[EPM] restrict package install endpoint from installing/updating to old packages (elastic#64932)

* restrict installing or updating to out-of-date package

* throw bad requests in remove handler

* remove accidental commit

* remove space

Author: neptunian

x-pack/plugins/ingest_manager/server/routes/epm/handlers.ts

@@ -136,6 +136,12 @@ export const installPackageHandler: RequestHandler<TypeOf<
     };
     return response.ok({ body });
   } catch (e) {
+    if (e.isBoom) {
+      return response.customError({
+        statusCode: e.output.statusCode,
+        body: { message: e.output.payload.message },
+      });
+    }
     return response.customError({
       statusCode: 500,
       body: { message: e.message },
@@ -157,6 +163,12 @@ export const deletePackageHandler: RequestHandler<TypeOf<
     };
     return response.ok({ body });
   } catch (e) {
+    if (e.isBoom) {
+      return response.customError({
+        statusCode: e.output.statusCode,
+        body: { message: e.output.payload.message },
+      });
+    }
     return response.customError({
       statusCode: 500,
       body: { message: e.message },

x-pack/plugins/ingest_manager/server/services/epm/packages/install.ts

@@ -5,6 +5,7 @@
  */
 
 import { SavedObject, SavedObjectsClientContract } from 'src/core/server';
+import Boom from 'boom';
 import { PACKAGES_SAVED_OBJECT_TYPE } from '../../../constants';
 import {
   AssetReference,
@@ -93,11 +94,18 @@ export async function installPackage(options: {
   const { savedObjectsClient, pkgkey, callCluster } = options;
   // TODO: change epm API to /packageName/version so we don't need to do this
   const [pkgName, pkgVersion] = pkgkey.split('-');
+
   // see if some version of this package is already installed
+  // TODO: calls to getInstallationObject, Registry.fetchInfo, and Registry.fetchFindLatestPackge
+  // and be replaced by getPackageInfo after adjusting for it to not group/use archive assets
   const installedPkg = await getInstallationObject({ savedObjectsClient, pkgName });
-  const reinstall = pkgVersion === installedPkg?.attributes.version;
-
   const registryPackageInfo = await Registry.fetchInfo(pkgName, pkgVersion);
+  const latestPackage = await Registry.fetchFindLatestPackage(pkgName);
+
+  if (pkgVersion < latestPackage.version)
+    throw Boom.badRequest('Cannot install or update to an out-of-date package');
+
+  const reinstall = pkgVersion === installedPkg?.attributes.version;
   const { internal = false, removable = true } = registryPackageInfo;
 
   // delete the previous version's installation's SO kibana assets before installing new ones

x-pack/plugins/ingest_manager/server/services/epm/packages/remove.ts

@@ -5,6 +5,7 @@
  */
 
 import { SavedObjectsClientContract } from 'src/core/server';
+import Boom from 'boom';
 import { PACKAGES_SAVED_OBJECT_TYPE } from '../../../constants';
 import { AssetReference, AssetType, ElasticsearchAssetType } from '../../../types';
 import { CallESAsCurrentUser } from '../../../types';
@@ -20,9 +21,9 @@ export async function removeInstallation(options: {
   // TODO:  the epm api should change to /name/version so we don't need to do this
   const [pkgName] = pkgkey.split('-');
   const installation = await getInstallation({ savedObjectsClient, pkgName });
-  if (!installation) throw new Error('integration does not exist');
+  if (!installation) throw Boom.badRequest(`${pkgName} is not installed`);
   if (installation.removable === false)
-    throw new Error(`The ${pkgName} integration is installed by default and cannot be removed`);
+    throw Boom.badRequest(`${pkgName} is installed by default and cannot be removed`);
   const installedObjects = installation.installed || [];
 
   // Delete the manager saved object with references to the asset objects