fix: supports null values for MEBX and MPSPasswords (#753)

rsdmike · web-flow · commit e568fca24e18 · 2026-01-12T15:27:39.000-07:00
diff --git a/internal/entity/device.go b/internal/entity/device.go
@@ -18,8 +18,8 @@ type Device struct {
 	DeviceInfo       string
 	Username         string
 	Password         string
-	MPSPassword      string
-	MEBXPassword     string
+	MPSPassword      *string
+	MEBXPassword     *string
 	UseTLS           bool
 	AllowSelfSigned  bool
 	CertHash         *string
diff --git a/internal/usecase/devices/repo.go b/internal/usecase/devices/repo.go
@@ -79,14 +79,18 @@ func (uc *UseCase) GetByID(ctx context.Context, guid, tenantID string, includeSe
 			return nil, ErrDeviceUseCase.Wrap("GetByID", "uc.safeRequirements.Decrypt Password", err)
 		}
 
-		d2.MPSPassword, err = uc.safeRequirements.Decrypt(data.MPSPassword)
-		if err != nil {
-			return nil, ErrDeviceUseCase.Wrap("GetByID", "uc.safeRequirements.Decrypt MPSPassword", err)
+		if data.MPSPassword != nil {
+			d2.MPSPassword, err = uc.safeRequirements.Decrypt(*data.MPSPassword)
+			if err != nil {
+				return nil, ErrDeviceUseCase.Wrap("GetByID", "uc.safeRequirements.Decrypt MPSPassword", err)
+			}
 		}
 
-		d2.MEBXPassword, err = uc.safeRequirements.Decrypt(data.MEBXPassword)
-		if err != nil {
-			return nil, ErrDeviceUseCase.Wrap("GetByID", "uc.safeRequirements.Decrypt MEBXPassword", err)
+		if data.MEBXPassword != nil {
+			d2.MEBXPassword, err = uc.safeRequirements.Decrypt(*data.MEBXPassword)
+			if err != nil {
+				return nil, ErrDeviceUseCase.Wrap("GetByID", "uc.safeRequirements.Decrypt MEBXPassword", err)
+			}
 		}
 	}
 
@@ -143,7 +147,10 @@ func (uc *UseCase) Delete(ctx context.Context, guid, tenantID string) error {
 }
 
 func (uc *UseCase) Update(ctx context.Context, d *dto.Device) (*dto.Device, error) {
-	d1 := uc.dtoToEntity(d)
+	d1, err := uc.dtoToEntity(d)
+	if err != nil {
+		return nil, err
+	}
 
 	updated, err := uc.repo.Update(ctx, d1)
 	if err != nil {
@@ -168,13 +175,16 @@ func (uc *UseCase) Update(ctx context.Context, d *dto.Device) (*dto.Device, erro
 }
 
 func (uc *UseCase) Insert(ctx context.Context, d *dto.Device) (*dto.Device, error) {
-	d1 := uc.dtoToEntity(d)
+	d1, err := uc.dtoToEntity(d)
+	if err != nil {
+		return nil, err
+	}
 
 	if d1.GUID == "" {
 		d1.GUID = uuid.New().String()
 	}
 
-	_, err := uc.repo.Insert(ctx, d1)
+	_, err = uc.repo.Insert(ctx, d1)
 	if err != nil {
 		return nil, ErrDatabase.Wrap("Insert", "uc.repo.Insert", err)
 	}
diff --git a/internal/usecase/devices/repo_test.go b/internal/usecase/devices/repo_test.go
@@ -14,6 +14,10 @@ import (
 	"github.com/device-management-toolkit/console/pkg/logger"
 )
 
+func ptr(s string) *string {
+	return &s
+}
+
 type testUsecase struct {
 	name     string
 	guid     string
@@ -291,8 +295,8 @@ func TestUpdate(t *testing.T) {
 		GUID:         "device-guid-123",
 		TenantID:     "tenant-id-456",
 		Password:     "encrypted",
-		MPSPassword:  "encrypted",
-		MEBXPassword: "encrypted",
+		MPSPassword:  nil,
+		MEBXPassword: nil,
 		Tags:         "hello,test",
 	}
 
