SE: CLI setup experience changes

changes/22385-cli-gitops-macos-setup-software-and-script

@@ -0,0 +1 @@
+* Added support to `fleetctl gitops` to specify a setup experience script to run and software to install, for a team or no team.

cmd/fleetctl/apply.go

@@ -94,7 +94,7 @@ func applyCommand() *cli.Command {
 			teamsSoftwareInstallers := make(map[string][]fleet.SoftwarePackageResponse)
 			teamsScripts := make(map[string][]fleet.ScriptResponse)
 
-			_, _, _, err = fleetClient.ApplyGroup(c.Context, specs, baseDir, logf, nil, opts, teamsSoftwareInstallers, teamsScripts)
+			_, _, _, err = fleetClient.ApplyGroup(c.Context, false, specs, baseDir, logf, nil, opts, teamsSoftwareInstallers, teamsScripts)
 			if err != nil {
 				return err
 			}

cmd/fleetctl/gitops_test.go

@@ -438,6 +438,9 @@ func TestGitOpsBasicTeam(t *testing.T) {
 	ds.ListSoftwareTitlesFunc = func(ctx context.Context, opt fleet.SoftwareTitleListOptions, tmFilter fleet.TeamFilter) ([]fleet.SoftwareTitleListResult, int, *fleet.PaginationMetadata, error) {
 		return nil, 0, nil, nil
 	}
+	ds.DeleteSetupExperienceScriptFunc = func(ctx context.Context, teamID *uint) error {
+		return nil
+	}
 
 	tmpFile, err := os.CreateTemp(t.TempDir(), "*.yml")
 	require.NoError(t, err)
@@ -903,6 +906,9 @@ func TestGitOpsFullTeam(t *testing.T) {
 	ds.ListSoftwareTitlesFunc = func(ctx context.Context, opt fleet.SoftwareTitleListOptions, tmFilter fleet.TeamFilter) ([]fleet.SoftwareTitleListResult, int, *fleet.PaginationMetadata, error) {
 		return nil, 0, nil, nil
 	}
+	ds.DeleteSetupExperienceScriptFunc = func(ctx context.Context, teamID *uint) error {
+		return nil
+	}
 
 	startSoftwareInstallerServer(t)
 
@@ -1159,6 +1165,9 @@ func TestGitOpsBasicGlobalAndTeam(t *testing.T) {
 	ds.ListABMTokensFunc = func(ctx context.Context) ([]*fleet.ABMToken, error) {
 		return []*fleet.ABMToken{}, nil
 	}
+	ds.DeleteSetupExperienceScriptFunc = func(ctx context.Context, teamID *uint) error {
+		return nil
+	}
 
 	globalFile, err := os.CreateTemp(t.TempDir(), "*.yml")
 	require.NoError(t, err)
@@ -1437,6 +1446,9 @@ func TestGitOpsBasicGlobalAndNoTeam(t *testing.T) {
 	ds.ListABMTokensFunc = func(ctx context.Context) ([]*fleet.ABMToken, error) {
 		return []*fleet.ABMToken{}, nil
 	}
+	ds.DeleteSetupExperienceScriptFunc = func(ctx context.Context, teamID *uint) error {
+		return nil
+	}
 
 	globalFileBasic, err := os.CreateTemp(t.TempDir(), "*.yml")
 	require.NoError(t, err)
@@ -2354,6 +2366,9 @@ func setupFullGitOpsPremiumServer(t *testing.T) (*mock.Store, **fleet.AppConfig,
 	ds.ListABMTokensFunc = func(ctx context.Context) ([]*fleet.ABMToken, error) {
 		return []*fleet.ABMToken{}, nil
 	}
+	ds.DeleteSetupExperienceScriptFunc = func(ctx context.Context, teamID *uint) error {
+		return nil
+	}
 
 	t.Setenv("FLEET_SERVER_URL", fleetServerURL)
 	t.Setenv("ORG_NAME", orgName)

