[8.x] [Fleet] Prevent hosted policies space change (#198043) (#198081)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Fleet] Prevent hosted policies space change
(#198043)](#198043)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Nicolas
Chaulet","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-28T19:54:22Z","message":"[Fleet]
Prevent hosted policies space change
(#198043)","sha":"e827873c51a15c64c3a7cbdd6f2ee325e09c747e","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","v9.0.0","backport:prev-minor"],"title":"[Fleet]
Prevent hosted policies space
change","number":198043,"url":"https://github.com/elastic/kibana/pull/198043","mergeCommit":{"message":"[Fleet]
Prevent hosted policies space change
(#198043)","sha":"e827873c51a15c64c3a7cbdd6f2ee325e09c747e"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198043","number":198043,"mergeCommit":{"message":"[Fleet]
Prevent hosted policies space change
(#198043)","sha":"e827873c51a15c64c3a7cbdd6f2ee325e09c747e"}}]}]
BACKPORT-->

Co-authored-by: Nicolas Chaulet <[email protected]>

x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/agent_policy_advanced_fields/index.tsx

@@ -328,7 +328,7 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
           }
         >
           <SpaceSelector
-            isDisabled={disabled}
+            isDisabled={disabled || agentPolicy.is_managed === true}
             value={
               'space_ids' in agentPolicy && agentPolicy.space_ids
                 ? agentPolicy.space_ids

x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts

@@ -338,6 +338,7 @@ export const createAgentPolicyHandler: FleetRequestHandler<
         currentSpaceId: spaceId,
         newSpaceIds: spaceIds,
         authorizedSpaces,
+        options: { force },
       });
     }
 
@@ -380,6 +381,7 @@ export const updateAgentPolicyHandler: FleetRequestHandler<
         currentSpaceId: spaceId,
         newSpaceIds: spaceIds,
         authorizedSpaces,
+        options: { force },
       });
 
       spaceId = spaceIds[0];

x-pack/plugins/fleet/server/services/spaces/agent_policy.test.ts

@@ -112,6 +112,23 @@ describe('updateAgentPolicySpaces', () => {
     );
   });
 
+  it('throw when trying to change a managed policies space', async () => {
+    jest.mocked(agentPolicyService.get).mockResolvedValue({
+      id: 'policy1',
+      space_ids: ['default'],
+      is_managed: true,
+    } as any);
+    jest.mocked(packagePolicyService.findAllForAgentPolicy).mockResolvedValue([] as any);
+    await expect(
+      updateAgentPolicySpaces({
+        agentPolicyId: 'policy1',
+        currentSpaceId: 'default',
+        newSpaceIds: ['test'],
+        authorizedSpaces: ['test', 'default'],
+      })
+    ).rejects.toThrowError(/Cannot update hosted agent policy policy1 space/);
+  });
+
   it('throw when trying to add a space with missing permissions', async () => {
     await expect(
       updateAgentPolicySpaces({

x-pack/plugins/fleet/server/services/spaces/agent_policy.ts

@@ -19,7 +19,7 @@ import { appContextService } from '../app_context';
 import { agentPolicyService } from '../agent_policy';
 import { ENROLLMENT_API_KEYS_INDEX } from '../../constants';
 import { packagePolicyService } from '../package_policy';
-import { FleetError } from '../../errors';
+import { FleetError, HostedAgentPolicyRestrictionRelatedError } from '../../errors';
 
 import { isSpaceAwarenessEnabled } from './helpers';
 
@@ -28,11 +28,13 @@ export async function updateAgentPolicySpaces({
   currentSpaceId,
   newSpaceIds,
   authorizedSpaces,
+  options,
 }: {
   agentPolicyId: string;
   currentSpaceId: string;
   newSpaceIds: string[];
   authorizedSpaces: string[];
+  options?: { force?: boolean };
 }) {
   const useSpaceAwareness = await isSpaceAwarenessEnabled();
   if (!useSpaceAwareness || !newSpaceIds || newSpaceIds.length === 0) {
@@ -50,6 +52,16 @@ export async function updateAgentPolicySpaces({
     agentPolicyId
   );
 
+  if (!existingPolicy) {
+    return;
+  }
+
+  if (existingPolicy.is_managed && !options?.force) {
+    throw new HostedAgentPolicyRestrictionRelatedError(
+      `Cannot update hosted agent policy ${existingPolicy.id} space `
+    );
+  }
+
   if (deepEqual(existingPolicy?.space_ids?.sort() ?? [DEFAULT_SPACE_ID], newSpaceIds.sort())) {
     return;
   }