elastic · oatkiller · Jul 29, 2020 · Jul 27, 2020 · Jul 27, 2020 · Jul 27, 2020
diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/factory.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/factory.ts
@@ -0,0 +1,70 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { KibanaReactContextValue } from '../../../../../../src/plugins/kibana_react/public';
+import { StartServices } from '../../types';
+import { DataAccessLayer } from '../types';
+import {
+  ResolverRelatedEvents,
+  ResolverTree,
+  ResolverEntityIndex,
+} from '../../../common/endpoint/types';
+import { DEFAULT_INDEX_KEY as defaultIndexKey } from '../../../common/constants';
+
+/**
+ * The data access layer for resolver. All communication with the Kibana server is done through this object. This object is provided to Resolver. In tests, a mock data access layer can be used instead.
+ */
+export function dataAccessLayerFactory(
+  context: KibanaReactContextValue<StartServices>
+): DataAccessLayer {
+  const dataAccessLayer: DataAccessLayer = {
+    /**
+     * Used to get non-process related events for a node.
+     */
+    async relatedEvents(entityID: string): Promise<ResolverRelatedEvents> {
+      return context.services.http.get(`/api/endpoint/resolver/${entityID}/events`, {
+        query: { events: 100 },
+      });
+    },
+    /**
+     * Used to get descendant and ancestor process events for a node.
+     */
+    async resolverTree(entityID: string, signal: AbortSignal): Promise<ResolverTree> {
+      return context.services.http.get(`/api/endpoint/resolver/${entityID}`, {
+        signal,
+      });
+    },
+
+    /**
+     * Used to get the default index pattern from the SIEM application.
+     */
+    indexPatterns(): string[] {
+      return context.services.uiSettings.get(defaultIndexKey);
+    },
+
+    /**
+     * Used to get the entity_id for an _id.
+     */
+    async entities({
+      _id,
+      indices,
+      signal,
+    }: {
+      _id: string;
+      indices: string[];
+      signal: AbortSignal;
+    }): Promise<ResolverEntityIndex> {
+      return context.services.http.get('/api/endpoint/resolver/entity', {
+        signal,
+        query: {
+          _id,
+          indices,
+        },
+      });
+    },
+  };
+  return dataAccessLayer;
+}
diff --git a/...ns/security_solution/public/resolver/data_access_layer/mocks/one_ancestor_two_children.ts b/...ns/security_solution/public/resolver/data_access_layer/mocks/one_ancestor_two_children.ts
@@ -0,0 +1,96 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  ResolverRelatedEvents,
+  ResolverTree,
+  ResolverEntityIndex,
+} from '../../../../common/endpoint/types';
+import { mockEndpointEvent } from '../../store/mocks/endpoint_event';
+import { mockTreeWithNoAncestorsAnd2Children } from '../../store/mocks/resolver_tree';
+import { DataAccessLayer } from '../../types';
+
+interface Metadata {
+  /**
+   * The `_id` of the document being analyzed.
+   */
+  databaseDocumentID: string;
+  /**
+   * A record of entityIDs to be used in tests assertions.
+   */
+  entityIDs: {
+    /**
+     * The entityID of the node related to the document being analyzed.
+     */
+    origin: 'origin';
+    /**
+     * The entityID of the first child of the origin.
+     */
+    firstChild: 'firstChild';
+    /**
+     * The entityID of the second child of the origin.
+     */
+    secondChild: 'secondChild';
+  };
+}
+
+/**
+ * A simple mock dataAccessLayer possible that returns a tree with 0 ancestors and 2 direct children. 1 related event is returned. The parameter to `entities` is ignored.
+ */
+export function oneAncestorTwoChildren(): { dataAccessLayer: DataAccessLayer; metadata: Metadata } {
+  const metadata: Metadata = {
+    databaseDocumentID: '_id',
+    entityIDs: { origin: 'origin', firstChild: 'firstChild', secondChild: 'secondChild' },
+  };
+  return {
+    metadata,
+    dataAccessLayer: {
+      /**
+       * Fetch related events for an entity ID
+       */
+      relatedEvents(entityID: string): Promise<ResolverRelatedEvents> {
+        return Promise.resolve({
+          entityID,
+          events: [
+            mockEndpointEvent({
+              entityID,
+              name: 'event',
+              timestamp: 0,
+            }),
+          ],
+          nextEvent: null,
+        });
+      },
+
+      /**
+       * Fetch a ResolverTree for a entityID
+       */
+      resolverTree(): Promise<ResolverTree> {
+        return Promise.resolve(
+          mockTreeWithNoAncestorsAnd2Children({
+            originID: metadata.entityIDs.origin,
+            firstChildID: metadata.entityIDs.firstChild,
+            secondChildID: metadata.entityIDs.secondChild,
+          })
+        );
+      },
+
+      /**
+       * Get an array of index patterns that contain events.
+       */
+      indexPatterns(): string[] {
+        return ['index pattern'];
+      },
+
+      /**
+       * Get entities matching a document.
+       */
+      entities(): Promise<ResolverEntityIndex> {
+        return Promise.resolve([{ entity_id: metadata.entityIDs.origin }]);
+      },
+    },
+  };
+}
diff --git a/x-pack/plugins/security_solution/public/resolver/models/process_event.ts b/x-pack/plugins/security_solution/public/resolver/models/process_event.ts
@@ -29,7 +29,7 @@ export function isTerminatedProcess(passedEvent: ResolverEvent) {
 }
 
