fleet/server/service/windows_mdm_profiles_test.go

package service

import (
	"testing"

	"github.com/fleetdm/fleet/v4/server/fleet"
	"github.com/stretchr/testify/require"
)

func TestValidateWindowsProfileFleetVariablesLicense(t *testing.T) {
	t.Parallel()
	profileWithVars := `<Replace>
			<Item>
				<Target>
					<LocURI>./Device/Vendor/MSFT/Accounts/DomainName</LocURI>
				</Target>
				<Data>Host UUID: $FLEET_VAR_HOST_UUID</Data>
			</Item>
		</Replace>`

	// Test with free license
	freeLic := &fleet.LicenseInfo{Tier: fleet.TierFree}
	_, err := validateWindowsProfileFleetVariables(profileWithVars, freeLic, nil)
	require.ErrorIs(t, err, fleet.ErrMissingLicense)

	// Test with premium license
	premiumLic := &fleet.LicenseInfo{Tier: fleet.TierPremium}
	vars, err := validateWindowsProfileFleetVariables(profileWithVars, premiumLic, nil)
	require.NoError(t, err)
	require.Contains(t, vars, "HOST_UUID")

	// Test profile without variables (should work with free license)
	profileNoVars := `<Replace>
			<Item>
				<Target>
					<LocURI>./Device/Vendor/MSFT/Accounts/DomainName</LocURI>
				</Target>
				<Data>Static Value</Data>
			</Item>
		</Replace>`
	vars, err = validateWindowsProfileFleetVariables(profileNoVars, freeLic, nil)
	require.NoError(t, err)
	require.Nil(t, vars)
}

func TestValidateWindowsProfileFleetVariables(t *testing.T) {
	tests := []struct {
		name        string
		profileXML  string
		wantErr     bool
		errContains string
	}{
		{
			name: "no variables",
			profileXML: `<Replace>
				<Item>
					<Target>
						<LocURI>./Device/Vendor/MSFT/Policy/Config/System/AllowLocation</LocURI>
					</Target>
					<Data>1</Data>
				</Item>
			</Replace>`,
			wantErr: false,
		},
		{
			name: "HOST_UUID variable",
			profileXML: `<Replace>
				<Item>
					<Target>
						<LocURI>./Device/Vendor/MSFT/Policy/Config/System/AllowLocation</LocURI>
					</Target>
					<Data>$FLEET_VAR_HOST_UUID</Data>
				</Item>
			</Replace>`,
			wantErr: false,
		},
		{
			name: "HOST_UUID variable with braces",
			profileXML: `<Replace>
				<Item>
					<Target>
						<LocURI>./Device/Vendor/MSFT/Policy/Config/System/AllowLocation</LocURI>
					</Target>
					<Data>${FLEET_VAR_HOST_UUID}</Data>
				</Item>
			</Replace>`,
			wantErr: false,
		},
		{
			name: "multiple HOST_UUID variables",
			profileXML: `<Replace>
				<Item>
					<Target>
						<LocURI>./Device/Vendor/MSFT/Policy/Config/System/AllowLocation</LocURI>
					</Target>
					<Data>$FLEET_VAR_HOST_UUID-${FLEET_VAR_HOST_UUID}</Data>
				</Item>
			</Replace>`,
			wantErr: false,
		},
		{
			name: "unsupported variable",
			profileXML: `<Replace>
				<Item>
					<Target>
						<LocURI>./Device/Vendor/MSFT/Policy/Config/System/AllowLocation</LocURI>
					</Target>
					<Data>$FLEET_VAR_HOST_FAKE</Data>
				</Item>
			</Replace>`,
			wantErr:     true,
			errContains: "Fleet variable $FLEET_VAR_HOST_FAKE is not supported in Windows profiles",
		},
		{
			name: "HOST_UUID with another unsupported variable",
			profileXML: `<Replace>
				<Item>
					<Target>
						<LocURI>./Device/Vendor/MSFT/Policy/Config/System/AllowLocation</LocURI>
					</Target>
					<Data>$FLEET_VAR_HOST_UUID-$FLEET_VAR_BOGUS_VAR</Data>
				</Item>
			</Replace>`,
			wantErr:     true,
			errContains: "Fleet variable $FLEET_VAR_BOGUS_VAR is not supported in Windows profiles",
		},
		{
			name: "unknown Fleet variable",
			profileXML: `<Replace>
				<Item>
					<Target>
						<LocURI>./Device/Vendor/MSFT/Policy/Config/System/AllowLocation</LocURI>
					</Target>
					<Data>${FLEET_VAR_UNKNOWN_VAR}</Data>
				</Item>
			</Replace>`,
			wantErr:     true,
			errContains: "Fleet variable $FLEET_VAR_UNKNOWN_VAR is not supported in Windows profiles",
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// Pass a premium license for testing (we're not testing license validation here)
			premiumLic := &fleet.LicenseInfo{Tier: fleet.TierPremium}
			_, err := validateWindowsProfileFleetVariables(tt.profileXML, premiumLic, nil)
			if tt.wantErr {
				require.Error(t, err)
				if tt.errContains != "" {
					require.Contains(t, err.Error(), tt.errContains)
				}
			} else {
				require.NoError(t, err)
			}
		})
	}
}
DCSW: Validate both CA variables are present and from the same CA (#35012) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #34973 # Checklist for submitter If some of the following don't apply, delete the relevant line. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually 2025-11-05 11:36:48 +00:00			`package service`

