[Fleet] Added required_versions to agent policy and API with validation (elastic#206600)

Part of elastic/ingest-dev#4721

Added `required_versions` to agent policy and API with validation, added
unit tests for the validation.

UI change will come in another pr

To test:
- enable FF in `kibana.dev.yml`
  - `xpack.fleet.enableExperimental: ['enableAutomaticAgentUpgrades']`
- create/update an agent policy with `required_versions`
- add to preconfiguration
- `required_versions` is not added to the full agent policy in
`.fleet-policies`

```
POST kbn:/api/fleet/agent_policies
{
  "name": "Test versions",
  "namespace": "default",
    "required_versions": [
      {
        "version": "9.0.0",
        "percentage": 5
      }
    ]
}

POST kbn:/api/fleet/agent_policies
{
  "name": "Test versions 2",
  "namespace": "default",
    "required_versions": [
      {
        "version": "9.0.0",
        "percentage": 5
      },
      {
        "version": "9.0.0",
        "percentage": 5
      }
    ]
}

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": """Policy "Test versions 2" failed validation: duplicate versions not allowed in required_versions"""
}

PUT kbn:/api/fleet/agent_policies/fleet-first-agent-policy
{
  "name": "My first agent policy",
  "namespace": "default",
    "required_versions": [
      {
        "version": "8.18.0",
        "percentage": 10
      },
      {
        "version": "8.19.0",
        "percentage": 5
      }
    ]
}

GET kbn:/api/fleet/agent_policies/test-preconfigured

GET .fleet-policies/_search?q=policy_id:fleet-first-agent-policy
{
  "size": 1,
  "sort": [
    {
      "revision_idx": {
        "order": "desc"
      }
    }
  ]
}

xpack.fleet.agentPolicies:

  - name: Test preconfigured
    id: test-preconfigured
    is_managed: true
    namespace: default
    monitoring_enabled: []
    package_policies: []
    required_versions:
      - version: "9.0.0"
        percentage: 10
      - version: "9.1.0"
        percentage: 5
```

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <[email protected]>

Author: juliaElastic

oas_docs/output/kibana.serverless.yaml

@@ -14249,6 +14249,24 @@ paths:
                                   - created_at
                                   - created_by
                               type: array
+                        required_versions:
+                          items:
+                            additionalProperties: false
+                            type: object
+                            properties:
+                              percentage:
+                                description: Target percentage of agents to auto upgrade
+                                maximum: 100
+                                minimum: 0
+                                type: number
+                              version:
+                                description: Target version for automatic agent upgrade
+                                type: string
+                            required:
+                              - version
+                              - percentage
+                          nullable: true
+                          type: array
                         revision:
                           type: number
                         schema_version:
@@ -14517,6 +14535,24 @@ paths:
                   description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
                   nullable: true
                   type: object
+                required_versions:
+                  items:
+                    additionalProperties: false
+                    type: object
+                    properties:
+                      percentage:
+                        description: Target percentage of agents to auto upgrade
+                        maximum: 100
+                        minimum: 0
+                        type: number
+                      version:
+                        description: Target version for automatic agent upgrade
+                        type: string
+                    required:
+                      - version
+                      - percentage
+                  nullable: true
+                  type: array
                 space_ids:
                   items:
                     type: string
@@ -15097,6 +15133,24 @@ paths:
                                 - created_at
                                 - created_by
                             type: array
+                      required_versions:
+                        items:
+                          additionalProperties: false
+                          type: object
+                          properties:
+                            percentage:
+                              description: Target percentage of agents to auto upgrade
+                              maximum: 100
+                              minimum: 0
+                              type: number
+                            version:
+                              description: Target version for automatic agent upgrade
+                              type: string
+                          required:
+                            - version
+                            - percentage
+                        nullable: true
+                        type: array
                       revision:
                         type: number
                       schema_version:
@@ -15769,6 +15823,24 @@ paths:
                                   - created_at
                                   - created_by
                               type: array
+                        required_versions:
+                          items:
+                            additionalProperties: false
+                            type: object
+                            properties:
+                              percentage:
+                                description: Target percentage of agents to auto upgrade
+                                maximum: 100
+                                minimum: 0
+                                type: number
+                              version:
+                                description: Target version for automatic agent upgrade
+                                type: string
+                            required:
+                              - version
+                              - percentage
+                          nullable: true
+                          type: array
                         revision:
                           type: number
                         schema_version:
@@ -16421,6 +16493,24 @@ paths:
                                 - created_at
                                 - created_by
                             type: array
+                      required_versions:
+                        items:
+                          additionalProperties: false
+                          type: object
+                          properties:
+                            percentage:
+                              description: Target percentage of agents to auto upgrade
+                              maximum: 100
+                              minimum: 0
+                              type: number
+                            version:
+                              description: Target version for automatic agent upgrade
+                              type: string
+                          required:
+                            - version
+                            - percentage
+                        nullable: true
+                        type: array
                       revision:
                         type: number
                       schema_version:
@@ -16688,6 +16778,24 @@ paths:
                   description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
                   nullable: true
                   type: object
+                required_versions:
+                  items:
+                    additionalProperties: false
+                    type: object
+                    properties:
+                      percentage:
+                        description: Target percentage of agents to auto upgrade
+                        maximum: 100
+                        minimum: 0
+                        type: number
+                      version:
+                        description: Target version for automatic agent upgrade
+                        type: string
+                    required:
+                      - version
+                      - percentage
+                  nullable: true
+                  type: array
                 space_ids:
                   items:
                     type: string
@@ -17268,6 +17376,24 @@ paths:
                                 - created_at
                                 - created_by
                             type: array
+                      required_versions:
+                        items:
+                          additionalProperties: false
+                          type: object
+                          properties:
+                            percentage:
+                              description: Target percentage of agents to auto upgrade
+                              maximum: 100
+                              minimum: 0
+                              type: number
+                            version:
+                              description: Target version for automatic agent upgrade
+                              type: string
+                          required:
+                            - version
+                            - percentage
+                        nullable: true
+                        type: array
                       revision:
                         type: number
                       schema_version:
@@ -17940,6 +18066,24 @@ paths:
                                 - created_at
                                 - created_by
                             type: array
+                      required_versions:
+                        items:
+                          additionalProperties: false
+                          type: object
+                          properties:
+                            percentage:
+                              description: Target percentage of agents to auto upgrade
+                              maximum: 100
+                              minimum: 0
+                              type: number
+                            version:
+                              description: Target version for automatic agent upgrade
+                              type: string
+                          required:
+                            - version
+                            - percentage
+                        nullable: true
+                        type: array
                       revision:
                         type: number
                       schema_version:

