filterx/modules/cef: add unit tests for filterx-func-parse-cef()

Signed-off-by: shifter <shifter@axoflow.com>

modules/cef/tests/CMakeLists.txt

@@ -1 +1,2 @@
 add_unit_test(LIBTEST CRITERION TARGET test-format-cef-extension DEPENDS cef)
+add_unit_test(LIBTEST CRITERION TARGET test-filterx-function-parse-cef DEPENDS cef)

modules/cef/tests/Makefile.am

@@ -1,4 +1,6 @@
 modules_cef_tests_TESTS		= \
+	modules/cef/tests/test-format-cef-extension	\
+	modules/cef/tests/test-filterx-function-parse-cef	\
 	modules/cef/tests/test-format-cef-extension
 
 check_PROGRAMS				+= ${modules_cef_tests_TESTS}

modules/cef/tests/test-filterx-function-parse-cef.c

@@ -0,0 +1,216 @@
+/*
+ * Copyright (c) 2023 Axoflow
+ * Copyright (c) 2024 shifter
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * As an additional exemption you are allowed to compile & link against the
+ * OpenSSL libraries as published by the OpenSSL project. See the file
+ * COPYING for details.
+ */
+
+#include <criterion/criterion.h>
+#include "libtest/filterx-lib.h"
+
+#include "apphook.h"
+#include "scratch-buffers.h"
+
+#include "filterx-func-parse-cef.h"
+#include "event-format-parser.h"
+
+#include "filterx/object-string.h"
+#include "filterx/object-null.h"
+#include "filterx/expr-literal.h"
+#include "filterx/object-json.h"
+#include "filterx/object-list-interface.h"
+#include "filterx/object-dict-interface.h"
+#include "filterx/object-primitive.h"
+#include "filterx/filterx-eval.h"
+
+
+FilterXExpr *
+_new_cef_parser(FilterXFunctionArgs *args, GError **error, FilterXObject *fillable)
+{
+  FilterXExpr *func = filterx_function_parse_cef_new(args, error);
+
+  if (!func)
+    return NULL;
+
+  FilterXExpr *fillable_expr = filterx_non_literal_new(fillable);
+  filterx_generator_set_fillable(func, fillable_expr);
+
+  return func;
+}
+
+FilterXFunctionArgs *
+_assert_create_args(const gchar *input)
+{
+  GList *args = NULL;
+  args = g_list_append(args, filterx_function_arg_new(NULL, filterx_literal_new(filterx_string_new(input, -1))));
+  GError *args_err = NULL;
+  FilterXFunctionArgs *result = filterx_function_args_new(args, &args_err);
+  cr_assert_null(args_err);
+  g_error_free(args_err);
+  return result;
+}
+
+FilterXObject *
+_eval_cef_input(const gchar *input, GError **error)
+{
+  FilterXExpr *func = _new_cef_parser(_assert_create_args(input), error, filterx_json_object_new_empty());
+  FilterXObject *obj = filterx_expr_eval(func);
+  filterx_expr_unref(func);
+  return obj;
+}
+
+void
+_assert_cef_parser_result(const gchar *input, const gchar *expected_result)
+{
+
+  GError *err = NULL;
+  FilterXObject *obj = _eval_cef_input(input, &err);
+  cr_assert_null(err);
+  cr_assert_not_null(obj);
+
+  cr_assert(filterx_object_is_type(obj, &FILTERX_TYPE_NAME(dict)));
+
+  GString *repr = scratch_buffers_alloc();
+
+  LogMessageValueType lmvt;
+  cr_assert(filterx_object_marshal(obj, repr, &lmvt));
+
+  cr_assert_str_eq(repr->str, expected_result);
+
+  filterx_object_unref(obj);
+  g_error_free(err);
+}
+
+Test(filterx_func_parse_cef, test_invalid_version)
+{
+  GError *init_err = NULL;
+  cr_assert_null(
+    _eval_cef_input("INVALID|KasperskyLab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|rt=1647626887000 cs9=site location Bldg cs9Label=GroupName dhost=WS6465 dst=10.55.203.12 cs2=KES cs2Label=ProductName cs3=11.0.0.0 cs3Label=ProductVersion cs10=Uninstall EDR cs10Label=TaskName cs4=885 cs4Label=TaskId cn2=4 cn2Label=TaskNewState cn1=0 cn1Label=TaskOldState",
+                    &init_err));
+  cr_assert_null(init_err);
+  const gchar *last_error = filterx_eval_get_last_error();
+  cr_assert_not_null(last_error);
