[Security Solution] Integration tests for simple diff algorithm (#184889

) ## Summary Completes related tickets: #180160 and #180158 Switches fields to use the diff algorithms assigned to them in the related tickets Adds integration tests in accordance to #184484 for the `upgrade/_review` API endpoint for the simple diff algorithm. Also changes logic in the `upgrade/_review` API endpoint to return user customized fields in the diffs even if there was not an update for that field. This new logic is described in #180154. We filter out the fields that fall under this new logic so that they are only returned from the API but not displayed in the per-field rule diff flyout as the current UI cannot support them. They are utilized in testing logic and will be implemented in the UI at a later date ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
elastic · Jun 13, 2024 · 0082f45 · 0082f45
1 parent c8add4c
commit 0082f45
Show file tree

Hide file tree

Showing 12 changed files with 785 additions and 24 deletions.
diff --git a/...esting/test_plans/detection_response/prebuilt_rules/installation_and_upgrade.md b/...esting/test_plans/detection_response/prebuilt_rules/installation_and_upgrade.md
@@ -893,8 +893,8 @@ And <field_name> field is customized by the user (current version != base versio
 And <field_name> field is updated by Elastic in this upgrade (target version != base version)
 And customized <field_name> field is the same as the Elastic update in this upgrade (current version == target version)
 Then for <field_name> field the diff algorithm should output the current version as the merged one without a conflict
-And <field_name> field should not be returned from the `upgrade/_review` API endpoint
-And <field_name> field should not be shown in the upgrade preview UI
+And <field_name> field should be returned from the `upgrade/_review` API endpoint
+And <field_name> field should be shown in the upgrade preview UI
 
 Examples:
 | field_name | base_version | current_version | target_version |

diff --git a/...y_solution/public/detection_engine/rule_creation_ui/components/step_about_rule/schema.tsx b/...y_solution/public/detection_engine/rule_creation_ui/components/step_about_rule/schema.tsx
@@ -217,7 +217,7 @@ export const schema: FormSchema<AboutStepRule> = {
     label: i18n.translate(
       'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.fieldMitreThreatLabel',
       {
-        defaultMessage: 'MITRE ATT&CK\\u2122',
+        defaultMessage: 'MITRE ATT&CK\u2122',
       }
     ),
     labelAppend: OptionalFieldLabel,

diff --git a/...urity_solution/public/detection_engine/rule_management/components/rule_details/helpers.ts b/...urity_solution/public/detection_engine/rule_management/components/rule_details/helpers.ts
@@ -5,6 +5,8 @@
  * 2.0.
  */
 
+import type { RuleFieldsDiff, ThreeWayDiff } from '../../../../../common/api/detection_engine';
+import { ThreeWayDiffOutcome } from '../../../../../common/api/detection_engine';
 import type { FieldsGroupDiff } from '../../model/rule_details/rule_field_diff';
 import {
   ABOUT_UPGRADE_FIELD_ORDER,
@@ -36,3 +38,21 @@ export const getSectionedFieldDiffs = (fields: FieldsGroupDiff[]) => {
     setupFields,
   };
 };
+
+/**
+ * Filters out any fields that have a `diff_outcome` of `CustomizedValueNoUpdate`
+ * or `CustomizedValueSameUpdate` as they are not supported for display in the
+ * current per-field rule diff flyout
+ */
+export const filterUnsupportedDiffOutcomes = (
+  fields: Partial<RuleFieldsDiff>
+): Partial<RuleFieldsDiff> =>
+  Object.fromEntries(
+    Object.entries(fields).filter(([key, value]) => {
+      const diff = value as ThreeWayDiff<unknown>;
+      return (
+        diff.diff_outcome !== ThreeWayDiffOutcome.CustomizedValueNoUpdate &&
+        diff.diff_outcome !== ThreeWayDiffOutcome.CustomizedValueSameUpdate
+      );
+    })
+  );
diff --git a/...blic/detection_engine/rule_management/components/rule_details/per_field_rule_diff_tab.tsx b/...blic/detection_engine/rule_management/components/rule_details/per_field_rule_diff_tab.tsx
@@ -10,7 +10,7 @@ import type { PartialRuleDiff, RuleFieldsDiff } from '../../../../../common/api/
 import { getFormattedFieldDiffGroups } from './per_field_diff/get_formatted_field_diff';
 import { UPGRADE_FIELD_ORDER } from './constants';
 import { RuleDiffHeaderBar, RuleDiffSection } from './diff_components';
-import { getSectionedFieldDiffs } from './helpers';
+import { filterUnsupportedDiffOutcomes, getSectionedFieldDiffs } from './helpers';
 import type { FieldsGroupDiff } from '../../model/rule_details/rule_field_diff';
 import * as i18n from './translations';
 
