License checks for actions plugin (#59070) (#60761)

* Define minimum license required for each action type (#58668)

* Add minimum required license

* Require at least gold license as a minimum license required on third party action types

* Use strings for license references

* Ensure license type is valid

* Fix some tests

* Add servicenow to gold

* Add tests

* Set license requirements on other built in action types

* Use jest.Mocked<ActionType> instead

* Change servicenow to platinum

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

* Make actions config mock and license state mock use factory pattern and jest mocks (#59370)

* Add license checks to action HTTP APIs (#59153)

* Initial work

* Handle errors in update action API

* Add unit tests for APIs

* Make action executor throw when action type isn't enabled

* Add test suite for basic license

* Fix ESLint errors

* Fix failing tests

* Attempt 1 to fix CI

* ESLint fixes

* Create sendResponse function on ActionTypeDisabledError

* Make disabled action types by config return 403

* Remove switch case

* Fix ESLint

* Add license checks within alerting / actions framework (#59699)

* Initial work

* Handle errors in update action API

* Add unit tests for APIs

* Verify action type before scheduling action task

* Make actions plugin.execute throw error if action type is disabled

* Bug fixes

* Make action executor throw when action type isn't enabled

* Add test suite for basic license

* Fix ESLint errors

* Stop action task from re-running when license check fails

* Fix failing tests

* Attempt 1 to fix CI

* ESLint fixes

* Create sendResponse function on ActionTypeDisabledError

* Make disabled action types by config return 403

* Remove switch case

* Fix ESLint

* Fix confusing assertion

* Add comment explaining double mock

* Log warning when alert action isn't scheduled

* Disable action types in UI when license doesn't support it (#59819)

* Initial work

* Handle errors in update action API

* Add unit tests for APIs

* Verify action type before scheduling action task

* Make actions plugin.execute throw error if action type is disabled

* Bug fixes

* Make action executor throw when action type isn't enabled

* Add test suite for basic license

* Fix ESLint errors

* Stop action task from re-running when license check fails

* Fix failing tests

* Attempt 1 to fix CI

* ESLint fixes

* Return enabledInConfig and enabledInLicense from actions get types API

* Disable cards that have invalid license in create connector flyout

* Create sendResponse function on ActionTypeDisabledError

* Make disabled action types by config return 403

* Remove switch case

* Fix ESLint

* Disable when creating alert action

* Return minimumLicenseRequired in /types API

* Disable row in connectors when action type is disabled

* Fix failing jest test

* Some refactoring

* Card in edit alert flyout

* Sort action types by name

* Add tooltips to create connector action type selector

* Add tooltips to alert flyout action type selector

* Add get more actions link in alert flyout

* Add callout when creating a connector

* Typos

* remove float right and use flexgroup

* replace pixels with eui variables

* turn on sass lint for triggers_actions_ui dir

* trying to add padding around cards

* Add callout in edit alert screen when some actions are disabled

* improve card selection for Add Connector flyout

* Fix cards for create connector

* Add tests

* ESLint issue

* Cleanup

* Cleanup pt2

* Fix type check errors

* moving to 3-columns cards for connector selection

* Change re-enable to enable terminology

* Revert "Change re-enable to enable terminology"

This reverts commit b497dfd.

* Add re-enable comment

* Remove unecessary fragment

* Add type to actionTypeNodes

* Fix EuiLink to not have opacity of 0.7 when not hovered

* design cleanup in progress

* updating classNames

* using EuiIconTip

* Remove label on icon tip

* Fix failing jest test

Co-authored-by: Andrea Del Rio <delrio.andre@gmail.com>

* Add index to .index action type test

* PR feedback

* Add isErrorThatHandlesItsOwnResponse

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Andrea Del Rio <delrio.andre@gmail.com>

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Andrea Del Rio <delrio.andre@gmail.com>

.sass-lint.yml

@@ -7,6 +7,7 @@ files:
     - 'x-pack/legacy/plugins/rollup/**/*.s+(a|c)ss'
     - 'x-pack/legacy/plugins/security/**/*.s+(a|c)ss'
     - 'x-pack/legacy/plugins/canvas/**/*.s+(a|c)ss'
+    - 'x-pack/plugins/triggers_actions_ui/**/*.s+(a|c)ss'
   ignore:
     - 'x-pack/legacy/plugins/canvas/shareable_runtime/**/*.s+(a|c)ss'
     - 'x-pack/legacy/plugins/lens/**/*.s+(a|c)ss'

x-pack/legacy/plugins/siem/public/pages/case/components/configure_cases/index.tsx

