From ae4d522b52b2c3573c4e276bfd38ecec00d9ff96 Mon Sep 17 00:00:00 2001
From: Maryam Saeidi <maryam.saeidi@elastic.co>
Date: Wed, 14 Aug 2024 12:38:53 +0200
Subject: [PATCH] [Custom threshold] Always pass allowLeadingWildcards as true
 to the KQL validation in the custom threshold rule API param validation
 (#190031)

Fixes #189072
Related #190029

## Summary

This PR updates the KQL validation on the server side by passing the
Kibana leadingWildcard setting as true during validation. This means
that even if this configuration is disabled in Kibana, we will still
allow saving such a filter in the rule, but it will fail during rule
execution.
I've created a separate ticket to discuss how to apply the KQL
validation correctly during API param validation.
([issue](https://github.com/elastic/kibana/issues/190029))

This fix will solve the following issues:
<img
src="https://github.com/user-attachments/assets/d99177cb-d4cd-4f33-9a60-8575d87372e3"
width=500 />


We also have [proper validation on the UI
side](https://github.com/elastic/kibana/blob/main/x-pack/plugins/observability_solution/observability/public/components/custom_threshold/components/validation.tsx#L60,L64)
that considers Kibana setting during validation:

|Error|Leading wildcard error|
|---|---|
|
![image](https://github.com/user-attachments/assets/81cfaea6-c932-4184-8f2f-0d06b267a986)|![image](https://github.com/user-attachments/assets/7719813d-ee7b-4eac-b04f-69a867a6dd89)|
---
 ...rverless_upgrade_and_rollback_checks.test.ts.snap | 12 ++++++------
 .../register_custom_threshold_rule_type.ts           |  4 ++--
 .../server/lib/rules/custom_threshold/utils.test.ts  | 12 +++++++++++-
 .../server/lib/rules/custom_threshold/utils.ts       |  8 ++++++--
 x-pack/plugins/translations/translations/fr-FR.json  |  1 -
 x-pack/plugins/translations/translations/ja-JP.json  |  1 -
 x-pack/plugins/translations/translations/zh-CN.json  |  1 -
 7 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap b/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap
index 932daa1fed69d..c84a3565d48f6 100644
--- a/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap
+++ b/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap
@@ -5619,12 +5619,6 @@ Object {
                   },
                   "name": "custom",
                 },
-                Object {
-                  "args": Object {
-                    "method": [Function],
-                  },
-                  "name": "custom",
-                },
               ],
               "type": "string",
             },
@@ -5639,6 +5633,12 @@ Object {
                   },
                   "name": "custom",
                 },
+                Object {
+                  "args": Object {
+                    "method": [Function],
+                  },
+                  "name": "custom",
+                },
               ],
               "type": "string",
             },
diff --git a/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/register_custom_threshold_rule_type.ts b/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/register_custom_threshold_rule_type.ts
index f198a6c707968..2fe8cbe76d294 100644
--- a/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/register_custom_threshold_rule_type.ts
+++ b/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/register_custom_threshold_rule_type.ts
@@ -56,10 +56,10 @@ export const MetricsRulesTypeAlertDefinition: IRuleTypeAlerts<CustomThresholdAle
 export const searchConfigurationSchema = schema.object({
   index: schema.oneOf([schema.string(), dataViewSpecSchema]),
   query: schema.object({
-    language: schema.string({
+    language: schema.string(),
+    query: schema.string({
       validate: validateKQLStringFilter,
     }),
-    query: schema.string(),
   }),
   filter: schema.maybe(
     schema.arrayOf(
diff --git a/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.test.ts b/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.test.ts
index 96eaebdd2b92f..12eae525c4476 100644
--- a/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.test.ts
+++ b/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.test.ts
@@ -62,12 +62,22 @@ describe('validateKQLStringFilter', () => {
     // input, output
     ['', undefined],
     ['host.name:host-0', undefined],
-    [':*', 'filterQuery must be a valid KQL filter'],
+  ];
+  const dataWithError = [
+    // input, output
+    [
+      ':*',
+      'filterQuery must be a valid KQL filter (error: Expected "(", NOT, end of input, field name, value, whitespace but ":" found.',
+    ],
   ];
 
   test.each(data)('validateKQLStringFilter(%s): %o', (input: any, output: any) => {
     expect(validateKQLStringFilter(input)).toEqual(output);
   });
+
+  test.each(dataWithError)('validateKQLStringFilter(%s): %o', (input: any, output: any) => {
+    expect(validateKQLStringFilter(input)).toContain(output);
+  });
 });
 
