mirror of
https://github.com/fleetdm/fleet
synced 2026-05-22 16:39:01 +00:00
de7ce439ec
Fixes https://github.com/fleetdm/fleet/issues/24394 by adding new verification logic to detect and verify these profiles. We only verify a subset of the properties because there are certain settings such as the Authentication which Windows seems to upgrade in circumstances where it can(e.g. WPA2 specified but interface + router supports WPA3 results in WPA3 on the client and there are likely other similar scenarios). After discussion with design team we've decided the limited verification is better than what we had before and a good solution for now. I know this is extremely heavy on comments but the behavior is strange and non obvious. Also see latest comment on the issue for some testing discussion: https://github.com/fleetdm/fleet/issues/24394#issuecomment-2810261844 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality
205 lines
8 KiB
Go
205 lines
8 KiB
Go
package admx
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestIsADMX(t *testing.T) {
|
|
t.Parallel()
|
|
assert.False(t, IsADMX(""))
|
|
assert.False(t, IsADMX("not an ADMX policy"))
|
|
assert.False(t, IsADMX(`<![CDATA[bozo]]>`))
|
|
assert.False(t, IsADMX(`<![CDATA[<bozo/>]]>`))
|
|
assert.False(t, IsADMX(`<![CDATA[<bozo]]>`))
|
|
|
|
// This is a WLAN XML profile
|
|
assert.False(t, IsADMX(
|
|
`<?xml version="1.0"?>
|
|
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
|
|
<name>Test</name>
|
|
<SSIDConfig>
|
|
<SSID>
|
|
<hex>54657374</hex>
|
|
<name>Test</name>
|
|
</SSID>
|
|
<nonBroadcast>false</nonBroadcast>
|
|
</SSIDConfig>
|
|
<connectionType>ESS</connectionType>
|
|
<connectionMode>auto</connectionMode>
|
|
<MSM>
|
|
<security>
|
|
<authEncryption>
|
|
<authentication>WPA2PSK</authentication>
|
|
<encryption>AES</encryption>
|
|
<useOneX>false</useOneX>
|
|
</authEncryption>
|
|
<sharedKey>
|
|
<keyType>passPhrase</keyType>
|
|
<protected>false</protected>
|
|
<keyMaterial>sup3rs3cr3t</keyMaterial>
|
|
</sharedKey>
|
|
</security>
|
|
</MSM>
|
|
</WLANProfile>`))
|
|
|
|
assert.True(t, IsADMX(`<![CDATA[<enabled/>]]>`))
|
|
assert.True(t, IsADMX(`<![CDATA[<disabled/>]]>`))
|
|
assert.True(t, IsADMX(`<![CDATA[<data id="id" value="value"/>]]>`))
|
|
assert.True(t, IsADMX(
|
|
` <![CDATA[
|
|
<enabled/>
|
|
]]>`))
|
|
assert.True(t,
|
|
IsADMX("<Enabled/><Data id=\"EnableScriptBlockInvocationLogging\" value=\"true\"/><Data id=\"ExecutionPolicy\" value=\"AllSigned\"/><Data id=\"Listbox_ModuleNames\" value=\"*\"/><Data id=\"OutputDirectory\" value=\"false\"/><Data id=\"SourcePathForUpdateHelp\" value=\"false\"/>"))
|
|
assert.True(t, IsADMX(
|
|
`<Enabled/>
|
|
<![CDATA[<data id="ExecutionPolicy" value="AllSigned"/>]]>
|
|
<![CDATA[<data id="Listbox_ModuleNames" value="*"/>
|
|
<data id="OutputDirectory" value="false"/>
|
|
<data id="EnableScriptBlockInvocationLogging" value="true"/>
|
|
<data id="SourcePathForUpdateHelp" value="false"/>]]>`))
|
|
}
|
|
|
|
func TestEqual(t *testing.T) {
|
|
t.Parallel()
|
|
testCases := []struct {
|
|
name, a, b, errorContains string
|
|
equal bool
|
|
}{
|
|
{
|
|
name: "empty policies",
|
|
a: "",
|
|
b: "",
|
|
equal: true,
|
|
errorContains: "",
|
|
},
|
|
{
|
|
name: "enabled policies",
|
|
a: "<![CDATA[<enabled/>]]>",
|
|
b: "<Enabled/>",
|
|
equal: true,
|
|
errorContains: "",
|
|
},
|
|
{
|
|
name: "disabled policies",
|
|
a: "<![CDATA[<disabled/>]]>",
|
|
b: "<Disabled/>",
|
|
equal: true,
|
|
errorContains: "",
|
|
},
|
|
{
|
|
name: "unequal policies",
|
|
a: "<![CDATA[<disabled/>]]>",
|
|
b: "<enabled/>",
|
|
equal: false,
|
|
errorContains: "",
|
|
},
|
|
{
|
|
name: "enabled policies with data",
|
|
a: `<![CDATA[<enabled/>
|
|
<data id="ExecutionPolicy" value="AllSigned"/>
|
|
<data id="Listbox_ModuleNames" value="*"/>
|
|
<data id="OutputDirectory" value="false"/>
|
|
<data id="EnableScriptBlockInvocationLogging" value="true"/>
|
|
<data id="SourcePathForUpdateHelp" value="false"/>]]>`,
|
|
b: "<Enabled/><Data id=\"EnableScriptBlockInvocationLogging\" value=\"true\"/><Data id=\"ExecutionPolicy\" value=\"AllSigned\"/><Data id=\"Listbox_ModuleNames\" value=\"*\"/><Data id=\"OutputDirectory\" value=\"false\"/><Data id=\"SourcePathForUpdateHelp\" value=\"false\"/>",
