New Fleet server config: Fleet Desktop URL for Secureframe partnership

[noahtalerman]

Goal

User story
As Secureframe,
I want to show end users the Secureframe logo when they click on My device > About Fleet
so that end users know they're using Secureframe.

Key result

None.

Original requests

None.

Context

• Product Designer: @noahtalerman
• Engineering support: @iansltx

Changes

Product

• [ ] Fleet server config changes: #27461
• [ ] UI changes: No changes.
• [ ] CLI (fleetctl) usage changes: No changes.
• [ ] YAML changes: No changes.
• [ ] REST API changes: No changes.
• [ ] Fleet's agent (fleetd) changes: No changes.
• [ ] GitOps mode changes: No changes.
• [ ] Activity changes: No changes.
• [ ] Permissions changes: No changes.
• [ ] Changes to paid features or tiers: This should be Fleet free only. Fleet premium will override this.
• [ ] Transparency changes: No changes.
• [x] First draft of test plan added
• [ ] Other reference documentation changes: No changes.
• [ ] Once shipped, requester has been notified
• [ ] Once shipped, dogfooding issue has been filed

Engineering

• [x] Test plan is finalized
• [ ] Feature guide changes: No changes.

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Risk level: Low

Test plan

Make sure to go through the list and consider all events that might be related to this story, so we catch edge cases earlier.

On Fleet FREE:

• [ ] Start a Fleet server. Enroll a host and click on Fleet Desktop > My device. Verify that you're navigated to the following URL and you don't see the Secureframe branding: https://fleetdm.com/better
• [ ] Start a Fleet server with the new FLEET_PARTNERSHIPS_ENABLE_SECUREFRAME environment variable set to true. Enroll a host and click on Fleet Desktop > My device. Verify that you're navigated to the following URL and you see the Secureframe branding: https://fleetdm.com/better?utm_content=secureframe
• [ ] Check that FLEET_PARTNERSHIPS_ENABLE_SECUREFRAME=false will not show custom branding
• [ ] Check that FLEET_PARTNERSHIPS_ENABLE_SECUREFRAME=anything_other_than_true_or_false is not accepted/provides an easy to understand error/doesn't cause issues

Fleet Premium

• [ ] With FLEET_PARTNERSHIPS_ENABLE_SECUREFRAME set to true, add a custom URL in Settings > Organization settings > Fleet Desktop > Custom transparency URL. Enroll a host and click on Fleet Desktop > My device. Verify that you're navigated to your custom URL. The custom URL wins.

Testing notes

Confirmation

1. [ ] Engineer: Added comment to user story confirming successful completion of test plan.
2. [ ] QA: Added comment to user story confirming successful completion of test plan.

[iansltx]

How about forcing this to be a UTM parameter on our existing transparency page, so we can decide how to route things as they come up? This (untested) patch should do the trick:

Subject: [PATCH] Allow adding a UTM to the Fleet transparency URL on Fleet Free
---
Index: server/service/devices.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/server/service/devices.go b/server/service/devices.go
--- a/server/service/devices.go	(revision fa7938146bad5bc3107ab99564d58581f3a61766)
+++ b/server/service/devices.go	(date 1742449806048)
@@ -9,6 +9,8 @@
 	"io"
 	"net/http"
 	"net/url"
+	"os"
+	"regexp"
 	"strconv"
 	"time"
 
@@ -402,6 +404,13 @@
 	}
 
 	transparencyURL := fleet.DefaultTransparencyURL
+	if utm := os.Getenv("TRANSPARENCY_UTM"); utm != "" {
+		utmRegex := regexp.MustCompile("^[a-zA-Z0-9-_]+$")
+		if utmRegex.MatchString(utm) {
+			transparencyURL += "?utm_campaign=" + utm
+		}
+	}
+
 	// Fleet Premium license is required for custom transparency url
 	if license.IsPremium() && config.FleetDesktop.TransparencyURL != "" {
 		transparencyURL = config.FleetDesktop.TransparencyURL

[lukeheath]

How about forcing this to be a UTM parameter on our existing transparency page, so we can decide how to route things as they come up?

@iansltx We considered that option but we want this to be one-off on a per-partnership basis and not generic. It also means the environment variable users will need to set is unique to the branded partnership, which translates better for the end user.

[iansltx]

Fair enough. Is ?utm_source=secureframe the right hardcoded value here or do we want something else? ?utm= isn't a standard UTM parameter name, hence my asking (?utm_content= is though).

[noahtalerman]

@iansltx I think we want ?utm_content=secureframe. The page is live here: https://fleetdm.com/better?utm_content=secureframe

I opened up a PR with proposed config changes here: https://github.com/fleetdm/fleet/pull/27461/files

Went with FLEET_PARTNERSHIPS_ENABLE_SECUREFRAME instead to follow the pattern we use for other Fleet server config: top level section (partnerships) with related config options underneath. When we add more partnerships in the future, I think we could error if more than one is set to true.

Bringing this to #g-software design review tomorrow. FYI @eugkuo

[eugkuo]

@noahtalerman I've added this to the top of the agenda for tomorrow.

[iansltx]

Just made the following revisions to the associated PR:

• Env var name
• utm_source -> utm_content
• 1 -> true as the value we're checking for in the env var

Quick changes, and if nothing further is needed in design review this'll be quick to QA/ship.

[iansltx]

As noted above, providing engineering support on this. Skipping the additional issue add as it'd be 0pt.

