Fix conflict

.github/workflows/dogfood-deploy.yml

@@ -65,7 +65,7 @@ jobs:
 
       - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
         with:
-          terraform_version: 1.6.3
+          terraform_version: 1.10.2
           terraform_wrapper: false
       - name: Terraform Init
         id: init

CODEOWNERS

@@ -65,9 +65,9 @@ go.mod @fleetdm/go
 #
 # (see website/config/custom.js for DRIs of other paths not listed here)
 ##############################################################################################
-/docs                                           @eashaw
-/docs/REST\ API/rest-api.md                     @iansltx # « REST API reference documentation
-/docs/Contributing/API-for-contributors.md      @iansltx # « Advanced / contributors-only API reference documentation
+/docs                                           @rachaelshaw
+/docs/REST\ API/rest-api.md                     @rachaelshaw # « REST API reference documentation
+/docs/Contributing/API-for-contributors.md      @rachaelshaw # « Advanced / contributors-only API reference documentation
 /schema                                         @eashaw # « Data tables (osquery/fleetd schema) documentation
 /render.yaml                                    @edwardsb
 

articles/role-based-access.md

@@ -34,7 +34,7 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines.
 ## User permissions
 
 | **Action**                                                                                                                                 | Observer | Observer+* | Maintainer | Admin | GitOps* |
-| ------------------------------------------------------------------------------------------------------------------------------------------ | -------- | ---------- | ---------- | ----- | ------- |
+| ------------------------------------------------------------------------------------------------------------------------------------------ | :------: | :--------: | :--------: | :---: | :-----: |
 | View all [activity](https://fleetdm.com/docs/using-fleet/rest-api#activities)                                                              | ✅       | ✅         | ✅         | ✅    |         |
 | Manage [activity automations](https://fleetdm.com/docs/using-fleet/audit-logs)                                 |               |                |                 | ✅         | ✅          |
 | View all hosts                                                                                                                             | ✅       | ✅         | ✅         | ✅    |         |
@@ -123,7 +123,7 @@ Users can be assigned to multiple teams in Fleet.
 Users with access to multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.
 
 | **Action**                                                                                                                       | Team observer | Team observer+ | Team maintainer | Team admin | Team GitOps |
-| -------------------------------------------------------------------------------------------------------------------------------- | ------------- | -------------- | --------------- | ---------- | ----------- |
+| -------------------------------------------------------------------------------------------------------------------------------- | :-----------: | :------------: | :-------------: | :--------: | :---------: |
 | View hosts                                                                                                                       | ✅            | ✅             | ✅              | ✅         |             |
 | View a host by identifier                                                                                                        | ✅            | ✅             | ✅              | ✅         | ✅          |
 | Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels)                                                | ✅            | ✅             | ✅              | ✅         |             |

changes/23512-clarify-expected-behavior-of-host-counts

@@ -0,0 +1,2 @@
+- Clarify expected behavior of policy host counts, dashboard controls software count, and controls
+  os updates versions count.

changes/23823-cloudfront-cdn

@@ -0,0 +1,4 @@
+Allow delivery of bootstrap packages and software installers using signed URLs from CloudFront CDN. To enable, configure server settings:
+- s3_software_installers_cloudfront_url
+- s3_software_installers_cloudfront_url_signing_public_key_id
+- s3_software_installers_cloudfront_url_signing_private_key

changes/24366-success-email-message

@@ -0,0 +1 @@
+- Improve readability of success message on email update by never including the sender address.

changes/24629-ui-os-updates-table

@@ -0,0 +1,2 @@
+- Fixed UI bug on the "Controls" page where incorrect timestamp information was displayed while the
+  "Current versions" table was loading.

changes/24795-host-count

@@ -0,0 +1 @@
+- Fleet UI: Added timestamp for software, OS, and vulnerability detail pages for host count last update time

changes/24804-deleted-profiles

@@ -0,0 +1 @@
+Fixed issue where deleted Apple config profiles were installing on devices because devices were offline when the profile was added.

changes/25004-fleetctl-packge-cli-instructions

@@ -0,0 +1 @@
+- Display command line installation instructions when a package is generated

changes/25144-uninstall-after-mdm-action

@@ -0,0 +1 @@
+* Fixed reporting of software uninstall results after a host has been locked/unlocked

cmd/fleet/main.go

@@ -104,24 +104,25 @@ func applyDevFlags(cfg *config.FleetConfig) {
 		cfg.Prometheus.BasicAuth.Password = "insecure"
 	}
 
