[Cases] Case action: Time window

packages/kbn-check-mappings-update-cli/current_fields.json

@@ -966,5 +966,14 @@
     "kuery",
     "serviceEnvironmentFilterEnabled",
     "serviceNameFilterEnabled"
+  ],
+  "cases-oracle": [
+    "cases",
+    "cases.id",
+    "counter",
+    "createdAt",
+    "rules",
+    "rules.id",
+    "updatedAt"
   ]
 }

x-pack/plugins/cases/server/connectors/cases/cases_connector.test.ts

@@ -5,6 +5,8 @@
  * 2.0.
  */
 
+import dateMath from '@kbn/datemath';
+import moment from 'moment';
 import { actionsConfigMock } from '@kbn/actions-plugin/server/actions_config.mock';
 import { actionsMock } from '@kbn/actions-plugin/server/mocks';
 import { loggingSystemMock } from '@kbn/core-logging-server-mocks';
@@ -19,9 +21,11 @@ import type { Cases } from '../../../common';
 
 jest.mock('./cases_oracle_service');
 jest.mock('./cases_service');
+jest.mock('@kbn/datemath');
 
 const CasesOracleServiceMock = CasesOracleService as jest.Mock;
 const CasesServiceMock = CasesService as jest.Mock;
+const dateMathMock = dateMath as jest.Mocked<typeof dateMath>;
 
 describe('CasesConnector', () => {
   const services = actionsMock.createServices();
@@ -53,7 +57,9 @@ describe('CasesConnector', () => {
     tags: ['rule', 'test'],
     ruleUrl: 'https://example.com/rules/rule-test-id',
   };
+
   const owner = 'cases';
+  const timeWindow = '7d';
 
   const groupedAlertsWithOracleKey = [
     {
@@ -91,8 +97,8 @@ describe('CasesConnector', () => {
       cases: [],
       rules: [],
       grouping: groupedAlertsWithOracleKey[1].grouping,
-      createdAt: '2023-10-10T10:23:42.769Z',
-      updatedAt: '2023-10-10T10:23:42.769Z',
+      createdAt: '2023-10-12T10:23:42.769Z',
+      updatedAt: '2023-10-12T10:23:42.769Z',
     },
     {
       id: groupedAlertsWithOracleKey[2].oracleKey,
@@ -114,6 +120,7 @@ describe('CasesConnector', () => {
   const mockGetRecordId = jest.fn();
   const mockBulkGetRecords = jest.fn();
   const mockBulkCreateRecord = jest.fn();
+  const mockBulkUpdateRecord = jest.fn();
   const mockGetCaseId = jest.fn();
 
   const getCasesClient = jest.fn();
@@ -141,6 +148,7 @@ describe('CasesConnector', () => {
               version: 'so-version-2',
             },
           ]),
+          bulkUpdateRecord: mockBulkUpdateRecord.mockResolvedValue([]),
         };
       });
 
@@ -168,12 +176,14 @@ describe('CasesConnector', () => {
           services,
         },
       });
+
+      dateMathMock.parse.mockImplementation(() => moment('2023-10-09T10:23:42.769Z'));
     });
 
     describe('run', () => {
       describe('Oracle records', () => {
         it('generates the oracle keys correctly with grouping by one field', async () => {
-          await connector.run({ alerts, groupingBy: ['host.name'], owner, rule });
+          await connector.run({ alerts, groupingBy: ['host.name'], owner, rule, timeWindow });
 
           expect(mockGetRecordId).toHaveBeenCalledTimes(2);
 
@@ -193,7 +203,7 @@ describe('CasesConnector', () => {
         });
 
         it('generates the oracle keys correct with grouping by multiple fields', async () => {
-          await connector.run({ alerts, groupingBy, owner, rule });
+          await connector.run({ alerts, groupingBy, owner, rule, timeWindow });
 
           expect(mockGetRecordId).toHaveBeenCalledTimes(3);
 
@@ -208,7 +218,7 @@ describe('CasesConnector', () => {
         });
 
         it('gets the oracle records correctly', async () => {
-          await connector.run({ alerts, groupingBy, owner, rule });
+          await connector.run({ alerts, groupingBy, owner, rule, timeWindow });
 
           expect(mockBulkGetRecords).toHaveBeenCalledWith([
             groupedAlertsWithOracleKey[0].oracleKey,
@@ -218,7 +228,7 @@ describe('CasesConnector', () => {
         });
 
         it('created the non found oracle records correctly', async () => {
-          await connector.run({ alerts, groupingBy, owner, rule });
+          await connector.run({ alerts, groupingBy, owner, rule, timeWindow });
 
           expect(mockBulkCreateRecord).toHaveBeenCalledWith([
             {
@@ -235,15 +245,109 @@ describe('CasesConnector', () => {
         it('does not create oracle records if there are no 404 errors', async () => {
           mockBulkGetRecords.mockResolvedValue([oracleRecords[0]]);
 
