fleet/website/api/controllers/android-proxy/modify-android-policies.js

module.exports = {


  friendlyName: 'Modify android policies',


  description: 'Modifies a policy of an Android enterprise',


  inputs: {
    androidEnterpriseId: {
      type: 'string',
      required: true,
    },
    policyId: {
      type: 'string',
      required: true,
    },
  },


  exits: {
    success: { description: 'The policy of an Android enterprise was successfully updated.' },
    missingAuthHeader: { description: 'This request was missing an authorization header.', responseType: 'unauthorized'},
    unauthorized: { description: 'Invalid authentication token.', responseType: 'unauthorized'},
    notFound: { description: 'No Android enterprise found for this Fleet server.', responseType: 'notFound'},
    invalidPolicy: { description: 'Invalid patch policy request', responseType: 'badRequest' },
    policyNotFound: { description: 'The specified policy was not found on this Android enterprise', responseType: 'notFound' },
  },


  fn: async function ({ androidEnterpriseId, policyId}) {

    // Extract fleetServerSecret from the Authorization header
    let authHeader = this.req.get('authorization');
    let fleetServerSecret;

    if (authHeader && authHeader.startsWith('Bearer')) {
      fleetServerSecret = authHeader.replace('Bearer', '').trim();
    } else {
      throw 'missingAuthHeader';
    }

    // Authenticate this request
    let thisAndroidEnterprise = await AndroidEnterprise.findOne({
      androidEnterpriseId: androidEnterpriseId
    });

    // Return a 404 response if no records are found.
    if (!thisAndroidEnterprise) {
      throw 'notFound';
    }
    // Return an unauthorized response if the provided secret does not match.
    if (thisAndroidEnterprise.fleetServerSecret !== fleetServerSecret) {
      throw 'unauthorized';
    }

    // Check the list of Android Enterprises managed by Fleet to see if this Android Enterprise is still managed.
    let isEnterpriseManagedByFleet = await sails.helpers.androidProxy.getIsEnterpriseManagedByFleet(androidEnterpriseId);
    // Return a 404 response if this Android enterprise is no longer managed by Fleet.
    if(!isEnterpriseManagedByFleet) {
      throw 'notFound';
    }

    // Update the policy for this Android enterprise.
    // Note: We're using sails.helpers.flow.build here to handle any errors that occurr using google's node library.
    let modifyPoliciesResponse = await sails.helpers.flow.build(async () => {
      let { google } = require('googleapis');
      let androidmanagement = google.androidmanagement('v1');
      let googleAuth = new google.auth.GoogleAuth({
        scopes: ['https://www.googleapis.com/auth/androidmanagement'],
        credentials: {
          client_email: sails.config.custom.androidEnterpriseServiceAccountEmailAddress,// eslint-disable-line camelcase
          private_key: sails.config.custom.androidEnterpriseServiceAccountPrivateKey,// eslint-disable-line camelcase
        },
      });
      // Acquire the google auth client, and bind it to all future calls
      let authClient = await googleAuth.getClient();
      google.options({ auth: authClient });
      // [?]: https://googleapis.dev/nodejs/googleapis/latest/androidmanagement/classes/Resource$Enterprises$Policies.html#patch
      let patchPoliciesResponse = await androidmanagement.enterprises.policies.patch({
        name: `enterprises/${androidEnterpriseId}/policies/${policyId}`,
        // Note: Typically, we use defined inputs instead of accessing req.body directly. We forward req.body here to prevent previously set values from being overwritten by undefined values.
        // This behavior should not be repeated in future Android proxy endpoints.
        requestBody: this.req.body,
        updateMask: this.req.param('updateMask') // Pass the update mask to avoid overwriting applications
      });
      return patchPoliciesResponse.data;
    }).intercept({ status: 429 }, (err) => {
      // If the Android management API returns a 429 response, log an additional warning that will trigger a help-p1 alert.
      sails.log.warn(`p1: Android management API rate limit exceeded!`);
      return new Error(`When attempting to update a policy for an Android enterprise (${androidEnterpriseId}), an error occurred. Error: ${err}`);
    }).intercept({ status: 400 }, (err) => {
      return {'invalidPolicy': `Attempted to update a policy with an invalid value for an Android enterprise (${androidEnterpriseId}): ${err}`};
    }).intercept({ status: 404 }, (err) => {
      return {'policyNotFound': `Specified policy not found on this Android enterprise (${androidEnterpriseId}): ${err}`};
    }).intercept((err) => {
      return new Error(`When attempting to update a policy for an Android enterprise (${androidEnterpriseId}), an error occurred. Error: ${require('util').inspect(err)}`);
    });