+  GString *expected_err_msg = scratch_buffers_alloc();
+  g_string_append_printf(expected_err_msg, EVENT_FORMAT_PARSER_ERR_NO_LOG_SIGN_MSG, "CEF");
+  cr_assert_str_eq(expected_err_msg->str, last_error);
+}
+
+Test(filterx_func_parse_cef, test_invalid_log_signature)
+{
+  GError *init_err = NULL;
+  cr_assert_null(
+    _eval_cef_input("BAD_SIGN:0|KasperskyLab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|rt=1647626887000 cs9=site location Bldg cs9Label=GroupName dhost=WS6465 dst=10.55.203.12 cs2=KES cs2Label=ProductName cs3=11.0.0.0 cs3Label=ProductVersion cs10=Uninstall EDR cs10Label=TaskName cs4=885 cs4Label=TaskId cn2=4 cn2Label=TaskNewState cn1=0 cn1Label=TaskOldState",
+                    &init_err));
+  cr_assert_null(init_err);
+  const gchar *last_error = filterx_eval_get_last_error();
+  cr_assert_not_null(last_error);
+  GString *expected_err_msg = scratch_buffers_alloc();
+  g_string_append_printf(expected_err_msg, EVENT_FORMAT_PARSER_ERR_LOG_SIGN_DIFFERS_MSG, "BAD_SIGN:0", "CEF");
+  cr_assert_str_eq(expected_err_msg->str, last_error);
+}
+
+Test(filterx_func_parse_cef, test_header_missing_field)
+{
+  GError *init_err = NULL;
+  cr_assert_null(_eval_cef_input("CEF:0|KasperskyLab|SecurityCenter|", &init_err));
+  cr_assert_null(init_err);
+  const gchar *last_error = filterx_eval_get_last_error();
+  cr_assert_not_null(last_error);
+  GString *expected_err_msg = scratch_buffers_alloc();
+  g_string_append_printf(expected_err_msg, EVENT_FORMAT_PARSER_ERR_MISSING_COLUMNS_MSG, (guint64)3, (guint64)8);
+  cr_assert_str_eq(expected_err_msg->str, last_error);
+}
+
+Test(filterx_func_parse_cef, test_basic_cef_message)
+{
+  _assert_cef_parser_result("CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|rt=1647626887000 cs9=site location Bldg cs9Label=GroupName dhost=WS6465 dst=10.55.203.12 cs2=KES cs2Label=ProductName cs3=11.0.0.0 cs3Label=ProductVersion cs10=Uninstall EDR cs10Label=TaskName cs4=885 cs4Label=TaskId cn2=4 cn2Label=TaskNewState cn1=0 cn1Label=TaskOldState",
+                            "{\"version\":\"0\",\"deviceVendor\":\"KasperskyLab\",\"deviceProduct\":\"SecurityCenter\",\"deviceVersion\":\"13.2.0.1511\",\"deviceEventClassId\":\"KLPRCI_TaskState\",\"name\":\"Completed successfully\",\"agentSeverity\":\"1\",\"extensions\":{\"rt\":\"1647626887000\",\"cs9\":\"site location Bldg\",\"cs9Label\":\"GroupName\",\"dhost\":\"WS6465\",\"dst\":\"10.55.203.12\",\"cs2\":\"KES\",\"cs2Label\":\"ProductName\",\"cs3\":\"11.0.0.0\",\"cs3Label\":\"ProductVersion\",\"cs10\":\"Uninstall EDR\",\"cs10Label\":\"TaskName\",\"cs4\":\"885\",\"cs4Label\":\"TaskId\",\"cn2\":\"4\",\"cn2Label\":\"TaskNewState\",\"cn1\":\"0\",\"cn1Label\":\"TaskOldState\"}}");
+}
+
+Test(filterx_func_parse_cef, test_extensions_empty)
+{
+  _assert_cef_parser_result("CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|",
+                            "{\"version\":\"0\",\"deviceVendor\":\"KasperskyLab\",\"deviceProduct\":\"SecurityCenter\",\"deviceVersion\":\"13.2.0.1511\",\"deviceEventClassId\":\"KLPRCI_TaskState\",\"name\":\"Completed successfully\",\"agentSeverity\":\"1\",\"extensions\":{}}");
+}
+
+Test(filterx_func_parse_cef, test_header_escaped_delimiter)
+{
+  _assert_cef_parser_result("CEF:0|Kaspers\\|kyLab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|rt=1647626887000",
+                            "{\"version\":\"0\",\"deviceVendor\":\"Kaspers|kyLab\",\"deviceProduct\":\"SecurityCenter\",\"deviceVersion\":\"13.2.0.1511\",\"deviceEventClassId\":\"KLPRCI_TaskState\",\"name\":\"Completed successfully\",\"agentSeverity\":\"1\",\"extensions\":{\"rt\":\"1647626887000\"}}");
+}
+
+
+Test(filterx_func_parse_cef, test_exteansion_escaped_delimiter)
