[Security Solution][Endpoint] Fix automated response actions when spaces is enabled and action can not be sent (#226043)

## Summary

PR fixes the following issue when spaces is enabled:

- When automated response actions are processed, if unable to determine
the policy associated with the agent the action is being sent to, we
should still create the failed action request (as we did before spaces
was enabled)
- Although this fix creates the action request in failed state, it will
not be visible in the UI - both under the alert that triggered it and
the action history log - because we are not able to determine access to
the action due to not having policy information for the agent.
- Action failure will tagged as "orphan" and thus it will be displayed
in the action history log in the space that is configured to show orphan
actions

Author: paul-tavares

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/action_details_by_id.test.ts

@@ -179,4 +179,19 @@ describe('When using `getActionDetailsById()', () => {
       })
     );
   });
+
+  it('should not validate against spaces when `bypassSpaceValidation` is `true`', async () => {
+    // @ts-expect-error
+    endpointAppContextService.experimentalFeatures.endpointManagementSpaceAwarenessEnabled = true;
+    (
+      endpointAppContextService.getInternalFleetServices().ensureInCurrentSpace as jest.Mock
+    ).mockResolvedValue(undefined);
+    await getActionDetailsById(endpointAppContextService, 'default', '123', {
+      bypassSpaceValidation: true,
+    });
+
+    expect(
+      endpointAppContextService.getInternalFleetServices().ensureInCurrentSpace
+    ).not.toHaveBeenCalled();
+  });
 });

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/action_details_by_id.ts

@@ -27,7 +27,16 @@ import { NotFoundError } from '../../errors';
 export const getActionDetailsById = async <T extends ActionDetails = ActionDetails>(
   endpointService: EndpointAppContextService,
   spaceId: string,
-  actionId: string
+  actionId: string,
+  {
+    bypassSpaceValidation = false,
+  }: Partial<{
+    /**
+     * if `true`, then no space validations will be done on the action retrieved. Default is `false`.
+     * USE IT CAREFULLY!
+     */
+    bypassSpaceValidation: boolean;
+  }> = {}
 ): Promise<T> => {
   let normalizedActionRequest: ReturnType<typeof mapToNormalizedActionRequest> | undefined;
   let actionResponses: FetchActionResponsesResult;
@@ -36,7 +45,7 @@ export const getActionDetailsById = async <T extends ActionDetails = ActionDetai
     // Get both the Action Request(s) and action Response(s)
     const [actionRequestEsDoc, actionResponseResult] = await Promise.all([
       // Get the action request(s)
-      fetchActionRequestById(endpointService, spaceId, actionId),
+      fetchActionRequestById(endpointService, spaceId, actionId, { bypassSpaceValidation }),
 
       // Get all responses
       fetchActionResponses({

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/clients/endpoint/endpoint_actions_client.test.ts

@@ -21,6 +21,7 @@ import { Readable } from 'stream';
 import { EndpointActionGenerator } from '../../../../../../common/endpoint/data_generators/endpoint_action_generator';
 import type { ResponseActionsRequestBody } from '../../../../../../common/api/endpoint';
 import { AgentNotFoundError } from '@kbn/fleet-plugin/server';
+import { ALLOWED_ACTION_REQUEST_TAGS } from '../../constants';
 
