metron-interface/metron-rest/src/test/java/org/apache/metron/rest/controller/SensorEnrichmentConfigControllerIntegrationTest.java

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.metron.rest.controller;

import org.adrianwalker.multilinestring.Multiline;
import org.apache.metron.rest.service.SensorEnrichmentConfigService;
import org.hamcrest.core.IsCollectionContaining;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

import java.nio.charset.StandardCharsets;

import static org.apache.metron.integration.utils.TestUtils.assertEventually;
import static org.apache.metron.rest.MetronRestConstants.TEST_PROFILE;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;

@ExtendWith(SpringExtension.class)
@SpringBootTest(webEnvironment= SpringBootTest.WebEnvironment.RANDOM_PORT)
@ActiveProfiles(TEST_PROFILE)
public class SensorEnrichmentConfigControllerIntegrationTest {

  /**
   {
   "enrichment": {
   "fieldMap": {
   "geo": [
   "ip_dst_addr"
   ],
   "host": [
   "ip_dst_addr"
   ],
   "hbaseEnrichment": [
   "ip_src_addr"
   ],
   "stellar": {
   "config": {
   "group1": {
   "foo": "1 + 1",
   "bar": "foo"
   },
   "group2": {
   "ALL_CAPS": "TO_UPPER(source.type)"
   }
   }
   }
   },
   "fieldToTypeMap": {
   "ip_src_addr": [
   "sample"
   ]
   }
   },
   "threatIntel": {
   "fieldMap": {
   "hbaseThreatIntel": [
   "ip_src_addr",
   "ip_dst_addr"
   ]
   },
   "fieldToTypeMap": {
   "ip_src_addr": [
   "malicious_ip"
   ],
   "ip_dst_addr": [
   "malicious_ip"
   ]
   },
   "triageConfig": {
   "riskLevelRules": [
   {
   "rule": "ip_src_addr == '10.122.196.204' or ip_dst_addr == '10.122.196.204'",
   "score": 10
   }
   ],
   "aggregator": "MAX"
   }
   }
   }
   */
  @Multiline
  public static String broJson;

  @Autowired
  private SensorEnrichmentConfigService sensorEnrichmentConfigService;

  @Autowired
  private WebApplicationContext wac;

  private MockMvc mockMvc;

  private String sensorEnrichmentConfigUrl = "/api/v1/sensor/enrichment/config";
  private String user = "user";
  private String password = "password";

  @BeforeEach
  public void setup() throws Exception {
    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).apply(springSecurity()).build();
  }

  @Test
  public void testSecurity() throws Exception {
    this.mockMvc.perform(post(sensorEnrichmentConfigUrl).with(csrf()).contentType(MediaType.parseMediaType("application/json;charset=UTF-8")).content(broJson))
            .andExpect(status().isUnauthorized());

    this.mockMvc.perform(get(sensorEnrichmentConfigUrl + "/broTest"))
            .andExpect(status().isUnauthorized());

    this.mockMvc.perform(get(sensorEnrichmentConfigUrl))
            .andExpect(status().isUnauthorized());

    this.mockMvc.perform(delete(sensorEnrichmentConfigUrl + "/broTest").with(csrf()))
            .andExpect(status().isUnauthorized());
  }

  /**
   * Note: <a href="https://github.com/json-path/JsonPath#path-examples">JSON Path examples</a>
   */
  @Test
  public void test() throws Exception {
    sensorEnrichmentConfigService.delete("broTest");

    this.mockMvc.perform(get(sensorEnrichmentConfigUrl).with(httpBasic(user,password)))
            .andExpect(status().isOk())
            .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8")))
            .andExpect(content().bytes("{}".getBytes(StandardCharsets.UTF_8)));

