
Commit

[Security Solution] Use current user instead of internal user when qu…
…erying for threshold rule history (elastic#174723)

## Summary

Follow up to elastic#174216
marshallmain authored Jan 22, 2024
1 parent 450c6e6 commit f87a348
Showing 6 changed files with 25 additions and 15 deletions.
Expand Up @@ -412,7 +412,7 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
wrapHits,
wrapSequences,
listClient,
ruleDataReader: ruleDataClient.getReader({ namespace: options.spaceId }),
ruleDataClient,
mergeStrategy,
primaryTimestamp,
secondaryTimestamp,
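Review bot: Handing the executor the whole `ruleDataClient` instead of a reader already scoped to `options.spaceId` widens what every security rule type receives from this wrapper; as far as I recall the client interface also exposes writers and readers for arbitrary namespaces, while the only thing the new history query needs downstream is the namespaced index name. If that wider surface is not needed elsewhere, passing just the index name is the least-privilege shape, e.g. `alertsIndex: ruleDataClient.indexNameWithNamespace(options.spaceId)`, and it keeps the space scoping in one place rather than re-deriving it inside each executor. createSecurityRuleTypeWrapper starts and ends outside this hunk.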
Expand Up @@ -62,7 +62,7 @@ export const createThresholdAlertType = (
completeRule,
tuple,
wrapHits,
ruleDataReader,
ruleDataClient,
inputIndex,
runtimeMappings,
primaryTimestamp,
Expand All @@ -88,7 +88,7 @@ export const createThresholdAlertType = (
state,
bulkCreate,
wrapHits,
ruleDataReader,
ruleDataClient,
inputIndex,
runtimeMappings,
primaryTimestamp,
Expand Up @@ -6,8 +6,9 @@
*/

import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
import type { IRuleDataReader } from '@kbn/rule-registry-plugin/server';
import type { IRuleDataClient } from '@kbn/rule-registry-plugin/server';
import { ALERT_RULE_UUID } from '@kbn/rule-data-utils';
import type { ElasticsearchClient } from '@kbn/core/server';
import type { ThresholdSignalHistory } from './types';
import { buildThresholdSignalHistory } from './build_signal_history';
import { createErrorsFromShard } from '../utils/utils';
Expand All @@ -17,15 +18,19 @@ interface GetThresholdSignalHistoryParams {
to: string;
frameworkRuleId: string;
bucketByFields: string[];
ruleDataReader: IRuleDataReader;
spaceId: string;
ruleDataClient: IRuleDataClient;
esClient: ElasticsearchClient;
}

export const getThresholdSignalHistory = async ({
from,
to,
frameworkRuleId,
bucketByFields,
ruleDataReader,
spaceId,
ruleDataClient,
esClient,
}: GetThresholdSignalHistoryParams): Promise<{
signalHistory: ThresholdSignalHistory;
searchErrors: string[];
Expand All @@ -37,7 +42,11 @@ export const getThresholdSignalHistory = async ({
bucketByFields,
});

const response = await ruleDataReader.search(request);
const indexPattern = ruleDataClient?.indexNameWithNamespace(spaceId);
const response = await esClient.search({
...request,
index: indexPattern,
});
return {
signalHistory: buildThresholdSignalHistory({ alerts: response.hits.hits }),
searchErrors: createErrorsFromShard({
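Review bot: The optional chain in `const indexPattern = ruleDataClient?.indexNameWithNamespace(spaceId);` is the line to fix: `ruleDataClient` is declared non-optional in GetThresholdSignalHistoryParams, and if it were ever nullish the `?.` would hand `index: undefined` to `esClient.search`, which turns the space-scoped alert-history lookup into a search across every index the current user can read. Drop the `?.` so a wiring mistake fails closed instead of widening scope: `const indexPattern = ruleDataClient.indexNameWithNamespace(spaceId);`. The reader this replaces presumably attached its own index and unavailable-index settings, so if `indexNameWithNamespace` returns a concrete alias rather than a wildcard, a space with no alerts index yet may now throw index_not_found_exception on a rule's first run; confirm whether `ignore_unavailable: true` has to be passed alongside `index`. A why-comment above the search would also protect the intent of this commit, e.g. `// Use the caller-supplied (current-user) client so alert history is bounded by that user's index privileges, not the internal user's.`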
Expand Up @@ -99,7 +99,7 @@ describe('threshold_executor', () => {
createdItems: [],
})),
wrapHits: jest.fn(),
ruleDataReader: ruleDataClientMock.getReader({ namespace: 'default' }),
ruleDataClient: ruleDataClientMock,
runtimeMappings: {},
inputIndex: ['auditbeat-*'],
primaryTimestamp: TIMESTAMP,
Expand Down Expand Up @@ -164,7 +164,7 @@ describe('threshold_executor', () => {
createdItems: [],
})),
wrapHits: jest.fn(),
ruleDataReader: ruleDataClientMock.getReader({ namespace: 'default' }),
ruleDataClient: ruleDataClientMock,
runtimeMappings: {},
inputIndex: ['auditbeat-*'],
primaryTimestamp: TIMESTAMP,
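Review bot: The mock wiring now passes `ruleDataClient: ruleDataClientMock`, but nothing visible in this section asserts that the history query is issued through `scopedClusterClient.asCurrentUser.search` against the namespaced alerts index, which is the behaviour this commit exists to establish. With the mock's `indexNameWithNamespace` configured to return a fixed name, an expectation such as `expect(scopedClusterClient.asCurrentUser.search).toHaveBeenCalledWith(expect.objectContaining({ index: '.alerts-security.alerts-default' }))` would make a regression back to the internal user fail loudly rather than pass silently; whether the executor test helpers expose that scoped client is not visible here. The describe block continues outside the hunk.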
Expand Up @@ -17,7 +17,7 @@ import type {
AlertInstanceState,
RuleExecutorServices,
} from '@kbn/alerting-plugin/server';
import type { IRuleDataReader } from '@kbn/rule-registry-plugin/server';
import type { IRuleDataClient } from '@kbn/rule-registry-plugin/server';
import type { Filter, DataViewFieldBase } from '@kbn/es-query';
import type { CompleteRule, ThresholdRuleParams } from '../../rule_schema';
import { getFilter } from '../utils/get_filter';
Expand Down Expand Up @@ -59,7 +59,7 @@ export const thresholdExecutor = async ({
state,
bulkCreate,
wrapHits,
ruleDataReader,
ruleDataClient,
primaryTimestamp,
secondaryTimestamp,
aggregatableTimestampField,
Expand All @@ -81,7 +81,7 @@ export const thresholdExecutor = async ({
state: ThresholdAlertState;
bulkCreate: BulkCreate;
wrapHits: WrapHits;
ruleDataReader: IRuleDataReader;
ruleDataClient: IRuleDataClient;
primaryTimestamp: string;
secondaryTimestamp?: string;
aggregatableTimestampField: string;
Expand Down Expand Up @@ -112,7 +112,9 @@ export const thresholdExecutor = async ({
to: tuple.to.toISOString(),
frameworkRuleId: completeRule.alertId,
bucketByFields: ruleParams.threshold.field,
ruleDataReader,
spaceId,
ruleDataClient,
esClient: services.scopedClusterClient.asCurrentUser,
});

const validSignalHistory = getSignalHistory(state, signalHistory, tuple);
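Review bot: The choice of `esClient: services.scopedClusterClient.asCurrentUser` is the whole point of this change, yet nothing in the hunk records why, and a later reader who sees a rule-registry client sitting next to it may well switch the lookup back to an internal-user path. Add a why-comment on that line, e.g. `// Query alert history as the executing user, not the internal Kibana user, so the rule only sees alerts that user is allowed to read.` `spaceId` is destructured from the executor's options outside this hunk, so it is worth confirming it is the framework-supplied space of the rule rather than anything derived from rule params. thresholdExecutor starts and ends outside this hunk.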
Expand Up @@ -26,7 +26,6 @@ import type { ListClient } from '@kbn/lists-plugin/server';
import type {
PersistenceServices,
IRuleDataClient,
IRuleDataReader,
SuppressedAlertService,
} from '@kbn/rule-registry-plugin/server';
import type { EcsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/ecs_field_map';
Expand Down Expand Up @@ -86,7 +85,7 @@ export interface RunOpts<TParams extends RuleParams> {
bulkCreate: BulkCreate;
wrapHits: WrapHits;
wrapSequences: WrapSequences;
ruleDataReader: IRuleDataReader;
ruleDataClient: IRuleDataClient;
inputIndex: string[];
runtimeMappings: estypes.MappingRuntimeFields | undefined;
mergeStrategy: ConfigType['alertMergeStrategy'];