 jest.mock('../../action_details_by_id', () => {
   const originalMod = jest.requireActual('../../action_details_by_id');
@@ -596,5 +597,52 @@ describe('EndpointActionsClient', () => {
         ).not.toHaveBeenCalled();
       }
     );
+
+    it('should create failed action request for automated response actions', async () => {
+      classConstructorOptions.isAutomated = true;
+      // @ts-expect-error mocking this for testing purposes
+      endpointActionsClient.checkAgentIds = jest.fn().mockResolvedValueOnce({
+        isValid: false,
+        valid: [],
+        invalid: ['invalid-id'],
+        hosts: [{ agent: { id: 'invalid-id', name: '' }, host: { hostname: '' } }],
+      });
+
+      await endpointActionsClient.isolate(
+        responseActionsClientMock.createIsolateOptions(getCommonResponseActionOptions())
+      );
+
+      expect(classConstructorOptions.esClient.index).toHaveBeenCalledWith(
+        expect.objectContaining({
+          document: expect.objectContaining({
+            agent: { id: [], policy: [] },
+            tags: [ALLOWED_ACTION_REQUEST_TAGS.integrationPolicyDeleted],
+          }),
+        }),
+        expect.anything()
+      );
+    });
+
+    it('should return action details for failed automated response actions even when no valid agents', async () => {
+      classConstructorOptions.isAutomated = true;
+      // @ts-expect-error mocking this for testing purposes
+      endpointActionsClient.checkAgentIds = jest.fn().mockResolvedValueOnce({
+        isValid: false,
+        valid: [],
+        invalid: ['invalid-id'],
+        hosts: [{ agent: { id: 'invalid-id', name: '' }, host: { hostname: '' } }],
+      });
+
+      await endpointActionsClient.isolate(
+        responseActionsClientMock.createIsolateOptions(getCommonResponseActionOptions())
+      );
+
+      expect(getActionDetailsByIdMock).toHaveBeenCalledWith(
+        expect.anything(),
+        expect.anything(),
+        expect.anything(),
+        { bypassSpaceValidation: true }
+      );
+    });
   });
 });

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/clients/endpoint/endpoint_actions_client.ts

@@ -195,7 +195,10 @@ export class EndpointActionsClient extends ResponseActionsClientImpl {
       }),
     });
 
-    return this.fetchActionDetails<TResponse>(actionId);
+    // We bypass space validation when retrieving the action details to ensure that if a failed
+    // action was created, and it did not contain the agent policy information (and space is enabled)
+    // we don't trigger an error.
+    return this.fetchActionDetails<TResponse>(actionId, true);
   }
 
   private async dispatchActionViaFleet({

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/clients/lib/base_response_actions_client.test.ts

@@ -293,7 +293,8 @@ describe('ResponseActionsClientImpl base class', () => {
       expect(getActionDetailsByIdMock).toHaveBeenCalledWith(
         expect.anything(),
         expect.anything(),
-        'one'
+        'one',
+        { bypassSpaceValidation: false }
       );
     });
   });

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/clients/lib/base_response_actions_client.ts

@@ -16,6 +16,7 @@ import type { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/type
 import type { PackagePolicy } from '@kbn/fleet-plugin/common';
 import { PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '@kbn/fleet-plugin/common';
 import type { ResponseActionRequestTag } from '../../constants';
+import { ALLOWED_ACTION_REQUEST_TAGS } from '../../constants';
 import { getUnExpiredActionsEsQuery } from '../../utils/fetch_space_ids_with_maybe_pending_actions';
 import { catchAndWrapError } from '../../../../utils';
 import {
@@ -452,12 +453,20 @@ export abstract class ResponseActionsClientImpl implements ResponseActionsClient
   /**
    * Returns the action details for a given response action id
    * @param actionId
+   * @param bypassSpaceValidation
    * @protected
    */
   protected async fetchActionDetails<T extends ActionDetails = ActionDetails>(
-    actionId: string
+    actionId: string,
+    /**
+     * if `true`, then no space validations will be done on the action retrieved. Default is `false`.
+     * USE IT CAREFULLY!
+     */
+    bypassSpaceValidation: boolean = false
   ): Promise<T> {
-    return getActionDetailsById(this.options.endpointService, this.options.spaceId, actionId);
+    return getActionDetailsById(this.options.endpointService, this.options.spaceId, actionId, {
+      bypassSpaceValidation,
+    });
   }
 
   /**
@@ -611,29 +620,41 @@ export abstract class ResponseActionsClientImpl implements ResponseActionsClient
 
     this.notifyUsage(actionRequest.command);
 
