def test_engine_config(self, mock_error):
"""Test building an engine with a custom config."""
schema = {'event_types': {'magic': 543212345}}
target_file = os.path.abspath('analytics-saved.tmp.json')
analytics_file = os.path.abspath('analytics.tmp.json')
config_file = os.path.abspath('config.tmp.json')
with use_schema(schema):
analytics = parse_analytics([{
'query': "magic where true",
'metadata': {
'id': str(uuid.uuid4())
}
}])
save_analytics(analytics, analytics_file)
with open(analytics_file, 'r') as f:
expected_contents = f.read()
save_dump({'schema': schema}, config_file)
main([
'build', analytics_file, target_file, '--config', config_file,
'--analytics-only'
])
with open(target_file, 'r') as f:
actual_contents = f.read()
self.assertEqual(actual_contents, expected_contents)
os.remove(config_file)
os.remove(target_file)
os.remove(analytics_file)
def test_engine_schema_failure(self):
"""Test building an engine with a custom config."""
schema = {'event_types': {'magic': 543212345}}
target_file = os.path.abspath('analytics-saved.tmp.json')
analytics_file = os.path.abspath('analytics.tmp.json')
with use_schema(schema):
analytics = parse_analytics([{
'query': "magic where true",
'metadata': {
'id': str(uuid.uuid4())
}
}])
save_analytics(analytics, analytics_file)
with self.assertRaises(SchemaError):
main(['build', analytics_file, target_file])
os.remove(analytics_file)
def test_engine_schema_implied(self):
"""Test building an engine with a custom config."""
schema = {'magic': {}}
target_file = os.path.abspath('analytics-saved.tmp.json')
analytics_file = os.path.abspath('analytics.tmp.json')
with Schema(schema):
analytics = parse_analytics([{
'query': "magic where true",
'metadata': {
'id': str(uuid.uuid4())
}
}])
save_analytics(analytics, analytics_file)
main(['build', analytics_file, target_file])
os.remove(analytics_file)
os.remove(target_file)
def test_engine_config(self, mock_error):
"""Test building an engine with a custom config."""
schema = {'magic': {"expected_field": "string"}}
target_file = os.path.abspath('analytics-saved.tmp.json')
analytics_file = os.path.abspath('analytics.tmp.json')
config_file = os.path.abspath('config.tmp.json')
if os.path.exists(target_file):
os.remove(target_file)
analytics = parse_analytics([
{
'query': "magic where actual_field = true",
'metadata': {
'id': str(uuid.uuid4())
}
},
])
save_analytics(analytics, analytics_file)
save_dump({
'schema': {
"events": schema
},
"allow_any": False
}, config_file)
with self.assertRaises(EqlSchemaError):
main([
'build', analytics_file, target_file, '--config', config_file,
'--analytics-only'
])
self.assertFalse(os.path.exists(target_file))
os.remove(config_file)
os.remove(analytics_file)
def load_analytics(filename):
"""Load analytics."""
analytics = load_dump(filename)
if isinstance(analytics, dict):
analytics = analytics['analytics'] # type: list
return parse_analytics(analytics)
from eql.loader import save_analytics
from eql.main import main
from eql.parser import parse_analytics
from eql.schema import use_schema
from eql.utils import save_dump
build_analytics = parse_analytics([
{
'query': "process where a == b",
'metadata': {
'id': str(uuid.uuid4())
}
},
{
'query': "sequence [process where a == b] [file where x == y]",
'metadata': {
'id': str(uuid.uuid4())
}
},
{
'query': "join by unique_pid [network where true] [dns where true]",
'metadata': {
'id': str(uuid.uuid4())
}
},
])
def stdin_patch():
"""Patch stdin with a temporary stream."""
return io.StringIO(u'\n'.join(
[json.dumps(event.data) for event in TestEngine.get_events()]))