[Cases] Remove case info from alerts when deleting an alert attachment #154024
Conversation
cnasikas
added
release_note:skip
|
Pinging @elastic/response-ops (Team:ResponseOps) |
|
Pinging @elastic/response-ops-cases (Feature:Cases) |
|
|
||
| export const isAlertAttachment = ( | ||
| attachment: CommentAttributes | ||
| ): attachment is AttributesTypeAlerts => attachment.type === CommentType.alert; |
There was a problem hiding this comment.
Should we add unit test for this function?
| }, | ||
| }, | ||
| { | ||
| script: { source: painlessScript, lang: 'painless' }, |
There was a problem hiding this comment.
Yes because is a pain to write them hahhaha.
| @@ -29,3 +31,7 @@ export const isCommentRequestTypePersistableState = ( | |||
| ): context is CommentRequestPersistableStateType => { | |||
| return context.type === CommentType.persistableState; | |||
| }; | |||
|
|
|||
| export const isAlertAttachment = ( | |||
There was a problem hiding this comment.
Can we use the type guard here: https://github.com/elastic/kibana/blob/main/x-pack/plugins/cases/server/common/utils.ts#L254
It's slightly different as it operates on the request rather than attributes.
There was a problem hiding this comment.
Ah, thanks. And I was searching for an existing one.
| return; | ||
| } | ||
|
|
||
| await this.alertsClient.removeAlertsFromCase({ |
There was a problem hiding this comment.
removeAlertsFromCase makes me think this is removing the alert ids from the case but if I understand this correctly we're removing the case id from the alerts right? Maybe rename this to removeCaseIdFromAlerts
We'd probably want a similar change for bulkUpdateCases
| operation: ReadOperations.Get, | ||
| }); | ||
|
|
||
| const painlessScript = `if (ctx._source['${ALERT_CASE_IDS}'] != null && ctx._source['${ALERT_CASE_IDS}'].length > 0) { |
There was a problem hiding this comment.
nit: I think we can remove ctx._source['${ALERT_CASE_IDS}'].length > 0 as the for-loop ensures that it won't execute the loop since i = 0 is not less than 0 or a negative number.
|
|
||
| const painlessScript = `if (ctx._source['${ALERT_CASE_IDS}'] != null && ctx._source['${ALERT_CASE_IDS}'].length > 0) { | ||
| for (int i=0; i < ctx._source['${ALERT_CASE_IDS}'].length; i++) { | ||
| if (ctx._source['${ALERT_CASE_IDS}'][i] == '${caseId}') { |
There was a problem hiding this comment.
Painless might be figuring this out automatically but I think we want the string equality operator here:
if (ctx._source['${ALERT_CASE_IDS}'][i].equals('${caseId}'))
|
|
||
| const mgetRes = await this.ensureAllAlertsAuthorized({ | ||
| alerts, | ||
| operation: ReadOperations.Get, |
There was a problem hiding this comment.
Just double checking that we want the deletion operation to be a read here?
There was a problem hiding this comment.
Yes, the same as when we attach an alert to a case (add a case id to the alert schema).
| }); | ||
| } catch (error) { | ||
| throw createCaseError({ | ||
| message: `Failed to remove alerts from case ${caseId}: ${error}`, |
There was a problem hiding this comment.
Maybe update this to say Failed to remove case id from alerts...
| body: bulkUpdateRequest, | ||
| }); | ||
| } catch (error) { | ||
| this.logger.error(`Error removing alerts from case ${caseId}: ${error}`); |
There was a problem hiding this comment.
Maybe update this and the function name to removing case id from alerts.
| const updatedCases = []; | ||
|
|
||
| for (const theCase of cases) { | ||
| const updatedCase = await createComment({ |
There was a problem hiding this comment.
Could we do a Promise.all here?
There was a problem hiding this comment.
The Promise.all produces some weird race conditions/conflicts and the alerts are not updated correctly with the case ids.
| }); | ||
|
|
||
| describe('observability', () => { | ||
| const createCaseAttachAlertAndDeleteAlert = async ({ |
There was a problem hiding this comment.
Seems like this and the security solution function are pretty close do you think it'd make sense to move it to a function that both could call? I think the differences are the alerts that get created and owner, maybe those could be parameters?
| totalCases: number; | ||
| indexOfCaseToDelete: number; | ||
| expectedHttpCode?: number; | ||
| auth?: { user: User; space: string | null }; |
There was a problem hiding this comment.
How about we rename this to deleteCommentAuth since I think that's the only time we're using it right?
|
I tested it and everything is working great. The only slightly odd thing that could happen is if you attach an alert to the same case twice (as two separate attachments), then delete one of them, the case won't show in the alerts table but the case would still have an alert attached to it. I think this is fine though as I doubt users would add the same alert multiple times. |
Very good point. Maybe we should start preventing users to attach the same alert twice in a case. I have an issue for that: #145514 |
|
@elasticmachine run elasticsearch-ci/docs |
|
@elasticmachine merge upstream |
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
Async chunks
Public APIs missing exports
Unknown metric groupsAPI count
ESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: cc @cnasikas |
cnasikas
added
release_note:breaking
and removed
release_note:skip
cnasikas
added
release_note:skip
Summary
Users can remove alerts from a case by deleting the whole alert attachment. This PR removes the case id from the alerts when deleting an attachment of type alert. It does not remove the case info from all alerts attached to a case when deleting a case. It also fixes a bug where the success toaster will not show when deleting an attachment.
Related: #146864, #140800
Testing
...and press "Remove alerts(s)"Please check that when you remove alert(s), attachments (ml, etc), and comments you get a success toaster with the correct text.
Checklist
Delete any items that are not applicable to this PR.
For maintainers