def test_versioned_downgrade(self):
    """Downgrade a KQL rule with version information"""
    contents = self.v79_kql
    # A 7.9.x target already understands every field present, so the
    # rule must come back unchanged whatever the patch level.
    for target in ("7.9", "7.9.2"):
        self.assertDictEqual(downgrade(contents, target), contents)
    # 7.8 predates the author/license fields; the downgrade drops exactly
    # those two keys and nothing else.
    expected_78 = dict(contents)
    del expected_78["author"]
    del expected_78["license"]
    self.assertDictEqual(downgrade(contents, "7.8"), expected_78)
    # Anything older than 7.8 is refused rather than producing a rule the
    # target stack could not load.
    with self.assertRaises(ValueError):
        downgrade(contents, "7.7")
def test_versioned_downgrade(self):
    """Downgrade a KQL rule with version information"""
    contents = self.versioned_rule.contents
    # Same-or-newer targets leave the rule untouched.
    for target in (CurrentSchema.STACK_VERSION, "7.9", "7.9.2"):
        self.assertDictEqual(downgrade(contents, target), contents)
    # 7.8 predates the author/license fields, so those are stripped while
    # every other field, including the version number, survives.
    expected_78 = {
        "description": "test description",
        "index": ["filebeat-*"],
        "language": "kuery",
        "name": "test rule",
        "query": "process.name:test.query",
        "risk_score": 21,
        "rule_id": self.versioned_rule.id,
        "severity": "low",
        "type": "query",
        "version": 10,
    }
    self.assertDictEqual(downgrade(contents, "7.8"), expected_78)
    # Targets older than 7.8 are rejected outright.
    with self.assertRaises(ValueError):
        downgrade(contents, "7.7")
def test_threshold_downgrade(self):
    """Downgrade a threshold rule that was first introduced in 7.9."""
    contents = self.threshold_rule.contents
    # 7.9 and anything newer accept the threshold rule as-is.
    for target in (CurrentSchema.STACK_VERSION, "7.9", "7.9.2"):
        self.assertDictEqual(downgrade(contents, target), contents)
    # Below the supported range: refused.
    with self.assertRaises(ValueError):
        downgrade(contents, "7.7")
    # 7.8 is a supported schema but has no threshold rule type, so the
    # error must name the unsupported type rather than emit a different rule.
    with self.assertRaisesRegex(ValueError, "Unsupported rule type"):
        downgrade(contents, "7.8")
def test_query_downgrade(self):
    """Downgrade a standard KQL rule."""
    contents = self.compatible_rule.contents
    # Same-or-newer targets are a no-op.
    for target in (CurrentSchema.STACK_VERSION, "7.9", "7.9.2"):
        self.assertDictEqual(downgrade(contents, target), contents)
    # 7.8 predates author/license; the remaining fields pass through intact.
    expected_78 = {
        "description": "test description",
        "language": "kuery",
        "name": "test rule",
        "query": "process.name:test.query",
        "risk_score": 21,
        "rule_id": self.compatible_rule.id,
        "severity": "low",
        "type": "query",
    }
    self.assertDictEqual(downgrade(contents, "7.8"), expected_78)
    # Targets older than 7.8 are rejected.
    with self.assertRaises(ValueError):
        downgrade(contents, "7.7")
def test_threshold_downgrade(self):
    """Downgrade a threshold rule that was first introduced in 7.9."""
    contents = self.v712_threshold_rule
    # 7.13.x accepts the 7.12-style threshold rule unchanged.
    for target in ('7.13', '7.13.1'):
        self.assertDictEqual(downgrade(contents, target), contents)
    # 7.9 only knows a single threshold field, so a multi-field rule
    # must be refused with a message that says why.
    multi_field_msg = 'Cannot downgrade a threshold rule that has multiple threshold fields defined'
    with self.assertRaisesRegex(ValueError, multi_field_msg):
        downgrade(contents, '7.9')
    # Trim to one field: a defined cardinality is still a blocker for 7.9.
    single_field = copy.deepcopy(contents)
    single_field['threshold']['field'].pop()
    cardinality_msg = "Cannot downgrade a threshold rule that has a defined cardinality"
    with self.assertRaisesRegex(ValueError, cardinality_msg):
        downgrade(single_field, "7.9")
    # With cardinality removed the rule collapses to the 7.9 shape.
    no_cardinality = copy.deepcopy(single_field)
    no_cardinality['threshold'].pop('cardinality')
    self.assertEqual(downgrade(no_cardinality, "7.9"), self.v79_threshold_contents)
    # Below the supported range, and a version with no threshold type.
    with self.assertRaises(ValueError):
        downgrade(no_cardinality, "7.7")
    with self.assertRaisesRegex(ValueError, "Unsupported rule type"):
        downgrade(no_cardinality, "7.8")
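def test_query_downgrade(self):
    """Downgrade a standard KQL rule.

    Walks a 7.11 rule down through each supported schema and checks that
    every step yields the exact fixture for that stack version, and that
    a target older than 7.8 is rejected with ValueError from every
    starting point. The 7.9 -> 7.8 assertion was previously duplicated;
    it is asserted once here.
    """
    # Same version: no-op.
    self.assertDictEqual(downgrade(self.v711_kql, "7.11"), self.v711_kql)
    # 7.9.x: the patch level must not change the result.
    self.assertDictEqual(downgrade(self.v711_kql, "7.9"), self.v79_kql)
    self.assertDictEqual(downgrade(self.v711_kql, "7.9.2"), self.v79_kql)
    # 7.8.x: reachable both directly from 7.11 and stepwise from 7.9.
    self.assertDictEqual(downgrade(self.v711_kql, "7.8.1"), self.v78_kql)
    self.assertDictEqual(downgrade(self.v79_kql, "7.8"), self.v78_kql)
    # 7.7 predates the supported schemas and is refused from every start
    # point, including when the source version is passed explicitly.
    for contents, kwargs in (
        (self.v711_kql, {}),
        (self.v79_kql, {}),
        (self.v78_kql, {"current_version": "7.8"}),
    ):
        with self.assertRaises(ValueError):
            downgrade(contents, "7.7", **kwargs)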