From 8cfcb49d24916af72051263d5b3f49786eb85352 Mon Sep 17 00:00:00 2001
From: Ian Littman
Date: Thu, 21 Nov 2024 12:37:07 -0600
Subject: [PATCH] Fix Orbit version check in LUKS escrow trigger endpoint

The host context never includes Orbit version (only the hosts/{id} endpoint does) so we need to grab that data when we need it.
---
 ee/server/service/devices.go | 8 +++++++-
 server/service/devices_test.go | 26 ++++++++++++++++----------
 2 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/ee/server/service/devices.go b/ee/server/service/devices.go
index 9fa82d0e556c..996a4ac74be4 100644
--- a/ee/server/service/devices.go
+++ b/ee/server/service/devices.go
@@ -208,7 +208,13 @@ func (svc *Service) validateReadyForLinuxEscrow(ctx context.Context, host *fleet
 		return &fleet.BadRequestError{Message: "Host's disk is not encrypted. Please enable disk encryption for this host."}
 	}
 
-	if host.OrbitVersion == nil || !fleet.IsAtLeastVersion(*host.OrbitVersion, fleet.MinOrbitLUKSVersion) {
+	// We have to pull Orbit info because the auth context doesn't fill in host.OrbitVersion
+	orbitInfo, err := svc.ds.GetHostOrbitInfo(ctx, host.ID)
+	if err != nil {
+		return err
+	}
+
+	if orbitInfo == nil || !fleet.IsAtLeastVersion(orbitInfo.Version, fleet.MinOrbitLUKSVersion) {
 		return &fleet.BadRequestError{Message: "Host's Orbit version does not support this feature. Please upgrade Orbit to the latest version."}
 	}
 
diff --git a/server/service/devices_test.go b/server/service/devices_test.go
index 774a941ca06f..4faae0e48019 100644
--- a/server/service/devices_test.go
+++ b/server/service/devices_test.go
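Review bot: The datastore error from `svc.ds.GetHostOrbitInfo` is returned bare (`return err`), so a caller cannot tell an infrastructure failure from a host that simply has no Orbit record, and the message carries no context about which host or lookup failed. Wrapping keeps the failure attributable: `return fmt.Errorf("getting orbit info for host %d: %w", host.ID, err)` (or the package's usual context-wrapping helper, if it has one). The `orbitInfo == nil` guard suggests the lookup may return no row without an error; if it instead reports not-found as an error, such a host would get a server error rather than the intended BadRequestError, which is worth a test case. validateReadyForLinuxEscrow begins before the hunk and continues after it.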
@@ -514,7 +514,7 @@ func TestTriggerLinuxDiskEncryptionEscrow(t *testing.T) {
 
 		// invalid platform
 		err := svc.TriggerLinuxDiskEncryptionEscrow(ctx, host)
-		require.Error(t, err, "Host platform does not support key escrow")
+		require.ErrorContains(t, err, "Host platform does not support key escrow")
 		require.True(t, ds.IsHostPendingEscrowFuncInvoked)
 
 		// valid platform, no-team, encryption not enabled
@@ -524,7 +524,7 @@ func TestTriggerLinuxDiskEncryptionEscrow(t *testing.T) {
 			return appConfig, nil
 		}
 		err = svc.TriggerLinuxDiskEncryptionEscrow(ctx, host)
-		require.Error(t, err, "Disk encryption is not enabled for hosts not assigned to a team")
+		require.ErrorContains(t, err, "Disk encryption is not enabled for hosts not assigned to a team")
 
 		// valid platform, team, encryption not enabled
 		host.TeamID = ptr.Uint(1)
@@ -534,29 +534,32 @@ func TestTriggerLinuxDiskEncryptionEscrow(t *testing.T) {
 			return teamConfig, nil
 		}
 		err = svc.TriggerLinuxDiskEncryptionEscrow(ctx, host)
-		require.Error(t, err, "Disk encryption is not enabled for this host's team")
+		require.ErrorContains(t, err, "Disk encryption is not enabled for this host's team")
 
 		// valid platform, team, host disk is not encrypted or unknown encryption state
 		teamConfig = &fleet.TeamMDM{EnableDiskEncryption: true}
 		err = svc.TriggerLinuxDiskEncryptionEscrow(ctx, host)
-		require.Error(t, err, "Host's disk is not encrypted. Please enable disk encryption for this host.")
+		require.ErrorContains(t, err, "Host's disk is not encrypted. Please enable disk encryption for this host.")
 		host.DiskEncryptionEnabled = ptr.Bool(false)
 		err = svc.TriggerLinuxDiskEncryptionEscrow(ctx, host)
-		require.Error(t, err, "Host's disk is not encrypted. Please enable disk encryption for this host.")
+		require.ErrorContains(t, err, "Host's disk is not encrypted. Please enable disk encryption for this host.")
 
-		// Orbit version is too old
+		// No Fleet Desktop
 		host.DiskEncryptionEnabled = ptr.Bool(true)
-		host.OrbitVersion = ptr.String("1.35.1")
+		orbitInfo := &fleet.HostOrbitInfo{Version: "1.35.1"}
+		ds.GetHostOrbitInfoFunc = func(ctx context.Context, id uint) (*fleet.HostOrbitInfo, error) {
+			return orbitInfo, nil
+		}
 		err = svc.TriggerLinuxDiskEncryptionEscrow(ctx, host)
-		require.Error(t, err, "Host's Orbit version does not support this feature. Please upgrade Orbit to the latest version.")
+		require.ErrorContains(t, err, "Host's Orbit version does not support this feature. Please upgrade Orbit to the latest version.")
 
 		// Encryption key is already escrowed
-		host.OrbitVersion = ptr.String(fleet.MinOrbitLUKSVersion)
+		orbitInfo.Version = fleet.MinOrbitLUKSVersion
 		ds.AssertHasNoEncryptionKeyStoredFunc = func(ctx context.Context, hostID uint) error {
 			return errors.New("encryption key is already escrowed")
 		}
 		err = svc.TriggerLinuxDiskEncryptionEscrow(ctx, host)
-		require.Error(t, err, "encryption key is already escrowed")
+		require.ErrorContains(t, err, "encryption key is already escrowed")
 
 		require.Len(t, reportedErrors, 7)
 	})
@@ -570,6 +573,9 @@ func TestTriggerLinuxDiskEncryptionEscrow(t *testing.T) {
 		ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
 			return &fleet.AppConfig{MDM: fleet.MDM{EnableDiskEncryption: optjson.SetBool(true)}}, nil
 		}
+		ds.GetHostOrbitInfoFunc = func(ctx context.Context, id uint) (*fleet.HostOrbitInfo, error) {
+			return &fleet.HostOrbitInfo{Version: "1.36.0", DesktopVersion: ptr.String("42")}, nil
+		}
 		ds.AssertHasNoEncryptionKeyStoredFunc = func(ctx context.Context, hostID uint) error {
 			return nil
 		}
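Review bot: The comment changed to `// No Fleet Desktop` does not describe the scenario beneath it: the stub returns Orbit `1.35.1` and the assertion expects the "Orbit version does not support this feature" error, so the old wording `// Orbit version is too old` is the accurate one (or set `DesktopVersion` if a no-Desktop case was intended). The `GetHostOrbitInfoFunc` stubs here and in the `@@ -570` hunk ignore their `id` argument, so the tests would still pass if the service consulted the wrong host's Orbit version; adding `require.Equal(t, host.ID, id)` inside each stub pins that the version gate reads the calling host's record (assuming `host` is in scope in the second subtest). Both hunks sit inside `TestTriggerLinuxDiskEncryptionEscrow`, whose body begins before and extends past them.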