github.com/crowdsecurity/crowdsec@v1.6.1/pkg/parser/whitelist_test.go (about) 1 package parser 2 3 import ( 4 "testing" 5 6 log "github.com/sirupsen/logrus" 7 "github.com/stretchr/testify/require" 8 9 "github.com/crowdsecurity/go-cs-lib/cstest" 10 11 "github.com/crowdsecurity/crowdsec/pkg/models" 12 "github.com/crowdsecurity/crowdsec/pkg/types" 13 ) 14 15 func TestWhitelistCompile(t *testing.T) { 16 node := &Node{ 17 Logger: log.NewEntry(log.New()), 18 } 19 tests := []struct { 20 name string 21 whitelist Whitelist 22 expectedErr string 23 }{ 24 { 25 name: "Valid CIDR whitelist", 26 whitelist: Whitelist{ 27 Reason: "test", 28 Cidrs: []string{ 29 "127.0.0.1/24", 30 }, 31 }, 32 }, 33 { 34 name: "Invalid CIDR whitelist", 35 whitelist: Whitelist{ 36 Reason: "test", 37 Cidrs: []string{ 38 "127.0.0.1/1000", 39 }, 40 }, 41 expectedErr: "invalid CIDR address", 42 }, 43 { 44 name: "Valid EXPR whitelist", 45 whitelist: Whitelist{ 46 Reason: "test", 47 Exprs: []string{ 48 "1==1", 49 }, 50 }, 51 }, 52 { 53 name: "Invalid EXPR whitelist", 54 whitelist: Whitelist{ 55 Reason: "test", 56 Exprs: []string{ 57 "evt.THISPROPERTYSHOULDERROR == true", 58 }, 59 }, 60 expectedErr: "types.Event has no field", 61 }, 62 } 63 64 for _, tt := range tests { 65 tt := tt 66 t.Run(tt.name, func(t *testing.T) { 67 node.Whitelist = tt.whitelist 68 _, err := node.CompileWLs() 69 cstest.RequireErrorContains(t, err, tt.expectedErr) 70 }) 71 } 72 } 73 74 func TestWhitelistCheck(t *testing.T) { 75 node := &Node{ 76 Logger: log.NewEntry(log.New()), 77 } 78 tests := []struct { 79 name string 80 whitelist Whitelist 81 event *types.Event 82 expected bool 83 }{ 84 { 85 name: "IP Whitelisted", 86 whitelist: Whitelist{ 87 Reason: "test", 88 Ips: []string{ 89 "127.0.0.1", 90 }, 91 }, 92 event: &types.Event{ 93 Meta: map[string]string{ 94 "source_ip": "127.0.0.1", 95 }, 96 }, 97 expected: true, 98 }, 99 { 100 name: "IP Not Whitelisted", 101 whitelist: Whitelist{ 102 Reason: "test", 103 Ips: []string{ 104 "127.0.0.1", 105 }, 106 }, 107 event: &types.Event{ 108 Meta: map[string]string{ 109 "source_ip": "127.0.0.2", 110 }, 111 }, 112 }, 113 { 114 name: "CIDR Whitelisted", 115 whitelist: Whitelist{ 116 Reason: "test", 117 Cidrs: []string{ 118 "127.0.0.1/32", 119 }, 120 }, 121 event: &types.Event{ 122 Meta: map[string]string{ 123 "source_ip": "127.0.0.1", 124 }, 125 }, 126 expected: true, 127 }, 128 { 129 name: "CIDR Not Whitelisted", 130 whitelist: Whitelist{ 131 Reason: "test", 132 Cidrs: []string{ 133 "127.0.0.1/32", 134 }, 135 }, 136 event: &types.Event{ 137 Meta: map[string]string{ 138 "source_ip": "127.0.0.2", 139 }, 140 }, 141 }, 142 { 143 name: "EXPR Whitelisted", 144 whitelist: Whitelist{ 145 Reason: "test", 146 Exprs: []string{ 147 "evt.Meta.source_ip == '127.0.0.1'", 148 }, 149 }, 150 event: &types.Event{ 151 Meta: map[string]string{ 152 "source_ip": "127.0.0.1", 