Merge branch 'main' into 7766-frontend-main-merge

.github/workflows/build-orbit.yaml

@@ -2,9 +2,15 @@ name: Build, Sign and Notarize Orbit for macOS
 
 on:
   workflow_dispatch: # allow manual action
+  push:
+    paths:
+      # The workflow can be triggered by modifying ORBIT_VERSION env.
+      - '.github/workflows/build-orbit.yaml'
   pull_request:
     paths:
       - 'orbit/**.go'
+      # The workflow can be triggered by modifying ORBIT_VERSION env.
+      - '.github/workflows/build-orbit.yaml'
 
 env:
   ORBIT_VERSION: 1.17.0

CHANGELOG.md

@@ -1,3 +1,9 @@
+## Fleet 4.38.1 (Oct 5, 2023)
+
+### Bug Fixes
+
+* Fixed a bug that would cause live queries to stall if a detail query override was set for a team.
+
 ## Fleet 4.38.0 (Sep 25, 2023)
 
 ### Changes

CODEOWNERS

@@ -72,7 +72,6 @@ go.mod @fleetdm/go
 #
 # (see website/config/custom.js for DRIs of other paths not listed here)
 ##############################################################################################
-/website/views/pages/pricing.ejs                      @mikermcneil # « CEO is DRI for pricing
 /handbook/company/pricing-features-table.yml          @mikermcneil # « CEO is current DRI for features table
 
 ##############################################################################################

articles/fleet-4.37.0.md

@@ -1,4 +1,4 @@
-# Fleet 4.37.0 | Remote script execution & Puppet support.
+# Fleet 4.37.0 | Puppet support.
 
 ![Fleet 4.37.0](../website/assets/images/articles/fleet-4.37.0-1600x900@2x.png)
 
@@ -13,11 +13,12 @@ For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deplo
 * Puppet support
 * Web user interface improvements
 
+<!--
 ### Introducing cross-platform script execution
 
 _Available in Fleet Premium and Fleet Ultimate_
 
-Fleet adds a significant new feature, allowing IT administrators and security engineers to execute shell scripts across macOS, Windows, and Linux. This addition streamlines processes, offers root-level security control, and enables swift, real-time remediation and investigation. Learn more about Fleet's [cross-platform script execution](introducing-cross-platform-script-execution).
+Fleet adds a significant new feature, allowing IT administrators and security engineers to execute shell scripts across macOS, Windows, and Linux. This addition streamlines processes, offers root-level security control, and enables swift, real-time remediation and investigation. <!-- Learn more about Fleet's [cross-platform script execution](introducing-cross-platform-script-execution). -->
 
 
 ### Vulnerability dashboard

changes/12927-disk-encryption-settings

@@ -0,0 +1 @@
+* Deprecate `mdm.macos_settings.enable_disk_encryption` in favor of `mdm.enable_disk_encryption`

changes/12932-bitlocker-api-updates

@@ -0,0 +1,4 @@
+- Added `GET /mdm/disk_encryption/summary` endpoint to get the disk encryption summary for macOS and
+  Windows devices.
+- Added `os_settings` and `os_settings_disk_encryption` filters to `GET /hosts`, `GET /hosts/count`,
+  `GET /api/v1/fleet/labels/{id}/hosts` endpoints to filter hosts by OS settings.

changes/12933-bitlocker-host-details-api

@@ -0,0 +1 @@
+- Added `mdm.os_settings` to `GET /api/v1/hosts/{id}` response.

changes/bug-13894-failing-policies-styling

@@ -0,0 +1 @@
+* Fix styling for host details/device user failing policies call out

changes/issue-13953-changes-to-controls-page-for-bitlocker

@@ -0,0 +1 @@
+- change Controls/Disk Encryption and host details page to include windows bitlocker information.

changes/issue-13954-orbit-disk-encryption-key

@@ -0,0 +1 @@
+* Added the `POST /api/fleet/orbit/disk_encryption_key` endpoint for Windows hosts to report the bitlocker encryption key.

changes/issue-14007-support-get-windows-encryption-key

@@ -0,0 +1 @@
+* Added support to return the decrypted disk encryption key of a Windows host.

