Update WLAN XML profile verification so they aren't resent

[JordanMontgomery]

Fixes #24394 by adding new verification logic to detect and verify these profiles. We only verify a subset of the properties because there are certain settings such as the Authentication which Windows seems to upgrade in circumstances where it can(e.g. WPA2 specified but interface + router supports WPA3 results in WPA3 on the client and there are likely other similar scenarios). After discussion with design team we've decided the limited verification is better than what we had before and a good solution for now.

I know this is extremely heavy on comments but the behavior is strange and non obvious.

Also see latest comment on the issue for some testing discussion: #24394 (comment)

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.
• Added/updated automated tests
• A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it)
• Manual QA for all new/changed functionality

[codecov]

Codecov Report

Attention: Patch coverage is 82.40000% with 22 lines in your changes missing coverage. Please review.

Project coverage is 63.98%. Comparing base (183d0d8) to head (84df57c).
Report is 32 commits behind head on main.

Files with missing lines	Patch %	Lines
server/mdm/microsoft/wlanxml/wlanxml.go	83.01%	12 Missing and 6 partials ⚠️
server/mdm/microsoft/profile_verifier.go	73.33%	3 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #28296   +/-   ##
=======================================
  Coverage   63.98%   63.98%           
=======================================
  Files        1783     1784    +1     
  Lines      171258   171327   +69     
  Branches     4945     4945           
=======================================
+ Hits       109576   109625   +49     
- Misses      53036    53054   +18     
- Partials     8646     8648    +2     

Flag	Coverage Δ
backend	65.03% <82.40%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mna]

Looks great! I think the comments are very useful given that it's complementary to the code and provides insights into why that custom Equal stuff is even required. Just had some minor things as feedback, none are blockers to merge (which is why I also "Approve", meaning - up to you to apply the suggestions here, in a later PR or not at all).

[mna]

Just curious (I don't know what is ADMX?), why does the XML has to be escaped here? (i.e. why don't we send <?xml...?)

[mna]

Oh I think it's because that's how we receive it from the host for verification, right?

[JordanMontgomery]

Correct. WE get an XML file with a big XMLEncoded blob in it which is itself an XML file and likewise we send something similar.

[mna]

Feels like there was more to come here?

[JordanMontgomery]

Good catch. I wrote so many comments trying to capture all the strangeness I was trying to account for I missed this incomplete one.

[JordanMontgomery]

Actually removed comment since it is no longer relevant

[mna]

Nit: this test would work nicely as table-driven (simple input -> expected output test cases).

[JordanMontgomery]

Refactored this as a table based test

[getvictor]

I went over the PR with Jordan. I can re-review after the next set of changes.

[getvictor]

@JordanMontgomery When the diff fails, do we log the specific error (what is wrong) or print the error in the UI? This info would be useful if we have to debug this in production.

[JordanMontgomery]

@JordanMontgomery When the diff fails, do we log the specific error (what is wrong) or print the error in the UI? This info would be useful if we have to debug this in production.

We don't currently do this for any profile types as best I can tell except in the really bad cases where we completely fail to unmarshal(which shouldn't be common). Right now the error we show in the UI For these generally comes from us trying to re-Add the profile. I think as the code is currently written the easiest way to debug is probably to capture the fleetd logs which show the OSQuery output and allow comparing the profiles, but that is obviously not great.

We could for all failed profiles add a debug log where we log the profiles(expected + received. My only concern with that would be the possibility we leak secrets into the logs

[getvictor]

LGTM