From 99d4f2a9543237e397075ca9dc3655b3cba484eb Mon Sep 17 00:00:00 2001
From: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Date: Mon, 18 Dec 2023 14:38:46 +0200
Subject: [PATCH] Added test for check-pack command
---
 panther_analysis_tool/main.py | 3 ++
 tests/fixtures/check-packs/packs/test.yml | 7 +++
 .../rules/test_rules/test_deprecated.yml | 17 +++++++
 .../rules/test_rules/test_included.yml | 15 ++++++
 .../rules/test_rules/test_missing.yml | 15 ++++++
 .../panther_analysis_tool/test_check_packs.py | 50 +++++++++++++++++++
 6 files changed, 107 insertions(+)
 create mode 100644 tests/fixtures/check-packs/packs/test.yml
 create mode 100644 tests/fixtures/check-packs/rules/test_rules/test_deprecated.yml
 create mode 100644 tests/fixtures/check-packs/rules/test_rules/test_included.yml
 create mode 100644 tests/fixtures/check-packs/rules/test_rules/test_missing.yml
 create mode 100644 tests/unit/panther_analysis_tool/test_check_packs.py
diff --git a/panther_analysis_tool/main.py b/panther_analysis_tool/main.py
index 7b5b9818..6e4eb7e5 100644
--- a/panther_analysis_tool/main.py
+++ b/panther_analysis_tool/main.py
@@ -1281,6 +1281,9 @@ def check_packs(args: argparse.Namespace) -> Tuple[int, str]:
 pack_name = pack.file_name.replace(".yml", "").split("/")[-1]
 included_rules = []
 detections = [detection for detection in specs.detections if not detection.is_deprecated()]
+ detections.extend(
+ [detection for detection in specs.simple_detections if not detection.is_deprecated()]
+ )
 for detection in detections:
 # remove leading ./
 # ./some-dir -> some-dir
diff --git a/tests/fixtures/check-packs/packs/test.yml b/tests/fixtures/check-packs/packs/test.yml
new file mode 100644
index 00000000..ac6355fc
--- /dev/null
+++ b/tests/fixtures/check-packs/packs/test.yml
@@ -0,0 +1,7 @@
+AnalysisType: pack
+PackID: PantherManaged.Test
+Description: Group of all Test detections
+PackDefinition:
+ IDs:
+ - Test.Included
+DisplayName: "Panther Test Pack"
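Review bot: The new `extend` call repeats the `not detection.is_deprecated()` filter that the line above already applies to `specs.detections`, so the same deprecation rule now lives in two comprehensions that must be kept in step; building `detections` from both sources in one place keeps the rule single, e.g. `detections = [d for d in (*specs.detections, *specs.simple_detections) if not d.is_deprecated()]`. If the separate `extend` is kept, it accepts any iterable, so the inner list brackets can be dropped in favour of a generator expression. The rest of `check_packs`, including how `included_rules` is later compared against each pack, lies outside the hunk, so I could not confirm whether any later step still walks `specs.detections` alone and would need the same widening to cover simple detections.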
diff --git a/tests/fixtures/check-packs/rules/test_rules/test_deprecated.yml b/tests/fixtures/check-packs/rules/test_rules/test_deprecated.yml
new file mode 100644
index 00000000..b095d66b
--- /dev/null
+++ b/tests/fixtures/check-packs/rules/test_rules/test_deprecated.yml
@@ -0,0 +1,17 @@
+AnalysisType: rule
+Description: test description
+DisplayName: "Test"
+Enabled: true
+Severity: Medium
+DedupPeriodMinutes: 60
+Detection:
+ - All:
+ - Condition: Equals
+ KeyPath: IntegrityLevel
+ Value: System
+LogTypes:
+ - Asana.Audit
+RuleID: "Test.Deprecated"
+Threshold: 1
+Tags:
+ - Deprecated
\ No newline at end of file
diff --git a/tests/fixtures/check-packs/rules/test_rules/test_included.yml b/tests/fixtures/check-packs/rules/test_rules/test_included.yml
new file mode 100644
index 00000000..bde213b0
--- /dev/null
+++ b/tests/fixtures/check-packs/rules/test_rules/test_included.yml
@@ -0,0 +1,15 @@
+AnalysisType: rule
+Description: test description
+DisplayName: "Test"
+Enabled: true
+Severity: Medium
+DedupPeriodMinutes: 60
+Detection:
+ - All:
+ - Condition: Equals
+ KeyPath: IntegrityLevel
+ Value: System
+LogTypes:
+ - Asana.Audit
+RuleID: "Test.Included"
+Threshold: 1
diff --git a/tests/fixtures/check-packs/rules/test_rules/test_missing.yml b/tests/fixtures/check-packs/rules/test_rules/test_missing.yml
new file mode 100644
index 00000000..2294379b
--- /dev/null
+++ b/tests/fixtures/check-packs/rules/test_rules/test_missing.yml
@@ -0,0 +1,15 @@
+AnalysisType: rule
+Description: test description
+DisplayName: "Test"
+Enabled: true
+Severity: Medium
+DedupPeriodMinutes: 60
+Detection:
+ - All:
+ - Condition: Equals
+ KeyPath: IntegrityLevel
+ Value: System
+LogTypes:
+ - Asana.Audit
+RuleID: "Test.Missing"
+Threshold: 1
diff --git a/tests/unit/panther_analysis_tool/test_check_packs.py b/tests/unit/panther_analysis_tool/test_check_packs.py
new file mode 100644
index 00000000..3a797b22
--- /dev/null
+++ b/tests/unit/panther_analysis_tool/test_check_packs.py
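Review bot: `test_deprecated.yml` is the only one of the three new rule fixtures written without a trailing newline (the `\ No newline at end of file` marker at the end of its hunk), whereas `test_included.yml` and `test_missing.yml` end cleanly; adding the final newline keeps the fixtures consistent and avoids churn in later diffs. The fixture signals deprecation solely through `Tags: - Deprecated`, which is presumably what the loader's `is_deprecated()` keys on, but nothing in the file says so; a one-line comment such as `# Deprecated tag: check-packs must skip this rule (asserted in test_check_packs.py)` would make the fixture's role visible to the next reader. The same purpose comment would help `test_missing.yml` (intentionally absent from the pack) and `test_included.yml` (listed in the pack).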
@@ -0,0 +1,50 @@
+"""
+Panther Analysis Tool is a command line interface for writing,
+testing, and packaging policies/rules.
+Copyright (C) 2023 Panther Labs Inc
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+"""
+import os
+import unittest
+from argparse import Namespace
+
+from panther_core.detection import DetectionResult
+from panther_core.policy import TYPE_POLICY
+from panther_core.rule import TYPE_RULE, Rule
+
+from panther_analysis_tool.main import check_packs
+from panther_analysis_tool.testing import (
+ FunctionTestResult,
+ TestCaseEvaluator,
+ TestError,
+ TestExpectations,
+ TestResult,
+ TestResultsPerFunction,
+ TestSpecification,
+)
+
+FIXTURES_PATH = os.path.abspath(
+ os.path.join(os.path.dirname(__file__), "../../", "fixtures", "check-packs")
+)
+
+
+class TestCheckPacks(unittest.TestCase):
+ def test_fixtures(self) -> None:
+ args = Namespace(path=FIXTURES_PATH)
+ exit_code, res = check_packs(args)
+
+ assert exit_code == 1
+ expected = "There are packs that are potentially missing detections:\ntest.yml: Test.Missing\n\n"
+ assert res == expected
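Review bot: Most of the imports in the new test module are unused: `DetectionResult`, `TYPE_POLICY`, `TYPE_RULE`, `Rule` and the whole `panther_analysis_tool.testing` block (`FunctionTestResult` through `TestSpecification`) are never referenced, while only `os`, `unittest`, `Namespace` and `check_packs` are; they look copied from a sibling test module and should be dropped before a linter flags them. Inside `test_fixtures` the checks are bare `assert` statements in a `unittest.TestCase`; `self.assertEqual(exit_code, 1)` and `self.assertEqual(res, expected)` would print both values on failure and match the class's conventions. The `expected` string pins the exact report text down to the trailing `\n\n`, so any cosmetic change to the check-packs output will break this test; a comment such as `# exact output contract of check-packs; change together with main.py` would tell the next maintainer the strictness is deliberate. Separately, the license header reads `If not, see .` — the link appears to have been lost, possibly only in how this patch was rendered, so it is worth confirming the committed file still carries it.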