fixed GetFindings not searching all indices; fixed proper deletion of… (opensearch-project#122)

petardz · web-flow · commit 8dd1c9ff5feb · 2022-11-09T12:17:14.000-08:00
* fixed GetFindings not searching all indices; fixed proper deletion of old history indices


Signed-off-by: Petar Dzepina &lt;petar.dzepina@gmail.com&gt;
diff --git a/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java b/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java
@@ -82,7 +82,7 @@ public void onResponse(GetDetectorResponse getDetectorResponse) {
                 AlertsService.this.getAlertsByMonitorIds(
                         monitorToDetectorMapping,
                         monitorIds,
-                        DetectorMonitorConfig.getAlertsIndex(detector.getDetectorType()),
+                        DetectorMonitorConfig.getAllAlertsIndicesPattern(detector.getDetectorType()),
                         table,
                         severityLevel,
                         alertState,
@@ -193,7 +193,7 @@ public void getAlerts(
         AlertsService.this.getAlertsByMonitorIds(
             monitorToDetectorMapping,
             allMonitorIds,
-            DetectorMonitorConfig.getAlertsIndex(detectorType.getDetectorType()),
+            DetectorMonitorConfig.getAllAlertsIndicesPattern(detectorType.getDetectorType()),
             table,
             severityLevel,
             alertState,
diff --git a/src/main/java/org/opensearch/securityanalytics/config/monitors/DetectorMonitorConfig.java b/src/main/java/org/opensearch/securityanalytics/config/monitors/DetectorMonitorConfig.java
@@ -4,8 +4,8 @@
  */
 package org.opensearch.securityanalytics.config.monitors;
 
-import java.util.ArrayList;
 import java.util.List;
+import java.util.stream.Collectors;
 import org.opensearch.securityanalytics.model.Detector;
 
 import java.util.Arrays;
@@ -18,9 +18,11 @@ public class DetectorMonitorConfig {
 
     public static final String OPENSEARCH_DEFAULT_RULE_INDEX = ".opensearch-sap-detectors-queries-default";
     public static final String OPENSEARCH_DEFAULT_ALERT_INDEX = ".opensearch-sap-alerts-default";
+    public static final String OPENSEARCH_DEFAULT_ALL_ALERT_INDICES_PATTERN = ".opensearch-sap-alerts-default*";
     public static final String OPENSEARCH_DEFAULT_ALERT_HISTORY_INDEX = ".opensearch-sap-alerts-history-default";
     public static final String OPENSEARCH_DEFAULT_ALERT_HISTORY_INDEX_PATTERN = "<.opensearch-sap-alerts-history-default-{now/d}-1>";
     public static final String OPENSEARCH_DEFAULT_FINDINGS_INDEX = ".opensearch-sap-findings-default";
+    public static final String OPENSEARCH_DEFAULT_ALL_FINDINGS_INDICES_PATTERN = ".opensearch-sap-findings-default*";
     public static final String OPENSEARCH_DEFAULT_FINDINGS_INDEX_PATTERN = "<.opensearch-sap-findings-default-{now/d}-1>";
 
     private static Map<String, MonitorConfig> detectorTypeToIndicesMapping;
@@ -41,10 +43,16 @@ public class DetectorMonitorConfig {
                             Locale.getDefault(), ".opensearch-sap-%s-alerts*", detectorType.getDetectorType());
                     String findingsIndex = String.format(
                             Locale.getDefault(), ".opensearch-sap-%s-findings", detectorType.getDetectorType());
+                    String allFindingsIndicesPattern = String.format(
+                            Locale.getDefault(), ".opensearch-sap-%s-findings*", detectorType.getDetectorType());
                     String findingsIndexPattern = String.format(
                             Locale.getDefault(), "<.opensearch-sap-%s-findings-{now/d}-1>", detectorType.getDetectorType());
 