@@ -21,9 +21,11 @@ interface PerFieldRuleDiffTabProps {
 export const PerFieldRuleDiffTab = ({ ruleDiff }: PerFieldRuleDiffTabProps) => {
   const fieldsToRender = useMemo(() => {
     const fields: FieldsGroupDiff[] = [];
-    for (const field of Object.keys(ruleDiff.fields)) {
+    // Filter out diff outcomes that we don't support displaying in the per-field diff flyout
+    const filteredFieldDiffs = filterUnsupportedDiffOutcomes(ruleDiff.fields);
+    for (const field of Object.keys(filteredFieldDiffs)) {
       const typedField = field as keyof RuleFieldsDiff;
-      const formattedDiffs = getFormattedFieldDiffGroups(typedField, ruleDiff.fields);
+      const formattedDiffs = getFormattedFieldDiffGroups(typedField, filteredFieldDiffs);
       fields.push({ formattedDiffs, fieldsGroupName: typedField });
     }
     const sortedFields = fields.sort(

diff --git a/..._solution/public/detection_engine/rule_management/components/rule_details/translations.ts b/..._solution/public/detection_engine/rule_management/components/rule_details/translations.ts
@@ -171,7 +171,7 @@ export const RULE_NAME_OVERRIDE_FIELD_LABEL = i18n.translate(
 export const THREAT_FIELD_LABEL = i18n.translate(
   'xpack.securitySolution.detectionEngine.ruleDetails.threatFieldLabel',
   {
-    defaultMessage: 'MITRE ATT&CK\\u2122',
+    defaultMessage: 'MITRE ATT&CK\u2122',
   }
 );
 

diff --git a/.../lib/detection_engine/prebuilt_rules/api/review_rule_upgrade/review_rule_upgrade_route.ts b/.../lib/detection_engine/prebuilt_rules/api/review_rule_upgrade/review_rule_upgrade_route.ts
@@ -7,7 +7,10 @@
 
 import { transformError } from '@kbn/securitysolution-es-utils';
 import { pickBy } from 'lodash';
-import { REVIEW_RULE_UPGRADE_URL } from '../../../../../../common/api/detection_engine/prebuilt_rules';
+import {
+  REVIEW_RULE_UPGRADE_URL,
+  ThreeWayDiffOutcome,
+} from '../../../../../../common/api/detection_engine/prebuilt_rules';
 import type {
   ReviewRuleUpgradeResponseBody,
   RuleUpgradeInfoForReview,
@@ -120,7 +123,7 @@ const calculateRuleInfos = (results: CalculateRuleDiffResult[]): RuleUpgradeInfo
       diff: {
         fields: pickBy<ThreeWayDiff<unknown>>(
           ruleDiff.fields,
-          (fieldDiff) => fieldDiff.has_update || fieldDiff.has_conflict
+          (fieldDiff) => fieldDiff.diff_outcome !== ThreeWayDiffOutcome.StockValueNoUpdate
         ),
         has_conflict: ruleDiff.has_conflict,
       },

