Skip to content

macos password sync feature branch#47422

Merged
JordanMontgomery merged 27 commits into
mainfrom
feature/fleet-macos-password-sync
Jul 9, 2026
Merged

macos password sync feature branch#47422
JordanMontgomery merged 27 commits into
mainfrom
feature/fleet-macos-password-sync

Conversation

@JordanMontgomery

@JordanMontgomery JordanMontgomery commented Jun 11, 2026

Copy link
Copy Markdown
Member

Related issue: Resolves #45524

Checklist for submitter

If some of the following don't apply, delete the relevant line.

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.

  • Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

  • Timeouts are implemented and retries are limited to avoid infinite loops

  • If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

For unreleased bug fixes in a release candidate, one of:

  • Confirmed that the fix is not expected to adversely impact load test results
  • Alerted the release DRI if additional load testing is needed

Database migrations

  • Checked schema for all modified table for columns that will auto-update timestamps during migration.
  • Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
  • Ensured the correct collation is explicitly set for character columns (COLLATE utf8mb4_unicode_ci).

New Fleet configuration settings

  • Setting(s) is/are explicitly excluded from GitOps

If you didn't check the box above, follow this checklist for GitOps-enabled settings:

  • Verified that the setting is exported via fleetctl generate-gitops
  • Verified the setting is documented in a separate PR to the GitOps documentation
  • Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional)
  • Verified that any relevant UI is disabled when GitOps mode is enabled

Summary by CodeRabbit

  • New Features
    • Added Apple Platform SSO (PSSO) for macOS with device registration, sign-in, and public discovery (JWKS + Apple app-site association) protected by single-use nonces.
    • Added Apple account provisioning (Platform SSO password sync) configuration with masked client-secret handling and GitOps support.
    • Added a host-scoped PSSO device registration token variable for Apple MDM profile generation.
  • Bug Fixes
    • Fixed macOS packaging to correctly build, embed, and sign the Platform SSO extension.
    • Resetting device Apple MDM data now also clears stored PSSO enrollment records.

@JordanMontgomery JordanMontgomery changed the title Feature/fleet macos password sync DRAFT: DO NOT REVIEW Feature/fleet macos password sync Jun 11, 2026
@codecov

codecov Bot commented Jun 11, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 54.44915% with 645 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.99%. Comparing base (374aa7e) to head (4ac8fef).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
ee/server/service/apple_psso.go 34.59% 254 Missing and 39 partials ⚠️
ee/server/service/apple_psso_crypto.go 61.87% 74 Missing and 56 partials ⚠️
server/service/apple_psso.go 48.88% 77 Missing and 15 partials ⚠️
ee/server/service/apple_psso_idp_oidc_ropg.go 31.74% 42 Missing and 1 partial ⚠️
server/mdm/apple/psso/regtoken/regtoken.go 72.88% 8 Missing and 8 partials ⚠️
server/service/appconfig.go 77.77% 9 Missing and 7 partials ⚠️
server/datastore/mysql/apple_psso.go 83.09% 8 Missing and 4 partials ⚠️
server/service/apple_mdm.go 81.57% 4 Missing and 3 partials ⚠️
...ons/tables/20260708185958_CreateApplePSSOTables.go 78.57% 4 Missing and 2 partials ⚠️
...08190008_AddPSSODeviceRegistrationTokenFleetVar.go 68.42% 4 Missing and 2 partials ⚠️
... and 7 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #47422      +/-   ##
==========================================
- Coverage   68.11%   67.99%   -0.12%     
==========================================
  Files        3732     3701      -31     
  Lines      235793   236922    +1129     
  Branches    12520    12447      -73     
==========================================
+ Hits       160602   161092     +490     
- Misses      60771    61260     +489     
- Partials    14420    14570     +150     
Flag Coverage Δ
backend 69.61% <54.44%> (-0.11%) ⬇️
backend-activity 85.64% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #47105

Also fixes a small clock skew bug I found while testing. My mac was 1
second ahead of my server and that caused JWT verification to fail and
need to be retried. Added a 1 second allowance on it

Going into feature branch so some test failures are expected/fine and
will be fixed on the feature branch in followup PRs

# Checklist for submitter

No changes file but the overall feature will add one

If some of the following don't apply, delete the relevant line.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)

- [x] QA'd all new/changed functionality manually

## Database migrations

- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #46942

Moves the API endpoints to their final locations, refactor's them to use
the standard handlers where possible and cleans up a bit more of the POC
code. No changes file as the overall feature will have one

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #47127 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

No changes file - overall feature will have one

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)

- [x] QA'd all new/changed functionality manually

## New Fleet configuration settings

- [ ] Setting(s) is/are explicitly excluded from GitOps

If you didn't check the box above, follow this checklist for
GitOps-enabled settings:

- [x] Verified that the setting is exported via `fleetctl
generate-gitops`
- [x] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [x] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added Apple Account Provisioning configuration support in MDM settings
with OAuth/OIDC parameters for macOS local account provisioning
* Enabled GitOps-based management of provisioning settings (global
configuration only)
  * Implemented secure storage and handling of OAuth client credentials

* **Bug Fixes**
* Improved conditional loading of OAuth credentials to prevent
configuration validation errors on endpoints that don't require secrets

* **Tests**
* Added test coverage for Apple Account Provisioning configuration
parsing and validation

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #47122 

Cleanup of key, CA and certificate minting versus the POC where they
were were more or less ad-hoc

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)

- [x] QA'd all new/changed functionality manually

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **Bug Fixes**
* Strengthened Apple Platform SSO security by enforcing ECDSA algorithm
verification for device JWTs and validating device binding metadata
during key exchanges.

* **Refactor**
* Improved Platform SSO key management by persisting cryptographic
assets and loading them during initialization, replacing on-demand
generation for better consistency.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #46939

This PR is stacked on the work from
#47801

Moves the SSO extension under the fleet desktop app. Adds the proper
entitlements so it signs and can be distributed. Updates Fleet's AASA
handling so the CI-generated SSO extension can establish trust by
default

Tested CI build end-to-end on a mac which produced the findigns about
codesign/notarization shockingly not flagging the mismatched
profile/entitlements and the app failing at runtime.

The entire old `apple-sso-extension` directory is deleted - it was
mostly just a wrapper app for the extension anyways

No changes file as the base branch will have one

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)

- [x] QA'd all new/changed functionality manually


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Improvements**
* Enhanced macOS build workflow with improved signing and notarization
process for Platform SSO extension to ensure secure integration.
* Updated bundle identifiers and team configuration for better SSO
extension integration and authentication support.
* Streamlined build process to properly embed and sign Platform SSO
components with the host application.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Resolved conflicts in README.md (kept PSSO extension section + main's Learn more
link), server/fleet/app.go (kept both GoogleWorkspace masking and Apple account
provisioning secret masking), and regenerated schema.sql.

Bumped CreateApplePSSOTables migration 20260611140639 -> 20260701173047 so it
orders after main's latest migration (20260626120000).
@JordanMontgomery JordanMontgomery force-pushed the feature/fleet-macos-password-sync branch from 090bbac to 591ea90 Compare July 1, 2026 18:10
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)

- [x] QA'd all new/changed functionality manually

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)

- [x] QA'd all new/changed functionality manually



<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added secure password encryption support for Platform SSO logins on
macOS Fleet desktop.
* PSSO JWKS endpoint now publishes encryption public key alongside
signing key.

* **Tests**
  * Added coverage for password encryption and decryption flows.

* **Chores**
* Implemented automated encryption key generation and management for
Platform SSO.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@qodo-free-for-open-source-projects

Copy link
Copy Markdown

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: test-go (fleetctl, mysql:8.0.44) / test

Failed stage: Run Go Tests [❌]

Failed test name: TestGitOpsFullGlobal/useDeprecatedKeys=false

Failure summary:

The action failed because Go tests in the fleetctl package reported 3 failures, causing make test-go
to exit non-zero (make[1]: *** [Makefile:302: .run-go-tests] Error 1 -> make: *** [Makefile:417:
test-go] Error 2).

Specifically, cmd/fleetctl/fleetctl tests TestGitOpsFullGlobal/useDeprecatedKeys=false and
TestGitOpsFullGlobal/useDeprecatedKeys=true failed (see cmd/fleetctl/fleetctl/gitops_test.go:2244,
error surfaced via cmd/fleetctl/fleetctl/testing_utils_test.go:20).

Both failures were due to an unexpected API validation error when applying custom settings:
POST
/api/latest/fleet/mdm/profiles/batch returned 422 Validation Failed with message: cannot set custom
settings: Windows MDM isn't turned on.

Relevant error logs:
1:  Runner name: 'ubuntu-8core-1000965423'
2:  Runner group name: 'default larger runners'
...

991:  �[36;1mattempt=1�[0m
992:  �[36;1m�[0m
993:  �[36;1mwhile [ $attempt -le $max_attempts ]; do�[0m
994:  �[36;1m  echo "Attempt $attempt of $max_attempts"�[0m
995:  �[36;1m�[0m
996:  �[36;1m  # Try to connect to MySQL�[0m
997:  �[36;1m  if wait_for_mysql "mysql_test"; then�[0m
998:  �[36;1m    # If MySQL is ready, try to connect to MySQL replica�[0m
999:  �[36;1m    if wait_for_mysql "mysql_replica_test"; then�[0m
1000:  �[36;1m      # Both are ready, we're done�[0m
1001:  �[36;1m      echo "All MySQL connections successful"�[0m
1002:  �[36;1m      exit 0�[0m
1003:  �[36;1m    fi�[0m
1004:  �[36;1m  fi�[0m
1005:  �[36;1m�[0m
1006:  �[36;1m  # If we get here, at least one connection failed�[0m
1007:  �[36;1m  echo "Failed to connect to MySQL on attempt $attempt"�[0m
1008:  �[36;1m�[0m
1009:  �[36;1m  if [ $attempt -lt $max_attempts ]; then�[0m
1010:  �[36;1m    echo "Restarting containers and trying again..."�[0m
1011:  �[36;1m    restart_containers�[0m
1012:  �[36;1m  else�[0m
1013:  �[36;1m    echo "Maximum attempts reached. Failing the job."�[0m
1014:  �[36;1m    exit 1�[0m
...

