Commit Graph

1039 Commits

Author SHA1 Message Date
RachelElysia
e1513086f6
Backend (ListHostsInLabels): Surface used by data when filtering hosts by labels (#14050) 2023-09-22 15:56:44 -04:00
Lucas Manuel Rodriguez
4bdef5dbe9
Add labels to the fleetd extensions feature (#14008)
#13287

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes (docs/Using
Fleet/manage-access.md)~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-09-22 11:09:09 -03:00
Lucas Manuel Rodriguez
eb8349567c
Fix performance regressions in hosts APIs (#14036)
#13926 

I re-added the old queries back and we are now using them when not using
pagination or if the page size is larger than 100 (UI always uses
per_page=50)

TODO: We need to run actual load tests with high number of hosts (50k
hosts with 140 policies each)

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- ~[ ] Documented any permissions changes (docs/Using
Fleet/manage-access.md)~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-09-22 05:19:02 -03:00
Tim Lee
338c64d78b
Add version_resolved_in to software API (#13939) 2023-09-18 16:53:32 -06:00
gillespi314
f0e87737a7
Add client_error column to host_disk_encryption_keys table (#13952) 2023-09-18 10:14:24 -05:00
Jacob Shandling
e2aa0b28c7
Add server validation for query Platform field (#13923) 2023-09-15 13:20:39 -07:00
Tim Lee
5bc6d30aa8
Add Description text to CVE Metadata (#13856) 2023-09-15 11:24:10 -06:00
Roberto Dip
ea6b59f179
upgrade Go version to 1.21.1 (#13877)
For #13715, this:

- Upgrades the Go version to `1.21.1`, infrastructure changes are
addressed separately at https://github.com/fleetdm/fleet/pull/13878
- Upgrades the linter version, as the current version doesn't work well
after the Go upgrade
- Fixes new linting errors (we now get errors for memory aliasing in
loops! 🎉 )

After this is merged people will need to:

1. Update their Go version. I use `gvm` and I did it like:

```
$ gvm install go1.21.1
$ gvm use go1.21.1 --default
```

2. Update the local version of `golangci-lint`:

```
$ go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.54.2
```

3. (optional) depending on your setup, you might need to re-install some
packages, for example:

```
# goimports to automatically import libraries
$  go install golang.org/x/tools/cmd/goimports@latest

# gopls for the language server
$ go install golang.org/x/tools/gopls@latest

# etc...
```
2023-09-13 15:59:35 -03:00
gillespi314
5935c0bb48
Add retries to MDM profile verification (#13811) 2023-09-12 09:59:47 -05:00
Martin Angers
7b0a0fbe5e
DB migrations for saved scripts (#13765) 2023-09-11 11:54:34 -04:00
Lucas Manuel Rodriguez
8bf46f16a5
Fix software ingestion when fields are larger than supported (#13741)
Should fix the issue reported in #12230. For Wireshark, osquery was
reporting a `vendor` value larger than what we allowed storing in the
`vendor` column (32 bytes). But recently we enlarged the `vendor` column
to fit `114` chars. The direct software ingestion routine was inserting
a new software entry every time because the incoming software vendor was
different to what Fleet had stored in the previous ingestion (`vendor`
column trimmed from `The Wireshark developer community,
https://www.wireshark.org/` to `The Wireshark developer communit`).

I've now made sure that all fields are trimmed as soon as they are
received by osquery thus not triggering any re-inserts when any field is
larger than what Fleet supports.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes (docs/Using
Fleet/manage-access.md)~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-09-06 17:32:11 -03:00
gillespi314
37fb4b0dab
Add fleetctl run-script command (#13622) 2023-09-05 14:14:09 -05:00
Lucas Manuel Rodriguez
03caba2030
Fix queries stats ingestion (Performance impact) (#13432)
#13318

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [x] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-09-01 15:14:49 -03:00
Martin Angers
cbc3f32e9d
Adjust response payload, messages and validations for /scripts/run/* endpoints. (#13607) 2023-08-31 09:08:50 -05:00
Lucas Manuel Rodriguez
9142c5de79
Prevent thundering herd when applying large number of policies on large number of hosts (#13552)
#13527

(Adding @mna to double check the changes in the async implementation of
policy result storage)

This PR also adds the osquery-perf changes needed to define the count of
macOS and Windows hosts.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes (docs/Using
Fleet/manage-access.md)~
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~

Test with 80k hosts: 70k simulated macOS, 10k simulated Windows.
Apply Windows policies first, then apply macOS policies:
```
fleetctl apply -f ee/cis/win-10/cis-policy-queries.yml

# Leave running for some time

fleetctl apply -f ee/cis/macos-13/cis-policy-queries.yml
```

After applying CIS policies previous to these changes:
![Screenshot 2023-08-23 at 11 36
18](https://github.com/fleetdm/fleet/assets/2073526/72c1dc7d-e601-4248-be35-93c85b749f5d)

After applying these changes and applying the same policies:
![Screenshot 2023-08-28 at 15 42
57](https://github.com/fleetdm/fleet/assets/2073526/6b6d76b8-6acb-4893-a913-bf603a68f1a4)
2023-08-31 10:58:50 -03:00
Tim Lee
222b8f9f5c
paginate the policies API (#13459) 2023-08-30 16:30:17 -06:00
Martin Angers
090b142c49
Implement script execution on the fleetd agent (disabled by default) (#13569) 2023-08-30 14:02:44 -04:00
Martin Angers
edf4a4d02f
Add script execution simulation to osquery-perf in preparation for load testing (part 3 of ticket) (#13456) 2023-08-23 18:31:47 -04:00
Roberto Dip
d5c7e7eb51
store email used for authentication during MDM SSO (#13480)
related to #13431, this stores the email during SSO auth. Still left to
figure out how to link this email to an specific host.
2023-08-23 18:23:26 -03:00
Tim Lee
29e48f402a
Hotfix: add empty host slice validation in ListHosts (#13483) 2023-08-23 13:57:18 -06:00
Tim Lee
74ccff8161
13433 host query optimization (#13451) 2023-08-23 10:34:55 -06:00
Martin Angers
de32faefdb
Add /scripts/run and scripts/run/sync API endpoints to run scripts (part 1) (#13417) 2023-08-21 14:47:19 -04:00
Tim Lee
3b61adf7a4
Add validation for policy specs (#13294) 2023-08-21 10:22:07 -06:00
gillespi314
e08bb000c9
Update nanomdm dependency (#12721)
Updates include:
- Fix issues where `GetBootstrapToken` returned `500` instead of no data
and no error per Apple MDM
[documentation](https://developer.apple.com/documentation/devicemanagement/get_bootstrap_token)
- Incorporate additional updates from the upstream nanomdm repo
2023-08-21 11:07:57 -03:00
gillespi314
d140a57355
Allow failed profiles to become verified if subsequently reported by osquery (#13343) 2023-08-18 12:34:13 -03:00
Roberto Dip
902e064d04
fix issues with migration flow (#13297)
For #13094
2023-08-14 09:56:59 -03:00
Roberto Dip
d845720c2d
fix: ensure we assign ABM profiles for modified hosts (#13275)
for #12958 and #13110
2023-08-10 19:51:17 -03:00
gillespi314
9ae3aa8036
Update MDM profile verification (#13138) 2023-08-07 09:46:03 -05:00
gillespi314
5b27581fdc
Configure bootstrap package and end user auth for newly created teams in MDM pre-assignment flow (#13089) 2023-08-07 09:43:39 -05:00
Roberto Dip
29b9a7fe88
account for NULL values in scheduled_query columns in data migration (#13142)
Prior to 4.35.0, some rows in the scheduled_query table might have a
`NULL` value due to a race condition with database replicas and the way
`ds.EnsureGlobalPack` and `ApplyPackSpecs` work together.