-                    MonitorConfig monitor = new MonitorConfig(alertsIndex, alertsHistoryIndex, alertsHistoryIndexPattern, allAlertsIndicesPattern, findingsIndex, findingsIndexPattern, ruleIndex);
+                    MonitorConfig monitor = new MonitorConfig(
+                            alertsIndex, alertsHistoryIndex, alertsHistoryIndexPattern, allAlertsIndicesPattern,
+                            findingsIndex, findingsIndexPattern, allFindingsIndicesPattern,
+                            ruleIndex
+                    );
                     detectorTypeToIndicesMapping.put(detectorType.getDetectorType(), monitor);
                 });
     }
@@ -76,7 +84,14 @@ public static String getAlertsHistoryIndexPattern(String detectorType) {
     public static String getAllAlertsIndicesPattern(String detectorType) {
         return detectorTypeToIndicesMapping.containsKey(detectorType) ?
                 detectorTypeToIndicesMapping.get(detectorType).getAllAlertsIndicesPattern() :
-                "*";
+                OPENSEARCH_DEFAULT_ALL_ALERT_INDICES_PATTERN;
+    }
+
+    public static List<String> getAllAlertsIndicesPatternForAllTypes() {
+        return detectorTypeToIndicesMapping.entrySet()
+                .stream()
+                .map(e -> e.getValue().getAllAlertsIndicesPattern())
+                .collect(Collectors.toList());
     }
 
     public static String getFindingsIndex(String detectorType) {
@@ -85,6 +100,19 @@ public static String getFindingsIndex(String detectorType) {
                 OPENSEARCH_DEFAULT_FINDINGS_INDEX;
     }
 
+    public static String getAllFindingsIndicesPattern(String detectorType) {
+        return detectorTypeToIndicesMapping.containsKey(detectorType) ?
+                detectorTypeToIndicesMapping.get(detectorType).getAllFindingsIndicesPattern() :
+                OPENSEARCH_DEFAULT_ALL_FINDINGS_INDICES_PATTERN;
+    }
+
+    public static List<String> getAllFindingsIndicesPatternForAllTypes() {
+        return detectorTypeToIndicesMapping.entrySet()
+                .stream()
+                .map(e -> e.getValue().getAllFindingsIndicesPattern())
+                .collect(Collectors.toList());
+    }
+
     public static String getFindingsIndexPattern(String detectorType) {
         return detectorTypeToIndicesMapping.containsKey(detectorType) ?
                 detectorTypeToIndicesMapping.get(detectorType).getFindingsIndexPattern() :
@@ -106,6 +134,7 @@ public static class MonitorConfig {
         private final String allAlertsIndicesPattern;
         private final String findingIndex;
         private final String findingsIndexPattern;
+        private final String allFindingsIndicesPattern;
         private final String ruleIndex;
 
         private MonitorConfig(
@@ -115,6 +144,7 @@ private MonitorConfig(
                 String allAlertsIndicesPattern,
                 String findingsIndex,
                 String findingsIndexPattern,
+                String allFindingsIndicesPattern,
                 String ruleIndex
         ) {
             this.alertsIndex = alertsIndex;
@@ -123,6 +153,7 @@ private MonitorConfig(
             this.allAlertsIndicesPattern = allAlertsIndicesPattern;
             this.findingIndex = findingsIndex;
             this.findingsIndexPattern = findingsIndexPattern;
+            this.allFindingsIndicesPattern = allFindingsIndicesPattern;
             this.ruleIndex = ruleIndex;
         }
 
@@ -150,6 +181,10 @@ public String getFindingsIndexPattern() {
             return findingsIndexPattern;
         }
 
+        public String getAllFindingsIndicesPattern() {
+            return allFindingsIndicesPattern;
+        }
+
         public String getRuleIndex() {
             return ruleIndex;
         }
diff --git a/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java b/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java
@@ -91,7 +91,7 @@ public void onFailure(Exception e) {
                 FindingsService.this.getFindingsByMonitorIds(
                         monitorToDetectorMapping,
                         monitorIds,
-                        DetectorMonitorConfig.getFindingsIndex(detector.getDetectorType()),
+                        DetectorMonitorConfig.getAllFindingsIndicesPattern(detector.getDetectorType()),
                         table,
                         getFindingsResponseListener
                 );
@@ -183,7 +183,7 @@ public void getFindings(
         FindingsService.this.getFindingsByMonitorIds(
             monitorToDetectorMapping,
             allMonitorIds,
-            DetectorMonitorConfig.getFindingsIndex(detectorType.getDetectorType()),
+            DetectorMonitorConfig.getAllFindingsIndicesPattern(detectorType.getDetectorType()),
             table,
             new ActionListener<>() {
                 @Override
diff --git a/src/main/java/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService.java b/src/main/java/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService.java
@@ -55,9 +55,6 @@ public class DetectorIndexManagementService extends AbstractLifecycleComponent i
 
     private Logger logger = LogManager.getLogger(DetectorIndexManagementService.class);
 
