.com/getsentry/sentry-go's
releases</a>.</em></p>
<blockquote>
<h2>0.18.0</h2>
<p>The Sentry SDK team is happy to announce the immediate availability
of Sentry Go SDK v0.18.0.
This release contains initial support for <a
href="https://opentelemetry.io/">OpenTelemetry</a> and various other bug
fixes and improvements.</p>
<p><strong>Note</strong>: This is the last release supporting Go
1.17.</p>
<h3>Features</h3>
<ul>
<li>
<p>Initial support for <a
href="https://opentelemetry.io/">OpenTelemetry</a>.
You can now send all your OpenTelemetry spans to Sentry.</p>
<p>Install the <code>otel</code> module</p>
<pre lang="bash"><code>go get github.com/getsentry/sentry-go \
github.com/getsentry/sentry-go/otel
</code></pre>
<p>Configure the Sentry and OpenTelemetry SDKs</p>
<pre lang="go"><code>import (
"go.opentelemetry.io/otel"
sdktrace "go.opentelemetry.io/otel/sdk/trace"
"github.com/getsentry/sentry-go"
"github.com/getsentry/sentry-go/otel"
// ...
)
<p>// Initlaize the Sentry SDK
sentry.Init(sentry.ClientOptions{
Dsn: "<strong>DSN</strong>",
EnableTracing: true,
TracesSampleRate: 1.0,
})</p>
<p>// Set up the Sentry span processor
tp := sdktrace.NewTracerProvider(
sdktrace.WithSpanProcessor(sentryotel.NewSentrySpanProcessor()),
// ...
)
otel.SetTracerProvider(tp)</p>
<p>// Set up the Sentry propagator
otel.SetTextMapPropagator(sentryotel.NewSentryPropagator())
</code></pre></p>
<p>You can read more about using OpenTelemetry with Sentry in our <a
href="https://docs.sentry.io/platforms/go/performance/instrumentation/opentelemetry/">docs</a>.</p>
</li>
</ul>
<h3>Bug Fixes</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-go/blob/master/CHANGELOG.md">github.com/getsentry/sentry-go's
changelog</a>.</em></p>
<blockquote>
<h2>0.18.0</h2>
<p>The Sentry SDK team is happy to announce the immediate availability
of Sentry Go SDK v0.18.0.
This release contains initial support for <a
href="https://opentelemetry.io/">OpenTelemetry</a> and various other bug
fixes and improvements.</p>
<p><strong>Note</strong>: This is the last release supporting Go
1.17.</p>
<h3>Features</h3>
<ul>
<li>
<p>Initial support for <a
href="https://opentelemetry.io/">OpenTelemetry</a>.
You can now send all your OpenTelemetry spans to Sentry.</p>
<p>Install the <code>otel</code> module</p>
<pre lang="bash"><code>go get github.com/getsentry/sentry-go \
github.com/getsentry/sentry-go/otel
</code></pre>
<p>Configure the Sentry and OpenTelemetry SDKs</p>
<pre lang="go"><code>import (
"go.opentelemetry.io/otel"
sdktrace "go.opentelemetry.io/otel/sdk/trace"
"github.com/getsentry/sentry-go"
"github.com/getsentry/sentry-go/otel"
// ...
)
<p>// Initlaize the Sentry SDK
sentry.Init(sentry.ClientOptions{
Dsn: "<strong>DSN</strong>",
EnableTracing: true,
TracesSampleRate: 1.0,
})</p>
<p>// Set up the Sentry span processor
tp := sdktrace.NewTracerProvider(
sdktrace.WithSpanProcessor(sentryotel.NewSentrySpanProcessor()),
// ...
