[8.19][Fleet] Add license gate around agents automatic upgrades feature (#2… (#229752)

Backport #224393 to 8.19

---------

Co-authored-by: Cristina Amico <criamico@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

Author: 3 people

x-pack/platform/plugins/shared/fleet/public/applications/fleet/layouts/default/default.tsx

@@ -16,6 +16,7 @@ import { WithHeaderLayout } from '../../../../layouts';
 
 import { ExperimentalFeaturesService } from '../../services';
 import { AutoUpgradeAgentsTour } from '../../sections/agent_policy/components/auto_upgrade_agents_tour';
+import { useCanEnableAutomaticAgentUpgrades } from '../../../../hooks/use_can_enable_auto_upgrades';
 
 import { DefaultPageTitle } from './default_page_title';
 
@@ -37,6 +38,7 @@ export const DefaultLayout: React.FunctionComponent<Props> = ({
 
   const { docLinks } = useStartServices();
   const granularPrivilegesCallout = useDismissableTour('GRANULAR_PRIVILEGES');
+  const canEnableAutomaticAgentUpgrades = useCanEnableAutomaticAgentUpgrades();
 
   const tabs = [
     {
@@ -147,7 +149,9 @@ export const DefaultLayout: React.FunctionComponent<Props> = ({
       <WithHeaderLayout leftColumn={<DefaultPageTitle />} rightColumn={rightColumn} tabs={tabs}>
         {children}
       </WithHeaderLayout>
-      <AutoUpgradeAgentsTour anchor="#fleet-agent-policies-tab" />
+      {canEnableAutomaticAgentUpgrades ? (
+        <AutoUpgradeAgentsTour anchor="#fleet-agent-policies-tab" />
+      ) : null}
     </>
   );
 };

x-pack/platform/plugins/shared/fleet/public/applications/fleet/sections/agent_policy/components/actions_menu.tsx

@@ -24,6 +24,8 @@ import { AgentUpgradeAgentModal } from '../../agents/components';
 
 import { ManageAutoUpgradeAgentsModal } from '../../agents/components/manage_auto_upgrade_agents_modal';
 
+import { useCanEnableAutomaticAgentUpgrades } from '../../../../../hooks/use_can_enable_auto_upgrades';
+
 import { AgentPolicyYamlFlyout } from './agent_policy_yaml_flyout';
 import { AgentPolicyCopyProvider } from './agent_policy_copy_provider';
 import { AgentPolicyDeleteProvider } from './agent_policy_delete_provider';
@@ -56,6 +58,7 @@ export const AgentPolicyActionMenu = memo<{
     const refreshAgentPolicy = useAgentPolicyRefresh();
 
     const { agentTamperProtectionEnabled } = ExperimentalFeaturesService.get();
+    const canEnableAutomaticAgentUpgrades = useCanEnableAutomaticAgentUpgrades();
 
     const isFleetServerPolicy = useMemo(
       () =>
@@ -211,7 +214,7 @@ export const AgentPolicyActionMenu = memo<{
               )}
             </EuiContextMenuItem>,
             viewPolicyItem,
-            manageAutoUpgradeAgentsItem,
+            ...(canEnableAutomaticAgentUpgrades ? [manageAutoUpgradeAgentsItem] : []),
             copyPolicyItem,
             deletePolicyItem,
           ];

x-pack/platform/plugins/shared/fleet/public/applications/fleet/sections/agent_policy/details_page/components/header/right_content.tsx

@@ -31,6 +31,7 @@ import { FLEET_SERVER_PACKAGE } from '../../../../../../../../common/constants';
 import { getRootIntegrations } from '../../../../../../../../common/services';
 import { ManageAutoUpgradeAgentsModal } from '../../../../agents/components/manage_auto_upgrade_agents_modal';
 import { AutoUpgradeAgentsTour } from '../../../components/auto_upgrade_agents_tour';
+import { useCanEnableAutomaticAgentUpgrades } from '../../../../../../../hooks/use_can_enable_auto_upgrades';
 
 import { ManageAutoUpgradeAgentsBadge } from './manage_auto_upgrade_agents';
 
