Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution][Detections] EQL Validation #77493

Merged
merged 40 commits into from
Oct 2, 2020
Merged
Show file tree
Hide file tree
Changes from 36 commits
Commits
Show all changes
40 commits
Select commit Hold shift + click to select a range
30b9a94
WIP: Adding new route for EQL Validation
rylnd Sep 14, 2020
01fc159
Cherry-pick Marshall's EQL types
rylnd Sep 15, 2020
f81ed6c
Implements actual EQL validation
rylnd Sep 15, 2020
c45ca39
Adds validation calls to the EQL form input
rylnd Sep 16, 2020
587a60a
Do not call the validation API if query is not present
rylnd Sep 16, 2020
cfaa05c
Remove EQL Help Text
rylnd Sep 16, 2020
d68ff61
Flesh out and use our popover for displaying validation errors
rylnd Sep 16, 2020
15f955e
Include verification_exception errors as validation errors
rylnd Sep 17, 2020
4cf2d55
Generalize our validation helpers
rylnd Sep 17, 2020
051db75
Move error popover and EQL reference link to footer
rylnd Sep 17, 2020
d3a6c75
Fix jest tests following additional prop
rylnd Sep 17, 2020
9ee7397
Add icon for EQL Rule card
rylnd Sep 18, 2020
2662d77
Fixes existing EqlQueryBar tests
rylnd Sep 18, 2020
490d2e3
Add unit tests around error rendering on EQL Query Bar
rylnd Sep 18, 2020
c47f2c0
Add tests for ErrorPopover
rylnd Sep 18, 2020
fc27ca8
Merge branch 'master' into eql_validation
rylnd Sep 18, 2020
7a6c8dc
Remove unused schema type
rylnd Sep 22, 2020
2a97944
Remove duplicated header
rylnd Sep 22, 2020
cd20b8c
Merge branch 'master' into eql_validation
rylnd Sep 22, 2020
6655ce1
Use ignore parameter to prevent EQL validations from logging errors
rylnd Sep 22, 2020
9c27650
Include mapping_exceptions during EQL query validation
rylnd Sep 22, 2020
4ef8069
Display toast messages for non-validation messages
rylnd Sep 24, 2020
6c0693c
Merge branch 'master' into eql_validation
rylnd Sep 24, 2020
34f43c8
fix type errors
rylnd Sep 24, 2020
fb2da66
Merge branch 'master' into eql_validation
rylnd Sep 27, 2020
c4e8519
Merge branch 'master' into eql_validation
rylnd Sep 28, 2020
9684414
Do not request data in our validation request
rylnd Sep 28, 2020
a6f36ac
Merge branch 'master' into eql_validation
rylnd Sep 29, 2020
80ed453
Move EQL validation to an async form validator
rylnd Oct 1, 2020
8fa5fda
Invalidate our query field when index patterns change
rylnd Oct 1, 2020
429c763
Merge branch 'master' into eql_validation_async
rylnd Oct 1, 2020
b865866
Set a min-height on our EQL textarea
rylnd Oct 1, 2020
7865eaf
Remove unused prop from EqlQueryBar
rylnd Oct 1, 2020
aa3f9b0
Update EQL overview link to point to elasticsearch docs
rylnd Oct 1, 2020
32f292f
Remove unused prop from stale tests
rylnd Oct 1, 2020
075ff96
Merge branch 'master' into eql_validation
rylnd Oct 1, 2020
bbc1469
Update docLinks documentation with new EQL link
rylnd Oct 1, 2020
03060f3
Fix bug where saved query rules had no type selected on Edit
rylnd Oct 1, 2020
5a5e9bc
Wait for kibana requests to complete before moving between rule tabs
rylnd Oct 2, 2020
1d2b5a8
Merge branch 'master' into eql_validation
rylnd Oct 2, 2020
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions src/core/public/doc_links/doc_links_service.ts
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,7 @@ export class DocLinksService {
gettingStarted: `${ELASTIC_WEBSITE_URL}guide/en/security/${DOC_LINK_VERSION}/index.html`,
},
query: {
eql: `${ELASTICSEARCH_DOCS}eql.html`,
luceneQuerySyntax: `${ELASTICSEARCH_DOCS}query-dsl-query-string-query.html#query-string-syntax`,
queryDsl: `${ELASTICSEARCH_DOCS}query-dsl.html`,
kueryQuerySyntax: `${ELASTIC_WEBSITE_URL}guide/en/kibana/${DOC_LINK_VERSION}/kuery-query.html`,
Expand Down Expand Up @@ -227,6 +228,7 @@ export interface DocLinksStart {
readonly gettingStarted: string;
};
readonly query: {
readonly eql: string;
readonly luceneQuerySyntax: string;
readonly queryDsl: string;
readonly kueryQuerySyntax: string;
Expand Down
1 change: 1 addition & 0 deletions x-pack/plugins/security_solution/common/constants.ts
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,7 @@ export const DETECTION_ENGINE_PREPACKAGED_URL = `${DETECTION_ENGINE_RULES_URL}/p
export const DETECTION_ENGINE_PRIVILEGES_URL = `${DETECTION_ENGINE_URL}/privileges`;
export const DETECTION_ENGINE_INDEX_URL = `${DETECTION_ENGINE_URL}/index`;
export const DETECTION_ENGINE_TAGS_URL = `${DETECTION_ENGINE_URL}/tags`;
export const DETECTION_ENGINE_EQL_VALIDATION_URL = `${DETECTION_ENGINE_URL}/validate_eql`;
export const DETECTION_ENGINE_RULES_STATUS_URL = `${DETECTION_ENGINE_RULES_URL}/_find_statuses`;
export const DETECTION_ENGINE_PREPACKAGED_RULES_STATUS_URL = `${DETECTION_ENGINE_RULES_URL}/prepackaged/_status`;

