RubyGems - plunk - Versions diffs - 0.0.7 → 0.0.8 - Mend

plunk 0.0.7 → 0.0.8

Files changed (15) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9995468d364aaf1391ad67f6d1f8ddb4e65a6553
-  data.tar.gz: f1594cf5f75541b1cfec6a2d82fa9eb55d243345
+  metadata.gz: 599c26a054ac47928ba6b476dcf62c2731b07305
+  data.tar.gz: d10dbfe0b2c3d3d26611a509b1e699bc42b8e412
 SHA512:
-  metadata.gz: 26187e0add2cc39f6fe1e915e701bf237a8638c61d81331c430c934f98f588a89007edf2813765dde894c3da5238b86dadb671f3b7e408a03ee24e8a99d64117
-  data.tar.gz: 95473787d59e19a6d984a170a78f64ff8dad05e9f69592ffdc57c33d0a5fe4e6bc548328af6c25719c8083e25e3b89d294cec53b3a912f02cb4ecc25c6703d03
+  metadata.gz: 1f5facdc7cedcfdb9a94d7f51a148ad72319b1ebd55ae54449c6e860f6a173149da2f5ec95697ef2a7e23bcd2af46535154bfba46030345864f07ab2c244144d
+  data.tar.gz: 0b8b372f4b1b5ca0ae46cfcb3d2214e68dcc5490432b9117bb02d84f8e2cbf564f8322b961d385eb0ea57116e1b4b3b2b542d16f105364702573c8a4a0a56ec9

data/Gemfile.lock CHANGED

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    plunk (0.0.6)
+    plunk (0.0.7)
       activesupport
       json
       parslet

data/lib/plunk/parser.rb CHANGED

@@ -19,7 +19,7 @@ class Plunk::Parser < Parslet::Parser
   # Field / value
   rule(:identifier) { match['_@a-zA-Z.'].repeat(1) }
   rule(:wildcard)   { match('[a-zA-Z0-9.*]').repeat(1) }
-  rule(:searchop)   { match('[=]').as(:op) >> space? }
+  rule(:searchop)   { match('[=]').as(:op) }
   # boolean operators search
   rule(:concatop)   { (str('OR') | str('AND')) >> space? }
@@ -30,27 +30,27 @@ class Plunk::Parser < Parslet::Parser
   # Grammar parts
   rule(:rhs) {
-      (regex | wildcard | integer | subsearch |
-        (lparen >> (space? >> (wildcard | integer) >>
-          (space >> concatop).maybe).repeat(1) >> rparen))
+      regexp | subsearch | integer | wildcard |
+       (lparen >> (space? >> (wildcard | integer) >>
+         (space >> concatop).maybe).repeat(1) >> rparen).maybe
   }
-  rule(:regex) {
+  rule(:regexp) {
     str('/') >> match('[^/]').repeat >> str('/')
   }
+  rule(:last) {
+    str("last") >> space >> timerange.as(:timerange) >> (space >>
+    search.as(:search)).maybe
+  }
   rule(:search) {
     identifier.as(:field) >> space? >> searchop >> space? >>
       rhs.as(:value) | rhs.as(:match)
   }
-  rule(:last) {
-    str("last") >> space >> timerange.as(:timerange) >> space >>
-    search.as(:search)
-  }
   rule(:binaryop) {
-    (paren | search).as(:left) >> space? >> operator >> job.as(:right)
+    (search | paren).as(:left) >> space? >> operator >> job.as(:right)
   }
   rule(:subsearch) {
@@ -58,12 +58,9 @@ class Plunk::Parser < Parslet::Parser
   }
   rule(:nested_search) {
-    match('[^|]').repeat.as(:term) >> str('|') >> space? >>
+    match('[^|]').repeat.as(:initial_query) >> str('|') >> space? >>
     match('[^`]').repeat.as(:extractors)
-  }
-  rule(:joined_search) {
+    # job >> str('|') >> space? >>
   }
   rule(:paren) {
@@ -71,7 +68,7 @@ class Plunk::Parser < Parslet::Parser
   }
   rule(:job) {
-    binaryop | paren | last | search
+    last | search | binaryop | paren
   }
   # root :job

