[Fleet] support force flag to add/remove package_policies (#96713)

## Summary

Can now pass a `force=true` parameter to add & remove integrations on hosted policies as originally intended [1] & [2]

 * Add `force` param for `POST` `/api/fleet/package_policies` & `/api/fleet/package_policies/delete` to a policy. Update tests to confirm
 * Not strictly required, but "while I was in there"
   * Updated a few places to throw `IngestManagerError` vs `Error` for `400` response vs `500`. Updated tests.
   * removed a few unnecessary `await`s of sync function

[1] #92426 (comment)
[2] #90445

### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

x-pack/plugins/fleet/server/routes/package_policy/handlers.ts

@@ -79,18 +79,20 @@ export const createPackagePolicyHandler: RequestHandler<
 > = async (context, request, response) => {
   const soClient = context.core.savedObjects.client;
   const esClient = context.core.elasticsearch.client.asCurrentUser;
-  const user = (await appContextService.getSecurity()?.authc.getCurrentUser(request)) || undefined;
+  const user = appContextService.getSecurity()?.authc.getCurrentUser(request) || undefined;
+  const { force, ...newPolicy } = request.body;
   try {
     const newData = await packagePolicyService.runExternalCallbacks(
       'packagePolicyCreate',
-      { ...request.body },
+      newPolicy,
       context,
       request
     );
 
     // Create package policy
     const packagePolicy = await packagePolicyService.create(soClient, esClient, newData, {
       user,
+      force,
     });
     const body: CreatePackagePolicyResponse = { item: packagePolicy };
     return response.ok({
@@ -114,7 +116,7 @@ export const updatePackagePolicyHandler: RequestHandler<
 > = async (context, request, response) => {
   const soClient = context.core.savedObjects.client;
   const esClient = context.core.elasticsearch.client.asCurrentUser;
-  const user = (await appContextService.getSecurity()?.authc.getCurrentUser(request)) || undefined;
+  const user = appContextService.getSecurity()?.authc.getCurrentUser(request) || undefined;
   const packagePolicy = await packagePolicyService.get(soClient, request.params.packagePolicyId);
 
   if (!packagePolicy) {
@@ -155,13 +157,13 @@ export const deletePackagePolicyHandler: RequestHandler<
 > = async (context, request, response) => {
   const soClient = context.core.savedObjects.client;
   const esClient = context.core.elasticsearch.client.asCurrentUser;
-  const user = (await appContextService.getSecurity()?.authc.getCurrentUser(request)) || undefined;
+  const user = appContextService.getSecurity()?.authc.getCurrentUser(request) || undefined;
   try {
     const body: DeletePackagePoliciesResponse = await packagePolicyService.delete(
       soClient,
       esClient,
       request.body.packagePolicyIds,
-      { user }
+      { user, force: request.body.force }
     );
     return response.ok({
       body,

x-pack/plugins/fleet/server/services/agent_policy.ts

@@ -466,15 +466,17 @@ class AgentPolicyService {
     esClient: ElasticsearchClient,
     id: string,
     packagePolicyIds: string[],
-    options: { user?: AuthenticatedUser; bumpRevision: boolean } = { bumpRevision: true }
+    options: { user?: AuthenticatedUser; bumpRevision: boolean; force?: boolean } = {
+      bumpRevision: true,
+    }
   ): Promise<AgentPolicy> {
     const oldAgentPolicy = await this.get(soClient, id, false);
 
     if (!oldAgentPolicy) {
       throw new Error('Agent policy not found');
     }
 
-    if (oldAgentPolicy.is_managed) {
+    if (oldAgentPolicy.is_managed && !options?.force) {
       throw new IngestManagerError(`Cannot update integrations of managed policy ${id}`);
     }
 
