Commit Graph

283 Commits

Author SHA1 Message Date
John Murphy
019191c36b SSO Login and Configuration Support (#1506)
Closes issue #1456 This PR adds a single sign on option to the login form, exposes single sign on to the end user, and allows an admin user to set single sign on configuration options.
2017-05-17 10:58:40 -05:00
John Murphy
12d2df1f9a Add SSO support to new user activation (#1504)
Closes #1502. This PR adds support for SSO to the new user creation process. An admin now has the option to select SSO when creating a new user.  When the confirmation form is submitted, the user is automatically authenticated with the IDP, and if successful, is redirected to the Kolide home page. Password authentication, password change and password reset are not allowed for an SSO user.
2017-05-10 11:26:05 -05:00
John Murphy
368b9d774c Server Side SSO Support (#1498)
This PR partially addresses #1456, providing SSO SAML support. The flow of the code is as follows.

A Kolide user attempts to access a protected resource and is directed to log in.
If SSO identity providers (IDP) have been configured by an admin, the user is presented with SSO log in.
The user selects SSO, which invokes a call the InitiateSSO passing the URL of the protected resource that the user was originally trying access. Kolide server loads the IDP metadata and caches it along with the URL. We then build an auth request URL for the IDP which is returned to the front end.
The IDP calls the server, invoking CallbackSSO with the auth response.
We extract the original request id from the response and use it to fetch the cached metadata and the URL. We check the signature of the response, and validate the timestamps. If everything passes we get the user id from the IDP response and use it to create a login session. We then build a page which executes some javascript that will write the token to web local storage, and redirect to the original URL.
I've created a test web page in tools/app/authtest.html that can be used to test and debug new IDP's which also illustrates how a front end would interact with the IDP and the server. This page can be loaded by starting Kolide with the environment variable KOLIDE_TEST_PAGE_PATH to the full path of the page and then accessed at https://localhost:8080/test
2017-05-08 19:43:48 -05:00
John Murphy
2945031a86 Fix bug in Osquery import and updated import docs (#1478)
This PR contains a fix for a bug that turned up when I was testing configimporter. If the platform field is not specified, its supposed to default to all per the osquery configuration spec. The default was not properly implemented, and if the platform value was missing from the imported configuration it failed. The PR also added instructions to the api documentation describing how to import an osquery configuration.
2017-04-23 19:41:27 -05:00
Zachary Wasserman
22fbb65db3 Re-enable all tests in TestUpdateHostIntervals (#1496) 2017-04-18 11:29:04 -07:00
Zachary Wasserman
dfa2d83855 Update online status calculation to use per-host intervals (#1494)
Replaces the existing calculation that uses a global online interval. This method was lacking due to the fact that different hosts may have different checkin intervals set.

The new calculation uses `min(distributed_interval, config_tls_refresh) + 30` as the interval. This is calculated with the stored values for each host.

Closes #1321
2017-04-18 10:39:50 -07:00
John Murphy
789596a78e SAML Database Support
Partially addresses #1456. This PR provides datastore support for SSO by creating a new entity IdentityProvider. This entity is an abstraction of the SAML IdentityProvider and contains the data needed to perform SAML authentication.
2017-04-12 15:42:10 -05:00
Zachary Wasserman
d7cd91c0e4 Retrieve and store host checkin intervals (#1473)
We now track the `config_tls_refresh`, `distributed_interval` and
`logger_tls_period` flag values for each host. Each value is updated by a
detail query agains the `osquery_flags` table, because they may be specified
outside of Kolide. The flags that can be specified within Kolide are also
updated when a config is returned to the host that changes their value.

This will enable us to do a more accurate per-host online status calculation as
discussed in #1419.
2017-04-06 11:55:24 -07:00
Zachary Wasserman
6a3ea3fc8c Remove remaining uses of golang.org/x/net/context (#1464) 2017-04-05 12:25:34 -07:00
John Murphy
c90368c4af Changed default osquery logging behavior
Made log rotation for osquery results and status logs optional.  This required writing the logwriter package which is a drop in replacement for lumberjack.  We still use lumberjack if the log rotation flag --osquery_enable_log_rotation flag is set. Note that the performance of the default is quite a bit better than lumberjack.


BenchmarkLogger-8       	 2000000	       747 ns/op
BenchmarkLumberjack-8   	 1000000	      1965 ns/op
PASS
BenchmarkLogger-8       	 2000000	       731 ns/op
BenchmarkLumberjack-8   	 1000000	      2040 ns/op
PASS
BenchmarkLogger-8       	 2000000	       741 ns/op
BenchmarkLumberjack-8   	 1000000	      1970 ns/op
PASS
BenchmarkLogger-8       	 2000000	       737 ns/op
BenchmarkLumberjack-8   	 1000000	      1930 ns/op
PASS
2017-04-03 16:48:50 -05:00
Zachary Wasserman
3ef2876aab Minor improvements to logger SIGHUP test (#1459)
These should provide a slight reliability improvement for this test.
2017-03-31 09:59:23 -07:00
John Murphy
d533931799 Addresses Issue where the reset button doesn't work on options page (#1447)
Closes issue #1388. The problem here is that previously, the reset button loaded a hard coded list of default options into the component state, instead of the proper behavior which is to reset the options to default values on the back end, and then load them back into the redux store. This PR adds a ResetOptions endpoint on the server, and wires up the UI so that it triggers the endpoint, then loads the default options from the backend server.
2017-03-30 18:56:11 -05:00
John Murphy
f4bee00b01 Fix Issue where saving same option value errs. (#1433)
Closes issue #1390

