    def testPopulatesEventCorrectly(self):
        """Checks the Splunk event envelope and nested payload for one result.

        The clock is frozen at 15 seconds since the epoch so the event's
        ``time`` field is deterministic. Asserts the envelope fields
        (host, sourcetype, source, time) and the nested ``event`` object
        (client URN, annotations, flow id, result type and the serialised
        result). The non-ASCII path confirms that the path round-trips
        through the posted payload unchanged.
        """
        frozen_clock = rdfvalue.RDFDatetime.FromSecondsSinceEpoch(15)
        with test_lib.ConfigOverrider({
                'Splunk.url': 'http://a',
                'Splunk.token': 'b',
        }):
            with test_lib.FakeTime(frozen_clock):
                stat_entry = rdf_client_fs.StatEntry(
                    pathspec=rdf_paths.PathSpec(path='/中国', pathtype='OS'))
                args = splunk_plugin.SplunkOutputPluginArgs(
                    index='idx', annotations=['a', 'b', 'c'])
                mock_post = self._CallPlugin(plugin_args=args,
                                             responses=[stat_entry])
        events = self._ParseEvents(mock_post)
        self.assertLen(events, 1)
        event = events[0]

        # Envelope-level fields set by the plugin.
        expected_envelope = (
            ('host', 'Host-0.example.com'),
            ('sourcetype', 'grr_flow_result'),
            ('source', 'grr'),
            ('time', 15),
        )
        for key, expected in expected_envelope:
            self.assertEqual(event[key], expected)

        # Nested payload describing the client, the flow and the result.
        payload = event['event']
        self.assertEqual(payload['client']['clientUrn'],
                         'aff4:/C.1000000000000000')
        self.assertEqual(payload['annotations'], ['a', 'b', 'c'])
        self.assertEqual(payload['flow']['flowId'], '12345678')
        self.assertEqual(payload['resultType'], 'StatEntry')
        self.assertEqual(payload['result'],
                         {'pathspec': {'pathtype': 'OS', 'path': '/中国'}})
 def testFailsWhenTokenIsNotConfigured(self):
     """A missing ``Splunk.token`` must make the plugin raise.

     Only ``Splunk.url`` is configured. The plugin is expected to raise
     ``SplunkConfigurationError`` with a message naming the missing key.
     NOTE(review): because ``_CallPlugin`` raises here, its mock is never
     returned, so this test does not assert that no request was attempted.
     """
     args = splunk_plugin.SplunkOutputPluginArgs()
     results = [rdf_client.Process(pid=42)]
     expected_error = splunk_plugin.SplunkConfigurationError
     with test_lib.ConfigOverrider({'Splunk.url': 'a'}):
         with self.assertRaisesRegex(expected_error, 'Splunk.token'):
             self._CallPlugin(plugin_args=args, responses=results)
    def testPopulatesBatchCorrectly(self):
        """Two results of different types yield two events.

        Every event in the batch carries the same envelope (sourcetype,
        source, host) and the same client URN; the per-event ``resultType``
        and ``result`` follow the order of the responses passed in.
        """
        with test_lib.ConfigOverrider({
                'Splunk.url': 'http://a',
                'Splunk.token': 'b',
        }):
            stat_entry = rdf_client_fs.StatEntry(
                pathspec=rdf_paths.PathSpec(path='/中国', pathtype='OS'))
            process = rdf_client.Process(pid=42)
            mock_post = self._CallPlugin(
                plugin_args=splunk_plugin.SplunkOutputPluginArgs(),
                responses=[stat_entry, process])
        events = self._ParseEvents(mock_post)

        expected_results = [
            ('StatEntry', {'pathspec': {'pathtype': 'OS', 'path': '/中国'}}),
            ('Process', {'pid': 42}),
        ]
        self.assertLen(events, len(expected_results))

        # Envelope and client identity must be identical across the batch.
        for event in events:
            self.assertEqual(event['sourcetype'], 'grr_flow_result')
            self.assertEqual(event['source'], 'grr')
            self.assertEqual(event['host'], 'Host-0.example.com')
            self.assertEqual(event['event']['client']['clientUrn'],
                             'aff4:/C.1000000000000000')

        # Per-event payload follows the response order.
        for event, (result_type, result) in zip(events, expected_results):
            self.assertEqual(event['event']['resultType'], result_type)
            self.assertEqual(event['event']['result'], result)
    def testArgsOverrideConfiguration(self):
        """Plugin arguments take precedence over ``Splunk.*`` config values.

        ``Splunk.index`` is set to ``'e'`` in config while the plugin args
        request ``'f'``; the emitted event must carry the argument value.
        Only ``index`` is exercised here.
        """
        config = {
            'Splunk.url': 'http://a',
            'Splunk.token': 'b',
            'Splunk.index': 'e',
        }
        args = splunk_plugin.SplunkOutputPluginArgs(index='f')
        with test_lib.ConfigOverrider(config):
            mock_post = self._CallPlugin(
                plugin_args=args, responses=[rdf_client.Process(pid=42)])

        first_event = self._ParseEvents(mock_post)[0]
        self.assertEqual(first_event['index'], 'f')
    def testRaisesForHttpError(self):
        """An HTTP error from the collector propagates out of the plugin.

        ``requests.post`` is replaced with a mock whose response's
        ``raise_for_status`` raises ``HTTPError``; the plugin must let that
        exception surface rather than silently drop a failed delivery.
        """
        failing_post = mock.MagicMock()
        response = failing_post.return_value
        response.raise_for_status.side_effect = requests.exceptions.HTTPError()
        patch_post = mock.patch.object(requests, 'post', failing_post)

        with test_lib.ConfigOverrider({
                'Splunk.url': 'http://a',
                'Splunk.token': 'b',
        }):
            with self.assertRaises(requests.exceptions.HTTPError):
                self._CallPlugin(
                    plugin_args=splunk_plugin.SplunkOutputPluginArgs(),
                    responses=[rdf_client.Process(pid=42)],
                    patcher=patch_post)
  def testReadsConfigurationValuesCorrectly(self):
    """Every ``Splunk.*`` config key is plumbed into the HEC request.

    Checks the request side (collector URL derived from ``Splunk.url``,
    the ``verify`` flag from ``Splunk.verify_https``, and the
    ``Authorization: Splunk <token>`` header) and the event side
    (source, sourcetype, index).
    NOTE(review): setting ``Splunk.verify_https`` to False only shows the
    knob is honoured; the secure default (TLS verification on) is not
    asserted anywhere in this test and deserves its own case.
    """
    config = {
        'Splunk.url': 'http://a',
        'Splunk.token': 'b',
        'Splunk.verify_https': False,
        'Splunk.source': 'c',
        'Splunk.sourcetype': 'd',
        'Splunk.index': 'e',
    }
    with test_lib.ConfigOverrider(config):
      mock_post = self._CallPlugin(
          plugin_args=splunk_plugin.SplunkOutputPluginArgs(),
          responses=[rdf_client.Process(pid=42)])

    post_kwargs = mock_post.call_args[KWARGS]
    self.assertEqual(post_kwargs['url'], 'http://a/services/collector/event')
    self.assertFalse(post_kwargs['verify'])
    self.assertEqual(post_kwargs['headers']['Authorization'], 'Splunk b')

    first_event = self._ParseEvents(mock_post)[0]
    for key, expected in (('source', 'c'), ('sourcetype', 'd'), ('index', 'e')):
      self.assertEqual(first_event[key], expected)