Merge branch 'main' into feat/add-install-confirmation-21980

fleetdm · Jan 4, 2025 · aa537a1 · aa537a1
2 parents aec043a + 9181ba7
commit aa537a1
Show file tree

Hide file tree

Showing 580 changed files with 14,992 additions and 3,737 deletions.
diff --git a/.github/ISSUE_TEMPLATE/release-qa.md b/.github/ISSUE_TEMPLATE/release-qa.md
@@ -3,7 +3,7 @@ name:  Release QA
 about: Checklist of required tests prior to release
 title: 'Release QA:'
 labels: '#g-mdm,#g-endpoint-ops,:release'
-assignees: 'xpkoala,pezhub'
+assignees: 'xpkoala,pezhub,jmwatts'
 
 ---
 
@@ -111,8 +111,8 @@ Smoke tests are limited to core functionality and serve as a pre-release final r
 
 1. Verify able to run a script on all host types from CLI.
 2. Verify scripts library upload/download/delete.
-3. From Host details (Windows and macOS) run a script that should PASS, verify.
-4. From Host details (Windows and macOS) run a script that should FAIL, verify.
+3. From Host details (macOS, Windows, & Linux) run a script that should PASS, verify.
+4. From Host details (macOS, Windows, & Linux) run a script that should FAIL, verify.
 5. Verify UI loading state and statuses for scripts.
 6. Disable scripts globally and verify unable to run.
 7. Verify scripts display correctly in Activity feed.
@@ -121,40 +121,51 @@ Smoke tests are limited to core functionality and serve as a pre-release final r
 <tr><td>Software</td><td>Verify software library and install / download</td><td>
 
 1. Verify software library upload/download/delete.
-2. From Host details (Windows and macOS) run an install that should PASS, verify.
-3. From My Device (Windows and macOS) software tab should have self-service items available, verify.
+2. From Host details (macOS, Windows, & Linux) run an install that should PASS, verify.
+3. From My Device (macOS, Windows, & Linux) software tab should have self-service items available, verify.
 4. Verify UI loading state and statuses for installing software.
 6. Verify software installs display correctly in Activity feed.
 </td><td>pass/fail</td></tr>
 
 <tr><td>OS settings</td><td>Verify OS settings functionality</td><td>
 
-1. Verify able to configure Disk encryption.
+1. Verify able to configure Disk encryption (macOS, Windows, & Linux).
 2. Verify host enrolled with Disk encryption enforced successfully encrypts.
 3. Verify Profiles upload/download/delete (macOS & Windows).
-4. Verify profiles are delivered to host and applied. 
+4. Verify Profiles are delivered to host and applied. 
 </td><td>pass/fail</td></tr>
 
 <tr><td>Setup experience</td><td>Verify macOS Setup experience</td><td>
 
 1. Configure End user authentication.
 2. Upload a Bootstrap package.
-3. Enroll an ADE-eligible macOS host and verify successful authentication.
-4. Verify Bootstrap package is delivered.
+3. Add software (FMA, VPP, & Custom pkg)
+4. Add a script
+5. Enroll an ADE-eligible macOS host and verify successful authentication.
+6. Verify Bootstrap package is delivered.
+7. Verify SwiftDialogue window displays.
+8. Verify software installs and script runs.
 </td><td>pass/fail</td></tr>
 
 <tr><td>OS updates</td><td>Verify OS updates flow</td><td>
 
 1. Configure OS updates (macOS & Windows).
-2. Verify on-device that Nudge prompt appears (macOS). 
+2. Verify on-device that Nudge prompt appears (macOS 13).
+3. Verify enforce minimumOS occurs during enrollment (macOS 14+).
 </td><td>pass/fail</td></tr>
 
+<tr><td>iOS/iPadOS</td><td>Verify enrollment, profiles, & software installs</td><td>
 
+1. Verify ADE enrollment.
+2. Verify OTA enrollment.
+3. Verify Profiles are delivered to host and applied.
+4. Verify VPP apps install & display correctly in Activity feed.
+
 <tr><td>Certificates Upload</td><td>APNs cert and ABM token renewal workflow</td><td>
 
 1. Renew APNs Certificate.
 2. Renew ABM Token.
-3. Ensure ADE host can enroll.
+3. Ensure ADE hosts can enroll.
 </td><td>pass/fail</td></tr>
 
 <tr><td>Migration Test</td><td>Verify Fleet can migrate to the next version with no issues.</td><td>

diff --git a/.github/ISSUE_TEMPLATE/story.md b/.github/ISSUE_TEMPLATE/story.md
@@ -39,14 +39,15 @@ What else should contributors [keep in mind](https://fleetdm.com/handbook/compan
 ## Changes
 