+{
+  _assert_cef_parser_result("CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|escaped=foo\\=bar\\=baz",
+                            "{\"version\":\"0\",\"deviceVendor\":\"KasperskyLab\",\"deviceProduct\":\"SecurityCenter\",\"deviceVersion\":\"13.2.0.1511\",\"deviceEventClassId\":\"KLPRCI_TaskState\",\"name\":\"Completed successfully\",\"agentSeverity\":\"1\",\"extensions\":{\"escaped\":\"foo=bar=baz\"}}");
+}
+
+Test(filterx_func_parse_cef, test_header_do_not_strip_whitespaces)
+{
+  _assert_cef_parser_result("CEF:0| KasperskyLab |  SecurityCenter  |   13.2.0.1511   |    KLPRCI_TaskState    |     Completed successfully     |      1      |",
+                            "{\"version\":\"0\",\"deviceVendor\":\" KasperskyLab \",\"deviceProduct\":\"  SecurityCenter  \",\"deviceVersion\":\"   13.2.0.1511   \",\"deviceEventClassId\":\"    KLPRCI_TaskState    \",\"name\":\"     Completed successfully     \",\"agentSeverity\":\"      1      \",\"extensions\":{}}");
+}
+
+Test(filterx_func_parse_cef, test_extensions_space_in_value)
+{
+  _assert_cef_parser_result("CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|foo=bar baz tik=tak toe",
+                            "{\"version\":\"0\",\"deviceVendor\":\"KasperskyLab\",\"deviceProduct\":\"SecurityCenter\",\"deviceVersion\":\"13.2.0.1511\",\"deviceEventClassId\":\"KLPRCI_TaskState\",\"name\":\"Completed successfully\",\"agentSeverity\":\"1\",\"extensions\":{\"foo\":\"bar baz\",\"tik\":\"tak toe\"}}");
+}
+
+// TODO: fix spaces?
+// Test(filterx_func_parse_cef, test_extensions_trailing_space_in_key)
+// {
+//   _assert_cef_parser_result("CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|foo bar=bar baz",
+//   "{\"version\":\"0\",\"deviceVendor\":\"KasperskyLab\",\"deviceProduct\":\"SecurityCenter\",\"deviceVersion\":\"13.2.0.1511\",\"deviceEventClassId\":\"KLPRCI_TaskState\",\"name\":\"Completed successfully\",\"agentSeverity\":\"1\",\"extensions\":{\"foo bar\":\"bar baz\"}}");
+// }
+
+// Test(filterx_func_parse_cef, test_extensions_trailing_space_in_value)
+// {
+//   _assert_cef_parser_result("CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|foo= bar baz tik=  tak toe ",
+//   "{\"version\":\"0\",\"deviceVendor\":\"KasperskyLab\",\"deviceProduct\":\"SecurityCenter\",\"deviceVersion\":\"13.2.0.1511\",\"deviceEventClassId\":\"KLPRCI_TaskState\",\"name\":\"Completed successfully\",\"agentSeverity\":\"1\",\"extensions\":{\"foo\":\"bar baz\"}}");
+// }
+
+Test(filterx_func_parse_cef, test_header_whitespaces)
+{
+  _assert_cef_parser_result("CEF:0|Kasper sky  Lab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|",
+                            "{\"version\":\"0\",\"deviceVendor\":\"Kasper sky  Lab\",\"deviceProduct\":\"SecurityCenter\",\"deviceVersion\":\"13.2.0.1511\",\"deviceEventClassId\":\"KLPRCI_TaskState\",\"name\":\"Completed successfully\",\"agentSeverity\":\"1\",\"extensions\":{}}");
+}
+
+Test(filterx_func_parse_cef, test_header_leading_trailing_whitespaces)
+{
+  _assert_cef_parser_result("CEF:0|  KasperskyLab |SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|",
+                            "{\"version\":\"0\",\"deviceVendor\":\"  KasperskyLab \",\"deviceProduct\":\"SecurityCenter\",\"deviceVersion\":\"13.2.0.1511\",\"deviceEventClassId\":\"KLPRCI_TaskState\",\"name\":\"Completed successfully\",\"agentSeverity\":\"1\",\"extensions\":{}}");
+}
+
+static void
+setup(void)
+{
+  app_startup();
+  init_libtest_filterx();
+}
+
+static void
+teardown(void)
+{
+  scratch_buffers_explicit_gc();
+  deinit_libtest_filterx();
+  app_shutdown();
+}
+
+TestSuite(filterx_func_parse_cef, .init = setup, .fini = teardown);