-    private static final String ALERT_HISTORY_ALL = ".opensearch-sap-alerts-history-*";
-    private static final String FINDING_HISTORY_ALL = ".opensearch-sap-findings-*";
-
     private final Client client;
     private final ThreadPool threadPool;
     private final ClusterService clusterService;
@@ -235,7 +232,7 @@ private String executorName() {
         return ThreadPool.Names.MANAGEMENT;
     }
 
-    private void deleteOldIndices(String tag, String indices) {
+    private void deleteOldIndices(String tag, String... indices) {
         logger.error("info deleteOldIndices");
         ClusterStateRequest clusterStateRequest = new ClusterStateRequest()
                 .clear()
@@ -250,7 +247,7 @@ private void deleteOldIndices(String tag, String indices) {
                     public void onResponse(ClusterStateResponse clusterStateResponse) {
                         if (!clusterStateResponse.getState().metadata().getIndices().isEmpty()) {
                             List<String> indicesToDelete = getIndicesToDelete(clusterStateResponse);
-                            logger.info("Deleting old " + tag + " indices viz $indicesToDelete");
+                            logger.info("Checking if we should delete " + tag + " indices: [" + indicesToDelete + "]");
                             deleteAllOldHistoryIndices(indicesToDelete);
                         } else {
                             logger.info("No Old " + tag + " Indices to delete");
@@ -269,12 +266,14 @@ private List<String> getIndicesToDelete(ClusterStateResponse clusterStateRespons
         List<String> indicesToDelete = new ArrayList<>();
         for (ObjectCursor<IndexMetadata> in : clusterStateResponse.getState().metadata().indices().values()) {
             IndexMetadata indexMetaData = in.value;
-            indicesToDelete.add(
-                    getHistoryIndexToDelete(indexMetaData, alertHistoryRetentionPeriod.millis(), alertHistoryIndices, alertHistoryEnabled)
-            );
-            indicesToDelete.add(
-                    getHistoryIndexToDelete(indexMetaData, findingHistoryRetentionPeriod.millis(), findingHistoryIndices, findingHistoryEnabled)
-            );
+            String indexToDelete = getHistoryIndexToDelete(indexMetaData, alertHistoryRetentionPeriod.millis(), alertHistoryIndices, alertHistoryEnabled);
+            if (indexToDelete != null) {
+                indicesToDelete.add(indexToDelete);
+            }
+            indexToDelete = getHistoryIndexToDelete(indexMetaData, findingHistoryRetentionPeriod.millis(), findingHistoryIndices, findingHistoryEnabled);
+            if (indexToDelete != null) {
+                indicesToDelete.add(indexToDelete);
+            }
         }
         return indicesToDelete;
     }
@@ -319,15 +318,17 @@ private void deleteAllOldHistoryIndices(List<String> indicesToDelete) {
                         public void onResponse(AcknowledgedResponse deleteIndicesResponse) {
                             if (!deleteIndicesResponse.isAcknowledged()) {
                                 logger.error(
-                                        "Could not delete one or more Alerting/Finding history indices: $indicesToDelete. Retrying one by one."
+                                        "Could not delete one or more Alerting/Finding history indices: [" + indicesToDelete + "]. Retrying one by one."
                                 );
                                 deleteOldHistoryIndex(indicesToDelete);
+                            } else {
+                                logger.info("Succsessfuly deleted indices: [" + indicesToDelete + "]");
                             }
                         }
 
                         @Override
                         public void onFailure(Exception e) {
-                            logger.error("Delete for Alerting/Finding History Indices $indicesToDelete Failed. Retrying one By one.");
+                            logger.error("Delete for Alerting/Finding History Indices failed: [" + indicesToDelete + "]. Retrying one By one.");
                             deleteOldHistoryIndex(indicesToDelete);
                         }
                     }
@@ -351,7 +352,7 @@ public void onResponse(AcknowledgedResponse acknowledgedResponse) {
 
