
Policy automations: run script - Backend main #22115

Closed
30 tasks done
sharon-fdm opened this issue Sep 16, 2024 · 6 comments
Labels
#g-endpoint-ops Endpoint ops product group :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~sub-task A technical sub-task that is part of a story. (Not QA'd. Not estimated.)
Comments

sharon-fdm commented Sep 16, 2024

Checklist inspired by what we needed for #19551 on the backend

API documentation

See https://github.com/fleetdm/fleet/pull/22315/files

  • Script linking on policy GET
  • Script linking on policy POST

API

  • Script linking on policy GET
  • Script linking on policy POST

DB migrations

See server/datastore/mysql/migrations/tables/20240829170024_PolicyAutomaticInstallSoftware.go

  • New column in policies (fkey to scripts)
    - [ ] Potentially script author info, potentially with join table for user tombstones? Script activities don't have an author, so we can skip this

Policies service

  • Add/update types for API payload/response

Global policies service

  • Populate script info in GetPolicyByIDQueries

Team policies service

  • Add script ID to team policy type
  • Add mapping of script ID in teamPolicyEndpoint
  • Add mapping of script ID in NewTeamPolicy
  • Add mapping of script ID in newTeamPolicyPayloadToPolicyPayload
  • Implement populatePolicyRunScript
  • Populate policy script details in ListTeamPolicies for direct
  • Populate policy script details in ListTeamPolicies for inherited
  • Populate policy script details in GetTeamPolicyByIDQueries
  • Add script hook to modifyPolicy
  • Clear policy results and stats when setting or changing a script (equivalent to Clear policy results and stats when setting or changing an installer #22053)

Orbit service

  - [ ] Save authorship on script execution, with nil fallback. Script run activities don't have a script author, so nothing needed here

osquery service

  • Add processScriptsForNewlyFailingPolicies
  • Don't queue scripts for vanilla osquery hosts (or hosts with scripts disabled)
  • Don't queue scripts that are already queued

Policies datastore

Scripts datastore

  • Fail to delete a script associated with a policy (see software_installers DeleteSoftwareInstaller)

Teams data store

  • Update comment on DeleteTeam to reference scripts as well as installers

Testing client

  • Add cleanup of no-team scripts?
@sharon-fdm sharon-fdm added the :product Product Design department (shows up on 🦢 Drafting board) label Sep 16, 2024
@sharon-fdm sharon-fdm added :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. #g-endpoint-ops Endpoint ops product group ~sub-task A technical sub-task that is part of a story. (Not QA'd. Not estimated.) and removed :product Product Design department (shows up on 🦢 Drafting board) labels Sep 16, 2024
@sharon-fdm sharon-fdm assigned iansltx and unassigned lucasmrod Sep 19, 2024
@iansltx iansltx added this to the 4.58.0-tentative milestone Sep 23, 2024
iansltx commented Sep 25, 2024

"No team" policies PR:

https://github.com/fleetdm/fleet/pull/21972/files


iansltx commented Oct 3, 2024

So things don't get lost in the noise of #17129, @xpkoala I'll add a test plan here.

iansltx added a commit that referenced this issue Oct 4, 2024
#22115, #22116

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

No changes file, as FE changes file covers the entire feature

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Manual QA for all new/changed functionality

---------

Co-authored-by: Jacob Shandling <[email protected]>
Co-authored-by: Tim Lee <[email protected]>
iansltx commented Oct 6, 2024

@xpkoala Test plan:

Migration

  • Starting with a script and policy created in <= 4.57.x works for these automation workflows

Regression avoidance

  • Manual script execution works
  • Manual script execution errors when the same script is already queued
  • Software install automation works (@jacobshandling and I QA'd this one for 4.57 if you need pointers), on both team and no-team

UI

  • Script automation is available for teams, including No Team
  • Script automation is not available for global policies
  • Script automation dialog allows adding/changing/removing scripts from team-specific policies (global-inherited policies should not be shown)
  • Scripts error on deletion attempt if they are associated with a policy, with useful error text
  • Scripts can be deleted if they are removed from a policy automation
  • Adding or changing a script automation for a policy clears that policy's stats/host statuses
  • Removing a script automation for a policy does not clear that policy's stats/host statuses
  • Changing a policy's name does not clear that policy's status/host statuses

Policy automation execution

  • Known issue: No author on upcoming/past script run activity (fix incoming, pending product confirmation)

  • PowerShell scripts work on Windows
  • shell scripts work on macOS
  • zsh scripts work
  • shell scripts work on Linux
  • Pending activity visible for script run once queued
  • Script run activity shows in Past once executed
  • Manual script run fails when a policy failure has queued the same script

No-ops

  • Passing policies
  • Policies not assigned to the host's platform, even if the script could run (e.g. policy for macOS that would run a shell script, but host is Linux)
  • Policies with no script automation
  • Identical policy on another team has a script automation, but this team's policy version doesn't
  • Policies failing -> failing
  • Vanilla osquery
  • Host scripts are not enabled (if we don't have up to date information server-side, this may be an attempted run, followed by an exit code of -2)
  • Scripts are globally disabled
  • Too many (1k+) pending scripts (can test this with an offline host)
  • Same script is already pending for this host
  • Host is Windows and script is a shell script
  • Host is not-Windows and script is a PowerShell script

GitOps

  • Known issue: Non-functional on no-team due to path mismatch (so test on a different team; fix incoming as part of GitOps script path fix)
  • Succeeds in setting up (confirm via UI) with correct YAML in team
    ```yaml
    controls:
      scripts:
        - path: ../path/to/script.sh
    policies:
      - # normal policy
        run_script:
          path: ../path/to/script.sh
    ```
  • Succeeds when policy is defined in its own file, in a directory at a different nesting level than the team file

^^ I think this will fail right now. Will test this as part of the other known issue on GitOps paths

Changing existing configuration

  • If policy automation is dropped from YAML, it's dropped on-apply to the server
  • If policy automation is dropped and script is dropped from YAML, application is successful (script is deleted, policy automation is removed, no fkey issues)
  • If script contents change but path does not, script is updated in-place but policy is not reset
  • If script path changes (need to change in both controls and run_script), policy status/hosts are reset

Validation errors

  • Fails when attempted on global
  • Fails when script not found at path
  • Fails when script isn't also specified for the team
  • Fails on malformed YAML (e.g. missing value on path property)
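The queuing rules from the osquery service checklist in the opening comment ("Add processScriptsForNewlyFailingPolicies", "Don't queue scripts for vanilla osquery hosts", "Don't queue scripts that are already queued") and the No-ops list in this test plan, pulled together as one decision function. This is an added example, not Fleet's code: the Host and Policy types, the 1000-script cap, normalizing host platforms to darwin/linux/windows, picking script type by file extension, and treating "newly failing" as a passing-to-failing transition are all assumptions.

```go
package main

import "path/filepath"

// Host holds the per-host facts the gating checks need (hypothetical type, not Fleet's).
type Host struct {
	Platform       string // assumed normalized to "darwin", "linux" or "windows"
	HasOrbit       bool   // false for vanilla osquery hosts, which cannot run scripts
	ScriptsEnabled bool   // host-level scripts setting as last reported to the server
	PendingScripts []uint // IDs of scripts already queued for this host
}

// Policy is the subset of policy fields that matter here (hypothetical type).
type Policy struct {
	Platforms  []string // empty means the policy applies to every platform
	ScriptID   *uint    // nil when the policy has no run-script automation
	ScriptPath string   // e.g. "fix.sh" or "fix.ps1"
}

const maxPendingScripts = 1000 // assumed per-host cap; the test plan only says "1k+"
func has[T comparable](xs []T, v T) bool {
	for _, x := range xs {
		if x == v {
			return true
		}
	}
	return false
}

// ShouldQueueScript reports whether the host's new result for p should enqueue p's script; the string names the blocking no-op rule.
func ShouldQueueScript(wasPassing, nowPassing, scriptsGloballyEnabled bool, h Host, p Policy) (bool, string) {
	wantsPS1 := filepath.Ext(p.ScriptPath) == ".ps1" // assumption: script type is taken from the extension
	switch {
	case p.ScriptID == nil:
		return false, "policy has no script automation"
	case nowPassing || !wasPassing:
		return false, "not a newly failing result (passing, or failing -> failing)"
	case len(p.Platforms) > 0 && !has(p.Platforms, h.Platform):
		return false, "policy not assigned to the host's platform"
	case !h.HasOrbit || !scriptsGloballyEnabled || !h.ScriptsEnabled:
		return false, "vanilla osquery host, or scripts disabled globally or on the host"
	case len(h.PendingScripts) >= maxPendingScripts:
		return false, "too many pending scripts for this host"
	case has(h.PendingScripts, *p.ScriptID):
		return false, "same script already pending for this host"
	case (h.Platform == "windows") != wantsPS1:
		return false, "script type does not match host platform"
	}
	return true, ""
}
```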

@fleet-release commented

Script links in view,
Fleet's policies now imbued,
Efficient, we flew.
