add workflow tags to bulk update schema

baileycash-elastic · baileycash-elastic · commit cf4f67bf5aef · 2025-10-30T19:55:59.000-04:00
diff --git a/x-pack/platform/plugins/shared/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/platform/plugins/shared/rule_registry/server/alert_data_client/alerts_client.ts
@@ -70,6 +70,11 @@ import { getRuleTypeIdsFilter } from '../lib/get_rule_type_ids_filter';
 import { getConsumersFilter } from '../lib/get_consumers_filter';
 import { mergeUniqueFieldsByName } from '../utils/unique_fields';
 import { getAlertFieldsFromIndexFetcher } from '../utils/get_alert_fields_from_index_fetcher';
+import {
+  ADD_TAGS_UPDATE_SCRIPT,
+  getStatusUpdateScript,
+  REMOVE_TAGS_UPDATE_SCRIPT,
+} from '../utils/alert_client_bulk_update_scripts';
 import type { GetAlertFieldsResponseV1 } from '../routes/get_alert_fields';
 
 // TODO: Fix typings https://github.com/elastic/kibana/issues/101776
@@ -113,9 +118,11 @@ export interface UpdateOptions<Params extends RuleTypeParams> {
 
 export interface BulkUpdateOptions<Params extends RuleTypeParams> {
   ids?: string[] | null;
-  status: STATUS_VALUES;
+  status?: STATUS_VALUES;
   index: string;
   query?: object | string | null;
+  addTags?: string[];
+  removeTags?: string[];
 }
 
 interface MgetAndAuditAlert {
@@ -442,25 +449,6 @@ export class AlertsClient {
     }
   }
 
-  /**
-   * When an update by ids is requested, do a multi-get, ensure authz and audit alerts, then execute bulk update
-   */
-  private async mgetAlertsAuditOperateStatus({
-    alerts,
-    status,
-    operation,
-  }: {
-    alerts: MgetAndAuditAlert[];
-    status: STATUS_VALUES;
-    operation: ReadOperations.Find | ReadOperations.Get | WriteOperations.Update;
-  }) {
-    return this.mgetAlertsAuditOperate({
-      alerts,
-      operation,
-      fieldToUpdate: (source) => this.getAlertStatusFieldUpdate(source, status),
-    });
-  }
-
   private async buildEsQueryWithAuthz(
     query: object | string | null | undefined,
     id: string | null | undefined,
@@ -810,15 +798,70 @@ export class AlertsClient {
     query,
     index,
     status,
+    addTags,
+    removeTags,
   }: BulkUpdateOptions<Params>) {
+    const scriptOps: string[] = [];
+    const params: Record<string, any> = {};
+
+    if (status != null) {
+      scriptOps.push(getStatusUpdateScript(status));
+    }
+
+    if (addTags != null && addTags.length > 0) {
+      params.addTags = addTags;
+      scriptOps.push(ADD_TAGS_UPDATE_SCRIPT);
+    }
+
+    if (removeTags != null && removeTags.length > 0) {
+      params.removeTags = removeTags;
+      scriptOps.push(REMOVE_TAGS_UPDATE_SCRIPT);
+    }
+
+    if (scriptOps.length === 0) {
+      return;
+    }
+
+    const script = {
+      source: scriptOps.join('\n'),
+      lang: 'painless',
+      params,
+    };
+
     // rejects at the route level if more than 1000 id's are passed in
     if (ids != null) {
       const alerts = ids.map((id) => ({ id, index }));
-      return this.mgetAlertsAuditOperateStatus({
+      const mgetRes = await this.ensureAllAlertsAuthorized({
         alerts,
-        status,
         operation: WriteOperations.Update,
       });
+
+      const bulkUpdateRequest = [];
+
+      for (const item of mgetRes.docs) {
+        // @ts-expect-error doesn't handle error branch in MGetResponse
+        if (item.found) {
+          bulkUpdateRequest.push(
+            {
+              update: {
+                _index: item._index,
+                _id: item._id,
+              },
+            },
+            { script }
+          );
+        }
+      }
+
+      if (bulkUpdateRequest.length === 0) {
+        return;
+      }
+
+      const bulkUpdateResponse = await this.esClient.bulk({
+        refresh: 'wait_for',
+        body: bulkUpdateRequest,
+      });
+      return bulkUpdateResponse;
     } else if (query != null) {
       try {
         // execute search after with query + authorization filter
@@ -835,18 +878,11 @@ export class AlertsClient {
 
