adding prebuilt role tests for rule execution

elastic · Nov 24, 2024 · a52a396 · a52a396
1 parent 5342f32
commit a52a396
Show file tree

Hide file tree

Showing 16 changed files with 1,044 additions and 0 deletions.
diff --git a/.buildkite/ftr_security_serverless_configs.yml b/.buildkite/ftr_security_serverless_configs.yml
@@ -53,6 +53,7 @@ enabled:
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/basic_license_essentials_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/configs/serverless.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/authorization/rule_execution/essentials_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/trial_license_complete_tier/configs/serverless.config.ts

diff --git a/x-pack/test/security_solution_api_integration/package.json b/x-pack/test/security_solution_api_integration/package.json
@@ -27,6 +27,9 @@
     "initialize-server:de:basic_essentials": "node ./scripts/index.js server detections_response/detection_engine basic_license_essentials_tier",
     "run-tests:de:basic_essentials": "node ./scripts/index.js runner detections_response/detection_engine basic_license_essentials_tier",
 
+    "initialize-server:de:essentials_only": "node ./scripts/index.js server detections_response/detection_engine essentials_tier",
+    "run-tests:de:essentials_only": "node ./scripts/index.js runner detections_response/detection_engine essentials_tier",
+
     "initialize-server:rm": "node ./scripts/index.js server detections_response/rules_management trial_license_complete_tier ",
     "run-tests:rm": "node ./scripts/index.js runner detections_response/rules_management trial_license_complete_tier",
 
@@ -266,6 +269,11 @@
     "alerts:basic:server:ess": "npm run initialize-server:de:basic_essentials alerts ess",
     "alerts:basic:runner:ess": "npm run run-tests:de:basic_essentials alerts ess essEnv",
 
+    "rule_execution_logic:auth:server:serverless": "npm run initialize-server:de:essentials_only rule_execution_logic/authorization/rule_execution serverless",
+    "rule_execution_logic:auth:runner:serverless": "npm run run-tests:de:essentials_only rule_execution_logic/authorization/rule_execution serverless serverlessEnv",
+    "rule_execution_logic:auth:qa:serverless": "npm run run-tests:de:essentials_only rule_execution_logic/authorization/rule_execution serverless qaPeriodicEnv",
+    "rule_execution_logic:auth:qa:serverless:release": "npm run run-tests:de:essentials_only rule_execution_logic/authorization/rule_execution serverless qaEnv",
+
     "rule_execution_logic:eql:server:serverless": "npm run initialize-server:de rule_execution_logic/eql serverless",
     "rule_execution_logic:eql:runner:serverless": "npm run run-tests:de rule_execution_logic/eql serverless serverlessEnv",
     "rule_execution_logic:eql:qa:serverless": "npm run run-tests:de rule_execution_logic/eql serverless qaPeriodicEnv",