1146:  go: downloading github.com/aws/aws-sdk-go-v2/feature/cloudfront/sign v1.8.3
1147:  go: downloading github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.81
1148:  go: downloading github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3
1149:  go: downloading github.com/aws/smithy-go v1.24.2
1150:  go: downloading github.com/Masterminds/semver/v3 v3.3.1
1151:  go: downloading github.com/oschwald/geoip2-golang v1.8.0
1152:  go: downloading golang.org/x/image v0.42.0
1153:  go: downloading github.com/Masterminds/semver v1.5.0
1154:  go: downloading howett.net/plist v1.0.1
1155:  go: downloading github.com/VividCortex/mysqlerr v0.0.0-20170204212430-6c6b55f8796f
1156:  go: downloading github.com/XSAM/otelsql v0.39.0
1157:  go: downloading github.com/doug-martin/goqu/v9 v9.18.0
1158:  go: downloading github.com/kolide/launcher v1.0.12
1159:  go: downloading github.com/osquery/osquery-go v0.0.0-20250131154556-629f995b6947
1160:  go: downloading github.com/google/go-cmp v0.7.0
1161:  go: downloading github.com/hashicorp/go-multierror v1.1.1
1162:  go: downloading github.com/aws/aws-sdk-go-v2/service/ses v1.30.4
...

1180:  go: downloading go.opentelemetry.io/otel/log v0.16.0
1181:  go: downloading github.com/andygrunwald/go-jira v1.16.0
1182:  go: downloading github.com/nukosuke/go-zendesk v0.13.1
1183:  go: downloading github.com/mattn/go-sqlite3 v1.14.22
1184:  go: downloading github.com/elazarl/go-bindata-assetfs v1.0.1
1185:  go: downloading github.com/gocarina/gocsv v0.0.0-20220310154401-d4df709ca055
1186:  go: downloading github.com/gorilla/websocket v1.5.1
1187:  go: downloading github.com/igm/sockjs-go/v3 v3.0.2
1188:  go: downloading go.elastic.co/apm/module/apmgorilla/v2 v2.6.2
1189:  go: downloading go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.60.0
1190:  go: downloading golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
1191:  go: downloading golang.org/x/term v0.43.0
1192:  go: downloading golang.org/x/sys v0.45.0
1193:  go: downloading filippo.io/edwards25519 v1.2.0
1194:  go: downloading github.com/spf13/pflag v1.0.6
1195:  go: downloading github.com/pkg/errors v0.9.1
1196:  go: downloading github.com/beorn7/perks v1.0.1
...

1305:  go: downloading sigs.k8s.io/yaml v1.4.0
1306:  go: downloading github.com/edsrzf/mmap-go v1.1.0
1307:  go: downloading github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d
1308:  go: downloading github.com/gorilla/schema v1.4.1
1309:  go: downloading cloud.google.com/go/auth/oauth2adapt v0.2.8
1310:  go: downloading github.com/google/s2a-go v0.1.9
1311:  go: downloading github.com/siderolabs/go-cmd v0.1.1
1312:  go: downloading github.com/Masterminds/sprig v2.22.0+incompatible
1313:  go: downloading github.com/go-git/go-git/v5 v5.19.1
1314:  go: downloading gitlab.com/digitalxero/go-conventional-commit v1.0.7
1315:  go: downloading github.com/ProtonMail/go-crypto v1.1.6
1316:  go: downloading github.com/goreleaser/fileglob v1.3.0
1317:  go: downloading github.com/cavaliergopher/cpio v1.0.1
1318:  go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20
1319:  go: downloading github.com/tklauser/numcpus v0.11.0
1320:  go: downloading github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901
1321:  go: downloading go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0
...

1452:  go: downloading github.com/AbGuthrie/goquery/v2 v2.0.1
1453:  go: downloading github.com/davecgh/go-spew v1.1.1
1454:  go: downloading github.com/tj/assert v0.0.3
1455:  go: downloading github.com/hashicorp/golang-lru v0.5.4
1456:  go: downloading github.com/c-bata/go-prompt v0.2.3
1457:  go: downloading github.com/pmezard/go-difflib v1.0.0
1458:  go: downloading github.com/stretchr/objx v0.5.2
1459:  go: downloading github.com/pkg/term v0.0.0-20190109203006-aa71e9d9e942
1460:  github.com/fleetdm/fleet/v4/cmd/fleetctl:
1461:  github.com/fleetdm/fleet/v4/cmd/fleetctl/fleetctl/fleetctltest:
1462:  github.com/fleetdm/fleet/v4/cmd/fleetctl/fleetctl/testing_utils:
1463:  github.com/fleetdm/fleet/v4/cmd/fleetctl/fleetctl/goquerycmd:
1464:  github.com/fleetdm/fleet/v4/cmd/fleetctl/integrationtest:
1465:  github.com/fleetdm/fleet/v4/cmd/fleetctl/integrationtest/preview:
1466:  �[32m✓�[0m Integrations preview (52.17s)
1467:  �[32m✓�[0m Preview fails on invalid license key (0.00s)
1468:  github.com/fleetdm/fleet/v4/cmd/fleetctl/integrationtest/package:
...

1579:  �[32m✓�[0m Apply specs deprecated keys app config windows updates.grace period days not a number (0.38s)
1580:  �[32m✓�[0m Apply specs deprecated keys app config windows updates.grace period days out of range (0.50s)
1581:  �[32m✓�[0m Apply specs deprecated keys config with FIM values for agent options (#869 9) (0.45s)
1582:  �[32m✓�[0m Apply specs deprecated keys config with blank required org name (0.36s)
1583:  �[32m✓�[0m Apply specs deprecated keys config with blank required server url (0.42s)
1584:  �[32m✓�[0m Apply specs deprecated keys config with invalid agent options command-line flags (0.44s)
1585:  �[32m✓�[0m Apply specs deprecated keys config with invalid agent options data type in dry-run (0.46s)
1586:  �[32m✓�[0m Apply specs deprecated keys config with invalid agent options data type with force (0.48s)
1587:  �[32m✓�[0m Apply specs deprecated keys config with invalid agent options in dry-run (0.53s)
1588:  �[32m✓�[0m Apply specs deprecated keys config with invalid key type (0.46s)
1589:  �[32m✓�[0m Apply specs deprecated keys config with invalid value for agent options command-line flags (0.50s)
1590:  �[32m✓�[0m Apply specs deprecated keys config with unknown key (0.37s)
1591:  �[32m✓�[0m Apply specs deprecated keys config with valid agent options command-line flags (0.47s)
1592:  �[32m✓�[0m Apply specs deprecated keys dry-run set with unsupported spec (0.51s)
1593:  �[32m✓�[0m Apply specs deprecated keys dry-run set with various specs, appconfig warning for legacy (0.44s)
1594:  �[32m✓�[0m Apply specs deprecated keys dry-run set with various specs, no errors (0.45s)
1595:  �[32m✓�[0m Apply specs deprecated keys empty config (0.46s)
...

1598:  �[32m✓�[0m Apply specs deprecated keys invalid agent options dry-run (0.42s)
1599:  �[32m✓�[0m Apply specs deprecated keys invalid agent options field type (0.37s)
1600:  �[32m✓�[0m Apply specs deprecated keys invalid agent options field type in overrides (0.49s)
1601:  �[32m✓�[0m Apply specs deprecated keys invalid agent options for existing team (0.52s)
1602:  �[32m✓�[0m Apply specs deprecated keys invalid agent options for new team (0.49s)
1603:  �[32m✓�[0m Apply specs deprecated keys invalid agent options force (0.50s)
1604:  �[32m✓�[0m Apply specs deprecated keys invalid known key's value type for team cannot be forced (0.60s)
1605:  �[32m✓�[0m Apply specs deprecated keys invalid team agent options command-line flag (0.51s)
1606:  �[32m✓�[0m Apply specs deprecated keys invalid top-level key for team (0.48s)
1607:  �[32m✓�[0m Apply specs deprecated keys macos updates deadline set but minimum version empty (0.39s)
1608:  �[32m✓�[0m Apply specs deprecated keys macos updates minimum version set but deadline empty (0.48s)
1609:  �[32m✓�[0m Apply specs deprecated keys macos updates.deadline with incomplete date (0.60s)
1610:  �[32m✓�[0m Apply specs deprecated keys macos updates.deadline with invalid date (0.38s)
1611:  �[32m✓�[0m Apply specs deprecated keys macos updates.deadline with timestamp (0.39s)
1612:  �[32m✓�[0m Apply specs deprecated keys macos updates.minimum version with build version (0.63s)
1613:  �[32m✓�[0m Apply specs deprecated keys missing required failing policies destination url (0.45s)
1614:  �[32m✓�[0m Apply specs deprecated keys missing required host status days count (0.38s)
...

1622:  �[32m✓�[0m Apply specs deprecated keys team config macos settings.enable disk encryption true (0.54s)
1623:  �[32m✓�[0m Apply specs deprecated keys team config macos settings.enable disk encryption with invalid value type (0.63s)
1624:  �[32m✓�[0m Apply specs deprecated keys team config macos settings.enable disk encryption without a value (0.40s)
1625:  �[32m✓�[0m Apply specs deprecated keys unknown key for team can be forced (0.47s)
1626:  �[32m✓�[0m Apply specs deprecated keys valid team agent options command-line flag (0.35s)
1627:  �[32m✓�[0m Apply specs deprecated keys windows updates unset valid (0.53s)
1628:  �[32m✓�[0m Apply specs deprecated keys windows updates valid (0.48s)
1629:  �[32m✓�[0m Apply specs deprecated keys windows updates.deadline days but grace period empty (0.50s)
1630:  �[32m✓�[0m Apply specs deprecated keys windows updates.deadline days not a number (0.44s)
1631:  �[32m✓�[0m Apply specs deprecated keys windows updates.deadline days out of range (0.64s)
1632:  �[32m✓�[0m Apply specs deprecated keys windows updates.grace period days but deadline empty (0.54s)
1633:  �[32m✓�[0m Apply specs deprecated keys windows updates.grace period days not a number (0.44s)
1634:  �[32m✓�[0m Apply specs deprecated keys windows updates.grace period days out of range (0.53s)
1635:  �[32m✓�[0m Apply specs dry-run set with unsupported spec (0.45s)
1636:  �[32m✓�[0m Apply specs dry-run set with various specs, appconfig warning for legacy (0.56s)
1637:  �[32m✓�[0m Apply specs dry-run set with various specs, no errors (0.44s)
1638:  �[32m✓�[0m Apply specs empty config (0.46s)
...

1641:  �[32m✓�[0m Apply specs invalid agent options dry-run (0.36s)
1642:  �[32m✓�[0m Apply specs invalid agent options field type (0.53s)
1643:  �[32m✓�[0m Apply specs invalid agent options field type in overrides (0.54s)
1644:  �[32m✓�[0m Apply specs invalid agent options for existing team (0.41s)
1645:  �[32m✓�[0m Apply specs invalid agent options for new team (0.42s)
1646:  �[32m✓�[0m Apply specs invalid agent options force (0.55s)
1647:  �[32m✓�[0m Apply specs invalid known key's value type for team cannot be forced (0.49s)
1648:  �[32m✓�[0m Apply specs invalid team agent options command-line flag (0.54s)
1649:  �[32m✓�[0m Apply specs invalid top-level key for team (0.35s)
1650:  �[32m✓�[0m Apply specs macos updates deadline set but minimum version empty (0.33s)
1651:  �[32m✓�[0m Apply specs macos updates minimum version set but deadline empty (0.39s)
1652:  �[32m✓�[0m Apply specs macos updates.deadline with incomplete date (0.37s)
1653:  �[32m✓�[0m Apply specs macos updates.deadline with invalid date (0.41s)
1654:  �[32m✓�[0m Apply specs macos updates.deadline with timestamp (0.45s)
1655:  �[32m✓�[0m Apply specs macos updates.minimum version with build version (0.48s)
1656:  �[32m✓�[0m Apply specs missing required failing policies destination url (0.46s)
1657:  �[32m✓�[0m Apply specs missing required host status days count (0.35s)
...

