Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failing test: Rule Bulk Actions API Integration Tests - ESS - Rule bulk actions logic.x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess·ts - Rule Bulk Action API @ess perform_bulk_action - ESS specific logic legacy investigation fields should export rules with legacy investigation_fields and transform legacy field in response #173804

Closed
Tracked by #173731
kibanamachine opened this issue Dec 21, 2023 · 8 comments · Fixed by #174757
Closed
Tracked by #173731

Failing test: Rule Bulk Actions API Integration Tests - ESS - Rule bulk actions logic.x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess·ts - Rule Bulk Action API @ess perform_bulk_action - ESS specific logic legacy investigation fields should export rules with legacy investigation_fields and transform legacy field in response #173804

kibanamachine opened this issue Dec 21, 2023 · 8 comments · Fixed by #174757
Assignees
@nikitaindik
Labels
8.13 candidate failed-test A test failure on a tracked branch, potentially flaky-test Feature:Rule Management Security Solution Detection Rule Management area legit-flake Test was triaged and marked as an actual flake. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@kibanamachine
Copy link
Contributor

A test failed on a tracked branch

Error: expected undefined to sort of equal { field_names: [ 'client.address', 'agent.name' ] }
    at Assertion.assert (expect.js:100:11)
    at Assertion.eql (expect.js:244:8)
    at Context.<anonymous> (perform_bulk_action_ess.ts:509:83)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at Object.apply (wrap_function.js:73:16) {
  actual: undefined,
  expected: { field_names: [ 'client.address', 'agent.name' ] },
  showDiff: true
}

First failure: CI Build - main
@kibanamachine kibanamachine added the failed-test A test failure on a tracked branch, potentially flaky-test label Dec 21, 2023
@botelastic botelastic bot added the needs-team Issues missing a team label label Dec 21, 2023
@kibanamachine kibanamachine added the Team:Detection Rule Management Security Detection Rule Management Team label Dec 21, 2023
@botelastic botelastic bot removed the needs-team Issues missing a team label label Dec 21, 2023
@banderror
Copy link
Contributor

@MadameSheema Could you please skip this one?

@MadameSheema
Copy link
Member

/skip

@kibanamachine
Copy link
Contributor Author

Skipped

main: 42353e7

kibanamachine added a commit that referenced this issue Dec 21, 2023
@kibanamachine
skip failing test suite (#173804)
42353e7
@banderror banderror added Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Rule Management Security Solution Detection Rule Management area 8.13 candidate labels Dec 21, 2023
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@banderror banderror mentioned this issue Dec 21, 2023
Closed
@banderror banderror added the legit-flake Test was triaged and marked as an actual flake. label Dec 21, 2023
@nikitaindik
Copy link
Contributor

nikitaindik commented Jan 8, 2024
edited
Loading

I tried reproducing the flakiness by running the bad test through the flaky test runner a couple times (one, two), but it was all green. Either I am doing it wrong or we fixed it in one of the other tickets (or it's a Christmas miracle and it fixed itself!).

Shall I close it for now? @banderror @MadameSheema

@banderror
Copy link
Contributor

@nikitaindik I think we discussed a couple of options what can be checked over zoom, any updates on that?

@nikitaindik
Copy link
Contributor

@banderror

  1. I added logging to the test to see what are the values of objects when the test fails. Ran the Flaky Test Runner a few more times - with the bad test isolated (1, 2) and also with all the tests enabled (1, 2) in the suite. All green.
    But the rule (that has investigation_fields equal to undefined) is at least a legit JSON object (otherwise it would throw here). So probably a rule is returned, it just doesn't have investigation fields for some reason.
  2. The only possible place where rule's investigation_fields can be set undefined is a function called migrateLegacyInvestigationFields.
    We pass rule.params.investigationFields into it. Rule object is read from ES using rulesClient. Nothing interesting there.
export const migrateLegacyInvestigationFields = (
  investigationFields: InvestigationFieldsCombined | undefined
): InvestigationFields | undefined => {
  if (investigationFields && Array.isArray(investigationFields)) {
    if (investigationFields.length) {
      return {
        field_names: investigationFields,
      };
    }

    return undefined;
  }

  return investigationFields;
};

It would return undefined in two cases:

  • you pass undefined into it
  • you pass it an empty array

Currently checking if there's a way to end up with a rule that has investigationFields equal to [] or undefined in the test env.

@nikitaindik nikitaindik mentioned this issue Jan 12, 2024
Merged
nikitaindik added a commit that referenced this issue Jan 26, 2024
@nikitaindik
[Security Solution] Unskip bulk actions integration tests (#174757)
3213541 
**Resolves: #173804** 

500 runs of the flaky test file in ESS env: [Buildkite
4833](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/4833)

## Summary
Even though I couldn't reproduce flakiness (1.5K runs), I've updated the
test to fix a suspected race condition.

