elastic · tomsonpl · May 19, 2022 · Apr 29, 2022 · Apr 29, 2022 · Apr 29, 2022
@@ -35,9 +35,7 @@ const OsqueryEditorComponent: React.FC<OsqueryEditorProps> = ({
 }) => {
   const [editorValue, setEditorValue] = useState(defaultValue ?? '');
 
-  useDebounce(() => onChange(editorValue.replaceAll('\n', ' ').replaceAll('  ', ' ')), 500, [
-    editorValue,
-  ]);
+  useDebounce(() => onChange(editorValue), 500, [editorValue]);
 
   useEffect(() => setEditorValue(defaultValue), [defaultValue]);
 

@@ -746,11 +746,13 @@ export const ECSMappingEditorField = React.memo(
         return;
       }
 
+      const oneLineQuery = query.replaceAll('\n', ' ').replaceAll('  ', ' ');
+
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       let ast: Record<string, any> | undefined;
 
       try {
-        ast = sqlParser.parse(query)?.value;
+        ast = sqlParser.parse(oneLineQuery)?.value;
       } catch (e) {
         return;
       }

@@ -19,7 +19,7 @@ import { OsqueryAppContext } from '../../lib/osquery_app_context_services';
 import { OSQUERY_INTEGRATION_NAME } from '../../../common';
 import { PLUGIN_ID } from '../../../common';
 import { packSavedObjectType } from '../../../common/types';
-import { convertPackQueriesToSO } from './utils';
+import { convertPackQueriesToSO, convertSOQueriesToPack } from './utils';
 import { getInternalSavedObjectsClient } from '../../usage/collector';
 
 export const createPackRoute = (router: IRouter, osqueryContext: OsqueryAppContext) => {
@@ -138,7 +138,7 @@ export const createPackRoute = (router: IRouter, osqueryContext: OsqueryAppConte
                   }
 
                   set(draft, `inputs[0].config.osquery.value.packs.${packSO.attributes.name}`, {
-                    queries,
+                    queries: convertSOQueriesToPack(queries, true),
                   });
 
                   return draft;

@@ -282,7 +282,7 @@ export const updatePackRoute = (router: IRouter, osqueryContext: OsqueryAppConte
                     draft,
                     `inputs[0].config.osquery.value.packs.${updatedPackSO.attributes.name}`,
                     {
-                      queries: updatedPackSO.attributes.queries,
+                      queries: convertSOQueriesToPack(updatedPackSO.attributes.queries, true),
                     }
                   );
 

@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { convertSOQueriesToPack } from './utils';
+
+const getTestQueries = (additionalFields?: Record<string, unknown>, packName = 'default') => ({
+  [packName]: {
+    ...additionalFields,
+    query:
+      'select u.username,\n' +
+      '       p.pid,\n' +
+      '       p.name,\n' +
+      '       pos.local_address,\n' +
+      '       pos.local_port,\n' +
+      '       p.path,\n' +
+      '       p.cmdline,\n' +
+      '       pos.remote_address,\n' +
+      '       pos.remote_port\n' +
+      'from processes as p\n' +
+      'join users as u\n' +
+      '    on u.uid=p.uid\n' +
+      'join process_open_sockets as pos\n' +
+      '    on pos.pid=p.pid\n' +
+      "where pos.remote_port !='0'\n" +
+      'limit 1000;',
+    interval: 3600,
+  },
+});
+
+const oneLiner = {
+  default: {
+    ecs_mapping: {},
+    interval: 3600,
+    query: `select u.username,    p.pid,    p.name,    pos.local_address,    pos.local_port,    p.path,    p.cmdline,    pos.remote_address,    pos.remote_port from processes as p join users as u   on u.uid=p.uid join process_open_sockets as pos   on pos.pid=p.pid where pos.remote_port !='0' limit 1000;`,
+  },
+};
+
+describe('Pack utils', () => {
+  describe('convertSOQueriesToPack', () => {
+    test('converts to pack with empty ecs_mapping', () => {
+      const convertedQueries = convertSOQueriesToPack(getTestQueries());
+      expect(convertedQueries).toStrictEqual(getTestQueries({ ecs_mapping: {} }));
+    });
+    test('converts to pack with converting query to single line', () => {
+      const convertedQueries = convertSOQueriesToPack(getTestQueries(), true);
+      expect(convertedQueries).toStrictEqual(oneLiner);
+    });
+    test('converts to object with pack names after query.id', () => {
+      const convertedQueries = convertSOQueriesToPack(getTestQueries({ id: 'testId' }));
+      expect(convertedQueries).toStrictEqual(getTestQueries({ ecs_mapping: {} }, 'testId'));
+    });
+  });
+});
@@ -27,13 +27,15 @@ export const convertPackQueriesToSO = (queries) =>
   );
 
 // @ts-expect-error update types
-export const convertSOQueriesToPack = (queries) =>
+export const convertSOQueriesToPack = (queries, removeMultiLines?: boolean) =>
   reduce(
     queries,
     // eslint-disable-next-line @typescript-eslint/naming-convention
-    (acc, { id: queryId, ecs_mapping, ...query }) => {
-      acc[queryId] = {
-        ...query,
+    (acc, { id: queryId, ecs_mapping, query, ...rest }, key) => {
+      const index = queryId ? queryId : key;
+      acc[index] = {
+        ...rest,
+        query: removeMultiLines ? query.replaceAll('\n', ' ').replaceAll('  ', ' ') : query,
         ecs_mapping: convertECSMappingToObject(ecs_mapping),
       };
 

diff --git a/x-pack/test/api_integration/apis/index.ts b/x-pack/test/api_integration/apis/index.ts
@@ -36,5 +36,6 @@ export default function ({ loadTestFile }: FtrProviderContext) {
     loadTestFile(require.resolve('./ml'));
     loadTestFile(require.resolve('./watcher'));
     loadTestFile(require.resolve('./logs_ui'));
+    loadTestFile(require.resolve('./osquery'));
   });
 }
@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export default function ({ loadTestFile }) {
+  describe('Osquery Endpoints', () => {
+    loadTestFile(require.resolve('./packs'));
+  });
+}
@@ -0,0 +1,76 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+
+import { FtrProviderContext } from '../../ftr_provider_context';
+
+const defaultPack = {
+  name: 'TestPack' + Date.now(),
+  description: 'TestPack Description',
+  enabled: true,
+  policy_ids: ['123', '456'],
+  queries: {
+    testQuery: {
+      query:
+        'select u.username,' +
+        '       p.pid,' +
+        '       p.name,' +
+        '       pos.local_address,' +
+        '       pos.local_port,' +
+        '       p.path,' +
+        '       p.cmdline,' +
+        '       pos.remote_address,' +
+        '       pos.remote_port' +
+        'from processes as p' +
+        'join users as u' +
+        '    on u.uid=p.uid' +
+        'join process_open_sockets as pos' +
+        '    on pos.pid=p.pid' +
+        "where pos.remote_port !='0'" +
+        'limit 1000;',
+      interval: 600,
+      platform: 'windows',
+      version: '1',
+    },
+  },
+};
+
+const singleLineQuery =
+  "select u.username,       p.pid,       p.name,       pos.local_address,       pos.local_port,       p.path,       p.cmdline,       pos.remote_address,       pos.remote_portfrom processes as pjoin users as u    on u.uid=p.uidjoin process_open_sockets as pos    on pos.pid=p.pidwhere pos.remote_port !='0'limit 1000;";
+
+export default function ({ getService }: FtrProviderContext) {
+  const supertest = getService('supertest');
+
+  describe('Packs', () => {
+    let newlyCreatedPackId: string = '';
+    describe('create route', () => {
+      it('should return 200 and have a single line query', async () => {
+        const resp = await supertest
+          .post('/internal/osquery/packs')
+          .set('kbn-xsrf', 'true')
+          .send(defaultPack);
+
+        newlyCreatedPackId = resp.body.id;
+        expect(resp.body.attributes.queries.testQuery.query).to.be(singleLineQuery);
+        expect(resp.status).to.be(200);
+      });
+    });
+    describe('update route', () => {
+      it('should return 200 and have a single line query', async () => {
+        const resp = await supertest
+          .put('/internal/osquery/packs/' + newlyCreatedPackId)
+          .set('kbn-xsrf', 'true')
+          .send(defaultPack);
+
+        expect(resp.body.id).to.be(newlyCreatedPackId);
+        expect(resp.body.attributes.queries.testQuery.query).to.be(singleLineQuery);
+        expect(resp.status).to.be(200);
+      });
+    });
+  });
+}
-Original file line number
+Diff line change
@@ Expand Up @@
                         draft,
                         `inputs[0].config.osquery.value.packs.${updatedPackSO.attributes.name}`,
                         {
-                          queries: updatedPackSO.attributes.queries,
+                          queries: convertSOQueriesToPack(updatedPackSO.attributes.queries, true),
                         }
                       );
@@ Expand Down @@