Drop global scripts enabled gate from software uninstalls, script-based lock/unlock/wipe

iansltx · iansltx · commit 69e0d3853c6d · 2024-12-16T18:52:45.000-06:00
TODO:

* Fix tests
* Write scripts to DB as eligible for skipping script disabled, read from DB when scripts disabled
diff --git a/cmd/fleetctl/mdm.go b/cmd/fleetctl/mdm.go
@@ -265,16 +265,6 @@ func mdmWipeCommand() *cli.Command {
 				return err
 			}
 
-			config, err := client.GetAppConfig()
-			if err != nil {
-				return err
-			}
-
-			// linux hosts need scripts to be enabled in the org settings to wipe.
-			if host.Platform == "linux" && config.ServerSettings.ScriptsDisabled {
-				return errors.New("Can't wipe host because running scripts is disabled in organization settings.")
-			}
-
 			if err := client.MDMWipeHost(host.ID); err != nil {
 				return fmt.Errorf("Failed to wipe host: %w", err)
 			}
diff --git a/ee/server/service/hosts.go b/ee/server/service/hosts.go
@@ -91,18 +91,6 @@ func (svc *Service) LockHost(ctx context.Context, hostID uint, viewPIN bool) (un
 				return "", ctxerr.Wrap(ctx, err, "check windows MDM enabled")
 			}
 		}
-		// on windows and linux, a script is used to lock the host so scripts must
-		// be enabled
-		appCfg, err := svc.ds.AppConfig(ctx)
-		if err != nil {
-			return "", ctxerr.Wrap(ctx, err, "get app config")
-		}
-		if appCfg.ServerSettings.ScriptsDisabled {
-			return "", ctxerr.Wrap(
-				ctx,
-				fleet.NewInvalidArgumentError("host_id", "Can't lock host because running scripts is disabled in organization settings."),
-			)
-		}
 		hostOrbitInfo, err := svc.ds.GetHostOrbitInfo(ctx, host.ID)
 		switch {
 		case err != nil:
@@ -182,7 +170,7 @@ func (svc *Service) UnlockHost(ctx context.Context, hostID uint) (string, error)
 
 	case "windows", "linux":
 		// on windows and linux, a script is used to lock the host so scripts must
-		// be enabled
+		// be enabled on the host
 		if host.FleetPlatform() == "windows" {
 			if err := svc.VerifyMDMWindowsConfigured(ctx); err != nil {
 				if errors.Is(err, fleet.ErrMDMNotConfigured) {
@@ -191,13 +179,6 @@ func (svc *Service) UnlockHost(ctx context.Context, hostID uint) (string, error)
 				return "", ctxerr.Wrap(ctx, err, "check windows MDM enabled")
 			}
 		}
-		appCfg, err := svc.ds.AppConfig(ctx)
-		if err != nil {
-			return "", ctxerr.Wrap(ctx, err, "get app config")
-		}
-		if appCfg.ServerSettings.ScriptsDisabled {
-			return "", ctxerr.Wrap(ctx, fleet.NewInvalidArgumentError("host_id", "Can't unlock host because running scripts is disabled in organization settings."))
-		}
 		hostOrbitInfo, err := svc.ds.GetHostOrbitInfo(ctx, host.ID)
 		switch {
 		case err != nil:
@@ -286,14 +267,7 @@ func (svc *Service) WipeHost(ctx context.Context, hostID uint) error {
 		requireMDM = true
 
 	case "linux":
-		// on linux, a script is used to wipe the host so scripts must be enabled
-		appCfg, err := svc.ds.AppConfig(ctx)
-		if err != nil {
-			return ctxerr.Wrap(ctx, err, "get app config")
-		}
-		if appCfg.ServerSettings.ScriptsDisabled {
-			return ctxerr.Wrap(ctx, fleet.NewInvalidArgumentError("host_id", "Can't wipe host because running scripts is disabled in organization settings."))
-		}
+		// on linux, a script is used to wipe the host so scripts must be enabled on the host
 		hostOrbitInfo, err := svc.ds.GetHostOrbitInfo(ctx, host.ID)
 		switch {
 		case err != nil:
diff --git a/ee/server/service/software_installers.go b/ee/server/service/software_installers.go
@@ -836,18 +836,6 @@ func (svc *Service) installSoftwareTitleUsingInstaller(ctx context.Context, host
 }
 
 func (svc *Service) UninstallSoftwareTitle(ctx context.Context, hostID uint, softwareTitleID uint) error {
-	// First check if scripts are disabled globally. If so, no need for further processing.
-	cfg, err := svc.ds.AppConfig(ctx)
-	if err != nil {
-		svc.authz.SkipAuthorization(ctx)
-		return err
-	}
-
-	if cfg.ServerSettings.ScriptsDisabled {
-		svc.authz.SkipAuthorization(ctx)
-		return fleet.NewUserMessageError(errors.New(fleet.RunScriptScriptsDisabledGloballyErrMsg), http.StatusForbidden)
-	}
-
 	// we need to use ds.Host because ds.HostLite doesn't return the orbit node key
 	host, err := svc.ds.Host(ctx, hostID)
 	if err != nil {
diff --git a/server/service/orbit.go b/server/service/orbit.go
@@ -295,7 +295,7 @@ func (svc *Service) GetOrbitConfig(ctx context.Context) (fleet.OrbitConfig, erro
 	}
 
 	// load the pending script executions for that host
-	if !appConfig.ServerSettings.ScriptsDisabled {
+	if !appConfig.ServerSettings.ScriptsDisabled { // TODO filter to only "special" scripts rather than skipping entirely when scripts disabled
 		pending, err := svc.ds.ListPendingHostScriptExecutions(ctx, host.ID)
 		if err != nil {
 			return fleet.OrbitConfig{}, err

Original file line number	Diff line number	Diff line change
`@@ -295,7 +295,7 @@ func (svc *Service) GetOrbitConfig(ctx context.Context) (fleet.OrbitConfig, erro`
`295`	`295`	`}`
`296`	`296`
`297`	`297`	`// load the pending script executions for that host`
`298`		`- if !appConfig.ServerSettings.ScriptsDisabled {`
	`298`	`+ if !appConfig.ServerSettings.ScriptsDisabled { // TODO filter to only "special" scripts rather than skipping entirely when scripts disabled`
`299`	`299`	`pending, err := svc.ds.ListPendingHostScriptExecutions(ctx, host.ID)`
`300`	`300`	`if err != nil {`
`301`	`301`	`return fleet.OrbitConfig{}, err`