-	cfg.S3 = config.S3Config{
-		CarvesBucket:           "carves-dev",
-		CarvesRegion:           "minio",
-		CarvesPrefix:           "dev-prefix",
-		CarvesEndpointURL:      "localhost:9000",
-		CarvesAccessKeyID:      "minio",
-		CarvesSecretAccessKey:  "minio123!",
-		CarvesDisableSSL:       true,
-		CarvesForceS3PathStyle: true,
-
-		SoftwareInstallersBucket:           "software-installers-dev",
-		SoftwareInstallersRegion:           "minio",
-		SoftwareInstallersPrefix:           "dev-prefix",
-		SoftwareInstallersEndpointURL:      "localhost:9000",
-		SoftwareInstallersAccessKeyID:      "minio",
-		SoftwareInstallersSecretAccessKey:  "minio123!",
-		SoftwareInstallersDisableSSL:       true,
-		SoftwareInstallersForceS3PathStyle: true,
+	cfg.S3.CarvesBucket = "carves-dev"
+	cfg.S3.CarvesRegion = "minio"
+	cfg.S3.CarvesPrefix = "dev-prefix"
+	cfg.S3.CarvesEndpointURL = "localhost:9000"
+	cfg.S3.CarvesAccessKeyID = "minio"
+	cfg.S3.CarvesSecretAccessKey = "minio123!"
+	cfg.S3.CarvesDisableSSL = true
+	cfg.S3.CarvesForceS3PathStyle = true
+
+	// Allow the software installers bucket to be overridden in dev mode
+	if cfg.S3.SoftwareInstallersBucket == "" {
+		cfg.S3.SoftwareInstallersBucket = "software-installers-dev"
+		cfg.S3.SoftwareInstallersRegion = "minio"
+		cfg.S3.SoftwareInstallersPrefix = "dev-prefix"
+		cfg.S3.SoftwareInstallersEndpointURL = "localhost:9000"
+		cfg.S3.SoftwareInstallersAccessKeyID = "minio"
+		cfg.S3.SoftwareInstallersSecretAccessKey = "minio123!"
+		cfg.S3.SoftwareInstallersDisableSSL = true
+		cfg.S3.SoftwareInstallersForceS3PathStyle = true
 	}
 
 	cfg.Packaging.S3 = config.S3Config{

cmd/fleet/serve.go

@@ -779,6 +779,8 @@ the way that the Fleet server works.
 					}
 					bootstrapPackageStore = bstore
 					level.Info(logger).Log("msg", "using S3 bootstrap package store", "bucket", config.S3.SoftwareInstallersBucket)
+
+					config.S3.ValidateCloudfrontURL(initFatal)
 				} else {
 					installerDir := os.TempDir()
 					if dir := os.Getenv("FLEET_SOFTWARE_INSTALLER_STORE_DIR"); dir != "" {

cmd/fleetctl/package.go

@@ -377,13 +377,31 @@ func packageCommand() *cli.Command {
 			}
 
 			path, _ = filepath.Abs(path)
+			pathBase := filepath.Base(path)
+			var installInstructions = "double-click the installer"
+			var deviceType string
+			switch c.String("type") {
+			case "pkg":
+				installInstructions += fmt.Sprintf(" or run the command `sudo installer -pkg \"%s\" -target /`", pathBase)
+				deviceType = "macOS"
+			case "deb":
+				installInstructions += fmt.Sprintf(" or run the command `sudo apt install \"%s\"`", pathBase)
+				deviceType = "Debian-based Linux"
+			case "rpm":
+				installInstructions += fmt.Sprintf(" or run the command `sudo dnf install \"%s\"`", pathBase)
+				deviceType = "RPM-based Linux"
+			case "msi":
+				installInstructions += fmt.Sprintf(" or run the command `msiexec /i \"%s\"` as administrator", pathBase)
+				deviceType = "Windows"
+			}
+
 			fmt.Printf(`
 Success! You generated fleetd at %s
 
-To add this device to Fleet, double-click to install fleetd.
+To add a new %s device to Fleet, %s.
 
