-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[SECURITY_SOLUTION][ENDPOINT] Trusted Apps List API (#75476)
* Trusted Apps initial setup for route registration * Added types for TrustedApp entries * trusted apps list API returns results * use methods and const from latest PR merge to lists * a quick generator for trusted apps entries * support cli options for trusted app data loader * Add mocked `createTrustedAppsList()` method to `ExceptionListClientMock` * tests fro trusted apps route handlers * tests for trusted apps schema * Correct name of mock method * Fix service to ensure return value of `getExceptionList` service throws if service not available * Fix types * Refactor TrustedApp type + code review feedback
- Loading branch information
1 parent
532f2d7
commit 9873df8
Showing
16 changed files
with
503 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
71 changes: 71 additions & 0 deletions
71
x-pack/plugins/security_solution/common/endpoint/schema/trusted_apps.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import { GetTrustedAppsRequestSchema } from './trusted_apps'; | ||
|
||
describe('When invoking Trusted Apps Schema', () => { | ||
describe('for GET List', () => { | ||
const getListQueryParams = (page: unknown = 1, perPage: unknown = 20) => ({ | ||
page, | ||
per_page: perPage, | ||
}); | ||
const query = GetTrustedAppsRequestSchema.query; | ||
|
||
describe('query param validation', () => { | ||
it('should return query params if valid', () => { | ||
expect(query.validate(getListQueryParams())).toEqual({ | ||
page: 1, | ||
per_page: 20, | ||
}); | ||
}); | ||
|
||
it('should use default values', () => { | ||
expect(query.validate(getListQueryParams(undefined, undefined))).toEqual({ | ||
page: 1, | ||
per_page: 20, | ||
}); | ||
expect(query.validate(getListQueryParams(undefined, 100))).toEqual({ | ||
page: 1, | ||
per_page: 100, | ||
}); | ||
expect(query.validate(getListQueryParams(10, undefined))).toEqual({ | ||
page: 10, | ||
per_page: 20, | ||
}); | ||
}); | ||
|
||
it('should throw if `page` param is not a number', () => { | ||
expect(() => { | ||
query.validate(getListQueryParams('one')); | ||
}).toThrowError(); | ||
}); | ||
|
||
it('should throw if `page` param is less than 1', () => { | ||
expect(() => { | ||
query.validate(getListQueryParams(0)); | ||
}).toThrowError(); | ||
expect(() => { | ||
query.validate(getListQueryParams(-1)); | ||
}).toThrowError(); | ||
}); | ||
|
||
it('should throw if `per_page` param is not a number', () => { | ||
expect(() => { | ||
query.validate(getListQueryParams(1, 'twenty')); | ||
}).toThrowError(); | ||
}); | ||
|
||
it('should throw if `per_page` param is less than 1', () => { | ||
expect(() => { | ||
query.validate(getListQueryParams(1, 0)); | ||
}).toThrowError(); | ||
expect(() => { | ||
query.validate(getListQueryParams(1, -1)); | ||
}).toThrowError(); | ||
}); | ||
}); | ||
}); | ||
}); |
14 changes: 14 additions & 0 deletions
14
x-pack/plugins/security_solution/common/endpoint/schema/trusted_apps.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import { schema } from '@kbn/config-schema'; | ||
|
||
export const GetTrustedAppsRequestSchema = { | ||
query: schema.object({ | ||
page: schema.maybe(schema.number({ defaultValue: 1, min: 1 })), | ||
per_page: schema.maybe(schema.number({ defaultValue: 20, min: 1 })), | ||
}), | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
52 changes: 52 additions & 0 deletions
52
x-pack/plugins/security_solution/common/endpoint/types/trusted_apps.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import { TypeOf } from '@kbn/config-schema'; | ||
import { GetTrustedAppsRequestSchema } from '../schema/trusted_apps'; | ||
|
||
/** API request params for retrieving a list of Trusted Apps */ | ||
export type GetTrustedAppsListRequest = TypeOf<typeof GetTrustedAppsRequestSchema.query>; | ||
export interface GetTrustedListAppsResponse { | ||
per_page: number; | ||
page: number; | ||
total: number; | ||
data: TrustedApp[]; | ||
} | ||
|
||