[iansltx]

@jmwatts Re: expected errors, we'll be using the existing config framework foor bool values, so the error we'll see when handing back a non-boolean will be like this:

FLEET_LOGGING_DEBUG=furz build/fleet serve --dev --dev_license --mysql_address=127.0.0.1:3310 
panic: Unable to cast to bool for key logging.debug: strconv.ParseBool: parsing "furz": invalid syntax

goroutine 1 [running]:
github.com/fleetdm/fleet/v4/server/config.Manager.getConfigBool({0xc000195d40?, 0xc00064cf08?, 0xc0005381b0?}, {0x1108c7763, 0xd})
	/Volumes/Code/CH/fleet/server/config/config.go:1863 +0x8e
github.com/fleetdm/fleet/v4/server/config.Manager.LoadConfig({_, _, _})
	/Volumes/Code/CH/fleet/server/config/config.go:1517 +0xf14
main.createServeCmd.func1(0xc00064db08, {0x1108b702a?, 0x4?, 0x1108b702e?})
	/Volumes/Code/CH/fleet/cmd/fleet/serve.go:117 +0xcc
github.com/spf13/cobra.(*Command).execute(0xc00064db08, {0xc000538660, 0x3, 0x3})
	/Users/ian/gopath/pkg/mod/github.com/spf13/[email protected]/command.go:987 +0xa91
github.com/spf13/cobra.(*Command).ExecuteC(0xc00064cf08)
	/Users/ian/gopath/pkg/mod/github.com/spf13/[email protected]/command.go:1115 +0x3ff
github.com/spf13/cobra.(*Command).Execute(...)
	/Users/ian/gopath/pkg/mod/github.com/spf13/[email protected]/command.go:1039
main.main()
	/Volumes/Code/CH/fleet/cmd/fleet/main.go:64 +0x4dc

[iansltx]

Per E-Group call, this needs to ship in 4.67, so I've pulled it into the sprint onto me.

[jmwatts]

QA Notes

On Fleet FREE:

• [x] Start a Fleet server. Enroll a host and click on Fleet Desktop > My device. Verify that you're navigated to the following URL and you don't see the Secureframe branding: https://fleetdm.com/better
• [x] Start a Fleet server with the new FLEET_PARTNERSHIPS_ENABLE_SECUREFRAME environment variable set to true. Enroll a host and click on Fleet Desktop > My device. Verify that you're navigated to the following URL and you see the Secureframe branding: https://fleetdm.com/better?utm_content=secureframe
• [x] Check that FLEET_PARTNERSHIPS_ENABLE_SECUREFRAME=false will not show custom branding
• [x] Check that FLEET_PARTNERSHIPS_ENABLE_SECUREFRAME=anything_other_than_true_or_false is not accepted/provides an easy to understand error/doesn't cause issues

panic: Unable to cast to bool for key partnerships.enable_secureframe: strconv.ParseBool: parsing "idk_maybe?": invalid syntax

goroutine 1 [running]:
github.com/fleetdm/fleet/v4/server/config.Manager.getConfigBool({0x1400021d860?, 0x1400077e608?, 0x1400055ff50?}, {0x1060842f1, 0x1f})
	/Users/janis/Documents/GitHub/fleet/server/config/config.go:1875 +0x94
github.com/fleetdm/fleet/v4/server/config.Manager.LoadConfig({_, _, _})
	/Users/janis/Documents/GitHub/fleet/server/config/config.go:1680 +0x1984
main.createServeCmd.func1(0x1400077f208, {0x10603019d?, 0x4?, 0x1060301a1?})
	/Users/janis/Documents/GitHub/fleet/cmd/fleet/serve.go:118 +0x98
github.com/spf13/cobra.(*Command).execute(0x1400077f208, {0x140005c26e0, 0x5, 0x5})
	/Users/janis/go/pkg/mod/github.com/spf13/[email protected]/command.go:987 +0x818
github.com/spf13/cobra.(*Command).ExecuteC(0x1400077e608)
	/Users/janis/go/pkg/mod/github.com/spf13/[email protected]/command.go:1115 +0x344
github.com/spf13/cobra.(*Command).Execute(...)
	/Users/janis/go/pkg/mod/github.com/spf13/[email protected]/command.go:1039
main.main()
	/Users/janis/Documents/GitHub/fleet/cmd/fleet/main.go:64 +0x410

(Fleet server did not start)

Fleet Premium

• [x] Start a Fleet server with the new FLEET_PARTNERSHIPS_ENABLE_SECUREFRAME environment variable set to true. Enroll a host and click on Fleet Desktop > My device. Verify that you're navigated to the following URL and you see the Secureframe branding: https://fleetdm.com/better?utm_content=secureframe
• [x] With FLEET_PARTNERSHIPS_ENABLE_SECUREFRAME set to true, add a custom URL in Settings > Organization settings > Fleet Desktop > Custom transparency URL. Enroll a host and click on Fleet Desktop > My device. Verify that you're navigated to your custom URL. The custom URL wins.

[eugkuo]

@noahtalerman dogfood issue filed and forwarding this to you.

[noahtalerman]

Hey @zayhanlon we shipped this improvement (user story) for Secureframe in 4.67. Heads up that there's no original customer request. Just the user story issue.

I think up to you on how to notify the partner and up to you on if we can close this issue.

[fleet-release]

Logo on Fleet's flight, Secureframe shines in users' sight, Trust in digital night.