Merge branch 'main' into 20404-edit-software-fe

fleetdm · Sep 16, 2024 · 22e5d18 · 22e5d18
2 parents f14e9ee + 549e9c8
commit 22e5d18
Show file tree

Hide file tree

Showing 27 changed files with 874 additions and 403 deletions.
diff --git a/.github/workflows/test-native-tooling-packaging.yml b/.github/workflows/test-native-tooling-packaging.yml
@@ -21,6 +21,8 @@ on:
       - 'tools/bomutils-docker/**'
       - '.github/workflows/test-native-tooling-packaging.yml'
   workflow_dispatch: # Manual
+  schedule:
+    - cron: "0 5 * * *"
 
 # This allows a subsequently queued workflow run to interrupt previous runs
 concurrency:
@@ -41,6 +43,12 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest]
+        # build_type == 'remote' means this job will test the fleetdm/fleetctl:latest from Docker Hub.
+        # build_type == 'local' means this job will build the the image locally.
+        #
+        # TODO(lucas): We should only run 'remote' on schedule
+        # (adding conditionals to 'matrix' requires many tricks).
+        build_type: ["remote", "local"]
     runs-on: ${{ matrix.os }}
 
     steps:
@@ -50,23 +58,29 @@ jobs:
         egress-policy: audit
 
     - name: Checkout Code
+      if: ${{ matrix.build_type ==  'local' }}
       uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
     - name: Install Go
+      if: ${{ matrix.build_type ==  'local' }}
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version-file: 'go.mod'
 
     - name: Install Go Dependencies
+      if: ${{ matrix.build_type ==  'local' }}
       run: make deps-go
 
     - name: Build fleetdm/wix
+      if: ${{ matrix.build_type ==  'local' }}
       run: make wix-docker
 
     - name: Build fleetdm/bomutils
+      if: ${{ matrix.build_type ==  'local' }}
       run: make bomutils-docker
 
     - name: Build fleetdm/fleetctl
+      if: ${{ matrix.build_type ==  'local' }}
       run: make fleetctl-docker
 
     - name: Build DEB
@@ -92,3 +106,24 @@ jobs:
 
     - name: Build PKG with Fleet Desktop
       run: docker run -v "$(pwd):/build" fleetdm/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
+
+    - name: Slack Notification
+      if: github.event.schedule == '0 5 * * *' && failure()
+      uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
+      with:
+        payload: |
+          {
+            "text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
+            "blocks": [
+              {
+                "type": "section",
+                "text": {
+                  "type": "mrkdwn",
+                  "text": "⚠️  Tests on fleetdm/fleetctl docker image failed.\nhttps://github.com/fleetdm/fleet/actions/runs/${{  github.run_id }}"
+                }
+              }
+            ]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
+        SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
diff --git a/.github/workflows/test-packaging-build-docker-deps.yml b/.github/workflows/test-packaging-build-docker-deps.yml
@@ -0,0 +1,94 @@
+# This workflow tests packaging of fleetd with the
+# `fleetctl package` command using locally built fleetdm/wix and fleetdm/bomutils images.
+#
+# It fetches the targets: orbit, osquery and fleet-desktop from the default
+# (Fleet's) TUF server, https://tuf.fleetctl.com.
+name: Test packaging with local fleetdm/wix and fleetdm/bomutils
+
+on:
+  push:
+    branches:
+      - main
+      - patch-*
+      - prepare-*
+    paths:
+      - "tools/bomutils-docker/**"
+      - "tools/wix-docker/**"
+      - ".github/workflows/test-packaging-build-docker-deps.yml"
+  pull_request:
+    paths:
+      - "tools/bomutils-docker/**"
+      - "tools/wix-docker/**"
+      - ".github/workflows/test-packaging-build-docker-deps.yml"
+  workflow_dispatch: # Manual
+
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  test-packaging:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest]
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout Code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: Install Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: "go.mod"
+
+      - name: Install Go Dependencies
+        run: make deps-go
+
+      - name: Build fleetctl
+        run: make fleetctl
+
+      - name: Build fleetdm/wix
+        run: make wix-docker
+
+      - name: Build fleetdm/bomutils
+        run: make bomutils-docker
+
+      - name: Build DEB
+        run: ./build/fleetctl package --type deb --enroll-secret=foo --fleet-url=https://localhost:8080
+
+      - name: Build DEB with Fleet Desktop
+        run: ./build/fleetctl package --type deb --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
+
+      - name: Build RPM
+        run: ./build/fleetctl package --type rpm --enroll-secret=foo --fleet-url=https://localhost:8080
+
+      - name: Build RPM with Fleet Desktop
+        run: ./build/fleetctl package --type rpm --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
+
+      - name: Build MSI
+        run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080
+
+      - name: Build MSI with Fleet Desktop
+        run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
+
+      - name: Build PKG
+        run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080
+
+      - name: Build PKG with Fleet Desktop
+        run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
diff --git a/.github/workflows/test-packaging.yml b/.github/workflows/test-packaging.yml
@@ -1,7 +1,8 @@
-# This workflow tests packaging of Fleet-osquery with the
-# `fleetctl package` command. It fetches the targets: orbit,
-# osquery and fleet-desktop from the default (Fleet's) TUF server,
-# https://tuf.fleetctl.com.
+# This workflow tests packaging of fleetd with the
+# `fleetctl package` command.
+#
+# It fetches the targets: orbit, osquery and fleet-desktop from the default
+# (Fleet's) TUF server, https://tuf.fleetctl.com.
 name: Test packaging
 
