Test fixes.

cmd/fleetctl/testdata/expectedGetConfigAppConfigJson.json

@@ -90,7 +90,8 @@
 		"integrations": {
 			"jira": null,
 			"zendesk": null,
-			"google_calendar": null
+			"google_calendar": null,
+			"ndes_scep_proxy": null
 		},
 		"mdm": {
 			"apple_bm_terms_expired": false,

cmd/fleetctl/testdata/expectedGetConfigAppConfigYaml.yml

@@ -16,6 +16,7 @@ spec:
   integrations:
     google_calendar: null
     jira: null
+    ndes_scep_proxy: null
     zendesk: null
   mdm:
     apple_bm_terms_expired: false

cmd/fleetctl/testdata/expectedGetConfigIncludeServerConfigJson.json

@@ -140,7 +140,8 @@
 		"integrations": {
 			"jira": null,
 			"zendesk": null,
-			"google_calendar": null
+			"google_calendar": null,
+			"ndes_scep_proxy": null
 		},
 		"update_interval": {
 			"osquery_detail": "1h0m0s",

cmd/fleetctl/testdata/expectedGetConfigIncludeServerConfigYaml.yml

@@ -16,6 +16,7 @@ spec:
   integrations:
     google_calendar: null
     jira: null
+    ndes_scep_proxy: null
     zendesk: null
   mdm:
     apple_business_manager: null

cmd/fleetctl/testdata/macosSetupExpectedAppConfigEmpty.yml

@@ -16,6 +16,7 @@ spec:
   integrations:
     google_calendar: null
     jira: null
+    ndes_scep_proxy: null
     zendesk: null
   mdm:
     apple_business_manager:

cmd/fleetctl/testdata/macosSetupExpectedAppConfigSet.yml

@@ -16,6 +16,7 @@ spec:
   integrations:
     google_calendar: null
     jira: null
+    ndes_scep_proxy: null
     zendesk: null
   mdm:
     apple_business_manager:

ee/server/service/scep_proxy.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/Azure/go-ntlmssp"
+	"github.com/fleetdm/fleet/v4/pkg/fleethttp"
 	"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
 	"github.com/fleetdm/fleet/v4/server/fleet"
 	scepclient "github.com/fleetdm/fleet/v4/server/mdm/scep/client"
@@ -54,10 +55,9 @@ func NewSCEPProxyService(logger log.Logger) scepserver.Service {
 func ValidateNDESSCEPAdminURL(ctx context.Context, proxy *fleet.NDESSCEPProxyIntegration) error {
 	adminURL, username, password := proxy.AdminURL, proxy.Username, proxy.Password
 	// Get the challenge from NDES
-	client := &http.Client{
-		Transport: ntlmssp.Negotiator{
-			RoundTripper: &http.Transport{},
-		},
+	client := fleethttp.NewClient()
+	client.Transport = ntlmssp.Negotiator{
+		RoundTripper: fleethttp.NewTransport(),
 	}
 	req, err := http.NewRequest(http.MethodGet, adminURL, http.NoBody)
 	if err != nil {
@@ -76,6 +76,9 @@ func ValidateNDESSCEPAdminURL(ctx context.Context, proxy *fleet.NDESSCEPProxyInt
 	// Make a Reader that uses utf16bom:
 	unicodeReader := transform.NewReader(resp.Body, utf16bom)
 	bodyText, err := io.ReadAll(unicodeReader)
+	if err != nil {
+		return ctxerr.Wrap(ctx, err, "reading response body")
+	}
 	htmlString := string(bodyText)
 
 	matches := challengeRegex.FindStringSubmatch(htmlString)

server/datastore/mysql/app_configs.go

@@ -85,11 +85,21 @@ func (ds *Datastore) SaveAppConfig(ctx context.Context, info *fleet.AppConfig) e
 func (ds *Datastore) insertOrReplaceConfigAsset(ctx context.Context, asset fleet.MDMConfigAsset) error {
 	assets, err := ds.GetAllMDMConfigAssetsByName(ctx, []fleet.MDMAssetName{asset.Name})
 	if err != nil {
+		if fleet.IsNotFound(err) {
+			return ds.InsertMDMConfigAssets(ctx, []fleet.MDMConfigAsset{asset})
+		}
 		return ctxerr.Wrap(ctx, err, "get all mdm config assets by name")
 	}
 	if len(assets) == 0 {
-		return ds.InsertMDMConfigAssets(ctx, []fleet.MDMConfigAsset{asset})
-	} else if !bytes.Equal(assets[asset.Name].Value, asset.Value) {
+		// Should never happen
+		return ctxerr.New(ctx, fmt.Sprintf("no asset found for name %s", asset.Name))
+	}
+	currentAsset, ok := assets[asset.Name]
+	if !ok {
+		// Should never happen
+		return ctxerr.New(ctx, fmt.Sprintf("asset not found for name %s", asset.Name))
+	}
+	if !bytes.Equal(currentAsset.Value, asset.Value) {
 		return ds.ReplaceMDMConfigAssets(ctx, []fleet.MDMConfigAsset{asset})
 	}
 	// asset already exists and is the same, so not need to update

server/datastore/mysql/app_configs_test.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/fleetdm/fleet/v4/pkg/optjson"
+	"github.com/fleetdm/fleet/v4/server/contexts/ctxdb"
 	"github.com/fleetdm/fleet/v4/server/ptr"
 
 	"github.com/fleetdm/fleet/v4/server/fleet"
@@ -35,6 +36,7 @@ func TestAppConfig(t *testing.T) {
 		{"Backwards Compatibility", testAppConfigBackwardsCompatibility},
 		{"GetConfigEnableDiskEncryption", testGetConfigEnableDiskEncryption},
 		{"IsEnrollSecretAvailable", testIsEnrollSecretAvailable},
+		{"NDESSCEPProxyPassword", testNDESSCEPProxyPassword},
 	}
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
@@ -533,3 +535,64 @@ func testIsEnrollSecretAvailable(t *testing.T, ds *Datastore) {
 	}
 
 }
+
+func testNDESSCEPProxyPassword(t *testing.T, ds *Datastore) {
+	ctx := context.Background()
+	ctx = ctxdb.BypassCachedMysql(ctx, true)
+	defer TruncateTables(t, ds)
+
+	ac, err := ds.AppConfig(ctx)
+	require.NoError(t, err)
+
+	adminURL := "https://localhost:8080/mscep_admin/"
+	username := "admin"
+	url := "https://localhost:8080/mscep/mscep.dll"
+	password := "password"
+
+	ac.Integrations.NDESSCEPProxy = &fleet.NDESSCEPProxyIntegration{
+		AdminURL: adminURL,
+		Username: username,
+		Password: password,
+		URL:      url,
+	}
+
+	err = ds.SaveAppConfig(ctx, ac)
+	require.NoError(t, err)
+
+	checkProxyConfig := func() {
+		result, err := ds.AppConfig(ctx)
+		require.NoError(t, err)
+		require.NotNil(t, result.Integrations.NDESSCEPProxy)
+		assert.Equal(t, url, result.Integrations.NDESSCEPProxy.URL)
+		assert.Equal(t, adminURL, result.Integrations.NDESSCEPProxy.AdminURL)
+		assert.Equal(t, username, result.Integrations.NDESSCEPProxy.Username)
+		assert.Equal(t, fleet.MaskedPassword, result.Integrations.NDESSCEPProxy.Password)
+	}
+
+	checkProxyConfig()
+
+	checkPassword := func() {
+		assets, err := ds.GetAllMDMConfigAssetsByName(ctx, []fleet.MDMAssetName{fleet.MDMAssetNDESPassword})
+		require.NoError(t, err)
+		require.Len(t, assets, 1)
+		assert.Equal(t, password, string(assets[fleet.MDMAssetNDESPassword].Value))
+	}
+	checkPassword()
+
+	// Set password to masked password -- should not update
+	ac.Integrations.NDESSCEPProxy.Password = fleet.MaskedPassword
+	err = ds.SaveAppConfig(ctx, ac)
+	require.NoError(t, err)
+	checkProxyConfig()
+	checkPassword()
+
+	// Set password to empty -- should not update
+	url = "https://newurl.com"
+	ac.Integrations.NDESSCEPProxy.Password = ""
+	ac.Integrations.NDESSCEPProxy.URL = url
+	err = ds.SaveAppConfig(ctx, ac)
+	require.NoError(t, err)
+	checkProxyConfig()
+	checkPassword()
+
+}

