Skip to content

Persist byod=true enroll param through IdP redirects#48808

Merged
georgekarrv merged 3 commits into
mainfrom
JM-48805
Jul 6, 2026
Merged

Persist byod=true enroll param through IdP redirects#48808
georgekarrv merged 3 commits into
mainfrom
JM-48805

Conversation

@JordanMontgomery

@JordanMontgomery JordanMontgomery commented Jul 6, 2026

Copy link
Copy Markdown
Member

Related issue: Resolves #48805

Checklist for submitter

If some of the following don't apply, delete the relevant line.

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.

  • Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

  • Timeouts are implemented and retries are limited to avoid infinite loops

  • If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

Summary by CodeRabbit

  • Bug Fixes
    • Preserve a user’s BYOD selection through IdP authentication so it no longer gets lost mid-flow.
    • Enrollment redirects to IdP SSO now retain the correct enrollment query settings (including BYOD and fully managed) for consistent enrollment behavior.
  • Tests
    • Added coverage to ensure the SSO initiation redirect preserves the expected query parameters and returns the correct redirect response.

@JordanMontgomery

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning

  • Copilot's review of this pull request may be incomplete because some of the changed files are excluded by your Copilot content exclusion settings. See Excluding content from Copilot for details.

Pull request overview

This PR ensures the byod=true enrollment query parameter is preserved when initiating OTA enrollment via SSO, so it survives the IdP redirect round-trip and the user returns to the correct enrollment flow.

Changes:

  • Thread byod=true through the customOriginalURL passed into InitiateMDMSSO in the OTA enrollment SSO initiator.
  • Add a focused unit test that asserts which enrollment query params are (and are not) persisted into the SSO “original URL”.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File Description
server/service/frontend.go Persist byod=true in the original URL used for the SSO round-trip during OTA enrollment initiation.
server/service/frontend_test.go Add a table-driven test using a capturing service stub to verify byod/fully_managed query param persistence behavior.
Files excluded by content exclusion policy (1)
  • changes/48805-byod-idp-enroll

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread server/service/frontend.go
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

This change preserves byod=true during OTA enrollment SSO initiation. initiateOTAEnrollSSO now appends the BYOD query parameter to the SSO request URL when present, alongside existing fully_managed handling. Tests capture the generated original URL, verify which enrollment parameters are retained or omitted, and confirm the redirect response. A changelog entry records the fix.

Changes

Area Change
server/service/frontend.go Appends byod=true to the SSO request URL when byod=true is present
server/service/frontend_test.go Adds ssoURLCaptureService and TestInitiateOTAEnrollSSOPersistsQueryParams
changes/48805-byod-idp-enroll Updates the changelog entry

Possibly related PRs

  • fleetdm/fleet#48534: Also propagates BYOD-derived enrollment state through the enrollment flow.

Related Issues: None specified

Suggested labels: bug, enrollment, sso

Suggested reviewers: None specified

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly matches the main change: preserving the byod=true enroll parameter through IdP redirects.
Description check ✅ Passed The description follows the template, includes the related issue, and completes the checklist and testing sections.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch JM-48805

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
server/service/frontend.go (1)

261-270: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider consolidating repeated param-passthrough checks.

The fully_managed and byod blocks are structurally identical. If more enrollment params need to be persisted through IdP redirects in the future, consider a small helper (e.g., iterate over an allow-list of param names) to avoid repeating this pattern a third/fourth time.

♻️ Example refactor
-	if r.URL.Query().Get("fully_managed") == "true" {
-		requestURL += "&fully_managed=true"
-	}
-	if r.URL.Query().Get("byod") == "true" {
-		requestURL += "&byod=true"
-	}
+	for _, param := range []string{"fully_managed", "byod"} {
+		if r.URL.Query().Get(param) == "true" {
+			requestURL += "&" + param + "=true"
+		}
+	}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/service/frontend.go` around lines 261 - 270, The param passthrough
logic in initiateOTAEnrollSSO is duplicated for fully_managed and byod, so
consolidate it into a small reusable helper or allow-list-based loop. Update the
requestURL construction in initiateOTAEnrollSSO to iterate over the supported
enrollment params and append any present values once, so future params can be
added without repeating the same conditional blocks.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@server/service/frontend.go`:
- Around line 261-270: The param passthrough logic in initiateOTAEnrollSSO is
duplicated for fully_managed and byod, so consolidate it into a small reusable
helper or allow-list-based loop. Update the requestURL construction in
initiateOTAEnrollSSO to iterate over the supported enrollment params and append
any present values once, so future params can be added without repeating the
same conditional blocks.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 06e80fa7-0dc5-4677-b020-a3ab56bffd59

📥 Commits

Reviewing files that changed from the base of the PR and between 667b371 and 038d546.

📒 Files selected for processing (3)
  • changes/48805-byod-idp-enroll
  • server/service/frontend.go
  • server/service/frontend_test.go

@JordanMontgomery JordanMontgomery marked this pull request as ready for review July 6, 2026 20:29
@JordanMontgomery JordanMontgomery requested a review from a team as a code owner July 6, 2026 20:29

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.04%. Comparing base (8415ae4) to head (22b6479).
⚠️ Report is 21 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #48808      +/-   ##
==========================================
+ Coverage   68.02%   68.04%   +0.02%     
==========================================
  Files        3681     3684       +3     
  Lines      233961   234056      +95     
  Branches    12453    12453              
==========================================
+ Hits       159146   159258     +112     
+ Misses      60497    60484      -13     
+ Partials    14318    14314       -4     
Flag Coverage Δ
backend 69.69% <100.00%> (+0.02%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@georgekarrv georgekarrv merged commit b526909 into main Jul 6, 2026
46 of 47 checks passed
@georgekarrv georgekarrv deleted the JM-48805 branch July 6, 2026 21:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Personal (BYOD) devices enroll as company-owned when end-user authentication is required

3 participants