There were quite a few places where UPDATES could fail silently because we weren't checking target rows where actually found where we expect them to be. In order to address this problem clientFoundRows was set in the sql driver configuration and checks for UPDATES were added to determine if matched rows were found where we expect them to be.
2017-03-30 17:03:48 -05:00
Zachary Wasserman
60607cb366 Speed up manage packs page loading (#1429)
Push the calculation of target counts into the SQL query, rather than loading
all of the targets and then counting them. This provides a dramatic (>100x)
speedup in loading of the manage packs page when large numbers of hosts are
present.

Closes #1426
2017-03-30 08:31:28 -07:00
Zachary Wasserman
6d9085da71 Remove extraneous calls to MarkHostSeen (#1441)
The seen time should only be updated once per request from the osquery agent to
the Kolide server. We now do that only in AuthenticateHost (which every request
besides enrollment must go through).
2017-03-30 08:31:05 -07:00
Zachary Wasserman
06ed4c2771 Only calculate online interval once when retrieving hosts (#1457)
This makes a major perf difference, as it reduces the O(# of hosts) queries
down to constant.
2017-03-30 08:30:05 -07:00
Victor Vrantchan
a9f5442cd2 use stdlib context in go-kit methods (#1454) 2017-03-29 11:46:52 -04:00
John Murphy
693600ba2b Decorator support (#1430)
* Added migrations

* Added handler for decorators

* Added logging and metrics for decorators

* WIP decorators

* Wip added decorator service

* Added service implementation

* Added mock decorator

* Added modify decorator

* Added testing

* Addressed code review issues raised by @zwass

* Added logging for missing type per @zwass
2017-03-28 16:45:18 -05:00
John Murphy
71e66e6d16 Added code to trim whitespace and trim trailing slash from input server url (#1442) 2017-03-22 14:40:01 -05:00
John Murphy
404afe3e22 Fix issue where config interval can be number or string (#1432)
* Fix issue where config interval can be number or string

* Implemented @groob code review suggestions

* Added type assertions with graceful failure if something slips through validation

* Implemented code review changes per @zwass
2017-03-21 12:02:13 -05:00
Zachary Wasserman
b59cd2b48b Accelerate checkins when hosts enroll (#1423)
Return `accelerate: 10` with distributed queries if we do not have host
details. This facilitates the host quickly joining all expected labels, as
`platform` gated label queries will not be returned until the detail queries
return with the platform.

Fixes #1421.
2017-03-21 09:17:38 -07:00
Zachary Wasserman
da096d7b50 Fix platform detection for CentOS6 (#1415)
On CentOS6 there is a bug in which osquery incorrectly reports an empty string
for platform. This PR fixes our detection of centos in this case.

Fixes #1339
2017-03-15 15:40:18 -07:00
Zachary Wasserman
715d908613 Update go-kit to 0.4.0 (#1411)
Notable refactoring:
- Use stdlib "context" in place of "golang.org/x/net/context"
- Go-kit no longer wraps errors, so we remove the unwrap in transport_error.go
- Use MakeHandler when setting up endpoint tests (fixes test bug caught during
  this refactoring)

Closes #1411.
2017-03-15 08:55:30 -07:00
Zachary Wasserman
cc99f081fd Add a minimum threshold for the expected host checkin interval (#1397)
Adding this minimum helps prevent flapping of the online status.

Closes #1396.
2017-03-13 08:55:10 -07:00
Mike Arpaia
f510691ad0 Fix host status regression from #1334 (#1383) 2017-03-09 11:36:24 -07:00
Mike Arpaia
e4db95d2b5 More sensible online status calculation (#1334)
Improve the mechanism used to calculate whether or not hosts are online.

Previously, hosts were categorized as "online" if they had been seen within the past 30 minutes. To make the "online" status more representative of reality, hosts are marked "online" if the Kolide server has heard from them within two times the lowest polling interval as described by the Kolide-managed osquery configuration. For example, if you've configured osqueryd to check-in with Kolide every 10 seconds, only hosts that Kolide has heard from within the last 20 seconds will be marked "online".
2017-03-07 19:47:51 -07:00
Victor Vrantchan
79f2528419 provide context for ServeFrontend 500 errors (#1349)
Closes #1343
2017-03-03 19:49:55 -05:00
Zachary Wasserman
fa84415c13 Support osquery logger_tls_compress flag (#1346) 2017-03-03 14:43:11 -08:00
Victor Vrantchan
eff7ffa44f rotate osqueryd logs on SIGHUP (#1316)
rotate osqueryd logs on SIGHUP

