delete threat intel monitor api

Signed-off-by: Surya Sashank Nistala <[email protected]>
opensearch-project · Jun 6, 2024 · cddd9ad · cddd9ad
1 parent 874d69b
commit cddd9ad
Show file tree

Hide file tree

Showing 8 changed files with 194 additions and 4 deletions.
diff --git a/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java b/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java
@@ -113,6 +113,7 @@
 import org.opensearch.securityanalytics.threatIntel.action.PutTIFJobAction;
 import org.opensearch.securityanalytics.threatIntel.action.SAGetTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.action.SAIndexTIFSourceConfigAction;
+import org.opensearch.securityanalytics.threatIntel.action.monitor.DeleteThreatIntelMonitorAction;
 import org.opensearch.securityanalytics.threatIntel.action.monitor.IndexThreatIntelMonitorAction;
 import org.opensearch.securityanalytics.threatIntel.action.monitor.SearchThreatIntelMonitorAction;
 import org.opensearch.securityanalytics.threatIntel.common.TIFLockService;
@@ -121,6 +122,7 @@
 import org.opensearch.securityanalytics.threatIntel.model.SATIFSourceConfig;
 import org.opensearch.securityanalytics.threatIntel.resthandler.RestGetTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.resthandler.RestIndexTIFSourceConfigAction;
+import org.opensearch.securityanalytics.threatIntel.resthandler.monitor.RestDeleteThreatIntelMonitorAction;
 import org.opensearch.securityanalytics.threatIntel.resthandler.monitor.RestIndexThreatIntelMonitorAction;
 import org.opensearch.securityanalytics.threatIntel.resthandler.monitor.RestSearchThreatIntelMonitorAction;
 import org.opensearch.securityanalytics.threatIntel.service.DetectorThreatIntelService;
@@ -132,6 +134,7 @@
 import org.opensearch.securityanalytics.threatIntel.transport.TransportGetTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.transport.TransportIndexTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.transport.TransportPutTIFJobAction;
+import org.opensearch.securityanalytics.threatIntel.transport.monitor.TransportDeleteThreatIntelMonitorAction;
 import org.opensearch.securityanalytics.threatIntel.transport.monitor.TransportIndexThreatIntelMonitorAction;
 import org.opensearch.securityanalytics.threatIntel.transport.monitor.TransportSearchThreatIntelMonitorAction;
 import org.opensearch.securityanalytics.transport.TransportAcknowledgeAlertsAction;
@@ -323,6 +326,7 @@ public List<RestHandler> getRestHandlers(Settings settings,
                 new RestIndexTIFSourceConfigAction(),
                 new RestGetTIFSourceConfigAction(),
                 new RestIndexThreatIntelMonitorAction(),
+                new RestDeleteThreatIntelMonitorAction(),
                 new RestSearchThreatIntelMonitorAction()
         );
     }
@@ -460,6 +464,7 @@ public List<Setting<?>> getSettings() {
                 new ActionHandler<>(DeleteCustomLogTypeAction.INSTANCE, TransportDeleteCustomLogTypeAction.class),
                 new ActionHandler<>(PutTIFJobAction.INSTANCE, TransportPutTIFJobAction.class),
                 new ActionHandler<>(IndexThreatIntelMonitorAction.INSTANCE, TransportIndexThreatIntelMonitorAction.class),
+                new ActionHandler<>(DeleteThreatIntelMonitorAction.INSTANCE, TransportDeleteThreatIntelMonitorAction.class),
                 new ActionHandler<>(SearchThreatIntelMonitorAction.INSTANCE, TransportSearchThreatIntelMonitorAction.class),
                 new ActionHandler<>(SAIndexTIFSourceConfigAction.INSTANCE, TransportIndexTIFSourceConfigAction.class),
                 new ActionHandler<>(SAGetTIFSourceConfigAction.INSTANCE, TransportGetTIFSourceConfigAction.class)

