contentctl 4.4.7__py3-none-any.whl → 5.0.0a0__py3-none-any.whl

contentctl/objects/base_test_result.py

@@ -1,5 +1,5 @@
 from typing import Union, Any
-from enum import Enum
+from enum import StrEnum
 
 from pydantic import ConfigDict, BaseModel
 from splunklib.data import Record                                                                   # type: ignore
@@ -10,7 +10,7 @@ from contentctl.helper.utils import Utils
 # TODO (#267): Align test reporting more closely w/ status enums (as it relates to "untested")
 # TODO (PEX-432): add status "UNSET" so that we can make sure the result is always of this enum
 #   type; remove mypy ignores associated w/ these typing issues once we do
-class TestResultStatus(str, Enum):
+class TestResultStatus(StrEnum):
     """Enum for test status (e.g. pass/fail)"""
     # Test failed (detection did NOT fire appropriately)
     FAIL = "fail"
@@ -113,7 +113,7 @@ class BaseTestResult(BaseModel):
                 # Exceptions and enums cannot be serialized, so convert to str
                 if isinstance(getattr(self, field), Exception):
                     summary_dict[field] = str(getattr(self, field))
-                elif isinstance(getattr(self, field), Enum):
+                elif isinstance(getattr(self, field), StrEnum):
                     summary_dict[field] = str(getattr(self, field))
                 else:
                     summary_dict[field] = getattr(self, field)

contentctl/objects/baseline.py

@@ -1,7 +1,10 @@
 
 from __future__ import annotations
-from typing import Annotated, Optional, List,Any
-from pydantic import field_validator, ValidationInfo, Field, model_serializer
+from typing import Annotated, List,Any, TYPE_CHECKING
+if TYPE_CHECKING:
+    from contentctl.input.director import DirectorOutputDto
+
+from pydantic import field_validator, ValidationInfo, Field, model_serializer, computed_field
 from contentctl.objects.deployment import Deployment
 from contentctl.objects.security_content_object import SecurityContentObject
 from contentctl.objects.enums import DataModel
@@ -9,21 +12,34 @@ from contentctl.objects.baseline_tags import BaselineTags
 
 from contentctl.objects.config import CustomApp
 
-
+from contentctl.objects.lookup import Lookup
 from contentctl.objects.constants import CONTENTCTL_MAX_SEARCH_NAME_LENGTH,CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE
 
 class Baseline(SecurityContentObject):
     name:str = Field(...,max_length=CONTENTCTL_MAX_SEARCH_NAME_LENGTH)
     type: Annotated[str,Field(pattern="^Baseline$")] = Field(...)
-    datamodel: Optional[List[DataModel]] = None
     search: str = Field(..., min_length=4)
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
     tags: BaselineTags = Field(...)
-
+    lookups: list[Lookup] = Field([], validate_default=True)
     # enrichment
     deployment: Deployment = Field({})
-    
+
+
+    @field_validator('lookups', mode="before")
+    @classmethod
+    def getBaselineLookups(cls, v:list[str], info:ValidationInfo) -> list[Lookup]:
+        '''
+        This function has been copied and renamed from the Detection_Abstract class
+        '''
+        director:DirectorOutputDto = info.context.get("output_dto",None)
+        search: str | None = info.data.get("search",None)
+        if search is None:
+            raise ValueError("Search was None - is this file missing the search field?")
+        
+        lookups = Lookup.get_lookups(search, director)
+        return lookups
 
     def get_conf_stanza_name(self, app:CustomApp)->str:
         stanza_name = CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE.format(app_label=app.label, detection_name=self.name)
@@ -34,6 +50,10 @@ class Baseline(SecurityContentObject):
     def getDeployment(cls, v:Any, info:ValidationInfo)->Deployment:
         return Deployment.getDeployment(v,info)
     
+    @computed_field
+    @property
+    def datamodel(self) -> List[DataModel]:
+        return [dm for dm in DataModel if dm in self.search]
 
     @model_serializer
     def serialize_model(self):

contentctl/objects/baseline_tags.py

@@ -1,5 +1,5 @@
 from __future__ import annotations
-from pydantic import BaseModel, Field, field_validator, ValidationInfo, model_serializer
+from pydantic import BaseModel, Field, field_validator, ValidationInfo, model_serializer, ConfigDict
 from typing import List, Any, Union
 
 from contentctl.objects.story import Story
@@ -12,12 +12,12 @@ from contentctl.objects.enums import SecurityDomain
 
 
 class BaselineTags(BaseModel):
+    model_config = ConfigDict(extra="forbid")
     analytic_story: list[Story] = Field(...)
     #deployment: Deployment = Field('SET_IN_GET_DEPLOYMENT_FUNCTION')
     # TODO (#223): can we remove str from the possible types here?
     detections: List[Union[Detection,str]] = Field(...)
     product: List[SecurityContentProductName] = Field(...,min_length=1)
-    required_fields: List[str] = Field(...,min_length=1)
     security_domain: SecurityDomain = Field(...)
 
