Merge branch 'main' into becca/tuf-rollout-internal

.github/workflows/go.yml

@@ -65,6 +65,11 @@ jobs:
     - name: Build
       run: make -j2 github-build
 
+    - name: Check macOS build target
+      if: contains(matrix.os, 'macos')
+      # this uses grep's exit code
+      run: otool -l build/launcher | grep -A1 "minos 11"
+
     - name: Lipo
       run: make github-lipo
       if: ${{ contains(matrix.os, 'macos') }}
@@ -76,53 +81,89 @@ jobs:
     - name: Test
       run: make test
 
-    # Launcher should always successfully run and exit cleanly when called with `version` -- this is a quick
-    # check to ensure that launcher can update to this build.
-    - name: Test build - macOS and ubuntu
-      if: ${{ contains(matrix.os, 'macos') || contains(matrix.os, 'ubuntu') }}
-      run: |
-        if ! ./build/launcher --version; then
-          echo "launcher.exe --version failed"
-          exit 1
-        fi
-
-    # Launcher should always successfully run and exit cleanly when called with `version` -- this is a quick
-    # check to ensure that launcher can update to this build.
-    - name: Test build - Windows
-      if: ${{ contains(matrix.os, 'windows') }}
-      shell: powershell
-      run: |
-        .\build\launcher.exe --version
-        if( !$? ) {
-          throw "launcher.exe --version failed"
-        }
-
-    - name: Upload Build - Windows
-      if: ${{ contains(matrix.os, 'windows') }}
-      uses: actions/upload-artifact@v2
+    - name: Cache build output
+      uses: actions/cache@v3
       with:
-        name: ${{ matrix.os }}-build
-        path: build/
+        path: ./build
+        key: ${{ runner.os }}-${{ github.run_id }}
+        enableCrossOsArchive: true
 
-    - name: Upload Build - macOS
-      if: ${{ contains(matrix.os, 'macos') }}
-      uses: actions/upload-artifact@v2
+    # upload coverage here, because we don't cache it with the build
+    - name: Upload coverage
+      uses: actions/upload-artifact@v3
       with:
-        name: macos-latest-build
-        path: build/
+        name: ${{ runner.os }}-coverage.out
+        path: coverage.out
 
-    - name: Upload Build - Ubuntu
-      if: ${{ contains(matrix.os, 'ubuntu') }}
-      uses: actions/upload-artifact@v2
+  exec_testing:
+    name: Exec Test
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          # See https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software
+          - ubuntu-20.04
+          - ubuntu-22.04
+          - macos-11
+          - macos-12
+          - macos-13
+          - windows-2019
+          - windows-2022
+    needs: build_and_test
+    steps:
+    - name: cache restore build output
+      uses: actions/cache/restore@v3
       with:
-        name: ubuntu-latest-build
-        path: build/
+        path: ./build
+        key: ${{ runner.os }}-${{ github.run_id }}
+        enableCrossOsArchive: true
 
-    - name: Upload coverage
-      uses: actions/upload-artifact@v2
+    - name: Launcher Version
+      working-directory: build
+      run: ./launcher --version
+
+    - name: Download Osquery
+      working-directory: build
+      run: ./launcher download-osquery --directory .
+
+    - name: Osquery Version
+      working-directory: build
+      run: ./osqueryd --version
+
+    - name: Launcher Doctor
+      working-directory: build
+      run: ./launcher doctor
+
+
+  # If the prior exec tests suceeded, this grabs the cached things, and moves them to artifacts. We ought
+  # be able to do this entirely on ubuntu, so let's try!
+  store_artifacts:
+    name: Store Artifacts
+    runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+      matrix:
+        artifactos:
+          # artifactos needs to match the runner.os set by the builds. (Which is not quite the same as matrix.os)
+          - linux
+          - macos
+          - windows
+    needs: exec_testing
+    steps:
+    - name: cache restore build output
+      uses: actions/cache/restore@v3
       with:
-        name: ${{ matrix.os }}-coverage.out
-        path: coverage.out
+        path: ./build
+        key: ${{ matrix.artifactos }}-${{ github.run_id }}
+        enableCrossOsArchive: true
+
+    - name: Upload Build
+      uses: actions/upload-artifact@v3
+      with:
+        name: ${{ matrix.artifactos }}-build
+        path: build/
+        if-no-files-found: error
 
 
   package_builder_test:
@@ -195,3 +236,4 @@ jobs:
     needs:
       - build_and_test
       - package_builder_test
+      - exec_testing

Makefile

@@ -5,6 +5,11 @@ all: build
 GOPATH ?= $(HOME)/go
 PATH := $(GOPATH)/bin:$(PATH)
 
+
+# Set the target version of macOS. This is an ENV that is consumed by go build (and downstream c pieces)
+# It's set here, and not in the GitHub Actions tooling, so that we notice build warnings.
+export MACOSX_DEPLOYMENT_TARGET = 11
+
 export GO111MODULE=on
 
