package service
import (
"fmt"
"testing"
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/stretchr/testify/require"
)
func TestValidateWindowsProfileFleetVariablesLicense(t *testing.T) {
t.Parallel()
profileWithVars := `
-
./Device/Vendor/MSFT/Accounts/DomainName
Host UUID: $FLEET_VAR_HOST_UUID
`
// Test with free license
freeLic := &fleet.LicenseInfo{Tier: fleet.TierFree}
_, err := validateWindowsProfileFleetVariables(profileWithVars, freeLic, nil)
require.ErrorIs(t, err, fleet.ErrMissingLicense)
// Test with premium license
premiumLic := &fleet.LicenseInfo{Tier: fleet.TierPremium}
vars, err := validateWindowsProfileFleetVariables(profileWithVars, premiumLic, nil)
require.NoError(t, err)
require.Contains(t, vars, "HOST_UUID")
// Test profile without variables (should work with free license)
profileNoVars := `
-
./Device/Vendor/MSFT/Accounts/DomainName
Static Value
`
vars, err = validateWindowsProfileFleetVariables(profileNoVars, freeLic, nil)
require.NoError(t, err)
require.Nil(t, vars)
}
func TestValidateWindowsProfileFleetVariables(t *testing.T) {
tests := []struct {
name string
profileXML string
wantErr bool
errContains string
}{
{
name: "no variables",
profileXML: `
-
./Device/Vendor/MSFT/Policy/Config/System/AllowLocation
1
`,
wantErr: false,
},
{
name: "HOST_UUID variable",
profileXML: `
-
./Device/Vendor/MSFT/Policy/Config/System/AllowLocation
$FLEET_VAR_HOST_UUID
`,
wantErr: false,
},
{
name: "HOST_UUID variable with braces",
profileXML: `
-
./Device/Vendor/MSFT/Policy/Config/System/AllowLocation
${FLEET_VAR_HOST_UUID}
`,
wantErr: false,
},
{
name: "multiple HOST_UUID variables",
profileXML: `
-
./Device/Vendor/MSFT/Policy/Config/System/AllowLocation
$FLEET_VAR_HOST_UUID-${FLEET_VAR_HOST_UUID}
`,
wantErr: false,
},
{
name: "unsupported variable",
profileXML: `
-
./Device/Vendor/MSFT/Policy/Config/System/AllowLocation
$FLEET_VAR_HOST_FAKE
`,
wantErr: true,
errContains: "Fleet variable $FLEET_VAR_HOST_FAKE is not supported in Windows profiles",
},
{
name: "HOST_UUID with another unsupported variable",
profileXML: `
-
./Device/Vendor/MSFT/Policy/Config/System/AllowLocation
$FLEET_VAR_HOST_UUID-$FLEET_VAR_BOGUS_VAR
`,
wantErr: true,
errContains: "Fleet variable $FLEET_VAR_BOGUS_VAR is not supported in Windows profiles",
},
{
name: "unknown Fleet variable",
profileXML: `
-
./Device/Vendor/MSFT/Policy/Config/System/AllowLocation
${FLEET_VAR_UNKNOWN_VAR}
`,
wantErr: true,
errContains: "Fleet variable $FLEET_VAR_UNKNOWN_VAR is not supported in Windows profiles",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Pass a premium license for testing (we're not testing license validation here)
premiumLic := &fleet.LicenseInfo{Tier: fleet.TierPremium}
_, err := validateWindowsProfileFleetVariables(tt.profileXML, premiumLic, nil)
if tt.wantErr {
require.Error(t, err)
if tt.errContains != "" {
require.Contains(t, err.Error(), tt.errContains)
}
} else {
require.NoError(t, err)
}
})
}
}
func TestAdditionalNDESValidationForWindowsProfiles(t *testing.T) {
ndesVars := &NDESVarsFound{}
ndesVars, _ = ndesVars.SetChallenge()
ndesVars, _ = ndesVars.SetURL()
// Helper to build a SyncML Add item with a LocURI target and Data content.
addItem := func(locURI, data string) string {
return fmt.Sprintf(
`- %s%s
`,
locURI, data,
)
}
// A valid NDES profile with all required fields.
