Feat: Added local es-node-docker for developing

SigmaHQ · Jun 21, 2024 · a8af9d5 · a8af9d5
1 parent 763f07a
commit a8af9d5
Show file tree

Hide file tree

Showing 4 changed files with 238 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -4,4 +4,6 @@
 .pytest_cache/
 cov.xml
 dist/
-docs/_build
+docs/_build
+.env
+
diff --git a/devtools/README.md b/devtools/README.md
@@ -0,0 +1,73 @@
+# DevTools Readme
+
+For now you can find a docker compose environment to start your own
+local Elasticsearch Node which can be used by the backend pytests
+to check the code against a real ES Instance.
+
+## Foreword
+
+1. Don't use this ES Node for production data!
+   * It isn't very hardened, using simple passwords, etc.
+2. It depends a installed docker and the docker compose plugin
+   * I guess you'll make it!
+
+## Startup
+
+Just open a new terminal and run `docker compose up` or `docker compose up -d` (detached).
+
+```bash
+cd devtools
+mv dot_env .env
+docker compose up -d
+cd ..
+```
+
+## Run tests against this node
+
+```bash
+$ pytest tests/test_backend_elasticsearch_*_connect.py
+
+================================================ test session starts ================================================
+platform linux -- Python 3.10.12, pytest-7.4.4, pluggy-1.5.0 -- /home/dev/.local/share/virtualenvs/pysigma-backend-elasticsearch-qlQ8rDO_-py3.10/bin/python
+cachedir: .pytest_cache
+rootdir: /home/dev/pySigma-backend-elasticsearch
+configfile: pyproject.toml
+plugins: cov-4.1.0
+collected 35 items                                                                                                  
+
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_and_expression PASSED [  2%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_and_expression_empty_string PASSED [  5%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_or_expression PASSED [  8%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_and_or_expression PASSED [ 11%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_or_and_expression PASSED [ 14%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_in_expression PASSED [ 17%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_in_expression_empty_string PASSED [ 20%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_regex_query PASSED [ 22%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_cidr_query PASSED [ 25%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_ip_query PASSED   [ 28%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_field_name_with_whitespace PASSED [ 31%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_dot_value PASSED  [ 34%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_space_value_text PASSED [ 37%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_space_value_keyword PASSED [ 40%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_angle_brackets PASSED [ 42%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_angle_brackets_single PASSED [ 45%]
+tests/test_backend_elasticsearch_eql_connect.py::TestConnectElasticsearch::test_connect_eql_windash_double PASSED [ 48%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_and_expression PASSED [ 51%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_and_expression_empty_string PASSED [ 54%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_or_expression PASSED [ 57%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_and_or_expression PASSED [ 60%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_or_and_expression PASSED [ 62%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_in_expression PASSED [ 65%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_in_expression_empty_string PASSED [ 68%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_regex_query PASSED [ 71%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_cidr_v4_query PASSED [ 74%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_cidr_v6_query PASSED [ 77%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_ip_query PASSED [ 80%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_field_name_with_whitespace PASSED [ 82%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_dot_value PASSED [ 85%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_space_value_text PASSED [ 88%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_space_value_keyword PASSED [ 91%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_angle_brackets PASSED [ 94%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_angle_brackets_single PASSED [ 97%]
+tests/test_backend_elasticsearch_lucene_connect.py::TestConnectElasticsearch::test_connect_lucene_windash_double PASSED [100%]
+```
diff --git a/devtools/docker-compose.yml b/devtools/docker-compose.yml
