elastic · mikecote · Sep 20, 2019 · Sep 17, 2019 · Sep 18, 2019 · Sep 19, 2019
diff --git a/x-pack/legacy/plugins/alerting/server/alerts_client.mock.ts b/x-pack/legacy/plugins/alerting/server/alerts_client.mock.ts
@@ -17,6 +17,7 @@ const createAlertsClientMock = () => {
     update: jest.fn(),
     enable: jest.fn(),
     disable: jest.fn(),
+    updateApiKey: jest.fn(),
   };
   return mocked;
 };

diff --git a/x-pack/legacy/plugins/alerting/server/alerts_client.test.ts b/x-pack/legacy/plugins/alerting/server/alerts_client.test.ts
diff --git a/x-pack/legacy/plugins/alerting/server/alerts_client.ts b/x-pack/legacy/plugins/alerting/server/alerts_client.ts
@@ -4,6 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import Boom from 'boom';
 import { omit } from 'lodash';
 import { SavedObjectsClientContract, SavedObjectReference } from 'src/core/server';
 import { Alert, RawAlert, AlertTypeRegistry, AlertAction, Log } from './types';
@@ -215,6 +216,34 @@ export class AlertsClient {
     return this.getAlertFromRaw(id, updatedObject.attributes, updatedObject.references);
   }
 
+  public async updateApiKey({ id }: { id: string }) {
+    const {
+      references,
+      attributes: { enabled },
+    } = await this.savedObjectsClient.get('alert', id);
+
+    if (enabled === false) {
+      throw Boom.badRequest(`Can't update API key on a disabled alert`);
+    }
+
+    const apiKey = await this.createAPIKey();
+    const username = await this.getUserName();
+    await this.savedObjectsClient.update(
+      'alert',
+      id,
+      {
+        updatedBy: username,
+        apiKeyOwner: apiKey.created ? username : null,
+        apiKey: apiKey.created
+          ? Buffer.from(`${apiKey.result.id}:${apiKey.result.api_key}`).toString('base64')
+          : null,
+      },
+      {
+        references,
+      }
+    );
+  }
+
   public async enable({ id }: { id: string }) {
     const existingObject = await this.savedObjectsClient.get('alert', id);
     if (existingObject.attributes.enabled === false) {

diff --git a/x-pack/legacy/plugins/alerting/server/init.ts b/x-pack/legacy/plugins/alerting/server/init.ts
@@ -27,6 +27,7 @@ import {
   updateAlertRoute,
   enableAlertRoute,
   disableAlertRoute,
+  updateApiKeyRoute,
 } from './routes';
 
 // Extend PluginProperties to indicate which plugins are guaranteed to exist
@@ -125,6 +126,7 @@ export function init(server: Server) {
   updateAlertRoute(server);
   enableAlertRoute(server);
   disableAlertRoute(server);
+  updateApiKeyRoute(server);
 
   // Expose functions
   server.decorate('request', 'getAlertsClient', function() {

diff --git a/x-pack/legacy/plugins/alerting/server/routes/index.ts b/x-pack/legacy/plugins/alerting/server/routes/index.ts
@@ -12,3 +12,4 @@ export { listAlertTypesRoute } from './list_alert_types';
 export { updateAlertRoute } from './update';
 export { enableAlertRoute } from './enable';
 export { disableAlertRoute } from './disable';
+export { updateApiKeyRoute } from './update_api_key';
diff --git a/x-pack/legacy/plugins/alerting/server/routes/update_api_key.test.ts b/x-pack/legacy/plugins/alerting/server/routes/update_api_key.test.ts
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { createMockServer } from './_mock_server';
+import { updateApiKeyRoute } from './update_api_key';
+
+const { server, alertsClient } = createMockServer();
+updateApiKeyRoute(server);
+
+test('updates api key for an alert', async () => {
+  const request = {
+    method: 'POST',
+    url: '/api/alert/1/_update_api_key',
+  };
+
+  const { statusCode } = await server.inject(request);
+  expect(statusCode).toBe(204);
+  expect(alertsClient.updateApiKey).toHaveBeenCalledWith({ id: '1' });
+});
diff --git a/x-pack/legacy/plugins/alerting/server/routes/update_api_key.ts b/x-pack/legacy/plugins/alerting/server/routes/update_api_key.ts
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Hapi from 'hapi';
+
+export function updateApiKeyRoute(server: Hapi.Server) {
+  server.route({
+    method: 'POST',
+    path: '/api/alert/{id}/_update_api_key',
+    options: {
+      tags: ['access:alerting-all'],
+      response: {
+        emptyStatusCode: 204,
+      },
+    },
+    async handler(request: Hapi.Request, h: Hapi.ResponseToolkit) {
+      const alertsClient = request.getAlertsClient!();
+      await alertsClient.updateApiKey({ id: request.params.id });
+      return h.response();
+    },
+  });
+}
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/scenarios.ts b/x-pack/test/alerting_api_integration/security_and_spaces/scenarios.ts
@@ -107,7 +107,13 @@ const Space2: Space = {
   disabledFeatures: [],
 };
 
