示例#1
def test_build_where_clause():
    """Check the WHERE clause build_where_clause produces for three arg sets.

    Covered here: a ``query`` argument, whose value ``'Test'`` comes back
    as-is; a full set of comma-separated filter arguments, each expanding to
    an OR group with the groups joined by AND; and one known filter next to
    an unrecognised argument, which does not appear in the clause.
    """
    from CortexDataLake import build_where_clause

    raw_query_args = {'query': 'Test'}

    all_filters_args = {
        'source_ip': 'ip1,ip2',
        'dest_ip': 'ip3,ip4',
        'rule_matched': 'rule1',
        'from_zone': 'UTC,UTC2',
        'dest_port': '555,666',
        'action': 'allow,unknown',
        'file_sha_256': 'hash1,hash2',
        'file_name': 'name1,name2',
    }
    # String filters are emitted inside double quotes; the port values are
    # emitted bare, and the port group comes last regardless of arg order.
    all_filters_clause = (
        '(source_ip.value = "ip1" OR source_ip.value = "ip2") '
        'AND (dest_ip.value = "ip3" OR dest_ip.value = "ip4") '
        'AND (rule_matched = "rule1") '
        'AND (from_zone = "UTC" OR from_zone = "UTC2") '
        'AND (action.value = "allow" OR action.value = "unknown") '
        'AND (file_sha_256 = "hash1" OR file_sha_256 = "hash2") '
        'AND (file_name = "name1" OR file_name = "name2") '
        'AND (dest_port = 555 OR dest_port = 666)'
    )

    unknown_arg_args = {'source_ip': 'ip1', 'non_relevant_arg': 'value'}
    unknown_arg_clause = '(source_ip.value = "ip1")'

    # NOTE(review): every sample value is a plain token. No case pins what
    # happens when a filter value itself contains a double quote, or when a
    # port is not numeric; since values are placed straight into the query
    # text, that behaviour is worth a dedicated case -- confirm against
    # build_where_clause before relying on it for untrusted arguments.
    scenarios = (
        (raw_query_args, 'Test'),
        (all_filters_args, all_filters_clause),
        (unknown_arg_args, unknown_arg_clause),
    )
    for arguments, clause in scenarios:
        assert build_where_clause(arguments) == clause
示例#2
def test_build_where_clause_ip_port():
    """Check how build_where_clause expands the generic ``ip``/``port`` args.

    Each ``ip`` value is expected to match on either the source or the
    destination address, and each ``port`` value on either the source or the
    destination port. The raw ``query`` and unrecognised-argument cases are
    repeated alongside.
    """
    from CortexDataLake import build_where_clause

    either_side_args = {'ip': 'ip1,ip2', 'port': '555,888'}
    # Addresses are emitted inside double quotes, ports bare.
    either_side_clause = (
        '(source_ip.value = "ip1" OR dest_ip.value = "ip1" OR '
        'source_ip.value = "ip2" OR dest_ip.value = "ip2") '
        'AND (source_port = 555 OR dest_port = 555 OR source_port = 888 OR dest_port = 888)'
    )

    # NOTE(review): only well-formed tokens are used. A value carrying a
    # double quote, or a non-numeric port, is not exercised here; confirm how
    # build_where_clause treats those before passing it untrusted arguments.
    scenarios = (
        ({'query': 'Test'}, 'Test'),
        (either_side_args, either_side_clause),
        ({'source_ip': 'ip1', 'non_relevant_arg': 'value'}, '(source_ip.value = "ip1")'),
    )
    for arguments, clause in scenarios:
        assert build_where_clause(arguments) == clause