[Security Solution] Migrates siem-detection-engine-rule-actions ruleAlertId and actions to saved object references array

x-pack/plugins/security_solution/server/lib/detection_engine/notifications/legacy_saved_object_references/legacy_extract_rule_id.test.ts

@@ -37,7 +37,7 @@ describe('legacy_extract_rule_id', () => {
     ).toEqual<FuncReturn>([]);
 
     expect(logger.error).toBeCalledWith(
-      'Security Solution notification (Legacy) system "ruleAlertId" is null or undefined when it never should be. ,This indicates potentially that saved object migrations did not run correctly. Returning empty reference'
+      'Security Solution notification (Legacy) system "ruleAlertId" is null or undefined when it never should be. This indicates potentially that saved object migrations did not run correctly. Returning empty reference.'
     );
   });
 

x-pack/plugins/security_solution/server/lib/detection_engine/notifications/legacy_saved_object_references/legacy_extract_rule_id.ts

@@ -6,6 +6,9 @@
  */
 
 import { Logger, SavedObjectReference } from 'src/core/server';
+
+// eslint-disable-next-line no-restricted-imports
+import { legacyGetRuleReference } from '../../rule_actions/legacy_utils';
 // eslint-disable-next-line no-restricted-imports
 import { LegacyRulesNotificationParams } from '../legacy_types';
 
@@ -30,17 +33,11 @@ export const legacyExtractRuleId = ({
     logger.error(
       [
         'Security Solution notification (Legacy) system "ruleAlertId" is null or undefined when it never should be. ',
-        'This indicates potentially that saved object migrations did not run correctly. Returning empty reference',
-      ].join()
+        'This indicates potentially that saved object migrations did not run correctly. Returning empty reference.',
+      ].join('')
     );
     return [];
   } else {
-    return [
-      {
-        id: ruleAlertId,
-        name: 'alert_0',
-        type: 'alert',
-      },
-    ];
+    return [legacyGetRuleReference(ruleAlertId)];
   }
 };

x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/find_rules_route.test.ts

@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { loggingSystemMock } from 'src/core/server/mocks';
 import { DETECTION_ENGINE_RULES_URL } from '../../../../../common/constants';
 import { getQueryRuleParams } from '../../schemas/rule_schemas.mock';
 import { requestContextMock, requestMock, serverMock } from '../__mocks__';
@@ -23,9 +24,11 @@ describe.each([
 ])('find_rules - %s', (_, isRuleRegistryEnabled) => {
   let server: ReturnType<typeof serverMock.create>;
   let { clients, context } = requestContextMock.createTools();
+  let logger: ReturnType<typeof loggingSystemMock.createLogger>;
 
   beforeEach(async () => {
     server = serverMock.create();
+    logger = loggingSystemMock.createLogger();
     ({ clients, context } = requestContextMock.createTools());
 
     clients.rulesClient.find.mockResolvedValue(getFindResultWithSingleHit(isRuleRegistryEnabled));
@@ -35,7 +38,7 @@ describe.each([
     clients.savedObjectsClient.find.mockResolvedValue(getEmptySavedObjectsResponse());
     clients.ruleExecutionLogClient.findBulk.mockResolvedValue(getFindBulkResultStatus());
 
-    findRulesRoute(server.router, isRuleRegistryEnabled);
+    findRulesRoute(server.router, logger, isRuleRegistryEnabled);
   });
 
   describe('status codes with actionClient and alertClient', () => {

x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/find_rules_route.ts

@@ -6,6 +6,7 @@
  */
 
 import { transformError } from '@kbn/securitysolution-es-utils';
+import { Logger } from 'src/core/server';
 import { findRuleValidateTypeDependents } from '../../../../../common/detection_engine/schemas/request/find_rules_type_dependents';
 import {
   findRulesSchema,
@@ -17,11 +18,13 @@ import { findRules } from '../../rules/find_rules';
 import { buildSiemResponse } from '../utils';
 import { buildRouteValidation } from '../../../../utils/build_validation/route_validation';
 import { transformFindAlerts } from './utils';
+
 // eslint-disable-next-line no-restricted-imports
 import { legacyGetBulkRuleActionsSavedObject } from '../../rule_actions/legacy_get_bulk_rule_actions_saved_object';
 
 export const findRulesRoute = (
   router: SecuritySolutionPluginRouter,
+  logger: Logger,
   isRuleRegistryEnabled: boolean
 ) => {
   router.get(
@@ -71,7 +74,7 @@ export const findRulesRoute = (
             logsCount: 1,
             spaceId: context.securitySolution.getSpaceId(),
           }),
-          legacyGetBulkRuleActionsSavedObject({ alertIds, savedObjectsClient }),
+          legacyGetBulkRuleActionsSavedObject({ alertIds, savedObjectsClient, logger }),
         ]);
         const transformed = transformFindAlerts(rules, ruleStatuses, ruleActions);
         if (transformed == null) {

x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/legacy_create_legacy_notification.ts

