This reverts commit a5bd50716d which was
this PR: https://github.com/fleetdm/fleet/pull/28742
It was determined that the behavior changes here conflict with other
changes being requested by `customer-starchik`. Design is to review and
come up with a different strategy for improving the behavior this change
was originally intended to fix.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- For Orbit and Fleet Desktop changes:
- [x] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)).
- [x] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- [x] For unreleased bug fixes in a release candidate, confirmed that
the fix is not expected to adversely impact load test results or alerted
the release DRI if additional load testing is needed.
package update
import (
"testing"
"time"
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/stretchr/testify/require"
"github.com/stretchr/testify/suite"
)
// TestEscrowBuddy is the `go test` entry point that runs every method of
// escrowBuddyTestSuite through testify's suite runner.
func TestEscrowBuddy(t *testing.T) {
	ts := &escrowBuddyTestSuite{}
	// The s field is not declared in this file; it is presumably promoted
	// from the embedded withTUF helper and must point at the embedded
	// suite.Suite before the suite starts.
	ts.s = &ts.Suite
	suite.Run(t, ts)
}
// escrowBuddyTestSuite groups the Escrow Buddy runner tests.
type escrowBuddyTestSuite struct {
	// Testify suite plumbing (T(), setup/teardown hooks).
	suite.Suite
	// Shared TUF test fixture. The tests in this file use s.client and
	// s.addRemoteTarget, which are not declared here and presumably come
	// from this embedded type.
	withTUF
}
// TestUpdatesDisabled checks that a runner constructed with a nil update
// runner returns no error from Run even when the server has asked for a disk
// encryption key rotation.
func (s *escrowBuddyTestSuite) TestUpdatesDisabled() {
	var cfg fleet.OrbitConfig
	cfg.Notifications.RotateDiskEncryptionKey = true

	// nil stands in for the update runner (per the test name, the
	// "updates disabled" configuration).
	runner := NewEscrowBuddyRunner(nil, time.Second)
	require.NoError(s.T(), runner.Run(&cfg))
}
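// TestEscrowBuddyRotatesKey drives EscrowBuddyRunner.Run through the key
// rotation lifecycle with command execution stubbed out: notification unset,
// notification set while the package is missing from the remote repository,
// notification set with the package available, and notification cleared.
//
// The complete command lines are asserted on purpose. They are handed to
// `sh -c`, so pinning the whole string means any change to what reaches the
// shell (a different path, or a value spliced into the command) fails this
// test and has to be reviewed.
func (s *escrowBuddyTestSuite) TestEscrowBuddyRotatesKey() {
	t := s.T()

	// shellCall records one invocation of the stubbed command runner.
	type shellCall struct {
		cmd  string
		args []string
	}

	const (
		escrowBuddyPath = "escrowBuddy/macos/stable/escrowBuddy.pkg"

		// The backslash escapes the space in the bundle name for the shell.
		authDBSetupCmd = "/Library/Security/SecurityAgentPlugins/Escrow\\ Buddy.bundle/Contents/Resources/AuthDBSetup.sh"
		generateKeyOn  = "defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true"
		generateKeyOff = "defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool false"
	)

	updater := &Updater{
		client: s.client,
		opt: Options{
			Targets:       make(map[string]TargetInfo),
			RootDirectory: t.TempDir(),
		},
	}
	runner := &Runner{updater: updater, localHashes: make(map[string][]byte)}

	cfg := &fleet.OrbitConfig{}
	r := &EscrowBuddyRunner{updateRunner: runner, interval: time.Millisecond}

	// Stub out command execution so nothing is run on the test host; every
	// invocation is recorded for the assertions below.
	var calls []shellCall
	r.runCmdFunc = func(cmd string, args ...string) error {
		calls = append(calls, shellCall{cmd: cmd, args: args})
		return nil
	}

	// Notification unset: no target is registered and no command is run.
	err := r.Run(cfg)
	require.NoError(t, err)
	require.Empty(t, runner.updater.opt.Targets)
	require.Empty(t, calls)

	// Notification set, but the remote repository does not have the target
	// yet: Run must fail and must not have executed any command.
	cfg.Notifications.RotateDiskEncryptionKey = true
	err = r.Run(cfg)
	require.ErrorContains(t, err, "tuf: file not found")
	require.Empty(t, calls)

	// Publish escrow buddy on the remote.
	s.addRemoteTarget(escrowBuddyPath)

	// With the package available, Run sets up the authorization database
	// and then turns GenerateNewKey on, in that order. Expected values come
	// first, matching testify's Equal(t, expected, actual) signature so
	// failure output labels them correctly.
	err = r.Run(cfg)
	require.NoError(t, err)
	require.Len(t, calls, 2)
	require.Equal(t, "sh", calls[0].cmd)
	require.Equal(t, []string{"-c", authDBSetupCmd}, calls[0].args)
	require.Equal(t, "sh", calls[1].cmd)
	require.Equal(t, []string{"-c", generateKeyOn}, calls[1].args)

	// Exactly one target was registered, and it is the macOS Escrow Buddy one.
	targets := runner.updater.opt.Targets
	require.Len(t, targets, 1)
	ti, ok := targets["escrowBuddy"]
	require.True(t, ok)
	require.EqualValues(t, EscrowBuddyMacOSTarget, ti)

	// NOTE(review): presumably waits out the runner's 1ms interval so the
	// next Run is not skipped; confirm against Run. A fixed sleep can be
	// flaky on a loaded machine.
	time.Sleep(3 * time.Millisecond)

	// Notification cleared: a single call turns GenerateNewKey back off.
	cfg.Notifications.RotateDiskEncryptionKey = false
	calls = nil
	err = r.Run(cfg)
	require.NoError(t, err)
	require.Len(t, calls, 1)
	require.Equal(t, "sh", calls[0].cmd)
	require.Equal(t, []string{"-c", generateKeyOff}, calls[0].args)
}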