Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[7.x] [SECURITY SOLUTION] [Detections] Add / Update e2e tests to ensure initial rule runs are successful (#68441) #68643

Merged
merged 1 commit into from
Jun 9, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,10 @@

import expect from '@kbn/expect';

import { DETECTION_ENGINE_RULES_URL } from '../../../../plugins/security_solution/common/constants';
import {
DETECTION_ENGINE_RULES_URL,
DETECTION_ENGINE_RULES_STATUS_URL,
} from '../../../../plugins/security_solution/common/constants';
import { FtrProviderContext } from '../../common/ftr_provider_context';
import {
createSignalsIndex,
Expand Down Expand Up @@ -65,6 +68,46 @@ export default ({ getService }: FtrProviderContext) => {
expect(bodyToCompare).to.eql(getSimpleRuleOutput());
});

/*
This test is to ensure no future regressions introduced by the following scenario
a call to updateApiKey was invalidating the api key used by the
rule while the rule was executing, or even before it executed,
on the first rule run.
this pr https://github.com/elastic/kibana/pull/68184
fixed this by finding the true source of a bug that required the manual
api key update, and removed the call to that function.

When the api key is updated before / while the rule is executing, the alert
executor no longer has access to a service to update the rule status
saved object in Elasticsearch. Because of this, we cannot set the rule into
a 'failure' state, so the user ends up seeing 'going to run' as that is the
last status set for the rule before it erupts in an error that cannot be
recorded inside of the executor.

This adds an e2e test for the backend to catch that in case
this pops up again elsewhere.
*/
it('should create a single rule with a rule_id and validate it ran successfully', async () => {
const simpleRule = getSimpleRule();
const { body } = await supertest
.post(DETECTION_ENGINE_RULES_URL)
.set('kbn-xsrf', 'true')
.send(simpleRule)
.expect(200);

// wait for Task Manager to execute the rule and update status
await new Promise((resolve) => setTimeout(resolve, 5000));
const { body: statusBody } = await supertest
.post(DETECTION_ENGINE_RULES_STATUS_URL)
.set('kbn-xsrf', 'true')
.send({ ids: [body.id] })
.expect(200);

const bodyToCompare = removeServerGeneratedProperties(body);
expect(bodyToCompare).to.eql(getSimpleRuleOutput());
expect(statusBody[body.id].current_status.status).to.eql('succeeded');
});

it('should create a single rule without an input index', async () => {
const { index, ...payload } = getSimpleRule();
const { index: _index, ...expected } = getSimpleRuleOutput();
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,10 @@

import expect from '@kbn/expect';

import { DETECTION_ENGINE_RULES_URL } from '../../../../plugins/security_solution/common/constants';
import {
DETECTION_ENGINE_RULES_URL,
DETECTION_ENGINE_RULES_STATUS_URL,
} from '../../../../plugins/security_solution/common/constants';
import { FtrProviderContext } from '../../common/ftr_provider_context';
import {
createSignalsIndex,
Expand Down Expand Up @@ -68,6 +71,46 @@ export default ({ getService }: FtrProviderContext): void => {
expect(bodyToCompare).to.eql(getSimpleRuleOutput());
});

/*
This test is to ensure no future regressions introduced by the following scenario
a call to updateApiKey was invalidating the api key used by the
rule while the rule was executing, or even before it executed,
on the first rule run.
this pr https://github.com/elastic/kibana/pull/68184
fixed this by finding the true source of a bug that required the manual
api key update, and removed the call to that function.

When the api key is updated before / while the rule is executing, the alert
executor no longer has access to a service to update the rule status
saved object in Elasticsearch. Because of this, we cannot set the rule into
a 'failure' state, so the user ends up seeing 'going to run' as that is the
last status set for the rule before it erupts in an error that cannot be
recorded inside of the executor.

This adds an e2e test for the backend to catch that in case
this pops up again elsewhere.
*/
it('should create a single rule with a rule_id and validate it ran successfully', async () => {
const simpleRule = getSimpleRule();
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_bulk_create`)
.set('kbn-xsrf', 'true')
.send([simpleRule])
.expect(200);

// wait for Task Manager to execute the rule and update status
await new Promise((resolve) => setTimeout(resolve, 5000));
const { body: statusBody } = await supertest
.post(DETECTION_ENGINE_RULES_STATUS_URL)
.set('kbn-xsrf', 'true')
.send({ ids: [body[0].id] })
.expect(200);

const bodyToCompare = removeServerGeneratedProperties(body[0]);
expect(bodyToCompare).to.eql(getSimpleRuleOutput());
expect(statusBody[body[0].id].current_status.status).to.eql('succeeded');
});

it('should create a single rule without a rule_id', async () => {
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_bulk_create`)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,25 @@ export default ({ getService }: FtrProviderContext): void => {
expect(body).to.eql({});
});

/*
This test is to ensure no future regressions introduced by the following scenario
a call to updateApiKey was invalidating the api key used by the
rule while the rule was executing, or even before it executed,
on the first rule run.
this pr https://github.com/elastic/kibana/pull/68184
fixed this by finding the true source of a bug that required the manual
api key update, and removed the call to that function.

When the api key is updated before / while the rule is executing, the alert
executor no longer has access to a service to update the rule status
saved object in Elasticsearch. Because of this, we cannot set the rule into
a 'failure' state, so the user ends up seeing 'going to run' as that is the
last status set for the rule before it erupts in an error that cannot be
recorded inside of the executor.

This adds an e2e test for the backend to catch that in case
this pops up again elsewhere.
*/
it('should return a single rule status when a single rule is loaded from a find status with defaults added', async () => {
// add a single rule
const { body: resBody } = await supertest
Expand All @@ -61,7 +80,7 @@ export default ({ getService }: FtrProviderContext): void => {
.expect(200);

// expected result for status should be 'going to run' or 'succeeded
expect(['succeeded', 'going to run']).to.contain(body[resBody.id].current_status.status);
expect(body[resBody.id].current_status.status).to.eql('succeeded');
});
});
};