fix audit unenroll #4036

Closed
juliaElastic

What is the problem this PR solves?

// Please do not just reference an issue. Explain WHAT the problem this PR solves here.

audit unenroll should set the agent active flag to false

How does this PR solve the problem?

// Explain HOW you solved the problem in your code. It is possible that during PR reviews this changes and then this section should be updated.

How to test this PR locally

Design Checklist

  • I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
  • I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
  • I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool

Related issues

Closes elastic/kibana#197180

@juliaElastic juliaElastic requested a review from a team as a code owner October 23, 2024 12:13

mergify bot commented Oct 23, 2024

This pull request does not have a backport label. Could you fix it @juliaElastic? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit


mergify bot commented Oct 23, 2024

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

@mergify mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Oct 23, 2024
@juliaElastic juliaElastic added the backport-8.16 Automated backport with mergify label Oct 23, 2024
@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label Oct 23, 2024

juliaElastic commented Oct 23, 2024

I need confirmation on how this feature is supposed to work. I read through the comments in elastic/elastic-agent#484 and the integration/e2e tests, and it seems the feature is supposed to allow calling the audit unenroll API multiple times, and a checkin after.

However, the existing unenroll action sets the active flag to false (and that is needed for the UI to correctly show unenrolled state), and by adding it to the audit unenroll API, the agent will no longer accept API calls (the API key will be invalidated).

If we want this audit unenroll to be a "soft unenroll" and the agent to be able to come back online, we have to change the status calculation on the UI to show "unenrolled" if unenrolled_at is set, not when active:false is set.
If we do this, it raises the question of what happens if the agent never checks in again: will it be left active indefinitely with an active API key?
So far the unenroll action was not reversible.

@@ -1485,17 +1485,6 @@ func Test_SmokeTest_AuditUnenroll(t *testing.T) {
require.Equal(t, http.StatusOK, res.StatusCode)
res.Body.Close()

t.Log("Orphaned can replace uninstall")
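
Review bot: The hunk header (`-1485,17 +1485,6`) shrinks this region of `Test_SmokeTest_AuditUnenroll` by eleven lines at the "Orphaned can replace uninstall" step, which removes smoke-test coverage instead of adapting it. If the intended behaviour is that a later audit unenroll call is rejected once the agent is inactive, keep the step and assert the expected status code with `require.Equal` so the changed contract is pinned by the test rather than left unverified.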

We need to test/support this scenario.
It's important for Endpoint to be able to signal that it is orphaned even if the installed agent is removed.

@michel-laterman

In the original implementation I tried setting agents to inactive (#3818); however, that would cause the API key authentication we do on checkins to fail. It would require a change in our overall auth logic if we wanted to make this change.

@ycombinator ycombinator removed the request for review from kaanyalti October 28, 2024 16:22
@juliaElastic

Closing this as it seems we can't move agents to inactive on audit unenroll as they wouldn't be able to check in again.

Successfully merging this pull request may close these issues.

[Fleet]: Unable to force unenroll multiple offline agents from bulk actions.