FIX all sort

Author: VincentD06

src/main/java/com/airbus_cyber_security/graylog/wizard/alert/business/AlertRuleService.java

@@ -18,8 +18,16 @@
 package com.airbus_cyber_security.graylog.wizard.alert.business;
 
 import com.airbus_cyber_security.graylog.wizard.alert.model.AlertRule;
+import com.google.common.collect.ImmutableList;
 import com.mongodb.BasicDBObject;
+import com.mongodb.client.AggregateIterable;
+import com.mongodb.client.MongoCollection;
+import com.mongodb.client.model.Aggregates;
+import com.mongodb.client.model.Field;
+import com.mongodb.client.model.Variable;
+import org.bson.Document;
 import org.bson.conversions.Bson;
+import org.graylog.events.processor.DBEventDefinitionService;
 import org.graylog2.bindings.providers.MongoJackObjectMapperProvider;
 import org.graylog2.database.MongoConnection;
 import org.graylog2.database.NotFoundException;
@@ -37,6 +45,7 @@
 import java.util.List;
 import java.util.Set;
 import java.util.function.Predicate;
+import java.util.stream.StreamSupport;
 
 
 // TODO split this into AlertRuleCollection and move it down in the persistence namespace
@@ -46,13 +55,16 @@ public class AlertRuleService extends PaginatedDbService<AlertRule> {
 	private final Validator validator;
 	private static final Logger LOG = LoggerFactory.getLogger(AlertRuleService.class);
 	private static final String TITLE = "title";
+	private static final List<String> STRING_FIELDS = List.of("title", "description", "creator_user_id");
+	private final MongoCollection<Document> collection;
 
 	@Inject
 	public AlertRuleService(MongoConnection mongoConnection, MongoJackObjectMapperProvider mapperProvider,
 							Validator validator) {
 		super(mongoConnection, mapperProvider, AlertRule.class, COLLECTION_NAME);
 		this.validator = validator;
 		this.db.createIndex(new BasicDBObject(TITLE, 1), new BasicDBObject("unique", true));
+		this.collection = mongoConnection.getMongoDatabase().getCollection(COLLECTION_NAME);
 	}
 
 	public AlertRule create(AlertRule alert) {
@@ -94,18 +106,65 @@ public boolean isPresent(String title) {
 		return (this.db.getCount(DBQuery.is(TITLE, title)) > 0);
 	}
 
-	public PaginatedList<AlertRule> searchPaginated(SearchQuery query, Predicate<AlertRule> filter,
-															 Bson sort, int page, int perPage) {
+	public PaginatedList<AlertRule> searchPaginated(SearchQuery query, Predicate<AlertRule> predicate,
+													String order, String sortField, int page, int perPage) {
 		final Bson dbQuery = query.toBson();
-		final PaginatedList<AlertRule> list = filter == null ?
-				findPaginatedWithQueryAndSort(dbQuery, sort, page, perPage) :
-				findPaginatedWithQueryFilterAndSort(dbQuery, filter, sort, page, perPage);
-
-		return new PaginatedList<>(
-				list,
-				list.pagination().total(),
-				page,
-				perPage
-		);
+
+		var pipelineBuilder = ImmutableList.<Bson>builder()
+				.add(Aggregates.match(dbQuery));
+
+		if (sortField.equals("priority") || sortField.equals("description")) {
+			String eventField = "$event_definition." + sortField;
+			pipelineBuilder.add(Aggregates.lookup(
+							DBEventDefinitionService.COLLECTION_NAME,
+							List.of(new Variable<>("event_identifier", doc("$toObjectId", "$alert_pattern.event_identifier")),
+									new Variable<>("event_identifier1", doc("$toObjectId", "$alert_pattern.event_identifier1"))),
+							List.of(Aggregates.match(doc("$or",
+									List.of(
+											doc("$expr", doc("$eq", List.of("$_id", "$$event_identifier"))),
+											doc("$expr", doc("$eq", List.of("$_id", "$$event_identifier1")))
+									)))),
+							"event_definition"
+					))
+					.add(Aggregates.set(new Field<>(sortField, doc("$first", eventField))))
+					.add(Aggregates.unset("event_definition"));
+		}
+
+		if (isStringField(sortField)) {
+			pipelineBuilder.add(Aggregates.set(new Field<>("lower" + sortField, doc("$toLower", "$" + sortField))))
+					.add(Aggregates.sort(getSortBuilder(order, "lower" + sortField)))
+					.add(Aggregates.unset("lower" + sortField));
+		} else {
+			pipelineBuilder.add(Aggregates.sort(getSortBuilder(order, sortField)));
+		}
+
+		final AggregateIterable<Document> result = collection.aggregate(pipelineBuilder.build());
+
+		final List<AlertRule> alertRuleList = StreamSupport.stream(result.spliterator(), false)
+				.map(AlertRule::fromDocument)
+				.filter(predicate)
+				.toList();
+
+		final long grandTotal = db.find(DBQuery.empty()).toArray()
+				.stream()
+				.filter(predicate)
+				.count();
+
+		final List<AlertRule> paginatedAlerts = perPage > 0
+				? alertRuleList.stream()
+				.skip((long) perPage * Math.max(0, page - 1))
+				.limit(perPage)
+				.toList()
+				: alertRuleList;
+
+		return new PaginatedList<>(paginatedAlerts, alertRuleList.size(), page, perPage, grandTotal);
+	}
+
+	private Document doc(String key, Object value) {
+		return new Document(key, value);
+	}
+
+	private boolean isStringField(String sortField) {
+		return STRING_FIELDS.contains(sortField);
 	}
 }