 ### Product
-- [ ] UI changes: TODO <!-- Insert the link to the relevant Figma cover page. Put "No changes" if there are no changes to the user interface. -->
+- [ ] UI changes: TODO <!-- Insert the link to the relevant Figma cover page. Make sure  wireframes show the UI down to 320px (min screen width). Put "No changes" if there are no changes to the user interface. -->
 - [ ] CLI (fleetctl) usage changes: TODO <!-- Insert the link to the relevant Figma cover page. Put "No changes" if there are no changes to the CLI. -->
-- [ ] YAML changes: TODO <!-- Specify changes in the YAML files doc page as a PR to the reference docs release branch. Put "No changes" if there are no changes necessary. -->
-- [ ] REST API changes: TODO <!-- Specify changes in the the REST API doc page as a PR to reference docs release branch. Put "No changes" if there are no changes necessary. Move this item to the engineering list below if engineering will design the API changes. -->
+- [ ] YAML changes: TODO <!-- Specify changes in the YAML files doc page as a PR to the reference docs release branch following the guidelines in the handbook here: https://fleetdm.com/handbook/product-design#drafting Put "No changes" if there are no changes necessary. -->
+- [ ] REST API changes: TODO <!-- Specify changes in the the REST API doc page as a PR to reference docs release branch following the guidelines in the handbook here: https://fleetdm.com/handbook/product-design#drafting Put "No changes" if there are no changes necessary. Move this item to the engineering list below if engineering will design the API changes. -->
 - [ ] Fleet's agent (fleetd) changes: TODO <!-- Specify changes to fleetd. If the change requires a new Fleet (server) version, consider specifying to only enable this change in new Fleet versions. Put "No changes" if there are no changes necessary. -->
 - [ ] Activity changes: TODO <!-- Specify changes to the Audit log page in the contributor docs. Put "No changes" if there are no changes necessary. -->
 - [ ] Permissions changes: TODO <!-- Specify changes in the Manage access doc page as a PR to the reference docs release branch. If doc changes aren't necessary, explicitly mention no changes to the doc page. Put "No changes" if there are no permissions changes. -->
 - [ ] Changes to paid features or tiers: TODO  <!-- Specify changes in pricing-features-table.yml as a PR to reference docs release branch. Specify "Fleet Free" and/or "Fleet Premium" if there are no changes to the pricing page necessary. -->
+- [ ] Transparency changes: TODO <!-- If there are changes to the personal information Fleet can see on end user workstations, make sure wireframes include changes to the My device page. Also, specify changes as a PR to the fleetdm.com/better (aka Transparency page). Put "No changes" if there are no changes necessary. -->
 - [ ] Other reference documentation changes: TODO <!-- Any other reference doc changes? Specify changes as a PR to reference docs release branch. Put "No changes" if there are no changes necessary. -->
 - [ ] Once shipped, requester has been notified
 - [ ] Once shipped, dogfooding issue has been filed

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -8,13 +8,14 @@ If some of the following don't apply, delete the relevant line.
   See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information.
 - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)
 - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.
-- [ ] Added/updated tests
 - [ ] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes
 - [ ] If database migrations are included, checked table schema to confirm autoupdate
 - For database migrations:
   - [ ] Checked schema for all modified table for columns that will auto-update timestamps during migration.
   - [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
   - [ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).
+- [ ] Added/updated automated tests
+- [ ] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it)
 - [ ] Manual QA for all new/changed functionality
 - For Orbit and Fleet Desktop changes:
    - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`).

diff --git a/.github/scripts/update_osquery_versions.py b/.github/scripts/update_osquery_versions.py
@@ -1,16 +1,21 @@
 import os
-import requests
 import re
+import json
+import http.client
 
