Refactor integratord test_integratord_read_json_file_deleted

CHANGELOG.md

@@ -29,6 +29,10 @@ Release report: https://github.com/wazuh/wazuh/issues/17004
 - Add test to check the Syscollector configuration. ([#3584](https://github.com/wazuh/wazuh-qa/pull/3584)) \- (Framework + Tests)
 - Add system tests for groups deletion ([#4057](https://github.com/wazuh/wazuh-qa/pull/4057)) \- (Tests)
 
+### Changed
+
+- Change integratord test to use slack instead of virustotal ([#3540](https://github.com/wazuh/wazuh-qa/pull/3540)) \- (Framework + Tests)
+
 ### Fixed
 
 - Stabilize multiple wday tests (GCloud integration) ([#4176](https://github.com/wazuh/wazuh-qa/pull/4176)) \- (Tests)

deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py

@@ -8,3 +8,8 @@
                                'analysisd.sca_threads': '1', 'analysisd.hostinfo_threads': '1',
                                'analysisd.winevt_threads': '1', 'analysisd.rule_matching_threads': '1',
                                'analysisd.dbsync_threads': '1', 'remoted.worker_pool': '1'}
+# Callback Messages
+CB_ANALYSISD_STARTUP_COMPLETED = fr"DEBUG: Startup completed. Waiting for new messages.*"
+
+# Error messages
+ERR_MSG_STARTUP_COMPLETED_NOT_FOUND = fr'Did not recieve the expected "{CB_ANALYSISD_STARTUP_COMPLETED}"'

deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py

@@ -3,29 +3,18 @@
            Created by Wazuh, Inc. <info@wazuh.com>.
            This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
 '''
+from wazuh_testing.tools import ANALYSISD_DAEMON, DB_DAEMON, INTEGRATOR_DAEMON
 
 # Variables
-INTEGRATORD_PREFIX = 'wazuh-integratord'
+INTEGRATORD_PREFIX = fr".+{INTEGRATOR_DAEMON}"
+REQUIRED_DAEMONS = [INTEGRATOR_DAEMON, DB_DAEMON, ANALYSISD_DAEMON]
+TIME_TO_DETECT_FILE = 2
 
-# Callback Messages
-CB_VIRUSTOTAL_ENABLED = r".*(wazuh-integratord.*Enabling integration for: 'virustotal').*"
-CB_INTEGRATORD_SENDING_ALERT = r'(.*wazuh-integratord.*DEBUG: sending new alert).*'
-CB_PROCESSING_ALERT = r'.*(wazuh-integratord.*Processing alert.*)'
-CB_INTEGRATORD_THREAD_READY = r'.*(wazuh-integratord.*DEBUG: Local requests thread ready).*'
-CB_VIRUSTOTAL_ALERT = r'.*(wazuh-integratord.*alert_id.*\"integration\": \"virustotal\").*'
-CB_VIRUSTOTAL_ALERT_JSON = r'.*(VirusTotal: Alert.*\"integration\":\"virustotal\").*'
-CB_INVALID_JSON_ALERT_READ = r'.*(wazuh-integratord.*WARNING: Invalid JSON alert read).*'
-CB_OVERLONG_JSON_ALERT_READ = r'.*(wazuh-integratord.*WARNING: Overlong JSON alert read).*'
-CB_ALERTS_FILE_INODE_CHANGED = r'.*(wazuh-integratord.*DEBUG: jqueue_next.*Alert file inode changed).*'
-CB_CANNOT_RETRIEVE_JSON_FILE = r'.*(wazuh-integratord.*WARNING.*Could not retrieve information of file).*'\
-                               r'alerts\.json.*No such file.*'
-
-# Error messages
-ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND = r'Did not recieve the expected "Enabling integration for virustotal"'
-ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED = r'Did not recieve the expected VirusTotal alert in alerts.json'
-ERR_MSG_INVALID_ALERT_NOT_FOUND = r'Did not recieve the expected "...Invalid JSON alert read..." event'
-ERR_MSG_OVERLONG_ALERT_NOT_FOUND = r'Did not recieve the expected "...Overlong JSON alert read..." event'
-ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND = r'Did not recieve the expected "...Alert file inode changed..." event'
-ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND = r'Did not recieve the expected "...Could not retrieve information/open file"'
-ERR_MSG_SENDING_ALERT_NOT_FOUND = r'Did not recieve the expected "...sending new alert" event'
-ERR_MSG_PROCESSING_ALERT_NOT_FOUND = r'Did not recieve the expected "...Procesing alert" event'
+# Callbacks
+CB_INVALID_ALERT_READ = r'.*WARNING: Invalid JSON alert read.*'
+CB_OVERLONG_ALERT_READ = r'.*WARNING: Overlong JSON alert read.*'
+CB_ALERT_JSON_FILE_NOT_FOUND = r'.+WARNING.*Could not retrieve information of file.*alerts\.json.*No such file.*'
+CB_THIRD_PARTY_RESPONSE = r'.*<Response \[200\]>'
+CB_PROCESSING_ALERT = r'.*Processing alert.*'
+CB_INODE_CHANGED = r'.*DEBUG: jqueue_next.*Alert file inode changed.*'
+CB_INTEGRATORD_THREAD_IS_READY = r'.*DEBUG: Local requests thread ready.*'

deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py

@@ -3,25 +3,120 @@
            Created by Wazuh, Inc. <info@wazuh.com>.
            This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
 '''
+import re
 
+from wazuh_testing import T_5, T_20, T_30
 from wazuh_testing.tools import LOG_FILE_PATH
 from wazuh_testing.tools.monitoring import FileMonitor
+from wazuh_testing.modules import integratord
+
+
+def make_integratord_callback(pattern, prefix=integratord.INTEGRATORD_PREFIX):
+    '''Create a callback function from a text pattern.
+
+    It already contains the vulnerability-detector prefix.
+
+    Args:
+        pattern (str): String to match on the log.
+        prefix (str): regular expression used as prefix before the pattern.
+
+    Returns:
+        lambda: function that returns if there's a match in the file
+
+    Examples:
+        >>> callback_bionic_update_started = make_vuln_callback("Starting Ubuntu Bionic database update")
+    '''
+    pattern = r'\s+'.join(pattern.split())
+    regex = re.compile(r'{}{}'.format(prefix, pattern))
+
+    return lambda line: regex.match(line) is not None
 
 
 def check_integratord_event(file_monitor=None, callback='', error_message=None, update_position=True,
-                            timeout=30, accum_results=1, file_to_monitor=LOG_FILE_PATH):
-    """Check if an event occurs
+                            timeout=T_30, accum_results=1, file_to_monitor=LOG_FILE_PATH,
+                            prefix=integratord.INTEGRATORD_PREFIX):
+    '''Check if an event occurs
     Args:
         file_monitor (FileMonitor): FileMonitor object to monitor the file content.
         callback (str): log regex to check in Wazuh log
         error_message (str): error message to show in case of expected event does not occur
         update_position (boolean): filter configuration parameter to search in Wazuh log
         timeout (str): timeout to check the event in Wazuh log
         accum_results (int): Accumulation of matches.
-    """
+        prefix (str): log pattern regex
+    '''
     file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor
     error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \
         error_message
 
     file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results,
-                       callback=callback, error_message=error_message)
+                       callback=make_integratord_callback(callback, prefix), error_message=error_message)
+
+
+def check_integratord_thread_ready(file_monitor=None, timeout=T_5):
+    '''Check if a local requests thread ready in the logs.
+
+    Args:
+        log_monitor (FileMonitor): Log monitor.
+        timeout (int): Event timeout.
+    '''
+    check_integratord_event(file_monitor=file_monitor, timeout=timeout,
+                            callback=integratord.CB_INTEGRATORD_THREAD_IS_READY,
+                            error_message='Did not receive the expected "Local requests thread ready"')
+
+
+def check_file_inode_changed(file_monitor=None, timeout=T_20):
+    '''Check for Alert file inode changed in the logs.
+
+    Args:
+        log_monitor (FileMonitor): Log monitor.
+        timeout (int): Event timeout.
+    '''
+    check_integratord_event(file_monitor=file_monitor, timeout=timeout, callback=integratord.CB_INODE_CHANGED,
+                            error_message='Did not receive the expected "...Alert file inode changed..." event')
+
+
+def check_alert_processing(file_monitor=None, timeout=T_20):
+    '''Check for Processing alert message in the logs.
+
+    Args:
+        log_monitor (FileMonitor): Log monitor.
+        timeout (int): Event timeout.
+    '''
+    check_integratord_event(file_monitor=file_monitor, timeout=timeout, callback=integratord.CB_PROCESSING_ALERT,
+                            error_message='Did not receive the expected Slack alert in alerts.json')
+
+
+def check_third_party_response(file_monitor=None, timeout=T_20):
+    '''Check for response message in the logs.
+
+    Args:
+        log_monitor (FileMonitor): Log monitor.
+        timeout (int): Event timeout.
+    '''
+    check_integratord_event(file_monitor=file_monitor, timeout=timeout, callback=integratord.CB_THIRD_PARTY_RESPONSE,
+                            error_message='Could not send the alert to slack')
+
+
+def check_invalid_alert_read(file_monitor=None, timeout=T_20, callback='', error_message=None):
+    '''Check for invalid alert read message in the logs.
+
+    Args:
+        log_monitor (FileMonitor): Log monitor.
+        timeout (int): Event timeout.
+        callback (str): log regex to check in Wazuh log
+        error_message (str): error message to show in case of expected event does not occur
+    '''
+    check_integratord_event(file_monitor=file_monitor, timeout=timeout, callback=callback, error_message=error_message)
+
+
+def check_file_warning(file_monitor=None, timeout=T_20):
+    '''Check for information of file in the logs.
+
+    Args:
+        log_monitor (FileMonitor): Log monitor.
+        timeout (int): Event timeout.
+    '''
+    check_integratord_event(file_monitor=file_monitor, timeout=timeout,
+                            callback=integratord.CB_ALERT_JSON_FILE_NOT_FOUND,
+                            error_message='Did not receive the expected "...Could not retrieve information/open file"')

