[Security Solution] Skip isCustomized calculation when the feature fl…

…ag is off (elastic#201825)

**Resolves: elastic#201632

## Summary

When the rule customization feature flag is disabled, we should always
return `isCustomized: false`, regardless of any changes introduced to a
rule. This ensures that we do not accidentally mark prebuilt rules as
customized in 8.16 with the feature flag off. For more details, refer to
the related issue: elastic#201632

### Main Changes

- The primary change in this PR is encapsulated in the
`calculateIsCustomized` function
- Other changes involve passing the feature flag to this function
- Added integration tests to cover all API CRUD operations that can be
performed with rules

(cherry picked from commit 22911c1)

.buildkite/ftr_security_serverless_configs.yml

@@ -70,7 +70,8 @@ disabled:
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/large_prebuilt_rules_package/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/management/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/update_prebuilt_rules_package/trial_license_complete_tier/configs/serverless.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/configs/serverless.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/configs/serverless.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_bulk_actions/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_delete/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_delete/basic_license_essentials_tier/configs/serverless.config.ts

.buildkite/ftr_security_stateful_configs.yml

@@ -58,7 +58,8 @@ enabled:
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/large_prebuilt_rules_package/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/management/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/update_prebuilt_rules_package/trial_license_complete_tier/configs/ess.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_bulk_actions/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_delete/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_delete/basic_license_essentials_tier/configs/ess.config.ts

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/bulk_edit_rules.ts

@@ -92,14 +92,20 @@ export const bulkEditRules = async ({
         params: modifiedParams,
       };
       const ruleResponse = convertAlertingRuleToRuleResponse(updatedRule);
+      let isCustomized = false;
+      if (ruleResponse.immutable === true) {
+        isCustomized = calculateIsCustomized({
+          baseRule: baseVersionsMap.get(ruleResponse.rule_id),
+          nextRule: ruleResponse,
+          isRuleCustomizationEnabled: experimentalFeatures.prebuiltRulesCustomizationEnabled,
+        });
+      }
+
       const ruleSource =
         ruleResponse.immutable === true
           ? {
               type: 'external' as const,
-              isCustomized: calculateIsCustomized(
-                baseVersionsMap.get(ruleResponse.rule_id),
-                ruleResponse
-              ),
+              isCustomized,
             }
           : {
               type: 'internal' as const,

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.create_custom_rule.test.ts

@@ -51,6 +51,7 @@ describe('DetectionRulesClient.createCustomRule', () => {
       rulesClient,
       mlAuthz,
       savedObjectsClient,
+      isRuleCustomizationEnabled: true,
     });
   });
 

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.create_prebuilt_rule.test.ts

@@ -44,6 +44,7 @@ describe('DetectionRulesClient.createPrebuiltRule', () => {
       rulesClient,
       mlAuthz,
       savedObjectsClient,
+      isRuleCustomizationEnabled: true,
     });
   });
 

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.delete_rule.test.ts

@@ -30,6 +30,7 @@ describe('DetectionRulesClient.deleteRule', () => {
       rulesClient,
       mlAuthz,
       savedObjectsClient,
+      isRuleCustomizationEnabled: true,
     });
   });
 

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.import_rule.test.ts

@@ -51,6 +51,7 @@ describe('DetectionRulesClient.importRule', () => {
       rulesClient,
       mlAuthz,
       savedObjectsClient,
+      isRuleCustomizationEnabled: true,
     });
   });
 

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.import_rules.test.ts

@@ -32,6 +32,7 @@ describe('detectionRulesClient.importRules', () => {
       rulesClient: rulesClientMock.create(),
       mlAuthz: buildMlAuthz(),
       savedObjectsClient: savedObjectsClientMock.create(),
+      isRuleCustomizationEnabled: true,
     });
 
     (checkRuleExceptionReferences as jest.Mock).mockReturnValue([[], []]);

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.patch_rule.test.ts

@@ -50,6 +50,7 @@ describe('DetectionRulesClient.patchRule', () => {
       rulesClient,
       mlAuthz,
       savedObjectsClient,
+      isRuleCustomizationEnabled: true,
     });
   });
 

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.ts

@@ -38,13 +38,15 @@ interface DetectionRulesClientParams {
   rulesClient: RulesClient;
   savedObjectsClient: SavedObjectsClientContract;
   mlAuthz: MlAuthz;
+  isRuleCustomizationEnabled: boolean;
 }
 
 export const createDetectionRulesClient = ({
   actionsClient,
   rulesClient,
   mlAuthz,
   savedObjectsClient,
+  isRuleCustomizationEnabled,
 }: DetectionRulesClientParams): IDetectionRulesClient => {
   const prebuiltRuleAssetClient = createPrebuiltRuleAssetsClient(savedObjectsClient);
 
@@ -89,6 +91,7 @@ export const createDetectionRulesClient = ({
           prebuiltRuleAssetClient,
           mlAuthz,
           ruleUpdate,
+          isRuleCustomizationEnabled,
         });
       });
     },
@@ -101,6 +104,7 @@ export const createDetectionRulesClient = ({
           prebuiltRuleAssetClient,
           mlAuthz,
           rulePatch,
+          isRuleCustomizationEnabled,
         });
       });
     },
@@ -119,6 +123,7 @@ export const createDetectionRulesClient = ({
           ruleAsset,
           mlAuthz,
           prebuiltRuleAssetClient,
+          isRuleCustomizationEnabled,
         });
       });
     },
@@ -131,6 +136,7 @@ export const createDetectionRulesClient = ({
           importRulePayload: args,
           mlAuthz,
           prebuiltRuleAssetClient,
+          isRuleCustomizationEnabled,
         });
       });
     },

