ba7bea456a
## Summary Fixes https://github.com/elastic/kibana/issues/113276 * Migrates the legacy `siem.notifications` "ruleAlertId" to be within the references array * Adds code to serialize and de-serialize "ruleAlertId" from the saved object references array * Adds migration code to `kibana-alerting` to migrate on startup * Adds `legacy_saved_object_references/README.md` which describes how to test and what those files are for. * Updates earlier similar `signals/saved_object_references/README.md` after reviewing it during my work * Names these files the format of `legacy_foo` since this is all considered legacy work and will be removed once the legacy notification system is removed after customers have migrated. * Adds unit tests * Adds 2e2 tests We only migrate if we find these conditions and cases: * "ruleAlertId" is not `null`, `undefined` or malformed data * The"ruleAlertId" references do not already have an exceptionItem reference already found within it. We migrate on the common use case: * "ruleAlertId" exists and is a string We do these additional (mis-use) cases and steps as well. These should NOT be common things that happen but we safe guard for them here: * If the migration is run twice we are idempotent and do NOT add duplicates or remove items. * If the migration was partially successful but re-run a second time, we only add what is missing. Again no duplicates or removed items should occur. * If the saved object references already exists and contains a different or foreign value, we will retain the foreign reference(s) and still migrate. Before migration you should see data structures like this if you query: ```json # Get the alert type of "siem-notifications" which is part of the legacy system. GET .kibana/_search { "query": { "term": { "alert.alertTypeId": "siem.notifications" } } } ``` ```json "data..omitted": "data..omitted", "params" : { "ruleAlertId" : "933ca720-1be1-11ec-a722-83da1c22a481" <-- Pre-migration we had this Saved Object ID which is not part of references array below }, "actions" : [ { "group" : "default", "params" : { "message" : "Hourly\nRule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionTypeId" : ".slack", "actionRef" : "action_0" <-- Pre-migration this is correct as this work is already done within the alerting plugin }, "references" : [ { "id" : "879e8ff0-1be1-11ec-a722-83da1c22a481", "name" : "action_0", <-- Pre-migration this is correct as this work is already done within the alerting plugin "type" : "action" } ] ], "data..omitted": "data..omitted", ``` After migration you should see data structures like this: ```json "data..omitted": "data..omitted", "params" : { "ruleAlertId" : "933ca720-1be1-11ec-a722-83da1c22a481" <-- Post-migration this is not used but rather the serialized version references is used instead. }, "actions" : [ { "group" : "default", "params" : { "message" : "Hourly\nRule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionTypeId" : ".slack", "actionRef" : "action_0" }, "references" : [ { "id" : "879e8ff0-1be1-11ec-a722-83da1c22a481", "name" : "action_0", "type" : "action" }, { "id" : "933ca720-1be1-11ec-a722-83da1c22a481", <-- Our id here is preferred and used during serialization. "name" : "param:alert_0", <-- We add the name of our reference which is param:alert_0 similar to action_0 but with "param" "type" : "alert" <-- We add the type which is type of alert to the references } ] ], "data..omitted": "data..omitted", ``` ## Manual testing There are e2e and unit tests but for any manual testing or verification you can do the following: If you have a 7.14.0 system and can migrate it forward that is the most straight forward way to ensure this does migrate correctly and forward. You should see that the legacy notification system still operates as expected. If you are a developer off of master and want to test different scenarios then this section is for below as it is more involved and harder to do but goes into more depth: * Create a rule and activate it normally within security_solution * Do not add actions to the rule at this point as we are exercising the older legacy system. However, you want at least one action configured such as a slack notification. * Within dev tools do a query for all your actions and grab one of the `_id` of them without their prefix: ```json # See all your actions GET .kibana/_search { "query": { "term": { "type": "action" } } } ``` Mine was `"_id" : "action:879e8ff0-1be1-11ec-a722-83da1c22a481"`, so I will be copying the ID of `879e8ff0-1be1-11ec-a722-83da1c22a481` Go to the file `detection_engine/scripts/legacy_notifications/one_action.json` and add this id to the file. Something like this: ```json { "name": "Legacy notification with one action", "interval": "1m", <--- You can use whatever you want. Real values are "1h", "1d", "1w". I use "1m" for testing purposes. "actions": [ { "id": "879e8ff0-1be1-11ec-a722-83da1c22a481", <--- My action id "group": "default", "params": { "message": "Hourly\nRule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionTypeId": ".slack" <--- I am a slack action id type. } ] } ``` Query for an alert you want to add manually add back a legacy notification to it. Such as: ```json # See all your siem.signals alert types and choose one GET .kibana/_search { "query": { "term": { "alert.alertTypeId": "siem.signals" } } } ``` Grab the `_id` without the alert prefix. For mine this was `933ca720-1be1-11ec-a722-83da1c22a481` Within the directory of detection_engine/scripts execute the script: ```json ./post_legacy_notification.sh 933ca720-1be1-11ec-a722-83da1c22a481 { "ok": "acknowledged" } ``` which is going to do a few things. See the file `detection_engine/routes/rules/legacy_create_legacy_notification.ts` for the definition of the route and what it does in full, but we should notice that we have now: Created a legacy side car action object of type `siem-detection-engine-rule-actions` you