 /**
- * ms since unix epoc, based on timestamp.
+ * ms since Unix epoc, based on timestamp.
  * may return NaN if the timestamp wasn't present or was invalid.
  */
 export function datetime(passedEvent: ResolverEvent): number | null {
@@ -85,7 +85,7 @@ export function eventType(passedEvent: ResolverEvent): ResolverProcessType {
 }
 
 /**
- * Returns the process event's pid
+ * Returns the process event's PID
  */
 export function uniquePidForProcess(passedEvent: ResolverEvent): string {
   if (event.isLegacyEvent(passedEvent)) {
@@ -96,7 +96,7 @@ export function uniquePidForProcess(passedEvent: ResolverEvent): string {
 }
 
 /**
- * Returns the pid for the process on the host
+ * Returns the PID for the process on the host
  */
 export function processPid(passedEvent: ResolverEvent): number | undefined {
   if (event.isLegacyEvent(passedEvent)) {
@@ -107,7 +107,7 @@ export function processPid(passedEvent: ResolverEvent): number | undefined {
 }
 
 /**
- * Returns the process event's parent pid
+ * Returns the process event's parent PID
  */
 export function uniqueParentPidForProcess(passedEvent: ResolverEvent): string | undefined {
   if (event.isLegacyEvent(passedEvent)) {
@@ -118,7 +118,7 @@ export function uniqueParentPidForProcess(passedEvent: ResolverEvent): string |
 }
 
 /**
- * Returns the process event's parent pid
+ * Returns the process event's parent PID
  */
 export function processParentPid(passedEvent: ResolverEvent): number | undefined {
   if (event.isLegacyEvent(passedEvent)) {
@@ -144,12 +144,12 @@ export function processPath(passedEvent: ResolverEvent): string | undefined {
  */
 export function userInfoForProcess(
   passedEvent: ResolverEvent
-): { user?: string; domain?: string } | undefined {
+): { name?: string; domain?: string } | undefined {
   return passedEvent.user;
 }
 
