From dcd4f6917d8f0ff29ed1d3cd053ea43f78552772 Mon Sep 17 00:00:00 2001
From: chemamartinez
Date: Wed, 7 Feb 2024 23:10:35 +0100
Subject: [PATCH] Fix some unit tests
---
 x-pack/filebeat/input/etw/input.go | 13 +++-
 x-pack/filebeat/input/etw/input_test.go | 95 +++++++++++++------------
 2 files changed, 59 insertions(+), 49 deletions(-)
diff --git a/x-pack/filebeat/input/etw/input.go b/x-pack/filebeat/input/etw/input.go
index ef0b9e633000..5bfa1c2dacf3 100644
--- a/x-pack/filebeat/input/etw/input.go
+++ b/x-pack/filebeat/input/etw/input.go
@@ -121,7 +121,7 @@ func (e *etwInput) Run(ctx input.Context, publisher stateless.Publisher) error {
 evt := beat.Event{
 Timestamp: time.Now(),
 Fields: mapstr.M{
- "metadata": fillEventMetadata(record, e.etwSession, e.config),
+ "metadata": fillEventMetadata(e.etwSession, e.config),
 "header": fillEventHeader(record.EventHeader),
 "winlog": data,
 },
@@ -197,6 +197,13 @@ func fillEventHeader(h etw.EventHeader) map[string]interface{} {

 // convertFileTimeToGoTime converts a Windows FileTime to a Go time.Time structure.
 func convertFileTimeToGoTime(fileTime64 uint64) time.Time {
+ // Define the offset between Windows epoch (1601) and Unix epoch (1970)
+ const epochDifference = 116444736000000000
+ if fileTime64 < epochDifference {
+ // Time is before the Unix epoch, adjust accordingly
+ return time.Time{}
+ }
+
 fileTime := windows.Filetime{
 HighDateTime: uint32(fileTime64 >> 32),
 LowDateTime: uint32(fileTime64 & math.MaxUint32),
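Review bot: The new guard in convertFileTimeToGoTime returns `time.Time{}` for any FileTime below the Unix epoch, but the comment on it says the time is "adjusted", and nothing tells a caller that the zero time is a sentinel rather than a parsed value; presumably this value reaches the published event through `fillEventHeader(record.EventHeader)` in the first hunk, where a downstream consumer cannot tell a malformed header from a genuine one. Replace the inline comment with the actual contract, e.g. `// FileTimes before the Unix epoch are treated as invalid; return the zero time so callers can detect it with IsZero().`, and state the same in the function's doc comment. The `epochDifference` constant duplicates the offset that windows.Filetime.Nanoseconds already subtracts, so a one-line note that the two must agree would help the next reader. The function's closing brace and final return are outside this hunk.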
@@ -205,8 +212,8 @@ func convertFileTimeToGoTime(fileTime64 uint64) time.Time {
 return time.Unix(0, fileTime.Nanoseconds())
 }

-// fillEventMetadata constructs a metadata map for an event record.
-func fillEventMetadata(record *etw.EventRecord, session *etw.Session, cfg config) map[string]interface{} {
+// fillEventMetadata constructs a metadata map with session information.
+func fillEventMetadata(session *etw.Session, cfg config) map[string]interface{} {
 metadata := make(map[string]interface{})

 // Include provider name and GUID in metadata if available
diff --git a/x-pack/filebeat/input/etw/input_test.go b/x-pack/filebeat/input/etw/input_test.go
index 0d1ec077653a..765d96404be6 100644
--- a/x-pack/filebeat/input/etw/input_test.go
+++ b/x-pack/filebeat/input/etw/input_test.go
@@ -24,7 +24,7 @@ func Test_fillEventHeader(t *testing.T) {
 expected map[string]interface{}
 }{
 {
- name: "Test with Level 1 (Critical)",
+ name: "TestStandardHeader",
 header: etw.EventHeader{
 Size: 100,
 HeaderType: 10,
@@ -57,23 +57,23 @@ func Test_fillEventHeader(t *testing.T) {
 },
 },
 expected: map[string]interface{}{
- "size": 100,
- "type": 10,
- "flags": 20,
- "event_property": 30,
- "thread_id": 40,
- "process_id": 50,
+ "size": uint16(100),
+ "type": uint16(10),
+ "flags": uint16(20),
+ "event_property": uint16(30),
+ "thread_id": uint32(40),
+ "process_id": uint32(50),
 "timestamp": "2024-02-05T22:03:09.035Z",
 "provider_guid": "{12345678-1234-1234-1234-123456789ABC}",
- "event_id": 60,
- "event_version": 70,
- "channel": 80,
- "level": 1,
+ "event_id": uint16(60),
+ "event_version": uint8(70),
+ "channel": uint8(80),
+ "level": uint8(1),
 "severity": "critical",
- "opcode": 90,
- "task": 100,
- "keyword": 110,
- "time": 120,
+ "opcode": uint8(90),
+ "task": uint16(100),
+ "keyword": uint64(110),
+ "time": uint64(120),
 "activity_guid": "{12345678-1234-1234-1234-123456789ABC}",
 },
 },
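Review bot: The new doc comment on fillEventMetadata says the map holds "session information", yet the test table later in this patch expects `provider_name`/`provider_guid` taken from `cfg` as well as `logfile`/`session` keys, so the comment undersells what the function returns and does not say which input wins. Suggest `// fillEventMetadata builds the event metadata map (provider_name, provider_guid, logfile, session) from cfg and the session; cfg values take precedence where both are set.` — the precedence is inferred from the TestProviderGUIDFromSession case name and should be confirmed against the body, which continues outside this hunk.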
@@ -83,7 +83,22 @@ func Test_fillEventHeader(t *testing.T) {
 t.Run(tt.name, func(t *testing.T) {
 header := fillEventHeader(tt.header)
 assert.Equal(t, tt.expected["size"], header["size"])
-
+ assert.Equal(t, tt.expected["type"], header["type"])
+ assert.Equal(t, tt.expected["flags"], header["flags"])
+ assert.Equal(t, tt.expected["event_property"], header["event_property"])
+ assert.Equal(t, tt.expected["thread_id"], header["thread_id"])
+ assert.Equal(t, tt.expected["process_id"], header["process_id"])
+ assert.Equal(t, tt.expected["provider_guid"], header["provider_guid"])
+ assert.Equal(t, tt.expected["event_id"], header["event_id"])
+ assert.Equal(t, tt.expected["event_version"], header["event_version"])
+ assert.Equal(t, tt.expected["channel"], header["channel"])
+ assert.Equal(t, tt.expected["level"], header["level"])
+ assert.Equal(t, tt.expected["severity"], header["severity"])
+ assert.Equal(t, tt.expected["opcode"], header["opcode"])
+ assert.Equal(t, tt.expected["task"], header["task"])
+ assert.Equal(t, tt.expected["keyword"], header["keyword"])
+ assert.Equal(t, tt.expected["time"], header["time"])
+ assert.Equal(t, tt.expected["activity_guid"], header["activity_guid"])
 })
 }
 }
@@ -95,19 +110,19 @@ func Test_convertFileTimeToGoTime(t *testing.T) {
 want time.Time
 }{
 {
- name: "Windows epoch",
- fileTime: 0, // January 1, 1601 (Windows epoch)
- want: time.Date(1601, 01, 01, 0, 0, 0, 0, time.UTC),
+ name: "TestZeroValue",
+ fileTime: 0,
+ want: time.Time{},
 },
 {
- name: "Unix epoch",
+ name: "TestUnixEpoch",
 fileTime: 116444736000000000, // January 1, 1970 (Unix epoch)
 want: time.Unix(0, 0),
 },
 {
- name: "Actual date",
- fileTime: 133515900000000000, // February 05, 2023, 7:00:00 AM
- want: time.Date(2023, 02, 05, 7, 0, 0, 0, time.UTC),
+ name: "TestActualDate",
+ fileTime: 133515900000000000, // February 05, 2024, 7:00:00 AM
+ want: time.Date(2024, 02, 05, 7, 0, 0, 0, time.UTC),
 },
 }
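Review bot: The assertions added below `header["size"]` check every key of `expected` except `timestamp`, although the map in the earlier hunk defines `"timestamp": "2024-02-05T22:03:09.035Z"`, so the one header field that is derived rather than copied (the FileTime conversion) is the one left unverified. If that is deliberate, say so with a comment on the `expected` entry; otherwise add `assert.Equal(t, tt.expected["timestamp"], header["timestamp"])`. Sixteen near-identical lines are also easier to keep in step with the table as a loop, `for k, want := range tt.expected { assert.Equal(t, want, header[k], k) }`, which cannot silently skip a key when a field is added. Test_fillEventHeader's table starts outside this hunk.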
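Review bot: `TestActualDate` now wants a UTC `time.Date`, while the function under test returns `time.Unix(0, fileTime.Nanoseconds())` (context in the input.go hunk above), which carries the local Location; if the comparison in the loop below this hunk uses `assert.Equal`, that is reflect.DeepEqual and the two values will not compare equal even in a UTC zone, because their Location pointers differ. Compare with `assert.True(t, tt.want.Equal(got))` or normalise both sides with `.UTC()` so the test does not depend on the machine's zone. `TestZeroValue` pins the new sentinel behaviour but reads like a typo next to the removed 1601 expectation; a comment such as `// below the Unix epoch: the converter returns the zero time` would make the intent explicit. The test loop that performs the comparison is outside this hunk.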
@@ -124,32 +139,29 @@ func Test_convertFileTimeToGoTime(t *testing.T) {
 func Test_fillEventMetadata(t *testing.T) {
 tests := []struct {
 name string
- record *etw.EventRecord
 session *etw.Session
 cfg config
 expected map[string]interface{}
 }{
 // Test Provider Name and GUID from config
 {
- name: "TestProviderNameAndGUIDFromConfig",
- record: &etw.EventRecord{},
+ name: "TestProviderNameAndGUIDFromConfig",
 session: &etw.Session{
 GUID: windows.GUID{},
 Name: "SessionName",
 },
 cfg: config{
 ProviderName: "TestProvider",
- ProviderGUID: "{12345678-1234-1234-1234-123456789abc}",
+ ProviderGUID: "{12345678-1234-1234-1234-123456789ABC}",
 },
 expected: map[string]interface{}{
- "ProviderName": "TestProvider",
- "ProviderGUID": "{12345678-1234-1234-1234-123456789abc}",
+ "provider_name": "TestProvider",
+ "provider_guid": "{12345678-1234-1234-1234-123456789ABC}",
 },
 },
 // Test Provider GUID from session if not available in config
 {
- name: "TestProviderGUIDFromSession",
- record: &etw.EventRecord{},
+ name: "TestProviderGUIDFromSession",
 session: &etw.Session{
 GUID: windows.GUID{
 Data1: 0x12345678,
@@ -162,14 +174,13 @@ func Test_fillEventMetadata(t *testing.T) {
 ProviderName: "TestProvider",
 },
 expected: map[string]interface{}{
- "ProviderName": "TestProvider",
- "ProviderGUID": "{12345678-1234-1234-1234-123456789abc}",
+ "provider_name": "TestProvider",
+ "provider_guid": "{12345678-1234-1234-1234-123456789ABC}",
 },
 },
 // Test Logfile and Session Information
 {
- name: "TestLogfileAndSessionInfo",
- record: &etw.EventRecord{},
+ name: "TestLogfileAndSessionInfo",
 session: &etw.Session{
 GUID: windows.GUID{},
 Name: "SessionName",
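Review bot: In `TestProviderNameAndGUIDFromConfig` the config input and the expected `provider_guid` were both switched to the same upper-case GUID, so the case no longer shows whether fillEventMetadata normalises the GUID's case or passes the config string through; the `TestProviderGUIDFromSession` case expects upper-case from the session path, so a user who configures the GUID in lower case may see the same provider reported in two spellings, which hurts anyone correlating or filtering on `provider_guid`. Add a case with a lower- or mixed-case `ProviderGUID` and pin the intended output, or note in the table comment that the config value is copied verbatim. Test_fillEventMetadata continues in the following hunks.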
@@ -180,23 +191,15 @@ func Test_fillEventMetadata(t *testing.T) {
 SessionName: "DifferentSessionName",
 },
 expected: map[string]interface{}{
- "Logfile": "C:\\Logs\\test.log",
- "Session": "TestSession",
+ "logfile": "C:\\Logs\\test.log",
+ "session": "TestSession",
 },
 },
- // Test with nil EventRecord
- {
- name: "TestWithNilEventRecord",
- record: nil,
- session: nil,
- cfg: config{},
- expected: map[string]interface{}{},
- },
 }

 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- result := fillEventMetadata(tt.record, tt.session, tt.cfg)
+ result := fillEventMetadata(tt.session, tt.cfg)
 assert.Equal(t, tt.expected, result, "fillEventMetadata() should match the expected output")
 })
 }
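Review bot: Deleting `TestWithNilEventRecord` also removes the only case that calls fillEventMetadata with `session: nil` and expects an empty map, so a nil session is now untested and a later change that dereferences `session.GUID` or `session.Name` unconditionally would pass CI; Run passes `e.etwSession`, whose initialisation is not visible here, so the non-nil precondition cannot be confirmed from this patch. Keep a trimmed case, `{name: "TestNilSession", session: nil, cfg: config{}, expected: map[string]interface{}{}},`, or document on the function that session must be non-nil. The enclosing test function's closing brace is outside this hunk.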