revisist of API keys invalidation

vitaliidm · vitaliidm · commit 0a34da49e490 · 2022-05-11T17:24:53.000+01:00
diff --git a/x-pack/plugins/alerting/server/rules_client/rules_client.ts b/x-pack/plugins/alerting/server/rules_client/rules_client.ts
@@ -1520,6 +1520,7 @@ export class RulesClient {
     const rules: Array<SavedObjectsBulkUpdateObject<RawRule>> = [];
     const errors: BulkEditError[] = [];
     const apiKeysToInvalidate: string[] = [];
+    const apiKeysMap = new Map<string, { oldApiKey?: string; newApiKey?: string }>();
     const username = await this.getUserName();
 
     for await (const response of rulesFinder.find()) {
@@ -1528,7 +1529,7 @@ export class RulesClient {
         async (rule) => {
           try {
             if (rule.attributes.apiKey) {
-              apiKeysToInvalidate.push(rule.attributes.apiKey);
+              apiKeysMap.set(rule.id, { oldApiKey: rule.attributes.apiKey });
             }
 
             const ruleType = this.ruleTypeRegistry.get(rule.attributes.alertTypeId);
@@ -1602,8 +1603,17 @@ export class RulesClient {
             } catch (error) {
               throw Error(`Error updating rule: could not create API key - ${error.message}`);
             }
+
             const apiKeyAttributes = this.apiKeyAsAlertAttributes(createdAPIKey, username);
 
+            // collect generated API keys
+            if (apiKeyAttributes.apiKey) {
+              apiKeysMap.set(rule.id, {
+                ...apiKeysMap.get(rule.id),
+                newApiKey: apiKeyAttributes.apiKey,
+              });
+            }
+
             // get notifyWhen
             const notifyWhen = getRuleNotifyWhenType(
               attributes.notifyWhen,
@@ -1652,7 +1662,41 @@ export class RulesClient {
       );
     }
 
-    const result = await this.unsecuredSavedObjectsClient.bulkUpdate(rules);
+    let result;
+    try {
+      result = await this.unsecuredSavedObjectsClient.bulkUpdate(rules);
+    } catch (e) {
+      // avoid unused newly generated API keys
+      if (apiKeysMap.size > 0) {
+        await bulkMarkApiKeysForInvalidation(
+          {
+            apiKeys: Array.from(apiKeysMap.values()).reduce<string[]>((acc, value) => {
+              if (value.newApiKey) {
+                acc.push(value.newApiKey);
+              }
+              return acc;
+            }, []),
+          },
+          this.logger,
+          this.unsecuredSavedObjectsClient
+        );
+      }
+      throw e;
+    }
+
+    result.saved_objects.map(({ id, error }) => {
+      const oldApiKey = apiKeysMap.get(id)?.oldApiKey;
+      const newApiKey = apiKeysMap.get(id)?.newApiKey;
+
+      // if SO wasn't saved and has new API key it will be invalidated
+      if (error && newApiKey) {
+        apiKeysToInvalidate.push(newApiKey);
+        // if SO saved and has old Api Key it will be invalidate
+      } else if (!error && oldApiKey) {
+        apiKeysToInvalidate.push(oldApiKey);
+      }
+    });
+
     return { apiKeysToInvalidate, resultSavedObjects: result.saved_objects, errors, rules };
   }
 
diff --git a/x-pack/plugins/alerting/server/rules_client/tests/bulk_edit.test.ts b/x-pack/plugins/alerting/server/rules_client/tests/bulk_edit.test.ts
@@ -33,6 +33,7 @@ const actionsAuthorization = actionsAuthorizationMock.create();
 const auditLogger = auditLoggerMock.create();
 
 const kibanaVersion = 'v8.2.0';
+const createAPIKeyMock = jest.fn();
 const rulesClientParams: jest.Mocked<ConstructorOptions> = {
   taskManager,
   ruleTypeRegistry,
@@ -42,7 +43,7 @@ const rulesClientParams: jest.Mocked<ConstructorOptions> = {
   spaceId: 'default',
   namespace: 'default',
   getUserName: jest.fn(),
-  createAPIKey: jest.fn(),
+  createAPIKey: createAPIKeyMock,
   logger: loggingSystemMock.create().get(),
   encryptedSavedObjectsClient: encryptedSavedObjects,
   getActionsClient: jest.fn(),
@@ -581,6 +582,99 @@ describe('bulkEdit()', () => {
       );
     });
 
+    test('should call bulkMarkApiKeysForInvalidation to invalidate unused keys if bulkUpdate failed', async () => {
+      createAPIKeyMock.mockReturnValue({ apiKeysEnabled: true, result: { api_key: '111' } });
+      mockCreatePointInTimeFinderAsInternalUser({
+        saved_objects: [
+          {
+            ...existingDecryptedRule,
+            attributes: { ...existingDecryptedRule.attributes, enabled: true },
+          },
+        ],
+      });
+
+      unsecuredSavedObjectsClient.bulkUpdate.mockImplementation(() => {
+        throw new Error('Fail');
+      });
+
+      await expect(
+        rulesClient.bulkEdit({
+          filter: 'alert.attributes.tags: "APM"',
+          operations: [
+            {
+              field: 'tags',
+              operation: 'add',
+              value: ['test-1'],
+            },
+          ],
+        })
+      ).rejects.toThrow('Fail');
+
+      expect(bulkMarkApiKeysForInvalidation).toHaveBeenCalledTimes(1);
+      expect(bulkMarkApiKeysForInvalidation).toHaveBeenCalledWith(
+        { apiKeys: ['dW5kZWZpbmVkOjExMQ=='] },
+        expect.any(Object),
+        expect.any(Object)
+      );
+    });
+
+    test('should call bulkMarkApiKeysForInvalidation to invalidate unused keys if SO update failed', async () => {
+      createAPIKeyMock.mockReturnValue({ apiKeysEnabled: true, result: { api_key: '111' } });
+      mockCreatePointInTimeFinderAsInternalUser({
+        saved_objects: [
+          {
+            ...existingDecryptedRule,
+            attributes: { ...existingDecryptedRule.attributes, enabled: true },
+          },
+        ],
+      });
+
+      unsecuredSavedObjectsClient.bulkUpdate.mockResolvedValue({
+        saved_objects: [
+          {
+            id: '1',
+            type: 'alert',
+            attributes: {
+              enabled: true,
+              tags: ['foo'],
+              alertTypeId: 'myType',
+              schedule: { interval: '1m' },
+              consumer: 'myApp',
+              scheduledTaskId: 'task-123',
+              params: { index: ['test-index-*'] },
+              throttle: null,
+              notifyWhen: null,
+              actions: [],
+            },
+            references: [],
+            version: '123',
+            error: {
+              error: 'test failure',
+              statusCode: 409,
+              message: 'test failure',
+            },
+          },
+        ],
+      });
+
+      await rulesClient.bulkEdit({
+        filter: 'alert.attributes.tags: "APM"',
+        operations: [
+          {
+            field: 'tags',
+            operation: 'add',
+            value: ['test-1'],
+          },
+        ],
+      });
+
+      expect(bulkMarkApiKeysForInvalidation).toHaveBeenCalledWith(
+        { apiKeys: ['dW5kZWZpbmVkOjExMQ=='] },
+        expect.any(Object),
+        expect.any(Object)
+      );
+    });
+
     test('should not call create apiKey if rule is disabled', async () => {
       await rulesClient.bulkEdit({
         filter: 'alert.attributes.tags: "APM"',