What seems to be happening:
In the `beforeEach`
[here](https://github.com/nikitaindik/kibana/blob/b7b95111e010cc9fba618b625bb6f8c8969de1ec/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess.ts#L477),
three rules are created:
- one with investigation_fields equal to `['client.address',
'agent.name']`
 - one with investigation_fields equal to `[]`
- one with investigation_fields equal to `{ field_names: ['host.name']
}`

Then, in the
[test](https://github.com/nikitaindik/kibana/blob/b7b95111e010cc9fba618b625bb6f8c8969de1ec/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess.ts#L506),
we read all three rules and check them in that same order. But if the
`[]` rule is created on the backend before the `['client.address',
'agent.name']` rule, our first check would fail.

Other tests in this file don't expect rules to come in a particular
order. Instead, they search for a needed rule in the array. I used the
same approach for this flaky test.
nikitaindik added a commit to nikitaindik/kibana that referenced this issue Jan 26, 2024
@nikitaindik
[Security Solution] Unskip bulk actions integration tests (elastic#17…
a689e5b 
…4757)

**Resolves: elastic#173804**

500 runs of the flaky test file in ESS env: [Buildkite
4833](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/4833)

Even though I couldn't reproduce flakiness (1.5K runs), I've updated the
test to fix a suspected race condition.

What seems to be happening:
In the `beforeEach`
[here](https://github.com/nikitaindik/kibana/blob/b7b95111e010cc9fba618b625bb6f8c8969de1ec/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess.ts#L477),
three rules are created:
- one with investigation_fields equal to `['client.address',
'agent.name']`
 - one with investigation_fields equal to `[]`
- one with investigation_fields equal to `{ field_names: ['host.name']
}`

Then, in the
[test](https://github.com/nikitaindik/kibana/blob/b7b95111e010cc9fba618b625bb6f8c8969de1ec/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess.ts#L506),
we read all three rules and check them in that same order. But if the
`[]` rule is created on the backend before the `['client.address',
'agent.name']` rule, our first check would fail.

Other tests in this file don't expect rules to come in a particular
order. Instead, they search for a needed rule in the array. I used the
same approach for this flaky test.

(cherry picked from commit 3213541)
nikitaindik added a commit that referenced this issue Jan 28, 2024
@nikitaindik
[8.12] [Security Solution] Unskip bulk actions integration tests (#17…
fb72093 
…4757) (#175732)

