Start Linux disk encryption enterprise test, don't touch macOS FileVault on enabling encryption if macOS MDM isn't enabled

iansltx · iansltx · commit f74819032eed · 2024-11-22T20:46:49.000-06:00
diff --git a/server/service/apple_mdm.go b/server/service/apple_mdm.go
@@ -2157,7 +2157,7 @@ func (svc *Service) updateAppConfigMDMDiskEncryption(ctx context.Context, enable
 		if ac.MDM.EnableDiskEncryption.Value != *enabled {
 			ac.MDM.EnableDiskEncryption = optjson.SetBool(*enabled)
 			didUpdate = true
-			didUpdateMacOSDiskEncryption = true
+			didUpdateMacOSDiskEncryption = ac.MDM.EnabledAndConfigured
 		}
 	}
 
diff --git a/server/service/integration_enterprise_test.go b/server/service/integration_enterprise_test.go
@@ -2881,6 +2881,40 @@ func (s *integrationEnterpriseTestSuite) TestAppleOSUpdatesTeamConfig() {
 	}, http.StatusUnprocessableEntity, &tmResp)
 }
 
+func (s *integrationEnterpriseTestSuite) TestLinuxDiskEncryption() {
+	t := s.T()
+
+	// create a Linux host
+	hostLin, err := s.ds.NewHost(context.Background(), &fleet.Host{
+		DetailUpdatedAt: time.Now(),
+		LabelUpdatedAt:  time.Now(),
+		PolicyUpdatedAt: time.Now(),
+		SeenTime:        time.Now(),
+		NodeKey:         ptr.String(strings.ReplaceAll(t.Name(), "/", "_") + "3"),
+		OsqueryHostID:   ptr.String(strings.ReplaceAll(t.Name(), "/", "_") + "3"),
+		UUID:            t.Name() + "3",
+		Hostname:        t.Name() + "foo3.local",
+		PrimaryIP:       "192.168.1.3",
+		PrimaryMac:      "30-65-EC-6F-C4-60",
+		Platform:        "ubuntu",
+		OSVersion:       "Ubuntu 22.04",
+	})
+	require.NoError(t, err)
+
+	// turn on disk encryption enforcement
+	s.Do("POST", "/api/latest/fleet/disk_encryption", updateDiskEncryptionRequest{EnableDiskEncryption: true}, http.StatusNoContent)
+
+	// set encrypted for host
+	require.NoError(t, s.ds.SetOrUpdateHostDisksEncryption(context.Background(), hostLin.ID, true))
+
+	// should succeed as we no longer require MDM to access this endpoint, as Linux encryption doesn't require MDM
+	var summary getMDMDiskEncryptionSummaryResponse
+	s.DoJSON("GET", "/api/latest/fleet/mdm/disk_encryption/summary", getMDMDiskEncryptionSummaryRequest{}, http.StatusOK, &summary)
+	s.DoJSON("GET", "/api/latest/fleet/disk_encryption", getMDMDiskEncryptionSummaryRequest{}, http.StatusOK, &summary)
+	// disk is encrypted but key hasn't been escrowed yet
+	require.Equal(t, fleet.MDMDiskEncryptionSummary{ActionRequired: fleet.MDMPlatformsCounts{Linux: 1}}, *summary.MDMDiskEncryptionSummary)
+}
+
 func (s *integrationEnterpriseTestSuite) TestListDevicePolicies() {
 	t := s.T()
 	ctx := context.Background()

Original file line number	Diff line number	Diff line change
`@@ -2157,7 +2157,7 @@ func (svc *Service) updateAppConfigMDMDiskEncryption(ctx context.Context, enable`
`2157`	`2157`	`if ac.MDM.EnableDiskEncryption.Value != *enabled {`
`2158`	`2158`	`ac.MDM.EnableDiskEncryption = optjson.SetBool(*enabled)`
`2159`	`2159`	`didUpdate = true`
`2160`		`- didUpdateMacOSDiskEncryption = true`
	`2160`	`+ didUpdateMacOSDiskEncryption = ac.MDM.EnabledAndConfigured`
`2161`	`2161`	`}`
`2162`	`2162`	`}`
`2163`	`2163`