@@ -6,6 +6,8 @@
  */
 
 import { schema } from '@kbn/config-schema';
+import { Logger } from 'src/core/server';
+
 import type { SecuritySolutionPluginRouter } from '../../../../types';
 // eslint-disable-next-line no-restricted-imports
 import { legacyUpdateOrCreateRuleActionsSavedObject } from '../../rule_actions/legacy_update_or_create_rule_actions_saved_object';
@@ -25,7 +27,10 @@ import { legacyCreateNotifications } from '../../notifications/legacy_create_not
  * @deprecated Once we no longer have legacy notifications and "side car actions" this can be removed.
  * @param router The router
  */
-export const legacyCreateLegacyNotificationRoute = (router: SecuritySolutionPluginRouter): void => {
+export const legacyCreateLegacyNotificationRoute = (
+  router: SecuritySolutionPluginRouter,
+  logger: Logger
+): void => {
   router.post(
     {
       path: '/internal/api/detection/legacy/notifications',
@@ -95,6 +100,7 @@ export const legacyCreateLegacyNotificationRoute = (router: SecuritySolutionPlug
           savedObjectsClient,
           actions,
           throttle: interval,
+          logger,
         });
       } catch (error) {
         const message = error instanceof Error ? error.message : 'unknown';

x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/read_rules_route.test.ts

@@ -5,6 +5,8 @@
  * 2.0.
  */
 
+import { loggingSystemMock } from 'src/core/server/mocks';
+
 import { DETECTION_ENGINE_RULES_URL } from '../../../../../common/constants';
 import { readRulesRoute } from './read_rules_route';
 import {
@@ -22,16 +24,18 @@ describe.each([
 ])('read_rules - %s', (_, isRuleRegistryEnabled) => {
   let server: ReturnType<typeof serverMock.create>;
   let { clients, context } = requestContextMock.createTools();
+  let logger: ReturnType<typeof loggingSystemMock.createLogger>;
 
   beforeEach(() => {
     server = serverMock.create();
+    logger = loggingSystemMock.createLogger();
     ({ clients, context } = requestContextMock.createTools());
 
     clients.rulesClient.find.mockResolvedValue(getFindResultWithSingleHit(isRuleRegistryEnabled)); // rule exists
     clients.savedObjectsClient.find.mockResolvedValue(getEmptySavedObjectsResponse()); // successful transform
     clients.ruleExecutionLogClient.find.mockResolvedValue([]);
 
-    readRulesRoute(server.router, isRuleRegistryEnabled);
+    readRulesRoute(server.router, logger, isRuleRegistryEnabled);
   });
 
   describe('status codes with actionClient and alertClient', () => {

x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/read_rules_route.ts

@@ -6,6 +6,7 @@
  */
 
 import { transformError } from '@kbn/securitysolution-es-utils';
+import { Logger } from 'src/core/server';
 import { queryRuleValidateTypeDependents } from '../../../../../common/detection_engine/schemas/request/query_rules_type_dependents';
 import {
   queryRulesSchema,
@@ -24,6 +25,7 @@ import { legacyGetRuleActionsSavedObject } from '../../rule_actions/legacy_get_r
 
 export const readRulesRoute = (
   router: SecuritySolutionPluginRouter,
+  logger: Logger,
   isRuleRegistryEnabled: boolean
 ) => {
   router.get(
@@ -66,6 +68,7 @@ export const readRulesRoute = (
           const legacyRuleActions = await legacyGetRuleActionsSavedObject({
             savedObjectsClient,
             ruleAlertId: rule.id,
+            logger,
           });
           const ruleStatuses = await ruleStatusClient.find({
             logsCount: 1,

x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/utils.test.ts

@@ -38,7 +38,8 @@ import {
 } from '../../schemas/rule_schemas.mock';
 // eslint-disable-next-line no-restricted-imports
 import { LegacyRulesActionsSavedObject } from '../../rule_actions/legacy_get_rule_actions_saved_object';
-import { RuleAlertAction } from '../../../../../common/detection_engine/types';
+// eslint-disable-next-line no-restricted-imports
+import { LegacyRuleAlertAction } from '../../rule_actions/legacy_types';
 
 type PromiseFromStreams = ImportRulesSchemaDecoded | Error;
 