data/plunk.gemspec CHANGED

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name                    = "plunk"
-  s.version                 = "0.0.7"
+  s.version                 = "0.0.8"
   s.date                    = "2013-12-03"
   s.add_runtime_dependency  "json"
   s.add_runtime_dependency  "parslet"

data/spec/basic_spec.rb ADDED

@@ -0,0 +1,25 @@
+require 'spec_helper'
+describe 'basic searches' do
+  before :each do
+    @parsed = @parser.parse 'bar'
+  end
+  it 'should parse a single keyword' do
+    expect(@parsed[:match].to_s).to eq 'bar'
+  end
+  context 'transformed' do
+    before :each do
+      @result_set = @transformer.apply(@parsed)
+    end
+    it 'should be a proper query' do
+      @result_set.query.should eq({
+       query: {
+         query_string: {
+           query: 'bar'
+      }}})
+    end
+  end
+end

data/spec/boolean_spec.rb ADDED

@@ -0,0 +1,20 @@
+require 'spec_helper'
+describe 'boolean searches' do
+  it 'should parse last command with boolean' do
+    @parsed = @parser.parse 'last 1h (foo OR bar)'
+    expect(@parsed[:search][:match].to_s).to eq '(foo OR bar)'
+  end
+  it 'should parse a single field / value complex boolean expression' do
+    @parsed = @parser.parse 'ids.attackers=(bar OR car)'
+    expect(@parsed[:field].to_s).to eq 'ids.attackers'
+    expect(@parsed[:value].to_s).to eq '(bar OR car)'
+    expect(@parsed[:op].to_s).to eq '='
+  end
+  it 'should parse a single boolean expression' do
+    @parsed = @parser.parse '(bar OR car)'
+    expect(@parsed[:match].to_s).to eq '(bar OR car)'
+  end
+end

data/spec/field_value_spec.rb ADDED

@@ -0,0 +1,17 @@
+require 'spec_helper'
+describe 'field / value searches' do
+  it 'should parse a single field/value combo' do
+    @parsed = @parser.parse 'tshark.http.@src_ip=bar'
+    expect(@parsed[:field].to_s).to eq 'tshark.http.@src_ip'
+    expect(@parsed[:value].to_s).to eq 'bar'
+    expect(@parsed[:op].to_s).to eq '='
+  end
+  it 'should parse a single field / parenthesized value' do
+    @parsed = @parser.parse 'ids.attacker=(10.150.44.195)'
+    expect(@parsed[:field].to_s).to eq 'ids.attacker'
+    expect(@parsed[:value].to_s).to eq '(10.150.44.195)'
+    expect(@parsed[:op].to_s).to eq '='
+  end
+end

data/spec/last_spec.rb ADDED

@@ -0,0 +1,47 @@
+require 'spec_helper'
+describe 'the last command' do
+  context 'basic' do
+    it 'should parse a standalone last command' do
+      @parsed = @parser.parse 'last 24h'
+      expect(@parsed[:timerange][:quantity].to_s).to eq '24'
+      expect(@parsed[:timerange][:quantifier].to_s).to eq 'h'
+    end
+  end
+  context 'complex' do
+    before :all do
+      @parsed = @parser.parse 'last 24w tshark.@src_ip = bar'
+    end
+    it 'should parse last command with a search' do
+      expect(@parsed[:timerange][:quantity].to_s).to eq '24'
+      expect(@parsed[:timerange][:quantifier].to_s).to eq 'w'
+      expect(@parsed[:search][:field].to_s).to eq 'tshark.@src_ip'
+      expect(@parsed[:search][:value].to_s).to eq 'bar'
+    end
+    context 'transformation' do
+      before :each do
+        @result_set = @transformer.apply(@parsed)
+      end
+      it 'should have the proper result set' do
+        @result_set.should be_a Plunk::ResultSet
+        @result_set.query.should be_present
+        query = { query: {
+          query_string: {
+            query: "tshark.@src_ip:bar"
+            },
+          range: {
+            '@timestamp' => {
+              gte: 24.weeks.ago,
+              lte: Time.now
+          }}}}
+        @result_set.query.to_json.should eq query.to_json
+      end
+    end
+  end
+end

data/spec/nested_search_spec.rb ADDED

@@ -0,0 +1,51 @@
+require 'spec_helper'
+describe 'nested searches' do
+  it 'should parse a nested basic search' do
+    @parsed = @parser.parse 'tshark.len = ` 226 | tshark.frame.time_epoch,tshark.ip.src`'
+    expect(@parsed[:field].to_s).to eq 'tshark.len'
+    expect(@parsed[:op].to_s).to eq '='
+    expect(@parsed[:value][:initial_query].to_s).to eq '226 '
+    expect(@parsed[:value][:extractors].to_s).to eq 'tshark.frame.time_epoch,tshark.ip.src'
+  end
+  it 'should parse a nested regexp' do
+    @parsed = @parser.parse 'tshark.len = ` cif.malicious_ips=/foo/ | tshark.frame.time_epoch,tshark.ip.src`'
+    expect(@parsed[:field].to_s).to eq 'tshark.len'
+    expect(@parsed[:op].to_s).to eq '='
+    expect(@parsed[:value][:initial_query].to_s).to eq 'cif.malicious_ips=/foo/ '
+    expect(@parsed[:value][:extractors].to_s).to eq 'tshark.frame.time_epoch,tshark.ip.src'
+  end
+  it 'should parse a nested basic boolean' do
+    @parsed = @parser.parse 'tshark.len = `(foo OR bar) | tshark.frame.time_epoch,tshark.ip.src`'
+    expect(@parsed[:field].to_s).to eq 'tshark.len'
+    expect(@parsed[:op].to_s).to eq '='
+    expect(@parsed[:value][:initial_query].to_s).to eq '(foo OR bar) '
+    expect(@parsed[:value][:extractors].to_s).to eq 'tshark.frame.time_epoch,tshark.ip.src'
+  end
+  it 'should parse a nested field / value boolean' do
+    @parsed = @parser.parse 'tshark.len = `baz=(foo OR bar AND (bar OR fez)) | tshark.frame.time_epoch,tshark.ip.src`'
+    expect(@parsed[:field].to_s).to eq 'tshark.len'
+    expect(@parsed[:op].to_s).to eq '='
+    expect(@parsed[:value][:initial_query].to_s).to eq 'baz=(foo OR bar AND (bar OR fez)) '
+    expect(@parsed[:value][:extractors].to_s).to eq 'tshark.frame.time_epoch,tshark.ip.src'
+  end
+  it 'should parse a nested last standalone timerange' do
+    @parsed = @parser.parse 'tshark.len = `last 24h | tshark.frame.time_epoch,tshark.ip.src`'
+    expect(@parsed[:field].to_s).to eq 'tshark.len'
+    expect(@parsed[:op].to_s).to eq '='
+    expect(@parsed[:value][:initial_query].to_s).to eq 'last 24h '
+    expect(@parsed[:value][:extractors].to_s).to eq 'tshark.frame.time_epoch,tshark.ip.src'
+  end
+  it 'should parse a nested last timerange and field / value pair' do
+    @parsed = @parser.parse 'tshark.len = `last 24h foo=bar | tshark.frame.time_epoch,tshark.ip.src`'
+    expect(@parsed[:field].to_s).to eq 'tshark.len'
+    expect(@parsed[:op].to_s).to eq '='
+    expect(@parsed[:value][:initial_query].to_s).to eq 'last 24h foo=bar '
+    expect(@parsed[:value][:extractors].to_s).to eq 'tshark.frame.time_epoch,tshark.ip.src'
+  end
+end

