Linux disk encryption: frontend changes, backend error on update DE setting with missing private key #23714
Conversation
* Add Linux column to Disk encryption table
* Add "linux" to type for expected platforms with disk encryption
* Widen capabilities of `SectionHeader` to include:
* Vertically aligned title/subtitle
* Optional grey subtitle text coloring
jacobshandling
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
jacobshandling
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## 22074-linux-encryption #23714 +/- ##
==========================================================
- Coverage 63.14% 63.13% -0.01%
==========================================================
Files 1557 1558 +1
Lines 147617 147653 +36
Branches 3687 3742 +55
==========================================================
+ Hits 93212 93227 +15
- Misses 47033 47053 +20
- Partials 7372 7373 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
- Allows rendering of Disk Encryption section even when MDM is not enabled
jacobshandling
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
jacobshandling
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
jacobshandling
changed the title
jacobshandling
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
| @@ -1523,6 +1523,9 @@ func unmarshalWithGlobalDefaults(b *json.RawMessage) (fleet.Features, error) { | |||
| func (svc *Service) updateTeamMDMDiskEncryption(ctx context.Context, tm *fleet.Team, enable *bool) error { | |||
| var didUpdate, didUpdateMacOSDiskEncryption bool | |||
| if enable != nil { | |||
| if len(svc.config.Server.PrivateKey) == 0 { | |||
There was a problem hiding this comment.
more idiomatic to use == "" for string evaluation
There was a problem hiding this comment.
After consulting with MDM, let's use == "" going forward, and update existing len-based checks as we come to them, no need to update now.
| setup. | ||
| </li> | ||
| <li> | ||
| Close this window and select <b>Refetch</b> on your <b>My device</b>{" "} |
There was a problem hiding this comment.
@mostlikelee Can we force a refetch on Orbit when the passphrase is entered?
| @@ -353,14 +374,15 @@ const DeviceUserPage = ({ | |||
| mdmEnabledAndConfigured={ | |||
| !!globalConfig?.mdm.enabled_and_configured | |||
| } | |||
| mdmConnectedToFleet={!!host.mdm.connected_to_fleet} | |||
| diskEncryptionStatus={ | |||
| connectedToFleetMdm={!!host.mdm.connected_to_fleet} | |||
There was a problem hiding this comment.
Need to verify that this doesn't show up for Linux hosts as there isn't a concept of Linux MDM the same way there is for Mac/Win.
There was a problem hiding this comment.
This should be testable now with a Linux host as nothing we're doing on the backend changes the fact that there's no Linux MDM.
There was a problem hiding this comment.
This prop is only used in conjunction with (a) macDiskEncryptionStatus === "action_required" to determine whether to (b) showMacDiskEncryptionKeyResetRequired – since (a) should only be possible for darwin hosts, there shouldn't be any issue here.
Here's a clarifying rename that should make those relationships more clear.
Does that make sense or am I missing something?
There was a problem hiding this comment.
Will, as noted, test all of this today
| }, | ||
| }); | ||
| } | ||
| return sendRequest("PATCH", teamsEndpoint, { | ||
| return sendRequest("POST", teamsEndpoint, { |
There was a problem hiding this comment.
Updating this call from using a deprecated endpoint to using the latest – see here
There was a problem hiding this comment.
Actually looks like we can unify logic for which endpoint to hit here, as the new endpoint supports a nil team ID for editing no-team config, vs. needing to split between a team-specific endpoint and a no-team-specific endpoint. Does that match what you're seeing?
| // TODO: API INTEGRATION: remove macos_settings when API change is merged in. | ||
| macos_settings: { enable_disk_encryption: enableDiskEncryption }, | ||
| // enable_disk_encryption: enableDiskEncryption, | ||
| enable_disk_encryption: enableDiskEncryption, |
There was a problem hiding this comment.
Is this supported on the backend, or does this tweak need to be built so we don't lose support for macOS?
There was a problem hiding this comment.
Above should answer this question as well
There was a problem hiding this comment.
(yes, it's supported 🙂)
jacobshandling
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
| @@ -706,8 +706,8 @@ func attachFleetAPIRoutes(r *mux.Router, svc fleet.Service, config config.FleetC | |||
|
|
|||
| // Deprecated: GET /mdm/profiles/summary is now deprecated, replaced by the | |||
| // GET /configuration_profiles/summary endpoint. | |||
| mdmAnyMW.GET("/api/_version_/fleet/mdm/profiles/summary", getMDMProfilesSummaryEndpoint, getMDMProfilesSummaryRequest{}) | |||
| mdmAnyMW.GET("/api/_version_/fleet/configuration_profiles/summary", getMDMProfilesSummaryEndpoint, getMDMProfilesSummaryRequest{}) | |||
Addresses #22702, #23713, #23756, and #23747
-Note that much of this code as is will render as expected only once integrated with the backend or if manipulated manually for testing purposes
Frontend:
Create keyCreateLinuxKeyModalto inform user of next steps after clickingCreate keySectionHeadercomponent, apply to new UI-Other TODO:
Backend:
For "No team" and teams, error when trying to update disk encryption enabled while no server private key is present.
Changes file added for user-visible changes in
changes/Added/updated tests
Manual QA for all new/changed functionality