This is no longer the case, but some databases are left in weird states,
which were not accounted by this migration.

Chaning the migration in-place because that's the approach we took in
previous migrations with similar problems.
2023-08-04 09:24:36 -07:00
Jacob Shandling
3bf0344396 Merge branch 'main' into 7765-combined-schedules-and-queries 2023-07-28 13:21:04 -07:00
Jacob Shandling
1cf532dfbb
UI - Fix a synchronicity issue in automations API patches (#13035)
## Addresses #13007 

## Fix a synchronicity issue in automations API patches
<img width="825" alt="Screenshot 2023-07-28 at 12 49 21 PM"
src="https://github.com/fleetdm/fleet/assets/61553566/9729dcd0-4813-452a-9911-6cf60f8352af">

- [x] Manual QA for all new/changed functionality

---------

Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2023-07-28 13:01:50 -07:00
Juan Fernandez
40e8f83829
Always use writer node when listing queries. (#13024)
Always use writer node when listing queries.
2023-07-28 12:41:05 -04:00
Martin Angers
6f77911ffe
Fix performance regression found in load testing (#12981) 2023-07-26 17:13:27 -04:00
Lucas Manuel Rodriguez
2afbd24021
Combine Schedules and Queries: API changes (#12778)
Combining schedules and queries API changes.
2023-07-24 20:17:20 -04:00
Juan Fernandez
a265559ee7
Combined schedules and queries data migration (#12855)
Added data migration for migrating scheduled queries in the global and team packs to the new query structure.
2023-07-24 19:59:34 -04:00
Roberto Dip
ec33f9e66f
account for possible NULL values in profile description (#12937)
in previous releases we weren't setting the value of description in some
of our `INSERT ON DUPLICATE KEY UPDATE` clauses, which caused some
queries to fail.

we could additionally add a migration to set all NULL values to '' and
make the column non-nullable, but as a first step I'm fixing this at the
application logic level.

related to: https://github.com/fleetdm/fleet/issues/12923

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2023-07-24 16:48:47 -03:00
Juan Fernandez
a3a28a0ec6
Bump migration, regen test schema 2023-07-21 13:57:22 -04:00
Juan Fernandez
6b664a2a82
Merge branch 'main' into 7765-combined-schedules-and-queries 2023-07-21 13:53:13 -04:00
Roberto Dip
ee461bac2e
optimizations to profile delivery (#12808)
for #12481
2023-07-20 18:11:45 -03:00
Juan Fernandez
b0c1dba44c
Updated cache strategy on queries used in GetClientConfig (#12815)
1. Cached results of `svc.ds.Team`
2. Cached results of `svc.ds.ListQueries` too for scheduled queries
only.
3. Do not load aggregated stats on `svc.ds.ListQueries` insde
`GetClientConfig`
2023-07-20 09:06:43 -03:00
gillespi314
b8ab1fb183
Update ingestion of host detail queries for MDM so hosts that report empty results are counted as "Off" (#12700) 2023-07-19 12:38:42 -05:00
Marcos Oviedo
f429c6db49
12613 Azure AD JWT Auth token support (#12817)
This PR adds support to parse Azure JWT tokens, and it also adds the STS
endpoint ([Section
3.2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/27ed8c2c-0140-41ce-b2fa-c3d1a793ab4a)
on the MS-MDE2 spec)

This relates to #12614 and #12613 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
2023-07-19 13:30:24 -03:00
Juan Fernandez
8d55966553
Updated osquery/config endpoint to include scheduled queries (#12723)
Updated GetClientConfig API endpoint
2023-07-14 13:37:09 -04:00
Roberto Dip
e8070e0bd8
properly report changed profiles in the Puppet module (#12719)
For #12480
2023-07-14 12:53:03 -03:00
Gabriel Hernandez
9aa7c0c714
add dark and light background logo colors and show them on mdm migrat… (#12681) 2023-07-13 19:35:25 +01:00
Juan Fernandez
bfe6a5c3ad
Invalid policies should be ignored in the desktop endpoint (#12523)
Updated the `/desktop` endpoint to ignore invalid policies
2023-07-13 14:13:36 -04:00
Roberto Dip
eb75e303ec
change how team assignment works for the Puppet module (#12566)
For #12532, all details of how this works/why is done are in the issue
description.
2023-07-13 15:00:45 -03:00
Juan Fernandez
15f955350a
Add missing comment 2023-07-13 13:46:09 -04:00
Juan Fernandez
271956158c
Check if error is not nil 2023-07-13 13:10:09 -04:00
Roberto Dip
666ae8d787
ensure ds.TeamByName returns a 4xx response if no team is found (#12620)
this helps consumer of the datastore method handle the not found
scenario better and ensures we always return a 4xx code by default if we
can't find a matching team.

seems like calls to this method were special-cased everywhere except in
the apply user roles endpoint, where we returned a `500` status code if
we couldn't find a team.
2023-07-13 11:55:05 -03:00
Roberto Dip
53f0e281bf
set DeferForceAtUserLoginMaxBypassAttempts in FV profile (#12729)
Related to #12608, this automatically sets the
`DeferForceAtUserLoginMaxBypassAttempts` property to `1` on the
FileVault profile that's generated by Fleet.

