Limited disk encryption key escrowing when setting enabled

[ksykulev]

Related issue: Resolves #33296

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.
• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements)

Testing

• Added/updated automated tests
• QA'd all new/changed functionality manually

Summary by CodeRabbit

Bug Fixes

• Disk encryption key escrowing now only proceeds when disk encryption is explicitly enabled at the global or team level.

Tests

• Significantly expanded test coverage for Mobile Device Management, including VPP app handling, device enrollment workflows, host lock/wipe operations, SCEP proxy integrations, and DigiCert certificate handling.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[codecov]

Codecov Report

❌ Patch coverage is 54.90196% with 23 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.19%. Comparing base (1a695da) to head (8c3807c).
⚠️ Report is 55 commits behind head on main.

Files with missing lines	Patch %	Lines
...r/service/osquery_utils/disk_encryption_helpers.go	60.86%	7 Missing and 2 partials ⚠️
server/service/osquery_utils/queries.go	50.00%	7 Missing and 1 partial ⚠️
server/service/orbit.go	50.00%	5 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##             main   #39047    +/-   ##
========================================
  Coverage   66.18%   66.19%            
========================================
  Files        2423     2424     +1     
  Lines      194006   194146   +140     
  Branches     8551     8551            
========================================
+ Hits       128400   128506   +106     
- Misses      53937    53956    +19     
- Partials    11669    11684    +15     

Flag	Coverage Δ
backend	67.95% <54.90%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mostlikelee]

LGTM

[ksykulev]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Walkthrough

The PR adds guards to prevent disk encryption key archival when disk encryption is not enabled at the team or global level. A new helper function determines if encryption is enabled for a host, with this check applied in multiple key ingestion and archival paths.

Changes

Cohort / File(s)	Summary
Changelog and Helper Function changes/33296-disk-encryption, server/service/osquery_utils/disk_encryption_helpers.go	Adds changelog entry and introduces IsDiskEncryptionEnabledForHost helper that checks team-level or global AppConfig to determine if encryption is enabled for a given host.
Archival Guards server/service/orbit.go, server/service/osquery_utils/queries.go	Introduces pre-archival guards in SetOrUpdateDiskEncryptionKey, EscrowLUKSData, and Darwin disk key ingestion paths (directIngestDiskEncryptionKeyFileDarwin, directIngestDiskEncryptionKeyFileLinesDarwin) to skip key archival if encryption is disabled, with corresponding debug logging.
Helper Function Tests server/service/osquery_utils/disk_encryption_helpers_test.go	Comprehensive test suite for IsDiskEncryptionEnabledForHost covering team-level, global, error, and override scenarios.
Existing Test Updates server/service/orbit_test.go, server/service/osquery_utils/queries_test.go	Updates test fixtures to enable disk encryption in AppConfig for LUKS and Darwin disk key ingestion test paths.
Integration Tests server/service/integration_mdm_test.go	Adds extensive MDM integration tests covering VPP apps, host lock/wipe operations, SCEP/DigiCert CA proxies, host enrollment/unenrollment scenarios, and label/policy association validation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• PR #31634: Directly related as it modifies the same disk-encryption escrow code paths, functions, and introduces the escrow flow with corresponding activity logging.

Suggested reviewers

• JordanMontgomery
• rachaelshaw
• lukeheath

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title clearly summarizes the main change: limiting disk encryption key escrowing to when the setting is enabled.
Description check	✅ Passed	Description includes required items: related issue #33296, changes file added, automated tests updated, and proper validation/SQL safety confirmed.
Linked Issues check	✅ Passed	All changes align with #33296 objective: guards added to prevent key escrowing when disk encryption is disabled [#33296].
Out of Scope Changes check	✅ Passed	All changes directly support the objective of limiting key escrowing; no unrelated modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch 33296-disk-encryption

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@server/service/integration_mdm_test.go`:
- Around line 9476-9490: The loop that counts escrow activities is
order-dependent; modify it to count only activities with activity.ID >
seenEscrowKeyActivityID (treat seenEscrowKeyActivityID as the
lastSeenActivityID) instead of activity.ID != seenEscrowKeyActivityID, collect
those matching activities (Type ==
fleet.ActivityTypeEscrowedDiskEncryptionKey().ActivityName()), assert that
exactly one new activity was found (require.Equal(t, 1, newCount) or
require.Len), unmarshal Details into escrowKeyActivity and
require.True(activity.FleetInitiated) for that single new activity, and update
seenEscrowKeyActivityID to that activity.ID so results are deterministic and not
iteration-order dependent.

🧹 Nitpick comments (1)

server/service/osquery_utils/disk_encryption_helpers.go (1)

13-42: Add a defensive nil-host guard.

This helper is public and can panic if a nil host is passed in future call sites. A lightweight guard keeps it safe without changing behavior.

♻️ Suggested patch

 func IsDiskEncryptionEnabledForHost(ctx context.Context, logger log.Logger, ds fleet.Datastore, host *fleet.Host) bool {
+	if host == nil {
+		return false
+	}
 	// team
 	if host.TeamID != nil {

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Count only new escrow activities to avoid order-dependent results.
The current activity.ID != seenEscrowKeyActivityID filter depends on iteration order and can miscount when multiple prior escrow activities exist. Filter by activity.ID > lastSeenActivityID and assert exactly one new activity.

🐛 Make activity counting deterministic

-		escrowCountFinal := 0
-		escrowKeyActivity = fleet.ActivityTypeEscrowedDiskEncryptionKey{}
+		escrowCountFinal := 0
+		escrowKeyActivity = fleet.ActivityTypeEscrowedDiskEncryptionKey{}
+		lastSeenActivityID := seenEscrowKeyActivityID
 		for _, activity := range activities {
-			if activity.Type == escrowKeyActivity.ActivityName() && activity.ID != seenEscrowKeyActivityID {
+			if activity.Type == escrowKeyActivity.ActivityName() && activity.ID > lastSeenActivityID {
 				escrowCountFinal++
 				err := json.Unmarshal(*activity.Details, &escrowKeyActivity)
 				require.NoError(t, err)
 				require.True(t, activity.FleetInitiated)

 				seenEscrowKeyActivityID = activity.ID
 			}
 		}
-		require.Equal(t, escrowCountBefore+1, escrowCountFinal)
+		require.Equal(t, 1, escrowCountFinal)

🤖 Prompt for AI Agents

In `@server/service/integration_mdm_test.go` around lines 9476 - 9490, The loop
that counts escrow activities is order-dependent; modify it to count only
activities with activity.ID > seenEscrowKeyActivityID (treat
seenEscrowKeyActivityID as the lastSeenActivityID) instead of activity.ID !=
seenEscrowKeyActivityID, collect those matching activities (Type ==
fleet.ActivityTypeEscrowedDiskEncryptionKey().ActivityName()), assert that
exactly one new activity was found (require.Equal(t, 1, newCount) or
require.Len), unmarshal Details into escrowKeyActivity and
require.True(activity.FleetInitiated) for that single new activity, and update
seenEscrowKeyActivityID to that activity.ID so results are deterministic and not
iteration-order dependent.