Merge branch 'main' into software-empty-states

fleetdm · Jun 14, 2024 · b21e11c · b21e11c
2 parents d319e5c + 5a95911
commit b21e11c
Show file tree

Hide file tree

Showing 130 changed files with 1,387 additions and 787 deletions.
diff --git a/.github/ISSUE_TEMPLATE/story.md b/.github/ISSUE_TEMPLATE/story.md
@@ -35,6 +35,7 @@ What else should contributors [keep in mind](https://fleetdm.com/handbook/compan
 - [ ] UI changes: TODO <!-- Insert the link to the relevant Figma cover page. Remove this checkbox if there are no changes to the user interface. -->
 - [ ] CLI usage changes: TODO <!-- Insert the link to the relevant Figma cover page. Remove this checkbox if there are no changes to the CLI. -->
 - [ ] REST API changes: TODO <!-- Specify changes as a draft PR to the REST API doc page. Remove this checkbox if there are no changes necessary. Move this item to the engineering list below if engineering will design the API changes. -->
+- [ ] Fleet's agent (fleetd) changes: TODO <!-- Specify changes to fleetd. If the change requires a new Fleet (server) version, consider specifying to only enable this change in new Fleet versions. Remove this checkbox if there are no changes necessary. -->
 - [ ] Permissions changes: TODO <!-- Specify changes as a draft PR to the Manage access doc page. If doc changes aren't necessary, explicitly mention no changes to the doc page. Remove this checkbox if there are no permissions changes. -->
 - [ ] Outdated documentation changes: TODO <!-- Specify required documentation changes (public-facing fleetdm.com/docs or contributors) & redirects to add to /website/config/routes.js. -->
 - [ ] Changes to paid features or tiers: TODO  <!-- Specify "Fleet Free" or "Fleet Premium".  If only certain parts of the user story involve paid features, specify which parts.  Implementation of paid features should live in the `ee/` directory. -->

diff --git a/changes/16961-return-api-token-for-api-only-users b/changes/16961-return-api-token-for-api-only-users
@@ -0,0 +1,2 @@
+- Endpoint `/api/latest/fleet/users/admin` to return API token when creating API-only (non-SSO) users.
+- Added API-token of the created API-only (non-SSO) user to the output of `fleetctl user create --api-only`.
diff --git a/changes/17316-parse-config-profile-error b/changes/17316-parse-config-profile-error
@@ -0,0 +1 @@
+- Fixed issue where Windows-specific error message was displayed when failing to parse macOS configuration profiles.
diff --git a/changes/18427-cert-names b/changes/18427-cert-names
@@ -0,0 +1 @@
+* Use Fleet instead of FleetDM in MDM certificates
diff --git a/changes/19090-flashing-count b/changes/19090-flashing-count
@@ -0,0 +1 @@
+- Cleanup count rendering fixing clientside flashing counts
diff --git a/changes/19512-mdm-migration-sonoma b/changes/19512-mdm-migration-sonoma
@@ -0,0 +1 @@
+- Fixed bug where MDM migration failed when attempting to renew enrollment profiles on macOS Sonoma devices.
diff --git a/changes/19545-unlock-pin b/changes/19545-unlock-pin
@@ -0,0 +1,2 @@
+* /api/latest/fleet/hosts/:id/lock returns `unlock_pin` for Apple hosts
+* UI no longer uses unlock pending state for Apple hosts
diff --git a/changes/19600-add-config-to-set-query-report-cap b/changes/19600-add-config-to-set-query-report-cap
@@ -0,0 +1 @@
+* Added a server setting to configure the query repory cap size, `server_settings.query_report_cap` (default is 1000).
diff --git a/changes/feature_19010-ipad-ios-wipe b/changes/feature_19010-ipad-ios-wipe
@@ -0,0 +1 @@
+* Added support to wipe iOS/iPadOS devices.
diff --git a/changes/part-of-19072-use-reader-db-for-stats b/changes/part-of-19072-use-reader-db-for-stats
@@ -0,0 +1 @@
+- Improved db usage when sending statistics
diff --git a/cmd/fleetctl/gitops_test.go b/cmd/fleetctl/gitops_test.go
@@ -418,6 +418,7 @@ func TestFullGlobalGitOps(t *testing.T) {
 	assert.Equal(t, orgName, savedAppConfig.OrgInfo.OrgName)
 	assert.Equal(t, fleetServerURL, savedAppConfig.ServerSettings.ServerURL)
 	assert.Contains(t, string(*savedAppConfig.AgentOptions), "distributed_denylist_duration")
+	assert.Equal(t, 2000, savedAppConfig.ServerSettings.QueryReportCap)
 	assert.Len(t, enrolledSecrets, 2)
 	assert.True(t, policyDeleted)
 	assert.Len(t, appliedPolicySpecs, 5)
@@ -923,7 +924,6 @@ team_settings:
 	_ = runAppForTest(t, []string{"gitops", "-f", globalFile.Name(), "-f", teamFile.Name(), "--delete-other-teams"})
 	assert.True(t, ds.ListTeamsFuncInvoked)
 	assert.True(t, ds.DeleteTeamFuncInvoked)
-
 }
 