server/datastore/mysql/schema.sql

@@ -65,7 +65,7 @@ CREATE TABLE `app_config_json` (
   UNIQUE KEY `id` (`id`)
 ) /*!50100 TABLESPACE `innodb_system` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 /*!40101 SET character_set_client = @saved_cs_client */;
-INSERT INTO `app_config_json` VALUES (1,'{\"mdm\": {\"ios_updates\": {\"deadline\": null, \"minimum_version\": null}, \"macos_setup\": {\"bootstrap_package\": null, \"macos_setup_assistant\": null, \"enable_end_user_authentication\": false, \"enable_release_device_manually\": false}, \"macos_updates\": {\"deadline\": null, \"minimum_version\": null}, \"ipados_updates\": {\"deadline\": null, \"minimum_version\": null}, \"macos_settings\": {\"custom_settings\": null}, \"macos_migration\": {\"mode\": \"\", \"enable\": false, \"webhook_url\": \"\"}, \"windows_updates\": {\"deadline_days\": null, \"grace_period_days\": null}, \"windows_settings\": {\"custom_settings\": null}, \"apple_bm_terms_expired\": false, \"apple_business_manager\": null, \"enable_disk_encryption\": false, \"enabled_and_configured\": false, \"end_user_authentication\": {\"idp_name\": \"\", \"metadata\": \"\", \"entity_id\": \"\", \"issuer_uri\": \"\", \"metadata_url\": \"\"}, \"volume_purchasing_program\": null, \"windows_enabled_and_configured\": false, \"apple_bm_enabled_and_configured\": false}, \"scripts\": null, \"features\": {\"enable_host_users\": true, \"enable_software_inventory\": false}, \"org_info\": {\"org_name\": \"\", \"contact_url\": \"\", \"org_logo_url\": \"\", \"org_logo_url_light_background\": \"\"}, \"integrations\": {\"jira\": null, \"zendesk\": null, \"google_calendar\": null}, \"sso_settings\": {\"idp_name\": \"\", \"metadata\": \"\", \"entity_id\": \"\", \"enable_sso\": false, \"issuer_uri\": \"\", \"metadata_url\": \"\", \"idp_image_url\": \"\", \"enable_jit_role_sync\": false, \"enable_sso_idp_login\": false, \"enable_jit_provisioning\": false}, \"agent_options\": {\"config\": {\"options\": {\"logger_plugin\": \"tls\", \"pack_delimiter\": \"/\", \"logger_tls_period\": 10, \"distributed_plugin\": \"tls\", \"disable_distributed\": false, \"logger_tls_endpoint\": \"/api/osquery/log\", \"distributed_interval\": 10, \"distributed_tls_max_attempts\": 3}, \"decorators\": {\"load\": [\"SELECT uuid AS host_uuid FROM system_info;\", \"SELECT hostname AS hostname FROM system_info;\"]}}, \"overrides\": {}}, \"fleet_desktop\": {\"transparency_url\": \"\"}, \"smtp_settings\": {\"port\": 587, \"domain\": \"\", \"server\": \"\", \"password\": \"\", \"user_name\": \"\", \"configured\": false, \"enable_smtp\": false, \"enable_ssl_tls\": true, \"sender_address\": \"\", \"enable_start_tls\": true, \"verify_ssl_certs\": true, \"authentication_type\": \"0\", \"authentication_method\": \"0\"}, \"server_settings\": {\"server_url\": \"\", \"enable_analytics\": false, \"query_report_cap\": 0, \"scripts_disabled\": false, \"deferred_save_host\": false, \"live_query_disabled\": false, \"ai_features_disabled\": false, \"query_reports_disabled\": false}, \"webhook_settings\": {\"interval\": \"0s\", \"activities_webhook\": {\"destination_url\": \"\", \"enable_activities_webhook\": false}, \"host_status_webhook\": {\"days_count\": 0, \"destination_url\": \"\", \"host_percentage\": 0, \"enable_host_status_webhook\": false}, \"vulnerabilities_webhook\": {\"destination_url\": \"\", \"host_batch_size\": 0, \"enable_vulnerabilities_webhook\": false}, \"failing_policies_webhook\": {\"policy_ids\": null, \"destination_url\": \"\", \"host_batch_size\": 0, \"enable_failing_policies_webhook\": false}}, \"host_expiry_settings\": {\"host_expiry_window\": 0, \"host_expiry_enabled\": false}, \"vulnerability_settings\": {\"databases_path\": \"\"}, \"activity_expiry_settings\": {\"activity_expiry_window\": 0, \"activity_expiry_enabled\": false}}','2020-01-01 01:01:01','2020-01-01 01:01:01');
