From 4a6135786627a616e32f301946f8315f9659bb32 Mon Sep 17 00:00:00 2001
From: Maryam Saeidi <maryam.saeidi@elastic.co>
Date: Wed, 14 Aug 2024 12:38:53 +0200
Subject: [PATCH] [Custom threshold] Always pass allowLeadingWildcards as true
 to the KQL validation in the custom threshold rule API param validation
 (#190031)

Fixes #189072
Related #190029

## Summary

This PR updates the KQL validation on the server side by passing the
Kibana leadingWildcard setting as true during validation. This means
that even if this configuration is disabled in Kibana, we will still
allow saving such a filter in the rule, but it will fail during rule
execution.
I've created a separate ticket to discuss how to apply the KQL
validation correctly during API param validation.
([issue](https://github.com/elastic/kibana/issues/190029))

This fix will solve the following issues:
<img
src="https://github.com/user-attachments/assets/d99177cb-d4cd-4f33-9a60-8575d87372e3"
width=500 />

We also have [proper validation on the UI
side](https://github.com/elastic/kibana/blob/main/x-pack/plugins/observability_solution/observability/public/components/custom_threshold/components/validation.tsx#L60,L64)
that considers Kibana setting during validation:

|Error|Leading wildcard error|
|---|---|
|
![image](https://github.com/user-attachments/assets/81cfaea6-c932-4184-8f2f-0d06b267a986)|![image](https://github.com/user-attachments/assets/7719813d-ee7b-4eac-b04f-69a867a6dd89)|

(cherry picked from commit ae4d522b52b2c3573c4e276bfd38ecec00d9ff96)
---
 ...rverless_upgrade_and_rollback_checks.test.ts.snap | 12 ++++++------
 .../register_custom_threshold_rule_type.ts           |  4 ++--
 .../server/lib/rules/custom_threshold/utils.test.ts  | 12 +++++++++++-
 .../server/lib/rules/custom_threshold/utils.ts       |  8 ++++++--
 x-pack/plugins/translations/translations/fr-FR.json  |  1 -
 x-pack/plugins/translations/translations/ja-JP.json  |  1 -
 x-pack/plugins/translations/translations/zh-CN.json  |  1 -
 7 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap b/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap
index 932daa1fed69d5..c84a3565d48f6b 100644
--- a/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap
+++ b/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap
@@ -5619,12 +5619,6 @@ Object {
                   },
                   "name": "custom",
                 },
-                Object {
-                  "args": Object {
-                    "method": [Function],
-                  },
-                  "name": "custom",
-                },
               ],
               "type": "string",
             },
@@ -5639,6 +5633,12 @@ Object {
                   },
                   "name": "custom",
                 },
+                Object {
+                  "args": Object {
+                    "method": [Function],
+                  },
+                  "name": "custom",
+                },
               ],
               "type": "string",
             },
diff --git a/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/register_custom_threshold_rule_type.ts b/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/register_custom_threshold_rule_type.ts
index f198a6c7079686..2fe8cbe76d2940 100644
--- a/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/register_custom_threshold_rule_type.ts
+++ b/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/register_custom_threshold_rule_type.ts
@@ -56,10 +56,10 @@ export const MetricsRulesTypeAlertDefinition: IRuleTypeAlerts<CustomThresholdAle
 export const searchConfigurationSchema = schema.object({
   index: schema.oneOf([schema.string(), dataViewSpecSchema]),
   query: schema.object({
-    language: schema.string({
+    language: schema.string(),
+    query: schema.string({
       validate: validateKQLStringFilter,
     }),
-    query: schema.string(),
   }),
   filter: schema.maybe(
     schema.arrayOf(
diff --git a/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.test.ts b/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.test.ts
index 96eaebdd2b92f7..12eae525c4476b 100644
--- a/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.test.ts
+++ b/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.test.ts
@@ -62,12 +62,22 @@ describe('validateKQLStringFilter', () => {
     // input, output
     ['', undefined],
     ['host.name:host-0', undefined],
-    [':*', 'filterQuery must be a valid KQL filter'],
+  ];
+  const dataWithError = [
+    // input, output
+    [
+      ':*',
+      'filterQuery must be a valid KQL filter (error: Expected "(", NOT, end of input, field name, value, whitespace but ":" found.',
+    ],
   ];
 
   test.each(data)('validateKQLStringFilter(%s): %o', (input: any, output: any) => {
     expect(validateKQLStringFilter(input)).toEqual(output);
   });
+
+  test.each(dataWithError)('validateKQLStringFilter(%s): %o', (input: any, output: any) => {
+    expect(validateKQLStringFilter(input)).toContain(output);
+  });
 });
 
