From f3b48631f122acc204f559271669802e31500cb3 Mon Sep 17 00:00:00 2001
From: giorgia
Date: Tue, 5 Mar 2024 18:06:07 +0100
Subject: [PATCH] fixed bug in exist filter
---
 CHANGELOG.md | 3 ++
 routing_test.py | 7 +++++
 routingfilter/filters/filters.py | 2 +-
 setup.py | 2 +-
 test_data/test_event_19.json | 36 +++++++++++++++++++++++
 test_data/test_rule_31_equals_exist.json | 37 ++++++++++++++++++++++++
 6 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100644 test_data/test_event_19.json
 create mode 100644 test_data/test_rule_31_equals_exist.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7bb2068..e864b17 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,7 @@
 ## 2.2.x
+### 2.2.7
+#### Bugfix
+* Fixed bug in exist filter
 ### 2.2.6
 #### Bugfix
 * Removed error logging in *filters.py*
diff --git a/routing_test.py b/routing_test.py
index b364df6..b56f5ae 100644
--- a/routing_test.py
+++ b/routing_test.py
@@ -39,6 +39,7 @@ def setUp(self):
 self.test_event_16 = load_test_data("test_event_16")
 self.test_event_17 = load_test_data("test_event_17")
 self.test_event_18 = load_test_data("test_event_18")
+ self.test_event_19 = load_test_data("test_event_19")
 self.test_event_with_list_1 = load_test_data("test_event_with_list_1")
 self.test_event_with_list_2 = load_test_data("test_event_with_list_2")
@@ -467,6 +468,12 @@ def test_count(self):
 self.routing.load_from_dicts(rule_list)
 self.assertEqual(self.routing.count(), 5)
+ def test_exist_source_ip(self):
+ self.routing.load_from_dicts([load_test_data("test_rule_31_equals_exist")])
+ match = self.routing.match(self.test_event_19)
+ self.assertTrue(match)
+ self.assertDictEqual(match[0].output, {"Workshop": {"workers_needed": 1}})
+
 if __name__ == "__main__":
 unittest.main()
diff --git a/routingfilter/filters/filters.py b/routingfilter/filters/filters.py
index 79ef047..66aa13f 100644
--- a/routingfilter/filters/filters.py
+++ b/routingfilter/filters/filters.py
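Review bot: `test_exist_source_ip` in routing_test.py asserts only the matching case, so it would still pass if the EXISTS filter matched every event that carries the right tag. A negative test would pin the fix: load the same rule, then `self.test_event_19["source"].pop("ip")` followed by `self.assertFalse(self.routing.match(self.test_event_19))`. That assumes a non-matching event gives a falsy result, as the existing `assertTrue(match)` suggests, and mutating the fixture is safe because `setUp` reloads it for every test. A further case with `"ip"` set to `None` would record how a null-valued field is meant to be treated.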
@@ -61,7 +61,7 @@ def match(self, event: DictQuery) -> bool:
 :rtype: bool
 """
 for key in self._key:
- if key in event.keys():
+ if event.get(key) is not None:
 return True
 return False
diff --git a/setup.py b/setup.py
index 00af922..bbddc4c 100644
--- a/setup.py
+++ b/setup.py
@@ -5,7 +5,7 @@
 setup(
 name="routingfilter",
- version="2.2.6",
+ version="2.2.7",
 packages=find_packages(include=["routingfilter", "routingfilter.*"]),
 include_package_data=True,
 install_requires=["IPy~=1.1", "macaddress~=2.0.2"],
diff --git a/test_data/test_event_19.json b/test_data/test_event_19.json
new file mode 100644
index 0000000..3c41016
--- /dev/null
+++ b/test_data/test_event_19.json
@@ -0,0 +1,36 @@
+{
+ "tags": [
+ "elastic_query",
+ "foobar"
+ ],
+ "user": {
+ "name": "mario.rossi"
+ },
+ "event": {
+ "kind": "event",
+ "type": "start",
+ "action": "login",
+ "outcome": "success",
+ "category": "authentication"
+ },
+ "radius": {
+ "ttl": 17.044188022613525,
+ "result": "success"
+ },
+ "source": {
+ "ip": "1.1.1.1",
+ "port": 10402
+ },
+ "network": {
+ "protocol": "radius"
+ },
+ "severity": 3,
+ "reply_msg": "Enter your SecurID OTP or select another method: 1 to Approve on your registered authenticator, 2 for Biometrics"
+}
+
+
+
+
+
+
+
diff --git a/test_data/test_rule_31_equals_exist.json b/test_data/test_rule_31_equals_exist.json
new file mode 100644
index 0000000..c4503d6
--- /dev/null
+++ b/test_data/test_rule_31_equals_exist.json
@@ -0,0 +1,37 @@
+{
+ "streams": {
+ "rules": {
+ "elastic_query": [
+ {
+ "id": "equals-ffh498",
+ "filters": [
+ {
+ "id": 5540,
+ "key": [
+ "tags"
+ ],
+ "type": "EQUALS",
+ "value": [
+ "bar",
+ "foobar"
+ ]
+ },
+ {
+ "id": 6001,
+ "key": [
+ "source.ip"
+ ],
+ "type": "EXISTS",
+ "value": []
+ }
+ ],
+ "streams": {
+ "Workshop": {
+ "workers_needed": 1
+ }
+ }
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
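Review bot: In `match` (routingfilter/filters/filters.py), `event.get(key) is not None` makes a key that is present with an explicit null value indistinguishable from a missing key, and the docstring tail visible in the hunk does not say which of the two EXISTS is meant to cover. For a filter that routes security events this matters to rule authors: a top-level key set to null, which the old `in event.keys()` test accepted, no longer satisfies an EXISTS rule, while falsy values such as `0` or `""` still do as far as this line shows. I would record that above the check with `# EXISTS = key resolves to a non-None value; null-valued keys count as missing, falsy values (0, "", []) still match`. Whether `get` resolves dotted paths like `source.ip` depends on `DictQuery`, which is not shown here, and the function's signature and the start of its docstring are outside the hunk.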