[8.7] [Security Solution] Support rule id in wait for rule status hel…

…per (#153410) (#154328)

# Backport

This will backport the following commits from `main` to `8.7`:
- [[Security Solution] Support rule id in wait for rule status helper
(#153410)](#153410)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Maxim
Palenov","email":"maxim.palenov@elastic.co"},"sourceCommit":{"committedDate":"2023-03-27T09:03:15Z","message":"[Security
Solution] Support rule id in wait for rule status helper
(#153410)\n\n**Relates to:**
https://github.com/elastic/kibana/pull/152900\r\n\r\n##
Summary\r\n\r\nThis PR adds an ability to wait for rule status by its
rule id in functional tests. It is a result of splitting of
#150553 into isolated
parts.\r\n\r\n## Details\r\n\r\nBased on what kind of id is used (SO id
or rule id) it leads to different behaviour under the hood. SO id
related functionality consumes ES Get API while rule id related
functionality consumes ES Search API. This way it may require to add
some delay to let ES to refresh the data if the testing logic consumes
ES Search API while rule status was awaited via SO id so that handled by
ES Get API. This PR removes such a delay at rule exporting functional
tests.","sha":"519185ffa88aeea05626f71b303a7daf1ce9d14b","branchLabelMapping":{"^v8.8.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["refactoring","technical
debt","release_note:skip","test-api-integration","Team:Detections and
Resp","Team: SecuritySolution","Team:Detection
Rules","backport:prev-minor","v8.8.0"],"number":153410,"url":"https://github.com/elastic/kibana/pull/153410","mergeCommit":{"message":"[Security
Solution] Support rule id in wait for rule status helper
(#153410)\n\n**Relates to:**
https://github.com/elastic/kibana/pull/152900\r\n\r\n##
Summary\r\n\r\nThis PR adds an ability to wait for rule status by its
rule id in functional tests. It is a result of splitting of
#150553 into isolated
parts.\r\n\r\n## Details\r\n\r\nBased on what kind of id is used (SO id
or rule id) it leads to different behaviour under the hood. SO id
related functionality consumes ES Get API while rule id related
functionality consumes ES Search API. This way it may require to add
some delay to let ES to refresh the data if the testing logic consumes
ES Search API while rule status was awaited via SO id so that handled by
ES Get API. This PR removes such a delay at rule exporting functional
tests.","sha":"519185ffa88aeea05626f71b303a7daf1ce9d14b"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.8.0","labelRegex":"^v8.8.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/153410","number":153410,"mergeCommit":{"message":"[Security
Solution] Support rule id in wait for rule status helper
(#153410)\n\n**Relates to:**
https://github.com/elastic/kibana/pull/152900\r\n\r\n##
Summary\r\n\r\nThis PR adds an ability to wait for rule status by its
rule id in functional tests. It is a result of splitting of
#150553 into isolated
parts.\r\n\r\n## Details\r\n\r\nBased on what kind of id is used (SO id
or rule id) it leads to different behaviour under the hood. SO id
related functionality consumes ES Get API while rule id related
functionality consumes ES Search API. This way it may require to add
some delay to let ES to refresh the data if the testing logic consumes
ES Search API while rule status was awaited via SO id so that handled by
ES Get API. This PR removes such a delay at rule exporting functional
tests.","sha":"519185ffa88aeea05626f71b303a7daf1ce9d14b"}}]}]
BACKPORT-->

