[RAC] Remove rbac on security solution side (#110472)

* wip to remove rbac

* Revert "[Cases] Include rule registry client for updating alert statuses (#108588)"

This reverts commit 1fd7038.

This leaves the rule registry mock changes

* remove rbac on Trend/Count alert

* update detection api for status

* remove @kbn-alerts packages

* fix leftover

* Switching cases to leverage update by query for alert status

* Adding missed files

* fix bad logic

* updating tests for use_alerts_privileges

* remove index alias/fields

* fix types

* fix plugin to get the right index names

* left over of alis on template

* forget to use current user for create/read route index

* updated alerts page to not show table when no privileges and updates to tests

* fix bug when switching between o11y and security solution

* updates tests and move to use privileges page when user tries to access alerts without proper access

* updating jest tests

* pairing with yara

* bring back kbn-alerts after discussion with the team

* fix types

* fix index field for o11y

* fix bug with updating index priv state

* fix i18n issue and update api docs

* fix refresh on alerts

* fix render view on alerts

* updating tests and checking for null in alerts page to not show no privileges page before load

* fix details rules

Co-authored-by: Jonathan Buttner <jonathan.buttner@elastic.co>
Co-authored-by: Yara Tercero <yara.tercero@elastic.co>

Author: 3 people

docs/development/core/public/kibana-plugin-core-public.doclinksstart.links.md

@@ -128,6 +128,7 @@ readonly links: {
         readonly rollupJobs: string;
         readonly elasticsearch: Record<string, string>;
         readonly siem: {
+            readonly privileges: string;
             readonly guide: string;
             readonly gettingStarted: string;
             readonly ml: string;

docs/development/core/public/kibana-plugin-core-public.doclinksstart.md

@@ -204,6 +204,7 @@ export class DocLinksService {
         siem: {
           guide: `${ELASTIC_WEBSITE_URL}guide/en/security/${DOC_LINK_VERSION}/index.html`,
           gettingStarted: `${ELASTIC_WEBSITE_URL}guide/en/security/${DOC_LINK_VERSION}/index.html`,
+          privileges: `${ELASTIC_WEBSITE_URL}guide/en/security/${DOC_LINK_VERSION}/sec-requirements.html`,
           ml: `${ELASTIC_WEBSITE_URL}guide/en/security/${DOC_LINK_VERSION}/machine-learning.html`,
           ruleChangeLog: `${ELASTIC_WEBSITE_URL}guide/en/security/${DOC_LINK_VERSION}/prebuilt-rules-changelog.html`,
           detectionsReq: `${ELASTIC_WEBSITE_URL}guide/en/security/${DOC_LINK_VERSION}/detections-permissions-section.html`,
@@ -569,6 +570,7 @@ export interface DocLinksStart {
     readonly rollupJobs: string;
     readonly elasticsearch: Record<string, string>;
     readonly siem: {
+      readonly privileges: string;
       readonly guide: string;
       readonly gettingStarted: string;
       readonly ml: string;

src/core/public/doc_links/doc_links_service.ts

@@ -592,6 +592,7 @@ export interface DocLinksStart {
         readonly rollupJobs: string;
         readonly elasticsearch: Record<string, string>;
         readonly siem: {
+            readonly privileges: string;
             readonly guide: string;
             readonly gettingStarted: string;
             readonly ml: string;

src/core/public/public.api.md

@@ -10,7 +10,6 @@
   "id":"cases",
   "kibanaVersion":"kibana",
   "optionalPlugins":[
-    "ruleRegistry",
      "security",
      "spaces"
   ],

x-pack/plugins/cases/kibana.json

@@ -12,11 +12,19 @@ export const get = async (
   { alertsInfo }: AlertGet,
   clientArgs: CasesClientArgs
 ): Promise<CasesClientGetAlertsResponse> => {
-  const { alertsService, logger } = clientArgs;
+  const { alertsService, scopedClusterClient, logger } = clientArgs;
   if (alertsInfo.length === 0) {
     return [];
   }
 
-  const alerts = await alertsService.getAlerts({ alertsInfo, logger });
-  return alerts ?? [];
+  const alerts = await alertsService.getAlerts({ alertsInfo, scopedClusterClient, logger });
+  if (!alerts) {
+    return [];
+  }
+
+  return alerts.docs.map((alert) => ({
+    id: alert._id,
+    index: alert._index,
+    ...alert._source,
+  }));
 };

x-pack/plugins/cases/server/client/alerts/get.ts

@@ -7,7 +7,17 @@
 
 import { CaseStatuses } from '../../../common/api';
 import { AlertInfo } from '../../common';
-import { Alert } from '../../services/alerts/types';
+
+interface Alert {
+  id: string;
+  index: string;
+  destination?: {
+    ip: string;
+  };
+  source?: {
+    ip: string;
+  };
+}
 
 export type CasesClientGetAlertsResponse = Alert[];
 

x-pack/plugins/cases/server/client/alerts/types.ts

@@ -16,6 +16,6 @@ export const updateStatus = async (
   { alerts }: UpdateAlertsStatusArgs,
   clientArgs: CasesClientArgs
 ): Promise<void> => {
-  const { alertsService, logger } = clientArgs;
-  await alertsService.updateAlertsStatus({ alerts, logger });
+  const { alertsService, scopedClusterClient, logger } = clientArgs;
+  await alertsService.updateAlertsStatus({ alerts, scopedClusterClient, logger });
 };

x-pack/plugins/cases/server/client/alerts/update_status.ts

@@ -40,7 +40,12 @@ import {
 } from '../../services/user_actions/helpers';
 
 import { AttachmentService, CasesService, CaseUserActionService } from '../../services';
-import { createCaseError, CommentableCase, isCommentRequestTypeGenAlert } from '../../common';
+import {
+  createCaseError,
+  CommentableCase,
+  createAlertUpdateRequest,
+  isCommentRequestTypeGenAlert,
+} from '../../common';
 import { CasesClientArgs, CasesClientInternal } from '..';
 
 import { decodeCommentRequest } from '../utils';
@@ -190,9 +195,22 @@ const addGeneratedAlerts = async (
       user: userDetails,
       commentReq: query,
       id: savedObjectID,
-      casesClientInternal,
     });
 