charts/fleet/Chart.yaml

@@ -8,4 +8,4 @@ version: v5.0.1
 home: https://github.com/fleetdm/fleet
 sources:
   - https://github.com/fleetdm/fleet.git
-appVersion: v4.38.0
+appVersion: v4.38.1

charts/fleet/values.yaml

@@ -2,7 +2,7 @@
 # All settings related to how Fleet is deployed in Kubernetes
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
-imageTag: v4.38.0 # Version of Fleet to deploy
+imageTag: v4.38.1 # Version of Fleet to deploy
 podAnnotations: {} # Additional annotations to add to the Fleet pod
 serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
 resources:

cmd/fleet/cron.go

@@ -18,6 +18,7 @@ import (
 	"github.com/fleetdm/fleet/v4/server/contexts/license"
 	"github.com/fleetdm/fleet/v4/server/datastore/mysql"
 	"github.com/fleetdm/fleet/v4/server/fleet"
+	"github.com/fleetdm/fleet/v4/server/mdm"
 	apple_mdm "github.com/fleetdm/fleet/v4/server/mdm/apple"
 	"github.com/fleetdm/fleet/v4/server/policies"
 	"github.com/fleetdm/fleet/v4/server/ptr"
@@ -838,7 +839,7 @@ func verifyDiskEncryptionKeys(
 		if key.UpdatedAt.After(latest) {
 			latest = key.UpdatedAt
 		}
-		if _, err := apple_mdm.DecryptBase64CMS(key.Base64Encrypted, cert.Leaf, cert.PrivateKey); err != nil {
+		if _, err := mdm.DecryptBase64CMS(key.Base64Encrypted, cert.Leaf, cert.PrivateKey); err != nil {
 			undecryptable = append(undecryptable, key.HostID)
 			continue
 		}

cmd/fleetctl/apply_test.go

@@ -1044,13 +1044,13 @@ spec:
           foo: qux
     name: Team1
     mdm:
+      enable_disk_encryption: false
       macos_updates:
         minimum_version: 10.10.10
         deadline: 1992-03-01
       macos_settings:
         custom_settings:
           - %s
-        enable_disk_encryption: false
     secrets:
       - secret: BBB
 `, mobileConfigPath))
@@ -1062,9 +1062,9 @@ spec:
 	require.Equal(t, "[+] applied 1 teams\n", runAppForTest(t, []string{"apply", "-f", name}))
 	assert.JSONEq(t, string(json.RawMessage(`{"config":{"views":{"foo":"qux"}}}`)), string(*savedTeam.Config.AgentOptions))
 	assert.Equal(t, fleet.TeamMDM{
+		EnableDiskEncryption: false,
 		MacOSSettings: fleet.MacOSSettings{
-			CustomSettings:       []string{mobileConfigPath},
-			EnableDiskEncryption: false,
+			CustomSettings: []string{mobileConfigPath},
 		},
 		MacOSUpdates: fleet.MacOSUpdates{
 			MinimumVersion: optjson.SetString("10.10.10"),
@@ -1097,9 +1097,9 @@ spec:
 	require.True(t, ds.NewJobFuncInvoked)
 	// all left untouched, only setup assistant added
 	assert.Equal(t, fleet.TeamMDM{
+		EnableDiskEncryption: false,
 		MacOSSettings: fleet.MacOSSettings{
-			CustomSettings:       []string{mobileConfigPath},
-			EnableDiskEncryption: false,
+			CustomSettings: []string{mobileConfigPath},
 		},
 		MacOSUpdates: fleet.MacOSUpdates{
 			MinimumVersion: optjson.SetString("10.10.10"),
@@ -1129,9 +1129,9 @@ spec:
 	require.Equal(t, "[+] applied 1 teams\n", runAppForTest(t, []string{"apply", "-f", name}))
 	// all left untouched, only bootstrap package added
 	assert.Equal(t, fleet.TeamMDM{
+		EnableDiskEncryption: false,
 		MacOSSettings: fleet.MacOSSettings{
-			CustomSettings:       []string{mobileConfigPath},
-			EnableDiskEncryption: false,
+			CustomSettings: []string{mobileConfigPath},
 		},
 		MacOSUpdates: fleet.MacOSUpdates{
 			MinimumVersion: optjson.SetString("10.10.10"),
@@ -2886,7 +2886,7 @@ spec:
     macos_settings:
       enable_disk_encryption: true
 `,
-			wantErr: `Couldn't update macos_settings because MDM features aren't turned on in Fleet.`,
+			wantErr: `Couldn't edit enable_disk_encryption. Neither macOS MDM nor Windows is turned on`,
 		},
 		{
 			desc: "app config macos_settings.enable_disk_encryption false",

cmd/fleetctl/get.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/fatih/color"
+	"github.com/fleetdm/fleet/v4/pkg/rawjson"
 	"github.com/fleetdm/fleet/v4/pkg/secure"
 	kithttp "github.com/go-kit/kit/transport/http"
 	"gopkg.in/guregu/null.v3"
@@ -167,12 +168,15 @@ func (eacp enrichedAppConfigPresenter) MarshalJSON() ([]byte, error) {
 		*fleet.VulnerabilitiesConfig
 	}
 
