19de3a8a77
* Improve whitelist parsing * Split whitelist check into a function tied to whitelist, also since we check node debug we can make a pointer to node containing whitelist * No point passing clog as an argument since it is just a pointer to node we already know about * We should break instead of returning false, false as it may have been whitelisted by ips/cidrs * reimplement early return if expr errors * Fix lint and dont need to parse ip back to string just loop over sources * Log error with node logger as it provides context * Move getsource to a function cleanup some code * Change func name * Split out compile to a function so we can use in tests. Add a bunch of tests * spell correction * Use node logger so it has context * alternative solution * quick fixes * Use containswls * Change whitelist test to use parseipsource and only events * Make it simpler * Postoverflow tests, some basic ones to make sure it works * Use official pkg * Add @mmetc reco * Add @mmetc reco * Change if if to a switch to only evaluate once * simplify assertions --------- Co-authored-by: bui <thibault@crowdsec.net> Co-authored-by: Marco Mariani <marco@crowdsec.net>
300 lines
5.4 KiB
Go
300 lines
5.4 KiB
Go
package parser
|
|
|
|
import (
|
|
"testing"
|
|
|
|
log "github.com/sirupsen/logrus"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/crowdsecurity/go-cs-lib/cstest"
|
|
|
|
"github.com/crowdsecurity/crowdsec/pkg/models"
|
|
"github.com/crowdsecurity/crowdsec/pkg/types"
|
|
)
|
|
|
|
func TestWhitelistCompile(t *testing.T) {
|
|
node := &Node{
|
|
Logger: log.NewEntry(log.New()),
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
whitelist Whitelist
|
|
expectedErr string
|
|
}{
|
|
{
|
|
name: "Valid CIDR whitelist",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Cidrs: []string{
|
|
"127.0.0.1/24",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "Invalid CIDR whitelist",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Cidrs: []string{
|
|
"127.0.0.1/1000",
|
|
},
|
|
},
|
|
expectedErr: "invalid CIDR address",
|
|
},
|
|
{
|
|
name: "Valid EXPR whitelist",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Exprs: []string{
|
|
"1==1",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "Invalid EXPR whitelist",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Exprs: []string{
|
|
"evt.THISPROPERTYSHOULDERROR == true",
|
|
},
|
|
},
|
|
expectedErr: "types.Event has no field",
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
tt := tt
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
node.Whitelist = tt.whitelist
|
|
_, err := node.CompileWLs()
|
|
cstest.RequireErrorContains(t, err, tt.expectedErr)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestWhitelistCheck(t *testing.T) {
|
|
node := &Node{
|
|
Logger: log.NewEntry(log.New()),
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
whitelist Whitelist
|
|
event *types.Event
|
|
expected bool
|
|
}{
|
|
{
|
|
name: "IP Whitelisted",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Ips: []string{
|
|
"127.0.0.1",
|
|
},
|
|
},
|
|
event: &types.Event{
|
|
Meta: map[string]string{
|
|
"source_ip": "127.0.0.1",
|
|
},
|
|
},
|
|
expected: true,
|
|
},
|
|
{
|
|
name: "IP Not Whitelisted",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Ips: []string{
|
|
"127.0.0.1",
|
|
},
|
|
},
|
|
event: &types.Event{
|
|
Meta: map[string]string{
|
|
"source_ip": "127.0.0.2",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "CIDR Whitelisted",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Cidrs: []string{
|
|
"127.0.0.1/32",