1676:  �[32m✓�[0m Apply specs windows updates.grace period days not a number (0.43s)
1677:  �[32m✓�[0m Apply specs windows updates.grace period days out of range (0.58s)
1678:  �[32m✓�[0m Apply team specs (0.50s)
1679:  �[32m✓�[0m Apply user roles (0.53s)
1680:  �[32m✓�[0m Apply user roles deprecated (0.65s)
1681:  �[32m✓�[0m Apply windows updates (0.51s)
1682:  �[32m✓�[0m Apply windows updates field omitted (0.00s)
1683:  �[32m✓�[0m Apply windows updates with null values (0.00s)
1684:  �[32m✓�[0m Apply windows updates with values (0.00s)
1685:  �[32m✓�[0m Can apply intervals in nanoseconds (0.33s)
1686:  �[32m✓�[0m Can apply intervals using durations (0.37s)
1687:  �[32m✓�[0m Clean status code err (0.00s)
1688:  �[32m✓�[0m Clean status code err bare wrapped status code err (0.00s)
1689:  �[32m✓�[0m Clean status code err nil (0.00s)
1690:  �[32m✓�[0m Clean status code err outer-wrapped status code err (0.00s)
1691:  �[32m✓�[0m Clean status code err plain error untouched (0.00s)
1692:  �[32m✓�[0m Compute label changes (0.00s)
...

1748:  �[32m✓�[0m Filename functions (0.00s)
1749:  �[32m✓�[0m Filename functions outfile name builds a file name using the name provided + current time (0.00s)
1750:  �[32m✓�[0m Filename functions outfile name with ext builds a file name using the name and extension provided + current time (0.00s)
1751:  �[32m✓�[0m FleetctlUpgradePacks empty packs (0.42s)
1752:  �[32m✓�[0m FleetctlUpgradePacks no pack (0.33s)
1753:  �[32m✓�[0m FleetctlUpgradePacks non empty (0.45s)
1754:  �[32m✓�[0m FleetctlUpgradePacks not admin (0.50s)
1755:  �[32m✓�[0m Format XML (0.00s)
1756:  �[32m✓�[0m Format XML XML with attributes (0.00s)
1757:  �[32m✓�[0m Format XML basic XML (0.00s)
1758:  �[32m✓�[0m Format XML empty XML (0.00s)
1759:  �[32m✓�[0m Format XML invalid XML (0.00s)
1760:  �[32m✓�[0m Format XML nested XML (0.00s)
1761:  �[32m✓�[0m Generate MDM apple (0.84s)
1762:  �[32m✓�[0m Generate MDM apple BM (0.35s)
1763:  �[32m✓�[0m Generate MDM apple CSR API call fails (0.40s)
1764:  �[32m✓�[0m Generate MDM apple successful run (0.44s)
1765:  �[32m✓�[0m Generate MDMVPP tokens (0.00s)
1766:  �[32m✓�[0m Generate MDMVPP tokens get VPP tokens error (0.00s)
1767:  �[32m✓�[0m Generate MDMVPP tokens multiple tokens with different teams (0.00s)
...

1786:  �[32m✓�[0m Generate org settings masked google workspace api key (0.00s)
1787:  �[32m✓�[0m Generate policies (0.00s)
1788:  �[32m✓�[0m Generate policies patch policy orphaned from fleet maintained app (0.00s)
1789:  �[32m✓�[0m Generate queries (0.00s)
1790:  �[32m✓�[0m Generate software (0.00s)
1791:  �[32m✓�[0m Generate software auto update schedule (0.00s)
1792:  �[32m✓�[0m Generate software script packages (0.00s)
1793:  �[32m✓�[0m Generate team settings (0.00s)
1794:  �[32m✓�[0m Generate team settings insecure (0.00s)
1795:  �[32m✓�[0m Generated org settings no SSO (0.00s)
1796:  �[32m✓�[0m Generated org settings okta conditional access not included (0.00s)
1797:  �[32m✓�[0m Get MDM command results (0.40s)
1798:  �[32m✓�[0m Get MDM command results command flag required (0.00s)
1799:  �[32m✓�[0m Get MDM command results command not found (0.01s)
1800:  �[32m✓�[0m Get MDM command results command results empty (0.01s)
1801:  �[32m✓�[0m Get MDM command results command results error (0.01s)
1802:  �[32m✓�[0m Get MDM command results darwin command results (0.00s)
1803:  �[32m✓�[0m Get MDM command results host specific results (0.00s)
1804:  �[32m✓�[0m Get MDM command results windows command results (0.00s)
1805:  �[32m✓�[0m Get MDM commands (0.38s)
1806:  �[32m✓�[0m Get apple BM (1.61s)
1807:  �[32m✓�[0m Get apple BM free license (0.38s)
1808:  �[32m✓�[0m Get apple BM premium license, multiple tokens (0.36s)
1809:  �[32m✓�[0m Get apple BM premium license, no token (0.51s)
1810:  �[32m✓�[0m Get apple BM premium license, single token (0.36s)
1811:  �[32m✓�[0m Get apple MDM (0.36s)
1812:  �[32m✓�[0m Get carve (0.44s)
1813:  �[32m✓�[0m Get carve with error (0.39s)
1814:  �[32m✓�[0m Get carves (0.33s)
...

1828:  �[32m✓�[0m Get hosts MDM get hosts - -mdm - -mdm-pending - (0.00s)
1829:  �[32m✓�[0m Get hosts MDM get hosts - -mdm-pending - -yaml - expected list hosts yaml.yml (0.01s)
1830:  �[32m✓�[0m Get hosts get hosts - -json - -remove-deprecated-keys (0.00s)
1831:  �[32m✓�[0m Get hosts get hosts - -json - expected list hosts json.json (0.00s)
1832:  �[32m✓�[0m Get hosts get hosts - -json test host - expected host detail response json.json (0.00s)
1833:  �[32m✓�[0m Get hosts get hosts - -yaml - expected list hosts yaml.yml (0.01s)
1834:  �[32m✓�[0m Get hosts get hosts - -yaml test host - expected host detail response yaml.yml (0.01s)
1835:  �[32m✓�[0m Get label (0.45s)
1836:  �[32m✓�[0m Get label usage include and exclude allowed (0.00s)
1837:  �[32m✓�[0m Get label usage include and exclude allowed macos (0.00s)
1838:  �[32m✓�[0m Get label usage include and exclude allowed macos# 01 (0.00s)
1839:  �[32m✓�[0m Get label usage include and exclude allowed macos# 02 (0.00s)
1840:  �[32m✓�[0m Get label usage include and exclude allowed windows (0.00s)
1841:  �[32m✓�[0m Get label usage include and exclude allowed windows# 01 (0.00s)
1842:  �[32m✓�[0m Get label usage include and exclude allowed windows# 02 (0.00s)
1843:  �[32m✓�[0m Get label usage include exclude overlap error (0.00s)
1844:  �[32m✓�[0m Get label usage include exclude overlap error macos (0.00s)
1845:  �[32m✓�[0m Get label usage include exclude overlap error macos# 01 (0.00s)
1846:  �[32m✓�[0m Get label usage include exclude overlap error macos# 02 (0.00s)
1847:  �[32m✓�[0m Get label usage include exclude overlap error windows (0.00s)
1848:  �[32m✓�[0m Get label usage include exclude overlap error windows# 01 (0.00s)
1849:  �[32m✓�[0m Get label usage include exclude overlap error windows# 02 (0.00s)
1850:  �[32m✓�[0m Get label usage multiple label keys error (0.00s)
1851:  �[32m✓�[0m Get label usage multiple label keys error macos (0.00s)
1852:  �[32m✓�[0m Get label usage multiple label keys error windows (0.00s)
1853:  �[32m✓�[0m Get label usage policy scopes (0.00s)
...

1869:  �[32m✓�[0m Get queries as observer team observer (0.01s)
1870:  �[32m✓�[0m Get query (0.48s)
1871:  �[32m✓�[0m Get query labels include all (0.40s)
1872:  �[32m✓�[0m Get reports labels include all (0.38s)
1873:  �[32m✓�[0m Get software titles (0.47s)
1874:  �[32m✓�[0m Get software versions (0.32s)
1875:  �[32m✓�[0m Get teams (0.84s)
1876:  �[32m✓�[0m Get teams YAML and apply (0.37s)
1877:  �[32m✓�[0m Get teams by name (0.42s)
1878:  �[32m✓�[0m Get teams expired license (0.44s)
1879:  �[32m✓�[0m Get teams not expired license (0.41s)
1880:  �[32m✓�[0m Get teams software from source of truth (0.59s)
1881:  �[32m✓�[0m Get user roles (0.43s)
1882:  �[32m✓�[0m Git ops ABM (6.22s)
1883:  �[32m✓�[0m Git ops ABM backwards compat (0.66s)
1884:  �[32m✓�[0m Git ops ABM both keys errors (0.45s)
1885:  �[32m✓�[0m Git ops ABM deprecated config with two tokens in the db fails (0.44s)
1886:  �[32m✓�[0m Git ops ABM new key all valid (0.84s)
1887:  �[32m✓�[0m Git ops ABM new key multiple elements (0.67s)
1888:  �[32m✓�[0m Git ops ABM no team is supported (0.56s)
1889:  �[32m✓�[0m Git ops ABM non existent org name fails (0.62s)
1890:  �[32m✓�[0m Git ops ABM not provided teams defaults to no team (0.49s)
1891:  �[32m✓�[0m Git ops ABM renamed new key all valid (0.84s)
1892:  �[32m✓�[0m Git ops ABM using an undefined team errors (0.67s)
1893:  �[32m✓�[0m Git ops EULA setting (4.36s)
...

