Can run install scripts now.

Author: getvictor

ee/server/service/software_installers.go

@@ -17,6 +17,7 @@ import (
 
 	"github.com/fleetdm/fleet/v4/pkg/file"
 	"github.com/fleetdm/fleet/v4/pkg/fleethttp"
+	"github.com/fleetdm/fleet/v4/server/authz"
 	"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
 	hostctx "github.com/fleetdm/fleet/v4/server/contexts/host"
 	"github.com/fleetdm/fleet/v4/server/contexts/viewer"
@@ -415,11 +416,12 @@ func (svc *Service) InstallSoftwareTitle(ctx context.Context, hostID uint, softw
 			if err != nil {
 				return ctxerr.Wrapf(ctx, err, "getting last install data for host %d and installer %d", host.ID, installer.InstallerID)
 			}
-			if lastInstallRequest != nil && lastInstallRequest.Status != nil && *lastInstallRequest.Status == fleet.SoftwareInstallPending {
+			if lastInstallRequest != nil && lastInstallRequest.Status != nil &&
+				(*lastInstallRequest.Status == fleet.SoftwareInstallPending || *lastInstallRequest.Status == fleet.SoftwareUninstallPending) {
 				return &fleet.BadRequestError{
-					Message: "Couldn't install software. Host has a pending install request.",
+					Message: "Could not install software. Host has a pending install/uninstall request.",
 					InternalErr: ctxerr.WrapWithData(
-						ctx, err, "host already has a pending install for this installer",
+						ctx, err, "host already has a pending install/uninstall for this installer",
 						map[string]any{
 							"host_id":               host.ID,
 							"software_installer_id": installer.InstallerID,
@@ -594,6 +596,151 @@ func (svc *Service) installSoftwareTitleUsingInstaller(ctx context.Context, host
 	return ctxerr.Wrap(ctx, err, "inserting software install request")
 }
 
