Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution][Endpoint] Allow wildcard in trusted app paths #97623

Merged
merged 39 commits into from
Apr 29, 2021
Merged

[Security Solution][Endpoint] Allow wildcard in trusted app paths #97623

merged 39 commits into from
Apr 29, 2021

Conversation

ashokaditya
Copy link
Member

@ashokaditya ashokaditya commented Apr 20, 2021

Summary

Adds a dropdown for the path field to enable adding wildcards as well as adding specific paths for creating trusted apps.
See elastic/security-team/issues/543 for more details.

Screenshot 2021-04-20 at 12 48 50

Checklist

Delete any items that are not applicable to this PR.

@ashokaditya ashokaditya added v8.0.0 release_note:skip Skip the PR/issue when compiling release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution Feature:Trusted Apps Security Solution Trusted Apps release_note:feature Makes this part of the condensed release notes and removed release_note:skip Skip the PR/issue when compiling release notes labels Apr 20, 2021
@dasansol92
Copy link
Contributor

Few comments added but it looks awesome! 🔥 🔥

@ashokaditya ashokaditya marked this pull request as ready for review April 21, 2021 07:47
@ashokaditya ashokaditya requested a review from a team as a code owner April 21, 2021 07:47
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt)

@kevinlog
Copy link
Contributor

@ashokaditya

checked it out and it looks great so far!

A couple things to call out:

  1. We're saving the entry with matches, however the Endpoint should be reading the field as wildcard_caseless - does this value get set during artifact creation? cc/ @paul-tavares

  2. In addition, I see that matches is being saved in the SO, but the UI still reflects is for the operator in the saved entry. I would imagine this should reflect the input and say matches

image

Similarly if I go to edit the entry, the operator is set to is where it should be matches

image

Let me know if you have any questions. The requirements in the original ticket may not have been clear enough on item 2, happy to adjust!

@ashokaditya
Copy link
Member Author

@elasticmachine merge upstream

Copy link
Contributor

@paul-tavares paul-tavares left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some comments. Looking good :)

@ashokaditya ashokaditya requested a review from yctercero April 27, 2021 20:30
@marshallmain
Copy link
Contributor

Changes to the shared exception list types look great! Thanks for all the hard work on this 😄

@ashokaditya, @yctercero, and I met today to discuss how the detection engine exception UI should handle the addition of wildcard entries. Until now, the exceptions UI has been built on the assumption that it supports all entry types, however the addition of wildcard entries means this is no longer true. We hope to add wildcard entry support in the detection exceptions UI at some point, so we settled on continuing to use the complete entry-type-union (EntriesArray) as a static type in the exceptions UI and we'll simply hide the wildcard option until we implement it.

The alternative option was decoupling the exceptions UI from the list of all entry types by adding a new union that contains only the subset of entry types supported by detection exceptions. However, that refactoring effort was deemed to be too significant to include in this PR. Long term, if we need entry types that are specific to trusted apps (i.e. detections will never support them) we should consider decoupling the exceptions UI to make it easier to add new entry types.

Copy link
Contributor

@yctercero yctercero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Just had some small comments about removing some type casts. I don't know the ins and outs of the trusted apps logic, so focused mainly on the exception type changes and testing basic functionality.

Not sure if a ticket already exists, but would be great to have a ticket to reference for the work needed detections side to hide this operator for now in UI and add a check API side to throw if a wildcard entry is trying to be added to a detection type exception list.

Just to note: I think @marshallmain point of decoupling types and creating unions could be a really good idea. I know we discussed it over zoom and it's definitely something to keep in mind for the larger discussions around exceptions refactoring, but I think it would add a whole lot of changes were we to jump to that right now.

review changes

refs dbd3532
review changes /pull/97623#discussion_r621673881

refs 6f2d0d7
@ashokaditya ashokaditya added the auto-backport Deprecated - use backport:version if exact versions are needed label Apr 28, 2021
review changes
CI check suggestion
Copy link
Contributor

@paul-tavares paul-tavares left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔥 🔥
Left just a minor comment, but it should not hold merging this in.