-          await connector.run({ alerts, groupingBy, owner, rule });
+          await connector.run({ alerts, groupingBy, owner, rule, timeWindow });
 
           expect(mockBulkCreateRecord).not.toHaveBeenCalled();
         });
+
+        it('does not create oracle records if there are other errors than 404', async () => {
+          mockBulkGetRecords.mockResolvedValue([
+            {
+              id: groupedAlertsWithOracleKey[2].oracleKey,
+              type: CASE_ORACLE_SAVED_OBJECT,
+              message: 'Conflict',
+              statusCode: 409,
+              error: 'Conflict',
+            },
+          ]);
+
+          await connector.run({ alerts, groupingBy, owner, rule, timeWindow });
+
+          /**
+           * TODO: Change it to: expect(mockBulkCreateRecord).not.toHaveBeenCalled();
+           */
+          expect(mockBulkCreateRecord).toHaveBeenCalledWith([]);
+        });
+
+        it('does not increase the counter if the time window has not passed', async () => {
+          mockBulkGetRecords.mockResolvedValue([oracleRecords[0]]);
+          await connector.run({ alerts, groupingBy, owner, rule, timeWindow });
+
+          expect(mockBulkUpdateRecord).not.toHaveBeenCalled();
+        });
+
+        it('updates the counter correctly if the time window has passed', async () => {
+          dateMathMock.parse.mockImplementation(() => moment('2023-11-10T10:23:42.769Z'));
+          await connector.run({ alerts, groupingBy, owner, rule, timeWindow });
+
+          expect(mockBulkUpdateRecord).toHaveBeenCalledWith([
+            { payload: { counter: 2 }, recordId: 'so-oracle-record-0', version: 'so-version-0' },
+            { payload: { counter: 2 }, recordId: 'so-oracle-record-1', version: 'so-version-1' },
+          ]);
+        });
+
+        it('run correctly with all records: valid, counter increased, counter did not increased, created', async () => {
+          dateMathMock.parse.mockImplementation(() => moment('2023-10-11T10:23:42.769Z'));
+          mockBulkCreateRecord.mockResolvedValue([
+            {
+              ...oracleRecords[0],
+              id: groupedAlertsWithOracleKey[2].oracleKey,
+              grouping: groupedAlertsWithOracleKey[2].grouping,
+              version: 'so-version-2',
+            },
+            // Returning errors to verify that the code does not return them
+            {
+              id: 'test-id',
+              type: CASE_ORACLE_SAVED_OBJECT,
+              message: 'Conflict',
+              statusCode: 409,
+              error: 'Conflict',
+            },
+          ]);
+
+          mockBulkUpdateRecord.mockResolvedValue([
+            { ...oracleRecords[0], counter: 2 },
+            // Returning errors to verify that the code does not return them
+            {
+              id: 'test-id',
+              type: CASE_ORACLE_SAVED_OBJECT,
+              message: 'Conflict',
+              statusCode: 409,
+              error: 'Conflict',
+            },
+          ]);
+
+          await connector.run({ alerts, groupingBy, owner, rule, timeWindow });
+
+          // 1. Get all records
+          expect(mockBulkGetRecords).toHaveBeenCalledWith([
+            groupedAlertsWithOracleKey[0].oracleKey,
+            groupedAlertsWithOracleKey[1].oracleKey,
+            groupedAlertsWithOracleKey[2].oracleKey,
+          ]);
+
+          // 2. Create the non found records
+          expect(mockBulkCreateRecord).toHaveBeenCalledWith([
+            {
+              recordId: groupedAlertsWithOracleKey[2].oracleKey,
+              payload: {
+                cases: [],
+                grouping: groupedAlertsWithOracleKey[2].grouping,
+                rules: [],
+              },
+            },
+          ]);
+
+          // 3. Update the counter for the records where the time window has passed
+          expect(mockBulkUpdateRecord).toHaveBeenCalledWith([
+            { payload: { counter: 2 }, recordId: 'so-oracle-record-0', version: 'so-version-0' },
+          ]);
+        });
       });
 
       describe('Cases', () => {
         it('generates the case ids correctly', async () => {
-          await connector.run({ alerts, groupingBy, owner, rule });
+          await connector.run({ alerts, groupingBy, owner, rule, timeWindow });
 
           expect(mockGetCaseId).toHaveBeenCalledTimes(3);
 
@@ -258,8 +362,54 @@ describe('CasesConnector', () => {
           }
         });
 