+func (svc *Service) UninstallSoftwareTitle(ctx context.Context, hostID uint, softwareTitleID uint) error {
+	// First check if scripts are disabled globally. If so, no need for further processing.
+	cfg, err := svc.ds.AppConfig(ctx)
+	if err != nil {
+		svc.authz.SkipAuthorization(ctx)
+		return err
+	}
+
+	if cfg.ServerSettings.ScriptsDisabled {
+		svc.authz.SkipAuthorization(ctx)
+		return fleet.NewUserMessageError(errors.New(fleet.RunScriptScriptsDisabledGloballyErrMsg), http.StatusForbidden)
+	}
+
+	// we need to use ds.Host because ds.HostLite doesn't return the orbit node key
+	host, err := svc.ds.Host(ctx, hostID)
+	if err != nil {
+		// if error is because the host does not exist, check first if the user
+		// had access to install/uninstall software (to prevent leaking valid host ids).
+		if fleet.IsNotFound(err) {
+			if err := svc.authz.Authorize(ctx, &fleet.HostSoftwareInstallerResultAuthz{}, fleet.ActionWrite); err != nil {
+				return err
+			}
+		}
+		svc.authz.SkipAuthorization(ctx)
+		return ctxerr.Wrap(ctx, err, "get host")
+	}
+
+	if host.OrbitNodeKey == nil || *host.OrbitNodeKey == "" {
+		// fleetd is required to install software so if the host is enrolled via plain osquery we return an error
+		svc.authz.SkipAuthorization(ctx)
+		return fleet.NewUserMessageError(errors.New("host does not have fleetd installed"), http.StatusUnprocessableEntity)
+	}
+
+	// If scripts are disabled (according to the last detail query), we return an error.
+	// host.ScriptsEnabled may be nil for older orbit versions.
+	if host.ScriptsEnabled != nil && !*host.ScriptsEnabled {
+		svc.authz.SkipAuthorization(ctx)
+		return fleet.NewUserMessageError(errors.New(fleet.RunScriptsOrbitDisabledErrMsg), http.StatusUnprocessableEntity)
+	}
+
+	// authorize with the host's team
+	if err := svc.authz.Authorize(ctx, &fleet.HostSoftwareInstallerResultAuthz{HostTeamID: host.TeamID}, fleet.ActionWrite); err != nil {
+		return err
+	}
+
+	installer, err := svc.ds.GetSoftwareInstallerMetadataByTeamAndTitleID(ctx, host.TeamID, softwareTitleID, false)
+	if err != nil {
+		if fleet.IsNotFound(err) {
+			return &fleet.BadRequestError{
+				Message: "Could not uninstall software. Software title is not available for uninstall. Please add software package to install/uninstall.",
+				InternalErr: ctxerr.WrapWithData(
+					ctx, err, "couldn't find an installer for software title",
+					map[string]any{"host_id": host.ID, "team_id": host.TeamID, "title_id": softwareTitleID},
+				),
+			}
+		}
+		return ctxerr.Wrap(ctx, err, "finding software installer for title")
+	}
+
+	lastInstallRequest, err := svc.ds.GetHostLastInstallData(ctx, host.ID, installer.InstallerID)
+	if err != nil {
+		return ctxerr.Wrapf(ctx, err, "getting last install data for host %d and installer %d", host.ID, installer.InstallerID)
+	}
+	if lastInstallRequest != nil && lastInstallRequest.Status != nil &&
+		(*lastInstallRequest.Status == fleet.SoftwareInstallPending || *lastInstallRequest.Status == fleet.SoftwareUninstallPending) {
+		return &fleet.BadRequestError{
+			Message: "Could not uninstall software. Host has a pending install/uninstall request.",
+			InternalErr: ctxerr.WrapWithData(
+				ctx, err, "host already has a pending install/uninstall for this installer",
+				map[string]any{
+					"host_id":               host.ID,
+					"software_installer_id": installer.InstallerID,
+					"team_id":               host.TeamID,
+					"title_id":              softwareTitleID,
+				},
+			),
+		}
+	}
+
+	// Validate platform
+	ext := filepath.Ext(installer.Name)
+	requiredPlatform := packageExtensionToPlatform(ext)
+	if requiredPlatform == "" {
+		// this should never happen
+		return ctxerr.Errorf(ctx, "software installer has unsupported type %s", ext)
+	}
+
+	if host.FleetPlatform() != requiredPlatform {
+		return &fleet.BadRequestError{
+			Message: fmt.Sprintf("Package (%s) can be uninstalled only on %s hosts.", ext, requiredPlatform),
+			InternalErr: ctxerr.NewWithData(
+				ctx, "invalid host platform for requested uninstall",
+				map[string]any{"host_id": host.ID, "team_id": host.TeamID, "title_id": installer.TitleID},
+			),
+		}
+	}
+
+	// Get the uninstall script and use the standard script infrastructure to run it.
+	contents, err := svc.ds.GetAnyScriptContents(ctx, installer.UninstallScriptContentID)
+	if err != nil {
+		if fleet.IsNotFound(err) {
+			return fleet.NewInvalidArgumentError("software_title_id", `No uninstall script exists for the provided "software_title_id".`).
+				WithStatus(http.StatusNotFound)
+		}
+		return err
+	}
+
+	var teamID uint
+	if host.TeamID != nil {
+		teamID = *host.TeamID
+	}
+	// create the script execution request, the host will be notified of the
+	// script execution request via the orbit config's Notifications mechanism.
+	request := fleet.HostScriptRequestPayload{
+		HostID:          host.ID,
+		ScriptContents:  string(contents),
+		ScriptContentID: installer.UninstallScriptContentID,
+		TeamID:          teamID,
+	}
+	if ctxUser := authz.UserFromContext(ctx); ctxUser != nil {
+		request.UserID = &ctxUser.ID
+	}
+	scriptResult, err := svc.ds.NewHostScriptExecutionRequest(ctx, &request)
+	if err != nil {
+		return ctxerr.Wrap(ctx, err, "create script execution request")
+	}
+
+	// Update the host software installs table with the uninstall request
+	if err = svc.insertSoftwareUninstallRequest(ctx, scriptResult.ExecutionID, host, installer); err != nil {
+		return err
+	}
+
+	// TODO: Add host activity -- pending uninstall request (upcoming)
+
+	return nil
+}
+
+func (svc *Service) insertSoftwareUninstallRequest(ctx context.Context, executionID string, host *fleet.Host,
+	installer *fleet.SoftwareInstaller) error {
+	if err := svc.ds.InsertSoftwareUninstallRequest(ctx, executionID, host.ID, installer.InstallerID); err != nil {
+		return ctxerr.Wrap(ctx, err, "inserting software uninstall request")
+	}
+	return nil
+}
+
 func (svc *Service) GetSoftwareInstallResults(ctx context.Context, resultUUID string) (*fleet.HostSoftwareInstallerResult, error) {
 	// Basic auth check
 	if err := svc.authz.Authorize(ctx, &fleet.Host{}, fleet.ActionList); err != nil {

