mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 08:55:24 +00:00
407d05eab9
For the CIS benchmark feature, we need a way to import a group of policies (spec yml) into a team. This PR adds a flag to `apply -f` to allow setting a team name to a group of policies. Sample: ```sh fleetctl apply --context dogfood --policies-team "📊 CIS Benchmarks" -f ee/cis/macos-13/cis-policy-queries.yml ``` - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [ ] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
88 lines
2.2 KiB
Go
88 lines
2.2 KiB
Go
package main
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"github.com/fleetdm/fleet/v4/pkg/spec"
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
"github.com/urfave/cli/v2"
|
|
)
|
|
|
|
func applyCommand() *cli.Command {
|
|
var (
|
|
flFilename string
|
|
flForce bool
|
|
flDryRun bool
|
|
)
|
|
return &cli.Command{
|
|
Name: "apply",
|
|
Usage: "Apply files to declaratively manage osquery configurations",
|
|
UsageText: `fleetctl apply [options]`,
|
|
Flags: []cli.Flag{
|
|
&cli.StringFlag{
|
|
Name: "f",
|
|
EnvVars: []string{"FILENAME"},
|
|
Value: "",
|
|
Destination: &flFilename,
|
|
Usage: "A file to apply",
|
|
},
|
|
&cli.BoolFlag{
|
|
Name: "force",
|
|
EnvVars: []string{"FORCE"},
|
|
Destination: &flForce,
|
|
Usage: "Force applying the file even if it raises validation errors (only supported for 'config' and 'team' specs)",
|
|
},
|
|
&cli.BoolFlag{
|
|
Name: "dry-run",
|
|
EnvVars: []string{"DRY_RUN"},
|
|
Destination: &flDryRun,
|
|
Usage: "Do not apply the file, just validate it (only supported for 'config' and 'team' specs)",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "policies-team",
|
|
Usage: "A team's name, this flag is only used on policies specs (overrides 'team' key in the policies file). This allows to easily import a group of policies to a team.",
|
|
},
|
|
configFlag(),
|
|
contextFlag(),
|
|
debugFlag(),
|
|
},
|
|
Action: func(c *cli.Context) error {
|
|
if flFilename == "" {
|
|
return errors.New("-f must be specified")
|
|
}
|
|
b, err := os.ReadFile(flFilename)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
fleetClient, err := clientFromCLI(c)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
specs, err := spec.GroupFromBytes(b)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
logf := func(format string, a ...interface{}) {
|
|
fmt.Fprintf(c.App.Writer, format, a...)
|
|
}
|
|
|
|
opts := fleet.ApplySpecOptions{
|
|
Force: flForce,
|
|
DryRun: flDryRun,
|
|
}
|
|
if policiesTeamName := c.String("policies-team"); policiesTeamName != "" {
|
|
opts.TeamForPolicies = policiesTeamName
|
|
}
|
|
baseDir := filepath.Dir(flFilename)
|
|
err = fleetClient.ApplyGroup(c.Context, specs, baseDir, logf, opts)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
},
|
|
}
|
|
}
|