Merge branch 'main' into sec_integ_test_fix_latest1

opensearch-project · Nov 12, 2022 · fb33a43 · fb33a43
2 parents 7496103 + 2e44ff4
commit fb33a43
Show file tree

Hide file tree

Showing 11 changed files with 170 additions and 25 deletions.
diff --git a/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java b/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java
@@ -5,6 +5,7 @@
 package org.opensearch.securityanalytics.findings;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -16,6 +17,7 @@
 import org.opensearch.client.Client;
 import org.opensearch.client.node.NodeClient;
 import org.opensearch.commons.alerting.AlertingPluginInterface;
+import org.opensearch.commons.alerting.model.DocLevelQuery;
 import org.opensearch.commons.alerting.model.FindingWithDocs;
 import org.opensearch.commons.alerting.model.Table;
 import org.opensearch.rest.RestStatus;
@@ -83,9 +85,9 @@ public void onFailure(Exception e) {
                 };
 
                 // monitor --> detectorId mapping
-                Map<String, String> monitorToDetectorMapping = new HashMap<>();
+                Map<String, Detector> monitorToDetectorMapping = new HashMap<>();
                 detector.getMonitorIds().forEach(
-                        monitorId -> monitorToDetectorMapping.put(monitorId, detector.getId())
+                        monitorId -> monitorToDetectorMapping.put(monitorId, detector)
                 );
                 // Get findings for all monitor ids
                 FindingsService.this.getFindingsByMonitorIds(
@@ -112,7 +114,7 @@ public void onFailure(Exception e) {
      * @param listener ActionListener to get notified on response or error
      */
     public void getFindingsByMonitorIds(
-            Map<String, String> monitorToDetectorMapping,
+            Map<String, Detector> monitorToDetectorMapping,
             List<String> monitorIds,
             String findingIndexName,
             Table table,
@@ -169,11 +171,11 @@ public void getFindings(
 
         List<String> allMonitorIds = new ArrayList<>();
         // Used to convert monitorId back to detectorId to store in result FindingDto
-        Map<String, String> monitorToDetectorMapping = new HashMap<>();
+        Map<String, Detector> monitorToDetectorMapping = new HashMap<>();
         detectors.forEach(detector -> {
             // monitor --> detector map
             detector.getMonitorIds().forEach(
-                monitorId -> monitorToDetectorMapping.put(monitorId, detector.getId())
+                monitorId -> monitorToDetectorMapping.put(monitorId, detector)
             );
             // all monitorIds
             allMonitorIds.addAll(detector.getMonitorIds());
@@ -201,13 +203,21 @@ public void onFailure(Exception e) {
         );
     }
 
-    public FindingDto mapFindingWithDocsToFindingDto(FindingWithDocs findingWithDocs, String detectorId) {
+    public FindingDto mapFindingWithDocsToFindingDto(FindingWithDocs findingWithDocs, Detector detector) {
+        List<DocLevelQuery> docLevelQueries = findingWithDocs.getFinding().getDocLevelQueries();
+        if (docLevelQueries.isEmpty()) { // this is finding generated by a bucket level monitor
+            for (Map.Entry<String, String> entry : detector.getRuleIdMonitorIdMap().entrySet()) {
+                if(entry.getValue().equals(findingWithDocs.getFinding().getMonitorId())) {
+                    docLevelQueries = Collections.singletonList(new DocLevelQuery(entry.getKey(),"","",Collections.emptyList()));
+                }
+            }
+        }
         return new FindingDto(
-                detectorId,
+                detector.getId(),
                 findingWithDocs.getFinding().getId(),
                 findingWithDocs.getFinding().getRelatedDocIds(),
                 findingWithDocs.getFinding().getIndex(),
-                findingWithDocs.getFinding().getDocLevelQueries(),
+                docLevelQueries,
                 findingWithDocs.getFinding().getTimestamp(),
                 findingWithDocs.getDocuments()
         );

diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.java
@@ -10,6 +10,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.join.ScoreMode;
+import org.opensearch.OpenSearchStatusException;
 import org.opensearch.action.ActionListener;
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.action.search.SearchResponse;
@@ -20,6 +21,7 @@
 import org.opensearch.common.xcontent.NamedXContentRegistry;
 import org.opensearch.index.query.NestedQueryBuilder;
 import org.opensearch.index.query.QueryBuilders;
+import org.opensearch.rest.RestStatus;
 import org.opensearch.search.builder.SearchSourceBuilder;
 import org.opensearch.securityanalytics.action.GetAlertsAction;
 import org.opensearch.securityanalytics.action.GetAlertsRequest;
@@ -28,6 +30,7 @@
 import org.opensearch.securityanalytics.alerts.AlertsService;
 import org.opensearch.securityanalytics.model.Detector;
 import org.opensearch.securityanalytics.util.DetectorUtils;
+import org.opensearch.securityanalytics.util.SecurityAnalyticsException;
 import org.opensearch.tasks.Task;
 import org.opensearch.transport.TransportService;
 
@@ -87,6 +90,16 @@ protected void doExecute(Task task, GetAlertsRequest request, ActionListener<Get
                 public void onResponse(SearchResponse searchResponse) {
                     try {
                         List<Detector> detectors = DetectorUtils.getDetectors(searchResponse, xContentRegistry);
+                        if (detectors.size() == 0) {
+                            actionListener.onFailure(
+                                SecurityAnalyticsException.wrap(
+                                    new OpenSearchStatusException(
+                                            "No detectors found for provided type", RestStatus.NOT_FOUND
+                                    )
+                                )
+                            );
+                            return;
+                        }
                         alertsService.getAlerts(
                                 detectors,
                                 request.getDetectorType(),

diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetFindingsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetFindingsAction.java
@@ -35,6 +35,7 @@
 import org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings;
 import org.opensearch.securityanalytics.util.DetectorIndices;
 import org.opensearch.securityanalytics.util.DetectorUtils;
+import org.opensearch.securityanalytics.util.SecurityAnalyticsException;
 import org.opensearch.tasks.Task;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.TransportService;
@@ -119,6 +120,16 @@ protected void doExecute(Task task, GetFindingsRequest request, ActionListener<G
                 public void onResponse(SearchResponse searchResponse) {
                     try {
                         List<Detector> detectors = DetectorUtils.getDetectors(searchResponse, xContentRegistry);
+                        if (detectors.size() == 0) {
+                            actionListener.onFailure(
+                                    SecurityAnalyticsException.wrap(
+                                            new OpenSearchStatusException(
+                                                    "No detectors found for provided type", RestStatus.NOT_FOUND
+                                            )
+                                    )
+                            );
+                            return;
+                        }
                         findingsService.getFindings(
                                 detectors,
                                 request.getDetectorType(),

diff --git a/...main/java/org/opensearch/securityanalytics/transport/TransportGetIndexMappingsAction.java b/...main/java/org/opensearch/securityanalytics/transport/TransportGetIndexMappingsAction.java
@@ -4,16 +4,19 @@
  */
 package org.opensearch.securityanalytics.transport;
 
+import org.opensearch.OpenSearchStatusException;
 import org.opensearch.action.ActionListener;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.inject.Inject;
+import org.opensearch.rest.RestStatus;
 import org.opensearch.securityanalytics.action.GetIndexMappingsAction;
 import org.opensearch.securityanalytics.mapper.MapperService;
 import org.opensearch.securityanalytics.action.GetIndexMappingsRequest;
 import org.opensearch.securityanalytics.action.GetIndexMappingsResponse;
+import org.opensearch.securityanalytics.util.SecurityAnalyticsException;
 import org.opensearch.tasks.Task;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.TransportService;
@@ -44,7 +47,13 @@ protected void doExecute(Task task, GetIndexMappingsRequest request, ActionListe
         this.threadPool.getThreadContext().stashContext();
         IndexMetadata index = clusterService.state().metadata().index(request.getIndexName());
         if (index == null) {
-            actionListener.onFailure(new IllegalStateException("Could not find index [" + request.getIndexName() + "]"));
+            actionListener.onFailure(
+                    SecurityAnalyticsException.wrap(
+                            new OpenSearchStatusException(
+                                    "Could not find index [" + request.getIndexName() + "]", RestStatus.NOT_FOUND
+                            )
+                    )
+            );
             return;
         }
         mapperService.getMappingAction(request.getIndexName(), actionListener);

diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetMappingsViewAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetMappingsViewAction.java
@@ -4,19 +4,22 @@
  */
 package org.opensearch.securityanalytics.transport;
 
