Google Git
Sign in
apache / metron / b9a130ca96774add38865d3934ed61ca19599b87 / . / metron-platform / metron-indexing / metron-indexing-common / src / test / java / org / apache / metron / indexing / dao / metaalert / MetaAlertIntegrationTest.java
blob: 5a18fc50b5dd0ab3000d703cd7ccf54fabedc6c0 [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.metron.indexing.dao.metaalert;
import static org.apache.metron.indexing.dao.metaalert.MetaAlertConstants.ALERT_FIELD;
import static org.apache.metron.indexing.dao.metaalert.MetaAlertConstants.METAALERT_FIELD;
import static org.apache.metron.indexing.dao.metaalert.MetaAlertConstants.METAALERT_TYPE;
import static org.apache.metron.indexing.dao.metaalert.MetaAlertConstants.STATUS_FIELD;
import static org.apache.metron.indexing.dao.metaalert.MetaAlertConstants.THREAT_FIELD_DEFAULT;
import com.google.common.base.Joiner;
import com.google.common.collect.Iterables;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.adrianwalker.multilinestring.Multiline;
import org.apache.metron.common.Constants;
import org.apache.metron.common.utils.JSONUtils;
import org.apache.metron.indexing.dao.search.GetRequest;
import org.apache.metron.indexing.dao.search.Group;
import org.apache.metron.indexing.dao.search.GroupRequest;
import org.apache.metron.indexing.dao.search.GroupResponse;
import org.apache.metron.indexing.dao.search.GroupResult;
import org.apache.metron.indexing.dao.search.InvalidSearchException;
import org.apache.metron.indexing.dao.search.SearchRequest;
import org.apache.metron.indexing.dao.search.SearchResponse;
import org.apache.metron.indexing.dao.search.SearchResult;
import org.apache.metron.indexing.dao.search.SortField;
import org.apache.metron.indexing.dao.search.SortOrder;
import org.apache.metron.indexing.dao.update.Document;
import org.apache.metron.indexing.dao.update.OriginalNotFoundException;
import org.apache.metron.indexing.dao.update.PatchRequest;
import org.apache.metron.integration.utils.TestUtils;
import org.json.simple.parser.ParseException;
import org.junit.Assert;
import org.junit.Test;
import static org.apache.metron.integration.utils.TestUtils.assertEventually;
public abstract class MetaAlertIntegrationTest {
private static final String META_INDEX_FLAG = "%META_INDEX%";
// To change back after testing
protected static int MAX_RETRIES = 10;
protected static final int SLEEP_MS = 500;
protected static final String SENSOR_NAME = "test";
protected static final String NEW_FIELD = "new-field";
protected static final String NAME_FIELD = "name";
protected static final String DATE_FORMAT = "yyyy.MM.dd.HH";
// Separate the raw indices from the query indices. ES for example, modifies the indices to
// have a separator
protected ArrayList<String> allIndices = new ArrayList<String>() {
{
add(getTestIndexName());
add(getMetaAlertIndex());
}
};
protected ArrayList<String> queryIndices = allIndices;
protected static MetaAlertDao metaDao;
/**
{
"guid": "meta_alert",
"index": "%META_INDEX%",
"patch": [
{
"op": "add",
"path": "/name",
"value": "New Meta Alert"
}
],
"sensorType": "metaalert"
}
*/
@Multiline
public static String namePatchRequest;
/**
{
"guid": "meta_alert",
"index": "%META_INDEX%",
"patch": [
{
"op": "add",
"path": "/name",
"value": "New Meta Alert"
},
{
"op": "add",
"path": "/metron_alert",
"value": []
}
],
"sensorType": "metaalert"
}
*/
@Multiline
public static String alertPatchRequest;
/**
{
"guid": "meta_alert",
"index": "%META_INDEX%",
"patch": [
{
"op": "add",
"path": "/status",
"value": "inactive"
},
{
"op": "add",
"path": "/name",
"value": "New Meta Alert"
}
],
"sensorType": "metaalert"
}
*/
@Multiline
public static String statusPatchRequest;
@Test
public void shouldGetAllMetaAlertsForAlert() throws Exception {
// Load alerts
List<Map<String, Object>> alerts = buildAlerts(3);
addRecords(alerts, getTestIndexFullName(), SENSOR_NAME);
// Load metaAlerts
List<Map<String, Object>> metaAlerts = buildMetaAlerts(12, MetaAlertStatus.ACTIVE,
Optional.of(Collections.singletonList(alerts.get(0))));
metaAlerts.add(buildMetaAlert("meta_active_12", MetaAlertStatus.ACTIVE,
Optional.of(Arrays.asList(alerts.get(0), alerts.get(2)))));
metaAlerts.add(buildMetaAlert("meta_inactive", MetaAlertStatus.INACTIVE,
Optional.of(Arrays.asList(alerts.get(0), alerts.get(2)))));
// We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
addRecords(metaAlerts, getMetaAlertIndex(), METAALERT_TYPE);
// Verify load was successful
List<GetRequest> createdDocs = metaAlerts.stream().map(metaAlert ->
new GetRequest((String) metaAlert.get(Constants.GUID), METAALERT_TYPE))
.collect(Collectors.toList());
createdDocs.addAll(alerts.stream().map(alert ->
new GetRequest((String) alert.get(Constants.GUID), SENSOR_NAME))
.collect(Collectors.toList()));
findCreatedDocs(createdDocs);
{
// Verify searches successfully return more than 10 results