data/spec/regexp_spec.rb ADDED

@@ -0,0 +1,29 @@
+require 'spec_helper'
+describe 'regexp searches' do
+  context 'simple' do
+    it 'should parse a basic regexp search' do
+      @parsed = @parser.parse 'foo=/blah foo/'
+      expect(@parsed[:field].to_s).to eq 'foo'
+      expect(@parsed[:value].to_s).to eq '/blah foo/'
+    end
+  end
+  context 'complex' do
+    it 'should parse key/value with regex' do
+      @parsed = @parser.parse 'foo=bar fe.ip=/whodunnit/'
+      expect(@parsed[0][:field].to_s).to eq 'foo'
+      expect(@parsed[0][:value].to_s).to eq 'bar'
+      expect(@parsed[1][:field].to_s).to eq 'fe.ip'
+      expect(@parsed[1][:value].to_s).to eq '/whodunnit/'
+    end
+    it 'should parse last command with a regex' do
+      @parsed = @parser.parse 'last 24w foo=/blah/'
+      expect(@parsed[:timerange][:quantity].to_s).to eq '24'
+      expect(@parsed[:timerange][:quantifier].to_s).to eq 'w'
+      expect(@parsed[:search][:field].to_s).to eq 'foo'
+      expect(@parsed[:search][:value].to_s).to eq '/blah/'
+    end
+  end
+end

data/spec/spec_helper.rb ADDED

@@ -0,0 +1,24 @@
+require 'rspec'
+require 'plunk'
+require 'plunk/parser'
+require 'plunk/transformer'
+require 'plunk/result_set'
+require 'parslet/rig/rspec'
+# Print ascii_tree when exception occurs
+class Plunk::ParserWrapper < Plunk::Parser
+  def parse(query)
+    begin
+      super(query)
+    rescue Parslet::ParseFailed => failure
+      puts failure.cause.ascii_tree
+    end
+  end
+end
+RSpec.configure do |config|
+  config.before :all do
+    @parser = Plunk::ParserWrapper.new
+    @transformer = Plunk::Transformer.new
+  end
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: plunk
 version: !ruby/object:Gem::Version
-  version: 0.0.7
+  version: 0.0.8
 platform: ruby
 authors:
 - Ram Mehta
@@ -101,10 +101,14 @@ files:
 - lib/plunk/result_set.rb
 - lib/plunk/transformer.rb
 - plunk.gemspec
+- spec/basic_spec.rb
+- spec/boolean_spec.rb
 - spec/elasticsearch_spec.rb
-- spec/parser_spec.rb
-- spec/result_set_spec.rb
-- spec/transformer_spec.rb
+- spec/field_value_spec.rb
+- spec/last_spec.rb
+- spec/nested_search_spec.rb
+- spec/regexp_spec.rb
+- spec/spec_helper.rb
 homepage: https://github.com/elbii/plunk
 licenses:
 - MIT

