fleetdm · roperzh · May 31, 2022 · May 30, 2022 · May 30, 2022 · May 30, 2022
diff --git a/changes/issue-5685-device-policies-endpoint b/changes/issue-5685-device-policies-endpoint
@@ -0,0 +1 @@
+* Added `/api/_version_/fleet/device/{token}/policies` to retrieve policies for a device. This endpoint can only be accessed with a premium license.
@@ -0,0 +1,11 @@
+package service
+
+import (
+	"context"
+
+	"github.com/fleetdm/fleet/v4/server/fleet"
+)
+
+func (svc *Service) ListDevicePolicies(ctx context.Context, host *fleet.Host) ([]*fleet.HostPolicy, error) {
+	return svc.ds.ListPoliciesForHost(ctx, host)
+}
@@ -257,6 +257,8 @@ type Service interface {
 	// ListHostDeviceMapping returns the list of device-mapping of user's email address
 	// for the host.
 	ListHostDeviceMapping(ctx context.Context, id uint) ([]*HostDeviceMapping, error)
+	// ListDevicePolicies lists all policies for the given host, including passing / failing summaries
+	ListDevicePolicies(ctx context.Context, host *Host) ([]*HostPolicy, error)
 
 	MacadminsData(ctx context.Context, id uint) (*MacadminsData, error)
 	AggregatedMacadminsData(ctx context.Context, teamID *uint) (*AggregatedMacadminsData, error)

@@ -168,3 +168,45 @@ func getDeviceMacadminsDataEndpoint(ctx context.Context, request interface{}, sv
 	}
 	return getMacadminsDataResponse{Macadmins: data}, nil
 }
+
+////////////////////////////////////////////////////////////////////////////////
+// Get Current Device's Policies
+////////////////////////////////////////////////////////////////////////////////
+
+type getDevicePoliciesRequest struct {
+	Token string `url:"token"`
+}
+
+func (r *getDevicePoliciesRequest) deviceAuthToken() string {
+	return r.Token
+}
+
+type getDevicePoliciesResponse struct {
+	Err      error               `json:"error,omitempty"`
+	Policies []*fleet.HostPolicy `json:"policies"`
+}
+
+func (r getDevicePoliciesResponse) error() error { return r.Err }
+
+func getDevicePoliciesEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (interface{}, error) {
+	host, ok := hostctx.FromContext(ctx)
+	if !ok {
+		err := ctxerr.Wrap(ctx, fleet.NewAuthRequiredError("internal error: missing host from request context"))
+		return getHostResponse{Err: err}, nil
+	}
+
+	data, err := svc.ListDevicePolicies(ctx, host)
+	if err != nil {
+		return getDevicePoliciesResponse{Err: err}, nil
+	}
+
+	return getDevicePoliciesResponse{Policies: data}, nil
+}
+
+func (svc *Service) ListDevicePolicies(ctx context.Context, host *fleet.Host) ([]*fleet.HostPolicy, error) {
+	// skipauth: No authorization check needed due to implementation returning
+	// only license error.
+	svc.authz.SkipAuthorization(ctx)
+
+	return nil, fleet.ErrMissingLicense
+}
diff --git a/server/service/devices_test.go b/server/service/devices_test.go
@@ -0,0 +1,46 @@
+package service
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/fleetdm/fleet/v4/server/fleet"
+	"github.com/fleetdm/fleet/v4/server/mock"
+	"github.com/fleetdm/fleet/v4/server/ptr"
+	"github.com/fleetdm/fleet/v4/server/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestListDevicePolicies(t *testing.T) {
+	ds := new(mock.Store)
+	mockPolicies := []*fleet.HostPolicy{&fleet.HostPolicy{fleet.PolicyData{Name: "test-policy"}, "pass"}}
+	ds.ListPoliciesForHostFunc = func(ctx context.Context, host *fleet.Host) ([]*fleet.HostPolicy, error) {
+		return mockPolicies, nil
+	}
+
+	ds.HostLiteFunc = func(ctx context.Context, hostID uint) (*fleet.Host, error) {
+		if hostID != uint(1) {
+			return nil, errors.New("test error")
+		}
+
+		return &fleet.Host{ID: hostID, TeamID: ptr.Uint(1)}, nil
+	}
+
+	t.Run("without premium license", func(t *testing.T) {
+		svc := newTestService(t, ds, nil, nil, &TestServerOpts{License: &fleet.LicenseInfo{Tier: fleet.TierFree}})
+		_, error := svc.ListDevicePolicies(test.UserContext(test.UserAdmin), &fleet.Host{ID: 1})
+		require.ErrorIs(t, error, fleet.ErrMissingLicense)
+	})
+
+	t.Run("with premium license", func(t *testing.T) {
+		svc := newTestService(t, ds, nil, nil, &TestServerOpts{License: &fleet.LicenseInfo{Tier: fleet.TierPremium}})
+
+		_, error := svc.ListDevicePolicies(test.UserContext(test.UserAdmin), &fleet.Host{})
+		require.Error(t, error)
+
+		policies, error := svc.ListDevicePolicies(test.UserContext(test.UserAdmin), &fleet.Host{ID: 1})
+		require.NoError(t, error)
+		require.Len(t, policies, len(mockPolicies))
+	})
+}
@@ -395,6 +395,7 @@ func attachFleetAPIRoutes(r *mux.Router, svc fleet.Service, config config.FleetC
 	de.POST("/api/_version_/fleet/device/{token}/refetch", refetchDeviceHostEndpoint, refetchDeviceHostRequest{})
 	de.GET("/api/_version_/fleet/device/{token}/device_mapping", listDeviceHostDeviceMappingEndpoint, listDeviceHostDeviceMappingRequest{})
 	de.GET("/api/_version_/fleet/device/{token}/macadmins", getDeviceMacadminsDataEndpoint, getDeviceMacadminsDataRequest{})
+	de.GET("/api/_version_/fleet/device/{token}/policies", getDevicePoliciesEndpoint, getDevicePoliciesRequest{})
 
 	// host-authenticated endpoints
 	he := newHostAuthenticatedEndpointer(svc, logger, opts, r, apiVersions...)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		* Added `/api/_version_/fleet/device/{token}/policies` to retrieve policies for a device. This endpoint can only be accessed with a premium license.