block activation mode update when vpro is active (#875)

jagratac · web-flow · commit ff7c579912d7 · 2026-03-02T23:14:40.000+05:30
diff --git a/apiv2/VERSION b/apiv2/VERSION
@@ -1 +1 @@
-2.9.10-dev
+2.9.10
diff --git a/apiv2/internal/server/host.go b/apiv2/internal/server/host.go
@@ -573,6 +573,55 @@ func (is *InventorygRPCServer) handleConsecutivePowerReset(
 		resourceID, invHost.DesiredPowerState)
 }
 
+// validateAmtControlModeChange validates that amtControlMode cannot be changed
+// when both desiredAmtState and currentAmtState are AMT_STATE_PROVISIONED.
+func (is *InventorygRPCServer) validateAmtControlModeChange(
+	ctx context.Context,
+	resourceID string,
+	fieldmask *fieldmaskpb.FieldMask,
+) error {
+	// Check if amtControlMode is in the field mask
+	amtControlModeInFieldMask := false
+	for _, path := range fieldmask.GetPaths() {
+		if path == inv_computev1.HostResourceFieldAmtControlMode {
+			amtControlModeInFieldMask = true
+			break
+		}
+	}
+
+	if !amtControlModeInFieldMask {
+		return nil
+	}
+
+	// Get the current host state to check AMT states
+	currentHostRes, err := is.InvClient.Get(ctx, resourceID)
+	if err != nil {
+		zlog.Warn().Err(err).Msgf("Could not retrieve current host state for %s", resourceID)
+		return errors.Wrap(err)
+	}
+
+	currentHost := currentHostRes.GetResource().GetHost()
+	if currentHost == nil {
+		return nil
+	}
+
+	desiredAmtState := currentHost.GetDesiredAmtState()
+	currentAmtState := currentHost.GetCurrentAmtState()
+
+	zlog.Debug().Msgf("Host %s AMT state check: desiredAmtState=%v, currentAmtState=%v",
+		resourceID, desiredAmtState, currentAmtState)
+
+	// Block amtControlMode change if both states are PROVISIONED
+	if desiredAmtState == inv_computev1.AmtState_AMT_STATE_PROVISIONED &&
+		currentAmtState == inv_computev1.AmtState_AMT_STATE_PROVISIONED {
+		return errors.Errorfc(codes.FailedPrecondition,
+			"cannot modify amtControlMode when host %s is already provisioned (desiredAmtState=%v, currentAmtState=%v)",
+			resourceID, desiredAmtState, currentAmtState)
+	}
+
+	return nil
+}
+
 // Update a host. (PUT).
 func (is *InventorygRPCServer) UpdateHost(
 	ctx context.Context,
@@ -635,6 +684,11 @@ func (is *InventorygRPCServer) PatchHost(
 		return nil, errors.Wrap(err)
 	}
 