-	return json.Marshal(&struct {
-		fleet.EnrichedAppConfig
+	enrichedJSON, err := json.Marshal(fleet.EnrichedAppConfig(eacp))
+	if err != nil {
+		return nil, err
+	}
+
+	extraFieldsJSON, err := json.Marshal(&struct {
 		UpdateInterval  UpdateIntervalConfigPresenter  `json:"update_interval,omitempty"`
 		Vulnerabilities VulnerabilitiesConfigPresenter `json:"vulnerabilities,omitempty"`
 	}{
-		EnrichedAppConfig: fleet.EnrichedAppConfig(eacp),
 		UpdateInterval: UpdateIntervalConfigPresenter{
 			eacp.UpdateInterval.OSQueryDetail.String(),
 			eacp.UpdateInterval.OSQueryPolicy.String(),
@@ -184,6 +188,13 @@ func (eacp enrichedAppConfigPresenter) MarshalJSON() ([]byte, error) {
 			eacp.Vulnerabilities,
 		},
 	})
+	if err != nil {
+		return nil, err
+	}
+
+	// we need to marshal and combine both groups separately because
+	// enrichedAppConfig has a custom marshaler.
+	return rawjson.CombineRoots(enrichedJSON, extraFieldsJSON)
 }
 
 func printConfig(c *cli.Context, config interface{}) error {

cmd/fleetctl/get_test.go

@@ -7,7 +7,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -168,15 +167,15 @@ func TestGetTeams(t *testing.T) {
 				}, nil
 			}
 
-			b, err := ioutil.ReadFile(filepath.Join("testdata", "expectedGetTeamsText.txt"))
+			b, err := os.ReadFile(filepath.Join("testdata", "expectedGetTeamsText.txt"))
 			require.NoError(t, err)
 			expectedText := string(b)
 
-			b, err = ioutil.ReadFile(filepath.Join("testdata", "expectedGetTeamsYaml.yml"))
+			b, err = os.ReadFile(filepath.Join("testdata", "expectedGetTeamsYaml.yml"))
 			require.NoError(t, err)
 			expectedYaml := string(b)
 
-			b, err = ioutil.ReadFile(filepath.Join("testdata", "expectedGetTeamsJson.json"))
+			b, err = os.ReadFile(filepath.Join("testdata", "expectedGetTeamsJson.json"))
 			require.NoError(t, err)
 			// must read each JSON value separately and compact it
 			var buf bytes.Buffer
@@ -206,8 +205,8 @@ func TestGetTeams(t *testing.T) {
 			errBuffer.Reset()
 			actualJSON, err := runWithErrWriter([]string{"get", "teams", "--json"}, &errBuffer)
 			require.NoError(t, err)
-			require.Equal(t, expectedJson, actualJSON.String())
 			require.Equal(t, errBuffer.String() == expiredBanner.String(), tt.shouldHaveExpiredBanner)
+			require.Equal(t, expectedJson, actualJSON.String())
 
 			errBuffer.Reset()
 			actualYaml, err := runWithErrWriter([]string{"get", "teams", "--yaml"}, &errBuffer)
@@ -433,7 +432,7 @@ func TestGetHosts(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			expected, err := ioutil.ReadFile(filepath.Join("testdata", tt.goldenFile))
+			expected, err := os.ReadFile(filepath.Join("testdata", tt.goldenFile))
 			require.NoError(t, err)
 			expectedResults := tt.scanner(string(expected))
 			actualResult := tt.scanner(runAppForTest(t, tt.args))
@@ -536,7 +535,7 @@ func TestGetHostsMDM(t *testing.T) {
 			}
 
