[Alerting] Allow alert tags to be modified in bulk (#241883)

Closes #240356
Replaces [this PR](#241051)

## Summary

This pull request introduces a new API route and supporting backend
logic for bulk updating tags on alerts in the rule registry. The main
changes include the addition of a `patchTags` method to the
`AlertsClient`, a new route for bulk patching alert tags, and reusable
scripts for tag updates. These improvements make it possible to
add/remove or replace tags on multiple alerts efficiently, either by IDs
or by query.

### Alerting authorization
The `AlertingAuthorization` class changed to support bulk authorized
multiple rule type IDs and consumers. The `ensureAuthorized` was renamed
to `_ensureAuthorized` and accepts `Array<{ ruleTypeId: string;
consumers: string[] }>;`. The logic is the same as before, but it
constructs all security actions based on the input. This is needed to
avoid having to do one authorization call per `(ruleTypeId, consumer)`
pair. Lastly, a `bulkEnsureAuthorized` is exposed which is a wrapper of
the private `_ensureAuthorized`.

### Alerts client
The code in the `AlertsClient` is pretty outdated. For this reason, I
decided not to use the existing functionality and code from scratch. The
`bulkUpdateTags` is introduced, and it bulk updates the tags of multiple
alerts either by using `alertIds` or by using a KQL `query`. In the
first scenario, an aggregation is made to get the rule type ID and the
consumer of each alert. Then we bulk authorize. If the user has access,
we move forward and update the tags of the alerts. If not, we throw an
error. For the `query` scenario, we apply the authorization filter along
with the `query` to filter out the alerts that the user does not have
access to. Lastly, we audit log only once for the whole bulk operation
and not for each alert found.

### API and Backend Enhancements

* Added a new API route `POST /internal/rac/alerts/tags` for bulk
updating alert tags, supporting add, remove, and replace operations,
with validation and error handling.
[[1]](diffhunk://#diff-00a4668b8046bb9c2d423b91818e04ee9532682eecf426e5a80bce35276b0bd8R1-R113)
[[2]](diffhunk://#diff-0abcdbe7de6b3dc00d522a6673ff7bcd99d0f4bf2d6002c59d475e85747d0970R19-R26)
* Implemented the `bulkUpdateTags` method in `AlertsClient`, enabling
tag updates on alerts by IDs or query, using Elasticsearch scripts for
efficient bulk operations.

### Reusable Update Scripts

* Added reusable Painless scripts for adding, removing, and replacing
alert tags, exported from `alert_client_bulk_update_scripts.ts` and
integrated into the client logic.
[[1]](diffhunk://#diff-7c530f4d6aa0a6b9f0ca63714468130690bc5fa7e33a91591849318c1f380f7dR1-R34)
[[2]](diffhunk://#diff-bbccd80f85af0d00f6eafdbc9e444164e6fee357697dc7be42e978fd376a357cR74-R78)

---------

Co-authored-by: Elastic Machine <[email protected]>
Co-authored-by: Christos Nasikas <[email protected]>
Co-authored-by: kibanamachine <[email protected]>

Author: 4 people

x-pack/platform/plugins/shared/alerting/server/authorization/alerting_authorization.mock.ts

@@ -14,6 +14,7 @@ export type AlertingAuthorizationMock = jest.Mocked<Schema>;
 const createAlertingAuthorizationMock = () => {
   const mocked: AlertingAuthorizationMock = {
     ensureAuthorized: jest.fn(),
+    bulkEnsureAuthorized: jest.fn(),
     getAuthorizedRuleTypes: jest.fn().mockResolvedValue(new Map()),
     getFindAuthorizationFilter: jest.fn().mockResolvedValue({
       filter: undefined,

x-pack/platform/plugins/shared/alerting/server/authorization/alerting_authorization.test.ts

@@ -439,13 +439,53 @@ describe('AlertingAuthorization', () => {
     });
   });
 
+  /**
+   * ensureAuthorized calls bulkEnsureAuthorized internally, so we just need
+   * to test that the parameters are passed correctly
+   */
   describe('ensureAuthorized', () => {
     beforeEach(() => {
       jest.clearAllMocks();
       allRegisteredConsumers.clear();
       allRegisteredConsumers.add('myApp');
     });
 