 func TestFullGlobalAndTeamGitOps(t *testing.T) {
@@ -1059,7 +1059,6 @@ func TestTeamSofwareInstallersGitOps(t *testing.T) {
 			}
 		})
 	}
-
 }
 
 func setupFullGitOpsPremiumServer(t *testing.T) (*mock.Store, **fleet.AppConfig, **fleet.Team) {

diff --git a/cmd/fleetctl/mdm.go b/cmd/fleetctl/mdm.go
@@ -316,7 +316,6 @@ func hostMdmActionSetup(c *cli.Context, hostIdent string, actionType string) (cl
 	if err != nil {
 		var nfe service.NotFoundErr
 		if errors.As(err, &nfe) {
-			fmt.Println(hostIdent)
 			return nil, nil, errors.New("The host doesn't exist. Please provide a valid host identifier.")
 		}
 

diff --git a/cmd/fleetctl/mdm_test.go b/cmd/fleetctl/mdm_test.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"slices"
@@ -361,13 +362,6 @@ func TestMDMLockCommand(t *testing.T) {
 		MDMInfo:  &fleet.HostMDM{Enrolled: true, Name: fleet.WellKnownMDMFleet},
 		MDM:      fleet.MDMHostData{Name: fleet.WellKnownMDMFleet, EnrollmentStatus: ptr.String("On (manual)")},
 	}
-	macEnrolledUP := &fleet.Host{
-		ID:       9,
-		UUID:     "mac-enrolled-up",
-		Platform: "darwin",
-		MDMInfo:  &fleet.HostMDM{Enrolled: true, Name: fleet.WellKnownMDMFleet},
-		MDM:      fleet.MDMHostData{Name: fleet.WellKnownMDMFleet, EnrollmentStatus: ptr.String("On (manual)")},
-	}
 
 	winEnrolledLP := &fleet.Host{
 		ID:       10,
@@ -409,7 +403,6 @@ func TestMDMLockCommand(t *testing.T) {
 		macPending,
 		winPending,
 		winEnrolledUP,
-		macEnrolledUP,
 		winEnrolledLP,
 		macEnrolledLP,
 		winEnrolledWP,
@@ -421,7 +414,6 @@ func TestMDMLockCommand(t *testing.T) {
 
 	unlockPending := map[uint]*fleet.Host{
 		winEnrolledUP.ID: winEnrolledUP,
-		macEnrolledUP.ID: macEnrolledUP,
 	}
 
 	lockPending := map[uint]*fleet.Host{
@@ -446,9 +438,7 @@ func TestMDMLockCommand(t *testing.T) {
 
 		if _, ok := unlockPending[host.ID]; ok {
 			if fleetPlatform == "darwin" {
-				status.UnlockPIN = "1234"
-				status.UnlockRequestedAt = time.Now()
-				return &status, nil
+				return nil, errors.New("apple devices do not have an unlock pending state")
 			}
 
