
[Security Solution] Support testing of prerelease detection rules with Kibana #147466

Closed
Tracked by #174166
xcrzx opened this issue Dec 13, 2022 · 3 comments · Fixed by #148426
Assignees
Labels
8.7 candidate Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.7.0

Comments

@xcrzx
Contributor

xcrzx commented Dec 13, 2022

Epic: https://github.com/elastic/security-team/issues/1974 (internal)

Summary

Use prerelease rules package versions for local development and CI

Fleet recently removed support for snapshot and staging registries. All environments now use production packages, including local setups and CI. That means there is no way to test prerelease versions of detection rules with Kibana.

Fleet proposes using semantic versioning to mark prerelease packages, such as 8.5.1-next. To ensure proper testing, we need to update our code to install prerelease versions of the prepackaged rules package during local development and in CI. The logic should be similar to what we had previously:

```ts
const getDefaultRegistryUrl = (): string => {
  const branch = appContextService.getKibanaBranch();
  if (branch === 'main') {
    // Builds from main used the snapshot registry
    return SNAPSHOT_REGISTRY_URL_CDN;
  } else if (appContextService.getKibanaVersion().includes('-SNAPSHOT')) {
    // -SNAPSHOT builds of release branches used the staging registry
    return STAGING_REGISTRY_URL_CDN;
  } else {
    return PRODUCTION_REGISTRY_URL_CDN;
  }
};
```

We should call methods that install packages with prerelease: true to install prerelease packages.

diff --git a/x-pack/plugins/security_solution/public/common/hooks/use_upgrade_security_packages.ts b/x-pack/plugins/security_solution/public/common/hooks/use_upgrade_security_packages.ts
index 848f1458502..e476a91cc93 100644
--- a/x-pack/plugins/security_solution/public/common/hooks/use_upgrade_security_packages.ts
+++ b/x-pack/plugins/security_solution/public/common/hooks/use_upgrade_security_packages.ts
@@ -24,6 +24,9 @@ const sendUpgradeSecurityPackages = async (
 ): Promise<BulkInstallPackagesResponse> => {
   return http.post<BulkInstallPackagesResponse>(epmRouteService.getBulkInstallPath(), {
     ...options,
+    query: {
+      prerelease: true,
+    },
     body: JSON.stringify({
       packages: ['endpoint', 'security_detection_engine'],
     }),
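Review bot: `prerelease: true` is added to the query unconditionally in this hunk, whereas the issue text above asks for logic similar to the old registry selection (prerelease only when the branch is `main` or the Kibana version contains `-SNAPSHOT`); as written, production builds would also request prerelease `endpoint` and `security_detection_engine` packages. Gate the query on that branch/version check, e.g. `query: { prerelease: isPrereleaseBuild }`, so released builds keep installing released packages.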

Allow selecting the rules package version for testing

Currently, it is impossible to install the prebuilt rules package of a version other than the latest. Therefore, to alleviate the prebuilt rules package testing (see comment), we need to add the ability to specify desired package version in the Kibana config.
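The decision logic described in this issue (prerelease packages only on `main` or `-SNAPSHOT` builds, plus a config-pinned rules package version with `force: true`, as the fixing PR describes) as an added TypeScript example, not Kibana's own code: the function names are hypothetical and the Fleet EPM route paths are assumed to match the bulk-install and install-by-version endpoints.

```typescript
// Added example (not Kibana's code). Names are hypothetical; EPM paths assumed.
type InstallRequest =
  | { kind: 'bulk'; path: string; query: { prerelease: boolean }; body: { packages: string[] } }
  | { kind: 'pinned'; path: string; body: { force: boolean } };

// Prerelease packages are wanted only on `main` or on -SNAPSHOT builds,
// mirroring the registry-selection logic Fleet previously used.
function shouldInstallPrerelease(branch: string, kibanaVersion: string): boolean {
  return branch === 'main' || kibanaVersion.includes('-SNAPSHOT');
}

// Fleet marks prerelease packages with a semver prerelease tag, e.g. 8.5.1-next.
const SEMVER = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/;

function parseVersion(version: string): { core: string; prerelease?: string } {
  const m = SEMVER.exec(version);
  if (!m) throw new Error(`not a semver package version: ${version}`);
  return { core: `${m[1]}.${m[2]}.${m[3]}`, prerelease: m[4] };
}

function isPrereleaseVersion(version: string): boolean {
  return parseVersion(version).prerelease !== undefined;
}

function buildInstallRequest(opts: {
  branch: string;
  kibanaVersion: string;
  prebuiltRulesPackageVersion?: string; // xpack.securitySolution.prebuiltRulesPackageVersion
}): InstallRequest {
  const { branch, kibanaVersion, prebuiltRulesPackageVersion } = opts;
  if (prebuiltRulesPackageVersion !== undefined) {
    // Validate the config value before it becomes part of a request path.
    parseVersion(prebuiltRulesPackageVersion);
    return {
      kind: 'pinned',
      path: `/api/fleet/epm/packages/security_detection_engine/${prebuiltRulesPackageVersion}`,
      // force: Fleet otherwise rejects a version it considers out-of-date.
      body: { force: true },
    };
  }
  return {
    kind: 'bulk',
    path: '/api/fleet/epm/packages/_bulk',
    query: { prerelease: shouldInstallPrerelease(branch, kibanaVersion) },
    body: { packages: ['endpoint', 'security_detection_engine'] },
  };
}
```

As the PR notes, a pinned version only takes effect after the package installed at Kibana start-up has been uninstalled.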

@xcrzx xcrzx added Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team 8.7 candidate labels Dec 13, 2022
@xcrzx xcrzx self-assigned this Dec 13, 2022
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@xcrzx xcrzx changed the title [Security Solution] Introduce a config setting to control the version of the prebuilt rules package [Security Solution] Support testing of prerelease detection rules with Kibana Dec 16, 2022
@banderror banderror added the Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area label Dec 19, 2022
@banderror banderror assigned spong and unassigned xcrzx Dec 29, 2022
spong added a commit that referenced this issue Jan 17, 2023
…rules (#148426)

## Summary

Resolves #147466
Resolves #112910

* Updates `useUpgradeSecurityPackages` hook to install the `prerelease` version of the `endpoint` and `security_detection_engine` packages if the current branch is `main` or build is `-SNAPSHOT` (to ensure PRs are testing against the latest to-be-released packages)
* Adds new `kibana.yml` configuration `xpack.securitySolution.prebuiltRulesPackageVersion` for specifying the version of the `security_detection_engine` package to install within the client-side logic of the `useUpgradeSecurityPackages` hook
* Adds FTR helpers for consuming the `xpack.securitySolution.prebuiltRulesPackageVersion` configuration from the `kbnServerArgs` and for installing a specific detection rules package version [c467762](c467762).
* Regenerated docs
* Unskips `useUpgradeSecurityPackages` tests from [#112910](#112910)

Note: I added jest tests for the `useUpgradeSecurityPackages` changes, however didn't find a reasonable way to test the `prebuiltRulesPackageVersion` configuration addition via FTR's, so ended up testing that manually by running a local `package-registry` and serving up two different versions of the `security_detection_engine` package (`8.3.1`/`8.4.1`) and specifying 

> xpack.securitySolution.prebuiltRulesPackageVersion: '8.3.1'

in my `kibana.dev.yml` to try and install the previous version. This initially failed as fleet would say the package is `out-of-date`

<p align="center">
  <img width="700" src="https://user-images.githubusercontent.com/2946766/211948816-69860629-6db0-4007-8786-3b08f7312baf.png" />
</p>

Since there was a higher version with the same `kibana.version` requirement: `kibana.version: ^8.4.0`. Modifying this for the higher version to `^8.9.0` then allowed for the installation of the `8.3.1` as specified in the `prebuiltRulesPackageVersion` setting:

<p align="center">
  <img width="700" src="https://user-images.githubusercontent.com/2946766/211946889-030c2fdd-6c7d-4124-a1dc-003b54982311.png" />
</p>

<p align="center">
  <img width="700" src="https://user-images.githubusercontent.com/2946766/211948135-03163b0f-b1c2-435a-b91f-c3cbbe028053.png" />
</p>

As [mentioned](#148426 (comment)) by @xcrzx, I ended up adding `force:true` to the individual install request to get around this limitation and to have a better testing experience within Cypress.

Note II: When using the `prebuiltRulesPackageVersion` setting, since this is used for updates initiated from the client and not on kibana start like the `fleet_package.json` (added in #143839), you will have to uninstall the package that was installed on start-up for this to be successful. 

Note III: When wanting to run the Cypress tests against a specific package version, be sure to update the cypress FTR configuration [cf3a83f](cf3a83f).

### Checklist

Delete any items that are not applicable to this PR.

- [X] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
@spong
Member

spong commented Jan 18, 2023

Additional artifacts from working this now that #148426 is merged:

Internal docs PR for outlining our different test configurations: https://github.com/elastic/security-team/pull/5762
Sample Kibana PR for testing cypress against the 8.3.4-beta.1 package #149081
