fix: do not abort MDM ingestion flow if IdP id not found (#19776)

> Related issue: #19612 # Checklist for submitter If some of the following don't apply, delete the relevant line.  - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2026-05-24 09:28:54 +00:00 · 2024-06-17 10:03:13 -04:00 · 2024-06-17 10:03:13 -04:00 · cc96b3372a
commit cc96b3372a
parent 85a5c6eecb
3 changed files with 47 additions and 3 deletions
--- a/changes/19612-idp-ingest
+++ b/changes/19612-idp-ingest
@ -0,0 +1 @@
+- Fixes issue where the MDM ingestion flow would fail if an invalid enrollment reference was passed.
--- a/server/service/osquery_utils/queries.go
+++ b/server/service/osquery_utils/queries.go
@ -1711,7 +1711,15 @@ func directIngestMDMMac(ctx context.Context, logger log.Logger, host *fleet.Host
 		}
 		if fleetEnrollRef != "" {
 			if err := ds.SetOrUpdateHostEmailsFromMdmIdpAccounts(ctx, host.ID, fleetEnrollRef); err != nil {
-				return ctxerr.Wrap(ctx, err, "updating host emails from mdm idp accounts")
+				if !fleet.IsNotFound(err) {
+					return ctxerr.Wrap(ctx, err, "updating host emails from mdm idp accounts")
+				}
+
+				level.Warn(logger).Log(
+					"component", "service",
+					"method", "directIngestMDMMac",
+					"msg", err.Error(),
+				)
 			}
 		}
 	}
--- a/server/service/osquery_utils/queries_test.go
+++ b/server/service/osquery_utils/queries_test.go
@ -502,6 +502,7 @@ func TestDirectIngestMDMMac(t *testing.T) {
 		got        map[string]string
 		wantParams []any
 		wantErr    string
+		enrollRef  string
 	}{
 		{
 			"empty server URL",
@ -512,6 +513,7 @@ func TestDirectIngestMDMMac(t *testing.T) {
 			},
 			[]any{false, false, "", false, fleet.UnknownMDMName},
 			"",
+			"",
 		},
 		{
 			"with Fleet payload identifier",
@ -523,6 +525,7 @@ func TestDirectIngestMDMMac(t *testing.T) {
 			},
 			[]any{false, true, "https://test.example.com", true, fleet.WellKnownMDMFleet},
 			"",
+			"",
 		},
 		{
 			"with a query string on the server URL",
@ -533,6 +536,7 @@ func TestDirectIngestMDMMac(t *testing.T) {
 			},
 			[]any{false, true, "https://jamf.com/1/some/path", true, fleet.WellKnownMDMJamf},
 			"",
+			"",
 		},
 		{
 			"with invalid installed_from_dep",
@ -543,6 +547,7 @@ func TestDirectIngestMDMMac(t *testing.T) {
 			},
 			[]any{},
 			"parsing installed_from_dep",
+			"",
 		},
 		{
 			"with invalid enrolled",
@ -553,6 +558,7 @@ func TestDirectIngestMDMMac(t *testing.T) {
 			},
 			[]any{},
 			"parsing enrolled",
+			"",
 		},
 		{
 			"with invalid server_url",
@ -563,6 +569,19 @@ func TestDirectIngestMDMMac(t *testing.T) {
 			},
 			[]any{},
 			"parsing server_url",
+			"",
+		},
+		{
+			"with invalid enrollment reference",
+			map[string]string{
+				"enrolled":           "true",
+				"installed_from_dep": "true",
+				"server_url":         "https://test.example.com?enroll_reference=foobar",
+				"payload_identifier": apple_mdm.FleetPayloadIdentifier,
+			},
+			[]any{false, true, "https://test.example.com", true, fleet.WellKnownMDMFleet},
+			"",
+			"foobar",
 		},
 	}

@ -574,13 +593,19 @@ func TestDirectIngestMDMMac(t *testing.T) {
 				require.Equal(t, serverURL, c.wantParams[2])
 				require.Equal(t, installedFromDep, c.wantParams[3])
 				require.Equal(t, name, c.wantParams[4])
-				require.Empty(t, fleetEnrollmentRef)
+				require.Equal(t, fleetEnrollmentRef, c.enrollRef)
 				return nil
 			}
 			ds.SetOrUpdateHostEmailsFromMdmIdpAccountsFunc = func(ctx context.Context, hostID uint, fleetEnrollmentRef string) error {
 				return nil
 			}

+			if c.name == "with invalid enrollment reference" {
+				ds.SetOrUpdateHostEmailsFromMdmIdpAccountsFunc = func(ctx context.Context, hostID uint, fleetEnrollmentRef string) error {
+					return &nfe{}
+				}
+			}
+
 			err := directIngestMDMMac(context.Background(), log.NewNopLogger(), &host, ds, []map[string]string{c.got})
 			if c.wantErr != "" {
 				require.ErrorContains(t, err, c.wantErr)
@ -590,7 +615,9 @@ func TestDirectIngestMDMMac(t *testing.T) {
 				require.True(t, ds.SetOrUpdateMDMDataFuncInvoked)
 				require.NoError(t, err)
 				ds.SetOrUpdateMDMDataFuncInvoked = false
-				require.False(t, ds.SetOrUpdateHostEmailsFromMdmIdpAccountsFuncInvoked)
+				if c.name != "with invalid enrollment reference" {
+					require.False(t, ds.SetOrUpdateHostEmailsFromMdmIdpAccountsFuncInvoked)
+				}
 			}
 		})
 	}
@ -1957,3 +1984,11 @@ func TestGenerateSQLForAllExists(t *testing.T) {
 	sql = generateSQLForAllExists(query1, query2)
 	assert.Equal(t, "SELECT 1 WHERE EXISTS (SELECT 1 WHERE foo = 'ba;r') AND EXISTS (SELECT 1 WHERE baz = 'qu;x')", sql)
 }
+
+type nfe struct{}
+
+func (e nfe) Error() string {
+	return "foobar"
+}
+
+func (e nfe) IsNotFound() bool { return true }
				`@ -0,0 +1 @@`
				`- Fixes issue where the MDM ingestion flow would fail if an invalid enrollment reference was passed.`