Skip to content

[Security Solution] Fix Coverage Overview API activity filter#163785

Merged
maximpn merged 1 commit intoelastic:mainfrom
maximpn:fix-coverage-overview-api-activity-filter
Aug 14, 2023
Merged

[Security Solution] Fix Coverage Overview API activity filter#163785
maximpn merged 1 commit intoelastic:mainfrom
maximpn:fix-coverage-overview-api-activity-filter

Conversation

@maximpn
Copy link
Copy Markdown
Contributor

@maximpn maximpn commented Aug 14, 2023

Relates to: #158246

Summary

If activity filter contains both allowed values enabled and disabled simultaneously Coverage Overview endpoint returns the response filtered by the first value only.

This PR fixes wrong behavior os if enabled and disabled values are set simultaneously the response contains combined results for both enabled and disabled activity filter values.

For example a request like below

curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -d '{"filter":{"activity": ["enabled","disabled"]}}' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview --verbose

would produce the same response as the following request

curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview --verbose

Checklist

@maximpn maximpn added bug Fixes for quality problems that affect the customer experience release_note:skip Skip the PR/issue when compiling release notes backport:skip This PR does not require backporting Feature:Detection Rules Security Solution rules and Detection Engine Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team v8.10.0 labels Aug 14, 2023
@maximpn maximpn self-assigned this Aug 14, 2023
@kibana-ci
Copy link
Copy Markdown

kibana-ci commented Aug 14, 2023

💚 Build Succeeded

Metrics [docs]

✅ unchanged

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @maximpn

@maximpn maximpn marked this pull request as ready for review August 14, 2023 10:49
@maximpn maximpn requested review from a team as code owners August 14, 2023 10:49
@maximpn maximpn requested a review from nikitaindik August 14, 2023 10:49
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Aug 14, 2023

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Aug 14, 2023

Pinging @elastic/security-solution (Team: SecuritySolution)

@maximpn maximpn requested review from dplumlee and removed request for dplumlee August 14, 2023 10:49
@banderror banderror added impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Feature:Rule Management Security Solution Detection Rule Management area and removed backport:skip This PR does not require backporting Feature:Detection Rules Security Solution rules and Detection Engine labels Aug 14, 2023
@banderror banderror requested review from banderror and removed request for nikitaindik August 14, 2023 11:09
@maximpn maximpn mentioned this pull request Aug 14, 2023
Merged
4 tasks
banderror
banderror approved these changes Aug 14, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@banderror banderror left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested locally and reviewed the changes. Everything looks good and works fine 👍

I left a few minor comments for your consideration @maximpn. Thank you for the fix.

Comment thread ...ction_engine/rule_management/api/rules/coverage_overview/handle_coverage_overview_request.ts
Comment on lines +42 to +48
enabled:
(activitySet.has(CoverageOverviewRuleActivity.Enabled) &&
activitySet.has(CoverageOverviewRuleActivity.Disabled)) ||
(!activitySet.has(CoverageOverviewRuleActivity.Enabled) &&
!activitySet.has(CoverageOverviewRuleActivity.Disabled))
? undefined
: activitySet.has(CoverageOverviewRuleActivity.Enabled),
Copy link
Copy Markdown
Contributor

@banderror banderror Aug 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: We could extract it to a function and use if instead of ternaries to make this code a bit more readable.

...
enabled: getIsEnabledFilter(activitySet)
...

function getIsEnabledFilter(activitySet: Set<CoverageOverviewRuleActivity>): boolean | undefined {
  const bothSpecified =
    activitySet.has(CoverageOverviewRuleActivity.Enabled) &&
    activitySet.has(CoverageOverviewRuleActivity.Disabled);
  const noneSpecified =
    !activitySet.has(CoverageOverviewRuleActivity.Enabled) &&
    !activitySet.has(CoverageOverviewRuleActivity.Disabled);

  return bothSpecified || noneSpecified
    ? undefined
    : activitySet.has(CoverageOverviewRuleActivity.Enabled);
}

Comment thread x-pack/test/detection_engine_api_integration/basic/tests/coverage_overview.ts

it('returns response filtered by enabled and disabled rules equal to response if enabled and disabled are not set', async () => {
const expectedRule1 = await createRule(supertest, log, {
...getSimpleRule('rule-1'),
Copy link
Copy Markdown
Contributor

@banderror banderror Aug 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

getSimpleRule('rule-1', false) would be a more robust expression, in case someone removes the enabled parameter or changes its default value. This can be important for this particular test that actually depends on this.

Comment thread x-pack/test/detection_engine_api_integration/basic/tests/coverage_overview.ts
});
});

it('returns response filtered by enabled and disabled rules equal to response if enabled and disabled are not set', async () => {
Copy link
Copy Markdown
Contributor

@banderror banderror Aug 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: returns all rules if both enabled and disabled filters are specified in the request

@maximpn maximpn merged commit c610d03 into elastic:main Aug 14, 2023
@kibanamachine kibanamachine added the backport:skip This PR does not require backporting label Aug 14, 2023
@maximpn maximpn deleted the fix-coverage-overview-api-activity-filter branch August 14, 2023 20:12
@banderror banderror mentioned this pull request Aug 15, 2023
Closed
2 tasks
bryce-b pushed a commit that referenced this pull request Aug 22, 2023
@maximpn @bryce-b
[Security Solution] Fix Coverage Overview API activity filter (#163785)
629a796 
**Relates to:** #158246

## Summary

If activity filter contains both allowed values `enabled` and `disabled` simultaneously Coverage Overview endpoint returns the response filtered by the first value only.

This PR fixes wrong behavior os if `enabled` and `disabled` values are set simultaneously the response contains combined results for both `enabled` and `disabled` activity filter values.

For example a request like below

```sh
curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -d '{"filter":{"activity": ["enabled","disabled"]}}' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview --verbose
```

would produce the same response as the following request

```sh
curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview --verbose
```

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@banderror banderror banderror approved these changes

Assignees

@maximpn maximpn

Labels

backport:skip This PR does not require backporting bug Fixes for quality problems that affect the customer experience Feature:Rule Management Security Solution Detection Rule Management area impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. release_note:skip Skip the PR/issue when compiling release notes Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.10.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@maximpn @kibana-ci @elasticmachine @banderror @kibanamachine