[Fleet] Couple agent and package policies spaces

elastic · Oct 23, 2024 · f63e224 · f63e224
1 parent c417196
commit f63e224
Show file tree

Hide file tree

Showing 2 changed files with 78 additions and 0 deletions.
diff --git a/x-pack/plugins/fleet/server/services/package_policy.ts b/x-pack/plugins/fleet/server/services/package_policy.ts
@@ -141,6 +141,7 @@ import { validateAgentPolicyOutputForIntegration } from './agent_policies/output
 import type { PackagePolicyClientFetchAllItemIdsOptions } from './package_policy_service';
 import { validatePolicyNamespaceForSpace } from './spaces/policy_namespaces';
 import { isSpaceAwarenessEnabled, isSpaceAwarenessMigrationPending } from './spaces/helpers';
+import { updatePackagePolicySpaces } from './spaces/package_policy';
 
 export type InputsOverride = Partial<NewPackagePolicyInput> & {
   vars?: Array<NewPackagePolicyInput['vars'] & { name: string }>;
@@ -224,6 +225,7 @@ class PackagePolicyClientImpl implements PackagePolicyClient {
     context?: RequestHandlerContext,
     request?: KibanaRequest
   ): Promise<PackagePolicy> {
+    const useSpaceAwareness = await isSpaceAwarenessEnabled();
     const packagePolicyId = options?.id || uuidv4();
 
     let authorizationHeader = options.authorizationHeader;
@@ -283,6 +285,14 @@ class PackagePolicyClientImpl implements PackagePolicyClient {
       }
 
       await validateIsNotHostedPolicy(soClient, policyId, options?.force);
+
+      if (useSpaceAwareness && enrichedPackagePolicy.policy_ids.length > 1) {
+        if (agentPolicy?.space_ids?.length ?? 0 > 1) {
+          throw new FleetError(
+            'Reusable integration policy could  not be used through multiple spaces.'
+          );
+        }
+      }
     }
 
     // trailing whitespace causes issues creating API keys
@@ -410,6 +420,21 @@ class PackagePolicyClientImpl implements PackagePolicyClient {
       { ...options, id: packagePolicyId }
     );
 
+    for (const agentPolicy of agentPolicies) {
+      if (
+        useSpaceAwareness &&
+        agentPolicy &&
+        agentPolicy.space_ids &&
+        agentPolicy.space_ids.length > 1
+      ) {
+        await updatePackagePolicySpaces({
+          packagePolicyId: newSo.id,
+          currentSpaceId: soClient.getCurrentNamespace() ?? DEFAULT_SPACE_ID,
+          newSpaceIds: agentPolicy.space_ids,
+        });
+      }
+    }
+
     if (options?.bumpRevision ?? true) {
       for (const policyId of enrichedPackagePolicy.policy_ids) {
         await agentPolicyService.bumpRevision(soClient, esClient, policyId, {
@@ -997,6 +1022,18 @@ class PackagePolicyClientImpl implements PackagePolicyClient {
         };
       }
     }
+    // Validate agent policy restriction
+    // TODO
+    if (packagePolicyUpdate.policy_ids?.length ?? 0 > 1) {
+      for (const policyId of packagePolicyUpdate.policy_ids) {
+        const agentPolicy = await agentPolicyService.get(soClient, policyId, true);
+        if (agentPolicy?.space_ids?.length ?? 0 > 1) {
+          throw new FleetError(
+            'Reusable integration policy could  not be used through multiple spaces.'
+          );
+        }
+      }
+    }
 
     // Handle component template/mappings updates for experimental features, e.g. synthetic source
     await handleExperimentalDatastreamFeatureOptIn({

diff --git a/x-pack/plugins/fleet/server/services/spaces/package_policy.ts b/x-pack/plugins/fleet/server/services/spaces/package_policy.ts
@@ -0,0 +1,41 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../../../common/constants';
+
+import { appContextService } from '../app_context';
+
+export async function updatePackagePolicySpaces({
+  packagePolicyId,
+  currentSpaceId,
+  newSpaceIds,
+}: {
+  packagePolicyId: string;
+  currentSpaceId: string;
+  newSpaceIds: string[];
+}) {
+  const soClientWithoutSpaceExtension =
+    appContextService.getInternalUserSOClientWithoutSpaceExtension();
+
+  const results = await soClientWithoutSpaceExtension.updateObjectsSpaces(
+    [
+      {
+        id: packagePolicyId,
+        type: PACKAGE_POLICY_SAVED_OBJECT_TYPE,
+      },
+    ],
+    newSpaceIds,
+    [],
+    { refresh: 'wait_for', namespace: currentSpaceId }
+  );
+
+  for (const soRes of results.objects) {
+    if (soRes.error) {
+      throw soRes.error;
+    }
+  }
+}