Commit Graph

25 Commits

Author SHA1 Message Date
Martin Angers
68ddaafac0
Fix bug preventing gitops role from fleetctl applying macos setup assistant (and bootstrap package) (#12193) 2023-06-07 13:29:36 -04:00
Lucas Manuel Rodriguez
87709d8c95
Fix permissions on GitOps user for searching hosts or count targets (#11448)
#11447

- ~[ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.~
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-05-01 12:57:28 -03:00
Martin Angers
582e85c876
Add support for the mdm.macos_setup.macos_setup_assistant key in fleetctl, API (#11296) 2023-04-25 09:36:01 -04:00
Lucas Manuel Rodriguez
ed4f6e4178
Remove old mdm_command action (do we really need it?) (#11222)
A question in form of PR:

Do we really need the following two entities in our
[policy.rego](https://github.com/fleetdm/fleet/blob/main/server/authz/policy.rego)
`1. (object=mdm_apple_command, action=read/write)` and `2. (object=host,
action=mdm_command)`? (Maybe mdm_command is a leftover action from the
PoC?)

Guess: `mdm_apple_command` (`fleet.MDMAppleCommandAuthz`) is what we
want: `action=write` means you can enqueue, `action=read` means you can
list commands and read their results.

PS: Found this while trying to add command execution permissions to the
new `GitOps` role.
2023-04-18 07:53:33 -03:00
Lucas Manuel Rodriguez
5aa5f8aae3
Add MDM configuration permissions to GitOps (#11207)
#8593 

Adding new MDM functionality to GitOps.

- ~[ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.~
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- [X] Documented any permissions changes
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [x] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-17 12:08:55 -03:00
Lucas Manuel Rodriguez
1ebfbb14eb
New gitops role (#10850)
#8593

This PR adds a new role `gitops` to Fleet.
MDM capabilities for the role coming on a separate PR. We need this
merged ASAP so that we can unblock the UI work for this.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [X] Documented any permissions changes
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [x] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 16:11:04 -03:00
Lucas Manuel Rodriguez
a756614c1a
New observer_plus role (#10675)
#8593

This PR adds a new role `observer_plus` to Fleet. (The `GitOps` role
will be added on a separate PR.)

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [X] Documented any permissions changes
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-05 15:23:49 -03:00
Martin Angers
50a2739609
Allow updating enable_disk_encryption via the Modify Team endpoint (#10208) 2023-03-06 09:54:51 -05:00
gillespi314
f1227d7303
Add authz and datastore methods for mdm config profiles (#9781) 2023-02-14 09:12:18 -06:00
gillespi314
1b4e8e692a
Add API endpoint to unenroll a host from Fleet's MDM (#9447) 2023-01-23 17:05:24 -06:00
Martin Angers
472c8bafb3
Refactor license so it is stored in the context (#8544) 2022-11-15 09:08:05 -05:00
Lucas Manuel Rodriguez
da171d3b8d
Merge pull request from GHSA-pr2g-j78h-84cr
* Fix access control issues with users

* Fix access control issues with packs

* Fix access control issues with software

* Changes suggested by Martin

* All users can access the global schedule

* Restrict access to activities

* Add explicit test for team admin escalation vuln

* All global users should be able to read all software

* Handbook editor pass - Security - GitHub Security (#5108)

* Update security.md

All edits are recorded by line:

395 replaced “open-source” with “open source”
411 replaced “open-source” with “open source”
439 added “the” before “comment”; replaced “repositories,” with “repositories”
445 deleted “being” before “located”
458 added “and” after “PR”
489 replaced “on” with “in”
493 replaced “open-source” with “open source”; Replaced “privileges,” with “privileges”

* Update security.md

line 479

* Update security.md

added (static analysis tools used to identify problems in code) to line 479

* Fix UI

* Fix UI

* revert api v1 to latest in documentation (#5149)

* revert api v1 to latest in documentation

* Update fleetctl doc page

Co-authored-by: Noah Talerman <noahtal@umich.edu>

* Add team admin team policy automation; fix e2e

* Update to company page of the handbook (#5164)

Updated "Why do we use a wireframe-first approach?" section of company.md

* removed extra data on smaller screens (#5154)

* Update for team automations; e2e

* Jira Integration: Cypress e2e tests only (#5055)

