From 560c3921a3f455bd31546a08e17036b03a8f6059 Mon Sep 17 00:00:00 2001 From: Jonathan Katz <44128041+jkatz01@users.noreply.github.com> Date: Wed, 25 Feb 2026 13:26:17 -0500 Subject: [PATCH] Followup for enforcing manual agent install restrictions in gitops (#40503) **Related issue:** Resolves #40412 ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually - Individually or together setting vpp, software installers, or fleet maintained apps will send the correct error now when applied to no team with manual_agent_install enabled. --- .../gitops_enterprise_integration_test.go | 20 ++++++++++++------- ee/server/service/software_installers.go | 20 ++++++++++++++----- 2 files changed, 28 insertions(+), 12 deletions(-) diff --git a/cmd/fleetctl/integrationtest/gitops/gitops_enterprise_integration_test.go b/cmd/fleetctl/integrationtest/gitops/gitops_enterprise_integration_test.go index a7553e2e5a7..e91a08c2027 100644 --- a/cmd/fleetctl/integrationtest/gitops/gitops_enterprise_integration_test.go +++ b/cmd/fleetctl/integrationtest/gitops/gitops_enterprise_integration_test.go @@ -3389,7 +3389,7 @@ controls: queries: ` - testAll := ` + testVPP := ` controls: macos_setup: manual_agent_install: true @@ -3413,7 +3413,7 @@ team_settings: ` //nolint:gosec // test code - testPackagesFail := ` + testPackages := ` controls: macos_setup: manual_agent_install: true @@ -3442,7 +3442,7 @@ team_settings: testName: "All VPP with setup experience", VPPTeam: "All teams", teamName: teamName, - teamTemplate: testAll, + teamTemplate: testVPP, teamSettings: `secrets: [{"secret":"enroll_secret"}]`, errContains: ptr.String("Couldn't edit software."), }, 
@@ -3450,15 +3450,22 @@ team_settings: testName: "Packages fail", VPPTeam: "All teams", teamName: teamName, - teamTemplate: testPackagesFail, + teamTemplate: testPackages, teamSettings: `secrets: [{"secret":"enroll_secret"}]`, errContains: ptr.String("Couldn't edit software."), }, { - testName: "No team", + testName: "No team VPP", VPPTeam: "No team", teamName: "No team", - teamTemplate: testAll, + teamTemplate: testVPP, + errContains: ptr.String("Couldn't edit software."), + }, + { + testName: "No team Installers", + VPPTeam: "No team", + teamName: "No team", + teamTemplate: testPackages, errContains: ptr.String("Couldn't edit software."), }, // left out more possible combinations of setup experience being set for different platforms @@ -3493,7 +3500,6 @@ team_settings: testing_utils.StartAndServeVPPServer(t) // Don't attempt dry runs because they would not actually create the team, so the config would not be found - _, err = fleetctl.RunAppNoChecks([]string{"gitops", "--config", fleetctlConfig.Name(), "-f", globalFile.Name(), "-f", teamFileName}) if tc.errContains != nil { diff --git a/ee/server/service/software_installers.go b/ee/server/service/software_installers.go index c43e6372c43..c88ad829866 100644 --- a/ee/server/service/software_installers.go +++ b/ee/server/service/software_installers.go 
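Review bot: The added "No team Installers" case in gitops_enterprise_integration_test.go asserts only on `"Couldn't edit software."`, as do the cases around it. That string looks like a generic prefix, so the case would presumably also pass if the upload were rejected for a reason unrelated to manual_agent_install. Because this case is the regression test for enforcing the restriction on "No team", I would match on the part of the message that names the manual agent install restriction; its exact text is not visible in this diff. The test table and its enclosing function start and end outside the hunk.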
@@ -2218,13 +2218,23 @@ func (svc *Service) softwareBatchUpload( return resp, tfr, nil } + var manualAgentInstall bool tmID := ptr.ValOrZero(teamID) - team, err := svc.ds.TeamLite(ctx, tmID) - if err != nil { - batchErr = fmt.Errorf("Couldn't get team for team ID %d: %w", tmID, err) - return + if tmID == 0 { + ac, err := svc.ds.AppConfig(ctx) + if err != nil { + batchErr = fmt.Errorf("Couldn't get app config: %w", err) + return + } + manualAgentInstall = ac.MDM.MacOSSetup.ManualAgentInstall.Value + } else { + team, err := svc.ds.TeamLite(ctx, tmID) + if err != nil { + batchErr = fmt.Errorf("Couldn't get team for team ID %d: %w", tmID, err) + return + } + manualAgentInstall = team.Config.MDM.MacOSSetup.ManualAgentInstall.Value } - manualAgentInstall := team.Config.MDM.MacOSSetup.ManualAgentInstall.Value var g errgroup.Group g.SetLimit(1) // TODO: consider whether we can increase this limit, see https://github.com/fleetdm/fleet/issues/22704#issuecomment-2397407837
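Review bot: The new `if tmID == 0` branch in softwareBatchUpload has no comment explaining why team ID 0 reads the flag from `svc.ds.AppConfig` instead of `svc.ds.TeamLite`, even though this lookup now decides whether the manual_agent_install restriction is enforced for "No team". I would add above it `// "No team" (nil or 0 team ID) has no team record; its macos_setup settings come from the global app config.` The "no team record" part is inferred from the change, so confirm the wording. Both branches set `batchErr` and return when the lookup fails, so the check fails closed; that should be preserved if the two branches are later folded into a helper. The function body starts and ends outside the hunk.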