Awesome job on this


import { ConditionEntryField, OperatingSystem, TrustedAppEntryTypes } from '../endpoint/types';

export const placeholderText = {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest that this be a function instead of object definition in order to ensure they are not mutated.
Also - are these for testing? if so, I would also suggest moving them to a file (or directory) whose name as "test" in it. like test_utils.ts

Copy link
Member Author

@ashokaditya ashokaditya Apr 29, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I see your point with the mutation. I would change this to a function. Although, I'm just reusing the same text values within the getPlaceholderText function and also within the unit tests and thus I believe it is not necessary to move this to a test_utils.ts kind of file.

@ashokaditya
Copy link
Member Author

@elasticmachine merge upstream

Copy link
Contributor

@dasansol92 dasansol92 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!!🔥 🔥
Just a function naming comment but not needs to be changed now.

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
lists 165 166 +1
securitySolution 2181 2182 +1
total +2

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
lists 237 239 +2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 7.0MB 7.0MB +1.8KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
lists 210.2KB 210.7KB +521.0B
Unknown metric groups

API count

id before after diff
lists 258 260 +2

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@ashokaditya ashokaditya merged commit c93e028 into elastic:master Apr 29, 2021
@ashokaditya ashokaditya deleted the sec-team-543/allow-wildcard-for-paths branch April 29, 2021 12:54
@kibanamachine
Copy link
Contributor

💔 Backport failed

Status Branch Result
7.x Commit could not be cherrypicked due to conflicts

To backport manually run:
node scripts/backport --pr 97623

ashokaditya added a commit that referenced this pull request Apr 29, 2021
…7623) (#98749)

* show operator dropdown for path field

refs elastic/security-team/issues/543

* update translation to use consistent values

refs elastic/security-team/issues/543

* update schema to validate path values

refs elastic/security-team/issues/543

* add tests for field and operator values

refs elastic/security-team/issues/543

* review changes

refs elastic/security-team/issues/543

* update schema to enforce dropdown validation for PATH field

refs elastic/security-team/issues/543

* add tests for schema updates

refs 1deab39
refs elastic/security-team/issues/543

* optimise dropdown list for re-renders

refs elastic/security-team/issues/543

* align input fields and keep alignments when resized

refs elastic/security-team/issues/543

* correctly enter operator data on trusted app CRUD

refs elastic/security-team/issues/543

* update tests

refs 2ac56ee
refs elastic/security-team/issues/543

* remove redundant code

review changes

* better type assertion

review changes

* move operator options out of component

- these do not depend on component props and thus no need to have it within a useMemo callback.

- review changes

* derive keys from operator entry field

review changes

* update type

* use custom styles for aligning input fields

review changes

* add a custom type for trusted_apps operator

undo changes from list plugin and server/lib/detection_engine

refs 2ac56ee
refs elastic/security-team/issues/543

* add wildcard entry type

refs elastic/security-team/issues/543
refs #97623 (review)

* use the new entry type

refs elastic/security-team/issues/543
refs #97623 (review)

* update tests

refs elastic/security-team/issues/543
refs #97623 (review)

* update name for wildcard type so that it can be used also for cased inputs

refs elastic/security-team/issues/543
refs f9cb7ed

* update artifacts to support wildcard entries

refs elastic/security-team/issues/543

* add tests for list schemas

refs f9cb7ed
refs elastic/security-team/issues/543

* add placeholders for path values

review changes
/pull/97623#discussion_r620617999

* ignore type check for now

* add type assertion

refs 284352e

* remove unnecessary test

refs 2ac56ee

* fix types

refs f9cb7ed
refs b3f5dc4

* add a note to entries

review changes

refs dbd3532

* remove redundant type assertions

review changes
refs bcf615a
refs b3f5dc4

* move placeholder text logic to utils

review changes /pull/97623#discussion_r621673881

refs 6f2d0d7

* pass the style as prop

review changes

* update api doc

CI check suggestion

* make placeholderText a function expression

review suggestion

/pull/97623/commits/2dc4fd390cf5ea0e4fa67b3f5fc2561cbb29555e

* use semantic names for functions

refs 330731e

Co-authored-by: Kibana Machine <[email protected]>
# Conflicts:
#	api_docs/security_solution.json
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auto-backport Deprecated - use backport:version if exact versions are needed Feature:Trusted Apps Security Solution Trusted Apps release_note:feature Makes this part of the condensed release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v7.14.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants