[Fleet] Prevent agents from enrolling in a managed policy

x-pack/plugins/fleet/server/services/agents/enroll.ts

@@ -10,11 +10,13 @@ import semverParse from 'semver/functions/parse';
 import semverDiff from 'semver/functions/diff';
 import semverLte from 'semver/functions/lte';
 
-import { SavedObjectsClientContract } from 'src/core/server';
-import { AgentType, Agent, AgentSOAttributes } from '../../types';
+import type { SavedObjectsClientContract } from 'src/core/server';
+import type { AgentType, Agent, AgentSOAttributes } from '../../types';
 import { savedObjectToAgent } from './saved_objects';
 import { AGENT_SAVED_OBJECT_TYPE } from '../../constants';
+import { IngestManagerError } from '../../errors';
 import * as APIKeyService from '../api_keys';
+import { agentPolicyService } from '../../services';
 import { appContextService } from '../app_context';
 
 export async function enroll(
@@ -26,6 +28,11 @@ export async function enroll(
   const agentVersion = metadata?.local?.elastic?.agent?.version;
   validateAgentVersion(agentVersion);
 
+  const agentPolicy = await agentPolicyService.get(soClient, agentPolicyId, false);
+  if (agentPolicy?.is_managed) {
+    throw new IngestManagerError(`Cannot enroll in managed policy ${agentPolicyId}`);
+  }
+
   const agentData: AgentSOAttributes = {
     active: true,
     policy_id: agentPolicyId,

x-pack/test/fleet_api_integration/apis/agents/enroll.ts

@@ -18,8 +18,9 @@ export default function (providerContext: FtrProviderContext) {
   const esArchiver = getService('esArchiver');
   const esClient = getService('es');
   const kibanaServer = getService('kibanaServer');
-
+  const supertestWithAuth = getService('supertest');
   const supertest = getSupertestWithoutAuth(providerContext);
+
   let apiKey: { id: string; api_key: string };
   let kibanaVersion: string;
 
@@ -58,6 +59,51 @@ export default function (providerContext: FtrProviderContext) {
       await esArchiver.unload('fleet/agents');
     });
 
+    it('should not allow enrolling in a managed policy', async () => {
+      // update existing policy to managed
+      await supertestWithAuth
+        .put(`/api/fleet/agent_policies/policy1`)
+        .set('kbn-xsrf', 'xxxx')
+        .send({
+          name: 'Test policy',
+          namespace: 'default',
+          is_managed: true,
+        })
+        .expect(200);
+
+      // try to enroll in managed policy
+      const { body } = await supertest
+        .post(`/api/fleet/agents/enroll`)
+        .set('kbn-xsrf', 'xxx')
+        .set(
+          'Authorization',
+          `ApiKey ${Buffer.from(`${apiKey.id}:${apiKey.api_key}`).toString('base64')}`
+        )
+        .send({
+          type: 'PERMANENT',
+          metadata: {
+            local: {
+              elastic: { agent: { version: kibanaVersion } },
+            },
+            user_provided: {},
+          },
+        })
+        .expect(400);
+
+      expect(body.message).to.contain('Cannot enroll in managed policy');
+
+      // restore to original (unmanaged)
+      await supertestWithAuth
+        .put(`/api/fleet/agent_policies/policy1`)
+        .set('kbn-xsrf', 'xxxx')
+        .send({
+          name: 'Test policy',
+          namespace: 'default',
+          is_managed: false,
+        })
+        .expect(200);
+    });
+
     it('should not allow to enroll an agent with a invalid enrollment', async () => {
       await supertest
         .post(`/api/fleet/agents/enroll`)