fix: allow to unlock macOS hosts even if they're pending unlock (#16800)

unreleased bug for: https://github.com/fleetdm/fleet/issues/9949

frontend/pages/hosts/details/HostDetailsPage/HostActionsDropdown/HostActionsDropdown.tests.tsx

@@ -515,6 +515,35 @@ describe("Host Actions Dropdown", () => {
       expect(screen.getByText("Unlock")).toBeInTheDocument();
     });
 
+    it("renders when the host is enrolled in mdm and the mdm is enabled and host is unlocking", async () => {
+      const render = createCustomRenderer({
+        context: {
+          app: {
+            isPremiumTier: true,
+            isMdmEnabledAndConfigured: true,
+            isGlobalAdmin: true,
+            currentUser: createMockUser(),
+          },
+        },
+      });
+
+      const { user } = render(
+        <HostActionsDropdown
+          hostTeamId={null}
+          onSelect={noop}
+          hostStatus="online"
+          hostMdmEnrollmentStatus="On (automatic)"
+          mdmName="Fleet"
+          hostPlatform="darwin"
+          hostMdmDeviceStatus="unlocking"
+        />
+      );
+
+      await user.click(screen.getByText("Actions"));
+
+      expect(screen.getByText("Unlock")).toBeInTheDocument();
+    });
+
     it("does not render when the host is not enrolled in mdm", async () => {
       const render = createCustomRenderer({
         context: {

frontend/pages/hosts/details/HostDetailsPage/HostActionsDropdown/helpers.tsx

@@ -196,9 +196,16 @@ const canUnlock = ({
     isMdmEnabledAndConfigured &&
     isEnrolledInMdm;
 
+  // "unlocking" for a macOS host means that somebody saw the unlock pin, but
+  // shouldn't prevent users from trying to see the pin again, which is
+  // considered an "unlock"
+  const isValidState =
+    (hostMdmDeviceStatus === "unlocking" && hostPlatform === "darwin") ||
+    hostMdmDeviceStatus === "locked";
+
   return (
     isPremiumTier &&
-    hostMdmDeviceStatus === "locked" &&
+    isValidState &&
     (isGlobalAdmin ||
       isGlobalMaintainer ||
       isGlobalObserver ||