Closed mateojames closed 1 month ago
To do the testing I have a manager running Ubuntu in a Docker container, where the branch `feature/16407-amazon-sec-lake-dev` was cloned from the `wazuh` repository and installed. In the container I have also cloned the `3333-aws-integration-tests` branch from the `wazuh-qa` repository and have installed Vagrant for the management of VMs. Some errors were found. Further investigation is required.
| Cases | Expected Result | Configuration |
|---|---|---|
| Use an existing lake and sqs | The module is invoked with the expected parameters and no error occurs | `ossec.conf` (XML) |
Some integration tests still need to be defined, such as:
`iam_role_duration`)
`sts_endpoint` is implemented correctly (procedure to be defined)
`service_endpoint` is implemented correctly (procedure to be defined)

The subscriber section for Tier 0 testing was added to the `test_basic`, still in development process
To maintain consistency between the different already developed integration tests of the module, and because the `iam_role_duration`, `sts_endpoint`, and `service_endpoint` parameters do not generate a fundamental modification of the behavior of the module, no tests will be developed that make use of the same.
Also, the parser integration tests added in https://github.com/wazuh/wazuh-qa/pull/3882 will be expanded in order to contemplate the new `<subscriber>` section and its inner fields.
The current Integration Tests structure has been reviewed to understand better how the Security Lake tests should be developed.
Since the objective of these tests is not the generation of the Security Lake itself but the interaction with the principal components available when setting up a Data Access Subscription, we should have an environment with the following services available for the test account:
`iam_role_arn` parameter when fetching messages and the bucket's content and it will also have the `external_id` parameter set in Trusted relationships.
`sqs_name` parameter. The test will send a message to it which will be the one ingested by the module that contains the path of the parquet file.

While the needed permissions to handle these services are being required, the Subscriber Parser Integration tests are being developed.
The base test, which needs the previously mentioned AWS services, will be added to `test_basic.py`.
In the meantime, the `test_parser.py` is being updated with ASL integration cases, which are:
[x] test_parser.py::test_type_missing_in_subscriber[parser_type_missing_in_subscriber]
[x] test_parser.py::test_empty_values_in_subscriber[parser_empty_type_in_subscriber]
[ ] test_parser.py::test_empty_values_in_subscriber[parser_empty_queue_in_subscriber]
The expected message related to the empty `sqs_name` value is not implemented at the C level. Instead, it is being processed by the script as an invalid argument due to its non-existence:
WARNING: Subscriber: security_lake - Error parsing arguments.
Points to discuss: Should we take it as an invalid value or a required one like the `subscriber` type which does not allow the empty value? This last option would require an issue in order to carry out the necessary changes (should be opened after the whole analysis on the required changes)
[ ] test_parser.py::test_invalid_values_in_subscriber[parser_invalid_type_in_subscriber]
[ ] test_parser.py::test_invalid_values_in_subscriber[parser_invalid_queue_in_subscriber]
[ ] test_parser.py::test_multiple_bucket_and_service_tags[parser_mutiple_bucket_and_service_tags]
Possible alternatives: add more test cases or add the `subscriber` configuration to the existing one.
New test cases have been checked for the Parser tests:
test_parser.py::test_type_missing_in_subscriber[parser_type_missing_in_subscriber]
test_parser.py::test_empty_values_in_subscriber[parser_empty_type_in_subscriber]
test_parser.py::test_invalid_values_in_subscriber[parser_invalid_type_in_subscriber]
test_parser.py::test_multiple_bucket_service_and_subscriber_tags[parser_multiple_bucket_service_and_subscriber_tags]
test_parser.py::test_empty_values_in_subscriber[parser_empty_queue_in_subscriber]
Displays: WARNING: Subscriber: security_lake - Error parsing arguments.
The `sqs_name` is a mandatory parameter; the module should show an error when it parses the `ossec.conf` and does not find a value for the tag.
test_parser.py::test_empty_values_in_subscriber[parser_empty_iam_arn_in_subscriber]
Raises an error at a script level, displaying the traceback. Needs to be modified because the `iam_role_arn` is required for the `subscriber` type.
test_parser.py::test_empty_values_in_subscriber[parser_empty_external_id_in_subscriber]
It also raises an error at a script level, displaying the traceback. Needs to be modified because the `external_id` is required for the `subscriber` type.
test_parser.py::test_invalid_values_in_subscriber[parser_invalid_queue_in_subscriber]
This is not currently being checked, so the error displayed is the one when no queue with the given name is found. AWS sets minimal requirements for these, therefore the argument verification should be implemented.
test_parser.py::test_invalid_values_in_subscriber[parser_invalid_iam_arn_in_subscriber]
This also is not currently being checked and given that the `iam_role_arn` is a mandatory parameter, a verification function should be developed.
test_parser.py::test_invalid_values_in_subscriber[parser_invalid_iam_duration_in_subscriber]
It should be modified with a more descriptive message because when setting a non-alphanumeric value, the following logs are displayed:
```
2023/06/22 14:47:56 wazuh-modulesd:aws-s3[39534] wm_aws.c:790 at wm_aws_run_subscriber(): DEBUG: Launching Security Lake Subscriber Command: wodles/aws/aws-s3 --subscriber security_lake --queue name --external_id invented --iam_role_arn role --iam_role_duration test --debug 2
2023/06/22 14:47:56 wazuh-modulesd:aws-s3[39534] wm_aws.c:805 at wm_aws_run_subscriber(): WARNING: Subscriber: security_lake name - Returned exit code 2
2023/06/22 14:47:56 wazuh-modulesd:aws-s3[39534] wm_aws.c:818 at wm_aws_run_subscriber(): WARNING: Subscriber: security_lake name - Error parsing arguments.
```
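
The argument verification asked for in the comment above, sketched as an added example; it is not part of the original issue and is not Wazuh code. Every function and constant name is hypothetical, the limits are the AWS-documented ones for SQS queue names, IAM role ARNs, external IDs and `sts:AssumeRole` durations, and `iam_role_duration` is assumed to be optional.

```python
import re

# Limits are AWS-documented constraints for SQS, IAM and STS. All names in this
# block are hypothetical; none come from the Wazuh code base.
SQS_NAME = re.compile(r"[A-Za-z0-9_-]{1,80}|[A-Za-z0-9_-]{1,75}\.fifo")
ROLE_ARN = re.compile(
    r"arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/"  # common partitions only
    r"(?:[\w+=,.@-]+/)*[\w+=,.@-]{1,64}",
    re.ASCII,
)
EXTERNAL_ID = re.compile(r"[\w+=,.@:/-]{2,1224}", re.ASCII)
MIN_DURATION, MAX_DURATION = 900, 43200  # sts:AssumeRole DurationSeconds


def check_required(name, value, pattern, errors):
    """Report an empty value as missing and a non-matching one as invalid."""
    if not value:
        errors.append(f"{name}: required value is missing")
    elif not pattern.fullmatch(value):
        errors.append(f"{name}: invalid value {value!r}")


def validate_subscriber(sqs_name, iam_role_arn, external_id, iam_role_duration=None):
    """Return a list of error strings; an empty list means the input is valid."""
    errors = []
    check_required("sqs_name", sqs_name, SQS_NAME, errors)
    check_required("iam_role_arn", iam_role_arn, ROLE_ARN, errors)
    check_required("external_id", external_id, EXTERNAL_ID, errors)
    if iam_role_duration is not None:  # assumption: the parameter is optional
        text = str(iam_role_duration)
        if not re.fullmatch(r"[0-9]+", text):
            errors.append(f"iam_role_duration: {text!r} is not an integer")
        elif not MIN_DURATION <= int(text) <= MAX_DURATION:
            errors.append(
                f"iam_role_duration: {text} outside {MIN_DURATION}-{MAX_DURATION}"
            )
    return errors


# Constructed sample: the argument values from the debug log line quoted above.
SAMPLE = validate_subscriber("name", "role", "invented", "test")
for message in SAMPLE:
    print(message)
```

Run on the values from the quoted log, the check names the two offending parameters instead of the generic "Error parsing arguments" warning.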
Moving to on hold as the tests migration is almost ready.
The issue will be resumed once higher-priority issues are done.
Due to the changes planned for version 5.0 and the analysis that is being carried out regarding the External integrations modules, the team's efforts for improvements will be directed to the mentioned version.
Following the https://github.com/wazuh/wazuh/issues/16326 epic, this task aims to develop integration tests for https://github.com/wazuh/wazuh/issues/16407.
For the completion of this issue we must ensure to: