From a5db083f49e205463155ea53c6a84eb30af135ae Mon Sep 17 00:00:00 2001 From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Tue, 11 Jul 2023 17:40:58 -0700 Subject: [PATCH] [Backport 2.x] correlation rule search, delete and edit api (#484) Signed-off-by: Subhobrata Dey (cherry picked from commit ed45ef6be92cfc2ed7248b972807ad427ba919ff) --- .../RestIndexCorrelationRuleAction.java | 8 +- .../TransportDeleteCorrelationRuleAction.java | 1 + .../CorrelationEngineRuleRestApiIT.java | 80 +++++++++++++++++++ 3 files changed, 87 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.java index 83c355f33..42b5a80ad 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.java @@ -42,7 +42,11 @@ public String getName() { @Override public List routes() { return List.of( - new Route(RestRequest.Method.POST, SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI) + new Route(RestRequest.Method.POST, SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI), + new Route(RestRequest.Method.PUT, String.format(Locale.getDefault(), + "%s/{%s}", + SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI, + "correlation_rule_id")) ); } @@ -50,7 +54,7 @@ public List routes() { protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException { log.debug(String.format(Locale.ROOT, "%s %s", request.method(), SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI)); - String id = request.param("rule_id", CorrelationRule.NO_ID); + String id = request.param("correlation_rule_id", CorrelationRule.NO_ID); XContentParser xcp = request.contentParser(); diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.java index da6e5c175..1dc220944 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.java @@ -56,6 +56,7 @@ protected void doExecute(Task task, DeleteCorrelationRuleRequest request, Action new DeleteByQueryRequestBuilder(client, DeleteByQueryAction.INSTANCE) .source(CorrelationRule.CORRELATION_RULE_INDEX) .filter(QueryBuilders.matchQuery("_id", correlationRuleId)) + .refresh(true) .execute(new ActionListener<>() { @Override public void onResponse(BulkByScrollResponse response) { diff --git a/src/test/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRuleRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRuleRestApiIT.java index 4fa583381..d8cdcfdc5 100644 --- a/src/test/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRuleRestApiIT.java +++ b/src/test/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRuleRestApiIT.java @@ -4,6 +4,8 @@ */ package org.opensearch.securityanalytics.correlation; +import org.apache.http.entity.StringEntity; +import org.apache.http.message.BasicHeader; import org.junit.Assert; import org.opensearch.client.Response; import org.opensearch.client.ResponseException; @@ -13,6 +15,7 @@ import java.io.IOException; import java.util.Collections; +import java.util.Map; import static org.opensearch.securityanalytics.TestHelpers.randomCorrelationRule; @@ -33,4 +36,81 @@ public void testCreateCorrelationRuleWithInvalidName() { String actualMessage = exception.getMessage(); Assert.assertTrue(actualMessage.contains(expectedMessage)); } + + @SuppressWarnings("unchecked") + public void testUpdateCorrelationRule() throws IOException { + CorrelationRule rule = randomCorrelationRule("custom-rule"); + Response response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI, Collections.emptyMap(), toHttpEntity(rule)); + Assert.assertEquals(201, response.getStatusLine().getStatusCode()); + Map responseMap = responseAsMap(response); + Assert.assertEquals("custom-rule", ((Map) responseMap.get("rule")).get("name")); + + String id = responseMap.get("_id").toString(); + + rule = randomCorrelationRule("custom-updated-rule"); + response = makeRequest(client(), "PUT", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/" + id, Collections.emptyMap(), toHttpEntity(rule)); + Assert.assertEquals(200, response.getStatusLine().getStatusCode()); + responseMap = responseAsMap(response); + Assert.assertEquals("custom-updated-rule", ((Map) responseMap.get("rule")).get("name")); + } + + @SuppressWarnings("unchecked") + public void testDeleteCorrelationRule() throws IOException { + CorrelationRule rule = randomCorrelationRule("custom-rule"); + Response response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI, Collections.emptyMap(), toHttpEntity(rule)); + Assert.assertEquals(201, response.getStatusLine().getStatusCode()); + Map responseMap = responseAsMap(response); + Assert.assertEquals("custom-rule", ((Map) responseMap.get("rule")).get("name")); + String id = responseMap.get("_id").toString(); + + String request = "{\n" + + " \"query\" : {\n" + + " \"match_all\":{\n" + + " }\n" + + " }\n" + + "}"; + response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/_search", Collections.emptyMap(), new StringEntity(request), new BasicHeader("Content-type", "application/json")); + responseMap = responseAsMap(response); + Assert.assertEquals(1, Integer.parseInt(((Map) ((Map) responseMap.get("hits")).get("total")).get("value").toString())); + + response = makeRequest(client(), "DELETE", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/" + id, Collections.emptyMap(), null); + Assert.assertEquals(200, response.getStatusLine().getStatusCode()); + + request = "{\n" + + " \"query\" : {\n" + + " \"match_all\":{\n" + + " }\n" + + " }\n" + + "}"; + response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/_search", Collections.emptyMap(), new StringEntity(request), new BasicHeader("Content-type", "application/json")); + responseMap = responseAsMap(response); + Assert.assertEquals(0, Integer.parseInt(((Map) ((Map) responseMap.get("hits")).get("total")).get("value").toString())); + } + + @SuppressWarnings("unchecked") + public void testSearchCorrelationRule() throws IOException { + CorrelationRule rule = randomCorrelationRule("custom-rule"); + Response response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI, Collections.emptyMap(), toHttpEntity(rule)); + Assert.assertEquals(201, response.getStatusLine().getStatusCode()); + Map responseMap = responseAsMap(response); + Assert.assertEquals("custom-rule", ((Map) responseMap.get("rule")).get("name")); + + String request = "{\n" + + " \"query\": {\n" + + " \"nested\": {\n" + + " \"path\": \"correlate\",\n" + + " \"query\": {\n" + + " \"bool\": {\n" + + " \"must\": [\n" + + " { \"match\": {\"correlate.category\": \"network\"}}\n" + + " ]\n" + + " }\n" + + " }\n" + + " }\n" + + " }\n" + + "}"; + response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/_search", Collections.emptyMap(), new StringEntity(request), new BasicHeader("Content-type", "application/json")); + responseMap = responseAsMap(response); + Assert.assertEquals(1, Integer.parseInt(((Map) ((Map) responseMap.get("hits")).get("total")).get("value").toString())); + } } \ No newline at end of file