[ResponseOps][Rules] Prevent internally managed rule types to be snoozing/unsnoozing from the APIs (elastic#236678)

## Summary

This PR prevents internally managed rule types from being
snoozed/unsnoozed through the Rule Snooze and Unsnooze APIs. The
prevention logic is on he route level because we want to support
updating internally managed rules from the alerts client.

Partial fixes: elastic#222101


### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Author: 2 people

x-pack/platform/plugins/shared/alerting/server/routes/lib/validate_internal_rule_type.test.ts

@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { validateInternalRuleType } from './validate_internal_rule_type';
+
+describe('validateInternalRuleTypes', () => {
+  const ruleTypeId = 'internal';
+  const ruleTypes = new Map();
+  const operationText = 'edit';
+
+  beforeEach(() => {
+    ruleTypes.clear();
+  });
+
+  it('should throw an error for invalid rule types', async () => {
+    ruleTypes.set(ruleTypeId, { internallyManaged: true });
+
+    expect(() =>
+      validateInternalRuleType({ ruleTypeId, ruleTypes, operationText })
+    ).toThrowErrorMatchingInlineSnapshot(
+      `"Cannot edit rule of type \\"internal\\" because it is internally managed."`
+    );
+  });
+
+  it('should not throw an error for valid rule types', async () => {
+    ruleTypes.set(ruleTypeId, { internallyManaged: false });
+
+    expect(() =>
+      validateInternalRuleType({ ruleTypeId, ruleTypes, operationText })
+    ).not.toThrowError();
+  });
+});

x-pack/platform/plugins/shared/alerting/server/routes/lib/validate_internal_rule_type.ts

@@ -0,0 +1,33 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import Boom from '@hapi/boom';
+
+interface ValidateRuleTypeParams {
+  ruleTypeId: string;
+  ruleTypes: Map<string, { internallyManaged?: boolean }>;
+  operationText: string;
+}
+
+export const validateInternalRuleType = ({
+  ruleTypeId,
+  ruleTypes,
+  operationText,
+}: ValidateRuleTypeParams) => {
+  const ruleType = ruleTypes.get(ruleTypeId);
+
+  /**
+   * Throws a bad request (400) if the rule type is internallyManaged
+   * ruleType will always exist here because ruleTypes.get will throw a 400
+   * error if the rule type is not registered.
+   */
+  if (ruleType?.internallyManaged) {
+    throw Boom.badRequest(
+      `Cannot ${operationText} rule of type "${ruleTypeId}" because it is internally managed.`
+    );
+  }
+};

x-pack/platform/plugins/shared/alerting/server/routes/rule/apis/create/create_rule_route.test.ts

@@ -948,14 +948,9 @@ describe('createRuleRoute', () => {
         ['ok']
       );
 
-      await handler(context, req, res);
-
-      expect(res.badRequest).toHaveBeenCalledWith({
-        body: {
-          message:
-            'Cannot create rule of type "test.internal-rule-type" because it is internally managed.',
-        },
-      });
+      await expect(handler(context, req, res)).rejects.toThrowErrorMatchingInlineSnapshot(
+        `"Cannot create rule of type \\"test.internal-rule-type\\" because it is internally managed."`
+      );
     });
   });
 });

x-pack/platform/plugins/shared/alerting/server/routes/rule/apis/create/create_rule_route.ts

@@ -27,6 +27,7 @@ import {
   handleDisabledApiKeysError,
   verifyAccessAndContext,
 } from '../../../lib';
+import { validateInternalRuleType } from '../../../lib/validate_internal_rule_type';
 import { transformRuleToRuleResponseV1 } from '../../transforms';
 import { validateRequiredGroupInDefaultActionsV1 } from '../../validation';
 import { transformCreateBodyV1 } from './transforms';
@@ -84,20 +85,11 @@ export const createRuleRoute = ({ router, licenseState, usageCounter }: RouteOpt
           });
 