+	// Validate amtControlMode changes - not allowed when already provisioned
+	if errValidate := is.validateAmtControlModeChange(ctx, req.GetResourceId(), fieldmask); errValidate != nil {
+		return nil, errValidate
+	}
+
 	invRes := &inventory.Resource{
 		Resource: &inventory.Resource_Host{
 			Host: invHost,
diff --git a/apiv2/internal/server/host_test.go b/apiv2/internal/server/host_test.go
@@ -1461,3 +1461,201 @@ func updateInstanceAttestationStatusIndicator(
 	_, err := inv_testing.TestClients[inv_testing.RMClient].Update(ctx, instanceID, fieldMask, updateRes)
 	require.NoError(t, err)
 }
+
+//nolint:funlen // Test functions are long but necessary to test all the cases.
+func TestHost_PatchAmtControlModeValidation(t *testing.T) {
+	mockedClient := newMockedInventoryTestClient()
+	server := inv_server.InventorygRPCServer{InvClient: mockedClient}
+
+	cases := []struct {
+		name        string
+		mocks       func() []*mock.Call
+		ctx         context.Context
+		req         *restv1.PatchHostRequest
+		wantErr     bool
+		description string
+	}{
+		{
+			name: "Block amtControlMode change when both states are PROVISIONED",
+			mocks: func() []*mock.Call {
+				currentHost := &inv_computev1.HostResource{
+					ResourceId:      "host-12345678",
+					DesiredAmtState: inv_computev1.AmtState_AMT_STATE_PROVISIONED,
+					CurrentAmtState: inv_computev1.AmtState_AMT_STATE_PROVISIONED,
+					AmtControlMode:  inv_computev1.AmtControlMode_AMT_CONTROL_MODE_CCM,
+				}
+				return []*mock.Call{
+					mockedClient.On("Get", mock.Anything, "host-12345678").
+						Return(&inventory.GetResourceResponse{
+							Resource: &inventory.Resource{
+								Resource: &inventory.Resource_Host{Host: currentHost},
+							},
+						}, nil).Once(),
+				}
+			},
+			ctx: context.Background(),
+			req: &restv1.PatchHostRequest{
+				ResourceId: "host-12345678",
+				Host: &computev1.HostResource{
+					AmtControlMode: computev1.AmtControlMode_AMT_CONTROL_MODE_ACM,
+				},
+				FieldMask: &fieldmaskpb.FieldMask{
+					Paths: []string{computev1.HostResourceFieldAmtControlMode},
+				},
+			},
+			wantErr:     true,
+			description: "Should reject amtControlMode change when host is fully provisioned",
+		},
+		{
+			name: "Allow amtControlMode change when desiredAmtState is not PROVISIONED",
+			mocks: func() []*mock.Call {
+				currentHost := &inv_computev1.HostResource{
+					ResourceId:      "host-12345678",
+					DesiredAmtState: inv_computev1.AmtState_AMT_STATE_UNPROVISIONED,
+					CurrentAmtState: inv_computev1.AmtState_AMT_STATE_PROVISIONED,
+					AmtControlMode:  inv_computev1.AmtControlMode_AMT_CONTROL_MODE_CCM,
+				}
+				return []*mock.Call{
+					mockedClient.On("Get", mock.Anything, "host-12345678").
+						Return(&inventory.GetResourceResponse{
+							Resource: &inventory.Resource{
+								Resource: &inventory.Resource_Host{Host: currentHost},
+							},
+						}, nil).Once(),
+					mockedClient.On("Update", mock.Anything, "host-12345678", mock.Anything, mock.Anything).
+						Return(&inventory.Resource{
+							Resource: &inventory.Resource_Host{Host: currentHost},
+						}, nil).Once(),
+				}
+			},
+			ctx: context.Background(),
+			req: &restv1.PatchHostRequest{
+				ResourceId: "host-12345678",
+				Host: &computev1.HostResource{
+					AmtControlMode: computev1.AmtControlMode_AMT_CONTROL_MODE_ACM,
+				},
+				FieldMask: &fieldmaskpb.FieldMask{
+					Paths: []string{computev1.HostResourceFieldAmtControlMode},
+				},
+			},
+			wantErr:     false,
+			description: "Should allow amtControlMode change when desiredAmtState is not PROVISIONED",
+		},
+		{
+			name: "Allow amtControlMode change when currentAmtState is not PROVISIONED",
+			mocks: func() []*mock.Call {
+				currentHost := &inv_computev1.HostResource{
+					ResourceId:      "host-12345678",
+					DesiredAmtState: inv_computev1.AmtState_AMT_STATE_PROVISIONED,
+					CurrentAmtState: inv_computev1.AmtState_AMT_STATE_UNPROVISIONED,
+					AmtControlMode:  inv_computev1.AmtControlMode_AMT_CONTROL_MODE_CCM,
+				}
+				return []*mock.Call{
+					mockedClient.On("Get", mock.Anything, "host-12345678").
+						Return(&inventory.GetResourceResponse{
+							Resource: &inventory.Resource{
+								Resource: &inventory.Resource_Host{Host: currentHost},
+							},
+						}, nil).Once(),
+					mockedClient.On("Update", mock.Anything, "host-12345678", mock.Anything, mock.Anything).