This changeset also includes a migration to modify old FileVault
profiles that already exist in the database, and by virtue of that a
`InstallProfile` command will be issued to hosts that already have FV
enabled. During testing we found:

1. This doesn't affect users with FV already installed, they silently
get the profile updated without any changes.
2. Since the profile needs to be re-delivered, it'll go through the full
"pending" -> "verifying" -> "verified" cycle.
2023-07-13 11:54:05 -03:00
Juan Fernandez
2cc7869907
Account for possible replication lag 2023-07-13 08:24:26 -04:00
Juan Fernandez
22a6848bc3
Updated test schema 2023-07-10 16:01:46 -04:00
Juan Fernandez
19d3c29fe0
Allow users to delete queries being used by packs and scheduled_queries 2023-07-10 15:54:30 -04:00
Juan Fernandez
3ede5f8d85
Make team_id_char not null 2023-07-10 14:56:44 -04:00
Juan Fernandez
1151177938
Added missing FK constraint on scheduled_queries 2023-07-10 14:53:00 -04:00
Juan Fernandez
2b8dd65716
Updated default values, updated not null constraints 2023-07-10 13:22:51 -04:00
Juan Fernandez
ae5057f760
Moar refactoring 2023-07-07 09:46:06 -04:00
Juan Fernandez
6a69604c62
Updated factory method for creating queries in tests 2023-07-07 09:05:51 -04:00
Juan Fernandez
dc32ccfac8
Refactored Delete test 2023-07-07 08:54:09 -04:00
Juan Fernandez
8a1ffc97ea
Refactored Apply test 2023-07-07 08:51:51 -04:00
Juan Fernandez
38661ad7b0
Fixed linter error 2023-07-07 08:08:57 -04:00
Juan Fernandez
de9a1540d0
Updated ListQueries method in DB layer 2023-07-07 07:36:09 -04:00
Juan Fernandez
390e0565d0
Updated delete method on the DB layer 2023-07-07 07:31:36 -04:00
Juan Fernandez
807b2e35d3
Updated QueryByName DB access method 2023-07-06 19:37:08 -04:00
Juan Fernandez
d3a78cc736
Updated tests 2023-07-06 18:01:15 -04:00
Juan Fernandez
010eeff91a
Updated DB layer 2023-07-06 17:28:25 -04:00
Juan Fernandez
fcea5a833c
Updated query type 2023-07-06 16:19:28 -04:00
Juan Fernandez
ccb365e81d
Added migration with schema changes 2023-07-06 16:05:21 -04:00
Marcos Oviedo
96449dd47b
Adding support for RequestSecurityToken messages - Windows MDM enroll endpoint (#12555)
This relates to #12263 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] Added/updated tests

---------

Co-authored-by: Roberto Dip <me@roperzh.com>
2023-07-05 10:06:37 -03:00
Roberto Dip
5ddd940cb8
ensure profiles and commands are delivered when MDM is turned on (#12580)
Related to #12482 and #12453, this cleans up Fleet tables that track
profile and bootstrap package status on re-enrollment.
2023-06-30 12:30:49 -03:00
gillespi314
410cbc3972
Add certificate management for Microsoft MDM (WSTEP) (#12543)
Issue #12261

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-06-29 19:31:53 -03:00
gillespi314
8cc7d38300
Mark "verifying" or "verified" MDM profiles as "failed" if osquery cannot confirm they are installed (#12414) 2023-06-21 13:00:49 -05:00
Martin Angers
1c249b60da
Add support to configure and enable Windows MDM, notify elegible hosts (#12340) 2023-06-20 14:06:45 -04:00
Martin Angers
96aec85a0a
Add mechanism to force read from primary DB, use it for puppet matching (#12396) 2023-06-19 13:55:15 -04:00
Martin Angers
68fa60c54d
Add a transferred_hosts activity when hosts are transferred to a new team (#12287) 2023-06-14 08:15:05 -04:00
Roberto Dip
1ad80fa251
bugfixes + adjustments for the puppet module (#12221)
A few minor things going on:

1. Adjusted the Puppet module to send the profiles base64 encoded
2. Enabled FileVault by default on teams created using the `/match`
endpoint.
3. Remove profiles when a team is removed. We can't do a foreign key
because the global team.id is NULL. I also included a migration to
cleanup orphaned profiles.
2023-06-08 18:05:44 -03:00
Martin Angers
de42164c53
Ignore fleet profiles when matching a set of custom profiles to a team (#12209) 2023-06-07 15:43:27 -04:00
Lucas Manuel Rodriguez
2a532ede94
Do not return empty SSO and SMTP settings for non-global-admins (#12180)
#11266

PS: I first attempted a serialization trick by introducing a new
`appConfigResponse` and implementing `json.Marshal` to exclude these
fields but it was too hacky and hard to maintain moving forward, so I'm
bitting the bullet now. Happy to hear other ideas.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-06-07 16:06:36 -03:00
Roberto Dip
6617938393
ensure we send post-enrollment commands if a DEP device is enrolling (#12159)
for #11257, h/t to @mna for the idea of resetting `token_update_tally`.

this is to cover scenarios where a host might be re-enrolling (eg: the
device has been wiped) but we don't know about it.

since `TokenUpdate` might be called multiple times during the lifecycle
of an MDM enrollment, we add a check on the value of
`nano_enrollments.token_update_tally`. For the scenarios described
above, the tally is still `> 0` even thought the host is enrolling for
the first time.

to mitigate this, we reset its value to 0 when we receive an
`Authenticate` message (which only happens only per enrollment)

I set the value to `0` because it's incremented to `current_value+1` by
nanomdm before calling our handler.
2023-06-06 20:18:14 -03:00
Juan Fernandez
801f38b80b
Renamed 'ChromeOS' label to 'chrome' (#12156)
Renamed 'ChromeOS' label to 'chrome'
2023-06-06 15:25:23 -04:00
Martin Angers
f27fcddd55
Prevent clearing macos updates settings when applying/modifying a team without those settings (#12160) 2023-06-06 14:31:33 -04:00
Roberto Dip
3127c9fffd
handle "modified" and "deleted" operation types in DEP sync (#12150)
for #10605, this modifies the cron used to ping the list/sync devices
API from ABM to account for the "deleted" and "modified" operation
types.

We know that:

1. Sometimes, Apple sends a "modified" operation type when a device's
MDM server is reassigned in ABM, up until now, we were ignoring these
devices.
2. Devices that are no longer assigned to Fleet in ABM can't be
migrated.
2023-06-06 15:04:59 -03:00
Juan Fernandez
1eb8bb800e
Bug: spec/labels endpoint should include the id (#12135)
spec/labels endpoint should include the ID prop
2023-06-06 09:11:03 -04:00
Martin Angers
9f064acd2e
Match pre-assigned profiles to a team (or create one) and assign host to team (#12127) 2023-06-05 15:08:21 -04:00
gillespi314
372c77ff23
Add backend for verified MDM profiles (#12078) 2023-06-05 12:05:28 -05:00
Martin Angers
48774876ea
Move post-DEP-enrollment processing to a worker job (#12017) 2023-06-05 11:58:23 -04:00
Roberto Dip
3fa809e167
strip query strings from MDM server_url during ingestion (#12107)
for #12106
2023-06-05 12:53:36 -03:00
Martin Angers
4322a28f5a
Implement preassign endpoint as first step to match profiles and hosts to teams (#12046) 2023-05-31 09:24:22 -04:00
gillespi314
e2243d24bf
Insert "verified" to mdm_apple_delivery_status table (#12033) 2023-05-30 14:11:42 -05:00
Juan Fernandez
de7377e54f
ChromeOS support for Fleet dashboard (#11953)
- Added built-in label for ChromeOS
- Ingest os_version info from ChromeOS hosts.
2023-05-26 14:32:01 -04:00
Juan Fernandez
2d5477266a
Feature 10566: Optimize query used for listing activities (#11708)
- Added index on `created_at` which is the sort key used when loading the log activities widget on the dashboard.
- Refactored query used when loading activities to avoid a full table scan.
2023-05-25 15:50:36 -04:00
Juan Fernandez
2249d171bc
Return DB results even if nothing has changed (#11936) 2023-05-24 14:05:45 -05:00
gillespi314
259d4fa1ac
Track host DEP assignments in new table (#11875) 2023-05-23 13:01:04 -05:00
Roberto Dip
8e532a5e76
pre-populate username/fullname during account creation (#11557)
Related to #10744, this pre-populates and disables the username/fullname
fields.

