[Cases] Include rule registry client for updating alert statuses

x-pack/plugins/cases/kibana.json

@@ -23,6 +23,7 @@
      "features",
      "kibanaReact",
      "kibanaUtils",
+     "ruleRegistry",
      "triggersActionsUi"
   ],
   "server":true,

x-pack/plugins/cases/server/client/alerts/get.ts

@@ -12,19 +12,11 @@ export const get = async (
   { alertsInfo }: AlertGet,
   clientArgs: CasesClientArgs
 ): Promise<CasesClientGetAlertsResponse> => {
-  const { alertsService, scopedClusterClient, logger } = clientArgs;
+  const { alertsService, logger } = clientArgs;
   if (alertsInfo.length === 0) {
     return [];
   }
 
-  const alerts = await alertsService.getAlerts({ alertsInfo, scopedClusterClient, logger });
-  if (!alerts) {
-    return [];
-  }
-
-  return alerts.docs.map((alert) => ({
-    id: alert._id,
-    index: alert._index,
-    ...alert._source,
-  }));
+  const alerts = await alertsService.getAlerts({ alertsInfo, logger });
+  return alerts ?? [];
 };

x-pack/plugins/cases/server/client/alerts/types.ts

@@ -7,17 +7,7 @@
 
 import { CaseStatuses } from '../../../common/api';
 import { AlertInfo } from '../../common';
-
-interface Alert {
-  id: string;
-  index: string;
-  destination?: {
-    ip: string;
-  };
-  source?: {
-    ip: string;
-  };
-}
+import { Alert } from '../../services/alerts/types';
 
 export type CasesClientGetAlertsResponse = Alert[];
 

x-pack/plugins/cases/server/client/alerts/update_status.ts

@@ -16,6 +16,6 @@ export const updateStatus = async (
   { alerts }: UpdateAlertsStatusArgs,
   clientArgs: CasesClientArgs
 ): Promise<void> => {
-  const { alertsService, scopedClusterClient, logger } = clientArgs;
-  await alertsService.updateAlertsStatus({ alerts, scopedClusterClient, logger });
+  const { alertsService, logger } = clientArgs;
+  await alertsService.updateAlertsStatus({ alerts, logger });
 };

x-pack/plugins/cases/server/client/attachments/add.ts

@@ -47,7 +47,7 @@ import {
 } from '../../common';
 import { CasesClientArgs, CasesClientInternal } from '..';
 
-import { decodeCommentRequest } from '../utils';
+import { decodeCommentRequest, updateAlertsStatusCatchErrors } from '../utils';
 import { Operations } from '../../authorization';
 
 async function getSubCase({
@@ -203,8 +203,11 @@ const addGeneratedAlerts = async (
         comment: query,
         status: subCase.attributes.status,
       });
-      await casesClientInternal.alerts.updateStatus({
-        alerts: alertsToUpdate,
+      await updateAlertsStatusCatchErrors({
+        casesClientInternal,
+        alertsToUpdate,
+        logger,
+        errorMessage: 'for generated alerts',
       });
     }
 
@@ -385,8 +388,11 @@ export const addComment = async (
         status: updatedCase.status,
       });
 
-      await casesClientInternal.alerts.updateStatus({
-        alerts: alertsToUpdate,
+      await updateAlertsStatusCatchErrors({
+        casesClientInternal,
+        alertsToUpdate,
+        logger,
+        errorMessage: 'for user added alert',
       });
     }
 

x-pack/plugins/cases/server/client/cases/push.ts

@@ -6,7 +6,7 @@
  */
 
 import Boom from '@hapi/boom';
-import { SavedObjectsFindResponse, SavedObject } from 'kibana/server';
+import { SavedObjectsFindResponse, SavedObject, Logger } from 'kibana/server';
 
 import {
   ActionConnector,
@@ -22,26 +22,16 @@ import {
 import { buildCaseUserActionItem } from '../../services/user_actions/helpers';
 
 import { createIncident, getCommentContextFromAttributes } from './utils';
-import { createCaseError, flattenCaseSavedObject, getAlertInfoFromComments } from '../../common';
+import {
+  AlertInfo,
+  createCaseError,
+  flattenCaseSavedObject,
+  getAlertInfoFromComments,
+} from '../../common';
 import { CasesClient, CasesClientArgs, CasesClientInternal } from '..';
 import { Operations } from '../../authorization';
 import { casesConnectors } from '../../connectors';
-
-/**
- * Returns true if the case should be closed based on the configuration settings and whether the case
- * is a collection. Collections are not closable because we aren't allowing their status to be changed.
- * In the future we could allow push to close all the sub cases of a collection but that's not currently supported.
- */
-function shouldCloseByPush(
-  configureSettings: SavedObjectsFindResponse<CasesConfigureAttributes>,
-  caseInfo: SavedObject<CaseAttributes>
-): boolean {
-  return (
-    configureSettings.total > 0 &&
-    configureSettings.saved_objects[0].attributes.closure_type === 'close-by-pushing' &&
-    caseInfo.attributes.type !== CaseType.collection
-  );
-}
+import { CasesClientGetAlertsResponse } from '../alerts/types';
 