 			if tt.goldenFile != "" {
-				expected, err := ioutil.ReadFile(filepath.Join("testdata", tt.goldenFile))
+				expected, err := os.ReadFile(filepath.Join("testdata", tt.goldenFile))
 				require.NoError(t, err)
 				if ext := filepath.Ext(tt.goldenFile); ext == ".json" {
 					// the output of --json is not a json array, but a list of

cmd/fleetctl/testdata/expectedGetConfigAppConfigJson.json

@@ -85,6 +85,7 @@
       "enabled_and_configured": false,
       "apple_bm_default_team": "",
       "windows_enabled_and_configured": false,
+      "enable_disk_encryption": false,
       "macos_updates": {
         "minimum_version": null,
         "deadline": null
@@ -95,8 +96,7 @@
         "webhook_url": ""
       },
       "macos_settings": {
-        "custom_settings": null,
-        "enable_disk_encryption": false
+        "custom_settings": null
       },
       "macos_setup": {
         "bootstrap_package": null,

cmd/fleetctl/testdata/expectedGetConfigAppConfigYaml.yml

@@ -19,6 +19,7 @@ spec:
     enabled_and_configured: false
     apple_bm_default_team: ""
     windows_enabled_and_configured: false
+    enable_disk_encryption: false
     macos_migration:
       enable: false
       mode: ""
@@ -28,7 +29,6 @@ spec:
       deadline: null
     macos_settings:
       custom_settings:
-      enable_disk_encryption: false
     macos_setup:
       bootstrap_package:
       enable_end_user_authentication: false

cmd/fleetctl/testdata/expectedGetConfigIncludeServerConfigJson.json

@@ -43,6 +43,7 @@
       "apple_bm_enabled_and_configured": false,
       "enabled_and_configured": false,
       "windows_enabled_and_configured": false,
+      "enable_disk_encryption": false,
       "macos_updates": {
         "minimum_version": null,
         "deadline": null
@@ -53,8 +54,7 @@
         "webhook_url": ""
       },
       "macos_settings": {
-        "custom_settings": null,
-        "enable_disk_encryption": false
+        "custom_settings": null
       },
       "macos_setup": {
         "bootstrap_package": null,

cmd/fleetctl/testdata/expectedGetConfigIncludeServerConfigYaml.yml

@@ -19,6 +19,7 @@ spec:
     apple_bm_terms_expired: false
     enabled_and_configured: false
     windows_enabled_and_configured: false
+    enable_disk_encryption: false
     macos_migration:
       enable: false
       mode: ""
@@ -28,7 +29,6 @@ spec:
       deadline: null
     macos_settings:
       custom_settings:
-      enable_disk_encryption: false
     macos_setup:
       bootstrap_package:
       enable_end_user_authentication: false

cmd/fleetctl/testdata/expectedGetTeamsJson.json

@@ -24,13 +24,13 @@
 				"enable_software_inventory": true
 			},
 			"mdm": {
+				"enable_disk_encryption": false,
 				"macos_updates": {
 					"minimum_version": null,
 					"deadline": null
 				},
 				"macos_settings": {
-					"custom_settings": null,
-					"enable_disk_encryption": false
+					"custom_settings": null
 				},
 				"macos_setup": {
 					"bootstrap_package": null,
@@ -84,13 +84,13 @@
 				}
 			},
 			"mdm": {
+				"enable_disk_encryption": false,
 				"macos_updates": {
 					"minimum_version": "12.3.1",
 					"deadline": "2021-12-14"
 				},
 				"macos_settings": {
-					"custom_settings": null,
-					"enable_disk_encryption": false
+					"custom_settings": null
 				},
 				"macos_setup": {
 					"bootstrap_package": null,

cmd/fleetctl/testdata/expectedGetTeamsYaml.yml

@@ -7,12 +7,12 @@ spec:
       enable_host_users: true
       enable_software_inventory: true
     mdm:
+      enable_disk_encryption: false
       macos_updates:
         minimum_version: null
         deadline: null
       macos_settings:
         custom_settings:
-        enable_disk_encryption: false
       macos_setup:
         bootstrap_package:
         enable_end_user_authentication: false
@@ -36,12 +36,12 @@ spec:
       enable_host_users: false
       enable_software_inventory: false
     mdm:
+      enable_disk_encryption: false
       macos_updates:
         minimum_version: "12.3.1"
         deadline: "2021-12-14"
       macos_settings:
         custom_settings:
-        enable_disk_encryption: false
       macos_setup:
         bootstrap_package:
         enable_end_user_authentication: false