1896:  �[32m✓�[0m Git ops EULA setting not a PDF file (0.57s)
1897:  �[32m✓�[0m Git ops EULA setting relative path to working dir to pdf file (no existing EULA uploaded) (0.50s)
1898:  �[32m✓�[0m Git ops EULA setting relative path to yaml file to pdf file (no existing EULA uploaded) (0.53s)
1899:  �[32m✓�[0m Git ops EULA setting uploading the same EULA again (0.55s)
1900:  �[32m✓�[0m Git ops EULA setting valid new pdf file (different EULA already uploaded) (0.59s)
1901:  �[32m✓�[0m Git ops EULA setting valid pdf file (no existing EULA uploaded) (0.51s)
1902:  �[32m✓�[0m Git ops MDM auth settings (0.40s)
1903:  �[32m✓�[0m Git ops SMTP settings (0.49s)
1904:  �[32m✓�[0m Git ops SSO server URL (0.50s)
1905:  �[32m✓�[0m Git ops SSO settings (0.64s)
1906:  �[32m✓�[0m Git ops android certificates add (0.64s)
1907:  �[32m✓�[0m Git ops android certificates change (0.53s)
1908:  �[32m✓�[0m Git ops android certificates delete all (0.42s)
1909:  �[32m✓�[0m Git ops android certificates delete one (0.50s)
1910:  �[32m✓�[0m Git ops app store app auto update (0.42s)
1911:  �[32m✓�[0m Git ops app store app auto update invalid auto-update window triggers error and does not call update software title auto update config (0.02s)
1912:  �[32m✓�[0m Git ops app store app auto update no auto update settings and no existing schedule does not call update software title auto update config (0.02s)
1913:  �[32m✓�[0m Git ops app store app auto update update software title auto update config is applied for i OS VPP apps (0.02s)
1914:  �[32m✓�[0m Git ops app store app auto update update software title auto update config is not called when no VPP apps provided (0.02s)
1915:  �[32m✓�[0m Git ops apple OS updates (0.55s)
1916:  �[32m✓�[0m Git ops apple OS updates ios updates (0.01s)
1917:  �[32m✓�[0m Git ops apple OS updates ios updates os updated when existing OS update declaration (0.01s)
1918:  �[32m✓�[0m Git ops apple OS updates ipados updates (0.01s)
1919:  �[32m✓�[0m Git ops apple OS updates ipados updates os updated when existing OS update declaration (0.01s)
1920:  �[32m✓�[0m Git ops apple OS updates macos updates (0.01s)
1921:  �[32m✓�[0m Git ops apple OS updates macos updates os updated when existing OS update declaration (0.01s)
1922:  �[32m✓�[0m Git ops basic global and no team (0.61s)
1923:  �[32m✓�[0m Git ops basic global and no team basic global and no-team.yml (0.05s)
1924:  �[32m✓�[0m Git ops basic global and no team both global and no-team.yml define controls -- should fail (0.01s)
1925:  �[32m✓�[0m Git ops basic global and no team controls only defined in no-team.yml (0.05s)
1926:  �[32m✓�[0m Git ops basic global and no team global DOES NOT define controls -- should fail (0.01s)
1927:  �[32m✓�[0m Git ops basic global and no team global and no-team.yml DO NOT define controls -- should fail (0.01s)
1928:  �[32m✓�[0m Git ops basic global and no team global defines software -- should fail (0.01s)
1929:  �[32m✓�[0m Git ops basic global and no team no-team provided without global -- should fail (0.01s)
1930:  �[32m✓�[0m Git ops basic global and no team no-team.yml defines policy with calendar events enabled -- should fail (0.01s)
1931:  �[32m✓�[0m Git ops basic global and no team unassigned provided without global -- should fail (0.02s)
1932:  �[32m✓�[0m Git ops basic global and team (0.60s)
...

1938:  �[32m✓�[0m Git ops custom settings global macos windows custom settings valid.yml (0.46s)
1939:  �[32m✓�[0m Git ops custom settings global windows custom settings invalid label mix 2 .yml (0.43s)
1940:  �[32m✓�[0m Git ops custom settings global windows custom settings invalid label mix.yml (0.43s)
1941:  �[32m✓�[0m Git ops custom settings global windows custom settings unknown label.yml (0.46s)
1942:  �[32m✓�[0m Git ops custom settings team macos custom settings valid deprecated.yml (0.53s)
1943:  �[32m✓�[0m Git ops custom settings team macos windows custom settings invalid labels mix 2 .yml (0.46s)
1944:  �[32m✓�[0m Git ops custom settings team macos windows custom settings invalid labels mix.yml (0.48s)
1945:  �[32m✓�[0m Git ops custom settings team macos windows custom settings unknown label.yml (0.48s)
1946:  �[32m✓�[0m Git ops custom settings team macos windows custom settings valid.yml (0.44s)
1947:  �[32m✓�[0m Git ops dry run rejects invalid label platform (0.48s)
1948:  �[32m✓�[0m Git ops exception enforcement (0.45s)
1949:  �[32m✓�[0m Git ops exception enforcement free tier (0.43s)
1950:  �[32m✓�[0m Git ops exceptions preserve omitted keys (0.45s)
1951:  �[32m✓�[0m Git ops features (0.48s)
1952:  �[32m✓�[0m Git ops filename validation (0.00s)
1953:  �[32m✓�[0m Git ops fleet failing policies webhook policy IDs (0.66s)
1954:  �[32m✓�[0m Git ops fleet webhooks and tickets enabled (0.65s)
...

2111:  �[32m✓�[0m New basic file structure has expected files (0.00s)
2112:  �[32m✓�[0m New basic file structure replaces and escapes org name template var (0.00s)
2113:  �[32m✓�[0m New basic file structure strips .template. from output filenames (0.00s)
2114:  �[32m✓�[0m New dir flag (0.01s)
2115:  �[32m✓�[0m New existing dir with force (0.01s)
2116:  �[32m✓�[0m New existing dir without force (0.00s)
2117:  �[32m✓�[0m New org name YAML quoting (0.01s)
2118:  �[32m✓�[0m New org name validation (0.02s)
2119:  �[32m✓�[0m New org name validation at max length (0.01s)
2120:  �[32m✓�[0m New org name validation control characters stripped (0.01s)
2121:  �[32m✓�[0m New org name validation only control characters (0.00s)
2122:  �[32m✓�[0m New org name validation only whitespace (0.00s)
2123:  �[32m✓�[0m New org name validation too long (0.00s)
2124:  �[32m✓�[0m New output messages (0.01s)
2125:  �[32m✓�[0m New template stripping (0.01s)
2126:  �[32m✓�[0m Print auth error (0.36s)
2127:  �[32m✓�[0m Print auth error SSO disabled shows default login message (0.00s)
2128:  �[32m✓�[0m Print auth error SSO enabled shows SSO instructions (0.00s)
2129:  �[32m✓�[0m Render template (0.00s)
...

2149:  �[32m✓�[0m Run api command get scripts full path missing (0.00s)
2150:  �[32m✓�[0m Run api command get scripts team (0.00s)
2151:  �[32m✓�[0m Run api command get scripts team no cache (0.00s)
2152:  �[32m✓�[0m Run api command get typo (0.00s)
2153:  �[32m✓�[0m Run api command upload script (0.00s)
2154:  �[32m✓�[0m Run script command (0.57s)
2155:  �[32m✓�[0m Run script command disabled scripts globally (0.00s)
2156:  �[32m✓�[0m Run script command host not found (0.01s)
2157:  �[32m✓�[0m Run script command invalid file type (0.01s)
2158:  �[32m✓�[0m Run script command invalid hashbang (0.01s)
2159:  �[32m✓�[0m Run script command invalid utf 8 (0.01s)
2160:  �[32m✓�[0m Run script command missing one of script-path and script-nqme (0.00s)
2161:  �[32m✓�[0m Run script command output truncated (0.01s)
2162:  �[32m✓�[0m Run script command posix shell hashbang (0.01s)
2163:  �[32m✓�[0m Run script command script empty (0.01s)
2164:  �[32m✓�[0m Run script command script failed (0.01s)
2165:  �[32m✓�[0m Run script command script killed (0.01s)
...

2220:  �[32m✓�[0m Validate git ops group EUA global-only run degrades id p but the team's in-run file disables EU A: accepted (0.00s)
2221:  �[32m✓�[0m Validate git ops group EUA global-only run degrades id p while a stored team keeps EUA on: rejected (#4337 1) (0.00s)
2222:  �[32m✓�[0m Validate git ops group EUA no EUA enabled anywhere is accepted (0.00s)
2223:  �[32m✓�[0m Validate git ops group EUA team enables EU A, global file adds complete id P: accepted (0.00s)
2224:  �[32m✓�[0m Validate git ops group EUA team enables EU A, global file adds id p missing entity id: rejected (0.00s)
2225:  �[32m✓�[0m Validate git ops group EUA team enables EU A, global file omits id P, stored has id P: rejected (overwrite clears) (0.00s)
2226:  �[32m✓�[0m Validate git ops group EUA team enables EU A, stored has id P, no global file: accepted (0.00s)
2227:  �[32m✓�[0m Validate git ops group EUA team enables EU A, stored has no id P, no global file: rejected (0.00s)
2228:  github.com/fleetdm/fleet/v4/cmd/fleetctl/integrationtest/gitops:
2229:  �[32m✓�[0m Git ops VPP (4.78s)
2230:  �[32m✓�[0m Git ops VPP all fleets is supported (0.59s)
2231:  �[32m✓�[0m Git ops VPP all teams is supported (0.51s)
2232:  �[32m✓�[0m Git ops VPP new key all valid (0.65s)
2233:  �[32m✓�[0m Git ops VPP new key multiple elements (0.76s)
2234:  �[32m✓�[0m Git ops VPP no team is supported (0.54s)
2235:  �[32m✓�[0m Git ops VPP non existent location fails (0.52s)
2236:  �[32m✓�[0m Git ops VPP not provided teams defaults to no team (0.57s)
2237:  �[32m✓�[0m Git ops VPP using an undefined team errors (0.62s)
2238:  �[32m✓�[0m Git ops existing team VPP apps with missing team (0.66s)
...

2331:  �[32m✓�[0m Git ops team software installers team software installer with display name.yml (1.44s)
2332:  �[32m✓�[0m Integrations enterprise gitops (319.68s)
2333:  �[32m✓�[0m Integrations enterprise gitops test CA integrations (3.97s)
2334:  �[32m✓�[0m Integrations enterprise gitops test FMA labels include all (6.07s)
2335:  �[32m✓�[0m Integrations enterprise gitops test IPA software installers (10.66s)
2336:  �[32m✓�[0m Integrations enterprise gitops test JSON configuration profile escaping (1.29s)
2337:  �[32m✓�[0m Integrations enterprise gitops test add manual labels (1.53s)
2338:  �[32m✓�[0m Integrations enterprise gitops test configuration profile escaping (1.37s)
2339:  �[32m✓�[0m Integrations enterprise gitops test delete CA with certificate templates (5.92s)
2340:  �[32m✓�[0m Integrations enterprise gitops test delete mac OS setup (5.10s)
2341:  �[32m✓�[0m Integrations enterprise gitops test deleting no team YAML (2.69s)
2342:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience (123.80s)
2343:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience all VPP with setup experience (1.26s)
2344:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience no team VPP (1.15s)
2345:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience no team installers (60.56s)
2346:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience packages fail (60.67s)
2347:  �[32m✓�[0m Integrations enterprise gitops test dry run mac OS setup script with manual agent install conflict (0.44s)
...

