[Alerting] Allow alert tags to be modified in bulk

x-pack/platform/plugins/shared/alerting/server/authorization/alerting_authorization.mock.ts

@@ -14,6 +14,7 @@ export type AlertingAuthorizationMock = jest.Mocked<Schema>;
 const createAlertingAuthorizationMock = () => {
   const mocked: AlertingAuthorizationMock = {
     ensureAuthorized: jest.fn(),
+    bulkEnsureAuthorized: jest.fn(),
     getAuthorizedRuleTypes: jest.fn().mockResolvedValue(new Map()),
     getFindAuthorizationFilter: jest.fn().mockResolvedValue({
       filter: undefined,

x-pack/platform/plugins/shared/alerting/server/authorization/alerting_authorization.test.ts

@@ -439,13 +439,53 @@ describe('AlertingAuthorization', () => {
     });
   });
 
+  /**
+   * ensureAuthorized calls bulkEnsureAuthorized internally, so we just need
+   * to test that the parameters are passed correctly
+   */
   describe('ensureAuthorized', () => {
     beforeEach(() => {
       jest.clearAllMocks();
       allRegisteredConsumers.clear();
       allRegisteredConsumers.add('myApp');
     });
 
+    it('authorized correctly', async () => {
+      const alertAuthorization = new AlertingAuthorization({
+        request,
+        ruleTypeRegistry,
+        authorization: securityStart.authz,
+        getSpaceId,
+        allRegisteredConsumers,
+        ruleTypesConsumersMap,
+      });
+
+      await alertAuthorization.bulkEnsureAuthorized({
+        ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['myApp'] }],
+        operation: WriteOperations.Create,
+        entity: AlertingAuthorizationEntity.Rule,
+      });
+
+      expect(checkPrivileges).toBeCalledTimes(1);
+      expect(checkPrivileges.mock.calls[0]).toMatchInlineSnapshot(`
+        Array [
+          Object {
+            "kibana": Array [
+              "myType/myApp/rule/create",
+            ],
+          },
+        ]
+      `);
+    });
+  });
+
+  describe('bulkEnsureAuthorized', () => {
+    beforeEach(() => {
+      jest.clearAllMocks();
+      allRegisteredConsumers.clear();
+      allRegisteredConsumers.add('myApp');
+    });
+
     it('is a no-op when there is no authorization api', async () => {
       const alertAuthorization = new AlertingAuthorization({
         request,
@@ -455,9 +495,8 @@ describe('AlertingAuthorization', () => {
         ruleTypesConsumersMap,
       });
 
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'myApp',
+      await alertAuthorization.bulkEnsureAuthorized({
+        ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['myApp'] }],
         operation: WriteOperations.Create,
         entity: AlertingAuthorizationEntity.Rule,
       });
@@ -477,9 +516,8 @@ describe('AlertingAuthorization', () => {
         ruleTypesConsumersMap,
       });
 
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'myApp',
+      await alertAuthorization.bulkEnsureAuthorized({
+        ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['myApp'] }],
         operation: WriteOperations.Create,
         entity: AlertingAuthorizationEntity.Rule,
       });
@@ -497,9 +535,8 @@ describe('AlertingAuthorization', () => {
         ruleTypesConsumersMap,
       });
 
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'myApp',
+      await alertAuthorization.bulkEnsureAuthorized({
+        ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['myApp'] }],
         operation: WriteOperations.Create,
         entity: AlertingAuthorizationEntity.Rule,
       });
@@ -516,6 +553,44 @@ describe('AlertingAuthorization', () => {
       `);
     });
 
+    it('authorized correctly with multiple rule types and consumers', async () => {
+      allRegisteredConsumers.add('consumer-1');
+      allRegisteredConsumers.add('consumer-2');
+      allRegisteredConsumers.add('consumer-3');
+
+      const alertAuthorization = new AlertingAuthorization({
+        request,
+        ruleTypeRegistry,
+        authorization: securityStart.authz,
+        getSpaceId,
+        allRegisteredConsumers,
+        ruleTypesConsumersMap,
+      });
+
+      await alertAuthorization.bulkEnsureAuthorized({
+        ruleTypeIdConsumersPairs: [
+          { ruleTypeId: 'rule-type-id-1', consumers: ['consumer-1', 'consumer-2'] },
+          { ruleTypeId: 'rule-type-id-2', consumers: ['consumer-1', 'consumer-3'] },
+        ],
+        operation: WriteOperations.Create,
+        entity: AlertingAuthorizationEntity.Rule,
+      });
+
+      expect(checkPrivileges).toBeCalledTimes(1);
+      expect(checkPrivileges.mock.calls[0]).toMatchInlineSnapshot(`
+        Array [
+          Object {
+            "kibana": Array [
+              "rule-type-id-1/consumer-1/rule/create",
+              "rule-type-id-1/consumer-2/rule/create",
+              "rule-type-id-2/consumer-1/rule/create",
+              "rule-type-id-2/consumer-3/rule/create",
+            ],
+          },
+        ]
+      `);
+    });
+
     it('throws if user lacks the required rule privileges for the consumer', async () => {
       securityStart.authz.checkPrivilegesDynamicallyWithRequest.mockReturnValue(
         jest.fn(async () => ({ hasAllRequested: false }))
@@ -531,9 +606,8 @@ describe('AlertingAuthorization', () => {
       });
 
