fix: add missing check for invalid email (#22057)

> Related issue: #21813 # Checklist for submitter If some of the following don't apply, delete the relevant line.  - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2026-05-23 08:58:41 +00:00 · 2024-09-13 08:41:52 -04:00 · 2024-09-13 08:41:52 -04:00 · a2c6de65d6
commit a2c6de65d6
parent 419433fb44
4 changed files with 27 additions and 1 deletions
--- a/changes/21813-email-err
+++ b/changes/21813-email-err
@ -0,0 +1,2 @@
+- Fixed regression: we now check if the email used to get a signed CSR is invalid (i.e. is an email
+  from a free email provider).
--- a/frontend/pages/admin/IntegrationsPage/cards/MdmSettings/AppleMdmPage/components/modals/RenewCertModal/RenewCertModal.tsx
+++ b/frontend/pages/admin/IntegrationsPage/cards/MdmSettings/AppleMdmPage/components/modals/RenewCertModal/RenewCertModal.tsx
@ -65,7 +65,13 @@ const RenewCertModal = ({
  const onDownloadError = useCallback(
    // eslint-disable-next-line @typescript-eslint/no-unused-vars
    (e: unknown) => {
-      renderFlash("error", "Something's gone wrong. Please try again.");
+      const msg = getErrorReason(e);
+
+      if (msg.toLowerCase().includes("email address is not valid")) {
+        renderFlash("error", msg);
+      } else {
+        renderFlash("error", "Something's gone wrong. Please try again.");
+      }
    },
    [renderFlash]
  );
--- a/server/service/integration_mdm_test.go
+++ b/server/service/integration_mdm_test.go
@ -1329,6 +1329,14 @@ func (s *integrationMDMTestSuite) TestGetMDMCSR() {
 	require.Len(t, errResp.Errors, 1)
 	require.Contains(t, errResp.Errors[0].Reason, "FleetDM CSR request failed")

+	// Check that we return bad request if the website API does (it will do this in case of an
+	// invalid email address
+	s.FailNextCSRRequestWith(http.StatusUnprocessableEntity)
+	errResp = validationErrResp{}
+	s.DoJSON("GET", "/api/latest/fleet/mdm/apple/request_csr", getMDMAppleCSRRequest{}, http.StatusUnprocessableEntity, &errResp)
+	require.Len(t, errResp.Errors, 1)
+	require.Contains(t, errResp.Errors[0].Reason, "this email address is not valid")
+
 	// Invalid APNS cert upload attempt
 	s.uploadDataViaForm("/api/latest/fleet/mdm/apple/apns_certificate", "certificate", "certificate.pem", []byte("invalid-cert"), http.StatusUnprocessableEntity, "Invalid certificate. Please provide a valid certificate from Apple Push Certificate Portal.", nil)

--- a/server/service/mdm.go
+++ b/server/service/mdm.go
@ -2351,6 +2351,16 @@ func (svc *Service) GetMDMAppleCSR(ctx context.Context) ([]byte, error) {
 	if err != nil {
 		var fwe apple_mdm.FleetWebsiteError
 		if errors.As(err, &fwe) {
+			// From svc.RequestMDMAppleCSR: fleetdm.com returns a bad request here if the email is invalid.
+			if fwe.Status >= 400 && fwe.Status <= 499 {
+				return nil, ctxerr.Wrap(
+					ctx,
+					fleet.NewInvalidArgumentError(
+						"email_address",
+						fmt.Sprintf("this email address is not valid: %v", err),
+					),
+				)
+			}
 			return nil, ctxerr.Wrap(
 				ctx,
 				fleet.NewUserMessageError(