@@ -306,7 +307,7 @@ describe.each([
     });
 
     test('outputs 200 if the data is of type siem alert and has a legacy rule action', () => {
-      const actions: RuleAlertAction[] = [
+      const actions: LegacyRuleAlertAction[] = [
         {
           id: '456',
           params: {},

x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions/legacy_create_rule_actions_saved_object.test.ts

@@ -0,0 +1,160 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { savedObjectsClientMock } from 'src/core/server/mocks';
+
+// eslint-disable-next-line no-restricted-imports
+import { legacyCreateRuleActionsSavedObject } from './legacy_create_rule_actions_saved_object';
+// eslint-disable-next-line no-restricted-imports
+import { LegacyIRuleActionsAttributesSavedObjectAttributes } from './legacy_types';
+
+describe('legacy_create_rule_actions_saved_object', () => {
+  let savedObjectsClient: ReturnType<typeof savedObjectsClientMock.create>;
+
+  beforeEach(() => {
+    savedObjectsClient = savedObjectsClientMock.create();
+  });
+
+  test('it creates a rule actions saved object with empty actions array', () => {
+    legacyCreateRuleActionsSavedObject({
+      ruleAlertId: '123',
+      savedObjectsClient,
+      actions: [],
+      throttle: '1d',
+    });
+    const [[, arg2, arg3]] = savedObjectsClient.create.mock.calls;
+    expect(arg2).toEqual<LegacyIRuleActionsAttributesSavedObjectAttributes>({
+      actions: [],
+      alertThrottle: '1d',
+      ruleThrottle: '1d',
+    });
+    expect(arg3).toEqual({
+      references: [
+        {
+          id: '123',
+          name: 'alert_0',
+          type: 'alert',
+        },
+      ],
+    });
+  });
+
+  test('it creates a rule actions saved object with 1 single action', () => {
+    legacyCreateRuleActionsSavedObject({
+      ruleAlertId: '123',
+      savedObjectsClient,
+      actions: [
+        {
+          id: '456',
+          group: 'default',
+          actionTypeId: '.slack',
+          params: {
+            kibana_siem_app_url: 'www.example.com',
+          },
+        },
+      ],
+      throttle: '1d',
+    });
+    const [[, arg2, arg3]] = savedObjectsClient.create.mock.calls;
+    expect(arg2).toEqual<LegacyIRuleActionsAttributesSavedObjectAttributes>({
+      actions: [
+        {
+          actionRef: 'action_0',
+          action_type_id: '.slack',
+          group: 'default',
+          params: {
+            kibana_siem_app_url: 'www.example.com',
+          },
+        },
+      ],
+      alertThrottle: '1d',
+      ruleThrottle: '1d',
+    });
+    expect(arg3).toEqual({
+      references: [
+        {
+          id: '123',
+          name: 'alert_0',
+          type: 'alert',
+        },
+        {
+          id: '456',
+          name: 'action_0',
+          type: 'action',
+        },
+      ],
+    });
+  });
+
+  test('it creates a rule actions saved object with 2 actions', () => {
+    legacyCreateRuleActionsSavedObject({
+      ruleAlertId: '123',
+      savedObjectsClient,
+      actions: [
+        {
+          id: '456',
+          group: 'default',
+          actionTypeId: '.slack',
+          params: {
+            kibana_siem_app_url: 'www.example.com',
+          },
+        },
+        {
+          id: '555',
+          group: 'default_2',
+          actionTypeId: '.email',
+          params: {
+            kibana_siem_app_url: 'www.example.com/2',
+          },
+        },
+      ],
+      throttle: '1d',
+    });
+    const [[, arg2, arg3]] = savedObjectsClient.create.mock.calls;
+    expect(arg2).toEqual<LegacyIRuleActionsAttributesSavedObjectAttributes>({
+      actions: [
+        {
+          actionRef: 'action_0',
+          action_type_id: '.slack',
+          group: 'default',
+          params: {
+            kibana_siem_app_url: 'www.example.com',
+          },
+        },
+        {
+          actionRef: 'action_1',
+          action_type_id: '.email',
+          group: 'default_2',
+          params: {
+            kibana_siem_app_url: 'www.example.com/2',
+          },
+        },
+      ],
+      alertThrottle: '1d',
+      ruleThrottle: '1d',
+    });
+    expect(arg3).toEqual({
+      references: [
+        {
+          id: '123',
+          name: 'alert_0',
+          type: 'alert',
+        },
+        {
+          id: '456',
+          name: 'action_0',
+          type: 'action',
+        },
+        {
+          id: '555',
+          name: 'action_1',
+          type: 'action',
+        },
+      ],
+    });
+  });
+});