Fixes runtime error with meta when it is missing (#75844) (#75991)

## Summary Found in 7.9.0, if you post a rule with an action that has a missing "meta" then you are going to get errors in your UI that look something like: ```ts An error occurred during rule execution: message: "Cannot read property 'kibana_siem_app_url' of null" name: "Unusual Windows Remote User" id: "1cc27e7e-d7c7-4f6a-b918-8c272fc6b1a3" rule id: "1781d055-5c66-4adf-9e93-fc0fa69550c9" signals index: ".siem-signals-default" ``` This fixes the accidental referencing of the null/undefined property and adds both integration and unit tests in that area of code. If you have an action id handy you can manually test this by editing the json file of: ```ts test_cases/queries/action_without_meta.json ``` to have your action id and then posting it like so: ```ts ./post_rule.sh ./rules/test_cases/queries/action_without_meta.json ``` ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: Elastic Machine <[email protected]>
elastic · Aug 26, 2020 · 57637ef · 57637ef
1 parent 8c9f758
commit 57637ef
Show file tree

Hide file tree

Showing 8 changed files with 402 additions and 3 deletions.
diff --git a/..._solution/server/lib/detection_engine/notifications/rules_notification_alert_type.test.ts b/..._solution/server/lib/detection_engine/notifications/rules_notification_alert_type.test.ts
@@ -79,6 +79,84 @@ describe('rules_notification_alert_type', () => {
       );
     });
 
+    it('should resolve results_link when meta is undefined to use "/app/security"', async () => {
+      const ruleAlert = getResult();
+      delete ruleAlert.params.meta;
+      alertServices.savedObjectsClient.get.mockResolvedValue({
+        id: 'rule-id',
+        type: 'type',
+        references: [],
+        attributes: ruleAlert,
+      });
+      alertServices.callCluster.mockResolvedValue({
+        count: 10,
+      });
+
+      await alert.executor(payload);
+      expect(alertServices.alertInstanceFactory).toHaveBeenCalled();
+
+      const [{ value: alertInstanceMock }] = alertServices.alertInstanceFactory.mock.results;
+      expect(alertInstanceMock.scheduleActions).toHaveBeenCalledWith(
+        'default',
+        expect.objectContaining({
+          results_link:
+            '/app/security/detections/rules/id/rule-id?timerange=(global:(linkTo:!(timeline),timerange:(from:1576255233400,kind:absolute,to:1576341633400)),timeline:(linkTo:!(global),timerange:(from:1576255233400,kind:absolute,to:1576341633400)))',
+        })
+      );
+    });
+
+    it('should resolve results_link when meta is an empty object to use "/app/security"', async () => {
+      const ruleAlert = getResult();
+      ruleAlert.params.meta = {};
+      alertServices.savedObjectsClient.get.mockResolvedValue({
+        id: 'rule-id',
+        type: 'type',
+        references: [],
+        attributes: ruleAlert,
+      });
+      alertServices.callCluster.mockResolvedValue({
+        count: 10,
+      });
+      await alert.executor(payload);
+      expect(alertServices.alertInstanceFactory).toHaveBeenCalled();
+
+      const [{ value: alertInstanceMock }] = alertServices.alertInstanceFactory.mock.results;
+      expect(alertInstanceMock.scheduleActions).toHaveBeenCalledWith(
+        'default',
+        expect.objectContaining({
+          results_link:
+            '/app/security/detections/rules/id/rule-id?timerange=(global:(linkTo:!(timeline),timerange:(from:1576255233400,kind:absolute,to:1576341633400)),timeline:(linkTo:!(global),timerange:(from:1576255233400,kind:absolute,to:1576341633400)))',
+        })
+      );
+    });
+
+    it('should resolve results_link to custom kibana link when given one', async () => {
+      const ruleAlert = getResult();
+      ruleAlert.params.meta = {
+        kibana_siem_app_url: 'http://localhost',
+      };
+      alertServices.savedObjectsClient.get.mockResolvedValue({
+        id: 'rule-id',
+        type: 'type',
+        references: [],
+        attributes: ruleAlert,
+      });
+      alertServices.callCluster.mockResolvedValue({
+        count: 10,
+      });
+      await alert.executor(payload);
+      expect(alertServices.alertInstanceFactory).toHaveBeenCalled();
+
+      const [{ value: alertInstanceMock }] = alertServices.alertInstanceFactory.mock.results;
+      expect(alertInstanceMock.scheduleActions).toHaveBeenCalledWith(
+        'default',
+        expect.objectContaining({
+          results_link:
+            'http://localhost/detections/rules/id/rule-id?timerange=(global:(linkTo:!(timeline),timerange:(from:1576255233400,kind:absolute,to:1576341633400)),timeline:(linkTo:!(global),timerange:(from:1576255233400,kind:absolute,to:1576341633400)))',
+        })
+      );
+    });
+
     it('should not call alertInstanceFactory if signalsCount was 0', async () => {
       const ruleAlert = getResult();
       alertServices.savedObjectsClient.get.mockResolvedValue({

diff --git a/...urity_solution/server/lib/detection_engine/notifications/rules_notification_alert_type.ts b/...urity_solution/server/lib/detection_engine/notifications/rules_notification_alert_type.ts
@@ -64,8 +64,8 @@ export const rulesNotificationAlertType = ({
       from: fromInMs,
       to: toInMs,
       id: ruleAlertSavedObject.id,
-      kibanaSiemAppUrl: (ruleAlertParams.meta as { kibana_siem_app_url?: string })
-        .kibana_siem_app_url,
+      kibanaSiemAppUrl: (ruleAlertParams.meta as { kibana_siem_app_url?: string } | undefined)
+        ?.kibana_siem_app_url,
     });
 
     logger.info(

diff --git a/...ion/server/lib/detection_engine/scripts/rules/test_cases/queries/action_without_meta.json b/...ion/server/lib/detection_engine/scripts/rules/test_cases/queries/action_without_meta.json
@@ -0,0 +1,42 @@
+{
+  "type": "query",
+  "index": [
+    "apm-*-transaction*",
+    "auditbeat-*",
+    "endgame-*",
+    "filebeat-*",
+    "logs-*",
+    "packetbeat-*",
+    "winlogbeat-*"
+  ],
+  "filters": [],
+  "language": "kuery",
+  "query": "host.name: *",
+  "author": [],
+  "false_positives": [],
+  "references": [],
+  "risk_score": 50,
+  "risk_score_mapping": [],
+  "severity": "low",
+  "severity_mapping": [],
+  "threat": [],
+  "name": "Host Name Test",
+  "description": "Host Name Test",
+  "tags": [],
+  "license": "",
+  "interval": "5m",
+  "from": "now-30s",
+  "to": "now",
+  "actions": [
+    {
+      "group": "default",
+      "id": "4c42ecf2-5e9b-4ce6-8a7a-ab620fd8b169",
+      "params": {
+        "body": "{}"
+      },
+      "action_type_id": ".webhook"
+    }
+  ],
+  "enabled": true,
+  "throttle": "rule"
+}
diff --git a/...gins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.test.ts b/...gins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.test.ts
@@ -16,6 +16,7 @@ import {
   getListsClient,
   getExceptions,
   sortExceptionItems,
+  parseScheduleDates,
 } from './utils';
 import { RuleExecutorOptions } from './types';
 import { searchAfterAndBulkCreate } from './search_after_bulk_create';
@@ -227,6 +228,105 @@ describe('rules_notification_alert_type', () => {
       );
     });
 
