[8.7] [Defend Workflows] Osquery fixes (#155020) (#155879)

# Backport This will backport the following commits from `main` to `8.7`: - [[Defend Workflows] Osquery fixes (#155020)](#155020)  ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport)  Co-authored-by: Tomasz Ciecierski <[email protected]>
elastic · Apr 26, 2023 · 7f69a76 · 7f69a76
1 parent e7fd103
commit 7f69a76
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 19 deletions.
diff --git a/x-pack/plugins/osquery/public/live_queries/form/index.tsx b/x-pack/plugins/osquery/public/live_queries/form/index.tsx
@@ -82,16 +82,8 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({
   );
 
   const hooksForm = useHookForm<LiveQueryFormFields>();
-  const {
-    handleSubmit,
-    watch,
-    setValue,
-    resetField,
-    clearErrors,
-    getFieldState,
-    register,
-    formState: { isSubmitting },
-  } = hooksForm;
+  const { handleSubmit, watch, setValue, resetField, clearErrors, getFieldState, register } =
+    hooksForm;
 
   const canRunSingleQuery = useMemo(
     () =>
@@ -157,15 +149,15 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({
           saved_query_id: values.savedQueryId,
           query,
           alert_ids: values.alertIds,
-          pack_id: values?.packId?.length ? values?.packId[0] : undefined,
+          pack_id: queryType === 'pack' && values?.packId?.length ? values?.packId[0] : undefined,
           ecs_mapping: values.ecs_mapping,
         },
         (value) => !isEmpty(value)
       ) as unknown as LiveQueryFormFields;
 
       await mutateAsync(serializedData);
     },
-    [alertAttachmentContext, mutateAsync]
+    [alertAttachmentContext, mutateAsync, queryType]
   );
 
   const serializedData: SavedQuerySOFormData = useMemo(
@@ -196,7 +188,7 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({
             <EuiButton
               id="submit-button"
               disabled={!enabled}
-              isLoading={isSubmitting}
+              isLoading={isLoading}
               onClick={handleSubmit(onSubmit)}
             >
               <FormattedMessage
@@ -215,7 +207,7 @@ const LiveQueryFormComponent: React.FC<LiveQueryFormProps> = ({
       resultsStatus,
       handleShowSaveQueryFlyout,
       enabled,
-      isSubmitting,
+      isLoading,
       handleSubmit,
       onSubmit,
     ]

diff --git a/x-pack/plugins/osquery/server/common/error.ts b/x-pack/plugins/osquery/server/common/error.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export class CustomHttpRequestError extends Error {
+  constructor(message: string, public readonly statusCode: number = 500) {
+    super(message);
+    // For debugging - capture name of subclasses
+    this.name = this.constructor.name;
+    this.message = message;
+  }
+}
diff --git a/x-pack/plugins/osquery/server/common/types.ts b/x-pack/plugins/osquery/server/common/types.ts
@@ -56,3 +56,7 @@ export interface SavedQuerySavedObjectAttributes {
 }
 
 export type SavedQuerySavedObject = SavedObject<PackSavedObjectAttributes>;
+
+export interface HTTPError extends Error {
+  statusCode: number;
+}
diff --git a/x-pack/plugins/osquery/server/handlers/action/create_action_handler.ts b/x-pack/plugins/osquery/server/handlers/action/create_action_handler.ts
@@ -21,6 +21,7 @@ import { convertSOQueriesToPack } from '../../routes/pack/utils';
 import { ACTIONS_INDEX } from '../../../common/constants';
 import { TELEMETRY_EBT_LIVE_QUERY_EVENT } from '../../lib/telemetry/constants';
 import type { PackSavedObjectAttributes } from '../../common/types';
+import { CustomHttpRequestError } from '../../common/error';
 
 interface Metadata {
   currentUser: string | undefined;
@@ -55,7 +56,7 @@ export const createActionHandler = async (
   });
 
   if (!selectedAgents.length) {
-    throw new Error('No agents found for selection');
+    throw new CustomHttpRequestError('No agents found for selection', 400);
   }
 
   let packSO;

diff --git a/x-pack/plugins/osquery/server/lib/fleet_integration.ts b/x-pack/plugins/osquery/server/lib/fleet_integration.ts
@@ -34,11 +34,20 @@ export const getPackagePolicyDeleteCallback =
           await Promise.all(
             map(
               foundPacks.saved_objects,
-              (pack: { id: string; references: SavedObjectReference[] }) =>
+              (pack: {
+                id: string;
+                references: SavedObjectReference[];
+                attributes: { shards: Array<{ key: string; value: string }> };
+              }) =>
                 packsClient.update(
                   packSavedObjectType,
                   pack.id,
-                  {},
+                  {
+                    shards: filter(
+                      pack.attributes.shards,
+                      (shard) => shard.key !== deletedOsqueryManagerPolicy.policy_id
+                    ),
+                  },
                   {
                     references: filter(
                       pack.references,

diff --git a/x-pack/plugins/osquery/server/routes/live_query/create_live_query_route.ts b/x-pack/plugins/osquery/server/routes/live_query/create_live_query_route.ts
@@ -113,8 +113,9 @@ export const createLiveQueryRoute = (router: IRouter, osqueryContext: OsqueryApp
           body: { data: osqueryAction },
         });
       } catch (error) {
-        // TODO validate for 400 (when agents are not found for selection)
-        // return response.badRequest({ body: new Error('No agents found for selection') });
+        if (error.statusCode === 400) {
+          return response.badRequest({ body: error });
+        }
 
         return response.customError({
           statusCode: 500,