From 517acb4523ce2176b90324c17ad3e0ba610ffd6b Mon Sep 17 00:00:00 2001
From: Jahziel Villasana-Espinoza
Date: Fri, 24 May 2024 15:21:46 -0400
Subject: [PATCH] feat: authz tests

---
 server/service/mdm.go      | 10 +++++++---
 server/service/mdm_test.go | 10 ++++++++++
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/server/service/mdm.go b/server/service/mdm.go
index 6232b36968..be93ed1c51 100644
--- a/server/service/mdm.go
+++ b/server/service/mdm.go
@@ -2278,7 +2278,11 @@ func uploadMDMAppleAPNSCertEndpoint(ctx context.Context, request interface{}, sv
 func (svc *Service) UploadMDMAppleAPNSCert(ctx context.Context, cert io.ReadSeeker) error {
 	if err := svc.authz.Authorize(ctx, &fleet.AppleCSR{}, fleet.ActionWrite); err != nil {
-		return ctxerr.Wrap(ctx, err)
+		return err
+	}
+
+	if cert == nil {
+		return fleet.NewInvalidArgumentError("certificate", "Invalid certificate. Please provide a valid certificate from Apple Push Certificate Portal.")
 	}
 
 	// Get cert file bytes
@@ -2287,7 +2291,7 @@ func (svc *Service) UploadMDMAppleAPNSCert(ctx context.Context, cert io.ReadSeek
 		return ctxerr.Wrap(ctx, err, "reading apns certificate")
 	}
 
-	// Validate cert TODO(JVE): is there more to do here for validation?
+	// Validate cert
 	block, _ := pem.Decode(certBytes)
 	if block == nil {
 		return fleet.NewInvalidArgumentError("certificate", "Invalid certificate. Please provide a valid certificate from Apple Push Certificate Portal.")
@@ -2323,7 +2327,7 @@ func deleteMDMAppleAPNSCertEndpoint(ctx context.Context, request interface{}, sv
 func (svc *Service) DeleteMDMAppleAPNSCert(ctx context.Context) error {
 	if err := svc.authz.Authorize(ctx, &fleet.AppleCSR{}, fleet.ActionWrite); err != nil {
-		return ctxerr.Wrap(ctx, err)
+		return err
 	}
 
 	return ctxerr.Wrap(ctx, svc.ds.DeleteMDMConfigAssetsByName(ctx, []fleet.MDMAssetName{
diff --git a/server/service/mdm_test.go b/server/service/mdm_test.go
index 7838259121..ab6b1b2209 100644
--- a/server/service/mdm_test.go
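Review bot: Dropping `ctxerr.Wrap(ctx, err)` on the authorization failure in UploadMDMAppleAPNSCert (first hunk), and the same line in DeleteMDMAppleAPNSCert (third hunk), leaves the authz error as the only one in these functions returned without context, while the read failure in the second hunk still goes through `ctxerr.Wrap(ctx, err, "reading apns certificate")`. If the wrap had to go so the new test's checkAuthErr can match the error type, say so at the return, `return err // unwrapped so callers can match the authz error type`; otherwise keeping the wrap is the consistent choice. The new `cert == nil` guard sits correctly after the authorization check, so a caller that fails authz learns nothing about argument handling; its message is a byte-for-byte copy of the one in the PEM check in the second hunk and would be better as one shared constant. The second hunk also drops the validation TODO without adding any validation inside the hunk — if more than `pem.Decode` is done on the block further down, a comment naming it would make "Validate cert" accurate. Both functions continue past their hunks.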
+++ b/server/service/mdm_test.go
@@ -70,6 +70,8 @@ func TestMDMAppleAuthorization(t *testing.T) {
 		return &fleet.AppConfig{OrgInfo: fleet.OrgInfo{OrgName: "Nurv"}}, nil
 	}
 
+	ds.DeleteMDMConfigAssetsByNameFunc = func(ctx context.Context, assetNames []fleet.MDMAssetName) error { return nil }
+
 	// use a custom implementation of checkAuthErr as the service call will fail
 	// with a not found error (given that MDM is not really configured) in case
 	// of success, and the package-wide checkAuthErr requires no error.
@@ -94,6 +96,14 @@ func TestMDMAppleAuthorization(t *testing.T) {
 	checkAuthErr(t, shouldFailWithAuth, err)
 
 	_, err = svc.GetMDMAppleCSR(ctx)
+	require.Error(t, err)
+	checkAuthErr(t, shouldFailWithAuth, err)
+
+	err = svc.UploadMDMAppleAPNSCert(ctx, nil)
+	require.Error(t, err)
+	checkAuthErr(t, shouldFailWithAuth, err)
+
+	err = svc.DeleteMDMAppleAPNSCert(ctx)
 	// Don't expect anything other than an authz error here, since this is pretty much just a DB wrapper.
 	checkAuthErr(t, shouldFailWithAuth, err)
 }
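Review bot: `svc.UploadMDMAppleAPNSCert(ctx, nil)` in the second hunk only reaches the nil-argument guard, so for an authorized caller the error the custom checkAuthErr tolerates is the invalid-argument error and the PEM validation path is never exercised; that is fine for an authorization test, but the parsing boundary (empty reader, non-PEM bytes) deserves its own test rather than being covered only incidentally. The mock added in the first hunk, `ds.DeleteMDMConfigAssetsByNameFunc`, returns nil unconditionally and the test never asserts it was reached on the authorized DeleteMDMAppleAPNSCert call, so a change that returned early before the datastore call would still pass; asserting the mock was invoked, via whatever invocation flag the mock type exposes, closes that gap. TestMDMAppleAuthorization starts outside both hunks.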