Fix dupe profile enqueue bug #48652
@coderabbitai review
✅ Action performed
Review finished.
Warning
- Copilot's review of this pull request may be incomplete because some of the changed files are excluded by your Copilot content exclusion settings. See Excluding content from Copilot for details.
Pull request overview
This PR hardens Apple MDM profile reconciliation against a “duplicate hosts row sharing the same UUID” edge case that can cause duplicate enrollment IDs to be enqueued, leading to (id, command_uuid) primary-key collisions in nano_enrollment_queue and failed profile delivery.
Changes:
- Deduplicate per-command `EnrollmentIDs` before building/enqueuing MDM commands (defense in depth).
- Make batched and per-host reconcile selection deterministic when multiple `hosts` rows share the same UUID (prefer highest `hosts.id`).
- Add unit + MySQL integration coverage to prevent regressions for the duplicate-UUID scenario.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| server/mdm/apple/reconcile.go | Dedupes EnrollmentIDs on command targets before enqueue to prevent nano_enrollment_queue PK collisions. |
| server/mdm/apple/reconcile_test.go | Adds a unit test asserting ExecuteReconcileBatch enqueues a duplicated host UUID only once. |
| server/datastore/mysql/apple_mdm_test.go | Adds an end-to-end MySQL test covering duplicate host UUID behavior and ensuring a single queue row is created. |
| server/datastore/mysql/apple_mdm_batched.go | Adds deterministic ordering + in-memory dedupe for batched reconcile host listing; aligns per-host reconcile query to pick highest host ID. |
Files excluded by content exclusion policy (1)
- changes/48633-profile-reconcile-duplicate-host
Walkthrough
This change fixes duplicate enqueueing of configuration profiles for hosts that share the same hardware UUID. MySQL reconcile queries for both batched and single-host Apple MDM lookups now order results to select the highest host ID deterministically, and a new
Changes
Sequence Diagram(s)
```mermaid
sequenceDiagram
participant Datastore
participant dedupeHostsByUUID
participant ExecuteReconcileBatch
participant dedupeEnrollmentIDs
participant NanoEnrollmentQueue
Datastore->>Datastore: Query hosts ORDER BY h.uuid, h.id DESC
Datastore->>dedupeHostsByUUID: raw host reconcile rows
dedupeHostsByUUID-->>Datastore: deduped rows (highest HostID per UUID)
Datastore->>ExecuteReconcileBatch: install/remove targets
ExecuteReconcileBatch->>dedupeEnrollmentIDs: EnrollmentIDs per target
dedupeEnrollmentIDs-->>ExecuteReconcileBatch: deduped IDs, dropped count
ExecuteReconcileBatch->>NanoEnrollmentQueue: enqueue deduped commands
```
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
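The two dedupe layers from the walkthrough above, as an added Go example that is not the project's own code: `hostRow`, `dedupeByUUID`, `dedupeIDs`, `enqueue` and the sample IDs are hypothetical, and a map stands in for the `(id, command_uuid)` primary key of `nano_enrollment_queue`.

```go
package main

import "fmt"

// hostRow is a hypothetical stand-in for one host reconcile row.
type hostRow struct{ HostID uint; UUID string }

// dedupeByUUID keeps the first row per UUID; rows must be sorted by UUID, HostID DESC.
func dedupeByUUID(rows []hostRow) []hostRow {
	var out []hostRow
	for i, r := range rows {
		if i == 0 || r.UUID != rows[i-1].UUID {
			out = append(out, r)
		}
	}
	return out
}

// dedupeIDs drops repeated enrollment IDs (first-seen order) and counts the drops.
func dedupeIDs(ids []string) ([]string, int) {
	seen := map[string]bool{}
	var out []string
	for _, id := range ids {
		if !seen[id] {
			seen[id] = true
			out = append(out, id)
		}
	}
	return out, len(ids) - len(out)
}

// enqueue models a queue table whose primary key is (id, command_uuid).
func enqueue(pk map[[2]string]bool, cmdUUID string, ids []string) error {
	for _, id := range ids {
		if pk[[2]string{id, cmdUUID}] {
			return fmt.Errorf("duplicate key (%s, %s)", id, cmdUUID)
		}
		pk[[2]string{id, cmdUUID}] = true
	}
	return nil
}

func main() {
	rows := []hostRow{{9, "UUID-A"}, {1, "UUID-A"}, {7, "UUID-B"}} // constructed sample
	ids := []string{rows[0].UUID, rows[1].UUID, rows[2].UUID}
	fmt.Println("raw IDs:", enqueue(map[[2]string]bool{}, "cmd-1", ids))
	clean, dropped := dedupeIDs(ids)
	fmt.Println("deduped:", enqueue(map[[2]string]bool{}, "cmd-1", clean), "dropped:", dropped)
	fmt.Println("hosts kept:", dedupeByUUID(rows))
}
```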
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #48652 +/- ##
==========================================
+ Coverage 67.99% 68.03% +0.04%
==========================================
Files 3678 3678
Lines 233795 233832 +37
Branches 12268 12454 +186
==========================================
+ Hits 158962 159082 +120
+ Misses 60504 60439 -65
+ Partials 14329 14311 -18
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Related issue: Resolves #48633
Checklist for submitter
If some of the following don't apply, delete the relevant line.
- Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See Changes files for more information.
- Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- Timeouts are implemented and retries are limited to avoid infinite loops
- If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes
Testing