 			status.UnlockScript = &fleet.HostScriptResult{}
@@ -542,7 +532,6 @@ fleetctl mdm unlock --host=%s
 		{appCfgWinMDM, "valid windows but pending ", []string{"--host", winPending.UUID}, `Can't lock the host because it doesn't have MDM turned on.`},
 		{appCfgMacMDM, "valid macos but pending", []string{"--host", macPending.UUID}, `Can't lock the host because it doesn't have MDM turned on.`},
 		{appCfgAllMDM, "valid windows but pending unlock", []string{"--host", winEnrolledUP.UUID}, "Host has pending unlock request."},
-		{appCfgAllMDM, "valid macos but pending unlock", []string{"--host", macEnrolledUP.UUID}, "Host has pending unlock request."},
 		{appCfgAllMDM, "valid windows but pending lock", []string{"--host", winEnrolledLP.UUID}, "Host has pending lock request."},
 		{appCfgAllMDM, "valid macos but pending lock", []string{"--host", macEnrolledLP.UUID}, "Host has pending lock request."},
 		{appCfgAllMDM, "valid windows but pending wipe", []string{"--host", winEnrolledWP.UUID}, "Host has pending wipe request."},
@@ -603,13 +592,6 @@ func TestMDMUnlockCommand(t *testing.T) {
 		MDMInfo:  &fleet.HostMDM{Enrolled: true, Name: fleet.WellKnownMDMFleet},
 		MDM:      fleet.MDMHostData{Name: fleet.WellKnownMDMFleet, EnrollmentStatus: ptr.String("On (manual)")},
 	}
-	macEnrolledUP := &fleet.Host{
-		ID:       9,
-		UUID:     "mac-enrolled-up",
-		Platform: "darwin",
-		MDMInfo:  &fleet.HostMDM{Enrolled: true, Name: fleet.WellKnownMDMFleet},
-		MDM:      fleet.MDMHostData{Name: fleet.WellKnownMDMFleet, EnrollmentStatus: ptr.String("On (manual)")},
-	}
 	winEnrolledLP := &fleet.Host{
 		ID:       10,
 		UUID:     "win-enrolled-lp",
@@ -650,7 +632,6 @@ func TestMDMUnlockCommand(t *testing.T) {
 		macPending,
 		winPending,
 		winEnrolledUP,
-		macEnrolledUP,
 		winEnrolledLP,
 		macEnrolledLP,
 		winEnrolledWP,
@@ -667,7 +648,6 @@ func TestMDMUnlockCommand(t *testing.T) {
 
 	unlockPending := map[uint]*fleet.Host{
 		winEnrolledUP.ID: winEnrolledUP,
-		macEnrolledUP.ID: macEnrolledUP,
 	}
 
 	lockPending := map[uint]*fleet.Host{
@@ -701,9 +681,7 @@ func TestMDMUnlockCommand(t *testing.T) {
 
 		if _, ok := unlockPending[host.ID]; ok {
 			if fleetPlatform == "darwin" {
-				status.UnlockPIN = "1234"
-				status.UnlockRequestedAt = time.Now()
-				return &status, nil
+				return nil, errors.New("apple devices do not have an unlock pending state")
 			}
 
 			status.UnlockScript = &fleet.HostScriptResult{}
@@ -800,7 +778,6 @@ fleetctl get host %s
 		{appCfgWinMDM, "valid windows but pending mdm enroll", []string{"--host", winPending.UUID}, `Can't unlock the host because it doesn't have MDM turned on.`},
 		{appCfgMacMDM, "valid macos but pending mdm enroll", []string{"--host", macPending.UUID}, `Can't unlock the host because it doesn't have MDM turned on.`},
 		{appCfgAllMDM, "valid windows but pending unlock", []string{"--host", winEnrolledUP.UUID}, "Host has pending unlock request."},
-		{appCfgAllMDM, "valid macos but pending unlock", []string{"--host", macEnrolledUP.UUID}, ""},
 		{appCfgAllMDM, "valid windows but pending lock", []string{"--host", winEnrolledLP.UUID}, "Host has pending lock request."},
 		{appCfgAllMDM, "valid macos but pending lock", []string{"--host", macEnrolledLP.UUID}, "Host has pending lock request."},
 		{appCfgAllMDM, "valid windows but pending wipe", []string{"--host", winEnrolledWP.UUID}, "Host has pending wipe request."},
@@ -856,13 +833,6 @@ func TestMDMWipeCommand(t *testing.T) {
 		MDMInfo:  &fleet.HostMDM{Enrolled: true, Name: fleet.WellKnownMDMFleet},
 		MDM:      fleet.MDMHostData{Name: fleet.WellKnownMDMFleet, EnrollmentStatus: ptr.String("On (manual)")},
 	}
-	macEnrolledUP := &fleet.Host{
-		ID:       9,
-		UUID:     "mac-enrolled-up",
-		Platform: "darwin",
-		MDMInfo:  &fleet.HostMDM{Enrolled: true, Name: fleet.WellKnownMDMFleet},
-		MDM:      fleet.MDMHostData{Name: fleet.WellKnownMDMFleet, EnrollmentStatus: ptr.String("On (manual)")},
-	}
 	winEnrolledLP := &fleet.Host{
 		ID:       10,
 		UUID:     "win-enrolled-lp",
@@ -950,7 +920,6 @@ func TestMDMWipeCommand(t *testing.T) {
 		macPending,
 		winPending,
 		winEnrolledUP,
-		macEnrolledUP,
 		winEnrolledLP,
 		macEnrolledLP,
 		winEnrolledWP,
@@ -971,7 +940,6 @@ func TestMDMWipeCommand(t *testing.T) {
 