-export const Spaces: Space[] = [Space1, Space2];
+const OtherSpace: Space = {
+  id: 'other',
+  name: 'Other',
+  disabledFeatures: [],
+};
+
+export const Spaces: Space[] = [Space1, Space2, OtherSpace];
 
 // For all scenarios, we define both an instance in addition
 // to a "type" definition so that we can use the exhaustive switch in

diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/index.ts b/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/index.ts
@@ -17,6 +17,7 @@ export default function alertingTests({ loadTestFile }: FtrProviderContext) {
     loadTestFile(require.resolve('./get'));
     loadTestFile(require.resolve('./list_alert_types'));
     loadTestFile(require.resolve('./update'));
+    loadTestFile(require.resolve('./update_api_key'));
     loadTestFile(require.resolve('./alerts'));
   });
 }
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/update_api_key.ts b/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/update_api_key.ts
@@ -0,0 +1,148 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from '@kbn/expect';
+import { getTestAlertData } from './utils';
+import { UserAtSpaceScenarios, Spaces } from '../../scenarios';
+import { getUrlPrefix, ObjectRemover } from '../../../common/lib';
+import { FtrProviderContext } from '../../../common/ftr_provider_context';
+
+// eslint-disable-next-line import/no-default-export
+export default function createUpdateApiKeyTests({ getService }: FtrProviderContext) {
+  const supertest = getService('supertest');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+
+  describe('update_api_key', () => {
+    const objectRemover = new ObjectRemover(supertest);
+    const OtherSpace = Spaces.find(space => space.id === 'other');
+
+    if (!OtherSpace) {
+      throw new Error('Space "other" not defined in scenarios');
+    }
+
+    after(() => objectRemover.removeAll());
+
+    for (const scenario of UserAtSpaceScenarios) {
+      const { user, space } = scenario;
+      describe(scenario.id, () => {
+        it('should handle update alert api key request appropriately', async () => {
+          const { body: createdAlert } = await supertest
+            .post(`${getUrlPrefix(space.id)}/api/alert`)
+            .set('kbn-xsrf', 'foo')
+            .send(getTestAlertData())
+            .expect(200);
+          objectRemover.add(space.id, createdAlert.id, 'alert');
+
+          const response = await supertestWithoutAuth
+            .post(`${getUrlPrefix(space.id)}/api/alert/${createdAlert.id}/_update_api_key`)
+            .set('kbn-xsrf', 'foo')
+            .auth(user.username, user.password);
+
+          switch (scenario.id) {
+            case 'no_kibana_privileges at space1':
+            case 'space_1_all at space2':
+            case 'global_read at space1':
+              expect(response.statusCode).to.eql(404);
+              expect(response.body).to.eql({
+                statusCode: 404,
+                error: 'Not Found',
+                message: 'Not Found',
+              });
+              break;
+            case 'superuser at space1':
+            case 'space_1_all at space1':
+              expect(response.statusCode).to.eql(204);
+              expect(response.body).to.eql('');
+              const { body: updatedAlert } = await supertestWithoutAuth
+                .get(`${getUrlPrefix(space.id)}/api/alert/${createdAlert.id}`)
+                .set('kbn-xsrf', 'foo')
+                .auth(user.username, user.password)
+                .expect(200);
+              expect(updatedAlert.apiKeyOwner).to.eql(user.username);
+              break;
+            default:
+              throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
+          }
+        });
+
+        it(`should handle update alert api key on a disabled alert appropriately`, async () => {
+          const { body: createdAlert } = await supertest
+            .post(`${getUrlPrefix(space.id)}/api/alert`)
+            .set('kbn-xsrf', 'foo')
+            .send(getTestAlertData({ enabled: false }))
+            .expect(200);
+          objectRemover.add(space.id, createdAlert.id, 'alert');
+
+          const response = await supertestWithoutAuth
+            .post(`${getUrlPrefix(space.id)}/api/alert/${createdAlert.id}/_update_api_key`)
+            .set('kbn-xsrf', 'foo')
+            .auth(user.username, user.password);
+
+          switch (scenario.id) {
+            case 'no_kibana_privileges at space1':
+            case 'space_1_all at space2':
+            case 'global_read at space1':
+              expect(response.statusCode).to.eql(404);
+              expect(response.body).to.eql({
+                statusCode: 404,
+                error: 'Not Found',
+                message: 'Not Found',
+              });
+              break;
+            case 'superuser at space1':
+            case 'space_1_all at space1':
+              expect(response.statusCode).to.eql(400);
+              expect(response.body).to.eql({
+                statusCode: 400,
+                error: 'Bad Request',
+                message: `Can't update API key on a disabled alert`,
+              });
+              break;
+            default:
+              throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
+          }
+        });
+
+        it(`shouldn't update alert api key from another space`, async () => {
+          const { body: createdAlert } = await supertest
+            .post(`${getUrlPrefix(space.id)}/api/alert`)
+            .set('kbn-xsrf', 'foo')
+            .send(getTestAlertData())
+            .expect(200);
+          objectRemover.add(space.id, createdAlert.id, 'alert');
+
+          const response = await supertestWithoutAuth
+            .post(`${getUrlPrefix(OtherSpace.id)}/api/alert/${createdAlert.id}/_update_api_key`)
+            .set('kbn-xsrf', 'foo')
+            .auth(user.username, user.password);
+
+          expect(response.statusCode).to.eql(404);
+          switch (scenario.id) {
+            case 'no_kibana_privileges at space1':
+            case 'space_1_all at space2':
+            case 'global_read at space1':
+            case 'space_1_all at space1':
+              expect(response.body).to.eql({
+                statusCode: 404,
+                error: 'Not Found',
+                message: 'Not Found',
+              });
+              break;
+            case 'superuser at space1':
+              expect(response.body).to.eql({
+                statusCode: 404,
+                error: 'Not Found',
+                message: `Saved object [alert/${createdAlert.id}] not found`,
+              });
+              break;
+            default:
+              throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
+          }
+        });
+      });
+    }
+  });
+}
diff --git a/x-pack/test/alerting_api_integration/spaces_only/scenarios.ts b/x-pack/test/alerting_api_integration/spaces_only/scenarios.ts
@@ -12,6 +12,13 @@ const Space1: Space = {
   disabledFeatures: [],
 };
 