+    it('authorized correctly', async () => {
+      const alertAuthorization = new AlertingAuthorization({
+        request,
+        ruleTypeRegistry,
+        authorization: securityStart.authz,
+        getSpaceId,
+        allRegisteredConsumers,
+        ruleTypesConsumersMap,
+      });
+
+      await alertAuthorization.bulkEnsureAuthorized({
+        ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['myApp'] }],
+        operation: WriteOperations.Create,
+        entity: AlertingAuthorizationEntity.Rule,
+      });
+
+      expect(checkPrivileges).toBeCalledTimes(1);
+      expect(checkPrivileges.mock.calls[0]).toMatchInlineSnapshot(`
+        Array [
+          Object {
+            "kibana": Array [
+              "myType/myApp/rule/create",
+            ],
+          },
+        ]
+      `);
+    });
+  });
+
+  describe('bulkEnsureAuthorized', () => {
+    beforeEach(() => {
+      jest.clearAllMocks();
+      allRegisteredConsumers.clear();
+      allRegisteredConsumers.add('myApp');
+    });
+
     it('is a no-op when there is no authorization api', async () => {
       const alertAuthorization = new AlertingAuthorization({
         request,
@@ -455,9 +495,8 @@ describe('AlertingAuthorization', () => {
         ruleTypesConsumersMap,
       });
 
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'myApp',
+      await alertAuthorization.bulkEnsureAuthorized({
+        ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['myApp'] }],
         operation: WriteOperations.Create,
         entity: AlertingAuthorizationEntity.Rule,
       });
@@ -477,9 +516,8 @@ describe('AlertingAuthorization', () => {
         ruleTypesConsumersMap,
       });
 
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'myApp',
+      await alertAuthorization.bulkEnsureAuthorized({
+        ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['myApp'] }],
         operation: WriteOperations.Create,
         entity: AlertingAuthorizationEntity.Rule,
       });
@@ -497,9 +535,8 @@ describe('AlertingAuthorization', () => {
         ruleTypesConsumersMap,
       });
 
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'myApp',
+      await alertAuthorization.bulkEnsureAuthorized({
+        ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['myApp'] }],
         operation: WriteOperations.Create,
         entity: AlertingAuthorizationEntity.Rule,
       });
@@ -516,6 +553,44 @@ describe('AlertingAuthorization', () => {
       `);
     });
 
+    it('authorized correctly with multiple rule types and consumers', async () => {
+      allRegisteredConsumers.add('consumer-1');
+      allRegisteredConsumers.add('consumer-2');
+      allRegisteredConsumers.add('consumer-3');
+
+      const alertAuthorization = new AlertingAuthorization({
+        request,
+        ruleTypeRegistry,
+        authorization: securityStart.authz,
+        getSpaceId,
+        allRegisteredConsumers,
+        ruleTypesConsumersMap,
+      });
+
+      await alertAuthorization.bulkEnsureAuthorized({
+        ruleTypeIdConsumersPairs: [
+          { ruleTypeId: 'rule-type-id-1', consumers: ['consumer-1', 'consumer-2'] },
+          { ruleTypeId: 'rule-type-id-2', consumers: ['consumer-1', 'consumer-3'] },
+        ],
+        operation: WriteOperations.Create,
+        entity: AlertingAuthorizationEntity.Rule,
+      });
+
+      expect(checkPrivileges).toBeCalledTimes(1);
+      expect(checkPrivileges.mock.calls[0]).toMatchInlineSnapshot(`
+        Array [
+          Object {
+            "kibana": Array [
+              "rule-type-id-1/consumer-1/rule/create",
+              "rule-type-id-1/consumer-2/rule/create",
+              "rule-type-id-2/consumer-1/rule/create",
+              "rule-type-id-2/consumer-3/rule/create",
+            ],
+          },
+        ]
+      `);
+    });
+
     it('throws if user lacks the required rule privileges for the consumer', async () => {
       securityStart.authz.checkPrivilegesDynamicallyWithRequest.mockReturnValue(
         jest.fn(async () => ({ hasAllRequested: false }))
@@ -531,9 +606,8 @@ describe('AlertingAuthorization', () => {
       });
 
       await expect(
-        alertAuthorization.ensureAuthorized({
-          ruleTypeId: 'myType',
-          consumer: 'myApp',
+        alertAuthorization.bulkEnsureAuthorized({
+          ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['myApp'] }],
           operation: WriteOperations.Create,
           entity: AlertingAuthorizationEntity.Rule,
         })
@@ -557,9 +631,8 @@ describe('AlertingAuthorization', () => {
       });
 
