Merge pull request #1834 from wazuh/1804-qadocs-migrate-test-analysisd

Migrate `test_analysisd` documentation to QA Docs
wazuh · Sep 3, 2021 · 680b00e · 680b00e
2 parents 2370a46 + 0a9d0e2
commit 680b00e
Show file tree

Hide file tree

Showing 12 changed files with 1,017 additions and 99 deletions.
diff --git a/docs/DocGenerator/config.yaml b/docs/DocGenerator/config.yaml
@@ -5,6 +5,7 @@ Output path: "../output"
 Include paths:
   - "../../tests/integration/test_active_response"
   - "../../tests/integration/test_agentd"
+  - "../../tests/integration/test_analysisd"
 
 Include regex:
   - "^test_.*py$"
@@ -19,6 +20,13 @@ Ignore paths:
   - "../../tests/integration/test_active_response/test_analysisd/data"
   - "../../tests/integration/test_active_response/test_execd/data"
   - "../../tests/integration/test_agentd/data"
+  - "../../tests/integration/test_analysisd/test_all_syscheckd_configurations/data"
+  - "../../tests/integration/test_analysisd/test_all_syscheckd_configurations/yaml_generators"
+  - "../../tests/integration/test_analysisd/test_error_messages/data"
+  - "../../tests/integration/test_analysisd/test_event_messages/data"
+  - "../../tests/integration/test_analysisd/test_integrity_messages/data"
+  - "../../tests/integration/test_analysisd/test_mitre/data"
+  - "../../tests/integration/test_analysisd/test_scan_messages/data"
 
 Output fields:
   Module:

diff --git a/...tion/test_analysisd/test_all_syscheckd_configurations/test_check_rare_socket_responses.py b/...tion/test_analysisd/test_all_syscheckd_configurations/test_check_rare_socket_responses.py
@@ -1,7 +1,54 @@
-# Copyright (C) 2015-2021, Wazuh Inc.
-# Created by Wazuh, Inc. <info@wazuh.com>.
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+'''
+copyright:
+    Copyright (C) 2015-2021, Wazuh Inc.
 
+    Created by Wazuh, Inc. <info@wazuh.com>.
+
+    This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type:
+    integration
+
+description:
+    These tests will verify if the `wazuh-db` and `analysisd` daemons
+    correctly handle `syscheck` events considered rare.
+
+tiers:
+    - 2
+
+component:
+    manager
+
+path:
+    tests/integration/test_analysisd/test_all_syscheckd_configurations/
+
+daemons:
+    - analysisd
+    - syscheckd
+    - wazuh-db
+
+os_support:
+    - linux, rhel5
+    - linux, rhel6
+    - linux, rhel7
+    - linux, rhel8
+    - linux, amazon linux 1
+    - linux, amazon linux 2
+    - linux, debian buster
+    - linux, debian stretch
+    - linux, debian wheezy
+    - linux, ubuntu bionic
+    - linux, ubuntu xenial
+    - linux, ubuntu trusty
+    - linux, arch linux
+
+coverage:
+
+pytest_args:
+
+tags:
+
+'''
 import os
 
 import pytest
@@ -51,16 +98,48 @@
                          ids=[test_case['name'] for test_case in test_cases])
 def test_validate_rare_socket_responses(configure_sockets_environment, connect_to_sockets_module,
                                         wait_for_analysisd_startup, test_case: list):
-    """Validate every response from the analysisd socket to the wazuh-db socket using rare cases with encoded characters.
+    '''
+    description:
+        Validate every response from the `analysisd` socket to the `wazuh-db` socket
+        using rare `syscheck` events with encoded characters.
+
+    wazuh_min_version:
+        3.12
+
+    parameters:
+        - configure_sockets_environment:
+            type: fixture
+            brief: Configure environment for sockets and MITM.
+
+        - connect_to_sockets_module:
+            type: fixture
+            brief: Module scope version of `connect_to_sockets` fixture.
+
+        - wait_for_analysisd_startup:
+            type: fixture
+            brief: Wait until analysisd has begun and alerts.json is created.
+
+        - test_case:
+            type: list
+            brief: List of tests to be performed.
+
+    assertions:
+        - Check that the output logs are consistent with the syscheck events received.
+
+    test_input:
+        Different test cases that are contained in an external `YAML` file (syscheck_rare_events.yaml)
+        that includes `syscheck` events data and the expected output.
+
+    logging:
+        - ossec.log:
+            - "Multiple values located in the `syscheck_rare_events.yaml` file."
+
+        - alerts.json:
+            -"Multiple values located in the `syscheck_rare_events.yaml` file."
 
-    This test will catch every response from analysisd to wazuh-db in real-time using the yaml
-    `/data/syscheck_events.yaml`.
+    tags:
 
-    Parameters
-    ----------
-    test_case : dict
-        Dict with the input to inject to the analysisd socket and output to expect to be sent to the wazuh-db socket.
-    """
+    '''
     # There is only one stage per test_case
     stage = test_case[0]
     expected = callback_analysisd_message(stage['output'])

diff --git a/...tegration/test_analysisd/test_all_syscheckd_configurations/test_check_socket_responses.py b/...tegration/test_analysisd/test_all_syscheckd_configurations/test_check_socket_responses.py
@@ -1,7 +1,54 @@
-# Copyright (C) 2015-2021, Wazuh Inc.
-# Created by Wazuh, Inc. <info@wazuh.com>.
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+'''
+copyright:
+    Copyright (C) 2015-2021, Wazuh Inc.
 
+    Created by Wazuh, Inc. <info@wazuh.com>.
+
+    This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type:
+    integration
+
+description:
+    These tests will verify if the `wazuh-db` and `analysisd` daemons
+    correctly handle common `syscheck` events.
+
+tiers:
+    - 2
+
+component:
+    manager
+
+path:
+    tests/integration/test_analysisd/test_all_syscheckd_configurations/
+
+daemons:
+    - analysisd
+    - syscheckd
+    - wazuh-db
+
+os_support:
+    - linux, rhel5
+    - linux, rhel6
+    - linux, rhel7
+    - linux, rhel8
+    - linux, amazon linux 1
+    - linux, amazon linux 2
+    - linux, debian buster
+    - linux, debian stretch
+    - linux, debian wheezy
+    - linux, ubuntu bionic
+    - linux, ubuntu xenial
+    - linux, ubuntu trusty
+    - linux, arch linux
+
+coverage:
+
+pytest_args:
+
+tags:
+
+'''
 import os
 
 import pytest
@@ -51,16 +98,48 @@
                          ids=[test_case['name'] for test_case in test_cases])
 def test_validate_socket_responses(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup,
                                    test_case: list):
-    """Validate every response from the analysisd socket to the wazuh-db socket.
+    '''
+    description:
+        Validate every response from the `analysisd` socket to the `wazuh-db` socket
+        using common `syscheck` events.
+
+    wazuh_min_version:
+        3.12
+
+    parameters:
+        - configure_sockets_environment:
+            type: fixture
+            brief: Configure environment for sockets and MITM.
+
+        - connect_to_sockets_module:
+            type: fixture
+            brief: Module scope version of `connect_to_sockets` fixture.
+
+        - wait_for_analysisd_startup:
+            type: fixture
+            brief: Wait until analysisd has begun and alerts.json is created.
+
+        - test_case:
+            type: list
+            brief: List of tests to be performed.
+
+    assertions:
+        - Check that the output logs are consistent with the syscheck events received.
+
+    test_input:
+        Different test cases that are contained in an external `YAML` file (syscheck_events.yaml)
+        that includes `syscheck` events data and the expected output.
+
+    logging:
+        - ossec.log:
+            - "Multiple values located in the `syscheck_events.yaml` file."
+
+        - alerts.json:
+            -"Multiple values located in the `syscheck_events.yaml` file."
 