Closes #1256

Note: Sometimes the test fails to rotate the log on SIGHUP, although
that doesn't appear to be the case with a long running process.
After some discussion and debugging with @zwass we agreed to call
t.Log and come back to this issue at a later time.
2017-03-03 12:21:48 -05:00
Zachary Wasserman
3d6ca7d5a4 Use sockjs to gracefully degrade websockets (#1255)
Use the [SockJS Protocol](https://github.com/sockjs/sockjs-protocol) to handle
bidirectional communication instead of plain websockets. This allows
distributed queries to function in situations in which they previously failed
(Load balancers not supporting websockets, issues with Safari and self-signed
certs, etc.).

Also includes fixes to the JS message handling logic where slightly different
message delivery semantics (when using XHR) were exposing bugs.

Fixes #1241, #1327.
2017-03-01 13:14:26 -08:00
Mike Arpaia
f713c1fc08 Performance improvements for the packs API (#1331) 2017-03-01 12:56:13 -07:00
Zachary Wasserman
879363311c Allow deleted label names to be replaced (#1309)
Fixes #1310
2017-02-24 17:47:30 -08:00
Victor Vrantchan
897cb35e24 Allow checking in to license server when license is saved. (#1299)
* Allow checking in to license server when license is saved.

Closes #1290
Closes #1277
2017-02-24 19:33:42 -05:00
Zachary Wasserman
7564967813 Fix flapping host network interfaces (#1283)
Ensure that host network interfaces do not disappear when they (unexpectedly)
are returned with no updates from osquery. Add test to verify.

Fixes #1278
2017-02-24 14:37:47 -08:00
Zachary Wasserman
0b4b921f17 Re-add default decorators to osquery config (#1269)
These decorators were removed in #953 due to an osquery bug. That bug is now
fixed, and we are adding the decorators back. We also now use `load` decorators
rather than `interval` decorators because they seem to function more reliably.
2017-02-23 12:36:08 -08:00
Zachary Wasserman
44a95e3192 Retrieve correct platform in detail queries (#1265)
Previously we were using `build_platform`, which does not always properly
reflect the platform of the host running osquery. Now we should properly
retrieve the platform.

Fixes #1264
2017-02-21 19:22:34 -08:00
John Murphy
146ee18c62 Fix for bug #1236 (#1244) 2017-02-17 01:02:49 +08:00
John Murphy
f8d9f4095c Bug #1233 (#1242) 2017-02-16 23:01:20 +08:00
John Murphy
c8d284fd3c Email confirmation fix (#1231)
* Email confirmation fix

* Added test for incorrect auth user confirming e-mail change
2017-02-16 21:07:20 +08:00
Mike Arpaia
63f0d21b47 Return a full label response when modifying a label (#1228)
close #1222
2017-02-14 15:28:34 -07:00
Mike Arpaia
a3589892c3 A simpler attempt at using the payload pattern for scheduled queries (#1210) 2017-02-13 14:31:22 -07:00
John Murphy
6dc56ad5f0 Add ability to modify labels (#1202) 2017-02-12 12:27:43 +08:00
Victor Vrantchan
ec1c3b3b94 reverse order of arguments in error message. (#1196)
Fixing bug introduced in #1195
2017-02-09 20:09:06 -05:00
Zachary Wasserman
430a267b57 Send query campaign totals before results (#1193)
Avoids a bug where the frontend shows "x of 0 Hosts Returning y Records" by
ensuring that the expected total is updated before any results are sent.
2017-02-09 16:12:13 -08:00
Victor Vrantchan
cbd5c9d250 add namedError in addition to baseError (#1195) 2017-02-09 17:27:09 -05:00
Victor Vrantchan
5ddf788052 return a licensing error(instead of 500) when the public key does not match. (#1194) 2017-02-09 16:28:06 -05:00
John Murphy
7988076799 Licensed endpoints (#1188) 2017-02-10 02:43:45 +08:00
John Murphy
9359604c13 Added GET licensing endpoint implementation (#1168)
* Added missing endpoint implementation
2017-02-04 00:41:17 +08:00
John Murphy
a1a0c91876 Licensing (#1123) 2017-02-03 04:30:59 +08:00
Mike Arpaia
a000751bfe renaming kolide-ose to kolide (#1143) 2017-02-01 10:20:50 -07:00
Victor Vrantchan
598e70ac55 always generate random enroll secret on setup (#1129)
Updated now that the UI has the ability to manage the enroll secret.
2017-01-30 12:48:43 -05:00
John Murphy
9465434826 Allow user to change email with confirmation (#1102)
* Change email functionality

* Code review changes for @groob

* Name change per @groob

* Code review changes per @marpaia

Also added addition non-happy path tests to satisfy concerns by @groob
2017-01-27 21:35:58 +08:00
Victor Vrantchan
ac95b764eb add host_hostname field to distributed query results row (#1081)
Add a hostname field to every distributed query result row in websocket response. By doing this calculation on the server, we're hoping to improve the rendering on the frontend client, which currently does the same calculation. 
 
