From 8c1d69a2aab2bbff13bc023fd45d2631392c5b89 Mon Sep 17 00:00:00 2001 From: Atte Niemi Date: Fri, 18 Oct 2024 10:59:27 +0100 Subject: [PATCH 1/5] Fixes handling of Custom IOA Rule Group Versioning --- caracara/modules/custom_ioa/custom_ioa.py | 37 ++++++++++++----------- caracara/modules/custom_ioa/rules.py | 2 +- tests/unit_tests/test_custom_ioas.py | 17 ++++++----- 3 files changed, 30 insertions(+), 26 deletions(-) diff --git a/caracara/modules/custom_ioa/custom_ioa.py b/caracara/modules/custom_ioa/custom_ioa.py index 6e59240..0ce37ba 100644 --- a/caracara/modules/custom_ioa/custom_ioa.py +++ b/caracara/modules/custom_ioa/custom_ioa.py @@ -96,7 +96,7 @@ def create_rule_group( rule.group = new_group # Update the rules - new_group = self._create_update_delete_rules(new_group, comment=comment) + new_group = self._update_create_delete_rules(new_group, comment=comment) return new_group @@ -138,7 +138,7 @@ def update_rule_group( new_group.rules_to_delete = group.rules_to_delete # Update the rules - new_group = self._create_update_delete_rules(new_group, comment=comment) + new_group = self._update_create_delete_rules(new_group, comment=comment) return new_group @@ -167,7 +167,7 @@ def delete_rule_groups( ids_to_delete.append(rule_group) instr(self.custom_ioa_api.delete_rule_groups)(ids=ids_to_delete, comment=comment) - def _create_update_delete_rules(self, group: IoaRuleGroup, comment: str) -> IoaRuleGroup: + def _update_create_delete_rules(self, group: IoaRuleGroup, comment: str) -> IoaRuleGroup: existing_rules = [] to_be_created = [] for rule in group.rules: @@ -176,25 +176,13 @@ def _create_update_delete_rules(self, group: IoaRuleGroup, comment: str) -> IoaR else: to_be_created.append(rule) - # Create the new rules - new_rules = [] - for rule in to_be_created: - resp = instr(self.custom_ioa_api.create_rule)(body=rule.dump_create(comment=comment)) - raw_rule = resp["body"]["resources"][0] - new_rule = CustomIoaRule.from_data_dict( - raw_rule, - rule_type=self._get_rule_types_cached()[raw_rule["ruletype_id"]], - ) - new_rule.rulegroup_id = group.id_ - new_rules.append(new_rule) - # Update the existing rules, if there are any if len(existing_rules) > 0: response = instr(self.custom_ioa_api.update_rules)( body={ "comment": comment, "rule_updates": [rule.dump_update() for rule in existing_rules], - "rulegroup_version": group.version + 1, + "rulegroup_version": group.version, "rulegroup_id": group.id_, } ) @@ -204,9 +192,22 @@ def _create_update_delete_rules(self, group: IoaRuleGroup, comment: str) -> IoaR rule_types = self._get_rule_types_cached() new_group = IoaRuleGroup.from_data_dict(data_dict=raw_group, rule_type_map=rule_types) else: - group.rules = new_rules new_group = group + # Create the new rules + new_rules = [] + for rule in to_be_created: + resp = instr(self.custom_ioa_api.create_rule)(body=rule.dump_create(comment=comment)) + raw_rule = resp["body"]["resources"][0] + new_rule = CustomIoaRule.from_data_dict( + raw_rule, + rule_type=self._get_rule_types_cached()[raw_rule["ruletype_id"]], + ) + new_rule.rulegroup_id = group.id_ + new_rules.append(new_rule) + + new_group.rules.extend(new_rules) + # Delete rules queued for deletion, if any if len(group.rules_to_delete) > 0: ids_to_delete = [rule.instance_id for rule in group.rules_to_delete] @@ -215,6 +216,8 @@ def _create_update_delete_rules(self, group: IoaRuleGroup, comment: str) -> IoaR ) # If successful (i.e. no exceptions raised), clear the deletion queue group.rules_to_delete = [] + + new_group.version += len(new_group.rules) + bool(group.rules_to_delete) return new_group @filter_string diff --git a/caracara/modules/custom_ioa/rules.py b/caracara/modules/custom_ioa/rules.py index 5314e48..881636a 100644 --- a/caracara/modules/custom_ioa/rules.py +++ b/caracara/modules/custom_ioa/rules.py @@ -262,7 +262,7 @@ def dump_rules_update(self, comment: str) -> dict: return { "comment": comment, "rule_updates": [rule.dump_update(group=self) for rule in self.rules], - "rulegroup_version": self.version + 1, + "rulegroup_version": self.version, "rulegroup_id": self.id_, } diff --git a/tests/unit_tests/test_custom_ioas.py b/tests/unit_tests/test_custom_ioas.py index 647496c..1921c5c 100644 --- a/tests/unit_tests/test_custom_ioas.py +++ b/tests/unit_tests/test_custom_ioas.py @@ -575,13 +575,14 @@ def