From fe269bf14939a48965564b2e51e290129eb08452 Mon Sep 17 00:00:00 2001
From: Victor Lyuboslavsky
Date: Tue, 31 Dec 2024 13:23:16 -0600
Subject: [PATCH] Fixed Windows verification issue.

---
 server/fleet/datastore.go | 3 +++
 server/mdm/microsoft/profile_verifier.go | 6 ++++++
 server/mdm/microsoft/profile_verifier_test.go | 15 +++++++++++++++
 3 files changed, 24 insertions(+)

diff --git a/server/fleet/datastore.go b/server/fleet/datastore.go
index 78175335626c..489145fae596 100644
--- a/server/fleet/datastore.go
+++ b/server/fleet/datastore.go
@@ -1954,6 +1954,9 @@ type ProfileVerificationStore interface {
 // profile status. It deletes the row if the profile operation is "remove"
 // and the status is "verifying" (i.e. successfully removed).
 UpdateOrDeleteHostMDMAppleProfile(ctx context.Context, profile *HostMDMAppleProfile) error
+ // ExpandEmbeddedSecrets expands the fleet secrets in a
+ // document using the secrets stored in the datastore.
+ ExpandEmbeddedSecrets(ctx context.Context, document string) (string, error)
 }
 
 var _ ProfileVerificationStore = (Datastore)(nil)
diff --git a/server/mdm/microsoft/profile_verifier.go b/server/mdm/microsoft/profile_verifier.go
index 057cec6c3477..255e6310e81d 100644
--- a/server/mdm/microsoft/profile_verifier.go
+++ b/server/mdm/microsoft/profile_verifier.go
@@ -9,6 +9,7 @@ import (
 "io"
 "strings"
 
+ "github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
 "github.com/fleetdm/fleet/v4/server/fleet"
 "github.com/fleetdm/fleet/v4/server/mdm"
 )
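Review bot: The doc comment on the new ExpandEmbeddedSecrets method of ProfileVerificationStore does not say what the method does when the document references a secret that is not stored (error, or placeholder left as-is), and the neighbouring UpdateOrDeleteHostMDMAppleProfile comment shows this interface does spell out such edge behaviour. It also does not say that the returned string carries plaintext secret values, which is the one fact a caller in a verification loop most needs before logging or persisting the result. Suggest extending the comment with a sentence on the unknown-secret behaviour (whichever the Datastore implementation actually does; it is not visible in this diff) and with `// The returned document contains the plaintext secret values; callers must not log or persist it.`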
@@ -31,6 +32,11 @@ func LoopHostMDMLocURIs(
 return fmt.Errorf("getting host profiles for verification: %w", err)
 }
 for _, expectedProf := range profileMap {
+ expanded, err := ds.ExpandEmbeddedSecrets(ctx, string(expectedProf.RawProfile))
+ if err != nil {
+ return ctxerr.Wrapf(ctx, err, "expanding embedded secrets for profile %s", expectedProf.Name)
+ }
+ expectedProf.RawProfile = []byte(expanded)
 var prof fleet.SyncMLCmd
 wrappedBytes := fmt.Sprintf("%s", expectedProf.RawProfile)
 if err := xml.Unmarshal([]byte(wrappedBytes), &prof); err != nil {
diff --git a/server/mdm/microsoft/profile_verifier_test.go b/server/mdm/microsoft/profile_verifier_test.go
index 38dae13a1816..aba4aa94f4c7 100644
--- a/server/mdm/microsoft/profile_verifier_test.go
+++ b/server/mdm/microsoft/profile_verifier_test.go
@@ -4,6 +4,7 @@ import (
 "context"
 "encoding/xml"
 "io"
+ "strings"
 "testing"
 "time"
 
@@ -159,6 +160,16 @@ func TestVerifyHostMDMProfilesHappyPaths(t *testing.T) {
 toFail: []string{},
 toRetry: []string{},
 },
+ {
+ name: "single profile with secret variables reported and verified",
+ hostProfiles: []hostProfile{
+ {"N1", syncml.ForTestWithData(map[string]string{"L1": "$FLEET_SECRET_VALUE"}), 0},
+ },
+ report: []osqueryReport{{"N1", "200", "L1", "D1"}},
+ toVerify: []string{"N1"},
+ toFail: []string{},
+ toRetry: []string{},
+ },
 {
 name: "Get succeeds but has missing data",
 hostProfiles: []hostProfile{
@@ -296,6 +307,10 @@ func TestVerifyHostMDMProfilesHappyPaths(t *testing.T) {
 return out, nil
 }
 
+ ds.ExpandEmbeddedSecretsFunc = func(ctx context.Context, document string) (string, error) {
+ return strings.ReplaceAll(document, "$FLEET_SECRET_VALUE", "D1"), nil
+ }
+
 out, err := xml.Marshal(msg)
 require.NoError(t, err)
 require.NoError(t, VerifyHostMDMProfiles(ctx, ds, host, out))
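Review bot: The expanded document, which now holds plaintext secret values, is written back into `expectedProf.RawProfile` although the only consumer visible in this hunk is the xml.Unmarshal two lines below; if profileMap holds pointers, that mutation outlives the loop and any later logging or persistence of the map entry would carry the decrypted values. Keeping the expansion local avoids that: drop `expectedProf.RawProfile = []byte(expanded)` and change the next line to `wrappedBytes := fmt.Sprintf("%s", expanded)`. Separately, an expansion error for one profile (for example a reference to a secret that no longer exists) returns from LoopHostMDMLocURIs and so skips verification of every other profile on the host; whether that profile should instead be marked failed and the loop continue depends on how the caller treats the error, which is not visible here. LoopHostMDMLocURIs begins and ends outside the hunk.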
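Review bot: The new table case and the ExpandEmbeddedSecretsFunc stub in the two test hunks only exercise successful expansion; there is no case where the stub returns an error, so the new error return in LoopHostMDMLocURIs, and whatever VerifyHostMDMProfiles does with it, is untested. Consider a second stub that returns an error and asserting that VerifyHostMDMProfiles propagates it and leaves "N1" out of the verified set; the table-driven layout makes that a small addition. The new case also relies on the report carrying `"D1"`, the value the stub substitutes, which is the whole point of the case but not obvious from the table row; a comment on it such as `// the report carries the expanded value, so N1 verifies only if the placeholder was expanded` would make that intent explicit.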