From 47408201e3d963efe4944073381befae6f39979a Mon Sep 17 00:00:00 2001
From: Roberto Dip <me@roperzh.com>
Date: Tue, 13 Feb 2024 17:30:44 -0300
Subject: [PATCH] fix: allow to unlock macOS hosts even if they're pending
 unlock (#16800)

unreleased bug for: https://github.com/fleetdm/fleet/issues/9949
---
 .../HostActionsDropdown.tests.tsx             | 29 +++++++++++++++++++
 .../HostActionsDropdown/helpers.tsx           |  9 +++++-
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/frontend/pages/hosts/details/HostDetailsPage/HostActionsDropdown/HostActionsDropdown.tests.tsx b/frontend/pages/hosts/details/HostDetailsPage/HostActionsDropdown/HostActionsDropdown.tests.tsx
index a5d464a47703..209405049505 100644
--- a/frontend/pages/hosts/details/HostDetailsPage/HostActionsDropdown/HostActionsDropdown.tests.tsx
+++ b/frontend/pages/hosts/details/HostDetailsPage/HostActionsDropdown/HostActionsDropdown.tests.tsx
@@ -515,6 +515,35 @@ describe("Host Actions Dropdown", () => {
       expect(screen.getByText("Unlock")).toBeInTheDocument();
     });
 
+    it("renders when the host is enrolled in mdm and the mdm is enabled and host is unlocking", async () => {
+      const render = createCustomRenderer({
+        context: {
+          app: {
+            isPremiumTier: true,
+            isMdmEnabledAndConfigured: true,
+            isGlobalAdmin: true,
+            currentUser: createMockUser(),
+          },
+        },
+      });
+
+      const { user } = render(
+        <HostActionsDropdown
+          hostTeamId={null}
+          onSelect={noop}
+          hostStatus="online"
+          hostMdmEnrollmentStatus="On (automatic)"
+          mdmName="Fleet"
+          hostPlatform="darwin"
+          hostMdmDeviceStatus="unlocking"
+        />
+      );
+
+      await user.click(screen.getByText("Actions"));
+
+      expect(screen.getByText("Unlock")).toBeInTheDocument();
+    });
+
     it("does not render when the host is not enrolled in mdm", async () => {
       const render = createCustomRenderer({
         context: {
diff --git a/frontend/pages/hosts/details/HostDetailsPage/HostActionsDropdown/helpers.tsx b/frontend/pages/hosts/details/HostDetailsPage/HostActionsDropdown/helpers.tsx
index 354fac0ddd93..bb8828b69ee9 100644
--- a/frontend/pages/hosts/details/HostDetailsPage/HostActionsDropdown/helpers.tsx
+++ b/frontend/pages/hosts/details/HostDetailsPage/HostActionsDropdown/helpers.tsx
@@ -196,9 +196,16 @@ const canUnlock = ({
     isMdmEnabledAndConfigured &&
     isEnrolledInMdm;
 
+  // "unlocking" for a macOS host means that somebody saw the unlock pin, but
+  // shouldn't prevent users from trying to see the pin again, which is
+  // considered an "unlock"
+  const isValidState =
+    (hostMdmDeviceStatus === "unlocking" && hostPlatform === "darwin") ||
+    hostMdmDeviceStatus === "locked";
+
   return (
     isPremiumTier &&
-    hostMdmDeviceStatus === "locked" &&
+    isValidState &&
     (isGlobalAdmin ||
       isGlobalMaintainer ||
       isGlobalObserver ||