Fleet - Open source device management, built on osquery.


Fleet is the most widely used open source osquery manager. Deploying osquery with Fleet enables programmable live queries, streaming logs, and effective management of osquery across 100,000+ servers, containers, and laptops. It's especially useful for talking to multiple devices at the same time.

Try Fleet

With Node.js and Docker installed:

# Install the Fleet command-line tool
sudo npm install -g fleetctl
# Run a local demo of the Fleet server
sudo fleetctl preview

Windows users can omit sudo.

The Fleet UI is now available at http://localhost:1337.

Now what?

Check out the Ask questions about your devices tutorial to learn where to see your devices in Fleet, how to add Fleet's standard query library, and how to ask questions about your devices by running queries.

Team

Fleet is independently backed and actively maintained with the help of many amazing contributors.

🎉 Announcing the transition of Fleet to a new independent entity 🎉

Please check out the blog post to understand what is happening with Fleet and our commitment to improving the product. To upgrade from Fleet ≤3.2.0, just grab the latest release from this repository (it'll work out of the box).

Documentation

Documentation for Fleet can be found here.

Community

Chat

Please join us in the #fleet channel on osquery Slack.

Contributing

Contributions are welcome, whether you answer questions on Slack/GitHub/StackOverflow/Twitter, improve the documentation or website, write a tutorial, give a talk, start a local osquery meetup, troubleshoot reported issues, or submit a patch. The Fleet code of conduct is on GitHub.


Comments
  • Update Fleet Desktop to ensure it always uses the latest token


    Goal

    The URL for "My Device" is a static link that can be visited by everyone if someone shares that link. It can also be brute-forced. This is a blocker for some customers to deploying Fleet Desktop. The server will rotate the url. The fleet desktop agent should be in sync with the server.

    Figma

    https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=7170%3A271466

    Parent Epic

    • #6064

    How?

    Fleet Server

    New columns will be needed in host_device_auth (created_at, updated_at and accessed_at). Fleet Server will consider tokens as expired if now - updated_at > 1h. APIs will return the usual authentication error when a token is expired. On this first iteration we won't be renewing a token validity when the user visits the URL.

    For good UX Fleet server will have to return the orbit_info SELECT on every distributed/read (we could alternatively add some small interval for this specific query, if need be). We will use the cached_mysql to not perform unnecessary token insertions on every distributed/write. Also token updating should do a INSERT ON DUPLICATE KEY token=token, and not update updated_at.

    TBD: We will have to check for values of distributed_interval and token expiration time (e.g. if distributed_interval is too long, e.g. ~1h then we cannot make token expiration be 1h, Fleet Desktop won't work well).

    Orbit

    Orbit will attempt to rotate the token every ~1h, by checking mtime of $ROOT_DIR/identifier. If more than 1h has passed since the last update, it will (0) generate a new token, (1) wait for Fleet to ingest the value, and (2) update the file. Such file will now need to be world-accessible so that Fleet Desktop that runs as user can read it.

    Fleet Desktop

    Fleet Desktop won't receive the token as environment variable anymore. Fleet Desktop will now have to receive the path to the identifier file as a new environment variable. Fleet Desktop will check the mtime of such file and if it changes will reload the token in memory (3). Fleet Desktop will check the validity of the token before updating the menu item URL (4).

    We should rename the menu item from "Initializing..." to "Connecting...", as the token will now change regularly.

    Diagram

    Following is the full diagram for the token flow, from generation to usage:

    graph LR;
    A[Fleet Server];
    subgraph Device
        direction TB;
        subgraph root
            direction TB;
                B[Orbit];
                B -- "(0) Rotate token<br>(every X mins)" --> B
            D[osqueryd];
        end
        B -- "(2) Update token" --> I
        I["/opt/orbit/identifier"];
        E[Fleet Desktop];
    end
    D -- "(1) osquery API<br>(token write)" ----> A;
    B -- "(1) Update token<br>via extension" --> D;
    E -- "(4) Fleet Desktop API<br>(using token)" ----> A;
    E -- "(3) Read token<br>(check mtime)" --> I;
    
    

    Notes

    • Depending on whether Fleet Desktop has been advertised as stable, we'll have to make sure changes are backwards compatible (so that a new Orbit can work with an old Fleet Desktop and vice-versa).
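The rotation rules described above, as an added Go example that is not Orbit's or Fleet's own code: the server-side expiry rule (now - updated_at > 1h), the Orbit-side mtime check, an atomic world-readable write of the identifier file, and the Fleet Desktop reload that only re-reads the file when its mtime changes. The 1h window is the one from the issue; the token format (32 random bytes as hex), the temp-file path and the demo directory are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// tokenTTL is the 1h window from the issue: the server rejects a token whose
// updated_at is older than this, and Orbit rotates when the file is older.
const tokenTTL = time.Hour

// TokenExpired is the server-side rule: expired when now - updated_at > 1h.
func TokenExpired(updatedAt, now time.Time) bool {
	return now.Sub(updatedAt) > tokenTTL
}

// NeedsRotation is the Orbit-side rule: rotate when the identifier file's
// mtime is more than 1h old.
func NeedsRotation(mtime, now time.Time) bool {
	return now.Sub(mtime) > tokenTTL
}

// NewToken returns 32 random bytes as 64 hex characters (the token format is
// an assumption; the issue does not specify one).
func NewToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// WriteIdentifier writes the token to a temp file and renames it into place so
// a reader never sees a partial token, then forces mode 0644 regardless of
// umask: world-readable for Fleet Desktop (which runs as the user), writable
// only by the owner (Orbit runs as root).
func WriteIdentifier(path, token string) error {
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, []byte(token), 0o644); err != nil {
		return err
	}
	if err := os.Chmod(tmp, 0o644); err != nil {
		return err
	}
	return os.Rename(tmp, path)
}

// ReloadIfChanged is the Fleet Desktop side: it stats the file and re-reads
// the token only when the mtime differs from the last one it saw.
func ReloadIfChanged(path string, lastMtime time.Time, current string) (token string, mtime time.Time, changed bool, err error) {
	fi, err := os.Stat(path)
	if err != nil {
		return "", lastMtime, false, err
	}
	if fi.ModTime().Equal(lastMtime) {
		return current, lastMtime, false, nil
	}
	b, err := os.ReadFile(path)
	if err != nil {
		return "", lastMtime, false, err
	}
	return string(b), fi.ModTime(), true, nil
}

func main() {
	// Stand-alone demo using a temp dir in place of $ROOT_DIR/identifier.
	dir, err := os.MkdirTemp("", "orbit-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "identifier")

	tok, _ := NewToken()
	if err := WriteIdentifier(path, tok); err != nil {
		panic(err)
	}
	got, mt, changed, _ := ReloadIfChanged(path, time.Time{}, "")
	fmt.Printf("loaded=%v same=%v mtime=%s\n", changed, got == tok, mt.Format(time.RFC3339))
	fmt.Println("needs rotation in 2h:", NeedsRotation(mt, mt.Add(2*time.Hour)))
}
```

The explicit Chmod matters: os.WriteFile applies the process umask, so a root process with umask 077 would otherwise produce a file Fleet Desktop cannot read.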
  • Global policies: Add ability to configure automations for policies


    Goal

    As a user, I want to specify a webhook URL where alerts about policies can be sent so that I'm able to easily create a ticket that includes what host is failing which policy.

    Figma

    Add ability to configure alerts for policies: https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/?node-id=3124%3A81417

    Tasks

    1

    • [ ] Update webhook_settings in app config to allow for the following json:
    {
      "webhook_settings": {
        "failing_policies_webhook": {
          "enable_failing_policies_webhook": true,
          "destination_url": "http://some/url",
          "policy_ids": [1, 2, 3]
        },
        "interval": "1h"
      }
    }
    

    webhook_status.interval will also impact this webhook.

    This webhook, when set, will make Fleet check on policies that are global, not team specific. More on how this will be done below.

    This data must also be available when GETting app config.

    Webhook Payload

    {
        "timestamp": "2021-12-02T16:55:23Z",
        "policy": {
            "id": 1,
            "name": "Gatekeeper enabled",
            "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
            "description": "Checks if gatekeeper is enabled on macOS devices",
            "author_id": 42,
            "author_name": "John",
            "author_email": "[email protected]",
            "resolution": "Resolution steps",
            "passing_host_count": 2000,
            "failing_host_count": 300
        },
        "hosts": [
            {
                "id": 11,
                "hostname": "laptop-1",
                "url": "https://fleet.example.com/hosts/11"
            },
            {
                "id": 12,
                "hostname": "laptop-2",
                "url": "https://fleet.example.com/hosts/12"
            }
        ]
    }
    

    (timestamp is the webhook request send time.)

    2

    • [ ] For triggering the webhooks, this will happen in two separate steps: collection and trigger.
    1. Collection: The failing policies webhook will be triggered in two scenarios: when a host fails a policy and it's the first time it executes that policy, and when a host fails a policy that it had previously passed. For this, when a host fails a policy, we should check the state of the policy for that host and add this host id to a redis set called policy_failure_{policy id} (SADD). This will only happen for policies that are configured for webhooks, so potentially some caching on the checks will be needed.
    2. Trigger: A fleet instance will hold the webhook lock (this is already implemented for the host status webhook; this would extend that functionality). Looping through all the policies that have webhooks configured, it'll get the host ids from the policy failure sets using SMEMBERS, trigger the webhook calls, and then remove the host ids from the sets with SREM. This means that if a host is added to the set while this logic is happening, it'll be added to the set and picked up the next time.

    There shouldn't be a race between a case where a host fails and then it passes, given that policies are updated at 1hr intervals by default, and it's not usually lower than that.
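The collection and trigger steps, as an added Go example that is not Fleet's code: an in-memory set plays the role of the redis set policy_failure_{policy id} (its methods mirror SADD, SMEMBERS and SREM), Record applies the two conditions (first execution fails, or previously passed and now fails), and Trigger removes only the ids it actually sent, so a host added while the webhook call is in flight stays queued for the next run. The redis stand-in, the send callback and the host ids are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
)

// FailureSet stands in for the redis set policy_failure_{policy id}; its
// three methods mirror SADD, SMEMBERS and SREM.
type FailureSet struct {
	mu      sync.Mutex
	members map[uint]struct{}
}

func NewFailureSet() *FailureSet {
	return &FailureSet{members: map[uint]struct{}{}}
}

func (s *FailureSet) SAdd(hostID uint) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.members[hostID] = struct{}{}
}

func (s *FailureSet) SMembers() []uint {
	s.mu.Lock()
	defer s.mu.Unlock()
	ids := make([]uint, 0, len(s.members))
	for id := range s.members {
		ids = append(ids, id)
	}
	sort.Slice(ids, func(i, j int) bool { return ids[i] < ids[j] })
	return ids
}

func (s *FailureSet) SRem(hostIDs ...uint) {
	s.mu.Lock()
	defer s.mu.Unlock()
	for _, id := range hostIDs {
		delete(s.members, id)
	}
}

// PolicyCollector implements the collection step for one webhook-enabled
// policy. prev holds the last result per host (absent = never executed).
type PolicyCollector struct {
	PolicyID uint
	prev     map[uint]bool
	Set      *FailureSet
}

func NewPolicyCollector(policyID uint) *PolicyCollector {
	return &PolicyCollector{PolicyID: policyID, prev: map[uint]bool{}, Set: NewFailureSet()}
}

// Record applies the two trigger conditions: the host is added to the set
// when it fails and either (a) this is its first execution of the policy or
// (b) it previously passed. A host that keeps failing is not re-added.
func (c *PolicyCollector) Record(hostID uint, passed bool) bool {
	prevPassed, seen := c.prev[hostID]
	c.prev[hostID] = passed
	if passed {
		return false
	}
	if !seen || prevPassed {
		c.Set.SAdd(hostID)
		return true
	}
	return false
}

// Trigger is the step run by the instance holding the webhook lock: SMEMBERS,
// send, then SREM of exactly the ids that were sent, so a host added while
// the call is in flight stays in the set for the next run. On a send error
// nothing is removed, so the batch is retried next time.
func (c *PolicyCollector) Trigger(send func(policyID uint, hostIDs []uint) error) ([]uint, error) {
	ids := c.Set.SMembers()
	if len(ids) == 0 {
		return nil, nil
	}
	if err := send(c.PolicyID, ids); err != nil {
		return nil, err
	}
	c.Set.SRem(ids...)
	return ids, nil
}

func main() {
	c := NewPolicyCollector(1)
	c.Record(11, false) // first execution, failing -> queued
	c.Record(12, true)  // passing -> nothing
	c.Record(12, false) // was passing, now failing -> queued
	c.Record(11, false) // still failing -> not re-queued
	sent, _ := c.Trigger(func(policyID uint, ids []uint) error {
		fmt.Printf("webhook for policy %d: hosts %v\n", policyID, ids)
		return nil
	})
	fmt.Println("sent:", sent, "remaining:", c.Set.SMembers())
}
```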

  • Add Jira integration and create Jira tickets for software vulnerabilities


    Goal

    As a Fleet user, I want to use Fleet in my vulnerability ticketing workflow so that I don't have to manually create tickets for new vulnerabilities (CVEs) or configure the webhook to create them for me.

    NOTE: We will only support Jira Cloud in this first iteration using the v2 API. We are choosing to integrate with the v2 API and not the v3 API because it is more likely that older hosted versions of Jira Server will support v2 API. In the future, we may upgrade to using the v3 API if we need one of the new features.

    Related

    • Epic: #4523
    • Frontend (blocked): #2936
    • Jira Cloud Setup (done) https://fleetdm.atlassian.net/: #4579

    Figma

    Integrations for vulnerability automations: https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=3905%3A218712

    Jira ticket template

    Summary (what Jira calls a name or title):

    <CVE identifier> detected on <Number of affected hosts> hosts
    

    Description:

    See vulnerability (CVE) details in National Vulnerability Database (NVD) here: <Link to CVE details in NVD>
    
    Affected hosts:
    <Hostname1>: <Link to Host details page>
    <Hostname2>: <Link to Host details page>
    <Hostname3>: <Link to Host details page>
    <Hostname4>: <Link to Host details page>
    ...
    <Hostname50>: <Link to Host details page>
    
    View the affected software and more affected hosts:
    1. Go to the **Software** page in Fleet: <Link to Software page in Fleet>
    2. Above the list of software, in the **Search software** box, enter <CVE identifier>.
    3. Hover over the affected software and select **View all hosts**.
    

    --

    This issue was created automatically by your Fleet to Jira integration.

    
    Tasks

    1

    • [x] Add support for a new integrations object in the app_config_json table.
    • Use the following structure:
    {
        "integrations": {
            "jira": [
                {
                    "url": "https://example.jira.com",
                    "username": "adminUser",
                    "password": "abc123",
                    "project_key": "PROJECT",
                    "enable_software_vulnerabilities": false
                }
            ]
        }
    }
    

    2

    • [x] When a new software vulnerability automation is triggered, determine if either a Jira integration or webhook is enabled.
    • Both configuration objects are stored in the app_config_json table using the following structure:
    {
        "integrations": {
            "jira": [
                {
                    "url": "https://example.jira.com",
                    "username": "adminUser",
                    "password": "abc123",
                    "project_key": "PROJECT",
                    "enable_software_vulnerabilities": false
                }
            ]
        },
        "webhook_settings": {
            "vulnerabilities_webhook": {
                "enable_vulnerabilities_webhook": true,
                "destination_url": "https://server.com",
                "host_batch_size": 1000
            }
        }
    }
    
    • If webhook_settings.vulnerabilities_webhook.enable_vulnerabilities_webhook: true, send the notification through the existing webhook flow.
    • If integrations.jira[<index>].enable_software_vulnerabilities: true, create a new ticket in the selected Jira integration.
    • Enforce that both webhook and Jira cannot both be enabled. We will only support one automation path at a time.
    • Enforce that multiple Jira configurations can be added to the integrations.jira array, but only one can be set enable_software_vulnerabilities: true.
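The two rules from this task (webhook and Jira never both enabled; at most one Jira integration enabled), as an added Go example that is not Fleet's implementation. The structs follow the JSON structure above, SampleConfig is a constructed app_config_json, and SelectAutomation shows which path a new vulnerability would take once the config passes validation.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

type JiraIntegration struct {
	URL                           string `json:"url"`
	Username                      string `json:"username"`
	Password                      string `json:"password"`
	ProjectKey                    string `json:"project_key"`
	EnableSoftwareVulnerabilities bool   `json:"enable_software_vulnerabilities"`
}

type VulnerabilitiesWebhook struct {
	Enable         bool   `json:"enable_vulnerabilities_webhook"`
	DestinationURL string `json:"destination_url"`
	HostBatchSize  int    `json:"host_batch_size"`
}

// AppConfig holds only the two objects the issue describes.
type AppConfig struct {
	Integrations struct {
		Jira []JiraIntegration `json:"jira"`
	} `json:"integrations"`
	WebhookSettings struct {
		VulnerabilitiesWebhook VulnerabilitiesWebhook `json:"vulnerabilities_webhook"`
	} `json:"webhook_settings"`
}

var (
	ErrBothEnabled  = errors.New("webhook and Jira vulnerability automations cannot both be enabled")
	ErrMultipleJira = errors.New("only one Jira integration may have enable_software_vulnerabilities set")
)

// ValidateVulnAutomations enforces the two rules from task 2: at most one
// Jira integration enabled, and never Jira and webhook at the same time.
func ValidateVulnAutomations(cfg *AppConfig) error {
	enabledJira := 0
	for _, j := range cfg.Integrations.Jira {
		if j.EnableSoftwareVulnerabilities {
			enabledJira++
		}
	}
	if enabledJira > 1 {
		return ErrMultipleJira
	}
	if enabledJira == 1 && cfg.WebhookSettings.VulnerabilitiesWebhook.Enable {
		return ErrBothEnabled
	}
	return nil
}

// SelectAutomation decides which path a new vulnerability takes:
// "webhook", "jira" (with the enabled integration) or "none".
func SelectAutomation(cfg *AppConfig) (string, *JiraIntegration, error) {
	if err := ValidateVulnAutomations(cfg); err != nil {
		return "", nil, err
	}
	if cfg.WebhookSettings.VulnerabilitiesWebhook.Enable {
		return "webhook", nil, nil
	}
	for i := range cfg.Integrations.Jira {
		if cfg.Integrations.Jira[i].EnableSoftwareVulnerabilities {
			return "jira", &cfg.Integrations.Jira[i], nil
		}
	}
	return "none", nil, nil
}

// ParseAppConfig decodes the app_config_json document.
func ParseAppConfig(raw []byte) (*AppConfig, error) {
	var cfg AppConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("app_config_json: %w", err)
	}
	return &cfg, nil
}

// SampleConfig is a constructed app_config_json with only Jira enabled.
const SampleConfig = `{
  "integrations": {"jira": [
    {"url": "https://example.jira.com", "username": "adminUser", "password": "abc123",
     "project_key": "PROJECT", "enable_software_vulnerabilities": true}
  ]},
  "webhook_settings": {"vulnerabilities_webhook": {
    "enable_vulnerabilities_webhook": false, "destination_url": "https://server.com", "host_batch_size": 1000}}
}`

func main() {
	cfg, err := ParseAppConfig([]byte(SampleConfig))
	if err != nil {
		panic(err)
	}
	path, jira, err := SelectAutomation(cfg)
	fmt.Println(path, jira.ProjectKey, err)
	cfg.WebhookSettings.VulnerabilitiesWebhook.Enable = true
	_, _, err = SelectAutomation(cfg)
	fmt.Println("both enabled:", err)
}
```

Validation runs before the path is chosen so that a config violating the rules is rejected at PATCH /api/v1/fleet/config time rather than silently picking one automation.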

    3

    • [x] Establish authenticated connection to Jira Server API using basic authentication.
    • Use basic auth to authenticate with Jira Server API using user provided username and password.
    • For the first iteration, the assumption is that basic auth is meaningfully faster to implement. In a future iteration, we will implement the more secure OAuth 2.0 method.

    4

    • [ ] ~~Retrieve project id from Jira Cloud API using project key.~~ Not required to create a ticket, project key is sufficient.
    • Reference Get Project API docs.
    • This assumes that both the project key and project id are needed to create the issue. If a project key alone will work, we can skip this step.
    • This id should be cached if needed, we don't want to make this request after every vulnerability.

    5

    • [x] Create a Jira ticket using the Jira Cloud API.
    • Reference Jira API Create Issue Docs for information about creating new issues.
    • Retry up to five times.
    • If issue create fails after five retries, fail silently for this first iteration. In future iterations, we will track the failure and notify the user.

    6

    • [x] Ensure newly added Jira configurations are valid.
    • When a user adds a new Jira integration and associated credentials, we only want to save after we confirm the credentials work.
    • Pick a simple Jira endpoint that we can hit as a "test" connection.
    • On success, return 200 status code and save the new Jira integration.
    • On failure, pass the status code and error message back to the Fleet UI via the PATCH /api/v1/fleet/config response and do not save the failing integration.

    Architectural notes

    Since we need to support retries and we want to support fleet restarting halfway through, the vulnerability processing side of things should feed into a SQL table (could be redis, but it would be good to support storage) that reflects the status of each of the tickets created. That way, we have 2 separate parts: vulnerability processing, and jira ticket creation. One being slow doesn't affect the other.

    These parts can use separate locks even, so that two instances are taking care of this in parallel.

    The data stored should reflect the status of the ticket created, how many retries have been done, etc. We'll use all of this data to filter pending Jira tickets to be created.

    We'll also use this table to understand what has happened in the system over time. We should cleanup old rows though, as it might not be useful to store that we created a ticket successfully a month ago.

    While I'll leave the structure of the table to the developer that works on this, among the data that comes to mind as useful to have, I've got:

    • created and updated at timestamps
    • retries
    • status
    • cve it refers to
    • error message received (could be null)

    More things could be added if they are available and might be useful to store as well.

  • Add validation for `config` and `teams` YAML documents


    The config YAML document is where the user specifies agent_options configuration as well as other Fleet configuration (ex. host_settings.enable_software_inventory).

    The teams YAML document is where the user specifies agent_options configuration as well as other Fleet configuration (secrets), for a specific team.

    Goal

    As a user, I want validation for all keys and values in the config and teams yaml document, verifying that all keys match true, real keys, with great error messages. And that the values are the right data type. Very strict validation.

    This validation should apply everywhere agent options or config are applied and return meaningful, helpful errors if it fails.

    Tasks

    1

    • [x] Fleet server validates that no required keys in the config and teams YAML document are missing.
    • We don't have great documentation on what keys are required, so this will require some research/discussion.
    • Once this information is gathered, loop in @noahtalerman. Assignee of this ticket is responsible for making sure the docs are updated.

    2

    • [ ] Fleet server validates all keys in config and teams YAML document match true, real keys. Keys under agent_options are validated based on latest osquery.

    3

    • [x] Document all keys in the config and teams YAML document by replacing the "Organization settings" and "Teams" sections of the configuration files docs. For each key, include a description, the default value (if there is one) and example YAML to indicate where each key is located in the greater config.
    • Assignee can determine best format. One option is at https://fleetdm.com/docs/deploying/configuration#my-sql.

    4

    • [x] Fleet server validates all values in the config and teams YAML document are the right type. Values under agent_options are based on the latest osquery.

    5

    • [x] When running fleetctl apply with a config or teams YAML document, the Fleet server gives an error if validation fails. When this happens, Fleet doesn't try to set any configuration settings or any new agent_options to the hosts.

    6

    • [x] A user can test changes to a config or teams YAML document locally using a fleetctl apply --dry-run command. When running this command, the Fleet server gives an error if the validation fails. Fleet doesn't try to set configuration settings or send any new agent_options to the hosts.
    • Ensure new fleetctl apply --dry-run command flag is documented.

    7

    • [x] Add a --force flag to bypass validation.
    • When including this flag, bypass all validation checks and apply the given config.
    • Ensure the API endpoint has an option to force so that it can be applied via the UI.

    8

    • [x] In addition to validating required fields and that fields have the right type, ensure the value is valid for the config option when possible.
    • For example (from #6513 ) :

    Fleet doesn't detect when logger_tls_endpoint is not a path starting with /. Applying a bad path would break osquery as it would stop talking to the right fleet instance.
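An added Go sketch, not Fleet's validator, of the strict checking tasks 2, 4 and 8 ask for: unknown keys, values of the wrong type, and the logger_tls_endpoint rule from #6513. It reads a JSON object as a stand-in for the YAML document and validates against a three-key subset of osquery options; the subset, the error wording and the constructed inputs are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
	"sort"
	"strings"
)

type Kind int

const (
	KindString Kind = iota
	KindBool
	KindInt
)

func (k Kind) String() string {
	return [...]string{"string", "boolean", "integer"}[k]
}

// KeySpec is the expected type of a key plus an optional value rule.
type KeySpec struct {
	Kind  Kind
	Check func(v any) error
}

// mustBeAbsolutePath is the rule from #6513: logger_tls_endpoint must be a
// path starting with "/", otherwise osquery stops talking to the right server.
func mustBeAbsolutePath(v any) error {
	if !strings.HasPrefix(v.(string), "/") {
		return fmt.Errorf("must be a path starting with \"/\", got %q", v)
	}
	return nil
}

// agentOptionSpecs is a small illustrative subset of osquery options; a real
// validator would be generated from the option list of the latest osquery.
var agentOptionSpecs = map[string]KeySpec{
	"distributed_interval": {Kind: KindInt},
	"disable_distributed":  {Kind: KindBool},
	"logger_tls_endpoint":  {Kind: KindString, Check: mustBeAbsolutePath},
}

func matchesKind(v any, k Kind) bool {
	switch x := v.(type) {
	case string:
		return k == KindString
	case bool:
		return k == KindBool
	case float64: // encoding/json decodes every number as float64
		return k == KindInt && x == math.Trunc(x)
	}
	return false
}

// ValidateOptions returns one message per problem: unknown key, wrong type,
// or a value rejected by the key's rule. Keys are checked in sorted order so
// the output is deterministic.
func ValidateOptions(opts map[string]any, specs map[string]KeySpec) []string {
	keys := make([]string, 0, len(opts))
	for k := range opts {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	var problems []string
	for _, k := range keys {
		v := opts[k]
		spec, ok := specs[k]
		if !ok {
			problems = append(problems, fmt.Sprintf("agent_options.%s: unknown key", k))
			continue
		}
		if !matchesKind(v, spec.Kind) {
			problems = append(problems, fmt.Sprintf("agent_options.%s: expected %s, got %v", k, spec.Kind, v))
			continue
		}
		if spec.Check != nil {
			if err := spec.Check(v); err != nil {
				problems = append(problems, fmt.Sprintf("agent_options.%s: %v", k, err))
			}
		}
	}
	return problems
}

// ValidateOptionsJSON parses a JSON object (stand-in for the YAML document)
// and validates it against agentOptionSpecs. With --force the caller would
// skip this step entirely.
func ValidateOptionsJSON(raw string) ([]string, error) {
	var opts map[string]any
	if err := json.Unmarshal([]byte(raw), &opts); err != nil {
		return nil, err
	}
	return ValidateOptions(opts, agentOptionSpecs), nil
}

func main() {
	// Constructed input with a misspelled key and a relative logger path.
	bad := `{"distributed_interval": 10, "logger_tls_endpoint": "api/osquery/log", "disable_distributd": false}`
	problems, err := ValidateOptionsJSON(bad)
	if err != nil {
		panic(err)
	}
	for _, p := range problems {
		fmt.Println(p)
	}
}
```

Because every problem is collected rather than stopping at the first one, a fleetctl apply --dry-run can report the whole list, and nothing is applied to hosts unless the list is empty.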

  • Update query console right side panel in Fleet product


    Goal

    Update query console right side panel to improve first-time experiences with Fleet and make it more approachable to new users.

    Figma

    https://www.figma.com/file/yLP0vJ8Ms4GbCoofLwptwS/%E2%9C%85-fleetdm.com-(current%2C-dev-ready)?node-id=5197%3A20730

    Requirements

    • Fleet UI ingests a new schema: https://github.com/fleetdm/confidential/issues/1619
    • Fleet UI updates the query console right side panel (See Figma)

    Related

    • Parent epic: https://github.com/fleetdm/confidential/issues/1646
    • Blocker: https://github.com/fleetdm/fleet/issues/8067

    Notes

    Tasks

    • TODO: Update with implementation requirements.
  • In Fleet Sandbox, add ability to download a pre-generated installer


    Goal

    As a user, I want to be able to download a Fleet-osquery installer in the Fleet UI so that I can add hosts to Fleet without having to know how to successfully generate an installer with the fleetctl package command.

    Figma

    https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/?node-id=6740%3A267448

    Related

    • #6555 (epic)
    • #6365 (platform)
    • #6592 (platform)

    Package Download API

    API endpoint is currently in review. Once merged, it will be deployed to the API for Contributors.

    It appears the PR is going to merge pretty quickly next week. In that case, we likely want to build out everything except for the API calls, then add them in once the API PR merges.

    If for any reason it looks like the API PR is going to be delayed until later in the week, we should build the full functionality of this ticket using a mock API that matches the pattern in these specs.

    API Specs

    Downloads a pre-built fleet-osquery installer with the given parameters.

    GET /api/_version_/fleet/download_installer/{enroll_secret}/{kind}

    Parameters

    | Name          | Type    | In    | Description                                                      |
    | ------------- | ------- | ----- | ---------------------------------------------------------------- |
    | enroll_secret | string  | path  | The global enroll secret.                                        |
    | kind          | string  | path  | The installer kind: pkg, msi, deb or rpm.                        |
    | desktop       | boolean | query | Set to true to ask for an installer that includes Fleet Desktop. |

    Default response
    Status: 200
    Content-Type: application/octet-stream
    Content-Disposition: attachment
    Content-Length: <length>
    Body: <blob>
    

    If an installer with the provided parameters is found, the installer is returned as a binary blob in the body of the response.

    Installer doesn't exist

    Status: 400

    If an installer with the provided parameters doesn't exist.
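The download endpoint spec above, as an added Go handler (example code, not Fleet's): it validates kind, reads the desktop query parameter, and returns the blob with the Content-Type, Content-Disposition and Content-Length headers listed, or 400 when no installer matches the parameters. Assumptions: v1 stands in for _version_ in the path, the enroll secret is checked with a constant-time compare and a wrong secret gets 401 (the spec doesn't define that case), and MemStore with two fake blobs stands in for wherever the eight prebuilt installers live.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// installerFilenames maps the accepted kind values to a download filename.
var installerFilenames = map[string]string{
	"pkg": "fleet-osquery.pkg",
	"msi": "fleet-osquery.msi",
	"deb": "fleet-osquery.deb",
	"rpm": "fleet-osquery.rpm",
}

// InstallerStore is wherever the eight pre-built installers live.
type InstallerStore interface {
	Get(kind string, desktop bool) ([]byte, bool)
}

// MemStore is an in-memory InstallerStore for the demo and tests.
type MemStore map[string][]byte

func StoreKey(kind string, desktop bool) string {
	return fmt.Sprintf("%s/desktop=%t", kind, desktop)
}

func (m MemStore) Get(kind string, desktop bool) ([]byte, bool) {
	b, ok := m[StoreKey(kind, desktop)]
	return b, ok
}

// DownloadInstallerHandler serves
// GET /api/v1/fleet/download_installer/{enroll_secret}/{kind}?desktop=true|false
type DownloadInstallerHandler struct {
	EnrollSecret string // the global enroll secret (hypothetical; Fleet reads it from its datastore)
	Store        InstallerStore
}

const downloadPrefix = "/api/v1/fleet/download_installer/"

func (h *DownloadInstallerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet || !strings.HasPrefix(r.URL.Path, downloadPrefix) {
		http.NotFound(w, r)
		return
	}
	parts := strings.Split(strings.TrimPrefix(r.URL.Path, downloadPrefix), "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		http.NotFound(w, r)
		return
	}
	secret, kind := parts[0], parts[1]

	// Constant-time compare so response timing does not leak how much of the
	// secret matched (assumption: the spec says nothing about this check).
	if subtle.ConstantTimeCompare([]byte(secret), []byte(h.EnrollSecret)) != 1 {
		http.Error(w, "invalid enroll secret", http.StatusUnauthorized)
		return
	}
	filename, ok := installerFilenames[kind]
	if !ok {
		http.Error(w, "kind must be one of pkg, msi, deb, rpm", http.StatusBadRequest)
		return
	}
	desktop := r.URL.Query().Get("desktop") == "true"
	blob, ok := h.Store.Get(kind, desktop)
	if !ok {
		// Spec: 400 when no installer exists for these parameters.
		http.Error(w, "installer not found", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Header().Set("Content-Disposition", `attachment; filename="`+filename+`"`)
	w.Header().Set("Content-Length", strconv.Itoa(len(blob)))
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(blob)
}

// NewDemoHandler wires a handler with a constructed secret and two fake blobs.
func NewDemoHandler() *DownloadInstallerHandler {
	store := MemStore{
		StoreKey("pkg", true):  []byte("PKG-WITH-DESKTOP"),
		StoreKey("deb", false): []byte("DEB-NO-DESKTOP"),
	}
	return &DownloadInstallerHandler{EnrollSecret: "constructed-enroll-secret", Store: store}
}

func main() {
	fmt.Println("listening on :8080 (demo; the enroll secret is a constructed value)")
	_ = http.ListenAndServe(":8080", NewDemoHandler())
}
```

The filename in Content-Disposition comes from the fixed kind table, never from the request, so a caller cannot inject header content through the path.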

    Tasks

    1

    • [ ] Add new content for "Add Hosts" modal when Fleet instance is in sandbox mode.
    • The goal is to allow sandbox users to download packaged installers without having to run commands in the command line.
    • "Include Fleet Desktop" is checked by default.
    • “Download installer” button is disabled until a platform is selected.
    • Note the weighted margin-bottom –60px (rather than 40px) of the content to visually balance the contents. (See Figma)


    2

    • [ ] When a platform is selected, it enters a highlighted state.
    • There are 8 files that can be downloaded. One for each platform with and without "Fleet Desktop" included.
    • When "Download installer" button is clicked, an API request is sent to download the installers. (See API specs above)
    • We will use the same process to download the file as used to download hosts CSV. The only difference is instead of type: "text/csv" we should set type: "application/octet-stream".


    3

    • [ ] Add loading spinner to the "Download installer" button while file is downloading.
    • Reference the button loading spinner on the update query "Save" button for an example implementation.
    • In the loading state, if the user clicks or hovers over the platform buttons or the checkbox, nothing happens. (UI is locked during loading)


    4

    • [ ] Add success state after successful download.
    • A “finished” state appears, with instructions for what the next step is for the user to add the host to Fleet.
    • The installer is automatically downloaded in the browser.
    • “Got it” button closes the modal.
    • Note there is different copy for MacOS, Windows and Linux.

    • MacOS: Run the installer on a macOS laptop or workstation to add it to Fleet.
    • Windows: Run the installer on a Windows laptop, workstation, or server to add it to Fleet.
    • Linux: Run the installer on a Linux laptop, workstation, or server to add it to Fleet.


    5

    • [ ] Add error state if the API returns a non-2xx response when file is requested.
    • Based on the conversation in this thread, we may not be implementing the error state. Instead, we may make a HEAD request for all eight files, and if any are missing we may fall back to the default add hosts modal content.
    • TODO: @noahtalerman will update this ticket with the product decision on this item.


    6

    • [ ] Add E2E tests to validate new add hosts flow for sandbox users.

    7

    • [ ] Try out the full sign up, provision, download package flow and tell us if the package has been successfully created.
  • Provide battery condition in host details response


    Goal

    As an API consumer, I want the GET /hosts/{id} and GET /device/{token} endpoint to include battery_condition in the response object so that I can inform the user if the battery needs to be charged.

    Figma

    https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/?node-id=4897%3A181350

    Related

    • Frontend (blocked): #4062

    Tasks

    1

    • [x] Retrieve battery condition from the osquery battery table (https://github.com/osquery/osquery/blob/master/specs/darwin/battery.table) and store in Fleet database.
    • Add cycle_count to hosts information in Fleet database.
    • Add health to hosts information in Fleet database.

    2

    • [x] Include a batteries array in the GET hosts/{id} response.
    • Add new array to API response docs for this endpoint.

    3

    • [x] Include batteries array in the GET /device/{token} response.
    • This endpoint is currently undocumented. Please add endpoint documentation to Fleet REST API docs as a new "Device" section with a single endpoint.

    Sample array

    {
      "host": {
        "batteries": [
          {
            "cycle_count": 1000,
            "health": "Good"
          }
        ]  
      }
    }
    
  • Add support for downloading a list of hosts in CSV format


    NOTE: This issue was broken out of the following issue: #2998.

    • Prior to separating these issues, the combined estimation from the backend engineering team was 5.

    Goal

    As an IT administrator, I want to be able to download a list of hosts in CSV format.

    1

    • [ ] Create new endpoint to generate a CSV containing all hosts with a specific software version installed.
    • GET /api/v1/fleet/hosts/report.
    • Generated filename should follow this naming pattern: Hosts YYYY-MM-DD
    • Update API docs.

    Parameters

    | Name        | Type    | In   | Description                  |
    | ----------- | ------- | ---- | ---------------------------- |
    | software_id | integer | body | Required. The software's id. |

    Example

    • GET /api/v1/fleet/hosts/report?software_id=408&format=csv

    Default response

    Status: 200

    CSV as the body of the response, see https://stackoverflow.com/questions/68162651/go-how-to-response-csv-file as an example.

  • On fleetdm.com, sign up for Fleet Sandbox


    Part of the Q2 Digital Experience OKRs

    Goal

    Reduce the time to value for new Fleet users by creating a Fleet sandbox.

    Related

    • Epic: #4970
    • Fleet UI: #5723, #5902
    • PR: https://github.com/fleetdm/fleet/pull/6380

    Figma

    /get-started: https://www.figma.com/file/yLP0vJ8Ms4GbCoofLwptwS/?node-id=794%3A373

    Needs updated wireframes

    • [x] @mike-j-thomas for new users on fleetdm.com, update the password requirements to the following: Must include 12 characters, at least 1 number (e.g. 0 - 9), and at least 1 symbol (e.g. &*#)
    • ~~[ ] @mike-j-thomas add an error state when an existing user has a password that doesn't meet the new requirements and they attempt to access Fleet Sandbox.~~
    • ~~This error state should point the user to reset their password.~~

    Tasks

    1

    • [x] Add a Registration page (/try-fleet/register). This page replaces the Get started page.
    • A user reaches the Registration page if they select the "Try it out" buttons on the main page (/) and the How it works page (/platform)
    • This page accepts "Email" and "Password" fields
    • Selecting "I have an account" takes the user to the new Login page (/try-fleet/login)
    • Selecting "terms of service" navigates the user to the following Google doc: https://docs.google.com/document/d/1OM6YDVIs7bP8wg6iA3VG13X086r64tWDqBSRudG4a0Y/edit
    • Selecting "privacy policy" navigates the user to the following Google doc: https://docs.google.com/document/d/17i_g1aGpnuSmlqj35-yHJiwj7WRrLdC_Typc1Yb7aBE/edit#heading=h.gjdgxs
    • "Click here" navigates the user to https://fleetdm.com/docs/deploying


    2

    • [x] On the Registration page, add the "Sign up" flow
    • Selecting the "Sign up" button fires a loading spinner and creates a user with lastName set to the supplied emailAddress, firstName set to the result of the following regex: emailAddress.split(/@/)[1], and sandboxExpiration set to the time 24 hours from the current time (using ISO 8601 standard to represent the time as a date).
      • The sandboxExpiration is sent in the POST request as sandbox_expiration.
    • Selecting "Sign up" sends a POST request to the cloud provisioner.
      • The cloud provisioner responds with a url.
      • Using the url, fleetdm.com checks the url/healthz endpoint at some interval. When url/healthz returns 200, fleetdm.com redirects the user to the URL.
      • fleetdm.com redirects the user to this url and updates the user with cloudURL set to url.
      • The API request includes a secret (set as an environment variable) so that the cloud provisioner knows the request is coming from fleetdm.com.
        • This way, we prevent bots from hitting the API over and over again.

    Request:

    {
      "email": "[email protected]",
      "name": "[email protected]",
      "password": "sandbox123#",
      "sandbox_expiration": "0001-01-01T00:00:00Z"
    }
    

    Response:

    {
      "url": "billybobcat.sandbox.fleetdm.com"
    }
    


    3

    • [x] Add a new Login page (/try-fleet/login)
    • This page accepts "Email" and "Password" fields
    • "Create an account" navigates the user to the new Registration page.
    • "Forgot your password?" navigates the user to the new Forgot password page (/try-fleet/forgot-password).

    4

    • [x] On the Login page, add a new "Login" flow.
    • For existing users that have never accessed Fleet sandbox, selecting "Sign in" sends a POST request to the cloud provisioner.
    • Selecting the "Sign in" button fires a loading spinner and the fleetdm.com user's sandboxExpiration is set to the time 24 hours from the current time (using ISO 8601 standard to represent the time as a date). This is sent in the POST request as sandbox_expiration.
      • The cloud provisioner responds with a url.
      • Using the url, fleetdm.com checks the url/healthz endpoint at some interval. When url/healthz returns 200, fleetdm.com redirects the user to the URL.
      • fleetdm.com redirects the user to this url and updates the user with cloudURL set to url.
      • The API request includes a secret (set as an environment variable) so that the cloud provisioner knows the request is coming from fleetdm.com.
        • This way, we prevent bots from hitting the API over and over again.

    Request:
    {
      "email": "[email protected]",
      "name": "[email protected]",
      "password": "sandbox123#",
      "sandbox_expiration": "0001-01-01T00:00:00Z"
    }
    

    Response:

    {
      "url": "billybobcat.sandbox.fleetdm.com"
    }
    
    • For existing users that have accessed Fleet sandbox, selecting "Sign in" navigates the user to their Fleet sandbox URL

    5

    • [x] Add a new Forgot password page (/try-fleet/forgot-password) and forgot password flow.
    • This page accepts "Email"
    • Selecting "I have an account" navigates the user to the new Registration page (try-fleet/register)
    • Selecting "Reset password" sends a password recovery link to the supplied email and navigates the user to the new Password reset sent page (/try-fleet/password-reset-sent).

    6. [x] Add a new Password reset sent page.
    • "Back to login" navigates the user to the new Login page.
    • "contact support" navigates the user to: TODO @mike-j-thomas

    7. [x] Add a new "Password reset" email template
    • The template includes a "Reset password" link which navigates the user to the new New password page (/try-fleet/new-password)


    8. [x] Add a new New password page
    • A user is sent here from the "Password reset" email template.
    • This page accepts "Password" and "Password confirmation" fields.
    • Selecting "Change my password" navigates the user to their Fleet Sandbox URL

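As an added Go example (not fleetdm.com's or the cloud provisioner's own code), the provisioner side of the exchange described above: it checks the shared secret in constant time, decodes the request body shown, and rejects a sandbox_expiration that is not RFC 3339 / ISO 8601 or not within the next 24 hours, so the placeholder 0001-01-01T00:00:00Z from the sample request is refused as already expired. The header name X-Provisioner-Secret, the 24-hour upper bound and the 4 KiB body limit are assumptions.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"io"
	"net/http"
	"time"
)

// provisionRequest is the body fleetdm.com sends (fields as in the issue above).
type provisionRequest struct {
	Email             string `json:"email"`
	Name              string `json:"name"`
	Password          string `json:"password"`
	SandboxExpiration string `json:"sandbox_expiration"`
}

// parseProvision authenticates and validates one request: it returns the decoded body,
// or else the HTTP status and message to reply with. Assumptions: the secret travels in
// the X-Provisioner-Secret header and expirations more than 24h out are rejected.
func parseProvision(r *http.Request, secret string, now time.Time) (*provisionRequest, int, string) {
	if r.Method != http.MethodPost {
		return nil, http.StatusMethodNotAllowed, "POST only"
	}
	// Constant-time compare so timing does not leak the secret; an empty configured secret never matches.
	got := []byte(r.Header.Get("X-Provisioner-Secret"))
	if secret == "" || subtle.ConstantTimeCompare(got, []byte(secret)) != 1 {
		return nil, http.StatusUnauthorized, "bad or missing secret"
	}
	var req provisionRequest
	if err := json.NewDecoder(io.LimitReader(r.Body, 4096)).Decode(&req); err != nil || req.Email == "" {
		return nil, http.StatusBadRequest, "invalid JSON body or missing email"
	}
	exp, err := time.Parse(time.RFC3339, req.SandboxExpiration) // the ISO 8601 form fleetdm.com sends
	if err != nil || !exp.After(now) || exp.After(now.Add(24*time.Hour)) {
		return nil, http.StatusBadRequest, "sandbox_expiration must be RFC 3339 and within the next 24h"
	}
	return &req, http.StatusOK, ""
}
```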

  • Fleet's osquery installers: support deploying osquery with the `.app` bundle

    Fleet's osquery installers: support deploying osquery with the `.app` bundle

    This issue includes a required improvement for the 1.0.0 release of Fleet's osquery installers (aka orbit). These installers are currently in beta.

    To utilize some osquery features on macOS with the latest version of osquery, deploying osquery with the .app bundle is required.

    Goal

    With Fleet's osquery installers, we are currently packaging osquery 5.1.0. With osquery 5.0.1 and above the format of the package was changed to a full macOS app so that osquery can access the EndpointSecurity events that the kernel exposes.

    How?

    • [ ] Mimic the package format for Orbit to follow a similar structure as the osquery one for 5.0.1
  • Query Experience Cleanup Tasks

    Query Experience Cleanup Tasks

    Tasks completed:

    This is the 4th PR for #1497, and second to last before pushing to main. The checklist will be done on the final PR.

  • Adjust max age for cron stats entries

    Adjust max age for cron stats entries

    For the initial implementation of cron_stats, we arbitrarily set a max age of 14 days for retention of table entries. In practice, there's not a demonstrated need for that length of time. Additionally, we've been expanding the number and frequency of cron jobs that generate entries so having a shorter window to clean up older entries will reduce database usage.

  • Update mdm enrollment status API response

    Update mdm enrollment status API response

    Issue #8879

    This PR covers items 4 and 5 from the issue.

    Checklist for submitter

    If some of the following don't apply, delete the relevant line.

    • [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)
    • [x] Added/updated tests
    • [x] Manual QA for all new/changed functionality
  • orbit: Always update orbit symlink when changing channels

    orbit: Always update orbit symlink when changing channels

    Currently, switching between different channels does not always work because orbit will only update the symlink when a new version of the target channel is detected (see #9053). This PR will check if the symlink is out of date when updating so that we always update into the correct channel.

    Checklist for submitter

    If some of the following don't apply, delete the relevant line.

    • [x] Manual QA for all new/changed functionality
      • For Orbit and Fleet Desktop changes:
        • [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.
        • [x] Auto-update manual QA, from released version of component to new version (see tools/tuf/test).
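An added Go example (not orbit's own code) of the check this PR describes: look at where the symlink currently points, recreate it only when it does not match the wanted target, and swap the new link into place by rename so the path is never dangling mid-update. Link and target paths are whatever the caller passes; the command-line usage in main is an assumption.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// ensureSymlink makes link point at target, replacing a link that points
// somewhere else (a stale channel). It reports whether the link was changed.
// Added example of the idea in the PR above, not orbit's own code.
func ensureSymlink(link, target string) (bool, error) {
	fi, err := os.Lstat(link)
	switch {
	case err != nil && !os.IsNotExist(err):
		return false, err
	case err == nil && fi.Mode()&os.ModeSymlink == 0:
		// Refuse to clobber a real file or directory sitting where the link should be.
		return false, fmt.Errorf("%s exists and is not a symlink", link)
	case err == nil:
		cur, err := os.Readlink(link)
		if err != nil {
			return false, err
		}
		if cur == target {
			return false, nil // already points at the wanted channel version
		}
	}
	// Build the new link under a temporary name and rename it into place, so
	// anything resolving the link concurrently never sees it absent or half-made.
	tmp := filepath.Join(filepath.Dir(link), "."+filepath.Base(link)+".tmp")
	_ = os.Remove(tmp) // leftover from an interrupted earlier run, if any
	if err := os.Symlink(target, tmp); err != nil {
		return false, err
	}
	if err := os.Rename(tmp, link); err != nil {
		_ = os.Remove(tmp)
		return false, err
	}
	return true, nil
}

func main() { // usage (assumed): ensure-symlink <link> <target>
	changed, err := ensureSymlink(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("changed:", changed)
}
```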
  • Test Fleet website action is frequently failing due to GitHub API rate limits

    Test Fleet website action is frequently failing due to GitHub API rate limits

    Action: .github/workflows/test-website.yml

    See the following two samples:

    • https://github.com/fleetdm/fleet/actions/runs/3841095992/jobs/6540917979
    • https://github.com/fleetdm/fleet/actions/runs/3761802010/jobs/6393897043

    Error:

    body: `{"message":"API rate limit exceeded for 172.176.205.113.
    (But here's the good news: Authenticated requests get a higher rate limit.
    Check out the documentation for more details.)",
    "documentation_url":"https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting"}`
    

    TL;DR: All GitHub API requests should set the GITHUB_TOKEN as shown in https://docs.github.com/en/actions/security-guides/automatic-token-authentication, e.g.:

    curl --request POST \
    	--url https://api.github.com/repos/${{ github.repository }}/issues \
    	--header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
    	--header 'content-type: application/json' \
    	--data '{
    	"title": "Automated issue for commit: ${{ github.sha }}",
    	"body": "This issue was automatically created by the GitHub Action workflow **${{ github.workflow }}**. \n\n The commit hash was: _${{ github.sha }}_."
    	}' \
    	--fail
    
  • Fleet UI: Add MDM enrollment/unenrollment activity to activity feed

    Fleet UI: Add MDM enrollment/unenrollment activity to activity feed

    Issue

    Cerra #8995

    New feature

    • Inform user when an end user enrolls or unenrolls to MDM

    Checklist for submitter

    If some of the following don't apply, delete the relevant line.

    • [x] Changes file added for user-visible changes in changes/ or orbit/changes/.
    • [ ] Manual QA for all new/changed functionality
  • Unable to change default app for opening .webloc files

    Unable to change default app for opening .webloc files

    This issue is based on a Slack message from Mike McNeil in #g-business-operations and may contain confidential information.

    Goal

    [public] @guillaume Is this being prevented by MDM?

    Meta: After thinking harder, and remembering this only started after updating my OS this morning, I'm guessing it's something to do with the macOS update. But this is a good example of a real-world question that comes up, and an example of the thought process that leads to blaming security/IT. cc @mo


    How?

    • [ ] TODO