adjust response status code for mdm/apple/enqueue (#14666)

For #14529
2024-11-06 08:55:24 +00:00 · 2023-10-26 18:20:11 -03:00 · 2023-10-26 18:20:11 -03:00 · 001120274c
commit 001120274c
parent 6c42287914
4 changed files with 20 additions and 5 deletions
--- a/changes/14529-enqueue-apple-error
+++ b/changes/14529-enqueue-apple-error
@ -0,0 +1,3 @@
+* Change the response status code of /mdm/apple/enqueue to `400` if the host is:
+  - A macOS host that hasn't turned on Fleet MDM features.
+  - A Windows or Linux host.
--- a/API/rest-api.md
+++ b/API/rest-api.md
@ -4199,7 +4199,7 @@ This endpoint tells Fleet to run a custom MDM command, on the targeted macOS hos
 | Name                      | Type   | In    | Description                                                               |
 | ------------------------- | ------ | ----- | ------------------------------------------------------------------------- |
 | command                   | string | json  | A base64-encoded MDM command as described in [Apple's documentation](https://developer.apple.com/documentation/devicemanagement/commands_and_queries). Supported formats are standard ([RFC 4648](https://www.rfc-editor.org/rfc/rfc4648.html)) and raw (unpadded) encoding ([RFC 4648 section 3.2](https://www.rfc-editor.org/rfc/rfc4648.html#section-3.2)) |
-| device_ids                | array  | json  | An array of host UUIDs enrolled in Fleet's MDM on which the command should run.                   |
+| device_ids                | array  | json  | An array of macOS host UUIDs enrolled in Fleet's MDM on which the command should run.                   |

 Note that the `EraseDevice` and `DeviceLock` commands are _available in Fleet Premium_ only.

--- a/server/service/apple_mdm.go
+++ b/server/service/apple_mdm.go
@ -1026,9 +1026,9 @@ func (svc *Service) EnqueueMDMAppleCommand(
 			if mysqlErr.Number == mysqlerr.ER_NO_REFERENCED_ROW_2 {
 				err := fleet.NewInvalidArgumentError(
 					"device_ids",
-					fmt.Sprintf("at least one of the hosts is not enrolled in MDM: %v", err),
-				).WithStatus(http.StatusConflict)
-				return http.StatusConflict, nil, ctxerr.Wrap(ctx, err, "enqueue command")
+					fmt.Sprintf("at least one of the hosts is not enrolled in MDM or is not a macOS device: %v", err),
+				).WithStatus(http.StatusBadRequest)
+				return http.StatusBadRequest, nil, ctxerr.Wrap(ctx, err, "enqueue command")
 			}
 		}

--- a/server/service/integration_mdm_test.go
+++ b/server/service/integration_mdm_test.go
@ -4410,10 +4410,22 @@ func (s *integrationMDMTestSuite) TestEnqueueMDMCommand() {
 		enqueueMDMAppleCommandRequest{
 			Command:   base64Cmd(newRawCmd(uuid.New().String())),
 			DeviceIDs: []string{unenrolledHost.UUID},
-		}, http.StatusConflict)
+		}, http.StatusBadRequest)
 	errMsg := extractServerErrorText(res.Body)
 	require.Contains(t, errMsg, "at least one of the hosts is not enrolled in MDM")

+	// create a new Host to get the UUID on the DB
+	linuxHost := createOrbitEnrolledHost(t, "linux", "h1", s.ds)
+	windowsHost := createOrbitEnrolledHost(t, "windows", "h2", s.ds)
+	// call with unenrolled host UUID
+	res = s.Do("POST", "/api/latest/fleet/mdm/apple/enqueue",
+		enqueueMDMAppleCommandRequest{
+			Command:   base64Cmd(newRawCmd(uuid.New().String())),
+			DeviceIDs: []string{linuxHost.UUID, windowsHost.UUID},
+		}, http.StatusBadRequest)
+	errMsg = extractServerErrorText(res.Body)
+	require.Contains(t, errMsg, "is not a macOS device")
+
 	// call with payload that is not a valid, plist-encoded MDM command
 	res = s.Do("POST", "/api/latest/fleet/mdm/apple/enqueue",
 		enqueueMDMAppleCommandRequest{