# Backport

This will backport the following commits from `main` to `8.12`:
- [[Security Solution] Unskip bulk actions integration tests
(#174757)](#174757)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Nikita
Indik","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-01-26T17:33:09Z","message":"[Security
Solution] Unskip bulk actions integration tests (#174757)\n\n**Resolves:
#173804** \r\n\r\n500 runs of the flaky test file in ESS env:
[Buildkite\r\n4833](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/4833)\r\n\r\n##
Summary\r\nEven though I couldn't reproduce flakiness (1.5K runs), I've
updated the\r\ntest to fix a suspected race condition.\r\n\r\nWhat seems
to be happening:\r\nIn the
`beforeEach`\r\n[here](https://github.com/nikitaindik/kibana/blob/b7b95111e010cc9fba618b625bb6f8c8969de1ec/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess.ts#L477),\r\nthree
rules are created:\r\n- one with investigation_fields equal to
`['client.address',\r\n'agent.name']`\r\n - one with
investigation_fields equal to `[]`\r\n- one with investigation_fields
equal to `{ field_names: ['host.name']\r\n}`\r\n\r\nThen, in
the\r\n[test](https://github.com/nikitaindik/kibana/blob/b7b95111e010cc9fba618b625bb6f8c8969de1ec/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess.ts#L506),\r\nwe
read all three rules and check them in that same order. But if
the\r\n`[]` rule is created on the backend before the
`['client.address',\r\n'agent.name']` rule, our first check would
fail.\r\n\r\nOther tests in this file don't expect rules to come in a
particular\r\norder. Instead, they search for a needed rule in the
array. I used the\r\nsame approach for this flaky
test.","sha":"32135418d6ec15fd9405dc2884e181665709f0ae","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","test-coverage","Team:Detections
and Resp","Team: SecuritySolution","Feature:Rule
Management","Team:Detection Rule
Management","v8.12.1","v8.13.0"],"number":174757,"url":"https://github.com/elastic/kibana/pull/174757","mergeCommit":{"message":"[Security
Solution] Unskip bulk actions integration tests (#174757)\n\n**Resolves:
#173804** \r\n\r\n500 runs of the flaky test file in ESS env:
[Buildkite\r\n4833](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/4833)\r\n\r\n##
Summary\r\nEven though I couldn't reproduce flakiness (1.5K runs), I've
updated the\r\ntest to fix a suspected race condition.\r\n\r\nWhat seems
to be happening:\r\nIn the
`beforeEach`\r\n[here](https://github.com/nikitaindik/kibana/blob/b7b95111e010cc9fba618b625bb6f8c8969de1ec/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess.ts#L477),\r\nthree
rules are created:\r\n- one with investigation_fields equal to
`['client.address',\r\n'agent.name']`\r\n - one with
investigation_fields equal to `[]`\r\n- one with investigation_fields
equal to `{ field_names: ['host.name']\r\n}`\r\n\r\nThen, in
the\r\n[test](https://github.com/nikitaindik/kibana/blob/b7b95111e010cc9fba618b625bb6f8c8969de1ec/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess.ts#L506),\r\nwe
read all three rules and check them in that same order. But if
the\r\n`[]` rule is created on the backend before the
`['client.address',\r\n'agent.name']` rule, our first check would
fail.\r\n\r\nOther tests in this file don't expect rules to come in a
particular\r\norder. Instead, they search for a needed rule in the
array. I used the\r\nsame approach for this flaky
test.","sha":"32135418d6ec15fd9405dc2884e181665709f0ae"}},"sourceBranch":"main","suggestedTargetBranches":["8.12"],"targetPullRequestStates":[{"branch":"8.12","label":"v8.12.1","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.13.0","labelRegex":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/174757","number":174757,"mergeCommit":{"message":"[Security
Solution] Unskip bulk actions integration tests (#174757)\n\n**Resolves:
#173804** \r\n\r\n500 runs of the flaky test file in ESS env:
[Buildkite\r\n4833](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/4833)\r\n\r\n##
Summary\r\nEven though I couldn't reproduce flakiness (1.5K runs), I've
updated the\r\ntest to fix a suspected race condition.\r\n\r\nWhat seems
to be happening:\r\nIn the
`beforeEach`\r\n[here](https://github.com/nikitaindik/kibana/blob/b7b95111e010cc9fba618b625bb6f8c8969de1ec/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess.ts#L477),\r\nthree
rules are created:\r\n- one with investigation_fields equal to
`['client.address',\r\n'agent.name']`\r\n - one with
investigation_fields equal to `[]`\r\n- one with investigation_fields
equal to `{ field_names: ['host.name']\r\n}`\r\n\r\nThen, in
the\r\n[test](https://github.com/nikitaindik/kibana/blob/b7b95111e010cc9fba618b625bb6f8c8969de1ec/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess.ts#L506),\r\nwe
read all three rules and check them in that same order. But if
the\r\n`[]` rule is created on the backend before the
`['client.address',\r\n'agent.name']` rule, our first check would
fail.\r\n\r\nOther tests in this file don't expect rules to come in a
particular\r\norder. Instead, they search for a needed rule in the
array. I used the\r\nsame approach for this flaky
test.","sha":"32135418d6ec15fd9405dc2884e181665709f0ae"}}]}] BACKPORT-->
CoenWarmer pushed a commit to CoenWarmer/kibana that referenced this issue Feb 15, 2024
@nikitaindik @CoenWarmer
[Security Solution] Unskip bulk actions integration tests (elastic#17…
7286bac 
…4757)

**Resolves: elastic#173804** 

500 runs of the flaky test file in ESS env: [Buildkite
4833](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/4833)

## Summary
Even though I couldn't reproduce flakiness (1.5K runs), I've updated the
test to fix a suspected race condition.

What seems to be happening:
In the `beforeEach`
[here](https://github.com/nikitaindik/kibana/blob/b7b95111e010cc9fba618b625bb6f8c8969de1ec/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess.ts#L477),
three rules are created:
- one with investigation_fields equal to `['client.address',
'agent.name']`
 - one with investigation_fields equal to `[]`
- one with investigation_fields equal to `{ field_names: ['host.name']
}`

Then, in the
[test](https://github.com/nikitaindik/kibana/blob/b7b95111e010cc9fba618b625bb6f8c8969de1ec/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess.ts#L506),
we read all three rules and check them in that same order. But if the
`[]` rule is created on the backend before the `['client.address',
'agent.name']` rule, our first check would fail.

Other tests in this file don't expect rules to come in a particular
order. Instead, they search for a needed rule in the array. I used the
same approach for this flaky test.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nikitaindik nikitaindik

Labels
8.13 candidate failed-test A test failure on a tracked branch, potentially flaky-test Feature:Rule Management Security Solution Detection Rule Management area legit-flake Test was triaged and marked as an actual flake. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Security Solution] Unskip bulk actions integration tests nikitaindik/kibana
5 participants
@banderror @elasticmachine @nikitaindik @MadameSheema @kibanamachine