 on:
@@ -50,87 +51,86 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-
-    - name: Harden Runner
-      uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
-      with:
-        egress-policy: audit
-
-    - name: Pull fleetdm/wix
-      # Run in background while other steps complete to speed up the workflow
-      run: docker pull fleetdm/wix:latest &
-
-    - name: Pull fleetdm/bomutils
-      # Run in background while other steps complete to speed up the workflow
-      run: docker pull fleetdm/bomutils:latest &
-
-    - name: Run Colima
-      if: startsWith(matrix.os, 'macos')
-      timeout-minutes: 15
-      # notes:
-      # - docker to install the docker CLI and interact with the Colima
-      #   container runtime
-      # - colima is pre-installed in macos-12 runners, but not in macos-13 or
-      #   macos-14 runners
-      run: |
-        brew install docker
-        # The runners come with an old version of [email protected] that fails to upgrade
-        # when python gets pulled in as a dep through the chain
-        # colima -> lima -> qemu -> glibc -> [email protected]
-        # Force upgrade it for now, remove once the problem is fixed
-        brew install --overwrite [email protected]
-        brew install colima
-        colima start --mount $TMPDIR:w
-
-    - name: Checkout Code
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-
-    - name: Install Go
-      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
-      with:
-        go-version-file: 'go.mod'
-
-    - name: Install wine and wix
-      if: startsWith(matrix.os, 'macos')
-      run: |
-        ./scripts/macos-install-wine.sh -n
-        wget https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip -nv -O wix.zip
-        mkdir wix
-        unzip wix.zip -d wix
-        rm -f wix.zip
-        echo wix installed at $(pwd)/wix
-
-      # It seems faster not to cache Go dependencies
-    - name: Install Go Dependencies
-      run: make deps-go
-
-    - name: Build fleetctl
-      run: make fleetctl
-
-    - name: Build DEB
-      run: ./build/fleetctl package --type deb --enroll-secret=foo --fleet-url=https://localhost:8080
-
-    - name: Build DEB with Fleet Desktop
-      run: ./build/fleetctl package --type deb --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
-
-    - name: Build RPM
-      run: ./build/fleetctl package --type rpm --enroll-secret=foo --fleet-url=https://localhost:8080
-
-    - name: Build RPM with Fleet Desktop
-      run: ./build/fleetctl package --type rpm --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
-
-    - name: Build MSI
-      run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080
-
-    - name: Build MSI with Fleet Desktop
-      run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
-
-    - name: Build PKG
-      run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080
-
-    - name: Build PKG with Fleet Desktop
-      run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
-
-    - name: Build MSI (using local Wix)
-      if: startsWith(matrix.os, 'macos')
-      run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop --local-wix-dir ./wix
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Run Colima
+        if: startsWith(matrix.os, 'macos')
+        timeout-minutes: 15
+        # notes:
+        # - docker to install the docker CLI and interact with the Colima
+        #   container runtime
+        # - colima is pre-installed in macos-12 runners, but not in macos-13 or
+        #   macos-14 runners
+        run: |
+          brew install docker
+          # The runners come with an old version of [email protected] that fails to upgrade
+          # when python gets pulled in as a dep through the chain
+          # colima -> lima -> qemu -> glibc -> [email protected]
+          # Force upgrade it for now, remove once the problem is fixed