 /**
  * Parameters for pushing a case to an external system
@@ -106,9 +96,7 @@ export const push = async (
 
     const alertsInfo = getAlertInfoFromComments(theCase?.comments);
 
-    const alerts = await casesClientInternal.alerts.get({
-      alertsInfo,
-    });
+    const alerts = await getAlertsCatchErrors({ casesClientInternal, alertsInfo, logger });
 
     const getMappingsResponse = await casesClientInternal.configuration.getMappings({
       connector: theCase.connector,
@@ -278,3 +266,38 @@ export const push = async (
     throw createCaseError({ message: `Failed to push case: ${error}`, error, logger });
   }
 };
+
+async function getAlertsCatchErrors({
+  casesClientInternal,
+  alertsInfo,
+  logger,
+}: {
+  casesClientInternal: CasesClientInternal;
+  alertsInfo: AlertInfo[];
+  logger: Logger;
+}): Promise<CasesClientGetAlertsResponse> {
+  try {
+    return await casesClientInternal.alerts.get({
+      alertsInfo,
+    });
+  } catch (error) {
+    logger.error(`Failed to retrieve alerts during push: ${error}`);
+    return [];
+  }
+}
+
+/**
+ * Returns true if the case should be closed based on the configuration settings and whether the case
+ * is a collection. Collections are not closable because we aren't allowing their status to be changed.
+ * In the future we could allow push to close all the sub cases of a collection but that's not currently supported.
+ */
+function shouldCloseByPush(
+  configureSettings: SavedObjectsFindResponse<CasesConfigureAttributes>,
+  caseInfo: SavedObject<CaseAttributes>
+): boolean {
+  return (
+    configureSettings.total > 0 &&
+    configureSettings.saved_objects[0].attributes.closure_type === 'close-by-pushing' &&
+    caseInfo.attributes.type !== CaseType.collection
+  );
+}

x-pack/plugins/cases/server/client/cases/update.ts

@@ -12,6 +12,7 @@ import { fold } from 'fp-ts/lib/Either';
 import { identity } from 'fp-ts/lib/function';
 
 import {
+  Logger,
   SavedObject,
   SavedObjectsClientContract,
   SavedObjectsFindResponse,
@@ -42,7 +43,7 @@ import {
   CaseAttributes,
 } from '../../../common';
 import { buildCaseUserActions } from '../../services/user_actions/helpers';
-import { getCaseToUpdate } from '../utils';
+import { getCaseToUpdate, updateAlertsStatusCatchErrors } from '../utils';
 
 import { CasesService } from '../../services';
 import {
@@ -307,12 +308,14 @@ async function updateAlerts({
   caseService,
   unsecuredSavedObjectsClient,
   casesClientInternal,
+  logger,
 }: {
   casesWithSyncSettingChangedToOn: UpdateRequestWithOriginalCase[];
   casesWithStatusChangedAndSynced: UpdateRequestWithOriginalCase[];
   caseService: CasesService;
   unsecuredSavedObjectsClient: SavedObjectsClientContract;
   casesClientInternal: CasesClientInternal;
+  logger: Logger;
 }) {
   /**
    * It's possible that a case ID can appear multiple times in each array. I'm intentionally placing the status changes
@@ -361,7 +364,12 @@ async function updateAlerts({
     []
   );
 
-  await casesClientInternal.alerts.updateStatus({ alerts: alertsToUpdate });
+  await updateAlertsStatusCatchErrors({
+    casesClientInternal,
+    alertsToUpdate,
+    logger,
+    errorMessage: 'for updated cases',
+  });
 }
 
 function partitionPatchRequest(
@@ -569,6 +577,7 @@ export const update = async (
       caseService,
       unsecuredSavedObjectsClient,
       casesClientInternal,
+      logger,
     });
 
     const returnUpdatedCase = myCases.saved_objects

x-pack/plugins/cases/server/client/factory.ts

@@ -5,12 +5,7 @@
  * 2.0.
  */
 
-import {
-  KibanaRequest,
-  SavedObjectsServiceStart,
-  Logger,
-  ElasticsearchClient,
-} from 'kibana/server';
+import { KibanaRequest, SavedObjectsServiceStart, Logger } from 'kibana/server';
 import { SecurityPluginSetup, SecurityPluginStart } from '../../../security/server';
 import { SAVED_OBJECT_TYPES } from '../../common';
 import { Authorization } from '../authorization/authorization';
@@ -25,6 +20,7 @@ import {
 } from '../services';
 import { PluginStartContract as FeaturesPluginStart } from '../../../features/server';
 import { PluginStartContract as ActionsPluginStart } from '../../../actions/server';
+import { RuleRegistryPluginStartContract } from '../../../rule_registry/server';
 import { AuthorizationAuditLogger } from '../authorization';
 import { CasesClient, createCasesClient } from '.';
 