 /**
- * Returns the MD5 hash for the `passedEvent` param, or undefined if it can't be located
+ * Returns the MD5 hash for the `passedEvent` parameter, or undefined if it can't be located
  * @param {ResolverEvent} passedEvent The `ResolverEvent` to get the MD5 value for
  * @returns {string | undefined} The MD5 string for the event
  */
@@ -164,7 +164,7 @@ export function md5HashForProcess(passedEvent: ResolverEvent): string | undefine
 /**
  * Returns the command line path and arguments used to run the `passedEvent` if any
  *
- * @param {ResolverEvent} passedEvent The `ResolverEvent` to get the arguemnts value for
+ * @param {ResolverEvent} passedEvent The `ResolverEvent` to get the arguments value for
  * @returns {string | undefined} The arguments (including the path) used to run the process
  */
 export function argsForProcess(passedEvent: ResolverEvent): string | undefined {

diff --git a/x-pack/plugins/security_solution/public/resolver/store/index.ts b/x-pack/plugins/security_solution/public/resolver/store/index.ts
@@ -6,22 +6,20 @@
 
 import { createStore, applyMiddleware, Store } from 'redux';
 import { composeWithDevTools } from 'redux-devtools-extension/developmentOnly';
-import { KibanaReactContextValue } from '../../../../../../src/plugins/kibana_react/public';
-import { ResolverState } from '../types';
-import { StartServices } from '../../types';
+import { ResolverState, DataAccessLayer } from '../types';
 import { resolverReducer } from './reducer';
 import { resolverMiddlewareFactory } from './middleware';
 import { ResolverAction } from './actions';
 
 export const storeFactory = (
-  context?: KibanaReactContextValue<StartServices>
+  dataAccessLayer: DataAccessLayer
 ): Store<ResolverState, ResolverAction> => {
   const actionsDenylist: Array<ResolverAction['type']> = ['userMovedPointer'];
   const composeEnhancers = composeWithDevTools({
     name: 'Resolver',
     actionsBlacklist: actionsDenylist,
   });
-  const middlewareEnhancer = applyMiddleware(resolverMiddlewareFactory(context));
+  const middlewareEnhancer = applyMiddleware(resolverMiddlewareFactory(dataAccessLayer));
 
   return createStore(resolverReducer, composeEnhancers(middlewareEnhancer));
 };
diff --git a/x-pack/plugins/security_solution/public/resolver/store/middleware/index.ts b/x-pack/plugins/security_solution/public/resolver/store/middleware/index.ts
@@ -5,34 +5,26 @@
  */
 
 import { Dispatch, MiddlewareAPI } from 'redux';
-import { KibanaReactContextValue } from '../../../../../../../src/plugins/kibana_react/public';
-import { StartServices } from '../../../types';
-import { ResolverState } from '../../types';
+import { ResolverState, DataAccessLayer } from '../../types';
 import { ResolverRelatedEvents } from '../../../../common/endpoint/types';
 import { ResolverTreeFetcher } from './resolver_tree_fetcher';
 import { ResolverAction } from '../actions';
 
 type MiddlewareFactory<S = ResolverState> = (
-  context?: KibanaReactContextValue<StartServices>
+  dataAccessLayer: DataAccessLayer
 ) => (
   api: MiddlewareAPI<Dispatch<ResolverAction>, S>
 ) => (next: Dispatch<ResolverAction>) => (action: ResolverAction) => unknown;
 
 /**
- * The redux middleware that the app uses to trigger side effects.
+ * The `redux` middleware that the application uses to trigger side effects.
  * All data fetching should be done here.
- * For actions that the app triggers directly, use `app` as a prefix for the type.
+ * For actions that the application triggers directly, use `app` as a prefix for the type.
  * For actions that are triggered as a result of server interaction, use `server` as a prefix for the type.
  */
-export const resolverMiddlewareFactory: MiddlewareFactory = (context) => {
+export const resolverMiddlewareFactory: MiddlewareFactory = (dataAccessLayer: DataAccessLayer) => {
   return (api) => (next) => {
-    // This cannot work w/o `context`.
-    if (!context) {
-      return async (action: ResolverAction) => {
-        next(action);
-      };
-    }
-    const resolverTreeFetcher = ResolverTreeFetcher(context, api);
+    const resolverTreeFetcher = ResolverTreeFetcher(dataAccessLayer, api);
     return async (action: ResolverAction) => {
       next(action);
 