* Update company.md (#5170)

This is to update the formatting under "empathy" and to fix the spelling of "help text."
This was done as per @mikermcneil .
This is related to #https://github.com/fleetdm/fleet/pull/4941 and https://github.com/fleetdm/fleet/issues/4902

* fix update updated_at for aggregated_stats (#5112)

Update the updated_at column when using ON DUPLICATE UPDATE so that
the counts_updated_at is up to date

* basic sql formatting in code ie whitespace around operators

* Fix e2e test

* Fix tests in server/authz

Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
Co-authored-by: Desmi-Dizney <99777687+Desmi-Dizney@users.noreply.github.com>
Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com>
Co-authored-by: Noah Talerman <noahtal@umich.edu>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Martavis Parker <47053705+martavis@users.noreply.github.com>
Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
2022-04-18 10:27:30 -07:00
Martin Angers
fc01947ae7
Allow global admin to change anyone's password. (#4582) 2022-03-15 08:11:53 -04:00
Martin Angers
84ac0f05a9
Grant write to policies to global maintainer (#4321) 2022-02-22 16:57:36 -05:00
Martin Angers
290b5d90e5
Add team target filters to rego authorization checks for running queries (#4194) 2022-02-15 13:41:48 -05:00
Lucas Manuel Rodriguez
d4243d0a72
Team observers can browse global policies (#3737)
* Allow team observers to browse global policies

* Add integration core test for team observer

* Fix integration tests
2022-01-18 13:18:40 -03:00
Lucas Manuel Rodriguez
25fd04ea18
Fix team packs rego policy rules (#3356) 2021-12-13 20:53:29 -08:00
Lucas Manuel Rodriguez
964f85b174
Amend policy creation and spec (for proprietary query), and add update APIs (#2890)
* Amend policy creation (proprietary query), add update APIs

* Fix Datastore.SavePolicy bug (and add tests)

* Add integration tests for new policy APIs

* Add author email

* Add activities

* Push breaking changes for return policy fields

* WIP

* Add integration test for host policies

* Make more improvements to policy representation

* Improve upgrade code (from PR review comments)

* PR changes

* Revert activities for policies

* Use *uint instead of uint for queryID, use fleet.PolicyPayload

* Filter out other schemas

* New policy flow (#2922)

* created new policy flow -- no API connection

* added api props

* fixed prop name

* lint fixes

* removed unused modal; fixed style

* name, desc icons; created global components

* lint fixes

* ignoring certain files and lines for prettier

* Update frontend/pages/policies/PolicyPage/PolicyPage.tsx

* Make policy names unique across deployment

* Amend upgrade script

* Fix migration for unique names

* Do not deduplicate but instead rename policies

Co-authored-by: Martavis Parker <47053705+martavis@users.noreply.github.com>
2021-11-24 14:16:42 -03:00
gillespi314
229b91b530
Add endpoint for management of team enroll secrets (#2849) 2021-11-11 10:45:39 -06:00
Tomas Touceda
d3a0d62902
Issue 2456 policies yaml (#2512)
* wip

* Add policy specs support

* Add documentation

* Make policy apply idempotent

* Fold in code

* Improve tests and simplify auth checks

* Lint and fix test
2021-10-15 07:34:11 -03:00
Tomas Touceda
ddc6b300d4
Allow team maintainers to delete hosts from their teams (#2373) 2021-10-05 15:15:05 -03:00
Tomas Touceda
e2caf46d6d
Issue 2133 team maintainer can edit delete queries (#2256)
* wip

* Team maintainers can edit and delete queries they authored

* Update documentation

* Fix test
2021-09-28 14:53:05 -03:00
Zach Wasserman
c5280c0517
Add v4 suffix in go.mod (#1224) 2021-06-25 21:46:51 -07:00
Zach Wasserman
fb32f0cf40
Remove kolide types and packages from backend (#974)
Generally renamed `kolide` -> `fleet`
2021-06-06 15:07:29 -07:00
Zach Wasserman
18faa5a06b
Add authorization checks in service (#938)
- Add policy.rego file defining authorization policies.
- Add Go integrations to evaluate Rego policies (via OPA).
- Add middleware to ensure requests without authorization check are rejected (guard against programmer error).
- Add authorization checks to most service endpoints.
2021-06-03 16:24:15 -07:00