data/spec/parser_spec.rb DELETED

@@ -1,128 +0,0 @@
-require 'plunk'
-require 'plunk/parser'
-# Print ascii_tree when exception occurs
-class Plunk::ParserWrapper < Plunk::Parser
-  def parse(query)
-    begin
-      super(query)
-    rescue Parslet::ParseFailed => failure
-      puts failure.cause.ascii_tree
-    end
-  end
-end
-describe Plunk::Parser do
-  before :all do
-    @parser = Plunk::ParserWrapper.new
-    @transformer = Plunk::Transformer.new
-  end
-  context 'single-query searches' do
-    it 'should parse a single keyword' do
-      @parsed = @parser.parse 'bar'
-      expect(@parsed[:match].to_s).to eq 'bar'
-    end
-    it 'should parse a single field/value combo' do
-      @parsed = @parser.parse 'tshark.http.@src_ip=bar'
-      expect(@parsed[:field].to_s).to eq 'tshark.http.@src_ip'
-      expect(@parsed[:value].to_s).to eq 'bar'
-      expect(@parsed[:op].to_s).to eq '='
-    end
-    it 'should parse a single boolean expression' do
-      @parsed = @parser.parse '(bar OR car)'
-      expect(@parsed[:match].to_s).to eq '(bar OR car)'
-    end
-    it 'should parse a single field / value complex boolean expression' do
-      @parsed = @parser.parse 'ids.attackers=(bar OR car)'
-      expect(@parsed[:field].to_s).to eq 'ids.attackers'
-      expect(@parsed[:value].to_s).to eq '(bar OR car)'
-      expect(@parsed[:op].to_s).to eq '='
-    end
-    it 'should parse a single field / parenthesized value' do
-      @parsed = @parser.parse 'ids.attacker=(10.150.44.195)'
-      expect(@parsed[:field].to_s).to eq 'ids.attacker'
-      expect(@parsed[:value].to_s).to eq '(10.150.44.195)'
-      expect(@parsed[:op].to_s).to eq '='
-    end
-    it 'should parse a basic regex search' do
-      @parsed = @parser.parse 'foo=/blah foo/'
-      expect(@parsed[:field].to_s).to eq 'foo'
-      expect(@parsed[:value].to_s).to eq '/blah foo/'
-    end
-    context 'the last command' do
-      before :each do
-        @parsed = @parser.parse 'last 24w tshark.@src_ip = bar'
-      end
-      it 'should parse last command with a search' do
-        expect(@parsed[:timerange][:quantity].to_s).to eq '24'
-        expect(@parsed[:timerange][:quantifier].to_s).to eq 'w'
-        expect(@parsed[:search][:field].to_s).to eq 'tshark.@src_ip'
-        expect(@parsed[:search][:value].to_s).to eq 'bar'
-      end
-      context 'transformation' do
-        before :each do
-          @result_set = @transformer.apply(@parsed)
-        end
-        it 'should have the proper result set' do
-          @result_set.should be_a Plunk::ResultSet
-          @result_set.query.should be_present
-          query = { query: {
-            query_string: {
-              query: "tshark.@src_ip:bar"
-              },
-            range: {
-              '@timestamp' => {
-                gte: 24.weeks.ago,
-                lte: Time.now
-            }}}}
-          @result_set.query.to_json.should eq query.to_json
-        end
-      end
-    end
-    context 'chained searches' do
-      it 'should parse last command with a regex' do
-        @parsed = @parser.parse 'last 24w foo=/blah/'
-        expect(@parsed[:timerange][:quantity].to_s).to eq '24'
-        expect(@parsed[:timerange][:quantifier].to_s).to eq 'w'
-        expect(@parsed[:search][:field].to_s).to eq 'foo'
-        expect(@parsed[:search][:value].to_s).to eq '/blah/'
-      end
-    end
-    it 'should parse last command with boolean' do
-      @parsed = @parser.parse 'last 1h (foo OR bar)'
-      expect(@parsed[:search][:match].to_s).to eq '(foo OR bar)'
-    end
-    it 'should parse key/value with regex' do
-      @parsed = @parser.parse 'foo=bar fe.ip=/whodunnit/'
-      expect(@parsed[0][:field].to_s).to eq 'foo'
-      expect(@parsed[0][:value].to_s).to eq 'bar'
-      expect(@parsed[1][:field].to_s).to eq 'fe.ip'
-      expect(@parsed[1][:value].to_s).to eq '/whodunnit/'
-    end
-  end
-  context 'nested search' do
-    it 'should parse the nested search' do
-      @parsed = @parser.parse 'tshark.len = ` 226 | tshark.frame.time_epoch,tshark.ip.src`'
-      expect(@parsed[:field].to_s).to eq 'tshark.len'
-      expect(@parsed[:op].to_s).to eq '='
-      expect(@parsed[:value][:term].to_s).to eq '226 '
-      expect(@parsed[:value][:extractors].to_s).to eq 'tshark.frame.time_epoch,tshark.ip.src'
-    end
-  end
-end

data/spec/result_set_spec.rb DELETED

@@ -1,4 +0,0 @@
-require 'plunk/result_set'
-describe Plunk::ResultSet do
-end

data/spec/transformer_spec.rb DELETED

@@ -1,4 +0,0 @@
-require 'plunk/transformer'
-describe Plunk::Transformer do
-end