diff --git a/...tection_engine/rule_execution_logic/authorization/rule_execution/essentials_tier/admin.ts b/...tection_engine/rule_execution_logic/authorization/rule_execution/essentials_tier/admin.ts
@@ -0,0 +1,82 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import TestAgent from 'supertest/lib/agent';
+import {
+  QueryRuleCreateProps,
+  RulePreviewRequestBody,
+} from '@kbn/security-solution-plugin/common/api/detection_engine';
+import { DETECTION_ENGINE_RULES_PREVIEW } from '@kbn/security-solution-plugin/common/constants';
+import { FtrProviderContext } from '../../../../../../../ftr_provider_context';
+import { EsArchivePathBuilder } from '../../../../../../../es_archive_path_builder';
+import {
+  deleteAllRules,
+  deleteAllAlerts,
+  getRuleForAlertTesting,
+} from '../../../../../../../../common/utils/security_solution';
+
+/**
+ * Specific _id to use for some of the tests. If the archiver changes and you see errors
+ * here, update this to a new value of a chosen auditbeat record and update the tests values.
+ */
+const ID = 'BhbXBmkBR346wHgn4PeZ';
+
+export default ({ getService }: FtrProviderContext): void => {
+  const log = getService('log');
+  const utils = getService('securitySolutionUtils');
+  const config = getService('config');
+  const isServerless = config.get('serverless');
+  const dataPathBuilder = new EsArchivePathBuilder(isServerless);
+  const auditbeatPath = dataPathBuilder.getPath('auditbeat/hosts');
+  const esArchiver = getService('esArchiver');
+  const es = getService('es');
+  const esDeleteAllIndices = getService('esDeleteAllIndices');
+
+  let admin: TestAgent;
+
+  describe('@serverless @serverlessQA admin rule execution API behaviors', () => {
+    before(async () => {
+      await esArchiver.load(auditbeatPath);
+      admin = await utils.createSuperTest('admin');
+      admin = await utils.createSuperTest('admin');
+    });
+
+    afterEach(async () => {
+      await esDeleteAllIndices('.preview.alerts*');
+    });
+
+    after(async () => {
+      await esArchiver.unload(auditbeatPath);
+      await deleteAllAlerts(admin, log, es, [
+        '.preview.alerts-security.alerts-*',
+        '.alerts-security.alerts-*',
+      ]);
+      await deleteAllRules(admin, log);
+    });
+
+    describe('rule execution', () => {
+      it('should return 200 for admin', async () => {
+        const rule: QueryRuleCreateProps = {
+          ...getRuleForAlertTesting(['auditbeat-*']),
+          query: `_id:${ID}`,
+        };
+        const previewRequest: RulePreviewRequestBody = {
+          ...rule,
+          invocationCount: 1,
+          timeframeEnd: new Date().toISOString(),
+        };
+        await admin
+          .post(DETECTION_ENGINE_RULES_PREVIEW)
+          .query({ enable_logged_requests: true })
+          .set('kbn-xsrf', 'true')
+          .set('elastic-api-version', '2023-10-31')
+          .send(previewRequest)
+          .expect(200);
+      });
+    });
+  });
+};
diff --git a/...execution_logic/authorization/rule_execution/essentials_tier/configs/serverless.config.ts b/...execution_logic/authorization/rule_execution/essentials_tier/configs/serverless.config.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createTestConfig } from '../../../../../../../../config/serverless/config.base.essentials';
+
+export default createTestConfig({
+  testFiles: [require.resolve('..')],
+  junit: {
+    reportName:
+      'Detection Engine - Rule execution Authentication Tests - Serverless Env - Essentials Tier',
+  },
+});
diff --git a/...ection_engine/rule_execution_logic/authorization/rule_execution/essentials_tier/editor.ts b/...ection_engine/rule_execution_logic/authorization/rule_execution/essentials_tier/editor.ts
@@ -0,0 +1,83 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import TestAgent from 'supertest/lib/agent';
+import {
+  QueryRuleCreateProps,
+  RulePreviewRequestBody,
+} from '@kbn/security-solution-plugin/common/api/detection_engine';
+import { DETECTION_ENGINE_RULES_PREVIEW } from '@kbn/security-solution-plugin/common/constants';
+import { FtrProviderContext } from '../../../../../../../ftr_provider_context';
+import { EsArchivePathBuilder } from '../../../../../../../es_archive_path_builder';
+import {
