Do not queue installations on vanilla osquery devices (#21718)

Another small fix for #21428.
2026-05-23 08:58:41 +00:00 · 2024-08-30 18:58:20 -03:00 · 2024-08-30 18:58:20 -03:00 · c6e20456a5
commit c6e20456a5
parent 5f2eaefabd
2 changed files with 25 additions and 2 deletions
--- a/server/service/integration_enterprise_test.go
+++ b/server/service/integration_enterprise_test.go
@ -12764,7 +12764,7 @@ func (s *integrationEnterpriseTestSuite) TestPolicyAutomationsSoftwareInstallers
 	team2, err := s.ds.NewTeam(ctx, &fleet.Team{Name: t.Name() + "team2"})
 	require.NoError(t, err)

-	newFleetdHost := func(name string, teamID *uint, platform string) *fleet.Host {
+	newHost := func(name string, teamID *uint, platform string) *fleet.Host {
 		h, err := s.ds.NewHost(ctx, &fleet.Host{
 			DetailUpdatedAt: time.Now(),
 			LabelUpdatedAt:  time.Now(),
@ -12778,6 +12778,10 @@ func (s *integrationEnterpriseTestSuite) TestPolicyAutomationsSoftwareInstallers
 			TeamID:          teamID,
 		})
 		require.NoError(t, err)
+		return h
+	}
+	newFleetdHost := func(name string, teamID *uint, platform string) *fleet.Host {
+		h := newHost(name, teamID, platform)
 		orbitKey := setOrbitEnrollment(t, h, s.ds)
 		h.OrbitNodeKey = &orbitKey
 		return h
@ -12787,6 +12791,7 @@ func (s *integrationEnterpriseTestSuite) TestPolicyAutomationsSoftwareInstallers
 	host1Team1 := newFleetdHost("host1Team1", &team1.ID, "darwin")
 	host2Team1 := newFleetdHost("host2Team1", &team1.ID, "ubuntu")
 	host3Team2 := newFleetdHost("host3Team2", &team2.ID, "windows")
+	hostVanillaOsquery5Team1 := newHost("hostVanillaOsquery5Team2", &team1.ID, "darwin")

 	// Upload dummy_installer.pkg to team1.
 	pkgPayload := &fleet.UploadSoftwareInstallerPayload{
@ -13351,4 +13356,17 @@ func (s *integrationEnterpriseTestSuite) TestPolicyAutomationsSoftwareInstallers
 	require.NotNil(t, actor.UserName)
 	require.Equal(t, "Test Name admin1@example.com", *actor.UserName)
 	require.Equal(t, "admin1@example.com", actor.UserEmail)
+
+	// hostVanillaOsquery5Team1 sends policy results with failed policies with associated installers.
+	// Fleet should not queue an install for vanilla osquery hosts.
+	distributedResp = submitDistributedQueryResultsResponse{}
+	s.DoJSONWithoutAuth("POST", "/api/osquery/distributed/write", genDistributedReqWithPolicyResults(
+		hostVanillaOsquery5Team1,
+		map[uint]*bool{
+			policy1Team1.ID: ptr.Bool(false),
+		},
+	), http.StatusOK, &distributedResp)
+	hostVanillaOsquery5Team1LastInstall, err := s.ds.GetHostLastInstallData(ctx, hostVanillaOsquery5Team1.ID, dummyInstallerPkgInstallerID)
+	require.NoError(t, err)
+	require.Nil(t, hostVanillaOsquery5Team1LastInstall)
 }
--- a/server/service/osquery.go
+++ b/server/service/osquery.go
@ -1008,7 +1008,7 @@ func (svc *Service) SubmitDistributedQueryResults(
 			logging.WithErr(ctx, err)
 		}

-		if err := svc.processSoftwareForNewlyFailingPolicies(ctx, host.ID, host.TeamID, host.Platform, policyResults); err != nil {
+		if err := svc.processSoftwareForNewlyFailingPolicies(ctx, host.ID, host.TeamID, host.Platform, host.OrbitNodeKey, policyResults); err != nil {
 			logging.WithErr(ctx, err)
 		}

@ -1616,8 +1616,13 @@ func (svc *Service) processSoftwareForNewlyFailingPolicies(
 	hostID uint,
 	hostTeamID *uint,
 	hostPlatform string,
+	hostOrbitNodeKey *string,
 	incomingPolicyResults map[uint]*bool,
 ) error {
+	if hostOrbitNodeKey == nil || *hostOrbitNodeKey == "" {
+		// We do not want to queue software installations on vanilla osquery hosts.
+		return nil
+	}
 	if hostTeamID == nil {
 		// TODO(lucas): Support hosts in "No team".
 		return nil