Run certificate autoenroll with debug enabled (#1151)

When something went wrong with some parts of autoenrollment, the user would need to download the autoenroll script and then run it manually, instead of getting the expected output when running update policies in debug mode. To avoid this cumbersome process, we now always run the script in debug mode and log the error message.
ubuntu · Dec 2, 2024 · 6f72f17 · 6f72f17
2 parents b7c1883 + 01d73ef
commit 6f72f17
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 5 deletions.
diff --git a/internal/policies/certificate/certificate.go b/internal/policies/certificate/certificate.go
@@ -226,7 +226,7 @@ func (m *Manager) ApplyPolicy(ctx context.Context, objectName string, isComputer
 		return errors.New(gotext.Get("failed to marshal policy server registry entries: %v", err))
 	}
 
-	if err := m.runScript(ctx, action, objectName, "--policy_servers_json", string(jsonGPOData)); err != nil {
+	if err := m.runScript(ctx, action, objectName, "--policy_servers_json", string(jsonGPOData), "--debug"); err != nil {
 		return err
 	}
 
@@ -251,10 +251,11 @@ func (m *Manager) runScript(ctx context.Context, action, objectName string, extr
 	defer smbsafe.DoneExec()
 
 	output, err := cmd.CombinedOutput()
+	defer log.Debugf(ctx, "Certificate autoenrollment script output:\n%s", string(output))
 	if err != nil {
 		return errors.New(gotext.Get("failed to run certificate autoenrollment script (exited with %d): %v\n%s", cmd.ProcessState.ExitCode(), err, string(output)))
 	}
-	log.Info(ctx, gotext.Get("Certificate autoenrollment script ran successfully\n%s", string(output)))
+	log.Info(ctx, gotext.Get("Certificate autoenrollment script ran successfully\n"))
 	return nil
 }
 

diff --git a/internal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_enroll b/internal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_enroll
@@ -1,3 +1,3 @@
-enroll keypress example.com --state_dir #TMPDIR#/statedir --global_trust_dir /usr/local/share/ca-certificates --policy_servers_json null
+enroll keypress example.com --state_dir #TMPDIR#/statedir --global_trust_dir /usr/local/share/ca-certificates --policy_servers_json null --debug
 KRB5CCNAME=#TMPDIR#/rundir/krb5cc/keypress
 PYTHONPATH=:#TMPDIR#/sharedir/python
diff --git a/...te/testdata/TestApplyPolicy/golden/computer,_configured_to_enroll,_advanced_configuration b/...te/testdata/TestApplyPolicy/golden/computer,_configured_to_enroll,_advanced_configuration
@@ -1,3 +1,3 @@
-enroll keypress example.com --state_dir #TMPDIR#/statedir --global_trust_dir /usr/local/share/ca-certificates --policy_servers_json [{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"AuthFlags","data":2,"type":4},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"Cost","data":2147483645,"type":4},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"Flags","data":20,"type":4},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"FriendlyName","data":"ActiveDirectoryEnrollmentPolicy","type":1},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"PolicyID","data":"{A5E9BF57-71C6-443A-B7FC-79EFA6F73EBD}","type":1},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"URL","data":"LDAP:","type":1},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers","valuename":"Flags","data":0,"type":4}]
+enroll keypress example.com --state_dir #TMPDIR#/statedir --global_trust_dir /usr/local/share/ca-certificates --policy_servers_json [{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"AuthFlags","data":2,"type":4},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"Cost","data":2147483645,"type":4},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"Flags","data":20,"type":4},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"FriendlyName","data":"ActiveDirectoryEnrollmentPolicy","type":1},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"PolicyID","data":"{A5E9BF57-71C6-443A-B7FC-79EFA6F73EBD}","type":1},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"URL","data":"LDAP:","type":1},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers","valuename":"Flags","data":0,"type":4}] --debug
 KRB5CCNAME=#TMPDIR#/rundir/krb5cc/keypress
 PYTHONPATH=:#TMPDIR#/sharedir/python
diff --git a/...nal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_unenroll b/...nal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_unenroll
@@ -1,3 +1,3 @@
-unenroll keypress example.com --state_dir #TMPDIR#/statedir --global_trust_dir /usr/local/share/ca-certificates --policy_servers_json null
+unenroll keypress example.com --state_dir #TMPDIR#/statedir --global_trust_dir /usr/local/share/ca-certificates --policy_servers_json null --debug
 KRB5CCNAME=#TMPDIR#/rundir/krb5cc/keypress
 PYTHONPATH=:#TMPDIR#/sharedir/python