Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Cases] Remove case id from alerts when deleting a case #154829

Merged
merged 8 commits into from
Apr 18, 2023
Merged

[Cases] Remove case id from alerts when deleting a case #154829

merged 8 commits into from
Apr 18, 2023

Conversation

cnasikas
Copy link
Member

@cnasikas cnasikas commented Apr 12, 2023
edited
Loading

Summary

This PR removes the case id from all alerts attached to a case when deleting a case. It also removes any alert authorization when removing alerts from a case.

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@cnasikas cnasikas added release_note:skip Skip the PR/issue when compiling release notes Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Cases Cases feature v8.8.0 labels Apr 12, 2023
@cnasikas cnasikas mentioned this pull request Apr 12, 2023
Closed
8 tasks
@cnasikas cnasikas marked this pull request as ready for review April 13, 2023 13:51
@cnasikas cnasikas requested review from a team as code owners April 13, 2023 13:51
@elasticmachine
Copy link
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@elasticmachine
Copy link
Contributor

Pinging @elastic/response-ops-cases (Feature:Cases)

cnasikas
cnasikas commented Apr 13, 2023
View reviewed changes
x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
ctx._source['${ALERT_CASE_IDS}'].remove(i);
}
if (ctx._source['${ALERT_CASE_IDS}'].contains('${caseId}')) {
int index = ctx._source['${ALERT_CASE_IDS}'].indexOf('${caseId}');
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove may mess up with the index and accessing the array like array[i] can produce an out-of-bounds error.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great catch, I totally forgot about that in Java: https://stackoverflow.com/questions/10431981/remove-elements-from-collection-while-iterating

jonathan-buttner
jonathan-buttner approved these changes Apr 17, 2023
View reviewed changes
Copy link
Contributor

@jonathan-buttner jonathan-buttner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested both security solution and observability and they work 👍

x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts Outdated
const SCRIPT_PARAMS_ID = 'caseIds';

const painlessScript = `if (ctx._source['${ALERT_CASE_IDS}'] != null && ctx._source['${ALERT_CASE_IDS}'].length > 0 && params['${SCRIPT_PARAMS_ID}'] != null && params['${SCRIPT_PARAMS_ID}'].length > 0) {
for (int i=0; i < params['${SCRIPT_PARAMS_ID}'].length; i++) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: it might be a little easier to read if we create a temporary variable for params['${SCRIPT_PARAMS_ID}'] and ctx._source['${ALERT_CASE_IDS}']

Something like:

if (...) {
  List storedCaseIds = ctx._source['${ALERT_CASE_IDS}']; <- I think List is the right type here
  List caseIdsToRemove = params['${SCRIPT_PARAMS_ID}'];

  for (...) { }
}

x-pack/plugins/cases/server/client/cases/delete.ts
@@ -75,6 +75,7 @@ export async function deleteCases(ids: string[], clientArgs: CasesClientArgs): P
entities: bulkDeleteEntities,
options: { refresh: 'wait_for' },
}),
alertsService.removeCaseIdsFromAllAlerts({ caseIds: ids }),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the future it might be interesting to investigate if we can skip some cases that we're pretty confident do not have any alerts attached to them. I think we could leverage our total_alerts field and ignore cases that have it set to 0. Not something we should do in this PR and might not even be worth doing in general 🤷‍♂️

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice idea! We can do it when we bound our delete API so the number of cases to retrieve is also bounded.

x-pack/test/cases_api_integration/common/lib/alerts.ts Outdated

const alertAfterDeletion = await getAlerts(alerts);

const caseIdsWithoutRemovedCase =
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I think this logic is the same as in createCaseAttachAlertAndDeleteAlert, might be worth moving it to a function

CoenWarmer
CoenWarmer approved these changes Apr 18, 2023
View reviewed changes
Copy link
Contributor

@CoenWarmer CoenWarmer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AO Changes LGTM!

@cnasikas cnasikas enabled auto-merge (squash) April 18, 2023 12:12
@kibana-ci
Copy link
Collaborator

kibana-ci commented Apr 18, 2023
edited
Loading

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Jest Tests #6 / removeCaseIdFromAlerts calls ensureAllAlertsAuthorized correctly
  • [job] [logs] Jest Tests #6 / removeCaseIdFromAlerts removes alerts from a case

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
ruleRegistry 231 234 +3
Unknown metric groups

API count

id before after diff
ruleRegistry 260 263 +3

ESLint disabled line counts

id before after diff
securitySolution 432 435 +3

Total ESLint disabled count

id before after diff
securitySolution 512 515 +3

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@kibana-ci
Copy link
Collaborator

💚 Build Succeeded

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
ruleRegistry 231 234 +3
Unknown metric groups

API count

id before after diff
ruleRegistry 260 263 +3

ESLint disabled line counts

id before after diff
securitySolution 432 435 +3

Total ESLint disabled count

id before after diff
securitySolution 512 515 +3

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@cnasikas cnasikas merged commit 42effff into elastic:main Apr 18, 2023
@cnasikas cnasikas deleted the remove_alerts_delete_case branch April 18, 2023 16:21
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Apr 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jonathan-buttner jonathan-buttner jonathan-buttner approved these changes

@CoenWarmer CoenWarmer CoenWarmer approved these changes

Assignees
No one assigned
Labels
backport:skip This commit does not require backporting Feature:Cases Cases feature release_note:skip Skip the PR/issue when compiling release notes Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v8.8.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@cnasikas @elasticmachine @kibana-ci @CoenWarmer @jonathan-buttner @kibanamachine