       await expect(
-        alertAuthorization.ensureAuthorized({
-          ruleTypeId: 'myType',
-          consumer: 'myApp',
+        alertAuthorization.bulkEnsureAuthorized({
+          ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['myApp'] }],
           operation: WriteOperations.Update,
           entity: AlertingAuthorizationEntity.Alert,
         })
@@ -579,9 +652,8 @@ describe('AlertingAuthorization', () => {
       });
 
       await expect(
-        alertAuthorization.ensureAuthorized({
-          ruleTypeId: 'myType',
-          consumer: 'not-exist',
+        alertAuthorization.bulkEnsureAuthorized({
+          ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['not-exist'] }],
           operation: WriteOperations.Create,
           entity: AlertingAuthorizationEntity.Rule,
         })
@@ -600,9 +672,8 @@ describe('AlertingAuthorization', () => {
       });
 
       await expect(
-        alertAuthorization.ensureAuthorized({
-          ruleTypeId: 'myType',
-          consumer: 'not-exist',
+        alertAuthorization.bulkEnsureAuthorized({
+          ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['not-exist'] }],
           operation: WriteOperations.Create,
           entity: AlertingAuthorizationEntity.Rule,
         })
@@ -623,9 +694,8 @@ describe('AlertingAuthorization', () => {
       });
 
       await expect(
-        alertAuthorization.ensureAuthorized({
-          ruleTypeId: 'myType',
-          consumer: 'not-exist',
+        alertAuthorization.bulkEnsureAuthorized({
+          ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['not-exist'] }],
           operation: WriteOperations.Create,
           entity: AlertingAuthorizationEntity.Rule,
         })
@@ -660,9 +730,10 @@ describe('AlertingAuthorization', () => {
       });
 
       await expect(
-        auth.ensureAuthorized({
-          ruleTypeId: 'rule-type-1',
-          consumer: 'disabled-feature-consumer',
+        auth.bulkEnsureAuthorized({
+          ruleTypeIdConsumersPairs: [
+            { ruleTypeId: 'rule-type-1', consumers: ['disabled-feature-consumer'] },
+          ],
           operation: WriteOperations.Create,
           entity: AlertingAuthorizationEntity.Rule,
         })
@@ -681,9 +752,8 @@ describe('AlertingAuthorization', () => {
         ruleTypesConsumersMap,
       });
 
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'myApp',
+      await alertAuthorization.bulkEnsureAuthorized({
+        ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['myApp'] }],
         operation: WriteOperations.Create,
         entity: AlertingAuthorizationEntity.Rule,
         additionalPrivileges: ['test/create'],

x-pack/platform/plugins/shared/alerting/server/authorization/alerting_authorization.ts

@@ -27,6 +27,13 @@ export interface EnsureAuthorizedOpts {
   additionalPrivileges?: string[];
 }
 
+export interface BulkEnsureAuthorizedOpts {
+  ruleTypeIdConsumersPairs: Array<{ ruleTypeId: string; consumers: string[] }>;
+  operation: ReadOperations | WriteOperations;
+  entity: AlertingAuthorizationEntity;
+  additionalPrivileges?: string[];
+}
+
 interface HasPrivileges {
   read: boolean;
   all: boolean;
@@ -236,35 +243,71 @@ export class AlertingAuthorization {
     entity,
     additionalPrivileges = [],
   }: EnsureAuthorizedOpts) {
+    return this._ensureAuthorized({
+      ruleTypeIdConsumersPairs: [{ ruleTypeId, consumers: [consumer] }],
+      operation,
+      entity,
+      additionalPrivileges,
+    });
+  }
+
+  public async bulkEnsureAuthorized({
+    ruleTypeIdConsumersPairs,
+    operation,
+    entity,
+    additionalPrivileges = [],
+  }: BulkEnsureAuthorizedOpts) {
+    return this._ensureAuthorized({
+      ruleTypeIdConsumersPairs,
+      operation,
+      entity,
+      additionalPrivileges,
+    });
+  }
+
+  private async _ensureAuthorized({
+    ruleTypeIdConsumersPairs,
+    operation,
+    entity,
+    additionalPrivileges = [],
+  }: BulkEnsureAuthorizedOpts) {
     const { authorization } = this;
 
-    const isAvailableConsumer = this.allRegisteredConsumers.has(consumer);
+    const areAllConsumersAvailable = ruleTypeIdConsumersPairs.every(({ consumers }) =>
+      consumers.every((consumer) => this.allRegisteredConsumers.has(consumer))
+    );
+
     if (authorization && this.shouldCheckAuthorization()) {
       const checkPrivileges = authorization.checkPrivilegesDynamicallyWithRequest(this.request);
 
