Adding v2/archive_rule.py and v2/unarchive_rule.py Python samples

Chronicle Team · copybara-github · commit ac7ead1590c8 · 2021-05-08T08:43:56.000-07:00
PiperOrigin-RevId: 372721574
diff --git a/detect/v2/archive_rule.py b/detect/v2/archive_rule.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Executable and reusable sample for archiving a detection rule."""
+
+import argparse
+
+from google.auth.transport import requests
+
+from common import chronicle_auth
+
+CHRONICLE_API_BASE_URL = "https://backstory.googleapis.com"
+
+
+def archive_rule(http_session: requests.AuthorizedSession, version_id: str):
+  """Archives a detection rule.
+
+  Archiving a rule will fail if:
+  - The provided version is not the latest rule version
+  - The rule is enabled as live
+  - The rule has retrohunts in progress
+
+  If alerting is enabled for a rule, archiving the rule will automatically
+  disable alerting for the rule.
+
+  Args:
+    http_session: Authorized session for HTTP requests.
+    version_id: Unique ID of the detection rule to archive ("ru_<UUID>" or
+      "ru_<UUID>@v_<seconds>_<nanoseconds>"). If a version suffix isn't
+      specified we use the rule's latest version.
+
+  Raises:
+    requests.exceptions.HTTPError: HTTP request resulted in an error
+      (response.status_code >= 400).
+  """
+  url = f"{CHRONICLE_API_BASE_URL}/v2/detect/rules/{version_id}:archive"
+
+  response = http_session.request("POST", url)
+  # Expected server response:
+  # {}
+
+  if response.status_code >= 400:
+    print(response.text)
+  response.raise_for_status()
+
+
+if __name__ == "__main__":
+  parser = argparse.ArgumentParser()
+  chronicle_auth.add_argument_credentials_file(parser)
+  parser.add_argument(
+      "-vi",
+      "--version_id",
+      type=str,
+      required=True,
+      help="version ID ('ru_<UUID>[@v_<seconds>_<nanoseconds>]')")
+
+  args = parser.parse_args()
+  session = chronicle_auth.init_session(
+      chronicle_auth.init_credentials(args.credentials_file))
+  archive_rule(session, args.version_id)
diff --git a/detect/v2/archive_rule_test.py b/detect/v2/archive_rule_test.py
@@ -0,0 +1,49 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Unit tests for the "archive_rule" module."""
+
+import unittest
+from unittest import mock
+
+from google.auth.transport import requests
+from . import archive_rule
+
+
+class ArchiveRuleTest(unittest.TestCase):
+
+  @mock.patch.object(requests, "AuthorizedSession", autospec=True)
+  @mock.patch.object(requests.requests, "Response", autospec=True)
+  def test_http_error(self, mock_response, mock_session):
+    mock_session.request.return_value = mock_response
+    type(mock_response).status_code = mock.PropertyMock(return_value=400)
+    mock_response.raise_for_status.side_effect = (
+        requests.requests.exceptions.HTTPError())
+
+    with self.assertRaises(requests.requests.exceptions.HTTPError):
+      archive_rule.archive_rule(mock_session,
+                                "ru_12345678-1234-1234-1234-1234567890ab")
+
+  @mock.patch.object(requests, "AuthorizedSession", autospec=True)
+  @mock.patch.object(requests.requests, "Response", autospec=True)
+  def test_happy_path(self, mock_response, mock_session):
+    mock_session.request.return_value = mock_response
+    type(mock_response).status_code = mock.PropertyMock(return_value=200)
+
+    archive_rule.archive_rule(mock_session,
+                              "ru_12345678-1234-1234-1234-1234567890ab")
+
+
+if __name__ == "__main__":
+  unittest.main()
diff --git a/detect/v2/unarchive_rule.py b/detect/v2/unarchive_rule.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Executable and reusable sample for unarchiving a detection rule."""
+
+import argparse
+
+from google.auth.transport import requests
+
+from common import chronicle_auth
+
+CHRONICLE_API_BASE_URL = "https://backstory.googleapis.com"
+
+
+def unarchive_rule(http_session: requests.AuthorizedSession, version_id: str):
+  """Unarchives a detection rule.
+
+  Unarchiving a rule will fail if the provided version is not the latest rule
+  version.
+
+  Args:
+    http_session: Authorized session for HTTP requests.
+    version_id: Unique ID of the detection rule to unarchive ("ru_<UUID>" or
+      "ru_<UUID>@v_<seconds>_<nanoseconds>"). If a version suffix isn't
+      specified we use the rule's latest version.
+
+  Raises:
+    requests.exceptions.HTTPError: HTTP request resulted in an error
+      (response.status_code >= 400).
+  """
+  url = f"{CHRONICLE_API_BASE_URL}/v2/detect/rules/{version_id}:unarchive"
+
+  response = http_session.request("POST", url)
+  # Expected server response:
+  # {}
+
+  if response.status_code >= 400:
+    print(response.text)
+  response.raise_for_status()
+
+
+if __name__ == "__main__":
+  parser = argparse.ArgumentParser()
+  chronicle_auth.add_argument_credentials_file(parser)
+  parser.add_argument(
+      "-vi",
+      "--version_id",
+      type=str,
+      required=True,
+      help="version ID ('ru_<UUID>[@v_<seconds>_<nanoseconds>]')")
+
+  args = parser.parse_args()
+  session = chronicle_auth.init_session(
+      chronicle_auth.init_credentials(args.credentials_file))
+  unarchive_rule(session, args.version_id)
diff --git a/detect/v2/unarchive_rule_test.py b/detect/v2/unarchive_rule_test.py
@@ -0,0 +1,49 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Unit tests for the "archive_rule" module."""
+
+import unittest
+from unittest import mock
+
+from google.auth.transport import requests
+from . import unarchive_rule
+
+
+class ArchiveRuleTest(unittest.TestCase):
+
+  @mock.patch.object(requests, "AuthorizedSession", autospec=True)
+  @mock.patch.object(requests.requests, "Response", autospec=True)
+  def test_http_error(self, mock_response, mock_session):
+    mock_session.request.return_value = mock_response
+    type(mock_response).status_code = mock.PropertyMock(return_value=400)
+    mock_response.raise_for_status.side_effect = (
+        requests.requests.exceptions.HTTPError())
+
+    with self.assertRaises(requests.requests.exceptions.HTTPError):
+      unarchive_rule.unarchive_rule(mock_session,
+                                    "ru_12345678-1234-1234-1234-1234567890ab")
+
+  @mock.patch.object(requests, "AuthorizedSession", autospec=True)
+  @mock.patch.object(requests.requests, "Response", autospec=True)
+  def test_happy_path(self, mock_response, mock_session):
+    mock_session.request.return_value = mock_response
+    type(mock_response).status_code = mock.PropertyMock(return_value=200)
+
+    unarchive_rule.unarchive_rule(mock_session,
+                                  "ru_12345678-1234-1234-1234-1234567890ab")
+
+
+if __name__ == "__main__":
+  unittest.main()