SearchResponse searchResponse0 = metaDao.getAllMetaAlertsForAlert("message_0");
List<SearchResult> searchResults0 = searchResponse0.getResults();
Assert.assertEquals(13, searchResults0.size());
Set<Map<String, Object>> resultSet = new HashSet<>();
Iterables.addAll(resultSet, Iterables.transform(searchResults0, r -> r.getSource()));
StringBuffer reason = new StringBuffer("Unable to find " + metaAlerts.get(0) + "\n");
reason.append(Joiner.on("\n").join(resultSet));
Assert.assertTrue(reason.toString(), resultSet.contains(metaAlerts.get(0)));
// Verify no meta alerts are returned because message_1 was not added to any
SearchResponse searchResponse1 = metaDao.getAllMetaAlertsForAlert("message_1");
List<SearchResult> searchResults1 = searchResponse1.getResults();
Assert.assertEquals(0, searchResults1.size());
// Verify only the meta alert message_2 was added to is returned
SearchResponse searchResponse2 = metaDao.getAllMetaAlertsForAlert("message_2");
List<SearchResult> searchResults2 = searchResponse2.getResults();
Assert.assertEquals(1, searchResults2.size());
Assert.assertEquals(metaAlerts.get(12), searchResults2.get(0).getSource());
}
}
@Test
public void shouldSortByThreatTriageScore() throws Exception {
// Load alerts
List<Map<String, Object>> alerts = buildAlerts(2);
alerts.get(0).put(METAALERT_FIELD, "meta_active_0");
addRecords(alerts, getTestIndexFullName(), SENSOR_NAME);
// Load metaAlerts
List<Map<String, Object>> metaAlerts = buildMetaAlerts(1, MetaAlertStatus.ACTIVE,
Optional.of(Collections.singletonList(alerts.get(0))));
// We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
addRecords(metaAlerts, getMetaAlertIndex(), METAALERT_TYPE);
// Verify load was successful
List<GetRequest> createdDocs = metaAlerts.stream().map(metaAlert ->
new GetRequest((String) metaAlert.get(Constants.GUID), METAALERT_TYPE))
.collect(Collectors.toList());
createdDocs.addAll(alerts.stream().map(alert ->
new GetRequest((String) alert.get(Constants.GUID), SENSOR_NAME))
.collect(Collectors.toList()));
findCreatedDocs(createdDocs);
// Test descending
SortField sf = new SortField();
sf.setField(getThreatTriageField());
sf.setSortOrder(SortOrder.DESC.getSortOrder());
SearchRequest sr = new SearchRequest();
sr.setQuery("*:*");
sr.setSize(5);
sr.setIndices(Arrays.asList(getTestIndexName(), METAALERT_TYPE));
sr.setSort(Collections.singletonList(sf));
SearchResponse result = metaDao.search(sr);
List<SearchResult> results = result.getResults();
Assert.assertEquals(2, results.size());
Assert.assertEquals("meta_active_0", results.get((0)).getSource().get(Constants.GUID));
Assert.assertEquals("message_1", results.get((1)).getSource().get(Constants.GUID));
// Test ascending
SortField sfAsc = new SortField();
sfAsc.setField(getThreatTriageField());
sfAsc.setSortOrder(SortOrder.ASC.getSortOrder());
SearchRequest srAsc = new SearchRequest();
srAsc.setQuery("*:*");
srAsc.setSize(2);
srAsc.setIndices(Arrays.asList(getTestIndexName(), METAALERT_TYPE));
srAsc.setSort(Collections.singletonList(sfAsc));
result = metaDao.search(srAsc);
results = result.getResults();
Assert.assertEquals("message_1", results.get((0)).getSource().get(Constants.GUID));
Assert.assertEquals("meta_active_0", results.get((1)).getSource().get(Constants.GUID));
Assert.assertEquals(2, results.size());
}
@Test
public void getAllMetaAlertsForAlertShouldThrowExceptionForEmptyGuid() throws Exception {
try {
metaDao.getAllMetaAlertsForAlert("");
Assert.fail("An exception should be thrown for empty guid");
} catch (InvalidSearchException ise) {
Assert.assertEquals("Guid cannot be empty", ise.getMessage());
}
}
@Test
public void shouldCreateMetaAlert() throws Exception {
// Load alerts
List<Map<String, Object>> alerts = buildAlerts(3);
addRecords(alerts, getTestIndexFullName(), SENSOR_NAME);
// Verify load was successful
findCreatedDocs(Arrays.asList(
new GetRequest("message_0", SENSOR_NAME),
new GetRequest("message_1", SENSOR_NAME),
new GetRequest("message_2", SENSOR_NAME)));
{
MetaAlertCreateRequest metaAlertCreateRequest = new MetaAlertCreateRequest() {{
setAlerts(new ArrayList<GetRequest>() {{
add(new GetRequest("message_1", SENSOR_NAME));
add(new GetRequest("message_2", SENSOR_NAME, getTestIndexFullName()));
}});
setGroups(Collections.singletonList("group"));
}};
Document actualMetaAlert = metaDao
.createMetaAlert(metaAlertCreateRequest);
// Build expected metaAlert after alerts are added
Map<String, Object> expectedMetaAlert = new HashMap<>();
expectedMetaAlert.put(Constants.GUID, actualMetaAlert.getGuid());
expectedMetaAlert.put(getSourceTypeField(), METAALERT_TYPE);
expectedMetaAlert.put(STATUS_FIELD, MetaAlertStatus.ACTIVE.getStatusString());
// Verify the proper alerts were added
@SuppressWarnings("unchecked")
List<Map<String, Object>> metaAlertAlerts = new ArrayList<>();
// Alert 0 is already in the metaalert. Add alerts 1 and 2.
