Orbit passes EUA token during enrollment#43369

Merged: getvictor merged 17 commits into main from 41379-eua-orbit on Apr 13, 2026

@ksykulev ksykulev commented Apr 9, 2026

Related issue: Resolves #41379

Checklist for submitter

If some of the following don't apply, delete the relevant line.

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.

Testing

fleetd/orbit/Fleet Desktop

  • Verified compatibility with the latest released version of Fleet (see Must rule)
  • If the change applies to only one platform, confirmed that runtime.GOOS is used as needed to isolate changes
  • Verified that fleetd runs on macOS, Linux and Windows
  • Verified auto-update works from the released version of component to the new version (see tools/tuf/test)

Summary by CodeRabbit

  • New Features

    • Added EUA token support to Orbit enrollment workflow
    • Introduced --eua-token CLI flag for Windows MDM enrollment
    • Windows MSI packages now support EUA_TOKEN property (Orbit v1.55.0+)
  • Tests

    • Added tests for EUA token handling in enrollment and Windows packaging
  • Documentation

    • Added changelog entry documenting EUA token inclusion in enrollment requests

@ksykulev ksykulev requested a review from a team as a code owner April 9, 2026 20:20

@ksykulev ksykulev requested review from Copilot and removed request for a team April 9, 2026 20:21

Copilot AI left a comment


Pull request overview

Adds support for passing a Windows MDM end-user authentication (EUA) token from the Fleet MSI installer into Orbit, and sending it along with the /api/fleet/orbit/enroll request so Fleet can link the IdP account during enrollment.

Changes:

  • Enable a new EUA_TOKEN MSI property (gated by Orbit version) and pass it to the Orbit Windows service as --eua-token.
  • Add a hidden --eua-token CLI flag to Orbit and plumb it into the Orbit enroll request payload (eua_token).
  • Add unit tests covering both the MSI template output and the enroll request JSON behavior.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| orbit/pkg/packaging/windows.go | Enables the new MSI property based on Orbit version gating. |
| orbit/pkg/packaging/windows_templates.go | Adds EUA_TOKEN property and wires it into the Windows service arguments. |
| orbit/pkg/packaging/windows_eua_test.go | New tests validating the WiX template includes/omits EUA pieces appropriately. |
| orbit/pkg/packaging/packaging.go | Extends packaging Options with EnableEUATokenProperty. |
| orbit/cmd/orbit/orbit.go | Adds hidden --eua-token flag and sets it on the Orbit client before enrollment-triggering calls. |
| client/orbit_client.go | Stores EUA token on the client and includes it in EnrollOrbitRequest. |
| client/orbit_client_eua_test.go | Verifies eua_token is present when set and omitted when empty. |
| changes/41379-orbit-eua | Adds a changelog entry for the new behavior. |


Comment thread orbit/pkg/packaging/windows_eua_test.go Outdated
codecov Bot commented Apr 9, 2026

Codecov Report

❌ Patch coverage is 0% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.92%. Comparing base (c3f5029) to head (82c57a5).
⚠️ Report is 8 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| orbit/cmd/orbit/orbit.go | 0.00% | 8 Missing ⚠️ |
| orbit/pkg/packaging/windows.go | 0.00% | 2 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #43369      +/-   ##
==========================================
+ Coverage   66.90%   66.92%   +0.01%     
==========================================
  Files        2596     2596              
  Lines      208220   208230      +10     
  Branches     9285     9321      +36     
==========================================
+ Hits       139314   139350      +36     
+ Misses      56236    56218      -18     
+ Partials    12670    12662       -8     

| Flag | Coverage Δ |
| --- | --- |
| backend | 68.70% <0.00%> (+0.01%) ⬆️ |


Copilot AI left a comment


Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.



Comment thread client/orbit_client_eua_test.go Outdated
getvictor previously approved these changes Apr 11, 2026

@getvictor getvictor left a comment


Looks good. Just some minor comments.

Comment thread client/orbit_client_eua_test.go Outdated
Comment thread client/orbit_client_eua_test.go Outdated
Comment thread orbit/changes/41379-orbit-eua
Comment thread orbit/pkg/packaging/windows_eua_test.go Outdated
Base automatically changed from 41381-eua-ms-installer to main April 13, 2026 17:17
@ksykulev ksykulev dismissed getvictor’s stale review April 13, 2026 17:17

The base branch was changed.


coderabbitai Bot commented Apr 13, 2026

Walkthrough

The PR adds EUA token support throughout Orbit's enrollment and Windows installer workflow. The OrbitClient now stores an EUA token via a new SetEUAToken method and includes it in enrollment requests. A hidden CLI flag --eua-token (with environment variable ORBIT_EUA_TOKEN) enables passing the token during Orbit startup. The Windows MSI packaging system conditionally enables EUA token support for Orbit v1.55.0 and later by adding the --eua-token argument to the Orbit service configuration in the WiX template. Tests verify correct token handling in enrollment requests and installer generation.

Possibly related PRs

  • Added EUA to the Fleet MSI installer #43295: Implements EUA token support for Orbit enrollment and Windows MSI installer by adding token handling to enroll request structs and plumbing it through client, CLI, service APIs, and packaging

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'Orbit passes EUA token during enrollment' directly summarizes the main change: adding EUA token passing capability to the Orbit enrollment process. |
| Description check | ✅ Passed | The PR description includes the related issue (#41379), checks the changes file and testing boxes, and marks fleetd/orbit compatibility items as verified. |
| Linked Issues check | ✅ Passed | All core requirements from #41379 are met: EUA_TOKEN parameter added to Orbit, included in enrollment payload when set, and tests verify the behavior including omitempty handling. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to #41379 requirements: client token handling, CLI flag integration, Windows MSI property support, and corresponding tests. |


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
client/orbit_client.go (1)

512-525: Clear EUA token after successful enroll to preserve one-time semantics.
At Line 524, the token is sent on every enroll call for the process lifetime. Since this is intended to be one-time, clear it after a successful enroll response.

♻️ Suggested change
 func (oc *OrbitClient) enroll() (string, error) {
 	verb, path := "POST", "/api/fleet/orbit/enroll"
 	params := fleet.EnrollOrbitRequest{
 		EnrollSecret:      oc.enrollSecret,
 		HardwareUUID:      oc.hostInfo.HardwareUUID,
 		HardwareSerial:    oc.hostInfo.HardwareSerial,
 		Hostname:          oc.hostInfo.Hostname,
 		Platform:          oc.hostInfo.Platform,
 		PlatformLike:      oc.hostInfo.PlatformLike,
 		OsqueryIdentifier: oc.hostInfo.OsqueryIdentifier,
 		ComputerName:      oc.hostInfo.ComputerName,
 		HardwareModel:     oc.hostInfo.HardwareModel,
 		EUAToken:          oc.euaToken,
 	}
 	var resp fleet.EnrollOrbitResponse
 	err := oc.request(verb, path, params, &resp)
 	if err != nil {
 		return "", err
 	}
+	oc.euaToken = ""
 	return resp.OrbitNodeKey, nil
 }
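Review bot: the added `oc.euaToken = ""` after the error check is an unsynchronized write to a field that the same function reads when it builds `params` (`EUAToken: oc.euaToken`). If enroll() can be reached from more than one goroutine, take the client's lock around both the read and the reset, or swap the value out under the lock before the request is sent. The line also deserves a short comment saying the token is one-time, since nothing in the hunk explains why a field is zeroed on success. Note that this reset only affects the in-memory copy: per the walkthrough, the token reaches Orbit through the `--eua-token` argument in the service configuration, so it does not cover a process restart, which starts from the same arguments.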
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@client/orbit_client.go` around lines 512 - 525, The enroll() method currently
sends oc.euaToken on every call; after a successful enroll response, clear the
token to preserve one-time semantics by setting oc.euaToken = "" (in the
OrbitClient instance) before returning success. Locate this in enroll() after
the response is validated/parsed and ensure the token is cleared only on success
(and consider using any existing client mutex if concurrent calls to enroll()
are possible).


📥 Commits

Reviewing files that changed from the base of the PR and between 83a886b and a2da5d4.

📒 Files selected for processing (8)
  • client/orbit_client.go
  • client/orbit_client_eua_test.go
  • orbit/changes/41379-orbit-eua
  • orbit/cmd/orbit/orbit.go
  • orbit/pkg/packaging/packaging.go
  • orbit/pkg/packaging/windows.go
  • orbit/pkg/packaging/windows_eua_test.go
  • orbit/pkg/packaging/windows_templates.go
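
The payload behaviour described in the reviews above (eua_token present when set, omitted when empty, and sent only until an enroll succeeds) can be sketched as follows. This is an added example, not code from the PR or the Fleet repository; the enrollRequest and client types, the enroll_secret key, the send stub and the sample values are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// Hypothetical stand-in for the enroll payload; only the eua_token key is from the PR.
type enrollRequest struct {
	EnrollSecret string `json:"enroll_secret"`
	EUAToken     string `json:"eua_token,omitempty"` // omitted from JSON when empty
}

// Hypothetical client; send is a transport stub for POST /api/fleet/orbit/enroll.
type client struct {
	mu               sync.Mutex
	secret, euaToken string
	send             func(body []byte) error
}

// Enroll reads and clears the token under one lock; it clears only after send succeeds.
func (c *client) Enroll() ([]byte, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	body, err := json.Marshal(enrollRequest{EnrollSecret: c.secret, EUAToken: c.euaToken})
	if err != nil {
		return nil, err
	}
	if err := c.send(body); err != nil {
		return body, err // token kept so a retry can still link the account
	}
	c.euaToken = "" // one-time: later enrolls in this process omit eua_token
	return body, nil
}

// Bodies returns the request bodies of three attempts: fail, succeed, succeed.
func Bodies() (out []string) {
	c := &client{secret: "constructed-secret", euaToken: "constructed-token"}
	for _, res := range []error{errors.New("constructed transient failure"), nil, nil} {
		c.send = func([]byte) error { return res }
		body, _ := c.Enroll()
		out = append(out, string(body))
	}
	return out
}

func main() { fmt.Println(Bodies()) }
```

The first two bodies carry the token (the first attempt failed, so it is retried); the third, after a successful enroll, has no eua_token key at all.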

@getvictor (Member):

@ksykulev I'm merging this so that I can build on top of these changes.

@getvictor getvictor merged commit 2245359 into main Apr 13, 2026
63 of 64 checks passed
@getvictor getvictor deleted the 41379-eua-orbit branch April 13, 2026 21:19
Linked issue (may be closed by this pull request): WEPO: Orbit/installer changes for passing EUA token
