-
Notifications
You must be signed in to change notification settings - Fork 383
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve device user account creation during MDM IdP enrollment flow #20162
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looking amazing, Ieft a few questions. I was imagining we could get rid of the enroll reference. The main purpose of that was to create a "link" between a device visiting the webview, and an enrollment.
because we can use device info for that now (🎉 ) we could get rid of it. Feel free to hit me up if you want to chat
server/datastore/mysql/migrations/tables/20240701103635_AddDeviceUuidToMdmIdPAccounts.go
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, left some very minor notes
server/datastore/mysql/migrations/tables/20240705152704_AddHostUuidToMdmIdpAccounts_test.go
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Backend looks good to me, left just some minor comments and regarding the dependency, I agree that we should extract just what we need, there's very little added value for us in this package AFAICT, it's a think wrapper to parse from the request's header, but the rest of the logic uses the pkcs7 and plist repos that we already depend on (and the logic in verifyPKCS7SHA1RSA
which may be the more involved part but otherwise just depends on Go's crypto).
server/datastore/mysql/migrations/tables/20240705152704_AddHostUuidToMdmIdpAccounts.go
Outdated
Show resolved
Hide resolved
server/datastore/mysql/migrations/tables/20240705152704_AddHostUuidToMdmIdpAccounts_test.go
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not super familiar with the DEP/IdP flow, but backend code LGTM!
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #20162 +/- ##
==========================================
- Coverage 55.27% 55.14% -0.14%
==========================================
Files 1416 1420 +4
Lines 133123 133764 +641
Branches 3201 3200 -1
==========================================
+ Hits 73589 73759 +170
- Misses 53543 53992 +449
- Partials 5991 6013 +22
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Reverts #20162 and #20355 per [QA findings](#19185 (comment))
Reverts #20162 and #20355 per [QA findings](#19185 (comment))
Issue #19185
TODO (follow up in separate issue)
host_emails
frommdm_idp_accounts
, but we don't have anything similar for iOS. Consider adding a cron or hooking into the MDM Checkin for iOS hosts.profiles renew
). We currently never delete frommdm_idp_accounts
and the IdP email from the prior enrollment will get re-associated to the device UUID.Checklist for submitter
If some of the following don't apply, delete the relevant line.
changes/
,orbit/changes/
oree/fleetd-chrome/changes
.See Changes files for more information.
SELECT *
is avoided, SQL injection is prevented (using placeholders for values in statements)COLLATE utf8mb4_unicode_ci
).