Tests for aggregation_id - #170

VincentD06 · VincentD06 · commit c5bb38cc9b2c · 2025-12-11T16:11:34.000+01:00
diff --git a/validation/graylog.py b/validation/graylog.py
@@ -61,8 +61,8 @@ def access_rest_api(self):
     def update_logging_alert_plugin_configuration(self):
         return self._api.update_logging_alert_plugin_configuration()
     
-    def update_alert_wizard_plugin_configuration(self, default_time=1, backlog_size=500):
-        return self._api.update_alert_wizard_plugin_configuration(default_time=default_time, backlog_size=backlog_size)
+    def update_alert_wizard_plugin_configuration(self, default_time=1, backlog_size=500, aggregation_time=0):
+        return self._api.update_alert_wizard_plugin_configuration(default_time=default_time, backlog_size=backlog_size, aggregation_time=aggregation_time)
     
     def get_alert_wizard_plugin_configuration(self):
         return self._api.get_alert_wizard_plugin_configuration()
@@ -179,4 +179,4 @@ def _has_aggregation_event(self):
 
     def wait_until_new_event(self, initial_event_count, wait_duration):
         has_new_event = lambda: self.get_events_count('aggregation-v1') == initial_event_count + 1
-        self._wait(has_new_event, 60*wait_duration)
+        self._wait(has_new_event, 60 * wait_duration)
diff --git a/validation/graylog_rest_api.py b/validation/graylog_rest_api.py
@@ -244,10 +244,9 @@ def get_alert_rules(self):
 
     def update_logging_alert_plugin_configuration(self):
         configuration = {
-            'aggregation_time': '1441',
             'alert_tag': 'LoggingAlert',
             'field_alert_id': 'id',
-            'log_body': 'type: alert\nid: ${logging_alert.id}\nseverity: ${logging_alert.severity}\napp: graylog\nsubject: ${event_definition_title}\nbody: ${event_definition_description}\n${if backlog && backlog[0]} src: ${backlog[0].fields.src_ip}\nsrc_category: ${backlog[0].fields.src_category}\ndest: ${backlog[0].fields.dest_ip}\ndest_category: ${backlog[0].fields.dest_category}\n${end}',
+            'log_body': 'type: alert\nid: ${event.fields.aggregation_id}\nseverity: ${logging_alert.severity}\napp: graylog\nsubject: ${event_definition_title}\nbody: ${event_definition_description}\n${if backlog && backlog[0]} src: ${backlog[0].fields.src_ip}\nsrc_category: ${backlog[0].fields.src_category}\ndest: ${backlog[0].fields.dest_ip}\ndest_category: ${backlog[0].fields.dest_category}\n${end}',
             'overflow_tag': 'LoggingOverflow',
             'separator': ' | '
         }
@@ -258,11 +257,12 @@ def get_alert_wizard_plugin_configuration(self):
         response = self._get('plugins/com.airbus_cyber_security.graylog.wizard/config')
         return response.json()
 
-    def update_alert_wizard_plugin_configuration(self, default_time=1, backlog_size=500):
+    def update_alert_wizard_plugin_configuration(self, default_time=1, backlog_size=500, aggregation_time=0):
         configuration = {
             'default_values': {
                 'matching_type': '',
                 'threshold_type': '',
+                'aggregation_time': aggregation_time,
                 'time': default_time,
                 'backlog': backlog_size
             },
diff --git a/validation/test.py b/validation/test.py
@@ -83,7 +83,7 @@ def test_create_and_alert_rule_with_pipeline_condition_should_not_trigger_event_
         self._api.create_alert_rule_count('A', _PERIOD, stream=stream)
 