cmd/fleetctl/preview.go

@@ -389,7 +389,7 @@ Use the stop and reset subcommands to manage the server and dependencies once st
 			// so pass in the current working directory.
 			teamsSoftwareInstallers := make(map[string][]fleet.SoftwarePackageResponse)
 			teamsScripts := make(map[string][]fleet.ScriptResponse)
-			_, _, _, err = client.ApplyGroup(c.Context, specs, ".", logf, nil, fleet.ApplyClientSpecOptions{}, teamsSoftwareInstallers, teamsScripts)
+			_, _, _, err = client.ApplyGroup(c.Context, false, specs, ".", logf, nil, fleet.ApplyClientSpecOptions{}, teamsSoftwareInstallers, teamsScripts)
 			if err != nil {
 				return err
 			}

cmd/fleetctl/testdata/expectedGetConfigAppConfigJson.json

@@ -130,7 +130,9 @@
 				"bootstrap_package": null,
 				"enable_end_user_authentication": false,
 				"macos_setup_assistant": null,
-				"enable_release_device_manually": false
+				"enable_release_device_manually": false,
+				"script": null,
+				"software": null
 			},
 			"windows_settings": {
 				"custom_settings": null

cmd/fleetctl/testdata/expectedGetConfigAppConfigYaml.yml

@@ -50,6 +50,8 @@ spec:
       enable_end_user_authentication: false
       enable_release_device_manually: false
       macos_setup_assistant:
+      script:
+      software:
     windows_settings:
       custom_settings: null
     end_user_authentication:

cmd/fleetctl/testdata/expectedGetConfigIncludeServerConfigJson.json

@@ -82,7 +82,9 @@
 				"bootstrap_package": null,
 				"enable_end_user_authentication": false,
 				"macos_setup_assistant": null,
-				"enable_release_device_manually": false
+				"enable_release_device_manually": false,
+				"script": null,
+				"software": null
 			},
 			"windows_settings": {
 				"custom_settings": null

cmd/fleetctl/testdata/expectedGetConfigIncludeServerConfigYaml.yml

@@ -50,6 +50,8 @@ spec:
       enable_end_user_authentication: false
       enable_release_device_manually: false
       macos_setup_assistant:
+      script:
+      software:
     windows_settings:
       custom_settings:
     end_user_authentication:

cmd/fleetctl/testdata/expectedGetTeamsJson.json

@@ -54,7 +54,9 @@
 					"bootstrap_package": null,
 					"enable_end_user_authentication": false,
 					"macos_setup_assistant": null,
-					"enable_release_device_manually": false
+					"enable_release_device_manually": false,
+					"script": null,
+					"software": null
 				},
 				"windows_settings": {
 					"custom_settings": null
@@ -137,7 +139,9 @@
 					"bootstrap_package": null,
 					"enable_end_user_authentication": false,
 					"macos_setup_assistant": null,
-					"enable_release_device_manually": false
+					"enable_release_device_manually": false,
+					"script": null,
+					"software": null
 				},
 				"windows_settings": {
 					"custom_settings": null

cmd/fleetctl/testdata/expectedGetTeamsYaml.yml

@@ -34,6 +34,8 @@ spec:
         enable_end_user_authentication: false
         enable_release_device_manually: false
         macos_setup_assistant:
+        script:
+        software:
     scripts: null
     secrets: null
     webhook_settings:
@@ -84,6 +86,8 @@ spec:
         enable_end_user_authentication: false
         enable_release_device_manually: false
         macos_setup_assistant:
+        script:
+        software:
     scripts: null
     webhook_settings:
       host_status_webhook: null

cmd/fleetctl/testdata/macosSetupExpectedAppConfigEmpty.yml

@@ -40,6 +40,8 @@ spec:
       enable_end_user_authentication: false
       macos_setup_assistant: null
       enable_release_device_manually: false
+      script: null
+      software: null
     macos_updates:
       deadline: null
       minimum_version: null

cmd/fleetctl/testdata/macosSetupExpectedAppConfigSet.yml

@@ -40,6 +40,8 @@ spec:
       enable_end_user_authentication: false
       macos_setup_assistant: %s
       enable_release_device_manually: false
+      script: null
+      software: null
     macos_updates:
       deadline: null
       minimum_version: null

cmd/fleetctl/testdata/macosSetupExpectedTeam1And2Empty.yml

@@ -22,6 +22,8 @@ spec:
         enable_end_user_authentication: false
         macos_setup_assistant: null
         enable_release_device_manually: false
+        script: null
+        software: null
       macos_updates:
         deadline: null
         minimum_version: null
@@ -62,6 +64,8 @@ spec:
         bootstrap_package: null
         macos_setup_assistant: null
         enable_release_device_manually: false
+        script: null
+        software: null
       macos_updates:
         deadline: null
         minimum_version: null

