Invalidate alert API Key when generating a new one#53732
Invalidate alert API Key when generating a new one#53732mikecote merged 10 commits intoelastic:masterfrom
Conversation
|
Pinging @elastic/kibana-alerting-services (Team:Alerting Services) |
|
@elasticmachine merge upstream |
💔 Build FailedHistory
To update your PR or re-run it, just comment with: |
💔 Build FailedTo update your PR or re-run it, just comment with: |
…t-api-key-cleanup
|
@elasticmachine merge upstream |
pmuellr
left a comment
There was a problem hiding this comment.
LGTM; added a comment/question about whether we need the new namespace param, whether we can just calculate as needed or at initialization based on spaceId
| alertTypeRegistry: AlertTypeRegistry; | ||
| encryptedSavedObjectsPlugin: EncryptedSavedObjectsStartContract; | ||
| spaceId?: string; | ||
| namespace?: string; |
There was a problem hiding this comment.
What's the difference between spaceId and namespace? Looks like spaceId is only ever used in scheduleAlert(). I see some a conversion function used elsewhere in files in the PR - spaceIdToNamespace(), wondering if we should just use spaceIdToNamespace(this.spaceId) instead of adding the namespace parameter?
There was a problem hiding this comment.
I'm not sure myself of the difference but I have been told by the security team that there is a difference. Also that we should use spaceId as our source of truth to convert into namespace and basePath.
We can use the function spaceIdToNamespace to get the value but I would have to pass the spaceIdToNamespace function as an argument to alerts client instead. So I figured I might as well pass the result of the function. I'm indifferent on the approach, thoughts?
There was a problem hiding this comment.
eh, I worry about two highly related values being stored like that, in case one gets "out of sync" with the other, but I don't think that's really an issue since you can't really change the space of a SO anyway. And having to send more functions in doesn't sound all that great either. Seems like leaving it the way it is, is fine.
There was a problem hiding this comment.
I'm hoping eventually we can just pass around the setup and start objects instead of sub-functions / properties. Though, not sure if that's good or bad but would reduce the number of things being passed around drastically.
| } | ||
| return { | ||
| created: true, | ||
| apiKeysEnabled: true, |
| const apiKeyId = Buffer.from(apiKey, 'base64') | ||
| .toString() | ||
| .split(':')[0]; | ||
| const response = await this.invalidateAPIKey({ id: apiKeyId }); |
There was a problem hiding this comment.
If this throws (instead of returning an error_count > 0) then we wo't get the error message that says we failed to invalidate the key. Is it worth catching and logging accordingly?
There was a problem hiding this comment.
The log message will still be there from the security plugin: https://github.com/elastic/kibana/blob/master/x-pack/plugins/security/server/authentication/api_keys.ts#L161.
Though I went ahead and also wrapped it ourselves to swallow the error in that case: 4a4aad9.
gmmorris
left a comment
There was a problem hiding this comment.
LGTM.
Left a couple of notes about testing for the unhappy path of invalidating keys, but other than that, looks good.
| alertsClientParams.invalidateAPIKey.mockResolvedValue({ | ||
| apiKeysEnabled: true, | ||
| result: { error_count: 0 }, | ||
| }); |
There was a problem hiding this comment.
Feels like we're testing the happy path here, it might be worth adding a couple of tests that checks what happens when these api calls fail (throw an error, etc)
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
* Initial work to auto cleanup old API keys * Fix ESLint error * Rename confusing variables * Add test to ensure thrown errors are swallowed * Add more tests Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* Initial work to auto cleanup old API keys * Fix ESLint error * Rename confusing variables * Add test to ensure thrown errors are swallowed * Add more tests Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* master: increase delay to make sure license refetched (elastic#53882) Allow custom NP plugin paths in production (elastic#53562) [Maps] show custom color ramps in legend (elastic#53780) [Lens] Expression type on document can be null (elastic#53883) [SIEM] [Detection engine] Add user permission to detection engine (elastic#53778) Update dependency @elastic/charts to v16.0.2 (elastic#52619) Set consistent EOL symbol in core API docs (elastic#53815) [Logs UI] Refactor query bar state to hooks (elastic#52656) [Maps] pass getFieldFormatter to DynamicTextProperty (elastic#53937) Invalidate alert API Key when generating a new one (elastic#53732) [Logs UI] HTTP API for log entries (elastic#53798)
* master: increase delay to make sure license refetched (elastic#53882) Allow custom NP plugin paths in production (elastic#53562) [Maps] show custom color ramps in legend (elastic#53780) [Lens] Expression type on document can be null (elastic#53883) [SIEM] [Detection engine] Add user permission to detection engine (elastic#53778) Update dependency @elastic/charts to v16.0.2 (elastic#52619) Set consistent EOL symbol in core API docs (elastic#53815) [Logs UI] Refactor query bar state to hooks (elastic#52656) [Maps] pass getFieldFormatter to DynamicTextProperty (elastic#53937) Invalidate alert API Key when generating a new one (elastic#53732) [Logs UI] HTTP API for log entries (elastic#53798) [kbn/pm] add caching to bootstrap (elastic#53622) adds createdAt and updatedAt fields to alerting (elastic#53793)
* master: increase delay to make sure license refetched (elastic#53882) Allow custom NP plugin paths in production (elastic#53562) [Maps] show custom color ramps in legend (elastic#53780) [Lens] Expression type on document can be null (elastic#53883) [SIEM] [Detection engine] Add user permission to detection engine (elastic#53778) Update dependency @elastic/charts to v16.0.2 (elastic#52619) Set consistent EOL symbol in core API docs (elastic#53815) [Logs UI] Refactor query bar state to hooks (elastic#52656) [Maps] pass getFieldFormatter to DynamicTextProperty (elastic#53937) Invalidate alert API Key when generating a new one (elastic#53732) [Logs UI] HTTP API for log entries (elastic#53798) [kbn/pm] add caching to bootstrap (elastic#53622) adds createdAt and updatedAt fields to alerting (elastic#53793) [SR] Enable component integration tests (elastic#53893)
…nsole-dependencies * 'master' of github.com:elastic/kibana: (33 commits) adds strict types to Alerting Client (elastic#53821) [Dashboard] Empty screen redesign (elastic#53681) Migrate config deprecations and `ShieldUser` functionality to the New Platform (elastic#53768) increase delay to make sure license refetched (elastic#53882) Allow custom NP plugin paths in production (elastic#53562) [Maps] show custom color ramps in legend (elastic#53780) [Lens] Expression type on document can be null (elastic#53883) [SIEM] [Detection engine] Add user permission to detection engine (elastic#53778) Update dependency @elastic/charts to v16.0.2 (elastic#52619) Set consistent EOL symbol in core API docs (elastic#53815) [Logs UI] Refactor query bar state to hooks (elastic#52656) [Maps] pass getFieldFormatter to DynamicTextProperty (elastic#53937) Invalidate alert API Key when generating a new one (elastic#53732) [Logs UI] HTTP API for log entries (elastic#53798) [kbn/pm] add caching to bootstrap (elastic#53622) adds createdAt and updatedAt fields to alerting (elastic#53793) [SR] Enable component integration tests (elastic#53893) Move index patterns: src/legacy/core_plugins/data 👉 src/plugins/data (elastic#53794) moved Task Manager server code under "server" directory (elastic#53777) Rename `/api/security/oidc` to `/api/security/oidc/callback`. (elastic#53886) ... # Conflicts: # yarn.lock
Resolves #45144
In this PR, I'm invalidating API keys after generating a new one. This happens within the update, enable, updateApiKey calls as well as after deleting an alert.
I'm also renaming a variable within
CreateAPIKeyResultinterface to be more clear (created->apiKeysEnabled). This is to be consistent with the new interfaceInvalidateAPIKeyResult.There are some notes worth considering (created an issue to track them #53868):
invalidated: trueas an attribute