+INSERT INTO `app_config_json` VALUES (1,'{\"mdm\": {\"ios_updates\": {\"deadline\": null, \"minimum_version\": null}, \"macos_setup\": {\"bootstrap_package\": null, \"macos_setup_assistant\": null, \"enable_end_user_authentication\": false, \"enable_release_device_manually\": false}, \"macos_updates\": {\"deadline\": null, \"minimum_version\": null}, \"ipados_updates\": {\"deadline\": null, \"minimum_version\": null}, \"macos_settings\": {\"custom_settings\": null}, \"macos_migration\": {\"mode\": \"\", \"enable\": false, \"webhook_url\": \"\"}, \"windows_updates\": {\"deadline_days\": null, \"grace_period_days\": null}, \"windows_settings\": {\"custom_settings\": null}, \"apple_bm_terms_expired\": false, \"apple_business_manager\": null, \"enable_disk_encryption\": false, \"enabled_and_configured\": false, \"end_user_authentication\": {\"idp_name\": \"\", \"metadata\": \"\", \"entity_id\": \"\", \"issuer_uri\": \"\", \"metadata_url\": \"\"}, \"volume_purchasing_program\": null, \"windows_enabled_and_configured\": false, \"apple_bm_enabled_and_configured\": false}, \"scripts\": null, \"features\": {\"enable_host_users\": true, \"enable_software_inventory\": false}, \"org_info\": {\"org_name\": \"\", \"contact_url\": \"\", \"org_logo_url\": \"\", \"org_logo_url_light_background\": \"\"}, \"integrations\": {\"jira\": null, \"zendesk\": null, \"google_calendar\": null, \"ndes_scep_proxy\": null}, \"sso_settings\": {\"idp_name\": \"\", \"metadata\": \"\", \"entity_id\": \"\", \"enable_sso\": false, \"issuer_uri\": \"\", \"metadata_url\": \"\", \"idp_image_url\": \"\", \"enable_jit_role_sync\": false, \"enable_sso_idp_login\": false, \"enable_jit_provisioning\": false}, \"agent_options\": {\"config\": {\"options\": {\"logger_plugin\": \"tls\", \"pack_delimiter\": \"/\", \"logger_tls_period\": 10, \"distributed_plugin\": \"tls\", \"disable_distributed\": false, \"logger_tls_endpoint\": \"/api/osquery/log\", \"distributed_interval\": 10, \"distributed_tls_max_attempts\": 3}, \"decorators\": {\"load\": [\"SELECT uuid AS host_uuid FROM system_info;\", \"SELECT hostname AS hostname FROM system_info;\"]}}, \"overrides\": {}}, \"fleet_desktop\": {\"transparency_url\": \"\"}, \"smtp_settings\": {\"port\": 587, \"domain\": \"\", \"server\": \"\", \"password\": \"\", \"user_name\": \"\", \"configured\": false, \"enable_smtp\": false, \"enable_ssl_tls\": true, \"sender_address\": \"\", \"enable_start_tls\": true, \"verify_ssl_certs\": true, \"authentication_type\": \"0\", \"authentication_method\": \"0\"}, \"server_settings\": {\"server_url\": \"\", \"enable_analytics\": false, \"query_report_cap\": 0, \"scripts_disabled\": false, \"deferred_save_host\": false, \"live_query_disabled\": false, \"ai_features_disabled\": false, \"query_reports_disabled\": false}, \"webhook_settings\": {\"interval\": \"0s\", \"activities_webhook\": {\"destination_url\": \"\", \"enable_activities_webhook\": false}, \"host_status_webhook\": {\"days_count\": 0, \"destination_url\": \"\", \"host_percentage\": 0, \"enable_host_status_webhook\": false}, \"vulnerabilities_webhook\": {\"destination_url\": \"\", \"host_batch_size\": 0, \"enable_vulnerabilities_webhook\": false}, \"failing_policies_webhook\": {\"policy_ids\": null, \"destination_url\": \"\", \"host_batch_size\": 0, \"enable_failing_policies_webhook\": false}}, \"host_expiry_settings\": {\"host_expiry_window\": 0, \"host_expiry_enabled\": false}, \"vulnerability_settings\": {\"databases_path\": \"\"}, \"activity_expiry_settings\": {\"activity_expiry_window\": 0, \"activity_expiry_enabled\": false}}','2020-01-01 01:01:01','2020-01-01 01:01:01');
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!50503 SET character_set_client = utf8mb4 */;
 CREATE TABLE `calendar_events` (