@@ -21,6 +21,7 @@ import { useConnectors } from '../../../../containers/case/configure/use_connect
 import { useCaseConfigure } from '../../../../containers/case/configure/use_configure';
 import {
   ActionsConnectorsContextProvider,
+  ActionType,
   ConnectorAddFlyout,
   ConnectorEditFlyout,
 } from '../../../../../../../../plugins/triggers_actions_ui/public';
@@ -60,11 +61,14 @@ const initialState: State = {
   mapping: null,
 };
 
-const actionTypes = [
+const actionTypes: ActionType[] = [
   {
     id: '.servicenow',
     name: 'ServiceNow',
     enabled: true,
+    enabledInConfig: true,
+    enabledInLicense: true,
+    minimumLicenseRequired: 'platinum',
   },
 ];
 

x-pack/plugins/actions/common/types.ts

@@ -4,10 +4,15 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { LicenseType } from '../../licensing/common/types';
+
 export interface ActionType {
   id: string;
   name: string;
   enabled: boolean;
+  enabledInConfig: boolean;
+  enabledInLicense: boolean;
+  minimumLicenseRequired: LicenseType;
 }
 
 export interface ActionResult {

x-pack/plugins/actions/server/action_type_registry.mock.ts

@@ -13,6 +13,7 @@ const createActionTypeRegistryMock = () => {
     get: jest.fn(),
     list: jest.fn(),
     ensureActionTypeEnabled: jest.fn(),
+    isActionTypeEnabled: jest.fn(),
   };
   return mocked;
 };

x-pack/plugins/actions/server/action_type_registry.test.ts

@@ -5,21 +5,31 @@
  */
 
 import { taskManagerMock } from '../../task_manager/server/task_manager.mock';
-import { ActionTypeRegistry } from './action_type_registry';
-import { ExecutorType } from './types';
-import { ActionExecutor, ExecutorError, TaskRunnerFactory } from './lib';
-import { configUtilsMock } from './actions_config.mock';
+import { ActionTypeRegistry, ActionTypeRegistryOpts } from './action_type_registry';
+import { ActionType, ExecutorType } from './types';
+import { ActionExecutor, ExecutorError, ILicenseState, TaskRunnerFactory } from './lib';
+import { actionsConfigMock } from './actions_config.mock';
+import { licenseStateMock } from './lib/license_state.mock';
+import { ActionsConfigurationUtilities } from './actions_config';
 
 const mockTaskManager = taskManagerMock.setup();
-const actionTypeRegistryParams = {
-  taskManager: mockTaskManager,
-  taskRunnerFactory: new TaskRunnerFactory(
-    new ActionExecutor({ isESOUsingEphemeralEncryptionKey: false })
-  ),
-  actionsConfigUtils: configUtilsMock,
-};
+let mockedLicenseState: jest.Mocked<ILicenseState>;
+let mockedActionsConfig: jest.Mocked<ActionsConfigurationUtilities>;
+let actionTypeRegistryParams: ActionTypeRegistryOpts;
 
-beforeEach(() => jest.resetAllMocks());
+beforeEach(() => {
+  jest.resetAllMocks();
+  mockedLicenseState = licenseStateMock.create();
+  mockedActionsConfig = actionsConfigMock.create();
+  actionTypeRegistryParams = {
+    taskManager: mockTaskManager,
+    taskRunnerFactory: new TaskRunnerFactory(
+      new ActionExecutor({ isESOUsingEphemeralEncryptionKey: false })
+    ),
+    actionsConfigUtils: mockedActionsConfig,
+    licenseState: mockedLicenseState,
+  };
+});
 