can see in dev tools: ```json # See the actions "side car" which are part of the legacy notification system. GET .kibana/_search { "query": { "term": { "type": { "value": "siem-detection-engine-rule-actions" } } } } ``` But more importantly what the saved object references are which should be this: ```json # Get the alert type of "siem-notifications" which is part of the legacy system. GET .kibana/_search { "query": { "term": { "alert.alertTypeId": "siem.notifications" } } } ``` If you need to ad-hoc test what happens when the migration runs you can get the id of an alert and downgrade it, then restart Kibana. The `ctx._source.references.remove(1)` removes the last element of the references array which is assumed to have a rule. But it might not, so ensure you check your data structure and adjust accordingly. ```json POST .kibana/_update/alert:933ca720-1be1-11ec-a722-83da1c22a481 { "script" : { "source": """ ctx._source.migrationVersion.alert = "7.15.0"; ctx._source.references.remove(1); """, "lang": "painless" } } ``` If you just want to remove your your "param:alert_0" and it is the second array element to test the errors within the console then you would use ```json POST .kibana/_update/alert:933ca720-1be1-11ec-a722-83da1c22a481 { "script" : { "source": """ ctx._source.references.remove(1); """, "lang": "painless" } } ``` Check your log files and should see errors about the saved object references missing until you restart Kibana. Once you restart then it will migrate forward and you will no longer see errors. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios |
||
|---|---|---|
| .. | ||
| build_chromium | ||
| dev-tools | ||
| examples | ||
| plugins | ||
| scripts | ||
| tasks | ||
| test | ||
| .gitignore | ||
| .i18nrc.json | ||
| .telemetryrc.json | ||
| gulpfile.js | ||
| package.json | ||
| README.md | ||
Elastic License Functionality
This directory tree contains files subject to the Elastic License 2.0. The files subject to the Elastic License 2.0 are grouped in this directory to clearly separate them from files dual-licensed under the Server Side Public License and the Elastic License 2.0.
Development
By default, Kibana will run with X-Pack installed as mentioned in the contributing guide.
Elasticsearch will run with a basic license. To run with a trial license, including security, you can specifying that with the yarn es command.
Example: yarn es snapshot --license trial --password changeme
By default, this will also set the password for native realm accounts to the password provided (changeme by default). This includes that of the kibana_system user which elasticsearch.username defaults to in development. If you wish to specify a password for a given native realm account, you can do that like so: --password.kibana_system=notsecure
Testing
For information on testing, see the Elastic functional test development guide.
Running functional tests
The functional UI tests, the API integration tests, and the SAML API integration tests are all run against a live browser, Kibana, and Elasticsearch install. Each set of tests is specified with a unique config that describes how to start the Elasticsearch server, the Kibana server, and what tests to run against them. The sets of tests that exist today are functional UI tests (specified by this config), API integration tests (specified by this config), and SAML API integration tests (specified by this config).
The script runs all sets of tests sequentially like so:
- builds Elasticsearch and X-Pack
- runs Elasticsearch with X-Pack
- starts up the Kibana server with X-Pack
- runs the functional UI tests against those servers
- tears down the servers
- repeats the same process for the API and SAML API integration test configs.
To do all of this in a single command run:
node scripts/functional_tests
Developing functional UI tests
If you are developing functional tests then you probably don't want to rebuild Elasticsearch and wait for all that setup on every test run, so instead use this command to build and start just the Elasticsearch and Kibana servers:
node scripts/functional_tests_server
After the servers are started, open a new terminal and run this command to run just the tests (without tearing down Elasticsearch or Kibana):
node scripts/functional_test_runner
For both of the above commands, it's crucial that you pass in --config to specify the same config file to both commands. This makes sure that the right tests will run against the right servers. Typically a set of tests and server configuration go together.
Read more about how the scripts work here.
For a deeper dive, read more about the way functional tests and servers work here.
Running API integration tests
API integration tests are run with a unique setup usually without UI assets built for the Kibana server.
API integration tests are intended to test only programmatic API exposed by Kibana. There is no need to run browser and simulate user actions, which significantly reduces execution time. In addition, the configuration for API integration tests typically sets optimize.enabled=false for Kibana because UI assets are usually not needed for these tests.
To run only the API integration tests:
node scripts/functional_tests --config test/api_integration/config
Running SAML API integration tests
We also have SAML API integration tests which set up Elasticsearch and Kibana with SAML support. Run only API integration tests with SAML enabled like so:
node scripts/functional_tests --config test/security_api_integration/saml.config
Running Jest integration tests
Jest integration tests can be used to test behavior with Elasticsearch and the Kibana server.
yarn test:jest_integration
Running Reporting functional tests
See here for more information on running reporting tests.
Running Security Solution Cypress E2E/integration tests
See here for information on running this test suite.