Map<String, Object> expectedAlert1 = alerts.get(1);
expectedAlert1.put(METAALERT_FIELD, Collections.singletonList(actualMetaAlert.getGuid()));
metaAlertAlerts.add(expectedAlert1);
Map<String, Object> expectedAlert2 = alerts.get(2);
expectedAlert2.put(METAALERT_FIELD, Collections.singletonList(actualMetaAlert.getGuid()));
metaAlertAlerts.add(expectedAlert2);
expectedMetaAlert.put(ALERT_FIELD, metaAlertAlerts);
// Verify the counts were properly updated
expectedMetaAlert.put("average", 1.5d);
expectedMetaAlert.put("min", 1.0d);
expectedMetaAlert.put("median", 1.5d);
expectedMetaAlert.put("max", 2.0d);
expectedMetaAlert.put("count", 2);
expectedMetaAlert.put("sum", 3.0d);
expectedMetaAlert.put(getThreatTriageField(), 3.0d);
{
// Verify metaAlert was created
assertEquals(expectedMetaAlert, actualMetaAlert.getDocument());
findCreatedDoc(actualMetaAlert.getGuid(), METAALERT_TYPE);
}
{
// Verify alert 0 was not updated with metaalert field
Document alert = metaDao.getLatest("message_0", SENSOR_NAME);
Assert.assertEquals(4, alert.getDocument().size());
Assert.assertNull(alert.getDocument().get(METAALERT_FIELD));
}
{
// Verify alert 1 was properly updated with metaalert field
Map<String, Object> expectedAlert = new HashMap<>(alerts.get(1));
expectedAlert
.put(METAALERT_FIELD, Collections.singletonList(actualMetaAlert.getGuid()));
findUpdatedDoc(expectedAlert, "message_1", SENSOR_NAME);
}
{
// Verify alert 2 was properly updated with metaalert field
Map<String, Object> expectedAlert = new HashMap<>(alerts.get(2));
expectedAlert
.put(METAALERT_FIELD, Collections.singletonList(actualMetaAlert.getGuid()));
findUpdatedDoc(expectedAlert, "message_2", SENSOR_NAME);
}
}
}
@Test
public void shouldAddAlertsToMetaAlert() throws Exception {
// Load alerts
List<Map<String, Object>> alerts = buildAlerts(4);
alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_alert"));
addRecords(alerts, getTestIndexFullName(), SENSOR_NAME);
// Load metaAlert
Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.ACTIVE,
Optional.of(Collections.singletonList(alerts.get(0))));
addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE);
// Verify load was successful
findCreatedDocs(Arrays.asList(
new GetRequest("message_0", SENSOR_NAME),
new GetRequest("message_1", SENSOR_NAME),
new GetRequest("message_2", SENSOR_NAME),
new GetRequest("message_3", SENSOR_NAME),
new GetRequest("meta_alert", METAALERT_TYPE)
));
// Build expected metaAlert after alerts are added
Map<String, Object> expectedMetaAlert = new HashMap<>(metaAlert);
// Verify the proper alerts were added
@SuppressWarnings("unchecked")
List<Map<String, Object>> metaAlertAlerts = new ArrayList<>(
(List<Map<String, Object>>) expectedMetaAlert.get(ALERT_FIELD));
// Alert 0 is already in the metaalert. Add alerts 1 and 2.
Map<String, Object> expectedAlert1 = alerts.get(1);
expectedAlert1.put(METAALERT_FIELD, Collections.singletonList("meta_alert"));
metaAlertAlerts.add(expectedAlert1);
Map<String, Object> expectedAlert2 = alerts.get(2);
expectedAlert2.put(METAALERT_FIELD, Collections.singletonList("meta_alert"));
metaAlertAlerts.add(expectedAlert2);
expectedMetaAlert.put(ALERT_FIELD, metaAlertAlerts);
// Verify the counts were properly updated
expectedMetaAlert.put("average", 1.0d);
expectedMetaAlert.put("min", 0.0d);
expectedMetaAlert.put("median", 1.0d);
expectedMetaAlert.put("max", 2.0d);
expectedMetaAlert.put("count", 3);
expectedMetaAlert.put("sum", 3.0d);
expectedMetaAlert.put(getThreatTriageField(), 3.0d);
{
// Verify alerts were successfully added to the meta alert
Document actualMetaAlert = metaDao.addAlertsToMetaAlert("meta_alert", Arrays
.asList(new GetRequest("message_1", SENSOR_NAME),
new GetRequest("message_2", SENSOR_NAME)));
assertEquals(expectedMetaAlert, actualMetaAlert.getDocument());
findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE);
}
{
// Verify False when alerts are already in a meta alert and no new alerts are added
Document actualMetaAlert = metaDao.addAlertsToMetaAlert("meta_alert", Arrays
.asList(new GetRequest("message_0", SENSOR_NAME),
new GetRequest("message_1", SENSOR_NAME)));
assertEquals(expectedMetaAlert, actualMetaAlert.getDocument());
findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE);
}
{
// Verify only 1 alert is added when a list of alerts only contains 1 alert that is not in the meta alert
metaAlertAlerts = (List<Map<String, Object>>) expectedMetaAlert.get(ALERT_FIELD);
Map<String, Object> expectedAlert3 = alerts.get(3);
expectedAlert3.put(METAALERT_FIELD, Collections.singletonList("meta_alert"));
metaAlertAlerts.add(expectedAlert3);
expectedMetaAlert.put(ALERT_FIELD, metaAlertAlerts);
expectedMetaAlert.put("average", 1.5d);
expectedMetaAlert.put("min", 0.0d);
expectedMetaAlert.put("median", 1.5d);
expectedMetaAlert.put("max", 3.0d);
expectedMetaAlert.put("count", 4);
expectedMetaAlert.put("sum", 6.0d);
expectedMetaAlert.put(getThreatTriageField(), 6.0d);
Document actualMetaAlert = metaDao.addAlertsToMetaAlert("meta_alert", Arrays
.asList(new GetRequest("message_2", SENSOR_NAME),
new GetRequest("message_3", SENSOR_NAME)));
assertEquals(expectedMetaAlert, actualMetaAlert.getDocument());
findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE);
}
}
@Test
@SuppressWarnings("unchecked")
public void shouldRemoveAlertsFromMetaAlert() throws Exception {
// Load alerts
List<Map<String, Object>> alerts = buildAlerts(4);
alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_alert"));
alerts.get(1).put(METAALERT_FIELD, Collections.singletonList("meta_alert"));
alerts.get(2).put(METAALERT_FIELD, Collections.singletonList("meta_alert"));
alerts.get(3).put(METAALERT_FIELD, Collections.singletonList("meta_alert"));
addRecords(alerts, getTestIndexFullName(), SENSOR_NAME);
// Load metaAlert
Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.ACTIVE,
