**Related issue:** Resolves #33296 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests - [ ] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit **Bug Fixes** - Disk encryption key escrowing now only proceeds when disk encryption is explicitly enabled at the global or team level. **Tests** - Significantly expanded test coverage for Mobile Device Management, including VPP app handling, device enrollment workflows, host lock/wipe operations, SCEP proxy integrations, and DigiCert certificate handling. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai -->
package osquery_utils
import (
"context"
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/go-kit/log"
"github.com/go-kit/log/level"
)
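// IsDiskEncryptionEnabledForHost reports whether disk encryption is enabled for
// the given host: by the team's MDM config when the host is assigned to a team,
// otherwise by the global app config.
//
// The result is fail-closed: a nil host, a datastore error, or a team with no
// MDM config all yield false, so a caller that gates disk encryption key escrow
// on this value does not escrow under uncertainty. Datastore failures are
// logged at error level (not debug) because a false result caused by a lookup
// failure silently disables escrow for the host and must be visible to
// operators.
func IsDiskEncryptionEnabledForHost(ctx context.Context, logger log.Logger, ds fleet.Datastore, host *fleet.Host) bool {
	// Guard against a nil host rather than panicking on host.TeamID below.
	if host == nil {
		level.Error(logger).Log("msg", "disk encryption check called with nil host")
		return false
	}

	// Team-level setting takes precedence when the host belongs to a team.
	if host.TeamID != nil {
		teamMDM, err := ds.TeamMDMConfig(ctx, *host.TeamID)
		if err != nil {
			level.Error(logger).Log(
				"msg", "failed to get team MDM config for disk encryption check",
				"host_id", host.ID,
				"team_id", *host.TeamID,
				"err", err,
			)
			return false
		}
		// No MDM config for the team means no disk encryption setting; treat as disabled.
		if teamMDM == nil {
			return false
		}
		return teamMDM.EnableDiskEncryption
	}

	// Hosts without a team follow the global setting.
	appConfig, err := ds.AppConfig(ctx)
	if err != nil {
		level.Error(logger).Log(
			"msg", "failed to get app config for disk encryption check",
			"host_id", host.ID,
			"err", err,
		)
		return false
	}
	return appConfig.MDM.EnableDiskEncryption.Value
}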