 
@@ -33,7 +33,6 @@ class BaselineTags(BaseModel):
             "analytic_story": [story.name for story in self.analytic_story],
             "detections": [detection.name for detection in self.detections if isinstance(detection,Detection)],
             "product": self.product,
-            "required_fields":self.required_fields,
             "security_domain":self.security_domain,
             "deployments": None
         }

contentctl/objects/config.py

@@ -33,9 +33,9 @@ COMMON_INFORMATION_MODEL_UID = 1621
 SPLUNKBASE_URL = "https://splunkbase.splunk.com/app/{uid}/release/{version}/download"
 
 
-# TODO (#266): disable the use_enum_values configuration
 class App_Base(BaseModel,ABC):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
+
+    model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True, extra='forbid')
     uid: Optional[int] = Field(default=None)
     title: str = Field(description="Human-readable name used by the app. This can have special characters.")
     appid: Optional[APPID_TYPE]= Field(default=None,description="Internal name used by your app. "
@@ -59,9 +59,8 @@ class App_Base(BaseModel,ABC):
                 config.getLocalAppDir().mkdir(parents=True)
 
 
-# TODO (#266): disable the use_enum_values configuration
 class TestApp(App_Base):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
+    model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True)
     hardcoded_path: Optional[Union[FilePath,HttpUrl]] = Field(default=None, description="This may be a relative or absolute link to a file OR an HTTP URL linking to your app.")
     
 
@@ -99,9 +98,8 @@ class TestApp(App_Base):
         return str(destination)
 
 
-# TODO (#266): disable the use_enum_values configuration
 class CustomApp(App_Base):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
+    model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True)
     # Fields required for app.conf based on
     # https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Appconf
     uid: int = Field(ge=2, lt=100000, default_factory=lambda:random.randint(20000,100000))
@@ -159,9 +157,8 @@ class CustomApp(App_Base):
                                 verbose_print=True)
         return str(destination)
     
-# TODO (#266): disable the use_enum_values configuration
 class Config_Base(BaseModel):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
+    model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True)
 
     path: DirectoryPath = Field(default=DirectoryPath("."), description="The root of your app.")
     app:CustomApp = Field(default_factory=CustomApp)
@@ -175,7 +172,7 @@ class Config_Base(BaseModel):
         return str(path)
 
 class init(Config_Base):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
+    model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True)
     bare: bool = Field(default=False, description="contentctl normally provides some some example content "
                        "(macros, stories, data_sources, and/or analytic stories).  This option disables "
                        "initialization with that additional contnet.  Note that even if --bare is used, it "
@@ -184,9 +181,8 @@ class init(Config_Base):
                        "the deployment/ directory (since it is not yet easily customizable).")
 
 
-# TODO (#266): disable the use_enum_values configuration
 class validate(Config_Base):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
+    model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True)
     enrichments: bool = Field(default=False, description="Enable MITRE, APP, and CVE Enrichments.  "\
                                                          "This is useful when outputting a release build "\
                                                          "and validating these values, but should otherwise "\
@@ -241,9 +237,8 @@ class report(validate):
         return self.path/"reporting/"
 
 
-# TODO (#266): disable the use_enum_values configuration
 class build(validate):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
+    model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True)
     build_path: DirectoryPath = Field(default=DirectoryPath("dist/"), title="Target path for all build outputs")
 
     @field_serializer('build_path',when_used='always')
@@ -395,17 +390,15 @@ class new(Config_Base):
     type: NewContentType = Field(default=NewContentType.detection, description="Specify the type of content you would like to create.")
 