Optional.of(Arrays.asList(alerts.get(0), alerts.get(1), alerts.get(2), alerts.get(3))));
addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE);
// Verify load was successful
findCreatedDocs(Arrays.asList(
new GetRequest("message_0", SENSOR_NAME),
new GetRequest("message_1", SENSOR_NAME),
new GetRequest("message_2", SENSOR_NAME),
new GetRequest("message_3", SENSOR_NAME),
new GetRequest("meta_alert", METAALERT_TYPE)));
// Build expected metaAlert after alerts are added
Map<String, Object> expectedMetaAlert = new HashMap<>(metaAlert);
// Verify the proper alerts were added
List<Map<String, Object>> metaAlertAlerts = new ArrayList<>(
(List<Map<String, Object>>) expectedMetaAlert.get(ALERT_FIELD));
metaAlertAlerts.remove(0);
metaAlertAlerts.remove(0);
expectedMetaAlert.put(ALERT_FIELD, metaAlertAlerts);
// Verify the counts were properly updated
expectedMetaAlert.put("average", 2.5d);
expectedMetaAlert.put("min", 2.0d);
expectedMetaAlert.put("median", 2.5d);
expectedMetaAlert.put("max", 3.0d);
expectedMetaAlert.put("count", 2);
expectedMetaAlert.put("sum", 5.0d);
expectedMetaAlert.put(getThreatTriageField(), 5.0d);
{
// Verify a list of alerts are removed from a meta alert
Document actualMetaAlert = metaDao.removeAlertsFromMetaAlert("meta_alert", Arrays
.asList(new GetRequest("message_0", SENSOR_NAME),
new GetRequest("message_1", SENSOR_NAME)));
assertEquals(expectedMetaAlert, actualMetaAlert.getDocument());
findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE);
}
{
// Verify False when alerts are not present in a meta alert and no alerts are removed
Document actualMetaAlert = metaDao.removeAlertsFromMetaAlert("meta_alert", Arrays
.asList(new GetRequest("message_0", SENSOR_NAME),
new GetRequest("message_1", SENSOR_NAME)));
assertEquals(expectedMetaAlert, actualMetaAlert.getDocument());
findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE);
}
{
// Verify only 1 alert is removed when a list of alerts only contains 1 alert that is in the meta alert
metaAlertAlerts = new ArrayList<>(
(List<Map<String, Object>>) expectedMetaAlert.get(ALERT_FIELD));
metaAlertAlerts.remove(0);
expectedMetaAlert.put(ALERT_FIELD, metaAlertAlerts);
expectedMetaAlert.put("average", 3.0d);
expectedMetaAlert.put("min", 3.0d);
expectedMetaAlert.put("median", 3.0d);
expectedMetaAlert.put("max", 3.0d);
expectedMetaAlert.put("count", 1);
expectedMetaAlert.put("sum", 3.0d);
expectedMetaAlert.put(getThreatTriageField(), 3.0d);
Document actualMetaAlert = metaDao.removeAlertsFromMetaAlert("meta_alert", Arrays
.asList(new GetRequest("message_0", SENSOR_NAME),
new GetRequest("message_2", SENSOR_NAME)));
assertEquals(expectedMetaAlert, actualMetaAlert.getDocument());
findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE);
}
{
// Verify all alerts are removed from a metaAlert
metaAlertAlerts = new ArrayList<>(
(List<Map<String, Object>>) expectedMetaAlert.get(ALERT_FIELD));
metaAlertAlerts.remove(0);
if (isEmptyMetaAlertList()) {
expectedMetaAlert.put(ALERT_FIELD, metaAlertAlerts);
} else {
expectedMetaAlert.remove(ALERT_FIELD);
}
expectedMetaAlert.put("average", 0.0d);
expectedMetaAlert.put("count", 0);
expectedMetaAlert.put("sum", 0.0d);
expectedMetaAlert.put(getThreatTriageField(), 0.0d);
// Handle the cases with non-finite Double values on a per store basis
if (isFiniteDoubleOnly()) {
expectedMetaAlert.put("min", String.valueOf(Double.POSITIVE_INFINITY));
expectedMetaAlert.put("median", String.valueOf(Double.NaN));
expectedMetaAlert.put("max", String.valueOf(Double.NEGATIVE_INFINITY));
} else {
expectedMetaAlert.put("min", Double.POSITIVE_INFINITY);
expectedMetaAlert.put("median", Double.NaN);
expectedMetaAlert.put("max", Double.NEGATIVE_INFINITY);
}
// Verify removing alerts cannot result in an empty meta alert
try {
metaDao.removeAlertsFromMetaAlert("meta_alert",
Collections.singletonList(new GetRequest("message_3", SENSOR_NAME)));
Assert.fail("Removing these alerts will result in an empty meta alert. Empty meta alerts are not allowed.");
} catch (IllegalStateException ise) {
Assert.assertEquals("Removing these alerts will result in an empty meta alert. Empty meta alerts are not allowed.",
ise.getMessage());
}
}
}
@Test
public void addRemoveAlertsShouldThrowExceptionForInactiveMetaAlert() throws Exception {
// Load alerts
List<Map<String, Object>> alerts = buildAlerts(2);
alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_alert"));
addRecords(alerts, getTestIndexFullName(), SENSOR_NAME);
// Load metaAlert
Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.INACTIVE,
Optional.of(Collections.singletonList(alerts.get(0))));
addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE);
// Verify load was successful
findCreatedDocs(Arrays.asList(
new GetRequest("message_0", SENSOR_NAME),
new GetRequest("message_1", SENSOR_NAME),
new GetRequest("meta_alert", METAALERT_TYPE)));
{
// Verify alerts cannot be added to an INACTIVE meta alert
try {
metaDao.addAlertsToMetaAlert("meta_alert",
Collections.singletonList(new GetRequest("message_1", SENSOR_NAME)));
Assert.fail("Adding alerts to an inactive meta alert should throw an exception");
} catch (IllegalStateException ise) {
Assert.assertEquals("Adding alerts to an INACTIVE meta alert is not allowed",
ise.getMessage());
}
}
{
// Verify alerts cannot be removed from an INACTIVE meta alert
try {
metaDao.removeAlertsFromMetaAlert("meta_alert",
Collections.singletonList(new GetRequest("message_0", SENSOR_NAME)));
Assert.fail("Removing alerts from an inactive meta alert should throw an exception");
} catch (IllegalStateException ise) {
Assert.assertEquals("Removing alerts from an INACTIVE meta alert is not allowed",
ise.getMessage());
}
}
}
@Test
public void shouldUpdateMetaAlertStatus() throws Exception {
int numChildAlerts = 25;
int numUnrelatedAlerts = 25;
int totalAlerts = numChildAlerts + numUnrelatedAlerts;
// Load alerts
List<Map<String, Object>> alerts = buildAlerts(totalAlerts);
List<Map<String, Object>> childAlerts = alerts.subList(0, numChildAlerts);
List<Map<String, Object>> unrelatedAlerts = alerts.subList(numChildAlerts, totalAlerts);
for (Map<String, Object> alert : childAlerts) {
alert.put(METAALERT_FIELD, Collections.singletonList("meta_alert"));
}
addRecords(alerts, getTestIndexFullName(), SENSOR_NAME);
// Load metaAlerts
Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.ACTIVE,
Optional.of(childAlerts));
// We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(),
METAALERT_TYPE);
List<GetRequest> requests = new ArrayList<>();
for (int i = 0; i < numChildAlerts; ++i) {
requests.add(new GetRequest("message_" + i, SENSOR_NAME));
}
requests.add(new GetRequest("meta_alert", METAALERT_TYPE));
// Verify load was successful
findCreatedDocs(requests);
{
// Verify status changed to inactive and child alerts are updated
Map<String, Object> expectedMetaAlert = new HashMap<>(metaAlert);
expectedMetaAlert.put(STATUS_FIELD, MetaAlertStatus.INACTIVE.getStatusString());
Document actualMetaAlert = metaDao.updateMetaAlertStatus("meta_alert", MetaAlertStatus.INACTIVE);
Assert.assertEquals(expectedMetaAlert, actualMetaAlert.getDocument());
findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE);
for (int i = 0; i < numChildAlerts; ++i) {
Map<String, Object> expectedAlert = new HashMap<>(childAlerts.get(i));
setEmptiedMetaAlertField(expectedAlert);
findUpdatedDoc(expectedAlert, "message_" + i, SENSOR_NAME);
}
// Ensure unrelated alerts are unaffected
for (int i = 0; i < numUnrelatedAlerts; ++i) {
Map<String, Object> expectedAlert = new HashMap<>(unrelatedAlerts.get(i));
// Make sure to handle the guid offset from creation
findUpdatedDoc(expectedAlert, "message_" + (i + numChildAlerts), SENSOR_NAME);
}
}
{
// Verify status changed to active and child alerts are updated
Map<String, Object> expectedMetaAlert = new HashMap<>(metaAlert);
expectedMetaAlert.put(STATUS_FIELD, MetaAlertStatus.ACTIVE.getStatusString());
Document actualMetaAlert = metaDao.updateMetaAlertStatus("meta_alert", MetaAlertStatus.ACTIVE);
Assert.assertEquals(expectedMetaAlert, actualMetaAlert.getDocument());
findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE);
for (int i = 0; i < numChildAlerts; ++i) {
Map<String, Object> expectedAlert = new HashMap<>(alerts.get(i));
expectedAlert.put("metaalerts", Collections.singletonList("meta_alert"));
findUpdatedDoc(expectedAlert, "message_" + i, SENSOR_NAME);
}
// Ensure unrelated alerts are unaffected
for (int i = 0; i < numUnrelatedAlerts; ++i) {
Map<String, Object> expectedAlert = new HashMap<>(unrelatedAlerts.get(i));
// Make sure to handle the guid offset from creation
findUpdatedDoc(expectedAlert, "message_" + (i + numChildAlerts), SENSOR_NAME);
}
}
{
{
// Verify status changed to current status has no effect
Map<String, Object> expectedMetaAlert = new HashMap<>(metaAlert);
expectedMetaAlert.put(STATUS_FIELD, MetaAlertStatus.ACTIVE.getStatusString());
Document actualMetaAlert = metaDao.updateMetaAlertStatus("meta_alert", MetaAlertStatus.ACTIVE);
Assert.assertEquals(expectedMetaAlert, actualMetaAlert.getDocument());
findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE);
for (int i = 0; i < numChildAlerts; ++i) {
Map<String, Object> expectedAlert = new HashMap<>(alerts.get(i));
expectedAlert.put("metaalerts", Collections.singletonList("meta_alert"));
findUpdatedDoc(expectedAlert, "message_" + i, SENSOR_NAME);
}
// Ensure unrelated alerts are unaffected
for (int i = 0; i < numUnrelatedAlerts; ++i) {
Map<String, Object> expectedAlert = new HashMap<>(unrelatedAlerts.get(i));
// Make sure to handle the guid offset from creation
findUpdatedDoc(expectedAlert, "message_" + (i + numChildAlerts), SENSOR_NAME);
}
}
}
}
@Test
public void shouldSearchByStatus() throws Exception {
// Load alert
List<Map<String, Object>> alerts = buildAlerts(1);
alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
alerts.get(0).put("ip_src_addr", "192.168.1.1");
alerts.get(0).put("ip_src_port", 8010);
// Load metaAlerts
Map<String, Object> activeMetaAlert = buildMetaAlert("meta_active", MetaAlertStatus.ACTIVE,
Optional.of(Collections.singletonList(alerts.get(0))));
Map<String, Object> inactiveMetaAlert = buildMetaAlert("meta_inactive",
MetaAlertStatus.INACTIVE,
Optional.empty());
// We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
addRecords(Arrays.asList(activeMetaAlert, inactiveMetaAlert), getMetaAlertIndex(),
METAALERT_TYPE);
// Verify load was successful
findCreatedDocs(Arrays.asList(
new GetRequest("meta_active", METAALERT_TYPE),
new GetRequest("meta_inactive", METAALERT_TYPE)));
SearchResponse searchResponse = metaDao.search(new SearchRequest() {
{
setQuery("*:*");
setIndices(Collections.singletonList(METAALERT_TYPE));
setFrom(0);
setSize(5);
setSort(Collections.singletonList(new SortField() {{
setField(Constants.GUID);
}}));
}
});
// Verify only active meta alerts are returned
Assert.assertEquals(1, searchResponse.getTotal());
Assert.assertEquals(MetaAlertStatus.ACTIVE.getStatusString(),
searchResponse.getResults().get(0).getSource().get(STATUS_FIELD));
}
@Test
public void shouldSortMetaAlertsByAlertStatus() throws Exception {
final String guid = "meta_alert";
setupTypings();
// should be able to sort meta-alert search results by 'alert_status'
SortField sortField = new SortField();
sortField.setField("alert_status");
sortField.setSortOrder("asc");
// when no meta-alerts exist, it should work
Assert.assertEquals(0, searchForSortedMetaAlerts(sortField).getTotal());
// when meta-alert just created, it should work
createMetaAlert(guid);
Assert.assertEquals(1, searchForSortedMetaAlerts(sortField).getTotal());
// when meta-alert 'esclated', it should work
escalateMetaAlert(guid);
Assert.assertEquals(1, searchForSortedMetaAlerts(sortField).getTotal());
}
private Map<String, Object> createMetaAlert(String guid) throws Exception {
