Prevent patch title ID collisions

[allenhouchins]

Resolves: #44183
Only supply patch_software_title_id when the policy type is PolicyTypePatch. Previously fmaTitleID was passed for all policy inserts, which could cause unique index collisions (idx_team_id_patch_software_title_id) when dynamic policies (e.g. install_software) carried fleet_maintained_app_slug. Introduce patchSoftwareTitleIDArg set to the title ID for patch policies and nil otherwise, and use it in the tx.ExecContext call.

Related issue: Resolves #

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.

• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

• Timeouts are implemented and retries are limited to avoid infinite loops

• If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

• Added/updated automated tests

• Where appropriate, automated tests simulate multiple hosts and test for host isolation (updates to one hosts's records do not affect another)

• QA'd all new/changed functionality manually

For unreleased bug fixes in a release candidate, one of:

• Confirmed that the fix is not expected to adversely impact load test results
• Alerted the release DRI if additional load testing is needed

Database migrations

• Checked schema for all modified table for columns that will auto-update timestamps during migration.
• Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
• Ensured the correct collation is explicitly set for character columns (COLLATE utf8mb4_unicode_ci).

New Fleet configuration settings

• Setting(s) is/are explicitly excluded from GitOps

If you didn't check the box above, follow this checklist for GitOps-enabled settings:

• Verified that the setting is exported via fleetctl generate-gitops
• Verified the setting is documented in a separate PR to the GitOps documentation
• Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional)
• Verified that any relevant UI is disabled when GitOps mode is enabled

fleetd/orbit/Fleet Desktop

• Verified compatibility with the latest released version of Fleet (see Must rule)
• If the change applies to only one platform, confirmed that runtime.GOOS is used as needed to isolate changes
• Verified that fleetd runs on macOS, Linux and Windows
• Verified auto-update works from the released version of component to the new version (see tools/tuf/test)

Summary by CodeRabbit

• Bug Fixes
  • Non-patch dynamic policies no longer inherit patch-specific identifiers, preventing conflicts when multiple policies target the same team/app while keeping patch policies correctly associated.
• Tests
  • Added a regression test to verify dynamic policies do not persist patch-only identifiers and that patch policies retain their expected association.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.78%. Comparing base (a4229fb) to head (d6ea484).
⚠️ Report is 79 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #44179      +/-   ##
==========================================
+ Coverage   66.76%   66.78%   +0.01%     
==========================================
  Files        2629     2627       -2     
  Lines      211215   211151      -64     
  Branches     9539     9539              
==========================================
- Hits       141027   141017      -10     
+ Misses      57361    57315      -46     
+ Partials    12827    12819       -8     

Flag	Coverage Δ
backend	68.56% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[Copilot]

Pull request overview

Updates ApplyPolicySpecs to avoid patch_software_title_id uniqueness collisions by only setting that column for patch policies, even when other (dynamic) policy types carry fleet_maintained_app_slug.

Changes:

• Introduce a separate SQL argument (patchSoftwareTitleIDArg) that is set only when spec.Type == fleet.PolicyTypePatch.
• Pass NULL for patch_software_title_id on non-patch policy inserts/updates to avoid triggering idx_team_id_patch_software_title_id collisions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 23373ec6-21fa-49dd-92c7-74f086903781

📥 Commits

Reviewing files that changed from the base of the PR and between 5b16c69 and d6ea484.

📒 Files selected for processing (1)

• server/datastore/mysql/policies.go

🚧 Files skipped from review as they are similar to previous changes (1)

• server/datastore/mysql/policies.go

---

Walkthrough

ApplyPolicySpecs in the MySQL datastore now supplies the patch_software_title_id SQL argument only for policies with type = patch; for other dynamic policy types the argument is left unset (nil/zero). This prevents non-patch specs that include fleet_maintained_app_slug from persisting or reusing a patch title ID and colliding with the idx_team_id_patch_software_title_id unique index. A regression test was added validating that only patch policies have patch_software_title_id populated.

