[Security Solution] Resolver retrieve entity id of documents without field mapped (#76562)

* More comments

* Adding tests for mapping without entity_id

* Removing unnecessary comments

* Fixing type errors

* Removing unnecessary import

* Fixups and style

* change 'data' state shape, nesting the tree fetcher data
* rename 'TreeFetcherParameters' from 'DatabaseParameters' to make it
more specific to the API it works on
* fix bug in 'equal' method of 'TreeFetcherParameters'`
* use mockTreeFetcherParameters method in tests that need to specify a
TreeFetcherParameters but when the value isn't relevant to the test
* Hide Resolver if there is no databaseDocumentID
* add doc comments

* Fixing test name and adding comments

* Pulling in roberts test name changes

* [Resolver] Only render resolver once we have a signals index

Co-authored-by: oatkiller <robert.austin@elastic.co>

Author: jonathan-buttner

x-pack/plugins/security_solution/public/resolver/data_access_layer/factory.ts

@@ -12,7 +12,6 @@ import {
   ResolverTree,
   ResolverEntityIndex,
 } from '../../../common/endpoint/types';
-import { DEFAULT_INDEX_KEY as defaultIndexKey } from '../../../common/constants';
 
 /**
  * The data access layer for resolver. All communication with the Kibana server is done through this object. This object is provided to Resolver. In tests, a mock data access layer can be used instead.
@@ -38,13 +37,6 @@ export function dataAccessLayerFactory(
       });
     },
 
-    /**
-     * Used to get the default index pattern from the SIEM application.
-     */
-    indexPatterns(): string[] {
-      return context.services.uiSettings.get(defaultIndexKey);
-    },
-
     /**
      * Used to get the entity_id for an _id.
      */

x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/emptify_mock.ts

@@ -12,7 +12,7 @@ import {
 import { mockTreeWithNoProcessEvents } from '../../mocks/resolver_tree';
 import { DataAccessLayer } from '../../types';
 
-type EmptiableRequests = 'relatedEvents' | 'resolverTree' | 'entities' | 'indexPatterns';
+type EmptiableRequests = 'relatedEvents' | 'resolverTree' | 'entities';
 
 interface Metadata<T> {
   /**
@@ -66,15 +66,6 @@ export function emptifyMock<T>(
           : dataAccessLayer.resolverTree(...args);
       },
 
-      /**
-       * Get an array of index patterns that contain events.
-       */
-      indexPatterns(...args): string[] {
-        return dataShouldBeEmpty.includes('indexPatterns')
-          ? []
-          : dataAccessLayer.indexPatterns(...args);
-      },
-
       /**
        * Get entities matching a document.
        */

x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts

@@ -78,13 +78,6 @@ export function noAncestorsTwoChildren(): { dataAccessLayer: DataAccessLayer; me
         );
       },
 
-      /**
-       * Get an array of index patterns that contain events.
-       */
-      indexPatterns(): string[] {
-        return ['index pattern'];
-      },
-
       /**
        * Get entities matching a document.
        */

x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts

@@ -0,0 +1,97 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  ResolverRelatedEvents,
+  ResolverTree,
+  ResolverEntityIndex,
+} from '../../../../common/endpoint/types';
+import { mockEndpointEvent } from '../../mocks/endpoint_event';
+import { mockTreeWithNoAncestorsAnd2Children } from '../../mocks/resolver_tree';
+import { DataAccessLayer } from '../../types';
+
+interface Metadata {
+  /**
+   * The `_id` of the document being analyzed.
+   */
+  databaseDocumentID: string;
+  /**
+   * A record of entityIDs to be used in tests assertions.
+   */
+  entityIDs: {
+    /**
+     * The entityID of the node related to the document being analyzed.
+     */
+    origin: 'origin';
+    /**
+     * The entityID of the first child of the origin.
+     */
+    firstChild: 'firstChild';
+    /**
+     * The entityID of the second child of the origin.
+     */
+    secondChild: 'secondChild';
+  };
+}
+
+/**
+ * A mock DataAccessLayer that will return an origin in two children. The `entity` response will be empty unless
+ * `awesome_index` is passed in the indices array.
+ */
+export function noAncestorsTwoChildenInIndexCalledAwesomeIndex(): {
+  dataAccessLayer: DataAccessLayer;
+  metadata: Metadata;
+} {
+  const metadata: Metadata = {
+    databaseDocumentID: '_id',
+    entityIDs: { origin: 'origin', firstChild: 'firstChild', secondChild: 'secondChild' },
+  };
+  return {
+    metadata,
+    dataAccessLayer: {
+      /**
+       * Fetch related events for an entity ID
+       */
+      relatedEvents(entityID: string): Promise<ResolverRelatedEvents> {
+        return Promise.resolve({
+          entityID,
+          events: [
+            mockEndpointEvent({
+              entityID,
+              name: 'event',
+              timestamp: 0,
+            }),
+          ],
+          nextEvent: null,
+        });
+      },
+
+      /**
+       * Fetch a ResolverTree for a entityID
+       */
+      resolverTree(): Promise<ResolverTree> {
+        return Promise.resolve(
+          mockTreeWithNoAncestorsAnd2Children({
+            originID: metadata.entityIDs.origin,
+            firstChildID: metadata.entityIDs.firstChild,
+            secondChildID: metadata.entityIDs.secondChild,
+          })
+        );
+      },
+
+      /**
+       * Get entities matching a document.
+       */
+      entities({ indices }): Promise<ResolverEntityIndex> {
+        // Only return values if the `indices` array contains exactly `'awesome_index'`
+        if (indices.length === 1 && indices[0] === 'awesome_index') {
+          return Promise.resolve([{ entity_id: metadata.entityIDs.origin }]);
+        }
+        return Promise.resolve([]);
+      },
+    },
+  };
+}

x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts

@@ -76,13 +76,6 @@ export function noAncestorsTwoChildrenWithRelatedEventsOnOrigin(): {
         return Promise.resolve(tree);
       },
 