 describe('getFormattedGroupBy', () => {
diff --git a/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.ts b/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.ts
index 906c8a8a9f0a5..74f6089af312f 100644
--- a/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.ts
+++ b/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.ts
@@ -52,10 +52,14 @@ export const validateKQLStringFilter = (value: string) => {
   }
 
   try {
-    kbnBuildEsQuery(undefined, [{ query: value, language: 'kuery' }], []);
+    kbnBuildEsQuery(undefined, [{ query: value, language: 'kuery' }], [], {
+      allowLeadingWildcards: true,
+      queryStringOptions: {},
+      ignoreFilterIfFieldNotInIndex: false,
+    });
   } catch (e) {
     return i18n.translate('xpack.observability.customThreshold.rule.schema.invalidFilterQuery', {
-      defaultMessage: 'filterQuery must be a valid KQL filter',
+      defaultMessage: `filterQuery must be a valid KQL filter (error: ${e.message})`,
     });
   }
 };
diff --git a/x-pack/plugins/translations/translations/fr-FR.json b/x-pack/plugins/translations/translations/fr-FR.json
index 75e7b26557a0c..37642329d35bd 100644
--- a/x-pack/plugins/translations/translations/fr-FR.json
+++ b/x-pack/plugins/translations/translations/fr-FR.json
@@ -32674,7 +32674,6 @@
     "xpack.observability.customThreshold.rule.reason.forTheLast": "durée : {duration}",
     "xpack.observability.customThreshold.rule.reason.group": "groupe : {group}",
     "xpack.observability.customThreshold.rule.reasonActionVariableDescription": "Une description concise de la raison du signalement",
-    "xpack.observability.customThreshold.rule.schema.invalidFilterQuery": "filterQuery doit être un filtre KQL valide",
     "xpack.observability.customThreshold.rule.sourceConfiguration.missingHttp": "Échec de chargement de la source : Aucun client HTTP disponible.",
     "xpack.observability.customThreshold.rule.sourceConfiguration.updateFailureBody": "Nous n'avons pas pu appliquer les modifications à la configuration des indicateurs. Réessayez plus tard.",
     "xpack.observability.customThreshold.rule.sourceConfiguration.updateFailureTitle": "La mise à jour de la configuration a échoué",
diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json
index fa953de2475cd..dae805d79e18b 100644
--- a/x-pack/plugins/translations/translations/ja-JP.json
+++ b/x-pack/plugins/translations/translations/ja-JP.json
@@ -32659,7 +32659,6 @@
     "xpack.observability.customThreshold.rule.reason.forTheLast": "duration: {duration}",
     "xpack.observability.customThreshold.rule.reason.group": "グループ：{group}",
     "xpack.observability.customThreshold.rule.reasonActionVariableDescription": "アラートの理由の簡潔な説明",
-    "xpack.observability.customThreshold.rule.schema.invalidFilterQuery": "filterQueryは有効なKQLフィルターでなければなりません",
     "xpack.observability.customThreshold.rule.sourceConfiguration.missingHttp": "ソースの読み込みに失敗しました：HTTPクライアントがありません。",
     "xpack.observability.customThreshold.rule.sourceConfiguration.updateFailureBody": "変更をメトリック構成に適用できませんでした。しばらくたってから再試行してください。",
     "xpack.observability.customThreshold.rule.sourceConfiguration.updateFailureTitle": "構成の更新が失敗しました",
diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json
index 3f9b62848c120..9df2e11f620cc 100644
--- a/x-pack/plugins/translations/translations/zh-CN.json
+++ b/x-pack/plugins/translations/translations/zh-CN.json
@@ -32699,7 +32699,6 @@
     "xpack.observability.customThreshold.rule.reason.forTheLast": "持续时间：{duration}",
     "xpack.observability.customThreshold.rule.reason.group": "组：{group}",
     "xpack.observability.customThreshold.rule.reasonActionVariableDescription": "告警原因的简洁描述",
-    "xpack.observability.customThreshold.rule.schema.invalidFilterQuery": "filterQuery 必须是有效的 KQL 筛选",
     "xpack.observability.customThreshold.rule.sourceConfiguration.missingHttp": "无法加载源：无 HTTP 客户端可用。",
     "xpack.observability.customThreshold.rule.sourceConfiguration.updateFailureBody": "无法对指标配置应用更改。请稍后重试。",
     "xpack.observability.customThreshold.rule.sourceConfiguration.updateFailureTitle": "配置更新失败",