[Elastic Defend onboarding][Fleet Integration] Unit tests to createDefaultPolicy and getPackagePolicyPostCreateCallback (#142690)

x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts

@@ -19,6 +19,7 @@ import {
 import { buildManifestManagerMock } from '../endpoint/services/artifacts/manifest_manager/manifest_manager.mock';
 import {
   getPackagePolicyCreateCallback,
+  getPackagePolicyPostCreateCallback,
   getPackagePolicyDeleteCallback,
   getPackagePolicyUpdateCallback,
 } from './fleet_integration';
@@ -40,11 +41,16 @@ import type { InternalArtifactCompleteSchema } from '../endpoint/schemas/artifac
 import { ManifestManager } from '../endpoint/services/artifacts/manifest_manager';
 import { getMockArtifacts, toArtifactRecords } from '../endpoint/lib/artifacts/mocks';
 import { Manifest } from '../endpoint/lib/artifacts';
-import type { NewPackagePolicy } from '@kbn/fleet-plugin/common/types/models';
+import type { NewPackagePolicy, PackagePolicy } from '@kbn/fleet-plugin/common/types/models';
 import type { ManifestSchema } from '../../common/endpoint/schema/manifest';
 import type { DeletePackagePoliciesResponse } from '@kbn/fleet-plugin/common';
 import { createMockPolicyData } from '../endpoint/services/feature_usage/mocks';
 import { ALL_ENDPOINT_ARTIFACT_LIST_IDS } from '../../common/endpoint/service/artifacts/constants';
+import { ENDPOINT_EVENT_FILTERS_LIST_ID } from '@kbn/securitysolution-list-constants';
+
+jest.mock('uuid', () => ({
+  v4: (): string => 'NEW_UUID',
+}));
 
 describe('ingest_integration tests ', () => {
   let endpointAppContextMock: EndpointAppContextServiceStartContract;
@@ -248,12 +254,75 @@ describe('ingest_integration tests ', () => {
       expect(manifestManager.pushArtifacts).not.toHaveBeenCalled();
       expect(manifestManager.commit).not.toHaveBeenCalled();
     });
-
-    it.todo('should override policy config with endpoint settings');
-    it.todo('should override policy config with cloud settings');
   });
+
   describe('package policy post create callback', () => {
-    it.todo('should create Event Filters given valid parameter on integration config');
+    const logger = loggingSystemMock.create().get('ingest_integration.test');
+    const callback = getPackagePolicyPostCreateCallback(logger, exceptionListClient);
+    const policyConfig = generator.generatePolicyPackagePolicy() as PackagePolicy;
+
+    it('should create the Endpoint Event Filters List and add the correct Event Filters List Item attached to the policy given nonInteractiveSession parameter on integration config eventFilters', async () => {
+      const integrationConfig = {
+        type: 'cloud',
+        eventFilters: {
+          nonInteractiveSession: true,
+        },
+      };
+
+      policyConfig.inputs[0]!.config!.integration_config = {
+        value: integrationConfig,
+      };
+      const postCreatedPolicyConfig = await callback(
+        policyConfig,
+        requestContextMock.convertContext(ctx),
+        req
+      );
+
+      expect(await exceptionListClient.createExceptionList).toHaveBeenCalledWith(
+        expect.objectContaining({ listId: ENDPOINT_EVENT_FILTERS_LIST_ID })
+      );
+
+      expect(await exceptionListClient.createExceptionListItem).toHaveBeenCalledWith(
+        expect.objectContaining({
+          listId: ENDPOINT_EVENT_FILTERS_LIST_ID,
+          tags: [`policy:${postCreatedPolicyConfig.id}`],
+          osTypes: ['linux'],
+          entries: [
+            {
+              field: 'process.entry_leader.interactive',
+              operator: 'included',
+              type: 'match',
+              value: 'false',
+            },
+          ],
+          itemId: 'NEW_UUID',
+          namespaceType: 'agnostic',
+        })
+      );
+    });
+
+    it('should not call Event Filters List and Event Filters List Item if nonInteractiveSession parameter is not present on integration config eventFilters', async () => {
+      const integrationConfig = {
+        type: 'cloud',
+      };
+
+      policyConfig.inputs[0]!.config!.integration_config = {
+        value: integrationConfig,
+      };
+      const postCreatedPolicyConfig = await callback(
+        policyConfig,
+        requestContextMock.convertContext(ctx),
+        req
+      );
+
+      expect(await exceptionListClient.createExceptionList).not.toHaveBeenCalled();
+
+      expect(await exceptionListClient.createExceptionListItem).not.toHaveBeenCalled();
+
+      expect(postCreatedPolicyConfig.inputs[0]!.config!.integration_config.value).toEqual(
+        integrationConfig
+      );
+    });
   });
   describe('package policy update callback (when the license is below platinum)', () => {
     beforeEach(() => {

x-pack/plugins/security_solution/server/fleet_integration/handlers/create_default_policy.test.ts