interface MacosLinuxConditionEntry { | ||
field: 'hash' | 'path'; | ||
type: 'match'; | ||
operator: 'included'; | ||
value: string; | ||
} | ||
|
||
type WindowsConditionEntry = | ||
| MacosLinuxConditionEntry | ||
| (Omit<MacosLinuxConditionEntry, 'field'> & { | ||
field: 'signer'; | ||
}); | ||
|
||
/** Type for a new Trusted App Entry */ | ||
export type NewTrustedApp = { | ||
name: string; | ||
description?: string; | ||
} & ( | ||
| { | ||
os: 'linux' | 'macos'; | ||
entries: MacosLinuxConditionEntry[]; | ||
} | ||
| { | ||
os: 'windows'; | ||
entries: WindowsConditionEntry[]; | ||
} | ||
); | ||
|
||
/** A trusted app entry */ | ||
export type TrustedApp = NewTrustedApp & { | ||
id: string; | ||
created_at: string; | ||
created_by: string; | ||
}; |
9 changes: 9 additions & 0 deletions
9
x-pack/plugins/security_solution/scripts/endpoint/load_trusted_apps.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
#!/usr/bin/env node | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
require('../../../../../src/setup_node_env'); | ||
require('./trusted_apps').cli(); |
91 changes: 91 additions & 0 deletions
91
x-pack/plugins/security_solution/scripts/endpoint/trusted_apps/index.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,91 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
import { v4 as generateUUID } from 'uuid'; | ||
// @ts-ignore | ||
import minimist from 'minimist'; | ||
import { KbnClient, ToolingLog } from '@kbn/dev-utils'; | ||
import { ENDPOINT_TRUSTED_APPS_LIST_ID } from '../../../../lists/common/constants'; | ||
import { TRUSTED_APPS_LIST_API } from '../../../common/endpoint/constants'; | ||
import { ExceptionListItemSchema } from '../../../../lists/common/schemas/response'; | ||
|
||
interface RunOptions { | ||
count?: number; | ||
} | ||
|
||
const logger = new ToolingLog({ level: 'info', writeTo: process.stdout }); | ||
const separator = '----------------------------------------'; | ||
|
||
export const cli = async () => { | ||
const options: RunOptions = minimist(process.argv.slice(2), { | ||
default: { | ||
count: 10, | ||
}, | ||
}); | ||
logger.write(`${separator} | ||
Loading ${options.count} Trusted App Entries`); | ||
await run(options); | ||
logger.write(`Done! | ||
${separator}`); | ||
}; | ||
|
||
export const run: (options?: RunOptions) => Promise<ExceptionListItemSchema[]> = async ({ | ||
count = 10, | ||
}: RunOptions = {}) => { | ||
const kbnClient = new KbnClient(logger, { url: 'http://elastic:changeme@localhost:5601' }); | ||
|
||
// touch the Trusted Apps List so it can be created | ||
await kbnClient.request({ | ||
method: 'GET', | ||
path: TRUSTED_APPS_LIST_API, | ||
}); | ||
|
||
return Promise.all( | ||
Array.from({ length: count }, () => { | ||
return kbnClient | ||
.request({ | ||
method: 'POST', | ||
path: '/api/exception_lists/items', | ||
body: generateTrustedAppEntry(), | ||
}) | ||
.then<ExceptionListItemSchema>((item) => (item as unknown) as ExceptionListItemSchema); | ||
}) | ||
); | ||
}; | ||
|
||
interface GenerateTrustedAppEntryOptions { | ||
os?: 'windows' | 'macos' | 'linux'; | ||
name?: string; | ||
} | ||
|
||
const generateTrustedAppEntry: (options?: GenerateTrustedAppEntryOptions) => object = ({ | ||
os = 'windows', | ||
name = `Sample Endpoint Trusted App Entry ${Date.now()}`, | ||
} = {}) => { | ||
return { | ||
list_id: ENDPOINT_TRUSTED_APPS_LIST_ID, | ||
item_id: `generator_endpoint_trusted_apps_${generateUUID()}`, | ||
_tags: ['endpoint', `os:${os}`], | ||
tags: ['user added string for a tag', 'malware'], | ||
type: 'simple', | ||
description: 'This is a sample agnostic endpoint trusted app entry', | ||
name, | ||
namespace_type: 'agnostic', | ||
entries: [ | ||
{ | ||
field: 'actingProcess.file.signer', | ||
operator: 'included', | ||
type: 'match', | ||
value: 'Elastic, N.V.', | ||
}, | ||
{ | ||
field: 'actingProcess.file.path', | ||
operator: 'included', | ||
type: 'match', | ||
value: '/one/two/three', | ||
}, | ||
], | ||
}; | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.