 	unlockPending := map[uint]*fleet.Host{
 		winEnrolledUP.ID: winEnrolledUP,
-		macEnrolledUP.ID: macEnrolledUP,
 	}
 
 	lockPending := map[uint]*fleet.Host{
@@ -1010,9 +978,7 @@ func TestMDMWipeCommand(t *testing.T) {
 
 		if _, ok := unlockPending[host.ID]; ok {
 			if fleetPlatform == "darwin" {
-				status.UnlockPIN = "1234"
-				status.UnlockRequestedAt = time.Now()
-				return &status, nil
+				return nil, errors.New("apple devices do not have an unlock pending state")
 			}
 
 			status.UnlockScript = &fleet.HostScriptResult{}
@@ -1129,7 +1095,6 @@ func TestMDMWipeCommand(t *testing.T) {
 		{appCfgWinMDM, "valid windows but pending mdm enroll", []string{"--host", winPending.UUID}, `Can't wipe the host because it doesn't have MDM turned on.`},
 		{appCfgMacMDM, "valid macos but pending mdm enroll", []string{"--host", macPending.UUID}, `Can't wipe the host because it doesn't have MDM turned on.`},
 		{appCfgAllMDM, "valid windows but pending unlock", []string{"--host", winEnrolledUP.UUID}, "Host has pending unlock request."},
-		{appCfgAllMDM, "valid macos but pending unlock", []string{"--host", macEnrolledUP.UUID}, "Host has pending unlock request."},
 		{appCfgAllMDM, "valid windows but pending lock", []string{"--host", winEnrolledLP.UUID}, "Host has pending lock request."},
 		{appCfgAllMDM, "valid macos but pending lock", []string{"--host", macEnrolledLP.UUID}, "Host has pending lock request."},
 		{appCfgAllMDM, "valid windows but pending wipe", []string{"--host", winEnrolledWP.UUID}, "Host has pending wipe request."},

diff --git a/cmd/fleetctl/testdata/expectedGetConfigAppConfigJson.json b/cmd/fleetctl/testdata/expectedGetConfigAppConfigJson.json
@@ -11,6 +11,7 @@
 		"server_settings": {
 			"server_url": "",
 			"live_query_disabled": false,
+			"query_report_cap": 0,
 			"query_reports_disabled": false,
 			"enable_analytics": false,
 			"deferred_save_host": false,

diff --git a/cmd/fleetctl/testdata/expectedGetConfigAppConfigYaml.yml b/cmd/fleetctl/testdata/expectedGetConfigAppConfigYaml.yml
@@ -59,6 +59,7 @@ spec:
     deferred_save_host: false
     enable_analytics: false
     live_query_disabled: false
+    query_report_cap: 0
     query_reports_disabled: false
     server_url: ""
     scripts_disabled: false

diff --git a/cmd/fleetctl/testdata/expectedGetConfigIncludeServerConfigJson.json b/cmd/fleetctl/testdata/expectedGetConfigIncludeServerConfigJson.json
@@ -11,6 +11,7 @@
 		"server_settings": {
 			"server_url": "",
 			"live_query_disabled": false,
+			"query_report_cap": 0,
 			"query_reports_disabled": false,
 			"enable_analytics": false,
 			"deferred_save_host": false,

diff --git a/cmd/fleetctl/testdata/expectedGetConfigIncludeServerConfigYaml.yml b/cmd/fleetctl/testdata/expectedGetConfigIncludeServerConfigYaml.yml
@@ -98,6 +98,7 @@ spec:
     deferred_save_host: false
     enable_analytics: false
     live_query_disabled: false
+    query_report_cap: 0
     query_reports_disabled: false
     server_url: ""
     scripts_disabled: false

