From f254a9a343e35c36acd1e1590f935a45ae0f6830 Mon Sep 17 00:00:00 2001
From: Zach Wasserman
Date: Tue, 19 Jan 2021 14:49:53 -0800
Subject: [PATCH] Make name and secret required for enroll secrets (#207)
Adds a check to prevent users from unintentionally setting empty secrets. Fixes #188
---
 server/service/service_appconfig.go | 9 ++++++
 server/service/service_appconfig_test.go | 41 ++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
diff --git a/server/service/service_appconfig.go b/server/service/service_appconfig.go
index fd9b5c9e04..4dd9bce59f 100644
--- a/server/service/service_appconfig.go
+++ b/server/service/service_appconfig.go
@@ -241,6 +241,15 @@ func appConfigFromAppConfigPayload(p kolide.AppConfigPayload, config kolide.AppC
 }
 func (svc service) ApplyEnrollSecretSpec(ctx context.Context, spec *kolide.EnrollSecretSpec) error {
+ for _, s := range spec.Secrets {
+ if s.Name == "" {
+ return errors.New("enroll secret name must not be empty")
+ }
+ if s.Secret == "" {
+ return errors.New("enroll secret must not be empty")
+ }
+ }
+
 return svc.ds.ApplyEnrollSecretSpec(spec)
 }
diff --git a/server/service/service_appconfig_test.go b/server/service/service_appconfig_test.go
index 7cab2658db..cd3da50dba 100644
--- a/server/service/service_appconfig_test.go
+++ b/server/service/service_appconfig_test.go
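Review bot: A whitespace-only name or secret still passes the two `== ""` comparisons in the new loop of ApplyEnrollSecretSpec, so a spec carrying `secret: " "` is accepted even though the commit sets out to stop unintentionally empty secrets. Comparing `strings.TrimSpace(s.Secret) == ""` (and the same for `s.Name`) would close that gap; it needs `strings` imported if the file does not already have it, which is not visible here. The loop also reads `spec.Secrets` without a nil check on `spec`, which is only safe if every caller passes a non-nil spec; the callers are outside this hunk. If the enroll secret is the only credential a host presents when enrolling, a minimum length is worth considering at this same point, since the accompanying test accepts the three-character value "foo".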
@@ -84,3 +84,44 @@ func TestCreateAppConfig(t *testing.T) {
 assert.Len(t, gotSecretSpec.Secrets[0].Secret, 32)
 }
 }
+
+func TestEmptyEnrollSecret(t *testing.T) {
+ ds := new(mock.Store)
+ svc, err := newTestService(ds, nil, nil)
+ require.Nil(t, err)
+
+ ds.ApplyEnrollSecretSpecFunc = func(spec *kolide.EnrollSecretSpec) error {
+ return nil
+ }
+ ds.AppConfigFunc = func() (*kolide.AppConfig, error) {
+ return &kolide.AppConfig{}, nil
+ }
+
+ err = svc.ApplyEnrollSecretSpec(
+ context.Background(),
+ &kolide.EnrollSecretSpec{
+ Secrets: []kolide.EnrollSecret{{}},
+ },
+ )
+ require.Error(t, err)
+
+ err = svc.ApplyEnrollSecretSpec(
+ context.Background(),
+ &kolide.EnrollSecretSpec{Secrets: []kolide.EnrollSecret{{Name: "foo"}}},
+ )
+ require.Error(t, err)
+
+ err = svc.ApplyEnrollSecretSpec(
+ context.Background(),
+ &kolide.EnrollSecretSpec{Secrets: []kolide.EnrollSecret{{Secret: "foo"}}},
+ )
+ require.Error(t, err)
+
+ err = svc.ApplyEnrollSecretSpec(
+ context.Background(),
+ &kolide.EnrollSecretSpec{
+ Secrets: []kolide.EnrollSecret{{Name: "foo", Secret: "foo"}},
+ },
+ )
+ require.NoError(t, err)
+}
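Review bot: Every case in TestEmptyEnrollSecret passes a single-element `Secrets` slice, so a validation that inspected only the first entry would pass all four. A case such as `Secrets: []kolide.EnrollSecret{{Name: "a", Secret: "b"}, {Name: "c"}}` followed by `require.Error(t, err)` would pin that every entry is checked. The stub also never records whether it ran, so the rejection cases do not show that the datastore write was skipped; setting a local flag inside `ds.ApplyEnrollSecretSpecFunc` and asserting it is false after each `require.Error` would cover that. The `ds.AppConfigFunc` stub does not appear to be needed by the code path visible in this patch.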