From 7f69a763d14f84c249d04c5e75e313bb0177142e Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 26 Apr 2023 10:42:45 -0400 Subject: [PATCH] [8.7] [Defend Workflows] Osquery fixes (#155020) (#155879) # Backport This will backport the following commits from `main` to `8.7`: - [[Defend Workflows] Osquery fixes (#155020)](https://github.com/elastic/kibana/pull/155020) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) Co-authored-by: Tomasz Ciecierski --- .../public/live_queries/form/index.tsx | 20 ++++++------------- x-pack/plugins/osquery/server/common/error.ts | 15 ++++++++++++++ x-pack/plugins/osquery/server/common/types.ts | 4 ++++ .../handlers/action/create_action_handler.ts | 3 ++- .../osquery/server/lib/fleet_integration.ts | 13 ++++++++++-- .../live_query/create_live_query_route.ts | 5 +++-- 6 files changed, 41 insertions(+), 19 deletions(-) create mode 100644 x-pack/plugins/osquery/server/common/error.ts diff --git a/x-pack/plugins/osquery/public/live_queries/form/index.tsx b/x-pack/plugins/osquery/public/live_queries/form/index.tsx index 7868c1bb3a471..d56b981b128c8 100644 --- a/x-pack/plugins/osquery/public/live_queries/form/index.tsx +++ b/x-pack/plugins/osquery/public/live_queries/form/index.tsx @@ -82,16 +82,8 @@ const LiveQueryFormComponent: React.FC = ({ ); const hooksForm = useHookForm(); - const { - handleSubmit, - watch, - setValue, - resetField, - clearErrors, - getFieldState, - register, - formState: { isSubmitting }, - } = hooksForm; + const { handleSubmit, watch, setValue, resetField, clearErrors, getFieldState, register } = + hooksForm; const canRunSingleQuery = useMemo( () => 
@@ -157,7 +149,7 @@ const LiveQueryFormComponent: React.FC = ({ saved_query_id: values.savedQueryId, query, alert_ids: values.alertIds, - pack_id: values?.packId?.length ? values?.packId[0] : undefined, + pack_id: queryType === 'pack' && values?.packId?.length ? values?.packId[0] : undefined, ecs_mapping: values.ecs_mapping, }, (value) => !isEmpty(value) @@ -165,7 +157,7 @@ const LiveQueryFormComponent: React.FC = ({ await mutateAsync(serializedData); }, - [alertAttachmentContext, mutateAsync] + [alertAttachmentContext, mutateAsync, queryType] ); const serializedData: SavedQuerySOFormData = useMemo( @@ -196,7 +188,7 @@ const LiveQueryFormComponent: React.FC = ({ = ({ resultsStatus, handleShowSaveQueryFlyout, enabled, - isSubmitting, + isLoading, handleSubmit, onSubmit, ] diff --git a/x-pack/plugins/osquery/server/common/error.ts b/x-pack/plugins/osquery/server/common/error.ts new file mode 100644 index 0000000000000..b48fd925dad62 --- /dev/null +++ b/x-pack/plugins/osquery/server/common/error.ts @@ -0,0 +1,15 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export class CustomHttpRequestError extends Error { + constructor(message: string, public readonly statusCode: number = 500) { + super(message); + // For debugging - capture name of subclasses + this.name = this.constructor.name; + this.message = message; + } +} diff --git a/x-pack/plugins/osquery/server/common/types.ts b/x-pack/plugins/osquery/server/common/types.ts index 522f1fa250ada..51dc4f59ed5b4 100644 --- a/x-pack/plugins/osquery/server/common/types.ts +++ b/x-pack/plugins/osquery/server/common/types.ts @@ -56,3 +56,7 @@ export interface SavedQuerySavedObjectAttributes { } export type SavedQuerySavedObject = SavedObject; + +export interface HTTPError extends Error { + statusCode: number; +} 
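Review bot: The `queryType === 'pack'` guard added to `pack_id` in the second hunk of live_queries/form/index.tsx only limits what this form sends. Nothing in this patch shows the server rejecting a request that carries both `query` and `pack_id`, so if that rule is meant to hold for direct API callers it also needs to be in the route's request validation (not visible here, please confirm). On the line itself, `values` is dereferenced without `?.` on the line directly above (`values.alertIds`), so the optional chaining on `values` is redundant: `pack_id: queryType === 'pack' && values.packId?.length ? values.packId[0] : undefined,`. The enclosing callback starts and ends outside the hunk.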
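Review bot: `CustomHttpRequestError` in the new server/common/error.ts has no doc comment saying that its message can reach the HTTP client, yet the create_live_query_route.ts change in this same patch passes a 400-status error straight to `response.badRequest({ body: error })`. A header such as `/** Error carrying an HTTP status code. Route handlers may return the message to the caller, so keep it free of internal detail. */` would make that contract visible to whoever throws it next. The `this.message = message;` assignment repeats what `super(message)` already did and can be dropped. `statusCode` accepts any number, so documenting the expected 4xx/5xx range would also help.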
diff --git a/x-pack/plugins/osquery/server/handlers/action/create_action_handler.ts b/x-pack/plugins/osquery/server/handlers/action/create_action_handler.ts index b2f6ca09234eb..3c776723a2da2 100644 --- a/x-pack/plugins/osquery/server/handlers/action/create_action_handler.ts +++ b/x-pack/plugins/osquery/server/handlers/action/create_action_handler.ts @@ -21,6 +21,7 @@ import { convertSOQueriesToPack } from '../../routes/pack/utils'; import { ACTIONS_INDEX } from '../../../common/constants'; import { TELEMETRY_EBT_LIVE_QUERY_EVENT } from '../../lib/telemetry/constants'; import type { PackSavedObjectAttributes } from '../../common/types'; +import { CustomHttpRequestError } from '../../common/error'; interface Metadata { currentUser: string | undefined; @@ -55,7 +56,7 @@ export const createActionHandler = async ( }); if (!selectedAgents.length) { - throw new Error('No agents found for selection'); + throw new CustomHttpRequestError('No agents found for selection', 400); } let packSO; diff --git a/x-pack/plugins/osquery/server/lib/fleet_integration.ts b/x-pack/plugins/osquery/server/lib/fleet_integration.ts index f03afedc8628a..684334c1488b4 100644 --- a/x-pack/plugins/osquery/server/lib/fleet_integration.ts +++ b/x-pack/plugins/osquery/server/lib/fleet_integration.ts @@ -34,11 +34,20 @@ export const getPackagePolicyDeleteCallback = await Promise.all( map( foundPacks.saved_objects, - (pack: { id: string; references: SavedObjectReference[] }) => + (pack: { + id: string; + references: SavedObjectReference[]; + attributes: { shards: Array<{ key: string; value: string }> }; + }) => packsClient.update( packSavedObjectType, pack.id, - {}, + { + shards: filter( + pack.attributes.shards, + (shard) => shard.key !== deletedOsqueryManagerPolicy.policy_id + ), + }, { references: filter( pack.references, 
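Review bot: The inline parameter type in the fleet_integration.ts hunk declares `attributes.shards` as always present, but nothing on the page shows that every stored pack has that attribute. If packs saved without shards can reach this callback (not verifiable from here), the annotation is untrue and, assuming `filter` is lodash's, the update would write an empty `shards` array onto them. Declaring it optional and making the fallback explicit keeps type and data in agreement: `attributes: { shards?: Array<{ key: string; value: string }> };` with `filter(pack.attributes.shards ?? [], (shard) => shard.key !== deletedOsqueryManagerPolicy.policy_id)`. A short comment such as `// drop shard entries that still point at the deleted policy` would explain why the attribute update is no longer `{}`. The callback body starts and ends outside the hunk.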
diff --git a/x-pack/plugins/osquery/server/routes/live_query/create_live_query_route.ts b/x-pack/plugins/osquery/server/routes/live_query/create_live_query_route.ts index 9d7ad88da88b6..05f857e320066 100644 --- a/x-pack/plugins/osquery/server/routes/live_query/create_live_query_route.ts +++ b/x-pack/plugins/osquery/server/routes/live_query/create_live_query_route.ts @@ -113,8 +113,9 @@ export const createLiveQueryRoute = (router: IRouter, osqueryContext: OsqueryApp body: { data: osqueryAction }, }); } catch (error) { - // TODO validate for 400 (when agents are not found for selection) - // return response.badRequest({ body: new Error('No agents found for selection') }); + if (error.statusCode === 400) { + return response.badRequest({ body: error }); + } return response.customError({ statusCode: 500,
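Review bot: The new `error.statusCode === 400` branch in the catch block matches any thrown value with that property, not only the `CustomHttpRequestError` raised in create_action_handler.ts, and it returns the whole error object as the response body. If another call inside the `try` fails with 400 (for instance an Elasticsearch client call, whose response errors also carry `statusCode`), its message would be sent to the caller verbatim, which can expose internal detail. Narrowing on the class and returning only the message avoids that: `if (error instanceof CustomHttpRequestError && error.statusCode === 400) { return response.badRequest({ body: error.message }); }`, with `CustomHttpRequestError` imported from `../../common/error`. The `HTTPError` interface added to common/types.ts in this patch is not used here either. The route handler starts and ends outside the hunk.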