@@ -367,8 +371,8 @@ func TestInsert(t *testing.T) {
 				device := &entity.Device{
 					GUID:         "device-guid-123",
 					Password:     "encrypted",
-					MPSPassword:  "encrypted",
-					MEBXPassword: "encrypted",
+					MPSPassword:  nil,
+					MEBXPassword: nil,
 					TenantID:     "tenant-id-456",
 				}
 
@@ -388,8 +392,8 @@ func TestInsert(t *testing.T) {
 				device := &entity.Device{
 					GUID:         "device-guid-123",
 					Password:     "encrypted",
-					MPSPassword:  "encrypted",
-					MEBXPassword: "encrypted",
+					MPSPassword:  nil,
+					MEBXPassword: nil,
 					TenantID:     "tenant-id-456",
 				}
 
@@ -431,3 +435,169 @@ func TestInsert(t *testing.T) {
 		})
 	}
 }
+
+func TestUpdateWithPasswords(t *testing.T) {
+	t.Parallel()
+
+	// Entity with encrypted passwords (what gets stored in DB)
+	deviceWithPasswords := &entity.Device{
+		GUID:         "device-guid-123",
+		TenantID:     "tenant-id-456",
+		Password:     "encrypted",
+		MPSPassword:  ptr("encrypted"),
+		MEBXPassword: ptr("encrypted"),
+		Tags:         "hello,test",
+	}
+
+	// DTO with plaintext passwords (what comes from API)
+	deviceDTOWithPasswords := &dto.Device{
+		GUID:         "device-guid-123",
+		TenantID:     "tenant-id-456",
+		Tags:         []string{"hello", "test"},
+		MPSPassword:  "mpspass",
+		MEBXPassword: "mebxpass",
+	}
+
+	// Expected DTO result (passwords not returned without includeSecrets)
+	expectedDTO := &dto.Device{
+		GUID:         "device-guid-123",
+		TenantID:     "tenant-id-456",
+		Tags:         []string{"hello", "test"},
+		MPSPassword:  "encrypted",
+		MEBXPassword: "encrypted",
+	}
+
+	t.Run("successful update with passwords", func(t *testing.T) {
+		t.Parallel()
+
+		useCase, repo, management := devicesTest(t)
+
+		repo.EXPECT().
+			Update(context.Background(), deviceWithPasswords).
+			Return(true, nil)
+		repo.EXPECT().
+			GetByID(context.Background(), "device-guid-123", "tenant-id-456").
+			Return(deviceWithPasswords, nil)
+		management.EXPECT().
+			DestroyWsmanClient(*expectedDTO)
+
+		result, err := useCase.Update(context.Background(), deviceDTOWithPasswords)
+
+		require.NoError(t, err)
+		require.Equal(t, expectedDTO, result)
+	})
+}
+
+func TestInsertWithPasswords(t *testing.T) {
+	t.Parallel()
+
+	t.Run("successful insertion with passwords", func(t *testing.T) {
+		t.Parallel()
+
+		useCase, repo, _ := devicesTest(t)
+
+		// Entity with encrypted passwords
+		deviceWithPasswords := &entity.Device{
+			GUID:         "device-guid-123",
+			TenantID:     "tenant-id-456",
+			Password:     "encrypted",
+			MPSPassword:  ptr("encrypted"),
+			MEBXPassword: ptr("encrypted"),
+		}
+
+		repo.EXPECT().
+			Insert(context.Background(), deviceWithPasswords).
+			Return("unique-device-id", nil)
+		repo.EXPECT().
