
[Detections] EQL query validation: Separate syntax errors into their own error type (#10181) #190149

Merged
merged 11 commits into from
Aug 15, 2024

Conversation

e40pud
Contributor

@e40pud e40pud commented Aug 8, 2024

Summary

Addresses https://github.com/elastic/security-team/issues/10181

This PR is a refactoring of the EQL query validator:

  • to separate the different validation errors passed from ES. Before, we marked parsing_exception, verification_exception and mapping_exception as the same error of type ERR_INVALID_EQL. After these changes we split them into separate ones: syntax (parsing_exception) and invalid EQL (verification_exception and mapping_exception; these can be split further in future if needed).
  • to handle a missing data source as a new EQL error of type MISSING_DATA_SOURCE. Before, the data.search.search<EqlSearchStrategyRequest, EqlSearchStrategyResponse>() call would throw an exception when the data source did not exist, and we handled it as a failed request and showed an error toast (see the relevant ticket [Security Solution] Rule's EQL query validation fails unexpectedly when fields missing #178611). After these changes we do not show a toast and handle the missing data source error like the other EQL validation errors, showing an error message in the EQL query bar.

This will allow us to distinguish between the different types of EQL validation errors and will help decide whether certain errors are blocking during the rule creation/editing flow (#180407).


@e40pud e40pud added release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. ci:cloud-deploy Create or update a Cloud deployment Team:Detection Engine Security Solution Detection Engine Area ci:project-deploy-security Create a Security Serverless Project labels Aug 8, 2024
@e40pud e40pud self-assigned this Aug 8, 2024
@e40pud
Contributor Author

e40pud commented Aug 8, 2024

/ci

@e40pud
Contributor Author

e40pud commented Aug 8, 2024

/ci

@e40pud
Contributor Author

e40pud commented Aug 9, 2024

/ci

@e40pud e40pud marked this pull request as ready for review August 9, 2024 12:16
@e40pud e40pud requested review from a team as code owners August 9, 2024 12:16
@e40pud e40pud requested a review from rylnd August 9, 2024 12:16
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-detection-engine (Team:Detection Engine)

@e40pud
Contributor Author

e40pud commented Aug 11, 2024

@elasticmachine merge upstream

@elastic elastic deleted a comment from kibanamachine Aug 13, 2024
@elastic elastic deleted a comment from kibanamachine Aug 13, 2024
@elastic elastic deleted a comment from kibanamachine Aug 13, 2024
@elastic elastic deleted a comment from kibanamachine Aug 13, 2024
@kibanamachine
Contributor

Flaky Test Runner Stats

🎉 All tests passed! - kibana-flaky-test-suite-runner#6754

[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/configs/ess.config.ts: 100/100 tests passed.
[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/configs/serverless.config.ts: 100/100 tests passed.


Contributor

@rylnd rylnd left a comment


Overall this looks great! The cypress tests demonstrating this behavior are fantastic, but it would be great to have some unit tests showing how this code handles different types of responses, since that's been expanded/changed significantly with this PR.

Approving because those tests should be quick and easy, but please request another review if you want/need it.

}
)
);
if (isParsingErrorResponse(response)) {
Contributor


Since this function is growing in complexity, it's probably time to add some unit tests around it (more for documentation of behavior than anything else); maybe extract a function that receives a response and test that? That would also allow us to document the shape of response(s) we handle.

type EqlValidationTransformer = (response: unknown) => {
  valid: boolean;
  error?: { code: EQL_ERROR_CODES; messages?: string[]; error?: Error };
};

Contributor Author


Great point! I will add tests for this functionality
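As an added example (not code from this PR or from Kibana), here is a transformer in the shape rylnd proposed above, applying the classification the PR summary describes: parsing_exception becomes a syntax error, verification_exception and mapping_exception stay invalid EQL, and a missing data source becomes MISSING_DATA_SOURCE instead of a failed request. The error code names other than ERR_INVALID_EQL and MISSING_DATA_SOURCE, the Elasticsearch response shape (top-level error with a root_cause list), the mapping of index_not_found_exception to the missing data source case, and the sample responses are all assumptions made for this illustration.

```typescript
// Added example, not the PR's own code. Shapes and names below are assumptions.
const EQL_ERROR_CODES = {
  FAILED_REQUEST: 'ERR_FAILED_REQUEST', // assumed: transport or other non-validation failure
  INVALID_SYNTAX: 'ERR_INVALID_SYNTAX', // assumed name for the new parsing_exception category
  INVALID_EQL: 'ERR_INVALID_EQL', // named in the PR: verification_exception / mapping_exception
  MISSING_DATA_SOURCE: 'MISSING_DATA_SOURCE', // named in the PR
} as const;
type EqlErrorCode = (typeof EQL_ERROR_CODES)[keyof typeof EQL_ERROR_CODES];

// Return shape, following the EqlValidationTransformer type proposed in review.
interface EqlValidationResult {
  valid: boolean;
  error?: { code: EqlErrorCode; messages?: string[]; error?: Error };
}

// Assumed subset of an Elasticsearch error body: a top-level error with optional root causes.
interface EsError {
  type?: string;
  reason?: string;
  root_cause?: EsError[];
}
interface EsErrorResponse {
  error?: EsError;
}

const SYNTAX_TYPES = new Set<string>(['parsing_exception']);
const INVALID_EQL_TYPES = new Set<string>(['verification_exception', 'mapping_exception']);
const MISSING_SOURCE_TYPES = new Set<string>(['index_not_found_exception']); // assumed ES type

// Flatten the error and its root_cause chain into (type, reason) pairs.
function collectErrors(
  error: EsError | undefined,
  out: Array<{ type: string; reason: string }> = []
): Array<{ type: string; reason: string }> {
  if (!error) return out;
  if (error.type) out.push({ type: error.type, reason: error.reason ?? '' });
  for (const cause of error.root_cause ?? []) collectErrors(cause, out);
  return out;
}

function transformEqlValidationResponse(response: unknown): EqlValidationResult {
  // A thrown Error (e.g. the search strategy rejecting the request) is a failed
  // request, which the UI reports as a toast rather than in the query bar.
  if (response instanceof Error) {
    return { valid: false, error: { code: EQL_ERROR_CODES.FAILED_REQUEST, error: response } };
  }
  if (typeof response !== 'object' || response === null) {
    return {
      valid: false,
      error: { code: EQL_ERROR_CODES.FAILED_REQUEST, messages: ['unexpected response shape'] },
    };
  }
  const errors = collectErrors((response as EsErrorResponse).error);
  if (errors.length === 0) return { valid: true };

  const types = errors.map((e) => e.type);
  // De-duplicate reasons: the top-level reason is usually repeated inside root_cause.
  const messages: string[] = [];
  for (const e of errors) if (e.reason && messages.indexOf(e.reason) === -1) messages.push(e.reason);

  // Precedence: a query that does not parse cannot be verified against mappings or
  // resolved against a data source, so syntax wins, then semantic errors, then the
  // missing data source; any other ES error type is treated as a failed request.
  let code: EqlErrorCode = EQL_ERROR_CODES.FAILED_REQUEST;
  if (types.some((t) => SYNTAX_TYPES.has(t))) code = EQL_ERROR_CODES.INVALID_SYNTAX;
  else if (types.some((t) => INVALID_EQL_TYPES.has(t))) code = EQL_ERROR_CODES.INVALID_EQL;
  else if (types.some((t) => MISSING_SOURCE_TYPES.has(t))) code = EQL_ERROR_CODES.MISSING_DATA_SOURCE;
  return { valid: false, error: { code, messages } };
}

// Constructed sample responses for illustration (not captured from a real cluster).
const SAMPLE_RESPONSES: Record<string, unknown> = {
  ok: { is_partial: false, hits: { events: [] } },
  syntax: {
    error: {
      type: 'parsing_exception',
      reason: "line 1:22: mismatched input '<EOF>'",
      root_cause: [{ type: 'parsing_exception', reason: "line 1:22: mismatched input '<EOF>'" }],
    },
  },
  verification: { error: { type: 'verification_exception', reason: 'Found 1 problem: Unknown column [foo]' } },
  missingSource: { error: { type: 'index_not_found_exception', reason: 'no such index [logs-constructed-*]' } },
  unknown: { error: { type: 'es_rejected_execution_exception', reason: 'queue full' } },
};

// Runs every sample through the transformer; handy when reading the module directly.
function classifyAllSamples(): Record<string, string> {
  const result: Record<string, string> = {};
  for (const key of Object.keys(SAMPLE_RESPONSES)) {
    const r = transformEqlValidationResponse(SAMPLE_RESPONSES[key]);
    result[key] = r.valid ? 'valid' : r.error!.code;
  }
  return result;
}
```

Because the classification is applied in one place and returns a plain value, the unit tests rylnd asks for reduce to feeding each sample response in and asserting on the returned code and messages, which also documents the response shapes the validator is expected to handle.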

@elastic elastic deleted a comment from kibanamachine Aug 14, 2024
@kibana-ci
Collaborator

kibana-ci commented Aug 14, 2024

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics

Async chunks
Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id                before   after    diff
securitySolution  20.7MB   20.7MB   +3.3KB

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @e40pud

@e40pud
Contributor Author

e40pud commented Aug 15, 2024

Looks like cypress DE tests are flaky. I created a separate test PR to check whether cypress tests are unstable on main branch and same tests are flaky.

@e40pud e40pud merged commit 2c5ae36 into elastic:main Aug 15, 2024
44 checks passed
@kibanamachine kibanamachine added v8.16.0 backport:skip This commit does not require backporting labels Aug 15, 2024
@kibanamachine
Contributor

Flaky Test Runner Stats

🟠 Some tests failed. - kibana-flaky-test-suite-runner#6766

[❌] Security Solution Detection Engine - Cypress: 58/100 tests passed.
[❌] [Serverless] Security Solution Detection Engine - Cypress: 75/100 tests passed.