x-pack/test/cases_api_integration/common/lib/alerts.ts

@@ -0,0 +1,76 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type SuperTest from 'supertest';
+import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+import { ToolingLog } from '@kbn/tooling-log';
+import { DETECTION_ENGINE_QUERY_SIGNALS_URL } from '@kbn/security-solution-plugin/common/constants';
+import { DetectionAlert } from '@kbn/security-solution-plugin/common/detection_engine/schemas/alerts';
+import { RiskEnrichmentFields } from '@kbn/security-solution-plugin/server/lib/detection_engine/signals/enrichments/types';
+import {
+  getRuleForSignalTesting,
+  createRule,
+  waitForRuleSuccess,
+  waitForSignalsToBePresent,
+  getSignalsByIds,
+  getQuerySignalIds,
+} from '../../../detection_engine_api_integration/utils';
+import { superUser } from './authentication/users';
+import { User } from './authentication/types';
+import { getSpaceUrlPrefix } from './api/helpers';
+
+export const createSecuritySolutionAlerts = async (
+  supertest: SuperTest.SuperTest<SuperTest.Test>,
+  log: ToolingLog
+): Promise<estypes.SearchResponse<DetectionAlert & RiskEnrichmentFields>> => {
+  const rule = getRuleForSignalTesting(['auditbeat-*']);
+  const { id } = await createRule(supertest, log, rule);
+  await waitForRuleSuccess({ supertest, log, id });
+  await waitForSignalsToBePresent(supertest, log, 1, [id]);
+  const signals = await getSignalsByIds(supertest, log, [id]);
+
+  return signals;
+};
+
+export const getSecuritySolutionAlerts = async (
+  supertest: SuperTest.SuperTest<SuperTest.Test>,
+  alertIds: string[]
+): Promise<estypes.SearchResponse<DetectionAlert & RiskEnrichmentFields>> => {
+  const { body: updatedAlert } = await supertest
+    .post(DETECTION_ENGINE_QUERY_SIGNALS_URL)
+    .set('kbn-xsrf', 'true')
+    .send(getQuerySignalIds(alertIds))
+    .expect(200);
+
+  return updatedAlert;
+};
+
+interface AlertResponse {
+  'kibana.alert.case_ids'?: string[];
+}
+
+export const getAlertById = async ({
+  supertest,
+  id,
+  index,
+  expectedHttpCode = 200,
+  auth = { user: superUser, space: null },
+}: {
+  supertest: SuperTest.SuperTest<SuperTest.Test>;
+  id: string;
+  index: string;
+  expectedHttpCode?: number;
+  auth?: { user: User; space: string | null };
+}): Promise<AlertResponse> => {
+  const { body: alert } = await supertest
+    .get(`${getSpaceUrlPrefix(auth?.space)}/internal/rac/alerts?id=${id}&index=${index}`)
+    .auth(auth.user.username, auth.user.password)
+    .set('kbn-xsrf', 'true')
+    .expect(expectedHttpCode);
+
+  return alert;
+};

x-pack/test/cases_api_integration/security_and_spaces/tests/common/cases/patch_cases.ts

@@ -43,7 +43,7 @@ import {
   deleteSignalsIndex,
   deleteAllRules,
   getRuleForSignalTesting,
-  waitForRuleSuccessOrStatus,
+  waitForRuleSuccess,
   waitForSignalsToBePresent,
   getSignalsByIds,
   createRule,
@@ -804,7 +804,7 @@ export default ({ getService }: FtrProviderContext): void => {
           const postedCase = await createCase(supertest, postCaseReq);
 
           const { id } = await createRule(supertest, log, rule);
-          await waitForRuleSuccessOrStatus(supertest, log, id);
+          await waitForRuleSuccess({ supertest, log, id });
           await waitForSignalsToBePresent(supertest, log, 1, [id]);
           const signals = await getSignalsByIds(supertest, log, [id]);
 
@@ -864,7 +864,7 @@ export default ({ getService }: FtrProviderContext): void => {
           });
 
           const { id } = await createRule(supertest, log, rule);
-          await waitForRuleSuccessOrStatus(supertest, log, id);
+          await waitForRuleSuccess({ supertest, log, id });
           await waitForSignalsToBePresent(supertest, log, 1, [id]);
           const signals = await getSignalsByIds(supertest, log, [id]);
 
@@ -917,7 +917,7 @@ export default ({ getService }: FtrProviderContext): void => {
           });
 
           const { id } = await createRule(supertest, log, rule);
-          await waitForRuleSuccessOrStatus(supertest, log, id);
+          await waitForRuleSuccess({ supertest, log, id });
           await waitForSignalsToBePresent(supertest, log, 1, [id]);
           const signals = await getSignalsByIds(supertest, log, [id]);
 
@@ -986,7 +986,7 @@ export default ({ getService }: FtrProviderContext): void => {
 
           const postedCase = await createCase(supertest, postCaseReq);
           const { id } = await createRule(supertest, log, rule);
-          await waitForRuleSuccessOrStatus(supertest, log, id);
+          await waitForRuleSuccess({ supertest, log, id });
           await waitForSignalsToBePresent(supertest, log, 1, [id]);
           const signals = await getSignalsByIds(supertest, log, [id]);
 

x-pack/test/cases_api_integration/security_and_spaces/tests/common/comments/post_comment.ts

