Skip to content

Fix dupe profile enqueue bug#48652

Draft
JordanMontgomery wants to merge 3 commits into
mainfrom
JM-48633
Draft

Fix dupe profile enqueue bug#48652
JordanMontgomery wants to merge 3 commits into
mainfrom
JM-48633

Conversation

@JordanMontgomery

@JordanMontgomery JordanMontgomery commented Jul 2, 2026

Copy link
Copy Markdown
Member

Related issue: Resolves #48633

Checklist for submitter

If some of the following don't apply, delete the relevant line.

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.

  • Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

  • Timeouts are implemented and retries are limited to avoid infinite loops

  • If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

@JordanMontgomery

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning

  • Copilot's review of this pull request may be incomplete because some of the changed files are excluded by your Copilot content exclusion settings. See Excluding content from Copilot for details.

Pull request overview

This PR hardens Apple MDM profile reconciliation against a “duplicate hosts row sharing the same UUID” edge case that can cause duplicate enrollment IDs to be enqueued, leading to (id, command_uuid) primary-key collisions in nano_enrollment_queue and failed profile delivery.

Changes:

  • Deduplicate per-command EnrollmentIDs before building/enqueuing MDM commands (defense in depth).
  • Make batched and per-host reconcile selection deterministic when multiple hosts rows share the same UUID (prefer highest hosts.id).
  • Add unit + MySQL integration coverage to prevent regressions for the duplicate-UUID scenario.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.

File Description
server/mdm/apple/reconcile.go Dedupes EnrollmentIDs on command targets before enqueue to prevent nano_enrollment_queue PK collisions.
server/mdm/apple/reconcile_test.go Adds a unit test asserting ExecuteReconcileBatch enqueues a duplicated host UUID only once.
server/datastore/mysql/apple_mdm_test.go Adds an end-to-end MySQL test covering duplicate host UUID behavior and ensuring a single queue row is created.
server/datastore/mysql/apple_mdm_batched.go Adds deterministic ordering + in-memory dedupe for batched reconcile host listing; aligns per-host reconcile query to pick highest host ID.
Files excluded by content exclusion policy (1)
  • changes/48633-profile-reconcile-duplicate-host

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread server/datastore/mysql/apple_mdm_batched.go Outdated
Comment thread server/datastore/mysql/apple_mdm_batched.go Outdated
Comment thread server/mdm/apple/reconcile.go Outdated
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

This change fixes duplicate enqueueing of configuration profiles for hosts that share the same hardware UUID. MySQL reconcile queries for both batched and single-host Apple MDM lookups now order results to select the highest host ID deterministically, and a new dedupeHostsByUUID helper collapses duplicate UUID rows in memory. ExecuteReconcileBatch additionally deduplicates EnrollmentIDs in install/remove targets via a new dedupeEnrollmentIDs helper, logging a warning when duplicates are removed. New tests cover both the datastore-level dedupe and the reconcile-batch dedupe behavior, and a changelog entry documents the fix.

Changes

File(s) Summary
server/datastore/mysql/apple_mdm_batched.go Added ordering by h.uuid, h.id DESC and h.id DESC; introduced dedupeHostsByUUID to collapse duplicate-UUID host rows keeping highest HostID; updated documentation comments.
server/datastore/mysql/apple_mdm_test.go Added testReconcileAppleProfilesDuplicateHostUUID regression test verifying dedupe behavior and correct enqueue count for duplicate-UUID hosts.
server/mdm/apple/reconcile.go Added deduplication of EnrollmentIDs in ExecuteReconcileBatch install/remove targets via new dedupeEnrollmentIDs helper, with warning logging on duplicates found.
server/mdm/apple/reconcile_test.go Added TestMDMAppleExecuteReconcileBatchDedupesEnrollmentIDs verifying single enqueue call for duplicate enrollment payloads.
changes/48633-profile-reconcile-duplicate-host Added changelog entry describing the fix.

Sequence Diagram(s)

sequenceDiagram
  participant Datastore
  participant dedupeHostsByUUID
  participant ExecuteReconcileBatch
  participant dedupeEnrollmentIDs
  participant NanoEnrollmentQueue

  Datastore->>Datastore: Query hosts ORDER BY h.uuid, h.id DESC
  Datastore->>dedupeHostsByUUID: raw host reconcile rows
  dedupeHostsByUUID-->>Datastore: deduped rows (highest HostID per UUID)
  Datastore->>ExecuteReconcileBatch: install/remove targets
  ExecuteReconcileBatch->>dedupeEnrollmentIDs: EnrollmentIDs per target
  dedupeEnrollmentIDs-->>ExecuteReconcileBatch: deduped IDs, dropped count
  ExecuteReconcileBatch->>NanoEnrollmentQueue: enqueue deduped commands
Loading

Possibly related issues

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is only the template; the related issue, testing details, and any applicable checklist items are left unfilled. Fill in the related issue, mark applicable checklist items, and add testing notes or remove irrelevant sections.
✅ Passed checks (4 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title is concise and clearly describes the main change: fixing the duplicate profile enqueue bug.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch JM-48633

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 94.87179% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.03%. Comparing base (e95a8df) to head (a81a6bf).

Files with missing lines Patch % Lines
server/datastore/mysql/apple_mdm_batched.go 85.71% 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #48652      +/-   ##
==========================================
+ Coverage   67.99%   68.03%   +0.04%     
==========================================
  Files        3678     3678              
  Lines      233795   233832      +37     
  Branches    12268    12454     +186     
==========================================
+ Hits       158962   159082     +120     
+ Misses      60504    60439      -65     
+ Partials    14329    14311      -18     
Flag Coverage Δ
backend 69.68% <94.87%> (+0.04%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Apple MDM Reconciler can try to send duplicate profiles to duplicate deviecs

2 participants