cmd/fleetctl/testdata/macosSetupExpectedTeam1And2Set.yml

@@ -22,6 +22,8 @@ spec:
         enable_end_user_authentication: false
         macos_setup_assistant: %s
         enable_release_device_manually: false
+        script: null
+        software: null
       macos_updates:
         deadline: null
         minimum_version: null
@@ -62,6 +64,8 @@ spec:
         bootstrap_package: %s
         macos_setup_assistant: %s
         enable_release_device_manually: false
+        script: null
+        software: null
       macos_updates:
         deadline: null
         minimum_version: null

cmd/fleetctl/testdata/macosSetupExpectedTeam1Empty.yml

@@ -20,6 +20,8 @@ spec:
         enable_end_user_authentication: false
         macos_setup_assistant: null
         enable_release_device_manually: false
+        script: null
+        software: null
       macos_updates:
         deadline: null
         minimum_version: null

cmd/fleetctl/testdata/macosSetupExpectedTeam1Set.yml

@@ -21,6 +21,8 @@ spec:
         enable_end_user_authentication: false
         macos_setup_assistant: %s
         enable_release_device_manually: false
+        script: null
+        software: null
       macos_updates:
         deadline: null
         minimum_version: null

ee/server/service/software_installers.go

@@ -1301,15 +1301,16 @@ func (svc *Service) softwareBatchUpload(
 			}
 
 			installer := &fleet.UploadSoftwareInstallerPayload{
-				TeamID:            teamID,
-				InstallScript:     p.InstallScript,
-				PreInstallQuery:   p.PreInstallQuery,
-				PostInstallScript: p.PostInstallScript,
-				UninstallScript:   p.UninstallScript,
-				InstallerFile:     bytes.NewReader(bodyBytes),
-				SelfService:       p.SelfService,
-				UserID:            userID,
-				URL:               p.URL,
+				TeamID:             teamID,
+				InstallScript:      p.InstallScript,
+				PreInstallQuery:    p.PreInstallQuery,
+				PostInstallScript:  p.PostInstallScript,
+				UninstallScript:    p.UninstallScript,
+				InstallerFile:      bytes.NewReader(bodyBytes),
+				SelfService:        p.SelfService,
+				UserID:             userID,
+				URL:                p.URL,
+				InstallDuringSetup: p.InstallDuringSetup,
 			}
 
 			// set the filename before adding metadata, as it is used as fallback

ee/server/service/teams.go

@@ -1396,6 +1396,15 @@ func (svc *Service) editTeamFromSpec(
 		}
 	}
 
+	// if the setup experience script was cleared, remove it for that team
+	if spec.MDM.MacOSSetup.Script.Set &&
+		spec.MDM.MacOSSetup.Script.Value == "" &&
+		oldMacOSSetup.Script.Value != "" {
+		if err := svc.DeleteSetupExperienceScript(ctx, &team.ID); err != nil {
+			return ctxerr.Wrapf(ctx, err, "clear setup experience script for team %d", team.ID)
+		}
+	}
+
 	if didUpdateMacOSEndUserAuth {
 		if err := svc.updateMacOSSetupEnableEndUserAuth(
 			ctx, spec.MDM.MacOSSetup.EnableEndUserAuthentication, &team.ID, &team.Name,

ee/server/service/vpp.go

@@ -79,9 +79,10 @@ func (svc *Service) BatchAssociateVPPApps(ctx context.Context, teamName string,
 			SelfService: false,
 			Platform:    fleet.IPadOSPlatform,
 		}, {
-			AppStoreID:  payload.AppStoreID,
-			SelfService: payload.SelfService,
-			Platform:    fleet.MacOSPlatform,
+			AppStoreID:         payload.AppStoreID,
+			SelfService:        payload.SelfService,
+			Platform:           fleet.MacOSPlatform,
+			InstallDuringSetup: payload.InstallDuringSetup,
 		}}...)
 	}
 