src/main/java/com/airbus_cyber_security/graylog/wizard/alert/model/AggregationAlertPattern.java

@@ -24,6 +24,7 @@
 import com.google.auto.value.AutoValue;
 
 import jakarta.validation.constraints.NotNull;
+import org.bson.Document;
 
 /**
  * To encode most simple rules: a single path (condition -> aggregation event) which trigger the same notification.
@@ -64,4 +65,11 @@ public static Builder create() {
 
         public abstract AggregationAlertPattern build();
     }
+
+    public static AggregationAlertPattern fromDocument(Document document) {
+        return builder().
+                eventIdentifier(document.getString(FIELD_EVENT_IDENTIFIER)).
+                conditions(TriggeringConditions.fromDocument(document.get(FIELD_CONDITIONS, Document.class))).
+                build();
+    }
 }

src/main/java/com/airbus_cyber_security/graylog/wizard/alert/model/AlertRule.java

@@ -20,7 +20,9 @@
 import com.fasterxml.jackson.annotation.JsonAutoDetect;
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
 import com.google.auto.value.AutoValue;
+import org.bson.Document;
 import org.joda.time.DateTime;
 
 import jakarta.annotation.Nullable;
@@ -32,54 +34,86 @@
 @AutoValue
 @JsonAutoDetect
 public abstract class AlertRule {
-    public final static String ID = "id";
+    public static final String FIELD_ID = "_id";
+    public static final String FIELD_TITLE = "title";
+    public static final String FIELD_ALERT_TYPE = "alert_type";
+    public static final String FIELD_ALERT_PATTERN = "alert_pattern";
+    public static final String FIELD_NOTIFICATION = "notification";
+    public static final String FIELD_CREATED_AT = "created_at";
+    public static final String FIELD_LAST_MODIFIED = "last_modified";
+    public static final String FIELD_CREATOR_USER_ID = "creator_user_id";
 
     @Id
     @ObjectId
     @Nullable
-    @JsonProperty(ID)
+    @JsonProperty("id")
     public abstract String id();
 
-    @JsonProperty("title")
+    @JsonProperty(FIELD_TITLE)
     @NotNull
     public abstract String getTitle();
 
-    @JsonProperty("alert_type")
+    @JsonProperty(FIELD_ALERT_TYPE)
     @Nullable
     public abstract AlertType getAlertType();
 
-    @JsonProperty("alert_pattern")
+    @JsonProperty(FIELD_ALERT_PATTERN)
     @NotNull
     public abstract AlertPattern pattern();
 
     // TODO rename into notificationIdentifier
-    @JsonProperty("notification")
+    @JsonProperty(FIELD_NOTIFICATION)
     @Nullable
     public abstract String getNotificationID();
 
-    @JsonProperty("created_at")
+    @JsonProperty(FIELD_CREATED_AT)
     @Nullable
     public abstract DateTime getCreatedAt();
 
     // TODO rename int creatorUserIdentifier
-    @JsonProperty("creator_user_id")
+    @JsonProperty(FIELD_CREATOR_USER_ID)
     @Nullable
     public abstract String getCreatorUserId();
 
-    @JsonProperty("last_modified")
+    @JsonProperty(FIELD_LAST_MODIFIED)
     @Nullable
     public abstract DateTime getLastModified();
 
