[Security Solution][Alerts] Remove legacy rules schema #137605
Conversation
marshallmain
added
release_note:skip
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
| export const getThreatMatchingSchemaMock = (anchorDate: string = ANCHOR_DATE): RulesSchema => { | ||
| export const getThreatMatchingSchemaMock = ( | ||
| anchorDate: string = ANCHOR_DATE | ||
| ): FullResponseSchema => { |
There was a problem hiding this comment.
Any reason why getThreatMatchingSchemaMock couldn't have return type of ThreatMatchResponseSchema?
As well as the above getRulesMlSchemaMock have a retrun type of MachineLearningResponseSchema?
There was a problem hiding this comment.
Nope, good point - updated to use more specific return types throughout this file.
| return validateNonExact(transformed, rulesSchema); | ||
| } | ||
| }; | ||
|
|
||
| export const newTransformValidate = ( |
There was a problem hiding this comment.
If we are getting rid of the original transformValidate, couldn't we rename newTransformValidate to transformValidate?
There was a problem hiding this comment.
Yeah, updated to transformValidate
|
@elasticmachine merge upstream |
There was a problem hiding this comment.
That's exciting @marshallmain -- another improvement of the rule schemas! 🙌
Overall the PR looks great. Left a few comments, most of which are about reinforcing static types.
...plugins/security_solution/common/detection_engine/schemas/response/rules_bulk_schema.test.ts
Outdated
Show resolved
Hide resolved
| @@ -6,13 +6,18 @@ | |||
| */ | |||
|
|
|||
| import { DEFAULT_INDICATOR_SOURCE_PATH } from '../../../constants'; | |||
| import type { | |||
There was a problem hiding this comment.
After the changes, now we have rules_schema.mocks.ts and rules_schema.test.ts under both directories: request and response. Some of the tests under response have been deleted.
- What's the difference between those tests and mocks that are still there?
- Can we consolidate all of them under the
requestfolder?
There was a problem hiding this comment.
What's the difference between those tests and mocks that are still there?
The tests and mocks in each folder still correspond to the request and response schemas respectively. It definitely deserves to be reorganized, but I tried to avoid doing reorganization at the same time as the more technical changes. request/rule_schemas.test.ts is focused on testing the createRulesSchema - we don't have independent tests for updateRulesSchema at this point, but it's almost identical to createRulesSchema. Similarly the mocks in request/rule_schemas.mock.ts are all for the create schemas.
Since request/rule_schemas.ts is where all of the core schema logic lives, it ends up being the source for the new response schemas and replaces response/rules_schema.ts - which is simply deleted. However, I kept response/rules_schema.test.ts and response/rules_schema.mock.ts and updated them to use the new schemas for better assurance that the switch over to the new schema isn't breaking things.
Can we consolidate all of them under the request folder?
I think we can consolidate by moving most of request/rule_schemas.ts to common/rule_schemas.ts and better separating the "base" and "type specific" schema logic from create, update, response, etc. This way we can keep request and response schemas organized into their own sections, and also remove the dependency of response on request/rule_schemas.ts.
There was a problem hiding this comment.
Great, thank you for clarifying this! Could you please add a few comments to those files to explain this:
The tests and mocks in each folder still correspond to the request and response schemas respectively. It definitely deserves to be reorganized, but I tried to avoid doing reorganization at the same time as the more technical changes. request/rule_schemas.test.ts is focused on testing the createRulesSchema - we don't have independent tests for updateRulesSchema at this point, but it's almost identical to createRulesSchema. Similarly the mocks in request/rule_schemas.mock.ts are all for the create schemas.
Since request/rule_schemas.ts is where all of the core schema logic lives, it ends up being the source for the new response schemas and replaces response/rules_schema.ts - which is simply deleted. However, I kept response/rules_schema.test.ts and response/rules_schema.mock.ts and updated them to use the new schemas for better assurance that the switch over to the new schema isn't breaking things.
There was a problem hiding this comment.
I think we can consolidate by moving most of request/rule_schemas.ts to common/rule_schemas.ts and better separating the "base" and "type specific" schema logic from create, update, response, etc. This way we can keep request and response schemas organized into their own sections, and also remove the dependency of response on request/rule_schemas.ts.
++ Makes total sense. I added this to #138606 as a sub-task.
x-pack/plugins/security_solution/common/detection_engine/schemas/response/rules_schema.mocks.ts
Outdated
Show resolved
Hide resolved
| const sharedResponseSchema = t.intersection([ | ||
| baseResponseParams, | ||
| responseTypeSpecific, | ||
| t.exact(t.type(responseRequiredFields)), | ||
| t.exact(t.partial(responseOptionalFields)), | ||
| ]); | ||
| type SharedResponseSchema = t.TypeOf<typeof sharedResponseSchema>; |
There was a problem hiding this comment.
Nit: let's use either base or shared naming but not both
There was a problem hiding this comment.
sharedResponseSchema here is equivalent to sharedCreateSchema or sharedUpdateSchema but for the response instead, whereas base comes from the baseParams that form the basis of the create, update, patch, and response schemas. What do you think we should rename here?
There was a problem hiding this comment.
I'd probably rename baseParams to sharedParams etc. But I'm nitpicking here, the naming as it is now is clear enough, so feel free to ignore the suggestion.
x-pack/test/detection_engine_api_integration/utils/get_simple_rule_output.ts
Outdated
Show resolved
Hide resolved
...k/test/detection_engine_api_integration/utils/get_simple_rule_output_with_web_hook_action.ts
Outdated
Show resolved
Hide resolved
x-pack/test/detection_engine_api_integration/utils/get_simple_rule_output_without_rule_id.ts
Outdated
Show resolved
Hide resolved
x-pack/test/detection_engine_api_integration/utils/remove_server_generated_properties.ts
Outdated
Show resolved
Hide resolved
| // We're only removing undefined values, so this cast correctly narrows the type | ||
| return pickBy(removedProperties, (value) => value !== undefined) as Omit< |
There was a problem hiding this comment.
Why removing undefined values is necessary?
There was a problem hiding this comment.
We have to remove them because in the switch to FullResponseSchema, the mock data now has to specify fields that are undefined explicitly (e.g. https://github.com/elastic/kibana/pull/137605/files#diff-d162965f34c11868eafde7e03ca9bfe234c93845bc38bc7c441494b4d7cf5ca9R47-R59), but when we compare the mocks to actual outputs in the integration tests the extra undefined fields cause the equality check to fail.
This should be fixed as a follow up when we make a response type that does not require all fields to be specified, but for now I figured getting everything onto the same base set of schemas should happen first, then we can continue to expand the capabilities of the schema definition system.
There was a problem hiding this comment.
but when we compare the mocks to actual outputs in the integration tests the extra undefined fields cause the equality check to fail.
Ah, I see! Thank you.
This should be fixed as a follow up when we make a response type that does not require all fields to be specified
FWIW I think the problem could be in assertions rather than mocks. Instead of expect(<actual>).toEqual(<expected>) we could assert only a subset of the properties that would be relevant to each particular test: expect(<actual>).toEqual(expect.objectContaining(<expected subset>)).
Anyway, that would be a separate story to work on...
There was a problem hiding this comment.
@marshallmain Thank you for addressing the comments! The rest of them are nits.
🚀
💚 Build Succeeded
Metrics [docs]
History
To update your PR or re-run it, just comment with: |
Summary
Follow up to #82462
Removes remaining usages of the legacy
RulesSchema, replacing it withFullResponseSchemawhich is built from the single source of truth for rules schemas.