[8.x] [Fleet] Prevent duplication of managed policy !! (#197575) (#19…

…8201)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Fleet] Prevent duplication of managed policy !!
(#197575)](#197575)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT
[{"author":{"name":"Shahzad","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-29T20:00:40Z","message":"[Fleet]
Prevent duplication of managed policy !! (#197575)\n\n##
Summary\r\n\r\nFixes
https://github.com/elastic/kibana/issues/194149\r\n\r\nPrevent
duplication of managed policy !!\r\n\r\n<img width=\"1594\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/f386a287-4f9e-4307-ba84-98f3ea807ef9\">","sha":"81856bc8431daf83c972a65c6b8b0e312f8477a6","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","v9.0.0","backport:prev-minor"],"title":"[Fleet]
Prevent duplication of managed policy
!!","number":197575,"url":"https://github.com/elastic/kibana/pull/197575","mergeCommit":{"message":"[Fleet]
Prevent duplication of managed policy !! (#197575)\n\n##
Summary\r\n\r\nFixes
https://github.com/elastic/kibana/issues/194149\r\n\r\nPrevent
duplication of managed policy !!\r\n\r\n<img width=\"1594\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/f386a287-4f9e-4307-ba84-98f3ea807ef9\">","sha":"81856bc8431daf83c972a65c6b8b0e312f8477a6"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/197575","number":197575,"mergeCommit":{"message":"[Fleet]
Prevent duplication of managed policy !! (#197575)\n\n##
Summary\r\n\r\nFixes
https://github.com/elastic/kibana/issues/194149\r\n\r\nPrevent
duplication of managed policy !!\r\n\r\n<img width=\"1594\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/f386a287-4f9e-4307-ba84-98f3ea807ef9\">","sha":"81856bc8431daf83c972a65c6b8b0e312f8477a6"}}]}]
BACKPORT-->

Co-authored-by: Shahzad <[email protected]>

x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/actions_menu.tsx

@@ -137,13 +137,22 @@ export const AgentPolicyActionMenu = memo<{
           const copyPolicyItem = (
             <EuiContextMenuItem
               data-test-subj="agentPolicyActionMenuCopyButton"
-              disabled={!authz.integrations.writeIntegrationPolicies}
+              disabled={!authz.integrations.writeIntegrationPolicies || hasManagedPackagePolicy}
               icon="copy"
               onClick={() => {
                 setIsContextMenuOpen(false);
                 copyAgentPolicyPrompt(agentPolicy, onCopySuccess);
               }}
               key="copyPolicy"
+              toolTipContent={
+                hasManagedPackagePolicy ? (
+                  <FormattedMessage
+                    id="xpack.fleet.policyForm.copyPolicyActionText.disabled"
+                    defaultMessage="Agent policy with managed package policies cannot be copied."
+                    data-test-subj="agentPolicyActionMenuCopyButtonDisabledTooltip"
+                  />
+                ) : undefined
+              }
             >
               <FormattedMessage
                 id="xpack.fleet.agentPolicyActionMenu.copyPolicyActionText"

x-pack/plugins/fleet/server/services/agent_policy.test.ts

@@ -1319,6 +1319,36 @@ describe('Agent policy', () => {
     });
   });
 
+  describe('copy', () => {
+    let soClient: ReturnType<typeof savedObjectsClientMock.create>;
+    let esClient: ReturnType<typeof elasticsearchServiceMock.createClusterClient>['asInternalUser'];
+
+    beforeEach(() => {
+      soClient = getSavedObjectMock({ revision: 1, package_policies: ['package-1'] });
+      esClient = elasticsearchServiceMock.createClusterClient().asInternalUser;
+    });
+
+    it('should throw error for agent policy which has managed package policy', async () => {
+      mockedPackagePolicyService.findAllForAgentPolicy.mockReturnValue([
+        {
+          id: 'package-1',
+          is_managed: true,
+        },
+      ] as any);
+      try {
+        await agentPolicyService.copy(soClient, esClient, 'mocked', {
+          name: 'copy mocked',
+        });
+      } catch (e) {
+        expect(e.message).toEqual(
+          new PackagePolicyRestrictionRelatedError(
+            `Cannot copy an agent policy mocked that contains managed package policies`
+          ).message
+        );
+      }
+    });
+  });
+
   describe('deployPolicy', () => {
     beforeEach(() => {
       mockedGetFullAgentPolicy.mockReset();

x-pack/plugins/fleet/server/services/agent_policy.ts

@@ -768,6 +768,17 @@ class AgentPolicyService {
     if (!baseAgentPolicy) {
       throw new AgentPolicyNotFoundError('Agent policy not found');
     }
+    if (baseAgentPolicy.package_policies?.length) {
+      const hasManagedPackagePolicies = baseAgentPolicy.package_policies.some(
+        (packagePolicy) => packagePolicy.is_managed
+      );
+      if (hasManagedPackagePolicies) {
+        throw new PackagePolicyRestrictionRelatedError(
+          `Cannot copy an agent policy ${id} that contains managed package policies`
+        );
+      }
+    }
+
     const newAgentPolicy = await this.create(
       soClient,
       esClient,