Update error message when clearing End Users settings while EUA is enabled (#41243)

<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #40790

Updates the error message returned when EUA is still enabled in at least
one team and the user attempts to clear the End users settings in Settings
> Integrations > SSO.

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [x] Added/updated automated tests

- [x] QA'd all new/changed functionality manually



https://github.com/user-attachments/assets/492fed92-019e-4c2a-ab09-98841bb45da4

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Nico 2026-03-10 13:20:43 -03:00 committed by GitHub
parent 72d273b91d
commit 4570f758f0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 114 additions and 10 deletions


@ -0,0 +1 @@
* Fixed inaccurate error message when clearing identity provider settings while end user authentication is enabled.


@ -3591,6 +3591,10 @@ func TestGitOpsMDMAuthSettings(t *testing.T) {
return nil
}
ds.TeamIDsWithSetupExperienceIdPEnabledFunc = func(ctx context.Context) ([]uint, error) {
return nil, nil
}
// Do a GitOps run with no mdm end user auth settings.
_, err := RunAppNoChecks([]string{"gitops", "-f", globalFileBasic.Name()})
require.NoError(t, err)
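Review bot: The new `TeamIDsWithSetupExperienceIdPEnabledFunc` mock returns `nil, nil`, so this gitops run only exercises the branch in which no team has EUA enabled; from this hunk alone it is not clear that a case returning a non-zero team ID (which should surface the `end_user_authentication` validation error on the clear-IdP path) exists elsewhere in the test. If it does not, a second run with the mock returning `[]uint{<team id>}` and an assertion on the returned error would pin the new path. TestGitOpsMDMAuthSettings starts and ends outside the hunk.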


@ -1522,13 +1522,31 @@ func (svc *Service) validateMDM(
}
// MacOSSetup validation
if mdm.MacOSSetup.EnableEndUserAuthentication {
if mdm.EndUserAuthentication.IsEmpty() {
// TODO: update this error message to include steps to resolve the issue once docs for IdP
// config are available
invalid.Append("macos_setup.enable_end_user_authentication",
`Couldn't enable macos_setup.enable_end_user_authentication because no IdP is configured for MDM features.`)
if mdm.EndUserAuthentication.IsEmpty() && !oldMdm.EndUserAuthentication.IsEmpty() {
// IdP is being cleared: block if global EUA will still be enabled after this update
// (mdm.MacOSSetup.EnableEndUserAuthentication reflects the incoming request's value),
// or if any team has EUA enabled. We only look at non-zero team IDs since global (id=0)
// is covered by the incoming request value.
teamIDs, err := svc.ds.TeamIDsWithSetupExperienceIdPEnabled(ctx)
if err != nil {
return ctxerr.Wrap(ctx, err, "checking teams with EUA enabled")
}
anyTeamEUAEnabled := false
for _, id := range teamIDs {
if id != 0 {
anyTeamEUAEnabled = true
break
}
}
if anyTeamEUAEnabled || mdm.MacOSSetup.EnableEndUserAuthentication {
invalid.Append("end_user_authentication",
`End user authentication is enabled. Please disable end user authentication in Controls > Setup experience and try again`)
}
} else if mdm.MacOSSetup.EnableEndUserAuthentication && mdm.EndUserAuthentication.IsEmpty() {
// TODO: update this error message to include steps to resolve the issue once docs for IdP
// config are available
invalid.Append("macos_setup.enable_end_user_authentication",
`Couldn't enable macos_setup.enable_end_user_authentication because no IdP is configured for MDM features.`)
}
if mdm.MacOSSetup.LockEndUserInfo.Value && !mdm.MacOSSetup.EnableEndUserAuthentication {
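Review bot: The `end_user_authentication` error tells the admin to disable EUA in Controls > Setup experience, but when it fires because of `anyTeamEUAEnabled` it does not say which team(s) still have it on, even though `teamIDs` is already in hand; including them, e.g. `fmt.Sprintf("End user authentication is enabled on team(s) %v. Please disable end user authentication in Controls > Setup experience and try again", teamIDs)`, would make the message actionable (the integration test asserts the exact string, so it would need the same update). The seven-line scan that sets `anyTeamEUAEnabled` reduces to `anyTeamEUAEnabled := slices.ContainsFunc(teamIDs, func(id uint) bool { return id != 0 })` if the module's Go version permits the `slices` package. The comment above the lookup explains the non-zero filter well; a short addition such as `// The DB lookup only runs on the clear-IdP path, so ordinary config updates pay no extra query.` would help the next reader. validateMDM's signature and the rest of its body lie outside the hunk.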


@ -5193,6 +5193,8 @@ func (s *integrationMDMTestSuite) TestMDMMacOSSetup() {
t.Run("ValidateEnableEndUserAuthentication", func(t *testing.T) {
// ensure the test is setup correctly
var acResp appConfigResponse
var errResp validationErrResp
var teamResp teamResponse
s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
"mdm": {
"end_user_authentication": {
@ -5207,7 +5209,30 @@ func (s *integrationMDMTestSuite) TestMDMMacOSSetup() {
}`), http.StatusOK, &acResp)
require.NotEmpty(t, acResp.MDM.EndUserAuthentication)
// ok to disable end user authentication without a configured IdP
// can't clear IdP settings while end user authentication is enabled (global)
errResp = validationErrResp{}
s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
"mdm": {
"end_user_authentication": {
"entity_id": "",
"idp_name": "",
"metadata_url": ""
}
}
}`), http.StatusUnprocessableEntity, &errResp)
require.Len(t, errResp.Errors, 1)
require.Equal(t, errResp.Errors[0].Reason, "End user authentication is enabled. Please disable end user authentication in Controls > Setup experience and try again")
// disable end user authentication before clearing IdP settings
acResp = appConfigResponse{}
s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
"mdm": {
"macos_setup": {
"enable_end_user_authentication": false
}
}
}`), http.StatusOK, &acResp)
require.Equal(t, acResp.MDM.MacOSSetup.EnableEndUserAuthentication, false)
acResp = appConfigResponse{}
s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
"mdm": {
@ -5215,13 +5240,70 @@ func (s *integrationMDMTestSuite) TestMDMMacOSSetup() {
"entity_id": "",
"idp_name": "",
"metadata_url": ""
},
}
}
}`), http.StatusOK, &acResp)
require.True(t, acResp.MDM.EndUserAuthentication.IsEmpty())
// can't clear IdP settings while end user authentication is enabled on a team
// 1. configure IdP globally
acResp = appConfigResponse{}
s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
"mdm": {
"end_user_authentication": {
"entity_id": "https://localhost:8080",
"idp_name": "SimpleSAML",
"metadata_url": "http://localhost:9080/simplesaml/saml2/idp/metadata.php"
}
}
}`), http.StatusOK, &acResp)
require.NotEmpty(t, acResp.MDM.EndUserAuthentication)
require.False(t, acResp.MDM.MacOSSetup.EnableEndUserAuthentication)
// 2. enable EUA on a team
s.DoJSON("PATCH", fmt.Sprintf("/api/latest/fleet/teams/%d", tm.ID), json.RawMessage(fmt.Sprintf(`{
"name": %q,
"mdm": {
"macos_setup": {
"enable_end_user_authentication": true
}
}
}`, tm.Name)), http.StatusOK, &teamResp)
require.True(t, teamResp.Team.Config.MDM.MacOSSetup.EnableEndUserAuthentication)
// 3. clearing IdP while team EUA is enabled should fail
errResp = validationErrResp{}
s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
"mdm": {
"end_user_authentication": {
"entity_id": "",
"idp_name": "",
"metadata_url": ""
}
}
}`), http.StatusUnprocessableEntity, &errResp)
require.Len(t, errResp.Errors, 1)
require.Equal(t, errResp.Errors[0].Reason, "End user authentication is enabled. Please disable end user authentication in Controls > Setup experience and try again")
// 4. disable team EUA, then clear IdP
s.DoJSON("PATCH", fmt.Sprintf("/api/latest/fleet/teams/%d", tm.ID), json.RawMessage(fmt.Sprintf(`{
"name": %q,
"mdm": {
"macos_setup": {
"enable_end_user_authentication": false
}
}
}`, tm.Name)), http.StatusOK, &teamResp)
acResp = appConfigResponse{}
s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
"mdm": {
"end_user_authentication": {
"entity_id": "",
"idp_name": "",
"metadata_url": ""
}
}
}`), http.StatusOK, &acResp)
require.Equal(t, acResp.MDM.MacOSSetup.EnableEndUserAuthentication, false)
require.True(t, acResp.MDM.EndUserAuthentication.IsEmpty())
// can't enable end user authentication without a configured IdP
@ -5243,7 +5325,6 @@ func (s *integrationMDMTestSuite) TestMDMMacOSSetup() {
fleet.MDMAppleSetupPayload{TeamID: ptr.Uint(0), EnableEndUserAuthentication: ptr.Bool(true)}, http.StatusUnprocessableEntity)
// can't enable end user authentication on team config without a configured IdP already on app config
var teamResp teamResponse
s.DoJSON("PATCH", fmt.Sprintf("/api/latest/fleet/teams/%d", tm.ID), json.RawMessage(fmt.Sprintf(`{
"name": %q,
"mdm": {