From de01bf3b2cb3d2d23084829e51b17a2fa2155345 Mon Sep 17 00:00:00 2001 From: "Devin W. Hurley" Date: Thu, 29 Apr 2021 09:30:46 -0400 Subject: [PATCH] Revert "adds an 'owner' field to the siem-signals mapping, working authz get for security solution, need to work through rule registry changes (#8)" This reverts commit f59c33c10211320f8d7403b711827651254cca83. --- x-pack/plugins/rule_registry/server/index.ts | 2 +- .../server/rac_client/rac_client.ts | 49 +++---------------- .../create_lifecycle_rule_type_factory.ts | 3 +- .../plugins/security_solution/server/index.ts | 4 +- .../routes/index/signals_mapping.json | 3 -- .../signals/build_bulk_body.ts | 6 +-- .../detection_engine/signals/build_signal.ts | 8 +-- .../signals/single_bulk_create.ts | 6 +-- .../lib/detection_engine/signals/types.ts | 1 - .../security_solution/server/plugin.ts | 16 +++--- 10 files changed, 25 insertions(+), 73 deletions(-) diff --git a/x-pack/plugins/rule_registry/server/index.ts b/x-pack/plugins/rule_registry/server/index.ts index 78b0b2c9160b8..2dfbdef44685d 100644 --- a/x-pack/plugins/rule_registry/server/index.ts +++ b/x-pack/plugins/rule_registry/server/index.ts @@ -9,7 +9,7 @@ import { schema, TypeOf } from '@kbn/config-schema'; import { PluginInitializerContext } from 'src/core/server'; import { RuleRegistryPlugin } from './plugin'; -export { RuleRegistryPluginSetupContract } from './plugin'; +export { RacPluginSetupContract } from './plugin'; export { createLifecycleRuleTypeFactory } from './rule_registry/rule_type_helpers/create_lifecycle_rule_type_factory'; export { FieldMapOf } from './types'; export { ScopedRuleRegistryClient } from './rule_registry/create_scoped_rule_registry_client/types'; diff --git a/x-pack/plugins/rule_registry/server/rac_client/rac_client.ts b/x-pack/plugins/rule_registry/server/rac_client/rac_client.ts index bd92464ace91a..56172d7964a9a 100644 --- a/x-pack/plugins/rule_registry/server/rac_client/rac_client.ts +++ b/x-pack/plugins/rule_registry/server/rac_client/rac_client.ts @@ -15,8 +15,6 @@ import { GrantAPIKeyResult as SecurityPluginGrantAPIKeyResult, InvalidateAPIKeyResult as SecurityPluginInvalidateAPIKeyResult, } from '../../../security/server'; -import { SERVER_APP_ID } from '../../../security_solution/server'; - import { RacAuthorization, WriteOperations, @@ -63,11 +61,6 @@ export interface FindOptions extends IndexType { filter?: string; } -export interface createAlertParams { - esClient: ElasticsearchClient; - owner: 'observability' | 'securitySolution'; -} - interface IndexType { [key: string]: unknown; } @@ -124,8 +117,14 @@ export class RacClient { owner, }: { id: string; - owner: typeof SERVER_APP_ID | 'observability'; + owner: 'securitySolution' | 'observability'; }): Promise { + // TODO: type alert for the get method + const result = await this.esClient.search({ + index: '.siem*', + body: { query: { match_all: {} } }, + }); + console.error(`************\nRESULT ${JSON.stringify(result, null, 2)}\n************`); // .get('alert', id); try { await this.authorization.ensureAuthorized( @@ -134,37 +133,7 @@ export class RacClient { owner, ReadOperations.Get ); - // TODO: type alert for the get method - - try { - // const result = await this.esClient.get({ - // index: '.siem-signals-devin-hurley-default', - // id: 'ecf1d03a9f3456bb28bf3af5ef9fd2ef441641f3b495d92112e5e76d8feae62e', - // }); - const result = await this.esClient.search({ - index: '.siem-signals*', - body: { - query: { - term: { - 'signal.owner': { - value: owner, - }, - }, - }, - }, - }); - console.error(`************\nRESULT ${JSON.stringify(result, null, 2)}\n************`); - return result; - } catch (exc) { - console.error('THREW ERROR WHEN TRYING GET', JSON.stringify(exc, null, 2)); - } - - // const result = await this.esClient.search({ - // index: '.siem*', - // body: { query: { match_all: {} } }, - // }); } catch (error) { - console.error('HERES THE ERROR', error); // this.auditLogger?.log( // alertAuditEvent({ // action: AlertAuditAction.GET, @@ -183,7 +152,7 @@ export class RacClient { // TODO: strip out owner field maybe? // this.getAlertFromRaw(result.id, result.attributes, result.references); - // return result; + return result; // return Promise.resolve({ id: 'hello world!!!' }); // const result = await this.unsecuredSavedObjectsClient.get('alert', id); @@ -368,6 +337,4 @@ export class RacClient { // ]); // return updateResult; } - - static async create({ esClient, owner, data }: createAlertParams) {} } diff --git a/x-pack/plugins/rule_registry/server/rule_registry/rule_type_helpers/create_lifecycle_rule_type_factory.ts b/x-pack/plugins/rule_registry/server/rule_registry/rule_type_helpers/create_lifecycle_rule_type_factory.ts index c4cd81af7222f..65eaf0964cfca 100644 --- a/x-pack/plugins/rule_registry/server/rule_registry/rule_type_helpers/create_lifecycle_rule_type_factory.ts +++ b/x-pack/plugins/rule_registry/server/rule_registry/rule_type_helpers/create_lifecycle_rule_type_factory.ts @@ -168,8 +168,7 @@ export function createLifecycleRuleTypeFactory(): CreateLifecycleRuleType { @@ -46,7 +46,7 @@ export const config: PluginConfigDescriptor = { }; export { ConfigType, Plugin, PluginSetup, PluginStart }; -export { AppClient, SERVER_APP_ID }; +export { AppClient }; // Exports to be shared with plugins such as x-pack/lists plugin export { deleteTemplate } from './lib/detection_engine/index/delete_template'; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_mapping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_mapping.json index 81c5c3b296ba8..d6a06848592cc 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_mapping.