 # Use GITHUB_WORKSPACE to get the root of your repository
 repo_root = os.environ.get('GITHUB_WORKSPACE', '')
 FILE_PATH = os.path.join(repo_root, 'frontend', 'utilities', 'constants.tsx')
 
 
 def fetch_osquery_versions():
-    response = requests.get('https://api.github.com/repos/osquery/osquery/releases')
-    releases = response.json()
-    return [release['tag_name'] for release in releases if not release['prerelease']]
+    conn = http.client.HTTPSConnection('api.github.com')
+    conn.request('GET', '/repos/osquery/osquery/releases', headers={"User-Agent": "Fleet/osquery-checker"})
+    resp = conn.getresponse()
+    content = resp.read()
+    conn.close()
+
+    return [release['tag_name'] for release in json.loads(content.decode('utf-8'))]
 
 def update_min_osquery_version_options(new_versions):
     with open(FILE_PATH, 'r') as file:

diff --git a/.github/workflows/dogfood-deploy.yml b/.github/workflows/dogfood-deploy.yml
@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
     inputs:
       DOCKER_IMAGE:
-        description: 'The full name of the docker image to be deployed. (e.g. fleetdm/fleet:v4.30.0). Note: do not use fleetdm/fleet:main directly.  Use the short hash instead.  If pull-rate limited, try using the quay.io/fleetdm/fleet mirror.'
+        description: "The full name of the docker image to be deployed. (e.g. fleetdm/fleet:v4.30.0). Note: do not use fleetdm/fleet:main directly.  Use the short hash instead.  If pull-rate limited, try using the quay.io/fleetdm/fleet mirror."
         required: true
 
 # This allows a subsequently queued workflow run to interrupt previous runs
@@ -26,7 +26,8 @@ env:
   TF_WORKSPACE: fleet
   TF_VAR_fleet_image: ${{ github.event.inputs.DOCKER_IMAGE || 'fleetdm/fleet:main' }}
   TF_VAR_fleet_license: ${{ secrets.DOGFOOD_LICENSE_KEY }}
-  TF_VAR_slack_webhook: ${{ secrets.SLACK_G_HELP_P1_WEBHOOK_URL }}
+  TF_VAR_slack_p1_webhook: ${{ secrets.SLACK_G_HELP_P1_WEBHOOK_URL }}
+  TF_VAR_slack_p2_webhook: ${{ secrets.SLACK_G_HELP_P2_WEBHOOK_URL }}
   TF_VAR_fleet_sentry_dsn: ${{ secrets.DOGFOOD_SENTRY_DSN }}
   TF_VAR_elastic_url: ${{ secrets.ELASTIC_APM_SERVER_URL }}
   TF_VAR_elastic_token: ${{ secrets.ELASTIC_APM_SECRET_TOKEN }}

diff --git a/.github/workflows/dogfood-gitops.yml b/.github/workflows/dogfood-gitops.yml
@@ -76,6 +76,7 @@ jobs:
           DOGFOOD_COMPANY_OWNED_IPHONES_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPANY_OWNED_IPHONES_ENROLL_SECRET }}
           DOGFOOD_COMPANY_OWNED_IPADS_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPANY_OWNED_IPADS_ENROLL_SECRET }}
           MANAGED_CHROME_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
+          DOGFOOD_PERSONALLY_OWNED_IPHONES_ENROLL_SECRET: ${{ secrets.DOGFOOD_PERSONALLY_OWNED_IPHONES_ENROLL_SECRET }}
 
       - name: Notify on Gitops failure
         if: failure() && github.ref_name == 'main'

diff --git a/.github/workflows/generate-desktop-targets.yml b/.github/workflows/generate-desktop-targets.yml
@@ -22,7 +22,10 @@ env:
   FLEET_DESKTOP_VERSION: 1.37.0
 
 permissions:
-  contents: read
+  contents: write
+  id-token: write
+  attestations: write
+  packages: write
 
 jobs:
   desktop-macos:
@@ -31,7 +34,6 @@ jobs:
     # later, avoiding runtime errors on systems using macOS 13 or newer.
     runs-on: macos-13
     steps:
-
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
@@ -75,6 +77,12 @@ jobs:
           FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
           make desktop-app-tar-gz
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: "desktop.app.tar.gz"
+
       - name: Upload desktop.app.tar.gz
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
         with:
@@ -84,7 +92,6 @@ jobs:
   desktop-windows:
     runs-on: ubuntu-latest
     steps:
-
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
@@ -103,6 +110,12 @@ jobs:
           FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
           make desktop-windows
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: "fleet-desktop.exe"
+
       - name: Upload fleet-desktop.exe
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
         with:
@@ -125,7 +138,6 @@ jobs:
   desktop-linux:
     runs-on: ubuntu-latest
     steps:
-
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
@@ -144,6 +156,12 @@ jobs:
           FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
           make desktop-linux
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: "desktop.tar.gz"
+
       - name: Upload desktop.tar.gz
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
         with:
@@ -153,7 +171,6 @@ jobs:
   desktop-linux-arm64:
     runs-on: ubuntu-latest
     steps:
-
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
@@ -172,6 +189,12 @@ jobs:
           FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
           make desktop-linux-arm64
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: 'desktop.tar.gz'
+
       - name: Upload desktop.tar.gz
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
         with:

