[Fleet] Prevent hosted policies space change (elastic#198043)

tiansivive · Oct 29, 2024 · b03646c · b03646c
1 parent ec54b09
commit b03646c
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 2 deletions.
diff --git a/...pplications/fleet/sections/agent_policy/components/agent_policy_advanced_fields/index.tsx b/...pplications/fleet/sections/agent_policy/components/agent_policy_advanced_fields/index.tsx
@@ -328,7 +328,7 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
           }
         >
           <SpaceSelector
-            isDisabled={disabled}
+            isDisabled={disabled || agentPolicy.is_managed === true}
             value={
               'space_ids' in agentPolicy && agentPolicy.space_ids
                 ? agentPolicy.space_ids

diff --git a/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts b/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts
@@ -343,6 +343,7 @@ export const createAgentPolicyHandler: FleetRequestHandler<
         currentSpaceId: spaceId,
         newSpaceIds: spaceIds,
         authorizedSpaces,
+        options: { force },
       });
     }
 
@@ -385,6 +386,7 @@ export const updateAgentPolicyHandler: FleetRequestHandler<
         currentSpaceId: spaceId,
         newSpaceIds: spaceIds,
         authorizedSpaces,
+        options: { force },
       });
 
       spaceId = spaceIds[0];

diff --git a/x-pack/plugins/fleet/server/services/spaces/agent_policy.test.ts b/x-pack/plugins/fleet/server/services/spaces/agent_policy.test.ts
@@ -112,6 +112,23 @@ describe('updateAgentPolicySpaces', () => {
     );
   });
 
+  it('throw when trying to change a managed policies space', async () => {
+    jest.mocked(agentPolicyService.get).mockResolvedValue({
+      id: 'policy1',
+      space_ids: ['default'],
+      is_managed: true,
+    } as any);
+    jest.mocked(packagePolicyService.findAllForAgentPolicy).mockResolvedValue([] as any);
+    await expect(
+      updateAgentPolicySpaces({
+        agentPolicyId: 'policy1',
+        currentSpaceId: 'default',
+        newSpaceIds: ['test'],
+        authorizedSpaces: ['test', 'default'],
+      })
+    ).rejects.toThrowError(/Cannot update hosted agent policy policy1 space/);
+  });
+
   it('throw when trying to add a space with missing permissions', async () => {
     await expect(
       updateAgentPolicySpaces({

diff --git a/x-pack/plugins/fleet/server/services/spaces/agent_policy.ts b/x-pack/plugins/fleet/server/services/spaces/agent_policy.ts
@@ -19,7 +19,7 @@ import { appContextService } from '../app_context';
 import { agentPolicyService } from '../agent_policy';
 import { ENROLLMENT_API_KEYS_INDEX } from '../../constants';
 import { packagePolicyService } from '../package_policy';
-import { FleetError } from '../../errors';
+import { FleetError, HostedAgentPolicyRestrictionRelatedError } from '../../errors';
 
 import { isSpaceAwarenessEnabled } from './helpers';
 
@@ -28,11 +28,13 @@ export async function updateAgentPolicySpaces({
   currentSpaceId,
   newSpaceIds,
   authorizedSpaces,
+  options,
 }: {
   agentPolicyId: string;
   currentSpaceId: string;
   newSpaceIds: string[];
   authorizedSpaces: string[];
+  options?: { force?: boolean };
 }) {
   const useSpaceAwareness = await isSpaceAwarenessEnabled();
   if (!useSpaceAwareness || !newSpaceIds || newSpaceIds.length === 0) {
@@ -50,6 +52,16 @@ export async function updateAgentPolicySpaces({
     agentPolicyId
   );
 
+  if (!existingPolicy) {
+    return;
+  }
+
+  if (existingPolicy.is_managed && !options?.force) {
+    throw new HostedAgentPolicyRestrictionRelatedError(
+      `Cannot update hosted agent policy ${existingPolicy.id} space `
+    );
+  }
+
   if (deepEqual(existingPolicy?.space_ids?.sort() ?? [DEFAULT_SPACE_ID], newSpaceIds.sort())) {
     return;
   }