Add initial support to validate the mappings in system tests

[mrodm]

Relates #2206

Add validation of the mappings when running system tests.

This process compares the mappings installed by Fleet (preview mappings) with the ones obtained after ingesting new documents into Elasticsearch.

This validation for the time being is behind an environment variable as a technical preview:

# Default value and same behavior as now (validation of fields)
ELASTIC_PACKAGE_FIELD_VALIDATION_TEST_METHOD=fields elastic-package test system -v

# Test just validation of mappings 
ELASTIC_PACKAGE_FIELD_VALIDATION_TEST_METHOD=mappings elastic-package test system -v

# Test both validation of mappings and fields
ELASTIC_PACKAGE_FIELD_VALIDATION_TEST_METHOD=all elastic-package test system -v

Assumptions considered while working on this PR: #2206 (comment)

As part of this PR:

• CI pipeline has been updated to remove steps related to running system tests with Elastic Agent.
  • It will be kept one step to ensure that the feature is working.
• CI pipeline has been updated to add steps to run mapping validation in system tests.

Author's checklist

• Update CI steps to remove old stack agents
• Update CI to add new steps for validating fields using mappings
• Add environment variable to validate that fields are documented with different methods
• Add new environment variables to docs.
• Remove debug/testing log statements
• Test with Elastic stack 8.x
  • Some packages are failing like prometheus failing since some fields depend on dynamic templates (not implemented yet)
• Test with Elastic stack 7.x (f5 package in integrations repository)
• Test with integration and input packages (sql_input test package in elastic-package repo).
• Test with Elastic stacks with LogsDB enabled (synthetics).
  • Tested in CI with ti_anomali_logsdb and auth0_logsdb

[mrodm]

/test

[mrodm]

New variable to hold just the Field Definitions from the local directory (package).

It is needed to check if a given mapping is related to a field definition with type array.

[jsoriano]

Why not using Schema?

[mrodm]

Added here for completeness, but it is not used in this validator.

Should we remove it from here?

[jsoriano]

If not used I would say to remove it.

[mrodm]

test integrations

[elastic-vault-github-plugin-prod]

Created or updated PR in integrations repository to test this version. Check elastic/integrations#11828

[mrodm]

box_events, claroty_ctd, mimecast, ti_anomali:

• failures like for threat.indicator.modified_at different types in ECS and in Elasticsearch
• failures depend on the stack version

There is a difference in the ecs@mappings component template between 8.13.0 and 8.15.3 related to the dynamic template to detect dates causing these errors:

• 8.13.0 (it is missing *.indicator.last_seen, *.indicate.first_seen and *.indicator.modified_at)

        {
          "ecs_date": {
            "path_match": [
              "*.timestamp",
              "*_timestamp",
              "*.not_after",
              "*.not_before",
              "*.accessed",
              "created",
              "*.created",
              "*.installed",
              "*.creation_date",
              "*.ctime",
              "*.mtime",
              "ingested",
              "*.ingested",
              "*.start",
              "*.end"
            ],
            "unmatch_mapping_type": "object",
            "mapping": {
              "type": "date"
            }
          }
        },

• 8.15.3

        {
          "ecs_date": {
            "path_match": [
              "*.timestamp",
              "*_timestamp",
              "*.not_after",
              "*.not_before",
              "*.accessed",
              "created",
              "*.created",
              "*.installed",
              "*.creation_date",
              "*.ctime",
              "*.mtime",
              "ingested",
              "*.ingested",
              "*.start",
              "*.end",
              "*.indicator.first_seen",
              "*.indicator.last_seen",
              "*.indicator.modified_at",
              "*threat.enrichments.matched.occurred"
            ],
            "unmatch_mapping_type": "object",
            "mapping": {
              "type": "date"
            }
          }
        }

Not sure if it could be applied some kind of exception @jsoriano

[mrodm]

For the cef package there is a similar error as in box_events and others:

• 8.6.1 dynamic templates (this mapping does not match url.original):
  • These dynamic templates are added as part of the import_mappings setting.

        {
          "_embedded_ecs-url_original_to_multifield": {
            "path_match": "*.url.original",
            "mapping": {
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              },
              "type": "wildcard"
            }
          }
        },

• 8.15.3, these dynamic templates belong to the ecs@mappings component template:

        {
          "ecs_path_match_wildcard_and_match_only_text": {
            "path_match": [
              "*.body.content",
              "*url.full",
              "*url.original"
            ],
            "unmatch_mapping_type": "object",
            "mapping": {
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              },
              "type": "wildcard"
            }
          }
        },

[mrodm]

In the second build from integrations, teleport started to fail but I could not reproduce it yet locally:
https://buildkite.com/elastic/integrations/builds/18608#_
but in the third attempt it run successfully. I don't know why there could be differences in the mappings.

In the first build, this package was not failing:
https://buildkite.com/elastic/integrations/builds/18601#_

[mrodm]

The error related to ibmmq it's about process.pid.
In this case, this field comes from the Ingest pipeline where it is set the type float (link).
This field is not defined in the package, and when checking with ECS it fails because ECS sets for this field long type (link).

This package fails with both 8.14.0 and 8.15.3 stack versions.