			`import (`
			`"testing"`

			`"github.com/fleetdm/fleet/v4/server/fleet"`
			`"github.com/stretchr/testify/require"`
			`)`

			`func TestValidateWindowsProfileFleetVariablesLicense(t *testing.T) {`
			`t.Parallel()`
			profileWithVars := `<Replace>
			`<Item>`
			`<Target>`
			`<LocURI>./Device/Vendor/MSFT/Accounts/DomainName</LocURI>`
			`</Target>`
			`<Data>Host UUID: $FLEET_VAR_HOST_UUID</Data>`
			`</Item>`
			</Replace>`

			`// Test with free license`
			`freeLic := &fleet.LicenseInfo{Tier: fleet.TierFree}`
			`_, err := validateWindowsProfileFleetVariables(profileWithVars, freeLic, nil)`
			`require.ErrorIs(t, err, fleet.ErrMissingLicense)`

			`// Test with premium license`
			`premiumLic := &fleet.LicenseInfo{Tier: fleet.TierPremium}`
			`vars, err := validateWindowsProfileFleetVariables(profileWithVars, premiumLic, nil)`
			`require.NoError(t, err)`
			`require.Contains(t, vars, "HOST_UUID")`

			`// Test profile without variables (should work with free license)`
			profileNoVars := `<Replace>
			`<Item>`
			`<Target>`
			`<LocURI>./Device/Vendor/MSFT/Accounts/DomainName</LocURI>`
			`</Target>`
			`<Data>Static Value</Data>`
			`</Item>`
			</Replace>`
			`vars, err = validateWindowsProfileFleetVariables(profileNoVars, freeLic, nil)`
			`require.NoError(t, err)`
			`require.Nil(t, vars)`
			`}`

