From 4782bd49adceb28318ba66b0bb31b9e8e721193e Mon Sep 17 00:00:00 2001
From: kruskall <99559985+kruskall@users.noreply.github.com>
Date: Fri, 28 Feb 2025 16:56:33 +0100
Subject: [PATCH] fix(ipv6): do not build malformed enroll url with ipv6 host
 (#7036)

* fix(ipv6): do not build malformed enroll url with ipv6 host

replace string concat with net func to avoid building a malformed
url if the host is an ipv6

* changelog: add fragment

---------

Co-authored-by: Blake Rouse <blake.rouse@elastic.co>
---
 .../1740712347-support-ipv6-enroll-url.yaml   | 32 +++++++++++++++++++
 internal/pkg/agent/cmd/enroll_cmd.go          |  8 +++--
 2 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 changelog/fragments/1740712347-support-ipv6-enroll-url.yaml

diff --git a/changelog/fragments/1740712347-support-ipv6-enroll-url.yaml b/changelog/fragments/1740712347-support-ipv6-enroll-url.yaml
new file mode 100644
index 00000000000..89d00ba0a51
--- /dev/null
+++ b/changelog/fragments/1740712347-support-ipv6-enroll-url.yaml
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: bug-fix
+
+# Change summary; a 80ish characters long description of the change.
+summary: support ipv6 hosts in enroll url
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: elastic-agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/7036
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234
diff --git a/internal/pkg/agent/cmd/enroll_cmd.go b/internal/pkg/agent/cmd/enroll_cmd.go
index 19426c06d6b..caa8325dcc4 100644
--- a/internal/pkg/agent/cmd/enroll_cmd.go
+++ b/internal/pkg/agent/cmd/enroll_cmd.go
@@ -11,8 +11,10 @@ import (
 	"fmt"
 	"io"
 	"math/rand/v2"
+	"net"
 	"os"
 	"os/exec"
+	"strconv"
 	"strings"
 	"time"
 
@@ -433,7 +435,7 @@ func (c *enrollCmd) prepareFleetTLS() error {
 			if c.options.FleetServer.Host == "" {
 				c.options.FleetServer.Host = defaultFleetServerInternalHost
 			}
-			c.options.URL = fmt.Sprintf("http://%s:%d", host, port)
+			c.options.URL = "http://" + net.JoinHostPort(host, strconv.Itoa(int(port)))
 			c.options.Insecure = true
 			return nil
 		}
@@ -453,7 +455,7 @@ func (c *enrollCmd) prepareFleetTLS() error {
 		}
 		c.options.FleetServer.Cert = string(pair.Crt)
 		c.options.FleetServer.CertKey = string(pair.Key)
-		c.options.URL = fmt.Sprintf("https://%s:%d", hostname, port)
+		c.options.URL = "https://" + net.JoinHostPort(hostname, strconv.Itoa(int(port)))
 		c.options.CAs = []string{string(ca.Crt())}
 	}
 	// running with custom Cert and CertKey; URL is required to be set
@@ -465,7 +467,7 @@ func (c *enrollCmd) prepareFleetTLS() error {
 		if c.options.FleetServer.InternalPort != defaultFleetServerInternalPort {
 			c.log.Warnf("Internal endpoint configured to: %d. Changing this value is not supported.", c.options.FleetServer.InternalPort)
 		}
-		c.options.InternalURL = fmt.Sprintf("%s:%d", defaultFleetServerInternalHost, c.options.FleetServer.InternalPort)
+		c.options.InternalURL = net.JoinHostPort(defaultFleetServerInternalHost, strconv.Itoa(int(c.options.FleetServer.InternalPort)))
 	}
 
 	return nil