From 87c72ae988e631d0eb22dfcbb88dfb8de6e978de Mon Sep 17 00:00:00 2001 From: Paul Tavares Date: Mon, 21 Sep 2020 12:52:27 -0400 Subject: [PATCH 1/7] Convert new trusted app data to expected format for artifact --- .../routes/trusted_apps/trusted_apps.test.ts | 111 +++++++++++++++++- .../endpoint/routes/trusted_apps/utils.ts | 22 +++- 2 files changed, 125 insertions(+), 8 deletions(-) diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts index 35d0bf1116148e..dc57433b35f95e 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts @@ -138,7 +138,9 @@ describe('when invoking endpoint trusted apps route handlers', () => { describe('when creating a trusted app', () => { let routeHandler: RequestHandler; - const createNewTrustedAppBody = (): PostTrustedAppCreateRequest => ({ + const createNewTrustedAppBody = (): { + -readonly [k in keyof PostTrustedAppCreateRequest]: PostTrustedAppCreateRequest[k]; + } => ({ name: 'Some Anti-Virus App', description: 'this one is ok', os: 'windows', @@ -151,11 +153,11 @@ describe('when invoking endpoint trusted apps route handlers', () => { }, ], }); - const createPostRequest = () => { + const createPostRequest = (body?: PostTrustedAppCreateRequest) => { return httpServerMock.createKibanaRequest({ path: TRUSTED_APPS_LIST_API, method: 'post', - body: createNewTrustedAppBody(), + body: body ?? createNewTrustedAppBody(), }); }; 
@@ -247,6 +249,109 @@ describe('when invoking endpoint trusted apps route handlers', () => { expect(response.internalError).toHaveBeenCalled(); expect(endpointAppContext.logFactory.get('trusted_apps').error).toHaveBeenCalled(); }); + + it('should trim trusted app entry name', async () => { + const newTrustedApp = createNewTrustedAppBody(); + newTrustedApp.name = `\n ${newTrustedApp.name} \r\n`; + const request = createPostRequest(newTrustedApp); + await routeHandler(context, request, response); + expect(exceptionsListClient.createExceptionListItem.mock.calls[0][0]).toEqual({ + _tags: ['os:windows'], + comments: [], + description: 'this one is ok', + entries: [ + { + field: 'process.path', + operator: 'included', + type: 'match', + value: 'c:/programs files/Anti-Virus', + }, + ], + itemId: expect.stringMatching(/.*/), + listId: 'endpoint_trusted_apps', + meta: undefined, + name: 'Some Anti-Virus App', + namespaceType: 'agnostic', + tags: [], + type: 'simple', + }); + }); + + it('should trim condition entry values', async () => { + const newTrustedApp = createNewTrustedAppBody(); + newTrustedApp.entries.push({ + field: 'process.path', + value: '\n some value \r\n ', + operator: 'included', + type: 'match', + }); + const request = createPostRequest(newTrustedApp); + await routeHandler(context, request, response); + expect(exceptionsListClient.createExceptionListItem.mock.calls[0][0]).toEqual({ + _tags: ['os:windows'], + comments: [], + description: 'this one is ok', + entries: [ + { + field: 'process.path', + operator: 'included', + type: 'match', + value: 'c:/programs files/Anti-Virus', + }, + { + field: 'process.path', + value: 'some value', + operator: 'included', + type: 'match', + }, + ], + itemId: expect.stringMatching(/.*/), + listId: 'endpoint_trusted_apps', + meta: undefined, + name: 'Some Anti-Virus App', + namespaceType: 'agnostic', + tags: [], + type: 'simple', + }); + }); + + it('should convert hash values to lowercase', async () => { + const 
newTrustedApp = createNewTrustedAppBody(); + newTrustedApp.entries.push({ + field: 'process.hash.*', + value: 'XXXXXYYYYZZZZZ', + operator: 'included', + type: 'match', + }); + const request = createPostRequest(newTrustedApp); + await routeHandler(context, request, response); + expect(exceptionsListClient.createExceptionListItem.mock.calls[0][0]).toEqual({ + _tags: ['os:windows'], + comments: [], + description: 'this one is ok', + entries: [ + { + field: 'process.path', + operator: 'included', + type: 'match', + value: 'c:/programs files/Anti-Virus', + }, + { + field: 'process.hash.*', + value: 'xxxxxyyyyzzzzz', + operator: 'included', + type: 'match', + }, + ], + itemId: expect.stringMatching(/.*/), + listId: 'endpoint_trusted_apps', + meta: undefined, + name: 'Some Anti-Virus App', + namespaceType: 'agnostic', + tags: [], + type: 'simple', + }); + }); }); describe('when deleting a trusted app', () => { diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/utils.ts b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/utils.ts index 794c1db4b49aa8..7401bda8999bc6 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/utils.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/utils.ts @@ -10,7 +10,7 @@ import { NewTrustedApp, TrustedApp } from '../../../../common/endpoint/types'; import { ExceptionListClient } from '../../../../../lists/server'; import { ENDPOINT_TRUSTED_APPS_LIST_ID } from '../../../../../lists/common/constants'; -type NewExecptionItem = Parameters[0]; +type NewExceptionItem = Parameters[0]; /** * Map an ExcptionListItem to a TrustedApp item 
@@ -51,22 +51,34 @@ export const newTrustedAppItemToExceptionItem = ({ entries, name, description = '', -}: NewTrustedApp): NewExecptionItem => { +}: NewTrustedApp): NewExceptionItem => { return { _tags: tagsListFromOs(os), comments: [], description, - entries, + // @ts-ignore + entries: entries.map(({ value, ...newEntry }) => { + let newValue = value.trim(); + + if (newEntry.field === 'process.hash.*') { + newValue = newValue.toLowerCase(); + } + + return { + ...newEntry, + value: newValue, + }; + }), itemId: uuid.v4(), listId: ENDPOINT_TRUSTED_APPS_LIST_ID, meta: undefined, - name, + name: name.trim(), namespaceType: 'agnostic', tags: [], type: 'simple', }; }; -const tagsListFromOs = (os: NewTrustedApp['os']): NewExecptionItem['_tags'] => { +const tagsListFromOs = (os: NewTrustedApp['os']): NewExceptionItem['_tags'] => { return [`os:${os}`]; }; From f8256376bea8302469e2e108a2495f96c4374720 Mon Sep 17 00:00:00 2001 From: Paul Tavares Date: Mon, 21 Sep 2020 14:41:16 -0400 Subject: [PATCH 2/7] Renamed condition field `process.path` to `process.path.text` --- .../common/endpoint/schema/trusted_apps.test.ts | 4 ++-- .../common/endpoint/schema/trusted_apps.ts | 5 ++++- .../common/endpoint/types/trusted_apps.ts | 4 +++- .../components/condition_entry.tsx | 2 +- .../routes/trusted_apps/trusted_apps.test.ts | 16 ++++++++-------- 5 files changed, 18 insertions(+), 13 deletions(-) diff --git a/x-pack/plugins/security_solution/common/endpoint/schema/trusted_apps.test.ts b/x-pack/plugins/security_solution/common/endpoint/schema/trusted_apps.test.ts index fc94e9a7c312a5..c0fbebf73ed8af 100644 --- a/x-pack/plugins/security_solution/common/endpoint/schema/trusted_apps.test.ts +++ b/x-pack/plugins/security_solution/common/endpoint/schema/trusted_apps.test.ts 
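Review bot: The new `value.trim()` runs after request validation, so an entry value made only of whitespace satisfies the `schema.string({ minLength: 1 })` check visible in the schema file and is then stored as an empty string in the exception item. A trusted-app condition with an empty match value should be rejected rather than persisted, either by trimming before validation or by giving the schema string a validator such as `validate: (v) => (v.trim().length === 0 ? 'value cannot be empty' : undefined)`. The same applies to `name.trim()` if `name` is validated only by length, which is not visible here. Separately, the `// @ts-ignore` above `entries:` hides every type error in the mapped expression; `// @ts-expect-error` with a one-line reason, or an explicitly typed entry, would keep the checker useful. `newTrustedAppItemToExceptionItem` begins above this hunk.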
@@ -76,7 +76,7 @@ describe('When invoking Trusted Apps Schema', () => { os: 'windows', entries: [ { - field: 'process.path', + field: 'process.path.text', type: 'match', operator: 'included', value: 'c:/programs files/Anti-Virus', @@ -194,7 +194,7 @@ describe('When invoking Trusted Apps Schema', () => { }; expect(() => body.validate(bodyMsg2)).toThrow(); - ['process.hash.*', 'process.path'].forEach((field) => { + ['process.hash.*', 'process.path.text'].forEach((field) => { const bodyMsg3 = { ...getCreateTrustedAppItem(), entries: [ diff --git a/x-pack/plugins/security_solution/common/endpoint/schema/trusted_apps.ts b/x-pack/plugins/security_solution/common/endpoint/schema/trusted_apps.ts index 72e24a7d694d4c..3b3bec4a478046 100644 --- a/x-pack/plugins/security_solution/common/endpoint/schema/trusted_apps.ts +++ b/x-pack/plugins/security_solution/common/endpoint/schema/trusted_apps.ts @@ -26,7 +26,10 @@ export const PostTrustedAppCreateRequestSchema = { os: schema.oneOf([schema.literal('linux'), schema.literal('macos'), schema.literal('windows')]), entries: schema.arrayOf( schema.object({ - field: schema.oneOf([schema.literal('process.hash.*'), schema.literal('process.path')]), + field: schema.oneOf([ + schema.literal('process.hash.*'), + schema.literal('process.path.text'), + ]), type: schema.literal('match'), operator: schema.literal('included'), value: schema.string({ minLength: 1 }), diff --git a/x-pack/plugins/security_solution/common/endpoint/types/trusted_apps.ts b/x-pack/plugins/security_solution/common/endpoint/types/trusted_apps.ts index 3356fc67d26820..93e3305078f8d2 100644 --- a/x-pack/plugins/security_solution/common/endpoint/types/trusted_apps.ts +++ b/x-pack/plugins/security_solution/common/endpoint/types/trusted_apps.ts @@ -12,6 +12,7 @@ import { /** API request params for retrieving a list of Trusted Apps */ export type GetTrustedAppsListRequest = TypeOf; + export interface GetTrustedListAppsResponse { per_page: number; page: number; 
@@ -21,12 +22,13 @@ export interface GetTrustedListAppsResponse { /** API Request body for creating a new Trusted App entry */ export type PostTrustedAppCreateRequest = TypeOf; + export interface PostTrustedAppCreateResponse { data: TrustedApp; } export interface MacosLinuxConditionEntry { - field: 'process.hash.*' | 'process.path'; + field: 'process.hash.*' | 'process.path.text'; type: 'match'; operator: 'included'; value: string; diff --git a/x-pack/plugins/security_solution/public/management/pages/trusted_apps/view/components/logical_condition/components/condition_entry.tsx b/x-pack/plugins/security_solution/public/management/pages/trusted_apps/view/components/logical_condition/components/condition_entry.tsx index 23bced0c048b19..7eeadeb02a3852 100644 --- a/x-pack/plugins/security_solution/public/management/pages/trusted_apps/view/components/logical_condition/components/condition_entry.tsx +++ b/x-pack/plugins/security_solution/public/management/pages/trusted_apps/view/components/logical_condition/components/condition_entry.tsx @@ -76,7 +76,7 @@ export const ConditionEntry = memo( 'xpack.securitySolution.trustedapps.logicalConditionBuilder.entry.field.path', { defaultMessage: 'Path' } ), - value: 'process.path', + value: 'process.path.text', }, ]; }, []); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts index dc57433b35f95e..fb622810916894 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts @@ -146,7 +146,7 @@ describe('when invoking endpoint trusted apps route handlers', () => { os: 'windows', entries: [ { - field: 'process.path', + field: 'process.path.text', type: 'match', operator: 'included', value: 'c:/programs files/Anti-Virus', 
@@ -199,7 +199,7 @@ describe('when invoking endpoint trusted apps route handlers', () => { description: 'this one is ok', entries: [ { - field: 'process.path', + field: 'process.path.text', operator: 'included', type: 'match', value: 'c:/programs files/Anti-Virus', @@ -226,7 +226,7 @@ describe('when invoking endpoint trusted apps route handlers', () => { description: 'this one is ok', entries: [ { - field: 'process.path', + field: 'process.path.text', operator: 'included', type: 'match', value: 'c:/programs files/Anti-Virus', @@ -261,7 +261,7 @@ describe('when invoking endpoint trusted apps route handlers', () => { description: 'this one is ok', entries: [ { - field: 'process.path', + field: 'process.path.text', operator: 'included', type: 'match', value: 'c:/programs files/Anti-Virus', @@ -280,7 +280,7 @@ describe('when invoking endpoint trusted apps route handlers', () => { it('should trim condition entry values', async () => { const newTrustedApp = createNewTrustedAppBody(); newTrustedApp.entries.push({ - field: 'process.path', + field: 'process.path.text', value: '\n some value \r\n ', operator: 'included', type: 'match', @@ -293,13 +293,13 @@ describe('when invoking endpoint trusted apps route handlers', () => { description: 'this one is ok', entries: [ { - field: 'process.path', + field: 'process.path.text', operator: 'included', type: 'match', value: 'c:/programs files/Anti-Virus', }, { - field: 'process.path', + field: 'process.path.text', value: 'some value', operator: 'included', type: 'match', @@ -331,7 +331,7 @@ describe('when invoking endpoint trusted apps route handlers', () => { description: 'this one is ok', entries: [ { - field: 'process.path', + field: 'process.path.text', operator: 'included', type: 'match', value: 'c:/programs files/Anti-Virus', From 3d29a6362bbb77def684d082f85b50ffd0f62253 Mon Sep 17 00:00:00 2001 
From: Paul Tavares Date: Mon, 21 Sep 2020 14:44:28 -0400 Subject: [PATCH 3/7] simplified test comparison data --- .../routes/trusted_apps/trusted_apps.test.ts | 103 ++++++------------ 1 file changed, 31 insertions(+), 72 deletions(-) diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts index fb622810916894..2f5075272a98c7 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts @@ -255,26 +255,9 @@ describe('when invoking endpoint trusted apps route handlers', () => { newTrustedApp.name = `\n ${newTrustedApp.name} \r\n`; const request = createPostRequest(newTrustedApp); await routeHandler(context, request, response); - expect(exceptionsListClient.createExceptionListItem.mock.calls[0][0]).toEqual({ - _tags: ['os:windows'], - comments: [], - description: 'this one is ok', - entries: [ - { - field: 'process.path.text', - operator: 'included', - type: 'match', - value: 'c:/programs files/Anti-Virus', - }, - ], - itemId: expect.stringMatching(/.*/), - listId: 'endpoint_trusted_apps', - meta: undefined, - name: 'Some Anti-Virus App', - namespaceType: 'agnostic', - tags: [], - type: 'simple', - }); + expect(exceptionsListClient.createExceptionListItem.mock.calls[0][0].name).toEqual( + 'Some Anti-Virus App' + ); }); it('should trim condition entry values', async () => { 
@@ -287,32 +270,20 @@ describe('when invoking endpoint trusted apps route handlers', () => { }); const request = createPostRequest(newTrustedApp); await routeHandler(context, request, response); - expect(exceptionsListClient.createExceptionListItem.mock.calls[0][0]).toEqual({ - _tags: ['os:windows'], - comments: [], - description: 'this one is ok', - entries: [ - { - field: 'process.path.text', - operator: 'included', - type: 'match', - value: 'c:/programs files/Anti-Virus', - }, - { - field: 'process.path.text', - value: 'some value', - operator: 'included', - type: 'match', - }, - ], - itemId: expect.stringMatching(/.*/), - listId: 'endpoint_trusted_apps', - meta: undefined, - name: 'Some Anti-Virus App', - namespaceType: 'agnostic', - tags: [], - type: 'simple', - }); + expect(exceptionsListClient.createExceptionListItem.mock.calls[0][0].entries).toEqual([ + { + field: 'process.path.text', + operator: 'included', + type: 'match', + value: 'c:/programs files/Anti-Virus', + }, + { + field: 'process.path.text', + value: 'some value', + operator: 'included', + type: 'match', + }, + ]); }); it('should convert hash values to lowercase', async () => { 
@@ -325,32 +296,20 @@ describe('when invoking endpoint trusted apps route handlers', () => { }); const request = createPostRequest(newTrustedApp); await routeHandler(context, request, response); - expect(exceptionsListClient.createExceptionListItem.mock.calls[0][0]).toEqual({ - _tags: ['os:windows'], - comments: [], - description: 'this one is ok', - entries: [ - { - field: 'process.path.text', - operator: 'included', - type: 'match', - value: 'c:/programs files/Anti-Virus', - }, - { - field: 'process.hash.*', - value: 'xxxxxyyyyzzzzz', - operator: 'included', - type: 'match', - }, - ], - itemId: expect.stringMatching(/.*/), - listId: 'endpoint_trusted_apps', - meta: undefined, - name: 'Some Anti-Virus App', - namespaceType: 'agnostic', - tags: [], - type: 'simple', - }); + expect(exceptionsListClient.createExceptionListItem.mock.calls[0][0].entries).toEqual([ + { + field: 'process.path.text', + operator: 'included', + type: 'match', + value: 'c:/programs files/Anti-Virus', + }, + { + field: 'process.hash.*', + value: 'xxxxxyyyyzzzzz', + operator: 'included', + type: 'match', + }, + ]); }); }); From d7c4ed3e08148e0794ed87796edd427a49b354ec Mon Sep 17 00:00:00 2001 From: Paul Tavares Date: Mon, 21 Sep 2020 14:54:54 -0400 Subject: [PATCH 4/7] determine hash type based on length of hash value --- .../routes/trusted_apps/trusted_apps.test.ts | 70 ++++++++++++++++++- .../endpoint/routes/trusted_apps/utils.ts | 12 ++++ 2 files changed, 80 insertions(+), 2 deletions(-) diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts index 2f5075272a98c7..d973952e9c5e96 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts 
@@ -290,7 +290,7 @@ describe('when invoking endpoint trusted apps route handlers', () => { const newTrustedApp = createNewTrustedAppBody(); newTrustedApp.entries.push({ field: 'process.hash.*', - value: 'XXXXXYYYYZZZZZ', + value: '741462AB431A22233C787BAAB9B653C7', operator: 'included', type: 'match', }); 
@@ -303,9 +303,75 @@ describe('when invoking endpoint trusted apps route handlers', () => { type: 'match', value: 'c:/programs files/Anti-Virus', }, + { + field: 'process.hash.md5', + value: '741462ab431a22233c787baab9b653c7', + operator: 'included', + type: 'match', + }, + ]); + }); + + it('should detect md5 hash', async () => { + const newTrustedApp = createNewTrustedAppBody(); + newTrustedApp.entries = [ + { + field: 'process.hash.*', + value: '741462ab431a22233c787baab9b653c7', + operator: 'included', + type: 'match', + }, + ]; + const request = createPostRequest(newTrustedApp); + await routeHandler(context, request, response); + expect(exceptionsListClient.createExceptionListItem.mock.calls[0][0].entries).toEqual([ + { + field: 'process.hash.md5', + value: '741462ab431a22233c787baab9b653c7', + operator: 'included', + type: 'match', + }, + ]); + }); + + it('should detect sha1 hash', async () => { + const newTrustedApp = createNewTrustedAppBody(); + newTrustedApp.entries = [ { field: 'process.hash.*', - value: 'xxxxxyyyyzzzzz', + value: 'aedb279e378bed6c2db3c9dc9e12ba635e0b391c', + operator: 'included', + type: 'match', + }, + ]; + const request = createPostRequest(newTrustedApp); + await routeHandler(context, request, response); + expect(exceptionsListClient.createExceptionListItem.mock.calls[0][0].entries).toEqual([ + { + field: 'process.hash.sha1', + value: 'aedb279e378bed6c2db3c9dc9e12ba635e0b391c', + operator: 'included', + type: 'match', + }, + ]); + }); + + it('should detect sha256 hash', async () => { + const newTrustedApp = createNewTrustedAppBody(); + newTrustedApp.entries = [ + { + field: 'process.hash.*', + value: 'a4370c0cf81686c0b696fa6261c9d3e0d810ae704ab8301839dffd5d5112f476', + operator: 'included', + type: 'match', + }, + ]; + const request = createPostRequest(newTrustedApp); + await routeHandler(context, request, response); + expect(exceptionsListClient.createExceptionListItem.mock.calls[0][0].entries).toEqual([ + { + field: 
'process.hash.sha256', + value: 'a4370c0cf81686c0b696fa6261c9d3e0d810ae704ab8301839dffd5d5112f476', operator: 'included', type: 'match', }, diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/utils.ts b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/utils.ts index 7401bda8999bc6..fe7c03bf2f25ef 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/utils.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/utils.ts @@ -62,6 +62,7 @@ export const newTrustedAppItemToExceptionItem = ({ if (newEntry.field === 'process.hash.*') { newValue = newValue.toLowerCase(); + newEntry.field = `process.hash.${hashType(newValue)}`; } return { @@ -82,3 +83,14 @@ export const newTrustedAppItemToExceptionItem = ({ const tagsListFromOs = (os: NewTrustedApp['os']): NewExceptionItem['_tags'] => { return [`os:${os}`]; }; + +const hashType = (hash: string): 'md5' | 'sha256' | 'sha1' | undefined => { + switch (hash.length) { + case 32: + return 'md5'; + case 40: + return 'sha1'; + case 64: + return 'sha256'; + } +}; From b96f5f3fe58a12fb6d26ef37d25f6d33132820c5 Mon Sep 17 00:00:00 2001 From: Paul Tavares Date: Mon, 21 Sep 2020 15:35:56 -0400 Subject: [PATCH 5/7] Convert `process.hash.[sha1|md5|sha256]` to `process.hash.*` for return on list api --- .../server/endpoint/routes/trusted_apps/utils.ts | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/utils.ts b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/utils.ts index fe7c03bf2f25ef..2b8129ab950c66 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/utils.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/utils.ts 
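Review bot: `hashType` returns `undefined` for any length other than 32, 40 or 64, and the call site interpolates that result directly, so a `process.hash.*` entry with a truncated or mistyped digest is stored with the field `process.hash.undefined`. Nothing visible in this series checks that the value is hexadecimal, so a 32-character non-hex string would be labelled `md5`. Such an entry would presumably never match, and a later patch in this series maps every hash field back to `process.hash.*` for the list API, so the bad field would not be visible there; rejecting the entry at creation is safer, and a test for an unexpected length would pin that. The change touches both the `@@ -62,6 +62,7 @@` hunk and the `hashType` hunk after it. The mapping callback starts outside the first hunk, and how the route reports the thrown error is not visible here.

```typescript
// … unchanged: newValue = newValue.toLowerCase(); …
const detectedType = hashType(newValue);
if (detectedType === undefined) {
  throw new Error('Trusted app hash value must be a hex md5, sha1 or sha256 digest');
}
newEntry.field = `process.hash.${detectedType}`;

const hashType = (hash: string): 'md5' | 'sha256' | 'sha1' | undefined => {
  // Only hexadecimal digests map to a concrete hash field.
  if (!/^[0-9a-f]+$/i.test(hash)) {
    return undefined;
  }
  // … unchanged: switch on hash.length (32, 40, 64) …
};
```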
@@ -23,7 +23,15 @@ export const exceptionItemToTrustedAppItem = ( const { entries, description, created_by, created_at, name, _tags, id } = exceptionListItem; const os = osFromTagsList(_tags); return { - entries, + entries: entries.map((entry) => { + if (entry.field.startsWith('process.hash')) { + return { + ...entry, + field: 'process.hash.*', + }; + } + return entry; + }), description, created_at, created_by, From e7bd6e12e5a32773dd23be87ea6143f7c3707626 Mon Sep 17 00:00:00 2001 From: Paul Tavares Date: Mon, 21 Sep 2020 15:53:15 -0400 Subject: [PATCH 6/7] Add test for conversion of Exception Item to Trusted App Item --- .../routes/trusted_apps/trusted_apps.test.ts | 96 ++++++++++++++++++- 1 file changed, 95 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts index d973952e9c5e96..7285da7945bff6 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts @@ -26,7 +26,10 @@ import { ENDPOINT_TRUSTED_APPS_LIST_ID } from '../../../../../lists/common/const import { EndpointAppContext } from '../../types'; import { ExceptionListClient, ListClient } from '../../../../../lists/server'; import { listMock } from '../../../../../lists/server/mocks'; -import { ExceptionListItemSchema } from '../../../../../lists/common/schemas/response'; +import { + ExceptionListItemSchema, + FoundExceptionListItemSchema, +} from '../../../../../lists/common/schemas/response'; import { DeleteTrustedAppsRequestParams } from './types'; import { getExceptionListItemSchemaMock } from '../../../../../lists/common/schemas/response/exception_list_item_schema.mock'; 
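Review bot: `entry.field.startsWith('process.hash')` also matches any field that merely begins with those characters (a hypothetical sibling such as `process.hash_extra`) and rewrites it to `process.hash.*`. Anchoring on the separator, `if (entry.field.startsWith('process.hash.')) {`, limits the rewrite to the hash sub-fields that `newTrustedAppItemToExceptionItem` writes. A short comment above the map, saying that the stored `md5`/`sha1`/`sha256` suffix is deliberately collapsed for the API response, would help the next reader. `exceptionItemToTrustedAppItem` starts above this hunk.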
@@ -125,6 +128,97 @@ describe('when invoking endpoint trusted apps route handlers', () => { }); }); + it('should map Exception List Item to Trusted App item', async () => { + const request = createListRequest(10, 100); + const emptyResponse: FoundExceptionListItemSchema = { + data: [ + { + _tags: ['os:windows'], + _version: undefined, + comments: [], + created_at: '2020-09-21T19:43:48.240Z', + created_by: 'test', + description: '', + entries: [ + { + field: 'process.hash.sha256', + operator: 'included', + type: 'match', + value: 'a4370c0cf81686c0b696fa6261c9d3e0d810ae704ab8301839dffd5d5112f476', + }, + { + field: 'process.hash.sha1', + operator: 'included', + type: 'match', + value: 'aedb279e378bed6c2db3c9dc9e12ba635e0b391c', + }, + { + field: 'process.hash.md5', + operator: 'included', + type: 'match', + value: '741462ab431a22233c787baab9b653c7', + }, + ], + id: '1', + item_id: '11', + list_id: 'trusted apps test', + meta: undefined, + name: 'test', + namespace_type: 'agnostic', + tags: [], + tie_breaker_id: '1', + type: 'simple', + updated_at: '2020-09-21T19:43:48.240Z', + updated_by: 'test', + }, + ], + page: 10, + per_page: 100, + total: 0, + }; + + exceptionsListClient.findExceptionListItem.mockResolvedValue(emptyResponse); + await routeHandler(context, request, response); + + expect(response.ok).toHaveBeenCalledWith({ + body: { + data: [ + { + created_at: '2020-09-21T19:43:48.240Z', + created_by: 'test', + description: '', + entries: [ + { + field: 'process.hash.*', + operator: 'included', + type: 'exact_cased', + value: 'a4370c0cf81686c0b696fa6261c9d3e0d810ae704ab8301839dffd5d5112f476', + }, + { + field: 'process.hash.*', + operator: 'included', + type: 'exact_cased', + value: 'aedb279e378bed6c2db3c9dc9e12ba635e0b391c', + }, + { + field: 'process.hash.*', + operator: 'included', + type: 'exact_cased', + value: '741462ab431a22233c787baab9b653c7', + }, + ], + id: '1', + name: 'test', + os: 'windows', + }, + ], + page: 10, + per_page: 100, + total: 0, + }, + 
}); + }); + it('should log unexpected error if one occurs', async () => { exceptionsListClient.findExceptionListItem.mockImplementation(() => { throw new Error('expected error'); From 1fc7f8efa268e40fc80d7e89caf9d21774ab02e0 Mon Sep 17 00:00:00 2001 From: Paul Tavares Date: Mon, 21 Sep 2020 15:55:38 -0400 Subject: [PATCH 7/7] Fix test --- .../endpoint/routes/trusted_apps/trusted_apps.test.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts index 7285da7945bff6..2368dcda09a38e 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/trusted_apps.test.ts @@ -191,19 +191,19 @@ describe('when invoking endpoint trusted apps route handlers', () => { { field: 'process.hash.*', operator: 'included', - type: 'exact_cased', + type: 'match', value: 'a4370c0cf81686c0b696fa6261c9d3e0d810ae704ab8301839dffd5d5112f476', }, { field: 'process.hash.*', operator: 'included', - type: 'exact_cased', + type: 'match', value: 'aedb279e378bed6c2db3c9dc9e12ba635e0b391c', }, { field: 'process.hash.*', operator: 'included', - type: 'exact_cased', + type: 'match', value: '741462ab431a22233c787baab9b653c7', }, ],
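Review bot: The fixture in the new `should map Exception List Item to Trusted App item` test is named `emptyResponse` and reports `total: 0` although its `data` array holds one item, which misleads anyone reading the expectation. Renaming it (for example `const exceptionsListResponse: FoundExceptionListItemSchema = {`) and using `total: 1` in both the mock and the expected body would make the fixture self-consistent. The test covers only hash fields; a `process.path.text` entry in the same fixture would also pin that non-hash fields pass through unchanged.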