fix update threat intel monitor to avoid monitor exists check before …

…operation (opensearch-project#1111) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com>
eirsep · Jul 18, 2024 · 6bd699a · 6bd699a
1 parent 7b968c4
commit 6bd699a
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 9 deletions.
diff --git a/...curityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java b/...curityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java
@@ -106,7 +106,12 @@ protected void doExecute(Task task, IndexThreatIntelMonitorRequest request, Acti
                 listener.onFailure(SecurityAnalyticsException.wrap(new OpenSearchStatusException(validateBackendRoleMessage, RestStatus.FORBIDDEN)));
                 return;
             }
-            //fetch monitors and search
+            if(request.getMethod().equals(RestRequest.Method.PUT)) {
+                indexMonitor(request, listener, user);
+                return;
+            }
+
+            //fetch monitors and search to ensure only one threat intel monitor can be created
             SearchRequest threatIntelMonitorsSearchRequest = new SearchRequest();
             threatIntelMonitorsSearchRequest.indices(".opendistro-alerting-config");
             BoolQueryBuilder boolQueryBuilder = QueryBuilders.boolQuery();
@@ -118,15 +123,15 @@ protected void doExecute(Task task, IndexThreatIntelMonitorRequest request, Acti
                         List<String> monitorIds = searchResponse.getHits() == null || searchResponse.getHits().getHits() == null ? new ArrayList<>() :
                                 Arrays.stream(searchResponse.getHits().getHits()).map(SearchHit::getId).collect(Collectors.toList());
                         if (monitorIds.isEmpty()) {
-                            createMonitor(request, listener, user);
+                            indexMonitor(request, listener, user);
                         } else
                             listener.onFailure(new ResourceAlreadyExistsException(String.format("Threat intel monitor %s already exists.", monitorIds.get(0))));
                     },
 
                     e -> {
                         if (e instanceof IndexNotFoundException || e.getMessage().contains("Configured indices are not found")) {
                             try {
-                                createMonitor(request, listener, user);
+                                indexMonitor(request, listener, user);
                                 return;
                             } catch (IOException ex) {
                                 log.error(() -> new ParameterizedMessage("Unexpected failure while indexing threat intel monitor {} named {}", request.getId(), request.getMonitor().getName()));
@@ -145,7 +150,7 @@ protected void doExecute(Task task, IndexThreatIntelMonitorRequest request, Acti
         }
     }
 
-    private void createMonitor(IndexThreatIntelMonitorRequest request, ActionListener<IndexThreatIntelMonitorResponse> listener, User user) throws IOException {
+    private void indexMonitor(IndexThreatIntelMonitorRequest request, ActionListener<IndexThreatIntelMonitorResponse> listener, User user) throws IOException {
         IndexMonitorRequest indexMonitorRequest = buildIndexMonitorRequest(request);
         AlertingPluginInterface.INSTANCE.indexMonitor((NodeClient) client, indexMonitorRequest, namedWriteableRegistry, ActionListener.wrap(
                 r -> {

diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/ThreatIntelMonitorRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/ThreatIntelMonitorRestApiIT.java
@@ -1,7 +1,6 @@
 package org.opensearch.securityanalytics.resthandler;
 
-import org.apache.hc.core5.http.ContentType;
-import org.apache.hc.core5.http.io.entity.StringEntity;
+import org.apache.http.entity.StringEntity;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.junit.Assert;
@@ -146,13 +145,13 @@ public void testCreateThreatIntelMonitor() throws IOException {
         assertEquals(1, 1);
 
         String matchAllRequest = getMatchAllRequest();
-        Response searchMonitorResponse = makeRequest(client(), "POST", SEARCH_THREAT_INTEL_MONITOR_PATH, Collections.emptyMap(), new StringEntity(matchAllRequest, ContentType.APPLICATION_JSON, false));
+        Response searchMonitorResponse = makeRequest(client(), "POST", SEARCH_THREAT_INTEL_MONITOR_PATH, Collections.emptyMap(), new StringEntity(matchAllRequest));
         Assert.assertEquals(200, alertingMonitorResponse.getStatusLine().getStatusCode());
         HashMap<String, Object> hits = (HashMap<String, Object>) asMap(searchMonitorResponse).get("hits");
         HashMap<String, Object> totalHits = (HashMap<String, Object>) hits.get("total");
         Integer totalHitsVal = (Integer) totalHits.get("value");
         assertEquals(totalHitsVal.intValue(), 1);
-        makeRequest(client(), "POST", SEARCH_THREAT_INTEL_MONITOR_PATH, Collections.emptyMap(), new StringEntity(matchAllRequest, ContentType.APPLICATION_JSON, false));
+        makeRequest(client(), "POST", SEARCH_THREAT_INTEL_MONITOR_PATH, Collections.emptyMap(), new StringEntity(matchAllRequest));
 
 
         iocFindingsResponse = makeRequest(client(), "GET", SecurityAnalyticsPlugin.THREAT_INTEL_BASE_URI + "/findings/_search",
@@ -186,11 +185,29 @@ public void testCreateThreatIntelMonitor() throws IOException {
         Response getAlertsResponse = makeRequest(client(), "GET", SecurityAnalyticsPlugin.THREAT_INTEL_ALERTS_URI, params, null);
         Map<String, Object> getAlertsBody = asMap(getAlertsResponse);
         Assert.assertEquals(4, getAlertsBody.get("total_alerts"));
+
+
+        ThreatIntelMonitorDto updateMonitorDto = new ThreatIntelMonitorDto(
+                monitorId,
+                iocScanMonitor.getName() + "update",
+                iocScanMonitor.getPerIocTypeScanInputList(),
+                new IntervalSchedule(5, ChronoUnit.MINUTES, Instant.now()),
+                false,
+                null,
+                List.of(iocScanMonitor.getTriggers().get(0), iocScanMonitor.getTriggers().get(1))
+        );
+        //update monitor
+        response = makeRequest(client(), "PUT", SecurityAnalyticsPlugin.THREAT_INTEL_MONITOR_URI + "/" + monitorId, Collections.emptyMap(), toHttpEntity(updateMonitorDto));
+        Assert.assertEquals(200, response.getStatusLine().getStatusCode());
+        responseBody = asMap(response);
+        assertEquals(responseBody.get("id").toString(), monitorId);
+        assertEquals(((HashMap<String, Object>) responseBody.get("monitor")).get("name").toString(), iocScanMonitor.getName() + "update");
+
         //delete
         Response delete = makeRequest(client(), "DELETE", SecurityAnalyticsPlugin.THREAT_INTEL_MONITOR_URI + "/" + monitorId, Collections.emptyMap(), null);
         Assert.assertEquals(200, delete.getStatusLine().getStatusCode());
 
-        searchMonitorResponse = makeRequest(client(), "POST", SEARCH_THREAT_INTEL_MONITOR_PATH, Collections.emptyMap(), new StringEntity(matchAllRequest, ContentType.APPLICATION_JSON, false));
+        searchMonitorResponse = makeRequest(client(), "POST", SEARCH_THREAT_INTEL_MONITOR_PATH, Collections.emptyMap(), new StringEntity(matchAllRequest));
         Assert.assertEquals(200, alertingMonitorResponse.getStatusLine().getStatusCode());
         hits = (HashMap<String, Object>) asMap(searchMonitorResponse).get("hits");
         totalHits = (HashMap<String, Object>) hits.get("total");