Orbit passes EUA token during enrollment#43369
Orbit passes EUA token during enrollment#43369ksykulev wants to merge 4 commits into41381-eua-ms-installerfrom
Conversation
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
Claude Code Review
This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.
Tip: disable this comment in your organization's Code Review settings.
ksykulev
force-pushed
the
41379-eua-orbit
branch
from
f1fd907 to
29776ec
Compare
There was a problem hiding this comment.
Pull request overview
Adds support for passing a Windows MDM end-user authentication (EUA) token from the Fleet MSI installer into Orbit, and sending it along with the /api/fleet/orbit/enroll request so Fleet can link the IdP account during enrollment.
Changes:
- Enable a new
EUA_TOKENMSI property (gated by Orbit version) and pass it to the Orbit Windows service as--eua-token. - Add a hidden
--eua-tokenCLI flag to Orbit and plumb it into the Orbit enroll request payload (eua_token). - Add unit tests covering both the MSI template output and the enroll request JSON behavior.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| orbit/pkg/packaging/windows.go | Enables the new MSI property based on Orbit version gating. |
| orbit/pkg/packaging/windows_templates.go | Adds EUA_TOKEN property and wires it into the Windows service arguments. |
| orbit/pkg/packaging/windows_eua_test.go | New tests validating the WiX template includes/omits EUA pieces appropriately. |
| orbit/pkg/packaging/packaging.go | Extends packaging Options with EnableEUATokenProperty. |
| orbit/cmd/orbit/orbit.go | Adds hidden --eua-token flag and sets it on the Orbit client before enrollment-triggering calls. |
| client/orbit_client.go | Stores EUA token on the client and includes it in EnrollOrbitRequest. |
| client/orbit_client_eua_test.go | Verifies eua_token is present when set and omitted when empty. |
| changes/41379-orbit-eua | Adds a changelog entry for the new behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## 41381-eua-ms-installer #43369 +/- ##
==========================================================
- Coverage 66.88% 66.84% -0.04%
==========================================================
Files 2594 2588 -6
Lines 207936 207536 -400
Branches 9207 9207
==========================================================
- Hits 139080 138732 -348
+ Misses 56200 56184 -16
+ Partials 12656 12620 -36
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
ksykulev
force-pushed
the
41379-eua-orbit
branch
from
b249a9c to
049f089
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
ksykulev
force-pushed
the
41379-eua-orbit
branch
from
7f7d6f2 to
6e1a51e
Compare
getvictor
left a comment
getvictor
left a comment
There was a problem hiding this comment.
Looks good. Just some minor comments.
| srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | ||
| body, err := io.ReadAll(r.Body) | ||
| assert.NoError(t, err) | ||
| assert.NoError(t, json.Unmarshal(body, &receivedBody)) | ||
|
|
||
| resp := fleet.EnrollOrbitResponse{OrbitNodeKey: testNodeKey} | ||
| w.Header().Set("Content-Type", "application/json") | ||
| err = json.NewEncoder(w).Encode(resp) | ||
| assert.NoError(t, err) | ||
| })) | ||
| defer srv.Close() |
There was a problem hiding this comment.
Nit. This setup is the same in both subtests. Can this be table-driven?
| func TestSetEUAToken(t *testing.T) { | ||
| oc := &OrbitClient{} | ||
| require.Empty(t, oc.euaToken) | ||
|
|
||
| oc.SetEUAToken("some-token") | ||
| require.Equal(t, "some-token", oc.euaToken) | ||
|
|
||
| oc.SetEUAToken("") | ||
| require.Empty(t, oc.euaToken) | ||
| } |
There was a problem hiding this comment.
Nit. This is already covered by the test above.
| @@ -0,0 +1 @@ | |||
| * Orbit passes EUA token during enrollment request No newline at end of file | |||
There was a problem hiding this comment.
This should be in orbit/changes/ directory
| t.Run("EUA_TOKEN flag appears in ServiceInstall Arguments", func(t *testing.T) { | ||
| opt := baseOpt | ||
| opt.EnableEUATokenProperty = true | ||
|
|
||
| var buf bytes.Buffer | ||
| err := windowsWixTemplate.Execute(&buf, opt) | ||
| require.NoError(t, err) | ||
|
|
||
| // Find the ServiceInstall Arguments line and verify eua-token is in it. | ||
| for line := range strings.SplitSeq(buf.String(), "\n") { | ||
| if strings.Contains(line, "Arguments=") && strings.Contains(line, "--fleet-url") { | ||
| assert.Contains(t, line, `--eua-token="[EUA_TOKEN]"`, | ||
| "eua-token flag should be in ServiceInstall Arguments") | ||
| return | ||
| } | ||
| } |
There was a problem hiding this comment.
Nit. This could be merged with test 1.
Related issue: Resolves #41379
Checklist for submitter
If some of the following don't apply, delete the relevant line.
changes/,orbit/changes/oree/fleetd-chrome/changes.See Changes files for more information.
Testing
fleetd/orbit/Fleet Desktop
runtime.GOOSis used as needed to isolate changes