[Response Ops][Task Manager] Update functions do not handle API key invalidation

[doakalexi]

Resolves #244918
Resolves #247560. I fixed a skipped test, bc I needed to write tests in that area.

Summary

This PR updates the bulk update function in to regenerate the API key on task update. There may be cases where we don't want to regenerate the API key, so I added an flag that can be passed in the with the request to indicate whether or not we want regenerate the API key.

I made some changes to bulk update function to handle the following:

• If a task with an API key is updated without a request, we cannot correctly get the encrypted saved objects client to use for update and so we throw an error.
• If a task with an API key is updated with a request and the regenerate flag is set to true, we invalidate the old API key and create a new API key using the new request.
• If a task without an API key is updated with a request, no changes are made bc we don't want to add an API key to this task
• If a task without an API key is updated without a request, no changes are made.

Note: I didn't update the update or bulkPartialUpdate functions because they are only used internally by task manager. Pls let me know if I'm misunderstanding, and I can add them there too.

Checklist

• Unit or functional tests were updated or added to match the most common scenarios

To verify

1. Update scheduled_reports_service.ts here (on line 496) with

await this.taskManager.bulkUpdateSchedules([id], schedule, {
        request: this.request,
        regenerateApiKey: true,
      });

3. Start Kibana
4. Go to discover and create a scheduled report and let it run
5. Go to dev tools and run the following command. Take note of the API key

POST .kibana_task_manager/_search
{
    "query": {
        "term": {
          "task.taskType": {
            "value": "report:execute-scheduled"
          }
        }
    }
}

6. Go to the reporting page in stack management and edit the schedule date to be a couple minutes in the future
7. Repeat step 4 and verify that the API key has been updated.
8. Verify that after the update the scheduled report runs as expected.

[doakalexi]

I updated this test to throw an error, but the changes make it seem like I changed the other tests too.

[doakalexi]

/oblt-deploy

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[pmuellr]

from #244918 (comment) :

if a user updates the search query, that should result in an API key change.

Note that search query, for a scheduled report, isn't stored in the task at all, so it makes sense to parameterize the regenerateApiKey flag - the caller is the only one that can determine if the API key should be updated. However, it's set for all the elements passed in. I don't think this is a problem today, but if some code did need to do some bulk updates with some regen'd and some not, they'd have to make two separate bulk calls. So, not a problem, something to consider for the future.

Likewise, if any doc in an update with fail with one of the new constraints (has an API key, request is null), ALL of the updates will fail. Again, we may want to revisit this later, but I think it's fine for now, as it seems unlikely folks would be mixing and matching tasks with and without API keys.

[pmuellr]

LGTM, except for the timing on marking API keys invalid. Looks like it's too early to me, an error after processing those could potential cancel the update, but also invalidate the keys that are still in the tasks?

[pmuellr]

I notice this failed on Dec 29 - makes sense, fails starting on Dec 29, starts working again Jan 1 :-)

[pmuellr]

We mark invalidated API keys in this new function, but it seems too early, if an error occurs somewhere after here and we throw an error instead of doing the update. Seems like we should only invalidate the keys if the SO bulk update succeeds.

[doakalexi]

Oh okay that makes sense! I will update this, thanks!

[doakalexi]

Updated in this commit, 48d89c0

[elasticmachine]

⏳ Build in-progress, with failures

• Buildkite Build
• Commit: 48d89c0

Failed CI Steps

• FTR Configs #22
• FTR Configs #31
• FTR Configs #39
• FTR Configs #39
• FTR Configs #61
• FTR Configs #102
• FTR Configs #112
• FTR Configs #127

Test Failures

• [job] [logs] FTR Configs #39 / Cloud Security Posture Security Alerts Page - Graph visualization expanded flyout - show alert details
• [job] [logs] FTR Configs #39 / Cloud Security Posture Test adding Cloud Security Posture Integrations CSPM AWS CIS_AWS Organization Manual Direct Access CIS_AWS Organization Manual Direct Access Workflow

History

• 💚 Build #386087 succeeded 5099223
• 💔 Build #382300 failed 804c2bb

[pmuellr]

LGTM, left a code style comment

[pmuellr]

We could move these two lines up, to be in top-level function scope. And then also move the return { ... } down, replacing the current return null;. Then you wouldn't need the conditional assignment at the call-site.

[doakalexi]

Updated in this commit, fb51512 and this one 0b83b97

[pmuellr]

LGTM, thx