[Security Solution] Extend the /upgrade/_perform API endpoint's contract
#189187
Conversation
jpdjere
added
release_note:skip
jpdjere
changed the title
/upgrade/_perform API endpoint's contract and functionality/upgrade/_perform API endpoint's contract
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
elastic-vault-github-plugin-prod
bot
requested a review
from a team
as a code owner
| - $ref: '../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/RuleName' | ||
| - $ref: '../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/RuleTagArray' | ||
| - $ref: '../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/RuleDescription' |
There was a problem hiding this comment.
What is the reason for making this type a union? The rule name prop should have the resolved_value matching the ruleName type, not any of these. Can it be implemented that way?
There was a problem hiding this comment.
I'm trying to reverse engineer these types. Notice the generic FieldUpgradeRequest type, which is what I tried to replicate with a union:
export interface PerformRuleUpgradeRequestBody {
mode: 'ALL_RULES' | 'SPECIFIC_RULES';
pick_version?: 'BASE' | 'CURRENT' | 'TARGET' | 'MERGED';
rules: SingleRuleUpgradeRequest[]; // required if mode is SPECIFIC_RULES
}
export interface SingleRuleUpgradeRequest {
id: RuleObjectId;
pick_version?: 'BASE' | 'CURRENT' | 'TARGET' | 'MERGED';
fields?: {
name?: FieldUpgradeRequest<RuleName>;
description?: FieldUpgradeRequest<RuleDescription>;
// etc
// Every non-specified field will default to pick_version: 'MERGED'.
// If pick_version is MERGED and there's a merge conflict the endpoint will throw.
};
rule_revision: number;
}
export interface FieldUpgradeRequest<T> {
pick_version: 'BASE' | 'CURRENT' | 'TARGET' | 'MERGED' | 'RESOLVED';
resolved_value: T; // required if pick_version is RESOLVED; type depends on the rule field type
}So each of the properties within fields in SingleRuleUpgradeRequest should be of type FieldUpgradeRequest because each property should be able to be updated to any of the pick_versions listed in the full enum (which includes RESOLVED).
Only if the pick_version value for that field is RESOLVED, then the resolved_value can take the value of the prop (RuleName for the case of the name property).
I'm not sure how to write the OAS in some other way without that union. Do you have in mind something more simple? Ideas welcome 😄
There was a problem hiding this comment.
Maybe instead of having a "generic" FieldUpgradeRequest we could have something like RuleNameFieldUpgradeRequest, which directly refs to RuleName. And create a similar schema for each of the updatable fields.
With such an approach we wouldn't need a union, but it would mean a lot more schemas manually created.
What do you think?
There was a problem hiding this comment.
I think we need to list every upgradeable field, something like this:
RuleUpgradeSpecifier:
type: object
properties:
fields:
type: object
properties:
name:
type: object
required:
- pick_version
properties:
pick_version:
$ref: '#/components/schemas/FieldPickVersionValues'
resolved_value:
$ref: '../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/RuleName'
tags:
type: object
required:
- pick_version
properties:
pick_version:
$ref: '#/components/schemas/FieldPickVersionValues'
resolved_value:
$ref: '../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/RuleTagArray'This approach is a bit more verbose than using a union with all possible values, but it will produce the most accurate type. I believe the effort is worth it.
jpdjere
force-pushed
the
extend-perform-endpoint
branch
from
af446ba
to
c30b261
Compare
...ty_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml
Outdated
Show resolved
Hide resolved
.../detection_engine/prebuilt_rules/perform_rule_upgrade/perform_rule_upgrade_route.schema.yaml
Show resolved
Hide resolved
| required: | ||
| - pick_version | ||
| properties: | ||
| pick_version: |
There was a problem hiding this comment.
Should it be oneOf? Either pick_version or resolved_value need to be specified?
There was a problem hiding this comment.
No, resolved_value should only be defined if pick_version is RESOLVED. And it should contain the "resolved" value -as passed by the user in the request- that the field should be updated to.
There was a problem hiding this comment.
