From 54e18d87bde2edb7e17461109c20996fa8ba62c4 Mon Sep 17 00:00:00 2001 From: Victor Lyuboslavsky Date: Thu, 27 Mar 2025 17:27:58 -0500 Subject: [PATCH] Fixing Fleet variable validation in (#27604) For #27603 Only fixing the UI issue. GitOps also has this issue, but GitOps does not validate Fleet variables locally, so not an easy fix. # Checklist for submitter - [x] Manual QA for all new/changed functionality - [x] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed. --- server/service/apple_mdm.go | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/server/service/apple_mdm.go b/server/service/apple_mdm.go
index 42ebd4a9e4..9765398478 100644
--- a/server/service/apple_mdm.go
+++ b/server/service/apple_mdm.go
@@ -397,6 +397,17 @@ func (svc *Service) NewMDMAppleConfigProfile(ctx context.Context, teamID uint, r
 return nil, ctxerr.Wrap(ctx, fleet.NewInvalidArgumentError("profile", err.Error()))
 }
+ // We validate Fleet variables before we unmarshal the profile because bad variables can break unmarshal.
+ // For example: $FLEET_VAR_BOZO
+ appConfig, err := svc.ds.AppConfig(ctx)
+ if err != nil {
+ return nil, ctxerr.Wrap(ctx, err)
+ }
+ err = validateConfigProfileFleetVariables(appConfig, expanded)
+ if err != nil {
+ return nil, ctxerr.Wrap(ctx, err, "validating fleet variables")
+ }
+
 cp, err := fleet.NewMDMAppleConfigProfile([]byte(expanded), &teamID)
 if err != nil {
 return nil, ctxerr.Wrap(ctx, &fleet.BadRequestError{
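Review bot: The pre-parse validation added to NewMDMAppleConfigProfile has no regression test in this patch; the diffstat lists only server/service/apple_mdm.go and the description mentions manual QA alone. A service-level test that submits a profile containing an unsupported variable such as `$FLEET_VAR_BOZO` and asserts the "validating fleet variables" error, rather than the BadRequestError from `fleet.NewMDMAppleConfigProfile`, would pin the ordering so that a later refactor cannot quietly move this input check back below the parse. The `svc.ds.AppConfig` failure is also wrapped without a message; `return nil, ctxerr.Wrap(ctx, err, "getting app config")` would match the wrap a few lines below. The function body starts and ends outside the hunk, so how `expanded` is produced and what `validateConfigProfileFleetVariables` puts in its error text cannot be checked from here.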
@@ -410,14 +421,6 @@ func (svc *Service) NewMDMAppleConfigProfile(ctx context.Context, teamID uint, r
 }
 return nil, ctxerr.Wrap(ctx, &fleet.BadRequestError{Message: err.Error()})
 }
- appConfig, err := svc.ds.AppConfig(ctx)
- if err != nil {
- return nil, ctxerr.Wrap(ctx, err)
- }
- err = validateConfigProfileFleetVariables(appConfig, string(cp.Mobileconfig))
- if err != nil {
- return nil, ctxerr.Wrap(ctx, err, "validating fleet variables")
- }
 // Save the original unexpanded profile
 cp.Mobileconfig = b