 describe('getFormattedGroupBy', () => {
diff --git a/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.ts b/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.ts
index c80a003c050e07..d7736838629837 100644
--- a/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.ts
+++ b/x-pack/plugins/observability_solution/observability/server/lib/rules/custom_threshold/utils.ts
@@ -52,10 +52,14 @@ export const validateKQLStringFilter = (value: string) => {
   }
 
   try {
-    kbnBuildEsQuery(undefined, [{ query: value, language: 'kuery' }], []);
+    kbnBuildEsQuery(undefined, [{ query: value, language: 'kuery' }], [], {
+      allowLeadingWildcards: true,
+      queryStringOptions: {},
+      ignoreFilterIfFieldNotInIndex: false,
+    });
   } catch (e) {
     return i18n.translate('xpack.observability.customThreshold.rule.schema.invalidFilterQuery', {
-      defaultMessage: 'filterQuery must be a valid KQL filter',
+      defaultMessage: `filterQuery must be a valid KQL filter (error: ${e.message})`,
     });
   }
 };
diff --git a/x-pack/plugins/translations/translations/fr-FR.json b/x-pack/plugins/translations/translations/fr-FR.json
index 5c924a9a4ad8ae..592464fc03cf09 100644
--- a/x-pack/plugins/translations/translations/fr-FR.json
+++ b/x-pack/plugins/translations/translations/fr-FR.json
@@ -29721,7 +29721,6 @@
     "xpack.observability.customThreshold.rule.labelsActionVariableDescription": "Liste d'étiquettes associées avec l'entité sur laquelle l'alerte s'est déclenchée.",
     "xpack.observability.customThreshold.rule.orchestratorActionVariableDescription": "Objet orchestrateur défini par ECS s'il est disponible dans la source.",
     "xpack.observability.customThreshold.rule.reasonActionVariableDescription": "Une description concise de la raison du signalement",
-    "xpack.observability.customThreshold.rule.schema.invalidFilterQuery": "filterQuery doit être un filtre KQL valide",
     "xpack.observability.customThreshold.rule.sourceConfiguration.missingHttp": "Échec de chargement de la source : Aucun client HTTP disponible.",
     "xpack.observability.customThreshold.rule.sourceConfiguration.updateFailureBody": "Nous n'avons pas pu appliquer les modifications à la configuration des indicateurs. Réessayez plus tard.",
     "xpack.observability.customThreshold.rule.sourceConfiguration.updateFailureTitle": "La mise à jour de la configuration a échoué",
diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json
index f784846d9f1159..f750b51354c577 100644
--- a/x-pack/plugins/translations/translations/ja-JP.json
+++ b/x-pack/plugins/translations/translations/ja-JP.json
@@ -29699,7 +29699,6 @@
     "xpack.observability.customThreshold.rule.labelsActionVariableDescription": "このアラートがトリガーされたエンティティに関連付けられたラベルのリスト。",
     "xpack.observability.customThreshold.rule.orchestratorActionVariableDescription": "ソースで使用可能な場合に、ECSで定義されたオーケストレーターオブジェクト。",
     "xpack.observability.customThreshold.rule.reasonActionVariableDescription": "アラートの理由の簡潔な説明",
-    "xpack.observability.customThreshold.rule.schema.invalidFilterQuery": "filterQueryは有効なKQLフィルターでなければなりません",
     "xpack.observability.customThreshold.rule.sourceConfiguration.missingHttp": "ソースの読み込みに失敗しました：HTTPクライアントがありません。",
     "xpack.observability.customThreshold.rule.sourceConfiguration.updateFailureBody": "変更をメトリック構成に適用できませんでした。しばらくたってから再試行してください。",
     "xpack.observability.customThreshold.rule.sourceConfiguration.updateFailureTitle": "構成の更新が失敗しました",
diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json
index 5b70e9a8ae5494..2060417b3453c9 100644
--- a/x-pack/plugins/translations/translations/zh-CN.json
+++ b/x-pack/plugins/translations/translations/zh-CN.json
@@ -29739,7 +29739,6 @@
     "xpack.observability.customThreshold.rule.labelsActionVariableDescription": "与在其上触发此告警的实体关联的标签列表。",
     "xpack.observability.customThreshold.rule.orchestratorActionVariableDescription": "ECS 定义的 Orchestrator 对象（如果在源中可用）。",
     "xpack.observability.customThreshold.rule.reasonActionVariableDescription": "告警原因的简洁描述",
-    "xpack.observability.customThreshold.rule.schema.invalidFilterQuery": "filterQuery 必须是有效的 KQL 筛选",
     "xpack.observability.customThreshold.rule.sourceConfiguration.missingHttp": "无法加载源：无 HTTP 客户端可用。",
     "xpack.observability.customThreshold.rule.sourceConfiguration.updateFailureBody": "无法对指标配置应用更改。请稍后重试。",
     "xpack.observability.customThreshold.rule.sourceConfiguration.updateFailureTitle": "配置更新失败",