 # If not windows, set the shell to bash explicitly

cmd/launcher/main.go

@@ -127,6 +127,8 @@ func runSubcommands() error {
 		run = runInteractive
 	case "desktop":
 		run = runDesktop
+	case "download-osquery":
+		run = runDownloadOsquery
 	case "uninstall":
 		run = runUninstall
 	default:

cmd/launcher/run_download_osquery.go

@@ -0,0 +1,58 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+	"time"
+
+	"github.com/kolide/kit/fsutil"
+	"github.com/kolide/launcher/pkg/packaging"
+)
+
+// runDownloadOsquery downloads the stable osquery to the provided path. It's meant for use in out CI pipeline.
+func runDownloadOsquery(args []string) error {
+	fs := flag.NewFlagSet("launcher download-osquery", flag.ExitOnError)
+
+	var (
+		flChannel = fs.String("channel", "stable", "What channel to download from")
+		flDir     = fs.String("directory", ".", "Where to download osquery to")
+	)
+
+	if err := fs.Parse(args); err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute*2)
+	defer cancel()
+
+	target := packaging.Target{}
+	if err := target.PlatformFromString(runtime.GOOS); err != nil {
+		return fmt.Errorf("error parsing platform: %w, %s", err, runtime.GOOS)
+	}
+
+	// We're reusing packaging code, which is based around having a persistent cache directory. It's not quite what
+	// we want but it'll do
+	cacheDir, err := os.MkdirTemp("", "osquery-download")
+	if err != nil {
+		return fmt.Errorf("creating temp cache dir: %w", err)
+	}
+	defer os.RemoveAll(cacheDir)
+
+	dlpath, err := packaging.FetchBinary(ctx, cacheDir, "osqueryd", target.PlatformBinaryName("osqueryd"), *flChannel, target)
+	if err != nil {
+		return fmt.Errorf("error fetching binary osqueryd binary: %w", err)
+	}
+
+	outfile := filepath.Join(*flDir, filepath.Base(dlpath))
+	if err := fsutil.CopyFile(dlpath, outfile); err != nil {
+		return fmt.Errorf("error copying binary osqueryd binary: %w", err)
+	}
+
+	fmt.Printf("Downloaded to: %s\n", outfile)
+
+	return nil
+}

ee/desktop/runner/server/server.go

@@ -123,23 +123,25 @@ func (ms *RunnerServer) authMiddleware(next http.Handler) http.Handler {
 			return
 		}
 
-		ms.mutex.Lock()
-		defer ms.mutex.Unlock()
-
-		key := ""
-		for k, v := range ms.desktopProcAuthTokens {
-			if v == authHeader[1] {
-				key = k
-				break
-			}
-		}
-
-		if key == "" {
-			level.Debug(ms.logger).Log("msg", "no key found for desktop auth token")
+		if !ms.isAuthTokenValid(authHeader[1]) {
+			level.Debug(ms.logger).Log("msg", "invalid desktop auth token")
 			w.WriteHeader(http.StatusUnauthorized)
 			return
 		}
 
 		next.ServeHTTP(w, r)
 	})
 }
+
+func (ms *RunnerServer) isAuthTokenValid(authToken string) bool {
+	ms.mutex.Lock()
+	defer ms.mutex.Unlock()
+
+	for _, v := range ms.desktopProcAuthTokens {
+		if v == authToken {
+			return true
+		}
+	}
+
+	return false
+}

go.mod

@@ -41,11 +41,11 @@ require (
 	go.opencensus.io v0.23.0
 	golang.org/x/crypto v0.4.0
 	golang.org/x/exp v0.0.0-20221126150942-6ab00d035af9
-	golang.org/x/image v0.5.0
+	golang.org/x/image v0.10.0
 	golang.org/x/net v0.10.0
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
+	golang.org/x/sync v0.1.0
 	golang.org/x/sys v0.8.0
-	golang.org/x/text v0.9.0
+	golang.org/x/text v0.11.0
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0
 	google.golang.org/grpc v1.55.0
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
@@ -55,10 +55,10 @@ require (
 
 require (
 	github.com/apache/thrift v0.16.0
-	github.com/fatih/color v1.15.0
+	github.com/github/smimesign v0.2.0
+	github.com/golang-jwt/jwt/v5 v5.0.0
 	github.com/kolide/systray v1.10.4
 	github.com/kolide/toast v1.0.0
-	github.com/mitchellh/go-homedir v1.1.0
 	github.com/shirou/gopsutil/v3 v3.23.3
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.16.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.16.0
@@ -67,8 +67,6 @@ require (
 require (
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
-	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
-	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0 // indirect
 	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
@@ -83,7 +81,7 @@ require (
 	github.com/bugsnag/panicwrap v1.2.0 // indirect
 	github.com/cenkalti/backoff v2.0.0+incompatible // indirect
 	github.com/cloudflare/cfssl v0.0.0-20181102015659-ea4033a214e7 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.1
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/go v1.5.1-1 // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
@@ -103,8 +101,6 @@ require (
 	github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a // indirect
 	github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/miekg/pkcs11 v0.0.0-20180208123018-5f6e0d0dad6f // indirect
 	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
@@ -115,7 +111,7 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.5.0 // indirect
-	github.com/shoenig/go-m1cpu v0.1.4 // indirect
+	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/smartystreets/goconvey v1.6.4 // indirect
 	github.com/spf13/viper v1.8.1 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect