update README, adds integration test (skipped) for testing authz with…

… search strategy
dhurley14 · Jun 16, 2021 · 1673dc9 · 1673dc9
1 parent 36e7c9a
commit 1673dc9
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 52 deletions.
diff --git a/x-pack/plugins/rule_registry/README.md b/x-pack/plugins/rule_registry/README.md
@@ -27,9 +27,7 @@ On plugin setup, rule type producers can create the index template as follows:
 ```ts
 // get the FQN of the component template. All assets are prefixed with the configured `index` value, which is `.alerts` by default.
 
-const componentTemplateName = plugins.ruleRegistry.getFullAssetName(
-  'apm-mappings'
-);
+const componentTemplateName = plugins.ruleRegistry.getFullAssetName('apm-mappings');
 
 // if write is disabled, don't install these templates
 if (!plugins.ruleRegistry.isWriteEnabled()) {
@@ -73,14 +71,10 @@ await plugins.ruleRegistry.createOrUpdateComponentTemplate({
 await plugins.ruleRegistry.createOrUpdateIndexTemplate({
   name: plugins.ruleRegistry.getFullAssetName('apm-index-template'),
   body: {
-    index_patterns: [
-      plugins.ruleRegistry.getFullAssetName('observability-apm*'),
-    ],
+    index_patterns: [plugins.ruleRegistry.getFullAssetName('observability-apm*')],
     composed_of: [
       // Technical component template, required
-      plugins.ruleRegistry.getFullAssetName(
-        TECHNICAL_COMPONENT_TEMPLATE_NAME
-      ),
+      plugins.ruleRegistry.getFullAssetName(TECHNICAL_COMPONENT_TEMPLATE_NAME),
       componentTemplateName,
     ],
   },
@@ -107,8 +101,7 @@ await ruleDataClient.getWriter().bulk({
 // to read data, simply call ruleDataClient.getReader().search:
 const response = await ruleDataClient.getReader().search({
   body: {
-    query: {
-    },
+    query: {},
     size: 100,
     fields: ['*'],
     collapse: {
@@ -135,6 +128,7 @@ The following fields are defined in the technical field component template and s
 - `rule.name`: the name of the rule (as specified by the user).
 - `rule.category`: the name of the rule type (as defined by the rule type producer)
 - `kibana.rac.alert.producer`: the producer of the rule type. Usually a Kibana plugin. e.g., `APM`.
+- `kibana.rac.alert.owner`: the feature which produced the alert. Usually a Kibana feature id like `apm`, `siem`...
 - `kibana.rac.alert.id`: the id of the alert, that is unique within the context of the rule execution it was created in. E.g., for a rule that monitors latency for all services in all environments, this might be `opbeans-java:production`.
 - `kibana.rac.alert.uuid`: the unique identifier for the alert during its lifespan. If an alert recovers (or closes), this identifier is re-generated when it is opened again.
 - `kibana.rac.alert.status`: the status of the alert. Can be `open` or `closed`.
@@ -148,3 +142,16 @@ The following fields are defined in the technical field component template and s
 - `kibana.rac.alert.ancestors`: the array of ancestors (if any) for the alert.
 - `kibana.rac.alert.depth`: the depth of the alert in the ancestral tree (default 0).
 - `kibana.rac.alert.building_block_type`: the building block type of the alert (default undefined).
+
+# Alerts as data
+
+Alerts as data can be interacted with using the AlertsClient api found in `x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts`
+
+This api includes public methods such as
+
+[x] getFullAssetName
+[x] getAlertsIndex
+[x] get
+[x] update
+[ ] bulkUpdate (TODO)
+[ ] find (TODO)
diff --git a/x-pack/plugins/rule_registry/server/scripts/get_observability_alert.sh b/x-pack/plugins/rule_registry/server/scripts/get_observability_alert.sh
@@ -15,7 +15,9 @@ cd ./hunter && sh ./post_detections_role.sh && sh ./post_detections_user.sh
 cd ../observer && sh ./post_detections_role.sh && sh ./post_detections_user.sh
 cd ..