2377:  �[32m✓�[0m Integrations enterprise gitops test omitted top level keys global (2.47s)
2378:  �[32m✓�[0m Integrations enterprise gitops test remove custom settings from default YAML (2.58s)
2379:  �[32m✓�[0m Integrations enterprise gitops test special case teams VPP apps (3.83s)
2380:  �[32m✓�[0m Integrations enterprise gitops test special case teams VPP apps all teams (2.42s)
2381:  �[32m✓�[0m Integrations enterprise gitops test special case teams VPP apps no team (1.25s)
2382:  �[32m✓�[0m Integrations enterprise gitops test unset configuration profile labels (4.96s)
2383:  �[32m✓�[0m Integrations enterprise gitops test unset software installer labels (12.47s)
2384:  �[32m✓�[0m Integrations enterprise starter library (5.05s)
2385:  �[32m✓�[0m Integrations enterprise starter library test apply starter library premium (3.56s)
2386:  �[32m✓�[0m Integrations gitops (2.40s)
2387:  �[32m✓�[0m Integrations gitops test fleet gitops (0.49s)
2388:  �[32m✓�[0m Integrations gitops test fleet gitops DDM fleet vars requires premium (0.12s)
2389:  �[32m✓�[0m Integrations gitops test fleet gitops with fleet secrets (0.23s)
2390:  �[32m✓�[0m Integrations starter library (1.64s)
2391:  �[32m✓�[0m Integrations starter library test apply starter library free (0.19s)
2392:  === �[31mFailed�[0m
2393:  === �[31mFAIL�[0m: cmd/fleetctl/fleetctl TestGitOpsFullGlobal/useDeprecatedKeys=false (0.04s)
2394:  time=level=INFO msg="request error" path=/api/latest/fleet/setup_experience/eula/metadata took=155.361µs uuid=4fb571d6-1568-4552-bb47-067da1e2188d err="not found"
2395:  [-] would've deleted report Query to delete
2396:  time=level=INFO msg="request error" path=/api/latest/fleet/setup_experience/eula/metadata took=144.34µs uuid=f8f0911c-f9dd-47da-8437-33da5fc51df0 err="not found"
2397:  testing_utils_test.go:20: 
2398:  Error Trace:	/home/runner/work/fleet/fleet/cmd/fleetctl/fleetctl/testing_utils_test.go:20
2399:  /home/runner/work/fleet/fleet/cmd/fleetctl/fleetctl/gitops_test.go:2244
2400:  Error:      	Received unexpected error:
2401:  applying custom settings: POST /api/latest/fleet/mdm/profiles/batch received status 422 Validation Failed: cannot set custom settings: Windows MDM isn't turned on. For more information about setting up MDM, please visit https://fleetdm.com/learn-more-about/windows-mdm (API time: 1ms)
2402:  Test:       	TestGitOpsFullGlobal/useDeprecatedKeys=false
2403:  --- FAIL: TestGitOpsFullGlobal/useDeprecatedKeys=false (0.04s)
2404:  === �[31mFAIL�[0m: cmd/fleetctl/fleetctl TestGitOpsFullGlobal/useDeprecatedKeys=true (0.04s)
2405:  time=level=INFO msg="request error" path=/api/latest/fleet/setup_experience/eula/metadata took=127.168µs uuid=39a6eeb1-7ced-4c33-b198-66c02bf3e941 err="not found"
2406:  [-] would've deleted report Query to delete
2407:  time=level=INFO msg="request error" path=/api/latest/fleet/setup_experience/eula/metadata took=101.319µs uuid=3cb79658-605c-4992-bfa3-5d004943ef90 err="not found"
2408:  testing_utils_test.go:20: 
2409:  Error Trace:	/home/runner/work/fleet/fleet/cmd/fleetctl/fleetctl/testing_utils_test.go:20
2410:  /home/runner/work/fleet/fleet/cmd/fleetctl/fleetctl/gitops_test.go:2244
2411:  Error:      	Received unexpected error:
2412:  applying custom settings: POST /api/latest/fleet/mdm/profiles/batch received status 422 Validation Failed: cannot set custom settings: Windows MDM isn't turned on. For more information about setting up MDM, please visit https://fleetdm.com/learn-more-about/windows-mdm (API time: 1ms)
2413:  Test:       	TestGitOpsFullGlobal/useDeprecatedKeys=true
2414:  --- FAIL: TestGitOpsFullGlobal/useDeprecatedKeys=true (0.04s)
2415:  === �[31mFAIL�[0m: cmd/fleetctl/fleetctl TestGitOpsFullGlobal (0.53s)
2416:  DONE 922 tests, 3 failures in 650.400s
2417:  make[1]: *** [Makefile:302: .run-go-tests] Error 1
2418:  make[1]: Leaving directory '/home/runner/work/fleet/fleet'
2419:  make: *** [Makefile:417: test-go] Error 2
2420:  ##[error]Process completed with exit code 2.
2421:  Node 20 is being deprecated. This workflow is running with Node 24 by default. If you need to temporarily use Node 20, you can set the ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true environment variable. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
2422:  ##[group]Run actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a
2423:  with:
2424:  name: fleetctl-mysql8.0.44-coverage
2425:  path: ./coverage.txt
2426:  if-no-files-found: error
2427:  compression-level: 6
...

2430:  RACE_ENABLED: false
2431:  GO_TEST_TIMEOUT: 20m
2432:  DOCKER_COMMAND: docker compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test mysql_replica_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup s3 saml_idp mailhog mailpit smtp4dev_test
2433:  RUN_TESTS_ARG: 
2434:  CI_TEST_PKG: fleetctl
2435:  NEED_DOCKER: 1
2436:  ARTIFACT_PREFIX: fleetctl-mysql8.0.44
2437:  GOTOOLCHAIN: local
2438:  ##[endgroup]
2439:  (node:51007) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
2440:  (Use `node --trace-deprecation ...` to show where the warning was created)
2441:  With the provided path, there will be 1 file uploaded
2442:  Artifact name is valid!
2443:  Root directory input is valid!
2444:  Beginning upload of artifact content to blob storage
2445:  (node:51007) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
2446:  Uploaded bytes 2322600
2447:  Finished uploading artifact content to blob storage!
2448:  SHA256 hash of uploaded artifact zip is 95aaa27b0259697c5facf44d6d5136a431f6457b6e7660f34b69ad42923d4d28
2449:  Finalizing artifact upload
2450:  Artifact fleetctl-mysql8.0.44-coverage.zip successfully finalized. Artifact ID 8020320311
2451:  Artifact fleetctl-mysql8.0.44-coverage has been successfully uploaded! Final size is 2322600 bytes. Artifact ID is 8020320311
2452:  Artifact download URL: https://github.com/fleetdm/fleet/actions/runs/28541232412/artifacts/8020320311
2453:  ##[group]Run c1grep() { grep "$@" || test $? = 1; }
2454:  �[36;1mc1grep() { grep "$@" || test $? = 1; }�[0m
2455:  �[36;1mc1grep -oP 'FAIL: .*$' /tmp/gotest.log > /tmp/summary.txt�[0m
2456:  �[36;1mc1grep 'test timed out after' /tmp/gotest.log >> /tmp/summary.txt�[0m
2457:  �[36;1mc1grep 'fatal error:' /tmp/gotest.log >> /tmp/summary.txt�[0m
2458:  �[36;1mc1grep -A 10 'panic: runtime error: ' /tmp/gotest.log >> /tmp/summary.txt�[0m
2459:  �[36;1mc1grep ' FAIL\t' /tmp/gotest.log >> /tmp/summary.txt�[0m
2460:  �[36;1mGO_FAIL_SUMMARY=$(head -n 5 /tmp/summary.txt | sed ':a;N;$!ba;s/\n/\\n/g')�[0m
2461:  �[36;1mecho "GO_FAIL_SUMMARY=$GO_FAIL_SUMMARY"�[0m
2462:  �[36;1mif [[ -z "$GO_FAIL_SUMMARY" ]]; then�[0m
2463:  �[36;1m  GO_FAIL_SUMMARY="unknown, please check the build URL"�[0m
2464:  �[36;1mfi�[0m
2465:  �[36;1mGO_FAIL_SUMMARY=$GO_FAIL_SUMMARY envsubst < .github/workflows/config/slack_payload_template.json > ./payload.json�[0m
2466:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2467:  env:
2468:  RACE_ENABLED: false
2469:  GO_TEST_TIMEOUT: 20m
2470:  DOCKER_COMMAND: docker compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test mysql_replica_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup s3 saml_idp mailhog mailpit smtp4dev_test
2471:  RUN_TESTS_ARG: 
2472:  CI_TEST_PKG: fleetctl
2473:  NEED_DOCKER: 1
2474:  ARTIFACT_PREFIX: fleetctl-mysql8.0.44
2475:  GOTOOLCHAIN: local
2476:  ##[endgroup]
2477:  GO_FAIL_SUMMARY=FAIL: TestGitOpsFullGlobal/useDeprecatedKeys=false (0.04s)\nFAIL: TestGitOpsFullGlobal/useDeprecatedKeys=true (0.04s)
2478:  Node 20 is being deprecated. This workflow is running with Node 24 by default. If you need to temporarily use Node 20, you can set the ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true environment variable. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
2479:  ##[group]Run actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a
2480:  with:
2481:  name: fleetctl-mysql8.0.44-test-log
2482:  path: /tmp/gotest.log
2483:  if-no-files-found: error
2484:  compression-level: 6
...

2487:  RACE_ENABLED: false
2488:  GO_TEST_TIMEOUT: 20m
2489:  DOCKER_COMMAND: docker compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test mysql_replica_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup s3 saml_idp mailhog mailpit smtp4dev_test
2490:  RUN_TESTS_ARG: 
2491:  CI_TEST_PKG: fleetctl
2492:  NEED_DOCKER: 1
2493:  ARTIFACT_PREFIX: fleetctl-mysql8.0.44
2494:  GOTOOLCHAIN: local
2495:  ##[endgroup]
2496:  (node:51029) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
2497:  (Use `node --trace-deprecation ...` to show where the warning was created)
2498:  With the provided path, there will be 1 file uploaded
2499:  Artifact name is valid!
2500:  Root directory input is valid!
2501:  Beginning upload of artifact content to blob storage
2502:  (node:51029) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
2503:  Uploaded bytes 11177
...