@@ -63,6 +64,7 @@ export const HeaderRightContent: React.FunctionComponent<HeaderRightContentProps
   const [isManageAutoUpgradeAgentsModalOpen, setIsManageAutoUpgradeAgentsModalOpen] =
     useState<boolean>(false);
   const refreshAgentPolicy = useAgentPolicyRefresh();
+  const canEnableAutomaticAgentUpgrades = useCanEnableAutomaticAgentUpgrades();
 
   const isFleetServerPolicy = useMemo(
     () =>
@@ -215,7 +217,7 @@ export const HeaderRightContent: React.FunctionComponent<HeaderRightContentProps
                   '',
               },
               { isDivider: true },
-              ...(authz.fleet.allAgentPolicies
+              ...(canEnableAutomaticAgentUpgrades && authz.fleet.allAgentPolicies
                 ? [
                     {
                       label: i18n.translate('xpack.fleet.policyDetails.summary.autoUpgrade', {
@@ -251,7 +253,7 @@ export const HeaderRightContent: React.FunctionComponent<HeaderRightContentProps
                 {item.isDivider ?? false ? (
                   <Divider />
                 ) : item.label ? (
-                  <EuiDescriptionList compressed textStyle="reverse" style={{ textAlign: 'right' }}>
+                  <EuiDescriptionList compressed textStyle="reverse" css={{ textAlign: 'right' }}>
                     <EuiDescriptionListTitle className="eui-textNoWrap">
                       {item.label}
                     </EuiDescriptionListTitle>
@@ -279,7 +281,9 @@ export const HeaderRightContent: React.FunctionComponent<HeaderRightContentProps
           />
         </EuiPortal>
       )}
-      <AutoUpgradeAgentsTour anchor="#auto-upgrade-manage-button" />
+      {canEnableAutomaticAgentUpgrades ? (
+        <AutoUpgradeAgentsTour anchor="#auto-upgrade-manage-button" />
+      ) : null}
     </>
   );
 };

x-pack/platform/plugins/shared/fleet/public/hooks/use_can_enable_auto_upgrades.ts

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ExperimentalFeaturesService } from '../services';
+
+import { licenseService } from './use_license';
+
+export function useCanEnableAutomaticAgentUpgrades() {
+  const { enableAutomaticAgentUpgrades } = ExperimentalFeaturesService.get();
+  return enableAutomaticAgentUpgrades && licenseService.isEnterprise();
+}

x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/handlers.ts

@@ -17,7 +17,7 @@ import { inputsFormat } from '../../../common/constants';
 import { HTTPAuthorizationHeader } from '../../../common/http_authorization_header';
 
 import { fullAgentPolicyToYaml } from '../../../common/services';
-import { appContextService, agentPolicyService } from '../../services';
+import { appContextService, agentPolicyService, licenseService } from '../../services';
 import { type AgentClient, getLatestAvailableAgentVersion } from '../../services/agents';
 import { AGENTS_PREFIX, UNPRIVILEGED_AGENT_KUERY } from '../../constants';
 import type {
@@ -278,6 +278,12 @@ export const getAutoUpgradeAgentsStatusHandler: FleetRequestHandler<
 
   const agentClient = fleetContext.agentClient.asCurrentUser;
 
+  if (!licenseService.isEnterprise()) {
+    throw new FleetUnauthorizedError(
+      'Auto-upgrade agents feature requires at least Enterprise license'
+    );
+  }
+
   const body = await getAutoUpgradeAgentsStatus(agentClient, request.params.agentPolicyId);
   return response.ok({
     body,

x-pack/platform/plugins/shared/fleet/server/services/agent_policies/required_versions.test.ts

@@ -6,7 +6,9 @@
  */
 
 import { appContextService } from '..';
-import { AgentPolicyInvalidError } from '../../errors';
+import { AgentPolicyInvalidError, FleetUnauthorizedError } from '../../errors';
+
+import { licenseService } from '..';
 
 import { validateRequiredVersions } from './required_versions';
 
@@ -30,6 +32,10 @@ describe('validateRequiredVersions', () => {
       jest
         .spyOn(appContextService, 'getExperimentalFeatures')
         .mockReturnValue({ enableAutomaticAgentUpgrades: true } as any);
+      jest.spyOn(licenseService, 'isEnterprise').mockReturnValue(true);
+    });
+    afterEach(() => {
+      jest.spyOn(licenseService, 'isEnterprise').mockClear();
     });
 
     it('should throw error if duplicate versions', () => {
@@ -45,6 +51,20 @@ describe('validateRequiredVersions', () => {
       );
     });
 
+    it('should throw error if license is not at least Enterprise', () => {
+      jest.spyOn(licenseService, 'isEnterprise').mockReturnValue(false);
+      expect(() => {
+        validateRequiredVersions('test policy', [
+          { version: '9.0.0', percentage: 10 },
+          { version: '9.0.0', percentage: 10 },
+        ]);
+      }).toThrow(
+        new FleetUnauthorizedError(
+          `Agents auto upgrades feature requires at least Enterprise license`
+        )
+      );
+    });
+
     it('should throw error if has invalid semver version', () => {
       expect(() => {
         validateRequiredVersions('test policy', [

x-pack/platform/plugins/shared/fleet/server/services/agent_policies/required_versions.ts