+			GetByID(context.Background(), "device-guid-123", "tenant-id-456").
+			Return(deviceWithPasswords, nil)
+
+		// DTO with plaintext passwords
+		deviceDTO := &dto.Device{
+			GUID:         "device-guid-123",
+			TenantID:     "tenant-id-456",
+			Tags:         []string{""},
+			MPSPassword:  "mpspass",
+			MEBXPassword: "mebxpass",
+		}
+
+		insertedDevice, err := useCase.Insert(context.Background(), deviceDTO)
+
+		require.NoError(t, err)
+		require.Equal(t, deviceDTO.TenantID, insertedDevice.TenantID)
+		require.Equal(t, "encrypted", insertedDevice.MPSPassword)
+		require.Equal(t, "encrypted", insertedDevice.MEBXPassword)
+	})
+}
+
+func TestGetByIDWithSecrets(t *testing.T) {
+	t.Parallel()
+
+	// Entity with encrypted passwords from DB
+	deviceWithPasswords := &entity.Device{
+		GUID:         "device-guid-123",
+		TenantID:     "tenant-id-456",
+		Password:     "encrypted",
+		MPSPassword:  ptr("encrypted"),
+		MEBXPassword: ptr("encrypted"),
+	}
+
+	// Expected DTO with decrypted passwords
+	expectedDTO := &dto.Device{
+		GUID:         "device-guid-123",
+		TenantID:     "tenant-id-456",
+		Tags:         nil,
+		Password:     "decrypted",
+		MPSPassword:  "decrypted",
+		MEBXPassword: "decrypted",
+	}
+
+	t.Run("successful retrieval with secrets", func(t *testing.T) {
+		t.Parallel()
+
+		useCase, repo, _ := devicesTest(t)
+
+		repo.EXPECT().
+			GetByID(context.Background(), "device-guid-123", "tenant-id-456").
+			Return(deviceWithPasswords, nil)
+
+		got, err := useCase.GetByID(context.Background(), "device-guid-123", "tenant-id-456", true)
+
+		require.NoError(t, err)
+		require.Equal(t, expectedDTO, got)
+	})
+
+	t.Run("retrieval with secrets - nil passwords", func(t *testing.T) {
+		t.Parallel()
+
+		useCase, repo, _ := devicesTest(t)
+
+		// Entity with nil passwords
+		deviceNilPasswords := &entity.Device{
+			GUID:         "device-guid-123",
+			TenantID:     "tenant-id-456",
+			Password:     "encrypted",
+			MPSPassword:  nil,
+			MEBXPassword: nil,
+		}
+
+		repo.EXPECT().
+			GetByID(context.Background(), "device-guid-123", "tenant-id-456").
+			Return(deviceNilPasswords, nil)
+
+		// Expected DTO - passwords should be empty strings when nil
+		expectedDTONilPasswords := &dto.Device{
+			GUID:         "device-guid-123",
+			TenantID:     "tenant-id-456",
+			Tags:         nil,
+			Password:     "decrypted",
+			MPSPassword:  "",
+			MEBXPassword: "",
+		}
+
+		got, err := useCase.GetByID(context.Background(), "device-guid-123", "tenant-id-456", true)
+
+		require.NoError(t, err)
+		require.Equal(t, expectedDTONilPasswords, got)
+	})
+}
diff --git a/internal/usecase/devices/usecase.go b/internal/usecase/devices/usecase.go
@@ -66,7 +66,7 @@ func New(r Repository, d WSMAN, redirection Redirection, log logger.Interface, s
 }
 