 
+# curl get_index script
+
 # Example: ./find_rules.sh
 curl -v -k \
  -u $USER:changeme \
- -X GET "${KIBANA_URL}${SPACE_URL}/api/rac/alerts?id=NoxgpHkBqbdrfX07MqXV&assetName=observability-apm" | jq .
+ -X GET "${KIBANA_URL}${SPACE_URL}/api/rac/alerts?id=NoxgpHkBqbdrfX07MqXV&indexName=.alerts-observability-apm" | jq .
diff --git a/x-pack/test/api_integration/apis/security_solution/events.ts b/x-pack/test/api_integration/apis/security_solution/events.ts
@@ -7,6 +7,7 @@
 
 import expect from '@kbn/expect';
 
+import { secOnly } from '../../../rule_registry/common/lib/authentication/users';
 import {
   createSpacesAndUsers,
   deleteSpacesAndUsers,
@@ -411,6 +412,7 @@ export default function ({ getService }: FtrProviderContext) {
   const retry = getService('retry');
   const esArchiver = getService('esArchiver');
   const supertest = getService('supertest');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
 
   describe('Timeline', () => {
     // before(() => esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'));
@@ -468,53 +470,41 @@ export default function ({ getService }: FtrProviderContext) {
       });
     });
 
-    it('Make sure that we get Timeline data using the hunter role and do not receive observability alerts', async () => {
+    it.skip('Make sure that we get Timeline data using the hunter role and do not receive observability alerts', async () => {
       await retry.try(async () => {
-        const requestBody = {
-          defaultIndex: ['.alerts*'], // query both .alerts-observability-apm and .alerts-security-solution
-          docValueFields: [{ field: '*' }],
-          factoryQueryType: TimelineEventsQueries.all,
-          fieldRequested: FIELD_REQUESTED,
-          fields: [],
-          filterQuery: {
-            bool: {
-              filter: [
-                {
-                  match_all: {},
-                },
-              ],
-            },
-          },
-          pagination: {
-            activePage: 0,
-            querySize: 25,
-          },
-          language: 'kuery',
-          sort: [
-            {
-              field: '@timestamp',
-              direction: Direction.desc,
-              type: 'number',
-            },
-          ],
-          timerange: {
-            from: FROM,
-            to: TO,
-            interval: '12h',
-          },
-        };
-        // console.error('REQUEST BODY', JSON.stringify(requestBody, null, 2));
         const resp = await supertestWithoutAuth
           .post('/internal/search/securitySolutionTimelineSearchStrategy/')
           .auth(secOnly.username, secOnly.password)
           .set('kbn-xsrf', 'true')
           .set('Content-Type', 'application/json')
-          .send(requestBody);
-        // .expect(200);
-        // console.error('WHAT IS THE RESP', JSON.stringify(resp, null, 2));
+          .send({
+            defaultIndex: ['.alerts*'], // query both .alerts-observability-apm and .alerts-security-solution
+            docValueFields: DOC_VALUE_FIELDS,
+            factoryQueryType: TimelineEventsQueries.all,
+            fieldRequested: FIELD_REQUESTED,
+            fields: [],
+            filterQuery: FILTER_VALUE,
+            pagination: {
+              activePage: 0,
+              querySize: 25,
+            },
+            language: 'kuery',
+            sort: [
+              {
+                field: '@timestamp',
+                direction: Direction.desc,
+                type: 'number',
+              },
+            ],
+            timerange: {
+              from: FROM,
+              to: TO,
+              interval: '12h',
+            },
+          })
+          .expect(200);
 
         const timeline = resp.body;
-        // console.error('TIMELINE', JSON.stringify(timeline, null, 2));
 
         expect(timeline.totalCount).to.be(1);
       });

diff --git a/x-pack/test/functional/es_archives/rule_registry/alerts/data.json b/x-pack/test/functional/es_archives/rule_registry/alerts/data.json
@@ -12,7 +12,6 @@
     }
   }
 }
-
 {
   "type": "doc",
   "value": {
-Original file line number
+Diff line change
@@ Expand Up / @@ -12,7 +12,6 @@ @@
         }
       }
     }
     {
       "type": "doc",
       "value": {
@@ Expand Down @@