|
|
equal: true,
|
|
errorContains: "",
|
|
},
|
|
{
|
|
name: "enabled policies with data and nonstandard format",
|
|
a: `<Enabled/>
|
|
<![CDATA[<data id="ExecutionPolicy" value="AllSigned"/>]]>
|
|
<![CDATA[<data id="Listbox_ModuleNames" value="*"/>
|
|
<data id="OutputDirectory" value="false"/>
|
|
<data id="EnableScriptBlockInvocationLogging" value="true"/>
|
|
<data id="SourcePathForUpdateHelp" value="false"/>]]>`,
|
|
b: "<Enabled/><Data id=\"EnableScriptBlockInvocationLogging\" value=\"true\"/><Data id=\"ExecutionPolicy\" value=\"AllSigned\"/><Data id=\"Listbox_ModuleNames\" value=\"*\"/><Data id=\"OutputDirectory\" value=\"false\"/><Data id=\"SourcePathForUpdateHelp\" value=\"false\"/>",
|
|
equal: true,
|
|
errorContains: "",
|
|
},
|
|
{
|
|
name: "disabled policies with data",
|
|
a: `<![CDATA[<disabled/>
|
|
<data id="ExecutionPolicy" value="AllSigned"/>
|
|
<data id="SourcePathForUpdateHelp" value="false"/>]]>`,
|
|
b: "<Disabled/><Data id=\"EnableScriptBlockInvocationLogging\" value=\"true\"/><Data id=\"ExecutionPolicy\" value=\"AllSigned\"/><Data id=\"Listbox_ModuleNames\" value=\"*\"/><Data id=\"OutputDirectory\" value=\"false\"/><Data id=\"SourcePathForUpdateHelp\" value=\"false\"/>",
|
|
equal: true,
|
|
errorContains: "",
|
|
},
|
|
{
|
|
name: "unparsable policy a 1",
|
|
a: "<bozo",
|
|
b: "",
|
|
equal: false,
|
|
errorContains: "unmarshalling ADMX policy",
|
|
},
|
|
{
|
|
name: "unparsable policy a 2",
|
|
a: "<bozo",
|
|
b: "",
|
|
equal: false,
|
|
errorContains: "unmarshalling ADMX policy",
|
|
},
|
|
{
|
|
name: "unparsable policy b 1",
|
|
a: "",
|
|
b: "<bozo",
|
|
equal: false,
|
|
errorContains: "unmarshalling ADMX policy",
|
|
},
|
|
{
|
|
name: "unparsable policy b 2",
|
|
a: "",
|
|
b: "<bozo",
|
|
equal: false,
|
|
errorContains: "unmarshalling ADMX policy",
|
|
},
|
|
{
|
|
name: "unequal policies with missing enable",
|
|
a: `<![CDATA[<Xenabled/>
|
|
<data id="ExecutionPolicy" value="AllSigned"/>
|
|
<data id="Listbox_ModuleNames" value="*"/>
|
|
<data id="OutputDirectory" value="false"/>
|
|
<data id="EnableScriptBlockInvocationLogging" value="true"/>
|
|
<data id="SourcePathForUpdateHelp" value="false"/>]]>`,
|
|
b: "<Enabled/><Data id=\"EnableScriptBlockInvocationLogging\" value=\"true\"/><Data id=\"ExecutionPolicy\" value=\"AllSigned\"/><Data id=\"Listbox_ModuleNames\" value=\"*\"/><Data id=\"OutputDirectory\" value=\"false\"/><Data id=\"SourcePathForUpdateHelp\" value=\"false\"/>",
|
|
equal: false,
|
|
errorContains: "",
|
|
},
|
|
{
|
|
name: "unequal policies with data 1",
|
|
a: `<![CDATA[<enabled/>
|
|
<data id="EnableScriptBlockInvocationLogging" value="true"/>
|
|
<data id="SourcePathForUpdateHelp" value="false"/>]]>`,
|
|
b: "<Enabled/><Data id=\"EnableScriptBlockInvocationLogging\" value=\"true\"/><Data id=\"ExecutionPolicy\" value=\"AllSigned\"/><Data id=\"Listbox_ModuleNames\" value=\"*\"/><Data id=\"OutputDirectory\" value=\"false\"/><Data id=\"SourcePathForUpdateHelp\" value=\"false\"/>",
|
|
equal: false,
|
|
errorContains: "",
|
|
},
|
|
{
|
|
name: "unequal policies with data 2",
|
|
a: `<![CDATA[<enabled/>
|
|
<data id="ExecutionPolicy" value="XXXX"/>
|
|
<data id="Listbox_ModuleNames" value="*"/>
|
|
<data id="OutputDirectory" value="false"/>
|
|
<data id="EnableScriptBlockInvocationLogging" value="true"/>
|
|
<data id="SourcePathForUpdateHelp" value="false"/>]]>`,
|
|
b: "<Enabled/><Data id=\"EnableScriptBlockInvocationLogging\" value=\"true\"/><Data id=\"ExecutionPolicy\" value=\"AllSigned\"/><Data id=\"Listbox_ModuleNames\" value=\"*\"/><Data id=\"OutputDirectory\" value=\"false\"/><Data id=\"SourcePathForUpdateHelp\" value=\"false\"/>",
|
|
equal: false,
|
|
errorContains: "",
|
|
},
|
|
}
|
|
for _, tt := range testCases {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
equal, err := Equal(tt.a, tt.b)
|
|
if tt.errorContains == "" {
|
|
assert.NoError(t, err)
|
|
} else {
|
|
assert.ErrorContains(t, err, tt.errorContains)
|
|
}
|
|
assert.Equal(t, tt.equal, equal)
|
|
})
|
|
}
|
|
}
|