Commit Graph

27 Commits

Author SHA1 Message Date
Lucas Manuel Rodriguez
9191f4ce66
Add Apple MDM functionality (#7940)
* WIP

* Adding DEP functionality to Fleet

* Better organize additional MDM code

* Add cmdr.py and amend API paths

* Fix lint

* Add demo file

* Fix demo.md

* go mod tidy

* Add munki setup to Fleet

* Add diagram to demo.md

* Add fixes

* Update TODOs and demo.md

* Fix cmdr.py and add TODO

* Add endpoints to demo.md

* Add more Munki PoC/demo stuff

* WIP

* Remove proposals from PoC

* Replace prepare commands with fleetctl commands

* Update demo.md with current state

* Remove config field

* Amend demo

* Remove Munki setup from MVP-Dogfood

* Update demo.md

* Add apple mdm commands (#7769)

* fleetctl enqueue mdm command

* fix deps

* Fix build

Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>

* Add command to upload installers

* go mod tidy

* fix subcommands help

There is a bug in urfave/cli where help text is not generated properly when subcommands
are nested too deep.

* Add support for installing apps

* Add a way to list enrolled devices

* Add dep listing

* Rearrange endpoints

* Move DEP routine to schedule

* Define paths globally

* Add a way to list enrollments and installers

* Parse device-ids as comma-separated string

* Remove unused types

* Add simple commands and nest under enqueue-command

* Fix simple commands

* Add help to enqueue-command

* merge apple_mdm database

* Fix commands

* update nanomdm

* Split nanomdm and nanodep schemas

* Set 512 MB in memory for upload

* Remove empty file

* Amend profile

* Add sample commands

* Add delete installers and fix bug in DEP profile assigning

* Add dogfood.md deployment guide

* Update schema.sql

* Dump schema with MySQL 5

* Set default value for authenticate_at

* add tokens to enrollment profiles

When a device downloads an MDM enrollment profile, verify the token passed
as a query parameter. This ensures untrusted devices don't enroll with
our MDM server.

- Rename enrollments to enrollment profiles. Enrollments is used by nano
  to refer to devices that are enrolled with MDM
- Rename endpoint /api/<version>/fleet/mdm/apple/enrollments to ../enrollmentprofiles
- Generate a token for authentication when creating an enrollment profile
- Return unauthorized if token is invalid when downloading an enrollment profile from /api/mdm/apple/enroll?token=

* remove mdm apple server url

* update docs

* make dump-test-schema

* Update nanomdm with missing prefix table

* Add docs and simplify changes

* Add changes file

* Add method docs

* Fix compile and revert prepare.go changes

* Revert migration status check change

* Amend comments

* Add more docs

* Clarify storage of installers

* Remove TODO

* Remove unused

* update dogfood.md

* remove cmdr.py

* Add authorization tests

* Add TODO comment

* use kitlog for nano logging

* Add yaml tags

* Remove unused flag

* Remove changes file

* Only run DEP routine if MDM is enabled

* Add docs to all new exported types

* Add docs

* more nano logging changes

* Fix unintentional removal

* more nano logging changes

* Fix compile test

* Use string for configs and fix config test

* Add docs and amend changes

* revert changes to basicAuthHandler

* remove exported BasicAuthHandler

* rename rego authz type

* Add more information to dep list

* add db tag

* update deps

* Fix schema

* Remove unimplemented

Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com>
Co-authored-by: Michal Nicpon <michal@fleetdm.com>
2022-10-05 19:53:54 -03:00
Roberto Dip
2fcb27ed3f
add headers denoting capabilities between fleet server / desktop / orbit (#7833)
This adds a new mechanism to allow us to handle compatibility issues between Orbit, Fleet Server and Fleet Desktop.