2519:  RACE_ENABLED: false
2520:  GO_TEST_TIMEOUT: 20m
2521:  DOCKER_COMMAND: docker compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test mysql_replica_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup s3 saml_idp mailhog mailpit smtp4dev_test
2522:  RUN_TESTS_ARG: 
2523:  CI_TEST_PKG: fleetctl
2524:  NEED_DOCKER: 1
2525:  ARTIFACT_PREFIX: fleetctl-mysql8.0.44
2526:  GOTOOLCHAIN: local
2527:  ##[endgroup]
2528:  (node:51041) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
2529:  (Use `node --trace-deprecation ...` to show where the warning was created)
2530:  With the provided path, there will be 1 file uploaded
2531:  Artifact name is valid!
2532:  Root directory input is valid!
2533:  Beginning upload of artifact content to blob storage
2534:  (node:51041) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
2535:  Uploaded bytes 205
...

2551:  RACE_ENABLED: false
2552:  GO_TEST_TIMEOUT: 20m
2553:  DOCKER_COMMAND: docker compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test mysql_replica_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup s3 saml_idp mailhog mailpit smtp4dev_test
2554:  RUN_TESTS_ARG: 
2555:  CI_TEST_PKG: fleetctl
2556:  NEED_DOCKER: 1
2557:  ARTIFACT_PREFIX: fleetctl-mysql8.0.44
2558:  GOTOOLCHAIN: local
2559:  ##[endgroup]
2560:  (node:51053) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
2561:  (Use `node --trace-deprecation ...` to show where the warning was created)
2562:  With the provided path, there will be 1 file uploaded
2563:  Artifact name is valid!
2564:  Root directory input is valid!
2565:  Beginning upload of artifact content to blob storage
2566:  (node:51053) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
2567:  Uploaded bytes 104962
...

2600:  RACE_ENABLED: false
2601:  GO_TEST_TIMEOUT: 20m
2602:  DOCKER_COMMAND: docker compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test mysql_replica_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup s3 saml_idp mailhog mailpit smtp4dev_test
2603:  RUN_TESTS_ARG: 
2604:  CI_TEST_PKG: fleetctl
2605:  NEED_DOCKER: 1
2606:  ARTIFACT_PREFIX: fleetctl-mysql8.0.44
2607:  GOTOOLCHAIN: local
2608:  ##[endgroup]
2609:  (node:51066) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
2610:  (Use `node --trace-deprecation ...` to show where the warning was created)
2611:  With the provided path, there will be 1 file uploaded
2612:  Artifact name is valid!
2613:  Root directory input is valid!
2614:  Beginning upload of artifact content to blob storage
2615:  (node:51066) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
2616:  Uploaded bytes 133

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning

  • Copilot's review of this pull request may be incomplete because some of the changed files are excluded by your Copilot content exclusion settings. See Excluding content from Copilot for details.

Pull request overview

This PR introduces Apple Platform SSO (PSSO) / macOS account provisioning support across Fleet server, datastore, GitOps, and the macOS Fleet Desktop app (including an embedded Platform SSO extension), enabling host-scoped registration tokens and new PSSO protocol endpoints.

Changes:

  • Adds PSSO HTTP endpoints (including .well-known/apple-app-site-association), Redis-backed nonce storage, device/key persistence, and host-secret expansion for per-host registration tokens.
  • Adds mdm.apple_account_provisioning AppConfig/GitOps support with the IdP client secret stored in mdm_config_assets (masked in API responses) plus activity logging.
  • Updates Fleet Desktop macOS build/signing pipeline to bundle and ship a PSSO app extension, plus supporting entitlements/provisioning-profile handling in CI.

Reviewed changes

Copilot reviewed 74 out of 75 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
tools/cloner-check/generated_files/appconfig.txt Updates generated AppConfig field inventory for new MDM config fields.
server/service/testing_utils_test.go Adjusts test service wiring for new EE service arg and MDM protocol registration signature.
server/service/svctest/service.go Adjusts svctest EE service wiring for new PSSO nonce store arg.
server/service/svctest/server.go Updates MDM protocol services registration call with svc.
server/service/handler.go Registers PSSO endpoints and serves AASA from root mux; updates protocol service signature.
server/service/client.go Ensures GitOps clears apple_account_provisioning when omitted.
server/service/apple_psso.go Adds core (non-EE) PSSO endpoints + asset bootstrap + license stubs.
server/service/apple_psso_test.go Tests core PSSO request decoding and asset bootstrap behavior.
server/service/apple_mdm.go Adds new Fleet var and validates safe placement of PSSO registration token var in profiles.
server/service/apple_mdm_test.go Adds tests for PSSO registration token variable validation + licensing.
server/service/appconfig.go Adds apple account provisioning config validation + secret persistence in config assets + activity.
server/service/appconfig_test.go Adds tests covering secret storage/masking/clearing semantics and activity emission.
server/mock/service/service_mock.go Extends mock fleet.Service with PSSO method hooks.
server/mock/datastore_mock.go Extends mock datastore with PSSO device/key methods.
server/mdm/psso/providers.go Adds public constructor to wire Redis nonce store without importing internal package.
server/mdm/psso/internal/redis_nonces_store/redis_nonces_store.go Implements Redis-backed PSSO nonce store with TTL + consume semantics.
server/mdm/psso/internal/redis_nonces_store/redis_nonces_store_test.go Tests nonce store behavior in standalone and cluster redis test setups.
server/mdm/nanomdm/service/nanomdm/service.go Expands host-scoped secrets at command delivery time for secret profiles.
server/mdm/apple/psso/regtoken/regtoken.go Implements mint/validate logic for Fleet-signed device registration JWTs.
server/mdm/apple/psso/regtoken/regtoken_test.go Tests regtoken mint/validate, expiry, audience/method pinning, and PEM minting parity.
server/mdm/apple/profile_processor.go Rewrites new PSSO fleet var to host-secret placeholder and avoids per-host fanout when possible.
server/mdm/apple/profile_processor_test.go Tests PSSO placeholder behavior and fanout short-circuiting.
server/fleet/service.go Extends fleet.Service interface with PSSO methods.
server/fleet/secrets.go Adds new host secret type for PSSO device registration token.
server/fleet/mdm.go Adds PSSO fleet var regex and new mdm_config_assets names.
server/fleet/datastore.go Extends Datastore interface with PSSO device/key persistence methods.
server/fleet/apple_psso.go Adds fleet domain types for PSSO devices/keys/settings and AppleAccountProvisioning config.
server/fleet/apple_profiles.go Treats host-scoped secrets as “profiles with secrets” for secret-command path.
server/fleet/app.go Adds AppleAccountProvisioning to AppConfig MDM + masks secret in Obfuscate().
server/fleet/activities.go Adds new activity type for edited account provisioning settings.
server/datastore/mysql/secret_variables.go Adds host secret expansion path to mint PSSO registration token at delivery time.
server/datastore/mysql/secret_variables_test.go Tests token minting failure without signing key and successful mint/validation.
server/datastore/mysql/migrations/tables/20260708190008_AddPSSODeviceRegistrationTokenFleetVar.go Adds DB migration to insert new fleet variable definition.
server/datastore/mysql/migrations/tables/20260708190008_AddPSSODeviceRegistrationTokenFleetVar_test.go Tests fleet variable row insertion migration.
server/datastore/mysql/migrations/tables/20260708185958_CreateApplePSSOTables.go Adds PSSO device/key tables with FK cascade.
server/datastore/mysql/migrations/tables/20260708185958_CreateApplePSSOTables_test.go Tests PSSO tables constraints, timestamps, and cascade behavior.
server/datastore/mysql/hosts.go Documents intentional preservation of PSSO device/key rows across host deletion.
server/datastore/mysql/apple_psso.go Implements MySQL PSSO device/key CRUD/upsert operations.
server/datastore/mysql/apple_psso_test.go Tests MySQL PSSO upsert/get/list/delete semantics and re-registration behavior.
server/datastore/mysql/apple_mdm.go Clears PSSO registration on ADE re-enrollment reset.
server/datastore/mysql/apple_mdm_test.go Extends reset-on-reenrollment test to cover PSSO device/key cleanup.
pkg/spec/gitops.go Adds GitOps controls parsing + global-only enforcement for apple_account_provisioning.
pkg/spec/gitops_test.go Adds tests for apple_account_provisioning parsing and team-file rejection.
go.mod Promotes go-jose v3 to direct dependency.
ee/server/service/service.go Wires nonce store into EE service and adds PSSO service state fields.
ee/server/service/mdm_external_test.go Updates EE service constructor invocation for new arg.
ee/server/service/apple_psso_test.go Adds EE tests for configuration gating, nonce behavior, JWKS, and registration validation.
ee/server/service/apple_psso_idp_oidc_ropg.go Adds generic OIDC ROPG IdP client for password validation and claim extraction.
ee/server/service/apple_psso_crypto_test.go Adds extensive crypto/JWT/JWE tests for PSSO wire format and key derivations.
cmd/fleetctl/fleetctl/testdata/macosSetupExpectedAppConfigSet.yml Updates expected appconfig output to include apple_account_provisioning fields.
cmd/fleetctl/fleetctl/testdata/macosSetupExpectedAppConfigEmpty.yml Updates expected appconfig output to include apple_account_provisioning fields.
cmd/fleetctl/fleetctl/testdata/expectedGetConfigIncludeServerConfigYaml.yml Updates expected get-config yaml to include apple_account_provisioning.
cmd/fleetctl/fleetctl/testdata/expectedGetConfigIncludeServerConfigJson.json Updates expected get-config json to include apple_account_provisioning.
cmd/fleetctl/fleetctl/testdata/expectedGetConfigAppConfigYaml.yml Updates expected app-config yaml to include apple_account_provisioning.
cmd/fleetctl/fleetctl/testdata/expectedGetConfigAppConfigTeamMaintainerYaml.yml Updates expected team-maintainer yaml to include apple_account_provisioning.
cmd/fleetctl/fleetctl/testdata/expectedGetConfigAppConfigTeamMaintainerJson.json Updates expected team-maintainer json to include apple_account_provisioning.
cmd/fleetctl/fleetctl/testdata/expectedGetConfigAppConfigJson.json Updates expected app-config json to include apple_account_provisioning.
cmd/fleetctl/fleetctl/generate_gitops.go Emits apple_account_provisioning controls with TODO secret placeholder during generate-gitops.
cmd/fleetctl/fleetctl/generate_gitops_test.go Adds test for generate-gitops output for apple_account_provisioning.
cmd/fleet/serve.go Wires Redis nonce store into EE service and passes svc to Apple MDM protocol registration.
apps/fleet-desktop-macos/README.md Documents embedded Platform SSO extension, endpoints, entitlements, and signing requirements.
apps/fleet-desktop-macos/FleetPSSOExtension/Info.plist Adds appex metadata for Platform SSO extension.
apps/fleet-desktop-macos/FleetPSSOExtension/FleetPSSOExtension.entitlements Adds extension entitlements (sandbox, network, managed associated domains).
apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Shared.swift Adds shared helpers for registration payload, key IDs, UUID lookup, and login configuration.
apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+PSSO.swift Implements Platform SSO v2 Password-mode registration handler.
apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Networking.swift Adds URLSession networking + minimal JWKS parsing for encryption public key.
apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController.swift Adds principal class to satisfy extension load requirements.
apps/fleet-desktop-macos/FleetDesktop/FleetDesktop.entitlements Adds host app entitlements for managed associated domains.
apps/fleet-desktop-macos/fleet-sso-extension-example.mobileconfig Adds example profile showing BaseURL and RegistrationToken variable usage.
apps/fleet-desktop-macos/build.sh Builds and embeds the Platform SSO extension into the app bundle.
.github/workflows/fleet-desktop-macos-build.yml Adds provisioning-profile embedding + inside-out signing for app + appex.
docs/Contributing/research/mdm/psso.md Content excluded from automated review (policy-restricted).
Files excluded by content exclusion policy (1)
  • docs/Contributing/research/mdm/psso.md