           try {
-            const ruleType = ruleTypes.get(createRuleData.rule_type_id);
-
-            /**
-             * Throws a bad request (400) if the rule type is internallyManaged
-             * ruleType will always exist here because ruleTypes.get will throw a 400
-             * error if the rule type is not registered.
-             */
-            if (ruleType?.internallyManaged) {
-              return res.badRequest({
-                body: {
-                  message: `Cannot create rule of type "${createRuleData.rule_type_id}" because it is internally managed.`,
-                },
-              });
-            }
+            validateInternalRuleType({
+              ruleTypeId: createRuleData.rule_type_id,
+              ruleTypes,
+              operationText: 'create',
+            });
 
             /**
              * Throws an error if the group is not defined in default actions

x-pack/platform/plugins/shared/alerting/server/routes/rule/apis/snooze/external/snooze_rule_route.test.ts

@@ -68,6 +68,7 @@ rulesClient.update.mockResolvedValueOnce(mockedRule as unknown as SanitizedRule)
 describe('snoozeAlertRoute', () => {
   beforeEach(() => {
     jest.clearAllMocks();
+    rulesClient.get = jest.fn().mockResolvedValue(mockedRule);
   });
 
   it('snoozes a rule', async () => {
@@ -351,4 +352,44 @@ describe('snoozeAlertRoute', () => {
 
     expect(res.forbidden).toHaveBeenCalledWith({ body: { message: 'Fail' } });
   });
+
+  describe('internally managed rule types', () => {
+    it('returns 400 if the rule type is internally managed', async () => {
+      const licenseState = licenseStateMock.create();
+      const router = httpServiceMock.createRouter();
+      rulesClient.get = jest
+        .fn()
+        .mockResolvedValue({ ...mockedRule, alertTypeId: 'test.internal-rule-type' });
+
+      snoozeRuleRoute(router, licenseState);
+
+      const [config, handler] = router.post.mock.calls[0];
+
+      expect(config.path).toMatchInlineSnapshot(`"/api/alerting/rule/{id}/snooze_schedule"`);
+
+      rulesClient.snooze.mockResolvedValueOnce(mockedRule as unknown as SanitizedRule);
+
+      const [context, req, res] = mockHandlerArguments(
+        {
+          rulesClient, // @ts-expect-error: not all args are required for this test
+          listTypes: new Map([
+            ['test.internal-rule-type', { id: 'test.internal-rule-type', internallyManaged: true }],
+          ]),
+        },
+        {
+          params: {
+            id: '1',
+          },
+          body: {
+            schedule,
+          },
+        },
+        ['noContent']
+      );
+
+      await expect(handler(context, req, res)).rejects.toThrowErrorMatchingInlineSnapshot(
+        `"Cannot snooze rule of type \\"test.internal-rule-type\\" because it is internally managed."`
+      );
+    });
+  });
 });

x-pack/platform/plugins/shared/alerting/server/routes/rule/apis/snooze/external/snooze_rule_route.ts

@@ -8,6 +8,7 @@
 import Boom from '@hapi/boom';
 import { v4 } from 'uuid';
 import type { IRouter } from '@kbn/core/server';
+import { validateInternalRuleType } from '../../../../lib/validate_internal_rule_type';
 import {
   type SnoozeParamsV1,
   type SnoozeResponseV1,
@@ -71,6 +72,8 @@ export const snoozeRuleRoute = (
       verifyAccessAndContext(licenseState, async function (context, req, res) {
         const alertingContext = await context.alerting;
         const rulesClient = await alertingContext.getRulesClient();
+        const ruleTypes = alertingContext.listTypes();
+
         const params: SnoozeParamsV1 = req.params;
         const customSchedule = req.body.schedule?.custom;
 
@@ -83,6 +86,14 @@ export const snoozeRuleRoute = (
         const snoozeScheduleId = v4();
 
         try {
+          const rule = await rulesClient.get({ id: params.id });
+
+          validateInternalRuleType({
+            ruleTypeId: rule.alertTypeId,
+            ruleTypes,
+            operationText: 'snooze',
+          });
+
           const snoozedRule = await rulesClient.snooze({
             id: params.id,
             snoozeSchedule: {

x-pack/platform/plugins/shared/alerting/server/routes/rule/apis/snooze/internal/snooze_rule_route.test.ts

