From b2e35d12cffccba0d6fa67a7e64ff63e61749464 Mon Sep 17 00:00:00 2001
From: gillespi314 <73313222+gillespi314@users.noreply.github.com>
Date: Mon, 20 Mar 2023 15:22:57 -0500
Subject: [PATCH] Report MDM profile status pending when user action required for disk encryption settings (#10606)

---
 server/fleet/hosts.go        | 16 ++++++++++++++++
 server/service/hosts.go      | 12 +++++++++---
 server/service/hosts_test.go | 29 +++++++++++++++++++++++++----
 3 files changed, 50 insertions(+), 7 deletions(-)

diff --git a/server/fleet/hosts.go b/server/fleet/hosts.go
index b995a0cf17..98bc614d99 100644
--- a/server/fleet/hosts.go
+++ b/server/fleet/hosts.go
@@ -378,6 +378,22 @@ func (d *MDMHostData) DetermineDiskEncryptionStatus(profiles []HostMDMAppleProfi
 	d.MacOSSettings = &settings
 }
 
+func (d *MDMHostData) ProfileStatusFromDiskEncryptionState(currStatus *MDMAppleDeliveryStatus) *MDMAppleDeliveryStatus {
+	if d.MacOSSettings == nil || d.MacOSSettings.DiskEncryption == nil {
+		return currStatus
+	}
+	switch *d.MacOSSettings.DiskEncryption {
+	case DiskEncryptionActionRequired, DiskEncryptionEnforcing, DiskEncryptionRemovingEnforcement:
+		return &MDMAppleDeliveryPending
+	case DiskEncryptionFailed:
+		return &MDMAppleDeliveryFailed
+	case DiskEncryptionApplied:
+		return &MDMAppleDeliveryApplied
+	default:
+		return currStatus
+	}
+}
+
 // Only exposed for Datastore tests, to be able to assert the rawDecryptable
 // unexported field.
 func (d *MDMHostData) TestGetRawDecryptable() *int {
diff --git a/server/service/hosts.go b/server/service/hosts.go
index 16847f2815..a860d1a052 100644
--- a/server/service/hosts.go
+++ b/server/service/hosts.go
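Review bot: ProfileStatusFromDiskEncryptionState is exported but carries no doc comment, and its mapping is not self-evident from the name: DiskEncryptionActionRequired is reported as MDMAppleDeliveryPending, so a caller reading only the profile status cannot distinguish "waiting on the host" from "waiting on the user", and any DiskEncryptionState outside the four listed cases silently falls through to the unmodified currStatus. I would add above the method: `// ProfileStatusFromDiskEncryptionState maps the host's computed disk encryption state (set by DetermineDiskEncryptionStatus) onto the FileVault profile's delivery status: action-required, enforcing and removing-enforcement report Pending, failed reports Failed, applied reports Applied; an unset or unrecognized state returns currStatus unchanged.` Whether the action-required detail stays visible to API consumers then rests on MacOSSettings.ActionRequired, which this hunk does not touch, and that is worth stating in the comment so nobody later "simplifies" the Pending mapping without checking.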
@@ -804,15 +804,21 @@ func (svc *Service) getHostDetails(ctx context.Context, host *fleet.Host, opts f
 			return nil, ctxerr.Wrap(ctx, err, "get app config for host mdm profiles")
 		}
 		if ac.MDM.EnabledAndConfigured {
-			p, err := svc.ds.GetHostMDMProfiles(ctx, host.UUID)
+			profs, err := svc.ds.GetHostMDMProfiles(ctx, host.UUID)
 			if err != nil {
 				return nil, ctxerr.Wrap(ctx, err, "get host mdm profiles")
 			}
-			profiles = p
 
 			// determine disk encryption and action required here based on profiles and
 			// raw decryptable key status.
-			host.MDM.DetermineDiskEncryptionStatus(profiles, mobileconfig.FleetFileVaultPayloadIdentifier)
+			host.MDM.DetermineDiskEncryptionStatus(profs, mobileconfig.FleetFileVaultPayloadIdentifier)
+
+			for _, p := range profs {
+				if p.Identifier == mobileconfig.FleetFileVaultPayloadIdentifier {
+					p.Status = host.MDM.ProfileStatusFromDiskEncryptionState(p.Status)
+				}
+				profiles = append(profiles, p)
+			}
 		}
 		host.MDM.Profiles = &profiles
diff --git a/server/service/hosts_test.go b/server/service/hosts_test.go
index c9426b1619..63f0db11da 100644
--- a/server/service/hosts_test.go
+++ b/server/service/hosts_test.go
@@ -109,10 +109,11 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 		name string
 		rawDecrypt *int
 		fvProf *fleet.HostMDMAppleProfile
-		wantStatus fleet.DiskEncryptionState
+		wantState fleet.DiskEncryptionState
 		wantAction fleet.ActionRequiredState
+		wantStatus *fleet.MDMAppleDeliveryStatus
 	}{
-		{"no profile", ptr.Int(-1), nil, "", ""},
+		{"no profile", ptr.Int(-1), nil, "", "", nil},
 		{
 			"installed profile, no key",
@@ -125,6 +126,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionActionRequired,
 			fleet.ActionRequiredLogOut,
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"installed profile, unknown decryptable",
@@ -137,6 +139,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionEnforcing,
 			"",
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"installed profile, not decryptable",
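Review bot: The new loop changes what an empty profile list looks like on the wire: the removed `profiles = p` passed through whatever GetHostMDMProfiles returned, whereas `profiles = append(profiles, p)` leaves `profiles` untouched when profs is empty, so a result that used to serialize as `[]` would become `null` if the datastore returns an empty non-nil slice and `profiles` is declared as a nil slice (both the declaration and the datastore contract are outside this hunk, so this is inferred, and the new "no profile" test asserting nil suggests the change may be deliberate). If the `[]` shape matters to API clients, initialize before the loop with `profiles = make([]fleet.HostMDMAppleProfile, 0, len(profs))`, which also avoids regrowth; otherwise a one-line comment stating that an absent profile list is reported as null would save the next reader the same question. The range variable p is a copy, so setting p.Status only affects the appended element, which is what is intended here. getHostDetails begins before and ends after this hunk.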
@@ -149,6 +152,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionActionRequired,
 			fleet.ActionRequiredRotateKey,
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"installed profile, decryptable",
@@ -161,6 +165,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionApplied,
 			"",
+			&fleet.MDMAppleDeliveryApplied,
 		},
 		{
 			"pending install, decryptable",
@@ -173,6 +178,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionEnforcing,
 			"",
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"pending install, unknown decryptable",
@@ -185,6 +191,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionEnforcing,
 			"",
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"pending install, no key",
@@ -197,6 +204,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionEnforcing,
 			"",
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"failed install, no key",
@@ -209,6 +217,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionFailed,
 			"",
+			&fleet.MDMAppleDeliveryFailed,
 		},
 		{
 			"failed install, not decryptable",
@@ -221,6 +230,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionFailed,
 			"",
+			&fleet.MDMAppleDeliveryFailed,
 		},
 		{
 			"pending remove, decryptable",
@@ -233,6 +243,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionRemovingEnforcement,
 			"",
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"pending remove, no key",
@@ -245,6 +256,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionRemovingEnforcement,
 			"",
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"failed remove, unknown decryptable",
@@ -257,6 +269,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionFailed,
 			"",
+			&fleet.MDMAppleDeliveryFailed,
 		},
 		{
 			"removed profile, not decryptable",
@@ -269,6 +282,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			"",
 			"",
+			&fleet.MDMAppleDeliveryApplied,
 		},
 	}
 	for _, c := range cases {
@@ -295,11 +309,11 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			hostDetail, err := svc.getHostDetails(test.UserContext(context.Background(), test.UserAdmin), host, opts)
 			require.NoError(t, err)
 
-			if c.wantStatus == "" {
+			if c.wantState == "" {
 				require.Nil(t, hostDetail.MDM.MacOSSettings.DiskEncryption)
 			} else {
 				require.NotNil(t, hostDetail.MDM.MacOSSettings.DiskEncryption)
-				require.Equal(t, c.wantStatus, *hostDetail.MDM.MacOSSettings.DiskEncryption)
+				require.Equal(t, c.wantState, *hostDetail.MDM.MacOSSettings.DiskEncryption)
 			}
 			if c.wantAction == "" {
 				require.Nil(t, hostDetail.MDM.MacOSSettings.ActionRequired)
@@ -307,6 +321,13 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 				require.NotNil(t, hostDetail.MDM.MacOSSettings.ActionRequired)
 				require.Equal(t, c.wantAction, *hostDetail.MDM.MacOSSettings.ActionRequired)
 			}
+			if c.wantStatus != nil {
+				require.NotNil(t, hostDetail.MDM.Profiles)
+				profs := *hostDetail.MDM.Profiles
+				require.Equal(t, c.wantStatus, profs[0].Status)
+			} else {
+				require.Nil(t, *hostDetail.MDM.Profiles)
+			}
 		})
 	}
 }
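Review bot: The else branch added in the -307 hunk dereferences `*hostDetail.MDM.Profiles` without first checking the pointer, so a nil Profiles pointer would panic the test rather than produce a require failure; add `require.NotNil(t, hostDetail.MDM.Profiles)` before that `require.Nil`, mirroring what the if branch already does. The `profs[0].Status` check also assumes the FileVault profile is the only or first entry, which holds for the single-profile cases in this table but would silently check the wrong profile if a case ever includes another; locating the entry by its Identifier (the FileVault payload identifier used in hosts.go) instead of by index would make the intent explicit. TestHostDetailsMDMDiskEncryption begins before this hunk.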