[Security Solution][Detections] Convert EQL validation to use search strategy (#79538)

* Rename types from the top-level plugin

These are the same types with a different name. However, the benefit is
that they exist in a non-restricted path (the top level of the plugin).

* Convert our validation function to use the EQL search strategy

Rather than calling our custom EQL validation endpoint, we can instead
leverage the EQL search strategy. The downside is that we have to move
our response parsing logic to the frontend, but the benefit is that
there's no backend to maintain.

* Remove server code related to our EQL validation endpoint

We're keeping our io-ts schemas for now since they're still being used
to type the I/O of our client function.

* Add the data contract to our KibanaServices

I'm not aware of a way to pass react context to the form lib validator
functions, so for now we have to pass this the ugly way :(

* Remove io-ts types corresponding to our defunct validation endpoint

We were keeping these around for the types, but they're so simple that
it's really not worth the overhead. The tests are similarly for
functionality that is no longer used, so no hard feelings there.

* Ensure that our validation does not bother generating hits

We only care about the query's validity, so we can tell the response
handler to do less work here.

* Pass transport options when retrieving an existing search

Without passing transport options to .get, a query with an `ignore`
would succeed if it completed in the `waitForCompletionTimeout` window,
but fail (with the ignored error) on the subsequent request if it became
async.

* Use constant for our strategy key

* Export search strategy constants for client consumption

Common values cannot be consumed directly by client code (compilation
error), so we need to re-export them from data_enhanced's public module.

Author: rylnd

x-pack/plugins/data_enhanced/public/index.ts

@@ -9,3 +9,5 @@ import { DataEnhancedPlugin, DataEnhancedSetup, DataEnhancedStart } from './plug
 export const plugin = () => new DataEnhancedPlugin();
 
 export { DataEnhancedSetup, DataEnhancedStart };
+
+export { ENHANCED_ES_SEARCH_STRATEGY, EQL_SEARCH_STRATEGY } from '../common';

x-pack/plugins/data_enhanced/server/search/eql_search_strategy.test.ts

@@ -163,6 +163,15 @@ describe('EQL search strategy', () => {
           })
         );
       });
+
+      it('passes transport options for an existing request', async () => {
+        const eqlSearch = await eqlSearchStrategyProvider(mockLogger);
+        await eqlSearch.search(mockContext, { id: 'my-search-id', options: { ignore: [400] } });
+        const [[, requestOptions]] = mockEqlGet.mock.calls;
+
+        expect(mockEqlSearch).not.toHaveBeenCalled();
+        expect(requestOptions).toEqual(expect.objectContaining({ ignore: [400] }));
+      });
     });
   });
 });

x-pack/plugins/data_enhanced/server/search/eql_search_strategy.ts

@@ -32,12 +32,16 @@ export const eqlSearchStrategyProvider = (
       const eqlClient = context.core.elasticsearch.client.asCurrentUser.eql;
       const uiSettingsClient = await context.core.uiSettings.client;
       const asyncOptions = getAsyncOptions();
+      const searchOptions = toSnakeCase({ ...request.options });
 
       if (request.id) {
-        promise = eqlClient.get({
-          id: request.id,
-          ...toSnakeCase(asyncOptions),
-        });
+        promise = eqlClient.get(
+          {
+            id: request.id,
+            ...toSnakeCase(asyncOptions),
+          },
+          searchOptions
+        );
       } else {
         const { ignoreThrottled, ignoreUnavailable } = await getDefaultSearchParams(
           uiSettingsClient
@@ -48,11 +52,10 @@ export const eqlSearchStrategyProvider = (
           ...asyncOptions,
           ...request.params,
         });
-        const searchOptions = toSnakeCase({ ...request.options });
 
         promise = eqlClient.search(
           searchParams as EqlSearchStrategyRequest['params'],
-          searchOptions as EqlSearchStrategyRequest['options']
+          searchOptions
         );
       }
 

x-pack/plugins/security_solution/common/constants.ts

@@ -117,7 +117,6 @@ export const DETECTION_ENGINE_PREPACKAGED_URL = `${DETECTION_ENGINE_RULES_URL}/p
 export const DETECTION_ENGINE_PRIVILEGES_URL = `${DETECTION_ENGINE_URL}/privileges`;
 export const DETECTION_ENGINE_INDEX_URL = `${DETECTION_ENGINE_URL}/index`;
 export const DETECTION_ENGINE_TAGS_URL = `${DETECTION_ENGINE_URL}/tags`;
-export const DETECTION_ENGINE_EQL_VALIDATION_URL = `${DETECTION_ENGINE_URL}/validate_eql`;
 export const DETECTION_ENGINE_RULES_STATUS_URL = `${DETECTION_ENGINE_RULES_URL}/_find_statuses`;
 export const DETECTION_ENGINE_PREPACKAGED_RULES_STATUS_URL = `${DETECTION_ENGINE_RULES_URL}/prepackaged/_status`;
 

x-pack/plugins/security_solution/common/detection_engine/schemas/request/eql_validation_schema.test.ts

@@ -4,13 +4,4 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import * as t from 'io-ts';
-
-export const eqlValidationSchema = t.exact(
-  t.type({
-    valid: t.boolean,
-    errors: t.array(t.string),
-  })
-);
-
-export type EqlValidationSchema = t.TypeOf<typeof eqlValidationSchema>;
+export * from './validation';