deps/wazuh_testing/wazuh_testing/tools/__init__.py

@@ -177,7 +177,8 @@ def get_service():
                         MODULESD_CONTROL_SOCKET_PATH,
                         MODULESD_KREQUEST_SOCKET_PATH
                       ],
-    'wazuh-clusterd': [MODULESD_C_INTERNAL_SOCKET_PATH]
+    'wazuh-clusterd': [MODULESD_C_INTERNAL_SOCKET_PATH],
+    'wazuh-integratord': []
 }
 
 # These sockets do not exist with default Wazuh configuration

tests/integration/conftest.py

@@ -122,11 +122,39 @@ def restart_wazuh_daemon_function(daemon=None):
 
 
 @pytest.fixture(scope='function')
-def restart_wazuh_function(daemon=None):
-    """Restart all Wazuh daemons"""
-    control_service("restart", daemon=daemon)
+def restart_wazuh_function(request):
+    """Restart before starting a test, and stop it after finishing.
+
+       Args:
+            request (fixture): Provide information on the executing test function.
+    """
+    # If there is a list of required daemons defined in the test module, restart daemons, else restart all daemons.
+    try:
+        daemons = request.module.REQUIRED_DAEMONS
+    except AttributeError:
+        daemons = []
+
+    if len(daemons) == 0:
+        logger.debug(f"Restarting all daemon")
+        control_service('restart')
+    else:
+        for daemon in daemons:
+            logger.debug(f"Restarting {daemon}")
+            # Restart daemon instead of starting due to legacy used fixture in the test suite.
+            control_service('restart', daemon=daemon)
+
     yield
-    control_service('stop', daemon=daemon)
+
+    # Stop all daemons by default (daemons = None)
+    if len(daemons) == 0:
+        logger.debug(f"Stopping all daemons")
+        control_service('stop')
+    else:
+        # Stop a list daemons in order (as Wazuh does)
+        daemons.reverse()
+        for daemon in daemons:
+            logger.debug(f"Stopping {daemon}")
+            control_service('stop', daemon=daemon)
 
 
 @pytest.fixture(scope='module')
@@ -300,12 +328,12 @@ def pytest_addoption(parser):
         help="run tests using a specific WPK package path"
     )
     parser.addoption(
-        "--integration-api-key",
+        "--slack-webhook-url",
         action="store",
-        metavar="integration_api_key",
+        metavar="slack_webhook_url",
         default=None,
         type=str,
-        help="pass api key required for integratord tests."
+        help="pass webhook url required for integratord tests."
     )
 
 
@@ -364,10 +392,10 @@ def pytest_configure(config):
     # Set WPK package version
     global_parameters.wpk_version = config.getoption("--wpk_version")
 
-    # Set integration_api_key if it is passed through command line args
-    integration_api_key = config.getoption("--integration-api-key")
-    if integration_api_key:
-        global_parameters.integration_api_key = integration_api_key
+    # Set slack_webhook_url if it is passed through command line args
+    slack_webhook_url = config.getoption("--slack-webhook-url")
+    if slack_webhook_url:
+        global_parameters.slack_webhook_url = slack_webhook_url
 
     # Set files to add to the HTML report
     set_report_files(config.getoption("--save-file"))

tests/integration/test_integratord/conftest.py

@@ -3,20 +3,23 @@
            Created by Wazuh, Inc. <info@wazuh.com>.
            This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
 '''
-
-
 import pytest
 
+from wazuh_testing import T_5
 from wazuh_testing.tools import LOG_FILE_PATH
-from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback
-from wazuh_testing.modules import integratord as integrator
-from wazuh_testing.modules.integratord.event_monitor import check_integratord_event
+from wazuh_testing.tools.monitoring import FileMonitor
+from wazuh_testing.modules import analysisd
+from wazuh_testing.modules.analysisd.event_monitor import check_analysisd_event
+from wazuh_testing.modules.integratord import event_monitor as evm
 