+  deleteAllRules,
+  deleteAllAlerts,
+  getRuleForAlertTesting,
+} from '../../../../../../../../common/utils/security_solution';
+
+/**
+ * Specific _id to use for some of the tests. If the archiver changes and you see errors
+ * here, update this to a new value of a chosen auditbeat record and update the tests values.
+ */
+const ID = 'BhbXBmkBR346wHgn4PeZ';
+
+export default ({ getService }: FtrProviderContext): void => {
+  const log = getService('log');
+  const utils = getService('securitySolutionUtils');
+  const config = getService('config');
+  const isServerless = config.get('serverless');
+  const dataPathBuilder = new EsArchivePathBuilder(isServerless);
+  const auditbeatPath = dataPathBuilder.getPath('auditbeat/hosts');
+  const esArchiver = getService('esArchiver');
+  const es = getService('es');
+  const esDeleteAllIndices = getService('esDeleteAllIndices');
+
+  let admin: TestAgent;
+  let editor: TestAgent;
+
+  describe('@serverless @serverlessQA editor rule execution API behaviors', () => {
+    before(async () => {
+      await esArchiver.load(auditbeatPath);
+      admin = await utils.createSuperTest('admin');
+      editor = await utils.createSuperTest('editor');
+    });
+
+    afterEach(async () => {
+      await esDeleteAllIndices('.preview.alerts*');
+    });
+
+    after(async () => {
+      await esArchiver.unload(auditbeatPath);
+      await deleteAllAlerts(admin, log, es, [
+        '.preview.alerts-security.alerts-*',
+        '.alerts-security.alerts-*',
+      ]);
+      await deleteAllRules(admin, log);
+    });
+
+    describe('rule execution', () => {
+      it('should return 200 for editor', async () => {
+        const rule: QueryRuleCreateProps = {
+          ...getRuleForAlertTesting(['auditbeat-*']),
+          query: `_id:${ID}`,
+        };
+        const previewRequest: RulePreviewRequestBody = {
+          ...rule,
+          invocationCount: 1,
+          timeframeEnd: new Date().toISOString(),
+        };
+        await editor
+          .post(DETECTION_ENGINE_RULES_PREVIEW)
+          .query({ enable_logged_requests: true })
+          .set('kbn-xsrf', 'true')
+          .set('elastic-api-version', '2023-10-31')
+          .send(previewRequest)
+          .expect(200);
+      });
+    });
+  });
+};
diff --git a/...ecution_logic/authorization/rule_execution/essentials_tier/endpoint_operations_analyst.ts b/...ecution_logic/authorization/rule_execution/essentials_tier/endpoint_operations_analyst.ts
@@ -0,0 +1,83 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import TestAgent from 'supertest/lib/agent';
+import {
+  QueryRuleCreateProps,
+  RulePreviewRequestBody,
+} from '@kbn/security-solution-plugin/common/api/detection_engine';
+import { DETECTION_ENGINE_RULES_PREVIEW } from '@kbn/security-solution-plugin/common/constants';
+import { FtrProviderContext } from '../../../../../../../ftr_provider_context';
+import { EsArchivePathBuilder } from '../../../../../../../es_archive_path_builder';
+import {
+  deleteAllRules,
+  deleteAllAlerts,
+  getRuleForAlertTesting,
+} from '../../../../../../../../common/utils/security_solution';
+
+/**
+ * Specific _id to use for some of the tests. If the archiver changes and you see errors
+ * here, update this to a new value of a chosen auditbeat record and update the tests values.
+ */
+const ID = 'BhbXBmkBR346wHgn4PeZ';
+
+export default ({ getService }: FtrProviderContext): void => {
+  const log = getService('log');
+  const utils = getService('securitySolutionUtils');
+  const config = getService('config');
+  const isServerless = config.get('serverless');
+  const dataPathBuilder = new EsArchivePathBuilder(isServerless);
+  const auditbeatPath = dataPathBuilder.getPath('auditbeat/hosts');
+  const esArchiver = getService('esArchiver');
+  const es = getService('es');
+  const esDeleteAllIndices = getService('esDeleteAllIndices');
+
+  let admin: TestAgent;
+  let endpointOperationsAnalyst: TestAgent;
+
+  describe('@serverless @serverlessQA endpoint_operations_analyst rule execution API behaviors', () => {
+    before(async () => {
+      await esArchiver.load(auditbeatPath);
+      admin = await utils.createSuperTest('admin');
+      endpointOperationsAnalyst = await utils.createSuperTest('endpoint_operations_analyst');
