Skip to content

Commit

Permalink
[EDR Workflows] Use internal user to fetch automated actions and resu…
Browse files Browse the repository at this point in the history
  • Loading branch information
tomsonpl authored Oct 4, 2023
1 parent 038ac89 commit ffb60a1
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 22 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,7 @@ export enum SortOrder {
}

export interface RequestBasicOptions extends IEsSearchRequest {
factoryQueryType?: ResponseActionsQueries;
aggregations?: Record<string, estypes.AggregationsAggregationContainer>;
factoryQueryType: ResponseActionsQueries;
}

export type ResponseActionsSearchHit = estypes.SearchHit<
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@
import { map, mergeMap } from 'rxjs/operators';
import type { ISearchStrategy, PluginStart } from '@kbn/data-plugin/server';
import { shimHitsTotal } from '@kbn/data-plugin/server';
import { ENHANCED_ES_SEARCH_STRATEGY } from '@kbn/data-plugin/common';
import { from } from 'rxjs';
import type {
EndpointStrategyParseResponseType,
Expand All @@ -21,38 +20,35 @@ import type { EndpointFactory } from './factory/types';
import type { EndpointAppContext } from '../../endpoint/types';
import { endpointFactory } from './factory';

function isObj(req: unknown): req is Record<string, unknown> {
return typeof req === 'object' && req !== null;
}

function assertValidRequestType<T extends EndpointFactoryQueryTypes>(
req: unknown
): asserts req is EndpointStrategyRequestType<T> & { factoryQueryType: EndpointFactoryQueryTypes } {
if (!isObj(req) || req.factoryQueryType == null) {
throw new Error('factoryQueryType is required');
}
}

export const endpointSearchStrategyProvider = <T extends EndpointFactoryQueryTypes>(
data: PluginStart,
endpointContext: EndpointAppContext
): ISearchStrategy<EndpointStrategyRequestType<T>, EndpointStrategyResponseType<T>> => {
const es = data.search.getSearchStrategy(
ENHANCED_ES_SEARCH_STRATEGY
) as unknown as ISearchStrategy<
const es = data.search.searchAsInternalUser as unknown as ISearchStrategy<
EndpointStrategyRequestType<T>,
EndpointStrategyParseResponseType<T>
>;

return {
search: (request, options, deps) => {
assertValidRequestType<T>(request);

if (request.factoryQueryType == null) {
throw new Error('factoryQueryType is required');
}
return from(endpointContext.service.getEndpointAuthz(deps.request)).pipe(
mergeMap((authz) => {
const queryFactory: EndpointFactory<T> = endpointFactory[request.factoryQueryType];
const dsl = queryFactory.buildDsl(request, { authz });
return es.search({ ...request, params: dsl }, options, deps).pipe(
const strictRequest = {
factoryQueryType: request.factoryQueryType,
sort: request.sort,
...('alertIds' in request ? { alertIds: request.alertIds } : {}),
...('agentId' in request ? { agentId: request.agentId } : {}),
...('expiration' in request ? { expiration: request.expiration } : {}),
...('actionId' in request ? { actionId: request.actionId } : {}),
...('agents' in request ? { agents: request.agents } : {}),
} as EndpointStrategyRequestType<T>;
const dsl = queryFactory.buildDsl(strictRequest, { authz });

return es.search({ ...strictRequest, params: dsl }, options, deps).pipe(
map((response) => {
return {
...response,
Expand Down

0 comments on commit ffb60a1

Please sign in to comment.