From 2081300c48673665722103e0bd2a4afe391d2a2b Mon Sep 17 00:00:00 2001
From: Juan Fernandez <juan-fdz-hawa@users.noreply.github.com>
Date: Tue, 9 Sep 2025 15:22:21 -0400
Subject: [PATCH] Orbit shell no longer ignores disable-updates (#32698)

For #32514

Fixed issue that caused orbit shell to ignore the 'disable-updates' flag.
---
 ...32514-orbit-shell-ignores-updates-disabled |  1 +
 orbit/cmd/orbit/shell.go                      | 39 ++++++++++++++-----
 orbit/cmd/orbit/shell_test.go                 | 30 +++++++++++++-
 3 files changed, 58 insertions(+), 12 deletions(-)
 create mode 100644 orbit/changes/32514-orbit-shell-ignores-updates-disabled

diff --git a/orbit/changes/32514-orbit-shell-ignores-updates-disabled b/orbit/changes/32514-orbit-shell-ignores-updates-disabled
new file mode 100644
index 0000000000..2888e3eb60
--- /dev/null
+++ b/orbit/changes/32514-orbit-shell-ignores-updates-disabled
@@ -0,0 +1 @@
+* Fixed issue with `orbit shell` ignoring disable updates flag.
\ No newline at end of file
diff --git a/orbit/cmd/orbit/shell.go b/orbit/cmd/orbit/shell.go
index 56bb10e274..c59764cafd 100644
--- a/orbit/cmd/orbit/shell.go
+++ b/orbit/cmd/orbit/shell.go
@@ -3,13 +3,14 @@ package main
 import (
 	"context"
 	"fmt"
-	"github.com/fleetdm/fleet/v4/pkg/certificate"
-	"github.com/fleetdm/fleet/v4/pkg/file"
 	"os"
 	"path/filepath"
 	"runtime"
 	"strings"
 
+	"github.com/fleetdm/fleet/v4/pkg/certificate"
+	"github.com/fleetdm/fleet/v4/pkg/file"
+
 	"github.com/fleetdm/fleet/v4/orbit/pkg/constant"
 	"github.com/fleetdm/fleet/v4/orbit/pkg/osquery"
 	"github.com/fleetdm/fleet/v4/orbit/pkg/update"
@@ -70,18 +71,28 @@ var shellCommand = &cli.Command{
 		opt.LocalStore = localStore
 		opt.InsecureTransport = c.Bool("insecure")
 
-		updater, err := update.NewUpdater(opt)
+		disableUpdates := c.Bool("disable-updates")
+		updater, err := getUpdater(disableUpdates, opt)
 		if err != nil {
 			return err
 		}
-		if err := updater.UpdateMetadata(); err != nil {
-			log.Info().Err(err).Msg("failed to update metadata. using saved metadata.")
+
+		var osquerydPath string
+		if !disableUpdates {
+			if err := updater.UpdateMetadata(); err != nil {
+				log.Info().Err(err).Msg("failed to update metadata. using saved metadata.")
+			}
+			osquerydLocalTarget, err := updater.Get(constant.OsqueryTUFTargetName)
+			if err != nil {
+				return err
+			}
+			osquerydPath = osquerydLocalTarget.ExecPath
+		} else {
+			osquerydPath, err = updater.ExecutableLocalPath(constant.OsqueryTUFTargetName)
+			if err != nil {
+				log.Fatal().Err(err).Msgf("locate %s", constant.OsqueryTUFTargetName)
+			}
 		}
-		osquerydLocalTarget, err := updater.Get(constant.OsqueryTUFTargetName)
-		if err != nil {
-			return err
-		}
-		osquerydPath := osquerydLocalTarget.ExecPath
 
 		var g run.Group
 
@@ -177,3 +188,11 @@ func getCertPath(rootDir, fleetCertPath string) (string, error) {
 
 	return certPath, nil
 }
+
+func getUpdater(disableUpdates bool, opt update.Options) (*update.Updater, error) {
+	if disableUpdates {
+		log.Info().Msg("running with auto updates disabled")
+		return update.NewDisabled(opt), nil
+	}
+	return update.NewUpdater(opt)
+}
diff --git a/orbit/cmd/orbit/shell_test.go b/orbit/cmd/orbit/shell_test.go
index 0710ff595c..55fb4af82b 100644
--- a/orbit/cmd/orbit/shell_test.go
+++ b/orbit/cmd/orbit/shell_test.go
@@ -6,6 +6,7 @@ import (
 	"path/filepath"
 	"testing"
 
+	"github.com/fleetdm/fleet/v4/orbit/pkg/update"
 	"github.com/stretchr/testify/require"
 )
 
@@ -23,7 +24,7 @@ func TestGetCertPath(t *testing.T) {
 	invalidCertPath := filepath.Join(invalidRoot, "invalid_cert.pem")
 	require.NoError(t, os.WriteFile(invalidCertPath, []byte(`INVALID_CERT_CONTENT`), 0644))
 
-	tests := []struct {
+	cases := []struct {
 		name         string
 		rootDir      string
 		fleetCert    string
@@ -65,7 +66,7 @@ func TestGetCertPath(t *testing.T) {
 		},
 	}
 
-	for _, tt := range tests {
+	for _, tt := range cases {
 		t.Run(tt.name, func(t *testing.T) {
 			path, err := getCertPath(tt.rootDir, tt.fleetCert)
 
@@ -79,3 +80,28 @@ func TestGetCertPath(t *testing.T) {
 		})
 	}
 }
+
+func TestGetUpdater(t *testing.T) {
+	cases := []struct {
+		name           string
+		disableUpdates bool
+		expectDisabled bool
+	}{
+		{"updates enabled", false, false},
+		{"updates disabled", true, true},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			updater, err := getUpdater(c.disableUpdates, update.Options{})
+			// A 'disabled' updater should never fail, even with invalid options.
+			if c.expectDisabled {
+				require.NoError(t, err)
+				require.NotNil(t, updater)
+			} else {
+				require.Error(t, err)
+				require.Nil(t, updater)
+			}
+		})
+	}
+}