+    });
+
+    afterEach(async () => {
+      await esDeleteAllIndices('.preview.alerts*');
+    });
+
+    after(async () => {
+      await esArchiver.unload(auditbeatPath);
+      await deleteAllAlerts(admin, log, es, [
+        '.preview.alerts-security.alerts-*',
+        '.alerts-security.alerts-*',
+      ]);
+      await deleteAllRules(admin, log);
+    });
+
+    describe('rule execution', () => {
+      it('should return 200 for endpoint_operations_analyst', async () => {
+        const rule: QueryRuleCreateProps = {
+          ...getRuleForAlertTesting(['auditbeat-*']),
+          query: `_id:${ID}`,
+        };
+        const previewRequest: RulePreviewRequestBody = {
+          ...rule,
+          invocationCount: 1,
+          timeframeEnd: new Date().toISOString(),
+        };
+        await endpointOperationsAnalyst
+          .post(DETECTION_ENGINE_RULES_PREVIEW)
+          .query({ enable_logged_requests: true })
+          .set('kbn-xsrf', 'true')
+          .set('elastic-api-version', '2023-10-31')
+          .send(previewRequest)
+          .expect(200);
+      });
+    });
+  });
+};
diff --git a/...e_execution_logic/authorization/rule_execution/essentials_tier/endpoint_policy_manager.ts b/...e_execution_logic/authorization/rule_execution/essentials_tier/endpoint_policy_manager.ts
@@ -0,0 +1,83 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import TestAgent from 'supertest/lib/agent';
+import {
+  QueryRuleCreateProps,
+  RulePreviewRequestBody,
+} from '@kbn/security-solution-plugin/common/api/detection_engine';
+import { DETECTION_ENGINE_RULES_PREVIEW } from '@kbn/security-solution-plugin/common/constants';
+import { FtrProviderContext } from '../../../../../../../ftr_provider_context';
+import { EsArchivePathBuilder } from '../../../../../../../es_archive_path_builder';
+import {
+  deleteAllRules,
+  deleteAllAlerts,
+  getRuleForAlertTesting,
+} from '../../../../../../../../common/utils/security_solution';
+
+/**
+ * Specific _id to use for some of the tests. If the archiver changes and you see errors
+ * here, update this to a new value of a chosen auditbeat record and update the tests values.
+ */
+const ID = 'BhbXBmkBR346wHgn4PeZ';
+
+export default ({ getService }: FtrProviderContext): void => {
+  const log = getService('log');
+  const utils = getService('securitySolutionUtils');
+  const config = getService('config');
+  const isServerless = config.get('serverless');
+  const dataPathBuilder = new EsArchivePathBuilder(isServerless);
+  const auditbeatPath = dataPathBuilder.getPath('auditbeat/hosts');
+  const esArchiver = getService('esArchiver');
+  const es = getService('es');
+  const esDeleteAllIndices = getService('esDeleteAllIndices');
+
+  let admin: TestAgent;
+  let endpointPolicyManager: TestAgent;
+
+  describe('@serverless @serverlessQA endpoint_policy_manager rule execution API behaviors', () => {
+    before(async () => {
+      await esArchiver.load(auditbeatPath);
+      admin = await utils.createSuperTest('admin');
+      endpointPolicyManager = await utils.createSuperTest('endpoint_policy_manager');
+    });
+
+    afterEach(async () => {
+      await esDeleteAllIndices('.preview.alerts*');
+    });
+
+    after(async () => {
+      await esArchiver.unload(auditbeatPath);
+      await deleteAllAlerts(admin, log, es, [
+        '.preview.alerts-security.alerts-*',
+        '.alerts-security.alerts-*',
+      ]);
+      await deleteAllRules(admin, log);
+    });
+
+    describe('rule execution', () => {
+      it('should return 200 for endpoint_policy_manager', async () => {
+        const rule: QueryRuleCreateProps = {
+          ...getRuleForAlertTesting(['auditbeat-*']),
+          query: `_id:${ID}`,
+        };
+        const previewRequest: RulePreviewRequestBody = {
+          ...rule,
+          invocationCount: 1,
+          timeframeEnd: new Date().toISOString(),
+        };
+        await endpointPolicyManager
+          .post(DETECTION_ENGINE_RULES_PREVIEW)
+          .query({ enable_logged_requests: true })
+          .set('kbn-xsrf', 'true')
+          .set('elastic-api-version', '2023-10-31')
+          .send(previewRequest)
+          .expect(200);
+      });
+    });
+  });
+};