feat: Scripted input support requirement test (#442)

* feat: Scripted input support requirement test

* added transport type file monitor

Author: nandinivij

pytest_splunk_addon/standard_lib/event_ingestors/requirement_event_ingester.py

@@ -162,6 +162,25 @@ def get_events(self):
                                     LOGGER.info(
                                         f"sending data transport_type:forwarder/uf_file_monitor filename:{filename} "
                                     )
+                                elif transport_type in (
+                                    "scripted_input",
+                                    "scripted input",
+                                    "hec_raw",
+                                ):
+                                    transport_type = "scripted_input"
+                                    host, source, sourcetype = self.extract_params(
+                                        event_tag
+                                    )
+                                    LOGGER.info(
+                                        f"sending data transport_type:scripted_input or hec_raw filename:{filename} "
+                                    )
+                                elif transport_type == "file_monitor":
+                                    host, source, sourcetype = self.extract_params(
+                                        event_tag
+                                    )
+                                    LOGGER.info(
+                                        f"sending data transport_type:file_monitor filename:{filename} "
+                                    )
                                 else:
                                     transport_type = "default"
                                 unescaped_event = self.extract_raw_events(event_tag)

pytest_splunk_addon/standard_lib/requirement_tests/test_generator.py

@@ -150,6 +150,11 @@ def generate_cim_req_params(self):
                             "dbx",
                             "windows_input",
                             "hec_event",
+                            "scripted_input",
+                            "scripted input",
+                            "hec_raw",
+                            "file_monitor",
+                            "forwarder",
                         ):
                             host, source, sourcetype = self.extract_params(event_tag)
                             host, source, sourcetype = self.escape_host_src_srctype(
@@ -160,18 +165,8 @@ def generate_cim_req_params(self):
                                 "source": source,
                                 "sourcetype": sourcetype,
                             }
-                        elif transport_type.lower() == "forwarder":
-                            host, source, sourcetype = self.extract_params(event_tag)
-                            host, source, sourcetype = self.escape_host_src_srctype(
-                                host, source, sourcetype
-                            )
-                            transport_type_params = {
-                                "host": host,
-                                "source": source,
-                                "sourcetype": sourcetype,
-                            }
                         else:
-                            # todo: non syslog/modinput events are skipped currently until we support it
+                            # todo: non syslog/modinput/non forwarder/scripted_input events are skipped currently until we support it
                             continue
 
                         escaped_event = self.escape_char_event(unescaped_event)

tests/constants.py

@@ -770,3 +770,12 @@
 TA_REQUIREMENTS_UF_FAILED = [
     "*test_splunk_app_requirements_uf.py::Test_App::test_requirement_params* FAILED*",
 ]
+
+TA_REQUIREMENTS_SCRIPTED_PASSED = [
+    "*test_splunk_app_requirements_scripted.py::Test_App::test_events_with_untokenised_values* PASSED*",
+    "*test_splunk_app_requirements_scripted.py::Test_App::test_requirement_params* PASSED*",
+]
+
+TA_REQUIREMENTS_SCRIPTED_FAILED = [
+    "*test_splunk_app_requirements_scripted.py::Test_App::test_requirement_params* FAILED*",
+]

tests/requirement_test_scripted/sample_requirement_test_scripted.log

@@ -0,0 +1,37 @@
+<?xml version="1.0"?>
+<device>
+	<vendor>Nix</vendor>
+	<product>Nix</product>
+	<version id="6,7" os="CentOS"/>
+	<version id="6.9,7.4,8.0" os="RHEL"/>
+	<version id="16.04" os="Ubuntu"/>
+	<version id="10,11,11.3" os="Solaris"/>
+	<version id="10.11,10.12" os="MAC OS X"/>
+	<event code="" name="service" format="">
+		<transport type="scripted input" host="sample_host" source="Unix:Service" sourcetype ="Unix:Service" />
+		<source>
+			<comment>Unix service information. Data is collected from live instance. Data is generated from systemctl command. </comment>
+		</source>
+		<raw>
+		<![CDATA[Tue May 26 01:38:02 PDT 2020 type=systemctl UNIT=whoopsie.service, LOADED=not-found, ACTIVE=inactive, SUB=dead, DESCRIPTION="whoopsie.service"]]>
+		</raw>
+		<cim>
+		    <models>
+			    <model>Endpoint:Services</model>
+		    </models>
+			<cim_fields>
+				<field name="service" value="whoopsie.service"/>
+				<field name="service_name" value="whoopsie.service"/>
+				<field name="status" value="stopped"/>
+				<field name="start_mode" value="Auto"/>
+				<field name="vendor_product" value="nix"/>
+			</cim_fields>
+			<missing_recommended_fields>
+				<field>service_id</field>
+				<field>service_path</field>
+				<field>user</field>
+			</missing_recommended_fields>
+		</cim>
+		<test></test>
+	</event>
+</device>