+        it('generates the case ids correctly when the time window has passed', async () => {
+          dateMathMock.parse.mockImplementation(() => moment('2023-10-11T10:23:42.769Z'));
+
+          mockBulkUpdateRecord.mockResolvedValue([{ ...oracleRecords[0], counter: 2 }]);
+
+          await connector.run({ alerts, groupingBy, owner, rule, timeWindow });
+
+          expect(mockGetCaseId).toBeCalledTimes(3);
+
+          /**
+           * Oracle record index: 1
+           * Should not update the counter
+           */
+          expect(mockGetCaseId).nthCalledWith(1, {
+            counter: 1,
+            grouping: { 'dest.ip': '0.0.0.1', 'host.name': 'B' },
+            owner: 'cases',
+            ruleId: 'rule-test-id',
+            spaceId: 'default',
+          });
+
+          /**
+           * Oracle record index: 3
+           * Not found. Created.
+           */
+          expect(mockGetCaseId).nthCalledWith(2, {
+            counter: 1,
+            grouping: { 'dest.ip': '0.0.0.3', 'host.name': 'B' },
+            owner: 'cases',
+            ruleId: 'rule-test-id',
+            spaceId: 'default',
+          });
+
+          /**
+           * Oracle record index: 0
+           * Should update the counter
+           */
+          expect(mockGetCaseId).nthCalledWith(3, {
+            counter: 2,
+            grouping: { 'dest.ip': '0.0.0.1', 'host.name': 'A' },
+            owner: 'cases',
+            ruleId: 'rule-test-id',
+            spaceId: 'default',
+          });
+        });
+
         it('gets the cases correctly', async () => {
-          await connector.run({ alerts, groupingBy, owner, rule });
+          await connector.run({ alerts, groupingBy, owner, rule, timeWindow });
 
           expect(casesClientMock.cases.bulkGet).toHaveBeenCalledWith({
             ids: ['mock-id-1', 'mock-id-2', 'mock-id-3'],
@@ -286,7 +436,7 @@ describe('CasesConnector', () => {
             ],
           });
 
-          await connector.run({ alerts, groupingBy, owner, rule });
+          await connector.run({ alerts, groupingBy, owner, rule, timeWindow });
 
           expect(casesClientMock.cases.bulkCreate).toHaveBeenCalledWith({
             cases: [
@@ -323,15 +473,15 @@ describe('CasesConnector', () => {
             ],
           });
 
-          await connector.run({ alerts, groupingBy, owner, rule });
+          await connector.run({ alerts, groupingBy, owner, rule, timeWindow });
 
           expect(casesClientMock.cases.bulkCreate).not.toHaveBeenCalled();
         });
       });
 
       describe('Alerts', () => {
         it('attach the alerts to the correct cases correctly', async () => {
-          await connector.run({ alerts, groupingBy, owner, rule });
+          await connector.run({ alerts, groupingBy, owner, rule, timeWindow });
 
           expect(casesClientMock.attachments.bulkCreate).toHaveBeenCalledTimes(3);
 
@@ -397,6 +547,11 @@ describe('CasesConnector', () => {
     });
   });
 
+  /**
+   * In this testing group we test
+   * only the functionality that differs
+   * from the testing with grouping
+   */
   describe('Without grouping', () => {
     beforeEach(() => {
       jest.clearAllMocks();
@@ -440,7 +595,7 @@ describe('CasesConnector', () => {
 
     describe('Oracle records', () => {
       it('generates the oracle keys correctly with no grouping', async () => {
-        await connector.run({ alerts, groupingBy: [], owner, rule });
+        await connector.run({ alerts, groupingBy: [], owner, rule, timeWindow });
 
         expect(mockGetRecordId).toHaveBeenCalledTimes(1);
 
@@ -453,15 +608,15 @@ describe('CasesConnector', () => {
       });
 
       it('gets the oracle records correctly', async () => {
-        await connector.run({ alerts, groupingBy: [], owner, rule });
+        await connector.run({ alerts, groupingBy: [], owner, rule, timeWindow });
 
         expect(mockBulkGetRecords).toHaveBeenCalledWith(['so-oracle-record-0']);
       });
     });
 
     describe('Cases', () => {
       it('generates the case ids correctly', async () => {
-        await connector.run({ alerts, groupingBy: [], owner, rule });
+        await connector.run({ alerts, groupingBy: [], owner, rule, timeWindow });
 
         expect(mockGetCaseId).toHaveBeenCalledTimes(1);
 
@@ -475,7 +630,7 @@ describe('CasesConnector', () => {
       });
 
       it('gets the cases correctly', async () => {
-        await connector.run({ alerts, groupingBy: [], owner, rule });
+        await connector.run({ alerts, groupingBy: [], owner, rule, timeWindow });
 
         expect(casesClientMock.cases.bulkGet).toHaveBeenCalledWith({
           ids: ['mock-id-1'],
@@ -485,7 +640,7 @@ describe('CasesConnector', () => {
 
     describe('Alerts', () => {
       it('attach all alerts to the same case when the grouping is not defined', async () => {
-        await connector.run({ alerts, groupingBy: [], owner, rule });
+        await connector.run({ alerts, groupingBy: [], owner, rule, timeWindow });
         expect(casesClientMock.attachments.bulkCreate).toHaveBeenCalledTimes(1);
 
         expect(casesClientMock.attachments.bulkCreate).nthCalledWith(1, {