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread cmd/fleetctl/fleetctl/generate_gitops.go
Comment on lines +32 to +50
func keyID(_ key: SecKey) -> String {
let digest = SHA256.hash(data: derRepresentation(of: key))
return Data(digest).base64URLEncodedString()
}

func derRepresentation(of key: SecKey) -> Data {
guard let pub = SecKeyCopyPublicKey(key),
let data = SecKeyCopyExternalRepresentation(pub, nil) as Data? else {
return Data()
}
return data
}

func pemRepresentation(of key: SecKey) -> String {
let der = derRepresentation(of: key)
let b64 = der.base64EncodedString(options: [.lineLength64Characters,
.endLineWithLineFeed])
return "-----BEGIN PUBLIC KEY-----\n\(b64)\n-----END PUBLIC KEY-----"
}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds valid enough, but I'm not quite sure of the Swift language to fully validate

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is actually valid, I will fix

Comment on lines +48 to +53
let payload = self.registrationPayload(
signing: signKey,
encryption: encKey,
registrationToken: registrationToken)
let ok = await self.postDeviceRegistration(payload: payload)
completion(ok ? .success : .failed)
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

This PR adds Apple Platform SSO support end to end: an embedded macOS PSSO extension and build/signing updates, server-side PSSO endpoints and crypto handling, Redis nonce storage, MySQL persistence and migrations, registration-token minting and validation, Apple profile validation and secret expansion, and AppConfig/GitOps support for Apple account provisioning. It also adds matching tests and fixtures across the affected areas.

Possibly related PRs

  • fleetdm/fleet#47181: Updates the macOS Fleet Desktop build and signing workflow for the Platform SSO extension.
  • fleetdm/fleet#47801: Touches the same Apple PSSO service and crypto code paths.
  • fleetdm/fleet#48048: Overlaps on the PSSO password-encryption/JWKS flow and related client/server crypto handling.
🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning Most feature goals are implemented, but the PR lacks the requested local build/test documentation and Fleet Server prerequisite notes. Add documentation for local build/test setup, including Fleet Server prerequisites such as AASA and any signing/notarization steps.
Docstring Coverage ⚠️ Warning Docstring coverage is 34.04% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check ❓ Inconclusive The title is too generic and does not clearly describe the Platform SSO/password-sync changes. Rename it to a concise summary like "Add macOS Platform SSO password sync support".
✅ Passed checks (2 passed)
Check name Status Explanation
Out of Scope Changes check ✅ Passed The changes are tightly focused on Platform SSO, GitOps, migrations, tests, and related wiring, with no obvious unrelated additions.
Description check ✅ Passed The description follows the template and covers the required issue, checklist, testing, migration, and GitOps sections.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/fleet-macos-password-sync

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🧹 Nitpick comments (3)
apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Networking.swift (1)

25-25: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Use an explicit short-lived URLSession timeout for Setup Assistant calls.

URLSession.shared can wait much longer than this registration flow should block. A dedicated ephemeral session with a bounded timeoutIntervalForRequest keeps registration/JWKS failures predictable.

Also applies to: 49-49

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController`+Networking.swift
at line 25, The JWKS fetch in AuthenticationViewController+Networking uses
URLSession.shared, which can block longer than the registration flow should
allow. Update the networking calls in this file to use a dedicated ephemeral
URLSession with a short timeoutIntervalForRequest instead of the shared session,
and apply the same timeout-bound session to the other matching network call
referenced in this controller so Setup Assistant failures surface quickly and
predictably.
server/mdm/apple/psso/regtoken/regtoken.go (1)

29-34: 🔒 Security & Privacy | 🔵 Trivial | 🏗️ Heavy lift

Consider a shorter-lived, revocable registration token.

A 5-year token with no jti/revocation tracking means a leaked registration token can't be individually revoked — the only remediation is rotating Fleet's PSSO signing key, which invalidates every host's token. DefaultValidity is the token lifetime. A long lifetime lets a device reuse the same token across re-registrations without resending the profile. Since Validate always checks against the currently-active signing key (per the PSSORegisterDevice flow), a per-token revocation list (keyed by a jti claim) or a considerably shorter TTL with re-issuance-on-profile-refresh would reduce blast radius if a profile leaks.

Also applies to: 79-117

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/mdm/apple/psso/regtoken/regtoken.go` around lines 29 - 34, Shorten the
registration token lifetime and add per-token revocation support in the PSSO
registration token flow. Update the token issuance/validation logic in
regtoken.go (especially DefaultValidity, Generate, and Validate) to include a
unique jti claim and check it against a revocation list, or otherwise reduce the
default TTL and reissue tokens during profile refresh so a leaked token can be
invalidated without rotating the global signing key.
server/service/handler.go (1)

1094-1105: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider rate-limiting the unauthenticated PSSO endpoints.

pssoNoncePath/pssoRegistrationPath/pssoTokenPath are registered on the no-auth endpointer with no rate limiter, unlike other unauthenticated endpoints in this function (login, sso, sso/callback, mdm/sso, forgot_password all get a dedicated throttled bucket). The nonce endpoint in particular mints and stores a value on every call with no authentication, which could be flooded to exhaust the nonce store.

💡 Example: reuse the existing rate-limit pattern
+	pssoLimiter := limiter.Limit("psso", throttled.RateQuota{MaxRate: throttled.PerMin(60), MaxBurst: 20})
-	ne.POST(pssoNoncePath, pssoNonceEndpoint, pssoNonceRequest{})
-	ne.POST(pssoRegistrationPath, pssoRegistrationEndpoint, pssoRegistrationRequest{})
-	ne.POST(pssoTokenPath, pssoTokenEndpoint, pssoTokenRequest{})
+	ne.WithCustomMiddleware(pssoLimiter).POST(pssoNoncePath, pssoNonceEndpoint, pssoNonceRequest{})
+	ne.WithCustomMiddleware(pssoLimiter).POST(pssoRegistrationPath, pssoRegistrationEndpoint, pssoRegistrationRequest{})
+	ne.WithCustomMiddleware(pssoLimiter).POST(pssoTokenPath, pssoTokenEndpoint, pssoTokenRequest{})
	ne.GET(pssoJWKSPath, pssoJWKSEndpoint, pssoJWKSRequest{})

Note: limiter is defined later in this function (Line 1176); the limiter setup would need to move earlier or a separate limiter instantiated near Line 1102.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/service/handler.go` around lines 1094 - 1105, The unauthenticated PSSO
routes registered in registerPSSO via ne.POST/ne.GET are missing the same
throttling used by other public endpoints in handler.go. Add a dedicated rate
limit bucket for pssoNonceEndpoint, pssoRegistrationEndpoint, and
pssoTokenEndpoint (especially pssoNonceEndpoint, which writes a nonce each
call), and wire it into the no-auth endpointer registration instead of leaving
these paths unthrottled. If needed, move or recreate the limiter near the
registerPSSO setup so these endpoints can share the existing throttled pattern.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController`+Networking.swift:
- Around line 24-36: The `loginRequestEncryptionKey(jwksURL:)` flow currently
returns `nil` on fetch/decode/key-selection failures, which lets registration
continue without a `loginRequestEncryptionPublicKey`. Update the caller path in
`AuthenticationViewController+Networking` to treat a missing Fleet encryption
JWK as a registration failure instead of silently falling back, and ensure the
`loginRequestEncryptionKey(jwksURL:)` result is validated so absence of the
`enc` key or any load/parse error stops saving the login configuration.

In
`@apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController`+Shared.swift:
- Around line 76-79: The BaseURL parsing in AuthenticationViewController+Shared
currently accepts any valid URL scheme, so update the validation to reject
non-HTTPS values before continuing. In the shared configuration path where
baseString is converted to URL and host is extracted, require the parsed URL
scheme to be HTTPS (alongside a non-nil host) and throw the existing FleetPSSO
error if it is anything else. Keep the change localized to the BaseURL guard so
all downstream registration, nonce, token, and JWKS endpoint construction only
proceeds from secure HTTPS configuration.
- Around line 37-50: The PEM conversion in derRepresentation(of:) /
pemRepresentation(of:) is wrapping raw SecKeyCopyExternalRepresentation output,
which is not valid for a PUBLIC KEY PEM. Update
AuthenticationViewController+Shared.swift so the key bytes are first encoded as
SPKI/PKIX SubjectPublicKeyInfo DER before base64-wrapping, especially for the
P-256 path, and then have pemRepresentation(of:) build the PEM from that SPKI
DER rather than the raw X9.63 bytes.

In `@ee/server/service/apple_psso.go`:
- Around line 398-432: The PSSO registration flow currently canonicalizes and
stores caller-supplied key IDs without verifying they belong to the submitted
public keys, which can let a valid registration overwrite another key row. In
`registerPSSODevice`, compute the expected device KID from each parsed public
key (using the existing `parseECPublicKeyPEM` results, e.g. a helper like
`computePSSODeviceKID`) and compare it to `req.SigningKeyID` and
`req.EncryptionKeyID` before building the `fleet.PSSOKey` list. Reject the
request with a bad request error if either KID does not match its corresponding
key, then proceed to `SetOrUpdatePSSODevice` only after both checks pass.

In `@server/service/appconfig_test.go`:
- Around line 2014-2016: The assertion in the test for AppleAccountProvisioning
secret masking only checks the masked case, so it can miss regressions where an
unmasked response still contains a secret. Update the test around
modified.MDM.AppleAccountProvisioning.OAuthIdPClientSecret.Value to also assert
the value is empty whenever tc.want.wantMasked is false, using the same test
block and response object so both masked and unmasked outcomes are validated.

