mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 09:28:54 +00:00
beca71e674
**Related issue:** Resolves #34464 # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters. - [x] Timeouts are implemented and retries are limited to avoid infinite loops ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually --- ## What GitOps `--dry-run` was succeeding when `macos_manual_agent_install` was set to `true` and a `macos_script` was configured under `setup_experience`, but the actual GitOps run would fail with: ``` Couldn't add setup experience script. To add script, first disable macos_manual_agent_install. ``` ## Why The `manual_agent_install` conflict validation only existed server-side in `ee/server/service/setup_experience.go:SetSetupExperienceScript()`. The script upload call (`uploadMacOSSetupScript()`) was gated by `!opts.DryRun` in `server/service/client.go`, so during dry-run the upload was skipped entirely and the validation never fired. ## Fix Added client-side validation in `server/service/client.go` at the point where the YAML-parsed `MacOSSetup` struct is processed — before the script file is validated and loaded. This check runs for **both dry-run and real runs**, catching the conflict early. Two code paths were fixed: 1. **Team path** (~line 803): Checks `setup.ManualAgentInstall.Value` when `setup.Script.Value` is set 2. **No-team path** (~line 2603): Checks `macOSSetup.ManualAgentInstall.Value` when `macOSSetup.Script.Value` is set ## How I reproduced the issue locally ### Prerequisites - MySQL and Redis running via Docker: `docker compose up -d mysql_test redis` ### Steps 1. Wrote an integration test (`TestDryRunMacOSSetupScriptWithManualAgentInstallConflict`) that: - Creates a GitOps user and fleetctl config - Creates a bootstrap package server serving `testdata/signed.pkg` - Creates a `.sh` script file with `echo "setup script"` - Creates a **global config** YAML (minimal server settings) - Creates a **team config** YAML with `macos_manual_agent_install: true`, `macos_script: <path>`, and `macos_bootstrap_package: <url>` - Runs `fleetctl gitops --dry-run` and asserts it fails - Runs `fleetctl gitops` (no dry-run) and asserts it fails 2. Ran the test **before the fix** — confirmed the bug: ``` Dry-run error: <nil> ← BUG: should have failed Real run error: ...status 422...first disable macos_manual_agent_install ← correctly fails ``` 3. Applied the fix and re-ran — **both dry-run and real run now fail** with the `macos_manual_agent_install` conflict error. ### Test command ```bash MYSQL_TEST=1 REDIS_TEST=1 go test -v \ -run TestIntegrationsEnterpriseGitops/TestDryRunMacOSSetupScriptWithManualAgentInstallConflict \ ./cmd/fleetctl/integrationtest/gitops/... -count=1 -timeout 600s ``` Both sub-tests (team and no-team paths) pass. All related existing tests continue to pass: - `TestMacOSSetup`, `TestMacOSSetupScriptWithFleetSecret`, `TestDeletingNoTeamYAML`, `TestDisallowSoftwareSetupExperience` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * GitOps dry-run now correctly fails when a macOS setup configuration combines manual agent installation with a provided setup script, preventing false-positive dry-run success. * **Tests** * Added unit and integration regression tests to verify dry-run and real-run rejection of conflicting macOS setup configurations for both team-scoped and unassigned host scopes. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|---|---|---|
| .. | ||
| gitops | ||
| package | ||
| preview | ||
| vuln | ||
| suite.go | ||