fleet/server/service/osquery_utils/disk_encryption_helpers_test.go

package osquery_utils

import (
	"context"
	"log/slog"
	"testing"

	"github.com/fleetdm/fleet/v4/pkg/optjson"
	"github.com/fleetdm/fleet/v4/server/fleet"
	"github.com/fleetdm/fleet/v4/server/mock"
	"github.com/fleetdm/fleet/v4/server/ptr"
	"github.com/stretchr/testify/require"
)

func TestIsDiskEncryptionEnabledForHost(t *testing.T) {
	ctx := context.Background()
	logger := slog.New(slog.DiscardHandler)

	t.Run("team has disk encryption enabled", func(t *testing.T) {
		ds := new(mock.Store)
		host := &fleet.Host{ID: 1, TeamID: ptr.Uint(1)}

		ds.TeamMDMConfigFunc = func(ctx context.Context, teamID uint) (*fleet.TeamMDM, error) {
			require.Equal(t, uint(1), teamID)
			return &fleet.TeamMDM{
				EnableDiskEncryption: true,
			}, nil
		}

		result := IsDiskEncryptionEnabledForHost(ctx, logger, ds, host)
		require.True(t, result)
		require.True(t, ds.TeamMDMConfigFuncInvoked)
	})

	t.Run("team has disk encryption disabled", func(t *testing.T) {
		ds := new(mock.Store)
		host := &fleet.Host{ID: 1, TeamID: ptr.Uint(1)}

		ds.TeamMDMConfigFunc = func(ctx context.Context, teamID uint) (*fleet.TeamMDM, error) {
			return &fleet.TeamMDM{
				EnableDiskEncryption: false,
			}, nil
		}

		result := IsDiskEncryptionEnabledForHost(ctx, logger, ds, host)
		require.False(t, result)
		require.True(t, ds.TeamMDMConfigFuncInvoked)
	})

	t.Run("team has disk encryption disabled even when global is enabled", func(t *testing.T) {
		ds := new(mock.Store)
		host := &fleet.Host{ID: 1, TeamID: ptr.Uint(1)}

		ds.TeamMDMConfigFunc = func(ctx context.Context, teamID uint) (*fleet.TeamMDM, error) {
			return &fleet.TeamMDM{
				EnableDiskEncryption: false,
			}, nil
		}

		ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
			require.Fail(t, "AppConfig should not be called when host has a team")
			return &fleet.AppConfig{
				MDM: fleet.MDM{
					EnableDiskEncryption: optjson.SetBool(true),
				},
			}, nil
		}

		result := IsDiskEncryptionEnabledForHost(ctx, logger, ds, host)
		require.False(t, result, "Team setting should take precedence over global setting")
		require.True(t, ds.TeamMDMConfigFuncInvoked)
		require.False(t, ds.AppConfigFuncInvoked, "Global config should not be checked when host is on a team")
	})

	t.Run("global disk encryption enabled (no team)", func(t *testing.T) {
		ds := new(mock.Store)
		host := &fleet.Host{ID: 1, TeamID: nil}

		ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
			return &fleet.AppConfig{
				MDM: fleet.MDM{
					EnableDiskEncryption: optjson.SetBool(true),
				},
			}, nil
		}

		result := IsDiskEncryptionEnabledForHost(ctx, logger, ds, host)
		require.True(t, result)
		require.True(t, ds.AppConfigFuncInvoked)
	})

	t.Run("global disk encryption disabled (no team)", func(t *testing.T) {
		ds := new(mock.Store)
		host := &fleet.Host{ID: 1, TeamID: nil}

		ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
			return &fleet.AppConfig{
				MDM: fleet.MDM{
					EnableDiskEncryption: optjson.SetBool(false),
				},
			}, nil
		}

		result := IsDiskEncryptionEnabledForHost(ctx, logger, ds, host)
		require.False(t, result)
		require.True(t, ds.AppConfigFuncInvoked)
	})

	t.Run("error getting team config returns false", func(t *testing.T) {
		ds := new(mock.Store)
		host := &fleet.Host{ID: 1, TeamID: ptr.Uint(1)}

		ds.TeamMDMConfigFunc = func(ctx context.Context, teamID uint) (*fleet.TeamMDM, error) {
			return nil, &fleet.Error{Message: "db error"}
		}

		result := IsDiskEncryptionEnabledForHost(ctx, logger, ds, host)
		require.False(t, result)
	})
}
Limited disk encryption key escrowing when setting enabled (#39047) Related issue: Resolves #33296 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests - [ ] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit Bug Fixes* - Disk encryption key escrowing now only proceeds when disk encryption is explicitly enabled at the global or team level. Tests - Significantly expanded test coverage for Mobile Device Management, including VPP app handling, device enrollment workflows, host lock/wipe operations, SCEP proxy integrations, and DigiCert certificate handling. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-02-02 16:50:30 +00:00			`package osquery_utils`

			`import (`
			`"context"`
Converted osquery_utils to slog (#39883) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #38889 Plan was to convert `osquery_utils` package to slog. Picked up some additional code that was related. # Checklist for submitter - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - Already have changes ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit # Release Notes ## Refactor * Updated internal logging infrastructure to use improved system-level logging utilities ## Tests * Updated test suite to align with internal logging changes --- Note: This release contains internal infrastructure improvements with no user-facing changes or new features. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-02-16 21:43:59 +00:00			`"log/slog"`
Limited disk encryption key escrowing when setting enabled (#39047) Related issue: Resolves #33296 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests - [ ] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit Bug Fixes* - Disk encryption key escrowing now only proceeds when disk encryption is explicitly enabled at the global or team level. Tests - Significantly expanded test coverage for Mobile Device Management, including VPP app handling, device enrollment workflows, host lock/wipe operations, SCEP proxy integrations, and DigiCert certificate handling. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-02-02 16:50:30 +00:00			`"testing"`