In `@server/service/appconfig.go`:
- Around line 1142-1163: The provisioning flow in appconfig currently updates
`mdm_config_assets` via `persistAppleAccountProvisioningSecret` and
`bootstrapPSSOAssets` before `SaveAppConfig`, so a failed save can leave assets
out of sync with the stored AppConfig. Refactor the
`svc.persistAppleAccountProvisioningSecret`, `bootstrapPSSOAssets`, and
`svc.ds.SaveAppConfig` sequence into one atomic datastore transaction or a
single helper on the datastore/service layer so the secret/asset mutations and
AppConfig persistence succeed or fail together.

---

Nitpick comments:
In
`@apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController`+Networking.swift:
- Line 25: The JWKS fetch in AuthenticationViewController+Networking uses
URLSession.shared, which can block longer than the registration flow should
allow. Update the networking calls in this file to use a dedicated ephemeral
URLSession with a short timeoutIntervalForRequest instead of the shared session,
and apply the same timeout-bound session to the other matching network call
referenced in this controller so Setup Assistant failures surface quickly and
predictably.

In `@server/mdm/apple/psso/regtoken/regtoken.go`:
- Around line 29-34: Shorten the registration token lifetime and add per-token
revocation support in the PSSO registration token flow. Update the token
issuance/validation logic in regtoken.go (especially DefaultValidity, Generate,
and Validate) to include a unique jti claim and check it against a revocation
list, or otherwise reduce the default TTL and reissue tokens during profile
refresh so a leaked token can be invalidated without rotating the global signing
key.

In `@server/service/handler.go`:
- Around line 1094-1105: The unauthenticated PSSO routes registered in
registerPSSO via ne.POST/ne.GET are missing the same throttling used by other
public endpoints in handler.go. Add a dedicated rate limit bucket for
pssoNonceEndpoint, pssoRegistrationEndpoint, and pssoTokenEndpoint (especially
pssoNonceEndpoint, which writes a nonce each call), and wire it into the no-auth
endpointer registration instead of leaving these paths unthrottled. If needed,
move or recreate the limiter near the registerPSSO setup so these endpoints can
share the existing throttled pattern.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a60b58d9-b9ad-4928-8160-112523525db0

📥 Commits

Reviewing files that changed from the base of the PR and between 4c6aa75 and a44bf7f.

⛔ Files ignored due to path filters (2)
  • apps/fleet-desktop-macos/README.md is excluded by !**/*.md
  • docs/Contributing/research/mdm/psso.md is excluded by !**/*.md
📒 Files selected for processing (73)
  • .github/workflows/fleet-desktop-macos-build.yml
  • apps/fleet-desktop-macos/FleetDesktop/FleetDesktop.entitlements
  • apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Networking.swift
  • apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+PSSO.swift
  • apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Shared.swift
  • apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController.swift
  • apps/fleet-desktop-macos/FleetPSSOExtension/FleetPSSOExtension.entitlements
  • apps/fleet-desktop-macos/FleetPSSOExtension/Info.plist
  • apps/fleet-desktop-macos/build.sh
  • apps/fleet-desktop-macos/fleet-sso-extension-example.mobileconfig
  • cmd/fleet/serve.go
  • cmd/fleetctl/fleetctl/generate_gitops.go
  • cmd/fleetctl/fleetctl/generate_gitops_test.go
  • cmd/fleetctl/fleetctl/testdata/expectedGetConfigAppConfigJson.json
  • cmd/fleetctl/fleetctl/testdata/expectedGetConfigAppConfigTeamMaintainerJson.json
  • cmd/fleetctl/fleetctl/testdata/expectedGetConfigAppConfigTeamMaintainerYaml.yml
  • cmd/fleetctl/fleetctl/testdata/expectedGetConfigAppConfigYaml.yml
  • cmd/fleetctl/fleetctl/testdata/expectedGetConfigIncludeServerConfigJson.json
  • cmd/fleetctl/fleetctl/testdata/expectedGetConfigIncludeServerConfigYaml.yml
  • cmd/fleetctl/fleetctl/testdata/macosSetupExpectedAppConfigEmpty.yml
  • cmd/fleetctl/fleetctl/testdata/macosSetupExpectedAppConfigSet.yml
  • ee/server/service/apple_psso.go
  • ee/server/service/apple_psso_crypto.go
  • ee/server/service/apple_psso_crypto_test.go
  • ee/server/service/apple_psso_idp_oidc_ropg.go
  • ee/server/service/apple_psso_test.go
  • ee/server/service/mdm_external_test.go
  • ee/server/service/service.go
  • go.mod
  • pkg/spec/gitops.go
  • pkg/spec/gitops_test.go
  • server/datastore/mysql/apple_mdm.go
  • server/datastore/mysql/apple_mdm_test.go
  • server/datastore/mysql/apple_psso.go
  • server/datastore/mysql/apple_psso_test.go
  • server/datastore/mysql/hosts.go
  • server/datastore/mysql/migrations/tables/20260708185958_CreateApplePSSOTables.go
  • server/datastore/mysql/migrations/tables/20260708185958_CreateApplePSSOTables_test.go
  • server/datastore/mysql/migrations/tables/20260708190008_AddPSSODeviceRegistrationTokenFleetVar.go
  • server/datastore/mysql/migrations/tables/20260708190008_AddPSSODeviceRegistrationTokenFleetVar_test.go
  • server/datastore/mysql/schema.sql
  • server/datastore/mysql/secret_variables.go
  • server/datastore/mysql/secret_variables_test.go
  • server/fleet/activities.go
  • server/fleet/app.go
  • server/fleet/apple_profiles.go
  • server/fleet/apple_psso.go
  • server/fleet/datastore.go
  • server/fleet/mdm.go
  • server/fleet/secrets.go
  • server/fleet/service.go
  • server/mdm/apple/profile_processor.go
  • server/mdm/apple/profile_processor_test.go
  • server/mdm/apple/psso/regtoken/regtoken.go
  • server/mdm/apple/psso/regtoken/regtoken_test.go
  • server/mdm/nanomdm/service/nanomdm/service.go
  • server/mdm/psso/internal/redis_nonces_store/redis_nonces_store.go
  • server/mdm/psso/internal/redis_nonces_store/redis_nonces_store_test.go
  • server/mdm/psso/providers.go
  • server/mock/datastore_mock.go
  • server/mock/service/service_mock.go
  • server/service/appconfig.go
  • server/service/appconfig_test.go
  • server/service/apple_mdm.go
  • server/service/apple_mdm_test.go
  • server/service/apple_psso.go
  • server/service/apple_psso_test.go
  • server/service/client.go
  • server/service/handler.go
  • server/service/svctest/server.go
  • server/service/svctest/service.go
  • server/service/testing_utils_test.go
  • tools/cloner-check/generated_files/appconfig.txt

Comment thread ee/server/service/apple_psso.go
Comment thread server/service/appconfig_test.go
Comment thread server/service/appconfig.go
…for TokenToUserMapping(e.g. setting custom full name/account name) (#48161)

Resolves: #47173

Basically anything mapped into the IdP profile prefixed with
account(e.g. accountFullName, accountUserName) can now be referenced by
the profile's TokenToUserMapping and mapped to user attributes like
FullName or Username(short name)

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)

- [x] QA'd all new/changed functionality manually


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Improved Apple PSSO login handling for shared devices and user
registration, including better validation before completing sign-in.
* Custom identity-provider account claims can now be carried through
sign-in more reliably, while keeping system-controlled login fields
protected.
* The login flow now consistently targets the correct PSSO endpoint for
key handling.

* **Bug Fixes**
* Fixed cases where user registration could proceed without a valid
username or fail to save login configuration cleanly.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
ee/server/service/apple_psso_token_mapping_test.go (1)

67-106: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Expand reserved-claim smuggling coverage in TestBuildPSSOIDTokenClaims.

The test only smuggles iss and exp through Extra (lines 81–82). Since buildPSSOIDTokenClaims also sets sub, aud, nonce, and iat as Fleet-controlled values, adding these to the Extra map would verify that all reserved claims are overridden — not just two of them.

♻️ Proposed addition to the Extra map
 		// An IdP that tries to smuggle reserved claims must not win.
 		"iss":   "https://evil.example.com",
 		"exp":   int64(1),
+		"sub":   "evil-sub",
+		"aud":   "evil-client",
+		"nonce": "evil-nonce",
+		"iat":   int64(0),
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ee/server/service/apple_psso_token_mapping_test.go` around lines 67 - 106,
`TestBuildPSSOIDTokenClaims` only verifies reserved-claim overriding for `iss`
and `exp`; expand the `idpClaims.Extra` setup in `buildPSSOIDTokenClaims`
coverage to also include smuggled `sub`, `aud`, `nonce`, and `iat` values. Then
assert those keys still resolve to the Fleet-controlled values returned by
`buildPSSOIDTokenClaims`, ensuring every reserved claim is overridden, not just
`iss` and `exp`.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@ee/server/service/apple_psso_token_mapping_test.go`:
- Around line 67-106: `TestBuildPSSOIDTokenClaims` only verifies reserved-claim
overriding for `iss` and `exp`; expand the `idpClaims.Extra` setup in
`buildPSSOIDTokenClaims` coverage to also include smuggled `sub`, `aud`,
`nonce`, and `iat` values. Then assert those keys still resolve to the
Fleet-controlled values returned by `buildPSSOIDTokenClaims`, ensuring every
reserved claim is overridden, not just `iss` and `exp`.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 67500167-86f0-4456-8d0b-d9f4d8a2a642

📥 Commits

Reviewing files that changed from the base of the PR and between a44bf7f and 10d0901.

⛔ Files ignored due to path filters (1)
  • docs/Contributing/research/mdm/psso.md is excluded by !**/*.md
📒 Files selected for processing (5)
  • apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+PSSO.swift
  • apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Shared.swift
  • ee/server/service/apple_psso.go
  • ee/server/service/apple_psso_idp_oidc_ropg.go
  • ee/server/service/apple_psso_token_mapping_test.go
🚧 Files skipped from review as they are similar to previous changes (3)
  • ee/server/service/apple_psso_idp_oidc_ropg.go
  • apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Shared.swift
  • ee/server/service/apple_psso.go

MagnusHJensen
MagnusHJensen previously approved these changes Jul 9, 2026

@MagnusHJensen MagnusHJensen left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall code looks good to me, flow as well. Tested on my local mac and it worked just fine.

Take a look at the AI comments, some I think seem valid enough. Ping me for a re-review once addressed

…assword-sync

# Conflicts:
#	server/datastore/mysql/schema.sql
…assword-sync

# Conflicts:
#	server/fleet/service.go
#	server/mock/service/service_mock.go
@JordanMontgomery JordanMontgomery merged commit a334816 into main Jul 9, 2026
58 checks passed
@JordanMontgomery JordanMontgomery deleted the feature/fleet-macos-password-sync branch July 9, 2026 18:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

macOS local account: initial account creation and sync password based on IdP credentials from any IdP that supports OAuth ROPG

4 participants