Skip to content

Add custom VPP app support #37969

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
iansltx merged 24 commits into from
Jan 8, 2026
Merged

Add custom VPP app support #37969

iansltx merged 24 commits into from
Jan 8, 2026

Conversation

@iansltx
Copy link
Member

@iansltx iansltx commented Jan 7, 2026
edited
Loading

Resolves #32481 for Fleet server-side work.

Checklist for submitter

If some of the following don't apply, delete the relevant line.

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.

  • Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements)

Testing

  • Added/updated automated tests

  • QA'd all new/changed functionality manually

iansltx added 8 commits January 4, 2026 00:39
@iansltx
Initial WIP for using App Store Connect endpoint (or workalike) to gr…
01efc8a 
…ab VPP app data
@iansltx
Switch other VPP metadata pull usages to new method
9d8ca68 
Next up: wire up environment override on bearer token pull to allow that to work, test end-to-end against Apple API
@iansltx
Fix issues with app retrieval + refreshes
6df5619 
Next steps:

1. Fix tests
2. Make sure setting apps via GitOps works properly
3. Implement proxy auth management/persistence
@iansltx
Implement VPP metadata proxy client interactions
d2debd6 
Next up: manual testing against fake proxy, automated test updates
@iansltx
Pull server info from the right place, fix licensing, start fixing re…
68a8170 
…tries

Licensing wasn't picking up license keys for dev/expired licenses to pass on to the proxy because licenses weren't passed by ref.

Still need to figure out what's wrong with the auth-expired case
@iansltx
Fix retry logic, clear out old access tokens in MDM assets rather tha…
4b2ea3f 
…n leaving them after soft-deleting them

This has now been end-to-end validated. Just need to write tests now.
@iansltx
Fix lint
126149e
@iansltx
Add changes file
01dc37c
@codecov
Copy link

codecov bot commented Jan 7, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 80.00000% with 54 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.84%. Comparing base (bc0c7f1) to head (e0ce481).
⚠️ Report is 15 commits behind head on main.

Files with missing lines Patch % Lines
server/mdm/apple/apple_apps/api.go 75.60% 21 Missing and 19 partials ⚠️
...d/fleetctl/fleetctl/testing_utils/testing_utils.go 92.98% 3 Missing and 1 partial ⚠️
cmd/fleet/serve.go 0.00% 3 Missing ⚠️
server/mdm/apple/vpp/refresh.go 83.33% 2 Missing and 1 partial ⚠️
ee/server/service/vpp.go 92.30% 1 Missing and 1 partial ⚠️
cmd/fleet/cron.go 0.00% 1 Missing ⚠️
cmd/fleet/vuln_process.go 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #37969      +/-   ##
==========================================
+ Coverage   65.82%   65.84%   +0.01%     
==========================================
  Files        2387     2387              
  Lines      190158   190333     +175     
  Branches     8428     8428              
==========================================
+ Hits       125168   125321     +153     
- Misses      53609    53619      +10     
- Partials    11381    11393      +12
Flag Coverage Δ
backend 67.68% <80.00%> (+0.02%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@iansltx
🤖 Fix some tests
6119657 
Zed + Opus 4.5; prompt: Fix broken fleetctl tests in https://github.com/fleetdm/fleet/actions/runs/20772756036/job/59652047015. This almost certainly involves replacing the fake iTunes server with a fake VPP apps proxy server, setting env vars appropriately to point at that server.
@iansltx iansltx mentioned this pull request Jan 7, 2026
Open
29 tasks
@iansltx
Clean up tests, validate (stubbed) proxy auth calls as well as calls …
80d107c 
…with hardcoded bearer tokens

Also fixes expected retry logic in the apple_apps API test since we're doing that one level up now
iansltx added 3 commits January 7, 2026 22:45
@iansltx
🤖 Add test coverage to VPP API proxy
f38592f 
Zed + Opus 4.5; prompt: Replace the TODOs in server/mdm/apple/apple_apps/api_test.go with appropriate tests.
@iansltx
Clean up/extend tests
4cb42cc
@iansltx
More test fixes, tweak VPP refresh to ensure we're mapping platform-s…
43d0093 
…pecific version numbers correctly
@iansltx iansltx marked this pull request as ready for review January 8, 2026 05:23
@iansltx iansltx requested a review from a team as a code owner January 8, 2026 05:23
iansltx added 2 commits January 7, 2026 23:34
@iansltx
🤖 Add 429 handling test
c3485e9 
Zed + Opus 4.5; prompt: Add a test for 429s/retry-after to TestDoRetries in server/mdm/apple/apple_apps/api_test.go
@iansltx
Tweak retry limit to make sure we keep retrying on 429s
1425443
@iansltx iansltx mentioned this pull request Jan 8, 2026
Open
jahzielv
jahzielv reviewed Jan 8, 2026
View reviewed changes
server/mdm/apple/apple_apps/api.go
Data []Metadata `json:"data"`
}

type Authenticator func(forceRenew bool) (string, error)
Copy link
Member

@jahzielv jahzielv Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: would be nice to have a comment on this type since it's exported

Copy link
Member Author

@iansltx iansltx Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure. I'll add that if there are any other non-nit changes I need to make to this PR (which there probably are?)

jahzielv
jahzielv reviewed Jan 8, 2026
View reviewed changes
jahzielv
jahzielv reviewed Jan 8, 2026
View reviewed changes
jahzielv
jahzielv reviewed Jan 8, 2026
View reviewed changes
@jahzielv
Copy link
Member

jahzielv commented Jan 8, 2026

overall lgtm other than the couple things pointed out above

jahzielv
jahzielv approved these changes Jan 8, 2026
View reviewed changes
Copy link
Member

@jahzielv jahzielv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the fixes! 🚀

@iansltx iansltx merged commit b191580 into main Jan 8, 2026
39 of 40 checks passed
@iansltx iansltx deleted the 32461-custom-vpp-apps branch January 8, 2026 19:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jahzielv jahzielv jahzielv approved these changes

Assignees

@jahzielv jahzielv

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@iansltx @jahzielv