fleet/server/service/osquery_utils/disk_encryption_helpers.go

package osquery_utils

import (
	"context"
	"log/slog"

	"github.com/fleetdm/fleet/v4/server/fleet"
)

// IsDiskEncryptionEnabledForHost checks if disk encryption is enabled for the
// host team or globally if the host is not assigned to a team.
func IsDiskEncryptionEnabledForHost(ctx context.Context, logger *slog.Logger, ds fleet.Datastore, host *fleet.Host) bool {
	// team
	if host.TeamID != nil {
		teamMDM, err := ds.TeamMDMConfig(ctx, *host.TeamID)
		if err != nil {
			logger.DebugContext(ctx, "failed to get team MDM config for disk encryption check",
				"host_id", host.ID,
				"team_id", *host.TeamID,
				"err", err,
			)
			return false
		}
		if teamMDM == nil {
			return false
		}
		return teamMDM.EnableDiskEncryption
	}

	// global
	appConfig, err := ds.AppConfig(ctx)
	if err != nil {
		logger.DebugContext(ctx, "failed to get app config for disk encryption check",
			"host_id", host.ID,
			"err", err,
		)
		return false
	}
	return appConfig.MDM.EnableDiskEncryption.Value
}
Limited disk encryption key escrowing when setting enabled (#39047) Related issue: Resolves #33296 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests - [ ] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit Bug Fixes* - Disk encryption key escrowing now only proceeds when disk encryption is explicitly enabled at the global or team level. Tests - Significantly expanded test coverage for Mobile Device Management, including VPP app handling, device enrollment workflows, host lock/wipe operations, SCEP proxy integrations, and DigiCert certificate handling. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-02-02 16:50:30 +00:00			`package osquery_utils`

			`import (`
			`"context"`
Converted osquery_utils to slog (#39883) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #38889 Plan was to convert `osquery_utils` package to slog. Picked up some additional code that was related. # Checklist for submitter - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - Already have changes ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit # Release Notes ## Refactor * Updated internal logging infrastructure to use improved system-level logging utilities ## Tests * Updated test suite to align with internal logging changes --- Note: This release contains internal infrastructure improvements with no user-facing changes or new features. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-02-16 21:43:59 +00:00			`"log/slog"`
Limited disk encryption key escrowing when setting enabled (#39047) Related issue: Resolves #33296 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests - [ ] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit Bug Fixes* - Disk encryption key escrowing now only proceeds when disk encryption is explicitly enabled at the global or team level. Tests - Significantly expanded test coverage for Mobile Device Management, including VPP app handling, device enrollment workflows, host lock/wipe operations, SCEP proxy integrations, and DigiCert certificate handling. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-02-02 16:50:30 +00:00
			`"github.com/fleetdm/fleet/v4/server/fleet"`
			`)`

			`// IsDiskEncryptionEnabledForHost checks if disk encryption is enabled for the`
			`// host team or globally if the host is not assigned to a team.`
Converted osquery_utils to slog (#39883) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #38889 Plan was to convert `osquery_utils` package to slog. Picked up some additional code that was related. # Checklist for submitter - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - Already have changes ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit # Release Notes ## Refactor * Updated internal logging infrastructure to use improved system-level logging utilities ## Tests * Updated test suite to align with internal logging changes --- Note: This release contains internal infrastructure improvements with no user-facing changes or new features. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-02-16 21:43:59 +00:00			`func IsDiskEncryptionEnabledForHost(ctx context.Context, logger slog.Logger, ds fleet.Datastore, host fleet.Host) bool {`
Limited disk encryption key escrowing when setting enabled (#39047) Related issue: Resolves #33296 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests - [ ] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit Bug Fixes* - Disk encryption key escrowing now only proceeds when disk encryption is explicitly enabled at the global or team level. Tests - Significantly expanded test coverage for Mobile Device Management, including VPP app handling, device enrollment workflows, host lock/wipe operations, SCEP proxy integrations, and DigiCert certificate handling. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-02-02 16:50:30 +00:00			`// team`
			`if host.TeamID != nil {`
			`teamMDM, err := ds.TeamMDMConfig(ctx, *host.TeamID)`
			`if err != nil {`
Converted osquery_utils to slog (#39883) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #38889 Plan was to convert `osquery_utils` package to slog. Picked up some additional code that was related. # Checklist for submitter - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - Already have changes ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit # Release Notes ## Refactor * Updated internal logging infrastructure to use improved system-level logging utilities ## Tests * Updated test suite to align with internal logging changes --- Note: This release contains internal infrastructure improvements with no user-facing changes or new features. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-02-16 21:43:59 +00:00			`logger.DebugContext(ctx, "failed to get team MDM config for disk encryption check",`
Limited disk encryption key escrowing when setting enabled (#39047) Related issue: Resolves #33296 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests - [ ] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit Bug Fixes* - Disk encryption key escrowing now only proceeds when disk encryption is explicitly enabled at the global or team level. Tests - Significantly expanded test coverage for Mobile Device Management, including VPP app handling, device enrollment workflows, host lock/wipe operations, SCEP proxy integrations, and DigiCert certificate handling. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-02-02 16:50:30 +00:00			`"host_id", host.ID,`
			`"team_id", *host.TeamID,`
			`"err", err,`
			`)`
			`return false`
			`}`
			`if teamMDM == nil {`
			`return false`
			`}`
			`return teamMDM.EnableDiskEncryption`
			`}`

			`// global`
			`appConfig, err := ds.AppConfig(ctx)`
			`if err != nil {`
Converted osquery_utils to slog (#39883) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #38889 Plan was to convert `osquery_utils` package to slog. Picked up some additional code that was related. # Checklist for submitter - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - Already have changes ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit # Release Notes ## Refactor * Updated internal logging infrastructure to use improved system-level logging utilities ## Tests * Updated test suite to align with internal logging changes --- Note: This release contains internal infrastructure improvements with no user-facing changes or new features. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-02-16 21:43:59 +00:00			`logger.DebugContext(ctx, "failed to get app config for disk encryption check",`
Limited disk encryption key escrowing when setting enabled (#39047) Related issue: Resolves #33296 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests - [ ] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit Bug Fixes* - Disk encryption key escrowing now only proceeds when disk encryption is explicitly enabled at the global or team level. Tests - Significantly expanded test coverage for Mobile Device Management, including VPP app handling, device enrollment workflows, host lock/wipe operations, SCEP proxy integrations, and DigiCert certificate handling. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-02-02 16:50:30 +00:00			`"host_id", host.ID,`
			`"err", err,`
			`)`
			`return false`
			`}`
			`return appConfig.MDM.EnableDiskEncryption.Value`
			`}`