 
 @pytest.fixture(scope='function')
 def wait_for_start_module(request):
     # Wait for integratord thread to start
     file_monitor = FileMonitor(LOG_FILE_PATH)
-    check_integratord_event(file_monitor=file_monitor, timeout=20,
-                            callback=generate_monitoring_callback(integrator.CB_INTEGRATORD_THREAD_READY),
-                            error_message=integrator.ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND)
+    evm.check_integratord_thread_ready(file_monitor=file_monitor)
+
+    # Wait for analysisd to start successfully (to detect changes in the alerts.json file)
+    check_analysisd_event(file_monitor=file_monitor, timeout=T_5,
+                          callback=analysisd.CB_ANALYSISD_STARTUP_COMPLETED,
+                          error_message=analysisd.ERR_MSG_STARTUP_COMPLETED_NOT_FOUND)

tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml → tests/integration/test_integratord/data/configuration/configuration_alerts_reading.yaml

@@ -1,39 +1,35 @@
-- tags:
-    - all
-  apply_to_modules:
-    - test_integratord_read_json_alerts
-    - test_integratord_change_inode_alert
-    - test_integratord_read_json_file_deleted
-  sections:
+- sections:
     - section: integration
       elements:
         - name:
-            value: virustotal
-        - api_key:
-            value: API_KEY
+            value: slack
+        - hook_url:
+            value: WEBHOOK_URL
         - rule_id:
-            value: '554'
+            value: 5712
+        - level:
+            value: 10
         - alert_format:
             value: json
+
     - section: sca
       elements:
         - enabled:
             value: 'no'
-    - section: rootcheck
-      elements:
-        - disabled:
-            value: 'yes'
+
     - section: syscheck
       elements:
         - disabled:
             value: 'yes'
+
     - section: wodle
       attributes:
-        - name: syscollector
+        - name: vulnerability-detector
       elements:
         - disabled:
             value: 'yes'
-    - section: auth
+
+    - section: rootcheck
       elements:
         - disabled:
             value: 'yes'

tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml

@@ -1,17 +1,22 @@
-- name: Cannot read alerts - Inode changed
+- name: cannot_read_alerts_file_inode_changed
   description: The alerts.json file inode has changed and it cannot read alerts from it until it reloads.
   configuration_parameters:
-    API_KEY: Insert using --integration-api-key parameter
+    WEBHOOK_URL: Insert using --slack-webhook-url parameter
   metadata:
-    alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":
-                   "File added to the system.", "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck",
-                   "syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],
-                   "hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8",
-                   "CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":
-                   "1657551196.2754","full_log":"File /test_folder/TEST_CHANGED_INODE_ALERT.txt added\nMode:
-                   scheduled\n","syscheck":{"path":"/test_folder/TEST_CHANGED_INODE_ALERT.txt","mode":"scheduled",
-                   "size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":
-                   "2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe",
-                   "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":
-                   "root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},
-                   "decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}'
+    alert_sample: '{"timestamp":"2022-05-11T12:29:19.905+0000","rule":{"level":10,"description":
+                   "sshd: brute force trying to get access to the system. Non existent user.","id":"5712",
+                   "mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,
+                   "firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":
+                   ["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":
+                   ["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":
+                   "localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1652272159.1549653",
+                   "previous_output":"May 11 12:29:16 localhost sshd[17582]: Invalid user paco from 172.17.1.1 port
+                   56402\nMay 11 12:29:14 localhost sshd[17580]: Invalid user paco from 172.17.1.1 port 56400\nMay
+                   11 12:29:11 localhost sshd[17578]: Invalid user paco from 172.17.1.1 port 56398\nMay 11 12:29:09
+                   localhost sshd[17576]: Invalid user paco from 172.17.1.1 port 56396\nMay 11 12:29:07 localhost
+                   sshd[17574]: Invalid user paco from 172.17.1.1 port 56394\nMay 11 12:29:04 localhost sshd[17572]:
+                   Invalid user paco from 172.17.1.1 port 56392\nMay 11 12:29:00 localhost sshd[17570]: Invalid user
+                   paco from 172.17.1.1 port 56390","full_log":"May 11 12:29:18 localhost sshd[17584]: Invalid user
+                   paco from 172.17.1.1 port 56404","predecoder":{"program_name":"sshd","timestamp":"May 11 12:29:18",
+                   "hostname":"localhost"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"172.17.1.1",
+                   "srcport":"56404","srcuser":"paco"},"location":"/var/log/secure"}'