			`"github.com/fleetdm/fleet/v4/pkg/optjson"`
			`"github.com/fleetdm/fleet/v4/server/fleet"`
			`"github.com/fleetdm/fleet/v4/server/mock"`
			`"github.com/fleetdm/fleet/v4/server/ptr"`
			`"github.com/stretchr/testify/require"`
			`)`

			`func TestIsDiskEncryptionEnabledForHost(t *testing.T) {`
			`ctx := context.Background()`
Converted osquery_utils to slog (#39883) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #38889 Plan was to convert `osquery_utils` package to slog. Picked up some additional code that was related. # Checklist for submitter - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - Already have changes ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit # Release Notes ## Refactor * Updated internal logging infrastructure to use improved system-level logging utilities ## Tests * Updated test suite to align with internal logging changes --- Note: This release contains internal infrastructure improvements with no user-facing changes or new features. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-02-16 21:43:59 +00:00			`logger := slog.New(slog.DiscardHandler)`
Limited disk encryption key escrowing when setting enabled (#39047) Related issue: Resolves #33296 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests - [ ] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit Bug Fixes* - Disk encryption key escrowing now only proceeds when disk encryption is explicitly enabled at the global or team level. Tests - Significantly expanded test coverage for Mobile Device Management, including VPP app handling, device enrollment workflows, host lock/wipe operations, SCEP proxy integrations, and DigiCert certificate handling. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-02-02 16:50:30 +00:00
			`t.Run("team has disk encryption enabled", func(t *testing.T) {`
			`ds := new(mock.Store)`
			`host := &fleet.Host{ID: 1, TeamID: ptr.Uint(1)}`

			`ds.TeamMDMConfigFunc = func(ctx context.Context, teamID uint) (*fleet.TeamMDM, error) {`
			`require.Equal(t, uint(1), teamID)`
			`return &fleet.TeamMDM{`
			`EnableDiskEncryption: true,`
			`}, nil`
			`}`

			`result := IsDiskEncryptionEnabledForHost(ctx, logger, ds, host)`
			`require.True(t, result)`
			`require.True(t, ds.TeamMDMConfigFuncInvoked)`
			`})`

			`t.Run("team has disk encryption disabled", func(t *testing.T) {`
			`ds := new(mock.Store)`
			`host := &fleet.Host{ID: 1, TeamID: ptr.Uint(1)}`

			`ds.TeamMDMConfigFunc = func(ctx context.Context, teamID uint) (*fleet.TeamMDM, error) {`
			`return &fleet.TeamMDM{`
			`EnableDiskEncryption: false,`
			`}, nil`
			`}`

			`result := IsDiskEncryptionEnabledForHost(ctx, logger, ds, host)`
			`require.False(t, result)`
			`require.True(t, ds.TeamMDMConfigFuncInvoked)`
			`})`

			`t.Run("team has disk encryption disabled even when global is enabled", func(t *testing.T) {`
			`ds := new(mock.Store)`
			`host := &fleet.Host{ID: 1, TeamID: ptr.Uint(1)}`

			`ds.TeamMDMConfigFunc = func(ctx context.Context, teamID uint) (*fleet.TeamMDM, error) {`
			`return &fleet.TeamMDM{`
			`EnableDiskEncryption: false,`
			`}, nil`
			`}`

			`ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {`
			`require.Fail(t, "AppConfig should not be called when host has a team")`
			`return &fleet.AppConfig{`
			`MDM: fleet.MDM{`
			`EnableDiskEncryption: optjson.SetBool(true),`
			`},`
			`}, nil`
			`}`

			`result := IsDiskEncryptionEnabledForHost(ctx, logger, ds, host)`
			`require.False(t, result, "Team setting should take precedence over global setting")`
			`require.True(t, ds.TeamMDMConfigFuncInvoked)`
			`require.False(t, ds.AppConfigFuncInvoked, "Global config should not be checked when host is on a team")`
			`})`

			`t.Run("global disk encryption enabled (no team)", func(t *testing.T) {`
			`ds := new(mock.Store)`
			`host := &fleet.Host{ID: 1, TeamID: nil}`

			`ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {`
			`return &fleet.AppConfig{`
			`MDM: fleet.MDM{`
			`EnableDiskEncryption: optjson.SetBool(true),`
			`},`
			`}, nil`
			`}`

			`result := IsDiskEncryptionEnabledForHost(ctx, logger, ds, host)`
			`require.True(t, result)`
			`require.True(t, ds.AppConfigFuncInvoked)`
			`})`

			`t.Run("global disk encryption disabled (no team)", func(t *testing.T) {`
			`ds := new(mock.Store)`
			`host := &fleet.Host{ID: 1, TeamID: nil}`

			`ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {`
			`return &fleet.AppConfig{`
			`MDM: fleet.MDM{`
			`EnableDiskEncryption: optjson.SetBool(false),`
			`},`
			`}, nil`
			`}`

			`result := IsDiskEncryptionEnabledForHost(ctx, logger, ds, host)`
			`require.False(t, result)`
			`require.True(t, ds.AppConfigFuncInvoked)`
			`})`

			`t.Run("error getting team config returns false", func(t *testing.T) {`
			`ds := new(mock.Store)`
			`host := &fleet.Host{ID: 1, TeamID: ptr.Uint(1)}`

			`ds.TeamMDMConfigFunc = func(ctx context.Context, teamID uint) (*fleet.TeamMDM, error) {`
			`return nil, &fleet.Error{Message: "db error"}`
			`}`

			`result := IsDiskEncryptionEnabledForHost(ctx, logger, ds, host)`
			`require.False(t, result)`
			`})`
			`}`