Feature/Option to use OR queries on security-data/alerts search (#117)

timabrmsn · web-flow · commit 15f0378baeaf · 2020-07-23T11:56:43.000-05:00
* add --password option to `profile create` and `profile update` commands

* remove unused `_reset_pw()`

* remove unused `_reset_pw()`

* clarify reset-pw help

* fix bad merge and test

* add --or-query option to `alerts search` and `security-data search`

* bump required extractor version

* fixes

* fix style

* tests for OR expected query

* style fix

* remove unused result var

* change or_query check

* change or_query check on security-data
diff --git a/setup.py b/setup.py
@@ -33,10 +33,10 @@
     install_requires=[
         "click>=7.1.1",
         "colorama>=0.4.3",
-        "c42eventextractor==0.3.2",
+        "c42eventextractor==0.4.0",
         "keyring==18.0.1",
         "keyrings.alt==3.2.0",
-        "py42>=1.5.1",
+        "py42>=1.7.0",
     ],
     extras_require={
         "dev": [
diff --git a/src/code42cli/cmds/alerts.py b/src/code42cli/cmds/alerts.py
@@ -155,15 +155,21 @@ def clear_checkpoint(state, checkpoint_name):
 @alerts.command()
 @alert_options
 @search_options
+@click.option(
+    "--or-query", is_flag=True, cls=searchopt.AdvancedQueryAndSavedSearchIncompatible
+)
 @opt.sdk_options
-def search(cli_state, format, begin, end, advanced_query, use_checkpoint, **kwargs):
+def search(
+    cli_state, format, begin, end, advanced_query, use_checkpoint, or_query, **kwargs
+):
     """Search for alerts."""
     output_logger = logger_factory.get_logger_for_stdout(format)
     cursor = _get_alert_cursor_store(cli_state.profile.name) if use_checkpoint else None
     handlers = ext.create_handlers(
         cli_state.sdk, AlertExtractor, output_logger, cursor, use_checkpoint
     )
     extractor = _get_alert_extractor(cli_state.sdk, handlers)
+    extractor.use_or_query = or_query
     if advanced_query:
         extractor.extract_advanced(advanced_query)
     else:
diff --git a/src/code42cli/cmds/profile.py b/src/code42cli/cmds/profile.py
@@ -26,19 +26,11 @@ def profile():
     help="The name of the Code42 CLI profile to use when executing this command.",
 )
 server_option = click.option(
-    "-s",
-    "--server",
-    required=True,
-    type=str,
-    help="The url and port of the Code42 server.",
+    "-s", "--server", required=True, help="The url and port of the Code42 server.",
 )
 
 username_option = click.option(
-    "-u",
-    "--username",
-    required=True,
-    type=str,
-    help="The username of the Code42 API user.",
+    "-u", "--username", required=True, help="The username of the Code42 API user.",
 )
 
 password_option = click.option(
diff --git a/src/code42cli/cmds/securitydata.py b/src/code42cli/cmds/securitydata.py
@@ -163,9 +163,20 @@ def clear_checkpoint(state, checkpoint_name):
 @security_data.command()
 @file_event_options
 @search_options
+@click.option(
+    "--or-query", is_flag=True, cls=searchopt.AdvancedQueryAndSavedSearchIncompatible
+)
 @sdk_options
 def search(
-    state, format, begin, end, advanced_query, use_checkpoint, saved_search, **kwargs
+    state,
+    format,
+    begin,
+    end,
+    advanced_query,
+    use_checkpoint,
+    saved_search,
+    or_query,
+    **kwargs
 ):
     """Search for file events."""
     output_logger = logger_factory.get_logger_for_stdout(format)
@@ -176,6 +187,8 @@ def search(
         state.sdk, FileEventExtractor, output_logger, cursor, use_checkpoint
     )
     extractor = _get_file_event_extractor(state.sdk, handlers)
+    extractor.use_or_query = or_query
+    extractor.or_query_exempt_filters.append(f.ExposureType.exists())
     if advanced_query:
         extractor.extract_advanced(advanced_query)
     elif saved_search:
diff --git a/tests/cmds/test_alerts.py b/tests/cmds/test_alerts.py
@@ -1,3 +1,5 @@
+import json
+
 import py42.sdk.queries.alerts.filters as f
 import pytest
 from c42eventextractor.extractors import AlertExtractor
@@ -576,3 +578,57 @@ def test_search_when_given_multiple_search_args_uses_expected_filters(
     assert str(f.Actor.is_in([actor])) in filter_strings
     assert str(f.Actor.not_in([exclude_actor])) in filter_strings
     assert str(f.RuleName.is_in([rule_name])) in filter_strings
+
+
+def test_search_with_or_query_flag_produces_expected_query(runner, cli_state):
+    begin_date = get_test_date_str(days_ago=10)
+    test_actor = "test@example.com"
+    test_rule_type = "FedEndpointExfiltration"
+    runner.invoke(
+        cli,
+        [
+            "alerts",
+            "search",
+            "--or-query",
+            "--begin",
+            begin_date,
+            "--actor",
+            test_actor,
+            "--rule-type",
+            test_rule_type,
+        ],
+        obj=cli_state,
+    )
+    expected_query = {
+        "tenantId": None,
+        "groupClause": "AND",
+        "groups": [
+            {
+                "filterClause": "AND",
+                "filters": [
+                    {
+                        "operator": "ON_OR_AFTER",
+                        "term": "createdAt",
+                        "value": "{}T00:00:00.000Z".format(begin_date),
+                    }
+                ],
+            },
+            {
+                "filterClause": "OR",
+                "filters": [
+                    {"operator": "IS", "term": "actor", "value": "test@example.com"},
+                    {
+                        "operator": "IS",
+                        "term": "type",
+                        "value": "FedEndpointExfiltration",
+                    },
+                ],
+            },
+        ],
+        "pgNum": 0,
+        "pgSize": 500,
+        "srtDirection": "asc",
+        "srtKey": "CreatedAt",
+    }
+    actual_query = json.loads(str(cli_state.sdk.alerts.search.call_args[0][0]))
+    assert actual_query == expected_query
diff --git a/tests/cmds/test_securitydata.py b/tests/cmds/test_securitydata.py
@@ -1,3 +1,4 @@
+import json
 import logging
 
 import py42.sdk.queries.fileevents.filters as f
@@ -634,3 +635,59 @@ def test_show_detail_calls_get_by_id_method(runner, cli_state):
         cli, ["security-data", "saved-search", "show", test_id], obj=cli_state
     )
     cli_state.sdk.securitydata.savedsearches.get_by_id.assert_called_once_with(test_id)
+
+
+def test_search_with_or_query_flag_produces_expected_query(runner, cli_state):
+    begin_date = get_test_date_str(days_ago=10)
+    test_username = "test@example.com"
+    test_filename = "test.txt"
+    runner.invoke(
+        cli,
+        [
+            "security-data",
+            "search",
+            "--or-query",
+            "--begin",
+            begin_date,
+            "--c42-username",
+            test_username,
+            "--file-name",
+            test_filename,
+        ],
+        obj=cli_state,
+    )
+    expected_query = {
+        "groupClause": "AND",
+        "groups": [
+            {
+                "filterClause": "AND",
+                "filters": [
+                    {"operator": "EXISTS", "term": "exposure", "value": None},
+                    {
+                        "operator": "ON_OR_AFTER",
+                        "term": "eventTimestamp",
+                        "value": "{}T00:00:00.000Z".format(begin_date),
+                    },
+                ],
+            },
+            {
+                "filterClause": "OR",
+                "filters": [
+                    {
+                        "operator": "IS",
+                        "term": "deviceUserName",
+                        "value": "test@example.com",
+                    },
+                    {"operator": "IS", "term": "fileName", "value": "test.txt"},
+                ],
+            },
+        ],
+        "pgNum": 1,
+        "pgSize": 10000,
+        "srtDir": "asc",
+        "srtKey": "insertionTimestamp",
+    }
+    actual_query = json.loads(
+        str(cli_state.sdk.securitydata.search_file_events.call_args[0][0])
+    )
+    assert actual_query == expected_query
