host details status

server/fleet/hosts.go

@@ -678,6 +678,12 @@ func (h *Host) IsDEPAssignedToFleet() bool {
 	return h.DEPAssignedToFleet != nil && *h.DEPAssignedToFleet
 }
 
+// IsLUKSSupported returns true if the host's platform is Linux and running
+// one of the supported OS versions.
+func (h *Host) IsLUKSSupported() bool {
+	return h.Platform == "ubuntu" || strings.Contains(h.OSVersion, "Fedora") // fedora h.Platform reports as "rhel"
+}
+
 // IsEligibleForWindowsMDMUnenrollment returns true if the host must be
 // unenrolled from Fleet's Windows MDM (if it MDM was disabled).
 func (h *Host) IsEligibleForWindowsMDMUnenrollment(isConnectedToFleetMDM bool) bool {
@@ -1169,6 +1175,7 @@ type HostDiskEncryptionKey struct {
 	Decryptable     *bool     `json:"-" db:"decryptable"`
 	UpdatedAt       time.Time `json:"updated_at" db:"updated_at"`
 	DecryptedValue  string    `json:"key" db:"-"`
+	ClientError     string    `json:"-" db:"client_error"`
 }
 
 // HostSoftwareInstalledPath represents where in the file system a software on a host was installed

server/fleet/service.go

@@ -1049,6 +1049,13 @@ type Service interface {
 		assumeEnabled *bool,
 	) error
 
+	///////////////////////////////////////////////////////////////////////////////
+	// Linux MDM
+
+	// LinuxHostDiskEncryptionStatus returns the current disk encryption status of the specified Linx host
+	// Returns empty status if the host is not a supported Linux host
+	LinuxHostDiskEncryptionStatus(ctx context.Context, host Host) (HostMDMDiskEncryption, error)
+
 	///////////////////////////////////////////////////////////////////////////////
 	// Common MDM
 

server/service/hosts.go

@@ -1240,6 +1240,14 @@ func (svc *Service) getHostDetails(ctx context.Context, host *fleet.Host, opts f
 	}
 	host.MDM.Profiles = &profiles
 
+	if host.IsLUKSSupported() {
+		status, err := svc.LinuxHostDiskEncryptionStatus(ctx, *host)
+		if err != nil {
+			return nil, ctxerr.Wrap(ctx, err, "get host disk encryption status")
+		}
+		host.MDM.OSSettings.DiskEncryption = status
+	}
+
 	var macOSSetup *fleet.HostMDMMacOSSetup
 	if ac.MDM.EnabledAndConfigured && license.IsPremium(ctx) {
 		macOSSetup, err = svc.ds.GetHostMDMMacOSSetup(ctx, host.ID)

server/service/linux_mdm.go

@@ -0,0 +1,44 @@
+package service
+
+import (
+	"context"
+
+	"github.com/fleetdm/fleet/v4/server/fleet"
+)
+
+func (svc *Service) LinuxHostDiskEncryptionStatus(ctx context.Context, host fleet.Host) (fleet.HostMDMDiskEncryption, error) {
+	if !host.IsLUKSSupported() {
+		return fleet.HostMDMDiskEncryption{}, nil
+	}
+
+	actionRequired := fleet.DiskEncryptionActionRequired
+	verified := fleet.DiskEncryptionVerified
+	failed := fleet.DiskEncryptionFailed
+
+	key, err := svc.ds.GetHostDiskEncryptionKey(ctx, host.ID)
+	if err != nil {
+		if fleet.IsNotFound(err) {
+			return fleet.HostMDMDiskEncryption{
+				Status: &actionRequired,
+			}, nil
+		}
+		return fleet.HostMDMDiskEncryption{}, err
+	}
+
+	if key.ClientError != "" {
+		return fleet.HostMDMDiskEncryption{
+			Status: &failed,
+			Detail: key.ClientError,
+		}, nil
+	}
+
+	if key.Base64Encrypted == "" {
+		return fleet.HostMDMDiskEncryption{
+			Status: &actionRequired,
+		}, nil
+	}
+
+	return fleet.HostMDMDiskEncryption{
+		Status: &verified,
+	}, nil
+}

server/service/linux_mdm_test.go

@@ -0,0 +1,103 @@
+package service
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/fleetdm/fleet/v4/server/fleet"
+	"github.com/fleetdm/fleet/v4/server/mock"
+	"github.com/fleetdm/fleet/v4/server/ptr"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLinuxHostDiskEncryptionStatus(t *testing.T) {
+	ds := new(mock.Store)
+	svc, ctx := newTestService(t, ds, nil, nil)
+
+	actionRequired := fleet.DiskEncryptionActionRequired
+	verified := fleet.DiskEncryptionVerified
+	failed := fleet.DiskEncryptionFailed
+
+	testcases := []struct {
+		name              string
+		host              fleet.Host
+		keyExists         bool
+		clientErrorExists bool
+		status            fleet.HostMDMDiskEncryption
+		notFound          bool
+	}{
+		{
+			name:              "no key",
+			host:              fleet.Host{ID: 1, Platform: "ubuntu"},
+			keyExists:         false,
+			clientErrorExists: false,
+			status: fleet.HostMDMDiskEncryption{
+				Status: &actionRequired,
+			},
+		},
+		{
+			name:              "key exists",
+			host:              fleet.Host{ID: 1, Platform: "ubuntu"},
+			keyExists:         true,
+			clientErrorExists: false,
+			status: fleet.HostMDMDiskEncryption{
+				Status: &verified,
+			},
+		},
+		{
+			name:              "key exists && client error",
+			host:              fleet.Host{ID: 1, Platform: "ubuntu"},
+			keyExists:         true,
+			clientErrorExists: true,
+			status: fleet.HostMDMDiskEncryption{
+				Status: &failed,
+				Detail: "client error",
+			},
+		},
+		{
+			name:              "key not found",
+			host:              fleet.Host{ID: 1, Platform: "ubuntu"},
+			keyExists:         false,
+			clientErrorExists: false,
+			status: fleet.HostMDMDiskEncryption{
+				Status: &actionRequired,
+			},
+			notFound: true,
+		},
+	}
+
+	for _, tt := range testcases {
+		t.Run(tt.name, func(t *testing.T) {
+			ds.GetHostDiskEncryptionKeyFunc = func(ctx context.Context, hostID uint) (*fleet.HostDiskEncryptionKey, error) {
+				var encrypted string
+				if tt.keyExists {
+					encrypted = "encrypted"
+				}
+
+				var clientError string
+				if tt.clientErrorExists {
+					clientError = "client error"
+				}
+
+				var nfe notFoundError
+				if tt.notFound {
+					return nil, &nfe
+				}
+
+				return &fleet.HostDiskEncryptionKey{
+					HostID:          hostID,
+					Base64Encrypted: encrypted,
+					Decryptable:     ptr.Bool(true),
+					UpdatedAt:       time.Now(),
+					ClientError:     clientError,
+				}, nil
+			}
+
+			status, err := svc.LinuxHostDiskEncryptionStatus(ctx, tt.host)
+			assert.Nil(t, err)
+
+			assert.Equal(t, tt.status, status)
+		})
+	}
+}