From 81856bc8431daf83c972a65c6b8b0e312f8477a6 Mon Sep 17 00:00:00 2001
From: Shahzad <shahzad31comp@gmail.com>
Date: Tue, 29 Oct 2024 21:00:40 +0100
Subject: [PATCH] [Fleet] Prevent duplication of managed policy !! (#197575)

## Summary

Fixes https://github.com/elastic/kibana/issues/194149

Prevent duplication of managed policy !!

<img width="1594" alt="image"
src="https://github.com/user-attachments/assets/f386a287-4f9e-4307-ba84-98f3ea807ef9">
---
 .../agent_policy/components/actions_menu.tsx  | 11 ++++++-
 .../server/services/agent_policy.test.ts      | 30 +++++++++++++++++++
 .../fleet/server/services/agent_policy.ts     | 11 +++++++
 3 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/actions_menu.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/actions_menu.tsx
index f4f519b0a9c95..88dd00546e51f 100644
--- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/actions_menu.tsx
+++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/actions_menu.tsx
@@ -137,13 +137,22 @@ export const AgentPolicyActionMenu = memo<{
           const copyPolicyItem = (
             <EuiContextMenuItem
               data-test-subj="agentPolicyActionMenuCopyButton"
-              disabled={!authz.integrations.writeIntegrationPolicies}
+              disabled={!authz.integrations.writeIntegrationPolicies || hasManagedPackagePolicy}
               icon="copy"
               onClick={() => {
                 setIsContextMenuOpen(false);
                 copyAgentPolicyPrompt(agentPolicy, onCopySuccess);
               }}
               key="copyPolicy"
+              toolTipContent={
+                hasManagedPackagePolicy ? (
+                  <FormattedMessage
+                    id="xpack.fleet.policyForm.copyPolicyActionText.disabled"
+                    defaultMessage="Agent policy with managed package policies cannot be copied."
+                    data-test-subj="agentPolicyActionMenuCopyButtonDisabledTooltip"
+                  />
+                ) : undefined
+              }
             >
               <FormattedMessage
                 id="xpack.fleet.agentPolicyActionMenu.copyPolicyActionText"
diff --git a/x-pack/plugins/fleet/server/services/agent_policy.test.ts b/x-pack/plugins/fleet/server/services/agent_policy.test.ts
index 608b6f739fc29..fb3274b6eef77 100644
--- a/x-pack/plugins/fleet/server/services/agent_policy.test.ts
+++ b/x-pack/plugins/fleet/server/services/agent_policy.test.ts
@@ -1319,6 +1319,36 @@ describe('Agent policy', () => {
     });
   });
 
+  describe('copy', () => {
+    let soClient: ReturnType<typeof savedObjectsClientMock.create>;
+    let esClient: ReturnType<typeof elasticsearchServiceMock.createClusterClient>['asInternalUser'];
+
+    beforeEach(() => {
+      soClient = getSavedObjectMock({ revision: 1, package_policies: ['package-1'] });
+      esClient = elasticsearchServiceMock.createClusterClient().asInternalUser;
+    });
+
+    it('should throw error for agent policy which has managed package policy', async () => {
+      mockedPackagePolicyService.findAllForAgentPolicy.mockReturnValue([
+        {
+          id: 'package-1',
+          is_managed: true,
+        },
+      ] as any);
+      try {
+        await agentPolicyService.copy(soClient, esClient, 'mocked', {
+          name: 'copy mocked',
+        });
+      } catch (e) {
+        expect(e.message).toEqual(
+          new PackagePolicyRestrictionRelatedError(
+            `Cannot copy an agent policy mocked that contains managed package policies`
+          ).message
+        );
+      }
+    });
+  });
+
   describe('deployPolicy', () => {
     beforeEach(() => {
       mockedGetFullAgentPolicy.mockReset();
diff --git a/x-pack/plugins/fleet/server/services/agent_policy.ts b/x-pack/plugins/fleet/server/services/agent_policy.ts
index bcbeafdde1182..f93bf583945a0 100644
--- a/x-pack/plugins/fleet/server/services/agent_policy.ts
+++ b/x-pack/plugins/fleet/server/services/agent_policy.ts
@@ -771,6 +771,17 @@ class AgentPolicyService {
     if (!baseAgentPolicy) {
       throw new AgentPolicyNotFoundError('Agent policy not found');
     }
+    if (baseAgentPolicy.package_policies?.length) {
+      const hasManagedPackagePolicies = baseAgentPolicy.package_policies.some(
+        (packagePolicy) => packagePolicy.is_managed
+      );
+      if (hasManagedPackagePolicies) {
+        throw new PackagePolicyRestrictionRelatedError(
+          `Cannot copy an agent policy ${id} that contains managed package policies`
+        );
+      }
+    }
+
     const newAgentPolicy = await this.create(
       soClient,
       esClient,