     // TODO should replace the create functions by a Builder (see EventDefinitionDTO)
     @JsonCreator
     public static AlertRule create(@JsonProperty("_id") String objectId,
-                                   @JsonProperty("title") String title,
-                                   @JsonProperty("alert_type") AlertType alertType,
-                                   @JsonProperty("alert_pattern") AlertPattern pattern,
-                                   @JsonProperty("notification") String notificationID,
-                                   @JsonProperty("created_at") DateTime createdAt,
-                                   @JsonProperty("creator_user_id") String creatorUserId,
-                                   @JsonProperty("last_modified") DateTime lastModified){
+                                   @JsonProperty(FIELD_TITLE) String title,
+                                   @JsonProperty(FIELD_ALERT_TYPE) AlertType alertType,
+                                   @JsonProperty(FIELD_ALERT_PATTERN) AlertPattern pattern,
+                                   @JsonProperty(FIELD_NOTIFICATION) String notificationID,
+                                   @JsonProperty(FIELD_CREATED_AT) DateTime createdAt,
+                                   @JsonProperty(FIELD_CREATOR_USER_ID) String creatorUserId,
+                                   @JsonProperty(FIELD_LAST_MODIFIED) DateTime lastModified){
         return new AutoValue_AlertRule(objectId, title, alertType, pattern, notificationID, createdAt, creatorUserId, lastModified);
     }
+
+    public static AlertRule fromDocument(Document document) {
+        Document patternDoc = document.get(FIELD_ALERT_PATTERN, Document.class);
+        AlertPattern pattern = null;
+        if (patternDoc != null) {
+            String patternClass = patternDoc.getString(JsonTypeInfo.Id.CLASS.getDefaultPropertyName());
+            if (patternClass.equals(AutoValue_AggregationAlertPattern.class.getName())) {
+                pattern = AggregationAlertPattern.fromDocument(patternDoc);
+            } else if (patternClass.equals(AutoValue_CorrelationAlertPattern.class.getName())) {
+                pattern =  CorrelationAlertPattern.fromDocument(patternDoc);
+            } else if (patternClass.equals(AutoValue_DisjunctionAlertPattern.class.getName())) {
+                pattern = DisjunctionAlertPattern.fromDocument(patternDoc);
+            }
+        }
+
+        return new AutoValue_AlertRule(
+                document.getObjectId(FIELD_ID).toHexString(),
+                document.getString(FIELD_TITLE),
+                AlertType.valueOf(document.getString(FIELD_ALERT_TYPE)),
+                pattern,
+                document.getString(FIELD_NOTIFICATION),
+                new DateTime(document.getDate(FIELD_CREATED_AT)),
+                document.getString(FIELD_CREATOR_USER_ID),
+                new DateTime(document.getDate(FIELD_LAST_MODIFIED)));
+    }
 }

src/main/java/com/airbus_cyber_security/graylog/wizard/alert/model/CorrelationAlertPattern.java

@@ -24,6 +24,7 @@
 import com.google.auto.value.AutoValue;
 
 import jakarta.validation.constraints.NotNull;
+import org.bson.Document;
 
 /**
  * To encode AND/THEN rules: two separate conditions which are combined with a correlation event
@@ -72,4 +73,12 @@ public static Builder create() {
 
         public abstract CorrelationAlertPattern build();
     }
+
+    public static CorrelationAlertPattern fromDocument(Document document) {
+        return builder().
+                eventIdentifier(document.getString(FIELD_EVENT_IDENTIFIER)).
+                conditions1(TriggeringConditions.fromDocument(document.get(FIELD_CONDITIONS1, Document.class))).
+                conditions2(TriggeringConditions.fromDocument(document.get(FIELD_CONDITIONS2, Document.class))).
+                build();
+    }
 }

src/main/java/com/airbus_cyber_security/graylog/wizard/alert/model/DisjunctionAlertPattern.java

@@ -23,6 +23,7 @@
 import com.google.auto.value.AutoValue;
 
 import jakarta.validation.constraints.NotNull;
+import org.bson.Document;
 
 /**
  * To encode Or rule: two separate paths (condition -> aggregation event) which trigger the same notification.
@@ -79,4 +80,13 @@ public static Builder create() {
 
         public abstract DisjunctionAlertPattern build();
     }
+
+    public static DisjunctionAlertPattern fromDocument(Document document) {
+        return builder().
+                eventIdentifier1(document.getString(FIELD_EVENT_IDENTIFIER1)).
+                eventIdentifier2(document.getString(FIELD_EVENT_IDENTIFIER2)).
+                conditions1(TriggeringConditions.fromDocument(document.get(FIELD_CONDITIONS1, Document.class))).
+                conditions2(TriggeringConditions.fromDocument(document.get(FIELD_CONDITIONS2, Document.class))).
+                build();
+    }
 }

src/main/java/com/airbus_cyber_security/graylog/wizard/alert/model/FieldRule.java