// create and index 2 normal alerts
List<Map<String, Object>> alerts = buildAlerts(2);
alerts.get(0).put(METAALERT_FIELD, Collections.singletonList(guid));
alerts.get(1).put(METAALERT_FIELD, Collections.singletonList(guid));
addRecords(alerts, getTestIndexFullName(), SENSOR_NAME);
// create and index a meta-alert
Map<String, Object> metaAlert = buildMetaAlert(guid, MetaAlertStatus.ACTIVE, Optional.of(alerts));
addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE);
// ensure the test alerts were loaded
findCreatedDocs(Arrays.asList(
new GetRequest("message_0", SENSOR_NAME),
new GetRequest("message_1", SENSOR_NAME),
new GetRequest("meta_alert", METAALERT_TYPE)));
return metaAlert;
}
private void escalateMetaAlert(String guid) throws Exception {
// create the patch that 'escalates' the meta-alert
Map<String, Object> patch = new HashMap<>();
patch.put("op", "add");
patch.put("path", "/alert_status");
patch.put("value", "escalate");
// 'escalate' the meta-alert
PatchRequest patchRequest = new PatchRequest();
patchRequest.setGuid(guid);
patchRequest.setIndex(getMetaAlertIndex());
patchRequest.setSensorType(METAALERT_TYPE);
patchRequest.setPatch(Collections.singletonList(patch));
metaDao.patch(metaDao, patchRequest, Optional.of(System.currentTimeMillis()));
// ensure the alert status was changed to 'escalate'
assertEventually(() -> {
Document updated = metaDao.getLatest(guid, METAALERT_TYPE);
Assert.assertEquals("escalate", updated.getDocument().get("alert_status"));
});
}
private SearchResponse searchForSortedMetaAlerts(SortField sortBy) throws InvalidSearchException {
SearchRequest searchRequest = new SearchRequest();
searchRequest.setFrom(0);
searchRequest.setSize(10);
searchRequest.setIndices(Arrays.asList(getTestIndexName(), METAALERT_TYPE));
searchRequest.setQuery("*:*");
searchRequest.setSort(Collections.singletonList(sortBy));
return metaDao.search(searchRequest);
}
@Test
public void shouldHidesAlertsOnGroup() throws Exception {
// Load alerts
List<Map<String, Object>> alerts = buildAlerts(2);
alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
alerts.get(0).put("ip_src_addr", "192.168.1.1");
alerts.get(0).put("score", 1);
alerts.get(1).put("ip_src_addr", "192.168.1.1");
alerts.get(1).put("score", 10);
addRecords(alerts, getTestIndexFullName(), SENSOR_NAME);
// Put the nested type into the test index, so that it'll match appropriately
setupTypings();
// Don't need any meta alerts to actually exist, since we've populated the field on the alerts.
// Verify load was successful
findCreatedDocs(Arrays.asList(
new GetRequest("message_0", SENSOR_NAME),
new GetRequest("message_1", SENSOR_NAME)));
// Build our group request
Group searchGroup = new Group();
searchGroup.setField("ip_src_addr");
List<Group> groupList = new ArrayList<>();
groupList.add(searchGroup);
GroupResponse groupResponse = metaDao.group(new GroupRequest() {
{
setQuery("ip_src_addr:192.168.1.1");
setIndices(queryIndices);
setScoreField("score");
setGroups(groupList);
}
});
// Should only return the standalone alert in the group
GroupResult result = groupResponse.getGroupResults().get(0);
Assert.assertEquals(1, result.getTotal());
Assert.assertEquals("192.168.1.1", result.getKey());
// No delta, since no ops happen
Assert.assertEquals(10.0d, result.getScore(), 0.0d);
}
// This test is important enough that everyone should implement it, but is pretty specific to
// implementation
@Test
public abstract void shouldSearchByNestedAlert() throws Exception;
/**
* If a meta-alert is active, any updates to alerts associated with a meta-alert
* should be reflected in both the original alert and the copy contained within
* the meta-alert.
*/
@Test
public void shouldUpdateMetaAlertOnAlertUpdate() throws Exception {
final String expectedFieldValue = "metron";
{
// create 2 'regular' alerts that will be associated with meta-alerts
List<Map<String, Object>> alerts = buildAlerts(2);
alerts.get(0).put(METAALERT_FIELD, Arrays.asList("meta_active", "meta_inactive"));
addRecords(alerts, getTestIndexFullName(), SENSOR_NAME);
// the active meta-alert should be updated when an associated alert is updated
Map<String, Object> activeMetaAlert = buildMetaAlert("meta_active", MetaAlertStatus.ACTIVE,
Optional.of(Collections.singletonList(alerts.get(0))));
// the inactive meta-alert should NOT be updated when an associated alert is updated
Map<String, Object> inactiveMetaAlert = buildMetaAlert("meta_inactive", MetaAlertStatus.INACTIVE,
Optional.of(Collections.singletonList(alerts.get(0))));
// We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
addRecords(Arrays.asList(activeMetaAlert, inactiveMetaAlert), getMetaAlertIndex(), METAALERT_TYPE);
// Verify load was successful
findCreatedDocs(Arrays.asList(
new GetRequest("message_0", SENSOR_NAME),
new GetRequest("message_1", SENSOR_NAME),
new GetRequest("meta_active", METAALERT_TYPE),
new GetRequest("meta_inactive", METAALERT_TYPE)));
}
{
// modify the 'normal' alert by adding a field
Document message0 = metaDao.getLatest("message_0", SENSOR_NAME);
message0.getDocument().put(NEW_FIELD, expectedFieldValue);
message0.getDocument().put(THREAT_FIELD_DEFAULT, 10.0d);
metaDao.update(message0, Optional.of(getTestIndexFullName()));
}
// ensure the original 'normal' alert was itself updated
assertEventually(() -> {
Document message0 = metaDao.getLatest("message_0", SENSOR_NAME);
Assert.assertNotNull(message0);
Assert.assertEquals(expectedFieldValue, message0.getDocument().get(NEW_FIELD));
});
// the 'active' meta-alert, which contains a copy of the updated alert should also be updated
assertEventually(() -> {
Document active = metaDao.getLatest("meta_active", METAALERT_TYPE);
Object value = active.getDocument().get(ALERT_FIELD);
List<Map<String, Object>> children = List.class.cast(value);
Assert.assertNotNull(children);
Assert.assertEquals(1, children.size());