)
otel.SetTracerProvider(tp)</p>
<p>// Set up the Sentry propagator
otel.SetTextMapPropagator(sentryotel.NewSentryPropagator())
</code></pre></p>
<p>You can read more about using OpenTelemetry with Sentry in our <a
href="https://docs.sentry.io/platforms/go/performance/instrumentation/opentelemetry/">docs</a>.</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4b97c8e661"><code>4b97c8e</code></a>
release: 0.18.0</li>
<li><a
href="79724631e3"><code>7972463</code></a>
fix(release): Bump root module version in submodules (<a
href="https://github-redirect.dependabot.com/getsentry/sentry-go/issues/576">#576</a>)</li>
<li><a
href="612c167049"><code>612c167</code></a>
fix(build): Tidy otel submodule (<a
href="https://github-redirect.dependabot.com/getsentry/sentry-go/issues/575">#575</a>)</li>
<li><a
href="3ec3943355"><code>3ec3943</code></a>
doc: Prepare 0.18.0 (<a
href="https://github-redirect.dependabot.com/getsentry/sentry-go/issues/572">#572</a>)</li>
<li><a
href="bb6e2bdbf0"><code>bb6e2bd</code></a>
fix(otel): Use vendored bagggage implementation in propagator (<a
href="https://github-redirect.dependabot.com/getsentry/sentry-go/issues/573">#573</a>)</li>
<li><a
href="3964ecefd0"><code>3964ece</code></a>
fix(baggage): Update baggage parsing and encoding in vendored otel
package (#...</li>
<li><a
href="ef3a838eef"><code>ef3a838</code></a>
test: Add Codecov configuration file (<a
href="https://github-redirect.dependabot.com/getsentry/sentry-go/issues/569">#569</a>)</li>
<li><a
href="de904d6e97"><code>de904d6</code></a>
fix(otel): Require otel 1.11.0 and higher (<a
href="https://github-redirect.dependabot.com/getsentry/sentry-go/issues/567">#567</a>)</li>
<li><a
href="d0a2aa3ebd"><code>d0a2aa3</code></a>
fix: Create a frozen DSC when calling ToBaggage (<a
href="https://github-redirect.dependabot.com/getsentry/sentry-go/issues/566">#566</a>)</li>
<li><a
href="fb7618028b"><code>fb76180</code></a>
release: Update .craft.yml to be ready for otel submodule release (<a
href="https://github-redirect.dependabot.com/getsentry/sentry-go/issues/565">#565</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/getsentry/sentry-go/compare/v0.12.0...v0.18.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Issue #9599
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
Two minor things are happening here:
1. A new direct dependency was added in #9489, this runs `go mod tidy`
to update `go.mod` and `go.sum`
2. `"go.uber.org/atomic"` was automatically imported instead of
`"sys/atomic"` in #9494
This may be needed for CIS 2.3.2.2 check:
```
Correct date and time settings are required for authentication protocols, file creation,
modification dates and log entries. Ensure that time on the computer is within
acceptable limits. Truly accurate time is measured within milliseconds. For this audit, a
drift under four and a half minutes passes the control check. Since Kerberos is one of
the important features of macOS integration into Directory systems, the guidance here
is to warn you before there could be an impact to operations. From the perspective of
accurate time, this check is not strict, so it may be too great for your organization. Your
organization can adjust to a smaller offset value as needed.
```
#9239
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- ~[ ] Added/updated tests~
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
This PR provides the tooling that fleetdm.com will use to sign MDM Push
CSRs.
This was tested against the output of #8812, and the resulting requests
were validated to be accepted by Apple.
Co-authored-by: Roberto Dip <me@roperzh.com>
Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
this upgrades the following packages by running:
```
go get golang.org/x/text@v0.3.8
go get golang.org/x/net@v0.0.0-20220906165146-f3363e06e74c
go get github.com/docker/distribution@v2.8.0
```
`golang.org/x/text` and `golang.org/x/net` are safe to upgrade as they
only contain the security fix.
`github.com/docker/distribution` is only used by `test/upgrade` and I
have verified that everything works properly by running a test.