    // Return the modified policy back to the Fleet server.
    return modifyPoliciesResponse;

  }


};
Website: Add android proxy endpoints (#28267) Related to: https://github.com/fleetdm/fleet/issues/26270 Changes: - Added a new database model: `AndroidEnterprise` - Added one new website dependency: `[email protected]` - Added `android-proxy/create-android-signup-url`: an endpoint that returns a signup url used to grant access to Fleet's Android MDM integration. - Added `android-proxy/create-android-enterprise`: An endpoint that creates an Android enterprise for a Fleet server - Added `android-proxy/create-android-enrollment-token`: An endpoint that returns an enrollment token for an Android enterprise - Added `android-proxy/modify-android-policies`: An endpoint used to update policies of an Android enterprise - Added `android-proxy/delete-one-android-enterprise`: an endpoint that deletes an Android enterprise --------- Co-authored-by: Victor Lyuboslavsky <[email protected]> 2025-06-12 18:23:49 +00:00			`module.exports = {`


			`friendlyName: 'Modify android policies',`


			`description: 'Modifies a policy of an Android enterprise',`


			`inputs: {`
			`androidEnterpriseId: {`
			`type: 'string',`
			`required: true,`
			`},`
			`policyId: {`
			`type: 'string',`
			`required: true,`
			`},`
			`},`


			`exits: {`
Website: Update Android proxy endpoints exits (#34135) Changes: - Updated the website's Android proxy endpoints to use action2 exit signals. 2025-10-10 22:11:42 +00:00			`success: { description: 'The policy of an Android enterprise was successfully updated.' },`
			`missingAuthHeader: { description: 'This request was missing an authorization header.', responseType: 'unauthorized'},`
			`unauthorized: { description: 'Invalid authentication token.', responseType: 'unauthorized'},`
			`notFound: { description: 'No Android enterprise found for this Fleet server.', responseType: 'notFound'},`
fail gracefully when profile is invalid (#38899) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #35211 # Checklist for submitter - [x] QA'd all new/changed functionality manually 2026-01-28 15:57:27 +00:00			`invalidPolicy: { description: 'Invalid patch policy request', responseType: 'badRequest' },`
Website: update android proxy error handling (#40140) Related to: https://github.com/fleetdm/fleet/issues/40127 Changes: - Updated errors logged by Android proxy endpoints to include more information about the error. - Added a `deviceNoLongerManaged` exit to the `delete-android-device` endpoint that is used when the Google API returns a "Device is no longer being managed" error. - Added a `policyNotFound` exit to the `modify-android-policies` and `modify-enterprise-app-policy` endpoints that is used when the Google API returns a 404 response - Added a `invalidPolicyName` exit to the `modify-android-device` endpoint that is used when the Google API returns an error related to the policy name sent in the request body. 2026-02-19 23:46:41 +00:00			`policyNotFound: { description: 'The specified policy was not found on this Android enterprise', responseType: 'notFound' },`
Website: Add android proxy endpoints (#28267) Related to: https://github.com/fleetdm/fleet/issues/26270 Changes: - Added a new database model: `AndroidEnterprise` - Added one new website dependency: `[email protected]` - Added `android-proxy/create-android-signup-url`: an endpoint that returns a signup url used to grant access to Fleet's Android MDM integration. - Added `android-proxy/create-android-enterprise`: An endpoint that creates an Android enterprise for a Fleet server - Added `android-proxy/create-android-enrollment-token`: An endpoint that returns an enrollment token for an Android enterprise - Added `android-proxy/modify-android-policies`: An endpoint used to update policies of an Android enterprise - Added `android-proxy/delete-one-android-enterprise`: an endpoint that deletes an Android enterprise --------- Co-authored-by: Victor Lyuboslavsky <[email protected]> 2025-06-12 18:23:49 +00:00			`},`