 
-# TODO (#266): disable the use_enum_values configuration
 class deploy_acs(inspect):
-    model_config = ConfigDict(use_enum_values=True,validate_default=False, arbitrary_types_allowed=True)
+    model_config = ConfigDict(validate_default=False, arbitrary_types_allowed=True)
     #ignore linter error
     splunk_cloud_jwt_token: str = Field(exclude=True, description="Splunk JWT used for performing ACS operations on a Splunk Cloud Instance")
     splunk_cloud_stack: str = Field(description="The name of your Splunk Cloud Stack")
 
 
-# TODO (#266): disable the use_enum_values configuration
 class Infrastructure(BaseModel):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
+    model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True)
     splunk_app_username:str = Field(default="admin", description="Username for logging in to your Splunk Server")
     splunk_app_password:str = Field(exclude=True, default="password", description="Password for logging in to your Splunk Server.")
     instance_address:str = Field(..., description="Address of your splunk server.")
@@ -415,15 +408,13 @@ class Infrastructure(BaseModel):
     instance_name: str = Field(...)
 
 
-# TODO (#266): disable the use_enum_values configuration
 class Container(Infrastructure):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
+    model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True)
     instance_address:str = Field(default="localhost", description="Address of your splunk server.")
 
 
-# TODO (#266): disable the use_enum_values configuration
 class ContainerSettings(BaseModel):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
+    model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True)
     leave_running: bool = Field(default=True, description="Leave container running after it is first "
                                 "set up to speed up subsequent test runs.")
     num_containers: PositiveInt = Field(default=1, description="Number of containers to start in parallel. "
@@ -444,18 +435,19 @@ class ContainerSettings(BaseModel):
 
 class All(BaseModel):
     #Doesn't need any extra logic
+    mode_name:str = "All"
     pass
 
 
-# TODO (#266): disable the use_enum_values configuration
 class Changes(BaseModel):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
+    model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True)
+    mode_name: str = "Changes"
     target_branch:str = Field(...,description="The target branch to diff against. Note that this includes uncommitted changes in the working directory as well.")
 
 
-# TODO (#266): disable the use_enum_values configuration
 class Selected(BaseModel):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
+    model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True)
+    mode_name:str = "Selected"
     files:List[FilePath] = Field(...,description="List of detection files to test, separated by spaces.")
 
     @field_serializer('files',when_used='always')
@@ -684,12 +676,12 @@ DEFAULT_APPS:List[TestApp] = [
 class test_common(build):
     mode:Union[Changes, Selected, All] = Field(All(), union_mode='left_to_right')
     post_test_behavior: PostTestBehavior = Field(default=PostTestBehavior.pause_on_failure, description="Controls what to do when a test completes.\n\n"
-                                                                                                        f"'{PostTestBehavior.always_pause.value}' -  the state of "
+                                                                                                        f"'{PostTestBehavior.always_pause}' -  the state of "
                                                                                                         "the test will always pause after a test, allowing the user to log into the "
                                                                                                         "server and experiment with the search and data before it is removed.\n\n"
-                                                                                                        f"'{PostTestBehavior.pause_on_failure.value}' - pause execution ONLY when a test fails. The user may press ENTER in the terminal "
+                                                                                                        f"'{PostTestBehavior.pause_on_failure}' - pause execution ONLY when a test fails. The user may press ENTER in the terminal "
                                                                                                         "running the test to move on to the next test.\n\n"
-                                                                                                        f"'{PostTestBehavior.never_pause.value}' -  never stop testing, even if a test fails.\n\n"
+                                                                                                        f"'{PostTestBehavior.never_pause}' -  never stop testing, even if a test fails.\n\n"
                                                                                                         "***SPECIAL NOTE FOR CI/CD*** 'never_pause' MUST be used for a test to "
                                                                                                         "run in an unattended manner or in a CI/CD system - otherwise a single failed test "
                                                                                                         "will result in the testing never finishing as the tool waits for input.")
@@ -706,7 +698,7 @@ class test_common(build):
                                " interactive command line workflow that can display progress bars and status information frequently. "
                                "Unfortunately it is incompatible with, or may cause poorly formatted logs, in many CI/CD systems or other unattended environments. "
                                "If you are running contentctl in CI/CD, then please set this argument to True. Note that if you are running in a CI/CD context, "
-                               f"you also MUST set post_test_behavior to {PostTestBehavior.never_pause.value}. Otherwiser, a failed detection will cause"
+                               f"you also MUST set post_test_behavior to {PostTestBehavior.never_pause}. Otherwiser, a failed detection will cause"
                                "the CI/CD running to pause indefinitely.")
 
