From fe9c7d41917bb07975ba6fa5cea3baeb05b03a2b Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Mon, 4 Sep 2023 14:00:37 +0200 Subject: [PATCH] Merge remote-tracking branch 'origin/topic/jazoff/gh-3268t ' * origin/topic/jazoff/gh-3268: Fix check for emailed notices Changes: Added a test-case printing email_delay_tokens to compare email vs non-email notice types. Previously, both notice types would have email delay tokens at that point in the flow. (cherry picked from commit 7e11501d3cdee54482fcce9c9a640cabfe13d2c2) --- .../notice/extend-email/hostnames.zeek | 2 +- .../out | 3 ++ .../notice/extend-email/hostnames.zeek | 43 +++++++++++++++++++ 3 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.notice.extend-email.hostnames/out create mode 100644 testing/btest/scripts/policy/frameworks/notice/extend-email/hostnames.zeek
diff --git a/scripts/policy/frameworks/notice/extend-email/hostnames.zeek b/scripts/policy/frameworks/notice/extend-email/hostnames.zeek
index f27477cb2d..cc66798ef0 100644
--- a/scripts/policy/frameworks/notice/extend-email/hostnames.zeek
+++ b/scripts/policy/frameworks/notice/extend-email/hostnames.zeek
@@ -20,7 +20,7 @@ hook notice(n: Notice::Info) &priority=-1
 return;
 # This should only be done for notices that are being sent to email.
- if ( ! n?$email_dest )
+ if ( |n$email_dest| == 0 )
 return;
 # I'm not recovering gracefully from the when statements because I want
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.notice.extend-email.hostnames/out b/testing/btest/Baseline/scripts.policy.frameworks.notice.extend-email.hostnames/out
new file mode 100644
index 0000000000..19de5ef224
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.notice.extend-email.hostnames/out
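Review bot: The new condition reads `n$email_dest` unconditionally, which is only safe if `Notice::Info$email_dest` is a non-optional field (e.g. carrying a `&default` empty set); the record definition is not in this patch, so if the field can still be absent the access would raise a runtime error in a hook that previously handled that case with `?$`. If the field is indeed always present, a one-line comment would save the next reader the same question: `# email_dest is always set (defaults to an empty set); empty means no email recipients.` If it is not, `if ( ! n?$email_dest || |n$email_dest| == 0 )` covers both cases. The purpose of this guard, per the new test's @TEST-DOC, is to keep the reverse-DNS `lookup_addr()` work below from running for every notice that carries a connection, so getting it right also bounds resolver traffic driven by notice volume. The enclosing `notice` hook starts and ends outside the hunk.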
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+email_delay_tokens, Test_New_Connection_Notice, (empty)
+email_delay_tokens, Test_Connection_State_Remove_Notice, hostnames-dst,hostnames-src
diff --git a/testing/btest/scripts/policy/frameworks/notice/extend-email/hostnames.zeek b/testing/btest/scripts/policy/frameworks/notice/extend-email/hostnames.zeek
new file mode 100644
index 0000000000..be44ff70cd
--- /dev/null
+++ b/testing/btest/scripts/policy/frameworks/notice/extend-email/hostnames.zeek
@@ -0,0 +1,43 @@
+# @TEST-DOC: Check that extend-email/hostnames.zeek does not run lookup_addr() for non email type notices.
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load base/frameworks/notice
+
+@load frameworks/notice/extend-email/hostnames
+
+
+redef enum Notice::Type += {
+ Test_New_Connection_Notice,
+ Test_Connection_State_Remove_Notice,
+};
+
+redef Notice::emailed_types += {
+ Test_Connection_State_Remove_Notice,
+};
+
+redef Notice::mail_dest = "user@example.net";
+redef Notice::sendmail = "fake-sendmail"; # not in effect, but better safe than sorry.
+
+
+module Notice;
+
+hook Notice::notice(n: Notice::Info) &priority=-2
+ {
+ # email_delay_token population runs at priority -1
+ # in extend-email/hostnames.zeek, so we can look
+ # at the result during priority=-2 and observe
+ # that only Test_Connection_State_Remove_Notice
+ # has email_delay_tokens set.
+ print "email_delay_tokens", n$note, |n$email_delay_tokens| > 0 ? join_string_set(n$email_delay_tokens, ",") : "(empty)";
+ }
+
+event new_connection(c: connection)
+ {
+ NOTICE([$note=Test_New_Connection_Notice, $conn=c]);
+ }
+
+event connection_state_remove(c: connection)
+ {
+ NOTICE([$note=Test_Connection_State_Remove_Notice, $conn=c]);
+ }
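Review bot: The printed value `join_string_set(n$email_delay_tokens, ",")` in the priority -2 hook depends on set iteration order, so the baseline line `hostnames-dst,hostnames-src` is stable only while the test run pins Zeek's hash seed (Zeek's btest setup normally does this through `ZEEK_SEED_FILE`, but that is outside this patch). Checking membership instead removes the dependency and still distinguishes the two notice types: `print "email_delay_tokens", n$note, "hostnames-src" in n$email_delay_tokens, "hostnames-dst" in n$email_delay_tokens;`. The `redef Notice::sendmail = "fake-sendmail"` line is a sound precaution for a test that routes a notice through the email path; its comment could name what it guards against, e.g. `# never let the test exec a real mail command, even if the email path is reached`.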