+import org.opensearch.OpenSearchStatusException;
 import org.opensearch.action.ActionListener;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.inject.Inject;
+import org.opensearch.rest.RestStatus;
 import org.opensearch.securityanalytics.action.GetIndexMappingsAction;
 import org.opensearch.securityanalytics.action.GetIndexMappingsRequest;
 import org.opensearch.securityanalytics.action.GetIndexMappingsResponse;
 import org.opensearch.securityanalytics.action.GetMappingsViewAction;
 import org.opensearch.securityanalytics.action.GetMappingsViewRequest;
 import org.opensearch.securityanalytics.action.GetMappingsViewResponse;
 import org.opensearch.securityanalytics.mapper.MapperService;
+import org.opensearch.securityanalytics.util.SecurityAnalyticsException;
 import org.opensearch.tasks.Task;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.TransportService;
@@ -46,7 +49,13 @@ protected void doExecute(Task task, GetMappingsViewRequest request, ActionListen
         this.threadPool.getThreadContext().stashContext();
         IndexMetadata index = clusterService.state().metadata().index(request.getIndexName());
         if (index == null) {
-            actionListener.onFailure(new IllegalStateException("Could not find index [" + request.getIndexName() + "]"));
+            actionListener.onFailure(
+                    SecurityAnalyticsException.wrap(
+                            new OpenSearchStatusException(
+                                    "Could not find index [" + request.getIndexName() + "]", RestStatus.NOT_FOUND
+                            )
+                    )
+            );
             return;
         }
         mapperService.getMappingsViewAction(request.getIndexName(), request.getRuleTopic(), actionListener);

diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
@@ -193,6 +193,7 @@ private void createMonitorFromQueries(String index, List<Pair<String, Rule>> rul
         }
         // Do nothing if detector doesn't have any monitor
         if(monitorRequests.isEmpty()){
+            listener.onResponse(Collections.emptyList());
             return;
         }
 

diff --git a/...n/java/org/opensearch/securityanalytics/transport/TransportUpdateIndexMappingsAction.java b/...n/java/org/opensearch/securityanalytics/transport/TransportUpdateIndexMappingsAction.java
@@ -4,16 +4,19 @@
  */
 package org.opensearch.securityanalytics.transport;
 
+import org.opensearch.OpenSearchStatusException;
 import org.opensearch.action.ActionListener;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.action.support.master.AcknowledgedResponse;
 import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.inject.Inject;
+import org.opensearch.rest.RestStatus;
 import org.opensearch.securityanalytics.action.UpdateIndexMappingsAction;
 import org.opensearch.securityanalytics.mapper.MapperService;
 import org.opensearch.securityanalytics.action.UpdateIndexMappingsRequest;
+import org.opensearch.securityanalytics.util.SecurityAnalyticsException;
 import org.opensearch.tasks.Task;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.TransportService;
@@ -48,7 +51,13 @@ protected void doExecute(Task task, UpdateIndexMappingsRequest request, ActionLi
         try {
             IndexMetadata index = clusterService.state().metadata().index(request.getIndexName());
             if (index == null) {
-                actionListener.onFailure(new IllegalStateException("Could not find index [" + request.getIndexName() + "]"));
+                actionListener.onFailure(
+                        SecurityAnalyticsException.wrap(
+                                new OpenSearchStatusException(
+                                        "Could not find index [" + request.getIndexName() + "]", RestStatus.NOT_FOUND
+                                )
+                        )
+                );
                 return;
             }
             mapperService.updateMappingAction(

diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportValidateRulesAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportValidateRulesAction.java
@@ -5,24 +5,22 @@
 package org.opensearch.securityanalytics.transport;
 
