def test_engine_config(self, mock_error):
"""Test building an engine with a custom config."""
schema = {'event_types': {'magic': 543212345}}
target_file = os.path.abspath('analytics-saved.tmp.json')
analytics_file = os.path.abspath('analytics.tmp.json')
config_file = os.path.abspath('config.tmp.json')
with use_schema(schema):
analytics = parse_analytics([{
'query': "magic where true",
'metadata': {
'id': str(uuid.uuid4())
}
}])
save_analytics(analytics, analytics_file)
with open(analytics_file, 'r') as f:
expected_contents = f.read()
save_dump({'schema': schema}, config_file)
main([
'build', analytics_file, target_file, '--config', config_file,
'--analytics-only'
])
with open(target_file, 'r') as f:
actual_contents = f.read()
self.assertEqual(actual_contents, expected_contents)
os.remove(config_file)
os.remove(target_file)
os.remove(analytics_file)
def test_query_eql_jsonl(self, mock_print_event):
"""Test file I/O with EQL."""
query = "process where true | head 8 | tail 1"
main(['query', query, '-f', self.EVENTS_FILE])
expected = [8]
actual_event_ids = [
args[0][0].data['serial_event_id']
for args in mock_print_event.call_args_list
]
self.assertEqual(expected, actual_event_ids,
"Event IDs didn't match expected.")
def test_implied_base(self, mock_print_event):
"""Stream stdin to the EQL command."""
query = "| unique event_type_full"
main(['query', query])
expected = [1, 55, 57, 63, 75304]
actual_event_ids = [
args[0][0].data['serial_event_id']
for args in mock_print_event.call_args_list
]
self.assertEqual(expected, actual_event_ids,
"Event IDs didn't match expected.")
def test_query_eql_stdin(self, mock_print_event):
"""Stream stdin to the EQL command."""
query = "process where true | head 8 | tail 1"
main(['query', query])
expected = [8]
actual_event_ids = [
args[0][0].data['serial_event_id']
for args in mock_print_event.call_args_list
]
self.assertEqual(expected, actual_event_ids,
"Event IDs didn't match expected.")
def test_engine_schema_failure(self):
"""Test building an engine with a custom config."""
schema = {'event_types': {'magic': 543212345}}
target_file = os.path.abspath('analytics-saved.tmp.json')
analytics_file = os.path.abspath('analytics.tmp.json')
with use_schema(schema):
analytics = parse_analytics([{
'query': "magic where true",
'metadata': {
'id': str(uuid.uuid4())
}
}])
save_analytics(analytics, analytics_file)
with self.assertRaises(SchemaError):
main(['build', analytics_file, target_file])
os.remove(analytics_file)
def test_engine_schema_implied(self):
"""Test building an engine with a custom config."""
schema = {'magic': {}}
target_file = os.path.abspath('analytics-saved.tmp.json')
analytics_file = os.path.abspath('analytics.tmp.json')
with Schema(schema):
analytics = parse_analytics([{
'query': "magic where true",
'metadata': {
'id': str(uuid.uuid4())
}
}])
save_analytics(analytics, analytics_file)
main(['build', analytics_file, target_file])
os.remove(analytics_file)
os.remove(target_file)
def test_engine_config(self, mock_error):
"""Test building an engine with a custom config."""
schema = {'magic': {"expected_field": "string"}}
target_file = os.path.abspath('analytics-saved.tmp.json')
analytics_file = os.path.abspath('analytics.tmp.json')
config_file = os.path.abspath('config.tmp.json')
if os.path.exists(target_file):
os.remove(target_file)
analytics = parse_analytics([
{
'query': "magic where actual_field = true",
'metadata': {
'id': str(uuid.uuid4())
}
},
])
save_analytics(analytics, analytics_file)
save_dump({
'schema': {
"events": schema
},
"allow_any": False
}, config_file)
with self.assertRaises(EqlSchemaError):
main([
'build', analytics_file, target_file, '--config', config_file,
'--analytics-only'
])
self.assertFalse(os.path.exists(target_file))
os.remove(config_file)
os.remove(analytics_file)