         // executes updateByQuery with query + authorization filter
         // used in the queryAndAuditAllAlerts function
+
         const result = await this.esClient.updateByQuery({
           index,
           conflicts: 'proceed',
-          script: {
-            source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) {
-                ctx._source['${ALERT_WORKFLOW_STATUS}'] = '${status}'
-              }
-              if (ctx._source.signal != null && ctx._source.signal.status != null) {
-                ctx._source.signal.status = '${status}'
-              }`,
-            lang: 'painless',
-          },
+          script,
           query: fetchAndAuditResponse.authorizedQuery as Omit<QueryDslQueryContainer, 'script'>,
           ignore_unavailable: true,
         });
diff --git a/x-pack/platform/plugins/shared/rule_registry/server/routes/bulk_update_alerts.ts b/x-pack/platform/plugins/shared/rule_registry/server/routes/bulk_update_alerts.ts
@@ -20,28 +20,40 @@ export const bulkUpdateAlertsRoute = (router: IRouter<RacRequestHandlerContext>)
       validate: {
         body: buildRouteValidation(
           t.union([
-            t.strict({
-              status: t.union([
-                t.literal('open'),
-                t.literal('closed'),
-                t.literal('in-progress'), // TODO: remove after migration to acknowledged
-                t.literal('acknowledged'),
-              ]),
-              index: t.string,
-              ids: t.array(t.string),
-              query: t.undefined,
-            }),
-            t.strict({
-              status: t.union([
-                t.literal('open'),
-                t.literal('closed'),
-                t.literal('in-progress'), // TODO: remove after migration to acknowledged
-                t.literal('acknowledged'),
-              ]),
-              index: t.string,
-              ids: t.undefined,
-              query: t.union([t.object, t.string]),
-            }),
+            t.intersection([
+              t.strict({
+                index: t.string,
+                ids: t.array(t.string),
+                query: t.undefined,
+              }),
+              t.partial({
+                status: t.union([
+                  t.literal('open'),
+                  t.literal('closed'),
+                  t.literal('in-progress'), // TODO: remove after migration to acknowledged
+                  t.literal('acknowledged'),
+                ]),
+                addTags: t.array(t.string),
+                removeTags: t.array(t.string),
+              }),
+            ]),
+            t.intersection([
+              t.strict({
+                index: t.string,
+                ids: t.undefined,
+                query: t.union([t.object, t.string]),
+              }),
+              t.partial({
+                status: t.union([
+                  t.literal('open'),
+                  t.literal('closed'),
+                  t.literal('in-progress'), // TODO: remove after migration to acknowledged
+                  t.literal('acknowledged'),
+                ]),
+                addTags: t.array(t.string),
+                removeTags: t.array(t.string),
+              }),
+            ]),
           ])
         ),
       },
@@ -58,7 +70,7 @@ export const bulkUpdateAlertsRoute = (router: IRouter<RacRequestHandlerContext>)
       try {
         const racContext = await context.rac;
         const alertsClient = await racContext.getAlertsClient();
-        const { status, ids, index, query } = req.body;
+        const { status, ids, index, query, addTags, removeTags } = req.body;
 
         if (ids != null && ids.length > 1000) {
           return response.badRequest({
@@ -73,6 +85,8 @@ export const bulkUpdateAlertsRoute = (router: IRouter<RacRequestHandlerContext>)
           status,
           query,
           index,
+          addTags,
+          removeTags,
         });
 
         if (updatedAlert == null) {
diff --git a/x-pack/platform/plugins/shared/rule_registry/server/utils/alert_client_bulk_update_scripts.ts b/x-pack/platform/plugins/shared/rule_registry/server/utils/alert_client_bulk_update_scripts.ts
@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import {
+  ALERT_WORKFLOW_STATUS,
+  ALERT_WORKFLOW_TAGS,
+} from '../../common/technical_rule_data_field_names';
+
+export const getStatusUpdateScript = (status: string) => {
+  return `
+          if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) {
+            ctx._source['${ALERT_WORKFLOW_STATUS}'] = '${status}';
+          }
+          if (ctx._source.signal != null && ctx._source.signal.status != null) {
+            ctx._source.signal.status = '${status}';
+          }
+        `;
+};
+
+export const ADD_TAGS_UPDATE_SCRIPT = `
+        if (ctx._source['${ALERT_WORKFLOW_TAGS}'] == null) {
+          ctx._source['${ALERT_WORKFLOW_TAGS}'] = new ArrayList();
+        }
+        for (item in params.addTags) {
+          if (!ctx._source['${ALERT_WORKFLOW_TAGS}'].contains(item)) {
+            ctx._source['${ALERT_WORKFLOW_TAGS}'].add(item);
+          }
+        }
+      `;
+
+export const REMOVE_TAGS_UPDATE_SCRIPT = `
+        if (ctx._source['${ALERT_WORKFLOW_TAGS}'] != null) {
+          for (int i = 0; i < params.removeTags.length; i++) {
+            if (ctx._source['${ALERT_WORKFLOW_TAGS}'].contains(params.removeTags[i])) {
+              int index = ctx._source['${ALERT_WORKFLOW_TAGS}'].indexOf(params.removeTags[i]);
+              ctx._source['${ALERT_WORKFLOW_TAGS}'].remove(index);
+            }
+          }
+        }
+      `;