			`func TestValidateWindowsProfileFleetVariables(t *testing.T) {`
			`tests := []struct {`
			`name string`
			`profileXML string`
			`wantErr bool`
			`errContains string`
			`}{`
			`{`
			`name: "no variables",`
			profileXML: `<Replace>
			`<Item>`
			`<Target>`
			`<LocURI>./Device/Vendor/MSFT/Policy/Config/System/AllowLocation</LocURI>`
			`</Target>`
			`<Data>1</Data>`
			`</Item>`
			</Replace>`,
			`wantErr: false,`
			`},`
			`{`
			`name: "HOST_UUID variable",`
			profileXML: `<Replace>
			`<Item>`
			`<Target>`
			`<LocURI>./Device/Vendor/MSFT/Policy/Config/System/AllowLocation</LocURI>`
			`</Target>`
			`<Data>$FLEET_VAR_HOST_UUID</Data>`
			`</Item>`
			</Replace>`,
			`wantErr: false,`
			`},`
			`{`
			`name: "HOST_UUID variable with braces",`
			profileXML: `<Replace>
			`<Item>`
			`<Target>`
			`<LocURI>./Device/Vendor/MSFT/Policy/Config/System/AllowLocation</LocURI>`
			`</Target>`
			`<Data>${FLEET_VAR_HOST_UUID}</Data>`
			`</Item>`
			</Replace>`,
			`wantErr: false,`
			`},`
			`{`
			`name: "multiple HOST_UUID variables",`
			profileXML: `<Replace>
			`<Item>`
			`<Target>`
			`<LocURI>./Device/Vendor/MSFT/Policy/Config/System/AllowLocation</LocURI>`
			`</Target>`
			`<Data>$FLEET_VAR_HOST_UUID-${FLEET_VAR_HOST_UUID}</Data>`
			`</Item>`
			</Replace>`,
			`wantErr: false,`
			`},`
			`{`
			`name: "unsupported variable",`
			profileXML: `<Replace>
			`<Item>`
			`<Target>`
			`<LocURI>./Device/Vendor/MSFT/Policy/Config/System/AllowLocation</LocURI>`
			`</Target>`
Add support for $FLEET_VAR_HOST_HARDWARE_SERIAL in Windows profiles, $FLEET_VAR_HOST_PLATFORM in Windows/Apple profiles (#35812) Fixes #34364, #34716. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests - [ ] QA'd all new/changed functionality manually --------- Co-authored-by: Magnus Jensen <magnus@fleetdm.com> 2025-11-24 16:18:47 +00:00			`<Data>$FLEET_VAR_HOST_FAKE</Data>`
DCSW: Validate both CA variables are present and from the same CA (#35012) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #34973 # Checklist for submitter If some of the following don't apply, delete the relevant line. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually 2025-11-05 11:36:48 +00:00			`</Item>`
			</Replace>`,
			`wantErr: true,`
Add support for $FLEET_VAR_HOST_HARDWARE_SERIAL in Windows profiles, $FLEET_VAR_HOST_PLATFORM in Windows/Apple profiles (#35812) Fixes #34364, #34716. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests - [ ] QA'd all new/changed functionality manually --------- Co-authored-by: Magnus Jensen <magnus@fleetdm.com> 2025-11-24 16:18:47 +00:00			`errContains: "Fleet variable $FLEET_VAR_HOST_FAKE is not supported in Windows profiles",`
DCSW: Validate both CA variables are present and from the same CA (#35012) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #34973 # Checklist for submitter If some of the following don't apply, delete the relevant line. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually 2025-11-05 11:36:48 +00:00			`},`
			`{`
			`name: "HOST_UUID with another unsupported variable",`
			profileXML: `<Replace>
			`<Item>`
			`<Target>`
			`<LocURI>./Device/Vendor/MSFT/Policy/Config/System/AllowLocation</LocURI>`
			`</Target>`
			`<Data>$FLEET_VAR_HOST_UUID-$FLEET_VAR_BOGUS_VAR</Data>`
			`</Item>`
			</Replace>`,
			`wantErr: true,`
			`errContains: "Fleet variable $FLEET_VAR_BOGUS_VAR is not supported in Windows profiles",`
			`},`
			`{`
			`name: "unknown Fleet variable",`
			profileXML: `<Replace>
			`<Item>`
			`<Target>`
			`<LocURI>./Device/Vendor/MSFT/Policy/Config/System/AllowLocation</LocURI>`
			`</Target>`
			`<Data>${FLEET_VAR_UNKNOWN_VAR}</Data>`
			`</Item>`
			</Replace>`,
			`wantErr: true,`
			`errContains: "Fleet variable $FLEET_VAR_UNKNOWN_VAR is not supported in Windows profiles",`
			`},`
			`}`

			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`// Pass a premium license for testing (we're not testing license validation here)`
			`premiumLic := &fleet.LicenseInfo{Tier: fleet.TierPremium}`
			`_, err := validateWindowsProfileFleetVariables(tt.profileXML, premiumLic, nil)`
			`if tt.wantErr {`
			`require.Error(t, err)`
			`if tt.errContains != "" {`
			`require.Contains(t, err.Error(), tt.errContains)`
			`}`
			`} else {`
			`require.NoError(t, err)`
			`}`
			`})`
			`}`
			`}`