@@ -42,7 +42,7 @@ import {
   deleteSignalsIndex,
   deleteAllRules,
   getRuleForSignalTesting,
-  waitForRuleSuccessOrStatus,
+  waitForRuleSuccess,
   waitForSignalsToBePresent,
   getSignalsByIds,
   createRule,
@@ -386,7 +386,7 @@ export default ({ getService }: FtrProviderContext): void => {
         });
 
         const { id } = await createRule(supertest, log, rule);
-        await waitForRuleSuccessOrStatus(supertest, log, id);
+        await waitForRuleSuccess({ supertest, log, id });
         await waitForSignalsToBePresent(supertest, log, 1, [id]);
         const signals = await getSignalsByIds(supertest, log, [id]);
 

x-pack/test/cases_api_integration/security_and_spaces/tests/common/internal/bulk_create_attachments.ts

@@ -41,7 +41,7 @@ import {
   deleteSignalsIndex,
   deleteAllRules,
   getRuleForSignalTesting,
-  waitForRuleSuccessOrStatus,
+  waitForRuleSuccess,
   waitForSignalsToBePresent,
   getSignalsByIds,
   createRule,
@@ -503,7 +503,7 @@ export default ({ getService }: FtrProviderContext): void => {
         });
 
         const { id } = await createRule(supertest, log, rule);
-        await waitForRuleSuccessOrStatus(supertest, log, id);
+        await waitForRuleSuccess({ supertest, log, id });
         await waitForSignalsToBePresent(supertest, log, 1, [id]);
         const signals = await getSignalsByIds(supertest, log, [id]);
         const attachments: CommentRequest[] = [];

x-pack/test/detection_engine_api_integration/basic/tests/open_close_signals.ts

@@ -24,7 +24,7 @@ import {
   createRule,
   waitForSignalsToBePresent,
   getSignalsByIds,
-  waitForRuleSuccessOrStatus,
+  waitForRuleSuccess,
   getRuleForSignalTesting,
 } from '../../utils';
 
@@ -57,7 +57,7 @@ export default ({ getService }: FtrProviderContext) => {
       it('should be able to execute and get 10 signals', async () => {
         const rule = getRuleForSignalTesting(['auditbeat-*']);
         const { id } = await createRule(supertest, log, rule);
-        await waitForRuleSuccessOrStatus(supertest, log, id);
+        await waitForRuleSuccess({ supertest, log, id });
         await waitForSignalsToBePresent(supertest, log, 10, [id]);
         const signalsOpen = await getSignalsByIds(supertest, log, [id]);
         expect(signalsOpen.hits.hits.length).equal(10);
@@ -66,7 +66,7 @@ export default ({ getService }: FtrProviderContext) => {
       it('should be have set the signals in an open state initially', async () => {
         const rule = getRuleForSignalTesting(['auditbeat-*']);
         const { id } = await createRule(supertest, log, rule);
-        await waitForRuleSuccessOrStatus(supertest, log, id);
+        await waitForRuleSuccess({ supertest, log, id });
         await waitForSignalsToBePresent(supertest, log, 10, [id]);
         const signalsOpen = await getSignalsByIds(supertest, log, [id]);
         const everySignalOpen = signalsOpen.hits.hits.every(
@@ -78,7 +78,7 @@ export default ({ getService }: FtrProviderContext) => {
       it('should be able to get a count of 10 closed signals when closing 10', async () => {
         const rule = getRuleForSignalTesting(['auditbeat-*']);
         const { id } = await createRule(supertest, log, rule);
-        await waitForRuleSuccessOrStatus(supertest, log, id);
+        await waitForRuleSuccess({ supertest, log, id });
         await waitForSignalsToBePresent(supertest, log, 10, [id]);
         const signalsOpen = await getSignalsByIds(supertest, log, [id]);
         const signalIds = signalsOpen.hits.hits.map((signal) => signal._id);
@@ -104,7 +104,7 @@ export default ({ getService }: FtrProviderContext) => {
       it('should be able close 10 signals immediately and they all should be closed', async () => {
         const rule = getRuleForSignalTesting(['auditbeat-*']);
         const { id } = await createRule(supertest, log, rule);
-        await waitForRuleSuccessOrStatus(supertest, log, id);
+        await waitForRuleSuccess({ supertest, log, id });
         await waitForSignalsToBePresent(supertest, log, 10, [id]);
         const signalsOpen = await getSignalsByIds(supertest, log, [id]);
         const signalIds = signalsOpen.hits.hits.map((signal) => signal._id);

x-pack/test/detection_engine_api_integration/security_and_spaces/group1/add_actions.ts

@@ -17,7 +17,7 @@ import {
   getWebHookAction,
   getRuleWithWebHookAction,
   getSimpleRuleOutputWithWebHookAction,
-  waitForRuleSuccessOrStatus,
+  waitForRuleSuccess,
   createRule,
 } from '../../utils';
 
@@ -74,7 +74,7 @@ export default ({ getService }: FtrProviderContext) => {
           log,
           getRuleWithWebHookAction(hookAction.id, true)
         );
-        await waitForRuleSuccessOrStatus(supertest, log, rule.id);
+        await waitForRuleSuccess({ supertest, log, id: rule.id });
       });
 
       it('should be able to create a new webhook action and attach it to a rule with a meta field and run it correctly', async () => {
@@ -92,7 +92,7 @@ export default ({ getService }: FtrProviderContext) => {
         };
 
         const rule = await createRule(supertest, log, ruleWithAction);
-        await waitForRuleSuccessOrStatus(supertest, log, rule.id);
+        await waitForRuleSuccess({ supertest, log, id: rule.id });
       });
     });
   });

x-pack/test/detection_engine_api_integration/security_and_spaces/group1/aliases.ts

@@ -15,7 +15,7 @@ import {
   deleteSignalsIndex,
   getRuleForSignalTesting,
   getSignalsById,
-  waitForRuleSuccessOrStatus,
+  waitForRuleSuccess,
   waitForSignalsToBePresent,
 } from '../../utils';
 
@@ -50,7 +50,7 @@ export default ({ getService }: FtrProviderContext) => {
     it('should keep the original alias value such as "host_alias" from a source index when the value is indexed', async () => {
       const rule = getRuleForSignalTesting(['host_alias']);
       const { id } = await createRule(supertest, log, rule);
-      await waitForRuleSuccessOrStatus(supertest, log, id);
+      await waitForRuleSuccess({ supertest, log, id });
       await waitForSignalsToBePresent(supertest, log, 4, [id]);
       const signalsOpen = await getSignalsById(supertest, log, id);
       const hits = signalsOpen.hits.hits
@@ -62,7 +62,7 @@ export default ({ getService }: FtrProviderContext) => {
     it('should copy alias data from a source index into the signals index in the same position when the target is ECS compatible', async () => {
       const rule = getRuleForSignalTesting(['host_alias']);
       const { id } = await createRule(supertest, log, rule);
-      await waitForRuleSuccessOrStatus(supertest, log, id);
+      await waitForRuleSuccess({ supertest, log, id });
       await waitForSignalsToBePresent(supertest, log, 4, [id]);
       const signalsOpen = await getSignalsById(supertest, log, id);
       const hits = signalsOpen.hits.hits

x-pack/test/detection_engine_api_integration/security_and_spaces/group1/check_privileges.ts

@@ -8,14 +8,13 @@
 import expect from '@kbn/expect';
 import { DETECTION_ENGINE_RULES_URL } from '@kbn/security-solution-plugin/common/constants';
 import { ROLES } from '@kbn/security-solution-plugin/common/test';
-import { RuleExecutionStatus } from '@kbn/security-solution-plugin/common/detection_engine/rule_monitoring';
 import { ThresholdRuleCreateProps } from '@kbn/security-solution-plugin/common/detection_engine/rule_schema';
 import { FtrProviderContext } from '../../common/ftr_provider_context';
 import {
   createSignalsIndex,
   deleteSignalsIndex,
   deleteAllRules,
-  waitForRuleSuccessOrStatus,
+  waitForRulePartialFailure,
   getRuleForSignalTesting,
   createRuleWithAuth,
   getThresholdRuleForSignalTesting,
@@ -65,12 +64,11 @@ export default ({ getService }: FtrProviderContext) => {
             user: ROLES.detections_admin,
             pass: 'changeme',
           });
-          await waitForRuleSuccessOrStatus(
+          await waitForRulePartialFailure({
             supertest,
             log,
             id,
-            RuleExecutionStatus['partial failure']
-          );
+          });
           const { body } = await supertest
             .get(DETECTION_ENGINE_RULES_URL)
             .set('kbn-xsrf', 'true')
@@ -104,12 +102,11 @@ export default ({ getService }: FtrProviderContext) => {
             user: ROLES.detections_admin,
             pass: 'changeme',
           });
-          await waitForRuleSuccessOrStatus(
+          await waitForRulePartialFailure({
             supertest,
             log,
             id,
-            RuleExecutionStatus['partial failure']
-          );
+          });
           const { body } = await supertest
             .get(DETECTION_ENGINE_RULES_URL)
             .set('kbn-xsrf', 'true')

