keep enrollment token when replacing data with signed (#10115)

michalpristas · web-flow · commit 91394cc959ee · 2025-09-24T19:15:53.000+02:00
diff --git a/internal/pkg/agent/application/actions/handlers/handler_action_migrate.go b/internal/pkg/agent/application/actions/handlers/handler_action_migrate.go
@@ -77,12 +77,19 @@ func (h *Migrate) Handle(ctx context.Context, a fleetapi.Action, ack acker.Acker
 		return err
 	}
 
+	// signed data contains secret reference to the enrollment token so we extract the cleartext value
+	// out of action.Data and replace it after unmarshalling the signed data into action.Data
+	// see: https://github.com/elastic/fleet-server/blob/22f1f7a0474080d3f56c7148a6505cff0957f549/internal/pkg/secret/secret.go#L75
+	enrollmentToken := action.Data.EnrollmentToken
+
 	if signedData != nil {
 		if err := json.Unmarshal(signedData, &action.Data); err != nil {
 			return fmt.Errorf("failed to convert signed data to action data: %w", err)
 		}
 	}
 
+	action.Data.EnrollmentToken = enrollmentToken
+
 	if err := h.coord.Migrate(ctx, action, fleetgateway.RequestBackoff); err != nil {
 		// this should not happen, unmanaged agent should not receive the action
 		// defensive coding to avoid misbehavior

Original file line number	Diff line number	Diff line change
`@@ -77,12 +77,19 @@ func (h *Migrate) Handle(ctx context.Context, a fleetapi.Action, ack acker.Acker`
`77`	`77`	`return err`
`78`	`78`	`}`
`79`	`79`
	`80`	`+ // signed data contains secret reference to the enrollment token so we extract the cleartext value`
	`81`	`+ // out of action.Data and replace it after unmarshalling the signed data into action.Data`
	`82`	`+ // see: https://github.com/elastic/fleet-server/blob/22f1f7a0474080d3f56c7148a6505cff0957f549/internal/pkg/secret/secret.go#L75`
	`83`	`+ enrollmentToken := action.Data.EnrollmentToken`
	`84`	`+`
`80`	`85`	`if signedData != nil {`
`81`	`86`	`if err := json.Unmarshal(signedData, &action.Data); err != nil {`
`82`	`87`	`return fmt.Errorf("failed to convert signed data to action data: %w", err)`
`83`	`88`	`}`
`84`	`89`	`}`
`85`	`90`
	`91`	`+ action.Data.EnrollmentToken = enrollmentToken`
	`92`	`+`
`86`	`93`	`if err := h.coord.Migrate(ctx, action, fleetgateway.RequestBackoff); err != nil {`
`87`	`94`	`// this should not happen, unmanaged agent should not receive the action`
`88`	`95`	`// defensive coding to avoid misbehavior`