From f9205c05104881a4b0748d53c489c897592526c6 Mon Sep 17 00:00:00 2001
From: Christos Nasikas
Date: Wed, 11 Jan 2023 18:09:39 +0200
Subject: [PATCH] Add o11y tests
---
 .../common/lib/alerts.ts | 76 +++++
 .../cases_api_integration/common/lib/utils.ts | 38 ---
 .../tests/common/comments/post_comment.ts | 287 ++++++++++------
 .../internal/bulk_create_attachments.ts | 317 ++++++++++++------
 4 files changed, 474 insertions(+), 244 deletions(-)
 create mode 100644 x-pack/test/cases_api_integration/common/lib/alerts.ts
diff --git a/x-pack/test/cases_api_integration/common/lib/alerts.ts b/x-pack/test/cases_api_integration/common/lib/alerts.ts
new file mode 100644
index 0000000000000..f5584b61cb934
--- /dev/null
+++ b/x-pack/test/cases_api_integration/common/lib/alerts.ts
@@ -0,0 +1,76 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type SuperTest from 'supertest';
+import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+import { ToolingLog } from '@kbn/tooling-log';
+import { DETECTION_ENGINE_QUERY_SIGNALS_URL } from '@kbn/security-solution-plugin/common/constants';
+import { DetectionAlert } from '@kbn/security-solution-plugin/common/detection_engine/schemas/alerts';
+import { RiskEnrichmentFields } from '@kbn/security-solution-plugin/server/lib/detection_engine/signals/enrichments/types';
+import {
+ getRuleForSignalTesting,
+ createRule,
+ waitForRuleSuccessOrStatus,
+ waitForSignalsToBePresent,
+ getSignalsByIds,
+ getQuerySignalIds,
+} from '../../../detection_engine_api_integration/utils';
+import { superUser } from './authentication/users';
+import { getSpaceUrlPrefix } from './utils';
+import { User } from './authentication/types';
+
+export const createSecuritySolutionAlerts = async (
+ supertest: SuperTest.SuperTest,
+ log: ToolingLog
+): Promise> => {
+ const rule = getRuleForSignalTesting(['auditbeat-*']);
+ const { id } = await createRule(supertest, log, rule);
+ await waitForRuleSuccessOrStatus(supertest, log, id);
+ await waitForSignalsToBePresent(supertest, log, 1, [id]);
+ const signals = await getSignalsByIds(supertest, log, [id]);
+
+ return signals;
+};
+
+export const getSecuritySolutionAlerts = async (
+ supertest: SuperTest.SuperTest,
+ alertIds: string[]
+): Promise> => {
+ const { body: updatedAlert } = await supertest
+ .post(DETECTION_ENGINE_QUERY_SIGNALS_URL)
+ .set('kbn-xsrf', 'true')
+ .send(getQuerySignalIds(alertIds))
+ .expect(200);
+
+ return updatedAlert;
+};
+
+interface AlertResponse {
+ 'kibana.alert.case_ids'?: string[];
+}
+
+export const getAlertById = async ({
+ supertest,
+ id,
+ index,
+ expectedHttpCode = 200,
+ auth = { user: superUser, space: null },
+}: {
+ supertest: SuperTest.SuperTest;
+ id: string;
+ index: string;
+ expectedHttpCode?: number;
+ auth?: { user: User; space: string | null };
+}): Promise => {
+ const { body: alert } = await supertest
+ .get(`${getSpaceUrlPrefix(auth?.space)}/internal/rac/alerts?id=${id}&index=${index}`)
+ .auth(auth.user.username, auth.user.password)
+ .set('kbn-xsrf', 'true')
+ .expect(expectedHttpCode);
+
+ return alert;
+};
diff --git a/x-pack/test/cases_api_integration/common/lib/utils.ts b/x-pack/test/cases_api_integration/common/lib/utils.ts
index 7453fa49beb4a..0fd34bddabbd6 100644
--- a/x-pack/test/cases_api_integration/common/lib/utils.ts
+++ b/x-pack/test/cases_api_integration/common/lib/utils.ts
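Review bot: `getAlertById` splices `id` and `index` unencoded into the query string of the `.get()` path (`/internal/rac/alerts?id=${id}&index=${index}`), so a value containing `&`, `#`, `+` or a space would change the request that is sent instead of failing the test. Passing the bare path to `.get()` and chaining `.query({ id, index })` lets supertest encode both values. The `auth?.space` optional chain is also misleading, because `auth` has a default and is dereferenced without a guard on the next line as `auth.user.username`; plain `auth.space` says the same thing. A short TSDoc line on each exported helper stating which API it calls and which credentials it uses would help, since `getAlertById` sets `.auth(...)` explicitly while the two security-solution helpers rely on whatever the passed `supertest` agent carries.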
@@ -60,24 +60,12 @@ import { ActionResult, FindActionResult } from '@kbn/actions-plugin/server/types import { ESCasesConfigureAttributes } from '@kbn/cases-plugin/server/services/configure/types'; import { ESCaseAttributes } from '@kbn/cases-plugin/server/services/cases/types'; import type { SavedObjectsRawDocSource } from '@kbn/core/server'; -import { ToolingLog } from '@kbn/tooling-log'; -import { DETECTION_ENGINE_QUERY_SIGNALS_URL } from '@kbn/security-solution-plugin/common/constants'; -import { DetectionAlert } from '@kbn/security-solution-plugin/common/detection_engine/schemas/alerts'; -import { RiskEnrichmentFields } from '@kbn/security-solution-plugin/server/lib/detection_engine/signals/enrichments/types'; import { User } from './authentication/types'; import { superUser } from './authentication/users'; import { getPostCaseRequest, postCaseReq } from './mock'; import { ObjectRemover as ActionsRemover } from '../../../alerting_api_integration/common/lib'; import { getServiceNowServer } from '../../../alerting_api_integration/common/fixtures/plugins/actions_simulators/server/plugin'; import { RecordingServiceNowSimulator } from '../../../alerting_api_integration/common/fixtures/plugins/actions_simulators/server/servicenow_simulation'; -import { - getRuleForSignalTesting, - createRule, - waitForRuleSuccessOrStatus, - waitForSignalsToBePresent, - getSignalsByIds, - getQuerySignalIds, -} from '../../../detection_engine_api_integration/utils'; function toArray(input: T | T[]): T[] { if (Array.isArray(input)) { 
@@ -1430,29 +1418,3 @@ export const getReferenceFromEsResponse = ( esResponse: TransportResult, unknown>, id: string ) => esResponse.body._source?.references?.find((r) => r.id === id); - -export const createSecuritySolutionAlerts = async ( - supertest: SuperTest.SuperTest, - log: ToolingLog -): Promise> => { - const rule = getRuleForSignalTesting(['auditbeat-*']); - const { id } = await createRule(supertest, log, rule); - await waitForRuleSuccessOrStatus(supertest, log, id); - await waitForSignalsToBePresent(supertest, log, 1, [id]); - const signals = await getSignalsByIds(supertest, log, [id]); - - return signals; -}; - -export const getSecuritySolutionAlerts = async ( - supertest: SuperTest.SuperTest, - alertIds: string[] -): Promise> => { - const { body: updatedAlert } = await supertest - .post(DETECTION_ENGINE_QUERY_SIGNALS_URL) - .set('kbn-xsrf', 'true') - .send(getQuerySignalIds(alertIds)) - .expect(200); - - return updatedAlert; -}; diff --git a/x-pack/test/cases_api_integration/security_and_spaces/tests/common/comments/post_comment.ts b/x-pack/test/cases_api_integration/security_and_spaces/tests/common/comments/post_comment.ts index 79c6c70e4f9c4..82b059417a5cb 100644 --- a/x-pack/test/cases_api_integration/security_and_spaces/tests/common/comments/post_comment.ts +++ b/x-pack/test/cases_api_integration/security_and_spaces/tests/common/comments/post_comment.ts @@ -35,8 +35,6 @@ import { removeServerGeneratedPropertiesFromSavedObject, superUserSpace1Auth, updateCase, - createSecuritySolutionAlerts, - getSecuritySolutionAlerts, } from '../../../../common/lib/utils'; import { createSignalsIndex, @@ -53,6 +51,11 @@ import { secOnlyRead, superUser, } from '../../../../common/lib/authentication/users'; +import { + getSecuritySolutionAlerts, + createSecuritySolutionAlerts, + getAlertById, +} from '../../../../common/lib/alerts'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext): void => { 
@@ -346,127 +349,219 @@ export default ({ getService }: FtrProviderContext): void => { }); describe('alerts', () => { - beforeEach(async () => { - await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); - await createSignalsIndex(supertest, log); - }); + describe('security_solution', () => { + beforeEach(async () => { + await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); + await createSignalsIndex(supertest, log); + }); - afterEach(async () => { - await deleteSignalsIndex(supertest, log); - await deleteAllAlerts(supertest, log); - await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'); - }); + afterEach(async () => { + await deleteSignalsIndex(supertest, log); + await deleteAllAlerts(supertest, log); + await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'); + }); - const createCommentAndRefreshIndex = async ( - caseId: string, - alertId: string, - alertIndex: string, - expectedHttpCode?: number - ) => { - await createComment({ - supertest, - caseId, - params: { - alertId, - index: alertIndex, - rule: { - id: 'id', - name: 'name', + const createCommentAndRefreshIndex = async ( + caseId: string, + alertId: string, + alertIndex: string, + expectedHttpCode?: number + ) => { + await createComment({ + supertest, + caseId, + params: { + alertId, + index: alertIndex, + rule: { + id: 'id', + name: 'name', + }, + owner: 'securitySolutionFixture', + type: CommentType.alert, }, - owner: 'securitySolutionFixture', - type: CommentType.alert, - }, - expectedHttpCode, + expectedHttpCode, + }); + + await es.indices.refresh({ index: alertIndex }); + }; + + const bulkCreateAlertsAndVerifyAlertStatus = async ( + syncAlerts: boolean, + expectedAlertStatus: string + ) => { + const postedCase = await createCase(supertest, { + ...postCaseReq, + settings: { syncAlerts }, + }); + + await updateCase({ + supertest, + params: { + cases: [ + { + id: postedCase.id, + version: postedCase.version, + status: 
CaseStatuses['in-progress'], + }, + ], + }, + }); + + const signals = await createSecuritySolutionAlerts(supertest, log); + + const alert = signals.hits.hits[0]; + expect(alert._source?.[ALERT_WORKFLOW_STATUS]).eql('open'); + + await createCommentAndRefreshIndex(postedCase.id, alert._id, alert._index); + + const updatedAlert = await getSecuritySolutionAlerts(supertest, [alert._id]); + + expect(updatedAlert.hits.hits[0]._source?.[ALERT_WORKFLOW_STATUS]).eql( + expectedAlertStatus + ); + }; + + const bulkCreateAlertsAndVerifyCaseIdsInAlertSchema = async (totalCases: number) => { + const cases = await Promise.all( + [...Array(totalCases).keys()].map((index) => + createCase(supertest, { + ...postCaseReq, + settings: { syncAlerts: false }, + }) + ) + ); + + const signals = await createSecuritySolutionAlerts(supertest, log); + const alert = signals.hits.hits[0]; + + for (const theCase of cases) { + await createCommentAndRefreshIndex(theCase.id, alert._id, alert._index); + } + + const updatedAlert = await getSecuritySolutionAlerts(supertest, [alert._id]); + const caseIds = cases.map((theCase) => theCase.id); + + expect(updatedAlert.hits.hits[0]._source?.[ALERT_CASE_IDS]).eql(caseIds); + + return updatedAlert; + }; + + it('should change the status of the alert if sync alert is on', async () => { + await bulkCreateAlertsAndVerifyAlertStatus(true, 'acknowledged'); }); - await es.indices.refresh({ index: alertIndex }); - }; + it('should NOT change the status of the alert if sync alert is off', async () => { + await bulkCreateAlertsAndVerifyAlertStatus(false, 'open'); + }); - const bulkCreateAlertsAndVerifyAlertStatus = async ( - syncAlerts: boolean, - expectedAlertStatus: string - ) => { - const postedCase = await createCase(supertest, { - ...postCaseReq, - settings: { syncAlerts }, + it('should add the case ID to the alert schema', async () => { + await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(1); }); - await updateCase({ - supertest, - params: { - cases: [ - { - id: 
postedCase.id, - version: postedCase.version, - status: CaseStatuses['in-progress'], - }, - ], - }, + it('should add multiple case ids to the alert schema', async () => { + await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(2); }); - const signals = await createSecuritySolutionAlerts(supertest, log); + it('should not add more than 10 cases to an alert', async () => { + const updatedAlert = await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(10); + const alert = updatedAlert.hits.hits[0]; - const alert = signals.hits.hits[0]; - expect(alert._source?.[ALERT_WORKFLOW_STATUS]).eql('open'); + const postedCase = await createCase(supertest, { + ...postCaseReq, + settings: { syncAlerts: false }, + }); - await createCommentAndRefreshIndex(postedCase.id, alert._id, alert._index); + createCommentAndRefreshIndex(postedCase.id, alert._id, alert._index, 400); + }); + }); - const updatedAlert = await getSecuritySolutionAlerts(supertest, [alert._id]); + describe('observability', () => { + const alertId = 'NoxgpHkBqbdrfX07MqXV'; + const ampIndex = '.alerts-observability.apm.alerts'; - expect(updatedAlert.hits.hits[0]._source?.[ALERT_WORKFLOW_STATUS]).eql(expectedAlertStatus); - }; + beforeEach(async () => { + await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts'); + }); - const bulkCreateAlertsAndVerifyCaseIdsInAlertSchema = async (totalCases: number) => { - const cases = await Promise.all( - [...Array(totalCases).keys()].map((index) => - createCase(supertest, { - ...postCaseReq, - settings: { syncAlerts: false }, - }) - ) - ); + afterEach(async () => { + await esArchiver.unload('x-pack/test/functional/es_archives/rule_registry/alerts'); + }); - const signals = await createSecuritySolutionAlerts(supertest, log); - const alert = signals.hits.hits[0]; + const bulkCreateAlertsAndVerifyCaseIdsInAlertSchema = async (totalCases: number) => { + const cases = await Promise.all( + [...Array(totalCases).keys()].map((index) => + createCase(supertest, { + 
...postCaseReq, + owner: 'observabilityFixture', + settings: { syncAlerts: false }, + }) + ) + ); - for (const theCase of cases) { - await createCommentAndRefreshIndex(theCase.id, alert._id, alert._index); - } + for (const theCase of cases) { + await createComment({ + supertest, + caseId: theCase.id, + params: { + alertId, + index: ampIndex, + rule: { + id: 'id', + name: 'name', + }, + owner: 'observabilityFixture', + type: CommentType.alert, + }, + }); + } - const updatedAlert = await getSecuritySolutionAlerts(supertest, [alert._id]); - const caseIds = cases.map((theCase) => theCase.id); + const alert = await getAlertById({ + supertest, + id: alertId, + index: ampIndex, + auth: { user: superUser, space: 'space1' }, + }); - expect(updatedAlert.hits.hits[0]._source?.[ALERT_CASE_IDS]).eql(caseIds); + const caseIds = cases.map((theCase) => theCase.id); - return updatedAlert; - }; + expect(alert['kibana.alert.case_ids']).eql(caseIds); - it('should change the status of the alert if sync alert is on', async () => { - await bulkCreateAlertsAndVerifyAlertStatus(true, 'acknowledged'); - }); + return alert; + }; - it('should NOT change the status of the alert if sync alert is off', async () => { - await bulkCreateAlertsAndVerifyAlertStatus(false, 'open'); - }); + it('should add the case ID to the alert schema', async () => { + await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(1); + }); - it('should add the case ID to the alert schema', async () => { - await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(1); - }); + it('should add multiple case ids to the alert schema', async () => { + await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(2); + }); - it('should add multiple case ids to the alert schema', async () => { - await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(2); - }); + it('should not add more than 10 cases to an alert', async () => { + await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(10); - it('should not add more than 10 cases to an alert', async () => { - 
const updatedAlert = await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(10); - const alert = updatedAlert.hits.hits[0]; + const postedCase = await createCase(supertest, { + ...postCaseReq, + settings: { syncAlerts: false }, + }); - const postedCase = await createCase(supertest, { - ...postCaseReq, - settings: { syncAlerts: false }, + await createComment({ + supertest, + caseId: postedCase.id, + params: { + alertId, + index: ampIndex, + rule: { + id: 'id', + name: 'name', + }, + owner: 'observabilityFixture', + type: CommentType.alert, + }, + expectedHttpCode: 400, + }); }); - - createCommentAndRefreshIndex(postedCase.id, alert._id, alert._index, 400); }); }); diff --git a/x-pack/test/cases_api_integration/security_and_spaces/tests/common/internal/bulk_create_attachments.ts b/x-pack/test/cases_api_integration/security_and_spaces/tests/common/internal/bulk_create_attachments.ts index 4e3f88d042a2b..01d1d806b61f4 100644 --- a/x-pack/test/cases_api_integration/security_and_spaces/tests/common/internal/bulk_create_attachments.ts +++ b/x-pack/test/cases_api_integration/security_and_spaces/tests/common/internal/bulk_create_attachments.ts @@ -34,8 +34,6 @@ import { createCaseAndBulkCreateAttachments, bulkCreateAttachments, updateCase, - createSecuritySolutionAlerts, - getSecuritySolutionAlerts, } from '../../../../common/lib/utils'; import { createSignalsIndex, @@ -52,6 +50,11 @@ import { secOnlyRead, superUser, } from '../../../../common/lib/authentication/users'; +import { + getSecuritySolutionAlerts, + createSecuritySolutionAlerts, + getAlertById, +} from '../../../../common/lib/alerts'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext): void => { 
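Review bot: In the security_solution `should not add more than 10 cases to an alert` test, `createCommentAndRefreshIndex(postedCase.id, alert._id, alert._index, 400);` is still not awaited, so the test can complete before the request resolves and the 10-case limit is never actually asserted; it should read `await createCommentAndRefreshIndex(postedCase.id, alert._id, alert._index, 400);`. In the observability variant of that test the eleventh case is created from `postCaseReq` without `owner: 'observabilityFixture'` while the comment carries that owner, so, assuming `postCaseReq` defaults to a different owner, the 400 may come from an owner mismatch rather than from the limit; adding `owner: 'observabilityFixture'` to that `createCase` call pins the rejection to the limit. The observability test in bulk_create_attachments.ts creates its eleventh case the same way. `ampIndex` also looks like a typo for `apmIndex`, given the value `.alerts-observability.apm.alerts`.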
@@ -463,94 +466,148 @@ export default ({ getService }: FtrProviderContext): void => { }); describe('alerts', () => { - beforeEach(async () => { - await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); - await createSignalsIndex(supertest, log); - }); - - afterEach(async () => { - await deleteSignalsIndex(supertest, log); - await deleteAllAlerts(supertest, log); - await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'); - }); + describe('security_solution', () => { + beforeEach(async () => { + await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); + await createSignalsIndex(supertest, log); + }); - const bulkCreateAlertsAndVerifyAlertStatus = async ( - syncAlerts: boolean, - expectedAlertStatus: string - ) => { - const postedCase = await createCase(supertest, { - ...postCaseReq, - settings: { syncAlerts }, + afterEach(async () => { + await deleteSignalsIndex(supertest, log); + await deleteAllAlerts(supertest, log); + await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'); }); - await updateCase({ - supertest, - params: { - cases: [ - { - id: postedCase.id, - version: postedCase.version, - status: CaseStatuses['in-progress'], + const bulkCreateAlertsAndVerifyAlertStatus = async ( + syncAlerts: boolean, + expectedAlertStatus: string + ) => { + const postedCase = await createCase(supertest, { + ...postCaseReq, + settings: { syncAlerts }, + }); + + await updateCase({ + supertest, + params: { + cases: [ + { + id: postedCase.id, + version: postedCase.version, + status: CaseStatuses['in-progress'], + }, + ], + }, + }); + + const signals = await createSecuritySolutionAlerts(supertest, log); + + const attachments: CommentRequest[] = []; + const indices: string[] = []; + const ids: string[] = []; + + signals.hits.hits.forEach((alert) => { + expect(alert._source?.[ALERT_WORKFLOW_STATUS]).eql('open'); + attachments.push({ + alertId: alert._id, + index: alert._index, + rule: { + id: 'id', + 
name: 'name', }, - ], - }, - }); + owner: 'securitySolutionFixture', + type: CommentType.alert, + }); - const signals = await createSecuritySolutionAlerts(supertest, log); + indices.push(alert._index); + ids.push(alert._id); + }); - const attachments: CommentRequest[] = []; - const indices: string[] = []; - const ids: string[] = []; + await bulkCreateAttachments({ + supertest, + caseId: postedCase.id, + params: attachments, + }); - signals.hits.hits.forEach((alert) => { - expect(alert._source?.[ALERT_WORKFLOW_STATUS]).eql('open'); - attachments.push({ - alertId: alert._id, - index: alert._index, - rule: { - id: 'id', - name: 'name', - }, - owner: 'securitySolutionFixture', - type: CommentType.alert, + await es.indices.refresh({ index: indices }); + + const updatedAlerts = await getSecuritySolutionAlerts(supertest, ids); + + updatedAlerts.hits.hits.forEach((alert) => { + expect(alert._source?.[ALERT_WORKFLOW_STATUS]).eql(expectedAlertStatus); }); + }; - indices.push(alert._index); - ids.push(alert._id); - }); + const bulkCreateAlertsAndVerifyCaseIdsInAlertSchema = async (totalCases: number) => { + const cases = await Promise.all( + [...Array(totalCases).keys()].map((index) => + createCase(supertest, { + ...postCaseReq, + settings: { syncAlerts: false }, + }) + ) + ); - await bulkCreateAttachments({ - supertest, - caseId: postedCase.id, - params: attachments, + const signals = await createSecuritySolutionAlerts(supertest, log); + const alert = signals.hits.hits[0]; + + for (const theCase of cases) { + await bulkCreateAttachments({ + supertest, + caseId: theCase.id, + params: [ + { + alertId: alert._id, + index: alert._index, + rule: { + id: 'id', + name: 'name', + }, + owner: 'securitySolutionFixture', + type: CommentType.alert, + }, + ], + }); + } + + await es.indices.refresh({ index: alert._index }); + + const updatedAlert = await getSecuritySolutionAlerts(supertest, [alert._id]); + const caseIds = cases.map((theCase) => theCase.id); + + 
expect(updatedAlert.hits.hits[0]._source?.[ALERT_CASE_IDS]).eql(caseIds); + + return updatedAlert; + }; + + it('should change the status of the alerts if sync alert is on', async () => { + await bulkCreateAlertsAndVerifyAlertStatus(true, 'acknowledged'); }); - await es.indices.refresh({ index: indices }); + it('should NOT change the status of the alert if sync alert is off', async () => { + await bulkCreateAlertsAndVerifyAlertStatus(false, 'open'); + }); - const updatedAlerts = await getSecuritySolutionAlerts(supertest, ids); + it('should add the case ID to the alert schema', async () => { + await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(1); + }); - updatedAlerts.hits.hits.forEach((alert) => { - expect(alert._source?.[ALERT_WORKFLOW_STATUS]).eql(expectedAlertStatus); + it('should add multiple case ids to the alert schema', async () => { + await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(2); }); - }; - const bulkCreateAlertsAndVerifyCaseIdsInAlertSchema = async (totalCases: number) => { - const cases = await Promise.all( - [...Array(totalCases).keys()].map((index) => - createCase(supertest, { - ...postCaseReq, - settings: { syncAlerts: false }, - }) - ) - ); + it('should not add more than 10 cases to an alert', async () => { + const updatedAlert = await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(10); + const alert = updatedAlert.hits.hits[0]; - const signals = await createSecuritySolutionAlerts(supertest, log); - const alert = signals.hits.hits[0]; + const postedCase = await createCase(supertest, { + ...postCaseReq, + settings: { syncAlerts: false }, + }); - for (const theCase of cases) { await bulkCreateAttachments({ supertest, - caseId: theCase.id, + caseId: postedCase.id, params: [ { alertId: alert._id, 
@@ -563,60 +620,100 @@ export default ({ getService }: FtrProviderContext): void => { type: CommentType.alert, }, ], + expectedHttpCode: 400, }); - } + }); + }); - await es.indices.refresh({ index: alert._index }); + describe('observability', () => { + const alertId = 'NoxgpHkBqbdrfX07MqXV'; + const ampIndex = '.alerts-observability.apm.alerts'; - const updatedAlert = await getSecuritySolutionAlerts(supertest, [alert._id]); - const caseIds = cases.map((theCase) => theCase.id); + beforeEach(async () => { + await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts'); + }); - expect(updatedAlert.hits.hits[0]._source?.[ALERT_CASE_IDS]).eql(caseIds); + afterEach(async () => { + await esArchiver.unload('x-pack/test/functional/es_archives/rule_registry/alerts'); + }); - return updatedAlert; - }; + const bulkCreateAlertsAndVerifyCaseIdsInAlertSchema = async (totalCases: number) => { + const cases = await Promise.all( + [...Array(totalCases).keys()].map((index) => + createCase(supertest, { + ...postCaseReq, + owner: 'observabilityFixture', + settings: { syncAlerts: false }, + }) + ) + ); - it('should change the status of the alerts if sync alert is on', async () => { - await bulkCreateAlertsAndVerifyAlertStatus(true, 'acknowledged'); - }); + for (const theCase of cases) { + await bulkCreateAttachments({ + supertest, + caseId: theCase.id, + params: [ + { + alertId, + index: ampIndex, + rule: { + id: 'id', + name: 'name', + }, + owner: 'observabilityFixture', + type: CommentType.alert, + }, + ], + }); + } - it('should NOT change the status of the alert if sync alert is off', async () => { - await bulkCreateAlertsAndVerifyAlertStatus(false, 'open'); - }); + const alert = await getAlertById({ + supertest, + id: alertId, + index: ampIndex, + auth: { user: superUser, space: 'space1' }, + }); - it('should add the case ID to the alert schema', async () => { - await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(1); - }); + const caseIds = cases.map((theCase) => 
theCase.id); - it('should add multiple case ids to the alert schema', async () => { - await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(2); - }); + expect(alert['kibana.alert.case_ids']).eql(caseIds); - it('should not add more than 10 cases to an alert', async () => { - const updatedAlert = await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(10); - const alert = updatedAlert.hits.hits[0]; + return alert; + }; - const postedCase = await createCase(supertest, { - ...postCaseReq, - settings: { syncAlerts: false }, + it('should add the case ID to the alert schema', async () => { + await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(1); }); - await bulkCreateAttachments({ - supertest, - caseId: postedCase.id, - params: [ - { - alertId: alert._id, - index: alert._index, - rule: { - id: 'id', - name: 'name', + it('should add multiple case ids to the alert schema', async () => { + await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(2); + }); + + it('should not add more than 10 cases to an alert', async () => { + await bulkCreateAlertsAndVerifyCaseIdsInAlertSchema(10); + + const postedCase = await createCase(supertest, { + ...postCaseReq, + settings: { syncAlerts: false }, + }); + + await bulkCreateAttachments({ + supertest, + caseId: postedCase.id, + params: [ + { + alertId, + index: ampIndex, + rule: { + id: 'id', + name: 'name', + }, + owner: 'securitySolutionFixture', + type: CommentType.alert, }, - owner: 'securitySolutionFixture', - type: CommentType.alert, - }, - ], - expectedHttpCode: 400, + ], + expectedHttpCode: 400, + }); }); }); });
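Review bot: The observability `should not add more than 10 cases to an alert` test sends its eleventh attachment with `owner: 'securitySolutionFixture'`, while every other attachment in this describe block uses `'observabilityFixture'`; this looks like a leftover from the security_solution copy. Because that request differs from the ten accepted ones in owner as well as in count, a 400 here does not show that the case-id limit was what rejected it. Changing the attachment to `owner: 'observabilityFixture'` would make the test fail if the limit check regressed.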