[ResponseOps] Allow users authenticated with an API keys to manage alerting rules

[doakalexi]

Resolves #152140

Summary

Updates the following functions in the Rules Client to re-use the API key in context and avoid having the system invalidate them when no longer in use:

• bulk_delete
• bulk_edit
• clone
• create
• delete
• update
• update_api_key

Also adds a new field to the rule SO to help determine when whether an api key was created by a user or created by us.

Checklist

• Unit or functional tests were updated or added to match the most common scenarios

To verify

• Follow these instructions to create an api key. Make sure to copy your api key
• Run the following

curl -X POST "http://localhost:5601/api/alerting/rule/" -H 'Authorization: ApiKey ${API_KEY}' -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
{
  "rule_type_id": "example.pattern",
  "name": "pattern",
  "schedule": {
    "interval": "5s"
  },
  "actions": [
  ],
  "consumer": "alerts",
  "tags": [],
  "notify_when": "onActionGroupChange",
  "params": {
    "patterns": {
      "instA": " a - - a "
    }
  }
}'

• Verify that the request returns a rule with"api_key_created_by_user":true
• Try this with the other rules clients functions listed above to verify that you can manage alerting rules when authenticated with an api key
• Verify that "api_key_created_by_user":false when you remove the api key header and add -u ${USERNAME}:${PASSWORD} to authenticate

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[afharo]

SO changes LGTM. If not needed for search/aggregations, I'd avoid adding it to the mappings.

[pmuellr]

Trying out the _update_api_key API, via the following, doesn't seem to work. Am I holding it wrong?

$ curl -X POST "http://localhost:5601/internal/alerting/rule/4f0a4ec0-d3cf-11ed-8173-855da63578db/_update_api_key" -H "Authorization: ApiKey ${API_KEY}" -H 'kbn-xsrf: true'
{"statusCode":400,"error":"Bad Request","message":"Error updating API key for rule: could not create API key - Unsupported scheme \"ApiKey\" for granting API Key"}

Seems like it should not have tried to create an API key in this case, but didn't look in the code to see what was going on ...

[doakalexi]

Trying out the _update_api_key API, via the following, doesn't seem to work. Am I holding it wrong?

$ curl -X POST "http://localhost:5601/internal/alerting/rule/4f0a4ec0-d3cf-11ed-8173-855da63578db/_update_api_key" -H "Authorization: ApiKey ${API_KEY}" -H 'kbn-xsrf: true'
{"statusCode":400,"error":"Bad Request","message":"Error updating API key for rule: could not create API key - Unsupported scheme \"ApiKey\" for granting API Key"}

Seems like it should not have tried to create an API key in this case, but didn't look in the code to see what was going on ...

Resolved in this commit 47d83e6

[pmuellr]

Still reviewing, no blockers yet, however there is one potentially big thing I'd like added. Doesn't neccessarily need to be in this PR, but I think we'd want to do it before 8.8.

More function tests. :-).

What I'd like to see is a bunch of the following scenarios:

1. create a rule
2. make sure it's running (whatever's easiest, maybe the get event log function)
3. modify the rule with one of the methods changed in this PR
4. make sure the shape is correct after the modification, and check if it's still running
5. ideally, check to make sure any API keys in the scenario are queued for invalidation / still exist / etc, as expected - this might be hard, not sure where we store those queued-for-invalidation keys

I'd like to see this where we run ever combination of methods changed, where when we create the rule, and run the method, we use every combination of api-key / login. So, something like this:

for (const createType of ['api-key', 'login']) {
  for (const mutateType of ['api-key', 'login']) {
    for (const method of ['bulk_delete', 'bulk_edit', ... ]) {
      test(createType, mutateType, method);
    }
  }
}

[doakalexi]

Still reviewing, no blockers yet, however there is one potentially big thing I'd like added. Doesn't neccessarily need to be in this PR, but I think we'd want to do it before 8.8.

More function tests. :-).

I created an issue to add functional tests #154584

[pmuellr]

Lots of comments, generally LGTM. I think the most critical comment is on transform_rule_for_export.test.ts, to add some more tests. If anything else makes sense and is easy, cool. I'm interested in getting this merged soon-ish so we can start hammering on it, so if anything is "too big", I think we can do in a follow-up PR.

[pmuellr]

Looks like the name here is just added to the return object of getAuthenticationAPIKey(), not otherwise used. AFAIK, we don't display this name anywhere in alerting UX - I think it's primary use is when you are scrolling through the API Keys UX, for the keys we generate, so you can tell what rules they were for.

If so, I think this is fine.

I just don't want to confuse customers by suggesting there is an API key with that name. Maybe we should add something to the name though anyway, in this case. Could be useful while diagnosing problems ... like prefix/postfix with "(user-created)" or similar.

[doakalexi]

Oh okay that makes sense, I can add something like that

[doakalexi]

Resolved in this commit bc37396

[pmuellr]

Feels like we should have a test for apiKeyCreatedByUser: true in here, to make sure it's getting exported as null (like the other api key-related properties).

[doakalexi]

Resolved in this commit bc37396

[pmuellr]

@XavierM I'm guessing you're adding this in your SO refactor PR; heads up that we're doing it here to add a new property that doesn't need to be indexed.

[pmuellr]

These blocks of code are very similar between the various client methods - wonder if there's anyway we could arrange to do most of this work in a common function, to cut down on the boilerplate. Even it it was just useful for most of the methods, would probably be useful ...

[doakalexi]

Resolved in this commit bc37396

The only client method I didn't update was create.ts

[pmuellr]

can we rename these to have a "previous" or "old" prefix. My first thought on seeing these was - which "keyCreatedByUser"? It's not the newly created one, right? No, it's not, but I had to scroll to the top to see where these were assigned from the original rule. I think putting a prefix on them will keep me from wondering in the future :-)

[doakalexi]

Resolved in this commit bc37396

[pmuellr]

can we add id1 and id2 here as well, ensure that they get passed to the bulkKeyInvalidation function

[doakalexi]

Resolved in this commit bc37396

[pmuellr]

I don't believe either of these methods needs to be async, technically. I'm seeing a squiggle under the await for securityPluginStart.authc.getCurrentUser(request) indicating 'await' has no effect on the type of this expression.

[doakalexi]

Oh my bad, I will fix this!

[doakalexi]

Resolved in this commit bc37396

[mohamedhamed-ahmed]

Infra changes LGTM!

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: fca96c9

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
alerting	543	544	+1

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
alerting	44.5KB	44.6KB	+67.0B

Unknown metric groups

API count

id	before	after	diff
alerting	564	565	+1

ESLint disabled line counts

id	before	after	diff
securitySolution	433	436	+3

Total ESLint disabled count

id	before	after	diff
securitySolution	513	516	+3

History

• 💔 Build #118718 failed 0f046d6
• 💔 Build #118659 failed 9168b69
• 💚 Build #118094 succeeded 47d83e6
• 💚 Build #117850 succeeded 7ba7360
• 💔 Build #117779 failed 19085c8

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream