[Security Solution] Integration tests for simple diff algorithm #184889
Conversation
dplumlee
added
test
release_note:skip
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Flaky Test Runner Stats🎉 All tests passed! - kibana-flaky-test-suite-runner#6224[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/management/trial_license_complete_tier/configs/ess.config.ts: 100/100 tests passed. |
| @@ -217,7 +217,7 @@ export const schema: FormSchema<AboutStepRule> = { | |||
| label: i18n.translate( | |||
| 'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.fieldMitreThreatLabel', | |||
| { | |||
| defaultMessage: 'MITRE ATT&CK\\u2122', | |||
| defaultMessage: 'MITRE ATT&CK\u2122', | |||
There was a problem hiding this comment.
When I was doing some testing, I noticed this was returning with the literal string both in the diffing UI and in the rule forms, probably caused by the big i18n update that got merged in a couple weeks ago. This fixes the unicode to display correctly.
...ement/prebuilt_rules/management/trial_license_complete_tier/upgrade_review_prebuilt_rules.ts
Outdated
Show resolved
Hide resolved
...ver/lib/detection_engine/prebuilt_rules/api/review_rule_upgrade/review_rule_upgrade_route.ts
Outdated
Show resolved
Hide resolved
...ement/prebuilt_rules/management/trial_license_complete_tier/upgrade_review_prebuilt_rules.ts
Outdated
Show resolved
Hide resolved
...ement/prebuilt_rules/management/trial_license_complete_tier/upgrade_review_prebuilt_rules.ts
Outdated
Show resolved
Hide resolved
| name: { | ||
| current_version: 'B', | ||
| diff_outcome: ThreeWayDiffOutcome.StockValueCanUpdate, | ||
| has_conflict: false, |
There was a problem hiding this comment.
Should this actually be has_conflict: true? The test plan mentions that there should be a conflict, and I think it makes sense.
Let's say you have a rule with a customized field value, then the base version gets removed somehow. In such case I think we shouldn't automatically choose the target version, but force the user to make this choice.
There was a problem hiding this comment.
Yeah I agree, I'll change the logic of what we're returning to match this output
There was a problem hiding this comment.
I think this poses another question actually. Currently, whenever the base_version is missing, we assume the rule is not customized giving us the diff outcomes of StockValueNoUpdate for the -AA situation and StockValueCanUpdate for the -AB situation. Here is where that logic occurs in the code
Should we be instead assuming both are customized and the fallback for an undefined base_version would be to return the field and let users decide if they want to keep or update the field?
In this scenario we would return CustomizedValueSameUpdate for the now assumed -BB outcome and CustomizedValueCanUpdate for the -BC outcome.
The only downside I can think of for this would be we'd return all the fields for an entire rule no matter what if the base_version was unavailable which could be overwhelming.
There was a problem hiding this comment.
I think it's okay to return a bunch of fields in this edge case, since it should only happen once. Base version would get created if you upgrade a rule, right? Otherwise we run the risk of removing user's custom value with no way to return to it.
This was my line of thinking:
If we have the -AA situation this could mean one of:
AAA-> no conflict, pick targetABB-> no conflict, pick target
Since we don't know which case it is, we can assume the most complex scenario (ABB) and returnThreeWayDiffOutcome.CustomizedValueSameUpdate. Then indeed we'll return every field in response.
If we have the -AB situation this could mean one of:
AAB-> no conflict, pick targetABC-> has conflict, user has to choose
Again, I would assume the "worst" (ABC) and returnCustomizedValueCanUpdate. Then the field would also havehas_conflict: trueand the user would have to make a choice.
There was a problem hiding this comment.
I think we can merge this as is for now and wait until folks come back from vacations to discuss with them. Looking at the comment here, perhaps there was an idea behind the current behaviour 🤷 .
There was a problem hiding this comment.
I have read the thread and agree with the compromise logic option. Does it make sense to inform the user about missing the base version when this happens?
There was a problem hiding this comment.
@approksiu I think it's probably a good idea, not sure if that's in the UI plans yet or not
There was a problem hiding this comment.
Thanks for the feedback @approksiu, we'll go with option 3 then.