+    const actionId = actionRequest.actionId || uuidv4();
+    const tags = actionRequest.tags ?? [];
+
+    // With automated response action, it's possible to reach this point and not have any `endpoint_ids`
+    // defined in the action. That's because with automated response actions we always create an
+    // action request, even when there is a failure - like if the agent was un-enrolled in between
+    // the event sent and the detection engine processing that event.
+    const agentPolicyInfo =
+      isSpacesEnabled && actionRequest.endpoint_ids.length
+        ? await this.fetchAgentPolicyInfo(actionRequest.endpoint_ids)
+        : [];
+
+    if (isSpacesEnabled && agentPolicyInfo.length === 0) {
+      tags.push(ALLOWED_ACTION_REQUEST_TAGS.integrationPolicyDeleted);
+    }
+
     const doc: LogsEndpointAction<TParameters, TOutputContent, TMeta> = {
       '@timestamp': new Date().toISOString(),
 
       // Add the `originSpaceId` property to the document if spaces is enabled
       ...(isSpacesEnabled ? { originSpaceId: this.options.spaceId } : {}),
 
       // Add `tags` property to the document if spaces is enabled
-      ...(isSpacesEnabled ? { tags: actionRequest.tags ?? [] } : {}),
+      ...(isSpacesEnabled ? { tags } : {}),
 
       // Need to suppress this TS error around `agent.policy` not supporting `undefined`.
       // It will be removed once we enable the feature and delete the feature flag checks.
       // @ts-expect-error
       agent: {
         id: actionRequest.endpoint_ids,
         // add the `policy` info if space awareness is enabled
-        ...(isSpacesEnabled
-          ? {
-              policy: await this.fetchAgentPolicyInfo(actionRequest.endpoint_ids),
-            }
-          : {}),
+        ...(isSpacesEnabled ? { policy: agentPolicyInfo } : {}),
       },
       EndpointActions: {
-        action_id: actionRequest.actionId || uuidv4(),
+        action_id: actionId,
         expiration: getActionRequestExpiration(),
         type: 'INPUT_ACTION',
         input_type: this.agentType,

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/utils/fetch_action_request_by_id.test.ts

@@ -117,5 +117,18 @@ describe('fetchActionRequestById() utility', () => {
         'Action [123] not found'
       );
     });
+
+    it('should not validate action against spaces if `bypassSpaceValidation` is true', async () => {
+      (
+        endpointServiceMock.getInternalFleetServices().ensureInCurrentSpace as jest.Mock
+      ).mockResolvedValue(undefined);
+      await fetchActionRequestById(endpointServiceMock, 'default', '123', {
+        bypassSpaceValidation: true,
+      });
+
+      expect(
+        endpointServiceMock.getInternalFleetServices().ensureInCurrentSpace as jest.Mock
+      ).not.toHaveBeenCalled();
+    });
   });
 });

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/utils/fetch_action_request_by_id.ts

@@ -25,7 +25,6 @@ import { REF_DATA_KEYS } from '../../../lib/reference_data';
  * @param endpointService
  * @param spaceId
  * @param actionId
- *
  * @throws
  */
 export const fetchActionRequestById = async <
@@ -35,7 +34,16 @@ export const fetchActionRequestById = async <
 >(
   endpointService: EndpointAppContextService,
   spaceId: string,
-  actionId: string
+  actionId: string,
+  {
+    bypassSpaceValidation = false,
+  }: Partial<{
+    /**
+     * if `true`, then no space validations will be done on the action retrieved. Default is `false`.
+     * USE IT CAREFULLY!
+     */
+    bypassSpaceValidation: boolean;
+  }> = {}
 ): Promise<LogsEndpointAction<TParameters, TOutputContent, TMeta>> => {
   const logger = endpointService.createLogger('fetchActionRequestById');
   const searchResponse = await endpointService
@@ -54,7 +62,10 @@ export const fetchActionRequestById = async <
 
   if (!actionRequest) {
     throw new NotFoundError(`Action with id '${actionId}' not found.`);
-  } else if (endpointService.experimentalFeatures.endpointManagementSpaceAwarenessEnabled) {
+  } else if (
+    endpointService.experimentalFeatures.endpointManagementSpaceAwarenessEnabled &&
+    !bypassSpaceValidation
+  ) {
     if (!actionRequest.agent.policy || actionRequest.agent.policy.length === 0) {
       const message = `Response action [${actionId}] missing 'agent.policy' information - unable to determine if response action is accessible for space [${spaceId}]`;