Assert.assertEquals(expectedFieldValue, children.get(0).get(NEW_FIELD));
});
// the 'inactive' meta-alert, which contains a copy of the updated alert should NOT be updated
assertEventually(() -> {
Document inactive = metaDao.getLatest("meta_inactive", METAALERT_TYPE);
Object value = inactive.getDocument().get(ALERT_FIELD);
List<Map<String, Object>> children = List.class.cast(value);
Assert.assertNotNull(children);
Assert.assertEquals(1, children.size());
Assert.assertFalse(children.get(0).containsKey(NEW_FIELD));
});
}
@Test
public void shouldThrowExceptionOnMetaAlertUpdate() throws Exception {
Document metaAlert = new Document(new HashMap<>(), "meta_alert", METAALERT_TYPE, 0L);
try {
// Verify a meta alert cannot be updated in the meta alert dao
metaDao.update(metaAlert, Optional.empty());
Assert.fail("Direct meta alert update should throw an exception");
} catch (UnsupportedOperationException uoe) {
Assert.assertEquals("Meta alerts cannot be directly updated", uoe.getMessage());
}
}
@Test
public void shouldPatchMetaAlertFields() throws Exception {
// Load alerts
List<Map<String, Object>> alerts = buildAlerts(2);
alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
alerts.get(1).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
addRecords(alerts, getTestIndexFullName(), SENSOR_NAME);
// Put the nested type into the test index, so that it'll match appropriately
setupTypings();
// Load metaAlerts
Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.ACTIVE,
Optional.of(Arrays.asList(alerts.get(0), alerts.get(1))));
// We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE);
// ensure the test data was loaded
findCreatedDocs(Arrays.asList(
new GetRequest("message_0", SENSOR_NAME),
new GetRequest("message_1", SENSOR_NAME),
new GetRequest("meta_alert", METAALERT_TYPE)));
// patch the name field
String namePatch = namePatchRequest.replace(META_INDEX_FLAG, getMetaAlertIndex());
PatchRequest patchRequest = JSONUtils.INSTANCE.load(namePatch, PatchRequest.class);
metaDao.patch(metaDao, patchRequest, Optional.of(System.currentTimeMillis()));
// ensure the alert was patched
assertEventually(() -> {
Document updated = metaDao.getLatest("meta_alert", METAALERT_TYPE);
Assert.assertEquals("New Meta Alert", updated.getDocument().get(NAME_FIELD));
});
}
@Test
public void shouldThrowExceptionIfPatchAlertField() throws Exception {
setupTypings();
// add 2 alerts to an active meta-alert
List<Map<String, Object>> alerts = buildAlerts(2);
alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
alerts.get(1).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
addRecords(alerts, getTestIndexFullName(), SENSOR_NAME);
// create an active meta-alert
Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.ACTIVE,
Optional.of(Arrays.asList(alerts.get(0), alerts.get(1))));
addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE);
// ensure the test data was loaded
findCreatedDocs(Arrays.asList(
new GetRequest("message_0", SENSOR_NAME),
new GetRequest("message_1", SENSOR_NAME),
new GetRequest("meta_alert", METAALERT_TYPE)));
// attempt to patch the alert field
try {
String alertPatch = alertPatchRequest.replace(META_INDEX_FLAG, getMetaAlertIndex());
PatchRequest patchRequest = JSONUtils.INSTANCE.load(alertPatch, PatchRequest.class);
metaDao.patch(metaDao, patchRequest, Optional.of(System.currentTimeMillis()));
Assert.fail("A patch on the alert field should throw an exception");
} catch (IllegalArgumentException iae) {
Assert.assertEquals("Meta alert patches are not allowed for /alert or /status paths. "
+ "Please use the add/remove alert or update status functions instead.",
iae.getMessage());
}
// ensure the alert field was NOT changed
assertEventually(() -> {
Document updated = metaDao.getLatest("meta_alert", METAALERT_TYPE);
Assert.assertEquals(metaAlert.get(ALERT_FIELD), updated.getDocument().get(ALERT_FIELD));
});
}
@Test
public void shouldThrowExceptionIfPatchStatusField() throws Exception {
setupTypings();
// add 2 alerts to an active meta-alert
List<Map<String, Object>> alerts = buildAlerts(2);
alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
alerts.get(1).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
addRecords(alerts, getTestIndexFullName(), SENSOR_NAME);
// create an active meta-alert
Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.ACTIVE,
Optional.of(Arrays.asList(alerts.get(0), alerts.get(1))));
addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE);
// ensure the test data was loaded
findCreatedDocs(Arrays.asList(
new GetRequest("message_0", SENSOR_NAME),
new GetRequest("message_1", SENSOR_NAME),
new GetRequest("meta_alert", METAALERT_TYPE)));
// Verify a patch to a status field should throw an exception
try {
String statusPatch = statusPatchRequest.replace(META_INDEX_FLAG, getMetaAlertIndex());
PatchRequest patchRequest = JSONUtils.INSTANCE.load(statusPatch, PatchRequest.class);
metaDao.patch(metaDao, patchRequest, Optional.of(System.currentTimeMillis()));
Assert.fail("A patch on the status field should throw an exception");
} catch (IllegalArgumentException iae) {
Assert.assertEquals("Meta alert patches are not allowed for /alert or /status paths. "
+ "Please use the add/remove alert or update status functions instead.",
iae.getMessage());
}
// ensure the status field was NOT changed
assertEventually(() -> {
Document updated = metaDao.getLatest("meta_alert", METAALERT_TYPE);
Assert.assertEquals(metaAlert.get(STATUS_FIELD), updated.getDocument().get(STATUS_FIELD));
});
}
protected void findUpdatedDoc(Map<String, Object> message0, String guid, String sensorType)
throws InterruptedException, IOException, OriginalNotFoundException {
commit();
for (int t = 0; t < MAX_RETRIES; ++t, Thread.sleep(SLEEP_MS)) {
Document doc = metaDao.getLatest(guid, sensorType);
// Change the underlying document alerts lists to sets to avoid ordering issues.