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_mapping.json @@ -77,9 +77,6 @@ } } }, - "owner": { - "type": "keyword" - }, "rule": { "properties": { "id": { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts index d20514661b323..10cc168700447 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts @@ -18,19 +18,17 @@ import { import { buildRuleWithoutOverrides, buildRuleWithOverrides } from './build_rule'; import { additionalSignalFields, buildSignal } from './build_signal'; import { buildEventTypeSignal } from './build_event_type_signal'; -import { SERVER_APP_ID } from '../../../../common/constants'; import { EqlSequence } from '../../../../common/detection_engine/types'; import { generateSignalId, wrapBuildingBlocks, wrapSignal } from './utils'; // format search_after result for signals index. export const buildBulkBody = ( ruleSO: SavedObject, - doc: SignalSourceHit, - owner: typeof SERVER_APP_ID + doc: SignalSourceHit ): SignalHit => { const rule = buildRuleWithOverrides(ruleSO, doc._source!); const signal: Signal = { - ...buildSignal([doc], rule, owner), + ...buildSignal([doc], rule), ...additionalSignalFields(doc), }; const event = buildEventTypeSignal(doc); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_signal.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_signal.ts index 06f2d09cd6d74..237536a99c0f0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_signal.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_signal.ts @@ -6,7 +6,6 @@ */ import { SearchTypes } from '../../../../common/detection_engine/types'; -import { SERVER_APP_ID } from '../../../../common/constants'; import { RulesSchema } from '../../../../common/detection_engine/schemas/response/rules_schema'; import { SIGNALS_TEMPLATE_VERSION } from '../routes/index/get_signals_template'; import { isEventTypeSignal } from './build_event_type_signal'; @@ -77,11 +76,7 @@ export const removeClashes = (doc: BaseSignalHit): BaseSignalHit => { * @param docs The parent signals/events of the new signal to be built. * @param rule The rule that is generating the new signal. */ -export const buildSignal = ( - docs: BaseSignalHit[], - rule: RulesSchema, - owner: typeof SERVER_APP_ID -): Signal => { +export const buildSignal = (docs: BaseSignalHit[], rule: RulesSchema): Signal => { const _meta = { version: SIGNALS_TEMPLATE_VERSION, }; @@ -97,7 +92,6 @@ export const buildSignal = ( parents, ancestors, status: 'open', - owner, rule, depth, }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.ts index eaafdb76d2f66..92d01fef6e50c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_bulk_create.ts @@ -12,8 +12,6 @@ import { AlertInstanceState, AlertServices, } from '../../../../../alerting/server'; - -import { SERVER_APP_ID } from '../../../../common/constants'; import { AlertAttributes, SignalHit, SignalSearchResponse, WrappedSignalHit } from './types'; import { RefreshTypes } from '../types'; import { generateId, makeFloatString, errorAggregator } from './utils'; @@ -123,7 +121,7 @@ export const singleBulkCreate = async ({ ), }, }, - buildBulkBody(ruleSO, doc, SERVER_APP_ID), + buildBulkBody(ruleSO, doc), ]); const start = performance.now(); const { body: response } = await services.scopedClusterClient.asCurrentUser.bulk({ @@ -142,7 +140,7 @@ export const singleBulkCreate = async ({ .map((doc, index) => ({ _id: response.items[index].create?._id ?? '', _index: response.items[index].create?._index ?? '', - ...buildBulkBody(ruleSO, doc, SERVER_APP_ID), + ...buildBulkBody(ruleSO, doc), })) .filter((_, index) => get(response.items[index], 'create.status') === 201); const createdItemsCount = createdItems.length; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts index f77189ea393ea..80d08a77ba5d2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts @@ -211,7 +211,6 @@ export interface Signal { }; original_time?: string; original_event?: SearchTypes; - owner?: string; status: Status; threshold_result?: ThresholdResult; original_signal?: SearchTypes; diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index e8848c235a525..5d405f9df3d33 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -217,9 +217,9 @@ export class Plugin implements IPlugin { try { const racClient = await context.ruleRegistry?.getRacClient(); - const thing = await racClient?.get({ id: 'hello world', owner: SERVER_APP_ID }); - console.error('hits?', JSON.stringify(thing.body.hits.hits, null, 2)); - return res.ok({ body: { success: true, thing: thing.body.hits.hits } }); + const thing = await racClient?.get({ id: 'hello world', owner: 'securitySolution' }); + console.error('THE THING EXISTS??', JSON.stringify(thing.body, null, 2)); + return res.ok({ body: { success: true } }); } catch (err) { console.error('monitoring route threw an error'); console.error(err); @@ -236,12 +236,12 @@ export class Plugin implements IPlugin