Closes #1079
2017-01-23 12:37:03 -05:00
John Murphy
1a567b3f9f Labels response will return json with empty host_id rather than omit (#1078) 2017-01-23 23:37:09 +08:00
Mike Stone
378bf5571b connect new host enrollment (#1072) 2017-01-20 20:16:00 -05:00
Victor Vrantchan
54408ff9e4 move osquery enroll secret to appconfig (#1004)
For #995
2017-01-20 14:48:54 -05:00
Victor Vrantchan
60062834c8 add endpoint to serve the kolide certificate back to the user (#1025)
add endpoint to serve the kolide certificate back to the user

The API will attempt to establish a TLS connection and fetch the certificate from the TLS ConnectionState. 
The PEM encoded certificate will be served to the client in a JSON response as a base64 encoded string. 

Closes #1012
2017-01-20 14:32:10 -05:00
John Murphy
f2e7800f13 Send status message to browser to indicate query is done (#1020)
* Send status message to browser to indicate query is done

* Changed so only "finished" status message is emitted per @marpaia
2017-01-21 02:57:41 +08:00
John Murphy
7e136a018f removing trailing dots from osversion (#1066)
* removing trailing dots from osversion

* removed space from cutlist
2017-01-21 02:18:39 +08:00
Victor Vrantchan
eac718e937 add new status to host summary endpoint (#1057)
new_count shows all hosts that have been added to kolide in the last
24 hours
2017-01-20 08:57:47 -05:00
Victor Vrantchan
5f6f9388cd Account for hosts in labels in the total host count (#1056)
For #1039
2017-01-20 08:57:02 -05:00
John Murphy
28130b529b Addresses detail queries that don't return rows (#1044)
* If a detail query doesn't return results, log problem but don't interrupt additional query processing

* changed arg to ingest func to logger interface
2017-01-20 07:28:33 +08:00
Victor Vrantchan
d45c0103d1 Pack bugs (#1016)
* correctly list packs in response

Using append was adding a default pack response to the list of packs

* handle unique index for packs that exist but are deleted
2017-01-18 14:13:41 -05:00
Victor Vrantchan
fa39dcd555 fix various issues with SMTP configuration (#1001)
* fix various issues with SMTP configuration

* handle SplitHostPort error
2017-01-18 10:05:09 -05:00
Victor Vrantchan
0c93c4db67 fallback to username if Name field is not set (#996)
* fallback to username if Name field is not set

* add orgname field to invite emails
2017-01-17 16:37:00 -05:00
John Murphy
41517aa7d9 Log in user automatically after successful setup (#993)
* Log in user automatically after successful setup

* Handle login failure by omitting token from response
2017-01-18 04:24:13 +08:00
John Murphy
56b8772f13 Modify User (as a regular user) fails #891 (#959) 2017-01-18 00:43:59 +08:00
Victor Vrantchan
6135f90f57 change recordlabelexecutions to use map[uint]bool instead of map[string]bool (#965)
Closes #345
2017-01-17 01:03:51 -05:00
John Murphy
a2fded1b2c Added hosts for each label (#963) 2017-01-17 06:57:05 +08:00
Victor Vrantchan
f74216761a remove binaryFilesystem wrapper from bindata files (#964) 2017-01-16 10:16:50 -05:00
Victor Vrantchan
52a932bc6b Validate password requirements (#962)
Add validation for user password creation/reset
 - at least 7 chars
 - 1 number
 - 1 symbol 

consolidated service errors to a single file.
2017-01-15 18:23:09 -05:00
Victor Vrantchan
3802f3098e remove deprecated errors package (#961) 2017-01-14 15:00:09 -05:00
Mike Arpaia
581000bb64 Revert "Add some basic decorators to the osquery config (#875)" (#953)
This reverts commit 1d029073e5.
2017-01-13 13:21:54 -07:00
John Murphy
6f4dcdd082 Import Config - /config/import #366 (#764) 2017-01-13 12:35:25 -06:00
Victor Vrantchan
36dfad37ea allow osqueryd endpoints to enroll before app setup is complete (#931)
Closes #929
2017-01-11 19:40:58 -05:00
Mike Arpaia
dcfbe1b2d3 Ensure that manually attached hosts get packs (#922)
Previously, when determining which packs a host should get when it checked in, we were iterating each pack and only checking whether or not the host was apart of a label which was a target of the pack, but we were never checking whether or not the host had been added as a specific target of that pack. This PR makes the necessary modification to `svc.ListPacksForHost`.
2017-01-11 15:24:32 -07:00
Mike Arpaia
cf805aa66c Only return hosts which have been explicitly scheduled from packs API (#909)
* Only return hosts which have been explicitly scheduled from packs API

close #903

* better error handling

* documentation
2017-01-11 13:33:30 -07:00
Victor Vrantchan
1551e46fed add middleware to redirect setup to login if the app has an admin (#900)
user.
2017-01-11 14:05:07 -05:00
Zachary Wasserman
671255b105 Fix bug in saving host detail update time (#888)
Saving a new detail update time when the host details were not actually updated
caused detail updates to be missed. This PR fixes the existing test to catch
the bug, and fixes the bug.
2017-01-11 11:48:24 -07:00
Mike Arpaia
c2084026d1 Call MarkHostSeen from authenticate host (#881) 2017-01-11 09:30:13 -07:00
Mike Arpaia
9987983cb9 Simplifying SMTP Logic (#892)
* Simplifying SMTP Logic