         # Send a log with user=toto and source=sourceABC. It will be placed in the Stream because the pipeline function found the user in the list. So the rule will trigger but it is wrong because "source" is not equal to "source123"
-        # Send a log with user=xxx and source=source123. It will be placed in the Stream beauce the only Stream rule is field "source" match exactly "source123". So the rule will trigger but it is wrong because "user" is not present in the list
+        # Send a log with user=xxx and source=source123. It will be placed in the Stream because the only Stream rule is field "source" match exactly "source123". So the rule will trigger but it is wrong because "user" is not present in the list
         with self._graylog.access_gelf_input(self._gelf_input_identifier) as inputs:
             inputs.send({'host': 'source123'})
             aggregation_events_count = self._graylog.get_events_count('aggregation-v1')
@@ -170,3 +170,121 @@ def test_create_alert_rule_with_list_should_not_generate_event_on_substrings_of_
             for i in range(events['total_events']):
                 print(events['events'][i])
             self.assertEqual(starting_events_count, self._graylog.get_events_count('aggregation-v1'))
+
+    def test_notification_should_generate_identifier_for_aggregation_id__issue170(self):
+        stream = {
+            'field_rule': [{
+                'field': 'x',
+                'type': 1,
+                'value': 'test_value'
+            }],
+            'matching_type': 'AND'
+        }
+        self._api.create_alert_rule_count('A', _PERIOD, stream=stream)
+
+        # Send a log with _x=test_value
+        with self._graylog.access_gelf_input(self._gelf_input_identifier) as inputs:
+            inputs.send({'_x': 'test_value'})
+
+            for i in range(60*_PERIOD + 20):
+                events_count = self._graylog.get_events_count('aggregation-v1')
+                print(f'events count: {events_count}')
+                if events_count > 0:
+                    break
+                time.sleep(1)
+
+            events = self._graylog.get_events()
+
+            aggregation_id = events['events'][0]['event']['fields']['aggregation_id']
+            self.assertIsNotNone(aggregation_id)
+
+    def test_notification_should_generate_new_identifier_for_aggregation_id__issue170(self):
+        # Prepare config
+        self._graylog.update_alert_wizard_plugin_configuration(aggregation_time=0)
+        stream = {
+            'field_rule': [{
+                'field': 'x',
+                'type': 1,
+                'value': 'test_value'
+            }],
+            'matching_type': 'AND'
+        }
+        self._api.create_alert_rule_count('A', _PERIOD, stream=stream)
+
+        with self._graylog.access_gelf_input(self._gelf_input_identifier) as inputs:
+            # Send a message with _x=test_value
+            inputs.send({'_x': 'test_value'})
+
+            for i in range(60*_PERIOD + 20):
+                events_count = self._graylog.get_events_count('aggregation-v1')
+                print(f'events count: {events_count}')
+                if events_count > 0:
+                    break
+                time.sleep(1)
+
+            # Send a second message with _x=test_value
+            inputs.send({'_x': 'test_value'})
+
+            for i in range(60*_PERIOD + 20):
+                events_count = self._graylog.get_events_count('aggregation-v1')
+                print(f'events count: {events_count}')
+                if events_count > 1:
+                    break
+                time.sleep(1)
+
+            events = self._graylog.get_events()
+
+            # Check if all aggregation_id are the same
+            aggregation_id_1 = events['events'][0]['event']['fields']['aggregation_id']
+            aggregation_id_2 = events['events'][1]['event']['fields']['aggregation_id']
+
+            self.assertNotEquals(aggregation_id_1, aggregation_id_2)
+
+    def test_notification_should_reuse_identifier_for_aggregation_id__issue170(self):
+        # Prepare config
+        self._graylog.update_alert_wizard_plugin_configuration(aggregation_time=10)
+        stream = {
+            'field_rule': [{
+                'field': 'x',
+                'type': 1,
+                'value': 'test_value'
+            }],
+            'matching_type': 'AND'
+        }
+        self._api.create_alert_rule_count('A', _PERIOD, stream=stream)
+
+        with self._graylog.access_gelf_input(self._gelf_input_identifier) as inputs:
+            # Send a message with _x=test_value
+            inputs.send({'_x': 'test_value'})
+
+            for i in range(60*_PERIOD + 20):
+                events_count = self._graylog.get_events_count('aggregation-v1')
+                print(f'events count: {events_count}')
+                if events_count > 0:
+                    break
+                time.sleep(1)
+
+            events = self._graylog.get_events()
+
+            # Store aggregation_id
+            aggregation_id = events['events'][0]['event']['fields']['aggregation_id']
+
+            # Send a second message with _x=test_value
+            inputs.send({'_x': 'test_value'})
+
+            for i in range(60*_PERIOD + 20):
+                events_count = self._graylog.get_events_count('aggregation-v1')
+                print(f'events count: {events_count}')
+                if events_count > 1:
+                    break
+                time.sleep(1)
+
+            events = self._graylog.get_events()
+
+            # Check if all aggregation_id are the same
+            aggregation_id_1 = events['events'][0]['event']['fields']['aggregation_id']
+            aggregation_id_2 = events['events'][1]['event']['fields']['aggregation_id']
+
+            self.assertEqual(aggregation_id, aggregation_id_1)
+            self.assertEqual(aggregation_id, aggregation_id_2)
+