@@ -497,15 +499,15 @@ class AgentPolicyService {
     esClient: ElasticsearchClient,
     id: string,
     packagePolicyIds: string[],
-    options?: { user?: AuthenticatedUser }
+    options?: { user?: AuthenticatedUser; force?: boolean }
   ): Promise<AgentPolicy> {
     const oldAgentPolicy = await this.get(soClient, id, false);
 
     if (!oldAgentPolicy) {
       throw new Error('Agent policy not found');
     }
 
-    if (oldAgentPolicy.is_managed) {
+    if (oldAgentPolicy.is_managed && !options?.force) {
       throw new IngestManagerError(`Cannot remove integrations of managed policy ${id}`);
     }
 

x-pack/plugins/fleet/server/services/package_policy.ts

@@ -60,14 +60,14 @@ class PackagePolicyService {
     soClient: SavedObjectsClientContract,
     esClient: ElasticsearchClient,
     packagePolicy: NewPackagePolicy,
-    options?: { id?: string; user?: AuthenticatedUser; bumpRevision?: boolean }
+    options?: { id?: string; user?: AuthenticatedUser; bumpRevision?: boolean; force?: boolean }
   ): Promise<PackagePolicy> {
     // Check that its agent policy does not have a package policy with the same name
     const parentAgentPolicy = await agentPolicyService.get(soClient, packagePolicy.policy_id);
     if (!parentAgentPolicy) {
       throw new Error('Agent policy not found');
     }
-    if (parentAgentPolicy.is_managed) {
+    if (parentAgentPolicy.is_managed && !options?.force) {
       throw new IngestManagerError(
         `Cannot add integrations to managed policy ${parentAgentPolicy.id}`
       );
@@ -77,7 +77,9 @@ class PackagePolicyService {
         (siblingPackagePolicy) => siblingPackagePolicy.name === packagePolicy.name
       )
     ) {
-      throw new Error('There is already a package with the same name on this agent policy');
+      throw new IngestManagerError(
+        'There is already a package with the same name on this agent policy'
+      );
     }
 
     // Add ids to stream
@@ -106,7 +108,7 @@ class PackagePolicyService {
       if (isPackageLimited(pkgInfo)) {
         const agentPolicy = await agentPolicyService.get(soClient, packagePolicy.policy_id, true);
         if (agentPolicy && doesAgentPolicyAlreadyIncludePackage(agentPolicy, pkgInfo.name)) {
-          throw new Error(
+          throw new IngestManagerError(
             `Unable to create package policy. Package '${pkgInfo.name}' already exists on this agent policy.`
           );
         }
@@ -140,6 +142,7 @@ class PackagePolicyService {
       {
         user: options?.user,
         bumpRevision: options?.bumpRevision ?? true,
+        force: options?.force,
       }
     );
 
@@ -367,7 +370,7 @@ class PackagePolicyService {
     soClient: SavedObjectsClientContract,
     esClient: ElasticsearchClient,
     ids: string[],
-    options?: { user?: AuthenticatedUser; skipUnassignFromAgentPolicies?: boolean }
+    options?: { user?: AuthenticatedUser; skipUnassignFromAgentPolicies?: boolean; force?: boolean }
   ): Promise<DeletePackagePoliciesResponse> {
     const result: DeletePackagePoliciesResponse = [];
 
@@ -385,6 +388,7 @@ class PackagePolicyService {
             [packagePolicy.id],
             {
               user: options?.user,
+              force: options?.force,
             }
           );
         }

x-pack/plugins/fleet/server/types/models/package_policy.ts

@@ -78,6 +78,7 @@ const PackagePolicyBaseSchema = {
 
 export const NewPackagePolicySchema = schema.object({
   ...PackagePolicyBaseSchema,
+  force: schema.maybe(schema.boolean()),
 });
 
 export const UpdatePackagePolicySchema = schema.object({

x-pack/plugins/fleet/server/types/rest_spec/package_policy.ts

@@ -33,5 +33,6 @@ export const UpdatePackagePolicyRequestSchema = {
 export const DeletePackagePoliciesRequestSchema = {
   body: schema.object({
     packagePolicyIds: schema.arrayOf(schema.string()),
+    force: schema.maybe(schema.boolean()),
   }),
 };