x-pack/platform/plugins/shared/fleet/common/experimental_features.ts

@@ -28,6 +28,7 @@ const _allowedExperimentalValues = {
   asyncDeployPolicies: true,
   enableExportCSV: true,
   enabledUpgradeAgentlessDeploymentsTask: false,
+  enableAutomaticAgentUpgrades: false,
 };
 
 /**

x-pack/platform/plugins/shared/fleet/common/types/models/agent_policy.ts

@@ -62,6 +62,12 @@ export interface NewAgentPolicy {
       max_dur?: string;
     };
   };
+  required_versions?: AgentTargetVersion[] | null;
+}
+
+export interface AgentTargetVersion {
+  version: string;
+  percentage: number;
 }
 
 export interface AgentlessPolicy {

x-pack/platform/plugins/shared/fleet/server/services/agent_policies/index.ts

@@ -11,3 +11,4 @@ export {
   storedPackagePoliciesToAgentInputs,
 } from './package_policies_to_agent_inputs';
 export { getDataOutputForAgentPolicy, validateOutputForPolicy } from './outputs_helpers';
+export { validateRequiredVersions } from './required_versions';

x-pack/platform/plugins/shared/fleet/server/services/agent_policies/required_versions.test.ts

@@ -0,0 +1,85 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { appContextService } from '..';
+import { AgentPolicyInvalidError } from '../../errors';
+
+import { validateRequiredVersions } from './required_versions';
+
+describe('validateRequiredVersions', () => {
+  it('should throw error if feature flag is disabled', () => {
+    jest
+      .spyOn(appContextService, 'getExperimentalFeatures')
+      .mockReturnValue({ enableAutomaticAgentUpgrades: false } as any);
+
+    expect(() => {
+      validateRequiredVersions('test policy', [{ version: '9.0.0', percentage: 100 }]);
+    }).toThrow(
+      new AgentPolicyInvalidError(
+        `Policy "test policy" failed validation: required_versions are not allowed when automatic upgrades feature is disabled`
+      )
+    );
+  });
+
+  describe('feature flag enabled', () => {
+    beforeEach(() => {
+      jest
+        .spyOn(appContextService, 'getExperimentalFeatures')
+        .mockReturnValue({ enableAutomaticAgentUpgrades: true } as any);
+    });
+
+    it('should throw error if duplicate versions', () => {
+      expect(() => {
+        validateRequiredVersions('test policy', [
+          { version: '9.0.0', percentage: 10 },
+          { version: '9.0.0', percentage: 10 },
+        ]);
+      }).toThrow(
+        new AgentPolicyInvalidError(
+          `Policy "test policy" failed validation: duplicate versions not allowed in required_versions`
+        )
+      );
+    });
+
+    it('should throw error if has invalid semver version', () => {
+      expect(() => {
+        validateRequiredVersions('test policy', [
+          { version: '9.0.0', percentage: 10 },
+          { version: '9.0.0invalid', percentage: 10 },
+        ]);
+      }).toThrow(
+        new AgentPolicyInvalidError(
+          `Policy "test policy" failed validation: invalid semver version 9.0.0invalid in required_versions`
+        )
+      );
+    });
+
+    it('should throw error if sum of percentages exceeds 100', () => {
+      expect(() => {
+        validateRequiredVersions('test policy', [
+          { version: '9.0.0', percentage: 100 },
+          { version: '9.1.0', percentage: 10 },
+        ]);
+      }).toThrow(
+        new AgentPolicyInvalidError(
+          `Policy "test policy" failed validation: sum of required_versions percentages cannot exceed 100`
