Return actionable error message when enrolling

[kaanyalti]

• Enhancement

What does this PR do?

This PR adds checks to the enroll command to respond with an error message in case the user executing the command and the user that's the owner of the elastic program files don't match. Replaces #6038 based on the following comment

Why is it important?

Currently there are no checks in place to prevent or correct the situation where a user who is not the owner of the program files executes enroll. This leads to a broken state.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• [ ] I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool
• I have added an integration test or an E2E test

How to test this PR locally

The testing steps are only for linux and mac

• Deploy ess, install agent in unprivileged mode and enroll into fleet
• Unenroll the agent from the fleet ui
• Run the enroll command as root user and validate the error message

Related issues

• Closes Actionable error message when attempting to enroll an unprivileged Agent as a privileged user #4889

[mergify]

This pull request does not have a backport label. Could you fix it @kaanyalti? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit

[mergify]

backport-v8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[michalpristas]

i don't think isEnroll is a proper name for this. not sure it captures properly what this func is doing

[kaanyalti]

I can also split this function into its constituent functions. It would be more readable. All the steps would be clearly outlined. I couldn't come up with a reasonably short function name that describes exactly what's happening.

If I split it, these functions will be called in order in enroll.go

• getFileOwner
• getCurrentUser
• isFileOwner

[blakerouse]

I agree with @michalpristas here, this is not the proper name for this function. It is just verifying that the executing users is the same as the owner of the executable.

To me the better name would be isOwnerExec?

[blakerouse]

On Windows you cannot actually open a shell as the elastic-agent-user so how would they be able to run enroll command on Windows as the elastic-agent-user.

[kaanyalti]

I can return an error message stating the fact that user cannot execute the command as admin for windows. Linux/mac error message will can still mention running the command as the elastic-agent-user

[blakerouse]

I agree with @michalpristas here, this is not the proper name for this function. It is just verifying that the executing users is the same as the owner of the executable.

To me the better name would be isOwnerExec?

[elastic-sonarqube]

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 40%)

See analysis details on SonarQube