frontend/components/ActivityDetails/InstallDetails/constants.ts

@@ -10,6 +10,8 @@ export const INSTALL_DETAILS_STATUS_ICONS: Record<
   installed: "success-outline",
   failed: "error-outline",
   failed_install: "error-outline",
+  pending_uninstall: "pending-outline",
+  failed_uninstall: "error-outline",
 } as const;
 
 const INSTALL_DETAILS_STATUS_PREDICATES: Record<
@@ -21,6 +23,8 @@ const INSTALL_DETAILS_STATUS_PREDICATES: Record<
   installed: "installed",
   failed: "failed to install",
   failed_install: "failed to install",
+  pending_uninstall: "is uninstalling or will uninstall",
+  failed_uninstall: "failed to uninstall",
 } as const;
 
 export const getInstallDetailsStatusPredicate = (

frontend/interfaces/software.ts

@@ -200,6 +200,8 @@ export const SOFTWARE_INSTALL_STATUSES = [
   "installed",
   "pending",
   "pending_install",
+  "pending_uninstall",
+  "failed_uninstall",
 ] as const;
 
 /*
@@ -290,6 +292,8 @@ const INSTALL_STATUS_PREDICATES: Record<SoftwareInstallStatus, string> = {
   installed: "installed",
   pending: "told Fleet to install",
   pending_install: "told Fleet to install",
+  pending_uninstall: "told Fleet to uninstall",
+  failed_uninstall: "failed to uninstall",
 } as const;
 
 export const getInstallStatusPredicate = (status: string | undefined) => {
@@ -308,6 +312,8 @@ export const INSTALL_STATUS_ICONS: Record<SoftwareInstallStatus, IconNames> = {
   installed: "success-outline",
   failed: "error-outline",
   failed_install: "error-outline",
+  pending_uninstall: "pending-outline",
+  failed_uninstall: "error-outline",
 } as const;
 
 type IHostSoftwarePackageWithLastInstall = IHostSoftwarePackage & {

frontend/pages/SoftwarePage/SoftwareTitleDetailsPage/SoftwarePackageCard/SoftwarePackageCard.tsx

@@ -113,6 +113,11 @@ const STATUS_DISPLAY_OPTIONS: Record<
     iconName: "pending-outline",
     tooltip: "Fleet will install software when these hosts come online.",
   },
+  pending_uninstall: {
+    displayName: "Pending",
+    iconName: "pending-outline",
+    tooltip: "Fleet will uninstall software when these hosts come online.",
+  },
   failed: {
     displayName: "Failed",
     iconName: "error",
@@ -129,6 +134,11 @@ const STATUS_DISPLAY_OPTIONS: Record<
     iconName: "error",
     tooltip: "Fleet failed to install software on these hosts.",
   },
+  failed_uninstall: {
+    displayName: "Failed",
+    iconName: "error",
+    tooltip: "Fleet failed to uninstall software on these hosts.",
+  },
 };
 
 interface IPackageStatusCountProps {

frontend/pages/hosts/details/cards/Software/InstallStatusCell/InstallStatusCell.tsx

@@ -50,6 +50,11 @@ export const INSTALL_STATUS_DISPLAY_OPTIONS: Record<
     displayText: "Pending",
     tooltip: () => "Fleet will install software when the host comes online.",
   },
+  pending_uninstall: {
+    iconName: "pending-outline",
+    displayText: "Pending",
+    tooltip: () => "Fleet will uninstall software when the host comes online.",
+  },
   failed: {
     iconName: "error",
     displayText: "Failed",
@@ -71,6 +76,16 @@ export const INSTALL_STATUS_DISPLAY_OPTIONS: Record<
       </>
     ),
   },
+  failed_uninstall: {
+    iconName: "error",
+    displayText: "Failed",
+    tooltip: ({ lastInstalledAt: lastInstall }) => (
+      <>
+        Fleet failed to install software ({dateAgo(lastInstall as string)} ago).
+        Select <b>Actions &gt; Software details</b> to see more.
+      </>
+    ),
+  },
   avaiableForInstall: {
     iconName: "install",
     displayText: "Available for install",

frontend/pages/hosts/details/cards/Software/SelfService/SelfServiceItem/SelfServiceItem.tsx