			`fn: async function ({ androidEnterpriseId, policyId}) {`

			`// Extract fleetServerSecret from the Authorization header`
			`let authHeader = this.req.get('authorization');`
			`let fleetServerSecret;`

			`if (authHeader && authHeader.startsWith('Bearer')) {`
			`fleetServerSecret = authHeader.replace('Bearer', '').trim();`
			`} else {`
Website: Update Android proxy endpoints exits (#34135) Changes: - Updated the website's Android proxy endpoints to use action2 exit signals. 2025-10-10 22:11:42 +00:00			`throw 'missingAuthHeader';`
Website: Add android proxy endpoints (#28267) Related to: https://github.com/fleetdm/fleet/issues/26270 Changes: - Added a new database model: `AndroidEnterprise` - Added one new website dependency: `[email protected]` - Added `android-proxy/create-android-signup-url`: an endpoint that returns a signup url used to grant access to Fleet's Android MDM integration. - Added `android-proxy/create-android-enterprise`: An endpoint that creates an Android enterprise for a Fleet server - Added `android-proxy/create-android-enrollment-token`: An endpoint that returns an enrollment token for an Android enterprise - Added `android-proxy/modify-android-policies`: An endpoint used to update policies of an Android enterprise - Added `android-proxy/delete-one-android-enterprise`: an endpoint that deletes an Android enterprise --------- Co-authored-by: Victor Lyuboslavsky <[email protected]> 2025-06-12 18:23:49 +00:00			`}`

			`// Authenticate this request`
			`let thisAndroidEnterprise = await AndroidEnterprise.findOne({`
			`androidEnterpriseId: androidEnterpriseId`
			`});`