convertAlertsFieldToSet(doc.getDocument());
convertAlertsFieldToSet(message0);
if (doc.getDocument() != null && message0.equals(doc.getDocument())) {
convertAlertsFieldToList(doc.getDocument());
convertAlertsFieldToList(message0);
return;
}
}
throw new OriginalNotFoundException(
"Count not find " + guid + " after " + MAX_RETRIES + " tries");
}
protected void convertAlertsFieldToSet(Map<String, Object> document) {
if (document.get(ALERT_FIELD) instanceof List) {
@SuppressWarnings("unchecked")
List<Map<String, Object>> message0AlertField = (List<Map<String, Object>>) document
.get(ALERT_FIELD);
Set<Map<String, Object>> message0AlertSet = new HashSet<>(message0AlertField);
document.put(ALERT_FIELD, message0AlertSet);
}
}
protected void convertAlertsFieldToList(Map<String, Object> document) {
if (document.get(ALERT_FIELD) instanceof Set) {
@SuppressWarnings("unchecked")
Set<Map<String, Object>> message0AlertField = (Set<Map<String, Object>>) document
.get(ALERT_FIELD);
List<Map<String, Object>> message0AlertList = new ArrayList<>(message0AlertField);
message0AlertList.sort(Comparator.comparing(o -> ((String) o.get(Constants.GUID))));
document.put(ALERT_FIELD, message0AlertList);
}
}
protected boolean findCreatedDoc(String guid, String sensorType)
throws InterruptedException, IOException, OriginalNotFoundException {
for (int t = 0; t < MAX_RETRIES; ++t, Thread.sleep(SLEEP_MS)) {
Document doc = metaDao.getLatest(guid, sensorType);
if (doc != null) {
return true;
}
}
throw new OriginalNotFoundException(
"Count not find " + guid + " after " + MAX_RETRIES + "tries");
}
protected boolean findCreatedDocs(List<GetRequest> getRequests)
throws InterruptedException, IOException, OriginalNotFoundException {
for (int t = 0; t < MAX_RETRIES; ++t, Thread.sleep(SLEEP_MS)) {
Iterable<Document> docs = metaDao.getAllLatest(getRequests);
if (docs != null) {
int docCount = 0;
for (Document doc : docs) {
docCount++;
}
if (getRequests.size() == docCount) {
return true;
}
}
}
throw new OriginalNotFoundException("Count not find guids after " + MAX_RETRIES + "tries");
}
@SuppressWarnings("unchecked")
protected void assertEquals(Map<String, Object> expected, Map<String, Object> actual) {
Assert.assertEquals(expected.get(Constants.GUID), actual.get(Constants.GUID));
Assert.assertEquals(expected.get(getSourceTypeField()), actual.get(getSourceTypeField()));
Double actualThreatTriageField = actual.get(getThreatTriageField()) instanceof Float ?
((Float) actual.get(getThreatTriageField())).doubleValue() : (Double) actual.get(getThreatTriageField());
Assert.assertEquals(expected.get(getThreatTriageField()), actualThreatTriageField);
List<Map<String, Object>> expectedAlerts = (List<Map<String, Object>>) expected.get(ALERT_FIELD);
List<Map<String, Object>> actualAlerts = (List<Map<String, Object>>) actual.get(ALERT_FIELD);
expectedAlerts.sort(Comparator.comparing(o -> ((String) o.get(Constants.GUID))));
actualAlerts.sort(Comparator.comparing(o -> ((String) o.get(Constants.GUID))));
Assert.assertEquals(expectedAlerts, actualAlerts);
Assert.assertEquals(expected.get(STATUS_FIELD), actual.get(STATUS_FIELD));
Assert.assertEquals(expected.get("average"), actual.get("average"));
Assert.assertEquals(expected.get("min"), actual.get("min"));
Assert.assertEquals(expected.get("median"), actual.get("median"));
Assert.assertEquals(expected.get("max"), actual.get("max"));
Integer actualCountField = actual.get("count") instanceof Long ? ((Long) actual.get("count")).intValue() :
(Integer) actual.get("count");
Assert.assertEquals(expected.get("count"), actualCountField);
Assert.assertEquals(expected.get("sum"), actual.get("sum"));
}
protected List<Map<String, Object>> buildAlerts(int count) {
List<Map<String, Object>> inputData = new ArrayList<>();
for (int i = 0; i < count; ++i) {
final String guid = "message_" + i;
Map<String, Object> alerts = new HashMap<>();
alerts.put(Constants.GUID, guid);
alerts.put(getSourceTypeField(), SENSOR_NAME);
alerts.put(THREAT_FIELD_DEFAULT, (double) i);
alerts.put("timestamp", System.currentTimeMillis());
inputData.add(alerts);
}
return inputData;
}
protected List<Map<String, Object>> buildMetaAlerts(int count, MetaAlertStatus status,
Optional<List<Map<String, Object>>> alerts) {
List<Map<String, Object>> inputData = new ArrayList<>();
for (int i = 0; i < count; ++i) {
final String guid = "meta_" + status.getStatusString() + "_" + i;
inputData.add(buildMetaAlert(guid, status, alerts));
}
return inputData;
}
protected Map<String, Object> buildMetaAlert(String guid, MetaAlertStatus status,
Optional<List<Map<String, Object>>> alerts) {
Map<String, Object> metaAlert = new HashMap<>();
metaAlert.put(Constants.GUID, guid);
metaAlert.put(getSourceTypeField(), METAALERT_TYPE);
metaAlert.put(STATUS_FIELD, status.getStatusString());
metaAlert.put(getThreatTriageField(), 100.0d);
if (alerts.isPresent()) {
List<Map<String, Object>> alertsList = alerts.get();
metaAlert.put(ALERT_FIELD, alertsList);
}
return metaAlert;
}
protected abstract long getMatchingAlertCount(String fieldName, Object fieldValue)
throws IOException, InterruptedException;
protected abstract void addRecords(List<Map<String, Object>> inputData, String index,
String docType) throws IOException, ParseException;
protected abstract long getMatchingMetaAlertCount(String fieldName, String fieldValue)
throws IOException, InterruptedException;
protected abstract void setupTypings() throws IOException;
// Get the base index name without any adjustments (e.g. without ES's "_index")
protected abstract String getTestIndexName();
// Get the full name of the test index. E.g. Elasticsearch appends "_index"
protected String getTestIndexFullName() {
return getTestIndexName();
}
protected abstract String getMetaAlertIndex();
protected abstract String getSourceTypeField();
protected String getThreatTriageField() {
return THREAT_FIELD_DEFAULT;
}
// Allow for impls to do any commit they need to do.
protected void commit() throws IOException {
}
// Different stores can have different representations of empty metaalerts field.
// E.g. Solr expects the field to not be present, ES expects it to be empty.
protected abstract void setEmptiedMetaAlertField(Map<String, Object> docMap);
// Different stores may choose to store non finite double values as Strings.
// E.g. NaN may be a string, not a double value.
protected abstract boolean isFiniteDoubleOnly();
// Different stores may choose to return empty alerts lists differently.
// E.g. It may be missing completely, or may be an empty list
protected abstract boolean isEmptyMetaAlertList();
}