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.update_rule.test.ts

@@ -50,6 +50,7 @@ describe('DetectionRulesClient.updateRule', () => {
       rulesClient,
       mlAuthz,
       savedObjectsClient,
+      isRuleCustomizationEnabled: true,
     });
   });
 

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.upgrade_prebuilt_rule.test.ts

@@ -48,6 +48,7 @@ describe('DetectionRulesClient.upgradePrebuiltRule', () => {
       rulesClient,
       mlAuthz,
       savedObjectsClient,
+      isRuleCustomizationEnabled: true,
     });
   });
 

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.test.ts

@@ -37,6 +37,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       });
       expect(patchedRule).toEqual(
         expect.objectContaining({
@@ -65,6 +66,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       });
       expect(patchedRule).toEqual(
         expect.objectContaining({
@@ -94,6 +96,7 @@ describe('applyRulePatch', () => {
           rulePatch,
           existingRule,
           prebuiltRuleAssetClient,
+          isRuleCustomizationEnabled: true,
         })
       ).rejects.toThrowError(
         'event_category_override: Expected string, received number, tiebreaker_field: Expected string, received number, timestamp_field: Expected string, received number'
@@ -119,6 +122,7 @@ describe('applyRulePatch', () => {
           rulePatch,
           existingRule,
           prebuiltRuleAssetClient,
+          isRuleCustomizationEnabled: true,
         })
       ).rejects.toThrowError('alert_suppression.group_by: Expected array, received string');
     });
@@ -134,6 +138,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -154,6 +159,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       })
     ).rejects.toThrowError(
       'threat_query: Expected string, received number, threat_indicator_path: Expected string, received number'
@@ -170,6 +176,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -190,6 +197,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       })
     ).rejects.toThrowError(
       "index.0: Expected string, received number, language: Invalid enum value. Expected 'kuery' | 'lucene', received 'non-language'"
@@ -206,6 +214,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -226,6 +235,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       })
     ).rejects.toThrowError(
       "index.0: Expected string, received number, language: Invalid enum value. Expected 'kuery' | 'lucene', received 'non-language'"
@@ -244,6 +254,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -268,6 +279,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       })
     ).rejects.toThrowError('threshold.value: Expected number, received string');
   });
@@ -285,6 +297,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -308,6 +321,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -330,6 +344,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -354,6 +369,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -376,6 +392,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       });
       expect(patchedRule).toEqual(
         expect.objectContaining({
@@ -394,6 +411,7 @@ describe('applyRulePatch', () => {
           rulePatch,
           existingRule,
           prebuiltRuleAssetClient,
+          isRuleCustomizationEnabled: true,
         })
       ).rejects.toThrowError('anomaly_threshold: Expected number, received string');
     });
@@ -410,6 +428,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       });
 
       expect(patchedRule).toEqual(
@@ -432,6 +451,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -450,6 +470,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       })
     ).rejects.toThrowError('new_terms_fields: Expected array, received string');
   });
@@ -472,6 +493,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts

@@ -51,13 +51,15 @@ interface ApplyRulePatchProps {
   prebuiltRuleAssetClient: IPrebuiltRuleAssetsClient;
   existingRule: RuleResponse;
   rulePatch: PatchRuleRequestBody;
+  isRuleCustomizationEnabled: boolean;
 }
 
 // eslint-disable-next-line complexity
 export const applyRulePatch = async ({
   rulePatch,
   existingRule,
   prebuiltRuleAssetClient,
+  isRuleCustomizationEnabled,
 }: ApplyRulePatchProps): Promise<RuleResponse> => {
   const typeSpecificParams = patchTypeSpecificParams(rulePatch, existingRule);
 
@@ -122,6 +124,7 @@ export const applyRulePatch = async ({
   nextRule.rule_source = await calculateRuleSource({
     rule: nextRule,
     prebuiltRuleAssetClient,
+    isRuleCustomizationEnabled,
   });
 
   return nextRule;

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_update.ts

@@ -17,12 +17,14 @@ interface ApplyRuleUpdateProps {
   prebuiltRuleAssetClient: IPrebuiltRuleAssetsClient;
   existingRule: RuleResponse;
   ruleUpdate: RuleUpdateProps;
+  isRuleCustomizationEnabled: boolean;
 }
 
 export const applyRuleUpdate = async ({
   prebuiltRuleAssetClient,
   existingRule,
   ruleUpdate,
+  isRuleCustomizationEnabled,
 }: ApplyRuleUpdateProps): Promise<RuleResponse> => {
   const nextRule: RuleResponse = {
     ...applyRuleDefaults(ruleUpdate),
@@ -46,6 +48,7 @@ export const applyRuleUpdate = async ({
   nextRule.rule_source = await calculateRuleSource({
     rule: nextRule,
     prebuiltRuleAssetClient,
+    isRuleCustomizationEnabled,
   });
 
   return nextRule;