diff --git a/...ensearch/securityanalytics/threatIntel/action/monitor/DeleteThreatIntelMonitorAction.java b/...ensearch/securityanalytics/threatIntel/action/monitor/DeleteThreatIntelMonitorAction.java
@@ -0,0 +1,15 @@
+package org.opensearch.securityanalytics.threatIntel.action.monitor;
+
+import org.opensearch.action.ActionType;
+import org.opensearch.commons.alerting.action.DeleteMonitorResponse;
+import org.opensearch.securityanalytics.threatIntel.sacommons.monitor.ThreatIntelMonitorActions;
+
+public class DeleteThreatIntelMonitorAction extends ActionType<DeleteMonitorResponse> {
+
+    public static final DeleteThreatIntelMonitorAction INSTANCE = new DeleteThreatIntelMonitorAction();
+    public static final String NAME = ThreatIntelMonitorActions.DELETE_THREAT_INTEL_MONITOR_ACTION_NAME;
+
+    private DeleteThreatIntelMonitorAction() {
+        super(NAME, DeleteMonitorResponse::new);
+    }
+}
diff --git a/...securityanalytics/threatIntel/action/monitor/request/DeleteThreatIntelMonitorRequest.java b/...securityanalytics/threatIntel/action/monitor/request/DeleteThreatIntelMonitorRequest.java
@@ -0,0 +1,37 @@
+package org.opensearch.securityanalytics.threatIntel.action.monitor.request;
+
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.ActionRequestValidationException;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+
+public class DeleteThreatIntelMonitorRequest extends ActionRequest {
+
+    private String monitorId;
+
+    public DeleteThreatIntelMonitorRequest(String monitorId) {
+        super();
+        this.monitorId = monitorId;
+    }
+
+    public DeleteThreatIntelMonitorRequest(StreamInput sin) throws IOException {
+        this(sin.readString());
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        return null;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeString(monitorId);
+    }
+
+    public String getMonitorId() {
+        return monitorId;
+    }
+
+}
diff --git a/...ecurityanalytics/threatIntel/action/monitor/response/IndexThreatIntelMonitorResponse.java b/...ecurityanalytics/threatIntel/action/monitor/response/IndexThreatIntelMonitorResponse.java
@@ -86,4 +86,4 @@ public long getPrimaryTerm() {
     public ThreatIntelMonitorDto getIocScanMonitor() {
         return iocScanMonitor;
     }
-}
+}
diff --git a/...securityanalytics/threatIntel/resthandler/monitor/RestDeleteThreatIntelMonitorAction.java b/...securityanalytics/threatIntel/resthandler/monitor/RestDeleteThreatIntelMonitorAction.java
@@ -0,0 +1,54 @@
+package org.opensearch.securityanalytics.threatIntel.resthandler.monitor;
+
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.client.node.NodeClient;
+import org.opensearch.rest.BaseRestHandler;
+import org.opensearch.rest.RestRequest;
+import org.opensearch.rest.action.RestToXContentListener;
+import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
+import org.opensearch.securityanalytics.threatIntel.action.monitor.DeleteThreatIntelMonitorAction;
+import org.opensearch.securityanalytics.threatIntel.action.monitor.request.DeleteThreatIntelMonitorRequest;
+import org.opensearch.securityanalytics.threatIntel.action.monitor.request.IndexThreatIntelMonitorRequest;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Locale;
+
+import static org.opensearch.securityanalytics.threatIntel.action.monitor.request.IndexThreatIntelMonitorRequest.THREAT_INTEL_MONITOR_ID;
+
+public class RestDeleteThreatIntelMonitorAction extends BaseRestHandler {
+
+    private static final Logger log = LogManager.getLogger(RestDeleteThreatIntelMonitorAction.class);
+
+    @Override
+    public String getName() {
+        return "delete_threat_intel_monitor_action";
+    }
+
+    @Override
+    protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
+        log.debug(String.format(Locale.getDefault(),
+                "%s %s/{%s}",
+                request.method(),
+                SecurityAnalyticsPlugin.THREAT_INTEL_MONITOR_URI,
+                THREAT_INTEL_MONITOR_ID));
+
+        String detectorId = request.param(THREAT_INTEL_MONITOR_ID);
+        DeleteThreatIntelMonitorRequest deleteMonitorRequest = new DeleteThreatIntelMonitorRequest(detectorId);
+        return channel -> client.execute(
+                DeleteThreatIntelMonitorAction.INSTANCE,
+                deleteMonitorRequest, new RestToXContentListener<>(channel)
+        );
+    }
+
+    @Override
+    public List<Route> routes() {
+        return List.of(
+                new Route(RestRequest.Method.DELETE, String.format(Locale.getDefault(),
+                        "%s/{%s}",
+                        SecurityAnalyticsPlugin.THREAT_INTEL_MONITOR_URI,
+                        THREAT_INTEL_MONITOR_ID)));
+    }
+}