                         @Override
                         public void onFailure(Exception e) {
-                            logger.debug("Exception ${e.message} while deleting the index " + index);
+                            logger.debug("Exception: [" + e.getMessage() + "] while deleting the index " + index);
                         }
                     }
             );
@@ -360,12 +361,12 @@ public void onFailure(Exception e) {
 
     private void rolloverAndDeleteAlertHistoryIndices() {
         if (alertHistoryEnabled) rolloverAlertHistoryIndices();
-        deleteOldIndices("History", ALERT_HISTORY_ALL);
+        deleteOldIndices("Alert", DetectorMonitorConfig.getAllAlertsIndicesPatternForAllTypes().toArray(new String[0]));
     }
 
     private void rolloverAndDeleteFindingHistoryIndices() {
         if (findingHistoryEnabled) rolloverFindingHistoryIndices();
-        deleteOldIndices("Finding", FINDING_HISTORY_ALL);
+        deleteOldIndices("Finding", DetectorMonitorConfig.getAllFindingsIndicesPatternForAllTypes().toArray(new String[0]));
     }
 
     private void rolloverIndex(
@@ -393,13 +394,13 @@ private void rolloverIndex(
                     @Override
                     public void onResponse(RolloverResponse rolloverResponse) {
                         if (!rolloverResponse.isRolledOver()) {
-                            logger.info(index + "not rolled over. Conditions were: ${response.conditionStatus}");
+                            logger.info(index + "not rolled over. Conditions were: " + rolloverResponse.getConditionStatus());
                         }
                     }
 
                     @Override
                     public void onFailure(Exception e) {
-                        logger.error(index + " not roll over failed.");
+                        logger.error("rollover failed for index [" + index + "].");
                     }
                 }
         );
@@ -417,9 +418,9 @@ private void rolloverAlertHistoryIndices() {
     private void rolloverFindingHistoryIndices() {
         for (HistoryIndexInfo h : findingHistoryIndices) {
             rolloverIndex(
-                    h.isInitialized, h.indexAlias,
-                    h.indexPattern, h.indexMappings,
-                    h.maxDocs, h.maxAge
+                h.isInitialized, h.indexAlias,
+                h.indexPattern, h.indexMappings,
+                h.maxDocs, h.maxAge
             );
         }
     }
diff --git a/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsRestTestCase.java b/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsRestTestCase.java
@@ -1120,7 +1120,7 @@ public List<String> getAlertIndices(String detectorType) throws IOException {
     }
 
     public List<String> getFindingIndices(String detectorType) throws IOException {
-        Response response = client().performRequest(new Request("GET", "/_cat/indices/" + DetectorMonitorConfig.getFindingsIndex(detectorType) + "?format=json"));
+        Response response = client().performRequest(new Request("GET", "/_cat/indices/" + DetectorMonitorConfig.getAllFindingsIndicesPattern(detectorType) + "?format=json"));
         XContentParser xcp = createParser(XContentType.JSON.xContent(), response.getEntity().getContent());
         List<Object> responseList = xcp.list();
         List<String> indices = new ArrayList<>();
diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java b/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java
diff --git a/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java b/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java

Original file line number	Diff line number	Diff line change
`@@ -1120,7 +1120,7 @@ public List<String> getAlertIndices(String detectorType) throws IOException {`
`1120`	`1120`	`}`
`1121`	`1121`
`1122`	`1122`	`public List<String> getFindingIndices(String detectorType) throws IOException {`
`1123`		`- Response response = client().performRequest(new Request("GET", "/_cat/indices/" + DetectorMonitorConfig.getFindingsIndex(detectorType) + "?format=json"));`
	`1123`	`+ Response response = client().performRequest(new Request("GET", "/_cat/indices/" + DetectorMonitorConfig.getAllFindingsIndicesPattern(detectorType) + "?format=json"));`
`1124`	`1124`	`XContentParser xcp = createParser(XContentType.JSON.xContent(), response.getEntity().getContent());`
`1125`	`1125`	`List<Object> responseList = xcp.list();`
`1126`	`1126`	`List<String> indices = new ArrayList<>();`