crowdsec/pkg/parser/whitelist_test.go
Laurence Jones 19de3a8a77
Runtime whitelist parsing improvement (#2422)
* Improve whitelist parsing

* Split whitelist check into a function tied to whitelist, also since we check node debug we can make a pointer to node containing whitelist

* No point passing clog as an argument since it is just a pointer to node we already know about

* We should break instead of returning false, false as it may have been whitelisted by ips/cidrs

* reimplement early return if expr errors

* Fix lint and dont need to parse ip back to string just loop over sources

* Log error with node logger as it provides context

* Move getsource to a function cleanup some code

* Change func name

* Split out compile to a function so we can use in tests. Add a bunch of tests

* spell correction

* Use node logger so it has context

* alternative solution

* quick fixes

* Use containswls

* Change whitelist test to use parseipsource and only events

* Make it simpler

* Postoverflow tests, some basic ones to make sure it works

* Use official pkg

* Add @mmetc reco

* Add @mmetc reco

* Change if if to a switch to only evaluate once

* simplify assertions

---------

Co-authored-by: bui <thibault@crowdsec.net>
Co-authored-by: Marco Mariani <marco@crowdsec.net>
2023-10-16 10:08:57 +01:00

300 lines
5.4 KiB
Go

package parser
import (
"testing"
log "github.com/sirupsen/logrus"
"github.com/stretchr/testify/require"
"github.com/crowdsecurity/go-cs-lib/cstest"
"github.com/crowdsecurity/crowdsec/pkg/models"
"github.com/crowdsecurity/crowdsec/pkg/types"
)
func TestWhitelistCompile(t *testing.T) {
node := &Node{
Logger: log.NewEntry(log.New()),
}
tests := []struct {
name string
whitelist Whitelist
expectedErr string
}{
{
name: "Valid CIDR whitelist",
whitelist: Whitelist{
Reason: "test",
Cidrs: []string{
"127.0.0.1/24",
},
},
},
{
name: "Invalid CIDR whitelist",
whitelist: Whitelist{
Reason: "test",
Cidrs: []string{
"127.0.0.1/1000",
},
},
expectedErr: "invalid CIDR address",
},
{
name: "Valid EXPR whitelist",
whitelist: Whitelist{
Reason: "test",
Exprs: []string{
"1==1",
},
},
},
{
name: "Invalid EXPR whitelist",
whitelist: Whitelist{
Reason: "test",
Exprs: []string{
"evt.THISPROPERTYSHOULDERROR == true",
},
},
expectedErr: "types.Event has no field",
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
node.Whitelist = tt.whitelist
_, err := node.CompileWLs()
cstest.RequireErrorContains(t, err, tt.expectedErr)
})
}
}
func TestWhitelistCheck(t *testing.T) {
node := &Node{
Logger: log.NewEntry(log.New()),
}
tests := []struct {
name string
whitelist Whitelist
event *types.Event
expected bool
}{
{
name: "IP Whitelisted",
whitelist: Whitelist{
Reason: "test",
Ips: []string{
"127.0.0.1",
},
},
event: &types.Event{
Meta: map[string]string{
"source_ip": "127.0.0.1",
},
},
expected: true,
},
{
name: "IP Not Whitelisted",
whitelist: Whitelist{
Reason: "test",
Ips: []string{
"127.0.0.1",
},
},
event: &types.Event{
Meta: map[string]string{
"source_ip": "127.0.0.2",
},
},
},
{
name: "CIDR Whitelisted",
whitelist: Whitelist{
Reason: "test",
Cidrs: []string{
"127.0.0.1/32",
},
},
event: &types.Event{
Meta: map[string]string{
"source_ip": "127.0.0.1",
},
},
expected: true,
},
{
name: "CIDR Not Whitelisted",
whitelist: Whitelist{
Reason: "test",
Cidrs: []string{
"127.0.0.1/32",
},
},
event: &types.Event{
Meta: map[string]string{
"source_ip": "127.0.0.2",
},
},
},
{
name: "EXPR Whitelisted",
whitelist: Whitelist{
Reason: "test",
Exprs: []string{
"evt.Meta.source_ip == '127.0.0.1'",
},
},
event: &types.Event{
Meta: map[string]string{
"source_ip": "127.0.0.1",
},
},
expected: true,
},
{
name: "EXPR Not Whitelisted",
whitelist: Whitelist{
Reason: "test",
Exprs: []string{
"evt.Meta.source_ip == '127.0.0.1'",
},
},
event: &types.Event{
Meta: map[string]string{
"source_ip": "127.0.0.2",
},
},
},
{
name: "Postoverflow IP Whitelisted",
whitelist: Whitelist{
Reason: "test",
Ips: []string{
"192.168.1.1",
},
},
event: &types.Event{
Type: types.OVFLW,
Overflow: types.RuntimeAlert{
Sources: map[string]models.Source{
"192.168.1.1": {},
},
},
},
expected: true,
},
{
name: "Postoverflow IP Not Whitelisted",
whitelist: Whitelist{
Reason: "test",
Ips: []string{
"192.168.1.2",
},
},
event: &types.Event{
Type: types.OVFLW,
Overflow: types.RuntimeAlert{
Sources: map[string]models.Source{
"192.168.1.1": {},
},
},
},
},
{
name: "Postoverflow CIDR Whitelisted",
whitelist: Whitelist{
Reason: "test",
Cidrs: []string{
"192.168.1.1/32",
},
},
event: &types.Event{
Type: types.OVFLW,
Overflow: types.RuntimeAlert{
Sources: map[string]models.Source{
"192.168.1.1": {},
},
},
},
expected: true,
},
{
name: "Postoverflow CIDR Not Whitelisted",
whitelist: Whitelist{
Reason: "test",
Cidrs: []string{
"192.168.1.2/32",
},
},
event: &types.Event{
Type: types.OVFLW,
Overflow: types.RuntimeAlert{
Sources: map[string]models.Source{
"192.168.1.1": {},
},
},
},
},
{
name: "Postoverflow EXPR Whitelisted",
whitelist: Whitelist{
Reason: "test",
Exprs: []string{
"evt.Overflow.APIAlerts[0].Source.Cn == 'test'",
},
},
event: &types.Event{
Type: types.OVFLW,
Overflow: types.RuntimeAlert{
APIAlerts: []models.Alert{
{
Source: &models.Source{
Cn: "test",
},
},
},
},
},
expected: true,
},
{
name: "Postoverflow EXPR Not Whitelisted",
whitelist: Whitelist{
Reason: "test",
Exprs: []string{
"evt.Overflow.APIAlerts[0].Source.Cn == 'test2'",
},
},
event: &types.Event{
Type: types.OVFLW,
Overflow: types.RuntimeAlert{
APIAlerts: []models.Alert{
{
Source: &models.Source{
Cn: "test",
},
},
},
},
},
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
var err error
node.Whitelist = tt.whitelist
node.CompileWLs()
isWhitelisted := node.CheckIPsWL(tt.event.ParseIPSources())
if !isWhitelisted {
isWhitelisted, err = node.CheckExprWL(map[string]interface{}{"evt": tt.event})
}
require.NoError(t, err)
require.Equal(t, tt.expected, isWhitelisted)
})
}
}