@@ -25,6 +25,7 @@
 
 import jakarta.annotation.Nullable;
 import jakarta.validation.constraints.NotNull;
+import org.bson.Document;
 
 @AutoValue
 @JsonAutoDetect
@@ -55,4 +56,13 @@ public static FieldRule create(@JsonProperty("id") String id,
         return new AutoValue_FieldRule(id, field, type, value);
     }
 
+    public static FieldRule fromDocument(Document document) {
+        return create(
+                document.getString("id"),
+                document.getString("field"),
+                document.getInteger("type"),
+                document.getString("value")
+        );
+    }
+
 }

src/main/java/com/airbus_cyber_security/graylog/wizard/alert/model/Pipeline.java

@@ -24,6 +24,8 @@
 import com.google.auto.value.AutoValue;
 
 import jakarta.validation.constraints.NotNull;
+import org.bson.Document;
+
 import java.util.List;
 
 @AutoValue
@@ -71,4 +73,12 @@ public static Builder create() {
 
         public abstract Pipeline build();
     }
+
+    public static Pipeline fromDocument(Document document) {
+        return builder().
+                identifier(document.getString(FIELD_IDENTIFIER)).
+                ruleIdentifier(document.getString(FIELD_RULE_IDENTIFIER)).
+                fieldRules(document.getList(FIELD_FIELD_RULES, Document.class).stream().map(FieldRule::fromDocument).toList()).
+                build();
+    }
 }

src/main/java/com/airbus_cyber_security/graylog/wizard/alert/model/TriggeringConditions.java

@@ -25,6 +25,7 @@
 
 import jakarta.annotation.Nullable;
 import jakarta.validation.constraints.NotNull;
+import org.bson.Document;
 import org.graylog2.plugin.streams.Stream;
 
 /**
@@ -94,4 +95,13 @@ public static Builder create() {
 
         public abstract TriggeringConditions build();
     }
+
+    public static TriggeringConditions fromDocument(Document document) {
+        return builder().
+                matchingType(Stream.MatchingType.valueOf(document.getString(FIELD_MATCHING_TYPE))).
+                filteringStreamIdentifier(document.getString(FIELD_FILTERING_STREAM)).
+                outputStreamIdentifier(document.getString(FIELD_OUTPUT_STREAM)).
+
+                build();
+    }
 }

src/main/java/com/airbus_cyber_security/graylog/wizard/alert/rest/AlertRuleResource.java

@@ -656,7 +656,7 @@ public PageListResponse<GetDataAlertRule> getPage(@ApiParam(name = "page") @Quer
                                                               allowableValues = "title,user,created,lastModified")
                                                       @DefaultValue(DEFAULT_SORT_FIELD) @QueryParam("sort") String sort,
                                                       @ApiParam(name = "order", value = "The sort direction", allowableValues = "asc, desc")
-                                                      @DefaultValue(DEFAULT_SORT_DIRECTION) @QueryParam("order") SortOrder order) {
+                                                      @DefaultValue(DEFAULT_SORT_DIRECTION) @QueryParam("order") String order) {
 
         SearchQuery searchQuery;
         try {
@@ -668,7 +668,8 @@ public PageListResponse<GetDataAlertRule> getPage(@ApiParam(name = "page") @Quer
         final PaginatedList<AlertRule> result = this.alertRuleService.searchPaginated(
                 searchQuery,
                 alertRule -> true,
-                order.toBsonSort(sortAttr),
+                order,
+                sortAttr,
                 page,
                 perPage);
 

src/web/wizard/components/rules/AlertRulesContainer.jsx

@@ -92,7 +92,7 @@ const AlertRulesContainer = ({ fieldOrder }) => {
         {key: 'created', label: intl.formatMessage({id: 'wizard.created', defaultMessage: 'Created'}), config: 'Created', sortable: true},
         {key: 'lastModified', label: intl.formatMessage({id: 'wizard.lastModified', defaultMessage: 'Last Modified'}), config: 'Last Modified', sortable: true},
         {key: 'user', label: intl.formatMessage({id: 'wizard.user', defaultMessage: 'User'}), config: 'User', sortable: true},
-        {key: 'status', label: intl.formatMessage({id: 'wizard.status', defaultMessage: 'Status'}), config: 'Status', sortable: true},
+        {key: 'status', label: intl.formatMessage({id: 'wizard.status', defaultMessage: 'Status'}), config: 'Status', sortable: false},
         {key: 'rule', label: intl.formatMessage({id: 'wizard.rule', defaultMessage: 'Rule'}), config: 'Rule', sortable: false}
     ];
     const availablePriorityTypes = [