       await expect(
-        alertAuthorization.ensureAuthorized({
-          ruleTypeId: 'myType',
-          consumer: 'myApp',
+        alertAuthorization.bulkEnsureAuthorized({
+          ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['myApp'] }],
           operation: WriteOperations.Create,
           entity: AlertingAuthorizationEntity.Rule,
         })
@@ -557,9 +631,8 @@ describe('AlertingAuthorization', () => {
       });
 
       await expect(
-        alertAuthorization.ensureAuthorized({
-          ruleTypeId: 'myType',
-          consumer: 'myApp',
+        alertAuthorization.bulkEnsureAuthorized({
+          ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['myApp'] }],
           operation: WriteOperations.Update,
           entity: AlertingAuthorizationEntity.Alert,
         })
@@ -579,9 +652,8 @@ describe('AlertingAuthorization', () => {
       });
 
       await expect(
-        alertAuthorization.ensureAuthorized({
-          ruleTypeId: 'myType',
-          consumer: 'not-exist',
+        alertAuthorization.bulkEnsureAuthorized({
+          ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['not-exist'] }],
           operation: WriteOperations.Create,
           entity: AlertingAuthorizationEntity.Rule,
         })
@@ -600,9 +672,8 @@ describe('AlertingAuthorization', () => {
       });
 
       await expect(
-        alertAuthorization.ensureAuthorized({
-          ruleTypeId: 'myType',
-          consumer: 'not-exist',
+        alertAuthorization.bulkEnsureAuthorized({
+          ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['not-exist'] }],
           operation: WriteOperations.Create,
           entity: AlertingAuthorizationEntity.Rule,
         })
@@ -623,9 +694,8 @@ describe('AlertingAuthorization', () => {
       });
 
       await expect(
-        alertAuthorization.ensureAuthorized({
-          ruleTypeId: 'myType',
-          consumer: 'not-exist',
+        alertAuthorization.bulkEnsureAuthorized({
+          ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['not-exist'] }],
           operation: WriteOperations.Create,
           entity: AlertingAuthorizationEntity.Rule,
         })
@@ -660,9 +730,10 @@ describe('AlertingAuthorization', () => {
       });
 
       await expect(
-        auth.ensureAuthorized({
-          ruleTypeId: 'rule-type-1',
-          consumer: 'disabled-feature-consumer',
+        auth.bulkEnsureAuthorized({
+          ruleTypeIdConsumersPairs: [
+            { ruleTypeId: 'rule-type-1', consumers: ['disabled-feature-consumer'] },
+          ],
           operation: WriteOperations.Create,
           entity: AlertingAuthorizationEntity.Rule,
         })
@@ -681,9 +752,8 @@ describe('AlertingAuthorization', () => {
         ruleTypesConsumersMap,
       });
 
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'myApp',
+      await alertAuthorization.bulkEnsureAuthorized({
+        ruleTypeIdConsumersPairs: [{ ruleTypeId: 'myType', consumers: ['myApp'] }],
         operation: WriteOperations.Create,
         entity: AlertingAuthorizationEntity.Rule,
         additionalPrivileges: ['test/create'],

x-pack/platform/plugins/shared/alerting/server/authorization/alerting_authorization.ts

@@ -27,6 +27,13 @@ export interface EnsureAuthorizedOpts {
   additionalPrivileges?: string[];
 }
 
+export interface BulkEnsureAuthorizedOpts {
+  ruleTypeIdConsumersPairs: Array<{ ruleTypeId: string; consumers: string[] }>;
+  operation: ReadOperations | WriteOperations;
+  entity: AlertingAuthorizationEntity;
+  additionalPrivileges?: string[];
+}
+
 interface HasPrivileges {
   read: boolean;
   all: boolean;
@@ -236,35 +243,71 @@ export class AlertingAuthorization {
     entity,
     additionalPrivileges = [],
   }: EnsureAuthorizedOpts) {
+    return this._ensureAuthorized({
+      ruleTypeIdConsumersPairs: [{ ruleTypeId, consumers: [consumer] }],
+      operation,
+      entity,
+      additionalPrivileges,
+    });
+  }
+
+  public async bulkEnsureAuthorized({
+    ruleTypeIdConsumersPairs,
+    operation,
+    entity,
+    additionalPrivileges = [],
+  }: BulkEnsureAuthorizedOpts) {
+    return this._ensureAuthorized({
+      ruleTypeIdConsumersPairs,
+      operation,
+      entity,
+      additionalPrivileges,
+    });
+  }
+
+  private async _ensureAuthorized({
+    ruleTypeIdConsumersPairs,
+    operation,
+    entity,
+    additionalPrivileges = [],
+  }: BulkEnsureAuthorizedOpts) {
     const { authorization } = this;
 