diff --git a/...ion/server/lib/detection_engine/prebuilt_rules/logic/diff/calculation/algorithms/index.ts b/...ion/server/lib/detection_engine/prebuilt_rules/logic/diff/calculation/algorithms/index.ts
@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { numberDiffAlgorithm } from './number_diff_algorithm';
+export { singleLineStringDiffAlgorithm } from './single_line_string_diff_algorithm';
+export { simpleDiffAlgorithm } from './simple_diff_algorithm';
diff --git a/...etection_engine/prebuilt_rules/logic/diff/calculation/algorithms/number_diff_algorithm.ts b/...etection_engine/prebuilt_rules/logic/diff/calculation/algorithms/number_diff_algorithm.ts
@@ -5,6 +5,9 @@
  * 2.0.
  */
 
+import type { ThreeVersionsOf } from '../../../../../../../../common/api/detection_engine';
 import { simpleDiffAlgorithm } from './simple_diff_algorithm';
 
-export const numberDiffAlgorithm = simpleDiffAlgorithm<number>;
+export const numberDiffAlgorithm = <TValue extends number | undefined>(
+  versions: ThreeVersionsOf<TValue>
+) => simpleDiffAlgorithm<TValue>(versions);
diff --git a/...ine/prebuilt_rules/logic/diff/calculation/algorithms/single_line_string_diff_algorithm.ts b/...ine/prebuilt_rules/logic/diff/calculation/algorithms/single_line_string_diff_algorithm.ts
@@ -5,6 +5,9 @@
  * 2.0.
  */
 
+import type { ThreeVersionsOf } from '../../../../../../../../common/api/detection_engine';
 import { simpleDiffAlgorithm } from './simple_diff_algorithm';
 
-export const singleLineStringDiffAlgorithm = simpleDiffAlgorithm<string>;
+export const singleLineStringDiffAlgorithm = <TValue extends string | undefined>(
+  versions: ThreeVersionsOf<TValue>
+) => simpleDiffAlgorithm<TValue>(versions);
diff --git a/.../lib/detection_engine/prebuilt_rules/logic/diff/calculation/calculate_rule_fields_diff.ts b/.../lib/detection_engine/prebuilt_rules/logic/diff/calculation/calculate_rule_fields_diff.ts
@@ -37,7 +37,11 @@ import type { FieldsDiffAlgorithmsFor } from '../../../../../../../common/api/de
 import type { ThreeVersionsOf } from '../../../../../../../common/api/detection_engine/prebuilt_rules/model/diff/three_way_diff/three_way_diff';
 import { MissingVersion } from '../../../../../../../common/api/detection_engine/prebuilt_rules/model/diff/three_way_diff/three_way_diff';
 import { calculateFieldsDiffFor } from './diff_calculation_helpers';
-import { simpleDiffAlgorithm } from './algorithms/simple_diff_algorithm';
+import {
+  numberDiffAlgorithm,
+  simpleDiffAlgorithm,
+  singleLineStringDiffAlgorithm,
+} from './algorithms';
 
 const BASE_TYPE_ERROR = `Base version can't be of different rule type`;
 const TARGET_TYPE_ERROR = `Target version can't be of different rule type`;
@@ -168,14 +172,14 @@ const calculateCommonFieldsDiff = (
 
 const commonFieldsDiffAlgorithms: FieldsDiffAlgorithmsFor<DiffableCommonFields> = {
   rule_id: simpleDiffAlgorithm,
-  version: simpleDiffAlgorithm,
+  version: numberDiffAlgorithm,
   meta: simpleDiffAlgorithm,
-  name: simpleDiffAlgorithm,
+  name: singleLineStringDiffAlgorithm,
   tags: simpleDiffAlgorithm,
   description: simpleDiffAlgorithm,
-  severity: simpleDiffAlgorithm,
+  severity: singleLineStringDiffAlgorithm,
   severity_mapping: simpleDiffAlgorithm,
-  risk_score: simpleDiffAlgorithm,
+  risk_score: numberDiffAlgorithm,
   risk_score_mapping: simpleDiffAlgorithm,
   references: simpleDiffAlgorithm,
   false_positives: simpleDiffAlgorithm,
@@ -185,12 +189,12 @@ const commonFieldsDiffAlgorithms: FieldsDiffAlgorithmsFor<DiffableCommonFields>
   related_integrations: simpleDiffAlgorithm,
   required_fields: simpleDiffAlgorithm,
   author: simpleDiffAlgorithm,
-  license: simpleDiffAlgorithm,
+  license: singleLineStringDiffAlgorithm,
   rule_schedule: simpleDiffAlgorithm,
   actions: simpleDiffAlgorithm,
   throttle: simpleDiffAlgorithm,
   exceptions_list: simpleDiffAlgorithm,
-  max_signals: simpleDiffAlgorithm,
+  max_signals: numberDiffAlgorithm,
   rule_name_override: simpleDiffAlgorithm,
   timestamp_override: simpleDiffAlgorithm,
   timeline_template: simpleDiffAlgorithm,
@@ -233,9 +237,9 @@ const eqlFieldsDiffAlgorithms: FieldsDiffAlgorithmsFor<DiffableEqlFields> = {
   type: simpleDiffAlgorithm,
   eql_query: simpleDiffAlgorithm,
   data_source: simpleDiffAlgorithm,
-  event_category_override: simpleDiffAlgorithm,
-  timestamp_field: simpleDiffAlgorithm,
-  tiebreaker_field: simpleDiffAlgorithm,
+  event_category_override: singleLineStringDiffAlgorithm,
+  timestamp_field: singleLineStringDiffAlgorithm,
+  tiebreaker_field: singleLineStringDiffAlgorithm,
 };
 
 const calculateEsqlFieldsDiff = (
@@ -262,7 +266,7 @@ const threatMatchFieldsDiffAlgorithms: FieldsDiffAlgorithmsFor<DiffableThreatMat
   threat_query: simpleDiffAlgorithm,
   threat_index: simpleDiffAlgorithm,
   threat_mapping: simpleDiffAlgorithm,
-  threat_indicator_path: simpleDiffAlgorithm,
+  threat_indicator_path: singleLineStringDiffAlgorithm,
   concurrent_searches: simpleDiffAlgorithm,
   items_per_search: simpleDiffAlgorithm,
 };
@@ -290,7 +294,7 @@ const machineLearningFieldsDiffAlgorithms: FieldsDiffAlgorithmsFor<DiffableMachi
   {
     type: simpleDiffAlgorithm,
     machine_learning_job_id: simpleDiffAlgorithm,
-    anomaly_threshold: simpleDiffAlgorithm,
+    anomaly_threshold: numberDiffAlgorithm,
   };
 
 const calculateNewTermsFieldsDiff = (
@@ -304,7 +308,7 @@ const newTermsFieldsDiffAlgorithms: FieldsDiffAlgorithmsFor<DiffableNewTermsFiel
   kql_query: simpleDiffAlgorithm,
   data_source: simpleDiffAlgorithm,
   new_terms_fields: simpleDiffAlgorithm,
-  history_window_start: simpleDiffAlgorithm,
+  history_window_start: singleLineStringDiffAlgorithm,
 };
 
 const calculateAllFieldsDiff = (

diff --git a/..._response/rules_management/prebuilt_rules/management/trial_license_complete_tier/index.ts b/..._response/rules_management/prebuilt_rules/management/trial_license_complete_tier/index.ts
@@ -16,5 +16,6 @@ export default ({ loadTestFile }: FtrProviderContext): void => {
     loadTestFile(require.resolve('./upgrade_prebuilt_rules'));
     loadTestFile(require.resolve('./upgrade_prebuilt_rules_with_historical_versions'));
     loadTestFile(require.resolve('./fleet_integration'));
+    loadTestFile(require.resolve('./upgrade_review_prebuilt_rules'));
   });
 };