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/

import { EqlValidationSchema } from './eql_validation_schema';

export const getEqlValidationSchemaMock = (): EqlValidationSchema => ({
index: ['index-123'],
query: 'process where process.name == "regsvr32.exe"',
});
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/

import { pipe } from 'fp-ts/lib/pipeable';
import { left } from 'fp-ts/lib/Either';

import { exactCheck } from '../../../exact_check';
import { foldLeftRight, getPaths } from '../../../test_utils';
import { eqlValidationSchema, EqlValidationSchema } from './eql_validation_schema';
import { getEqlValidationSchemaMock } from './eql_validation_schema.mock';

describe('EQL validation schema', () => {
it('requires a value for index', () => {
const payload = {
...getEqlValidationSchemaMock(),
index: undefined,
};
const decoded = eqlValidationSchema.decode(payload);
const checked = exactCheck(payload, decoded);
const message = pipe(checked, foldLeftRight);

expect(getPaths(left(message.errors))).toEqual([
'Invalid value "undefined" supplied to "index"',
]);
expect(message.schema).toEqual({});
});

it('requires a value for query', () => {
const payload = {
...getEqlValidationSchemaMock(),
query: undefined,
};
const decoded = eqlValidationSchema.decode(payload);
const checked = exactCheck(payload, decoded);
const message = pipe(checked, foldLeftRight);

expect(getPaths(left(message.errors))).toEqual([
'Invalid value "undefined" supplied to "query"',
]);
expect(message.schema).toEqual({});
});

it('validates a payload with index and query', () => {
const payload = getEqlValidationSchemaMock();
const decoded = eqlValidationSchema.decode(payload);
const checked = exactCheck(payload, decoded);
const message = pipe(checked, foldLeftRight);
const expected: EqlValidationSchema = {
index: ['index-123'],
query: 'process where process.name == "regsvr32.exe"',
};

expect(getPaths(left(message.errors))).toEqual([]);
expect(message.schema).toEqual(expected);
});
});
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/

import * as t from 'io-ts';

import { index, query } from '../common/schemas';

export const eqlValidationSchema = t.exact(
t.type({
index,
query,
})
);

export type EqlValidationSchema = t.TypeOf<typeof eqlValidationSchema>;
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/

import { EqlValidationSchema } from './eql_validation_schema';

export const getEqlValidationResponseMock = (): EqlValidationSchema => ({
valid: false,
errors: ['line 3:52: token recognition error at: '],
});

export const getValidEqlValidationResponseMock = (): EqlValidationSchema => ({
valid: true,
errors: [],
});
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/

import { pipe } from 'fp-ts/lib/pipeable';
import { left } from 'fp-ts/lib/Either';

import { exactCheck } from '../../../exact_check';
import { foldLeftRight, getPaths } from '../../../test_utils';
import { getEqlValidationResponseMock } from './eql_validation_schema.mock';
import { eqlValidationSchema } from './eql_validation_schema';

describe('EQL validation response schema', () => {
it('validates a typical response', () => {
const payload = getEqlValidationResponseMock();
const decoded = eqlValidationSchema.decode(payload);
const checked = exactCheck(payload, decoded);
const message = pipe(checked, foldLeftRight);

expect(getPaths(left(message.errors))).toEqual([]);
expect(message.schema).toEqual(getEqlValidationResponseMock());
});

it('invalidates a response with extra properties', () => {
const payload = { ...getEqlValidationResponseMock(), extra: 'nope' };
const decoded = eqlValidationSchema.decode(payload);
const checked = exactCheck(payload, decoded);
const message = pipe(checked, foldLeftRight);

