From 5e58fbded0592b1006c289341f376d89f1f88793 Mon Sep 17 00:00:00 2001
From: Georgii Gorbachev
Date: Tue, 19 Oct 2021 02:29:14 +0200
Subject: [PATCH] [Security Solution][Detections] Fix a bug in siem-detection-engine-rule-status Saved Object migration to SO references (#115355)
**Ticket:** https://github.com/elastic/kibana/issues/107068
**Follow-up after:** https://github.com/elastic/kibana/pull/114585
## Summary
The existing migration function `legacyMigrateRuleAlertIdSOReferences` that migrates `alertId` fields to SO references array did not include all the other attributes of a `siem-detection-engine-rule-status` doc being migrated to the resulting doc. This PR includes a fix and an integration test for that.
## Run the test
To run the test, in one terminal execute:
```
cd ${KIBANA_HOME} && node scripts/functional_tests_server --config x-pack/test/detection_engine_api_integration/security_and_spaces/config.ts
```
In another terminal execute:
```
cd ${KIBANA_HOME} && node scripts/functional_test_runner --config x-pack/test/detection_engine_api_integration/security_and_spaces/config.ts --include=x-pack/test/detection_engine_api_integration/security_and_spaces/tests/migrations.ts
```
### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
---
.../legacy_rule_status/legacy_migrations.ts | 63 ++++++++-----------
.../security_and_spaces/tests/migrations.ts | 25 ++++++++
2 files changed, 52 insertions(+), 36 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/legacy_rule_status/legacy_migrations.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/legacy_rule_status/legacy_migrations.ts
index 92d7487be0cdb..72ab4a2237ba1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/legacy_rule_status/legacy_migrations.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/legacy_rule_status/legacy_migrations.ts
@@ -18,34 +18,19 @@ import { IRuleSavedAttributesSavedObjectAttributes } from '../types';
 import { legacyGetRuleReference } from './legacy_utils';
 
 export const truncateMessageFields: SavedObjectMigrationFn> = (doc) => {
- const { lastFailureMessage, lastSuccessMessage, ...restAttributes } = doc.attributes;
+ const { lastFailureMessage, lastSuccessMessage, ...otherAttributes } = doc.attributes;
 
 return {
 ...doc,
 attributes: {
+ ...otherAttributes,
 lastFailureMessage: truncateMessage(lastFailureMessage),
 lastSuccessMessage: truncateMessage(lastSuccessMessage),
- ...restAttributes,
 },
 references: doc.references ?? [],
 };
 };
 
-/**
- * This side-car rule status SO is deprecated and is to be replaced by the RuleExecutionLog on Event-Log and
- * additional fields on the Alerting Framework Rule SO.
- *
- * @deprecated Remove this once we've fully migrated to event-log and no longer require addition status SO (8.x)
- */
-export const legacyRuleStatusSavedObjectMigration = {
- '7.15.2': truncateMessageFields,
- '7.16.0': (
- doc: SavedObjectUnsanitizedDoc
- ): SavedObjectSanitizedDoc => {
- return legacyMigrateRuleAlertIdSOReferences(doc);
- },
-};
-
 /**
 * This migrates alertId within legacy `siem-detection-engine-rule-status` to saved object references on an upgrade.
 * We only migrate alertId if we find these conditions:
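Review bot: `truncateMessageFields` is exported and wired as the `'7.15.2'` step, yet it carries no doc comment while `legacyMigrateRuleAlertIdSOReferences` just below it does; the move of `...otherAttributes` ahead of the two truncated fields is cosmetic here because both keys were already pulled out of the rest object, so a reader has nothing stating what the step guarantees. Suggest a TSDoc above `export const truncateMessageFields`, e.g. `/** 7.15.2 migration: truncates lastFailureMessage / lastSuccessMessage, keeps every other attribute as-is and normalises a missing references array to []. */`. The function is fully contained in the hunk.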
@@ -62,29 +47,24 @@ export const legacyRuleStatusSavedObjectMigration = {
 export const legacyMigrateRuleAlertIdSOReferences = (
 doc: SavedObjectUnsanitizedDoc
 ): SavedObjectSanitizedDoc => {
- const { references } = doc;
-
- // Isolate alertId from the doc
- const { alertId, ...attributesWithoutAlertId } = doc.attributes;
- const existingReferences = references ?? [];
+ const { alertId, ...otherAttributes } = doc.attributes;
+ const existingReferences = doc.references ?? [];
 
+ // early return if alertId is not a string as expected
 if (!isString(alertId)) {
- // early return if alertId is not a string as expected
 return { ...doc, references: existingReferences };
- } else {
- const alertReferences = legacyMigrateAlertId({
- alertId,
- existingReferences,
- });
-
- return {
- ...doc,
- attributes: {
- ...attributesWithoutAlertId.attributes,
- },
- references: [...existingReferences, ...alertReferences],
- };
 }
+
+ const alertReferences = legacyMigrateAlertId({
+ alertId,
+ existingReferences,
+ });
+
+ return {
+ ...doc,
+ attributes: otherAttributes,
+ references: [...existingReferences, ...alertReferences],
+ };
 };
 
 /**
@@ -113,3 +93,14 @@ export const legacyMigrateAlertId = ({
 return [legacyGetRuleReference(alertId)];
 }
 };
+
+/**
+ * This side-car rule status SO is deprecated and is to be replaced by the RuleExecutionLog on Event-Log and
+ * additional fields on the Alerting Framework Rule SO.
+ *
+ * @deprecated Remove this once we've fully migrated to event-log and no longer require addition status SO (8.x)
+ */
+export const legacyRuleStatusSavedObjectMigration = {
+ '7.15.2': truncateMessageFields,
+ '7.16.0': legacyMigrateRuleAlertIdSOReferences,
+};
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/migrations.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/migrations.ts
index 6d1d64a04cd93..cfae7532ba496 100644
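Review bot: The early-return branch at `if (!isString(alertId))` keeps the non-string `alertId` inside `attributes` (the `...doc` spread carries the original attributes through) while the migrated branch strips it and adds a reference, so the two paths emit differently shaped documents and nothing records which one a given doc took. A comment on the return would make that intentional, e.g. `// Not migrated: attributes.alertId (non-string) is left in place and no rule reference is added`. If a migration logger is reachable from this code path, a warning there would let operators find unmigrated status docs after an upgrade; I cannot tell from the hunk whether the function receives one. The function's doc comment starts above the hunk.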
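Review bot: The relocated `legacyRuleStatusSavedObjectMigration` map now references `legacyMigrateRuleAlertIdSOReferences` directly instead of through the arrow wrapper the removed copy used, and that only works because the map is now declared after that `const`; nothing in the code says so, and moving the map back up would turn it into a ReferenceError (temporal dead zone) at module load. A one-line comment above the `export const` would protect the ordering, e.g. `// Keep this map below the migration functions it references: they are consts and are not hoisted.`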
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/migrations.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/migrations.ts
@@ -6,6 +6,7 @@
 */
 
 import expect from '@kbn/expect';
+import { IRuleStatusSOAttributes } from '../../../../plugins/security_solution/server/lib/detection_engine/rules/types';
 import { FtrProviderContext } from '../../common/ftr_provider_context';
 
 // eslint-disable-next-line import/no-default-export
@@ -113,6 +114,30 @@ export default ({ getService }: FtrProviderContext): void => {
 undefined
 );
 });
+
+ it('migrates legacy siem-detection-engine-rule-status and retains other attributes as the same attributes as before', async () => {
+ const response = await es.get<{
+ 'siem-detection-engine-rule-status': IRuleStatusSOAttributes;
+ }>({
+ index: '.kibana',
+ id: 'siem-detection-engine-rule-status:d62d2980-27c4-11ec-92b0-f7b47106bb35',
+ });
+ expect(response.statusCode).to.eql(200);
+
+ expect(response.body._source?.['siem-detection-engine-rule-status']).to.eql({
+ statusDate: '2021-10-11T20:51:26.622Z',
+ status: 'succeeded',
+ lastFailureAt: '2021-10-11T18:10:08.982Z',
+ lastSuccessAt: '2021-10-11T20:51:26.622Z',
+ lastFailureMessage:
+ '4 days (323690920ms) were not queried between this rule execution and the last execution, so signals may have been missed. Consider increasing your look behind time or adding more Kibana instances. name: "Threshy" id: "fb1046a0-0452-11ec-9b15-d13d79d162f3" rule id: "b789c80f-f6d8-41f1-8b4f-b4a23342cde2" signals index: ".siem-signals-spong-default"',
+ lastSuccessMessage: 'succeeded',
+ gap: '4 days',
+ bulkCreateTimeDurations: ['34.49'],
+ searchAfterTimeDurations: ['62.58'],
+ lastLookBackDate: null,
+ });
+ });
 });
 });
 };
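Review bot: The new `it(...)` exercises only a fixture whose `alertId` was a string, so the early-return branch of `legacyMigrateRuleAlertIdSOReferences` (non-string `alertId`, attributes left untouched) still has no integration coverage; a second archived doc taking that path would pin it the same way. It is also worth saying on the `to.eql` call that exact deep equality is doing double duty, since it is what proves `alertId` was removed from the attributes and not merely that the other fields survived: `// exact match: also asserts alertId was removed from attributes by the 7.16.0 migration`. The enclosing `describe` starts above the hunk.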