 To add other devices to Fleet, distribute fleetd using Chef, Ansible, Jamf, or Puppet. Learn how: https://fleetdm.com/learn-more-about/enrolling-hosts
-`, path)
+`, path, deviceType, installInstructions)
 			if !disableOpenFolder {
 				open.Start(filepath.Dir(path)) //nolint:errcheck
 			}

docs/Configuration/agent-configuration.md

@@ -497,7 +497,7 @@ How to update agent options:
 
 The agents may take several seconds to update because Fleet has to wait for the hosts to check in. Additionally, hosts enrolled with removed enroll secrets must properly rotate their secret to have the new changes take effect.
 
-
+> When configuring a value for [`script_execution_timeout`](https://fleetdm.com/docs/configuration/agent-configuration#script-execution-timeout) in the UI, make sure to put the key at the top level of the YAML, _not_ as a child of `config`.  
 
 <meta name="pageOrderInSection" value="300">
 <meta name="description" value="Learn how to use configuration files and the fleetctl command line tool to configure agent options.">

docs/REST API/rest-api.md

@@ -2634,39 +2634,6 @@ Returns the information of the specified host.
   "host": {
     "created_at": "2021-08-19T02:02:22Z",
     "updated_at": "2021-08-19T21:14:58Z",
-    "software": [
-      {
-        "id": 408,
-        "name": "osquery",
-        "version": "4.5.1",
-        "source": "rpm_packages",
-        "browser": "",
-        "generated_cpe": "",
-        "vulnerabilities": null,
-        "installed_paths": ["/usr/lib/some-path-1"]
-      },
-      {
-        "id": 1146,
-        "name": "tar",
-        "version": "1.30",
-        "source": "rpm_packages",
-        "browser": "",
-        "generated_cpe": "",
-        "vulnerabilities": null
-      },
-      {
-        "id": 321,
-        "name": "SomeApp.app",
-        "version": "1.0",
-        "source": "apps",
-        "browser": "",
-        "bundle_identifier": "com.some.app",
-        "last_opened_at": "2021-08-18T21:14:00Z",
-        "generated_cpe": "",
-        "vulnerabilities": null,
-        "installed_paths": ["/usr/lib/some-path-2"]
-      }
-    ],
     "id": 1,
     "detail_updated_at": "2021-08-19T21:07:53Z",
     "last_restarted_at": "2020-11-01T03:01:45Z",
@@ -2714,6 +2681,31 @@ Returns the information of the specified host.
     "percent_disk_space_available": 74,
     "gigs_total_disk_space": 160,
     "disk_encryption_enabled": true,
+    "status": "online",
+    "display_text": "23cfc9caacf0",
+    "issues": {
+        "failing_policies_count": 1,
+        "critical_vulnerabilities_count": 2, // Available in Fleet Premium
+        "total_issues_count": 3
+    },
+    "batteries": [
+      {
+        "cycle_count": 999,
+        "health": "Normal"
+      }
+    ],
+    "geolocation": {
+      "country_iso": "US",
+      "city_name": "New York",
+      "geometry": {
+        "type": "point",
+        "coordinates": [40.6799, -74.0028]
+      }
+    },
+    "maintenance_window": {
+      "starts_at": "2024-06-18T13:27:18−04:00",
+      "timezone": "America/New_York"
+    },
     "users": [
       {
         "uid": 0,
@@ -2766,8 +2758,6 @@ Returns the information of the specified host.
       }
     ],
     "packs": [],
-    "status": "online",
-    "display_text": "23cfc9caacf0",
     "policies": [
       {
         "id": 2,
@@ -2800,29 +2790,39 @@ Returns the information of the specified host.
         "critical": false
       }
     ],
-    "issues": {
-        "failing_policies_count": 1,
-        "critical_vulnerabilities_count": 2, // Fleet Premium only
-        "total_issues_count": 3
-    },
-    "batteries": [
+    "software": [
       {
-        "cycle_count": 999,
-        "health": "Normal"
+        "id": 408,
+        "name": "osquery",
+        "version": "4.5.1",
+        "source": "rpm_packages",
+        "browser": "",
+        "generated_cpe": "",
+        "vulnerabilities": null,
+        "installed_paths": ["/usr/lib/some-path-1"]
+      },
+      {
+        "id": 1146,
+        "name": "tar",
+        "version": "1.30",
+        "source": "rpm_packages",
+        "browser": "",
+        "generated_cpe": "",
+        "vulnerabilities": null
+      },
+      {
+        "id": 321,
+        "name": "SomeApp.app",
+        "version": "1.0",
+        "source": "apps",
+        "browser": "",
+        "bundle_identifier": "com.some.app",
+        "last_opened_at": "2021-08-18T21:14:00Z",
+        "generated_cpe": "",
+        "vulnerabilities": null,
+        "installed_paths": ["/usr/lib/some-path-2"]
       }
     ],
-    "geolocation": {
-      "country_iso": "US",
-      "city_name": "New York",
-      "geometry": {
-        "type": "point",
-        "coordinates": [40.6799, -74.0028]
-      }
-    },
-    "maintenance_window": {
-      "starts_at": "2024-06-18T13:27:18−04:00",
-      "timezone": "America/New_York"
-    },
     "mdm": {
       "encryption_key_available": true,
       "enrollment_status": "On (manual)",