diff --git a/.github/workflows/generate-osqueryd-targets.yml b/.github/workflows/generate-osqueryd-targets.yml
@@ -24,10 +24,13 @@ defaults:
     shell: bash
 
 env:
-  OSQUERY_VERSION: 5.14.1
+  OSQUERY_VERSION: 5.15.0
 
 permissions:
-  contents: read
+  contents: write
+  id-token: write
+  attestations: write
+  packages: write
 
 jobs:
   generate-macos:
@@ -45,6 +48,12 @@ jobs:
         run: |
           make osqueryd-app-tar-gz out-path=. version=$OSQUERY_VERSION
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: "osqueryd.app.tar.gz"
+
       - name: Upload osqueryd.app.tar.gz
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
         with:
@@ -70,6 +79,12 @@ jobs:
           chmod +x ./opt/osquery/bin/osqueryd
           ./opt/osquery/bin/osqueryd --version
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: "opt/osquery/bin/osqueryd"
+
       - name: Upload osqueryd for linux
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
         with:
@@ -99,6 +114,12 @@ jobs:
           chmod +x ./opt/osquery/bin/osqueryd
           file ./opt/osquery/bin/osqueryd | grep aarch64
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: "opt/osquery/bin/osqueryd"
+
       - name: Upload osqueryd for linux-arm64
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
         with:
@@ -126,6 +147,12 @@ jobs:
           msiexec /a osquery-${{ env.OSQUERY_VERSION }}.msi /qb TARGETDIR=C:\temp
           C:\temp\osquery\osqueryd\osqueryd.exe --version
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: C:\temp\osquery\osqueryd\osqueryd.exe
+
       - name: Upload osqueryd for Windows
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
         with:

diff --git a/.github/workflows/goreleaser-fleet.yaml b/.github/workflows/goreleaser-fleet.yaml
@@ -24,6 +24,9 @@ jobs:
     environment: Docker Hub
     permissions:
       contents: write
+      id-token: write
+      attestations: write
+      packages: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -90,7 +93,7 @@ jobs:
       - name: Attest binaries and archives
         uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
         with:
-          subject-path: "dist/fleet*"
+          subject-path: "dist/**"
 
       # Get the commit hash so we can get image digests
       - name: Get the short commit hash
@@ -103,23 +106,23 @@ jobs:
         continue-on-error: true
         id: image_digests
         run: |
-          echo "digest_fleet=$(echo ${{ steps.goreleaser.outputs.artifacts }} | jq -r '.[]|select(.type == "Published Docker Image" and (.name | contains("fleetdm/fleet:${{ steps.commit.outputs.short_commit }}"))) | select(. != null)|.extra.Digest')" >> "$GITHUB_OUTPUT"
-          echo "digest_fleetctl=$(echo ${{ steps.goreleaser.outputs.artifacts }} | jq -r '.[]|select(.type == "Published Docker Image" and (.name | contains("fleetdm/fleetctl:${{ steps.commit.outputs.short_commit }}"))) | select(. != null)|.extra.Digest')" >> "$GITHUB_OUTPUT"
+          echo "digest_fleet=$(cat ./dist/artifact.json | jq -r '.[]|select(.type == "Published Docker Image" and (.name | contains("fleetdm/fleet:${{ steps.commit.outputs.short_commit }}"))) | select(. != null)|.extra.Digest')" >> "$GITHUB_OUTPUT"
+          echo "digest_fleetctl=$(cat ./dist/artifact.json | jq -r '.[]|select(.type == "Published Docker Image" and (.name | contains("fleetdm/fleetctl:${{ steps.commit.outputs.short_commit }}"))) | select(. != null)|.extra.Digest')" >> "$GITHUB_OUTPUT"
 
       - name: Attest Fleet image
         uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
         continue-on-error: true
         with:
           subject-digest: ${{steps.image_digests.outputs.digest_fleet}}
-          subject-name: "fleetdm/fleet:${{ steps.commit.outputs.short_commit }}"
+          subject-name: "fleetdm/fleet"
           push-to-registry: true
 
       - name: Attest FleetCtl image
         uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
         continue-on-error: true
         with:
           subject-digest: ${{steps.image_digests.outputs.digest_fleetctl}}
-          subject-name: "fleetdm/fleetctl:${{ steps.commit.outputs.short_commit }}"
+          subject-name: "fleetdm/fleetctl"
           push-to-registry: true
 
       - name: Get tag