@@ -45,12 +37,7 @@ export const resolverMiddlewareFactory: MiddlewareFactory = (context) => {
         const entityIdToFetchFor = action.payload;
         let result: ResolverRelatedEvents | undefined;
         try {
-          result = await context.services.http.get(
-            `/api/endpoint/resolver/${entityIdToFetchFor}/events`,
-            {
-              query: { events: 100 },
-            }
-          );
+          result = await dataAccessLayer.relatedEvents(entityIdToFetchFor);
         } catch {
           api.dispatch({
             type: 'serverFailedToReturnRelatedEventData',

diff --git a/x-pack/plugins/security_solution/public/resolver/store/middleware/resolver_tree_fetcher.ts b/x-pack/plugins/security_solution/public/resolver/store/middleware/resolver_tree_fetcher.ts
@@ -9,11 +9,8 @@
 import { Dispatch, MiddlewareAPI } from 'redux';
 import { ResolverTree, ResolverEntityIndex } from '../../../../common/endpoint/types';
 
-import { KibanaReactContextValue } from '../../../../../../../src/plugins/kibana_react/public';
-import { ResolverState } from '../../types';
+import { ResolverState, DataAccessLayer } from '../../types';
 import * as selectors from '../selectors';
-import { StartServices } from '../../../types';
-import { DEFAULT_INDEX_KEY as defaultIndexKey } from '../../../../common/constants';
 import { ResolverAction } from '../actions';
 /**
  * A function that handles syncing ResolverTree data w/ the current entity ID.
@@ -23,7 +20,7 @@ import { ResolverAction } from '../actions';
  * This is a factory because it is stateful and keeps that state in closure.
  */
 export function ResolverTreeFetcher(
-  context: KibanaReactContextValue<StartServices>,
+  dataAccessLayer: DataAccessLayer,
   api: MiddlewareAPI<Dispatch<ResolverAction>, ResolverState>
 ): () => void {
   let lastRequestAbortController: AbortController | undefined;
@@ -48,17 +45,12 @@ export function ResolverTreeFetcher(
         payload: databaseDocumentIDToFetch,
       });
       try {
-        const indices: string[] = context.services.uiSettings.get(defaultIndexKey);
-        const matchingEntities: ResolverEntityIndex = await context.services.http.get(
-          '/api/endpoint/resolver/entity',
-          {
-            signal: lastRequestAbortController.signal,
-            query: {
-              _id: databaseDocumentIDToFetch,
-              indices,
-            },
-          }
-        );
+        const indices: string[] = dataAccessLayer.indexPatterns();
+        const matchingEntities: ResolverEntityIndex = await dataAccessLayer.entities({
+          _id: databaseDocumentIDToFetch,
+          indices,
+          signal: lastRequestAbortController.signal,
+        });
         if (matchingEntities.length < 1) {
           // If no entity_id could be found for the _id, bail out with a failure.
           api.dispatch({
@@ -68,9 +60,10 @@ export function ResolverTreeFetcher(
           return;
         }
         const entityIDToFetch = matchingEntities[0].entity_id;
-        result = await context.services.http.get(`/api/endpoint/resolver/${entityIDToFetch}`, {
-          signal: lastRequestAbortController.signal,
-        });
+        result = await dataAccessLayer.resolverTree(
+          entityIDToFetch,
+          lastRequestAbortController.signal
+        );
       } catch (error) {
         // https://developer.mozilla.org/en-US/docs/Web/API/DOMException#exception-AbortError
         if (error instanceof DOMException && error.name === 'AbortError') {

diff --git a/x-pack/plugins/security_solution/public/resolver/store/mocks/endpoint_event.ts b/x-pack/plugins/security_solution/public/resolver/store/mocks/endpoint_event.ts
@@ -18,7 +18,7 @@ export function mockEndpointEvent({
 }: {
   entityID: string;
   name: string;
-  parentEntityId: string | undefined;
+  parentEntityId?: string;
   timestamp: number;
   lifecycleType?: string;
 }): EndpointEvent {