Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Alerts and security solutions rules with spaces have validation issues #76035

Closed
FrankHassanabad opened this issue Aug 26, 2020 · 2 comments · Fixed by #76079
Closed

Alerts and security solutions rules with spaces have validation issues #76035

FrankHassanabad opened this issue Aug 26, 2020 · 2 comments · Fixed by #76079
Assignees
@mikecote
Labels
bug Fixes for quality problems that affect the customer experience Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM

Comments

@FrankHassanabad
Copy link
Contributor

FrankHassanabad commented Aug 26, 2020
edited
Loading

Kibana version:
7.9.0

Both alerting and security solution alerts cannot have trailing spaces in their names or you end up not being able to create the rules. For existing rules/alerts that already have trailing spaces, those alerts cannot be modified, disabled, enabled, without errors being thrown.

This has to do with recent changes in a few areas involving ES API names:
#71623
#71620
#71558
elastic/elasticsearch#58156

However, a lot of code paths flow through:
https://github.com/elastic/kibana/blob/master/x-pack/plugins/security/server/authentication/api_keys.ts#L210

And not just the alerting framework fwiw, so we might consider changing things and truncating/throwing errors within the bottom most layer rather than fixing it within the solution layers? Or... It's up to each solutions team and people built on the alerting framework to fix this locally by doing a trim() on their strings and continue letting the errors bubble up stricter API key validation changes.

The nature of the fix depends on if the API key generator not allowing trailing and leading spaces is the correct validation for it within ES or not. If that is the correct new validation to not allow leading or trailing spaces, then any code in the Kibana stack and else where should be doing a trimRight() and/or trim() if it is creating an API key with customer data driven values to avoid these blowups since we already have alerts and security rules with trailing spaces and the alerting framework uses the names as part of the key generation process.

It's subjective where in the stack this type of fix should be such as here:
https://github.com/elastic/kibana/blob/master/x-pack/plugins/security/server/authentication/api_keys.ts

Or more upstream such as here in the alerting solution with a trimRight() on the alert name:
https://github.com/elastic/kibana/blob/master/x-pack/plugins/alerts/server/alerts_client.ts#L943

So far it looks like the solutions themselves are to manage this new validation change.

Steps to reproduce:

Go to alerting and make an alert with a trailing spaces like so. You can't see the trailing spaces in the UI below but really it should have something like, "dfdf ":

Screen Shot 2020-08-26 at 2 39 57 PM

And then when you hit save you get the error message:
Screen Shot 2020-08-26 at 2 14 06 PM

If you do the same with security detection rules by creating a rule with a trailing space or already have an existing one with trailing spaces that you try to enable/disable in the name then you get errors like so:
Screen Shot 2020-08-26 at 12 51 59 PM

Stack traces are:

server    log   [14:14:02.401] [error][http] { Error: [action_request_validation_exception] Validation Failed: 1: name may not begin or end with whitespace;
    at respond (/Users/frankhassanabad/projects/kibana/node_modules/elasticsearch/src/lib/transport.js:349:15)
    at checkRespForFailure (/Users/frankhassanabad/projects/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)
    at HttpConnector.<anonymous> (/Users/frankhassanabad/projects/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
    at IncomingMessage.wrapper (/Users/frankhassanabad/projects/kibana/node_modules/lodash/lodash.js:4949:19)
    at IncomingMessage.emit (events.js:203:15)
    at endReadableNT (_stream_readable.js:1145:12)
    at process._tickCallback (internal/process/next_tick.js:63:19)
  status: 400,
  displayName: 'BadRequest',
  message:
   '[action_request_validation_exception] Validation Failed: 1: name may not begin or end with whitespace;',
  path: '/_security/api_key/grant',
  query: {},
  body:
   { error:
      { root_cause: [Array],
        type: 'action_request_validation_exception',
        reason:
         'Validation Failed: 1: name may not begin or end with whitespace;' },
     status: 400 },
  statusCode: 400,
  response:
   '{"error":{"root_cause":[{"type":"action_request_validation_exception","reason":"Validation Failed: 1: name may not begin or end with whitespace;"}],"type":"action_request_validation_exception","reason":"Validation Failed: 1: name may not begin or end with whitespace;"},"status":400}',
  toString: [Function],
  toJSON: [Function] }
server   error  [14:14:02.259]  Error: Internal Server Error
    at HapiResponseAdapter.toInternalError (/Users/frankhassanabad/projects/kibana/src/core/server/http/router/response_adapter.ts:56:19)
    at Router.handle (/Users/frankhassanabad/projects/kibana/src/core/server/http/router/router.ts:286:34)
    at process._tickCallback (internal/process/next_tick.js:68:7)
server  respons [14:14:02.259]  POST /api/alerts/alert 500 241ms - 9.0B
server  respons [14:14:06.942]  POST /api/alerting_builtins/index_threshold/_time_series_query 200 100ms - 9.0B
server  respons [14:14:11.936]  POST /api/alerting_builtins/index_threshold/_time_series_query 200 89ms - 9.0B
server  respons [14:14:16.936]  POST /api/alerting_builtins/index_threshold/_time_series_query 200 91ms - 9.0B
server    log   [14:14:19.513] [debug][0][0][endpoint:user-artifact-packager:1][plugins][securitySolution] User manifest not available yet.

Expected behavior:
No errors for rules/alerts that have trailing spaces already
@FrankHassanabad FrankHassanabad added bug Fixes for quality problems that affect the customer experience Team:SIEM labels Aug 26, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

@mikecote mikecote added the Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) label Aug 27, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@mikecote mikecote removed their assignment Aug 27, 2020
@mikecote mikecote self-assigned this Aug 27, 2020
@mikecote mikecote mentioned this issue Aug 27, 2020
Merged
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020
@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mikecote mikecote

Labels
bug Fixes for quality problems that affect the customer experience Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix alerts unable to create / update when the name has trailing whitepace(s) mikecote/kibana
5 participants
@kobelb @FrankHassanabad @MindyRS @mikecote @elasticmachine