expect(getPaths(left(message.errors))).toEqual(['invalid keys "extra"']);
expect(message.schema).toEqual({});
});

it('invalidates a response with missing properties', () => {
const payload = { ...getEqlValidationResponseMock(), valid: undefined };
const decoded = eqlValidationSchema.decode(payload);
const checked = exactCheck(payload, decoded);
const message = pipe(checked, foldLeftRight);

expect(getPaths(left(message.errors))).toEqual([
'Invalid value "undefined" supplied to "valid"',
]);
expect(message.schema).toEqual({});
});

it('invalidates a response with properties of the wrong type', () => {
const payload = { ...getEqlValidationResponseMock(), errors: 'should be an array' };
const decoded = eqlValidationSchema.decode(payload);
const checked = exactCheck(payload, decoded);
const message = pipe(checked, foldLeftRight);

expect(getPaths(left(message.errors))).toEqual([
'Invalid value "should be an array" supplied to "errors"',
]);
expect(message.schema).toEqual({});
});
});
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/

import * as t from 'io-ts';

export const eqlValidationSchema = t.exact(
t.type({
valid: t.boolean,
errors: t.array(t.string),
})
);

export type EqlValidationSchema = t.TypeOf<typeof eqlValidationSchema>;
31 changes: 31 additions & 0 deletions x-pack/plugins/security_solution/public/common/hooks/eql/api.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/

import { HttpStart } from '../../../../../../../src/core/public';
import { DETECTION_ENGINE_EQL_VALIDATION_URL } from '../../../../common/constants';
import { EqlValidationSchema as EqlValidationRequest } from '../../../../common/detection_engine/schemas/request/eql_validation_schema';
import { EqlValidationSchema as EqlValidationResponse } from '../../../../common/detection_engine/schemas/response/eql_validation_schema';

interface ApiParams {
http: HttpStart;
signal: AbortSignal;
}

export const validateEql = async ({
http,
query,
index,
signal,
}: ApiParams & EqlValidationRequest) => {
return http.fetch<EqlValidationResponse>(DETECTION_ENGINE_EQL_VALIDATION_URL, {
method: 'POST',
body: JSON.stringify({
query,
index,
}),
signal,
});
};
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/

import React from 'react';
import styled from 'styled-components';
import { EuiLink, EuiText } from '@elastic/eui';

import { useKibana } from '../../../../common/lib/kibana';
import { EQL_OVERVIEW_LINK_TEXT } from './translations';

const InlineText = styled(EuiText)`
display: inline-block;
`;

export const EqlOverviewLink = () => {
const overviewUrl = useKibana().services.docLinks.links.query.eql;

return (
<EuiLink external href={overviewUrl} target="_blank">
<InlineText size="xs">{EQL_OVERVIEW_LINK_TEXT}</InlineText>
</EuiLink>
);
};
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,12 @@
import React from 'react';
import { shallow, mount } from 'enzyme';

import { useFormFieldMock } from '../../../../common/mock';
import { TestProviders, useFormFieldMock } from '../../../../common/mock';
import { mockQueryBar } from '../../../pages/detection_engine/rules/all/__mocks__/mock';
import { EqlQueryBar, EqlQueryBarProps } from './eql_query_bar';
import { getEqlValidationError } from './validators.mock';

jest.mock('../../../../common/lib/kibana');

describe('EqlQueryBar', () => {
let mockField: EqlQueryBarProps['field'];
Expand All @@ -27,7 +30,11 @@ describe('EqlQueryBar', () => {
});

it('sets the field value on input change', () => {
const wrapper = mount(<EqlQueryBar dataTestSubj="myQueryBar" field={mockField} />);
const wrapper = mount(
<TestProviders>
<EqlQueryBar dataTestSubj="myQueryBar" field={mockField} />
</TestProviders>
);

wrapper
.find('[data-test-subj="eqlQueryBarTextInput"]')
Expand All @@ -44,4 +51,30 @@ describe('EqlQueryBar', () => {

expect(mockField.setValue).toHaveBeenCalledWith(expected);
});

it('does not render errors for a valid query', () => {
const wrapper = mount(
<TestProviders>
<EqlQueryBar dataTestSubj="myQueryBar" field={mockField} />
</TestProviders>
);

expect(wrapper.find('[data-test-subj="eql-validation-errors-popover"]').exists()).toEqual(
false
);
});

it('renders errors for an invalid query', () => {
const invalidMockField = useFormFieldMock({
value: mockQueryBar,
errors: [getEqlValidationError()],
});
const wrapper = mount(
<TestProviders>
<EqlQueryBar dataTestSubj="myQueryBar" field={invalidMockField} />
</TestProviders>
);

expect(wrapper.find('[data-test-subj="eql-validation-errors-popover"]').exists()).toEqual(true);
});
});
Loading