[Security Solution] Integration tests for query diff algorithms#192655
[Security Solution] Integration tests for query diff algorithms#192655dplumlee merged 5 commits intoelastic:mainfrom
query diff algorithms#192655Conversation
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Flaky Test Runner Stats🎉 All tests passed! - kibana-flaky-test-suite-runner#6921[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/management/trial_license_complete_tier/configs/ess.config.ts: 100/100 tests passed. |
nikitaindik
left a comment
There was a problem hiding this comment.
Thanks @dplumlee! I have reviewed and left a few comments.
...les/management/trial_license_complete_tier/upgrade_review_prebuilt_rules.eql_query_fields.ts
Outdated
Show resolved
Hide resolved
...les/management/trial_license_complete_tier/upgrade_review_prebuilt_rules.eql_query_fields.ts
Outdated
Show resolved
Hide resolved
| has_base_version: true, | ||
| }); | ||
|
|
||
| expect(reviewResponse.rules[0].diff.num_fields_with_updates).toBe(2); |
There was a problem hiding this comment.
Please help me understand why is it 2 here? Which other field was updated except eql_query? Is it version? If yes, then why is num_fields_with_updates === 1 for scenario ABA?
There was a problem hiding this comment.
Yeah, it's version. It will always be present given the nature of the way the tests are written. I can put this in a comment.
For ABA, there's technically no update for the eql_query field, only version
There was a problem hiding this comment.
Got it. Thanks for the explanation.
| await installPrebuiltRules(es, supertest); | ||
|
|
||
| // Customize an eql_query field on the installed rule | ||
| await updateRule(supertest, { |
There was a problem hiding this comment.
Why is updateRule used here, but patchRule is used for ABB below? Is there a difference?
There was a problem hiding this comment.
No, this is copied over from the kql_query file where the difference was needed, I can switch them to be the same
There was a problem hiding this comment.
nit: I think it's better to use patchRule because it communicates the intent more clearly. Like "I want to update these specific fields without touching the other ones".
There was a problem hiding this comment.
I'd probably agree with you for the ones that don't need to unset fields, but for whatever reason, certain fields like saved_id and threat_query don't correctly update with this PATCH util. I didn't look too much into it as I thought keeping the tests consistent and readable was a good reason to just use the updateRule util, possible I was just using it incorrectly. But it works with other fields so not sure, I'll look more into it soon and open a ticket to investigate if need be
...les/management/trial_license_complete_tier/upgrade_review_prebuilt_rules.eql_query_fields.ts
Outdated
Show resolved
Hide resolved
...les/management/trial_license_complete_tier/upgrade_review_prebuilt_rules.eql_query_fields.ts
Outdated
Show resolved
Hide resolved
...les/management/trial_license_complete_tier/upgrade_review_prebuilt_rules.kql_query_fields.ts
Outdated
Show resolved
Hide resolved
...les/management/trial_license_complete_tier/upgrade_review_prebuilt_rules.kql_query_fields.ts
Outdated
Show resolved
Hide resolved
...es/management/trial_license_complete_tier/upgrade_review_prebuilt_rules.esql_query_fields.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Do you think we should also a file for threat_query? It's mostly like kql_query except it can only have inline queries.
Or maybe we could split this kql_query test file into two files - one for inline, another for saved queries. And then mention in the comment that the inline query one applies to both kql_query and threat_query. What's your opinion?
There was a problem hiding this comment.
I was thinking a bit more about this last night, I think I'm going to add a few of these cases into the ABC category. I think it'd also be worth covering new_terms and threshold rule types as they have the kql_query field as well.
As the diff algorithm itself is the same between kql_query and threat_query, I don't think we need an entire separate file - I think just having the extra test cases for coverage exist in the ABC scenario as we've done for the other diff algorithms will suffice.
nikitaindik
left a comment
There was a problem hiding this comment.
Thanks for the updates and explanations @dplumlee! PR LGTM now. Left one nit comment.
…m-integration-tests
|
@elasticmachine merge upstream |
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]
History
To update your PR or re-run it, just comment with: cc @dplumlee |
…astic#192655) ## Summary Completes elastic#187658 Switches `kql_query`, `eql_query`, and `esql_query` fields to use the implemented diff algorithms assigned to them in elastic#190179 Adds integration tests in accordance to elastic#192529 for the `upgrade/_review` API endpoint for the `query` field diff algorithms. ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) (cherry picked from commit ceb1b1a)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
…f algorithms (#192655) (#193108) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Integration tests for `query` diff algorithms (#192655)](#192655) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Davis Plumlee","email":"56367316+dplumlee@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-09-16T23:58:55Z","message":"[Security Solution] Integration tests for `query` diff algorithms (#192655)\n\n## Summary\r\n\r\nCompletes https://github.com/elastic/kibana/issues/187658\r\n\r\n\r\nSwitches `kql_query`, `eql_query`, and `esql_query` fields to use the\r\nimplemented diff algorithms assigned to them in\r\nhttps://github.com//pull/190179\r\n\r\n\r\nAdds integration tests in accordance to\r\nhttps://github.com//pull/192529 for the `upgrade/_review`\r\nAPI endpoint for the `query` field diff algorithms.\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [x] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"ceb1b1a4bf253ac94f9ba0ba649e9a4908a76c51","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["test","release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","v8.16.0"],"title":"[Security Solution] Integration tests for `query` diff algorithms","number":192655,"url":"https://github.com/elastic/kibana/pull/192655","mergeCommit":{"message":"[Security Solution] Integration tests for `query` diff algorithms (#192655)\n\n## Summary\r\n\r\nCompletes https://github.com/elastic/kibana/issues/187658\r\n\r\n\r\nSwitches `kql_query`, `eql_query`, and `esql_query` fields to use the\r\nimplemented diff algorithms assigned to them in\r\nhttps://github.com//pull/190179\r\n\r\n\r\nAdds integration tests in accordance to\r\nhttps://github.com//pull/192529 for the `upgrade/_review`\r\nAPI endpoint for the `query` field diff algorithms.\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [x] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"ceb1b1a4bf253ac94f9ba0ba649e9a4908a76c51"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192655","number":192655,"mergeCommit":{"message":"[Security Solution] Integration tests for `query` diff algorithms (#192655)\n\n## Summary\r\n\r\nCompletes https://github.com/elastic/kibana/issues/187658\r\n\r\n\r\nSwitches `kql_query`, `eql_query`, and `esql_query` fields to use the\r\nimplemented diff algorithms assigned to them in\r\nhttps://github.com//pull/190179\r\n\r\n\r\nAdds integration tests in accordance to\r\nhttps://github.com//pull/192529 for the `upgrade/_review`\r\nAPI endpoint for the `query` field diff algorithms.\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [x] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"ceb1b1a4bf253ac94f9ba0ba649e9a4908a76c51"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Davis Plumlee <56367316+dplumlee@users.noreply.github.com>
Summary
Completes #187658
Switches
kql_query,eql_query, andesql_queryfields to use the implemented diff algorithms assigned to them in #190179Adds integration tests in accordance to #192529 for the
upgrade/_reviewAPI endpoint for thequeryfield diff algorithms.Checklist
Delete any items that are not applicable to this PR.
For maintainers