    this.mockMvc.perform(post(sensorEnrichmentConfigUrl + "/broTest").with(httpBasic(user, password)).with(csrf()).contentType(MediaType.parseMediaType("application/json;charset=UTF-8")).content(broJson))
            .andExpect(status().isCreated())
            .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8")))
            .andExpect(jsonPath("$.enrichment.fieldMap.geo[0]").value("ip_dst_addr"))
            .andExpect(jsonPath("$.enrichment.fieldMap.host[0]").value("ip_dst_addr"))
            .andExpect(jsonPath("$.enrichment.fieldMap.hbaseEnrichment[0]").value("ip_src_addr"))
            .andExpect(jsonPath("$.enrichment.fieldToTypeMap.ip_src_addr[0]").value("sample"))
            .andExpect(jsonPath("$.enrichment.fieldMap.stellar.config.group1.foo").value("1 + 1"))
            .andExpect(jsonPath("$.enrichment.fieldMap.stellar.config.group1.bar").value("foo"))
            .andExpect(jsonPath("$.enrichment.fieldMap.stellar.config.group2.ALL_CAPS").value("TO_UPPER(source.type)"))
            .andExpect(jsonPath("$.threatIntel.fieldMap.hbaseThreatIntel[0]").value("ip_src_addr"))
            .andExpect(jsonPath("$.threatIntel.fieldMap.hbaseThreatIntel[1]").value("ip_dst_addr"))
            .andExpect(jsonPath("$.threatIntel.fieldToTypeMap.ip_src_addr[0]").value("malicious_ip"))
            .andExpect(jsonPath("$.threatIntel.fieldToTypeMap.ip_dst_addr[0]").value("malicious_ip"))
            .andExpect(jsonPath("$.threatIntel.triageConfig.riskLevelRules[0].rule").value("ip_src_addr == '10.122.196.204' or ip_dst_addr == '10.122.196.204'"))
            .andExpect(jsonPath("$.threatIntel.triageConfig.riskLevelRules[0].score").value(10))
            .andExpect(jsonPath("$.threatIntel.triageConfig.aggregator").value("MAX"));

    assertEventually(() -> this.mockMvc.perform(post(sensorEnrichmentConfigUrl + "/broTest").with(httpBasic(user, password)).with(csrf()).contentType(MediaType.parseMediaType("application/json;charset=UTF-8")).content(broJson))
            .andExpect(status().isOk())
            .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8")))
            .andExpect(jsonPath("$.enrichment.fieldMap.geo[0]").value("ip_dst_addr"))
            .andExpect(jsonPath("$.enrichment.fieldMap.host[0]").value("ip_dst_addr"))
            .andExpect(jsonPath("$.enrichment.fieldMap.hbaseEnrichment[0]").value("ip_src_addr"))
            .andExpect(jsonPath("$.enrichment.fieldToTypeMap.ip_src_addr[0]").value("sample"))
            .andExpect(jsonPath("$.enrichment.fieldMap.stellar.config.group1.foo").value("1 + 1"))
            .andExpect(jsonPath("$.enrichment.fieldMap.stellar.config.group1.bar").value("foo"))
            .andExpect(jsonPath("$.enrichment.fieldMap.stellar.config.group2.ALL_CAPS").value("TO_UPPER(source.type)"))
            .andExpect(jsonPath("$.threatIntel.fieldMap.hbaseThreatIntel[0]").value("ip_src_addr"))
            .andExpect(jsonPath("$.threatIntel.fieldMap.hbaseThreatIntel[1]").value("ip_dst_addr"))
            .andExpect(jsonPath("$.threatIntel.fieldToTypeMap.ip_src_addr[0]").value("malicious_ip"))
            .andExpect(jsonPath("$.threatIntel.fieldToTypeMap.ip_dst_addr[0]").value("malicious_ip"))
            .andExpect(jsonPath("$.threatIntel.triageConfig.riskLevelRules[0].rule").value("ip_src_addr == '10.122.196.204' or ip_dst_addr == '10.122.196.204'"))
            .andExpect(jsonPath("$.threatIntel.triageConfig.riskLevelRules[0].score").value(10))
            .andExpect(jsonPath("$.threatIntel.triageConfig.aggregator").value("MAX") )
    );

    this.mockMvc.perform(get(sensorEnrichmentConfigUrl + "/broTest").with(httpBasic(user,password)))
            .andExpect(status().isOk())
            .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8")))
            .andExpect(jsonPath("$.enrichment.fieldMap.geo[0]").value("ip_dst_addr"))
            .andExpect(jsonPath("$.enrichment.fieldMap.host[0]").value("ip_dst_addr"))
            .andExpect(jsonPath("$.enrichment.fieldMap.hbaseEnrichment[0]").value("ip_src_addr"))
            .andExpect(jsonPath("$.enrichment.fieldToTypeMap.ip_src_addr[0]").value("sample"))
            .andExpect(jsonPath("$.enrichment.fieldMap.stellar.config.group1.foo").value("1 + 1"))
            .andExpect(jsonPath("$.enrichment.fieldMap.stellar.config.group1.bar").value("foo"))
            .andExpect(jsonPath("$.enrichment.fieldMap.stellar.config.group2.ALL_CAPS").value("TO_UPPER(source.type)"))
            .andExpect(jsonPath("$.threatIntel.fieldMap.hbaseThreatIntel[0]").value("ip_src_addr"))
            .andExpect(jsonPath("$.threatIntel.fieldMap.hbaseThreatIntel[1]").value("ip_dst_addr"))
            .andExpect(jsonPath("$.threatIntel.fieldToTypeMap.ip_src_addr[0]").value("malicious_ip"))
            .andExpect(jsonPath("$.threatIntel.fieldToTypeMap.ip_dst_addr[0]").value("malicious_ip"))
            .andExpect(jsonPath("$.threatIntel.triageConfig.riskLevelRules[0].rule").value("ip_src_addr == '10.122.196.204' or ip_dst_addr == '10.122.196.204'"))
            .andExpect(jsonPath("$.threatIntel.triageConfig.riskLevelRules[0].score").value(10))
            .andExpect(jsonPath("$.threatIntel.triageConfig.aggregator").value("MAX"));