https://user-images.githubusercontent.com/4419992/236854781-ac67ee28-c19c-4130-a5e6-2872220501b5.mov


# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2023-05-18 12:50:00 -03:00
Benjamin Edwards
f2ffb88cc3
wildcard host search support (#11303)
relates to #9996 

Added support for wildcard search on host search.

say for example you have the following hosts:

```
+------------------+
|hostname          |
+------------------+
|Molly‘s MacbookPro|
|Molly's MacbookPro|
|Molly‘s MacbookPro|
|Molly❛s MacbookPro|
|Molly❜s MacbookPro|
|Alex's MacbookPro |
+------------------+
```

searching for `Molly's` yields just the single host, but searching for
`Molly❜s` will perform a broader wildcard search using the literal `_`
character to match any character _in that position_.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Added/updated tests
2023-05-18 10:01:57 -04:00
Juan Fernandez
009a87d33e
Feature 10196: Add filepath to end-points and third party integrations (#11285)
Adds the software installed path property to the proper end-points and third party integrations (webhook, Zendesk and Jira).
2023-05-17 16:53:15 -04:00
Martin Angers
3f9eccc7f8
Refetch host mdm enrollment status until unenrolled (#11740) 2023-05-17 15:52:45 -04:00
Juan Fernandez
7f83135aa1
Feature: Store installed file path when ingesting software (#11214)
Store software installed paths into the host_software_installed_paths table when ingesting osquery software data.
2023-05-17 14:49:09 -04:00
Martin Angers
e3a4e5fa0c
Add support for profile UUIDs per team/no-team for the default profile (#11717) 2023-05-17 09:06:14 -04:00
Martin Angers
043606895c
Add new error message to detect as non-cluster redis (#11719) 2023-05-16 14:24:38 -04:00
Roberto Dip
4dd127d577
base logic to show/hide the new Migrate to Fleet FD menu (#11679)
Related to #11670
2023-05-15 17:00:52 -03:00
Martin Angers
7b1b392627
Implement worker jobs that update/re-assign setup assistants on changes (#11630) 2023-05-15 14:06:09 -04:00
gillespi314
ceeb4c1ed5
Add mdm.macos_migration to app config endpoints (#11694) 2023-05-15 11:50:07 -05:00
gillespi314
a9584dc32f
Allow end user authentication during automatic MDM enrollment to be enabled on a per-team basis (#11566) 2023-05-10 15:22:08 -05:00
Roberto Dip
e635eb19fd
use writer for database reads on TokenUpdate (#11605)
Related to #11604
2023-05-10 09:40:11 -03:00
Martin Angers
70f18dda4a
Apply custom setup assistants (if present) when ingesting new devices (#11563) 2023-05-09 13:00:18 -04:00
Martin Angers
b3993ebda4
Allow "not_before" timestamp for worker jobs, schedule more quickly (#11512) 2023-05-03 16:25:36 -04:00
Roberto Dip
11356b2f15
add CRUD for EULA (#11274)
https://github.com/fleetdm/fleet/issues/10741
2023-05-02 10:09:33 -03:00
Roberto Dip
5544b2c579
account for pending hosts in bootstrap package filters (#11417)
https://github.com/fleetdm/fleet/issues/11395
2023-04-28 16:37:56 -03:00
Gabriel Hernandez
bd9176d67e
UI for bootstrap package flows (#11288)
relates to #10935

This is the UI for all the flows around adding, removing, downloading,
and viewing information about a bootstrap package for fleet mdm. This is
pretty comprehensive but includes:

### Backend

**Update `Get host/id`** to include bootstrap package name

```json
{
  "macos_setup": {
    ...
    "bootstrap_package_name": "test.pkg"
  }
}
```

### Frontend

**UI for ABM not being set up**:


![image](https://user-images.githubusercontent.com/1153709/234018772-3221e27b-50a4-454e-8e9f-b62c9d349010.png)

**UIs for uploading, downloading, and deleting bootstrap package**:


![image](https://user-images.githubusercontent.com/1153709/234017915-871f252f-bf80-4282-9acf-5ebea12c6efa.png)


![image](https://user-images.githubusercontent.com/1153709/234018029-322a5f30-dd22-44e3-b9ae-a4af7acb68b4.png)


![image](https://user-images.githubusercontent.com/1153709/234018163-4b84a2ce-a064-4952-a63d-0c8307391052.png)

**UIs for seeing bootstrap status aggregate data**


![image](https://user-images.githubusercontent.com/1153709/234018107-455d63ab-5b2c-4727-ad20-eef6b269c336.png)

**UIs for filtering hosts by bootstrap status**


![image](https://user-images.githubusercontent.com/1153709/234018334-170fe93a-700e-48eb-b198-2a1cc54d31a7.png)

**UIs for seeing package status on host details and my device page**:


![image](https://user-images.githubusercontent.com/1153709/234018488-7b515db4-1248-4be7-8de3-9b74bb5d4795.png)


![image](https://user-images.githubusercontent.com/1153709/234018525-d653cb2d-9ef9-437e-8eba-141e557f4f39.png)

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality

---------

Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2023-04-27 16:10:41 +01:00
Roberto Dip
a23d208b1d
gate DEP enrollment behind SSO when configured (#11309)
#10739

Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-04-27 09:43:20 -03:00
gillespi314
003e208e4d
Update CLI flow to manage adding and deleting MDM bootstrap packages by applying config and team specs (#11349) 2023-04-26 16:09:21 -05:00
Roberto Dip
9068faf38f
Allow to configure SSO settings for MDM end user authentication (#11270)
Related to #10741, this adds a new key to app config named
`end_user_authentication`, which can be configured using the same keys
as the existing SSO feature.

Per the spec, if the feature is configured, it's implicitly enabled, at
least until we get to #10999.

