def test_engine_config(self, mock_error): """Test building an engine with a custom config.""" schema = {'event_types': {'magic': 543212345}} target_file = os.path.abspath('analytics-saved.tmp.json') analytics_file = os.path.abspath('analytics.tmp.json') config_file = os.path.abspath('config.tmp.json') with use_schema(schema): analytics = parse_analytics([{ 'query': "magic where true", 'metadata': { 'id': str(uuid.uuid4()) } }]) save_analytics(analytics, analytics_file) with open(analytics_file, 'r') as f: expected_contents = f.read() save_dump({'schema': schema}, config_file) main([ 'build', analytics_file, target_file, '--config', config_file, '--analytics-only' ]) with open(target_file, 'r') as f: actual_contents = f.read() self.assertEqual(actual_contents, expected_contents) os.remove(config_file) os.remove(target_file) os.remove(analytics_file)
def test_engine_schema_failure(self): """Test building an engine with a custom config.""" schema = {'event_types': {'magic': 543212345}} target_file = os.path.abspath('analytics-saved.tmp.json') analytics_file = os.path.abspath('analytics.tmp.json') with use_schema(schema): analytics = parse_analytics([{ 'query': "magic where true", 'metadata': { 'id': str(uuid.uuid4()) } }]) save_analytics(analytics, analytics_file) with self.assertRaises(SchemaError): main(['build', analytics_file, target_file]) os.remove(analytics_file)
def test_engine_schema_implied(self): """Test building an engine with a custom config.""" schema = {'magic': {}} target_file = os.path.abspath('analytics-saved.tmp.json') analytics_file = os.path.abspath('analytics.tmp.json') with Schema(schema): analytics = parse_analytics([{ 'query': "magic where true", 'metadata': { 'id': str(uuid.uuid4()) } }]) save_analytics(analytics, analytics_file) main(['build', analytics_file, target_file]) os.remove(analytics_file) os.remove(target_file)
def test_engine_config(self, mock_error): """Test building an engine with a custom config.""" schema = {'magic': {"expected_field": "string"}} target_file = os.path.abspath('analytics-saved.tmp.json') analytics_file = os.path.abspath('analytics.tmp.json') config_file = os.path.abspath('config.tmp.json') if os.path.exists(target_file): os.remove(target_file) analytics = parse_analytics([ { 'query': "magic where actual_field = true", 'metadata': { 'id': str(uuid.uuid4()) } }, ]) save_analytics(analytics, analytics_file) save_dump({ 'schema': { "events": schema }, "allow_any": False }, config_file) with self.assertRaises(EqlSchemaError): main([ 'build', analytics_file, target_file, '--config', config_file, '--analytics-only' ]) self.assertFalse(os.path.exists(target_file)) os.remove(config_file) os.remove(analytics_file)
def load_analytics(filename): """Load analytics.""" analytics = load_dump(filename) if isinstance(analytics, dict): analytics = analytics['analytics'] # type: list return parse_analytics(analytics)
from eql.loader import save_analytics from eql.main import main from eql.parser import parse_analytics from eql.schema import use_schema from eql.utils import save_dump build_analytics = parse_analytics([ { 'query': "process where a == b", 'metadata': { 'id': str(uuid.uuid4()) } }, { 'query': "sequence [process where a == b] [file where x == y]", 'metadata': { 'id': str(uuid.uuid4()) } }, { 'query': "join by unique_pid [network where true] [dns where true]", 'metadata': { 'id': str(uuid.uuid4()) } }, ]) def stdin_patch(): """Patch stdin with a temporary stream.""" return io.StringIO(u'\n'.join( [json.dumps(event.data) for event in TestEngine.get_events()]))