@@ -0,0 +1,120 @@
+version: "3.8"
+
+volumes:
+  certs:
+    driver: local
+  esdata01:
+    driver: local
+  kibanadata:
+    driver: local
+  metricbeatdata01:
+    driver: local
+  filebeatdata01:
+    driver: local
+  logstashdata01:
+    driver: local
+
+networks:
+  default:
+    name: elastic
+    external: false
+
+services:
+  setup:
+    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
+    volumes:
+      - certs:/usr/share/elasticsearch/config/certs
+    user: "0"
+    command: >
+      bash -c '
+        if [ x${ELASTIC_PASSWORD} == x ]; then
+          echo "Set the ELASTIC_PASSWORD environment variable in the .env file";
+          exit 1;
+        elif [ x${KIBANA_PASSWORD} == x ]; then
+          echo "Set the KIBANA_PASSWORD environment variable in the .env file";
+          exit 1;
+        fi;
+        if [ ! -f config/certs/ca.zip ]; then
+          echo "Creating CA";
+          bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
+          unzip config/certs/ca.zip -d config/certs;
+        fi;
+        if [ ! -f config/certs/certs.zip ]; then
+          echo "Creating certs";
+          echo -ne \
+          "instances:\n"\
+          "  - name: es01\n"\
+          "    dns:\n"\
+          "      - es01\n"\
+          "      - localhost\n"\
+          "    ip:\n"\
+          "      - 127.0.0.1\n"\
+          "  - name: kibana\n"\
+          "    dns:\n"\
+          "      - kibana\n"\
+          "      - localhost\n"\
+          "    ip:\n"\
+          "      - 127.0.0.1\n"\
+          > config/certs/instances.yml;
+          bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
+          unzip config/certs/certs.zip -d config/certs;
+        fi;
+        echo "Setting file permissions"
+        chown -R root:root config/certs;
+        find . -type d -exec chmod 750 \{\} \;;
+        find . -type f -exec chmod 640 \{\} \;;
+        echo "Waiting for Elasticsearch availability";
+        until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
+        echo "Setting kibana_system password";
+        until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done;
+        curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/sigmahq -d "{\"password\" : \"sigmahq\", \"roles\" : [ \"superuser\" ], \"full_name\" : \"SigmaHQ\", \"email\" : \"[email protected]\"}"
+        echo "All done!";
+      '
+    healthcheck:
+      test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"]
+      interval: 1s
+      timeout: 5s
+      retries: 120
+  es01:
+    depends_on:
+      setup:
+        condition: service_healthy
+    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
+    labels:
+      co.elastic.logs/module: elasticsearch
+    volumes:
+      - certs:/usr/share/elasticsearch/config/certs
+      - esdata01:/usr/share/elasticsearch/data
+    ports:
+      - ${ES_PORT}:9200
+    environment:
+      - node.name=es01
+      - cluster.name=${CLUSTER_NAME}
+      - discovery.type=single-node
+      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
+      - bootstrap.memory_lock=true
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.key=certs/es01/es01.key
+      - xpack.security.http.ssl.certificate=certs/es01/es01.crt
+      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.key=certs/es01/es01.key
+      - xpack.security.transport.ssl.certificate=certs/es01/es01.crt
+      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.license.self_generated.type=${LICENSE}
+    mem_limit: ${ES_MEM_LIMIT}
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
+        ]
+      interval: 10s
+      timeout: 10s
+      retries: 120
diff --git a/devtools/dot_env b/devtools/dot_env
@@ -0,0 +1,42 @@
+# Project namespace (defaults to the current folder name if not set)
+#COMPOSE_PROJECT_NAME=myproject
+
+
+# Password for the 'elastic' user (at least 6 characters)
+ELASTIC_PASSWORD=changeme
+
+
+# Password for the 'kibana_system' user (at least 6 characters)
+KIBANA_PASSWORD=changeme
+
+
+# Version of Elastic products
+STACK_VERSION=8.7.1
+
+
+# Set the cluster name
+CLUSTER_NAME=docker-cluster
+
+
+# Set to 'basic' or 'trial' to automatically start the 30-day trial
+LICENSE=basic
+#LICENSE=trial
+
+
+# Port to expose Elasticsearch HTTP API to the host
+ES_PORT=9200
+
+
+# Port to expose Kibana to the host
+KIBANA_PORT=5601
+
+
+# Increase or decrease based on the available host memory (in bytes)
+ES_MEM_LIMIT=1073741824
+KB_MEM_LIMIT=1073741824
+LS_MEM_LIMIT=1073741824
+
+
+# SAMPLE Predefined Key only to be used in POC environments
+ENCRYPTION_KEY=c34d38b3a14956121ff2170e5030b471551370178f43e5626eec58b04a30fae2
+