From 69bb2abc18154f73c0d7cc0350b3a9d7327d5f61 Mon Sep 17 00:00:00 2001
From: Roberto Dip
Date: Tue, 28 Feb 2023 15:54:24 -0300
Subject: [PATCH] modify query for when encryption key has newlines (#10094)

---
 server/service/osquery_utils/queries.go      | 12 +++++++++-
 server/service/osquery_utils/queries_test.go | 25 ++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/server/service/osquery_utils/queries.go b/server/service/osquery_utils/queries.go
index aadbd36f48..1474680403 100644
--- a/server/service/osquery_utils/queries.go
+++ b/server/service/osquery_utils/queries.go
@@ -570,7 +570,7 @@ var mdmQueries = map[string]DetailQuery{
 	// > location at any time.
 	//
 	// [1]: https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow
-	Query:            `SELECT to_base64(group_concat(line)) as filevault_key FROM file_lines WHERE path='/var/db/FileVaultPRK.dat'`,
+	Query:            `SELECT to_base64(group_concat(line, x'0a')) as filevault_key FROM file_lines WHERE path='/var/db/FileVaultPRK.dat'`,
 	Platforms:        []string{"darwin"},
 	DirectIngestFunc: directIngestDiskEncryptionKeyDarwin,
 	Discovery:        discoveryTable("file_lines"),
@@ -1292,6 +1292,16 @@ func directIngestDiskEncryptionKeyDarwin(
 		)
 	}
 
+	if strings.TrimSpace(rows[0]["filevault_key"]) == "" {
+		level.Debug(logger).Log(
+			"component", "service",
+			"method", "directIngestDiskEncryptionKeyDarwin",
+			"msg", "host reported empty /var/db/FileVaultPRK.dat contents",
+			"host", host.Hostname,
+		)
+		return nil
+	}
+
 	return ds.SetOrUpdateHostDiskEncryptionKey(ctx, host.ID, rows[0]["filevault_key"])
 }
 
diff --git a/server/service/osquery_utils/queries_test.go b/server/service/osquery_utils/queries_test.go
index 14c8651d90..37e66f6a80 100644
--- a/server/service/osquery_utils/queries_test.go
+++ b/server/service/osquery_utils/queries_test.go
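Review bot: The `x'0a'` argument to group_concat on the changed Query line reads like a typo to anyone who does not know group_concat's default separator is a comma, and nothing in the hunk records why it is there. A comment above the field would make the intent durable, e.g. `// file_lines yields one row per line; re-join with LF (x'0a') so the base64 value reproduces the original PRK bytes instead of a comma-joined string.` Note that group_concat cannot reproduce a trailing newline at end of file, so the decoded blob may still differ from the on-disk file by its final byte; whether whatever consumes this key is sensitive to that is not visible here.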
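Review bot: The new early return in directIngestDiskEncryptionKeyDarwin leaves any previously stored key untouched when the host reports an empty filevault_key, whereas before this change the empty string would have reached SetOrUpdateHostDiskEncryptionKey; if keeping the last known key is intended (for example the PRK file being transiently absent), say so with a comment such as `// An empty result (file missing or empty) does not clear a previously escrowed key; the last reported key is kept until a new one arrives.`, and if it is not intended the branch should clear the stored key rather than return. The guard trims whitespace but the untrimmed value is what is persisted two lines later, so a trailing newline in the base64 output would be stored as-is — worth confirming against what the datastore and the later decode expect. The debug log line correctly records only the hostname and never the key material, which should stay that way. The function signature and the preceding rows-length handling are outside the hunk.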
@@ -868,3 +868,28 @@ func TestDirectIngestDiskEncryptionLinux(t *testing.T) {
 	require.NoError(t, err)
 	require.True(t, ds.SetOrUpdateHostDisksEncryptionFuncInvoked)
 }
+
+func TestDirectIngestDiskEncryptionKeyDarwin(t *testing.T) {
+	ds := new(mock.Store)
+	ctx := context.Background()
+	logger := log.NewNopLogger()
+	wantKey := "OTM5ODRDQTYtOUY1Mi00NERELTkxOUEtMDlBN0ZBOUUzNUY5Cg=="
+	host := &fleet.Host{ID: 1}
+	ds.SetOrUpdateHostDiskEncryptionKeyFunc = func(ctx context.Context, hostID uint, encryptedBase64Key string) error {
+		require.Equal(t, wantKey, encryptedBase64Key)
+		require.Equal(t, host.ID, hostID)
+		return nil
+	}
+
+	err := directIngestDiskEncryptionKeyDarwin(ctx, logger, host, ds, []map[string]string{})
+	require.NoError(t, err)
+	require.False(t, ds.SetOrUpdateHostDiskEncryptionKeyFuncInvoked)
+
+	err = directIngestDiskEncryptionKeyDarwin(ctx, logger, host, ds, []map[string]string{{"filevault_key": ""}})
+	require.NoError(t, err)
+	require.False(t, ds.SetOrUpdateHostDiskEncryptionKeyFuncInvoked)
+
+	err = directIngestDiskEncryptionKeyDarwin(ctx, logger, host, ds, []map[string]string{{"filevault_key": wantKey}})
+	require.NoError(t, err)
+	require.True(t, ds.SetOrUpdateHostDiskEncryptionKeyFuncInvoked)
+}
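Review bot: TestDirectIngestDiskEncryptionKeyDarwin never feeds a whitespace-only value, which is the one case the strings.TrimSpace guard exists for, so a regression to a plain `== ""` comparison would pass this test unnoticed; adding `err = directIngestDiskEncryptionKeyDarwin(ctx, logger, host, ds, []map[string]string{{"filevault_key": " \n"}})` followed by `require.NoError(t, err)` and `require.False(t, ds.SetOrUpdateHostDiskEncryptionKeyFuncInvoked)` before the success case would pin it. The three calls share one mock, so each False assertion depends on no earlier call having flipped the Invoked flag rather than on that call alone; correct in this ordering, but a fresh mock per case would make each assertion self-contained. The `ctx` parameter of the SetOrUpdateHostDiskEncryptionKeyFunc closure shadows the outer `ctx`; naming it `_` keeps vet's shadow check quiet. The group_concat separator change in queries.go is not exercised here, which is expected since that SQL runs inside osquery.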