+    if (
+      (newComment.attributes.type === CommentType.alert ||
+        newComment.attributes.type === CommentType.generatedAlert) &&
+      caseInfo.attributes.settings.syncAlerts
+    ) {
+      const alertsToUpdate = createAlertUpdateRequest({
+        comment: query,
+        status: subCase.attributes.status,
+      });
+      await casesClientInternal.alerts.updateStatus({
+        alerts: alertsToUpdate,
+      });
+    }
+
     await userActionService.bulkCreate({
       unsecuredSavedObjectsClient,
       actions: [
@@ -368,9 +386,19 @@ export const addComment = async (
       user: userInfo,
       commentReq: query,
       id: savedObjectID,
-      casesClientInternal,
     });
 
+    if (newComment.attributes.type === CommentType.alert && updatedCase.settings.syncAlerts) {
+      const alertsToUpdate = createAlertUpdateRequest({
+        comment: query,
+        status: updatedCase.status,
+      });
+
+      await casesClientInternal.alerts.updateStatus({
+        alerts: alertsToUpdate,
+      });
+    }
+
     await userActionService.bulkCreate({
       unsecuredSavedObjectsClient,
       actions: [

x-pack/plugins/cases/server/client/attachments/add.ts

@@ -6,7 +6,7 @@
  */
 
 import Boom from '@hapi/boom';
-import { SavedObjectsFindResponse, SavedObject, Logger } from 'kibana/server';
+import { SavedObjectsFindResponse, SavedObject } from 'kibana/server';
 
 import {
   ActionConnector,
@@ -22,16 +22,26 @@ import {
 import { buildCaseUserActionItem } from '../../services/user_actions/helpers';
 
 import { createIncident, getCommentContextFromAttributes } from './utils';
-import {
-  AlertInfo,
-  createCaseError,
-  flattenCaseSavedObject,
-  getAlertInfoFromComments,
-} from '../../common';
+import { createCaseError, flattenCaseSavedObject, getAlertInfoFromComments } from '../../common';
 import { CasesClient, CasesClientArgs, CasesClientInternal } from '..';
 import { Operations } from '../../authorization';
 import { casesConnectors } from '../../connectors';
-import { CasesClientGetAlertsResponse } from '../alerts/types';
+
+/**
+ * Returns true if the case should be closed based on the configuration settings and whether the case
+ * is a collection. Collections are not closable because we aren't allowing their status to be changed.
+ * In the future we could allow push to close all the sub cases of a collection but that's not currently supported.
+ */
+function shouldCloseByPush(
+  configureSettings: SavedObjectsFindResponse<CasesConfigureAttributes>,
+  caseInfo: SavedObject<CaseAttributes>
+): boolean {
+  return (
+    configureSettings.total > 0 &&
+    configureSettings.saved_objects[0].attributes.closure_type === 'close-by-pushing' &&
+    caseInfo.attributes.type !== CaseType.collection
+  );
+}
 
 /**
  * Parameters for pushing a case to an external system
@@ -96,7 +106,9 @@ export const push = async (
 
     const alertsInfo = getAlertInfoFromComments(theCase?.comments);
 
-    const alerts = await getAlertsCatchErrors({ casesClientInternal, alertsInfo, logger });
+    const alerts = await casesClientInternal.alerts.get({
+      alertsInfo,
+    });
 
     const getMappingsResponse = await casesClientInternal.configuration.getMappings({
       connector: theCase.connector,
@@ -266,38 +278,3 @@ export const push = async (
     throw createCaseError({ message: `Failed to push case: ${error}`, error, logger });
   }
 };
-
-async function getAlertsCatchErrors({
-  casesClientInternal,
-  alertsInfo,
-  logger,
-}: {
-  casesClientInternal: CasesClientInternal;
-  alertsInfo: AlertInfo[];
-  logger: Logger;
-}): Promise<CasesClientGetAlertsResponse> {
-  try {
-    return await casesClientInternal.alerts.get({
-      alertsInfo,
-    });
-  } catch (error) {
-    logger.error(`Failed to retrieve alerts during push: ${error}`);
-    return [];
-  }
-}
-
-/**
- * Returns true if the case should be closed based on the configuration settings and whether the case
- * is a collection. Collections are not closable because we aren't allowing their status to be changed.
- * In the future we could allow push to close all the sub cases of a collection but that's not currently supported.
- */
-function shouldCloseByPush(
-  configureSettings: SavedObjectsFindResponse<CasesConfigureAttributes>,
-  caseInfo: SavedObject<CaseAttributes>
-): boolean {
-  return (
-    configureSettings.total > 0 &&
-    configureSettings.saved_objects[0].attributes.closure_type === 'close-by-pushing' &&
-    caseInfo.attributes.type !== CaseType.collection
-  );
-}