+          brew install --overwrite [email protected]
+          brew install colima
+          colima start --mount $TMPDIR:w
+
+      - name: Pull fleetdm/wix
+        # Run in background while other steps complete to speed up the workflow
+        run: docker pull fleetdm/wix:latest
+
+      - name: Pull fleetdm/bomutils
+        # Run in background while other steps complete to speed up the workflow
+        run: docker pull fleetdm/bomutils:latest
+
+      - name: Checkout Code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: Install Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: "go.mod"
+
+      - name: Install wine and wix
+        if: startsWith(matrix.os, 'macos')
+        run: |
+          ./scripts/macos-install-wine.sh -n
+          wget https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip -nv -O wix.zip
+          mkdir wix
+          unzip wix.zip -d wix
+          rm -f wix.zip
+          echo wix installed at $(pwd)/wix
+
+        # It seems faster not to cache Go dependencies
+      - name: Install Go Dependencies
+        run: make deps-go
+
+      - name: Build fleetctl
+        run: make fleetctl
+
+      - name: Build DEB
+        run: ./build/fleetctl package --type deb --enroll-secret=foo --fleet-url=https://localhost:8080
+
+      - name: Build DEB with Fleet Desktop
+        run: ./build/fleetctl package --type deb --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
+
+      - name: Build RPM
+        run: ./build/fleetctl package --type rpm --enroll-secret=foo --fleet-url=https://localhost:8080
+
+      - name: Build RPM with Fleet Desktop
+        run: ./build/fleetctl package --type rpm --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
+
+      - name: Build MSI
+        run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080
+
+      - name: Build MSI with Fleet Desktop
+        run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
+
+      - name: Build PKG
+        run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080
+
+      - name: Build PKG with Fleet Desktop
+        run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
+
+      - name: Build MSI (using local Wix)
+        if: startsWith(matrix.os, 'macos')
+        run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop --local-wix-dir ./wix
diff --git a/changes/19442-ubuntu-python-packages b/changes/19442-ubuntu-python-packages
@@ -0,0 +1 @@
+- Addressing Ubuntu python package false positive vulnerabilities by removing duplicate entries for ubuntu python packages installed by dpkg and renaming remaining pip installed packages to match OVAL definitions.
diff --git a/changes/21468-no-teams-policies b/changes/21468-no-teams-policies
@@ -0,0 +1 @@
+* Enable 'No teams' funcitonality for the policies page and associated workflows.
diff --git a/cmd/fleet/cron.go b/cmd/fleet/cron.go
@@ -1012,7 +1012,6 @@ func verifyDiskEncryptionKeys(
 	logger kitlog.Logger,
 	ds fleet.Datastore,
 ) error {
-
 	appCfg, err := ds.AppConfig(ctx)
 	if err != nil {
 		logger.Log("err", "unable to get app config", "details", err)
@@ -1219,17 +1218,16 @@ func newMDMAPNsPusher(
 	commander *apple_mdm.MDMAppleCommander,
 	logger kitlog.Logger,
 ) (*schedule.Schedule, error) {
-
 	const name = string(fleet.CronAppleMDMAPNsPusher)
 
-	var interval = 1 * time.Minute
+	interval := 1 * time.Minute
 	if intervalEnv := os.Getenv("FLEET_DEV_CUSTOM_APNS_PUSHER_INTERVAL"); intervalEnv != "" {
 		var err error
 		interval, err = time.ParseDuration(intervalEnv)
 		if err != nil {
-			return nil, ctxerr.Wrap(ctx, err, "invalid duration provided in env var FLEET_DEV_CUSTOM_APNS_PUSHER_INTERVAL")
+			level.Warn(logger).Log("msg", "invalid duration provided for FLEET_DEV_CUSTOM_APNS_PUSHER_INTERVAL, using default interval")
+			interval = 1 * time.Minute
 		}
-
 	}
 
 	logger = kitlog.With(logger, "cron", name)