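def test_engine_config(self, mock_error):
    """Test building an engine with a custom config.

    An analytic for the custom ``magic`` event type is parsed under a schema
    that declares that type and saved to disk. ``main`` is then asked to
    rebuild it with ``--config`` pointing at a dump of the same schema and
    ``--analytics-only``; the rebuilt file must be byte-for-byte equal to the
    saved analytics file.

    ``mock_error`` is injected by a patch decorator outside this method and
    is not used directly here.

    Temporary files live at fixed names in the current working directory;
    they are removed in ``finally`` so a failing assertion or an exception
    from ``main`` does not leave them behind.
    """
    schema = {'event_types': {'magic': 543212345}}
    target_file = os.path.abspath('analytics-saved.tmp.json')
    analytics_file = os.path.abspath('analytics.tmp.json')
    config_file = os.path.abspath('config.tmp.json')

    try:
        # NOTE(review): the original's block nesting was lost in the paste;
        # only the parse is assumed to need the schema context — confirm
        # against the original if the build depends on it too.
        with use_schema(schema):
            analytics = parse_analytics([{
                'query': "magic where true",
                'metadata': {'id': str(uuid.uuid4())},
            }])
            save_analytics(analytics, analytics_file)

        with open(analytics_file, 'r') as f:
            expected_contents = f.read()

        save_dump({'schema': schema}, config_file)
        main([
            'build', analytics_file, target_file,
            '--config', config_file, '--analytics-only',
        ])

        with open(target_file, 'r') as f:
            actual_contents = f.read()

        self.assertEqual(actual_contents, expected_contents)
    finally:
        # Remove only what was actually created: an early failure may have
        # stopped before some of these files existed.
        for path in (config_file, target_file, analytics_file):
            if os.path.exists(path):
                os.remove(path)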
def test_query_eql_jsonl(self, mock_print_event):
    """Test file I/O with EQL.

    Runs a ``query`` over ``self.EVENTS_FILE`` that keeps only the eighth
    process event and checks that exactly that event reached the patched
    ``print_event`` (``mock_print_event`` is injected by a decorator outside
    this method).
    """
    query = "process where true | head 8 | tail 1"
    main(['query', query, '-f', self.EVENTS_FILE])

    # Each recorded call's first positional argument is the printed event.
    printed_ids = []
    for recorded_call in mock_print_event.call_args_list:
        event = recorded_call[0][0]
        printed_ids.append(event.data['serial_event_id'])

    self.assertEqual([8], printed_ids, "Event IDs didn't match expected.")
def test_implied_base(self, mock_print_event):
    """Stream stdin to the EQL command with a pipe-only query.

    ``| unique event_type_full`` starts with a pipe and carries no base
    event query, so the engine has to supply one itself. The serial IDs of
    the events passed to the patched ``print_event`` (``mock_print_event``,
    injected by a decorator outside this method) are compared with the
    expected list.
    """
    query = "| unique event_type_full"
    main(['query', query])

    expected_ids = [1, 55, 57, 63, 75304]
    # call_args_list entries unpack as (positional args, keyword args).
    printed_ids = list(
        positional[0].data['serial_event_id']
        for positional, _keywords in mock_print_event.call_args_list
    )
    self.assertEqual(expected_ids, printed_ids, "Event IDs didn't match expected.")
def test_query_eql_stdin(self, mock_print_event):
    """Stream stdin to the EQL command.

    Same query as the file-based test, but without ``-f`` so events are read
    from stdin; only the eighth process event should be printed.
    ``mock_print_event`` is injected by a decorator outside this method.
    """
    query = "process where true | head 8 | tail 1"
    main(['query', query])

    def serial_id(recorded_call):
        # First positional argument of each print_event call is the event.
        return recorded_call[0][0].data['serial_event_id']

    printed_ids = [serial_id(c) for c in mock_print_event.call_args_list]
    self.assertEqual([8], printed_ids, "Event IDs didn't match expected.")
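def test_engine_schema_failure(self):
    """Test that building an engine fails when the schema is not supplied.

    The analytic is parsed under a schema that declares the custom ``magic``
    event type, but ``main(['build', ...])`` is then run without any
    ``--config``, so the build must raise ``SchemaError``.

    The analytics file is written at a fixed name in the current working
    directory and removed in ``finally`` so a failed assertion does not
    leave it behind.
    """
    schema = {'event_types': {'magic': 543212345}}
    target_file = os.path.abspath('analytics-saved.tmp.json')
    analytics_file = os.path.abspath('analytics.tmp.json')

    try:
        # NOTE(review): block nesting was lost in the paste; the build is
        # placed outside the schema context so the custom type is unknown
        # when it runs — confirm against the original.
        with use_schema(schema):
            analytics = parse_analytics([{
                'query': "magic where true",
                'metadata': {'id': str(uuid.uuid4())},
            }])
            save_analytics(analytics, analytics_file)

        with self.assertRaises(SchemaError):
            main(['build', analytics_file, target_file])
    finally:
        for path in (analytics_file, target_file):
            if os.path.exists(path):
                os.remove(path)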
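def test_engine_schema_implied(self):
    """Test building an engine with the currently active schema and no config.

    With a ``Schema`` declaring the custom ``magic`` event type active, both
    parsing the analytic and running ``main(['build', ...])`` without
    ``--config`` must succeed, and the target file must be produced.

    Temporary files are written at fixed names in the current working
    directory and removed in ``finally`` so a failure does not leave them
    behind.
    """
    schema = {'magic': {}}
    target_file = os.path.abspath('analytics-saved.tmp.json')
    analytics_file = os.path.abspath('analytics.tmp.json')

    try:
        # NOTE(review): block nesting was lost in the paste; the build is
        # kept inside the schema context because the test relies on that
        # schema being implied — confirm against the original.
        with Schema(schema):
            analytics = parse_analytics([{
                'query': "magic where true",
                'metadata': {'id': str(uuid.uuid4())},
            }])
            save_analytics(analytics, analytics_file)
            main(['build', analytics_file, target_file])
    finally:
        for path in (analytics_file, target_file):
            if os.path.exists(path):
                os.remove(path)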
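def test_engine_config(self, mock_error):
    """Test that a strict custom config rejects an analytic with an unknown field.

    The config dump declares ``magic`` with only ``expected_field`` and sets
    ``allow_any`` to ``False``; building an analytic that references
    ``actual_field`` must therefore raise ``EqlSchemaError`` and must not
    produce the target file.

    ``mock_error`` is injected by a patch decorator outside this method and
    is not used directly here.

    NOTE(review): another method named ``test_engine_config`` appears earlier
    in this file. If both live in the same class the later definition
    shadows the earlier one and that test never runs — confirm.
    """
    schema = {'magic': {"expected_field": "string"}}
    target_file = os.path.abspath('analytics-saved.tmp.json')
    analytics_file = os.path.abspath('analytics.tmp.json')
    config_file = os.path.abspath('config.tmp.json')

    # A stale target from a previous run would make the final assertion
    # meaningless, so clear it first.
    if os.path.exists(target_file):
        os.remove(target_file)

    try:
        analytics = parse_analytics([
            {
                'query': "magic where actual_field = true",
                'metadata': {'id': str(uuid.uuid4())},
            },
        ])
        save_analytics(analytics, analytics_file)
        save_dump({
            'schema': {"events": schema},
            "allow_any": False,
        }, config_file)

        with self.assertRaises(EqlSchemaError):
            main([
                'build', analytics_file, target_file,
                '--config', config_file, '--analytics-only',
            ])

        self.assertFalse(os.path.exists(target_file))
    finally:
        # Remove whatever was created, including a target file if the build
        # unexpectedly wrote one before the assertion above failed.
        for path in (config_file, analytics_file, target_file):
            if os.path.exists(path):
                os.remove(path)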