    def test_versioned_downgrade(self):
        """Downgrade a KQL rule with version information.

        A downgrade to the rule's own minor (``7.9``/``7.9.x``) must hand the
        contents back unchanged; a downgrade to ``7.8`` must strip the
        ``author`` and ``license`` fields; anything older than ``7.8`` must
        be rejected with ``ValueError``.
        """
        rule_contents = self.v79_kql

        # Same-minor targets: nothing to strip, so the dict is returned as-is.
        for target_version in ("7.9", "7.9.2"):
            self.assertDictEqual(downgrade(rule_contents, target_version), rule_contents)

        # Build the 7.8 expectation from a shallow copy; pop() (rather than a
        # filtered rebuild) keeps the KeyError if the fixture ever loses a field.
        expected_78 = dict(rule_contents)
        for dropped_field in ("author", "license"):
            expected_78.pop(dropped_field)
        self.assertDictEqual(downgrade(rule_contents, "7.8"), expected_78)

        # Pre-7.8 is not a supported downgrade target.
        self.assertRaises(ValueError, downgrade, rule_contents, "7.7")
    def test_versioned_downgrade(self):
        """Downgrade a KQL rule with version information.

        The current stack version and the ``7.9``/``7.9.x`` targets must
        return the contents untouched; ``7.8`` must produce the fixture dict
        with ``author`` and ``license`` absent but ``version`` retained;
        ``7.7`` must raise ``ValueError``.
        """
        rule_contents = self.versioned_rule.contents

        # No-op targets: current schema plus the rule's own minor.
        for target_version in (CurrentSchema.STACK_VERSION, "7.9", "7.9.2"):
            self.assertDictEqual(downgrade(rule_contents, target_version), rule_contents)

        # 7.8 expectation: author/license are intentionally absent here.
        expected_78 = {
            "description": "test description",
            "index": ["filebeat-*"],
            "language": "kuery",
            "name": "test rule",
            "query": "process.name:test.query",
            "risk_score": 21,
            "rule_id": self.versioned_rule.id,
            "severity": "low",
            "type": "query",
            "version": 10,
        }
        self.assertDictEqual(downgrade(rule_contents, "7.8"), expected_78)

        # Pre-7.8 is not a supported downgrade target.
        self.assertRaises(ValueError, downgrade, rule_contents, "7.7")
    def test_threshold_downgrade(self):
        """Downgrade a threshold rule that was first introduced in 7.9.

        Targets at or above ``7.9`` must return the contents unchanged. Since
        the rule type does not exist before ``7.9``, ``7.8`` must fail with
        an "Unsupported rule type" ``ValueError`` and ``7.7`` with any
        ``ValueError``.
        """
        rule_contents = self.threshold_rule.contents

        # No-op targets: current schema plus the version the type was added in.
        for target_version in (CurrentSchema.STACK_VERSION, "7.9", "7.9.2"):
            self.assertDictEqual(downgrade(rule_contents, target_version), rule_contents)

        # 7.8 is a supported target in general, but not for threshold rules.
        self.assertRaisesRegex(
            ValueError, "Unsupported rule type", downgrade, rule_contents, "7.8")

        # Pre-7.8 is not a supported downgrade target for any rule.
        self.assertRaises(ValueError, downgrade, rule_contents, "7.7")
    def test_query_downgrade(self):
        """Downgrade a standard KQL rule.

        The current stack version and ``7.9``/``7.9.x`` must return the
        contents untouched; ``7.8`` must produce the fixture dict with
        ``author`` and ``license`` absent; ``7.7`` must raise ``ValueError``.
        """
        rule_contents = self.compatible_rule.contents

        # No-op targets: current schema plus the rule's own minor.
        for target_version in (CurrentSchema.STACK_VERSION, "7.9", "7.9.2"):
            self.assertDictEqual(downgrade(rule_contents, target_version), rule_contents)

        # 7.8 expectation: author/license are intentionally absent here.
        expected_78 = {
            "description": "test description",
            "language": "kuery",
            "name": "test rule",
            "query": "process.name:test.query",
            "risk_score": 21,
            "rule_id": self.compatible_rule.id,
            "severity": "low",
            "type": "query",
        }
        self.assertDictEqual(downgrade(rule_contents, "7.8"), expected_78)

        # Pre-7.8 is not a supported downgrade target.
        self.assertRaises(ValueError, downgrade, rule_contents, "7.7")
    def test_threshold_downgrade(self):
        """Downgrade a threshold rule that was first introduced in 7.9.

        Walks a 7.12 threshold fixture down through the features that block a
        downgrade to ``7.9``: multiple threshold fields, then a defined
        cardinality. Once both are removed the result must equal the 7.9
        fixture; ``7.8`` must then fail with "Unsupported rule type" and
        ``7.7`` with any ``ValueError``.
        """
        rule_712 = self.v712_threshold_rule

        # Same-minor targets: the 7.12 contents are returned unchanged.
        for target_version in ('7.13', '7.13.1'):
            self.assertDictEqual(downgrade(rule_712, target_version), rule_712)

        # Blocker 1: more than one threshold field cannot be expressed in 7.9.
        self.assertRaisesRegex(
            ValueError,
            'Cannot downgrade a threshold rule that has multiple threshold fields defined',
            downgrade, rule_712, '7.9')

        # Deep copies: the fixture is nested, and we mutate the threshold
        # sub-dict, so a shallow copy would alter the shared fixture.
        single_field = copy.deepcopy(rule_712)
        single_field['threshold']['field'].pop()

        # Blocker 2: cardinality has no 7.9 equivalent.
        self.assertRaisesRegex(
            ValueError,
            "Cannot downgrade a threshold rule that has a defined cardinality",
            downgrade, single_field, "7.9")

        no_cardinality = copy.deepcopy(single_field)
        no_cardinality['threshold'].pop('cardinality')
        # With both blockers gone, the downgrade must match the 7.9 fixture.
        self.assertEqual(downgrade(no_cardinality, "7.9"), self.v79_threshold_contents)

        # Threshold rules do not exist before 7.9 at all.
        self.assertRaisesRegex(
            ValueError, "Unsupported rule type", downgrade, no_cardinality, "7.8")
        self.assertRaises(ValueError, downgrade, no_cardinality, "7.7")
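    def test_query_downgrade(self):
        """Downgrade a standard KQL rule.

        Checks the 7.11 fixture against each older fixture, and that the 7.9
        fixture downgrades to the 7.8 one. ``7.7`` is never a valid target,
        including when ``current_version`` is passed explicitly.
        """
        # A same-minor downgrade of the 7.11 fixture is a no-op.
        self.assertDictEqual(downgrade(self.v711_kql, "7.11"), self.v711_kql)

        # 7.11 -> 7.9 / 7.9.x must land exactly on the 7.9 fixture.
        for target_version in ("7.9", "7.9.2"):
            self.assertDictEqual(downgrade(self.v711_kql, target_version), self.v79_kql)

        # 7.11 -> 7.8.x and 7.9 -> 7.8 both land on the 7.8 fixture.
        # (The original repeated the 7.9 -> 7.8 assertion twice; the duplicate
        # added no coverage and was removed.)
        self.assertDictEqual(downgrade(self.v711_kql, "7.8.1"), self.v78_kql)
        self.assertDictEqual(downgrade(self.v79_kql, "7.8"), self.v78_kql)

        # Pre-7.8 is not a supported downgrade target from any starting point.
        self.assertRaises(ValueError, downgrade, self.v711_kql, "7.7")
        self.assertRaises(ValueError, downgrade, self.v79_kql, "7.7")
        self.assertRaises(
            ValueError, downgrade, self.v78_kql, "7.7", current_version="7.8")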