Possibly related PRs

• Fix patch policy bugs #43420: Modifies ApplyPolicySpecs to change how patch_software_title_id is resolved and used during upsert, addressing similar index/collision behavior.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description provides a clear technical explanation of the bug fix but the submission checklist is entirely unchecked, missing critical completion indicators for testing, validation, and migration checks.	Complete the submission checklist by checking appropriate boxes to confirm testing was added, security validation was performed, and database considerations were reviewed.
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Prevent patch title ID collisions' clearly and concisely summarizes the main change: preventing unique index collisions by conditionally supplying patch_software_title_id only for patch policies.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch allenhouchins-bug-fix

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

server/datastore/mysql/policies.go (1)

1506-1519: Fix looks correct — gating patch_software_title_id behind type == patch is the right call.

The deref *fmaTitleID on line 1511 is safe given the nil-guard at lines 1481-1485, and a zero-value any translates to SQL NULL for the parameter. Per the schema (context snippet 1), patch_software_title_id is nullable and the unique index idx_team_id_patch_software_title_id treats multiple NULLs as distinct, so dynamic policies that still carry fleet_maintained_app_slug no longer collide. Upserts of previously-buggy rows will also self-heal via patch_software_title_id = VALUES(patch_software_title_id) in the ON DUPLICATE KEY UPDATE clause.

A couple of follow-ups worth considering (non-blocking):

1. Add a regression test for ApplyPolicySpecs covering the failure mode this fixes — e.g., applying two specs on the same team where one is type: patch and another is type: dynamic (install_software) referencing the same fleet_maintained_app_slug. Without a test, it's easy for a future refactor to reintroduce the collision. The PR description notes no tests were added.
2. Pre-existing rows: any dynamic policies that were previously inserted with a non-NULL patch_software_title_id due to this bug will only be corrected the next time the spec is re-applied (the upsert path will reset it to NULL). If you suspect production already has such rows, a one-off backfill (UPDATE policies SET patch_software_title_id = NULL WHERE type = 'dynamic') may be worth considering as a separate change.

Want me to draft the regression test against server/datastore/mysql/policies_test.go?

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/datastore/mysql/policies.go` around lines 1506 - 1519, The current fix
correctly gates patch_software_title_id to only set a value when spec.Type ==
fleet.PolicyTypePatch; add a regression test to ensure this doesn't regress by
creating two specs for the same team — one with Type == fleet.PolicyTypePatch
and one with Type == fleet.PolicyTypeDynamic (e.g., install_software) that
reference the same fleet_maintained_app_slug — and assert ApplyPolicySpecs (call
the function ApplyPolicySpecs in the code under test) results in one row with a
non-NULL patch_software_title_id for the patch policy and a NULL
patch_software_title_id for the dynamic policy; add this test to
server/datastore/mysql/policies_test.go and, optionally, consider scripting a
one-off DB migration/backfill to NULL out patch_software_title_id for rows where
type != 'patch' if production might contain bad data.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@server/datastore/mysql/policies.go`:
- Around line 1506-1519: The current fix correctly gates patch_software_title_id
to only set a value when spec.Type == fleet.PolicyTypePatch; add a regression
test to ensure this doesn't regress by creating two specs for the same team —
one with Type == fleet.PolicyTypePatch and one with Type ==
fleet.PolicyTypeDynamic (e.g., install_software) that reference the same
fleet_maintained_app_slug — and assert ApplyPolicySpecs (call the function
ApplyPolicySpecs in the code under test) results in one row with a non-NULL
patch_software_title_id for the patch policy and a NULL patch_software_title_id
for the dynamic policy; add this test to server/datastore/mysql/policies_test.go
and, optionally, consider scripting a one-off DB migration/backfill to NULL out
patch_software_title_id for rows where type != 'patch' if production might
contain bad data.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c4889e7a-0d87-4737-bd50-164b73bc29f2

📥 Commits

Reviewing files that changed from the base of the PR and between 8dcc43d and 874c5cf.

📒 Files selected for processing (1)

• server/datastore/mysql/policies.go