From 12f6d2de3b9a23a524f1fb42d99856336c0c741c Mon Sep 17 00:00:00 2001 From: Patrick Mueller Date: Thu, 27 May 2021 11:09:36 -0400 Subject: [PATCH] [alerting] add ignore_above to alerts params mappings to handle immense params (#100726) (#100772) resolves https://github.com/elastic/kibana/issues/100607 This fixes a problem when very large parameters (over 32K bytes) are saved with an alert. Before this fix, an error from elasticsearch would be thrown with the following message, and a 400 returned from create (and presumably update). Document contains at least one immense term in field=\"alert.params\" (whose UTF8 encoding is longer than the max length 32766), all of which were skipped. After the fix, alerts with immense params can be saved and executed. Note that the immense params will not be searchable, since they won't be indexed, but that seems both unavoidable, and not a severe issue.
---
 .../server/saved_objects/mappings.json | 3 +- .../spaces_only/tests/alerting/create.ts | 47 +++++++++++++++++++ 2 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugins/alerting/server/saved_objects/mappings.json b/x-pack/plugins/alerting/server/saved_objects/mappings.json
index 136dc530aa1199..43292c6a543463 100644
--- a/x-pack/plugins/alerting/server/saved_objects/mappings.json
+++ b/x-pack/plugins/alerting/server/saved_objects/mappings.json
@@ -47,7 +47,8 @@
 }
 },
 "params": {
- "type": "flattened"
+ "type": "flattened",
+ "ignore_above": 4096
 },
 "scheduledTaskId": {
 "type": "keyword"
diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/create.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/create.ts
index 9033b1f303943b..96534c192d67c1 100644
--- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/create.ts
+++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/create.ts
@@ -112,6 +112,53 @@ export default function createAlertTests({ getService }: FtrProviderContext) {
 });
 });
 
+ // see: https://github.com/elastic/kibana/issues/100607
+ // note this fails when the mappings for `params` does not have ignore_above
+ it('should handle alerts with immense params', async () => {
+ const { body: createdAction } = await supertest
+ .post(`${getUrlPrefix(Spaces.space1.id)}/api/actions/connector`)
+ .set('kbn-xsrf', 'foo')
+ .send({
+ name: 'MY action',
+ connector_type_id: 'test.noop',
+ config: {},
+ secrets: {},
+ })
+ .expect(200);
+
+ const lotsOfSpaces = ''.padEnd(100 * 1000); // 100K space chars
+ const response = await supertest
+ .post(`${getUrlPrefix(Spaces.space1.id)}/api/alerting/rule`)
+ .set('kbn-xsrf', 'foo')
+ .send(
+ getTestAlertData({
+ params: {
+ ignoredButPersisted: lotsOfSpaces,
+ },
+ actions: [
+ {
+ id: createdAction.id,
+ group: 'default',
+ params: {},
+ },
+ ],
+ })
+ );
+
+ expect(response.status).to.eql(200);
+ objectRemover.add(Spaces.space1.id, response.body.id, 'rule', 'alerting');
+
+ expect(response.body.params.ignoredButPersisted).to.eql(lotsOfSpaces);
+
+ // Ensure AAD isn't broken
+ await checkAAD({
+ supertest,
+ spaceId: Spaces.space1.id,
+ type: 'alert',
+ id: response.body.id,
+ });
+ });
+
 it('should allow providing custom saved object ids (uuid v1)', async () => {
 const customId = '09570bb0-6299-11eb-8fde-9fe5ce6ea450';
 const response = await supertest
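Review bot: The connector created at the top of the new `it` block is never handed to `objectRemover`, so only the rule is cleaned up and the `test.noop` connector stays behind in `space1` for later tests. Registering it right after the create call, e.g. `objectRemover.add(Spaces.space1.id, createdAction.id, 'action', 'actions');`, would fix that; the type and plugin arguments are my assumption and should match how the rest of the file removes connectors. Separately, the payload is 100K ASCII spaces, so its character count and UTF-8 byte length are equal. `ignore_above` is counted in characters while the error being fixed is about encoded bytes, so a second value built from multi-byte characters would pin the case the mapping limit actually has to cover. The new test is self-contained, but the enclosing `createAlertTests` function starts before and continues past this hunk.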