Add backend changes for team labels
Resolves #36781.
- [X] Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
- [X] Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements)
Testing
- [X] Added/updated automated tests
- [X] Where appropriate, automated tests simulate multiple hosts and test for host isolation (updates to one host's records do not affect another)
- [X] QA'd all new/changed functionality manually
Summary by CodeRabbit
- New Features
  - Team labels are now supported, allowing labels to be assigned to specific teams.
- Bug Fixes
  - Label memberships properly clean up when hosts are transferred between teams.
  - Team deletion now cascades cleanup of associated team labels.
  - Label query results are scoped to prevent stale or misapplied results.
Codecov Report
:x: Patch coverage is 55.55556% with 28 lines in your changes missing coverage. Please review.
:white_check_mark: Project coverage is 65.92%. Comparing base (76b6a25) to head (1621c78).
:warning: Report is 19 commits behind head on main.
Additional details and impacted files
@@ Coverage Diff @@
## main #37116 +/- ##
==========================================
- Coverage 65.92% 65.92% -0.01%
==========================================
Files 2329 2329
Lines 184953 185260 +307
Branches 7707 7707
==========================================
+ Hits 121925 122124 +199
- Misses 51883 51969 +86
- Partials 11145 11167 +22
| Flag | Coverage Δ | |
|---|---|---|
| backend | 67.72% <55.55%> (-0.01%) | :arrow_down: |
@coderabbitai review
✅ Actions performed
Review triggered.
Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
Walkthrough
This PR implements backend support for team-scoped labels where label membership respects team context. Changes include adding team_id to label creation, introducing transactional label deletion with related membership cleanup, filtering label queries by team, and cascading label cleanup when teams are deleted. Label memberships are cleaned up when hosts transfer between teams.
Changes
| Cohort / File(s) | Summary |
|---|---|
| Label team scope and creation `server/datastore/mysql/labels.go` | Added team_id column to label INSERT statement; label creation now accepts and persists team_id for team-scoped labels. |
| Label deletion refactoring `server/datastore/mysql/labels.go` | Introduced deleteLabelsInTx() helper for transactional label deletion with cascading cleanup of label_membership and pack_targets; DeleteLabel now uses this helper with improved error wrapping; refined error handling for label retrieval. |
| Label query team filtering `server/datastore/mysql/labels.go` | LabelQueriesForHost now includes team_id filter to scope label queries to the host's team context. |
| Host team transfer cleanup `server/datastore/mysql/hosts.go` | AddHostsToTeam now calls cleanupLabelMembershipOnTeamChange() to remove label memberships for labels belonging to other teams when hosts transfer. |
| Label membership cleanup helper `server/datastore/mysql/policies.go` | Added cleanupLabelMembershipOnTeamChange() internal helper that deletes label_membership entries for team-scoped labels when hosts move between teams. |
| Team deletion cascade `server/datastore/mysql/teams.go` | DeleteTeam now retrieves team-scoped label IDs and clears all related label rows via teamLabelsRefs tables before deleting labels with deleteLabelsInTx(); ensures proper cascade cleanup order (policies → teamRefs → labels → team → pack_targets). |
| Label result filtering `server/service/osquery.go` | Distributed query result handling now filters label results to remove those no longer applicable to the host before recording executions, preventing stale label assignments. |
| Label datastore tests `server/datastore/mysql/labels_test.go` | Added tests for team labels (TeamLabels, UpdateLabelMembershipForTransferredHost); refactored testUpdateLabelMembershipByHostIDs to exercise team-scoped label behavior, global vs. per-team labels, and membership propagation. |
| Team deletion tests `server/datastore/mysql/teams_test.go` | Extended testTeamsGetSetDelete to create team-scoped labels and hosts; added verification that team deletion cascades to remove label memberships, label entries, and host label associations. |
| Integration tests `server/service/integration_enterprise_test.go` | Extensive test additions covering label membership with distributed query results, host software management with label scoping, label and policy interactions, and enterprise workflow validation across multiple platforms. |
| Team label MDM test `server/service/integration_mdm_test.go` | Added TestTeamLabelsTeamDeletion() to verify label cleanup and membership removal when a team is deleted, ensuring label-related host configurations are properly reset without affecting other teams. |
| Osquery test data `server/service/osquery_test.go` | Updated test mock data; LabelQueriesForHost now returns numeric string keys; added label-query path coverage in error distribution test. |
| Migration test formatting `server/datastore/mysql/migrations/tables/20251207050413_TeamLabels_test.go` | Added nolint:gosec comments to suppress linting warnings; no behavioral changes. |
Estimated code review effort
🎯 4 (Complex) | ⏱️ ~45 minutes
- Label deletion transactional logic (labels.go): Verify deleteLabelsInTx() correctly handles cascading cleanup of label_membership and pack_targets within a single transaction.
- Team deletion cascade order (teams.go): Confirm deletion sequence (policies → teamRefs → labels → team → pack_targets) prevents foreign key constraint violations and completes cleanup.
- Host transfer cleanup (hosts.go + policies.go): Validate that cleanupLabelMembershipOnTeamChange() correctly identifies and removes only team-scoped labels belonging to other teams.
- Label query filtering (osquery.go): Review logic for clearing stale label results to ensure only invalid results are filtered.
- Integration test coverage: Extensive test additions require verification that edge cases (multi-team scenarios, cascading deletes, label membership transitions) are correctly validated.
Suggested reviewers
- getvictor
- sgress454
- iansltx
Pre-merge checks and finishing touches
❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main change: backend support for team labels functionality. |
| Description check | ✅ Passed | The description addresses the template with linked issue, changes file confirmation, validation and security checks, and testing completion markers. |
| Linked Issues check | ✅ Passed | All coding objectives from #36781 are met: team_id handling in label membership, team label cascading cleanup, and distributed query/host transfer logic updates. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to implement team label support as defined in #36781; no unrelated modifications detected. |