@@ -34,6 +30,7 @@ interface CasesClientFactoryArgs {
   getSpace: GetSpaceFn;
   featuresPluginStart: FeaturesPluginStart;
   actionsPluginStart: ActionsPluginStart;
+  ruleRegistryPluginStart: RuleRegistryPluginStartContract;
 }
 
 /**
@@ -66,12 +63,10 @@ export class CasesClientFactory {
    */
   public async create({
     request,
-    scopedClusterClient,
     savedObjectsService,
   }: {
     request: KibanaRequest;
     savedObjectsService: SavedObjectsServiceStart;
-    scopedClusterClient: ElasticsearchClient;
   }): Promise<CasesClient> {
     if (!this.isInitialized || !this.options) {
       throw new Error('CasesClientFactory must be initialized before calling create');
@@ -91,9 +86,12 @@ export class CasesClientFactory {
     const caseService = new CasesService(this.logger, this.options?.securityPluginStart?.authc);
     const userInfo = caseService.getUser({ request });
 
+    const alertsClient = await this.options.ruleRegistryPluginStart.getRacClientWithRequest(
+      request
+    );
+
     return createCasesClient({
-      alertsService: new AlertService(),
-      scopedClusterClient,
+      alertsService: new AlertService(alertsClient),
       unsecuredSavedObjectsClient: savedObjectsService.getScopedClient(request, {
         includedHiddenTypes: SAVED_OBJECT_TYPES,
         // this tells the security plugin to not perform SO authorization and audit logging since we are handling

x-pack/plugins/cases/server/client/sub_cases/update.ts

@@ -36,7 +36,7 @@ import {
   User,
   CaseAttributes,
 } from '../../../common';
-import { getCaseToUpdate } from '../utils';
+import { getCaseToUpdate, updateAlertsStatusCatchErrors } from '../utils';
 import { buildSubCaseUserActions } from '../../services/user_actions/helpers';
 import {
   createAlertUpdateRequest,
@@ -246,7 +246,12 @@ async function updateAlerts({
       []
     );
 
-    await casesClientInternal.alerts.updateStatus({ alerts: alertsToUpdate });
+    await updateAlertsStatusCatchErrors({
+      casesClientInternal,
+      alertsToUpdate,
+      logger,
+      errorMessage: 'for updated sub cases',
+    });
   } catch (error) {
     throw createCaseError({
       message: `Failed to update alert status while updating sub cases: ${JSON.stringify(

x-pack/plugins/cases/server/client/types.ts

@@ -6,7 +6,7 @@
  */
 
 import type { PublicMethodsOf } from '@kbn/utility-types';
-import { ElasticsearchClient, SavedObjectsClientContract, Logger } from 'kibana/server';
+import { SavedObjectsClientContract, Logger } from 'kibana/server';
 import { User } from '../../common';
 import { Authorization } from '../authorization/authorization';
 import {
@@ -23,7 +23,6 @@ import { ActionsClient } from '../../../actions/server';
  * Parameters for initializing a cases client
  */
 export interface CasesClientArgs {
-  readonly scopedClusterClient: ElasticsearchClient;
   readonly caseConfigureService: CaseConfigureService;
   readonly caseService: CasesService;
   readonly connectorMappingsService: ConnectorMappingsService;

x-pack/plugins/cases/server/client/utils.ts

@@ -12,6 +12,7 @@ import { fold } from 'fp-ts/lib/Either';
 import { identity } from 'fp-ts/lib/function';
 import { pipe } from 'fp-ts/lib/pipeable';
 
+import { Logger } from 'kibana/server';
 import { nodeBuilder, KueryNode } from '../../../../../src/plugins/data/common';
 import { esKuery } from '../../../../../src/plugins/data/server';
 import {
@@ -35,6 +36,30 @@ import {
   isCommentRequestTypeActions,
   SavedObjectFindOptionsKueryNode,
 } from '../common';
+import { CasesClientInternal } from '.';
+import { UpdateAlertRequest } from './alerts/types';
+
+export async function updateAlertsStatusCatchErrors({
+  casesClientInternal,
+  alertsToUpdate,
+  logger,
+  errorMessage = '',
+}: {
+  casesClientInternal: CasesClientInternal;
+  alertsToUpdate: UpdateAlertRequest[];
+  logger: Logger;
+  errorMessage?: string;
+}) {
+  try {
+    await casesClientInternal.alerts.updateStatus({
+      alerts: alertsToUpdate,
+    });
+  } catch (error) {
+    // we'll log and continue as to not block the user from performing the rest of the action that caused this function
+    // to be called
+    logger.error(`Failed to update the status of the alerts ${errorMessage}: ${error}`);
+  }
+}
 
 export const decodeCommentRequest = (comment: CommentRequest) => {
   if (isCommentRequestTypeUser(comment)) {