			`// Return a 404 response if no records are found.`
			`if (!thisAndroidEnterprise) {`
Website: Update Android proxy endpoints exits (#34135) Changes: - Updated the website's Android proxy endpoints to use action2 exit signals. 2025-10-10 22:11:42 +00:00			`throw 'notFound';`
Website: Add android proxy endpoints (#28267) Related to: https://github.com/fleetdm/fleet/issues/26270 Changes: - Added a new database model: `AndroidEnterprise` - Added one new website dependency: `[email protected]` - Added `android-proxy/create-android-signup-url`: an endpoint that returns a signup url used to grant access to Fleet's Android MDM integration. - Added `android-proxy/create-android-enterprise`: An endpoint that creates an Android enterprise for a Fleet server - Added `android-proxy/create-android-enrollment-token`: An endpoint that returns an enrollment token for an Android enterprise - Added `android-proxy/modify-android-policies`: An endpoint used to update policies of an Android enterprise - Added `android-proxy/delete-one-android-enterprise`: an endpoint that deletes an Android enterprise --------- Co-authored-by: Victor Lyuboslavsky <[email protected]> 2025-06-12 18:23:49 +00:00			`}`
			`// Return an unauthorized response if the provided secret does not match.`
			`if (thisAndroidEnterprise.fleetServerSecret !== fleetServerSecret) {`
Website: Update Android proxy endpoints exits (#34135) Changes: - Updated the website's Android proxy endpoints to use action2 exit signals. 2025-10-10 22:11:42 +00:00			`throw 'unauthorized';`
Website: Add android proxy endpoints (#28267) Related to: https://github.com/fleetdm/fleet/issues/26270 Changes: - Added a new database model: `AndroidEnterprise` - Added one new website dependency: `[email protected]` - Added `android-proxy/create-android-signup-url`: an endpoint that returns a signup url used to grant access to Fleet's Android MDM integration. - Added `android-proxy/create-android-enterprise`: An endpoint that creates an Android enterprise for a Fleet server - Added `android-proxy/create-android-enrollment-token`: An endpoint that returns an enrollment token for an Android enterprise - Added `android-proxy/modify-android-policies`: An endpoint used to update policies of an Android enterprise - Added `android-proxy/delete-one-android-enterprise`: an endpoint that deletes an Android enterprise --------- Co-authored-by: Victor Lyuboslavsky <[email protected]> 2025-06-12 18:23:49 +00:00			`}`
Website: Update Android Proxy endpoints to return 404 responses if an Android Enterprise are not managed by Fleet (#33816) Related to: https://github.com/fleetdm/fleet/issues/33266 Changes: - Added a new helper `sails.helpers.androidProxy.getIsEnterpriseManagedByFleet`. This helper returns `true` if a provided Android Enterprise ID is present in the list of all Android Enterprises managed by Fleet, or `false` if it is not in the list. - Updated `create-android-enrollment-token`, `create-android-signup-url`, and `modify-android-policies` to return a 404 response to the requesting Fleet instance if their Android Enterprise is not managed by Fleet. 2025-10-06 17:50:42 +00:00
			`// Check the list of Android Enterprises managed by Fleet to see if this Android Enterprise is still managed.`
			`let isEnterpriseManagedByFleet = await sails.helpers.androidProxy.getIsEnterpriseManagedByFleet(androidEnterpriseId);`
			`// Return a 404 response if this Android enterprise is no longer managed by Fleet.`
			`if(!isEnterpriseManagedByFleet) {`
Website: Update Android proxy endpoints exits (#34135) Changes: - Updated the website's Android proxy endpoints to use action2 exit signals. 2025-10-10 22:11:42 +00:00			`throw 'notFound';`
Website: Update Android Proxy endpoints to return 404 responses if an Android Enterprise are not managed by Fleet (#33816) Related to: https://github.com/fleetdm/fleet/issues/33266 Changes: - Added a new helper `sails.helpers.androidProxy.getIsEnterpriseManagedByFleet`. This helper returns `true` if a provided Android Enterprise ID is present in the list of all Android Enterprises managed by Fleet, or `false` if it is not in the list. - Updated `create-android-enrollment-token`, `create-android-signup-url`, and `modify-android-policies` to return a 404 response to the requesting Fleet instance if their Android Enterprise is not managed by Fleet. 2025-10-06 17:50:42 +00:00			`}`