 // convert dto.Device to entity.Device.
-func (uc *UseCase) dtoToEntity(d *dto.Device) *entity.Device {
+func (uc *UseCase) dtoToEntity(d *dto.Device) (*entity.Device, error) {
 	// convert []string to comma separated string
 	if d.Tags == nil {
 		d.Tags = []string{}
@@ -90,8 +90,6 @@ func (uc *UseCase) dtoToEntity(d *dto.Device) *entity.Device {
 		// DeviceInfo:       d.DeviceInfo,
 		Username:        d.Username,
 		Password:        d.Password,
-		MPSPassword:     d.MPSPassword,
-		MEBXPassword:    d.MEBXPassword,
 		UseTLS:          d.UseTLS,
 		AllowSelfSigned: d.AllowSelfSigned,
 	}
@@ -100,17 +98,29 @@ func (uc *UseCase) dtoToEntity(d *dto.Device) *entity.Device {
 
 	d1.Password, err = uc.safeRequirements.Encrypt(d1.Password)
 	if err != nil {
-		uc.log.Error("Error encrypting password")
+		return nil, ErrDeviceUseCase.Wrap("dtoToEntity", "failed to encrypt password", err)
 	}
 
-	d1.MPSPassword, err = uc.safeRequirements.Encrypt(d1.MPSPassword)
-	if err != nil {
-		uc.log.Error("Error encrypting MPS password")
+	if d.MPSPassword == "" {
+		d1.MPSPassword = nil
+	} else {
+		encrypted, err := uc.safeRequirements.Encrypt(d.MPSPassword)
+		if err != nil {
+			return nil, ErrDeviceUseCase.Wrap("dtoToEntity", "failed to encrypt MPS password", err)
+		}
+
+		d1.MPSPassword = &encrypted
 	}
 
-	d1.MEBXPassword, err = uc.safeRequirements.Encrypt(d1.MEBXPassword)
-	if err != nil {
-		uc.log.Error("Error encrypting MEBX password")
+	if d.MEBXPassword == "" {
+		d1.MEBXPassword = nil
+	} else {
+		encrypted, err := uc.safeRequirements.Encrypt(d.MEBXPassword)
+		if err != nil {
+			return nil, ErrDeviceUseCase.Wrap("dtoToEntity", "failed to encrypt MEBX password", err)
+		}
+
+		d1.MEBXPassword = &encrypted
 	}
 
 	if d.CertHash == "" {
@@ -119,7 +129,7 @@ func (uc *UseCase) dtoToEntity(d *dto.Device) *entity.Device {
 		d1.CertHash = &d.CertHash
 	}
 
-	return d1
+	return d1, nil
 }
 
 // convert entity.Device to dto.Device.
@@ -154,5 +164,13 @@ func (uc *UseCase) entityToDTO(d *entity.Device) *dto.Device {
 		d1.CertHash = *d.CertHash
 	}
 
+	if d.MPSPassword != nil {
+		d1.MPSPassword = *d.MPSPassword
+	}
+
+	if d.MEBXPassword != nil {
+		d1.MEBXPassword = *d.MEBXPassword
+	}
+
 	return d1
 }
diff --git a/internal/usecase/sqldb/device_test.go b/internal/usecase/sqldb/device_test.go
@@ -43,8 +43,8 @@ func setupDeviceTable(t *testing.T) *sql.DB {
 			deviceinfo TEXT NOT NULL DEFAULT '',
 			username TEXT NOT NULL DEFAULT '',
 			password TEXT NOT NULL DEFAULT '',
-			mpspassword TEXT NOT NULL DEFAULT '',
-			mebxpassword TEXT NOT NULL DEFAULT '',
+			mpspassword TEXT,
+			mebxpassword TEXT,
 			usetls BOOLEAN NOT NULL DEFAULT FALSE,
 			allowselfsigned BOOLEAN NOT NULL DEFAULT FALSE,
 			certhash TEXT NOT NULL DEFAULT ''
@@ -656,8 +656,8 @@ func TestDeviceRepo_Delete(t *testing.T) {
 					deviceinfo TEXT NOT NULL DEFAULT '',
 					username TEXT NOT NULL DEFAULT '',
 					password TEXT NOT NULL DEFAULT '',
-					mpspassword TEXT NOT NULL DEFAULT '',
-					mebxpassword TEXT NOT NULL DEFAULT '',
+					mpspassword TEXT,
+					mebxpassword TEXT,
 					usetls BOOLEAN NOT NULL DEFAULT FALSE,
 					allowselfsigned BOOLEAN NOT NULL DEFAULT FALSE
 				);
@@ -806,8 +806,8 @@ func TestDeviceRepo_Update(t *testing.T) {
 					deviceinfo TEXT NOT NULL DEFAULT '',
 					username TEXT NOT NULL DEFAULT '',
 					password TEXT NOT NULL DEFAULT '',
-					mpspassword TEXT NOT NULL DEFAULT '',
-					mebxpassword TEXT NOT NULL DEFAULT '',
+					mpspassword TEXT,
+					mebxpassword TEXT,
 					usetls BOOLEAN NOT NULL DEFAULT FALSE,
 					allowselfsigned BOOLEAN NOT NULL DEFAULT FALSE,
 					certhash TEXT NOT NULL DEFAULT ''
