Skip to content

[Bug] Review New Terms Schema and Transform Method Regarding JSONSchema #2930

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
terrancedejesus opened this issue Jul 17, 2023 · 0 comments · Fixed by #2986
Closed

[Bug] Review New Terms Schema and Transform Method Regarding JSONSchema #2930

terrancedejesus opened this issue Jul 17, 2023 · 0 comments · Fixed by #2986
Assignees
@Mikaayenson @terrancedejesus
Labels
bug Something isn't working community

Comments

@terrancedejesus
Copy link
Contributor

terrancedejesus commented Jul 17, 2023
edited
Loading

Describe the bug
Based on discussion from community, when uploading rules view the CLI command, it references the JSONschema which is a frozen state of the NewTermsRuleData schema.

In the NewTermsRuleData class there is a method called transform which is called if it exists from _post_dict_conversion. This method, for NewTermsRuleData specifically adjusted the JSON object of the New Terms rule so that new_terms becomes new_terms_fields and sits in the root of the JSON object. This is the expected format of the rule object for the Kibana API.

The reason the schema was developed this way was based on how rule types and schemas are identified by the rule loader, which will attempt to find new_terms which is what type is set to in a TOML rule.

Untitled-2023-07-17-1420

Since the JSONSchema is frozen based on the NewTermsRuleData when it attempts to validate the API object of the rule, the fields are not matching and thus causes issues when jsonschema.validate() is called during strip_additional_properties which is used when attempting to upload rules from CLI.

def strip_additional_properties(version: Version, api_contents: dict) -> dict:
    """Remove all fields that the target schema doesn't recognize."""

    if Version.parse(version, optional_minor_and_patch=True) >= Version.parse("8.3.0"):
        api_contents = strip_build_time_fields(api_contents)

    stripped = {}
    target_schema = get_schema_file(version, api_contents["type"])

    for field, field_schema in target_schema["properties"].items():
        if field in api_contents:
            stripped[field] = api_contents[field]

    # finally, validate against the json schema
    jsonschema.validate(stripped, target_schema)
    return stripped

To Reproduce

  1. Go to an old branch in our repo
  2. Use a later stack version than the repo selected
  3. Run the upload-rule command
  4. See that any new terms rule either error or have been removed from the upload because of jsonschema validation

Additional Information

Please see #2360
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Mikaayenson Mikaayenson

@terrancedejesus terrancedejesus

Labels
bug Something isn't working community
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Bug] Strip Non-Public Fields Prior to Uploading Rules elastic/detection-rules
2 participants
@Mikaayenson @terrancedejesus