diff --git a/cmd/fleetctl/testdata/gitops/global_config_no_paths.yml b/cmd/fleetctl/testdata/gitops/global_config_no_paths.yml
@@ -101,6 +101,7 @@ org_settings:
     deferred_save_host: false
     enable_analytics: true
     live_query_disabled: false
+    query_report_cap: 2000
     query_reports_disabled: false
     scripts_disabled: false
     server_url: $FLEET_SERVER_URL

diff --git a/cmd/fleetctl/testdata/macosSetupExpectedAppConfigEmpty.yml b/cmd/fleetctl/testdata/macosSetupExpectedAppConfigEmpty.yml
@@ -59,6 +59,7 @@ spec:
     deferred_save_host: false
     enable_analytics: true
     live_query_disabled: false
+    query_report_cap: 0
     query_reports_disabled: false
     server_url: https://example.org
     scripts_disabled: false

diff --git a/cmd/fleetctl/testdata/macosSetupExpectedAppConfigSet.yml b/cmd/fleetctl/testdata/macosSetupExpectedAppConfigSet.yml
@@ -59,6 +59,7 @@ spec:
     deferred_save_host: false
     enable_analytics: true
     live_query_disabled: false
+    query_report_cap: 0
     query_reports_disabled: false
     server_url: https://example.org
     scripts_disabled: false

diff --git a/cmd/fleetctl/user.go b/cmd/fleetctl/user.go
@@ -160,7 +160,7 @@ func createUserCommand() *cli.Command {
 			force_reset := !sso && !apiOnly
 
 			// password requirements are validated as part of `CreateUser`
-			err = client.CreateUser(fleet.UserPayload{
+			sessionKey, err := client.CreateUser(fleet.UserPayload{
 				Password:                 &password,
 				Email:                    &email,
 				Name:                     &name,
@@ -174,6 +174,10 @@ func createUserCommand() *cli.Command {
 				return fmt.Errorf("Failed to create user: %w", err)
 			}
 
+			if apiOnly && sessionKey != nil && *sessionKey != "" {
+				fmt.Fprintf(c.App.Writer, "Success! The API token for your new user is: %s\n", *sessionKey)
+			}
+
 			return nil
 		},
 	}
@@ -208,7 +212,6 @@ func createBulkUsersCommand() *cli.Command {
 			}
 			defer csvFile.Close()
 			csvLines, err := csv.NewReader(csvFile).ReadAll()
-
 			if err != nil {
 				return err
 			}
@@ -278,7 +281,7 @@ func createBulkUsersCommand() *cli.Command {
 			}
 
 			for _, user := range users {
-				err = client.CreateUser(user)
+				_, err = client.CreateUser(user)
 				if err != nil {
 					return fmt.Errorf("Failed to create user: %w", err)
 				}
@@ -351,7 +354,6 @@ func deleteBulkUsersCommand() *cli.Command {
 			}
 			defer csvFile.Close()
 			csvLines, err := csv.NewReader(csvFile).ReadAll()
-
 			if err != nil {
 				return err
 			}
@@ -362,10 +364,10 @@ func deleteBulkUsersCommand() *cli.Command {
 				}
 			}
 			return nil
-
 		},
 	}
 }
+
 func generateRandomPassword() (string, error) {
 	password, err := password.Generate(20, 2, 2, false, true)
 	if err != nil {
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		- Endpoint `/api/latest/fleet/users/admin` to return API token when creating API-only (non-SSO) users.
		- Added API-token of the created API-only (non-SSO) user to the output of `fleetctl user create --api-only`.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Fixed issue where Windows-specific error message was displayed when failing to parse macOS configuration profiles.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		* Use Fleet instead of FleetDM in MDM certificates
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Cleanup count rendering fixing clientside flashing counts
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Fixed bug where MDM migration failed when attempting to renew enrollment profiles on macOS Sonoma devices.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		* /api/latest/fleet/hosts/:id/lock returns `unlock_pin` for Apple hosts
		* UI no longer uses unlock pending state for Apple hosts
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		* Added a server setting to configure the query repory cap size, `server_settings.query_report_cap` (default is 1000).