@@ -0,0 +1,142 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { Subject } from 'rxjs';
+import type { ILicense } from '@kbn/licensing-plugin/common/types';
+import { licenseMock } from '@kbn/licensing-plugin/common/licensing.mock';
+import { LicenseService } from '../../../common/license';
+import { createDefaultPolicy } from './create_default_policy';
+import type { PolicyConfig } from '../../../common/endpoint/types';
+import {
+  policyFactory as policyConfigFactory,
+  policyFactoryWithoutPaidFeatures as policyConfigFactoryWithoutPaidFeatures,
+} from '../../../common/endpoint/models/policy_config';
+import type {
+  AnyPolicyCreateConfig,
+  PolicyCreateCloudConfig,
+  PolicyCreateEndpointConfig,
+} from '../types';
+
+describe('Create Default Policy tests ', () => {
+  const Platinum = licenseMock.createLicense({ license: { type: 'platinum', mode: 'platinum' } });
+  const Gold = licenseMock.createLicense({ license: { type: 'gold', mode: 'gold' } });
+  let licenseEmitter: Subject<ILicense>;
+  let licenseService: LicenseService;
+
+  const createDefaultPolicyCallback = (config: AnyPolicyCreateConfig | undefined): PolicyConfig => {
+    return createDefaultPolicy(licenseService, config);
+  };
+
+  beforeEach(() => {
+    licenseEmitter = new Subject();
+    licenseService = new LicenseService();
+    licenseService.start(licenseEmitter);
+    licenseEmitter.next(Platinum); // set license level to platinum
+  });
+  describe('When no config is set', () => {
+    it('Should return the Default Policy Config when license is at least platinum', () => {
+      const policy = createDefaultPolicyCallback(undefined);
+      expect(policy).toEqual(policyConfigFactory());
+    });
+    it('Should return the Default Policy Config without paid features when license is below platinum', () => {
+      licenseEmitter.next(Gold);
+      const policy = createDefaultPolicyCallback(undefined);
+      expect(policy).toEqual(policyConfigFactoryWithoutPaidFeatures());
+    });
+  });
+  describe('When endpoint config is set', () => {
+    const createEndpointConfig = (
+      endpointConfig: PolicyCreateEndpointConfig['endpointConfig']
+    ): PolicyCreateEndpointConfig => {
+      return {
+        type: 'endpoint',
+        endpointConfig,
+      };
+    };
+
+    const defaultEventsDisabled = () => ({
+      linux: {
+        process: false,
+        file: false,
+        network: false,
+        session_data: false,
+        tty_io: false,
+      },
+      mac: {
+        process: false,
+        file: false,
+        network: false,
+      },
+      windows: {
+        process: false,
+        file: false,
+        network: false,
+        dll_and_driver_load: false,
+        dns: false,
+        registry: false,
+        security: false,
+      },
+    });
+    const OSTypes = ['linux', 'mac', 'windows'] as const;
+
+    it('Should return only process event enabled on policy when preset is NGAV', () => {
+      const config = createEndpointConfig({ preset: 'NGAV' });
+      const policy = createDefaultPolicyCallback(config);
+      const events = defaultEventsDisabled();
+      OSTypes.forEach((os) => {
+        expect(policy[os].events).toMatchObject({
+          ...events[os],
+          process: true,
+        });
+      });
+    });
+    it('Should return process, file and network events enabled when preset is EDR Essential', () => {
+      const config = createEndpointConfig({ preset: 'EDREssential' });
+      const policy = createDefaultPolicyCallback(config);
+      const events = defaultEventsDisabled();
+      const enabledEvents = {
+        process: true,
+        file: true,
+        network: true,
+      };
+      OSTypes.forEach((os) => {
+        expect(policy[os].events).toMatchObject({
+          ...events[os],
+          ...enabledEvents,
+        });
+      });
+    });
+    it('Should return the default config when preset is EDR Complete', () => {
+      const config = createEndpointConfig({ preset: 'EDRComplete' });
+      const policy = createDefaultPolicyCallback(config);
+      const policyFactory = policyConfigFactory();
+      expect(policy).toMatchObject(policyFactory);
+    });
+  });
+  describe('When cloud config is set', () => {
+    const createCloudConfig = (): PolicyCreateCloudConfig => ({
+      type: 'cloud',
+    });
+
+    it('Session data should be enabled for Linux', () => {
+      const config = createCloudConfig();
+      const policy = createDefaultPolicyCallback(config);
+      expect(policy.linux.events.session_data).toBe(true);
+    });
+    it('Protections should be disabled for all OSs', () => {
+      const config = createCloudConfig();
+      const policy = createDefaultPolicyCallback(config);
+      const OSTypes = ['linux', 'mac', 'windows'] as const;
+      OSTypes.forEach((os) => {
+        expect(policy[os].malware.mode).toBe('off');
+        expect(policy[os].memory_protection.mode).toBe('off');
+        expect(policy[os].behavior_protection.mode).toBe('off');
+      });
+      // Ransomware is windows only
+      expect(policy.windows.ransomware.mode).toBe('off');
+    });
+  });
+});