@@ -38,6 +38,11 @@ const STATUS_CONFIG: Record<SoftwareInstallStatus, IStatusDisplayConfig> = {
     displayText: "Install in progress...",
     tooltip: () => "Software installation in progress...",
   },
+  pending_uninstall: {
+    iconName: "pending-outline",
+    displayText: "Uninstall in progress...",
+    tooltip: () => "Software uninstallation in progress...",
+  },
   failed: {
     iconName: "error",
     displayText: "Failed",
@@ -60,6 +65,17 @@ const STATUS_CONFIG: Record<SoftwareInstallStatus, IStatusDisplayConfig> = {
       </>
     ),
   },
+  failed_uninstall: {
+    iconName: "error",
+    displayText: "Failed",
+    tooltip: ({ lastInstalledAt = "" }) => (
+      <>
+        Software failed to install
+        {lastInstalledAt ? ` (${dateAgo(lastInstalledAt)})` : ""}. Select{" "}
+        <b>Retry</b> to install again, or contact your IT department.
+      </>
+    ),
+  },
 };
 
 interface IInstallerInfoProps {

pkg/file/scripts/uninstall_pkg.sh

@@ -10,7 +10,6 @@ do
 done
 
 # Loop through each pkg_id and remove receipts
-
 for pkg_id in "${pkg_ids[@]}"
 do
     pkgutil --forget $pkg_id

server/authz/policy.rego

@@ -677,15 +677,15 @@ allow {
 # Host software installs
 ##
 
-# Global admins and maintainers can write (install) software on hosts (not
+# Global admins and maintainers can write (install/uninstall) software on hosts (not
 # gitops as this is not something that relates to fleetctl apply).
 allow {
   object.type == "host_software_installer_result"
   subject.global_role == [admin, maintainer][_]
   action == write
 }
 
-# Team admin and maintainers can write (install) software on hosts for their
+# Team admin and maintainers can write (install/uninstall) software on hosts for their
 # teams (not gitops as this is not something that relates to fleetctl apply).
 allow {
   object.type == "host_software_installer_result"
@@ -937,7 +937,7 @@ allow {
   action == write
 }
 
-# Global admins, maintainers, observer_plus and observers can read scripts.
+# Global admins, maintainers, observer_plus and observers can read script results, including software uninstall results.
 allow {
   object.type == "host_script_result"
   subject.global_role == [admin, maintainer, observer, observer_plus][_]
@@ -953,7 +953,7 @@ allow {
   action == write
 }
 
-# Team admins, maintainers, observer_plus and observers can read scripts for their teams.
+# Team admins, maintainers, observer_plus and observers can read script results for their teams, including software uninstall results.
 allow {
   object.type == "host_script_result"
   not is_null(object.team_id)

server/datastore/mysql/activities_test.go

@@ -506,7 +506,8 @@ func testListHostUpcomingActivities(t *testing.T, ds *Datastore) {
 	h2A := hsr.ExecutionID
 	hsr, err = ds.NewHostScriptExecutionRequest(ctx, &fleet.HostScriptRequestPayload{HostID: h2.ID, ScriptContents: "F", UserID: &u.ID})
 	require.NoError(t, err)
-	_, err = ds.SetHostScriptExecutionResult(ctx, &fleet.HostScriptResultPayload{HostID: h2.ID, ExecutionID: hsr.ExecutionID, Output: "ok", ExitCode: 0})
+	_, _, err = ds.SetHostScriptExecutionResult(ctx,
+		&fleet.HostScriptResultPayload{HostID: h2.ID, ExecutionID: hsr.ExecutionID, Output: "ok", ExitCode: 0})
 	require.NoError(t, err)
 	h2F := hsr.ExecutionID
 	// add a pending software install request for h2

server/datastore/mysql/migrations/tables/20240903155740_UninstallPackages.go

@@ -67,7 +67,7 @@ ADD CONSTRAINT fk_uninstall_script_content_id
 	}
 
 	if _, err := tx.Exec(`
-ALTER TABLE host_software_installs 
+ALTER TABLE host_software_installs
 ADD COLUMN uninstall_script_output TEXT COLLATE utf8mb4_unicode_ci,
 ADD COLUMN uninstall_script_exit_code INT DEFAULT NULL,
 ADD COLUMN uninstall TINYINT UNSIGNED NOT NULL DEFAULT 0,
@@ -95,6 +95,9 @@ CASE
 	WHEN uninstall_script_exit_code IS NOT NULL AND
 		uninstall_script_exit_code != 0 THEN 'failed_uninstall'
 
+	WHEN uninstall_script_exit_code IS NOT NULL AND
+		uninstall_script_exit_code = 0 THEN NULL -- available for install again
+
 	WHEN host_id IS NOT NULL AND uninstall = 1 THEN 'pending_uninstall'
 
 	ELSE NULL -- not installed from Fleet installer or successfully uninstalled