 const executor: ExecutorType = async options => {
   return { status: 'ok', actionId: options.actionId };
@@ -31,6 +41,7 @@ describe('register()', () => {
     actionTypeRegistry.register({
       id: 'my-action-type',
       name: 'My action type',
+      minimumLicenseRequired: 'basic',
       executor,
     });
     expect(actionTypeRegistry.has('my-action-type')).toEqual(true);
@@ -55,12 +66,14 @@ describe('register()', () => {
     actionTypeRegistry.register({
       id: 'my-action-type',
       name: 'My action type',
+      minimumLicenseRequired: 'basic',
       executor,
     });
     expect(() =>
       actionTypeRegistry.register({
         id: 'my-action-type',
         name: 'My action type',
+        minimumLicenseRequired: 'basic',
         executor,
       })
     ).toThrowErrorMatchingInlineSnapshot(
@@ -73,6 +86,7 @@ describe('register()', () => {
     actionTypeRegistry.register({
       id: 'my-action-type',
       name: 'My action type',
+      minimumLicenseRequired: 'basic',
       executor,
     });
     expect(mockTaskManager.registerTaskDefinitions).toHaveBeenCalledTimes(1);
@@ -94,13 +108,15 @@ describe('get()', () => {
     actionTypeRegistry.register({
       id: 'my-action-type',
       name: 'My action type',
+      minimumLicenseRequired: 'basic',
       executor,
     });
     const actionType = actionTypeRegistry.get('my-action-type');
     expect(actionType).toMatchInlineSnapshot(`
       Object {
         "executor": [Function],
         "id": "my-action-type",
+        "minimumLicenseRequired": "basic",
         "name": "My action type",
       }
     `);
@@ -116,10 +132,12 @@ describe('get()', () => {
 
 describe('list()', () => {
   test('returns list of action types', () => {
+    mockedLicenseState.isLicenseValidForActionType.mockReturnValue({ isValid: true });
     const actionTypeRegistry = new ActionTypeRegistry(actionTypeRegistryParams);
     actionTypeRegistry.register({
       id: 'my-action-type',
       name: 'My action type',
+      minimumLicenseRequired: 'basic',
       executor,
     });
     const actionTypes = actionTypeRegistry.list();
@@ -128,8 +146,13 @@ describe('list()', () => {
         id: 'my-action-type',
         name: 'My action type',
         enabled: true,
+        enabledInConfig: true,
+        enabledInLicense: true,
+        minimumLicenseRequired: 'basic',
       },
     ]);
+    expect(mockedActionsConfig.isActionTypeEnabled).toHaveBeenCalled();
+    expect(mockedLicenseState.isLicenseValidForActionType).toHaveBeenCalled();
   });
 });
 
@@ -144,8 +167,94 @@ describe('has()', () => {
     actionTypeRegistry.register({
       id: 'my-action-type',
       name: 'My action type',
+      minimumLicenseRequired: 'basic',
       executor,
     });
     expect(actionTypeRegistry.has('my-action-type'));
   });
 });
+
+describe('isActionTypeEnabled', () => {
+  let actionTypeRegistry: ActionTypeRegistry;
+  const fooActionType: ActionType = {
+    id: 'foo',
+    name: 'Foo',
+    minimumLicenseRequired: 'basic',
+    executor: async () => {},
+  };
+
+  beforeEach(() => {
+    actionTypeRegistry = new ActionTypeRegistry(actionTypeRegistryParams);
+    actionTypeRegistry.register(fooActionType);
+  });
+
+  test('should call isActionTypeEnabled of the actions config', async () => {
+    mockedLicenseState.isLicenseValidForActionType.mockReturnValue({ isValid: true });
+    actionTypeRegistry.isActionTypeEnabled('foo');
+    expect(mockedActionsConfig.isActionTypeEnabled).toHaveBeenCalledWith('foo');
+  });
+
+  test('should call isLicenseValidForActionType of the license state', async () => {
+    mockedLicenseState.isLicenseValidForActionType.mockReturnValue({ isValid: true });
+    actionTypeRegistry.isActionTypeEnabled('foo');
+    expect(mockedLicenseState.isLicenseValidForActionType).toHaveBeenCalledWith(fooActionType);
+  });
+
+  test('should return false when isActionTypeEnabled is false and isLicenseValidForActionType is true', async () => {
+    mockedActionsConfig.isActionTypeEnabled.mockReturnValue(false);
+    mockedLicenseState.isLicenseValidForActionType.mockReturnValue({ isValid: true });
+    expect(actionTypeRegistry.isActionTypeEnabled('foo')).toEqual(false);
+  });
+
+  test('should return false when isActionTypeEnabled is true and isLicenseValidForActionType is false', async () => {
+    mockedActionsConfig.isActionTypeEnabled.mockReturnValue(true);
+    mockedLicenseState.isLicenseValidForActionType.mockReturnValue({
+      isValid: false,
+      reason: 'invalid',
+    });
+    expect(actionTypeRegistry.isActionTypeEnabled('foo')).toEqual(false);
+  });
+});
+
+describe('ensureActionTypeEnabled', () => {
+  let actionTypeRegistry: ActionTypeRegistry;
+  const fooActionType: ActionType = {
+    id: 'foo',
+    name: 'Foo',
+    minimumLicenseRequired: 'basic',
+    executor: async () => {},
+  };
+
+  beforeEach(() => {
+    actionTypeRegistry = new ActionTypeRegistry(actionTypeRegistryParams);
+    actionTypeRegistry.register(fooActionType);
+  });
+
+  test('should call ensureActionTypeEnabled of the action config', async () => {
+    actionTypeRegistry.ensureActionTypeEnabled('foo');
+    expect(mockedActionsConfig.ensureActionTypeEnabled).toHaveBeenCalledWith('foo');
+  });
+
+  test('should call ensureLicenseForActionType on the license state', async () => {
+    actionTypeRegistry.ensureActionTypeEnabled('foo');
+    expect(mockedLicenseState.ensureLicenseForActionType).toHaveBeenCalledWith(fooActionType);
+  });
+
+  test('should throw when ensureActionTypeEnabled throws', async () => {
+    mockedActionsConfig.ensureActionTypeEnabled.mockImplementation(() => {
+      throw new Error('Fail');
+    });
+    expect(() =>
+      actionTypeRegistry.ensureActionTypeEnabled('foo')
+    ).toThrowErrorMatchingInlineSnapshot(`"Fail"`);
+  });
+
+  test('should throw when ensureLicenseForActionType throws', async () => {
+    mockedLicenseState.ensureLicenseForActionType.mockImplementation(() => {
+      throw new Error('Fail');
+    });
+    expect(() =>
+      actionTypeRegistry.ensureActionTypeEnabled('foo')
+    ).toThrowErrorMatchingInlineSnapshot(`"Fail"`);
+  });
+});