Note that this only enables the SSO config, a second part of the ticket
with endpoints for the EULA will be tackled separately.
2023-04-25 12:16:33 -03:00
Martin Angers
582e85c876
Add support for the mdm.macos_setup.macos_setup_assistant key in fleetctl, API (#11296) 2023-04-25 09:36:01 -04:00
gillespi314
a37d138f4b
Migrate MDM status values in datastore and API layers (#11278) 2023-04-24 16:27:15 -05:00
Roberto Dip
5c487890ca
add an endpoint to get an aggregate summary of bootstrap packages (#11156)
Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2023-04-22 10:23:38 -05:00
gillespi314
bb2fbbdd38
Add apple_bm_enabled_and_configured to app config responses (#11255) 2023-04-21 11:08:09 -05:00
gillespi314
be76e209d9
Update macOS settings status filter and aggregate host counts to incorporate disk encryption key status (#11182) 2023-04-19 10:03:44 -05:00
Martin Angers
7483f56b76
Report empty command status as "Pending", fix test (#11220) 2023-04-17 13:37:52 -04:00
Martin Angers
c1d3f67e6f
Add fleetctl get mdm-commands command and supporting API endpoint (#11163) 2023-04-17 11:45:16 -04:00
Juan Fernandez
c16184a647
Bug 10767: Don't return 500s if enroll secret not found (#11121)
Return proper status code (401) on '/api/fleet/orbit/enroll' if secret is invalid.
2023-04-13 16:16:40 -04:00
Roberto Dip
9acb6959a1
fix a couple of flaky tests (#11100)
This fixes the following flaky tests:

- `TestHosts/LoadHostByOrbitNodeKey`
- `TestIntegrationsEnterprise/TestListSoftware`
- `TestHosts/ListStatus`

I couldn't figure out what's wrong with `TestScanVulnerabilities` which
is also randomly failing, and it's super slow to run (since it has to
download assets from GitHub) maybe @juan-fdz-hawa can spot it?

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Added/updated tests
2023-04-11 20:15:59 -03:00
Roberto Dip
fe166c93e3
don't delete nano_* tables when a host is deleted (#11110) 2023-04-10 15:27:42 -05:00
Roberto Dip
a59b8a5096
various profile fixes (#11084)
### Related tickets

https://github.com/fleetdm/fleet/issues/10775
https://github.com/fleetdm/fleet/issues/10678
https://github.com/fleetdm/fleet/issues/11024
https://github.com/fleetdm/fleet/issues/11026

### What's happening

- Implemented the hashing mechanism defined by @mna in #10678, however
this mechanism is mainly relevant for batch profile updates via the CLI,
we can't leverage it when a host switches teams.
- Modified `BulkSetPendingMDMAppleHostProfiles` so when two profiles
with the same identifier are sheduled both for removal and update, the
function will now mark only the `install` as `pending` so it's picked by
the cron, and will `DELETE` the `remove` entry from the database so it's
not picked by the cron and never sent to the user.
- `GetHostMDMProfiles` and consequently the profiles returned in `GET
/api/_version_/fleet/hosts` return `host_mdm_apple_profiles.state =
NULL` as "Enforcing (pending", the distinction between `status =
'pending'` and `status IS NULL` is only useful for the cron, for users
both mean the same thing, and all our profile aggregations already
behave this way.
- Using the solution implemented by @gillespi314 in
https://github.com/fleetdm/fleet/pull/10998 we're now deleting the host
row from `host_disk_encryption_keys` if a host is moved from a team that
enforces disk encryption to a team that doesn't.


# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2023-04-08 23:23:36 -03:00
Roberto Dip
34833d64a5
improve table cleanup on unenrollment (#11075)
https://github.com/fleetdm/fleet/issues/10948
2023-04-07 22:02:17 -03:00
Roberto Dip
77e5c004f4
implement bootstrap packages during DEP enrollment (#11052)
#10213
2023-04-07 17:31:02 -03:00
Martin Angers
231b8e4153
Support deletion host-referencing tables that use UUID instead of ID when deleting a host (#11017) 2023-04-05 16:29:28 -04:00
Lucas Manuel Rodriguez
a756614c1a
New observer_plus role (#10675)
#8593

This PR adds a new role `observer_plus` to Fleet. (The `GitOps` role
will be added on a separate PR.)

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [X] Documented any permissions changes
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-05 15:23:49 -03:00
Lucas Manuel Rodriguez
2f38f2e76a
Uninstalling software in a host also updates software table (#10540)
https://github.com/fleetdm/confidential/issues/1968

It's ready for review but I still need to load test this.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-05 13:53:43 -03:00
Gabriel Hernandez
50d66479b4
Feat/api/implelment filter disk encryption (#10987)
relates to #9436

Implementation of the API supporting filtering host by disk encryption
status. This adds this through a `macos_settings_disk_encryption` query
param that can be passed to these endpoints:

`GET /hosts`
`GET /hosts/count`
`GET /lables/:id/hosts`



- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2023-04-05 17:09:23 +01:00
Martin Angers
741a7aa5d0
Finalize MDM commands part 3: add the fleetctl get mdm-command-results command (#10964) 2023-04-05 10:50:36 -04:00
Roberto Dip
337d61c823
automatically install a fleetd configuration profile to relevant teams (#10910)
Related to #9459, this adds logic to the cron to add a
`com.fleetdm.fleetd.config` configuration profile to the
`apple_mdm_configuration_profiles` table.

As noted in the comments, this makes some assumptions:

- This profile will be applied to all hosts in the team (or "no team",)
but it will only be used by hosts that have a fleetd installation
without
  an enroll secret and fleet URL (mainly DEP enrolled hosts).
- Once the profile is applied to a team (or "no team",) it's not removed
if
  AppConfig.MDM.AppleBMDefaultTeam changes, this is to preserve existing
agents using the configuration (mainly ServerURL as EnrollSecret is used
  only during enrollment)
2023-04-04 17:09:20 -03:00
Martin Angers
e0e547f1a2
Finalize MDM commands part 2: implement fleetctl mdm run-command (#10866) 2023-04-03 14:25:49 -04:00
Juan Fernandez
4c2ddba2e4
Clean out-of-date NVD results. (#10514)
Keep the vulnerabilities detected via NVD and stored in the DB in sync. with the results from the NVD vulnerability process.
2023-04-03 13:45:18 -04:00
Roberto Dip
a23b437f17
Revert "rename CleanupHostDiskEncryptionKeysTable migration (#10903)" (#10915) 2023-03-31 12:14:50 -05:00
Roberto Dip
cc57016f02
rename CleanupHostDiskEncryptionKeysTable migration (#10903) 2023-03-31 10:44:41 -05:00
Gabriel Hernandez
cb582042cc
Fix disk encryption banner displaying incorrectly on My Device page (#10875)
relates to #10786 

This fixes an issue where users would see the incorrect disk encryption
banners on the my device page. This included a change to the ingestion
logic of the `directIngestDiskEncryptionKeyDarwin` method to take into
account if a host was already being encrypted with filevault locally.

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2023-03-30 17:15:45 +01:00
Roberto Dip
9896d591c4
ensure duplicates are removed before enforcing collations (#10814)
Related to #10787, this tries to find in the tables with High likelihood
described in the issue.