The general idea is to _always_ send a custom header of the form:

```
fleet-capabilities-header = "X-Fleet-Capabilities:" capabilities
capabilities              = capability * (,)
capability                = string
```

Both from the server to the clients (Orbit, Fleet Desktop) and vice-versa. For an example, see: 8c0bbdd291

Also, the following applies:

- Backwards compat: if the header is not present, assume that orbit/fleet doesn't have the capability
- The current capabilities endpoint will be removed

### Motivation

This solution is trying to solve the following problems:

- We have three independent processes communicating with each other (Fleet Desktop, Orbit and Fleet Server). Each process can be updated independently, and therefore we need a way for each process to know what features are supported by its peers.
- We originally implemented a dedicated API endpoint in the server that returned a list of the capabilities (or "features") enabled, we found this, and any other server-only solution (like API versioning) to be insufficient because:
  - There are cases in which the server also needs to know which features are supported by its clients
  - Clients needed to poll for changes to detect if the capabilities supported by the server change, by sending the capabilities on each request we have a much cleaner way to handling different responses.
- We are also introducing an unauthenticated endpoint to get the server features, this gives us flexibility if we need to implement different authentication mechanisms, and was one of the pitfalls of the first implementation.

Related to https://github.com/fleetdm/fleet/issues/7929
2022-09-26 07:53:53 -03:00
Martin Angers
478b4d3f69
Validate team and appconfig payloads, with dry-run and force modes (#7731) 2022-09-19 13:53:44 -04:00
Lucas Manuel Rodriguez
6dcff28be0
Move specs parsing functionality to a new pkg/spec package (#7050) 2022-08-05 19:07:32 -03:00
Lucas Manuel Rodriguez
9b210fc6bd
Add support for CA root certificate to Fleet Desktop (fleetctl package's --fleet-certificate flag) (#6312)
* Orbit to pass the value of `--fleet-certificate` to Fleet Desktop

* Add changes for testing
2022-06-21 16:25:36 -03:00
Martin Angers
0b5fcd8e27
Add support for custom headers in fleetctl (#6118) 2022-06-07 16:00:09 -04:00
Roberto Dip
842ebbb2ae
add Go client to consume device endpoints (#5987)
This adds a new API client named DeviceClient to server/service, meant to consume device endpoints and be used from Fleet Desktop.

Some of the logic to make requests and parse responses was very repetitive, so I introduced a private baseClient type and moved some of the logic of the existent Client there.

Related to #5685 and #5697
2022-06-01 20:05:05 -03:00
Michal Nicpon
075702113a
Print version warning when using fleetctl (#4139)
* Remove deprecated call in fleetctl
* Remove duplicate error returned by app.Run in tests
2022-02-14 09:43:34 -07:00
Tomas Touceda
a18e09b613
Simplify fleetctl implementation and improve testing (#3830)
* Simplify fleetctl implementation and improve testing

* Add a few more

* Handle not founds better

* Fix tests

* Check that logout ds func is called
2022-01-24 16:40:51 -03:00
Martin Angers
c997f853e5
Make creation of http.Client uniform across the codebase (#3097) 2021-11-24 15:56:54 -05:00
Martin Angers
69a4985cac
Use new error handling approach in other packages (#2954) 2021-11-22 09:13:26 -05:00
Tomas Touceda
e6368cc57f
Refactor integration tests (#1821)
* Refactor integration tests

* Remove nopCloser and use io.NopCloser

* Address review comments
2021-09-15 16:27:53 -03:00
Tomas Touceda
176037cad2
Implement fleetctl get software and the underlying API (#1999)
* Implement fleetctl get software and the underlying API

* Add documentation

* Simplify list software implementation

* Lint fixes

* Make team name unique

* Address review comments

* Fix lint

* Fix tests
2021-09-14 10:58:48 -03:00
Tomas Touceda
d6d53acda5
Issue 1600 fleetctl license expiration (#1800)
* Show banner in fleet and fleetctl if license expired

* Ignore if license is nil or tier is core

* Address review comments
2021-08-26 10:28:53 -03:00
Martin Angers
a3714d2ed9
Add fleetctl debug connection command (#1706)
Adds the `fleetctl debug connection` command to investigate
connection issues to the fleet server.