diff --git a/...opensearch/securityanalytics/threatIntel/sacommons/monitor/ThreatIntelMonitorActions.java b/...opensearch/securityanalytics/threatIntel/sacommons/monitor/ThreatIntelMonitorActions.java
@@ -3,4 +3,5 @@
 public class ThreatIntelMonitorActions {
     public static final String INDEX_THREAT_INTEL_MONITOR_ACTION_NAME = "cluster:admin/security_analytics/threatIntel/monitor/write";
     public static final String SEARCH_THREAT_INTEL_MONITOR_ACTION_NAME = "cluster:admin/security_analytics/threatIntel/monitor/search";
+    public static final String DELETE_THREAT_INTEL_MONITOR_ACTION_NAME = "cluster:admin/security_analytics/threatIntel/monitor/delete";
 }
diff --git a/...urityanalytics/threatIntel/transport/monitor/TransportDeleteThreatIntelMonitorAction.java b/...urityanalytics/threatIntel/transport/monitor/TransportDeleteThreatIntelMonitorAction.java
@@ -0,0 +1,68 @@
+package org.opensearch.securityanalytics.threatIntel.transport.monitor;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.OpenSearchStatusException;
+import org.opensearch.action.support.ActionFilters;
+import org.opensearch.action.support.HandledTransportAction;
+import org.opensearch.action.support.WriteRequest;
+import org.opensearch.client.Client;
+import org.opensearch.client.node.NodeClient;
+import org.opensearch.common.inject.Inject;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.commons.alerting.AlertingPluginInterface;
+import org.opensearch.commons.alerting.action.DeleteMonitorRequest;
+import org.opensearch.commons.alerting.action.DeleteMonitorResponse;
+import org.opensearch.commons.authuser.User;
+import org.opensearch.core.action.ActionListener;
+import org.opensearch.core.common.io.stream.NamedWriteableRegistry;
+import org.opensearch.core.rest.RestStatus;
+import org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings;
+import org.opensearch.securityanalytics.threatIntel.action.monitor.DeleteThreatIntelMonitorAction;
+import org.opensearch.securityanalytics.threatIntel.action.monitor.request.DeleteThreatIntelMonitorRequest;
+import org.opensearch.securityanalytics.transport.SecureTransportAction;
+import org.opensearch.securityanalytics.util.SecurityAnalyticsException;
+import org.opensearch.tasks.Task;
+import org.opensearch.threadpool.ThreadPool;
+import org.opensearch.transport.TransportService;
+
+public class TransportDeleteThreatIntelMonitorAction extends HandledTransportAction<DeleteThreatIntelMonitorRequest, DeleteMonitorResponse> implements SecureTransportAction {
+
+    private static final Logger log = LogManager.getLogger(TransportDeleteThreatIntelMonitorAction.class);
+
+    private final ThreadPool threadPool;
+    private final Settings settings;
+    private final NamedWriteableRegistry namedWriteableRegistry;
+    private final Client client;
+    private volatile Boolean filterByEnabled;
+
+    @Inject
+    public TransportDeleteThreatIntelMonitorAction(
+            final TransportService transportService,
+            final ActionFilters actionFilters,
+            final ThreadPool threadPool,
+            final Settings settings,
+            final Client client,
+            final NamedWriteableRegistry namedWriteableRegistry
+    ) {
+        super(DeleteThreatIntelMonitorAction.NAME, transportService, actionFilters, DeleteThreatIntelMonitorRequest::new);
+        this.threadPool = threadPool;
+        this.settings = settings;
+        this.namedWriteableRegistry = namedWriteableRegistry;
+        this.filterByEnabled = SecurityAnalyticsSettings.FILTER_BY_BACKEND_ROLES.get(this.settings);
+        this.client = client;
+    }
+
+    @Override
+    protected void doExecute(Task task, DeleteThreatIntelMonitorRequest request, ActionListener<DeleteMonitorResponse> listener) {
+        User user = readUserFromThreadContext(this.threadPool);
+        String validateBackendRoleMessage = validateUserBackendRoles(user, this.filterByEnabled);
+        if (!"".equals(validateBackendRoleMessage)) {
+            listener.onFailure(SecurityAnalyticsException.wrap(new OpenSearchStatusException(validateBackendRoleMessage, RestStatus.FORBIDDEN)));
+            return;
+        }
+        AlertingPluginInterface.INSTANCE.deleteMonitor((NodeClient) client,
+                new DeleteMonitorRequest(request.getMonitorId(), WriteRequest.RefreshPolicy.IMMEDIATE),
+                listener);
+    }
+}
diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/ThreatIntelMonitorRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/ThreatIntelMonitorRestApiIT.java
@@ -35,10 +35,10 @@ public void testCreateThreatIntelMonitor() throws IOException {
         Assert.assertEquals(201, response.getStatusLine().getStatusCode());
         Map<String, Object> responseBody = asMap(response);
 