+						Return(&inventory.Resource{
+							Resource: &inventory.Resource_Host{Host: currentHost},
+						}, nil).Once(),
+				}
+			},
+			ctx: context.Background(),
+			req: &restv1.PatchHostRequest{
+				ResourceId: "host-12345678",
+				Host: &computev1.HostResource{
+					AmtControlMode: computev1.AmtControlMode_AMT_CONTROL_MODE_ACM,
+				},
+				FieldMask: &fieldmaskpb.FieldMask{
+					Paths: []string{computev1.HostResourceFieldAmtControlMode},
+				},
+			},
+			wantErr:     false,
+			description: "Should allow amtControlMode change when currentAmtState is not PROVISIONED",
+		},
+		{
+			name: "Allow patch without amtControlMode in field mask",
+			mocks: func() []*mock.Call {
+				currentHost := &inv_computev1.HostResource{
+					ResourceId:      "host-12345678",
+					DesiredAmtState: inv_computev1.AmtState_AMT_STATE_PROVISIONED,
+					CurrentAmtState: inv_computev1.AmtState_AMT_STATE_PROVISIONED,
+					AmtControlMode:  inv_computev1.AmtControlMode_AMT_CONTROL_MODE_CCM,
+					Name:            "updated-host",
+				}
+				return []*mock.Call{
+					mockedClient.On("Update", mock.Anything, "host-12345678", mock.Anything, mock.Anything).
+						Return(&inventory.Resource{
+							Resource: &inventory.Resource_Host{Host: currentHost},
+						}, nil).Once(),
+				}
+			},
+			ctx: context.Background(),
+			req: &restv1.PatchHostRequest{
+				ResourceId: "host-12345678",
+				Host: &computev1.HostResource{
+					Name: "updated-host",
+				},
+				FieldMask: &fieldmaskpb.FieldMask{
+					Paths: []string{"name"},
+				},
+			},
+			wantErr:     false,
+			description: "Should allow patch when amtControlMode is not in field mask even if host is provisioned",
+		},
+		{
+			name: "Allow amtControlMode change when both states are UNSPECIFIED",
+			mocks: func() []*mock.Call {
+				currentHost := &inv_computev1.HostResource{
+					ResourceId:      "host-12345678",
+					DesiredAmtState: inv_computev1.AmtState_AMT_STATE_UNSPECIFIED,
+					CurrentAmtState: inv_computev1.AmtState_AMT_STATE_UNSPECIFIED,
+					AmtControlMode:  inv_computev1.AmtControlMode_AMT_CONTROL_MODE_UNSPECIFIED,
+				}
+				return []*mock.Call{
+					mockedClient.On("Get", mock.Anything, "host-12345678").
+						Return(&inventory.GetResourceResponse{
+							Resource: &inventory.Resource{
+								Resource: &inventory.Resource_Host{Host: currentHost},
+							},
+						}, nil).Once(),
+					mockedClient.On("Update", mock.Anything, "host-12345678", mock.Anything, mock.Anything).
+						Return(&inventory.Resource{
+							Resource: &inventory.Resource_Host{Host: currentHost},
+						}, nil).Once(),
+				}
+			},
+			ctx: context.Background(),
+			req: &restv1.PatchHostRequest{
+				ResourceId: "host-12345678",
+				Host: &computev1.HostResource{
+					AmtControlMode: computev1.AmtControlMode_AMT_CONTROL_MODE_ACM,
+				},
+				FieldMask: &fieldmaskpb.FieldMask{
+					Paths: []string{computev1.HostResourceFieldAmtControlMode},
+				},
+			},
+			wantErr:     false,
+			description: "Should allow amtControlMode change when both states are UNSPECIFIED",
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			if tc.mocks != nil {
+				tc.mocks()
+			}
+
+			reply, err := server.PatchHost(tc.ctx, tc.req)
+			if tc.wantErr {
+				assert.Error(t, err, tc.description)
+				return
+			}
+			assert.NoError(t, err, tc.description)
+			assert.NotNil(t, reply, tc.description)
+		})
+	}
+}
diff --git a/apiv2/internal/server/utils.go b/apiv2/internal/server/utils.go
@@ -72,7 +72,7 @@ func TruncateUint64ToUint32(value uint64) uint32 {
 		zlog.Warn().Msgf("uint64 value %d exceeds uint32 max limit, truncating", value)
 	}
 
-	return uint32(value & math.MaxUint32) //nolint:gosec // Mask the lower 32 bits.
+	return uint32(value & math.MaxUint32) //nolint:gosec,nolintlint // G115: intentional truncation
 }
 
 // SafeUint32Toint32 safely converts a uint32 to a int32.

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ func TruncateUint64ToUint32(value uint64) uint32 {`
`72`	`72`	`zlog.Warn().Msgf("uint64 value %d exceeds uint32 max limit, truncating", value)`
`73`	`73`	`}`
`74`	`74`
`75`		`- return uint32(value & math.MaxUint32) //nolint:gosec // Mask the lower 32 bits.`
	`75`	`+ return uint32(value & math.MaxUint32) //nolint:gosec,nolintlint // G115: intentional truncation`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`// SafeUint32Toint32 safely converts a uint32 to a int32.`