[Alerting] Handling connectors with missing secrets during rule creation and action execution

x-pack/plugins/actions/server/create_execute_function.test.ts

@@ -177,6 +177,35 @@ describe('execute()', () => {
     );
   });
 
+  test('throws when isMissingSecrets is true for connector', async () => {
+    const executeFn = createExecutionEnqueuerFunction({
+      taskManager: mockTaskManager,
+      isESOCanEncrypt: true,
+      actionTypeRegistry: actionTypeRegistryMock.create(),
+      preconfiguredActions: [],
+    });
+    savedObjectsClient.get.mockResolvedValueOnce({
+      id: '123',
+      type: 'action',
+      attributes: {
+        name: 'mock-action',
+        isMissingSecrets: true,
+        actionTypeId: 'mock-action',
+      },
+      references: [],
+    });
+    await expect(
+      executeFn(savedObjectsClient, {
+        id: '123',
+        params: { baz: false },
+        spaceId: 'default',
+        apiKey: null,
+      })
+    ).rejects.toThrowErrorMatchingInlineSnapshot(
+      `"Unable to execute action because the referenced connector is incorrectly configured. Please review the configuration for the \\"mock-action\\" connector."`
+    );
+  });
+
   test('should ensure action type is enabled', async () => {
     const mockedActionTypeRegistry = actionTypeRegistryMock.create();
     const executeFn = createExecutionEnqueuerFunction({

x-pack/plugins/actions/server/create_execute_function.ts

@@ -46,12 +46,18 @@ export function createExecutionEnqueuerFunction({
       );
     }
 
-    const actionTypeId = await getActionTypeId(
+    const { actionTypeId, name, isMissingSecrets } = await getAction(
       unsecuredSavedObjectsClient,
       preconfiguredActions,
       id
     );
 
+    if (isMissingSecrets) {
+      throw new Error(
+        `Unable to execute action because the referenced connector is incorrectly configured. Please review the configuration for the "${name}" connector.`
+      );
+    }
+
     if (!actionTypeRegistry.isActionExecutable(id, actionTypeId, { notifyUsage: true })) {
       actionTypeRegistry.ensureActionTypeEnabled(actionTypeId);
     }
@@ -91,18 +97,16 @@ function executionSourceAsSavedObjectReferences(executionSource: ActionExecutorO
     : {};
 }
 
-async function getActionTypeId(
+async function getAction(
   unsecuredSavedObjectsClient: SavedObjectsClientContract,
   preconfiguredActions: PreConfiguredAction[],
   actionId: string
-): Promise<string> {
+): Promise<PreConfiguredAction | RawAction> {
   const pcAction = preconfiguredActions.find((action) => action.id === actionId);
   if (pcAction) {
-    return pcAction.actionTypeId;
+    return pcAction;
   }
 
-  const {
-    attributes: { actionTypeId },
-  } = await unsecuredSavedObjectsClient.get<RawAction>('action', actionId);
-  return actionTypeId;
+  const { attributes } = await unsecuredSavedObjectsClient.get<RawAction>('action', actionId);
+  return attributes;
 }

x-pack/plugins/alerting/server/alerts_client/alerts_client.ts

@@ -269,7 +269,7 @@ export class AlertsClient {
       throw Boom.badRequest(`Error creating rule: could not create API key - ${error.message}`);
     }
 
-    this.validateActions(alertType, data.actions);
+    await this.validateActions(alertType, data.actions);
 
     const createTime = Date.now();
     const { references, actions } = await this.denormalizeActions(data.actions);
@@ -728,7 +728,7 @@ export class AlertsClient {
       data.params,
       alertType.validate?.params
     );
-    this.validateActions(alertType, data.actions);
+    await this.validateActions(alertType, data.actions);
 
     const { actions, references } = await this.denormalizeActions(data.actions);
     const username = await this.getUserName();
@@ -1434,10 +1434,36 @@ export class AlertsClient {
     };
   }
 
-  private validateActions(
+  private async validateActions(
     alertType: UntypedNormalizedAlertType,
     actions: NormalizedAlertAction[]
-  ): void {
+  ): Promise<void> {
+    if (actions.length === 0) {
+      return;
+    }
+
+    // check for actions using connectors with missing secrets
+    const actionsClient = await this.getActionsClient();
+    const actionIds = [...new Set(actions.map((action) => action.id))];
+    const actionResults = (await actionsClient.getBulk(actionIds)) || [];
+    const actionsUsingConnectorsWithMissingSecrets = actionResults.filter(
+      (result) => result.isMissingSecrets
+    );
+
+    if (actionsUsingConnectorsWithMissingSecrets.length) {
+      throw Boom.badRequest(
+        i18n.translate('xpack.alerting.alertsClient.validateActions.misconfiguredConnector', {
+          defaultMessage: 'Invalid connectors: {groups}',
+          values: {
+            groups: actionsUsingConnectorsWithMissingSecrets
+              .map((connector) => connector.name)
+              .join(', '),
+          },
+        })
+      );
+    }
+
+    // check for actions with invalid action groups
     const { actionGroups: alertTypeActionGroups } = alertType;
     const usedAlertActionGroups = actions.map((action) => action.group);
     const availableAlertTypeActionGroups = new Set(map(alertTypeActionGroups, 'id'));