From 01d73ef7a5257784957652ed07fa56d9a07c6cca Mon Sep 17 00:00:00 2001 From: denisonbarbosa Date: Fri, 29 Nov 2024 06:02:24 -0400 Subject: [PATCH] Run certificate autoenroll with debug enabled When something went wrong with somes parts of autoenrollment, the user would need to download the autoenroll script and then run it manually, instead of getting the expected output when running update policies in debug mode. To avoid this cumbersome process, we now always run the script in debug mode and log the error message.
---
 internal/policies/certificate/certificate.go | 5 +++-- .../TestApplyPolicy/golden/computer,_configured_to_enroll | 2 +- .../computer,_configured_to_enroll,_advanced_configuration | 2 +- .../TestApplyPolicy/golden/computer,_configured_to_unenroll | 2 +- 4 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/internal/policies/certificate/certificate.go b/internal/policies/certificate/certificate.go
index ced672509..1520a25e8 100644
--- a/internal/policies/certificate/certificate.go
+++ b/internal/policies/certificate/certificate.go
@@ -226,7 +226,7 @@ func (m *Manager) ApplyPolicy(ctx context.Context, objectName string, isComputer
 return errors.New(gotext.Get("failed to marshal policy server registry entries: %v", err))
 }
- if err := m.runScript(ctx, action, objectName, "--policy_servers_json", string(jsonGPOData)); err != nil {
+ if err := m.runScript(ctx, action, objectName, "--policy_servers_json", string(jsonGPOData), "--debug"); err != nil {
 return err
 }
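Review bot: The hard-coded `"--debug"` argument in the `m.runScript` call has no comment saying why the script's verbosity is decoupled from the daemon's own log level, so it reads like leftover debugging. A one-line comment above the call would cover it, for example `// Always pass --debug: the script output is only logged at debug level or attached to the error on failure.` Because the flag is added at this call site rather than inside runScript, any other caller of runScript (none is visible in this diff) would not get the debug trace. ApplyPolicy's body starts and ends outside the hunk.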
@@ -251,10 +251,11 @@ func (m *Manager) runScript(ctx context.Context, action, objectName string, extr
 defer smbsafe.DoneExec()
 output, err := cmd.CombinedOutput()
+ defer log.Debugf(ctx, "Certificate autoenrollment script output:\n%s", string(output))
 if err != nil {
 return errors.New(gotext.Get("failed to run certificate autoenrollment script (exited with %d): %v\n%s", cmd.ProcessState.ExitCode(), err, string(output)))
 }
- log.Info(ctx, gotext.Get("Certificate autoenrollment script ran successfully\n%s", string(output)))
+ log.Info(ctx, gotext.Get("Certificate autoenrollment script ran successfully\n"))
 return nil
 }
diff --git a/internal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_enroll b/internal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_enroll
index d26d7ddb6..334d14da5 100644
--- a/internal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_enroll
+++ b/internal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_enroll
@@ -1,3 +1,3 @@
-enroll keypress example.com --state_dir #TMPDIR#/statedir --global_trust_dir /usr/local/share/ca-certificates --policy_servers_json null
+enroll keypress example.com --state_dir #TMPDIR#/statedir --global_trust_dir /usr/local/share/ca-certificates --policy_servers_json null --debug
 KRB5CCNAME=#TMPDIR#/rundir/krb5cc/keypress
 PYTHONPATH=:#TMPDIR#/sharedir/python
diff --git a/internal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_enroll,_advanced_configuration b/internal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_enroll,_advanced_configuration
index d24501b34..8e45966d3 100644
--- a/internal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_enroll,_advanced_configuration
+++ b/internal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_enroll,_advanced_configuration
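Review bot: The `defer` on the new `log.Debugf` line buys nothing and only reorders the log: its arguments are evaluated on the spot, but the write is postponed to function return, so on success the script output is logged after the "ran successfully" message. Calling it directly, `log.Debugf(ctx, "Certificate autoenrollment script output:\n%s", string(output))`, keeps the order readable. With `--debug` now always passed, the error built on the `errors.New` line embeds the script's full debug trace; if that error is relayed to the requesting client rather than only written to the daemon log (not visible here), consider returning just the exit code and `err` and leaving the trace to the debug log. The `\n` left at the end of the `log.Info` message is a remnant of the removed `%s` and can be dropped. runScript's body starts outside the hunk.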
@@ -1,3 +1,3 @@ -enroll keypress example.com --state_dir #TMPDIR#/statedir --global_trust_dir /usr/local/share/ca-certificates --policy_servers_json [{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"AuthFlags","data":2,"type":4},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"Cost","data":2147483645,"type":4},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"Flags","data":20,"type":4},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"FriendlyName","data":"ActiveDirectoryEnrollmentPolicy","type":1},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"PolicyID","data":"{A5E9BF57-71C6-443A-B7FC-79EFA6F73EBD}","type":1},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"URL","data":"LDAP:","type":1},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers","valuename":"Flags","data":0,"type":4}] +enroll keypress example.com --state_dir #TMPDIR#/statedir --global_trust_dir /usr/local/share/ca-certificates --policy_servers_json 
[{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"AuthFlags","data":2,"type":4},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"Cost","data":2147483645,"type":4},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"Flags","data":20,"type":4},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"FriendlyName","data":"ActiveDirectoryEnrollmentPolicy","type":1},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"PolicyID","data":"{A5E9BF57-71C6-443A-B7FC-79EFA6F73EBD}","type":1},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54","valuename":"URL","data":"LDAP:","type":1},{"keyname":"Software\\Policies\\Microsoft\\Cryptography\\PolicyServers","valuename":"Flags","data":0,"type":4}] --debug KRB5CCNAME=#TMPDIR#/rundir/krb5cc/keypress PYTHONPATH=:#TMPDIR#/sharedir/python diff --git a/internal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_unenroll b/internal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_unenroll index a367e8c81..4d39b89e0 100644 --- a/internal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_unenroll +++ b/internal/policies/certificate/testdata/TestApplyPolicy/golden/computer,_configured_to_unenroll 
@@ -1,3 +1,3 @@
-unenroll keypress example.com --state_dir #TMPDIR#/statedir --global_trust_dir /usr/local/share/ca-certificates --policy_servers_json null
+unenroll keypress example.com --state_dir #TMPDIR#/statedir --global_trust_dir /usr/local/share/ca-certificates --policy_servers_json null --debug
 KRB5CCNAME=#TMPDIR#/rundir/krb5cc/keypress
 PYTHONPATH=:#TMPDIR#/sharedir/python