+const Other: Space = {
+  id: 'other',
+  name: 'Other',
+  disabledFeatures: [],
+};
+
 export const Spaces = {
   space1: Space1,
+  other: Other,
 };
diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/index.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/index.ts
@@ -17,6 +17,7 @@ export default function alertingTests({ loadTestFile }: FtrProviderContext) {
     loadTestFile(require.resolve('./get'));
     loadTestFile(require.resolve('./list_alert_types'));
     loadTestFile(require.resolve('./update'));
+    loadTestFile(require.resolve('./update_api_key'));
     loadTestFile(require.resolve('./alerts'));
   });
 }
diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/update_api_key.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/update_api_key.ts
@@ -0,0 +1,64 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from '@kbn/expect';
+import { getTestAlertData } from './utils';
+import { Spaces } from '../../scenarios';
+import { getUrlPrefix, ObjectRemover } from '../../../common/lib';
+import { FtrProviderContext } from '../../../common/ftr_provider_context';
+
+/**
+ * Eventhough security is disabled, this test checks the API behavior.
+ */
+
+// eslint-disable-next-line import/no-default-export
+export default function createUpdateApiKeyTests({ getService }: FtrProviderContext) {
+  const supertest = getService('supertest');
+
+  describe('update_api_key', () => {
+    const objectRemover = new ObjectRemover(supertest);
+
+    after(() => objectRemover.removeAll());
+
+    it('should handle update alert api key appropriately', async () => {
+      const { body: createdAlert } = await supertest
+        .post(`${getUrlPrefix(Spaces.space1.id)}/api/alert`)
+        .set('kbn-xsrf', 'foo')
+        .send(getTestAlertData())
+        .expect(200);
+      objectRemover.add(Spaces.space1.id, createdAlert.id, 'alert');
+
+      await supertest
+        .post(`${getUrlPrefix(Spaces.space1.id)}/api/alert/${createdAlert.id}/_update_api_key`)
+        .set('kbn-xsrf', 'foo')
+        .expect(204, '');
+
+      const { body: updatedAlert } = await supertest
+        .get(`${getUrlPrefix(Spaces.space1.id)}/api/alert/${createdAlert.id}`)
+        .set('kbn-xsrf', 'foo')
+        .expect(200);
+      expect(updatedAlert.apiKeyOwner).to.eql(null);
+    });
+
+    it(`shouldn't update alert api key from another space`, async () => {
+      const { body: createdAlert } = await supertest
+        .post(`${getUrlPrefix(Spaces.space1.id)}/api/alert`)
+        .set('kbn-xsrf', 'foo')
+        .send(getTestAlertData())
+        .expect(200);
+      objectRemover.add(Spaces.space1.id, createdAlert.id, 'alert');
+
+      await supertest
+        .post(`${getUrlPrefix(Spaces.other.id)}/api/alert/${createdAlert.id}/_update_api_key`)
+        .set('kbn-xsrf', 'foo')
+        .expect(404, {
+          statusCode: 404,
+          error: 'Not Found',
+          message: `Saved object [alert/${createdAlert.id}] not found`,
+        });
+    });
+  });
+}