Mapping created for this field in this package during tests:

        "process": {
          "properties": {
            "pid": {
              "type": "float"
            },
            "title": {
              "type": "keyword",
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              }
            }
          }
        }

EDIT: It looks like that currently (with fields validation), this is accepted if the definition is long (ECS) and the value has type float:

elastic-package/internal/fields/validate.go

Lines 1234 to 1247 in 8cc126a

	case "float", "long", "double":
	switch val := val.(type) {
	case float64:
	case json.Number:
	case string:
	if !slices.Contains(v.stringNumberFields, key) {
	return invalidTypeError()
	}
	if _, err := strconv.ParseFloat(val, 64); err != nil {
	return invalidTypeError()
	}
	default:
	return invalidTypeError()
	}

[mrodm]

Triggered a new execution in integrations with the rest of packages:
https://buildkite.com/elastic/integrations/builds/18617

[mrodm]

In the latest integrations build, there are some failures in network_traffic package. These look related to the same issue #2214 (comment)

There are fields undefined under a group field, that I think thy are not taken into account since until spec 3.0.1 they are not checked.

• Definition from ecs: https://github.com/elastic/ecs/blob/ce703ab38f0c128c0dfeeb2daf0893ff3021cdff/generated/ecs/ecs_flat.yml#L2204-L2222

EDIT: dns.answers in this case it's an array of objects: https://github.com/elastic/integrations/blob/ef28635e4ed1fd875b50861e7bd783af7ef68968/packages/network_traffic/data_stream/dns/sample_event.json#L27

Not sure how to detect this via the actual or preview mappings

[mrodm]

test integrations

[elastic-vault-github-plugin-prod]

Created or updated PR in integrations repository to test this version. Check elastic/integrations#11828

[mrodm]

Added an exception to validate mappings that define number type (long, float, double) in 5097aee

This change is related to the issue found in the comment: #2214 (comment)

[mrodm]

Just updated the logic to show warnings when a field is defined as nested, and it could have just some fields under it with no definition.

Tested with gcp package:

• https://github.com/elastic/integrations/blob/932f12662fb91649cf4907df3a77ad417ac534fb/packages/gcp/data_stream/firewall/fields/fields.yml#L33-L36

Examples:

• Field type nested (parent), but just one field under that field is not defined:
  • there are actual mappings under this field
  • just some fields are defined in the package

2024/12/03 19:23:34  WARN Validate mappings found (technical preview)
2024/12/03 19:23:34  WARN Skip validation of nested object (spec version gcp.firewall.rule_details.ip_port_info): 3.0.0
2024/12/03 19:23:34  WARN undefined path "gcp.firewall.rule_details.ip_port_info.port_range" (pending to check dynamic templates)
2024/12/03 19:23:34  WARN skip validation due to parent type nested:
[0] field "gcp.firewall.rule_details.ip_port_info.port_range" is undefined: missing definition for path

• Field type nested (parent):
  • there are actual mappings under this field
  • no field is defined in the package

2024/12/03 19:27:42  WARN Validate mappings found (technical preview)
2024/12/03 19:27:42  WARN Skip validation of nested object (spec version gcp.firewall.rule_details.ip_port_info): 3.0.0
2024/12/03 19:27:42  WARN skipped due to field of type "nested": not found properties in preview mappings for path "gcp.firewall.rule_details.ip_port_info"

Tested updating gcp package to spec 3.0.1, this test fails:

FAILURE DETAILS:
gcp/firewall pubsub:
[0] not found properties in preview mappings for path: gcp.firewall.rule_details.ip_port_info


╭─────────┬─────────────┬───────────┬───────────┬──────────────────────────────────────────────────────────────────────────────────────────────────┬───────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT                                                                                           │  TIME ELAPSED │
├─────────┼─────────────┼───────────┼───────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────┤
│ gcp     │ firewall    │ system    │ pubsub    │ FAIL: test case failed: one or more errors found in mappings in logs-gcp.firewall index template │ 32.218456931s │
╰─────────┴─────────────┴───────────┴───────────┴──────────────────────────────────────────────────────────────────────────────────────────────────┴───────────────╯
--- Test results for package: gcp - END   ---
Done
Error: failed to process results: one or more test cases failed

[mrodm]

test integrations

[elastic-vault-github-plugin-prod]

Created or updated PR in integrations repository to test this version. Check elastic/integrations#11828

[jsoriano]

We can probably go on with these changes and continue polishing in other PRs.

There seems to be good test coverage, I would only try to make them more real, specially on what we can expect on the actual mappings for a given preview.

[jsoriano]

Implementation before 3.0.1 ignored everything under nested objects, right? Couldn't we return nil directly here?

[mrodm]

Maybe it's not needed, but I didn't return here with nil to allow us to show warnings with all the missing definitions.

[jsoriano]

Can this case happen? Than an actual mapping doesn't have a field that is in the preview?

[mrodm]

I was thinking that maybe this could happen since in system testing it is appended all the ECS definitions depending on the stack version or import_mappings.

Maybe there could be a case (e.g. with the ecs@mappings component template without import_mappings) where some field does not match any dynamic template but it is in the ECS.

Would that make sense @jsoriano ?

[jsoriano]

I mean that in this actual mapping, the foo field should be also present, right?

[jsoriano]

If the user is in the mapping, and is not external, it should be in the preview, right?

[mrodm]

That's right. As user is in the schema, it should have a mapping in the preview too. I'll fix this test case.

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: ee755e9

History

• 💚 Build #4396 succeeded aa60ec4
• 💛 Build #4395 was flaky c0dbfbb
• 💚 Build #4388 succeeded 5097aee
• 💚 Build #4360 succeeded cdf7821
• 💚 Build #4359 succeeded f4451d2
• 💚 Build #4355 succeeded e20d563

cc @mrodm

[mrodm]

test integrations

[elastic-vault-github-plugin-prod]

Created or updated PR in integrations repository to test this version. Check elastic/integrations#11828