tests/requirement_test_scripted/sample_requirement_test_scripted_failure.log

@@ -0,0 +1,38 @@
+<?xml version="1.0"?>
+<device>
+	<vendor>Nix</vendor>
+	<product>Nix</product>
+	<version id="6,7" os="CentOS"/>
+	<version id="6.9,7.4,8.0" os="RHEL"/>
+	<version id="16.04" os="Ubuntu"/>
+	<version id="10,11,11.3" os="Solaris"/>
+	<version id="10.11,10.12" os="MAC OS X"/>
+	<event code="" name="service" format="">
+		<transport type="scripted input" host="sample_host" source="Unix:Service" sourcetype ="Unix:Service" />
+		<source>
+			<comment>Unix service information. Data is collected from live instance. Data is generated from systemctl command. </comment>
+		</source>
+		<raw>
+		<![CDATA[Tue May 26 01:38:02 PDT 2020 type=systemctl UNIT=whoopsie.service, LOADED=not-found, ACTIVE=inactive, SUB=dead, DESCRIPTION="whoopsie.service"]]>
+		</raw>
+		<cim>
+		    <models>
+			    <model>Endpoint:Services</model>
+		    </models>
+			<cim_fields>
+                <field name="dest" value="qa-ubuntu-105"/>
+				<field name="service" value="whoopsie.service"/>
+				<field name="service_name" value="whoopsie.service"/>
+				<field name="status" value="stopped"/>
+				<field name="start_mode" value="Auto"/>
+				<field name="vendor_product" value="nix"/>
+			</cim_fields>
+			<missing_recommended_fields>
+				<field>service_id</field>
+				<field>service_path</field>
+				<field>user</field>
+			</missing_recommended_fields>
+		</cim>
+		<test></test>
+	</event>
+</device>

tests/requirement_test_uf/sample_requirement_test_uf_failure.log

@@ -5,7 +5,7 @@
   <version id="13.21" />
     <event code="" name="failed_login1,sshd_authentication1" format="syslog">
         <version id="7.2"/>
-        <transport type="forwarder" host="sample_host" source="sample_source" sourcetype = "aix_secure" />
+        <transport type="forwarder" host="sample_host2" source="sample_source2" sourcetype = "aix_secure" />
         <source>
             <comment>Logs for Failed login attempt.(Live Sample)</comment>
         </source>

tests/test_splunk_addon.py

@@ -54,6 +54,12 @@ def setup_test_dir(testdir):
         ),
         os.path.join(testdir.tmpdir, "tests/requirement_test_uf"),
     )
+    shutil.copytree(
+        os.path.join(
+            testdir.request.config.invocation_dir, "tests/requirement_test_scripted"
+        ),
+        os.path.join(testdir.tmpdir, "tests/requirement_test_scripted"),
+    )
 
     shutil.copy(
         os.path.join(testdir.request.config.invocation_dir, "Dockerfile.splunk"),
@@ -640,3 +646,50 @@ def empty_method():
 
     # make sure that that we get a non '0' exit code for the testsuite as it contains failure
     assert result.ret != 0
+
+
+@pytest.mark.docker
+def test_splunk_app_requirements_scripted(testdir):
+    """Make sure that pytest accepts our fixture."""
+
+    testdir.makepyfile(
+        """
+        from pytest_splunk_addon.standard_lib.addon_basic import Basic
+        class Test_App(Basic):
+            def empty_method():
+                pass
+    """
+    )
+
+    shutil.copytree(
+        os.path.join(testdir.request.fspath.dirname, "addons/TA_requirement_test_uf"),
+        os.path.join(testdir.tmpdir, "package"),
+    )
+
+    setup_test_dir(testdir)
+    SampleGenerator.clean_samples()
+    Rule.clean_rules()
+
+    # run pytest with the following cmd args
+    result = testdir.runpytest(
+        "--splunk-type=docker",
+        "-v",
+        "-m splunk_searchtime_requirements",
+        "--search-interval=4",
+        "--search-retry=4",
+        "--search-index=*,_internal",
+        "--requirement-test=tests/requirement_test_scripted",
+    )
+    logger.info(result.outlines)
+    logger.info(len(constants.TA_REQUIREMENTS_SCRIPTED_PASSED))
+    logger.info(len(constants.TA_REQUIREMENTS_SCRIPTED_FAILED))
+    result.stdout.fnmatch_lines_random(
+        constants.TA_REQUIREMENTS_SCRIPTED_PASSED
+        + constants.TA_REQUIREMENTS_SCRIPTED_FAILED
+    )
+    result.assert_outcomes(
+        passed=len(constants.TA_REQUIREMENTS_SCRIPTED_PASSED), failed=1
+    )
+
+    # make sure that that we get a non '0' exit code for the testsuite as it contains failure
+    assert result.ret != 0