This commit breaks the test email sending into it's own service method
(thus removing the capability from the API- if we want it back, we can
wire up another endpoint for just that). Additionally, error wrapping is
used through the new ModifyAppConfig service method to ensure that an
error or failed email will always result in an error while ensuring that
the submitted record always get committed (unless a serious error
happens).

* never wrap a nil error

* use err instead of individual errors
2017-01-11 01:27:09 -07:00
Mike Arpaia
efca0947ec SMTP API changes (#883)
* SMTP API changes

* remove smtp buttons

* remove password from api response

* no fields are required in the patch request
2017-01-10 21:41:58 -07:00
Zachary Wasserman
971eca9b2b Push distributed query errors over results websocket (#878)
As of recently, osquery will report when a distributed query fails. We now
expose errors over the results websocket. When a query errored on the host, the
`error` key in the result will be non-null. Note that osquery currently doesn't
provide any details so the error string will always be "failed". I anticipate
that we will fix this and the string is included for future-proofing.

Successful result:

```
{
  "type": "result",
  "data": {
    "distributed_query_execution_id": 15,
    "host": {
    ... omitted ...
    },
    "rows": [
      {
        "hour": "1"
      }
    ],
    "error": null
  }
}
```
Failed result:

```
{
  "type": "result",
  "data": {
    "distributed_query_execution_id": 14,
    "host": {
    ... omitted ...
    },
    "rows": [
    ],
    "error": "failed"
  }
}
```
2017-01-10 19:34:32 -08:00
Mike Arpaia
2371f58705 Remember to enable SMTP after configuring it (#882) 2017-01-10 19:51:40 -07:00
Mike Arpaia
5eb926c891 Make SMTP configuration work (#877)
* add a js validator that makes smtp server port required

* specifying that the InputField should be a number. this doesn't work, but i think that it should.

* casting the port as an int as a stop-gap fix

* email doesn't already have to be enabled to be enabled

* don't return the smtp password from the API

* show a fake placeholder password if the username is also set

* error type for @groob
2017-01-10 19:00:46 -07:00
Mike Arpaia
1d029073e5 Add some basic decorators to the osquery config (#875)
close #874
2017-01-10 16:02:42 -07:00
Mike Arpaia
84aaec0d71 Fix a few osquery config bugs (#869) 2017-01-10 15:27:52 -07:00
Victor Vrantchan
9789543f8f add mock package and use in invite tests (#603)
* add mock package and use in invite tests

* mock expired invite test
2017-01-10 16:49:14 -05:00
Victor Vrantchan
1ba5559ae3 Fix race condition and remove outdated assertions from test (#850)
Fixes #751
For #760
Race conditions were caused by running the test in parallel.

Also remove assertions which were no longer true. The RequestPasswordReset
method was refactored in #725, but because of the racy test, the assertions
which should've failed did not.
2017-01-10 16:41:50 -05:00
Zachary Wasserman
72dd667421 Fix result log struct to support snapshot logs (#866)
Snapshot logs have a different schema, and are now (un)serialized correctly.

Fixes #841
2017-01-10 12:54:35 -08:00
Mike Arpaia
ee3940e163 Adding the display_text attribute to the hosts API (#842)
* initial scaffolding of a hostResponseForHost helper to consistently get all required values when returning hosts via the api

* Using the hostname as the display text

* remove err: nil

* groob comments

* pre-allocating the hostResponses slice
2017-01-09 22:05:18 -07:00
Zachary Wasserman
60428e01c4 Fix required password reset flow (#833)
Permissions errors were preventing users from completing this flow

- Add separate endpoint for performing required password reset
- Rewrite frontend reset to use this endpoint

Fixes #792
2017-01-09 21:42:50 -07:00
Victor Vrantchan
71def50756 add missing logs to kolide service (#843)
Add logging middleware for more of the kolide Service interfaces. 
This PR was created through code generation, however it's not likely that the logging middleware can all be continuously regenerated - we're likely to want to add method specific key/values to individual methods. Moving forward, logging middleware should be maintained when changes are made to a service interface method.
2017-01-09 23:40:21 -05:00
Mike Arpaia
92f755e0af index into pre-allocated array (#844) 2017-01-09 21:30:51 -07:00
Mike Arpaia
a047ef2211 Quick contexts additions (#739)
* Defining a concrete type for session tokens

* More rightish vc.IsLoggedIn()

* using type conversion instead of a method call

* include sessions in test viewer contexts
2017-01-09 08:10:02 -07:00
Zachary Wasserman
77e4f3d936 Refactor require password reset into separate endpoint (#725)
- Remove require password reset from ModifyUser and
  RequestPasswordReset methods, and UserPayload struct
- Add new RequirePasswordReset method
- Refactor JS for new separate method
2017-01-06 14:38:39 -08:00
Mike Arpaia
23c86f6c12 Ensure author name and packs are set in NewQuery response (#774) 2017-01-05 18:48:56 -07:00
Zachary Wasserman
35806f1442 Separate tables from data migrations (#745)
This PR separates the table migrations from the data population migrations. Table migrations run before data migrations.

Now, we have the ability to create the database tables without populating them with data. This can be useful for running "unit" tests against a MySQL store that doesn't have any pre-populated data. When performing real migrations, or for more "integration" style testing, the data migrations can also be executed.

Note there are some special cases that must be observed with these migrations, and the README is updated to reflect those.
2017-01-05 09:27:56 -08:00
Mike Arpaia
704ddd424b Host summary endpoint (#742)
* Initial scaffolding of the host summary endpoint

* inmem datastore implementation of GenerateHostStatusStatistics

* HostSummary docstring

* changing the url of the host summary endpoint

* datastore tests for GenerateHostStatusStatistics

* MySQL datastore implementation of GenerateHostStatusStatistics

* <= and >= to catch exact time edge case

* removing clock interface method

* lowercase error wraps

* removin superfluous whitespace

* use updated_at

* adding a seen_at column to the hosts table

* moving the update of seen_time to the caller

* using db.Get instead of db.Select
2017-01-04 14:16:17 -07:00
Victor Vrantchan
046f75295e consolidate delete operations in mysql store (#746)
Adds a helper method which soft deletes entities from the database.
2017-01-04 13:18:21 -05:00
Mike Arpaia
0122f6cb0a Add host_ids and label_ids fields to the packs API (#737)
This PR adds the `host_ids` and `label_ids` field to the packs HTTP API so that one can operate on the hosts/labels which a pack is scheduled to be executed on. This replaces (and deletes) the `/api/v1/kolide/packs/123/labels/456` API in favor of `PATCH /api/v1/packs/123` and specifying the `label_ids` field. This also allows for bulk operations.

Consider the following API examples:

## Creating a pack with a known set of hosts and labels

The key addition is the `host_ids` and `label_ids` field in both the request and the response.

### Request

```
POST /api/v1/kolide/packs
```

```json
{
	"name": "My new pack",
	"description": "The newest of the packs",
	"host_ids": [1, 2, 3],
	"label_ids": [1, 3, 5]
}
```

### Response

```json
{
	"pack": {
		"id": 123,
		"name": "My new pack",
		"description": "The newest of the packs",
		"platform": "",
		"created_by": 1,
		"disabled": false,
		"query_count": 0,
		"total_hosts_count": 5,
		"host_ids": [1, 2, 3],
		"label_ids": [1, 3, 5]
	}
}
```

## Modifying the hosts and/or labels that a pack is scheduled to execute on

### Request

```
PATCH /api/v1/kolide/packs/123
```

```json
{
	"host_ids": [1, 2, 3, 4, 5],
	"label_ids": [1, 3, 5, 7]
}
```

### Response

```json
{
	"pack": {
		"id": 123,
		"name": "My new pack",
		"description": "The newest of the packs",
		"platform": "",
		"created_by": 1,
		"disabled": false,
		"query_count": 0,
		"total_hosts_count": 5,
		"host_ids": [1, 2, 3, 4, 5],
		"label_ids": [1, 3, 5, 7]
	}
}
```

close #633
2017-01-03 10:32:06 -07:00
John Murphy
d1ef37b92c Osquery Options - /config/osquery-options #365 (#729) 2016-12-31 11:56:54 -06:00
Mike Arpaia
9a146c5f92 Renaming targets_count to be more clear (#733) 2016-12-30 12:30:34 -07:00
Mike Arpaia
e9aa5bcc8c Return query_count and targets_count in all pack responses (#731) 2016-12-30 12:06:54 -07:00
Victor Vrantchan
154200db8a Add endpoint to retrieve an invite with the invite token. (#719)
Closes #579
2016-12-29 20:58:12 -05:00
Victor Vrantchan
6cb1026d86 always return errors to the client as a map slice (#724)
keep the format for error returns consistent by always returning a
[]map[string]string for json errors. This simplifies the error handling
on the frontend.

Use "name":"base" as the name field for errors which do not have
a specific or known form field.
2016-12-29 19:40:12 -05:00
Victor Vrantchan
a13042e11b Redirect frontend routes to setup if setup is not configured. (#721)
Closes #617
2016-12-29 18:36:36 -05:00
John Murphy
eec835a07a Osquery options 365 (#657) 2016-12-29 12:32:28 -06:00
Victor Vrantchan
52580ff872 Add invite email template and use the new invite mailer pattern (#711)
Closes #693
Closes #581
2016-12-28 11:55:03 -05:00
Zachary Wasserman
39ebd81dc5 Close orphaned distributed query campaign after failed publish attempt (#707)
A distributed query campaign can be "orphaned" (left in the QueryRunning state)
if the Kolide server restarts while it is running, or other weirdness occurs.
When this happens, no subscribers are waiting to read results written by
osqueryd agents, but the agents continue to receive the query. Previously, this
would cause us to error on ingestion.