+        )
+      );
+    });
+
+    it('should not throw error if valid required_versions', () => {
+      validateRequiredVersions('test policy', [
+        { version: '9.0.0', percentage: 90 },
+        { version: '9.1.0', percentage: 10 },
+      ]);
+    });
+
+    it('should not throw error if required_versions undefined', () => {
+      validateRequiredVersions('test policy');
+    });
+  });
+});

x-pack/platform/plugins/shared/fleet/server/services/agent_policies/required_versions.ts

@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import semverValid from 'semver/functions/valid';
+
+import type { AgentTargetVersion } from '../../../common/types';
+
+import { AgentPolicyInvalidError } from '../../errors';
+import { appContextService } from '..';
+
+export function validateRequiredVersions(
+  name: string,
+  requiredVersions?: AgentTargetVersion[] | null
+): void {
+  if (!requiredVersions) {
+    return;
+  }
+  if (!appContextService.getExperimentalFeatures().enableAutomaticAgentUpgrades) {
+    throw new AgentPolicyInvalidError(
+      `Policy "${name}" failed validation: required_versions are not allowed when automatic upgrades feature is disabled`
+    );
+  }
+  const versions = requiredVersions.map((v) => v.version);
+  const uniqueVersions = new Set(versions);
+  if (versions.length !== uniqueVersions.size) {
+    throw new AgentPolicyInvalidError(
+      `Policy "${name}" failed validation: duplicate versions not allowed in required_versions`
+    );
+  }
+  versions.forEach((version) => {
+    if (!semverValid(version)) {
+      throw new AgentPolicyInvalidError(
+        `Policy "${name}" failed validation: invalid semver version ${version} in required_versions`
+      );
+    }
+  });
+  const sumOfPercentages = requiredVersions.reduce((acc, v) => acc + v.percentage, 0);
+  if (sumOfPercentages > 100) {
+    throw new AgentPolicyInvalidError(
+      `Policy "${name}" failed validation: sum of required_versions percentages cannot exceed 100`
+    );
+  }
+}

x-pack/platform/plugins/shared/fleet/server/services/agent_policy.ts

@@ -110,7 +110,11 @@ import { incrementPackagePolicyCopyName } from './package_policies';
 import { outputService } from './output';
 import { agentPolicyUpdateEventHandler } from './agent_policy_update';
 import { escapeSearchQueryPhrase, normalizeKuery as _normalizeKuery } from './saved_object';
-import { getFullAgentPolicy, validateOutputForPolicy } from './agent_policies';
+import {
+  getFullAgentPolicy,
+  validateOutputForPolicy,
+  validateRequiredVersions,
+} from './agent_policies';
 import { auditLoggingService } from './audit_logging';
 import { licenseService } from './license';
 import { createSoFindIterable } from './utils/create_so_find_iterable';
@@ -408,6 +412,7 @@ class AgentPolicyService {
       {},
       getAllowedOutputTypesForAgentPolicy(agentPolicy)
     );
+    validateRequiredVersions(agentPolicy.name, agentPolicy.required_versions);
 
     const newSo = await soClient.create<AgentPolicySOAttributes>(
       savedObjectType,
@@ -708,6 +713,7 @@ class AgentPolicyService {
         namespace: agentPolicy.namespace,
       });
     }
+    validateRequiredVersions(agentPolicy.name ?? id, agentPolicy.required_versions);
 
     const existingAgentPolicy = await this.get(soClient, id, true);