Website: Add android proxy endpoints (#28267) Related to: https://github.com/fleetdm/fleet/issues/26270 Changes: - Added a new database model: `AndroidEnterprise` - Added one new website dependency: `[email protected]` - Added `android-proxy/create-android-signup-url`: an endpoint that returns a signup url used to grant access to Fleet's Android MDM integration. - Added `android-proxy/create-android-enterprise`: An endpoint that creates an Android enterprise for a Fleet server - Added `android-proxy/create-android-enrollment-token`: An endpoint that returns an enrollment token for an Android enterprise - Added `android-proxy/modify-android-policies`: An endpoint used to update policies of an Android enterprise - Added `android-proxy/delete-one-android-enterprise`: an endpoint that deletes an Android enterprise --------- Co-authored-by: Victor Lyuboslavsky <[email protected]> 2025-06-12 18:23:49 +00:00			`// Update the policy for this Android enterprise.`
			`// Note: We're using sails.helpers.flow.build here to handle any errors that occurr using google's node library.`
			`let modifyPoliciesResponse = await sails.helpers.flow.build(async () => {`
			`let { google } = require('googleapis');`
			`let androidmanagement = google.androidmanagement('v1');`
			`let googleAuth = new google.auth.GoogleAuth({`
			`scopes: ['https://www.googleapis.com/auth/androidmanagement'],`
			`credentials: {`
			`client_email: sails.config.custom.androidEnterpriseServiceAccountEmailAddress,// eslint-disable-line camelcase`
			`private_key: sails.config.custom.androidEnterpriseServiceAccountPrivateKey,// eslint-disable-line camelcase`
			`},`
			`});`
			`// Acquire the google auth client, and bind it to all future calls`
			`let authClient = await googleAuth.getClient();`
			`google.options({ auth: authClient });`
			`// [?]: https://googleapis.dev/nodejs/googleapis/latest/androidmanagement/classes/Resource$Enterprises$Policies.html#patch`
			`let patchPoliciesResponse = await androidmanagement.enterprises.policies.patch({`
			name: `enterprises/${androidEnterpriseId}/policies/${policyId}`,
Website: Add note about using req.body in android proxy endpoints (#41186) Closes: https://github.com/fleetdm/fleet/issues/39688 Changes: - Added a note to android proxy endpoints that forward `req.body` to the Android management API. 2026-03-07 00:06:25 +00:00			`// Note: Typically, we use defined inputs instead of accessing req.body directly. We forward req.body here to prevent previously set values from being overwritten by undefined values.`
			`// This behavior should not be repeated in future Android proxy endpoints.`
Website: Add android proxy endpoints (#28267) Related to: https://github.com/fleetdm/fleet/issues/26270 Changes: - Added a new database model: `AndroidEnterprise` - Added one new website dependency: `[email protected]` - Added `android-proxy/create-android-signup-url`: an endpoint that returns a signup url used to grant access to Fleet's Android MDM integration. - Added `android-proxy/create-android-enterprise`: An endpoint that creates an Android enterprise for a Fleet server - Added `android-proxy/create-android-enrollment-token`: An endpoint that returns an enrollment token for an Android enterprise - Added `android-proxy/modify-android-policies`: An endpoint used to update policies of an Android enterprise - Added `android-proxy/delete-one-android-enterprise`: an endpoint that deletes an Android enterprise --------- Co-authored-by: Victor Lyuboslavsky <[email protected]> 2025-06-12 18:23:49 +00:00			`requestBody: this.req.body,`
Android app self service: backend support (#34711) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #34389 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests - [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [x] QA'd all new/changed functionality manually ## Database migrations - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). 2025-11-13 23:10:24 +00:00			`updateMask: this.req.param('updateMask') // Pass the update mask to avoid overwriting applications`
Website: Add android proxy endpoints (#28267) Related to: https://github.com/fleetdm/fleet/issues/26270 Changes: - Added a new database model: `AndroidEnterprise` - Added one new website dependency: `[email protected]` - Added `android-proxy/create-android-signup-url`: an endpoint that returns a signup url used to grant access to Fleet's Android MDM integration. - Added `android-proxy/create-android-enterprise`: An endpoint that creates an Android enterprise for a Fleet server - Added `android-proxy/create-android-enrollment-token`: An endpoint that returns an enrollment token for an Android enterprise - Added `android-proxy/modify-android-policies`: An endpoint used to update policies of an Android enterprise - Added `android-proxy/delete-one-android-enterprise`: an endpoint that deletes an Android enterprise --------- Co-authored-by: Victor Lyuboslavsky <[email protected]> 2025-06-12 18:23:49 +00:00			`});`
