From 2f2c3eb0f4feddc8e44cc5cf03f268ee6691ed39 Mon Sep 17 00:00:00 2001
From: Nicolas Chaulet <nicolas.chaulet@elastic.co>
Date: Mon, 28 Oct 2024 12:01:18 -0400
Subject: [PATCH 1/2] [Fleet] Prevent hosted policies space change

---
 .../server/routes/agent_policy/handlers.ts      |  2 ++
 .../server/services/spaces/agent_policy.test.ts | 17 +++++++++++++++++
 .../server/services/spaces/agent_policy.ts      | 14 +++++++++++++-
 3 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts b/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts
index 49b5590a2e761..713c054d8105e 100644
--- a/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts
+++ b/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts
@@ -343,6 +343,7 @@ export const createAgentPolicyHandler: FleetRequestHandler<
         currentSpaceId: spaceId,
         newSpaceIds: spaceIds,
         authorizedSpaces,
+        options: { force },
       });
     }
 
@@ -385,6 +386,7 @@ export const updateAgentPolicyHandler: FleetRequestHandler<
         currentSpaceId: spaceId,
         newSpaceIds: spaceIds,
         authorizedSpaces,
+        options: { force },
       });
 
       spaceId = spaceIds[0];
diff --git a/x-pack/plugins/fleet/server/services/spaces/agent_policy.test.ts b/x-pack/plugins/fleet/server/services/spaces/agent_policy.test.ts
index 6c2c8e4d6fa50..ab69d4708c436 100644
--- a/x-pack/plugins/fleet/server/services/spaces/agent_policy.test.ts
+++ b/x-pack/plugins/fleet/server/services/spaces/agent_policy.test.ts
@@ -112,6 +112,23 @@ describe('updateAgentPolicySpaces', () => {
     );
   });
 
+  it('throw when trying to change a managed policies space', async () => {
+    jest.mocked(agentPolicyService.get).mockResolvedValue({
+      id: 'policy1',
+      space_ids: ['default'],
+      is_managed: true,
+    } as any);
+    jest.mocked(packagePolicyService.findAllForAgentPolicy).mockResolvedValue([] as any);
+    await expect(
+      updateAgentPolicySpaces({
+        agentPolicyId: 'policy1',
+        currentSpaceId: 'default',
+        newSpaceIds: ['test'],
+        authorizedSpaces: ['test', 'default'],
+      })
+    ).rejects.toThrowError(/Cannot update hosted agent policy policy1 space/);
+  });
+
   it('throw when trying to add a space with missing permissions', async () => {
     await expect(
       updateAgentPolicySpaces({
diff --git a/x-pack/plugins/fleet/server/services/spaces/agent_policy.ts b/x-pack/plugins/fleet/server/services/spaces/agent_policy.ts
index 905f7980af994..14d7f45f2c47c 100644
--- a/x-pack/plugins/fleet/server/services/spaces/agent_policy.ts
+++ b/x-pack/plugins/fleet/server/services/spaces/agent_policy.ts
@@ -19,7 +19,7 @@ import { appContextService } from '../app_context';
 import { agentPolicyService } from '../agent_policy';
 import { ENROLLMENT_API_KEYS_INDEX } from '../../constants';
 import { packagePolicyService } from '../package_policy';
-import { FleetError } from '../../errors';
+import { FleetError, HostedAgentPolicyRestrictionRelatedError } from '../../errors';
 
 import { isSpaceAwarenessEnabled } from './helpers';
 
@@ -28,11 +28,13 @@ export async function updateAgentPolicySpaces({
   currentSpaceId,
   newSpaceIds,
   authorizedSpaces,
+  options,
 }: {
   agentPolicyId: string;
   currentSpaceId: string;
   newSpaceIds: string[];
   authorizedSpaces: string[];
+  options?: { force?: boolean };
 }) {
   const useSpaceAwareness = await isSpaceAwarenessEnabled();
   if (!useSpaceAwareness || !newSpaceIds || newSpaceIds.length === 0) {
@@ -50,6 +52,16 @@ export async function updateAgentPolicySpaces({
     agentPolicyId
   );
 
+  if (!existingPolicy) {
+    return;
+  }
+
+  if (existingPolicy.is_managed && !options?.force) {
+    throw new HostedAgentPolicyRestrictionRelatedError(
+      `Cannot update hosted agent policy ${existingPolicy.id} space `
+    );
+  }
+
   if (deepEqual(existingPolicy?.space_ids?.sort() ?? [DEFAULT_SPACE_ID], newSpaceIds.sort())) {
     return;
   }

From 27b26458bad46a60b513037fcd115651a617e02a Mon Sep 17 00:00:00 2001
From: Nicolas Chaulet <nicolas.chaulet@elastic.co>
Date: Mon, 28 Oct 2024 14:10:54 -0400
Subject: [PATCH 2/2] fix UI

---
 .../components/agent_policy_advanced_fields/index.tsx           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/agent_policy_advanced_fields/index.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/agent_policy_advanced_fields/index.tsx
index 6b0a7c512d197..0277184acabf2 100644
--- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/agent_policy_advanced_fields/index.tsx
+++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/agent_policy_advanced_fields/index.tsx
@@ -328,7 +328,7 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
           }
         >
           <SpaceSelector
-            isDisabled={disabled}
+            isDisabled={disabled || agentPolicy.is_managed === true}
             value={
               'space_ids' in agentPolicy && agentPolicy.space_ids
                 ? agentPolicy.space_ids