mock_update_rule_group(body): raw_group["description"] = body["description"] raw_group["enabled"] = body["enabled"] raw_group["comment"] = body["comment"] + raw_group["version"] += 1 return {"body": {"resources": [raw_group]}} custom_ioa_api.update_rule_group.side_effect = mock_update_rule_group def mock_update_rules(body): assert body["rulegroup_id"] == raw_group["id"] - assert body["rulegroup_version"] == raw_group["version"] + 1 + assert body["rulegroup_version"] == raw_group["version"] raw_group["version"] = body["rulegroup_version"] for raw_rule_update in body["rule_updates"]: matching_rules = [ @@ -647,8 +648,8 @@ def mock_create_rule(body): # Assert falconpy called correctly # This consists of # - A rule group update - # - A rule deletion # - A rule update + # - A rule deletion # - A rule creation custom_ioa_api.update_rule_group.assert_called_once_with( body={ @@ -660,11 +661,6 @@ def mock_create_rule(body): "comment": "test update comment", } ) - custom_ioa_api.delete_rules.assert_called_once_with( - rule_group_id="test_group_01", - ids=["test_rule_01"], - comment="test update comment", - ) custom_ioa_api.update_rules.assert_called_once_with( body={ "rulegroup_id": "test_group_01", @@ -695,5 +691,10 @@ def mock_create_rule(body): "comment": "test update comment", } ) + custom_ioa_api.delete_rules.assert_called_once_with( + rule_group_id="test_group_01", + ids=["test_rule_01"], + comment="test update comment", + ) # Assert new group is as expected - assert new_group.version == group.version + 1 + assert new_group.version == group.version + 4 From 302f53cb54ec5a4a5c4d0405c8198e3c6a1978b3 Mon Sep 17 00:00:00 2001 From: Atte Niemi Date: Fri, 18 Oct 2024 11:57:59 +0100 Subject: [PATCH 2/5] Fix incorrect logic in rule group version tracking --- caracara/modules/custom_ioa/custom_ioa.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/caracara/modules/custom_ioa/custom_ioa.py b/caracara/modules/custom_ioa/custom_ioa.py index 0ce37ba..418c219 100644 --- a/caracara/modules/custom_ioa/custom_ioa.py +++ b/caracara/modules/custom_ioa/custom_ioa.py @@ -216,8 +216,8 @@ def _update_create_delete_rules(self, group: IoaRuleGroup, comment: str) -> IoaR ) # If successful (i.e. no exceptions raised), clear the deletion queue group.rules_to_delete = [] - - new_group.version += len(new_group.rules) + bool(group.rules_to_delete) + + new_group.version += len(new_rules) + bool(group.rules_to_delete) return new_group @filter_string From dffb58e865541ce1e32cf1312aa3182f1491e4d1 Mon Sep 17 00:00:00 2001 From: Atte Niemi Date: Fri, 18 Oct 2024 14:59:15 +0100 Subject: [PATCH 3/5] Fix missing side effect in tests & fix tracking of rules --- caracara/modules/custom_ioa/custom_ioa.py | 10 ++++++++-- tests/unit_tests/test_custom_ioas.py | 17 +++++++++++++++-- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/caracara/modules/custom_ioa/custom_ioa.py b/caracara/modules/custom_ioa/custom_ioa.py index 418c219..ac5925f 100644 --- a/caracara/modules/custom_ioa/custom_ioa.py +++ b/caracara/modules/custom_ioa/custom_ioa.py @@ -1,6 +1,7 @@ """Caracara Indicator of Attack (IOA) API module.""" from functools import partial +from itertools import chain from time import monotonic from typing import Dict, List, Union @@ -205,8 +206,13 @@ def _update_create_delete_rules(self, group: IoaRuleGroup, comment: str) -> IoaR ) new_rule.rulegroup_id = group.id_ new_rules.append(new_rule) + new_group.version += 1 + + new_group.rules = list(chain(( + rule for rule in group.rules if rule.exists_in_cloud()), + (new_rule for rule in new_rules)) + ) - new_group.rules.extend(new_rules) # Delete rules queued for deletion, if any if len(group.rules_to_delete) > 0: @@ -216,8 +222,8 @@ def _update_create_delete_rules(self, group: IoaRuleGroup, comment: str) -> IoaR ) # If successful (i.e. no exceptions raised), clear the deletion queue group.rules_to_delete = [] + new_group.version += 1 - new_group.version += len(new_rules) + bool(group.rules_to_delete) return new_group @filter_string diff --git a/tests/unit_tests/test_custom_ioas.py b/tests/unit_tests/test_custom_ioas.py index 1921c5c..2b5d0cb 100644 --- a/tests/unit_tests/test_custom_ioas.py +++ b/tests/unit_tests/test_custom_ioas.py @@ -2,7 +2,7 @@ import copy from typing import List -from unittest.mock import MagicMock +from unittest.mock import DEFAULT, MagicMock import falconpy import pytest @@ -426,6 +426,11 @@ def test_delete_rule_groups_using_groups(client: Client, custom_ioa_api: falconp ) +def test_update_rule_groups_no_changes(client: Client, custom_ioa_api: falconpy.CustomIOA): + """Tests `CustomIoaApiModule.update_rule_group` when no changes are made""" + + + def test_update_rule_groups_no_rules(client: Client, custom_ioa_api: falconpy.CustomIOA): """Tests `CustomIoaApiModule.update_rule_groups` when the group has no rules""" # Setup @@ -583,7 +588,7 @@ def mock_update_rule_group(body): def mock_update_rules(body): assert body["rulegroup_id"] == raw_group["id"] assert body["rulegroup_version"] == raw_group["version"] - raw_group["version"] = body["rulegroup_version"] + raw_group["version"] += 1 for raw_rule_update in body["rule_updates"]: matching_rules = [ i @@ -605,6 +610,7 @@ def mock_update_rules(body): def mock_create_rule(body): assert raw_group["id"] == body["rulegroup_id"] + raw_group["version"] += 1 new_rule = { "customer_id": "test_customer", "instance_id": "test_rule_03", @@ -633,6 +639,13 @@ def mock_create_rule(body): raw_group["rules"].append(new_rule) return {"body": {"resources": [new_rule]}} + def mock_delete_rule(rule_group_id, ids, comment): + assert raw_group["id"] == rule_group_id + raw_group["version"] += 1 + return DEFAULT + + custom_ioa_api.delete_rules.side_effect = mock_delete_rule + custom_ioa_api.create_rule.side_effect = mock_create_rule custom_ioa_api.query_rule_types.side_effect = create_mock_query_resources( From 931f338552b834ee6f7db8de3d0ee8dc5b0d36ab Mon Sep 17 00:00:00 2001 From: Atte Niemi Date: Fri, 18 Oct 2024 15:25:06 +0100 Subject: [PATCH 4/5] Fix linting complaints --- caracara/modules/custom_ioa/custom_ioa.py | 2 +- tests/unit_tests/test_custom_ioas.py | 11 ++++------- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/caracara/modules/custom_ioa/custom_ioa.py b/caracara/modules/custom_ioa/custom_ioa.py index ac5925f..68630d4 100644 --- a/caracara/modules/custom_ioa/custom_ioa.py +++ b/caracara/modules/custom_ioa/custom_ioa.py @@ -209,7 +209,7 @@ def _update_create_delete_rules(self, group: IoaRuleGroup, comment: str) -> IoaR new_group.version += 1 new_group.rules = list(chain(( - rule for rule in group.rules if rule.exists_in_cloud()), + rule for rule in group.rules if rule.exists_in_cloud()), (new_rule for rule in new_rules)) ) diff --git a/tests/unit_tests/test_custom_ioas.py b/tests/unit_tests/test_custom_ioas.py index 2b5d0cb..b94361a 100644 --- a/tests/unit_tests/test_custom_ioas.py +++ b/tests/unit_tests/test_custom_ioas.py @@ -2,7 +2,7 @@ import copy from typing import List -from unittest.mock import DEFAULT, MagicMock +from unittest.mock import MagicMock import falconpy import pytest @@ -426,11 +426,6 @@ def test_delete_rule_groups_using_groups(client: Client, custom_ioa_api: falconp ) -def test_update_rule_groups_no_changes(client: Client, custom_ioa_api: falconpy.CustomIOA): - """Tests `CustomIoaApiModule.update_rule_group` when no changes are made""" - - - def test_update_rule_groups_no_rules(client: Client, custom_ioa_api: falconpy.CustomIOA): """Tests `CustomIoaApiModule.update_rule_groups` when the group has no rules""" # Setup @@ -641,8 +636,10 @@ def mock_create_rule(body): def mock_delete_rule(rule_group_id, ids, comment): assert raw_group["id"] == rule_group_id + assert ids + assert comment raw_group["version"] += 1 - return DEFAULT + return {"body": {}} custom_ioa_api.delete_rules.side_effect = mock_delete_rule From 22ce4b3dfd5bd70554768111db4187318a3bf82a Mon Sep 17 00:00:00 2001 From: Atte Niemi Date: Mon, 21 Oct 2024 15:53:07 +0100 Subject: [PATCH 5/5] fix: linting --- caracara/modules/custom_ioa/custom_ioa.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/caracara/modules/custom_ioa/custom_ioa.py b/caracara/modules/custom_ioa/custom_ioa.py index 68630d4..42860c2 100644 --- a/caracara/modules/custom_ioa/custom_ioa.py +++ b/caracara/modules/custom_ioa/custom_ioa.py @@ -208,12 +208,13 @@ def _update_create_delete_rules(self, group: IoaRuleGroup, comment: str) -> IoaR new_rules.append(new_rule) new_group.version += 1 - new_group.rules = list(chain(( - rule for rule in group.rules if rule.exists_in_cloud()), - (new_rule for rule in new_rules)) + new_group.rules = list( + chain( + (rule for rule in group.rules if rule.exists_in_cloud()), + (new_rule for rule in new_rules), + ) ) - # Delete rules queued for deletion, if any if len(group.rules_to_delete) > 0: ids_to_delete = [rule.instance_id for rule in group.rules_to_delete]