* Update go-tuf to v0.5.0
This was triggered by the security advisory
[GHSA-3633-5h82-39pq](https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-3633-5h82-39pq).
Fleet's use of go-tuf is not vulnerable to this issue due to not using
key thresholds greater than 1.
There were some API changes that necessitate changing the initialization
code for the TUF client. See
https://github.com/theupdateframework/go-tuf/issues/379 for further
discussion.
* Add changes file
* Update default root metadata
* Add review changes to update-go-tuf branch
* Update tests
* Add more checks to roots output
Co-authored-by: Zach Wasserman <zach@fleetdm.com>
* WIP
* Adding DEP functionality to Fleet
* Better organize additional MDM code
* Add cmdr.py and amend API paths
* Fix lint
* Add demo file
* Fix demo.md
* go mod tidy
* Add munki setup to Fleet
* Add diagram to demo.md
* Add fixes
* Update TODOs and demo.md
* Fix cmdr.py and add TODO
* Add endpoints to demo.md
* Add more Munki PoC/demo stuff
* WIP
* Remove proposals from PoC
* Replace prepare commands with fleetctl commands
* Update demo.md with current state
* Remove config field
* Amend demo
* Remove Munki setup from MVP-Dogfood
* Update demo.md
* Add apple mdm commands (#7769)
* fleetctl enqueue mdm command
* fix deps
* Fix build
Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
* Add command to upload installers
* go mod tidy
* fix subcommands help
There is a bug in urfave/cli where help text is not generated properly when subcommands
are nested too deep.
* Add support for installing apps
* Add a way to list enrolled devices
* Add dep listing
* Rearrange endpoints
* Move DEP routine to schedule
* Define paths globally
* Add a way to list enrollments and installers
* Parse device-ids as comma-separated string
* Remove unused types
* Add simple commands and nest under enqueue-command
* Fix simple commands
* Add help to enqueue-command
* merge apple_mdm database
* Fix commands
* update nanomdm
* Split nanomdm and nanodep schemas
* Set 512 MB in memory for upload
* Remove empty file
* Amend profile
* Add sample commands
* Add delete installers and fix bug in DEP profile assigning
* Add dogfood.md deployment guide
* Update schema.sql
* Dump schema with MySQL 5
* Set default value for authenticate_at
* add tokens to enrollment profiles
When a device downloads an MDM enrollment profile, verify the token passed
as a query parameter. This ensures untrusted devices don't enroll with
our MDM server.
- Rename enrollments to enrollment profiles. Enrollments is used by nano
to refer to devices that are enrolled with MDM
- Rename endpoint /api/<version>/fleet/mdm/apple/enrollments to ../enrollmentprofiles
- Generate a token for authentication when creating an enrollment profile
- Return unauthorized if token is invalid when downloading an enrollment profile from /api/mdm/apple/enroll?token=
* remove mdm apple server url
* update docs
* make dump-test-schema
* Update nanomdm with missing prefix table
* Add docs and simplify changes
* Add changes file
* Add method docs
* Fix compile and revert prepare.go changes
* Revert migration status check change
* Amend comments
* Add more docs
* Clarify storage of installers
* Remove TODO
* Remove unused
* update dogfood.md
* remove cmdr.py
* Add authorization tests
* Add TODO comment
* use kitlog for nano logging
* Add yaml tags
* Remove unused flag
* Remove changes file
* Only run DEP routine if MDM is enabled
* Add docs to all new exported types
* Add docs
* more nano logging changes
* Fix unintentional removal
* more nano logging changes
* Fix compile test
* Use string for configs and fix config test
* Add docs and amend changes
* revert changes to basicAuthHandler
* remove exported BasicAuthHandler
* rename rego authz type
* Add more information to dep list
* add db tag
* update deps
* Fix schema
* Remove unimplemented
Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com>
Co-authored-by: Michal Nicpon <michal@fleetdm.com>
