Merge pull request #23 from certego/exist_filter_bug

fixed bug in exist filter
certego · Mar 5, 2024 · 5e214b9 · 5e214b9
2 parents 5b33605 + f3b4863
commit 5e214b9
Show file tree

Hide file tree

Showing 6 changed files with 85 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,7 @@
 ## 2.2.x
+### 2.2.7
+#### Bugfix
+* Fixed bug in exist filter
 ### 2.2.6
 #### Bugfix
 * Removed error logging in *filters.py*

diff --git a/routing_test.py b/routing_test.py
@@ -39,6 +39,7 @@ def setUp(self):
         self.test_event_16 = load_test_data("test_event_16")
         self.test_event_17 = load_test_data("test_event_17")
         self.test_event_18 = load_test_data("test_event_18")
+        self.test_event_19 = load_test_data("test_event_19")
         self.test_event_with_list_1 = load_test_data("test_event_with_list_1")
         self.test_event_with_list_2 = load_test_data("test_event_with_list_2")
 
@@ -467,6 +468,12 @@ def test_count(self):
         self.routing.load_from_dicts(rule_list)
         self.assertEqual(self.routing.count(), 5)
 
+    def test_exist_source_ip(self):
+        self.routing.load_from_dicts([load_test_data("test_rule_31_equals_exist")])
+        match = self.routing.match(self.test_event_19)
+        self.assertTrue(match)
+        self.assertDictEqual(match[0].output, {"Workshop": {"workers_needed": 1}})
+
 
 if __name__ == "__main__":
     unittest.main()
diff --git a/routingfilter/filters/filters.py b/routingfilter/filters/filters.py
@@ -61,7 +61,7 @@ def match(self, event: DictQuery) -> bool:
         :rtype: bool
         """
         for key in self._key:
-            if key in event.keys():
+            if event.get(key) is not None:
                 return True
         return False
 

diff --git a/setup.py b/setup.py
@@ -5,7 +5,7 @@
 
 setup(
     name="routingfilter",
-    version="2.2.6",
+    version="2.2.7",
     packages=find_packages(include=["routingfilter", "routingfilter.*"]),
     include_package_data=True,
     install_requires=["IPy~=1.1", "macaddress~=2.0.2"],

diff --git a/test_data/test_event_19.json b/test_data/test_event_19.json
@@ -0,0 +1,36 @@
+{
+  "tags": [
+    "elastic_query",
+    "foobar"
+  ],
+  "user": {
+    "name": "mario.rossi"
+  },
+  "event": {
+    "kind": "event",
+    "type": "start",
+    "action": "login",
+    "outcome": "success",
+    "category": "authentication"
+  },
+  "radius": {
+    "ttl": 17.044188022613525,
+    "result": "success"
+  },
+  "source": {
+    "ip": "1.1.1.1",
+    "port": 10402
+  },
+  "network": {
+    "protocol": "radius"
+  },
+  "severity": 3,
+  "reply_msg": "Enter your SecurID OTP or select another method: 1 to Approve on your registered authenticator, 2 for Biometrics"
+}
+
+
+
+
+
+
+
diff --git a/test_data/test_rule_31_equals_exist.json b/test_data/test_rule_31_equals_exist.json
@@ -0,0 +1,37 @@
+{
+  "streams": {
+    "rules": {
+      "elastic_query": [
+        {
+          "id": "equals-ffh498",
+          "filters": [
+            {
+              "id": 5540,
+              "key": [
+                "tags"
+              ],
+              "type": "EQUALS",
+              "value": [
+                "bar",
+                "foobar"
+              ]
+            },
+            {
+              "id": 6001,
+              "key": [
+                "source.ip"
+              ],
+              "type": "EXISTS",
+              "value": []
+            }
+          ],
+          "streams": {
+            "Workshop": {
+              "workers_needed": 1
+            }
+          }
+        }
+      ]
+    }
+  }
+}