This successfully accounts for unique keys that contain leading/trailing
whitespace and are using a collation with a pad attribute set to `NO
PAD` (considers whitespace as any other character instead of ignoring
it)

I haven't found a way to successfully detect the same scenario for
special unicode characters, for example:

```
mysql> SELECT TABLE_NAME, TABLE_COLLATION FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'software';
+------------+--------------------+
| TABLE_NAME | TABLE_COLLATION    |
+------------+--------------------+
| software   | utf8mb4_general_ci |
+------------+--------------------+
1 row in set (0.01 sec)

mysql> select vendor COLLATE utf8mb4_unicode_ci from software where name = 'zchunk-libs' GROUP BY vendor COLLATE utf8mb4_unicode_ci;
+-----------------------------------+
| vendor COLLATE utf8mb4_unicode_ci |
+-----------------------------------+
| vendor                            |
| vendor?                           |
+-----------------------------------+
2 rows in set (0.01 sec)

mysql> ALTER TABLE `software` CONVERT TO CHARACTER SET `utf8mb4` COLLATE `utf8mb4_unicode_ci`;
ERROR 1062 (23000): Duplicate entry 'zchunk-libs-1.2.1-rpm_packages--vendor\2007-x86_64' for key 'unq_name'
```
> **Note** that `?`  in "vendor?" is an unicode character
2023-03-29 13:31:24 -03:00
Martin Angers
0e2c9bb873
finalize mdm commands part 1: support fleetctl get hosts --mdm and --mdm-pending (#10796) 2023-03-29 08:30:49 -04:00
Juan Fernandez
aecc2fed75
Feature 9834: Add published date to vulnerability object (#10434)
This only applies to Premium users, we want to show the vulnerabilities' published date anywhere vulnerabilities are shown including API endpoints and third party integrations.
2023-03-28 16:11:31 -04:00
Gabriel Hernandez
005956f9bc
Feat/implement api for disk encryption status aggregate (#10422)
relates to #9434

implements the `GET /fleet/mdm/apple/filevault/summary` aggregate
endpoint.

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests

---------

Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2023-03-28 15:50:14 +01:00
Martin Angers
b6e10eb6da
Update host MDM profile status to pending in response to triggering events (#10443) 2023-03-27 14:43:01 -04:00
Roberto Dip
5667755042
account for currently unsupported user enrollments (#10658)
This modifies the query we use to list profiles to add/remove to account
for (currently) unsupported User enrollments.

#10659
2023-03-21 18:42:10 -03:00
Roberto Dip
09b6b8610f
delete all host MDM profiles when is unenrolled programatically through the API (#10603)
https://github.com/fleetdm/fleet/issues/10507
2023-03-20 19:37:15 -03:00
Roberto Dip
61a8a80514
allow to rotate disk encryption key from My Device (#10592)
Related to https://github.com/fleetdm/fleet/issues/8961

Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2023-03-20 16:14:07 -03:00
gillespi314
2ddf377c73
Treat MDM profile not found error as if profile was successfully removed (#10579) 2023-03-20 10:47:07 -05:00
Roberto Dip
f04ff27180
Prevent user action in profiles managed by Fleet (#10559)
related to https://github.com/fleetdm/fleet/issues/10547,
https://github.com/fleetdm/fleet/issues/10549,
https://github.com/fleetdm/fleet/issues/10550 and
https://github.com/fleetdm/fleet/issues/10552 this prevents user
interaction with fleet-managed profiles, including:

- batch actions
- individual POST/UPDATE/DELETE actions
- listing

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
2023-03-17 18:52:30 -03:00
Roberto Dip
305392e7bb
enforce an uniform collation for all tables (#10515)
related to #10441, inspired by the prior work done in
https://github.com/kolide/fleet/pull/1360, this PR:

1. Adds a migration to use `utf8mb4_general_ci` as the default collation
for the database and all the tables. From [MySQL's documentation][1]:

> To change the table default character set and all character columns
    > (CHAR, VARCHAR, TEXT) to a new character set, use a statement like
    > this:
    >
    > ```
    > ALTER TABLE tbl_name CONVERT TO CHARACTER SET charset_name;
    > ```
> The statement also changes the collation of all character columns. If
> you specify no COLLATE clause to indicate which collation to use, the
    > statement uses default collation for the character set.

2. Changes the connection settings to use `utf8mb4_general_ci` as the
default collation, from the [driver docs][2]:

   > Sets the collation used for client-server interaction on
connection. In contrast to charset, collation does not issue additional
queries. If the specified collation is unavailable on the target server,
the connection will fail.

[1]: https://dev.mysql.com/doc/refman/5.7/en/alter-table.html
[2]: https://github.com/go-sql-driver/mysql


**TODO:** discuss how we can enforce this, is setting the database
default collation enough? should we add some kind of custom lint rule to
all migrations?

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2023-03-16 15:49:24 -03:00
Lucas Manuel Rodriguez
b0f490b4d6
Run make dump-test-schema (#10505)
Forgot to run this in https://github.com/fleetdm/fleet/pull/10478
2023-03-15 10:47:49 -03:00
Martin Angers
276c767ab9
Update aggregated_stats to support "no team" in addition to "all teams" (#10466) 2023-03-14 17:01:16 -04:00
gillespi314
2bb79ef95a
Update team id query parameter to filter hosts by "no team" assignment (#10444) 2023-03-14 15:41:55 -05:00
gillespi314
c838395c44
Add profile name to host mdm apple profiles (#10455) 2023-03-14 11:21:52 -05:00
Lucas Manuel Rodriguez
5ec4fab440
Orbit to set --database_path when invoking osquery to retrieve system info (#10308)
#9132

The actual fix for the empty hosts is adding the `--database_path`
argument in the initial `osqueryd -S` invocation when retrieving the
UUID. Osquery attempts to retrieve the UUID from OS files/APIs, when not
possible (which is what happens on some linux distributions), then it
resorts to generating a new random UUID and storing it in the
`osquery.db`. The issue was Orbit's first invocation of `osqueryd -S`
was not using the same `osquery.db` as the main daemon invocation of
`osqueryd`.

I'm also adding a `hostname` + `platform` to the orbit enroll phase so
that if there are any issues in the future we can avoid the "empty" host
and have some information to help us troubleshoot.

## How to reproduce

On Linux, osquery reads `/sys/class/dmi/id/product_uuid` to load the
hardware UUID.
Some Linux distributions running on specific hardware or container
environments do not have such file available.
The way to reproduce on a Linux VM is to do the following:
```sh
$ sudo su
# chmod -r /sys/class/dmi/id/product_uuid
```
which will turn the file inaccessible to root.

## Checklist

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [X] Added/updated tests
- [x] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-03-13 18:54:18 -03:00
Lucas Manuel Rodriguez
b0475d998e
Run cleanup of cron_stats outside of the schedule package to prevent outages from breaking cron jobs (#10439)
#9486

Now cron jobs should recover from a Fleet outage after ~ two hours.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- ~[ ] Added/updated tests~
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-13 16:15:30 -03:00
Lucas Manuel Rodriguez
3757aace08
Add UUID to Fleet errors and clean up error msgs (#10411)
#8129 

Apart from fixing the issue in #8129, this change also introduces UUIDs
to Fleet errors. To be able to match a returned error from the API to a
error in the Fleet logs. See
https://fleetdm.slack.com/archives/C019WG4GH0A/p1677780622769939 for
more context.

Samples with the changes in this PR:
```
curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d ''
{
  "message": "Bad request",
  "errors": [
    {
      "name": "base",
      "reason": "Expected JSON Body"
    }
  ],
  "uuid": "a01f6e10-354c-4ff0-b96e-1f64adb500b0"
}
```
```
curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d 'asd'
{
  "message": "Bad request",
  "errors": [
    {
      "name": "base",
      "reason": "json decoder error"
    }
  ],
  "uuid": "5f716a64-7550-464b-a1dd-e6a505a9f89d"
}
```
```
curl -k -X GET -H "Authorization: Bearer badtoken" "https://localhost:8080/api/latest/fleet/teams"
{
  "message": "Authentication required",
  "errors": [
    {
      "name": "base",
      "reason": "Authentication required"
    }
  ],
  "uuid": "efe45bc0-f956-4bf9-ba4f-aa9020a9aaaf"
}
```
```
curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}'
{
  "message": "Authorization header required",
  "errors": [
    {
      "name": "base",
      "reason": "Authorization header required"
    }
  ],
  "uuid": "57f78cd0-4559-464f-9df7-36c9ef7c89b3"
}
```
```
curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}'
{
  "message": "Permission Denied",
  "uuid": "7f0220ad-6de7-4faf-8b6c-8d7ff9d2ca06"
}
```

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-13 13:44:06 -03:00
Roberto Dip
a1ca172c95
allow to set up a DEP flow gated by Okta auth (#10338)
#10271
2023-03-13 10:33:32 -03:00
Lucas Manuel Rodriguez
2f585e3916
Improve logging to detect unrecognized platforms (#10423)
Just improving logs to detect platforms that Fleet does not recognize
yet (mostly Linux distributions)

- ~[ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.~
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- ~[ ] Added/updated tests~
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-13 10:06:39 -03:00
Martin Angers
0d6b9b98d4
Add mdm.macos_settings disk encryption fields to the response of GET /hosts/{id} and device. (#10371) 2023-03-08 15:42:23 -05:00
Martin Angers
765c8754b6
Add enabled/disabled disk encryption activities and trigger profiles generation (#10319) 2023-03-08 08:31:53 -05:00
Roberto Dip
7c3a281c23
add schema tables to support DEP Okta flow (#10290)
For #10271 and #10273, this adds the underlying table that will support
the Okta DEP flow.
2023-03-07 10:57:26 -03:00
gillespi314
6ae052c17d
Optimize sql for mdm profile status counts (#10304)
Local performance results with 2000+ records in hosts (no index for
hosts.uuid) and 4000+ records in host_mdm_apple_profiles:

New query (30ms)
<img width="1166" alt="Screenshot 2023-03-03 at 3 41 22 PM"
src="https://user-images.githubusercontent.com/73313222/222861016-4adab32a-697b-48ab-9e1e-6043ea9ba561.png">

Old query (900ms)
<img width="1166" alt="Screenshot 2023-03-03 at 3 41 49 PM"
src="https://user-images.githubusercontent.com/73313222/222861104-a6f4758b-0c17-4d25-b0aa-20292c932108.png">
2023-03-06 15:41:27 -03:00
gillespi314
36ac72d697
Add mdm profiles status filter to hosts endpoints (#10246) 2023-03-03 18:19:46 -06:00
Jacob Shandling
55fe65e062
Update aggregate profiles api (#10274)
* Change order of returned json fields
* Change field "failed" to "failing"

- [x] Manual QA
- [x] Updated docs

---------

Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2023-03-03 15:35:47 -08:00
gillespi314
615052a9ac
Create new API endpoint to provide aggregate status count of MDM profiles applying to hosts (#10194) 2023-03-01 18:36:59 -06:00
Roberto Dip
164bb4bf5c
add logic to configure FileVault + escrow (#10160)
Related to #9495, this adds the underlying methods to send a
configuration profile that enables FileVault and FileVault Escrow, so we
can fetch and decrypt the encryption key later on.

These methods still need to be called somewhere, and they might need to
be moved outside of `Service`, but at least this gives us a start.
2023-03-01 10:43:15 -03:00
Martin Angers
4593c49ec4
Add disk_encryption option to config and team YAML (#10185) 2023-02-28 15:34:46 -05:00
Martin Angers
e3ddb5f3ce
Support matching a host in orbit enrollment using the serial number (#9612) 2023-02-28 12:55:04 -05:00
gillespi314
6fec539fbf
Update API responses for hosts and labels endpoints to include host mdm info (#10141)
Issue #10126 

- Add mdm solution name to host mdm inf
- Add host mdm info in labels API response;
2023-02-27 18:40:34 -03:00
Juan Fernandez
7e366272c0
Feature 9386: Parse the Mac Office release notes for vulnerability processing (#9993)
This PR adds the capability of parsing the release notes posted in https://learn.microsoft.com/en-us/officeupdates/release-notes-office-for-mac into a JSON metadata file (to be released in the NVD repo) and use it for detecting vulnerabilities on Mac Office apps.
2023-02-24 14:18:25 -04:00
gillespi314
5a988872a7
Filter removed mdm profiles from host details (#10074) 2023-02-23 14:33:36 -06:00
Roberto Dip
cc4d6c9a2c
fix: don't try to send commands to non MDM enrolled hosts (#10052) 2023-02-23 16:17:53 -03:00
gillespi314
66bd7a7fb8
Reconcile API integration for MDM profile statuses in host details (#10045)
Fixes issues found during manual QA of integration for #10034 and #10019
2023-02-23 10:27:00 -03:00
gillespi314
e31fc889f1
Add MDM profiles to host detail in API responses (#10034)
Issue #9599 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-02-22 16:26:06 -06:00
Roberto Dip
262e9870e3
add a cron job to reconcile profiles (#9946)
https://github.com/fleetdm/fleet/issues/9590
2023-02-22 14:49:06 -03:00
Lucas Manuel Rodriguez
2e199dcdab
Fix golangci-lint issue and run Github action on all OSs (#9944)
We have code that builds conditionally depending on the platform (mostly
Orbit code) so we should run `golangci-lint` checks on all OSs.