-      /**
-       * Get an array of index patterns that contain events.
-       */
-      indexPatterns(): string[] {
-        return ['index pattern'];
-      },
-
       /**
        * Get entities matching a document.
        */

x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/pausify_mock.ts

@@ -105,13 +105,6 @@ export function pausifyMock<T>({
         return dataAccessLayer.resolverTree(...args);
       },
 
-      /**
-       * Get an array of index patterns that contain events.
-       */
-      indexPatterns(...args): string[] {
-        return dataAccessLayer.indexPatterns(...args);
-      },
-
       /**
        * Get entities matching a document.
        */

x-pack/plugins/security_solution/public/resolver/mocks/tree_fetcher_parameters.ts

@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { TreeFetcherParameters } from '../types';
+
+/**
+ * A factory for the most basic `TreeFetcherParameters`. Many tests need to provide this even when the values aren't relevant to the test.
+ */
+export function mockTreeFetcherParameters(): TreeFetcherParameters {
+  return {
+    databaseDocumentID: '',
+    indices: [],
+  };
+}

x-pack/plugins/security_solution/public/resolver/models/tree_fetcher_parameters.test.ts

@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { TreeFetcherParameters } from '../types';
+
+import { equal } from './tree_fetcher_parameters';
+describe('TreeFetcherParameters#equal:', () => {
+  const cases: Array<[TreeFetcherParameters, TreeFetcherParameters, boolean]> = [
+    // different databaseDocumentID
+    [{ databaseDocumentID: 'a', indices: [] }, { databaseDocumentID: 'b', indices: [] }, false],
+    // different indices length
+    [{ databaseDocumentID: 'a', indices: [''] }, { databaseDocumentID: 'a', indices: [] }, false],
+    // same indices length, different databaseDocumentID
+    [{ databaseDocumentID: 'a', indices: [''] }, { databaseDocumentID: 'b', indices: [''] }, false],
+    // 1 item in `indices`
+    [{ databaseDocumentID: 'b', indices: [''] }, { databaseDocumentID: 'b', indices: [''] }, true],
+    // 2 item in `indices`
+    [
+      { databaseDocumentID: 'b', indices: ['1', '2'] },
+      { databaseDocumentID: 'b', indices: ['1', '2'] },
+      true,
+    ],
+    // 2 item in `indices`, but order inversed
+    [
+      { databaseDocumentID: 'b', indices: ['2', '1'] },
+      { databaseDocumentID: 'b', indices: ['1', '2'] },
+      true,
+    ],
+  ];
+  describe.each(cases)('%p when compared to %p', (first, second, expected) => {
+    it(`should ${expected ? '' : 'not'}be equal`, () => {
+      expect(equal(first, second)).toBe(expected);
+    });
+  });
+});

x-pack/plugins/security_solution/public/resolver/models/tree_fetcher_parameters.ts

@@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { TreeFetcherParameters } from '../types';
+
+/**
+ * Determine if two instances of `TreeFetcherParameters` are equivalent. Use this to determine if
+ * a change to a `TreeFetcherParameters` warrants invaliding a request or response.
+ */
+export function equal(param1: TreeFetcherParameters, param2?: TreeFetcherParameters): boolean {
+  if (!param2) {
+    return false;
+  }
+  if (param1 === param2) {
+    return true;
+  }
+  if (param1.databaseDocumentID !== param2.databaseDocumentID) {
+    return false;
+  }
+  return arraysContainTheSameElements(param1.indices, param2.indices);
+}
+
+function arraysContainTheSameElements(first: unknown[], second: unknown[]): boolean {
+  if (first === second) {
+    return true;
+  }
+  if (first.length !== second.length) {
+    return false;
+  }
+  const firstSet = new Set(first);
+  for (let index = 0; index < second.length; index++) {
+    if (!firstSet.has(second[index])) {
+      return false;
+    }
+  }
+  return true;
+}

x-pack/plugins/security_solution/public/resolver/store/actions.ts

@@ -115,7 +115,7 @@ interface AppReceivedNewExternalProperties {
     /**
      * the `_id` of an ES document. This defines the origin of the Resolver graph.
      */
-    databaseDocumentID?: string;
+    databaseDocumentID: string;
     /**
      * An ID that uniquely identifies this Resolver instance from other concurrent Resolvers.
      */
@@ -125,6 +125,11 @@ interface AppReceivedNewExternalProperties {
      * The `search` part of the URL of this page.
      */
     locationSearch: string;
+
+    /**
+     * Indices that the backend will use to find the document.
+     */
+    indices: string[];
   };
 }