+    it('should resolve results_link when meta is an empty object to use "/app/security"', async () => {
+      const ruleAlert = getResult();
+      ruleAlert.params.meta = {};
+      ruleAlert.actions = [
+        {
+          actionTypeId: '.slack',
+          params: {
+            message:
+              'Rule generated {{state.signals_count}} signals\n\n{{context.rule.name}}\n{{{context.results_link}}}',
+          },
+          group: 'default',
+          id: '99403909-ca9b-49ba-9d7a-7e5320e68d05',
+        },
+      ];
+
+      alertServices.savedObjectsClient.get.mockResolvedValue({
+        id: 'rule-id',
+        type: 'type',
+        references: [],
+        attributes: ruleAlert,
+      });
+      (parseScheduleDates as jest.Mock).mockReturnValue(moment(100));
+      payload.params.meta = {};
+      await alert.executor(payload);
+
+      expect(scheduleNotificationActions).toHaveBeenCalledWith(
+        expect.objectContaining({
+          resultsLink:
+            '/app/security/detections/rules/id/rule-id?timerange=(global:(linkTo:!(timeline),timerange:(from:100,kind:absolute,to:100)),timeline:(linkTo:!(global),timerange:(from:100,kind:absolute,to:100)))',
+        })
+      );
+    });
+
+    it('should resolve results_link when meta is undefined use "/app/security"', async () => {
+      const ruleAlert = getResult();
+      delete ruleAlert.params.meta;
+      ruleAlert.actions = [
+        {
+          actionTypeId: '.slack',
+          params: {
+            message:
+              'Rule generated {{state.signals_count}} signals\n\n{{context.rule.name}}\n{{{context.results_link}}}',
+          },
+          group: 'default',
+          id: '99403909-ca9b-49ba-9d7a-7e5320e68d05',
+        },
+      ];
+
+      alertServices.savedObjectsClient.get.mockResolvedValue({
+        id: 'rule-id',
+        type: 'type',
+        references: [],
+        attributes: ruleAlert,
+      });
+      (parseScheduleDates as jest.Mock).mockReturnValue(moment(100));
+      delete payload.params.meta;
+      await alert.executor(payload);
+
+      expect(scheduleNotificationActions).toHaveBeenCalledWith(
+        expect.objectContaining({
+          resultsLink:
+            '/app/security/detections/rules/id/rule-id?timerange=(global:(linkTo:!(timeline),timerange:(from:100,kind:absolute,to:100)),timeline:(linkTo:!(global),timerange:(from:100,kind:absolute,to:100)))',
+        })
+      );
+    });
+
+    it('should resolve results_link with a custom link', async () => {
+      const ruleAlert = getResult();
+      ruleAlert.params.meta = { kibana_siem_app_url: 'http://localhost' };
+      ruleAlert.actions = [
+        {
+          actionTypeId: '.slack',
+          params: {
+            message:
+              'Rule generated {{state.signals_count}} signals\n\n{{context.rule.name}}\n{{{context.results_link}}}',
+          },
+          group: 'default',
+          id: '99403909-ca9b-49ba-9d7a-7e5320e68d05',
+        },
+      ];
+
+      alertServices.savedObjectsClient.get.mockResolvedValue({
+        id: 'rule-id',
+        type: 'type',
+        references: [],
+        attributes: ruleAlert,
+      });
+      (parseScheduleDates as jest.Mock).mockReturnValue(moment(100));
+      payload.params.meta = { kibana_siem_app_url: 'http://localhost' };
+      await alert.executor(payload);
+
+      expect(scheduleNotificationActions).toHaveBeenCalledWith(
+        expect.objectContaining({
+          resultsLink:
+            'http://localhost/detections/rules/id/rule-id?timerange=(global:(linkTo:!(timeline),timerange:(from:100,kind:absolute,to:100)),timeline:(linkTo:!(global),timerange:(from:100,kind:absolute,to:100)))',
+        })
+      );
+    });
+
     describe('ML rule', () => {
       it('should throw an error if ML plugin was not available', async () => {
         const ruleAlert = getMlResult();

diff --git a/...k/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts b/...k/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
@@ -356,7 +356,8 @@ export const signalRulesAlertType = ({
               from: fromInMs,
               to: toInMs,
               id: savedObject.id,
-              kibanaSiemAppUrl: (meta as { kibana_siem_app_url?: string }).kibana_siem_app_url,
+              kibanaSiemAppUrl: (meta as { kibana_siem_app_url?: string } | undefined)
+                ?.kibana_siem_app_url,
             });
 