|
|
},
|
|
},
|
|
event: &types.Event{
|
|
Meta: map[string]string{
|
|
"source_ip": "127.0.0.1",
|
|
},
|
|
},
|
|
expected: true,
|
|
},
|
|
{
|
|
name: "CIDR Not Whitelisted",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Cidrs: []string{
|
|
"127.0.0.1/32",
|
|
},
|
|
},
|
|
event: &types.Event{
|
|
Meta: map[string]string{
|
|
"source_ip": "127.0.0.2",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "EXPR Whitelisted",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Exprs: []string{
|
|
"evt.Meta.source_ip == '127.0.0.1'",
|
|
},
|
|
},
|
|
event: &types.Event{
|
|
Meta: map[string]string{
|
|
"source_ip": "127.0.0.1",
|
|
},
|
|
},
|
|
expected: true,
|
|
},
|
|
{
|
|
name: "EXPR Not Whitelisted",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Exprs: []string{
|
|
"evt.Meta.source_ip == '127.0.0.1'",
|
|
},
|
|
},
|
|
event: &types.Event{
|
|
Meta: map[string]string{
|
|
"source_ip": "127.0.0.2",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "Postoverflow IP Whitelisted",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Ips: []string{
|
|
"192.168.1.1",
|
|
},
|
|
},
|
|
event: &types.Event{
|
|
Type: types.OVFLW,
|
|
Overflow: types.RuntimeAlert{
|
|
Sources: map[string]models.Source{
|
|
"192.168.1.1": {},
|
|
},
|
|
},
|
|
},
|
|
expected: true,
|
|
},
|
|
{
|
|
name: "Postoverflow IP Not Whitelisted",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Ips: []string{
|
|
"192.168.1.2",
|
|
},
|
|
},
|
|
event: &types.Event{
|
|
Type: types.OVFLW,
|
|
Overflow: types.RuntimeAlert{
|
|
Sources: map[string]models.Source{
|
|
"192.168.1.1": {},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "Postoverflow CIDR Whitelisted",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Cidrs: []string{
|
|
"192.168.1.1/32",
|
|
},
|
|
},
|
|
event: &types.Event{
|
|
Type: types.OVFLW,
|
|
Overflow: types.RuntimeAlert{
|
|
Sources: map[string]models.Source{
|
|
"192.168.1.1": {},
|
|
},
|
|
},
|
|
},
|
|
expected: true,
|
|
},
|
|
{
|
|
name: "Postoverflow CIDR Not Whitelisted",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Cidrs: []string{
|
|
"192.168.1.2/32",
|
|
},
|
|
},
|
|
event: &types.Event{
|
|
Type: types.OVFLW,
|
|
Overflow: types.RuntimeAlert{
|
|
Sources: map[string]models.Source{
|
|
"192.168.1.1": {},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "Postoverflow EXPR Whitelisted",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Exprs: []string{
|
|
"evt.Overflow.APIAlerts[0].Source.Cn == 'test'",
|
|
},
|
|
},
|
|
event: &types.Event{
|
|
Type: types.OVFLW,
|
|
Overflow: types.RuntimeAlert{
|
|
APIAlerts: []models.Alert{
|
|
{
|
|
Source: &models.Source{
|
|
Cn: "test",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expected: true,
|
|
},
|
|
{
|
|
name: "Postoverflow EXPR Not Whitelisted",
|
|
whitelist: Whitelist{
|
|
Reason: "test",
|
|
Exprs: []string{
|
|
"evt.Overflow.APIAlerts[0].Source.Cn == 'test2'",
|
|
},
|
|
},
|
|
event: &types.Event{
|
|
Type: types.OVFLW,
|
|
Overflow: types.RuntimeAlert{
|
|
APIAlerts: []models.Alert{
|
|
{
|
|
Source: &models.Source{
|
|
Cn: "test",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
tt := tt
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
var err error
|
|
node.Whitelist = tt.whitelist
|
|
node.CompileWLs()
|
|
isWhitelisted := node.CheckIPsWL(tt.event.ParseIPSources())
|
|
if !isWhitelisted {
|
|
isWhitelisted, err = node.CheckExprWL(map[string]interface{}{"evt": tt.event})
|
|
}
|
|
require.NoError(t, err)
|
|
require.Equal(t, tt.expected, isWhitelisted)
|
|
})
|
|
}
|
|
}
|