x-pack/test/detection_engine_api_integration/security_and_spaces/group1/create_rules.ts

@@ -8,7 +8,6 @@
 import expect from '@kbn/expect';
 
 import { DETECTION_ENGINE_RULES_URL } from '@kbn/security-solution-plugin/common/constants';
-import { RuleExecutionStatus } from '@kbn/security-solution-plugin/common/detection_engine/rule_monitoring';
 import { RuleCreateProps } from '@kbn/security-solution-plugin/common/detection_engine/rule_schema';
 import { ExceptionListTypeEnum } from '@kbn/securitysolution-io-ts-list-types';
 import { ROLES } from '@kbn/security-solution-plugin/common/test';
@@ -26,12 +25,13 @@ import {
   removeServerGeneratedPropertiesIncludingRuleId,
   getSimpleMlRule,
   getSimpleMlRuleOutput,
-  waitForRuleSuccessOrStatus,
+  waitForRuleSuccess,
   getRuleForSignalTesting,
   getRuleForSignalTestingWithTimestampOverride,
   waitForAlertToComplete,
   waitForSignalsToBePresent,
   getThresholdRuleForSignalTesting,
+  waitForRulePartialFailure,
 } from '../../utils';
 import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution';
 
@@ -118,7 +118,7 @@ export default ({ getService }: FtrProviderContext) => {
             .send(simpleRule)
             .expect(200);
 
-          await waitForRuleSuccessOrStatus(supertest, log, body.id);
+          await waitForRuleSuccess({ supertest, log, id: body.id });
         });
 
         it('should create a single rule with a rule_id and an index pattern that does not match anything available and partial failure for the rule', async () => {
@@ -129,12 +129,11 @@ export default ({ getService }: FtrProviderContext) => {
             .send(simpleRule)
             .expect(200);
 
-          await waitForRuleSuccessOrStatus(
+          await waitForRulePartialFailure({
             supertest,
             log,
-            body.id,
-            RuleExecutionStatus['partial failure']
-          );
+            id: body.id,
+          });
 
           const { body: rule } = await supertest
             .get(DETECTION_ENGINE_RULES_URL)
@@ -157,7 +156,7 @@ export default ({ getService }: FtrProviderContext) => {
             .send(simpleRule)
             .expect(200);
 
-          await waitForRuleSuccessOrStatus(supertest, log, body.id, RuleExecutionStatus.succeeded);
+          await waitForRuleSuccess({ supertest, log, id: body.id });
         });
 
         it('should create a single rule without an input index', async () => {
@@ -518,12 +517,11 @@ export default ({ getService }: FtrProviderContext) => {
         const bodyId = body.id;
 
         await waitForAlertToComplete(supertest, log, bodyId);
-        await waitForRuleSuccessOrStatus(
+        await waitForRulePartialFailure({
           supertest,
           log,
-          bodyId,
-          RuleExecutionStatus['partial failure']
-        );
+          id: bodyId,
+        });
 
         const { body: rule } = await supertest
           .get(DETECTION_ENGINE_RULES_URL)
@@ -550,12 +548,11 @@ export default ({ getService }: FtrProviderContext) => {
           .expect(200);
         const bodyId = body.id;
 
-        await waitForRuleSuccessOrStatus(
+        await waitForRulePartialFailure({
           supertest,
           log,
-          bodyId,
-          RuleExecutionStatus['partial failure']
-        );
+          id: bodyId,
+        });
         await waitForSignalsToBePresent(supertest, log, 2, [bodyId]);
 
         const { body: rule } = await supertest