def test_build_where_clause():
    """Check the WHERE clause built by build_where_clause from field arguments.

    Scenarios covered:
      * a ``query`` argument is expected back unchanged;
      * comma-separated values expand into one OR group per field, the groups
        joined with AND, string values wrapped in double quotes and
        ``dest_port`` values emitted as bare numbers;
      * an argument that is not a filter field does not appear in the clause.
    """
    from CortexDataLake import build_where_clause

    # A caller-supplied query is expected to come back as the whole clause.
    raw_query_args = {'query': 'Test'}
    raw_query_clause = 'Test'

    # Key order is kept exactly as given; the expected clause below lists
    # dest_port last even though it is not the last key here.
    multi_value_args = {
        'source_ip': 'ip1,ip2',
        'dest_ip': 'ip3,ip4',
        'rule_matched': 'rule1',
        'from_zone': 'UTC,UTC2',
        'dest_port': '555,666',
        'action': 'allow,unknown',
        'file_sha_256': 'hash1,hash2',
        'file_name': 'name1,name2',
    }
    multi_value_clause = (
        '(source_ip.value = "ip1" OR source_ip.value = "ip2") '
        'AND (dest_ip.value = "ip3" OR dest_ip.value = "ip4") '
        'AND (rule_matched = "rule1") '
        'AND (from_zone = "UTC" OR from_zone = "UTC2") '
        'AND (action.value = "allow" OR action.value = "unknown") '
        'AND (file_sha_256 = "hash1" OR file_sha_256 = "hash2") '
        'AND (file_name = "name1" OR file_name = "name2") '
        'AND (dest_port = 555 OR dest_port = 666)'
    )

    # 'non_relevant_arg' must leave no trace in the generated clause.
    extra_arg_args = {'source_ip': 'ip1', 'non_relevant_arg': 'value'}
    extra_arg_clause = '(source_ip.value = "ip1")'

    # NOTE(review): every value above is a plain token. No scenario passes a
    # value containing a double quote or a backslash, and no port value is
    # non-numeric, so how build_where_clause treats such input inside the
    # generated literals is not pinned by this test.
    scenarios = (
        (raw_query_args, raw_query_clause),
        (multi_value_args, multi_value_clause),
        (extra_arg_args, extra_arg_clause),
    )
    for arguments, expected_clause in scenarios:
        actual_clause = build_where_clause(arguments)
        assert actual_clause == expected_clause
def test_build_where_clause_ip_port():
    """Check how build_where_clause expands the combined ``ip`` and ``port`` arguments.

    Scenarios covered:
      * a ``query`` argument is expected back unchanged;
      * each ``ip`` value is matched against both ``source_ip.value`` and
        ``dest_ip.value``, and each ``port`` value against both
        ``source_port`` and ``dest_port`` (ports as bare numbers);
      * an argument that is not a filter field does not appear in the clause.
    """
    from CortexDataLake import build_where_clause

    # A caller-supplied query is expected to come back as the whole clause.
    raw_query_args = {'query': 'Test'}
    raw_query_clause = 'Test'

    # One OR group per argument: source/dest alternatives for every value.
    ip_port_args = {'ip': 'ip1,ip2', 'port': '555,888'}
    ip_port_clause = (
        '(source_ip.value = "ip1" OR dest_ip.value = "ip1" OR '
        'source_ip.value = "ip2" OR dest_ip.value = "ip2") '
        'AND (source_port = 555 OR dest_port = 555 OR source_port = 888 OR dest_port = 888)'
    )

    # 'non_relevant_arg' must leave no trace in the generated clause.
    extra_arg_args = {'source_ip': 'ip1', 'non_relevant_arg': 'value'}
    extra_arg_clause = '(source_ip.value = "ip1")'

    # NOTE(review): the values here are plain tokens only. Nothing exercises
    # an ``ip`` value containing a double quote or a ``port`` value that is
    # not a number, so the handling of such input in the generated clause is
    # not pinned by this test.
    scenarios = (
        (raw_query_args, raw_query_clause),
        (ip_port_args, ip_port_clause),
        (extra_arg_args, extra_arg_clause),
    )
    for arguments, expected_clause in scenarios:
        actual_clause = build_where_clause(arguments)
        assert actual_clause == expected_clause