Does it make sense to inform the user about missing the base version when this happens?
not sure if that's in the UI plans yet or not
It would be a rare edge case to handle. It's not planned. I think it might be useful eventually, especially when we reach that 15k limit, but at this point I would not include this into Milestone 3. I opened a #186880 that we can consider adding to Milestone 4.
There was a problem hiding this comment.
Agreed, definitely in Milestone 3. Thanks for adding the issue!
...ement/prebuilt_rules/management/trial_license_complete_tier/upgrade_review_prebuilt_rules.ts
Show resolved
Hide resolved
...ement/prebuilt_rules/management/trial_license_complete_tier/upgrade_review_prebuilt_rules.ts
Show resolved
Hide resolved
...ement/prebuilt_rules/management/trial_license_complete_tier/upgrade_review_prebuilt_rules.ts
Outdated
Show resolved
Hide resolved
...ver/lib/detection_engine/prebuilt_rules/api/review_rule_upgrade/review_rule_upgrade_route.ts
Outdated
Show resolved
Hide resolved
| name: { | ||
| current_version: 'B', | ||
| diff_outcome: ThreeWayDiffOutcome.StockValueCanUpdate, | ||
| has_conflict: false, |
There was a problem hiding this comment.
@nikitaindik @dplumlee This is a great catch, thank you both!
We have a technical and a UX sides of the question.
Technically, your above comments make sense that if we treat -AA as ABB and -AB as ABC, we would need to adjust the returned ThreeWayDiffOutcome values accordingly.
From the UX perspective, we have a trade-off:
- 1st option is to treat
-AAasABBand-ABasABC. The trade-off is safety at the cost of usability. In practice, all-AAand-ABfields would be shown in the rule upgrade flyout, with-ABfields shown as conflicting. This might look confusing, dangerous and overwhelming, especially if the user has never customized their installed rules and just lost some of the prebuilt rule assets. - 2nd option is to treat
-AAasAAAand-ABasAAB. The trade-off is usability at the cost of safety. In practice, all-AAfields would not be shown in the rule upgrade flyout, and-ABfields would be shown in the flyout as auto-accepted, thus significantly saving the time to upgrade the rules. This might be dangerous for those rules that had been customized by the user, then Elastic published a new package with updates to those rules, and the user lost some of the prebuilt rule assets (-ABsituation).
There can be a few ways to loose rule assets partially:
- By manually deleting some of them using a script, or dev tools, etc. I think chances are very low, and that would be the shooting yourself in the foot type of case.
- By installing a new package version where some of the historical rule versions will be missing. We have a hard limit of 15000 rule versions per package. We haven't reached it yet, but reaching it is a matter of time. When the TRaDE team reaches it, they will need to come up with an algorithm for evicting old rule versions from the package. Our upgrade logic should work well regardless of existence or non-existence of certain historical versions. What are the chances for the user to find themselves in this situation? I think it will depend on this eviction algorithm in the future, but currently I think it's 0.
The 1st option would be a fool-proof and safe way of handling the two situations above, the 2nd option would be a quick-and-easy way.
Probably there can be a 3rd, compromise option:
- Treat
-AAasAAAandNO_CONFLICTfor increased usability. - Treat
-ABasABCandSOLVABLE_CONFLICTfor safety. In this case, we would successfully auto-merge the change and return amerged_version: 'C', but mark it asSOLVABLE_CONFLICTaccording to the idea of solvable and non-solvable conflicts described in the RFC and this ticket. In this case, users would need to manually accept the auto-merged value in the upgrade flyout.
I agree that we should hold off changing the current logic until all people are back from vacations 👍
There was a problem hiding this comment.
Thanks for addressing my comments @dplumlee! The PR LGTM now!
|
@elasticmachine merge upstream |
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: cc @dplumlee |
Summary
Completes related tickets: #180160 and #180158
Switches fields to use the diff algorithms assigned to them in the related tickets
Adds integration tests in accordance to #184484 for the
upgrade/_reviewAPI endpoint for the simple diff algorithm.Also changes logic in the
upgrade/_reviewAPI endpoint to return user customized fields in the diffs even if there was not an update for that field. This new logic is described in #180154. We filter out the fields that fall under this new logic so that they are only returned from the API but not displayed in the per-field rule diff flyout as the current UI cannot support them. They are utilized in testing logic and will be implemented in the UI at a later dateChecklist
Delete any items that are not applicable to this PR.
For maintainers