@@ -101,7 +102,14 @@ func (svc *Service) BatchAssociateVPPApps(ctx context.Context, teamName string,
 				return fleet.NewInvalidArgumentError("app_store_apps.platform",
 					fmt.Sprintf("platform must be one of '%s', '%s', or '%s", fleet.IOSPlatform, fleet.IPadOSPlatform, fleet.MacOSPlatform))
 			}
-			vppAppTeams = append(vppAppTeams, fleet.VPPAppTeam{VPPAppID: fleet.VPPAppID{AdamID: payload.AppStoreID, Platform: payload.Platform}, SelfService: payload.SelfService})
+			vppAppTeams = append(vppAppTeams, fleet.VPPAppTeam{
+				VPPAppID: fleet.VPPAppID{
+					AdamID:   payload.AppStoreID,
+					Platform: payload.Platform,
+				},
+				SelfService:        payload.SelfService,
+				InstallDuringSetup: payload.InstallDuringSetup,
+			})
 		}
 
 		var missingAssets []string
@@ -374,14 +382,15 @@ func (svc *Service) AddAppStoreApp(ctx context.Context, teamID *uint, appID flee
 func getVPPAppsMetadata(ctx context.Context, ids []fleet.VPPAppTeam) ([]*fleet.VPPApp, error) {
 	var apps []*fleet.VPPApp
 
-	// Map of adamID to platform, then to whether it's available as self-service.
-	adamIDMap := make(map[string]map[fleet.AppleDevicePlatform]bool)
+	// Map of adamID to platform, then to whether it's available as self-service
+	// and installed during setup.
+	adamIDMap := make(map[string]map[fleet.AppleDevicePlatform]fleet.VPPAppTeam)
 	for _, id := range ids {
 		if _, ok := adamIDMap[id.AdamID]; !ok {
-			adamIDMap[id.AdamID] = make(map[fleet.AppleDevicePlatform]bool, 1)
-			adamIDMap[id.AdamID][id.Platform] = id.SelfService
+			adamIDMap[id.AdamID] = make(map[fleet.AppleDevicePlatform]fleet.VPPAppTeam, 1)
+			adamIDMap[id.AdamID][id.Platform] = fleet.VPPAppTeam{SelfService: id.SelfService, InstallDuringSetup: id.InstallDuringSetup}
 		} else {
-			adamIDMap[id.AdamID][id.Platform] = id.SelfService
+			adamIDMap[id.AdamID][id.Platform] = fleet.VPPAppTeam{SelfService: id.SelfService, InstallDuringSetup: id.InstallDuringSetup}
 		}
 	}
 
@@ -397,14 +406,15 @@ func getVPPAppsMetadata(ctx context.Context, ids []fleet.VPPAppTeam) ([]*fleet.V
 	for adamID, metadata := range assetMetatada {
 		platforms := getPlatformsFromSupportedDevices(metadata.SupportedDevices)
 		for platform := range platforms {
-			if selfService, ok := adamIDMap[adamID][platform]; ok {
+			if props, ok := adamIDMap[adamID][platform]; ok {
 				app := &fleet.VPPApp{
 					VPPAppTeam: fleet.VPPAppTeam{
 						VPPAppID: fleet.VPPAppID{
 							AdamID:   adamID,
 							Platform: platform,
 						},
-						SelfService: selfService,
+						SelfService:        props.SelfService,
+						InstallDuringSetup: props.InstallDuringSetup,
 					},
 					BundleIdentifier: metadata.BundleID,
 					IconURL:          metadata.ArtworkURL,

pkg/spec/gitops.go

@@ -757,7 +757,8 @@ func parseSoftware(top map[string]json.RawMessage, result *GitOps, baseDir strin
 	for _, item := range software.Packages {
 		var softwarePackageSpec fleet.SoftwarePackageSpec
 		if item.Path != nil {
-			fileBytes, err := os.ReadFile(resolveApplyRelativePath(baseDir, *item.Path))
+			softwarePackageSpec.ReferencedYamlPath = resolveApplyRelativePath(baseDir, *item.Path)
+			fileBytes, err := os.ReadFile(softwarePackageSpec.ReferencedYamlPath)
 			if err != nil {
 				multiError = multierror.Append(multiError, fmt.Errorf("failed to read policies file %s: %v", *item.Path, err))
 				continue