@@ -18,10 +18,6 @@ jest.mock('../../../../../lib/license_api_access', () => ({
   verifyApiAccess: jest.fn(),
 }));
 
-beforeEach(() => {
-  jest.resetAllMocks();
-});
-
 const SNOOZE_SCHEDULE = {
   rRule: {
     dtstart: '2021-03-07T00:00:00.000Z',
@@ -62,6 +58,11 @@ const mockedRule = {
 };
 
 describe('snoozeAlertRoute', () => {
+  beforeEach(() => {
+    jest.resetAllMocks();
+    rulesClient.get = jest.fn().mockResolvedValue(mockedRule);
+  });
+
   it('snoozes an alert', async () => {
     const licenseState = licenseStateMock.create();
     const router = httpServiceMock.createRouter();
@@ -178,4 +179,44 @@ describe('snoozeAlertRoute', () => {
 
     expect(res.forbidden).toHaveBeenCalledWith({ body: { message: 'Fail' } });
   });
+
+  describe('internally managed rule types', () => {
+    it('returns 400 if the rule type is internally managed', async () => {
+      const licenseState = licenseStateMock.create();
+      const router = httpServiceMock.createRouter();
+      rulesClient.get = jest
+        .fn()
+        .mockResolvedValue({ ...mockedRule, alertTypeId: 'test.internal-rule-type' });
+
+      snoozeRuleRoute(router, licenseState);
+
+      const [config, handler] = router.post.mock.calls[0];
+
+      expect(config.path).toMatchInlineSnapshot(`"/internal/alerting/rule/{id}/_snooze"`);
+
+      rulesClient.snooze.mockResolvedValueOnce(mockedRule as unknown as SanitizedRule);
+
+      const [context, req, res] = mockHandlerArguments(
+        {
+          rulesClient, // @ts-expect-error: not all args are required for this test
+          listTypes: new Map([
+            ['test.internal-rule-type', { id: 'test.internal-rule-type', internallyManaged: true }],
+          ]),
+        },
+        {
+          params: {
+            id: '1',
+          },
+          body: {
+            snooze_schedule: SNOOZE_SCHEDULE,
+          },
+        },
+        ['noContent']
+      );
+
+      await expect(handler(context, req, res)).rejects.toThrowErrorMatchingInlineSnapshot(
+        `"Cannot snooze rule of type \\"test.internal-rule-type\\" because it is internally managed."`
+      );
+    });
+  });
 });

x-pack/platform/plugins/shared/alerting/server/routes/rule/apis/snooze/internal/snooze_rule_route.ts

@@ -7,6 +7,7 @@
 
 import type { TypeOf } from '@kbn/config-schema';
 import type { IRouter } from '@kbn/core/server';
+import { validateInternalRuleType } from '../../../../lib/validate_internal_rule_type';
 import {
   snoozeBodyInternalSchemaV1,
   snoozeParamsInternalSchemaV1,
@@ -39,9 +40,20 @@ export const snoozeRuleRoute = (
       verifyAccessAndContext(licenseState, async function (context, req, res) {
         const alertingContext = await context.alerting;
         const rulesClient = await alertingContext.getRulesClient();
+        const ruleTypes = alertingContext.listTypes();
+
         const params: SnoozeRuleRequestInternalParamsV1 = req.params;
         const body = transformSnoozeBodyV1(req.body);
+
         try {
+          const rule = await rulesClient.get({ id: params.id });
+
+          validateInternalRuleType({
+            ruleTypeId: rule.alertTypeId,
+            ruleTypes,
+            operationText: 'snooze',
+          });
+
           await rulesClient.snooze({ ...params, ...body });
           return res.noContent();
         } catch (e) {