			`return patchPoliciesResponse.data;`
fail gracefully when profile is invalid (#38899) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #35211 # Checklist for submitter - [x] QA'd all new/changed functionality manually 2026-01-28 15:57:27 +00:00			`}).intercept({ status: 429 }, (err) => {`
Website: Add API rate limit alert to Android proxy endpoints (#35637) Closes: https://github.com/fleetdm/fleet/issues/34358 Changes: - Updated Android enterprise proxy endpoints to log an additional warning to alert us if we exceed the Android management API rate limit. 2025-11-12 21:37:21 +00:00			`// If the Android management API returns a 429 response, log an additional warning that will trigger a help-p1 alert.`
			sails.log.warn(`p1: Android management API rate limit exceeded!`);
			return new Error(`When attempting to update a policy for an Android enterprise (${androidEnterpriseId}), an error occurred. Error: ${err}`);
fail gracefully when profile is invalid (#38899) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #35211 # Checklist for submitter - [x] QA'd all new/changed functionality manually 2026-01-28 15:57:27 +00:00			`}).intercept({ status: 400 }, (err) => {`
			return {'invalidPolicy': `Attempted to update a policy with an invalid value for an Android enterprise (${androidEnterpriseId}): ${err}`};
Website: update android proxy error handling (#40140) Related to: https://github.com/fleetdm/fleet/issues/40127 Changes: - Updated errors logged by Android proxy endpoints to include more information about the error. - Added a `deviceNoLongerManaged` exit to the `delete-android-device` endpoint that is used when the Google API returns a "Device is no longer being managed" error. - Added a `policyNotFound` exit to the `modify-android-policies` and `modify-enterprise-app-policy` endpoints that is used when the Google API returns a 404 response - Added a `invalidPolicyName` exit to the `modify-android-device` endpoint that is used when the Google API returns an error related to the policy name sent in the request body. 2026-02-19 23:46:41 +00:00			`}).intercept({ status: 404 }, (err) => {`
			return {'policyNotFound': `Specified policy not found on this Android enterprise (${androidEnterpriseId}): ${err}`};
fail gracefully when profile is invalid (#38899) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #35211 # Checklist for submitter - [x] QA'd all new/changed functionality manually 2026-01-28 15:57:27 +00:00			`}).intercept((err) => {`
Website: update android proxy error handling (#40140) Related to: https://github.com/fleetdm/fleet/issues/40127 Changes: - Updated errors logged by Android proxy endpoints to include more information about the error. - Added a `deviceNoLongerManaged` exit to the `delete-android-device` endpoint that is used when the Google API returns a "Device is no longer being managed" error. - Added a `policyNotFound` exit to the `modify-android-policies` and `modify-enterprise-app-policy` endpoints that is used when the Google API returns a 404 response - Added a `invalidPolicyName` exit to the `modify-android-device` endpoint that is used when the Google API returns an error related to the policy name sent in the request body. 2026-02-19 23:46:41 +00:00			return new Error(`When attempting to update a policy for an Android enterprise (${androidEnterpriseId}), an error occurred. Error: ${require('util').inspect(err)}`);
Website: Add android proxy endpoints (#28267) Related to: https://github.com/fleetdm/fleet/issues/26270 Changes: - Added a new database model: `AndroidEnterprise` - Added one new website dependency: `[email protected]` - Added `android-proxy/create-android-signup-url`: an endpoint that returns a signup url used to grant access to Fleet's Android MDM integration. - Added `android-proxy/create-android-enterprise`: An endpoint that creates an Android enterprise for a Fleet server - Added `android-proxy/create-android-enrollment-token`: An endpoint that returns an enrollment token for an Android enterprise - Added `android-proxy/modify-android-policies`: An endpoint used to update policies of an Android enterprise - Added `android-proxy/delete-one-android-enterprise`: an endpoint that deletes an Android enterprise --------- Co-authored-by: Victor Lyuboslavsky <[email protected]> 2025-06-12 18:23:49 +00:00			`});`


			`// Return the modified policy back to the Fleet server.`
			`return modifyPoliciesResponse;`

			`}`


			`};`