     apps: List[TestApp] = Field(default=DEFAULT_APPS, exclude=False, description="List of apps to install in test environment")
@@ -715,7 +707,7 @@ class test_common(build):
     def dumpCICDPlanAndQuit(self, githash: str, detections:List[Detection]):
         output_file = self.path / "test_plan.yml"
         self.mode = Selected(files=sorted([detection.file_path for detection in detections], key=lambda path: str(path)))
-        self.post_test_behavior = PostTestBehavior.never_pause.value
+        self.post_test_behavior = PostTestBehavior.never_pause
         #required so that CI/CD does not get too much output or hang
         self.disable_tqdm = True
 
@@ -782,12 +774,12 @@ class test_common(build):
     def suppressTQDM(self)->Self:
         if self.disable_tqdm:
             tqdm.tqdm.__init__ = partialmethod(tqdm.tqdm.__init__, disable=True)
-            if self.post_test_behavior != PostTestBehavior.never_pause.value:
+            if self.post_test_behavior != PostTestBehavior.never_pause:
                 raise ValueError(f"You have disabled tqdm, presumably because you are "
                                  f"running in CI/CD or another unattended context.\n"
                                  f"However, post_test_behavior is set to [{self.post_test_behavior}].\n"
                                  f"If that is the case, then you MUST set post_test_behavior "
-                                 f"to [{PostTestBehavior.never_pause.value}].\n"
+                                 f"to [{PostTestBehavior.never_pause}].\n"
                                  "Otherwise, if a detection fails in CI/CD, your CI/CD runner will hang forever.")
         return self
                          
@@ -817,18 +809,8 @@ class test_common(build):
         return self
 
 
-    def getModeName(self)->str:
-        if isinstance(self.mode, All):
-            return DetectionTestingMode.all.value
-        elif isinstance(self.mode, Changes):
-            return DetectionTestingMode.changes.value
-        else:
-            return DetectionTestingMode.selected.value
-
-
-# TODO (#266): disable the use_enum_values configuration
 class test(test_common):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
+    model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True)
     container_settings:ContainerSettings = ContainerSettings()
     test_instances: List[Container] = Field([], exclude = True, validate_default=True)
     splunk_api_username: Optional[str] = Field(default=None, exclude = True,description="Splunk API username used for running appinspect or installating apps from Splunkbase")
@@ -893,9 +875,8 @@ class test(test_common):
 TEST_ARGS_ENV = "CONTENTCTL_TEST_INFRASTRUCTURES"
 
 
-# TODO (#266): disable the use_enum_values configuration
 class test_servers(test_common):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
+    model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True)
     test_instances:List[Infrastructure] = Field([],description="Test against one or more preconfigured servers.", validate_default=True)
     server_info:Optional[str] = Field(None, validate_default=True, description='String of pre-configured servers to use for testing.  The list MUST be in the format:\n'
                                       'address,username,web_ui_port,hec_port,api_port;address_2,username_2,web_ui_port_2,hec_port_2,api_port_2'

contentctl/objects/constants.py

@@ -79,6 +79,7 @@ SES_KILL_CHAIN_MAPPINGS = {
     "Actions on Objectives": 7
 }
 
+# TODO (cmcginley): @ljstella should this be removed? also referenced in new_content.py
 SES_OBSERVABLE_ROLE_MAPPING = {
     "Other": -1,
     "Unknown": 0,
@@ -93,6 +94,7 @@ SES_OBSERVABLE_ROLE_MAPPING = {
     "Observer": 9
 }
 
+# TODO (cmcginley): @ljstella should this be removed? also referenced in new_content.py
 SES_OBSERVABLE_TYPE_MAPPING = {
     "Unknown": 0,
     "Hostname": 1,
@@ -135,6 +137,7 @@ SES_ATTACK_TACTICS_ID_MAPPING = {
     "Impact": "TA0040"
 }
 
+# TODO (cmcginley): is this just for the transition testing?
 RBA_OBSERVABLE_ROLE_MAPPING = {
     "Attacker": 0,
     "Victim": 1
@@ -149,7 +152,7 @@ DOWNLOADS_DIRECTORY = "downloads"
 # errors, if its name is longer than 99 characters.
 # When an saved search is cloned in Enterprise Security User Interface,
 # it is wrapped in the following: 
-# {Detection.tags.security_domain.value} - {SEARCH_STANZA_NAME} - Rule
+# {Detection.tags.security_domain} - {SEARCH_STANZA_NAME} - Rule
 # Similarly, when we generate the search stanza name in contentctl, it
 # is app.label - detection.name - Rule
 # However, in product the search name is: