def test_mitigation_to_hit(self, pg_db_conn, cleanup): # pylint: disable=unused-argument
"""Test replacing rule which has mitigation and is actvie with another one which is inactive but has mitigation"""
with DatabasePool(2):
with DatabasePoolConnection() as conn:
with conn.cursor() as cur:
inv_id = 'INV-17'
system = deepcopy(SYSTEM_DICT)
system['inventory_id'] = inv_id
orig_cve_count_cache = self._system_cache(cur, inv_id)
orig_caches = self._account_caches(cur)
db_import_system(
system, {
1: {
'id': 1,
'mitigation_reason': 'SELinux mitigates',
'cve_name': 'CVE-2014-1'
},
9: {
'id': 4,
'details': '{"detail_key": "detail_value"}',
'cve_name': 'CVE-2018-1'
}
})
new_cve_count_cache = self._system_cache(cur, inv_id)
new_caches = self._account_caches(cur)
self._test_counts(orig_cve_count_cache,
new_cve_count_cache, orig_caches,
new_caches, 1, 9)
assert all([
self._cache_check(cur, account_id)
for account_id in ('0', '1', '2')
])
def test_rule_adding_cve(self, pg_db_conn, cleanup, cve_id, rule_id,
cve_name): # pylint: disable=unused-argument
"""
Tests adding a rule which adds one CVE to a system
In some we are removing other rules from a system, but the rules in this tests were chosen so they're either not active or not VMaaS mitigated
"""
with DatabasePool(2):
with DatabasePoolConnection() as conn:
with conn.cursor() as cur:
system = deepcopy(SYSTEM_DICT)
system['inventory_id'] = 'INV-4'
rule_hits = {
cve_id: {
'id': rule_id,
'details': '{"detail_key": "detail_value"}',
'cve_name': cve_name
}
}
orig_cve_count_cache = self._system_cache(cur, 'INV-4')
orig_caches = self._account_caches(cur)
db_import_system(system, rule_hits)
new_cve_count_cache = self._system_cache(cur, 'INV-4')
new_caches = self._account_caches(cur)
self._test_counts(orig_cve_count_cache,
new_cve_count_cache, orig_caches,
new_caches, 1, cve_id)
assert all([
self._cache_check(cur, account_id)
for account_id in ('0', '1', '2')
])
def test_rule_not_changing_cves(self, pg_db_conn, cleanup, inv_id, cve_id,
rule_id, cve_name): # pylint: disable=unused-argument
"""Inserts CVE which is tied to inactive rule, nothing shall happen"""
with DatabasePool(2):
with DatabasePoolConnection() as conn:
with conn.cursor() as cur:
system = deepcopy(SYSTEM_DICT)
system['inventory_id'] = inv_id
rule_hits = {
cve_id: {
'id': rule_id,
'details': '{"detail_key": "detail_value"}',
'cve_name': cve_name
}
}
orig_cve_count_cache = self._system_cache(cur, inv_id)
orig_caches = self._account_caches(cur)
db_import_system(system, rule_hits)
new_cve_count_cache = self._system_cache(cur, inv_id)
new_caches = self._account_caches(cur)
assert orig_cve_count_cache == new_cve_count_cache
assert orig_caches == new_caches
assert all([
self._cache_check(cur, account_id)
for account_id in ('0', '1', '2')
])
def test_new_rule_unknown_cve(self, pg_db_conn, cleanup): # pylint: disable=unused-argument
"""Tests adding completely new rule with completely new CVE"""
with DatabasePool(3):
with DatabasePoolConnection() as conn:
with conn.cursor() as cur:
db_import_rule('new_rule|ERROR_KEY', ['CVE-2068-124'])
cur.execute(
"SELECT id FROM insights_rule WHERE name = 'new_rule|ERROR_KEY'"
)
rule_id = cur.fetchone()[0]
cur.execute(
"UPDATE insights_rule SET active = 'T' WHERE name = 'new_rule|ERROR_KEY'"
)
cur.execute(
"SELECT id FROM cve_metadata WHERE cve = 'CVE-2068-124'"
)
cve_id = cur.fetchone()[0]
conn.commit()
inv_id = 'INV-6'
system = deepcopy(SYSTEM_DICT)
system['inventory_id'] = inv_id
rule_hits = {
cve_id: {
'id': rule_id,
'details': '{"detail_key": "detail_value"}',
'cve_name': 'CVE-2068-124'
}
}
orig_cve_count_cache = self._system_cache(cur, inv_id)
orig_caches = self._account_caches(cur)
db_import_system(system, rule_hits)
new_cve_count_cache = self._system_cache(cur, inv_id)
new_caches = self._account_caches(cur)
assert orig_cve_count_cache + 1 == new_cve_count_cache
assert new_caches[cve_id] == 1
del new_caches[cve_id]
assert orig_caches == new_caches
assert all([
self._cache_check(cur, account_id)
