Merge branch 'feat-save-certs' into post-apns-cert

Jahziel Villasana-Espinoza 2024-05-24 14:43:17 -04:00
commit 333e733ab3
3 changed files with 17 additions and 4 deletions


@ -173,12 +173,12 @@ func GetSignedAPNSCSRNoEmail(client *http.Client, csr *x509.CertificateRequest)
req, err := http.NewRequest(http.MethodPost, u, bytes.NewReader(b))
if err != nil {
return nil, err
return nil, fmt.Errorf("creating csr signing request for fleetdm api: %w", err)
}
resp, err := client.Do(req)
if err != nil {
return nil, err
return nil, fmt.Errorf("sending csr signing request to fleetdm api: %w", err)
}
defer resp.Body.Close()
@ -189,7 +189,7 @@ func GetSignedAPNSCSRNoEmail(client *http.Client, csr *x509.CertificateRequest)
var csrResp WebsiteResponse
if err := json.Unmarshal(respBytes, &csrResp); err != nil {
return nil, err
return nil, fmt.Errorf("unmarshalling signed csr response from fleetdm api: %w", err)
}
return csrResp.CSR, nil
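Review bot: At `return csrResp.CSR, nil` in the second hunk, nothing visible checks that the decoded response actually carries a signed CSR. A body that is valid JSON but lacks the field (for example an error payload) would come back as an empty value with a nil error. The lines between the two hunks are not shown, so a status-code check may already exist there; if it does not, reject non-2xx responses before unmarshalling. A guard such as `if len(csrResp.CSR) == 0 { return nil, fmt.Errorf("fleetdm api returned an empty signed csr") }` would cover the empty case, assuming the field is a byte slice. The body of GetSignedAPNSCSRNoEmail starts before the first hunk and is only partly visible.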


@ -2137,7 +2137,7 @@ func getMDMAppleCSREndpoint(ctx context.Context, request interface{}, svc fleet.
func (svc *Service) GetMDMAppleCSR(ctx context.Context) ([]byte, error) {
if err := svc.authz.Authorize(ctx, &fleet.AppleCSR{}, fleet.ActionWrite); err != nil {
return nil, ctxerr.Wrap(ctx, err)
return nil, err
}
vc, ok := viewer.FromContext(ctx)
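Review bot: The authorization failure in GetMDMAppleCSR is printed both as `return nil, ctxerr.Wrap(ctx, err)` and as a bare `return nil, err`, and nothing on the line says why the form changed. Assuming the bare return is the new side, as the print order of the other sections on this page suggests, a short comment would keep a later cleanup from re-wrapping it, e.g. `// return the authorization error as-is; do not wrap`. Whether callers or tests depend on the unwrapped form is not visible here, so confirm the reason before wording the comment. The method body continues past the hunk.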


@ -60,6 +60,16 @@ func TestMDMAppleAuthorization(t *testing.T) {
license := &fleet.LicenseInfo{Tier: fleet.TierPremium}
svc, ctx := newTestService(t, ds, nil, nil, &TestServerOpts{License: license, SkipCreateTestUsers: true})
ds.GetMDMConfigAssetsByNameFunc = func(ctx context.Context, assetNames []fleet.MDMAssetName) ([]fleet.MDMConfigAsset, error) {
return []fleet.MDMConfigAsset{}, nil
}
ds.InsertMDMConfigAssetsFunc = func(ctx context.Context, assets []fleet.MDMConfigAsset) error { return nil }
ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
return &fleet.AppConfig{OrgInfo: fleet.OrgInfo{OrgName: "Nurv"}}, nil
}
// use a custom implementation of checkAuthErr as the service call will fail
// with a not found error (given that MDM is not really configured) in case
// of success, and the package-wide checkAuthErr requires no error.
@ -82,6 +92,9 @@ func TestMDMAppleAuthorization(t *testing.T) {
_, err = svc.RequestMDMAppleCSR(ctx, "not-an-email", "")
require.Error(t, err) // it *will* always fail, but not necessarily due to authorization
checkAuthErr(t, shouldFailWithAuth, err)
_, err = svc.GetMDMAppleCSR(ctx)
checkAuthErr(t, shouldFailWithAuth, err)
}
// Only global admins can access the endpoints.
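Review bot: The new `svc.GetMDMAppleCSR(ctx)` call is checked only with `checkAuthErr`, so for users who pass authorization the test accepts any outcome and runs whatever the method does after the authz check. If that path reaches the CSR-signing HTTP request to the fleetdm API (the method body is not shown on this page), the test would depend on outbound network access and contact a real service from CI. Pointing the client at an `httptest.Server`, or injecting the signer, would keep it hermetic. Unlike the `RequestMDMAppleCSR` line above it, the call also has no comment on the expected result, e.g. `// may succeed or fail for authorized users; only the authz outcome is asserted`. TestMDMAppleAuthorization starts before and continues after these hunks.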