[Fleet] Fleet server invalidate api keys for agent < 7.13 (#95789) (#…

…96088)

x-pack/plugins/fleet/server/services/fleet_server/saved_object_migrations.ts

@@ -25,6 +25,7 @@ import { listEnrollmentApiKeys, getEnrollmentAPIKey } from '../api_keys/enrollme
 import { appContextService } from '../app_context';
 import { isAgentsSetup } from '../agents';
 import { agentPolicyService } from '../agent_policy';
+import { invalidateAPIKeys } from '../api_keys';
 
 export async function runFleetServerMigration() {
   // If Agents are not setup skip as there is nothing to migrate
@@ -56,6 +57,7 @@ function getInternalUserSOClient() {
 async function migrateAgents() {
   const esClient = appContextService.getInternalUserESClient();
   const soClient = getInternalUserSOClient();
+  const logger = appContextService.getLogger();
   let hasMore = true;
   while (hasMore) {
     const res = await soClient.find({
@@ -75,11 +77,20 @@ async function migrateAgents() {
           .getEncryptedSavedObjects()
           .getDecryptedAsInternalUser<AgentSOAttributes>(AGENT_SAVED_OBJECT_TYPE, so.id);
 
+        await invalidateAPIKeys(
+          soClient,
+          [attributes.access_api_key_id, attributes.default_api_key_id].filter(
+            (keyId): keyId is string => keyId !== undefined
+          )
+        ).catch((error) => {
+          logger.error(`Invalidating API keys for agent ${so.id} failed: ${error.message}`);
+        });
+
         const body: FleetServerAgent = {
           type: attributes.type,
-          active: attributes.active,
+          active: false,
           enrolled_at: attributes.enrolled_at,
-          unenrolled_at: attributes.unenrolled_at,
+          unenrolled_at: new Date().toISOString(),
           unenrollment_started_at: attributes.unenrollment_started_at,
           upgraded_at: attributes.upgraded_at,
           upgrade_started_at: attributes.upgrade_started_at,