-    const isAvailableConsumer = this.allRegisteredConsumers.has(consumer);
+    const areAllConsumersAvailable = ruleTypeIdConsumersPairs.every(({ consumers }) =>
+      consumers.every((consumer) => this.allRegisteredConsumers.has(consumer))
+    );
+
     if (authorization && this.shouldCheckAuthorization()) {
       const checkPrivileges = authorization.checkPrivilegesDynamicallyWithRequest(this.request);
 
-      const { hasAllRequested } = await checkPrivileges({
-        kibana: [
-          authorization.actions.alerting.get(ruleTypeId, consumer, entity, operation),
-          ...additionalPrivileges,
-        ],
+      const privileges = ruleTypeIdConsumersPairs.flatMap(({ ruleTypeId, consumers }) =>
+        consumers.map((consumer) =>
+          authorization.actions.alerting.get(ruleTypeId, consumer, entity, operation)
+        )
+      );
+
+      const res = await checkPrivileges({
+        kibana: [...privileges, ...additionalPrivileges],
       });
 
-      if (!isAvailableConsumer) {
+      const { hasAllRequested } = res;
+
+      if (!areAllConsumersAvailable) {
         /**
          * Under most circumstances this would have been caught by `checkPrivileges` as
          * a user can't have Privileges to an unknown consumer, but super users
          * don't actually get "privilege checked" so the made up consumer *will* return
          * as Privileged.
          * This check will ensure we don't accidentally let these through
          */
-        throw Boom.forbidden(getUnauthorizedMessage(ruleTypeId, consumer, operation, entity));
+        throw Boom.forbidden(getUnauthorizedMessage(ruleTypeIdConsumersPairs, operation, entity));
       }
 
       if (!hasAllRequested) {
-        throw Boom.forbidden(getUnauthorizedMessage(ruleTypeId, consumer, operation, entity));
+        throw Boom.forbidden(getUnauthorizedMessage(ruleTypeIdConsumersPairs, operation, entity));
       }
-    } else if (!isAvailableConsumer) {
-      throw Boom.forbidden(getUnauthorizedMessage(ruleTypeId, consumer, operation, entity));
+    } else if (!areAllConsumersAvailable) {
+      throw Boom.forbidden(getUnauthorizedMessage(ruleTypeIdConsumersPairs, operation, entity));
     }
   }
 
@@ -316,7 +359,11 @@ export class AlertingAuthorization {
         ensureRuleTypeIsAuthorized: (ruleTypeId: string, consumer: string, authType: string) => {
           if (!authorizedRuleTypes.has(ruleTypeId) || authType !== params.authorizationEntity) {
             throw Boom.forbidden(
-              getUnauthorizedMessage(ruleTypeId, consumer, params.operation, authType)
+              getUnauthorizedMessage(
+                [{ ruleTypeId, consumers: [consumer] }],
+                params.operation,
+                authType
+              )
             );
           }
 
@@ -326,8 +373,7 @@ export class AlertingAuthorization {
           if (!authorizedConsumers[consumer]) {
             throw Boom.forbidden(
               getUnauthorizedMessage(
-                ruleTypeId,
-                consumer,
+                [{ ruleTypeId, consumers: [consumer] }],
                 params.operation,
                 params.authorizationEntity
               )
@@ -496,10 +542,15 @@ function getConsumersWithPrivileges(
 }
 
 function getUnauthorizedMessage(
-  ruleTypeId: string,
-  scope: string,
+  ruleTypeIdConsumersPairs: BulkEnsureAuthorizedOpts['ruleTypeIdConsumersPairs'],
   operation: string,
   entity: string
 ): string {
-  return `Unauthorized by "${scope}" to ${operation} "${ruleTypeId}" ${entity}`;
+  const allConsumers = ruleTypeIdConsumersPairs.flatMap(({ consumers }) => consumers);
+  const allRuleTypeIds = ruleTypeIdConsumersPairs.map(({ ruleTypeId }) => ruleTypeId);
+
+  const ruleTypeIdsMessage = allRuleTypeIds.length <= 0 ? 'any' : `${allRuleTypeIds.join(', ')}`;
+  const consumersMessage = allConsumers.length <= 0 ? 'any consumer' : `${allConsumers.join(', ')}`;
+
+  return `Unauthorized by "${consumersMessage}" to ${operation} "${ruleTypeIdsMessage}" ${entity}`;
 }

x-pack/platform/plugins/shared/rule_registry/docs/alerts_client/alerts_client_api.md

@@ -13,3 +13,4 @@ Alerts as data client API Interface
 - [BulkUpdateOptions](interfaces/bulkupdateoptions.md)
 - [ConstructorOptions](interfaces/constructoroptions.md)
 - [UpdateOptions](interfaces/updateoptions.md)
+- [BulkUpdateTagArgs](interfaces/bulk_update_tag_args.md)