153 }, 154 }, 155 expected: true, 156 }, 157 { 158 name: "EXPR Not Whitelisted", 159 whitelist: Whitelist{ 160 Reason: "test", 161 Exprs: []string{ 162 "evt.Meta.source_ip == '127.0.0.1'", 163 }, 164 }, 165 event: &types.Event{ 166 Meta: map[string]string{ 167 "source_ip": "127.0.0.2", 168 }, 169 }, 170 }, 171 { 172 name: "Postoverflow IP Whitelisted", 173 whitelist: Whitelist{ 174 Reason: "test", 175 Ips: []string{ 176 "192.168.1.1", 177 }, 178 }, 179 event: &types.Event{ 180 Type: types.OVFLW, 181 Overflow: types.RuntimeAlert{ 182 Sources: map[string]models.Source{ 183 "192.168.1.1": {}, 184 }, 185 }, 186 }, 187 expected: true, 188 }, 189 { 190 name: "Postoverflow IP Not Whitelisted", 191 whitelist: Whitelist{ 192 Reason: "test", 193 Ips: []string{ 194 "192.168.1.2", 195 }, 196 }, 197 event: &types.Event{ 198 Type: types.OVFLW, 199 Overflow: types.RuntimeAlert{ 200 Sources: map[string]models.Source{ 201 "192.168.1.1": {}, 202 }, 203 }, 204 }, 205 }, 206 { 207 name: "Postoverflow CIDR Whitelisted", 208 whitelist: Whitelist{ 209 Reason: "test", 210 Cidrs: []string{ 211 "192.168.1.1/32", 212 }, 213 }, 214 event: &types.Event{ 215 Type: types.OVFLW, 216 Overflow: types.RuntimeAlert{ 217 Sources: map[string]models.Source{ 218 "192.168.1.1": {}, 219 }, 220 }, 221 }, 222 expected: true, 223 }, 224 { 225 name: "Postoverflow CIDR Not Whitelisted", 226 whitelist: Whitelist{ 227 Reason: "test", 228 Cidrs: []string{ 229 "192.168.1.2/32", 230 }, 231 }, 232 event: &types.Event{ 233 Type: types.OVFLW, 234 Overflow: types.RuntimeAlert{ 235 Sources: map[string]models.Source{ 236 "192.168.1.1": {}, 237 }, 238 }, 239 }, 240 }, 241 { 242 name: "Postoverflow EXPR Whitelisted", 243 whitelist: Whitelist{ 244 Reason: "test", 245 Exprs: []string{ 246 "evt.Overflow.APIAlerts[0].Source.Cn == 'test'", 247 }, 248 }, 249 event: &types.Event{ 250 Type: types.OVFLW, 251 Overflow: types.RuntimeAlert{ 252 APIAlerts: []models.Alert{ 253 { 254 Source: &models.Source{ 255 Cn: "test", 256 }, 257 }, 258 }, 259 }, 260 }, 261 expected: true, 262 }, 263 { 264 name: "Postoverflow EXPR Not Whitelisted", 265 whitelist: Whitelist{ 266 Reason: "test", 267 Exprs: []string{ 268 "evt.Overflow.APIAlerts[0].Source.Cn == 'test2'", 269 }, 270 }, 271 event: &types.Event{ 272 Type: types.OVFLW, 273 Overflow: types.RuntimeAlert{ 274 APIAlerts: []models.Alert{ 275 { 276 Source: &models.Source{ 277 Cn: "test", 278 }, 279 }, 280 }, 281 }, 282 }, 283 }, 284 } 285 286 for _, tt := range tests { 287 tt := tt 288 t.Run(tt.name, func(t *testing.T) { 289 var err error 290 node.Whitelist = tt.whitelist 291 node.CompileWLs() 292 isWhitelisted := node.CheckIPsWL(tt.event) 293 if !isWhitelisted { 294 isWhitelisted, err = node.CheckExprWL(map[string]interface{}{"evt": tt.event}, tt.event) 295 } 296 require.NoError(t, err) 297 require.Equal(t, tt.expected, isWhitelisted) 298 }) 299 } 300 }