for account_id in ('0', '1', '2')
])
def test_adding_inactive(self, pg_db_conn, cleanup): # pylint: disable=unused-argument
"""Tests adding inactive rule mitigation to a system"""
with DatabasePool(2):
with DatabasePoolConnection() as conn:
with conn.cursor() as cur:
inv_id = 'INV-5'
system = deepcopy(SYSTEM_DICT)
system['inventory_id'] = inv_id
orig_cve_count_cache = self._system_cache(cur, inv_id)
orig_caches = self._account_caches(cur)
db_import_system(
system, {
1: {
'id': 3,
'mitigation_reason': 'SELinux mitigates',
'cve_name': 'CVE-2014-1'
},
8: {
'id': 4,
'details': '{"detail_key": "detail_value"}',
'cve_name': 'CVE-2017-6'
},
10: {
'id': 5,
'details': '{"detail_key": "detail_value"}',
'cve_name': 'CVE-2017-8'
},
11: {
'id': 5,
'details': '{"detail_key": "detail_value"}',
'cve_name': 'CVE-2018-1'
}
})
new_cve_count_cache = self._system_cache(cur, inv_id)
new_caches = self._account_caches(cur)
self._test_counts(orig_cve_count_cache,
new_cve_count_cache, orig_caches,
new_caches, 0, 1)
assert all([
self._cache_check(cur, account_id)
for account_id in ('0', '1', '2')
])
def test_simple_import(self, pg_db_conn): # pylint: disable=unused-argument
"""Test importing new system with one rule"""
with DatabasePool(1):
system = deepcopy(SYSTEM_DICT)
system['inventory_id'] = 'INV-112'
rule_hits = {}
rule_hits[CVES_CACHE['CVE-2014-1']] = {
'id': RULES_CACHE['CVE_2018_3639_cpu_kernel|CVE_2018_3639_CPU_BAD_MICROCODE_2'],
'details': '{"detail_key": "detail_value"}',
'cve_name': 'CVE-2014-1'
}
db_import_system(system, rule_hits)
# add a additional CVE to rule
rule_hits[CVES_CACHE['CVE-2016-1']] = {
'id': RULES_CACHE['CVE_2018_3639_cpu_kernel|CVE_2018_3639_CPU_BAD_MICROCODE_2'],
'details': '{"detail_key": "detail_value"}',
'cve_name': 'CVE-2016-1'
}
db_import_system(system, rule_hits)
def test_unmitigation(self, pg_db_conn, cleanup): # pylint: disable=unused-argument
"""Test removing rule mitigations from system for a system with 2 CVEs from which only one is reported by VMaaS"""
with DatabasePool(2):
with DatabasePoolConnection() as conn:
with conn.cursor() as cur:
inv_id = 'INV-17'
system = deepcopy(SYSTEM_DICT)
system['inventory_id'] = inv_id
orig_cve_count_cache = self._system_cache(cur, inv_id)
orig_caches = self._account_caches(cur)
db_import_system(system, {})
new_cve_count_cache = self._system_cache(cur, inv_id)
new_caches = self._account_caches(cur)
self._test_counts(orig_cve_count_cache,
new_cve_count_cache, orig_caches,
new_caches, 1, 9)
assert all([
self._cache_check(cur, account_id)
for account_id in ('0', '1', '2')
])
def test_removing_all_rules(self, pg_db_conn, cleanup): # pylint: disable=unused-argument
"""Tests removing all rules from system"""
with DatabasePool(2):
with DatabasePoolConnection() as conn:
with conn.cursor() as cur:
inv_id = 'INV-5'
system = deepcopy(SYSTEM_DICT)
system['inventory_id'] = inv_id
orig_cve_count_cache = self._system_cache(cur, inv_id)
orig_caches = self._account_caches(cur)
db_import_system(system, {})
new_cve_count_cache = self._system_cache(cur, inv_id)
new_caches = self._account_caches(cur)
self._test_counts(orig_cve_count_cache,
new_cve_count_cache, orig_caches,
new_caches, -1, 8)
assert all([
self._cache_check(cur, account_id)
for account_id in ('0', '1', '2')
])
def test_rule_removing_cve(self, pg_db_conn, cleanup, inv_id, cve_id,
rule_hits): # pylint: disable=unused-argument
"""Tests removing rule from system where the CVE is not reported by VMaaS"""
with DatabasePool(2):
with DatabasePoolConnection() as conn:
with conn.cursor() as cur:
system = deepcopy(SYSTEM_DICT)
system['inventory_id'] = inv_id
orig_cve_count_cache = self._system_cache(cur, inv_id)
orig_caches = self._account_caches(cur)
db_import_system(system, rule_hits)
new_cve_count_cache = self._system_cache(cur, inv_id)
new_caches = self._account_caches(cur)
self._test_counts(orig_cve_count_cache,
new_cve_count_cache, orig_caches,
new_caches, -1, cve_id)
assert all([
self._cache_check(cur, account_id)
for account_id in ('0', '1', '2')
])
