Don't resend pending certificates

2026-04-21 13:37:30 +00:00 · 2026-04-20 17:05:21 -04:00 · 2026-04-20 17:05:21 -04:00 · b58f5e0c4d
commit b58f5e0c4d
parent 308e5f3dc8
2 changed files with 46 additions and 0 deletions
--- a/server/service/certificate_templates_test.go
+++ b/server/service/certificate_templates_test.go
@ -412,6 +412,18 @@ func TestResendHostCertificateTemplate(t *testing.T) {
 		}, nil
 	}

+	ds.GetCertificateTemplateByIdForHostFunc = func(ctx context.Context, id uint, hostUUID string) (*fleet.CertificateTemplateResponseForHost, error) {
+		return &fleet.CertificateTemplateResponseForHost{
+			CertificateTemplateResponse: fleet.CertificateTemplateResponse{
+				CertificateTemplateResponseSummary: fleet.CertificateTemplateResponseSummary{
+					ID:   id,
+					Name: templateName,
+				},
+			},
+			Status: fleet.CertificateTemplateDelivered,
+		}, nil
+	}
+
 	t.Run("succeeds and creates activity", func(t *testing.T) {
 		ds.ResendHostCertificateTemplateFunc = func(ctx context.Context, hID uint, tID uint) error {
 			require.Equal(t, hostID, hID)
@ -455,4 +467,28 @@ func TestResendHostCertificateTemplate(t *testing.T) {
 		require.Contains(t, err.Error(), "db error")
 		require.False(t, opts.ActivityMock.NewActivityFuncInvoked)
 	})
+
+	t.Run("returns 400 when template is pending for host", func(t *testing.T) {
+		ds.GetCertificateTemplateByIdForHostFunc = func(ctx context.Context, id uint, hostUUID string) (*fleet.CertificateTemplateResponseForHost, error) {
+			return &fleet.CertificateTemplateResponseForHost{
+				CertificateTemplateResponse: fleet.CertificateTemplateResponse{
+					CertificateTemplateResponseSummary: fleet.CertificateTemplateResponseSummary{
+						ID:   id,
+						Name: templateName,
+					},
+				},
+				Status: fleet.CertificateTemplatePending,
+			}, nil
+		}
+		ds.ResendHostCertificateTemplateFuncInvoked = false
+
+		err := svc.ResendHostCertificateTemplate(ctx, hostID, templateID)
+		require.Error(t, err)
+
+		var umErr interface{ StatusCode() int }
+		require.ErrorAs(t, err, &umErr)
+		require.Equal(t, 400, umErr.StatusCode())
+		require.False(t, ds.ResendHostCertificateTemplateFuncInvoked)
+		require.False(t, opts.ActivityMock.NewActivityFuncInvoked)
+	})
 }
--- a/server/service/certificates.go
+++ b/server/service/certificates.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/http"
 	"regexp"
 	"strings"
 	"time"
@ -780,6 +781,15 @@ func (svc *Service) ResendHostCertificateTemplate(ctx context.Context, hostID ui
 		return ctxerr.Wrap(ctx, err)
 	}

+	template, err := svc.ds.GetCertificateTemplateByIdForHost(ctx, templateID, host.UUID)
+	if err != nil {
+		return ctxerr.Wrap(ctx, err, "checking host certificate template")
+	}
+
+	if template.Status == fleet.CertificateTemplatePending {
+		return fleet.NewUserMessageError(errors.New("Couldn't resend pending certificate template."), http.StatusBadRequest)
+	}
+
 	if err := svc.ds.ResendHostCertificateTemplate(ctx, hostID, templateID); err != nil {
 		return ctxerr.Wrap(ctx, err, "resending certificate template")
 	}