This adds it to run on macOS, for Windows see:
https://github.com/fleetdm/fleet/issues/9943
2023-02-21 14:30:45 -03:00
Martin Angers
c3a9a1cd94
Fix panic when loading mdm-enrolled host by orbit key and is_server is null (#9957) 2023-02-21 08:41:04 -05:00
Martin Angers
fa695cef34
Fix server URL for hosts enrolled in Fleet MDM (#9952) 2023-02-20 12:16:56 -05:00
Martin Angers
33f33163a9
Add macos custom profiles support via fleetctl apply (#9824) 2023-02-15 13:01:44 -05:00
gillespi314
f1227d7303
Add authz and datastore methods for mdm config profiles (#9781) 2023-02-14 09:12:18 -06:00
Roberto Dip
0f5a35061e
don't filter DEP hosts by OS before ingesting and improve logs (#9815)
Related to https://github.com/fleetdm/fleet/issues/9653 I couldn't find
any documentation to back this up, but I have a strong suspicion that
the `os` field in the device sync response might come empty in some
scenarios (particularly, when a laptop is brand new, which is hard to
reproduce 😅)

My thoughts are:

1. For the recently purchased MacBooks,
`IngestMDMAppleDevicesFromDEPSync` didn't create an entry in the
database, BUT `nanodep.Assigner.ProcessDeviceResponse` correctly
assigned a DEP profile (the devices were able to enroll). Both methods
filter by `op_type` but only ours filters by `os`.
2. I think this is safe-ish to do, as you will normally assign a MDM
server per device type in ABM

![image](https://user-images.githubusercontent.com/4419992/218732609-0936e3a9-cadf-4485-9aa4-af2c9398cff9.png)
3. I have added extra logs to try to prove this hypothesis next time a
brand new device comes in, let's keep an eye on and re-evaluate this
approach.
2023-02-14 10:23:19 -03:00
gillespi314
aca2449566
Add new data types and table for Apple MDM config profiles (#9758) 2023-02-08 18:36:20 -06:00
Roberto Dip
7cd581866a
add API endpoint to see disk encryption key (#9713)
https://github.com/fleetdm/fleet/issues/8708
2023-02-08 20:20:23 -03:00
Roberto Dip
046401d190
Ingest file vault recovery keys in macOS (#9712)
Related + details at https://github.com/fleetdm/fleet/issues/8708
2023-02-08 11:49:42 -03:00
Roberto Dip
e06b00df11
Add readonly MDM.EnabledAndConfigured to app config and device responses (#9575)
Related to #9571, this adds a new value to both responses which is
calculated when the Fleet server is started, and only set to `true` if
the server is properly configured for MDM.

This helps the UI to determine wether or not we should show certain UI
elements that we only want to show to servers with MDM enabled.
2023-02-01 14:47:52 -03:00
Roberto Dip
4c4c114e96
add mocks + tests and move things around (#9574)
#8948

- Add more go:generate commands for MDM mocks
- Add unit and integration tests for MDM code
- Move interfaces from their PoC location to match existing patterns
2023-01-31 11:46:01 -03:00
Martin Angers
8a137e2b5b
Move host details mdm properties to new mdm object (#9505) 2023-01-30 16:40:11 -06:00
Lucas Manuel Rodriguez
8163b7d8da
Update live query selector logic (OR -> AND) (#9559)
See requirements in #8682.

Two assumptions on the implementation (@zayhanlon please take a look):
- Hosts explicitly selected to run always run the live query (no matter
the values on the selectors).
- When selecting `All hosts`, selecting any other platform or label is
kind of a no-op. We should look into graying out all the selectors if
the user selects `All hosts`.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- ~[ ] Documented any permissions changes~
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-01-30 18:35:56 -03:00
Roberto Dip
851545c21f
create and send Nudge configuration to hosts (#9491)
related to #9348
2023-01-25 17:03:40 -03:00
Roberto Dip
2d25a3f48d
add mdm root key and macos_updates to app and team configs (#9442)
Related to https://github.com/fleetdm/fleet/issues/9345,
https://github.com/fleetdm/fleet/issues/9358 and
https://github.com/fleetdm/fleet/issues/9346 this adds:

1. The ability to configure `mdm.macos_updates` via `PATCH /config` and
`PATCH /teams/{id}`
3. The ability to configure `mdm.macos_updates` by using `fleetctl apply
-f` for teams and global config.
2023-01-24 13:20:02 -03:00
gillespi314
1b4e8e692a
Add API endpoint to unenroll a host from Fleet's MDM (#9447) 2023-01-23 17:05:24 -06:00
Gabriel Hernandez
7d4653baaa
add attribute to GET /activities endpoint with pagination metadata (#9279)
relates to https://github.com/fleetdm/fleet/issues/8928

This adds a new `meta` attribute to the "GET /activities" endpoint that
includes pagination metadata. This can allow clients to know if there
are additional items to request.


- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2023-01-18 12:57:11 +00:00
Martin Angers
e89c45776a
Notify orbit via the GET config endpoint that the DEP profile needs to be renewed (#9373) 2023-01-17 13:19:48 -05:00
gillespi314
fba3607c4a
Add mdm status and server url to host endpoint responses (#9320) 2023-01-16 17:08:24 -06:00
Roberto Dip
f87c28e6df
automatically assign DEP enrolled devices to a team if set via config (#9135)
Related to https://github.com/fleetdm/fleet/issues/9068 and
https://github.com/fleetdm/fleet/issues/8733, this builds on the work
done in https://github.com/fleetdm/fleet/pull/9062 to tie the loose ends
and assign the configured team to the device that's enrolling
2023-01-16 17:38:51 -03:00
Roberto Dip
2447a371b0
use nanomdm's multi service + integration tests and fixes (#9269)
**Use nano's multi service**

This allows us to integrate more seamlessly with nano and to run our
custom MDM logic _after_ the request was handled by nano, which gives us
more flexibility (for example: now we can issue commands after a
TokenUpdate message)

From nano's code:

> MultiService executes multiple services for the same service calls.
> The first service returns values or errors to the caller. We give the
> first service a chance to alter any 'core' request data (say, the
> Enrollment ID) by waiting for it to finish then we run the remaining
> services' calls in parallel.

**Integration tests + fixes**

- Move some of the service logic from `cmd/` to `server/service`
- Add integration tests for the MDM enrollment flow, including SCEP
authentication.
- Fixed a bug that set `host_mdm.mdm_id = 0`  during MDM enrollment due
  to how MySQL reports the last insert id when `ON DUPLICATE KEY` is
  used.
- Completely remove the host row from `host_mdm` when a device is
  unenrolled from MDM to match the behavior of how we ingest MDM data
  from osquery

Related to https://github.com/fleetdm/fleet/issues/8708,
https://github.com/fleetdm/fleet/issues/9034
2023-01-16 17:06:30 -03:00
gillespi314
bae10e0ba2
Adjust max age for cron stats entries (#9190) 2023-01-16 10:23:52 -06:00
Tomas Touceda
398bb38da7
Add software_updated_at field to host (#9116)
#9012

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [x] Added/updated tests

Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2023-01-09 08:55:43 -03:00
Martin Angers
656e5bfc70
Flag when the Apple BM terms have expired (#9091)
#8862 

Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-01-06 17:44:20 -03:00