-        final String createdId = responseBody.get("id").toString();
-        Assert.assertNotEquals("response is missing Id", Monitor.NO_ID, createdId);
+        final String monitorId = responseBody.get("id").toString();
+        Assert.assertNotEquals("response is missing Id", Monitor.NO_ID, monitorId);
 
-        Response alertingMonitorResponse = getAlertingMonitor(client(), createdId);
+        Response alertingMonitorResponse = getAlertingMonitor(client(), monitorId);
         Assert.assertEquals(200, alertingMonitorResponse.getStatusLine().getStatusCode());
 
         String matchAllRequest = "{\n" +
@@ -53,7 +53,17 @@ public void testCreateThreatIntelMonitor() throws IOException {
         HashMap<String, Object> totalHits = (HashMap<String, Object>) hits.get("total");
         Integer totalHitsVal = (Integer) totalHits.get("value");
         assertEquals(totalHitsVal.intValue(), 1);
+        makeRequest(client(), "POST", SEARCH_THREAT_INTEL_MONITOR_PATH, Collections.emptyMap(), new StringEntity(matchAllRequest, ContentType.APPLICATION_JSON, false));
 
+        Response delete = makeRequest(client(), "DELETE", SecurityAnalyticsPlugin.THREAT_INTEL_MONITOR_URI + "/" + monitorId, Collections.emptyMap(), null);
+        Assert.assertEquals(200, delete.getStatusLine().getStatusCode());
+
+        searchMonitorResponse = makeRequest(client(), "POST", SEARCH_THREAT_INTEL_MONITOR_PATH, Collections.emptyMap(), new StringEntity(matchAllRequest, ContentType.APPLICATION_JSON, false));
+        Assert.assertEquals(200, alertingMonitorResponse.getStatusLine().getStatusCode());
+        hits = (HashMap<String, Object>) asMap(searchMonitorResponse).get("hits");
+        totalHits = (HashMap<String, Object>) hits.get("total");
+        totalHitsVal = (Integer) totalHits.get("value");
+        assertEquals(totalHitsVal.intValue(), 0);
     }
 
     private ThreatIntelMonitorDto randomIocScanMonitorDto() {
-Original file line number
+Diff line change
@@ Expand Up / @@ -86,4 +86,4 @@ public long getPrimaryTerm() { @@
         public ThreatIntelMonitorDto getIocScanMonitor() {
             return iocScanMonitor;
         }
-    }
+    }