             logger.info(

diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/add_actions.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/add_actions.ts
@@ -0,0 +1,134 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from '@kbn/expect';
+
+import { DETECTION_ENGINE_RULES_URL } from '../../../../plugins/security_solution/common/constants';
+import { FtrProviderContext } from '../../common/ftr_provider_context';
+import {
+  createSignalsIndex,
+  deleteAllAlerts,
+  deleteSignalsIndex,
+  removeServerGeneratedProperties,
+  waitFor,
+  getWebHookAction,
+  getRuleWithWebHookAction,
+  getSimpleRuleOutputWithWebHookAction,
+} from '../../utils';
+import { CreateRulesSchema } from '../../../../plugins/security_solution/common/detection_engine/schemas/request/create_rules_schema';
+
+// eslint-disable-next-line import/no-default-export
+export default ({ getService }: FtrProviderContext) => {
+  const supertest = getService('supertest');
+  const es = getService('es');
+
+  describe('add_actions', () => {
+    describe('adding actions', () => {
+      beforeEach(async () => {
+        await createSignalsIndex(supertest);
+      });
+
+      afterEach(async () => {
+        await deleteSignalsIndex(supertest);
+        await deleteAllAlerts(es);
+      });
+
+      it('should be able to create a new webhook action and attach it to a rule', async () => {
+        // create a new action
+        const { body: hookAction } = await supertest
+          .post('/api/actions/action')
+          .set('kbn-xsrf', 'true')
+          .send(getWebHookAction())
+          .expect(200);
+
+        // create a rule with the action attached
+        const { body } = await supertest
+          .post(DETECTION_ENGINE_RULES_URL)
+          .set('kbn-xsrf', 'true')
+          .send(getRuleWithWebHookAction(hookAction.id))
+          .expect(200);
+
+        const bodyToCompare = removeServerGeneratedProperties(body);
+        expect(bodyToCompare).to.eql(
+          getSimpleRuleOutputWithWebHookAction(`${bodyToCompare?.actions?.[0].id}`)
+        );
+      });
+
+      it('should be able to create a new webhook action and attach it to a rule without a meta field and run it correctly', async () => {
+        // create a new action
+        const { body: hookAction } = await supertest
+          .post('/api/actions/action')
+          .set('kbn-xsrf', 'true')
+          .send(getWebHookAction())
+          .expect(200);
+
+        // create a rule with the action attached
+        const { body: rule } = await supertest
+          .post(DETECTION_ENGINE_RULES_URL)
+          .set('kbn-xsrf', 'true')
+          .send(getRuleWithWebHookAction(hookAction.id))
+          .expect(200);
+
+        // wait for Task Manager to execute the rule and its update status
+        await waitFor(async () => {
+          const { body } = await supertest
+            .post(`${DETECTION_ENGINE_RULES_URL}/_find_statuses`)
+            .set('kbn-xsrf', 'true')
+            .send({ ids: [rule.id] })
+            .expect(200);
+          return body[rule.id].current_status?.status === 'succeeded';
+        });
+
+        // expected result for status should be 'succeeded'
+        const { body } = await supertest
+          .post(`${DETECTION_ENGINE_RULES_URL}/_find_statuses`)
+          .set('kbn-xsrf', 'true')
+          .send({ ids: [rule.id] })
+          .expect(200);
+        expect(body[rule.id].current_status.status).to.eql('succeeded');
+      });
+
+      it('should be able to create a new webhook action and attach it to a rule with a meta field and run it correctly', async () => {
+        // create a new action
+        const { body: hookAction } = await supertest
+          .post('/api/actions/action')
+          .set('kbn-xsrf', 'true')
+          .send(getWebHookAction())
+          .expect(200);
+
+        // create a rule with the action attached and a meta field
+        const ruleWithAction: CreateRulesSchema = {
+          ...getRuleWithWebHookAction(hookAction.id),
+          meta: {},
+        };
+
+        const { body: rule } = await supertest
+          .post(DETECTION_ENGINE_RULES_URL)
+          .set('kbn-xsrf', 'true')
+          .send(ruleWithAction)
+          .expect(200);
+
+        // wait for Task Manager to execute the rule and update status
+        await waitFor(async () => {
+          const { body } = await supertest
+            .post(`${DETECTION_ENGINE_RULES_URL}/_find_statuses`)
+            .set('kbn-xsrf', 'true')
+            .send({ ids: [rule.id] })
+            .expect(200);
+          return body[rule.id].current_status?.status === 'succeeded';
+        });
+
+        // expected result for status should be 'succeeded'
+        const { body } = await supertest
+          .post(`${DETECTION_ENGINE_RULES_URL}/_find_statuses`)
+          .set('kbn-xsrf', 'true')
+          .send({ ids: [rule.id] })
+          .expect(200);
+        expect(body[rule.id].current_status.status).to.eql('succeeded');
+      });
+    });
+  });
+};