x-pack/plugins/actions/server/action_type_registry.ts

@@ -7,27 +7,30 @@
 import Boom from 'boom';
 import { i18n } from '@kbn/i18n';
 import { RunContext, TaskManagerSetupContract } from '../../task_manager/server';
-import { ExecutorError, TaskRunnerFactory } from './lib';
+import { ExecutorError, TaskRunnerFactory, ILicenseState } from './lib';
 import { ActionType } from './types';
 import { ActionType as CommonActionType } from '../common';
 import { ActionsConfigurationUtilities } from './actions_config';
 
-interface ConstructorOptions {
+export interface ActionTypeRegistryOpts {
   taskManager: TaskManagerSetupContract;
   taskRunnerFactory: TaskRunnerFactory;
   actionsConfigUtils: ActionsConfigurationUtilities;
+  licenseState: ILicenseState;
 }
 
 export class ActionTypeRegistry {
   private readonly taskManager: TaskManagerSetupContract;
   private readonly actionTypes: Map<string, ActionType> = new Map();
   private readonly taskRunnerFactory: TaskRunnerFactory;
   private readonly actionsConfigUtils: ActionsConfigurationUtilities;
+  private readonly licenseState: ILicenseState;
 
-  constructor(constructorParams: ConstructorOptions) {
+  constructor(constructorParams: ActionTypeRegistryOpts) {
     this.taskManager = constructorParams.taskManager;
     this.taskRunnerFactory = constructorParams.taskRunnerFactory;
     this.actionsConfigUtils = constructorParams.actionsConfigUtils;
+    this.licenseState = constructorParams.licenseState;
   }
 
   /**
@@ -42,6 +45,17 @@ export class ActionTypeRegistry {
    */
   public ensureActionTypeEnabled(id: string) {
     this.actionsConfigUtils.ensureActionTypeEnabled(id);
+    this.licenseState.ensureLicenseForActionType(this.get(id));
+  }
+
+  /**
+   * Returns true if action type is enabled in the config and a valid license is used.
+   */
+  public isActionTypeEnabled(id: string) {
+    return (
+      this.actionsConfigUtils.isActionTypeEnabled(id) &&
+      this.licenseState.isLicenseValidForActionType(this.get(id)).isValid === true
+    );
   }
 
   /**
@@ -103,7 +117,10 @@ export class ActionTypeRegistry {
     return Array.from(this.actionTypes).map(([actionTypeId, actionType]) => ({
       id: actionTypeId,
       name: actionType.name,
-      enabled: this.actionsConfigUtils.isActionTypeEnabled(actionTypeId),
+      minimumLicenseRequired: actionType.minimumLicenseRequired,
+      enabled: this.isActionTypeEnabled(actionTypeId),
+      enabledInConfig: this.actionsConfigUtils.isActionTypeEnabled(actionTypeId),
+      enabledInLicense: this.licenseState.isLicenseValidForActionType(actionType).isValid === true,
     }));
   }
 }