validProfile := addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/Challenge", "$FLEET_VAR_NDES_SCEP_CHALLENGE") +
addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/ServerURL", "$FLEET_VAR_NDES_SCEP_PROXY_URL") +
addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/SubjectName", "CN=test,OU=$FLEET_VAR_SCEP_RENEWAL_ID")
tests := []struct {
name string
contents string
wantErr bool
errContains string
}{
{
name: "valid NDES profile",
contents: validProfile,
},
{
name: "valid NDES profile with braces syntax",
contents: addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/Challenge", "${FLEET_VAR_NDES_SCEP_CHALLENGE}") +
addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/ServerURL", "${FLEET_VAR_NDES_SCEP_PROXY_URL}") +
addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/SubjectName", "CN=test,OU=${FLEET_VAR_SCEP_RENEWAL_ID}"),
},
{
name: "valid NDES profile wrapped in atomic",
contents: `` +
`1- ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/Challenge` +
`$FLEET_VAR_NDES_SCEP_CHALLENGE
` +
`2- ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/ServerURL` +
`$FLEET_VAR_NDES_SCEP_PROXY_URL
` +
`3- ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/SubjectName` +
`CN=test,OU=$FLEET_VAR_SCEP_RENEWAL_ID
` +
``,
},
{
name: "challenge var in wrong field",
contents: addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/ServerURL", "$FLEET_VAR_NDES_SCEP_CHALLENGE") +
addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/Challenge", "$FLEET_VAR_NDES_SCEP_CHALLENGE"),
wantErr: true,
errContains: `must only be in the SCEP certificate's "Challenge" field`,
},
{
name: "challenge var in arbitrary data field",
contents: addItem("./Device/Vendor/MSFT/Something/Else", "$FLEET_VAR_NDES_SCEP_CHALLENGE") +
addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/Challenge", "$FLEET_VAR_NDES_SCEP_CHALLENGE"),
wantErr: true,
errContains: `must only be in the SCEP certificate's "Challenge" field`,
},
{
name: "proxy url var in wrong field",
contents: addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/Challenge", "$FLEET_VAR_NDES_SCEP_PROXY_URL") +
addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/ServerURL", "$FLEET_VAR_NDES_SCEP_PROXY_URL"),
wantErr: true,
errContains: `must only be in the SCEP certificate's "ServerURL" field`,
},
{
name: "proxy url var in arbitrary data field",
contents: addItem("./Device/Vendor/MSFT/Something/Else", "$FLEET_VAR_NDES_SCEP_PROXY_URL") +
addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/ServerURL", "$FLEET_VAR_NDES_SCEP_PROXY_URL"),
wantErr: true,
errContains: `must only be in the SCEP certificate's "ServerURL" field`,
},
{
name: "challenge var in LocURI target",
contents: addItem(
"./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_NDES_SCEP_CHALLENGE/Install/Challenge",
"$FLEET_VAR_NDES_SCEP_CHALLENGE",
),
wantErr: true,
errContains: "must not appear in LocURI target paths",
},
{
name: "proxy url var in LocURI target",
contents: addItem(
"./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_NDES_SCEP_PROXY_URL/Install/ServerURL",
"$FLEET_VAR_NDES_SCEP_PROXY_URL",
),
wantErr: true,
errContains: "must not appear in LocURI target paths",
},
{
name: "challenge field has wrong value",
contents: addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/Challenge", "hardcoded-password") +
addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/ServerURL", "$FLEET_VAR_NDES_SCEP_PROXY_URL"),
wantErr: true,
errContains: `must be in the SCEP certificate's "Challenge" field`,
},
{
name: "server url field has wrong value",
contents: addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/Challenge", "$FLEET_VAR_NDES_SCEP_CHALLENGE") +
addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/ServerURL", "https://hardcoded.example.com"),
wantErr: true,
errContains: `must be in the SCEP certificate's "ServerURL" field`,
},
{
name: "subject name missing renewal id",
contents: addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/Challenge", "$FLEET_VAR_NDES_SCEP_CHALLENGE") +
addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/ServerURL", "$FLEET_VAR_NDES_SCEP_PROXY_URL") +
addItem("./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/cert1/Install/SubjectName", "CN=test"),
wantErr: true,
errContains: "SubjectName item must contain the $FLEET_VAR_SCEP_RENEWAL_ID variable in the OU field",
},
{
name: "nil ndes vars returns nil",
contents: validProfile,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
vars := ndesVars
if tt.name == "nil ndes vars returns nil" {
vars = nil
}
err := additionalNDESValidationForWindowsProfiles(tt.contents, vars)
if tt.wantErr {
require.Error(t, err)
var badReqErr *fleet.BadRequestError
require.ErrorAs(t, err, &badReqErr, "expected BadRequestError for: %s", tt.name)
require.Contains(t, err.Error(), tt.errContains)
} else {
require.NoError(t, err)
}
})
}
}