-    This test will catch every response from analysisd to wazuh-db in real-time using the yaml
-    `/data/syscheck_events.yaml`.
+    tags:
 
-    Parameters
-    ----------
-    test_case : dict
-        Dict with the input to inject to the analysisd socket and output to expect to be sent to the wazuh-db socket.
-    """
+    '''
     # There is only one stage per test_case
     stage = test_case[0]
     expected = callback_analysisd_message(stage['output'])

diff --git a/.../test_analysisd/test_all_syscheckd_configurations/test_validate_linux_analysisd_alerts.py b/.../test_analysisd/test_all_syscheckd_configurations/test_validate_linux_analysisd_alerts.py
@@ -1,7 +1,54 @@
-# Copyright (C) 2015-2021, Wazuh Inc.
-# Created by Wazuh, Inc. <info@wazuh.com>.
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+'''
+copyright:
+    Copyright (C) 2015-2021, Wazuh Inc.
 
+    Created by Wazuh, Inc. <info@wazuh.com>.
+
+    This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type:
+    integration
+
+description:
+    These tests will verify if the `analysisd` daemon correctly handles alerts generated
+    from the received Linux events.
+
+tiers:
+    - 2
+
+component:
+    manager
+
+path:
+    tests/integration/test_analysisd/test_all_syscheckd_configurations/
+
+daemons:
+    - analysisd
+    - syscheckd
+    - wazuh-db
+
+os_support:
+    - linux, rhel5
+    - linux, rhel6
+    - linux, rhel7
+    - linux, rhel8
+    - linux, amazon linux 1
+    - linux, amazon linux 2
+    - linux, debian buster
+    - linux, debian stretch
+    - linux, debian wheezy
+    - linux, ubuntu bionic
+    - linux, ubuntu xenial
+    - linux, ubuntu trusty
+    - linux, arch linux
+
+coverage:
+
+pytest_args:
+
+tags:
+
+'''
 import os
 
 import pytest
@@ -57,12 +104,53 @@ def get_alert(request):
 
 def test_validate_all_linux_alerts(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup,
                                    generate_events_and_alerts, get_alert):
-    """Check the event messages handling by analysisd.
+    '''
+    description:
+        Check that the alerts generated by `analysisd` from Linux systems events are valid.
+        The `validate_analysis_alert_complex` function checks if an `analysisd` alert is
+        properly formatted in reference to its `syscheck` event.
+
+    wazuh_min_version:
+        3.12
+
+    parameters:
+        - configure_sockets_environment:
+            type: fixture
+            brief: Configure environment for sockets and MITM.
+
+        - connect_to_sockets_module:
+            type: fixture
+            brief: Module scope version of `connect_to_sockets` fixture.
+
+        - wait_for_analysisd_startup:
+            type: fixture
+            brief: Wait until analysisd has begun and alerts.json is created.
+
+        - generate_events_and_alerts:
+            type: fixture
+            brief: Read the specified yaml and generate every event and alert using the input from every test case.
+
+        - get_alert:
+            type: fixture
+            brief: List of alerts to be validated.
+
+    assertions:
+        - Check that the alerts generated are consistent with the events received.
+
+    test_input:
+        Different test cases that are contained in an external `YAML` file (syscheck_events.yaml)
+        that includes `syscheck` events data and the expected output.
+
+    logging:
+        - ossec.log:
+            - "Multiple values located in the `syscheck_events.yaml` file."
+
+        - alerts.json:
+            -"Multiple values located in the `syscheck_events.yaml` file."
+
+    tags:
 
-    The variable `test_case` is a yaml file that contains the input and the expected output for every test case.
-    The function validate_analysis_integrity_state is a function responsible for checking that the output follows a
-    certain jsonschema.
-    """
+    '''
     alert = get_alert
     path = alert['syscheck']['path']
     mode = alert['syscheck']['event'].title()