From f5fdc1f3a3b005d64c0851ddb955565dbd59d0ee Mon Sep 17 00:00:00 2001
From: Marshall Main
Date: Mon, 4 Nov 2024 16:23:22 -0500
Subject: [PATCH 1/3] Wrap KQL filters in parentheses to fix logic
---
 .../utils/get_exception_list_filter.test.ts | 6 +-
 .../utils/get_exception_list_filter.ts | 2 +-
 .../import/find_all_exception_list_types.ts | 79 ++++++++-----------
 .../import_rules.ts | 52 ++++++++++++
 4 files changed, 87 insertions(+), 52 deletions(-)
diff --git a/x-pack/plugins/lists/server/services/exception_lists/utils/get_exception_list_filter.test.ts b/x-pack/plugins/lists/server/services/exception_lists/utils/get_exception_list_filter.test.ts
index 9e0b06f8482c7..03a3f6305a4e1 100644
--- a/x-pack/plugins/lists/server/services/exception_lists/utils/get_exception_list_filter.test.ts
+++ b/x-pack/plugins/lists/server/services/exception_lists/utils/get_exception_list_filter.test.ts
@@ -22,7 +22,7 @@ describe('getExceptionListFilter', () => {
 savedObjectTypes: ['exception-list-agnostic'],
 });
 expect(filter).toEqual(
- '(exception-list-agnostic.attributes.list_type: list) AND exception-list-agnostic.attributes.name: "Sample Endpoint Exception List"'
+ '(exception-list-agnostic.attributes.list_type: list) AND (exception-list-agnostic.attributes.name: "Sample Endpoint Exception List")'
 );
 });
@@ -40,7 +40,7 @@ describe('getExceptionListFilter', () => {
 savedObjectTypes: ['exception-list'],
 });
 expect(filter).toEqual(
- '(exception-list.attributes.list_type: list) AND exception-list.attributes.name: "Sample Endpoint Exception List"'
+ '(exception-list.attributes.list_type: list) AND (exception-list.attributes.name: "Sample Endpoint Exception List")'
 );
 });
@@ -60,7 +60,7 @@ describe('getExceptionListFilter', () => {
 savedObjectTypes: ['exception-list-agnostic', 'exception-list'],
 });
 expect(filter).toEqual(
- '(exception-list-agnostic.attributes.list_type: list OR exception-list.attributes.list_type: list) AND exception-list-agnostic.attributes.name: "Sample Endpoint Exception List"'
+ '(exception-list-agnostic.attributes.list_type: list OR exception-list.attributes.list_type: list) AND (exception-list-agnostic.attributes.name: "Sample Endpoint Exception List")'
 );
 });
 });
diff --git a/x-pack/plugins/lists/server/services/exception_lists/utils/get_exception_list_filter.ts b/x-pack/plugins/lists/server/services/exception_lists/utils/get_exception_list_filter.ts
index 44a9be320755f..8aedaa13bcab7 100644
--- a/x-pack/plugins/lists/server/services/exception_lists/utils/get_exception_list_filter.ts
+++ b/x-pack/plugins/lists/server/services/exception_lists/utils/get_exception_list_filter.ts
@@ -20,6 +20,6 @@ export const getExceptionListFilter = ({
 .join(' OR ');
 if (filter != null) {
- return `(${listTypesFilter}) AND ${filter}`;
+ return `(${listTypesFilter}) AND (${filter})`;
 } else return `(${listTypesFilter})`;
 };
diff --git a/x-pack/plugins/lists/server/services/exception_lists/utils/import/find_all_exception_list_types.ts b/x-pack/plugins/lists/server/services/exception_lists/utils/import/find_all_exception_list_types.ts
index 870acc6cc4462..93c5491a84ddb 100644
--- a/x-pack/plugins/lists/server/services/exception_lists/utils/import/find_all_exception_list_types.ts
+++ b/x-pack/plugins/lists/server/services/exception_lists/utils/import/find_all_exception_list_types.ts
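Review bot: The `filter != null` guard on the line above the change still admits an empty string, and with the new shape that produces `(… list_type …) AND ()`, which is not parseable KQL; if `filter` can be `''` (its type is declared outside the hunk, so this is inferred), tightening the guard to `if (filter) {` keeps the parenthesized form valid. The reason for the parentheses is the whole point of the commit and is worth recording at the return: `// Group the caller's filter so its own OR clauses cannot bind against the list_type clause`. getExceptionListFilter's signature begins before the hunk.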
@@ -52,57 +52,40 @@ export const findAllListTypes = async (
 nonAgnosticListItems: ExceptionListQueryInfo[],
 savedObjectsClient: SavedObjectsClientContract
 ): Promise => {
- // Agnostic filter
- const agnosticFilter = getListFilter({
- namespaceType: 'agnostic',
- objects: agnosticListItems,
- });
-
- // Non-agnostic filter
- const nonAgnosticFilter = getListFilter({
- namespaceType: 'single',
- objects: nonAgnosticListItems,
- });
-
 if (!agnosticListItems.length && !nonAgnosticListItems.length) {
 return null;
- } else if (agnosticListItems.length && !nonAgnosticListItems.length) {
- return findExceptionList({
- filter: agnosticFilter,
- namespaceType: ['agnostic'],
- page: undefined,
- perPage: CHUNK_PARSED_OBJECT_SIZE,
- pit: undefined,
- savedObjectsClient,
- searchAfter: undefined,
- sortField: undefined,
- sortOrder: undefined,
- });
- } else if (!agnosticListItems.length && nonAgnosticListItems.length) {
- return findExceptionList({
- filter: nonAgnosticFilter,
- namespaceType: ['single'],
- page: undefined,
- perPage: CHUNK_PARSED_OBJECT_SIZE,
- pit: undefined,
- savedObjectsClient,
- searchAfter: undefined,
- sortField: undefined,
- sortOrder: undefined,
- });
- } else {
- return findExceptionList({
- filter: `${agnosticFilter} OR ${nonAgnosticFilter}`,
- namespaceType: ['single', 'agnostic'],
- page: undefined,
- perPage: CHUNK_PARSED_OBJECT_SIZE,
- pit: undefined,
- savedObjectsClient,
- searchAfter: undefined,
- sortField: undefined,
- sortOrder: undefined,
- });
 }
+
+ const filters: string[] = [];
+ if (agnosticListItems.length > 0) {
+ filters.push(
+ getListFilter({
+ namespaceType: 'agnostic',
+ objects: agnosticListItems,
+ })
+ );
+ }
+
+ if (nonAgnosticListItems.length > 0) {
+ filters.push(
+ getListFilter({
+ namespaceType: 'single',
+ objects: nonAgnosticListItems,
+ })
+ );
+ }
+
+ return findExceptionList({
+ filter: filters.join(' OR '),
+ namespaceType: ['single', 'agnostic'],
+ page: undefined,
+ perPage: CHUNK_PARSED_OBJECT_SIZE,
+ pit: undefined,
+ savedObjectsClient,
+ searchAfter: undefined,
+ sortField: undefined,
+ sortOrder: undefined,
+ });
 };
 /**
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/trial_license_complete_tier/import_rules.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/trial_license_complete_tier/import_rules.ts
index 038ed1787843a..2dc5358f0f7ad 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/trial_license_complete_tier/import_rules.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/trial_license_complete_tier/import_rules.ts
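Review bot: `namespaceType: ['single', 'agnostic']` is now passed unconditionally, so the agnostic-only and single-only paths query both saved-object types where the removed branches queried one; the pushed filters still name the type-specific `list_id` field, so the hit set should be the same, but that widening is not mentioned in the commit message and deserves a comment above the return, e.g. `// Both SO types are always searched; the per-namespace filter fields restrict the hits.` The `filters.join(' OR ')` also assumes each getListFilter result is a single term with no AND of its own, which holds for the `list_id:(…)` shape seen in the tests but is not enforced here; pushing `\`(${getListFilter({ ... })})\`` instead would keep the OR precedence-safe if that helper changes. findAllListTypes' signature begins before the hunk.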
@@ -1215,6 +1215,58 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 });
+ it('should be able to import a rule with both single space and space agnostic exception lists', async () => {
+ const ndjson = combineToNdJson(
+ getCustomQueryRuleParams({
+ exceptions_list: [
+ {
+ id: 'agnostic',
+ list_id: 'test_list_agnostic_id',
+ type: 'detection',
+ namespace_type: 'agnostic',
+ },
+ {
+ id: 'single',
+ list_id: 'test_list_id',
+ type: 'rule_default',
+ namespace_type: 'single',
+ },
+ ],
+ }),
+ { ...getImportExceptionsListSchemaMock('test_list_id'), type: 'rule_default' },
+ getImportExceptionsListItemNewerVersionSchemaMock('test_item_id', 'test_list_id'),
+ {
+ ...getImportExceptionsListSchemaMock('test_list_agnostic_id'),
+ type: 'detection',
+ namespace_type: 'agnostic',
+ },
+ {
+ ...getImportExceptionsListItemNewerVersionSchemaMock(
+ 'test_item_id',
+ 'test_list_agnostic_id'
+ ),
+ namespace_type: 'agnostic',
+ }
+ );
+
+ const { body } = await supertest
+ .post(`${DETECTION_ENGINE_RULES_URL}/_import`)
+ .set('kbn-xsrf', 'true')
+ .set('elastic-api-version', '2023-10-31')
+ .attach('file', Buffer.from(ndjson), 'rules.ndjson')
+ .expect(200);
+
+ expect(body).toMatchObject({
+ success: true,
+ success_count: 1,
+ rules_count: 1,
+ errors: [],
+ exceptions_errors: [],
+ exceptions_success: true,
+ exceptions_success_count: 2,
+ });
+ });
+
 it('should only remove non existent exception list references from rule', async () => {
 // create an exception list
 const { body: exceptionBody } = await supertest
From 76592ffa3d2238762ab425c89313c02707ae0488 Mon Sep 17 00:00:00 2001
From: Marshall Main
Date: Wed, 6 Nov 2024 08:24:07 -0500
Subject: [PATCH 2/3] Fix test
---
 .../utils/import/find_all_exception_list_types.test.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
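Review bot: The new test asserts only the import counters (`success_count: 1`, `exceptions_success_count: 2`) and never inspects the imported rule, so it would still pass if one of the two exception list references were stripped during import, which appears to be the symptom the filter change in this series addresses (inferred from the commit title). Reading the imported rule back after the `_import` call and asserting that its `exceptions_list` still holds both the `agnostic` and the `single` entry would pin the regression; the sibling test immediately below shows the request shape to reuse. The enclosing describe block starts and ends outside the hunk.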
diff --git a/x-pack/plugins/lists/server/services/exception_lists/utils/import/find_all_exception_list_types.test.ts b/x-pack/plugins/lists/server/services/exception_lists/utils/import/find_all_exception_list_types.test.ts
index 5ffe0967ef330..83623a581d97f 100644
--- a/x-pack/plugins/lists/server/services/exception_lists/utils/import/find_all_exception_list_types.test.ts
+++ b/x-pack/plugins/lists/server/services/exception_lists/utils/import/find_all_exception_list_types.test.ts
@@ -60,7 +60,7 @@ describe('find_all_exception_list_item_types', () => {
 expect(findExceptionList).toHaveBeenCalledWith({
 filter: 'exception-list-agnostic.attributes.list_id:(1)',
- namespaceType: ['agnostic'],
+ namespaceType: ['single', 'agnostic'],
 page: undefined,
 perPage: 1000,
 savedObjectsClient,
@@ -74,7 +74,7 @@ describe('find_all_exception_list_item_types', () => {
 expect(findExceptionList).toHaveBeenCalledWith({
 filter: 'exception-list.attributes.list_id:(1)',
- namespaceType: ['single'],
+ namespaceType: ['single', 'agnostic'],
 page: undefined,
 perPage: 1000,
 savedObjectsClient,
From 9e5c13a3b9b49e85c4d34ba1a870e4b0bb973fcc Mon Sep 17 00:00:00 2001
From: Marshall Main
Date: Mon, 11 Nov 2024 15:03:02 -0500
Subject: [PATCH 3/3] Modify test
---
 .../exception_lists/utils/get_exception_list_filter.test.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugins/lists/server/services/exception_lists/utils/get_exception_list_filter.test.ts b/x-pack/plugins/lists/server/services/exception_lists/utils/get_exception_list_filter.test.ts
index 03a3f6305a4e1..676df7cdf09f5 100644
--- a/x-pack/plugins/lists/server/services/exception_lists/utils/get_exception_list_filter.test.ts
+++ b/x-pack/plugins/lists/server/services/exception_lists/utils/get_exception_list_filter.test.ts
@@ -56,11 +56,12 @@ describe('getExceptionListFilter', () => {
 test('it should create a filter that searches for both agnostic and single lists with additional filters if searching for both single and agnostic lists', () => {
 const filter = getExceptionListFilter({
- filter: 'exception-list-agnostic.attributes.name: "Sample Endpoint Exception List"',
+ filter:
+ 'exception-list-agnostic.attributes.name: "Sample Endpoint Exception List" OR exception-list.attributes.name: "Sample Rule Exception List"',
 savedObjectTypes: ['exception-list-agnostic', 'exception-list'],
 });
 expect(filter).toEqual(
- '(exception-list-agnostic.attributes.list_type: list OR exception-list.attributes.list_type: list) AND (exception-list-agnostic.attributes.name: "Sample Endpoint Exception List")'
+ '(exception-list-agnostic.attributes.list_type: list OR exception-list.attributes.list_type: list) AND (exception-list-agnostic.attributes.name: "Sample Endpoint Exception List" OR exception-list.attributes.name: "Sample Rule Exception List")'
 );
 });
 });