-      const { hasAllRequested } = await checkPrivileges({
-        kibana: [
-          authorization.actions.alerting.get(ruleTypeId, consumer, entity, operation),
-          ...additionalPrivileges,
-        ],
+      const privileges = ruleTypeIdConsumersPairs.flatMap(({ ruleTypeId, consumers }) =>
+        consumers.map((consumer) =>
+          authorization.actions.alerting.get(ruleTypeId, consumer, entity, operation)
+        )
+      );
+
+      const res = await checkPrivileges({
+        kibana: [...privileges, ...additionalPrivileges],
       });
 
-      if (!isAvailableConsumer) {
+      const { hasAllRequested } = res;
+
+      if (!areAllConsumersAvailable) {
         /**
          * Under most circumstances this would have been caught by `checkPrivileges` as
          * a user can't have Privileges to an unknown consumer, but super users
          * don't actually get "privilege checked" so the made up consumer *will* return
          * as Privileged.
          * This check will ensure we don't accidentally let these through
          */
-        throw Boom.forbidden(getUnauthorizedMessage(ruleTypeId, consumer, operation, entity));
+        throw Boom.forbidden(getUnauthorizedMessage(ruleTypeIdConsumersPairs, operation, entity));
       }
 
       if (!hasAllRequested) {
-        throw Boom.forbidden(getUnauthorizedMessage(ruleTypeId, consumer, operation, entity));
+        throw Boom.forbidden(getUnauthorizedMessage(ruleTypeIdConsumersPairs, operation, entity));
       }
-    } else if (!isAvailableConsumer) {
-      throw Boom.forbidden(getUnauthorizedMessage(ruleTypeId, consumer, operation, entity));
+    } else if (!areAllConsumersAvailable) {
+      throw Boom.forbidden(getUnauthorizedMessage(ruleTypeIdConsumersPairs, operation, entity));
     }
   }
 
@@ -316,7 +359,11 @@ export class AlertingAuthorization {
         ensureRuleTypeIsAuthorized: (ruleTypeId: string, consumer: string, authType: string) => {
           if (!authorizedRuleTypes.has(ruleTypeId) || authType !== params.authorizationEntity) {
             throw Boom.forbidden(
-              getUnauthorizedMessage(ruleTypeId, consumer, params.operation, authType)
+              getUnauthorizedMessage(
+                [{ ruleTypeId, consumers: [consumer] }],
+                params.operation,
+                authType
+              )
             );
           }
 
@@ -326,8 +373,7 @@ export class AlertingAuthorization {
           if (!authorizedConsumers[consumer]) {
             throw Boom.forbidden(
               getUnauthorizedMessage(
-                ruleTypeId,
-                consumer,
+                [{ ruleTypeId, consumers: [consumer] }],
                 params.operation,
                 params.authorizationEntity
               )
@@ -496,10 +542,15 @@ function getConsumersWithPrivileges(
 }
 
 function getUnauthorizedMessage(
-  ruleTypeId: string,
-  scope: string,
+  ruleTypeIdConsumersPairs: BulkEnsureAuthorizedOpts['ruleTypeIdConsumersPairs'],
   operation: string,
   entity: string
 ): string {
-  return `Unauthorized by "${scope}" to ${operation} "${ruleTypeId}" ${entity}`;
+  const allConsumers = ruleTypeIdConsumersPairs.flatMap(({ consumers }) => consumers);
+  const allRuleTypeIds = ruleTypeIdConsumersPairs.map(({ ruleTypeId }) => ruleTypeId);
+
+  const ruleTypeIdsMessage = allRuleTypeIds.length <= 0 ? 'any' : `${allRuleTypeIds.join(', ')}`;
+  const consumersMessage = allConsumers.length <= 0 ? 'any consumer' : `${allConsumers.join(', ')}`;
+
+  return `Unauthorized by "${consumersMessage}" to ${operation} "${ruleTypeIdsMessage}" ${entity}`;
 }

x-pack/platform/plugins/shared/rule_registry/docs/alerts_client/alerts_client_api.md

@@ -13,3 +13,4 @@ Alerts as data client API Interface
 - [BulkUpdateOptions](interfaces/bulkupdateoptions.md)
 - [ConstructorOptions](interfaces/constructoroptions.md)
 - [UpdateOptions](interfaces/updateoptions.md)
+- [BulkUpdateTagArgs](interfaces/bulk_update_tag_args.md)