From a03cca1b7decb8c4319c4afdea4c989f5429619b Mon Sep 17 00:00:00 2001
From: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Date: Thu, 12 Jun 2025 10:40:13 -0400
Subject: [PATCH] Reorder policyQueriesForHost logic to reduce DB hits (#29957)

For #29958

Found during 4.69.0 load testing.

We need to call disablePoliciesDurignSetupExperience after calling
GetHostPolicyReportedAt and running the time-based logic which often
results in us not contacting the DB for policies at all(since the time
based logic just hits redis)

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->


- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
- [x] For unreleased bug fixes in a release candidate, confirmed that
the fix is not expected to adversely impact load test results or alerted
the release DRI if additional load testing is needed.
---
 server/service/osquery.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/server/service/osquery.go b/server/service/osquery.go
index d989db8c18..3d0c34bd81 100644
--- a/server/service/osquery.go
+++ b/server/service/osquery.go
@@ -807,6 +807,10 @@ func (svc *Service) disablePoliciesDuringSetupExperience(ctx context.Context, ho
 // It returns (nil, true, nil) if the interval is so that policies should be executed on the host, but there are no policies
 // assigned to such host.
 func (svc *Service) policyQueriesForHost(ctx context.Context, host *fleet.Host) (policyQueries map[string]string, noPoliciesForHost bool, err error) {
+	policyReportedAt := svc.task.GetHostPolicyReportedAt(ctx, host)
+	if !svc.shouldUpdate(policyReportedAt, svc.config.Osquery.PolicyUpdateInterval, host.ID) && !host.RefetchRequested {
+		return nil, false, nil
+	}
 	disablePolicies, err := svc.disablePoliciesDuringSetupExperience(ctx, host)
 	if err != nil {
 		return nil, false, ctxerr.Wrap(ctx, err, "check if host is in setup experience")
@@ -815,10 +819,6 @@ func (svc *Service) policyQueriesForHost(ctx context.Context, host *fleet.Host)
 		level.Debug(svc.logger).Log("msg", "skipping policy queries for host in setup experience", "host_id", host.ID)
 		return nil, false, nil
 	}
-	policyReportedAt := svc.task.GetHostPolicyReportedAt(ctx, host)
-	if !svc.shouldUpdate(policyReportedAt, svc.config.Osquery.PolicyUpdateInterval, host.ID) && !host.RefetchRequested {
-		return nil, false, nil
-	}
 	policyQueries, err = svc.ds.PolicyQueriesForHost(ctx, host)
 	if err != nil {
 		return nil, false, ctxerr.Wrap(ctx, err, "retrieve policy queries")