
Merge pull request #1 from dhurley14/fix-bulk-update-api
Replaces ALERT_STATUS with ALERT_WORKFLOW_STATUS, updates the tests, and adds logic for choosing between signal.status and the workflow status field when updating alerts in .siem-signals
semd authored Aug 12, 2021
2 parents ec8ada3 + f82720b commit 18e1f8b
Showing 6 changed files with 163 additions and 125 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ import { Logger, ElasticsearchClient, EcsEventOutcome } from '../../../../../src
import { alertAuditEvent, operationAlertAuditActionMap } from './audit_events';
import { AuditLogger } from '../../../security/server';
import {
ALERT_STATUS,
ALERT_WORKFLOW_STATUS,
ALERT_RULE_CONSUMER,
ALERT_RULE_TYPE_ID,
SPACE_IDS,
Expand Down Expand Up @@ -80,7 +80,7 @@ export interface BulkUpdateOptions<Params extends AlertTypeParams> {
ids: string[] | undefined | null;
status: STATUS_VALUES;
index: string;
query: string | undefined | null;
query: object | string | undefined | null;
}

interface GetAlertParams {
Expand All @@ -90,7 +90,7 @@ interface GetAlertParams {

interface SingleSearchAfterAndAudit {
id: string | null | undefined;
query: string | null | undefined;
query: object | string | null | undefined;
index?: string;
operation: WriteOperations.Update | ReadOperations.Find | ReadOperations.Get;
lastSortIds: Array<string | number> | undefined;
Expand Down Expand Up @@ -315,7 +315,11 @@ export class AlertsClient {
},
},
{
doc: { [ALERT_STATUS]: status },
doc: {
[item?._source?.[ALERT_WORKFLOW_STATUS] == null
? 'signal.status'
: ALERT_WORKFLOW_STATUS]: status,
},
},
]);

Expand All @@ -330,7 +334,7 @@ export class AlertsClient {
}

private async buildEsQueryWithAuthz(
query: string | null | undefined,
query: object | string | null | undefined,
id: string | null | undefined,
alertSpaceId: string,
operation: WriteOperations.Update | ReadOperations.Get | ReadOperations.Find,
Expand All @@ -345,15 +349,28 @@ export class AlertsClient {
},
operation
);
return buildEsQuery(
let esQuery;
if (id != null) {
esQuery = { query: `_id:${id}`, language: 'kuery' };
} else if (typeof query === 'string') {
esQuery = { query, language: 'kuery' };
} else if (query != null && typeof query === 'object') {
esQuery = [];
}
const builtQuery = buildEsQuery(
undefined,
{ query: query == null ? `_id:${id}` : query, language: 'kuery' },
esQuery == null ? { query: ``, language: 'kuery' } : esQuery,
[
(authzFilter as unknown) as Filter,
({ term: { [SPACE_IDS]: alertSpaceId } } as unknown) as Filter,
],
config
);
if (query != null && typeof query === 'object') {
// @ts-expect-error
builtQuery.bool.must.push(query);
}
return builtQuery;
} catch (exc) {
this.logger.error(exc);
throw Boom.expectationFailed(
Expand All @@ -373,7 +390,7 @@ export class AlertsClient {
operation,
}: {
index: string;
query: string;
query: object | string;
operation: WriteOperations.Update | ReadOperations.Find | ReadOperations.Get;
}) {
let lastSortIds;
Expand Down Expand Up @@ -436,7 +453,7 @@ export class AlertsClient {
// first search for the alert by id, then use the alert info to check if user has access to it
const alert = await this.singleSearchAfterAndAudit({
id,
query: null,
query: undefined,
index,
operation: ReadOperations.Get,
lastSortIds: undefined,
Expand Down Expand Up @@ -483,7 +500,9 @@ export class AlertsClient {
index,
body: {
doc: {
[ALERT_STATUS]: status,
[alert?.hits.hits[0]._source?.[ALERT_WORKFLOW_STATUS] == null
? 'signal.status'
: ALERT_WORKFLOW_STATUS]: status,
},
},
refresh: 'wait_for',
Expand Down Expand Up @@ -535,8 +554,8 @@ export class AlertsClient {
refresh: true,
body: {
script: {
source: `if (ctx._source['${ALERT_STATUS}'] != null) {
ctx._source['${ALERT_STATUS}'] = '${status}'
source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) {
ctx._source['${ALERT_WORKFLOW_STATUS}'] = '${status}'
}
if (ctx._source['signal.status'] != null) {
ctx._source['signal.status'] = '${status}'
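Review bot: In buildEsQueryWithAuthz the caller-supplied `query` object is pushed straight into `builtQuery.bool.must` behind a `@ts-expect-error`, and the `typeof query === 'object'` branch also admits arrays, which would nest an array inside `must` and produce a malformed clause. The authorization filter and the `SPACE_IDS` term are still handed to buildEsQuery, so this does not appear to widen what a caller can read or update, but the client now forwards raw Elasticsearch query DSL with no shape check of its own — the route's io-ts codec is the only validation visible on this page, and other server-side callers of this client would bypass it. I would at least reject arrays with `} else if (query != null && typeof query === 'object' && !Array.isArray(query)) {` and narrow the type of `must` instead of suppressing the error. The method also deserves a comment such as `// query: a KQL string or a single ES query clause; either is ANDed with the RBAC and space filters` so the contract is explicit for future callers.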
Original file line number Diff line number Diff line change
Expand Up @@ -254,7 +254,7 @@ describe('get()', () => {

await expect(alertsClient.get({ id: fakeAlertId, index: '.alerts-observability-apm' })).rejects
.toThrowErrorMatchingInlineSnapshot(`
"Unable to retrieve alert details for alert with id of \\"myfakeid1\\" or with query \\"null\\" and operation get
"Unable to retrieve alert details for alert with id of \\"myfakeid1\\" or with query \\"undefined\\" and operation get
Error: Error: Unauthorized for fake.rule and apm"
`);

Expand All @@ -281,7 +281,7 @@ describe('get()', () => {
await expect(
alertsClient.get({ id: 'NoxgpHkBqbdrfX07MqXV', index: '.alerts-observability-apm' })
).rejects.toThrowErrorMatchingInlineSnapshot(`
"Unable to retrieve alert details for alert with id of \\"NoxgpHkBqbdrfX07MqXV\\" or with query \\"null\\" and operation get
"Unable to retrieve alert details for alert with id of \\"NoxgpHkBqbdrfX07MqXV\\" or with query \\"undefined\\" and operation get
Error: Error: something went wrong"
`);
});
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@

import {
ALERT_RULE_CONSUMER,
ALERT_STATUS,
ALERT_WORKFLOW_STATUS,
SPACE_IDS,
ALERT_RULE_TYPE_ID,
} from '@kbn/rule-data-utils';
Expand Down Expand Up @@ -89,8 +89,8 @@ describe('update()', () => {
_source: {
[ALERT_RULE_TYPE_ID]: 'apm.error_rate',
message: 'hello world 1',
[ALERT_WORKFLOW_STATUS]: 'open',
[ALERT_RULE_CONSUMER]: 'apm',
[ALERT_STATUS]: 'open',
[SPACE_IDS]: [DEFAULT_SPACE],
},
},
Expand Down Expand Up @@ -139,7 +139,7 @@ describe('update()', () => {
Object {
"body": Object {
"doc": Object {
"${ALERT_STATUS}": "closed",
"kibana.alert.workflow_status": "closed",
},
},
"id": "1",
Expand Down Expand Up @@ -175,8 +175,8 @@ describe('update()', () => {
_source: {
[ALERT_RULE_TYPE_ID]: 'apm.error_rate',
message: 'hello world 1',
[ALERT_WORKFLOW_STATUS]: 'open',
[ALERT_RULE_CONSUMER]: 'apm',
[ALERT_STATUS]: 'open',
[SPACE_IDS]: [DEFAULT_SPACE],
},
},
Expand Down Expand Up @@ -249,7 +249,7 @@ describe('update()', () => {
_source: {
[ALERT_RULE_TYPE_ID]: fakeRuleTypeId,
[ALERT_RULE_CONSUMER]: 'apm',
[ALERT_STATUS]: 'open',
[ALERT_WORKFLOW_STATUS]: 'open',
[SPACE_IDS]: [DEFAULT_SPACE],
},
},
Expand Down Expand Up @@ -330,8 +330,8 @@ describe('update()', () => {
_source: {
[ALERT_RULE_TYPE_ID]: 'apm.error_rate',
message: 'hello world 1',
[ALERT_WORKFLOW_STATUS]: 'open',
[ALERT_RULE_CONSUMER]: 'apm',
[ALERT_STATUS]: 'open',
[SPACE_IDS]: [DEFAULT_SPACE],
},
},
Expand Down Expand Up @@ -391,7 +391,7 @@ describe('update()', () => {
[ALERT_RULE_TYPE_ID]: 'apm.error_rate',
message: 'hello world 1',
[ALERT_RULE_CONSUMER]: 'apm',
[ALERT_STATUS]: 'open',
[ALERT_WORKFLOW_STATUS]: 'open',
[SPACE_IDS]: [DEFAULT_SPACE],
},
},
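Review bot: Every update() fixture in this section seeds `_source` with `[ALERT_WORKFLOW_STATUS]: 'open'`, so the new fallback that writes `signal.status` when that field is missing is not exercised by any test shown here. Add a case whose `_source` omits the workflow-status field and assert the update body is `"doc": { "signal.status": "closed" }`, plus a bulk case mixing both document shapes, since the per-item field selection in bulkUpdate is the part most likely to regress. The test file continues outside the hunks shown, so such a case may already exist elsewhere.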
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ export const bulkUpdateAlertsRoute = (router: IRouter<RacRequestHandlerContext>)
status: t.union([t.literal('open'), t.literal('closed')]),
index: t.string,
ids: t.undefined,
query: t.string,
query: t.union([t.object, t.string]),
}),
])
),
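Review bot: `t.union([t.object, t.string])` accepts any JSON object for `query`, and that object is forwarded by the client into the Elasticsearch `bool.must` clause as raw query DSL, so this codec is the only input validation on the request path visible here; io-ts `t.object` is also likely to admit arrays. If the intent is to accept a single structured query clause, use a narrower codec (for example `t.record(t.string, t.unknown)`) and document the field with a comment such as `// query: KQL string or one Elasticsearch query clause; ANDed with the RBAC filter server-side`. The enclosing route definition starts and ends outside the hunk.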