Skip to content

Android certs support all idp vars#48100

Merged
ksykulev merged 2 commits into
mainfrom
36774-cert-idp
Jun 23, 2026
Merged

Android certs support all idp vars#48100
ksykulev merged 2 commits into
mainfrom
36774-cert-idp

Conversation

@ksykulev

@ksykulev ksykulev commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Related issue: Resolves #36774

Checklist for submitter

If some of the following don't apply, delete the relevant line.

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.

Testing

  • Added/updated automated tests
  • QA'd all new/changed functionality manually

Summary by CodeRabbit

  • New Features
    • Certificate templates now support additional variables for subject names and SANs, including host platform and identity-provider-derived fields such as username (local part), groups, department, and full name.
  • Bug Fixes
    • Improved validation and error handling for missing host or identity-provider data during template variable substitution.
  • Tests
    • Expanded coverage for supported/unsupported variables, correct placeholder replacement, caching behavior, and RFC 4514 escaping in DN-related values.

Copilot AI review requested due to automatic review settings June 23, 2026 18:20
@ksykulev ksykulev requested a review from a team as a code owner June 23, 2026 18:20

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning

  • Copilot's review of this pull request may be incomplete because some of the changed files are excluded by your Copilot content exclusion settings. See Excluding content from Copilot for details.

Pull request overview

This PR expands Android certificate template variable support so templates can reference HOST_PLATFORM and the full set of HOST_END_USER_IDP_* variables, and updates unit tests to cover the new validation and substitution behavior.

Changes:

  • Allow additional Fleet variables in certificate template subject names/SANs: HOST_PLATFORM, HOST_END_USER_IDP_USERNAME_LOCAL_PART, HOST_END_USER_IDP_GROUPS, HOST_END_USER_IDP_DEPARTMENT, HOST_END_USER_IDP_FULL_NAME.
  • Refactor certificate variable substitution to reuse shared end-user fetching logic and add substitution implementations for the newly supported variables.
  • Add/adjust unit tests to validate SAN variable allowlisting and to cover substitution + error cases for all supported variables.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

File Description
server/service/certificate_templates.go Adds support for additional host/IdP variables and refactors substitution logic for certificate templates.
server/service/certificate_templates_test.go Updates SAN validation tests and adds direct substitution tests for all supported variables.
Files excluded by content exclusion policy (1)
  • changes/36774-cert-template-all-idp-vars

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread server/service/certificate_templates.go
Comment thread server/service/certificate_templates.go
@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ee7970e9-625e-4da2-bb14-4a0d507947ac

📥 Commits

Reviewing files that changed from the base of the PR and between 05680a3 and 535b9d7.

📒 Files selected for processing (2)
  • server/service/certificate_templates.go
  • server/service/certificate_templates_test.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • server/service/certificate_templates_test.go
  • server/service/certificate_templates.go

Walkthrough

The PR expands Fleet's certificate template variable support. fleetVarsSupportedInCertificateTemplates gains HostPlatform and four IdP-derived fields: username local part, groups, department, and full name. Inside replaceCertificateVariables, inline end-user memoization is replaced by two helper closures—fetchEndUsers (lazy, memoized datastore call) and requireIDPUser (cached lookup with error on empty IdpUserName). The substitution switch is extended to handle all new variables, including string splitting for the local username part, joining for groups, and non-empty validation for department and full name. Tests update the SAN validation assertions and add a comprehensive TestReplaceCertificateVariables suite with RFC 4514 escaping coverage.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Android certs support all idp vars' directly summarizes the main change: expanding certificate template support to include all IdP variables and host platform.
Description check ✅ Passed The PR description includes the required 'Related issue' field and checks for changes file and testing, meeting the template requirements for this change type.
Linked Issues check ✅ Passed The PR successfully implements all objectives from issue #36774: adds support for all $FLEET_VAR_HOST_END_USER_IDP_* variables (local_part, groups, department, fullname) and FLEET_VAR_HOST_PLATFORM.
Out of Scope Changes check ✅ Passed All changes are directly related to the linked issue objectives: expanding certificate template variable support for IdP fields and adding platform support.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch 36774-cert-idp

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
server/service/certificate_templates_test.go (1)

673-707: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Optional: subtests mutate shared ds.ScimUserByHostIDFunc without restoring it.

These error-path subtests reassign ds.ScimUserByHostIDFunc in place and never restore the original. The suite only passes because the happy-path subtests run before them; any future reordering or insertion would silently break. Consider scoping a fresh ds/func per subtest (or t.Cleanup to restore) to remove the ordering dependency.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/service/certificate_templates_test.go` around lines 673 - 707, The
test subtests are mutating the shared ds.ScimUserByHostIDFunc without restoring
it between test cases, creating an ordering dependency. To fix this, either
create a fresh ds instance at the beginning of each subtest (the "missing IDP
user returns error", "missing groups returns error", "missing department returns
error", and "missing full name returns error" subtests) or use t.Cleanup to save
and restore the original ds.ScimUserByHostIDFunc value after each subtest
completes. This ensures that each subtest is isolated and test execution order
does not affect the results.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@server/service/certificate_templates.go`:
- Around line 180-207: The IdP values (user.IdpGroups, user.Department, and
user.IdpFullName) in the replaceCertificateVariables function are being inserted
directly into certificate subject/SAN strings without escaping, which can cause
X.500 DN injection. Create or apply an RFC 4514 LDAP string encoding escape
function that converts special characters like commas to their escaped form
(e.g., comma becomes \,) before performing the substitutions. Apply this
escaping to each individual IdpGroups element before the strings.Join call, to
the user.Department value before the ReplaceAllString call, and to the fullName
value before its ReplaceAllString call, ensuring all untrusted IdP data is
properly escaped before being substituted into the certificate strings.

---

Nitpick comments:
In `@server/service/certificate_templates_test.go`:
- Around line 673-707: The test subtests are mutating the shared
ds.ScimUserByHostIDFunc without restoring it between test cases, creating an
ordering dependency. To fix this, either create a fresh ds instance at the
beginning of each subtest (the "missing IDP user returns error", "missing groups
returns error", "missing department returns error", and "missing full name
returns error" subtests) or use t.Cleanup to save and restore the original
ds.ScimUserByHostIDFunc value after each subtest completes. This ensures that
each subtest is isolated and test execution order does not affect the results.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e865393f-2957-4b3c-8718-6f3d1acaf457

📥 Commits

Reviewing files that changed from the base of the PR and between b55d458 and 05680a3.

📒 Files selected for processing (3)
  • changes/36774-cert-template-all-idp-vars
  • server/service/certificate_templates.go
  • server/service/certificate_templates_test.go

Comment thread server/service/certificate_templates.go Outdated
@codecov

codecov Bot commented Jun 23, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 72.60274% with 20 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.32%. Comparing base (b55d458) to head (535b9d7).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
server/service/certificate_templates.go 72.60% 13 Missing and 7 partials ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main   #48100   +/-   ##
=======================================
  Coverage   67.32%   67.32%           
=======================================
  Files        3657     3657           
  Lines      231272   231331   +59     
  Branches    12240    12240           
=======================================
+ Hits       155698   155742   +44     
- Misses      61605    61614    +9     
- Partials    13969    13975    +6     
Flag Coverage Δ
backend 68.94% <72.60%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@ksykulev ksykulev merged commit a93c617 into main Jun 23, 2026
45 checks passed
@ksykulev ksykulev deleted the 36774-cert-idp branch June 23, 2026 21:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Android certs: support all variables prefixed with $FLEET_VAR_HOST_END_USER_IDP_

3 participants