From a384c97ad6a1f931503334fb64352e8295438f59 Mon Sep 17 00:00:00 2001
From: Ian Littman <iansltx@gmail.com>
Date: Fri, 10 Jan 2025 14:13:31 -0600
Subject: [PATCH] Add more tests, fix bugs found by tests

---
 server/datastore/mysql/vpp.go        |  2 +-
 server/datastore/mysql/vpp_test.go   | 10 ++++++++++
 server/service/team_policies.go      |  2 +-
 server/service/team_policies_test.go | 25 +++++++++++++++++++++++++
 4 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/server/datastore/mysql/vpp.go b/server/datastore/mysql/vpp.go
index 490b2152f705..2302e06c074d 100644
--- a/server/datastore/mysql/vpp.go
+++ b/server/datastore/mysql/vpp.go
@@ -492,7 +492,7 @@ func (ds *Datastore) GetTitleInfoFromVPPAppsTeamsID(ctx context.Context, vppApps
 }
 
 func (ds *Datastore) GetVPPAppMetadataByAdamIDAndPlatform(ctx context.Context, adamID string, platform fleet.AppleDevicePlatform) (*fleet.VPPApp, error) {
-	stmt := `SELECT va.adam_id, va.bundle_identifier, va.icon_url, va.name, va.title_id, va.platform, va.created_at, va.updated_at,
+	stmt := `SELECT va.adam_id, va.bundle_identifier, va.icon_url, va.name, va.title_id, va.platform, va.created_at, va.updated_at
 		FROM vpp_apps va WHERE va.adam_id = ? AND va.platform = ?
   `
 
diff --git a/server/datastore/mysql/vpp_test.go b/server/datastore/mysql/vpp_test.go
index 7d9d4dc0c457..b7c312739b08 100644
--- a/server/datastore/mysql/vpp_test.go
+++ b/server/datastore/mysql/vpp_test.go
@@ -201,6 +201,14 @@ func testVPPAppMetadata(t *testing.T, ds *Datastore) {
 	meta.VPPAppsTeamsID = 0 // we don't care about the VPP app team PK
 	require.Equal(t, &fleet.VPPAppStoreApp{Name: "vpp2", VPPAppID: vpp2}, meta)
 
+	appMeta, err := ds.GetVPPAppMetadataByAdamIDAndPlatform(ctx, meta.AdamID, meta.Platform)
+	require.NoError(t, err)
+	require.Equal(t, appMeta.AdamID, meta.AdamID)
+	require.Equal(t, appMeta.Platform, meta.Platform)
+
+	_, err = ds.GetVPPAppMetadataByAdamIDAndPlatform(ctx, "foo", meta.Platform)
+	require.ErrorContains(t, err, "not found")
+
 	// mark it as install_during_setup for team 2
 	ExecAdhocSQL(t, ds, func(q sqlx.ExtContext) error {
 		_, err := q.ExecContext(ctx, `UPDATE vpp_apps_teams SET install_during_setup = 1 WHERE global_or_team_id = ? AND adam_id = ?`, team2.ID, vpp2.AdamID)
@@ -911,6 +919,8 @@ func testVPPTokensCRUD(t *testing.T, ds *Datastore) {
 	assert.Equal(t, team.ID, teamTok.Teams[0].ID)
 	assert.Equal(t, team.Name, teamTok.Teams[0].Name)
 
+	// TODO make sure policies are unaffected
+
 	// Renew flow
 	upTok, err = ds.UpdateVPPToken(ctx, tokID, dataToken6)
 	assert.NoError(t, err)
diff --git a/server/service/team_policies.go b/server/service/team_policies.go
index edf667f79e24..9661b32ee33d 100644
--- a/server/service/team_policies.go
+++ b/server/service/team_policies.go
@@ -614,7 +614,7 @@ func (svc *Service) getInstallerOrVPPAppForTitle(ctx context.Context, teamID *ui
 		if softwareTitle.AppStoreApp.Platform != fleet.MacOSPlatform {
 			return nil, nil, ctxerr.Wrap(ctx, &fleet.BadRequestError{
 				Message: fmt.Sprintf(
-					"software_title_id %d on team_id %d is assocated to an iOS or iPadOS VPP app, only software installers or macOS VPP apps are supported",
+					"software_title_id %d on team_id %d is associated to an iOS or iPadOS VPP app, only software installers or macOS VPP apps are supported",
 					*softwareTitleID,
 					*teamID,
 				),
diff --git a/server/service/team_policies_test.go b/server/service/team_policies_test.go
index 551e6e567cf1..de24cca8ff97 100644
--- a/server/service/team_policies_test.go
+++ b/server/service/team_policies_test.go
@@ -182,6 +182,31 @@ func TestTeamPoliciesAuth(t *testing.T) {
 	}
 }
 
+func TestTeamPolicyVPPAutomationRejectsNonMacOS(t *testing.T) {
+	ds := new(mock.Store)
+	svc, ctx := newTestService(t, ds, nil, nil)
+	ctx = viewer.NewContext(ctx, viewer.Viewer{User: &fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)}})
+
+	appID := fleet.VPPAppID{AdamID: "123456", Platform: fleet.IOSPlatform}
+	ds.TeamExistsFunc = func(ctx context.Context, id uint) (bool, error) {
+		return true, nil
+	}
+	ds.SoftwareTitleByIDFunc = func(ctx context.Context, id uint, teamID *uint, tmFilter fleet.TeamFilter) (*fleet.SoftwareTitle, error) {
+		return &fleet.SoftwareTitle{
+			AppStoreApp: &fleet.VPPAppStoreApp{
+				VPPAppID: appID,
+			},
+		}, nil
+	}
+
+	_, err := svc.NewTeamPolicy(ctx, 1, fleet.NewTeamPolicyPayload{
+		Name:            "query1",
+		Query:           "select 1;",
+		SoftwareTitleID: ptr.Uint(123),
+	})
+	require.ErrorContains(t, err, "is associated to an iOS or iPadOS VPP app")
+}
+
 func checkAuthErr(t *testing.T, shouldFail bool, err error) {
 	t.Helper()
 	if shouldFail {