[Cloud Security] Mute CSP Benchmark Rules
Showing
24 changed files
with
563 additions
and
81 deletions.
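--- a/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/bulk_action.test.ts
+++ b/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/bulk_action.test.ts
@@ -0,0 +1,36 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+import expect from 'expect';
+import { setRulesStates, buildRuleKey } from './utils';
+
+describe('CSP Rule State Management', () => {
+beforeEach(() => {
+jest.clearAllMocks();
+});
+
+it('should set rules states correctly', () => {
+const ruleIds = ['rule1', 'rule3'];
+const newState = true;
+
+const updatedRulesStates = setRulesStates(ruleIds, newState);
+
+expect(updatedRulesStates).toEqual({
+rule1: { muted: true },
+rule3: { muted: true },
+});
+});
+
+it('should build a rule key with the provided benchmarkId, benchmarkVersion, and ruleNumber', () => {
+const benchmarkId = 'randomId';
+const benchmarkVersion = 'v1';
+const ruleNumber = '001';
+
+const result = buildRuleKey(benchmarkId, benchmarkVersion, ruleNumber);
+
+expect(result).toBe(`${benchmarkId};${benchmarkVersion};${ruleNumber}`);
+});
+});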
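Review bot: The `buildRuleKey` expectation is built with the same template string as the implementation, so it would still pass if the separator or field order changed on both sides; pin the stored key format with a literal, `expect(result).toBe('randomId;v1;001');`. The file also covers only `muted: true` and the two pure helpers. Unless another test file in this commit does so, the route's `response.forbidden()` branch and the `unmute` action are untested, and the permission branch is the one most worth a test. `jest.clearAllMocks()` in `beforeEach` has nothing to clear here, since no mock is set up in this file.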
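--- a/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/bulk_action.ts
+++ b/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/bulk_action.ts
@@ -0,0 +1,68 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+
+import { transformError } from '@kbn/securitysolution-es-utils';
+import {
+CspBenchmarkRulesBulkActionRequestSchema,
+CspBenchmarkRulesStates,
+cspBenchmarkRulesBulkActionRequestSchema,
+} from '../../../../common/types/rules/v3';
+import { CspRouter } from '../../../types';
+
+import { CSP_BENCHMARK_RULES_BULK_ACTION_ROUTE_PATH } from '../../../../common/constants';
+import { bulkActionBenchmarkRulesHandler } from './v1';
+
+export const defineBulkActionCspBenchmarkRulesRoute = (router: CspRouter) =>
+router.versioned
+.post({
+access: 'internal',
+path: CSP_BENCHMARK_RULES_BULK_ACTION_ROUTE_PATH,
+})
+.addVersion(
+{
+version: '1',
+validate: {
+request: {
+body: cspBenchmarkRulesBulkActionRequestSchema,
+},
+},
+},
+async (context, request, response) => {
+if (!(await context.fleet).authz.fleet.all) {
+return response.forbidden();
+}
+const cspContext = await context.csp;
+
+try {
+const requestBody: CspBenchmarkRulesBulkActionRequestSchema = request.body;
+
+const benchmarkRulesToUpdate = requestBody.rules;
+
+const handlerResponse = await bulkActionBenchmarkRulesHandler(
+cspContext.encryptedSavedObjects,
+benchmarkRulesToUpdate,
+requestBody.action
+);
+
+const updatedBenchmarkRules: CspBenchmarkRulesStates = handlerResponse;
+return response.ok({
+body: {
+updated_benchmark_rules: updatedBenchmarkRules,
+message: 'The bulk operation has been executed successfully.',
+},
+});
+} catch (err) {
+const error = transformError(err);
+
+cspContext.logger.error(`Bulk action failed: ${error.message}`);
+return response.customError({
+body: { message: error.message },
+statusCode: error.statusCode || 500, // Default to 500 if no specific status code is provided
+});
+}
+}
+);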
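Review bot: A successful mute or unmute leaves no trace in this handler: the only log call is `cspContext.logger.error` in the catch block, so nothing records that benchmark rules were silenced. Muting changes which posture findings are reported, so a line before `response.ok` such as `cspContext.logger.info('Benchmark rules bulk action: ' + requestBody.action + ', count=' + benchmarkRulesToUpdate.length);` would give responders something to pivot on; attributing it to a user would need the request's identity, which the visible code does not read. The write goes through `cspContext.encryptedSavedObjects` rather than a request-scoped client, so the `authz.fleet.all` check appears to be the only gate and should be covered by a test. Separately, the catch block returns `error.message` verbatim to the caller even on the 500 fallback; a fixed message for 5xx with the detail kept in the log would avoid exposing storage-layer errors.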
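--- a/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/utils.ts
+++ b/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/utils.ts
@@ -0,0 +1,42 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+
+import type {
+SavedObjectsClientContract,
+SavedObjectsUpdateResponse,
+} from '@kbn/core-saved-objects-api-server';
+import { CspBenchmarkRulesStates, CspSettings } from '../../../../common/types/rules/v3';
+
+import {
+INTERNAL_CSP_SETTINGS_SAVED_OBJECT_ID,
+INTERNAL_CSP_SETTINGS_SAVED_OBJECT_TYPE,
+} from '../../../../common/constants';
+
+export const updateRulesStates = async (
+encryptedSoClient: SavedObjectsClientContract,
+newRulesStates: CspBenchmarkRulesStates
+): Promise<SavedObjectsUpdateResponse<CspSettings>> => {
+return await encryptedSoClient.update<CspSettings>(
+INTERNAL_CSP_SETTINGS_SAVED_OBJECT_TYPE,
+INTERNAL_CSP_SETTINGS_SAVED_OBJECT_ID,
+{ rules: newRulesStates },
+// if there is no saved object yet, insert a new SO
+{ upsert: { rules: newRulesStates } }
+);
+};
+
+export const setRulesStates = (ruleIds: string[], state: boolean): CspBenchmarkRulesStates => {
+const rulesStates: CspBenchmarkRulesStates = {};
+ruleIds.forEach((ruleId) => {
+rulesStates[ruleId] = { muted: state };
+});
+return rulesStates;
+};
+
+export const buildRuleKey = (benchmarkId: string, benchmarkVersion: string, ruleNumber: string) => {
+return `${benchmarkId};${benchmarkVersion};${ruleNumber}`;
+};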
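Review bot: `buildRuleKey` joins its three parts with `;`, but nothing visible here rejects a `;` inside `benchmarkId`, `benchmarkVersion` or `ruleNumber`, so two different triples can produce the same key and one rule's mute state could land on another. If the request schema (not shown in this section) does not already constrain these fields, reject parts containing the delimiter before building the key, e.g. `if ([benchmarkId, benchmarkVersion, ruleNumber].some((p) => p.includes(';'))) throw new Error('invalid rule key part');`. An explicit `: string` return type on `buildRuleKey` would also match the annotated siblings in this file.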
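--- a/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/v1.ts
+++ b/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/v1.ts
@@ -0,0 +1,30 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+import { SavedObjectsClientContract } from '@kbn/core-saved-objects-api-server';
+import { CspBenchmarkRules, CspBenchmarkRulesStates } from '../../../../common/types/rules/v3';
+import { buildRuleKey, setRulesStates, updateRulesStates } from './utils';
+
+const muteStatesMap = {
+mute: true,
+unmute: false,
+};
+
+export const bulkActionBenchmarkRulesHandler = async (
+encryptedSoClient: SavedObjectsClientContract,
+rulesToUpdate: CspBenchmarkRules,
+action: 'mute' | 'unmute'
+): Promise<CspBenchmarkRulesStates> => {
+const ruleKeys = rulesToUpdate.map((rule) =>
+buildRuleKey(rule.benchmark_id, rule.benchmark_version, rule.rule_number)
+);
+
+const newRulesStates = setRulesStates(ruleKeys, muteStatesMap[action]);
+
+const newCspSettings = await updateRulesStates(encryptedSoClient, newRulesStates);
+
+return newCspSettings.attributes.rules!;
+};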
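Review bot: The non-null assertion in `return newCspSettings.attributes.rules!;` hides the case where the update response carries no `rules` attribute; the route would then answer with its success message and an undefined `updated_benchmark_rules`. Prefer an explicit guard: `const rules = newCspSettings.attributes.rules;` followed by `if (!rules) throw new Error('CSP settings update returned no rules');`. `muteStatesMap[action]` also depends on the request schema having limited `action` to the two keys at runtime; that schema is not shown in this section, so it is worth confirming.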
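--- a/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/find/utils.ts
+++ b/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/find/utils.ts
@@ -0,0 +1,41 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+import semverValid from 'semver/functions/valid';
+import semverCompare from 'semver/functions/compare';
+import { NewPackagePolicy } from '@kbn/fleet-plugin/common';
+import { SavedObjectsClientContract } from '@kbn/core-saved-objects-api-server';
+import { PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../../benchmarks/benchmarks';
+import { getBenchmarkFromPackagePolicy } from '../../../../common/utils/helpers';
+
+import type { CspBenchmarkRule } from '../../../../common/types/latest';
+
+export const getSortedCspBenchmarkRulesTemplates = (cspBenchmarkRules: CspBenchmarkRule[]) => {
+return cspBenchmarkRules.slice().sort((a, b) => {
+const ruleNumberA = a?.metadata?.benchmark?.rule_number;
+const ruleNumberB = b?.metadata?.benchmark?.rule_number;
+
+const versionA = semverValid(ruleNumberA);
+const versionB = semverValid(ruleNumberB);
+
+if (versionA !== null && versionB !== null) {
+return semverCompare(versionA, versionB);
+} else {
+return String(ruleNumberA).localeCompare(String(ruleNumberB));
+}
+});
+};
+
+export const getBenchmarkIdFromPackagePolicyId = async (
+soClient: SavedObjectsClientContract,
+packagePolicyId: string
+): Promise<string> => {
+const res = await soClient.get<NewPackagePolicy>(
+PACKAGE_POLICY_SAVED_OBJECT_TYPE,
+packagePolicyId
+);
+return getBenchmarkFromPackagePolicy(res.attributes.inputs);
+};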
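Review bot: The comparator in `getSortedCspBenchmarkRulesTemplates` is not a consistent ordering, because it uses `semverCompare` only when both rule numbers are valid semver and falls back to plain `localeCompare` otherwise. With the rule numbers `1.9.0`, `1.10.0` and `1.5`, it gives `1.9.0` < `1.10.0` (semver), `1.10.0` < `1.5` (string) and `1.5` < `1.9.0` (string), so the sort result depends on input order. One comparison for every pair avoids this, e.g. `return String(ruleNumberA).localeCompare(String(ruleNumberB), undefined, { numeric: true });`. A missing `rule_number` is also compared as the text `undefined`, which may deserve an explicit branch; this function may have been moved here unchanged from another file.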