Thanks, makes sense now! Do you think we could make the type more precise, something like:
{
pick_version: 'BASE' | 'CURRENT' | 'TARGET' | 'MERGED'
} |
{
pick_version: 'RESOLVED',
resolved_value: <value>
}
.../detection_engine/prebuilt_rules/perform_rule_upgrade/perform_rule_upgrade_route.schema.yaml
Show resolved
Hide resolved
| title: Perform Rule Upgrade API endpoint | ||
| version: '2023-10-31' | ||
| paths: | ||
| /api/detection_engine/rules/prebuilt/_perform_upgrade: |
There was a problem hiding this comment.
| /api/detection_engine/rules/prebuilt/_perform_upgrade: | |
| /internal/detection_engine/prebuilt_rules/upgrade/_perform: |
| openapi: 3.0.0 | ||
| info: | ||
| title: Perform Rule Upgrade API endpoint | ||
| version: '2023-10-31' |
There was a problem hiding this comment.
| version: '2023-10-31' | |
| version: '1' |
| paths: | ||
| /api/detection_engine/rules/prebuilt/_perform_upgrade: | ||
| post: | ||
| x-labels: [ess] |
There was a problem hiding this comment.
| x-labels: [ess] | |
| x-labels: [ess, serverless] |
| errors: | ||
| type: array | ||
| items: | ||
| $ref: '../../model/error_schema.schema.yaml#/components/schemas/ErrorSchema' |
There was a problem hiding this comment.
Shouldn't it be aggregated error?
ErrorSchema is pretty different:
| description: | | ||
| Fields that can be customized during the upgrade workflow | ||
| as decided in: https://github.com/elastic/kibana/issues/186544 | ||
| Fields listed here, which are not specified in the request body, | ||
| will default to a `pick_version` of `MERGED`. |
There was a problem hiding this comment.
Descriptions become a part of our public documentation. We should avoid putting technical details or links to GitHub issues in the description.
Also, is this part still accurate?
Fields listed here, which are not specified in the request body,
will default to a `pick_version` of `MERGED`.
Shouldn't omitted fields default to the high-level pick_version?
There was a problem hiding this comment.
Shouldn't omitted fields default to the high-level pick_version?
Yes and no. Omitted fields will default to the higher-level pick_version, but only if one is defined (notice that pick_version is not required at any higher level, only on each field within fields). So I think the behaviour should be:
- Use the
pick_versiondefined within each rule field. - If the field is not defined, update that field to:
2.1.MERGEDif no higher-levelpick_versionis defined.
2.2. Otherwise: thepick_versionpassed on theRuleUpgradeSpecifier, if defined.
2.3. Otherwise: thepick_versionpassed on theUpgradeSpecificRulesRequest, if defined.
2.4. Otherwise (nopick_versionpassed on individual fields or at any level): useMERGEDas default.
Same for UpgradeAllRulesRequest: here use MERGED as default, unless pick_version is explicitly passed.
What do you think? The alternative to this would be to make the top-level pick_version required so that we can default to that instead of MERGED.
| rule_id: | ||
| $ref: '../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/RuleSignatureId' | ||
| revision: | ||
| type: number | ||
| version: | ||
| $ref: '../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/RuleVersion' | ||
| pick_version: | ||
| $ref: '#/components/schemas/PickVersionValues' |
There was a problem hiding this comment.
It would be super helpful to provide some description for other fields as well
There was a problem hiding this comment.
Yes, added to the fields here. What do you think about the description for revision?
Rule's current revision number. Should match the rule's revision number returned from the Review Rule Upgrade API endpoint.
I think that is understandable by the user (mentioning the upgrade endpoint), but is not technically correct. If a request slips in between calling /upgrade and /perform, the second request will fail because the revision number won't match. But that's hard to explain here.
There was a problem hiding this comment.
@jpdjere I would like to avoid migrating prebuilt rules API endpoints to OpenAPI at this stage. This can require significant effort, since a lot of types like ThreeWayDiff, RuleFieldsDiff, DiffableRule, diff algorithms are all generics. Some of them are a part of the API contract.
My proposal is to extend the perform's API request schema using the current tech used for Prebuilt Rules API. This will allow us to iterate on the perform endpoint implementation much sooner.
When we have implemented the API behavior required for Milestone 3 + a comprehensive integration test coverage for it, we will plan a migration to OpenAPI. Tests would be a safety net for this significant refactoring.
💔 Build FailedFailed CI Steps
Test Failures
Metrics [docs]
History
To update your PR or re-run it, just comment with: cc @jpdjere |
|
Closing in favour of: #189790 |
…tract migrating to Zod (#189790) Partially addresses (contract change only): #166376 Created in favour of: #189187 (closed) ## Summary - Extends contract as described in the [POC](#144060), migrating from `io-ts` to Zod (search for `Perform rule upgrade`) - Uses new types in endpoint, but functionality remains unchaged. ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
Partially addresses (contract change only): #166376
Summary
/upgrade/_performendpoint.Perform rule upgrade)/upgrade/_performendpoint upgrade workflow #186544For maintainers