 import java.util.List;
+import org.opensearch.OpenSearchStatusException;
 import org.opensearch.action.ActionListener;
 import org.opensearch.action.StepListener;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
-import org.opensearch.action.support.master.AcknowledgedResponse;
 import org.opensearch.client.Client;
 import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.inject.Inject;
 import org.opensearch.common.xcontent.NamedXContentRegistry;
-import org.opensearch.securityanalytics.action.CreateIndexMappingsAction;
-import org.opensearch.securityanalytics.action.CreateIndexMappingsRequest;
+import org.opensearch.rest.RestStatus;
 import org.opensearch.securityanalytics.action.ValidateRulesAction;
 import org.opensearch.securityanalytics.action.ValidateRulesRequest;
 import org.opensearch.securityanalytics.action.ValidateRulesResponse;
-import org.opensearch.securityanalytics.mapper.MapperService;
-import org.opensearch.securityanalytics.util.RuleIndices;
 import org.opensearch.securityanalytics.util.RuleValidator;
+import org.opensearch.securityanalytics.util.SecurityAnalyticsException;
 import org.opensearch.tasks.Task;
 import org.opensearch.transport.TransportService;
 
@@ -48,7 +46,13 @@ public TransportValidateRulesAction(
     protected void doExecute(Task task, ValidateRulesRequest request, ActionListener<ValidateRulesResponse> actionListener) {
         IndexMetadata index = clusterService.state().metadata().index(request.getIndexName());
         if (index == null) {
-            actionListener.onFailure(new IllegalStateException("Could not find index [" + request.getIndexName() + "]"));
+            actionListener.onFailure(
+                    SecurityAnalyticsException.wrap(
+                            new OpenSearchStatusException(
+                                    "Could not find index [" + request.getIndexName() + "]", RestStatus.NOT_FOUND
+                            )
+                    )
+            );
             return;
         }
         StepListener<List<String>> validateRulesResponseListener = new StepListener();

diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java b/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java
@@ -19,6 +19,7 @@
 import org.junit.Assert;
 import org.opensearch.client.Request;
 import org.opensearch.client.Response;
+import org.opensearch.client.ResponseException;
 import org.opensearch.commons.alerting.model.action.Action;
 import org.opensearch.rest.RestStatus;
 import org.opensearch.search.SearchHit;
@@ -164,6 +165,16 @@ public void testGetAlerts_success() throws IOException {
         assertEquals(((ArrayList<AlertDto>) ackAlertsResponseMap.get("acknowledged")).size(), 1);
     }
 
+    public void testGetAlerts_noDetector_failure() throws IOException {
+         // Call GetAlerts API
+        Map<String, String> params = new HashMap<>();
+        params.put("detector_id", "nonexistent_detector_id");
+        try {
+            makeRequest(client(), "GET", SecurityAnalyticsPlugin.ALERTS_BASE_URI, params, null);
+        } catch (ResponseException e) {
+            assertEquals(HttpStatus.SC_NOT_FOUND, e.getResponse().getStatusLine().getStatusCode());
+        }
+    }
 
     @SuppressWarnings("unchecked")
     public void testAckAlerts_WithInvalidDetectorAlertsCombination() throws IOException {

diff --git a/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java b/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java
@@ -15,6 +15,7 @@
 import org.junit.Assert;
 import org.opensearch.client.Request;
 import org.opensearch.client.Response;
+import org.opensearch.client.ResponseException;
 import org.opensearch.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
@@ -90,6 +91,16 @@ public void testGetFindings_byDetectorId_success() throws IOException {
         Assert.assertEquals(1, getFindingsBody.get("total_findings"));
     }
 
+    public void testGetFindings_noDetector_failure() throws IOException {
+        Map<String, String> params = new HashMap<>();
+        params.put("detector_id", "nonexistent_id");
+        try {
+            makeRequest(client(), "GET", SecurityAnalyticsPlugin.FINDINGS_BASE_URI + "/_search", params, null);
+        } catch (ResponseException e) {
+            assertEquals(HttpStatus.SC_NOT_FOUND, e.getResponse().getStatusLine().getStatusCode());
+        }
+    }
+
     public void testGetFindings_byDetectorType_oneDetector_success() throws IOException {
         String index = createTestIndex(randomIndex(), windowsIndexMapping());