Closes #1579 .
2021-08-24 08:50:03 -04:00
Tomas Touceda
545b3f396e
Issue 1362 fleetctl user roles (#1397)
* WIP

* Add get user_roles and apply for a user_roles spec to fleetctl

* Uncomment other tests

* Update test to check output

* Update test with the new struct

* Mock token so that it doesn't pick up the one in the local machine

* Address review comments

* Fix printJSON and printYaml

* Fix merge conflict error

* If both roles are specified, fail

* Fix test

* Switch arguments around

* Update test with the new rule

* Fix other tests that fell through the cracks
2021-07-16 15:28:13 -03:00
WangXiang
468754f2b9
Format and clean code (#774)
1. use [staticcheck](https://staticcheck.io/) to check the code, and fix some issues.
2. use `go fmt` to format the code.
3. use `go mod tidy` clean the go mod.
2021-05-17 10:29:50 -07:00
Scott Lampert
5c69094571
Remove https check for client connection (#489)
Removes the https requirement for localhost only.
2021-03-18 11:21:36 -07:00
Zach Wasserman
22d9205d35
Add debug flag to fleetctl (#266)
This flag enables logging of HTTP requests and responses to stderr.

Closes #187
2021-02-02 18:55:16 -08:00
Zach Wasserman
ab94d94da0
Fix fleetctl Windows issues (#40)
- Properly set the path for the config file on Windows.
- Check for appropriate settings for TLS config.

Fixes #39
2020-11-17 16:02:14 -08:00
Zachary Wasserman
e452cc6a8a
Add file carving support (#15)
- Add endpoints for osquery to register and continue a carve.
- Implement client functionality for retrieving carve details and contents in fleetctl.
- Add documentation on using file carving with Fleet.

Addresses kolide/fleet#1714
2020-11-04 20:45:16 -08:00
Zachary Wasserman
adf87140a7
Add ability to prefix Fleet URLs (#2112)
- Add the server_url_prefix flag for configuring this functionality
- Add prefix handling to the server routes
- Refactor JS to use appropriate paths from modules
- Use JS template to get URL prefix into JS environment
- Update webpack config to support prefixing

Thanks to securityonion.net for sponsoring the development of this feature.

Closes #1661
2019-10-16 16:40:45 -07:00
Blake Atkinson
510ec10769 Documentation: Add mysql conn limits (#1947) 2018-11-01 17:43:24 -04:00
adamenger
a99313533d Added custom CA support to fleetctl client (#1931) 2018-10-01 15:23:46 -07:00
Zachary Wasserman
b80e0a102d
Add fleetctl query command (#1784)
Allow queries targeted by hostname and label name.
2018-05-17 15:54:34 -07:00
Zachary Wasserman
3d1d088be9
Implement clients for labels, packs and queries (#1760)
Go client methods for making get, set and delete requests on label, pack and
query entities.
2018-05-07 12:44:40 -07:00
Mike Arpaia
018e10ea66
Add fleetctl config and auth commands (#1751)
```
$ fleetctl config set address https://localhost:8080
[+] Set the "address" config key to "https://localhost:8080" in the "default" context

$ fleetctl config set ignore_tls true
[+] Set the "ignore_tls" config key to "true" in the "default" context

$ fleetctl setup --email mike@arpaia.co --password "abc123"
[+] Fleet setup successful and context configured!

$ cat ~/.fleet/config
contexts:
  default:
    address: https://localhost:8080
    email: mike@arpaia.co
    ignore_tls: true
    token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzZXNzaW9uX2tleSI6IlUvdm05Vk9wSG0xUlA4SUtjQnBhb2ovWlo1TXppSEVXcFRCNFNPb2tHQnNLUFpDQXFieVpWWnpJb0UvczQzcWkyd1pHZXJOa29SNFVIQ2hNZUc0K09RPT0ifQ.rHawSN8JvD4jjWAPTYX2Ep9ZpMt3u4mSIQcu920C-_s

$ fleetctl logout
[+] Fleet logout successful and local token cleared!

$ cat ~/.fleet/config
contexts:
  default:
    address: https://localhost:8080
    email: mike@arpaia.co
    ignore_tls: true
    token: ""
```
2018-05-04 10:53:21 -06:00