ee/server/service/software_installers.go

@@ -438,10 +438,41 @@ func (svc *Service) UpdateSoftwareInstaller(ctx context.Context, payload *fleet.
 				payload.SelfService = &existingInstaller.SelfService
 			}
 
+			// Get the hosts that are NOT in label scope currently (before the update happens)
+			var hostsNotInScope map[uint]struct{}
+			if dirty["Labels"] {
+				hostsNotInScope, err = svc.ds.GetExcludedHostIDMapForSoftwareInstaller(ctx, payload.InstallerID)
+				if err != nil {
+					return nil, ctxerr.Wrap(ctx, err, "getting hosts not in scope for installer")
+				}
+			}
+
 			if err := svc.ds.SaveInstallerUpdates(ctx, payload); err != nil {
 				return nil, ctxerr.Wrap(ctx, err, "saving installer updates")
 			}
 
+			if dirty["Labels"] {
+				// Get the hosts that are now IN label scope (after the update)
+				hostsInScope, err := svc.ds.GetIncludedHostIDMapForSoftwareInstaller(ctx, payload.InstallerID)
+				if err != nil {
+					return nil, ctxerr.Wrap(ctx, err, "getting hosts in scope for installer")
+				}
+
+				var hostsToClear []uint
+				for id := range hostsInScope {
+					if _, ok := hostsNotInScope[id]; ok {
+						// it was not in scope but now it is, so we should clear policy status
+						hostsToClear = append(hostsToClear, id)
+					}
+				}
+
+				// We clear the policy status here because otherwise the policy automation machinery
+				// won't pick this up and the software won't install.
+				if err := svc.ds.ClearAutoInstallPolicyStatusForHosts(ctx, payload.InstallerID, hostsToClear); err != nil {
+					return nil, ctxerr.Wrap(ctx, err, "failed to clear auto install policy status for host")
+				}
+			}
+
 			// if we're updating anything other than self-service, we cancel pending installs/uninstalls,
 			// and if we're updating the package we reset counts. This is run in its own transaction internally
 			// for consistency, but independent of the installer update query as the main update should stick
@@ -484,7 +515,8 @@ func (svc *Service) UpdateSoftwareInstaller(ctx context.Context, payload *fleet.
 }
 
 func (svc *Service) validateEmbeddedSecretsOnScript(ctx context.Context, scriptName string, script *string,
-	argErr *fleet.InvalidArgumentError) *fleet.InvalidArgumentError {
+	argErr *fleet.InvalidArgumentError,
+) *fleet.InvalidArgumentError {
 	if script != nil {
 		if errScript := svc.ds.ValidateEmbeddedSecrets(ctx, []string{*script}); errScript != nil {
 			if argErr != nil {

frontend/components/LastUpdatedHostCount/LastUpdatedHostCount.stories.tsx

@@ -0,0 +1,23 @@
+import { Meta, StoryObj } from "@storybook/react";
+
+import LastUpdatedHostCount from "./LastUpdatedHostCount";
+
+const meta: Meta<typeof LastUpdatedHostCount> = {
+  title: "Components/LastUpdatedHostCount",
+  component: LastUpdatedHostCount,
+  args: {
+    hostCount: 40,
+  },
+};
+
+export default meta;
+
+type Story = StoryObj<typeof LastUpdatedHostCount>;
+
+export const Basic: Story = {};
+
+export const WithLastUpdatedAt: Story = {
+  args: {
+    lastUpdatedAt: "2021-01-01T00:00:00Z",
+  },
+};