from zerver . lib . test_classes import WebhookTestCase
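class SplunkHookTests(WebhookTestCase):
    """Integration tests for the Splunk saved-search alert webhook.

    Each test posts one fixture from the ``splunk`` fixture directory to the
    webhook URL and asserts the topic and message that land in the stream.
    The rendered alert always has four lines -- the search (a markdown link
    to its results), the host, the source and the raw event -- and the
    ``test_splunk_missing_*`` tests pin the ``Missing <field>`` placeholder
    the webhook emits for each field a fixture leaves out.
    """

    STREAM_NAME = 'splunk'
    # The bot's API key is a query-string parameter (Zulip's standard webhook
    # URL scheme), so the full URL is itself a credential and should be
    # handled as one wherever Splunk stores it.
    URL_TEMPLATE = "/api/v1/external/splunk?api_key={api_key}&stream={stream}"
    FIXTURE_DIR_NAME = 'splunk'

    # Topic the tests pass explicitly in the URL. The two *_search_name tests
    # omit it so that the webhook falls back to the saved search's name.
    EXPLICIT_TOPIC = "New Search Alert"

    # Field values shared by every fixture; each missing_* fixture drops one.
    RESULTS_LINK = ("http://example.com:8000/app/search/search?q=%7Cloadjob%20"
                    "rt_scheduler__admin__search__sudo_at_1483557185_2.2%20%7C%20"
                    "head%201%20%7C%20tail%201&earliest=0&latest=now")
    ALERT_HOST = "myserver"
    ALERT_SOURCE = "/var/log/auth.log"
    # Two spaces after "Jan": the event is a syslog line, whose single-digit
    # day of month is space-padded.
    ALERT_RAW = "Jan  4 11:14:32 myserver sudo: pam_unix(sudo:session): session closed for user root"

    # Shape of the message the webhook renders. Source and raw are wrapped in
    # backticks by the webhook, so the ``Missing ...`` placeholders for those
    # two fields land inside the code spans as well.
    MESSAGE_TEMPLATE = """
Splunk alert from saved search:
* **Search**: {search}
* **Host**: {host}
* **Source**: `{source}`
* **Raw**: `{raw}`
""".strip()

    def check_alert(self, fixture_name: str, expected_topic: str, *,
                    search: str,
                    host: str = ALERT_HOST,
                    source: str = ALERT_SOURCE,
                    raw: str = ALERT_RAW) -> None:
        """Post fixture *fixture_name* and assert the resulting topic and message.

        *search* is the complete markdown link for the Search line. *host*,
        *source* and *raw* default to the values every fixture shares (the
        defaults resolve in the class namespace), so a test only spells out
        the field it exercises.
        """
        expected_message = self.MESSAGE_TEMPLATE.format(
            search=search, host=host, source=source, raw=raw)
        self.send_and_test_stream_message(fixture_name, expected_topic, expected_message,
                                          content_type="application/x-www-form-urlencoded")

    def test_splunk_search_one_result(self) -> None:
        """Fully populated alert with the topic given in the URL."""
        self.url = self.build_webhook_url(topic=self.EXPLICIT_TOPIC)
        self.check_alert('search_one_result', self.EXPLICIT_TOPIC,
                         search="[sudo]({})".format(self.RESULTS_LINK))

    def test_splunk_short_search_name(self) -> None:
        """Without a topic in the URL, the search name becomes the topic."""
        name = "This search's name isn't that long"
        self.check_alert('short_search_name', name,
                         search="[{}]({})".format(name, self.RESULTS_LINK))

    def test_splunk_long_search_name(self) -> None:
        """Without a topic in the URL, an over-long search name is cut short
        with ``...`` for the topic but kept whole in the message body."""
        name = ("this-search's-got-47-words-37-sentences-58-words-we-wanna-know-details-"
                "of-the-search-time-of-the-search-and-any-other-kind-of-thing-you-gotta-say-"
                "pertaining-to-and-about-the-search-I-want-to-know-authenticated-user's-name-"
                "and-any-other-kind-of-thing-you-gotta-say")
        expected_topic = "this-search's-got-47-words-37-sentences-58-words-we-wanna..."
        self.check_alert('long_search_name', expected_topic,
                         search="[{}]({})".format(name, self.RESULTS_LINK))

    def test_splunk_missing_results_link(self) -> None:
        """A fixture without results_link still yields a (placeholder) link target."""
        self.url = self.build_webhook_url(topic=self.EXPLICIT_TOPIC)
        self.check_alert('missing_results_link', self.EXPLICIT_TOPIC,
                         search="[sudo](Missing results_link)")

    def test_splunk_missing_search_name(self) -> None:
        """A fixture without search_name uses the placeholder as link text."""
        self.url = self.build_webhook_url(topic=self.EXPLICIT_TOPIC)
        self.check_alert('missing_search_name', self.EXPLICIT_TOPIC,
                         search="[Missing search_name]({})".format(self.RESULTS_LINK))

    def test_splunk_missing_host(self) -> None:
        """A fixture without host renders the placeholder on the Host line."""
        self.url = self.build_webhook_url(topic=self.EXPLICIT_TOPIC)
        self.check_alert('missing_host', self.EXPLICIT_TOPIC,
                         search="[sudo]({})".format(self.RESULTS_LINK),
                         host="Missing host")

    def test_splunk_missing_source(self) -> None:
        """A fixture without source renders the placeholder inside the code span."""
        self.url = self.build_webhook_url(topic=self.EXPLICIT_TOPIC)
        self.check_alert('missing_source', self.EXPLICIT_TOPIC,
                         search="[sudo]({})".format(self.RESULTS_LINK),
                         source="Missing source")

    def test_splunk_missing_raw(self) -> None:
        """A fixture without _raw renders the placeholder inside the code span."""
        self.url = self.build_webhook_url(topic=self.EXPLICIT_TOPIC)
        self.check_alert('missing_raw', self.EXPLICIT_TOPIC,
                         search="[sudo]({})".format(self.RESULTS_LINK),
                         raw="Missing _raw")

    def get_body(self, fixture_name: str) -> str:
        """Return the named fixture's text.

        The fixtures are stored as ``.json`` files even though the tests post
        them with a form-urlencoded content type; the directory comes from
        ``FIXTURE_DIR_NAME`` rather than a second copy of the literal.
        """
        return self.webhook_fixture_data(self.FIXTURE_DIR_NAME, fixture_name, file_type="json")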