The new behavior will instead set the campaign to completed when it detects
that it is orphaned. This should prevent sending queries for which there is no
subscriber.

- New NoSubscriber error interface in pubsub
- Detect NoSubscriber errors and close campaigns
- Tests on pubsub and service methods

Fixes #695
2016-12-27 10:35:19 -05:00
Victor Vrantchan
f092c614cf add error logging to distributed query campaign handler (#694) 2016-12-22 20:31:45 -05:00
Zachary Wasserman
2c7fc2a6f2 Minor refactoring in HostStatus function (#692)
- Refactor function
- Add test
2016-12-22 13:32:40 -08:00
Victor Vrantchan
3658e4833e add prometheus metrics to every http endpoint in the app (#680)
tracking the following metrics:

http_request_duration_microseconds
http_request_size_bytes
http_response_size_bytes
http_requests_total
2016-12-22 12:39:44 -05:00
Victor Vrantchan
e7e57ddbc0 prevent password reuse when changing passwords (#678)
For #375
Closes #448
2016-12-22 12:08:29 -05:00
John Murphy
d653cdf281 Minor App Config API tweaks requested by @mikestone14 (#681)
* Minor App Config API tweaks requested by @mikestone14

* Refactored mail test into separate method, implemented code review changes
2016-12-22 08:12:34 -06:00
Victor Vrantchan
8ef11f51bf create user from invite: set admin property from invite. (#675)
Closes #589
2016-12-21 12:34:10 -05:00
John Murphy
62748bfbb1 App Settings - /admin/settings #363 (#590) 2016-12-20 15:54:30 -06:00
Victor Vrantchan
41610c1f66 catch sql.ErrNoRows in mysql/invites (#667) 2016-12-20 16:31:09 -05:00
Victor Vrantchan
9d49dbc465 change the implementation of ErrNotFound and AlreadyExists to a struct type (#665)
with an exposed interface.

Not checking for a specific sentinel error reduces coupling between packages
and allows adding context like the resource ID and resource type.
2016-12-20 13:35:22 -05:00
Zachary Wasserman
41120ebc00 Improve user endpoint validations (#642)
- Add empty string checks for NewUser
- Create validations for ModifyUser
- Use GravatarURL when creating new user

Fixes #620
2016-12-15 09:28:53 -08:00
Mike Arpaia
1ada011f37 Remove existing bulk functionality (#641) 2016-12-14 17:22:17 -08:00
Zachary Wasserman
0e783e7887 Add change password endpoint (#628) 2016-12-14 10:11:43 -08:00
Mike Arpaia
bed279b919 Remove "selected" keyword from response (#635) 2016-12-13 15:59:59 -08:00
Mike Arpaia
f109b14f9d Moving query attributes from the query object to the pack-query relationship (#559)
* Moving query attributes from the query object to the pack-query relationship

* some additional tests

* http request parsing test

* QueryOptions in new test_util code

* initial scaffolding of new request structures

* service and datastore

* test outline

* l2 merge conflict scrub

* service tests for scheduled query service

* service and datastore tests

* most endpoints and transports

* order of values are not deterministic with inmem

* transport tests

* rename PackQuery to ScheduledQuery

* removing existing implementation of adding queries to packs

* accounting for the new argument to NewQuery

* fix alignment in sql query

* removing underscore

* add removed to the datastore

* removed differential from the schema
2016-12-13 14:22:05 -08:00
Zachary Wasserman
556cbf43bd Use canPerformActions authZ check appropriately in handlers (#625)
Fixes #282
2016-12-13 08:57:49 -08:00
Zachary Wasserman
0c62bda2f1 Fix session expiration logic with password reset (#619)
- Only expire sessions at reset request time when admin forces reset
- Expire sessions when reset completed

Prior to this, there was a possible DoS vector in which an attacker could
prevent a user from taking actions in the app by constantly requesting password
resets and expiring all the user's active sessions.

Fixes #612
2016-12-12 09:24:51 -08:00
Zachary Wasserman
b362682d90 Add service method for bulk deleting queries (#600)
- New datastore method for bulk deletion
- New service method calling this datastore method
- Endpoint, transport and handler connections for service method

Closes #389
2016-12-09 09:12:45 -08:00
Zachary Wasserman
d9190020fe Record author information with queries (#578) 2016-12-07 12:22:31 -08:00
Victor Vrantchan
6d9ad56e6d use validation error for expired invite tokens. (#587)
Closes #586
2016-12-07 11:25:48 -05:00
Victor Vrantchan
62a5e65c2e use random string instead of JWT for tokens. (#584)
uses a random URL encoded base64 string as the token for password reset
and invites.
2016-12-07 10:42:58 -05:00
John Murphy
7812b2f3bd Fixes host detail updates with MySQL backend (#568) 2016-12-07 03:51:11 +08:00
Zachary Wasserman
bc6109fb56 Fixes for saved queries (#576)
- Only saved queries should be returned by ListQueries
- Bugfixes