@@ -7,8 +7,8 @@
 
 import type { AgentTargetVersion } from '../../../common/types';
 
-import { AgentPolicyInvalidError } from '../../errors';
-import { appContextService } from '..';
+import { AgentPolicyInvalidError, FleetUnauthorizedError } from '../../errors';
+import { appContextService, licenseService } from '..';
 import { checkTargetVersionsValidity } from '../../../common/services/agent_utils';
 
 export function validateRequiredVersions(
@@ -23,6 +23,11 @@ export function validateRequiredVersions(
       `Policy "${name}" failed validation: required_versions are not allowed when automatic upgrades feature is disabled`
     );
   }
+  if (requiredVersions && !licenseService.isEnterprise()) {
+    throw new FleetUnauthorizedError(
+      'Agents auto upgrades feature requires at least Enterprise license'
+    );
+  }
   const error = checkTargetVersionsValidity(requiredVersions);
   if (error) {
     throw new AgentPolicyInvalidError(

x-pack/platform/plugins/shared/fleet/server/tasks/automatic_agent_upgrade_task.test.ts

@@ -13,7 +13,7 @@ import { TaskStatus } from '@kbn/task-manager-plugin/server';
 import { getDeleteTaskRunResult } from '@kbn/task-manager-plugin/server/task';
 
 import { createAppContextStartContractMock } from '../mocks';
-import { agentPolicyService, appContextService } from '../services';
+import { agentPolicyService, appContextService, licenseService } from '../services';
 import {
   fetchAllAgentsByKuery,
   getAgentsByKuery,
@@ -106,6 +106,8 @@ describe('AutomaticAgentUpgradeTask', () => {
   let mockTaskManagerSetup: jest.Mocked<TaskManagerSetupContract>;
 
   beforeEach(() => {
+    jest.spyOn(licenseService, 'isEnterprise').mockReturnValue(true);
+
     mockContract = createAppContextStartContractMock();
     appContextService.start(mockContract);
     mockCore = coreSetupMock();
@@ -119,6 +121,7 @@ describe('AutomaticAgentUpgradeTask', () => {
 
   afterEach(() => {
     jest.clearAllMocks();
+    jest.spyOn(licenseService, 'isEnterprise').mockClear();
   });
 
   describe('Task lifecycle', () => {
@@ -177,6 +180,14 @@ describe('AutomaticAgentUpgradeTask', () => {
       expect(mockAgentPolicyService.fetchAllAgentPolicies).not.toHaveBeenCalled();
     });
 
+    it('Should exit if the license is not at least Enterprise', async () => {
+      jest.spyOn(licenseService, 'isEnterprise').mockReturnValue(false);
+
+      await runTask();
+
+      expect(mockAgentPolicyService.fetchAllAgentPolicies).not.toHaveBeenCalled();
+    });
+
     it('Should upgrade eligible agents', async () => {
       const agents = generateAgents(10);
       mockedGetAgentsByKuery

x-pack/platform/plugins/shared/fleet/server/tasks/automatic_agent_upgrade_task.ts

@@ -31,7 +31,7 @@ import type {
   FleetServerAgentMetadata,
 } from '../../common/types';
 
-import { agentPolicyService, appContextService } from '../services';
+import { agentPolicyService, appContextService, licenseService } from '../services';
 import {
   fetchAllAgentsByKuery,
   getAgentsByKuery,
@@ -132,6 +132,12 @@ export class AutomaticAgentUpgradeTask {
       );
       return;
     }
+    if (!licenseService.isEnterprise()) {
+      this.logger.debug(
+        '[AutomaticAgentUpgradeTask] Aborting runTask: automatic upgrades feature requires at least Enterprise license'
+      );
+      return;
+    }
 
     if (!this.wasStarted) {
       this.logger.debug('[AutomaticAgentUpgradeTask] Aborting runTask(): task not started yet');
@@ -369,6 +375,9 @@ export class AutomaticAgentUpgradeTask {
 
     numberOfAgentsForUpgrade -= numberOfRetriedAgents;
     if (numberOfAgentsForUpgrade <= 0) {
+      this.logger.debug(
+        `[AutomaticAgentUpgradeTask] Number of agents ${numberOfAgentsForUpgrade}: no candidate agents found for upgrade (target version: ${requiredVersion.version}, percentage: ${requiredVersion.percentage})`
+      );
       return;
     }