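class InputsPage(DocumentWithoutAddProp):
    """Schema for the inputs page: title, description, table and service list."""

    title = StringField(required=True, max_length=60)
    description = StringField(max_length=200)
    table = DocumentField(InputsTable, as_ref=True, required=True)
    # Service definitions; each entry must carry a name, a title and its entities.
    services = ArrayField(DictField(
        properties={
            # First character must be alphanumeric; later ones may also be "_" or "-".
            # NOTE(review): if this pattern is enforced with Python's `re`, `$` also
            # matches just before a trailing newline - confirm the validating engine
            # if the name must be newline-free.
            "name": StringField(required=True, pattern="^[0-9a-zA-Z][0-9a-zA-Z_-]*$", max_length=50),
            "title": StringField(required=True, max_length=100),
            "entity": ArrayField(DocumentField(InputsEntity, as_ref=True), required=True),
            "options": DocumentField(Hooks, as_ref=True),
            "groups": ArrayField(DictField(
                properties={
                    "options": DictField(
                        properties={
                            "isExpandable": BooleanField(),
                            "expand": BooleanField()
                        }
                    ),
                    "label": StringField(required=True, max_length=100),
                    # Raw string: "\w" is not a valid Python string escape, so the
                    # non-raw spelling triggers an invalid-escape warning on newer
                    # interpreters. The pattern value itself is unchanged.
                    "field": ArrayField(StringField(required=True, pattern=r"^\w+$"))
                }
            ), required=False),
            "style": StringField(required=False, enum=["page", "dialog"]),
            # No property schema is declared for the hook here.
            "hook": DictField(required=False),
            "conf": StringField(required=False, max_length=100),
            "restHandlerName": StringField(required=False, max_length=100)
        }
    ), required=True)
    # No property schema is declared for the menu here.
    menu = DictField(required=False)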
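class Alerts(DocumentWithoutAddProp):
    """Schema for one alert: name, label, description, optional ``activeResponse``
    metadata and the alert's entities."""

    name = StringField(required=True, pattern="^[a-zA-Z0-9_]+$", max_length=100)
    label = StringField(required=True, max_length=100)
    description = StringField(required=True)
    activeResponse = DictField(properties={
        "task": ArrayField(StringField(required=True), required=True, min_items=1),
        "supportsAdhoc": BooleanField(required=True),
        "subject": ArrayField(StringField(required=True), required=True, min_items=1),
        "category": ArrayField(StringField(required=True), required=True, min_items=1),
        "technology": ArrayField(DocumentField(Technology, as_ref=True), required=True, min_items=1),
        # Only the type is constrained here; no pattern, format or length limit.
        "drilldownUri": StringField(required=False),
        # The hyphen sits last in the class so it is a literal. Written as ":-_" it
        # is a range from ":" to "_", which also admits ; < = > ? @ [ \ ] ^ and so
        # lets through characters the allow-list was evidently meant to reject.
        "sourcetype": StringField(required=False, pattern="^[a-zA-Z0-9:_-]+$", max_length=50)
    }, required=False)
    entity = ArrayField(DocumentField(AlertEntity, as_ref=True))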
def test_array_field():
    """Check ArrayField.get_schema() with role-dependent items and options."""
    str_field = StringField()
    num_field = NumberField()
    array = ArrayField(Var({
        'role_1': str_field,
        'role_2': num_field,
    }))

    # Each role resolves ``items`` to the field registered for that role.
    for role, expected_field in (('role_1', str_field), ('role_2', num_field)):
        resolved = array.get_schema(role=role)
        assert resolved['items'] == expected_field.get_schema()

    # Without a role no ``items`` key is emitted.
    assert 'items' not in array.get_schema()

    def only_for_role_1(value):
        return Var({'role_1': value})

    array = ArrayField(
        str_field,
        min_items=only_for_role_1(1),
        max_items=only_for_role_1(2),
        unique_items=only_for_role_1(True),
        additional_items=only_for_role_1(True),
    )

    # The role-bound options only show up when that role is requested.
    assert array.get_schema() == {
        'type': 'array',
        'items': str_field.get_schema(),
    }
    assert array.get_schema(role='role_1') == {
        'type': 'array',
        'items': str_field.get_schema(),
        'minItems': 1,
        'maxItems': 2,
        'uniqueItems': True,
        'additionalItems': True,
    }
class BaseNormalization(Document):
    """Common schema that normalization configurations build on."""

    domain_name = None

    class TimestampInfo(Document):
        """Timestamp description: a field name and a format, both mandatory."""

        field = StringField(required=True)
        format = StringField(required=True)

    class Fields(Document):
        """Field section: an optional scope string and a free-form mapping."""

        scope = StringField()
        mapping = DictField()

    name = StringField(required=True)
    filter_query = BooleanField(default=False)
    os_types = ArrayField(StringField(), required=False)
    domain = StringField(required=True)
    strict = BooleanField(required=True)
    timestamp = DocumentField(TimestampInfo(), required=True)
    fields = DocumentField(Fields(), required=True)
    # Every value under ``events`` is a dict with ``enum``, ``mapping`` and ``filter``.
    events = DictField(
        additional_properties=DictField(
            {
                # Two nested levels of dicts whose leaf values are strings.
                "enum": DictField(
                    additional_properties=DictField(
                        additional_properties=StringField(),
                    ),
                ),
                "mapping": DictField(),
                "filter": StringField(required=True),
            },
            required=True,
        ),
    )
class Domain(Document):
    """Meta schema describing a query domain."""

    class EventInfo(Document):
        """Per-event entry: an enum dict of string lists plus a list of fields."""

        # ``eql_name`` is passed positionally as StringField's first argument.
        enum = DictField(
            additional_properties=ArrayField(
                StringField(eql_name),
            ),
        )
        fields = ArrayField(StringField(eql_name))

    name = StringField(required=True)
    fields = ArrayField(StringField(), required=True)
    # Every value under ``events`` has to be an EventInfo document.
    events = DictField(
        additional_properties=DocumentField(EventInfo()),
    )
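class TabContent(DocumentWithoutAddProp):
    """Schema for one tab of the configuration page."""

    entity = ArrayField(DocumentField(ConfigurationEntity, as_ref=True), required=True)
    # Word characters and "/" only. Raw string: "\/" and "\w" are not valid Python
    # string escapes, so the non-raw spelling triggers an invalid-escape warning on
    # newer interpreters. The pattern value itself is unchanged.
    # NOTE(review): if this pattern is enforced with Python's `re`, `$` also matches
    # just before a trailing newline - confirm the validating engine.
    name = StringField(required=True, pattern=r"^[\/\w]+$", max_length=250)
    title = StringField(required=True, max_length=50)
    options = DocumentField(Hooks, as_ref=True)
    table = DocumentField(ConfigurationTable, as_ref=True)
    conf = StringField(required=False, max_length=100)
    restHandlerName = StringField(required=False, max_length=100)
    # Provisioning tab level hook on configuration page
    hook = DocumentField(Hooks, as_ref=True)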
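class Table(DocumentWithoutAddProp):
    """Base table schema: optional ``moreInfo`` rows, required ``header`` columns
    and an optional custom row definition."""

    # Raw strings below: "\w" is not a valid Python string escape, so the non-raw
    # spelling triggers an invalid-escape warning on newer interpreters. The
    # pattern values themselves are unchanged.
    moreInfo = ArrayField(DictField(
        properties={
            "field": StringField(required=True, pattern=r"^\w+$"),
            "label": StringField(required=True, max_length=30),
            "mapping": DictField(required=False)
        }
    ))
    # Header field names that need to be displayed in the UI
    header = ArrayField(DictField(
        properties={
            "field": StringField(required=True, pattern=r"^\w+$"),
            "label": StringField(required=True, max_length=30),
            "mapping": DictField(required=False),
            # No property schema is declared for the custom cell here.
            "customCell": DictField(required=False)
        }
    ), required=True)
    # Custom row implementation, if required for special cases
    customRow = DictField(required=False)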
class User(Document):
    """User document whose fields are declared per role through ``Scope`` blocks."""

    class Options(object):
        # Matcher built from not_(PARTIAL_RESPONSE_ROLE); presumably the roles that
        # get passed on to nested documents - confirm against the library docs.
        roles_to_propagate = not_(PARTIAL_RESPONSE_ROLE)

    # Fields attached to the DB_ROLE scope.
    with Scope(DB_ROLE) as db:
        db._id = StringField(required=True)
        db.version = StringField(required=True)

    # Scope selected for roles starting with RESPONSE_ROLE, or equal to REQUEST_ROLE.
    with Scope(lambda r: r.startswith(RESPONSE_ROLE) or r == REQUEST_ROLE) as response:
        # ``required`` is itself role-dependent: when_not(PARTIAL_RESPONSE_ROLE).
        response.id = StringField(required=when_not(PARTIAL_RESPONSE_ROLE))

    # Scope built from not_(REQUEST_ROLE).
    with Scope(not_(REQUEST_ROLE)) as not_request:
        not_request.messages = ArrayField(DocumentField(Message), required=when_not(PARTIAL_RESPONSE_ROLE))
def test_array_field():
    """Check that ArrayField.iter_all_fields() yields every nested field."""
    # Items and additional_items both role-dependent.
    by_role = ArrayField(
        Var({'role_1': a, 'role_2': b}),
        additional_items=Var({'role_3': c, 'role_4': d}),
    )
    assert set(by_role.iter_all_fields()) == {a, b, c, d}

    # One role maps to a tuple of item fields.
    with_tuple = ArrayField(
        Var({'role_1': (a, b), 'role_2': c}),
        additional_items=d,
    )
    assert set(with_tuple.iter_all_fields()) == {a, b, c, d}

    # Plain fields, no Var involved.
    plain = ArrayField(a, additional_items=b)
    assert set(plain.iter_all_fields()) == {a, b}

    # Nothing configured, nothing yielded.
    empty = ArrayField()
    assert set(empty.iter_all_fields()) == set()
class AnalyticMetadata(Document):
    """Metadata schema shared by all analytics; may be extended for cloud."""

    # Identifier constrained by UUID_PATTERN.
    id = StringField(required=True, pattern=UUID_PATTERN)
    categories = ArrayField(
        StringField(enum=["detect", "hunt", "enrich"]),
        required=True,
    )
    contributors = ArrayField(StringField(), required=True)
    confidence = StringField(required=True, enum=["low", "medium", "high"])
    # Dates are plain required strings; no format is enforced by this schema.
    created_date = StringField(required=True)
    description = StringField(required=True)
    name = StringField(required=True)
    notes = StringField(required=False)
    os = ArrayField(StringField(enum=OS_NAMES), required=True)
    references = ArrayField(StringField(), required=False)
    tactics = ArrayField(StringField(enum=TACTICS), required=False)
    tags = ArrayField(StringField(), required=False)
    # Unlike ``tactics``, technique values are not restricted to an enum.
    techniques = ArrayField(StringField(), required=False)
    updated_date = StringField(required=True)
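class AlertEntity(DocumentWithoutAddProp):
    """Schema for one input entity of an alert."""

    # Raw string: "\w" is not a valid Python string escape, so the non-raw spelling
    # triggers an invalid-escape warning on newer interpreters. The pattern value
    # itself is unchanged.
    field = StringField(required=True, pattern=r"^\w+$")
    label = StringField(required=True, max_length=30)
    type = StringField(required=True,
                       enum=["text", "singleSelect", "checkbox", "radio", "singleSelectSplunkSearch"])
    help = StringField(max_length=200)
    # A default may be a number, a string of at most 250 characters, or a boolean.
    defaultValue = OneOfField([
        NumberField(),
        StringField(max_length=250),
        BooleanField()
    ])
    required = BooleanField()
    # NOTE(review): presumably the search behind "singleSelectSplunkSearch" -
    # confirm. Only its length is constrained by this schema.
    search = StringField(max_length=200)
    valueField = StringField(max_length=200)
    labelField = StringField(max_length=200)
    options = DictField(
        properties={
            "items": ArrayField(DocumentField(ValueLabelPair, as_ref=True))
        }
    )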
def test_array_field():
    """Check ArrayField.iter_fields() and resolve_and_iter_fields() per role."""
    # Role-dependent items and additional_items, including roles mapped to None.
    by_role = ArrayField(
        Var({'role_1': a, 'role_2': b, 'role_none': None}),
        additional_items=Var({
            'role_3': c,
            'role_4': d,
            'role_1': e,
            'role_none': None,
        }),
    )
    assert set(by_role.iter_fields()) == {a, b, c, d, e}
    assert set(by_role.resolve_and_iter_fields('role_1')) == {a, e}
    assert set(by_role.resolve_and_iter_fields('role_3')) == {c}
    assert set(by_role.resolve_and_iter_fields('role_none')) == set()

    # One role maps to a tuple of item fields.
    with_tuple = ArrayField(
        Var({'role_1': (a, b), 'role_2': c}),
        additional_items=d,
    )
    assert set(with_tuple.iter_fields()) == {a, b, c, d}

    # A tuple of items whose first element is role-dependent.
    mixed = ArrayField((Var({'role_1': a, 'role_2': b, 'role_none': None}), c))
    assert set(mixed.iter_fields()) == {a, b, c}
    assert set(mixed.resolve_and_iter_fields('role_1')) == {a, c}
    assert set(mixed.resolve_and_iter_fields('role_none')) == {c}

    # Plain fields are returned for any role.
    plain = ArrayField(a, additional_items=b)
    assert set(plain.iter_fields()) == {a, b}
    assert set(plain.resolve_and_iter_fields('some_role')) == {a, b}

    # Nothing configured, nothing yielded.
    empty = ArrayField()
    assert set(empty.iter_fields()) == set()
def test_array_field():
    """Check ArrayField.iter_all_fields() and the role-aware iter_fields()."""
    # Role-dependent items and additional_items, including roles mapped to None.
    by_role = ArrayField(
        Var({'role_1': a, 'role_2': b, 'role_none': None}),
        additional_items=Var({
            'role_3': c,
            'role_4': d,
            'role_1': e,
            'role_none': None,
        }),
    )
    assert set(by_role.iter_all_fields()) == {a, b, c, d, e}
    assert set(by_role.iter_fields('role_1')) == {a, e}
    assert set(by_role.iter_fields('role_3')) == {c}
    assert set(by_role.iter_fields('role_none')) == set()

    # One role maps to a tuple of item fields.
    with_tuple = ArrayField(
        Var({'role_1': (a, b), 'role_2': c}),
        additional_items=d,
    )
    assert set(with_tuple.iter_all_fields()) == {a, b, c, d}

    # A tuple of items whose first element is role-dependent.
    mixed = ArrayField((Var({'role_1': a, 'role_2': b, 'role_none': None}), c))
    assert set(mixed.iter_all_fields()) == {a, b, c}
    assert set(mixed.iter_fields('role_1')) == {a, c}
    assert set(mixed.iter_fields('role_none')) == {c}

    # Plain fields are returned for any role.
    plain = ArrayField(a, additional_items=b)
    assert set(plain.iter_all_fields()) == {a, b}
    assert set(plain.iter_fields('some_role')) == {a, b}

    # Nothing configured, nothing yielded.
    empty = ArrayField()
    assert set(empty.iter_all_fields()) == set()
class NumberValidator(ValidatorBase):
    """Validator entry whose ``type`` must be the literal "number"."""

    type = StringField(enum=["number"], required=True)
    # Required list of numbers. No item count is declared, so the schema itself
    # does not force a fixed number of bounds.
    range = ArrayField(NumberField(), required=True)
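class Entity(DocumentWithoutAddProp):
    """Schema for one form entity: field name, label, widget type, options and
    validators."""

    # Raw string: "\w" is not a valid Python string escape, so the non-raw spelling
    # triggers an invalid-escape warning on newer interpreters. The pattern value
    # itself is unchanged.
    # NOTE(review): if this pattern is enforced with Python's `re`, `$` also matches
    # just before a trailing newline - confirm the validating engine.
    field = StringField(required=True, pattern=r"^\w+$")
    label = StringField(required=True, max_length=30)
    type = StringField(required=True,
                       enum=["custom", "text", "singleSelect", "checkbox", "multipleSelect",
                             "radio", "placeholder", "oauth", "helpLink"])
    help = StringField(max_length=200)
    tooltip = StringField(max_length=250)
    # A default may be a number, a string of at most 250 characters, or a boolean.
    defaultValue = OneOfField([
        NumberField(),
        StringField(max_length=250),
        BooleanField()
    ])
    options = DictField(
        properties={
            "disableSearch": BooleanField(),
            # Either grouped entries (label plus children) or a flat value/label list.
            "autoCompleteFields": OneOfField([
                ArrayField(DictField(
                    properties={
                        "label": StringField(required=True, max_length=150),
                        "children": ArrayField(DocumentField(ValueLabelPair, as_ref=True), required=True)
                    }
                )),
                ArrayField(DocumentField(ValueLabelPair, as_ref=True))
            ]),
            # NOTE(review): only the length is limited; no URL shape is enforced here.
            "endpointUrl": StringField(max_length=350),
            "denyList": StringField(max_length=350),
            "allowList": StringField(max_length=350),
            "delimiter": StringField(max_length=1),
            "items": ArrayField(DocumentField(ValueLabelPair, as_ref=True)),
            "referenceName": StringField(max_length=250),
            "enable": BooleanField(),
            "placeholder": StringField(max_length=250),
            "display": BooleanField(),
            "labelField": StringField(max_length=250),
            "src": StringField(max_length=250),
            "defaultValue": StringField(max_length=250),
            "disableonEdit": BooleanField(),
            "basic": ArrayField(DocumentField(OAuthFields, as_ref=True)),
            "oauth": ArrayField(DocumentField(OAuthFields, as_ref=True)),
            "auth_type": ArrayField(StringField(max_length=100)),
            "auth_label": StringField(max_length=250),
            "oauth_popup_width": NumberField(),
            "oauth_popup_height": NumberField(),
            "oauth_timeout": NumberField(),
            # NOTE(review): both endpoints are length-limited strings only. No scheme
            # or host constraint is declared at schema level, so any such check has to
            # happen where these values are consumed.
            "auth_code_endpoint": StringField(max_length=350),
            "access_token_endpoint": StringField(max_length=350),
            "text": StringField(max_length=50),
            # No pattern, format or length limit is declared for the link.
            "link": StringField()
        }
    )
    required = BooleanField()
    # Boolean flag only; how an encrypted entity is stored is outside this schema.
    encrypted = BooleanField()
    # List of built-in field validators; each entry must match at least one of them.
    validators = ArrayField(AnyOfField([
        DocumentField(StringValidator, as_ref=True),
        DocumentField(NumberValidator, as_ref=True),
        DocumentField(RegexValidator, as_ref=True),
        DocumentField(EmailValidator, as_ref=True),
        DocumentField(Ipv4Validator, as_ref=True),
        DocumentField(UrlValidator, as_ref=True),
        DocumentField(DateValidator, as_ref=True)
    ]))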
class ConfigurationPage(DocumentWithoutAddProp):
    """Schema for the configuration page: title, description and its tabs."""

    title = StringField(max_length=60, required=True)
    description = StringField(max_length=200)
    # At least one tab has to be declared.
    tabs = ArrayField(
        DocumentField(TabContent, as_ref=True),
        min_items=1,
        required=True,
    )
class ConfigurationTable(Table):
    """Table variant for configuration tabs, with a required ``actions`` list."""

    # Allowed row actions: edit, delete and clone.
    actions = ArrayField(
        StringField(enum=["edit", "delete", "clone"]),
        required=True,
    )
class InputsTable(Table):
    """Table variant for the inputs page, with a required ``actions`` list."""

    # Allowed row actions: edit, delete, clone and enable.
    actions = ArrayField(
        StringField(enum=["edit", "delete", "clone", "enable"]),
        required=True,
    )
class EventInfo(Document):
    """Event entry: an enum dict of string lists plus a list of fields."""

    # ``eql_name`` is passed positionally as StringField's first argument.
    enum = DictField(
        additional_properties=ArrayField(
            StringField(eql_name),
        ),
    )
    fields = ArrayField(StringField(eql_name))
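class Technology(DocumentWithoutAddProp):
    """Schema for one technology entry: versions, product and vendor."""

    # Dotted numeric versions such as "1" or "1.2.3"; at least one is required.
    # Raw string: "\d" and "\." are not valid Python string escapes, so the non-raw
    # spelling triggers an invalid-escape warning on newer interpreters. The
    # pattern value itself is unchanged.
    version = ArrayField(StringField(required=True, pattern=r"^\d+(?:\.\d+)*$"),
                         required=True, min_items=1)
    product = StringField(required=True, max_length=100)
    vendor = StringField(required=True, max_length=100)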
class UCCConfig(DocumentWithoutAddProp):
    """Top-level schema: required ``meta`` and ``pages``, optional ``alerts``."""

    meta = DocumentField(Meta, required=True, as_ref=True)
    pages = DocumentField(Pages, required=True, as_ref=True)
    # Optional, but when present it must hold at least one alert.
    alerts = ArrayField(
        DocumentField(Alerts, as_ref=True),
        min_items=1,
        required=False,
    )