Addresses #388
2016-12-06 10:16:04 -08:00
John Murphy
e6b1ed9ade Added MIA status for hosts that haven't been updated for 30 days (#570) 2016-12-07 01:37:22 +08:00
Victor Vrantchan
b1bca7c98c enbable API route after setup is complete (#564)
Fixes #563
2016-12-02 13:46:31 -05:00
Zachary Wasserman
b901c4c0d3 Update models/service method for saving queries (#553)
- Add saved state to query (to differentiate queries explicitly saved from
  those just run as distributed queries)
- Remove unique constraint on query name

Closes #390
2016-12-01 13:21:27 -08:00
Zachary Wasserman
e1db2d4c27 Add cleanup method for distributed queries and metadata (#547)
- New datastore method for expiring queries and deleting metadata
- Start goroutine in serve to run this method on an hourly interval

Closes #392
2016-12-01 10:31:16 -08:00
John Murphy
f66904f240 Host details 405 (#535) 2016-12-02 01:00:00 +08:00
Zachary Wasserman
ed3c696c6e Refactor campaign methods into separate file (#540) 2016-11-29 10:20:06 -08:00
John Murphy
44ef92550f Added built in labels (#526) 2016-11-26 02:08:22 +08:00
Zachary Wasserman
0b612eedab Push query results and metadata over websocket connection (#519)
- New route `/api/v1/kolide/results/{id}` with upgrade to websocket connection
- Query results pushed over websocket as they are received from pubsub
- Target totals updates pushed over websocket every second
- New datastore method to support retrieiving target totals
- Websocket package includes helpers and patterns for communicating over websockets
2016-11-22 16:35:43 -08:00
Mike Arpaia
a036c5da9f Add attributes to packs (#524)
* Adds created_by attribute to packs

This PR also updated the distributed query code to use the pattern
established here (service checks context)

* add enable/disable state to packs

* add query_count to packs API responses

* add host_count to packs API responses (very, very poorly)

* pack description should not be required

* counting hosts in packs via mysql

* removing extraneous newline in test

* Switch case instead of if/if else

* add description to update query for SavePack method

* change AND to WHERE in query as per @zwass

* add ordering and list options as per @murphybytes' suggestion
2016-11-22 13:56:05 -08:00
Mike Arpaia
a8a7be7f20 Packs pages (#426)
* initial scaffolding

* pack info sidebar

* fixing the merge of the routes

* Remove radium from pack info sidepanel

* lint

* cards!

* redux entity config

* pack interface

* wiring up redux with fake dev data

* Add description attribute to packs

* move redux to top level page component to isolate data fetching

* initial scaffolding of all packs table

* adding redux entities back

* minimal

* alpha order in packs.js

* no newlines in HTML

* onclick handler to function on component class

* alpha order in router

* alpha order in paths.js

* no newline in side panel

* removing input field

* lint fixes
2016-11-21 11:49:36 -08:00
Zachary Wasserman
3cd841051b Add online count to target/label responses (#513)
Closes #508
2016-11-18 09:23:44 -08:00
Zachary Wasserman
34625ce4d0 Add service method/endpoint for creating distributed query campaign (#485) 2016-11-16 13:07:50 -08:00
John Murphy
6a825c11e3 Datastore refactor (#439)
Removed Gorm, replaced it with Sqlx

* Added SQL bundling command to Makfile

* Using go-kit logger

* Added soft delete capability

* Changed SearchLabel to accept a variadic param for optional omit list
instead of array

* Gorm removed

* Refactor table structures to use CURRENT_TIMESTAMP mysql function

* Moved Inmem datastore into it's own package

* Updated README

* Implemented code review suggestions from @zwass

* Removed reference to Gorm from glide.yaml
2016-11-16 21:47:49 +08:00
Mike Arpaia
752710ccf1 Return count of hosts in targets search for each label (#480) 2016-11-14 12:10:28 -08:00
Zachary Wasserman
9c38d6d19e Update osquery service methods for distributed queries (#476) 2016-11-14 10:22:54 -08:00
Zachary Wasserman
5d8a42a959 Fix page in RequireSetup check (#465)
The previous value would require setup unless there were at least 2 users. Now
one user is sufficient to proceed past setup.
2016-11-09 16:35:49 -08:00
Victor Vrantchan
ac14215e21 create first time setup endpoint (#436)
The endpoint is only active if there are no users in the datastore.
While the endpoint is active, it also disables all the other API endpoints, and /config returns `{"require_setup":true}`
for #378
2016-11-09 12:19:07 -05:00
Zachary Wasserman
675c40ea15 Cleanup in service_users_test (#460)
- Use subtests where appropriate
- Attempt to fix #445
2016-11-09 08:52:25 -08:00