    this.mockMvc.perform(get(sensorEnrichmentConfigUrl).with(httpBasic(user,password)))
            .andExpect(status().isOk())
            .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8")))
            .andExpect(jsonPath("$[?(@.broTest.enrichment.fieldMap.geo[0] == 'ip_dst_addr' &&" +
                    "@.broTest.enrichment.fieldMap.host[0] == 'ip_dst_addr' &&" +
                    "@.broTest.enrichment.fieldMap.hbaseEnrichment[0] == 'ip_src_addr' &&" +
                    "@.broTest.enrichment.fieldToTypeMap.ip_src_addr[0] == 'sample' &&" +
                    "@.broTest.enrichment.fieldMap.stellar.config.group1.foo == '1 + 1' &&" +
                    "@.broTest.enrichment.fieldMap.stellar.config.group1.bar == 'foo' &&" +
                    "@.broTest.enrichment.fieldMap.stellar.config.group2.ALL_CAPS == 'TO_UPPER(source.type)' &&" +
                    "@.broTest.threatIntel.fieldMap.hbaseThreatIntel[0] == 'ip_src_addr' &&" +
                    "@.broTest.threatIntel.fieldMap.hbaseThreatIntel[1] == 'ip_dst_addr' &&" +
                    "@.broTest.threatIntel.fieldToTypeMap.ip_src_addr[0] == 'malicious_ip' &&" +
                    "@.broTest.threatIntel.fieldToTypeMap.ip_dst_addr[0] == 'malicious_ip' &&" +
                    "@.broTest.threatIntel.triageConfig.riskLevelRules[0].rule == \"ip_src_addr == '10.122.196.204' or ip_dst_addr == '10.122.196.204'\" &&" +
                    "@.broTest.threatIntel.triageConfig.riskLevelRules[0].score == 10 &&" +
                    "@.broTest.threatIntel.triageConfig.aggregator == 'MAX'" +
                    ")]").exists());

    this.mockMvc.perform(delete(sensorEnrichmentConfigUrl + "/broTest").with(httpBasic(user,password)).with(csrf()))
            .andExpect(status().isOk());

    this.mockMvc.perform(get(sensorEnrichmentConfigUrl + "/broTest").with(httpBasic(user,password)))
            .andExpect(status().isNotFound());

    this.mockMvc.perform(delete(sensorEnrichmentConfigUrl + "/broTest").with(httpBasic(user,password)).with(csrf()))
            .andExpect(status().isNotFound());

    this.mockMvc.perform(get(sensorEnrichmentConfigUrl).with(httpBasic(user,password)))
            .andExpect(status().isOk())
            .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8")))
            .andExpect(jsonPath("$[?(@.sensorTopic == 'broTest')]").doesNotExist());

    this.mockMvc.perform(get(sensorEnrichmentConfigUrl + "/list/available/enrichments").with(httpBasic(user,password)))
            .andExpect(status().isOk())
            .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8")))
            .andExpect(jsonPath("$.length()").value("3"))
            .andExpect(jsonPath("$.*").value(IsCollectionContaining.hasItems("foo", "bar", "baz")));

    this.mockMvc.perform(get(sensorEnrichmentConfigUrl + "/list/available/threat/triage/aggregators").with(httpBasic(user,password)))
            .andExpect(status().isOk())
            .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8")))
            .andExpect(jsonPath("$[0]").value("MAX"))
            .andExpect(jsonPath("$[1]").value("MIN"))
            .andExpect(jsonPath("$[2]").value("SUM"))
            .andExpect(jsonPath("$[3]").value("MEAN"))
            .andExpect(jsonPath("$[4]").value("POSITIVE_MEAN"))
    ;

    sensorEnrichmentConfigService.delete("broTest");
  }
}